CAST Encryption Algorithm Related Publications
- C.M. Adams, "A Formal and Practical Design Procedure for Substitution-Permutation Network Cryptosystems", PhD Thesis, Queen's University, Kingston, Ontario, Canada, September 1990.
- C. Adams, "Symmetric cryptographic system for data encryption", U.S. Patent # 5,511,123, April 23, 1996.
- C.M. Adams, "Constructing Symmetric Ciphers Using the CAST Design Procedure", Designs, Codes, and Cryptography, Vol. 12, No. 3, pp. 283-316, 1997.
This paper describes the CAST design procedure for constructing
a family of DES-like Substitution-Permutation Network (SPN) cryptosystems
which appear to have good resistance to differential cryptanalysis, linear
cryptanalysis, and related-key cryptanalysis, along with a number of other
desirable cryptographic properties. Details of the design choices in the
procedure are given, including those regarding the component substitution
boxes (s-boxes), the overall framework, the key schedule, and the round function.
An example CAST cipher, an output of this design procedure, is presented
as an aid to understanding the concepts and to encourage detailed analysis
by the cryptologic community.
- C.M. Adams, "CAST Design Procedure Addendum".
This addendum to the CAST paper (above) specifies how to use CAST with a variable key size (40 to 128 bits), provides test vectors for 40-, 80-, and 128-bit keys (so that implementations can be verified for correctness), and includes some AlgorithmIdentifiers (i.e., OBJECT IDENTIFIERs with associated Parameters) which have been defined for CAST.
- C.M. Adams and S.E. Tavares, "The Use of Bent Sequences to Achieve Higher-Order Strict Avalanche Criterion in S-Box Design", Technical Report TR 90-013, Department of Electrical Engineering, Queen's University, Kingston, Ontario, January 1990.
Recently, Pieprzyk and Finkelstein described a construction procedure for
the substitution boxes (s-boxes) of Substitution-Permutation Network cryptosystems
which yielded s-boxes of high nonlinearity. Shortly afterward, in seemingly unrelated
work, Yarlagadda and Hershey discussed the analysis and synthesis of binary bent
sequences of length 4^(k), for k a positive integer. In this paper, we report on work which
not only extends the results of both of these papers, but also combines them through the
concept of "higher orders" of the Strict Avalanche Criterion for Boolean functions. We
discuss the implications for s-box design and the use of such s-boxes in the construction
of DES-like cryptosystems.
- J. Lee, H.M. Heys, and S.E. Tavares, "Resistance of a CAST-like Encryption Algorithm to
Linear and Differential Cryptanalysis", Designs, Codes, and Cryptography, Vol. 12, No. 3, pp. 267-282, 1997.
Linear cryptanalysis and differential cryptanalysis are two recently
introduced, powerful methodologies for attacking private-key ciphers.
In this paper, we examine the application of these two cryptanalysis
techniques to a CAST-like encryption algorithm based on randomly
generated s-boxes. It is shown that, when randomly generated s-boxes
are used in a CAST-like algorithm, the resulting cipher is resistant
to both the linear attack and the differential attack.
- V. Rijmen, B. Preneel and E. De Win, "On weaknesses of non-surjective round functions", Designs, Codes, and Cryptography, Vol. 12, No. 3, pp. 253-266, 1997.
- A.M. Youssef, S.E. Tavares, S. Mister and C.M. Adams, "Linear approximation of Injective S-boxes", IEE Electronics Letters, Vol. 31, No. 25, pp. 2168-2169, 1995.
In this letter the authors derive an estimate for the expected nonlinearity of a
randomly selected injective substitution box. In particular, they show that
the expected value of the nonlinearity of a randomly selected 8x32 s-box
(the same dimensions as the CAST s-boxes) is about 72. The theoretical argument is supported with experimental results.
- A.M. Youssef, Z. Chen and S.E. Tavares, "Construction of Highly Nonlinear Injective S-boxes with Application to CAST-like Encryption Algorithm", To appear in the proceedings of the Canadian Conference on Electrical and Computer Engineering (CCECE'
In this paper we present two methods for constructing highly
nonlinear injective s-boxes. Both of these methods, which are based on
exponential sums, outperform previously proposed methods. In
particular, we are able to obtain injective 8x32 s-boxes with nonlinearity
equal to 80 and maximum XOR table entry of 2. We also re-evaluate the resistance of the CAST-like encryption algorithms constructed using
randomly selected s-boxes to the basic linear cryptanalysis.
- S. Mister and C. Adams, "Practical S-Box Design", Workshop on Selected Areas in Cryptography, SAC '96, Workshop Record, pp. 61-76, 1996.
Much of the security of a block cipher based on the Feistel network
depends on the properties of the substitution boxes (s-boxes) used in
the round function. This paper presents one effort to construct
large, cryptographically secure s-boxes, contrasting theoretical and
practical limitations, and highlighting areas for future research.
Several (known) bent function construction methods are summarized, and
properties of the resulting bent functions are discussed. A rapid
method for calculating the nonlinearity of a boolean function, based
on the Hadamard matrix, is described.
The constructions presented are based on the use of bent functions as
s-box columns. This ensures that the maximum order strict avalanche
criterion (SAC) is satisfied. The construction attempts to maximize
nonlinearity, minimize the largest s-box XOR table entry and distance
to maximum order bit independence criterion (BIC), and ensures that
the column and row weight distributions are approximately binomial.
The best characteristics achieved for a generated s-box are compared
to those obtained for a randomly generated s-box. The constructed
s-box is at least as good with respect to all of these properties, and
is slightly better with respect to nonlinearity and distance to higher
- H. Heys and S. Tavares, "On the Security of the CAST Encryption
Algorithm", Proceedings of the Canadian Conference on Electrical and
Computer Engineering, Halifax, NS, Canada, Sept. 1994, pp.332-335.
- C. Adams, "Simple and Effective Key Scheduling for Symmetric Ciphers", Workshop on Selected Areas in Cryptography, SAC '94, Workshop Record, pp. 129-133, 1994.
- C. Adams, "Designing DES-like Ciphers with Guaranteed Resistance to Differential and Linear Attacks", Workshop on Selected Areas in Cryptography, SAC '95, Workshop Record, pp. 133-144, 1995.
- C. Adams and S. Tavares, "Designing S-Boxes for Ciphers Resistant to
Differential Cryptanalysis", Proceedings of the 3rd Symposium on State
and Progress of Research in Cryptography, Rome, Italy, 1993, pp.181-190.
- B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source
Code in C (2nd edition), John Wiley & Sons, 1996, pp.334-335.
- A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied
Cryptography, CRC Press, 1997, p.281.
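Several of the abstracts above quote s-box figures (the expected nonlinearity of a randomly selected injective 8x32 s-box, the largest XOR table entry, bent functions as s-box columns to obtain the strict avalanche criterion, and the Hadamard-transform method for computing nonlinearity) without showing how such figures are measured. The Python below is an added example written for this page; it is not code from any of the listed papers or from a CAST implementation. It assumes 8-bit s-box inputs, Boolean functions given as truth tables of 2^n bits and s-boxes given as lists of 256 integers, and it generates bent columns with the standard Maiorana-McFarland construction, which is a choice made here rather than the construction used in the papers.

```python
# Added example (not from the papers listed above): measuring the s-box
# properties these papers discuss. Assumptions: 8-bit inputs, truth tables as
# lists of 2^n bits, s-boxes as lists of 256 integers.
import random


def fwht(values):
    """Fast Walsh-Hadamard transform of a length-2^n sequence (returns a new list)."""
    a = list(values)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a


def nonlinearity(truth_table):
    """NL = 2^(n-1) - max|W_f(a)|/2, with the Walsh spectrum W_f obtained from one
    Hadamard transform of (-1)^f instead of 2^(n+1) separate affine comparisons."""
    spectrum = fwht([1 - 2 * bit for bit in truth_table])
    return len(truth_table) // 2 - max(abs(w) for w in spectrum) // 2


def satisfies_sac(truth_table):
    """Strict Avalanche Criterion: complementing any single input bit changes the
    output for exactly half of all inputs."""
    size = len(truth_table)
    for bit in range(size.bit_length() - 1):
        flips = sum(truth_table[x] ^ truth_table[x ^ (1 << bit)] for x in range(size))
        if flips != size // 2:
            return False
    return True


def maiorana_mcfarland_bent(perm, g):
    """8-variable bent function f(x, y) = <x, perm(y)> xor g(y); x is the high and
    y the low nibble, perm a permutation of 0..15, g any 16-entry truth table.
    Bent functions reach the maximum nonlinearity 2^7 - 2^3 = 120."""
    truth_table = []
    for v in range(256):
        x, y = v >> 4, v & 0xF
        truth_table.append((bin(x & perm[y]).count("1") & 1) ^ g[y])
    return truth_table


def sbox_column(sbox, bit):
    """Output bit `bit` of every entry, as a Boolean-function truth table."""
    return [(s >> bit) & 1 for s in sbox]


def sbox_nonlinearity(sbox, out_bits):
    """Minimum nonlinearity over all nonzero output masks (XOR-combinations of
    columns). Exhaustive, so practical only for small out_bits: an 8x32 box has
    2^32 - 1 masks, which is why the papers above estimate that case analytically."""
    best = len(sbox)
    for mask in range(1, 1 << out_bits):
        best = min(best, nonlinearity([bin(s & mask).count("1") & 1 for s in sbox]))
    return best


def max_xor_table_entry(sbox):
    """Largest XOR (difference distribution) table entry over nonzero input
    differences. Entries are always even (x and x ^ a give the same output
    difference), so 2 is the best an injective box can achieve."""
    worst = 0
    for a in range(1, len(sbox)):
        counts = {}
        for x in range(len(sbox)):
            d = sbox[x] ^ sbox[x ^ a]
            counts[d] = counts.get(d, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst


def random_injective_sbox(rng, out_bits=32):
    """Uniformly random injective 8 x out_bits s-box (all 256 outputs distinct)."""
    return rng.sample(range(1 << out_bits), 256)


def bent_column_sbox(rng, out_bits=32):
    """8 x out_bits s-box whose columns are independent random bent functions."""
    cols = [maiorana_mcfarland_bent(rng.sample(range(16), 16),
                                    [rng.randrange(2) for _ in range(16)])
            for _ in range(out_bits)]
    return [sum(cols[b][v] << b for b in range(out_bits)) for v in range(256)]


def summarize(sbox, out_bits=32):
    """Column nonlinearity range, column SAC, and the worst XOR-table entry."""
    columns = [sbox_column(sbox, b) for b in range(out_bits)]
    nls = [nonlinearity(c) for c in columns]
    return {"min_column_nl": min(nls), "max_column_nl": max(nls),
            "all_columns_sac": all(satisfies_sac(c) for c in columns),
            "max_xor_entry": max_xor_table_entry(sbox)}


def demo(seed=1997):
    """Compare a random injective 8x32 box with a bent-column 8x32 box (fixed seed)."""
    rng = random.Random(seed)
    return {"random": summarize(random_injective_sbox(rng)),
            "bent": summarize(bent_column_sbox(rng))}


if __name__ == "__main__":
    for name, stats in demo().items():
        print(name, stats)
```

The per-column figures are only an upper bound on the nonlinearity of the whole box, because the box's nonlinearity is the minimum over every nonzero output mask and single-column masks are just 32 of the 2^32 - 1 candidates; this is exactly why the 8x32 value of about 72 is derived analytically in the Electronics Letters entry rather than measured. `sbox_nonlinearity` is exhaustive and meant for small output widths such as 8x8. A random injective box passes the injectivity requirement but its columns are neither bent nor guaranteed to satisfy SAC, whereas every column of the bent-column box has nonlinearity 120 and passes the plain SAC check, which is the motivation for the bent-column construction in the "Practical S-Box Design" entry.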
This page belongs to the Queen's Cryptography and Data Security Lab and is maintained by Amr Youssef.