Abstract
CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is derived from CAST-128. It is a 48-round Generalized-Feistel-Network cipher with a 128-bit block that accepts 128-, 160-, 192-, 224- or 256-bit keys. Its S-boxes are non-surjective, mapping 8-bit inputs to 32-bit outputs. Wang et al. identified a 21-round linear approximation and gave a key recovery attack on 24-round CAST-256. In ASIACRYPT 2012, Bogdanov et al. presented a multidimensional zero-correlation linear cryptanalysis of 28 rounds of CAST-256. By observing a property of the concatenation of a forward quad-round and a reverse quad-round, and by choosing the proper active round function, we construct a linear approximation of 26-round CAST-256 and recover partial key information on 32 rounds of CAST-256. In terms of the number of rounds attacked, this is the best known attack on CAST-256 that does not rely on a weak-key assumption.
References
Biham E, Shamir A. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 1991, 4(1): 3–72.
Matsui M. Linear cryptanalysis method for DES cipher. In Proc. Workshop on the Theory and Application of Cryptographic Techniques, May 1993, pp.386–397.
Knudsen L. Truncated and higher order differentials. In Proc. the 2nd Int. Workshop on Fast Software Encryption, December 1994, pp.196–211.
Biham E, Biryukov A, Shamir A. Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In Proc. Int. Conf. the Theory and Application of Cryptographic Techniques, May 1999, pp.12–23.
Borst J, Knudsen L, Rijmen V. Two attacks on reduced IDEA. In Proc. the 16th Advances in Cryptology-Eurocrypt, May 1997, pp.1–13.
Blondeau C, Gérard B. Multiple differential cryptanalysis: Theory and practice. In Proc. the 18th Int. Workshop on Fast Software Encryption, February 2011, pp.35–54.
Wang M Q, Sun Y, Tischhauser E, Preneel B. A model for structure attacks, with applications to PRESENT and Serpent. In Proc. the 19th Int. Workshop on Fast Software Encryption, March 2012, pp.49–68.
Wagner D. The boomerang attack. In Proc. the 6th Int. Workshop on Fast Software Encryption, March 1999, pp.156–170.
Albrecht M, Cid C. Algebraic techniques in differential cryptanalysis. In Proc. the 16th Int. Workshop on Fast Software Encryption, February 2009, pp.193–208.
Wang M, Sun Y, Mouha N, Preneel B. Algebraic techniques in differential cryptanalysis revisited. In Proc. the 16th Information Security and Privacy Australasian Conference, July 2011, pp.120–141.
Biryukov A, De Cannière C, Quisquater M. On multiple linear approximations. In Proc. the 24th Int. Cryptology Conf., August 2004, pp.1–22.
Hermelin M, Cho J, Nyberg K. Multidimensional extension of Matsui's Algorithm 2. In Proc. the 16th Int. Workshop on Fast Software Encryption, February 2009, pp.209–227.
Kaliski B, Robshaw M. Linear cryptanalysis using multiple approximations. In Proc. the 14th Int. Cryptology Conf. Advances in Cryptology, August 1994, pp.26–39.
Bogdanov A, Rijmen V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Designs, Codes and Cryptography, 2014, 70(3): 369–383.
Adams C, Gilchrist J. The CAST-256 encryption algorithm, June 1999. http://www.ietf.org/rfc/rfc2612.txt, Sept. 2014.
Adams C. The CAST-128 encryption algorithm, May 1997. http://www.ietf.org/rfc/rfc2144.txt, Oct. 2014.
Nakahara J J, Rasmussen M. Linear analysis of reduced-round CAST-128 and CAST-256. In Proc. the 7th Brazilian Symposium on Information and Computer System Security, Aug. 2007, pp.45–55.
Wang M Q, Wang X Y, Hu C H. New linear cryptanalytic results of reduced-round of CAST-128 and CAST-256. In Proc. the 15th Int. Workshop on Selected Areas in Cryptography, August 2009, pp.429–441.
Sun Y, Wang M Q, Sun Q M. How to search linear approximation for large non-surjective S-box. In Proc. the 6th ACM Symposium on Information, Computer and Communications Security, March 2011, pp.459–465.
Biham E. A note on comparing the AES candidates. In Proc. the 2nd AES Candidate Conference, March 1999, pp.22–23.
Seki H, Kaneko T. Differential cryptanalysis of CAST-256 reduced to nine quad-rounds. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2001, 84(4): 913–918.
Bogdanov A, Leander G, Nyberg K, Wang M Q. Integral and multidimensional linear distinguishers with correlation zero. In Proc. the 18th Int. Conf. Theory and Application of Cryptology and Information Security, December 2012, pp.244–261.
Adams C M. Constructing symmetric ciphers using the CAST design procedure. Designs, Codes and Cryptography, 1997, 12(3): 283–316.
Ferguson N, Kelsey J, Lucks S, Schneier B, Stay M, Wagner D, Whiting D. Improved cryptanalysis of Rijndael. In Proc. the 7th Int. Workshop on Fast Software Encryption, April 2000, pp.213–230.
Selçuk A A. On probability of success in linear and differential cryptanalysis. Journal of Cryptology, 2008, 21(1): 131–147.
Additional information
This work was supported by the National Basic Research 973 Program of China under Grant No. 2013CB834205, the National Natural Science Foundation of China under Grant Nos. 61133013, 61070244 and 61103237, the Program for New Century Excellent Talents in University of China under Grant No. NCET-13-0350, as well as the Interdisciplinary Research Foundation of Shandong University under Grant No. 2012JC018.
Electronic supplementary material: ESM 1 (PDF 75 kb)
Cite this article
Zhao, JY., Wang, MQ. & Wen, L. Improved Linear Cryptanalysis of CAST-256. J. Comput. Sci. Technol. 29, 1134–1139 (2014). https://doi.org/10.1007/s11390-014-1496-8
DOI: https://doi.org/10.1007/s11390-014-1496-8