Linear Analysis of reduced-round CAST-128 and CAST-256

1
Linear Analysis of reduced-round CAST-128 and
CAST-256

• Jorge Nakahara Jr1
• Mads Rasmussen2
• 1 UNISANTOS, Brazil
• 2 LSI-TEC, PKI Certification department

2
Summary

• The CAST-128 and CAST-256 Block Ciphers
• Linear Cryptanalysis brief overview
• Linear Analysis of CAST-128 and CAST-256
• Attack Details
• Conclusions and Open Problems

3
CAST-128

• 64-bit iterated block cipher
• key 40 bits up to 128 bits (increments of 8
  bits)
• 12 up to 16 rounds
• Feistel Network structure
• designed by C. Adams and S.Tavares (1996)
• S-box design procedure patented by Entrust
  Technologies Inc U.S. patent 5,511,123, filed
  Aug. 4, 1994, issued Apr. 3, 1996

4
CAST-128

• CAST-128 is part of the GnuPG suite of
  cryptographic algorithms (nicknamed CAST-5)
• CAST-128 uses fixed 8x32-bit S-boxes for
  encryption and decryption (S1, S2, S3, S4) and
  for the key schedule (S5, S6, S7, S8)
• round operations , -, ltltlt, ?
• three round functions f1, f2 and f3
• An official algorithm for use with the Canadian
  Government
• http//www.cse-cst.gc.ca/services/crypto-service
  s/crypto-algorithms-e.html

5
CAST-128
f1
f2
Round functions
f3
6
CAST-256

• a former candidate to the Advanced Encryption
  Standard (AES) Development Process (1997)
• 128-bit iterated block cipher
• 128-, 192- and 256-bit key
• 48 rounds for all key sizes
• generalized Feistel Network structure
• S-box design procedure patented by Entrust
  Technologies Inc U.S. patent 5,511,123, filed
  Aug. 4, 1994, issued Apr. 3, 1996

7
CAST-256

• one quad-round

f2
f3
f1
f1
8
CAST-256

• full CAST-256 six quad-rounds six inverse
  quad-rounds

f1
one inverse quad-round one quad-round upside
down
f3
f2
f1
9
Linear Cryptanalysis

• developed by Mitsuru Matsui (Mitsubishi Corp)
• first ideas Adi Shamir (DES S-boxes parity),
  1994
• applied to FEAL-4 cipher (Sean Murphy, 1989),
  then to FEAL-8, DES (Matsui, 1991-1993)
• known-plaintext (KP) attack (sometimes, can also
  work in a ciphertext-only setting)
• general cryptanalytic technique used against
  block ciphers, stream ciphers, and other crypto
  algorithms

10
Linear Cryptanalysis

• basic tool (some notions)
• linear relation, a linear combination of bits of
  plaintext, ciphertext and key
• linear approximation Boolean function holding
  with non-uniform parity (away from ½)
• bias difference between 0-parity and ½
• the higher the bias, the more effective the
  linear approximation
• number of KP for a high success attack ? bias-2

11
Linear Cryptanalysis

• strategy derive linear approximations for each
  individual cipher components
• non-linear components are the main targets
• combine linear approximations of consecutive
  components, until reach a full round
• for multiple rounds, use Matsuis Piling-Up Lemma
• this Lemma assumes all round approximations are
  independent, which is not always true (but is
  usually good enough for practical purposes, e.g.
  DES)

12
Linear Analysis of CAST-128

• 8x32-bit S-boxes are always non-surjective
  mappings
• Modular addition and substraction in round
  function F
• motivation for linear approximations of the form
  08 ? ?32, across the S-box, where ?32 is a
  nonzero bit mask
• bias for all S-boxes S1,...,S4 with mask ?321 is
  2-5
• we use ?321 (least significant bit) to bypass
  the modular addition and subtraction after the
  S-boxes in the round function

13
Linear Analysis of CAST-128
f1
14
Linear Analysis of CAST-128

• iterative linear relations input and output bit
  masks are identical, so that it can be
  concatenated to itself, with a fixed decrease in
  the bias
• for CAST-128 2-round iterative linear relations
  w 1 active F

15
Linear Analysis of CAST-128

• iterative linear relations input and output bit
  masks are identical, so that it can be
  concatenated to itself, with a fixed decrease in
  the bias
• for CAST-128 2-round iterative linear relations
  w 1 active F

16
Linear Analysis of CAST-256

• CAST-256 S-boxes are the same as for CAST-128
• thus, the same bit masks are used 0 ? 1
• similarly, we look for iterative linear relations
• result 4-round iterative linear relations, or
  one quad-round iterative linear relations.

17
Linear Analysis of CAST-256
18
Linear Analysis of CAST-256
1 active F per quad-round
19
Linear Analysis of CAST-256
Other combinations
20
Linear Analysis of CAST-256
Bit mask controls active F
21
Attack Results on reduced-round CAST-128
Rounds Data/Memory Time Comments
2 237 237 distinguishing attack
3 237 237 distinguishing attack
4 237 272.5 key-recovery attack
22
Attack Results on reduced-round CAST-256
Rounds Data/Memory Time Comments
4 237 237 distinguishing attack
5 237 271.7 key-recovery attack
8 269 269 distinguishing attack
9 269 2103 key-recovery attack
12 2101 2101 distinguishing attack
23
Conclusions

• first known-plaintext attack reported on
  (reduced-round) CAST-128 and CAST-256
• attacks exploit non-surjectivity of 8x32-bit S-
  boxes (happens for any such mappings)

24
Open Problems

• we found quadratic equations for all four S-boxes
  S1,...,S4 of CAST-128/CAST-256.
• The question is can we use them in a (pure)
  algebraic attack?
• what about combining linear and quadratic
  equations??

25
Linear Analysis of reduced-round CAST-128 and
CAST-256

• Jorge Nakahara Jr1
• Mads Rasmussen2
• 1 UNISANTOS, Brazil
• 2 LSI-TEC, PKI Certification department