rithm uses six S-boxes with an 8-bit input and a 32-bit output. Construction of these S-boxes is implementation-dependent and complicated; see the references for details.

To encrypt, first divide the plaintext block into a left half and a right half. The algorithm has 8 rounds. In each round the right half is combined with some key material using function f and then XORed with the left half to form the new right half. The original right half (before the round) becomes the new left half. After 8 rounds (don't switch the left and right halves after the eighth round), the two halves are concatenated to form the ciphertext.

Function f is simple:

(1) Divide the 32-bit input into four 8-bit quarters: a, b, c, d.
(2) Divide the 16-bit subkey into two 8-bit halves: e, f.
(3) Process a through S-box 1, b through S-box 2, c through S-box 3, d through S-box 4, e through S-box 5, and f through S-box 6.
(4) XOR the six S-box outputs together to get the final 32-bit output.

Alternatively, the 32-bit input can be XORed with 32 bits of key, divided into four 8-bit quarters, processed through the S-boxes, and then XORed together. N rounds of this appear to be as secure as N + 2 rounds of the other option.

The 16-bit subkey for each round is easily calculated from the 64-bit key. If k1, k2, ..., k8 are the 8 bytes of the key, then the subkeys for each round are:

Round 1: k1, k2
Round 2: k3, k4
Round 3: k5, k6
Round 4: k7, k8
Round 5: k4, k3
Round 6: k2, k1
Round 7: k8, k7
Round 8: k6, k5

The strength of this algorithm lies in its S-boxes. CAST does not have fixed S-boxes; new ones are constructed for each application. Design criteria are in ; bent functions are the S-box columns, selected for a number of desirable S-box properties (see Section 14.10). Once a set of S-boxes has been constructed for a given implementation of CAST, they are fixed for all time. The S-boxes are implementation-dependent, but not key-dependent.

It was shown in that CAST is resistant to differential cryptanalysis and in ...
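The round structure and key schedule above, as an added Python model that is not part of the text. Its six S-boxes are constructed placeholders filled from a fixed PRNG seed, not the bent-function S-boxes CAST requires, so the model shows the Feistel mechanics (including why decryption is the same routine with the subkeys reversed) and has no cryptographic strength of its own.

```python
import random

# Constructed stand-in S-boxes: six tables mapping an 8-bit input to a 32-bit
# output, filled from a fixed seed. They are NOT CAST's bent-function S-boxes,
# which are implementation-dependent and built to the criteria the text cites.
_rng = random.Random(0xCA57)
SBOXES = [[_rng.getrandbits(32) for _ in range(256)] for _ in range(6)]


def key_schedule(key):
    """Eight 16-bit subkeys (e, f) from the 64-bit key, using the byte
    pattern in the text (k1..k8 are the key bytes, 1-based)."""
    assert len(key) == 8, "CAST uses a 64-bit key"
    order = [(1, 2), (3, 4), (5, 6), (7, 8), (4, 3), (2, 1), (8, 7), (6, 5)]
    return [(key[i - 1], key[j - 1]) for i, j in order]


def f(x, subkey):
    """Round function: the four 8-bit quarters of the 32-bit input and the two
    subkey bytes each go through their own S-box; the six outputs are XORed."""
    a, b, c, d = (x >> 24) & 0xFF, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    e, g = subkey
    return (SBOXES[0][a] ^ SBOXES[1][b] ^ SBOXES[2][c]
            ^ SBOXES[3][d] ^ SBOXES[4][e] ^ SBOXES[5][g])


def _feistel(block, subkeys):
    """Eight rounds: new L = old R, new R = old L XOR f(old R, subkey).
    The halves are not switched after the last round."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for sk in subkeys:
        left, right = right, left ^ f(right, sk)
    # The loop swapped after round 8 as well; emitting right||left undoes it.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt(block, key):
    return _feistel(block, key_schedule(key))


def decrypt(block, key):
    # Same network, subkeys applied in reverse order; each round then cancels
    # the XOR the matching encryption round introduced.
    return _feistel(block, key_schedule(key)[::-1])


def roundtrip_ok(block, key):
    """Returns True when decrypt(encrypt(block)) recovers the block."""
    return decrypt(encrypt(block, key), key) == block
```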
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.