Improved Differential Cryptanalysis of CAST-128 and CAST-256

Abstract

CAST-128 and CAST-256 are two symmetric algorithms designed by Adams in 1990s. Both of them adopt the CAST design procedure which makes them process a number of desirable cryptographic. CAST-128 is notably used as the default cipher in some versions of GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP) systems. As an extension of CAST-128, CAST-256 was submitted as a candidate for the Advanced Encryption Standard (AES). Since they are widely used, there are many different attacks on them. Differential cryptanalysis is one of the most powerful tools. In this paper, we achieve improved differential cryptanalysis of both CAST-128 and CAST-256 based on the technique of accessing differential tables. Firstly, we propose a differential attack on 9-round CAST-128 with \(2^{73}\) encryptions and \(2^{58}\) chosen plaintexts. Although we cannot improve the number of attacked rounds, the time complexity is significantly reduced. Then we mount an improved differential attack on 10 quad-rounds of modified CAST-256 which increase one quad-round than previous attack. The time complexity of this attack is \(2^{217}\) encryptions, and the data complexity is \(2^{123}\) chosen plaintexts. As far as we know, these are the best known attacks on CAST-128 and CAST-256 under weak key assumption.