Linear Analysis of reduced-round CAST-128 and CAST-256
Jorge Nakahara Jr (1), Mads Rasmussen (2)
(1) UNISANTOS, Brazil
(2) LSI-TEC, PKI Certification department
SBSeg 2007, NCE/UFRJ, Rio de Janeiro
Summary
• The CAST-128 and CAST-256 Block Ciphers
• Linear Cryptanalysis: brief overview
• Linear Analysis of CAST-128 and CAST-256
• Attack Details
• Conclusions and Open Problems
CAST-128
• 64-bit iterated block cipher
• key: 40 bits up to 128 bits (increments of 8 bits)
• 12 up to 16 rounds
• Feistel Network structure
• designed by C. Adams and S. Tavares (1996)
• S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996
CAST-128
• CAST-128 is part of the GnuPG suite of
cryptographic algorithms (nicknamed CAST-5)
• CAST-128 uses fixed 8x32-bit S-boxes: for
encryption and decryption (S1, S2, S3, S4) and for
the key schedule (S5, S6, S7, S8)
• round operations: + and - (modulo 2^32), <<< (rotation), ⊕ (XOR)
• three round functions: f1, f2 and f3
• An official algorithm for use with the Canadian
Government:
http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html
CAST-128: round functions
[Figure: the three CAST-128 round functions f1, f2 and f3]
CAST-256
• a former candidate to the Advanced Encryption
Standard (AES) Development Process (1997)
• 128-bit iterated block cipher
• 128-, 192- and 256-bit key
• 48 rounds for all key sizes
• generalized Feistel Network structure
• S-box design procedure patented by Entrust
Technologies Inc: U.S. patent 5,511,123, filed
Aug. 4, 1994, issued Apr. 3, 1996
CAST-256: one quad-round
[Figure: one quad-round of CAST-256, with the round functions f1, f2, f3 and f1 labelled]
CAST-256
• full CAST-256: six quad-rounds + six inverse
quad-rounds
[Figure: one inverse quad-round = one quad-round upside down (round functions f1, f2, f3 labelled)]
Linear Cryptanalysis
• developed by Mitsuru Matsui (Mitsubishi Corp)
• first ideas: Adi Shamir (DES S-boxes’ parity),
1994
• applied to FEAL-4 cipher (Sean Murphy, 1989),
then to FEAL-8, DES (Matsui, 1991-1993)
• known-plaintext (KP) attack (sometimes, can
also work in a ciphertext-only setting)
• general cryptanalytic technique: used against
block ciphers, stream ciphers, and other crypto
algorithms
Linear Cryptanalysis
• basic notions:
• linear relation: a linear combination (XOR) of bits of plaintext, ciphertext and key
• linear approximation: a Boolean function that holds with non-uniform parity (probability away from ½)
• bias: the difference between the probability of 0-parity and ½
• the higher the bias, the more effective the linear approximation
• number of KP for a high-success attack: ≈ bias^-2
Linear Cryptanalysis
• strategy: derive linear approximations for each individual cipher component
• non-linear components are the main targets
• combine linear approximations of consecutive components until a full round is covered
• for multiple rounds, use Matsui’s Piling-Up
Lemma
• this Lemma assumes all round approximations
are independent, which is not always true (but is
usually good enough for practical purposes, e.g.
DES)
Linear Analysis of CAST-128
• 8x32-bit S-boxes are always non-surjective mappings (256 inputs cannot cover 2^32 outputs)
• modular addition and subtraction in the round function F
• motivation for linear approximations across the S-box of the form 0 (all-zero 8-bit input mask) → nonzero 32-bit output mask
• the bias for all S-boxes S1,...,S4 with output mask 1 is 2^-5
• we use output mask 1 (least significant bit) to bypass the modular addition and subtraction after the S-boxes in the round function
Linear Analysis of CAST-128
[Figure: linear approximation across round function f1]
Linear Analysis of CAST-128
• iterative linear relations: input and output bit masks are
identical, so that it can be concatenated to itself, with a fixed
decrease in the bias
• for CAST-128: 2-round iterative linear relations with one active F function
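As an added illustration (code written for this edit, not from the slides or from the CAST specifications), the following Python ties together the notions used above: the signed bias of a linear approximation across an S-box, Matsui's Piling-Up Lemma, the bias of an iterative relation concatenated with itself, the bias^-2 estimate of known plaintexts, and a check of why output mask 1 passes through modular addition and subtraction unchanged (the least significant bit of x+y and x-y is lsb(x) XOR lsb(y), since no carry enters bit 0). The 8x32-bit S-box it uses is a seeded random stand-in, not S1,...,S4 of CAST, so its 0 → 1 bias is only of the same rough size (for a random 256-entry table that bias is typically around 2^-5 in magnitude); the seed, the function names and the mask convention are this example's own assumptions.

```python
# Added example (not from the slides): linear-approximation bias, Piling-Up
# Lemma, iterative relations, and the LSB trick that bypasses modular +/-.
import math
import random
from fractions import Fraction


def parity(x: int) -> int:
    """Parity (XOR of all bits) of the non-negative integer x."""
    return bin(x).count("1") & 1


def sbox_bias(sbox, in_mask: int, out_mask: int) -> Fraction:
    """Signed bias of the approximation  in_mask.x XOR out_mask.S[x] = 0
    over all inputs x:  Pr[parity = 0] - 1/2  (exact, as a Fraction)."""
    zeros = sum(1 for x, y in enumerate(sbox)
                if parity((in_mask & x) ^ (out_mask & y)) == 0)
    return Fraction(zeros, len(sbox)) - Fraction(1, 2)


def piling_up(biases) -> Fraction:
    """Piling-Up Lemma: the XOR of n independent approximations with biases
    eps_1..eps_n has bias 2^(n-1) * prod(eps_i)."""
    result = Fraction(1, 2)
    for eps in biases:
        result *= 2 * eps
    return result


def iterated_bias(round_bias: Fraction, repeats: int) -> Fraction:
    """Bias of an iterative relation concatenated with itself `repeats` times
    (each copy contributes the same bias, Piling-Up assumed to hold)."""
    return piling_up([round_bias] * repeats)


def data_complexity(bias: Fraction) -> int:
    """Rule of thumb from the slides: known plaintexts ~ bias^-2."""
    return int(1 / (bias * bias))


def lsb_passes_through_modular_add_sub(bits: int = 8) -> bool:
    """Exhaustively check that lsb(x + y mod 2^bits) == lsb(x - y mod 2^bits)
    == lsb(x) XOR lsb(y): an output mask of 1 is unaffected by modular +/-."""
    mod = 1 << bits
    for x in range(mod):
        for y in range(mod):
            expected = (x & 1) ^ (y & 1)
            if ((x + y) % mod) & 1 != expected:
                return False
            if ((x - y) % mod) & 1 != expected:
                return False
    return True


def constructed_sbox_8x32(seed: int = 2007):
    """A constructed (seeded random) 8x32-bit S-box: 256 entries of 32 bits.
    This is NOT a CAST S-box; any such table is non-surjective onto 32-bit words."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(256)]


def lsb_bias_with_zero_input_mask(sbox) -> Fraction:
    """Bias of the approximation 0 -> 1: no input bits, LSB of the output."""
    return sbox_bias(sbox, 0, 1)


if __name__ == "__main__":
    S = constructed_sbox_8x32()
    eps = lsb_bias_with_zero_input_mask(S)
    size = "2^%.2f" % math.log2(abs(eps)) if eps else "0"
    print("0 -> 1 bias on the constructed S-box:", eps, "(~%s)" % size)
    print("LSB bypasses modular +/- (8-bit check):",
          lsb_passes_through_modular_add_sub(8))
    # The slides' per-S-box bias 2^-5, used once per active F, iterated:
    one_f = Fraction(1, 32)
    for r in (1, 2, 3):
        b = iterated_bias(one_f, r)
        print("%d active F: bias %s (~2^%d), KP ~ 2^%d"
              % (r, b, math.log2(b), math.log2(data_complexity(b))))
```

`sbox_bias` is generic in the input and output widths, so it can be run over any table, including the real CAST S-boxes from RFC 2144 if they are pasted in; `piling_up` takes signed biases, so the sign of the combined approximation comes out correctly as well.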
Linear Analysis of CAST-256
• CAST-256 S-boxes are the same as those of CAST-128
• thus, the same bit masks are used: 0 → 1
• similarly, we look for iterative linear relations
• result: 4-round iterative linear relations, i.e. one-quad-round iterative linear relations
Linear Analysis of CAST-256
[Figure: one-quad-round iterative linear relation, 1 active F per quad-round]
[Figure: other combinations of active F functions]
[Figure: the bit mask controls which F is active]
Attack Results on reduced-round CAST-128

  #Rounds   Data/Memory   Time     Comments
  2         2^37          2^37     distinguishing attack
  3         2^37          2^37     distinguishing attack
  4         2^37          2^72.5   key-recovery attack

Attack Results on reduced-round CAST-256

  #Rounds   Data/Memory   Time     Comments
  4         2^37          2^37     distinguishing attack
  5         2^37          2^71.7   key-recovery attack
  8         2^69          2^69     distinguishing attack
  9         2^69          2^103    key-recovery attack
  12        2^101         2^101    distinguishing attack

Conclusions
• first known-plaintext attack reported on (reduced-round) CAST-128 and CAST-256
• the attacks exploit the non-surjectivity of the 8x32-bit S-boxes (a property of any such mapping)
Open Problems
• we found quadratic equations for all four S-boxes S1,...,S4 of CAST-128/CAST-256. The question is: can we use them in a (pure) algebraic attack?
• what about combining linear and quadratic equations?