📄 rfc2144.txt
字号:
Network Working Group C. Adams
Request for Comments: 2144 Entrust Technologies
Category: Informational May 1997
The CAST-128 Encryption Algorithm
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Abstract
There is a need in the Internet community for an unencumbered
encryption algorithm with a range of key sizes that can provide
security for a variety of cryptographic applications and protocols.
This document describes an existing algorithm that can be used to
satisfy this requirement. Included are a description of the cipher
and the key scheduling algorithm (Section 2), the s-boxes (Appendix
A), and a set of test vectors (Appendix B).
TABLE OF CONTENTS
STATUS OF THIS MEMO.............................................1
ABSTRACT........................................................1
1. INTRODUCTION.................................................1
2. DESCRIPTION OF ALGORITHM.....................................2
3. INTELLECTUAL PROPERTY CONSIDERATIONS.........................8
4. SECURITY CONSIDERATIONS......................................8
5. REFERENCES...................................................8
6. AUTHOR'S ADDRESS.............................................8
APPENDICES
A. S-BOXES......................................................9
B. TEST VECTORS................................................15
1. Introduction
This document describes the CAST-128 encryption algorithm, a DES-like
Substitution-Permutation Network (SPN) cryptosystem which appears to
have good resistance to differential cryptanalysis, linear
cryptanalysis, and related-key cryptanalysis. This cipher also
possesses a number of other desirable cryptographic properties,
including avalanche, Strict Avalanche Criterion (SAC), Bit
Independence Criterion (BIC), no complementation property, and an
absence of weak and semi-weak keys. It thus appears to be a good
Adams Informational [Page 1]
RFC 2144 CAST-128 Encryption Algorithms May 1997
candidate for general-purpose use throughout the Internet community
wherever a cryptographically-strong, freely-available encryption
algorithm is required.
Adams [Adams] discusses the CAST design procedure in some detail;
analyses can also be obtained on-line (see, for example, [Web1] or
[Web2]).
2. Description of Algorithm
CAST-128 belongs to the class of encryption algorithms known as
Feistel ciphers; overall operation is thus similar to the Data
Encryption Standard (DES). The full encryption algorithm is given in
the following four steps.
INPUT: plaintext m1...m64; key K = k1...k128.
OUTPUT: ciphertext c1...c64.
1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K
(see Sections 2.1 and 2.4).
2. (L0,R0) <-- (m1...m64). (Split the plaintext into left and
right 32-bit halves L0 = m1...m32 and R0 = m33...m64.)
3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
Li = Ri-1;
Ri = Li-1 ^ f(Ri-1,Kmi,Kri), where f is defined in Section 2.2
(f is of Type 1, Type 2, or Type 3, depending on i).
4. c1...c64 <-- (R16,L16). (Exchange final blocks L16, R16 and
concatenate to form the ciphertext.)
Decryption is identical to the encryption algorithm given above,
except that the rounds (and therefore the subkey pairs) are used in
reverse order to compute (L0,R0) from (R16,L16).
See Appendix B for test vectors which can be used to verify
correctness of an implementation of this algorithm.
2.1. Pairs of Round Keys
CAST-128 uses a pair of subkeys per round: a 32-bit quantity Km is
used as a "masking" key and a 5-bit quantity Kr is used as a
"rotation" key.
Adams Informational [Page 2]
RFC 2144 CAST-128 Encryption Algorithms May 1997
2.2. Non-Identical Rounds
Three different round functions are used in CAST-128. The rounds are
as follows (where "D" is the data input to the f function and "Ia" -
"Id" are the most significant byte through least significant byte of
I, respectively). Note that "+" and "-" are addition and subtraction
modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left-
shift operation.
Type 1: I = ((Kmi + D) <<< Kri)
f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
Type 2: I = ((Kmi ^ D) <<< Kri)
f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
Type 3: I = ((Kmi - D) <<< Kri)
f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.
Rounds 2, 5, 8, 11, and 14 use f function Type 2.
Rounds 3, 6, 9, 12, and 15 use f function Type 3.
2.3. Substitution Boxes
CAST-128 uses eight substitution boxes: s-boxes S1, S2, S3, and S4
are round function s-boxes; S5, S6, S7, and S8 are key schedule s-
boxes. Although 8 s-boxes require a total of 8 KBytes of storage,
note that only 4 KBytes are required during actual encryption /
decryption since subkey generation is typically done prior to any
data input.
See Appendix A for the contents of s-boxes S1 - S8.
2.4. Key Schedule
Let the 128-bit key be x0x1x2x3x4x5x6x7x8x9xAxBxCxDxExF, where x0
represents the most significant byte and xF represents the least
significant byte.
Let z0..zF be intermediate (temporary) bytes.
Let Si[] represent s-box i and let "^" represent XOR addition.
Adams Informational [Page 3]
RFC 2144 CAST-128 Encryption Algorithms May 1997
The subkeys are formed from the key x0x1x2x3x4x5x6x7x8x9xAxBxCxDxExF
as follows.
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
K2 = S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6]
K3 = S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9]
K4 = S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K5 = S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8]
K6 = S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD]
K7 = S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3]
K8 = S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K9 = S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9]
K10 = S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC]
K11 = S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2]
K12 = S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K13 = S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3]
K14 = S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7]
K15 = S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8]
K16 = S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD]
Adams Informational [Page 4]
RFC 2144 CAST-128 Encryption Algorithms May 1997
[The remaining half is identical to what is given above, carrying on
from the last created x0..xF to generate keys K17 - K32.]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K17 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
K18 = S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6]
K19 = S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9]
K20 = S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K21 = S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8]
K22 = S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD]
K23 = S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3]
K24 = S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K25 = S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9]
K26 = S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC]
K27 = S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2]
K28 = S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K29 = S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3]
K30 = S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7]
K31 = S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8]
K32 = S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD]
2.4.1. Masking Subkeys And Rotate Subkeys
Let Km1, ..., Km16 be 32-bit masking subkeys (one per round).
Let Kr1, , Kr16 be 32-bit rotate subkeys (one per round); only the
least significant 5 bits are used in each round.
for (i=1; i<=16; i++) { Kmi = Ki; Kri = K16+i; }
Adams Informational [Page 5]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -