Designs, Codes and Cryptography, Volume 12, Issue 3, pp 283–316

Constructing Symmetric Ciphers Using the CAST Design Procedure

  • Carlisle M. Adams

Abstract

This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.

Keywords: design of encryption algorithms, block ciphers, substitution boxes, key scheduling, differential cryptanalysis, linear cryptanalysis

Copyright information

© Kluwer Academic Publishers 1997

Authors and Affiliations

  • Carlisle M. Adams, Entrust Technologies, Ottawa, Canada