rithm uses six S-boxes with an 8-bit input and a 32-bit output. Construction of these S-boxes is implementation-dependent and complicated; see the references for details.

To encrypt, first divide the plaintext block into a left half and a right half. The algorithm has 8 rounds. In each round the right half is combined with some key material using function f and then XORed with the left half to form the new right half. The original right half (before the round) becomes the new left half. After 8 rounds (don't switch the left and right halves after the eighth round), the two halves are concatenated to form the ciphertext.

Function f is simple:

(1) Divide the 32-bit input into four 8-bit quarters: a, b, c, d.
(2) Divide the 16-bit subkey into two 8-bit halves: e, f.
(3) Process a through S-box 1, b through S-box 2, c through S-box 3, d through S-box 4, e through S-box 5, and f through S-box 6.
(4) XOR the six S-box outputs together to get the final 32-bit output.

Alternatively, the 32-bit input can be XORed with 32 bits of key, divided into four 8-bit quarters, processed through the S-boxes, and then XORed together [7]. N rounds of this variant appear to be as secure as N + 2 rounds of the other option.

The 16-bit subkey for each round is easily calculated from the 64-bit key. If k1, k2, ..., k8 are the 8 bytes of the key, then the subkeys for each round are:

Round 1: k1, k2
Round 2: k3, k4
Round 3: k5, k6
Round 4: k7, k8
Round 5: k4, k3
Round 6: k2, k1
Round 7: k8, k7
Round 8: k6, k5

The strength of this algorithm lies in its S-boxes. CAST does not have fixed S-boxes; new ones are constructed for each application. Design criteria are in [10]; bent functions are the S-box columns, selected for a number of desirable S-box properties (see Section 14.10). Once a set of S-boxes has been constructed for a given implementation of CAST, they are fixed for all time. The S-boxes are implementation-dependent, but not key-dependent.
It was shown in [10] that CAST is resistant to differential cryptanalysis and in [728]...
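The Feistel structure, function f and subkey order described above, as an added example that is not from the book or from any CAST implementation. The six S-boxes are placeholder tables filled from a seeded PRNG (an assumption made here so the code runs stand-alone); real CAST S-boxes are built from bent functions under the criteria in [10], so this exercises only the round structure and key schedule, not the cipher's actual strength.

```python
import random
from typing import List, Tuple

def make_placeholder_sboxes(seed: int = 1) -> List[List[int]]:
    """Six 8-bit -> 32-bit tables. PLACEHOLDER: seeded random words, not the
    bent-function S-boxes a real CAST implementation constructs per [10]."""
    rng = random.Random(seed)
    return [[rng.getrandbits(32) for _ in range(256)] for _ in range(6)]

SBOXES = make_placeholder_sboxes()

def key_schedule(key: bytes) -> List[Tuple[int, int]]:
    """16-bit round subkeys (two key bytes each) in the order the text lists."""
    assert len(key) == 8, "CAST as described uses a 64-bit key"
    k = [None] + list(key)  # k[1] .. k[8], matching the text's 1-based names
    order = [(1, 2), (3, 4), (5, 6), (7, 8), (4, 3), (2, 1), (8, 7), (6, 5)]
    return [(k[i], k[j]) for i, j in order]

def f(x: int, subkey: Tuple[int, int], sboxes: List[List[int]] = SBOXES) -> int:
    """Round function: quarters a,b,c,d of the 32-bit input and halves e,g of
    the subkey ('f' in the text, renamed to avoid clashing with this function)
    each index one S-box; the six 32-bit outputs are XORed together."""
    a, b, c, d = (x >> 24) & 0xFF, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    e, g = subkey
    return (sboxes[0][a] ^ sboxes[1][b] ^ sboxes[2][c]
            ^ sboxes[3][d] ^ sboxes[4][e] ^ sboxes[5][g])

def _feistel(block: bytes, subkeys: List[Tuple[int, int]]) -> bytes:
    """8 rounds: new right = left XOR f(right, subkey); new left = old right.
    The final swap is undone, as the text says not to switch after round 8."""
    assert len(block) == 8, "64-bit block"
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for sk in subkeys:
        left, right = right, left ^ f(right, sk)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key_schedule(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Feistel decryption is encryption with the subkeys in reverse order.
    return _feistel(block, key_schedule(key)[::-1])

if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")   # constructed sample key
    pt = bytes.fromhex("00112233445566ff")    # constructed sample block
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key) == pt)
```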
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.