The CAST-256 Encryption Algorithm
Cited by 49 (0 self)
This document contains several sections of the CAST-256 AES Submission Package delivered to NIST on June 9th, 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that public analysis of the CAST-256 algorithm may begin (see, for example, http://www.ii.uib.no/~larsr/aes.html for the current status of submitted algorithms). Many thanks are due to those who worked with me in the (long, challenging, frustrating, and very enjoyable!) design and analysis phases that ultimately led to the detailed specification given below: Howard Heys (Memorial University); Stafford Tavares (Queen's University); and Michael Wiener (Entrust). As well, many thanks are due to the two who did the various implementations on a variety of platforms (Reference C, Optimized C, Optimized Java, and even M6811 Assembler): Serge Mister and Ian Clysdale (both
Higher Order Differential Attack of a CAST Cipher
Proceedings of the Fifth International Workshop on Fast Software Encryption, 1998
Cited by 4 (1 self)
Abstract. This paper proposes a new higher order differential attack. The higher order differential attack proposed at FSE’97 by Jakobsen and Knudsen used exhaustive search for recovering the last round key. Our new attack improves the complexity to the cost of solving a linear system of equations. As an example we show the higher order differential attack of a CAST cipher with 5 rounds. The required number of chosen plaintexts is 2^17 and the required complexity is less than 2^25 times the computation of the round function. Our experimental results show that the last round key of the CAST cipher with 5 rounds can be recovered in less than 15 seconds on an UltraSPARC station.
An Analysis of the CAST-256 Cipher
1999
Cited by 2 (0 self)
In this paper, we examine the cryptographic security of the CAST-256 symmetric block encryption algorithm. The CAST-256 cipher has been proposed as a candidate for the Advanced Encryption Standard currently under consideration by the U.S. National Institute of Standards and Technology (NIST). It has been designed for a 128-bit block size and variable key sizes of up to 256 bits to suit AES requirements. In this paper, we specifically consider the cryptographic security of the cipher in relation to the cryptanalytic property of diffusion and the cryptanalysis techniques of linear and differential cryptanalysis.
1 Introduction
The CAST-256 [1] cipher is a new symmetric block cipher with a 128-bit block size and has been submitted as a candidate for the Advanced Encryption Standard (AES) [2]. The design of CAST-256 was derived from the CAST-128 cipher [3], a 64-bit block cipher, and benefits from the results of analysis of this earlier cipher [4]. Due to the relatively large block size ...
Asymptotic Bounds on Differential Probabilities
1998
Let ; (ff ! fi) be the probability of a differential approximation to the n-bit permutation , determined with respect to the group (Z ). The probability is determined from the difference table ; for which ; (ff; fi) = 2 ; (ff ! fi). We show that the distribution of asymptotically follows a Poisson distribution. Let ; (fffi) where I is the identity of (Z ), and define B n = ln N \Gamma 1). Our main results are to show that with high probability for a random permutation , Pr (2B n ; ! 2n) = \Phi, and Pr ; ! 2B n ) 2 f + ; fig, where + and fi denote modular addition and modular multiplication. Thus XOR differences admit higher probability approximations for random permutations than differences with respect to + and fi. Further, with high probability, the best differential probability for a random 64-bit permutation with respect to XOR differences lies in the interval [2 ].

