CAST-256 A Submission for the Advanced Encryption Standard - PowerPoint PPT Presentation

CAST-256 A Submission for the Advanced Encryption Standard Carlisle Adams First AES Candidate Conference August 20-22, 1998 Orchestrating Enterprise Security  1997 Entrust Technologies

“Vital Statistics” ! Name • CAST-256 ! Inventors • Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener ! Key Sizes • 128, 160, 192, 224, 256 bits ! Block Size • 128 bits Orchestrating Enterprise Security  1997 Entrust Technologies p. 2

Outline ! History ! Description ! Analysis ! “Features and Advantages” ! Conclusions Orchestrating Enterprise Security  1997 Entrust Technologies p. 3

History ! 1985-86 • Advice: “don’t go into crypto.; no future” ! 1988-90 • design procedure for symmetric ciphers − Boolean functions, s-boxes, round functions, key scheduling, overall framework ! 1992-93 • the name “CAST” introduced • specification of various parameters • CAST-1, CAST-2 in first Entrust product Orchestrating Enterprise Security  1997 Entrust Technologies p. 4

History (cont’d) ! 1993-95 • modified key schedule: CAST-3 • further concentration on round function • further concentration on s-box design, efficient (networked) construction − preliminary s-boxes: CAST-4 − final s-boxes: CAST-5 • CAST-5 published as “CAST-128” ! 1995-97 • draft paper distributed and on web site • interest begins to rise Orchestrating Enterprise Security  1997 Entrust Technologies p. 5

History (cont’d) ! 1997 • CAST paper published (DCC) • CAST-128 cipher published (RFC 2144) • interest rises significantly ! 1997-98 • CAST-128 used to form basis of CAST-256 ! 1998 • CSE endorsement of CAST-128 • CAST-256 submitted as AES candidate Orchestrating Enterprise Security  1997 Entrust Technologies p. 6

Description ! Based on CAST-128 • identical round function ! Expansion to 128-bit block • simple generalization of Feistel structure ! Expansion to 256-bit key • uses encryption (256-bit block) to generate round keys Orchestrating Enterprise Security  1997 Entrust Technologies p. 7

Feistel Network L R k0 + R L k1 + L R Orchestrating Enterprise Security  1997 Entrust Technologies p. 8

“Incomplete” Feistel Network L R A B C k0 k0 + + R L C A B k1 k1 + + L R B C A k2 + A B C Orchestrating Enterprise Security  1997 Entrust Technologies p. 9

“Incomplete” Feistel Network L R A B C A B C D k0 k0 k0 + + + R L C A B D A B C k1 k1 k1 + + + L R B C A C D A B k2 k2 + + A B C B C D A k3 + A B C D Orchestrating Enterprise Security  1997 Entrust Technologies p. 10

CAST-256 Notation A B C D k0 + = ⊕ ( ) i ( ) i C C f ( D k , , k ) 1 r m { 0 0 = ⊕ ( ) i ( ) i B B f ( , C k , k ) 2 r m β ← Q i ( ) β D A B C 1 1 = ⊕ ( ) i ( ) i A A f ( , B k , k ) 3 r m 2 2 = ⊕ ( ) i ( ) i D D f ( , A k , k ) k1 1 r m 3 3 + “Forward Quad-Round” C D A B k2 = ⊕ ( ) i ( ) i D D f ( , A k , k ) + 1 r m { 3 3 = ⊕ ( ) i ( ) i A A f ( , B k , k ) 3 r m β ← Q i ( ) β 2 2 = ⊕ ( ) i ( ) i B B f ( , C k , k ) 2 r m 1 1 B C D A = ⊕ ( ) i ( ) i C C f ( D k , , k ) 1 r m 0 0 k3 “Reverse Quad-Round” + A B C D Orchestrating Enterprise Security  1997 Entrust Technologies p. 11

CAST-256 Cipher β = 128 bits of plaintext. = < + + for i ( 0 ; i 6 ; i ) β ← Q i ( ) β = < + + for i ( 6 ; i 12 ; i ) β ← Q i ( ) β 128 bits of ciphertext = β Orchestrating Enterprise Security  1997 Entrust Technologies p. 12

CAST-256 Key Schedule κ = = ABCDEFGH 256 bits of primary key, K . = < + + for i ( 0 ; i 12 ; i ){ κ ← ω κ ( ) 2 i κ ← ω κ ( ) + 2 i 1 ← κ k ( ) i r ← κ k ( ) i m } = ⊕ ( ) i ( ) i G G f ( H t , , t ) 1 r m 0 0 = ⊕ ( ) i ( ) i F F f ( G t , , t ) 2 r m 1 1 = ⊕ ( ) i ( ) i E E f ( F t , , t ) 3 r m 2 2 i ( ) { = ⊕ ( ) i ( ) i D D f ( E t , , t ) κ ← ω κ 1 r m 3 3 = ⊕ ( ) i ( ) i C C f ( D t , , t ) 2 r m 4 4 = ⊕ ( ) i ( ) i B B f ( , C t , t ) 3 r m 5 5 = ⊕ ( ) , i ( ) i A A f ( , B t t ) 1 r m 6 6 = ⊕ ( ) i ( ) i H H f ( , A t , t ) 2 r m 7 7 Orchestrating Enterprise Security  1997 Entrust Technologies p. 13

CAST-256 Key Schedule (cont’d) = = 30 c 2 2 5 827999 A m 16 = = 30 m 2 3 6 ED EBA 9 1 m 16 = c 19 r = m 17 r = < + + for i ( 0 ; i 24 ; i ) = < + + for j ( 0 ; j 8 ; j ){ = ( ) i t c m m j = + 32 ( ) mod 2 c c m m m m = ( ) i t c r r j = + c ( c m ) mod 32 r r r } Orchestrating Enterprise Security  1997 Entrust Technologies p. 14

Outline ! History ! Description ! Analysis ! “Features and Advantages” ! Conclusions Orchestrating Enterprise Security  1997 Entrust Technologies p. 15

Analysis ! Inherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions Orchestrating Enterprise Security  1997 Entrust Technologies p. 16

Analysis ! Inherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions Orchestrating Enterprise Security  1997 Entrust Technologies p. 17

Boolean Functions ! “Bent” functions of 8 variables • highest possible nonlinearity over all binary Boolean functions (120) • nonlinear order of 4 (highest possible for bent functions) Orchestrating Enterprise Security  1997 Entrust Technologies p. 18

Analysis ! Inherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions Orchestrating Enterprise Security  1997 Entrust Technologies p. 19

S-Boxes ! Properties • XOR difference table of 0’s and 2’s • nonlinearity of 74 • DMOSAC = 0 • DHOBIC 32,1 = 36 • row weight distribution: approx. binomial • row pair wt. distribution: approx. binomial • average column weight: 128 Orchestrating Enterprise Security  1997 Entrust Technologies p. 20

Analysis ! Inherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions Orchestrating Enterprise Security  1997 Entrust Technologies p. 21

Key Mixing ! Non-surjective attack considerations • key entropy per round = 37 bits ! Differential, Linear considerations • combination of masking key, rotation key, and mixed operations for data combining Orchestrating Enterprise Security  1997 Entrust Technologies p. 22

Analysis ! Inherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions Orchestrating Enterprise Security  1997 Entrust Technologies p. 23

Mixed Operations ! Experimental work • combinations of pairs and triples of s-boxes using XOR, addition, subtraction − examination of XOR diff. distribution table − significant drop in maximum entry ! Theoretical work • deriving probability of maximum entry exceeding a specific bound − supports experimental evidence Orchestrating Enterprise Security  1997 Entrust Technologies p. 24

Mixed Operations (cont’d) ! Appear to • increase resistance to linear, differential attacks by decreasing round probability ! Appear to • significantly increase resistance to higher- order differential attacks Orchestrating Enterprise Security  1997 Entrust Technologies p. 25

Analysis ! Inherited from CAST-128 • Boolean functions • Substitution boxes • Key mixing per round • Mixed operations • Multiple round functions Orchestrating Enterprise Security  1997 Entrust Technologies p. 26

Multiple Round Functions ! Appear to • increase complexity of constructing differential and linear characteristics − order of round functions precludes iteration of some low-round characteristics Orchestrating Enterprise Security  1997 Entrust Technologies p. 27

Analysis (cont’d) ! Particular to CAST-256 • Generalized (“incomplete”) Feistel − security of quad-round − security of “forward then reverse” quad-rounds − number of rounds • Key schedule − security of overall structure − equivalent, weak, semi-weak keys Orchestrating Enterprise Security  1997 Entrust Technologies p. 28

Outline ! History ! Description ! Analysis ! “Features and Advantages” ! Conclusions Orchestrating Enterprise Security  1997 Entrust Technologies p. 29

“Features and Advantages” ! History • CAST design procedure has been under scrutiny for almost 10 years (both public and private) • minor weaknesses have been found − non-surjective attack, HOD attack but nothing extendable beyond 5-6 rounds • CAST-128 has received most extensive analysis and appears to be strong • CAST-256 inherits the strength of the round fn. Orchestrating Enterprise Security  1997 Entrust Technologies p. 30