The CAST256 Encryption Algorithm
Cited by 61 (0 self)
This document contains several sections of the CAST256 AES Submission Package delivered to NIST on June 9th, 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that public analysis of the CAST256 algorithm may begin (see, for example, http://www.ii.uib.no/~larsr/aes.html for the current status of submitted algorithms). Many thanks are due to those who worked with me in the (long, challenging, frustrating, and very enjoyable!) design and analysis phases that ultimately led to the detailed specification given below: Howard Heys (Memorial University); Stafford Tavares (Queen's University); and Michael Wiener (Entrust). As well, many thanks are due to the two who did the various implementations on a variety of platforms (Reference C, Optimized C, Optimized Java, and even M6811 Assembler): Serge Mister and Ian Clysdale (both
Higher Order Differential Attack of a CAST Cipher
Proceedings of the Fifth International Workshop on Fast Software Encryption, 1998
Cited by 6 (1 self)
Abstract. This paper proposes a new higher order differential attack. The higher order differential attack proposed at FSE’97 by Jakobsen and Knudsen used exhaustive search for recovering the last round key. Our new attack improves the complexity to the cost of solving a linear system of equations. As an example we show the higher order differential attack of a CAST cipher with 5 rounds. The required number of chosen plaintexts is $2^{17}$ and the required complexity is less than $2^{25}$ times the computation of the round function. Our experimental results show that the last round key of the CAST cipher with 5 rounds can be recovered in less than 15 seconds on an UltraSPARC station.
An Analysis of the CAST256 Cipher
1999
Cited by 2 (0 self)
In this paper, we examine the cryptographic security of the CAST256 symmetric block encryption algorithm. The CAST256 cipher has been proposed as a candidate for the Advanced Encryption Standard currently under consideration by the U.S. National Institute of Standards and Technology (NIST). It has been designed for a 128-bit block size and variable key sizes of up to 256 bits to suit AES requirements. In this paper, we specifically consider the cryptographic security of the cipher in relation to the cryptanalytic property of diffusion and the cryptanalysis techniques of linear and differential cryptanalysis. 1 Introduction The CAST256 [1] cipher is a new symmetric block cipher with a 128-bit block size and has been submitted as a candidate for the Advanced Encryption Standard (AES) [2]. The design of CAST256 was derived from the CAST128 cipher [3], a 64-bit block cipher, and benefits from the results of analysis of this earlier cipher [4]. Due to the relatively large block size ...
Asymptotic Bounds on Differential Probabilities
1998
Let ; (ff ! fi) be the probability of a differential approximation to the n-bit permutation , determined with respect to the group (Z ). The probability is determined from the difference table ; for which ; (ff; fi) = 2 ; (ff ! fi). We show that the distribution of asymptotically follows a Poisson distribution. Let ; (fffi) where I is the identity of (Z ), and define B n = ln N \Gamma 1). Our main results are to show that with high probability for a random permutation , Pr (2B n ; ! 2n) = \Phi, and Pr ; ! 2B n ) 2 f + ; fig, where + and fi denote modular addition and modular multiplication. Thus XOR differences admit higher probability approximations for random permutations than differences with respect to + and fi. Further, with high probability, the best differential probability for a random 64-bit permutation with respect to XOR differences lies in the interval [2 ].