CAST-256 A Submission for the Advanced Encryption Standard

Carlisle Adams First AES Candidate Conference August 20-22, 1998

Orchestrating Enterprise Security ã1997 Entrust Technologies “Vital Statistics” FName • CAST-256 FInventors • Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener FKey Sizes • 128, 160, 192, 224, 256 bits FBlock Size • 128 bits

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 2 Outline FHistory FDescription FAnalysis F“Features and Advantages” FConclusions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 3 History F1985-86 • Advice: “don’t go into crypto.; no future” F1988-90 • design procedure for symmetric ciphers - Boolean functions, s-boxes, round functions, key scheduling, overall framework F1992-93 • the name “CAST” introduced • specification of various parameters • CAST-1, CAST-2 in first Entrust product

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 4 History (cont’d) F1993-95 • modified key schedule: CAST-3 • further concentration on round function • further concentration on s-box design, efficient (networked) construction - preliminary s-boxes: CAST-4 - final s-boxes: CAST-5 • CAST-5 published as “CAST-128” F1995-97 • draft paper distributed and on web site • interest begins to rise

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 5 History (cont’d) F1997 • CAST paper published (DCC) • CAST-128 cipher published (RFC 2144) • interest rises significantly F1997-98 • CAST-128 used to form basis of CAST-256 F1998 • CSE endorsement of CAST-128 • CAST-256 submitted as AES candidate

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 6 Description FBased on CAST-128 • identical round function FExpansion to 128-bit block • simple generalization of Feistel structure FExpansion to 256-bit key • uses encryption (256-bit block) to generate round keys

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 7 Feistel Network

L R

k0 +

R L

k1 +

L R

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 8 “Incomplete” Feistel Network

L R A B C

k0 k0 + +

R L C A B

k1 k1 + +

L R B C A

k2 +

A B C

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 9 “Incomplete” Feistel Network

L R A B C A B C D

k0 k0 k0 + + +

R L C A B D A B C

k1 k1 k1 + + +

L R B C A C D A B

k2 k2 + +

A B C B C D A

k3 +

A B C D Orchestrating Enterprise Security ã1997 Entrust Technologies p. 10 CAST-256 Notation

A B C D

k0 + C = C Å f (D, k (i) ,k (i) ) 1 r0 m0 (i) (i) B = B Å f 2 (C, kr , km ) b ¬ Q (b) 1 1 D A B C i A = AÅ f (B,k (i ) ,k (i ) ) 3 r2 m2 (i) (i) { D = D Å f1 ( A,kr , km ) k1 3 3 + “Forward Quad-Round”

C D A B

k2 D = D Å f ( A,k (i) , k (i) ) + 1 r3 m3 (i ) (i ) A = AÅ f 3 (B,kr ,km ) b ¬ Q (b) 2 2 i B = B Å f (C, k (i) , k (i) ) 2 r1 m1 B C D A (i) (i) { C = C Å f1 (D, kr ,km ) 0 0 k3 “Reverse Quad-Round” +

A B C D Orchestrating Enterprise Security ã1997 Entrust Technologies p. 11 CAST-256 Cipher

b = 128 bits of plaintext.

for (i = 0; i < 6; i + +)

b ¬ Qi (b) for (i = 6; i < 12; i + +)

b ¬ Qi (b)

128 bits of ciphertext = b

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 12 CAST-256 Key Schedule k = ABCDEFGH = 256 bits of primary key, K. for (i = 0; i < 12 ; i + + ){

k ¬ w 2 i (k ) k ¬ w 2 i +1 (k ) (i ) k r ¬ k (i ) k m ¬ k } G = G Å f (H,t (i) ,t (i) ) 1 r0 m0 F = F Å f (G,t (i) ,t (i) ) 2 r1 m1 E = E Å f (F,t (i) ,t (i) ) 3 r2 m2 D = D Å f (E,t (i) ,t (i) ) k ¬ w (k) 1 r3 m3 i C = C Å f (D,t (i) ,t (i) ) 2 r4 m4 { (i) (i) B = B Å f (C,t ,t ) 3 r5 m5 A = AÅ f (B,t (i) ,t (i) ) 1 r6 m6 H = H Å f ( A,t (i) ,t (i) ) 2 r7 m7 Orchestrating Enterprise Security ã1997 Entrust Technologies p. 13 CAST-256 Key Schedule (cont’d)

30 cm = 2 2 = 5A82799916 30 mm = 2 3 = 6ED9EBA116

cr = 19

mr = 17

for(i = 0; i < 24; i + +) for( j = 0; j < 8; j + +){ (i ) tm j = cm 32 cm = (cm + mm ) mod 2 t (i ) c rj = r

cr = (cr + mr ) mod 32 }

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 14 Outline FHistory FDescription FAnalysis F“Features and Advantages” FConclusions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 15 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 16 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 17 Boolean Functions F“Bent” functions of 8 variables • highest possible nonlinearity over all binary Boolean functions (120) • nonlinear order of 4 (highest possible for bent functions)

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 18 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 19 S-Boxes FProperties • XOR difference table of 0’s and 2’s • nonlinearity of 74 • DMOSAC = 0

• DHOBIC32,1 = 36 • row weight distribution: approx. binomial • row pair wt. distribution: approx. binomial • average column weight: 128

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 20 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 21 Key Mixing FNon-surjective attack considerations • key entropy per round = 37 bits FDifferential, Linear considerations • combination of masking key, rotation key, and mixed operations for data combining

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 22 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 23 Mixed Operations FExperimental work • combinations of pairs and triples of s-boxes using XOR, addition, subtraction - examination of XOR diff. distribution table - significant drop in maximum entry FTheoretical work • deriving probability of maximum entry exceeding a specific bound - supports experimental evidence

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 24 Mixed Operations (cont’d) FAppear to • increase resistance to linear, differential attacks by decreasing round probability FAppear to • significantly increase resistance to higher- order differential attacks

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 25 Analysis FInherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 26 Multiple Round Functions FAppear to • increase complexity of constructing differential and linear characteristics - order of round functions precludes iteration of some low-round characteristics

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 27 Analysis (cont’d) FParticular to CAST-256 • Generalized (“incomplete”) Feistel - security of quad-round - security of “forward then reverse” quad-rounds - number of rounds • Key schedule - security of overall structure - equivalent, weak, semi-weak keys

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 28 Outline FHistory FDescription FAnalysis F“Features and Advantages” FConclusions

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 29 “Features and Advantages” FHistory • CAST design procedure has been under scrutiny for almost 10 years (both public and private)

• minor weaknesses have been found - non-surjective attack, HOD attack but nothing extendable beyond 5-6 rounds

• CAST-128 has received most extensive analysis and appears to be strong

• CAST-256 inherits the strength of the round fn.

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 30 “Features and Advantages” (cont’d) FFramework • generalized Feistel structure is a clean, intuitive design that facilitates understanding and analysis

• single structure for encryption and decryption • other blocksizes can be accommodated, if desired • 48 rounds is a lot of rounds...!

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 31 “Features and Advantages” (cont’d) FKey Schedule • properties of cipher give properties of round keys (e.g., independence)

• provable non-existence of equivalent keys, unlikelihood of weak and semi-weak keys

• partial knowledge of round keys is of little help

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 32 Conclusion

• CAST-256 is a strong candidate for AES - performance is quite good (2/3 that of CAST-128)

- code size and complexity are reasonable

- multiple key sizes supported (without any change in performance)

- multiple block sizes may also be specified

• Thanks again to NIST for designing and running the AES process as well as they have!

Orchestrating Enterprise Security ã1997 Entrust Technologies p. 33