This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.

In this paper, we present how to construct DES-like S-boxes based on Boolean functions satisfying the Strict Avalanche Criterion and compare their cryptographic properties with those of DES S-boxes in various points of view. We found that our designed DES-like S-boxes exhibit better cryptographical properties than those of DES S-boxes.

We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8-round)-MAC can be broken with 2 34 pairs of plain text, while FEAL8-MAC can be broken with 2 22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32-bits are randomly selected from among the 64-bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen plaintext scenario.

At Crypto'92, L.R. Knudsen[7] showed that s 2 DES is insufficient to assure against differential attack. In this paper, we propose a provable design criterion to strengthen s 2 DES against differential attack without disturbing its cryptographic structure. We show that new s 2 DES S-boxes can be constructed with our new design criteria and suggest new 8 s 2 DES S-boxes for replacing the current DES S-boxes. Simply called this algorithm as s 3 DES, the result of our estimation and Knudsen's recent analysis [9] give us that s 3 DES can resist against differential attack better than DES and s 2 DES, i.e., breaking s 3 DES by differential attack is less efficient than key-exhaustive search. 1. Introduction In 1990, Biham and Shamir [4] proposed one of the remarkable breaking method "differential cryptanalysis 1 " to cryptanalyze any iterated block cipher algorithm (DES [1], FEAL [2], LOKI [3], etc:). To break DES (Data Encryption Standard), they utilized the preco...