Constructing Symmetric Ciphers Using the CAST Design Procedure

This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
