On the Security of the CAST Encryption Algorithm - CiteSeerX

21 downloads 516 Views 136KB Size Report
On the Security of the CAST Encryption Algorithm ... Specifically, we investigate the security of the cipher ..... Procedure for Substitution-Permutation Network.
On the Security of the CAST Encryption Algorithm H. M. Heys and S. E. Tavares Department of Electrical and Computer Engineering Queen’s University Kingston, Ontario, Canada email: [email protected] The round function is implemented using S-boxes of dimension where and . The example CAST system presented in [2] uses four S-boxes to implement a 64–bit block cipher. The inputs to the four S-boxes are determined by XORing to the right half-block and then a 32–bit sub-key1 dividing the half-block into four –bit groups. The 32–bit outputs of the four S-boxes are XORed together to produce the output of the function . Letting represent the 32–bit output of the -th S-box given an 8–bit input , the operation of the round function may be represented by

Abstract — In this paper we examine a new private key encryption algorithm referred to as CAST. Specifically, we investigate the security of the cipher with respect to linear cryptanalysis. From our analysis we conclude that it is easy to select S-boxes so that an efficient implementation of the CAST algorithm is demonstrably resistant to linear cryptanalysis.

/ #102*

The CAST encryption algorithm [1][2] belongs to a class of private key block ciphers which are composed of substitution boxes (S-boxes) with fewer input bits than output bits. Recently, a software implementation of the CAST cipher has been developed for application in computer security products [3]. In [2], it is suggested that, with an appropriate number of substitution rounds, the CAST cipher is resistant to differential cryptanalysis [4]. In this paper, we show that the CAST cipher, with an appropriate number of rounds, is resistant to linear cryptanalysis [5]. Similarly to the Data Encryption Standard [6] and other proposed block ciphers, the CAST algorithm consists of a series of rounds of substitutions in order to achieve the “confusion” and “diffusion” principles suggested by Shannon [7]. The basic algorithm structure is illustrated in Figure 1. The algorithm encrypts by dividing the -bit plaintext input block in half. The right halfblock, , is transformed by a round function and then XORed bit-by-bit to the left half-block, . The right and left halves are then swapped. This is repeated for the number of rounds in the cipher, . Consequently, the algorithm may be viewed as the following iterated operation:



/



354576

;:    9  3 49> @ ? AB CD F ? A7B E (2) 4=<  where  ? A7B is the 8 -th byte of  and  ? A7B is the 8 -th byte of  .

In the following section we consider the application of linear cryptanalysis to the CAST algorithm.

G.

Linear Cryptanalysis of CAST

Linear cryptanalysis [5] is one of the most powerful attacks on private key block ciphers. It has been shown that DES is theoretically susceptible to the attack using known plaintexts. To attack a block cipher using a basic linear cryptanalysis technique, the cryptanalyst is interested in the best linear approximation of the form:

* :!H



I KJL MN  I NOPRQ94=JS MM RQ94UTVWRXYJZ MN W[X\



         !

"-,.%

8

6



%')(+*



. Introduction



"$#&%

(3)

Let the probability that equation (3) is satisfied be represented by . If the magnitude is large enough and sufficient plaintext-ciphertext pairs

]_^

d

(1)

1

This format is identical to all so-called DES-like ciphers. The novelty of CAST is the round function .



1

` ]G^Rabc(2*G`

The sub-keys are determined by a key scheduling algorithm. For details of the CAST key scheduling algorithm see [8].

plaintext

L1

the system linear approximation, increases the number of known plaintexts required in the cryptanalysis. Consider the following nonlinearity measures based on the Hamming distance to the nearest affine function.2 Let the distance between two $ -bit functions, % and & , be given by

R1 K1

F

')( L2

R2

%+* &),#-

. /10)24365

K2

F

: & (?; . For comparison we have included the corresponding values for DES. Note that the CAST algorithm is comparable in size to DES and is significantly more resistant to linear cryptanalysis. It should be noted that the bound for ?A@ arises by determining the number of known plaintexts required to determine one key bit. To determine all key bits using linear cryptanalysis, the number of plaintexts will be significantly larger then the bounds listed. For example, for >CBEDGF , ? @IHHJKLK . Clearly, in comparison with a theoretical security level of JKNM (based on the number of encryptions required in an exhaustive key search), a 16–round CAST network constructed using S-boxes with OP3QSRUTCFV is secure against linear cryptanalysis in the strictest theoretical sense. As well, a 12–round CAST cipher requires much more than JW3X known plaintexts, an impractical memory requirement for a cryptanalyst and we can therefore state that such a cipher is secure against a practical linear cryptanalysis. The bound on the 8–round cipher appears low where 64–bit key security is required. However, it should be noted that it would be a very difficult task for a cryptanalyst to find a linear approximation close to the lower bound. Certainly for systems with security requirements on the order of 40 key bits or less, an 8–round cipher would be adequately secure against linear cryptanalysis.

¤

~ ˆ < œ BŸž J ~