CAST-256 A Submission for the Advanced Encryption Standard
Carlisle Adams First AES Candidate Conference August 20-22, 1998
Orchestrating Enterprise Security ã1997 Entrust Technologies “Vital Statistics” FName • CAST-256 FInventors • Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener FKey Sizes • 128, 160, 192, 224, 256 bits FBlock Size • 128 bits
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 2 Outline FHistory FDescription FAnalysis F“Features and Advantages” FConclusions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 3 History F1985-86 • Advice: “don’t go into crypto.; no future” F1988-90 • design procedure for symmetric ciphers - Boolean functions, s-boxes, round functions, key scheduling, overall framework F1992-93 • the name “CAST” introduced • specification of various parameters • CAST-1, CAST-2 in first Entrust product
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 4 History (cont’d) F1993-95 • modified key schedule: CAST-3 • further concentration on round function • further concentration on s-box design, efficient (networked) construction - preliminary s-boxes: CAST-4 - final s-boxes: CAST-5 • CAST-5 published as “CAST-128” F1995-97 • draft paper distributed and on web site • interest begins to rise
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 5 History (cont’d) F1997 • CAST paper published (DCC) • CAST-128 cipher published (RFC 2144) • interest rises significantly F1997-98 • CAST-128 used to form basis of CAST-256 F1998 • CSE endorsement of CAST-128 • CAST-256 submitted as AES candidate
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 6 Description FBased on CAST-128 • identical round function FExpansion to 128-bit block • simple generalization of Feistel structure FExpansion to 256-bit key • uses encryption (256-bit block) to generate round keys
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 7 Feistel Network
L R
k0 +
R L
k1 +
L R
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 8 “Incomplete” Feistel Network
L R A B C
k0 k0 + +
R L C A B
k1 k1 + +
L R B C A
k2 +
A B C
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 9 “Incomplete” Feistel Network
L R A B C A B C D
k0 k0 k0 + + +
R L C A B D A B C
k1 k1 k1 + + +
L R B C A C D A B
k2 k2 + +
A B C B C D A
k3 +
A B C D Orchestrating Enterprise Security ã1997 Entrust Technologies p. 10 CAST-256 Notation
A B C D
k0 + C = C Å f (D, k (i) ,k (i) ) 1 r0 m0 (i) (i) B = B Å f 2 (C, kr , km ) b ¬ Q (b) 1 1 D A B C i A = AÅ f (B,k (i ) ,k (i ) ) 3 r2 m2 (i) (i) { D = D Å f1 ( A,kr , km ) k1 3 3 + “Forward Quad-Round”
C D A B
k2 D = D Å f ( A,k (i) , k (i) ) + 1 r3 m3 (i ) (i ) A = AÅ f 3 (B,kr ,km ) b ¬ Q (b) 2 2 i B = B Å f (C, k (i) , k (i) ) 2 r1 m1 B C D A (i) (i) { C = C Å f1 (D, kr ,km ) 0 0 k3 “Reverse Quad-Round” +
A B C D Orchestrating Enterprise Security ã1997 Entrust Technologies p. 11 CAST-256 Cipher
b = 128 bits of plaintext.
for (i = 0; i < 6; i + +)
b ¬ Qi (b) for (i = 6; i < 12; i + +)
b ¬ Qi (b)
128 bits of ciphertext = b
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 12 CAST-256 Key Schedule k = ABCDEFGH = 256 bits of primary key, K. for (i = 0; i < 12 ; i + + ){
k ¬ w 2 i (k ) k ¬ w 2 i +1 (k ) (i ) k r ¬ k (i ) k m ¬ k } G = G Å f (H,t (i) ,t (i) ) 1 r0 m0 F = F Å f (G,t (i) ,t (i) ) 2 r1 m1 E = E Å f (F,t (i) ,t (i) ) 3 r2 m2 D = D Å f (E,t (i) ,t (i) ) k ¬ w (k) 1 r3 m3 i C = C Å f (D,t (i) ,t (i) ) 2 r4 m4 { (i) (i) B = B Å f (C,t ,t ) 3 r5 m5 A = AÅ f (B,t (i) ,t (i) ) 1 r6 m6 H = H Å f ( A,t (i) ,t (i) ) 2 r7 m7 Orchestrating Enterprise Security ã1997 Entrust Technologies p. 13 CAST-256 Key Schedule (cont’d)
30 cm = 2 2 = 5A82799916 30 mm = 2 3 = 6ED9EBA116
cr = 19
mr = 17
for(i = 0; i < 24; i + +) for( j = 0; j < 8; j + +){ (i ) tm j = cm 32 cm = (cm + mm ) mod 2 t (i ) c rj = r
cr = (cr + mr ) mod 32 }
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 14 Outline FHistory FDescription FAnalysis F“Features and Advantages” FConclusions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 15 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 16 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 17 Boolean Functions F“Bent” functions of 8 variables • highest possible nonlinearity over all binary Boolean functions (120) • nonlinear order of 4 (highest possible for bent functions)
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 18 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 19 S-Boxes FProperties • XOR difference table of 0’s and 2’s • nonlinearity of 74 • DMOSAC = 0
• DHOBIC32,1 = 36 • row weight distribution: approx. binomial • row pair wt. distribution: approx. binomial • average column weight: 128
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 20 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 21 Key Mixing FNon-surjective attack considerations • key entropy per round = 37 bits FDifferential, Linear considerations • combination of masking key, rotation key, and mixed operations for data combining
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 22 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 23 Mixed Operations FExperimental work • combinations of pairs and triples of s-boxes using XOR, addition, subtraction - examination of XOR diff. distribution table - significant drop in maximum entry FTheoretical work • deriving probability of maximum entry exceeding a specific bound - supports experimental evidence
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 24 Mixed Operations (cont’d) FAppear to • increase resistance to linear, differential attacks by decreasing round probability FAppear to • significantly increase resistance to higher- order differential attacks
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 25 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 26 Multiple Round Functions FAppear to • increase complexity of constructing differential and linear characteristics - order of round functions precludes iteration of some low-round characteristics
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 27 Analysis (cont’d) FParticular to CAST-256 • Generalized (“incomplete”) Feistel - security of quad-round - security of “forward then reverse” quad-rounds - number of rounds • Key schedule - security of overall structure - equivalent, weak, semi-weak keys
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 28 Outline FHistory FDescription FAnalysis F“Features and Advantages” FConclusions
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 29 “Features and Advantages” FHistory • CAST design procedure has been under scrutiny for almost 10 years (both public and private)
• minor weaknesses have been found - non-surjective attack, HOD attack but nothing extendable beyond 5-6 rounds
• CAST-128 has received most extensive analysis and appears to be strong
• CAST-256 inherits the strength of the round fn.
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 30 “Features and Advantages” (cont’d) FFramework • generalized Feistel structure is a clean, intuitive design that facilitates understanding and analysis
• single structure for encryption and decryption • other blocksizes can be accommodated, if desired • 48 rounds is a lot of rounds...!
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 31 “Features and Advantages” (cont’d) FKey Schedule • properties of cipher give properties of round keys (e.g., independence)
• provable non-existence of equivalent keys, unlikelihood of weak and semi-weak keys
• partial knowledge of round keys is of little help
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 32 Conclusion
• CAST-256 is a strong candidate for AES - performance is quite good (2/3 that of CAST-128)
- code size and complexity are reasonable
- multiple key sizes supported (without any change in performance)
- multiple block sizes may also be specified
• Thanks again to NIST for designing and running the AES process as well as they have!
Orchestrating Enterprise Security ã1997 Entrust Technologies p. 33