CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics and they can attack 5-round CAST-128. In this paper, we studied the properties of round functions F1 and F3 in CAST-128, and identified differential characteristics for F1 round function and F3 round function. So we identified a 6-round differential characteristic with probability 2-53 under 2-23.8 of the total key space. Then based on 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72bits and 9-round CAST-128 with key sizes greater than or equal to 104bits. We give the summary of attacks on reduced-round CAST-128 in Table 10.
[1]
Toshinobu Kaneko,et al.
Differential Cryptanalysis of CAST-256 Reduced to Nine Quad-Rounds
,
2001
.
[2]
Changhui Hu,et al.
New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256
,
2008,
Selected Areas in Cryptography.
[3]
Bruce Schneier,et al.
Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish)
,
1993,
FSE.
[4]
Ali Aydin Selçuk,et al.
On Probability of Success in Linear and Differential Cryptanalysis
,
2008,
Journal of Cryptology.
[5]
Eli Biham,et al.
Differential cryptanalysis of DES-like cryptosystems
,
1990,
Journal of Cryptology.
[6]
Serge Vaudenay,et al.
On the Weak Keys of Blowfish
,
1996,
FSE.