Network Working Group C. Adams
Request for Comments: 2612 J. Gilchrist
Category: Informational Entrust Technologies
June 1999
The CAST-256 Encryption Algorithm
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
There is always a desire in the Internet community for unencumbered
encryption algorithms with a range of key sizes that can provide
security for a variety of cryptographic applications and protocols.
This document describes an existing algorithm that can be used to
satisfy this requirement. Included are a description of the cipher
and the key scheduling algorithm, the s-boxes, and a set of test
vectors (Appendix A).
Table of Contents
Abstract........................................................1
1. Introduction.................................................2
2. CAST-256 Algorithm Specification.............................2
3. Cipher Naming................................................8
4. Cipher Usage.................................................8
5. Security Considerations......................................8
6. References...................................................9
7. Authors' Addresses...........................................9
Appendix A. Test Vectors.......................................10
Full Copyright Statement.......................................19
Adams & Gilchrist Informational [Page 1]
RFC 2612 The CAST-256 Encryption Algorithm June 1999
1. Introduction
This document describes the CAST-256 encryption algorithm, a DES-like
Substitution-Permutation Network (SPN) cryptosystem built upon the
CAST-128 encryption algorithm [1] which appears to have good
resistance to differential cryptanalysis, linear cryptanalysis, and
related-key cryptanalysis. This cipher also possesses a number of
other desirable cryptographic properties, including avalanche, Strict
Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no
complementation property, and an absence of weak and semi-weak keys.
It thus appears to be a good candidate for general-purpose use
throughout the Internet community wherever a cryptographically-
strong, freely-available encryption algorithm is required.
CAST-256 has a block size of 128 bits and a variable key size (128,
160, 192, 224, or 256 bits).
2. CAST-256 Algorithm Specification
2.1 CAST-128 Notation
The following notation from CAST-128 [1] is relevant to CAST-256.
CAST-128 uses a pair of subkeys per round: a 5-bit quantity Kri
is used as a "rotation" key for round i and a 32-bit quantity Kmi
is used as a "masking" key for round i.
Three different round functions are used in CAST-128. The rounds
are as follows (where D is the data input to the operation, Ia -
Id are the most significant byte through least significant byte of
I, respectively, Si is the ith s-box (see Section 2.1.1 for s-box
contents), and O is the output of the operation). Note that "+"
and "-" are addition and subtraction modulo 2**32, "^" is bitwise
eXclusive-OR, and "<<<" is the circular left-shift operation.
Type 1: I = ((Kmi + D) <<< Kri)
O = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
Type 2: I = ((Kmi ^ D) <<< Kri)
O = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
Type 3: I = ((Kmi - D) <<< Kri)
O = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
Let f1, f2, f3 be keyed round function operations of Types 1, 2,
and 3 (respectively) above.
2.2 CAST-256 Notation
The following notation is employed in the specification of CAST-256.
Let f1, f2, f3 be as defined for CAST-128.
Let BETA = (ABCD) be a 128-bit block where A, B, C and D are each
32 bits in length.
Let "BETA <- Qi(BETA)" be short-hand notation for the following:
C = C ^ f1(D, Kr0_(i), Km0_(i))
B = B ^ f2(C, Kr1_(i), Km1_(i))
A = A ^ f3(B, Kr2_(i), Km2_(i))
D = D ^ f1(A, Kr3_(i), Km3_(i))
Let "BETA <- QBARi(BETA)" be short-hand notation for the
following:
D = D ^ f1(A, Kr3_(i), Km3_(i))
A = A ^ f3(B, Kr2_(i), Km2_(i))
B = B ^ f2(C, Kr1_(i), Km1_(i))
C = C ^ f1(D, Kr0_(i), Km0_(i))
(Q(*) is called a "forward quad-round" and QBAR(*) is called a
"reverse quad-round".)
Let Kr_(i) = {Kr0_(i), Kr1_(i), Kr2_(i), Kr3_(i)} be the set of
rotation keys for the ith quad-round, where Krj_(i) is a 5-bit
rotation key for f1, f2, or f3 (as specified above).
Let Km_(i) = {Km0_(i), Km1_(i), Km2_(i), Km3_(i)} be the set of
masking keys for the ith quad-round, where Kmj_(i) is a 32-bit
masking key for f1, f2, or f3 (as specified above).
Let KAPPA = (ABCDEFGH) be a 256-bit block where A, B, ..., H are
each 32 bits in length.
Let "KAPPA <- Wi(KAPPA)" be short-hand notation for the
following:
G = G ^ f1(H, Tr0_(i), Tm0_(i))
F = F ^ f2(G, Tr1_(i), Tm1_(i))
E = E ^ f3(F, Tr2_(i), Tm2_(i))
D = D ^ f1(E, Tr3_(i), Tm3_(i))
C = C ^ f2(D, Tr4_(i), Tm4_(i))
B = B ^ f3(C, Tr5_(i), Tm5_(i))
A = A ^ f1(B, Tr6_(i), Tm6_(i))
H = H ^ f2(A, Tr7_(i), Tm7_(i))
(W(*) is called a "forward octave".)
Let "Kr_(i) <- KAPPA" be short-hand notation for the
following: Kr0_(i) = 5LSB(A), Kr1_(i) = 5LSB(C), Kr2_(i) =
5LSB(E), Kr3_(i) = 5LSB(G)
where 5LSB(x) denotes "the five least significant bits of x".
Let "Km_(i) <- KAPPA" be short-hand notation for the following:
Km0_(i) = H, Km1_(i) = F, Km2_(i) = D, Km3_(i) = B
2.3 The CAST-256 Cipher
BETA = 128 bits of plaintext.
for (i=0; i<6; i++)
BETA <- Qi(BETA)
for (i=6; i<12; i++)
BETA <- QBARi(BETA)
128 bits of ciphertext = BETA
Round Key Re-Ordering for Decryption
The cipher employs a 256-bit primary key K. Decryption is
identical to encryption except that the sets of quad-round keys
Kr_(i), Km_(i) derived from K are used in reverse order as
follows.
for (i=0; i<12; i++)
{
KrNEW_(i) = Kr_(11-i)
KmNEW_(i) = Km_(11-i)
}
2.4 The CAST-256 Key Schedule
Initialization:
Cm = 2**30 * SQRT(2) = 5A827999 (base 16)
Mm = 2**30 * SQRT(3) = 6ED9EBA1 (base 16)
Cr = 19
Mr = 17
for (i=0; i<24; i++)
{
for (j=0; j<8; j++)
{
Tmj_(i) = Cm
Cm = (Cm + Mm) mod 2**32
Trj_(i) = Cr
Cr = (Cr + Mr) mod 32
}
}
Key Schedule:
KAPPA = ABCDEFGH = 256 bits of the primary key, K.
for (i=0; i<12; i++)
{
KAPPA <- W2i(KAPPA)
KAPPA <- W2i+1(KAPPA)
Kr_(i) <- KAPPA
Km_(i) <- KAPPA
}
Note: (|K| = 128) => (E = F = G = H = 0)
(|K| = 160) => (F = G = H = 0)
(|K| = 192) => (G = H = 0)
(|K| = 224) => (H = 0)
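As an added illustration (not code from the RFC), the following Python implements the round structure of Sections 2.1 to 2.4 above: the three round functions, the forward and reverse quad-rounds, the octave-based key schedule with its Tm/Tr initialization, and the key-set reversal that turns encryption into decryption. The s-box contents of Section 2.1.1 are not reproduced on this page, so the example uses constructed placeholder s-boxes and its output will not match Appendix A; with the genuine CAST-128 s-boxes substituted for PLACEHOLDER_SBOXES, the code is the cipher as specified.

```python
import struct                              # added example; not part of RFC 2612
M32 = 0xFFFFFFFF
# CONSTRUCTED stand-in s-boxes: the real Section 2.1.1 tables are not on this page.
PLACEHOLDER_SBOXES = [[(0x9E3779B9 * (k + 1) * (i + 1)) & M32 for i in range(256)] for k in range(4)]
def rotl(x, r):                            # "<<<": circular left shift, r in 0..31
    return ((x << r) | (x >> (32 - r))) & M32
def round_functions(S1, S2, S3, S4):       # Section 2.1: keyed round functions f1, f2, f3
    def bytes4(I): return I >> 24, (I >> 16) & 255, (I >> 8) & 255, I & 255
    def f1(D, Kr, Km):                     # Type 1: I = (Km + D) <<< Kr
        a, b, c, d = bytes4(rotl((Km + D) & M32, Kr))
        return (((S1[a] ^ S2[b]) - S3[c]) + S4[d]) & M32
    def f2(D, Kr, Km):                     # Type 2: I = (Km ^ D) <<< Kr
        a, b, c, d = bytes4(rotl(Km ^ D, Kr))
        return (((S1[a] - S2[b]) + S3[c]) ^ S4[d]) & M32
    def f3(D, Kr, Km):                     # Type 3: I = (Km - D) <<< Kr
        a, b, c, d = bytes4(rotl((Km - D) & M32, Kr))
        return (((S1[a] + S2[b]) ^ S3[c]) - S4[d]) & M32
    return f1, f2, f3

def key_schedule(key, fs):                 # Section 2.4 -> 12 (Kr_i, Km_i) key sets
    Cm, Mm, Cr, Mr = 0x5A827999, 0x6ED9EBA1, 19, 17
    Tm, Tr = [[0] * 8 for _ in range(24)], [[0] * 8 for _ in range(24)]
    for i in range(24):                    # initialization of the Tm/Tr constants
        for j in range(8):
            Tm[i][j], Cm = Cm, (Cm + Mm) & M32
            Tr[i][j], Cr = Cr, (Cr + Mr) & 31
    K = list(struct.unpack(">8L", key.ljust(32, b"\0")))  # KAPPA = ABCDEFGH, zero-padded
    keys = []
    for i in range(12):
        for o in (2 * i, 2 * i + 1):       # KAPPA <- W_2i(KAPPA); KAPPA <- W_2i+1(KAPPA)
            for j in range(8):             # G ^= f1(H), F ^= f2(G), ..., H ^= f2(A)
                K[(6 - j) % 8] ^= fs[j % 3](K[7 - j], Tr[o][j], Tm[o][j])
        keys.append(([K[0] & 31, K[2] & 31, K[4] & 31, K[6] & 31],  # Kr_i = 5LSB(A,C,E,G)
                     [K[7], K[5], K[3], K[1]]))                    # Km_i = H, F, D, B
    return keys
def quad_round(B, Kr, Km, fs, forward):    # Q_i if forward else QBAR_i (steps reversed)
    f1, f2, f3 = fs
    steps = ((2, 3, f1, 0), (1, 2, f2, 1), (0, 1, f3, 2), (3, 0, f1, 3))
    for dst, src, f, j in (steps if forward else steps[::-1]):
        B[dst] ^= f(B[src], Kr[j], Km[j])  # e.g. C = C ^ f1(D, Kr0_(i), Km0_(i))

def cast256(block, keys, fs):              # Section 2.3: six Q rounds, then six QBAR rounds
    B = list(struct.unpack(">4L", block))
    for i in range(12):
        quad_round(B, keys[i][0], keys[i][1], fs, forward=(i < 6))
    return struct.pack(">4L", *B)
def encrypt(pt, key, fs): return cast256(pt, key_schedule(key, fs), fs)
def decrypt(ct, key, fs):                  # same cipher with the key sets in reverse order
    return cast256(ct, key_schedule(key, fs)[::-1], fs)
```

The round trip succeeds for any s-box contents because each Q_i is the exact inverse of QBAR_i with the same key set, which is why the key re-ordering of Section 2.3 is all decryption needs.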
3. Cipher Naming
In order to avoid confusion when variable keysize operation is used,
the name CAST-256 is to be considered synonymous with the name CAST6;
this allows a keysize to be appended without ambiguity. Thus, for
example, CAST-256 with a 192-bit key is to be referred to as
CAST6-192; where a 256-bit key is explicitly intended, the name CAST6-256
should be used.
4. Cipher Usage
The CAST-256 cipher described in this document is available worldwide
on a royalty-free and licence-free basis for commercial and non-
commercial uses.
5. Security Considerations
This entire memo is about security since it describes an algorithm
which is specifically intended for cryptographic purposes.
6. References
[1] Adams, C., "The CAST-128 Encryption Algorithm", RFC 2144, May
1997.
7. Authors' Addresses
Carlisle Adams
Entrust Technologies
750 Heron Road, Suite E08
Ottawa, Ontario, Canada
K1V 1A7
Phone: 613-247-3180
Fax: 613-247-3690
EMail: carlisle.adams@entrust.com
Jeff Gilchrist
Entrust Technologies
750 Heron Road, Suite E08
Ottawa, Ontario, Canada
K1V 1A7
Phone: 613-248-3074
Fax: 613-247-3450
EMail: jeff.gilchrist@entrust.com
Appendix A: Test Vectors
Intermediate Values Known Answer Test. The data listed is:
KEYSIZE=the current key length in bits
KEY=the key in hexadecimal format
PT=the plaintext to be encrypted
R=the quad-round number (1 to 12)
ROTK1,ROTK2,ROTK3,ROTK4=the rotation keys for the current quad-round
MASK1,MASK2,MASK3,MASK4=the masking keys for the current quad-round
OUT=the output of the quad-round
CT=the ciphertext corresponding to the given plaintext.
For each key size, an encryption and the corresponding decryption are
shown.
KEYSIZE=128
KEY=2342bb9efa38542c0af75647f29f615d
PT=00000000000000000000000000000000
R=1
ROTK1=1c ROTK2=1d ROTK3=18 ROTK4=06
MASK1=f364d7f9 MASK2=233500c0 MASK3=83cee501 MASK4=01f857c6
OUT=e2c604af966715811b377f12de19e459
R=2
ROTK1=1e ROTK2=18 ROTK3=13 ROTK4=02
MASK1=ae877786 MASK2=ef78852e MASK3=0aa1c41f MASK4=a28ec9c4
OUT=5375c3be208f38eed0419d98f50dd9b3
R=3
ROTK1=02 ROTK2=1d ROTK3=01 ROTK4=0b
MASK1=a3eedefb MASK2=ac426ecf MASK3=2e8220ec MASK4=cd92c34a
OUT=732e4ec0f205e39afaf407c956d83728
R=4
ROTK1=0d ROTK2=1d ROTK3=04 ROTK4=12
MASK1=3046827f MASK2=568ab6b9 MASK3=b86e7c10 MASK4=ef290a58
OUT=af23fd837033dc81a60be8a69865c543
R=5
ROTK1=01 ROTK2=14 ROTK3=0c ROTK4=06
MASK1=302e76c3 MASK2=cf429964 MASK3=e9ecad47 MASK4=8850a515
OUT=8b5e011401e1124f731135fa780c59ef
R=6
ROTK1=17 ROTK2=1d ROTK3=0e ROTK4=09
Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.