Abstract
This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
Cite this article
Adams, C.M. Constructing Symmetric Ciphers Using the CAST Design Procedure. Designs, Codes and Cryptography 12, 283–316 (1997). https://doi.org/10.1023/A:1008229029587