
Constructing Symmetric Ciphers Using the CAST Design Procedure

Designs, Codes and Cryptography

Abstract

This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
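The abstract names four design areas (s-boxes, the DES-like framework, the key schedule, the round function) and the two attacks the procedure is meant to resist. The following is an added toy example, not code from the paper and not the CAST cipher: it computes the two quantities a designer checks when claiming differential and linear resistance for an s-box (the largest difference-distribution-table entry and the largest linear-approximation-table bias), and then places s-boxes inside a DES-like Feistel framework with a small nonlinear key schedule to show why the round function there need not be invertible. The 4-bit s-box used is the PRESENT s-box, chosen only because its tables are small enough to inspect; the 8x32 s-boxes, key schedule and round function of the actual CAST ciphers are not reproduced.

```python
"""Toy illustration of CAST-style design checks (not CAST itself).

1. Measure an s-box's worst-case differential and linear behaviour:
   the maximum DDT entry bounds the probability of any one-round
   differential, the maximum |LAT| entry bounds the bias of any
   one-round linear approximation.
2. Wrap s-boxes in a DES-like Feistel framework whose round function
   need not be a bijection for the cipher to be invertible.

Assumption: the s-box below is the PRESENT 4-bit s-box, used only
because its 16x16 tables are easy to inspect. Nothing here is CAST.
"""
from typing import List

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox: List[int]) -> List[List[int]]:
    """DDT[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def lat(sbox: List[int]) -> List[List[int]]:
    """LAT[a][b] = #{x : a.x == b.S(x)} - n/2; zero means no correlation."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n)
                        if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - n // 2
    return table


def differential_uniformity(sbox: List[int]) -> int:
    """Largest DDT entry over nonzero input differences (lower is better)."""
    t = ddt(sbox)
    n = len(sbox)
    return max(t[dx][dy] for dx in range(1, n) for dy in range(n))


def max_linear_bias(sbox: List[int]) -> int:
    """Largest |LAT| entry over nonzero output masks (lower is better)."""
    t = lat(sbox)
    n = len(sbox)
    return max(abs(t[a][b]) for a in range(n) for b in range(1, n))


def round_function(half: int, subkey: int) -> int:
    """Toy f: key mix, two 4-bit s-box lookups, then a rotation as the
    'permutation' layer. It is never inverted by the cipher."""
    v = (half ^ subkey) & 0xFF
    v = (SBOX[v >> 4] << 4) | SBOX[v & 0xF]
    return ((v << 3) | (v >> 5)) & 0xFF  # rotate left by 3


def key_schedule(key: int, rounds: int) -> List[int]:
    """Toy schedule (assumed, not CAST's): each 8-bit subkey is a
    nonlinear function of the 16-bit key and a round constant."""
    subkeys = []
    state = key & 0xFFFF
    for r in range(rounds):
        state = ((state << 5) | (state >> 11)) & 0xFFFF  # 16-bit rotate
        mixed = state ^ ((r * 0x9E37) & 0xFFFF)           # round constant
        subkeys.append(round_function(mixed & 0xFF, mixed >> 8))
    return subkeys


def encrypt(block: int, subkeys: List[int]) -> int:
    """16-bit Feistel encryption: swap halves each round, undo last swap."""
    left, right = block >> 8, block & 0xFF
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 8) | left


def decrypt(block: int, subkeys: List[int]) -> int:
    """Decryption is encryption with the subkeys reversed."""
    return encrypt(block, subkeys[::-1])


if __name__ == "__main__":
    print("max DDT entry:", differential_uniformity(SBOX))
    print("max |LAT| entry:", max_linear_bias(SBOX))
    ks = key_schedule(0xBEEF, 8)
    ct = encrypt(0x1234, ks)
    print(hex(ct), hex(decrypt(ct, ks)))
```

The identity s-box is a useful control: its DDT has an entry of 16 for every nonzero input difference and its LAT has entries of magnitude 8, the worst possible values, whereas a 4-bit s-box cannot do better than 4 on either measure. For the 8x32 s-boxes the paper's procedure builds, the same two tables are computed in exactly this way, only over 2^8 inputs and 2^32 output masks per input mask, so the linear check is done per output bit or via bent-function constructions rather than by brute force.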




Adams, C.M. Constructing Symmetric Ciphers Using the CAST Design Procedure. Designs, Codes and Cryptography 12, 283–316 (1997). https://doi.org/10.1023/A:1008229029587
