Abstract

CAST-256 (or CAST6) is a symmetric-key block cipher published in June 1998. It was submitted as a candidate for the Advanced Encryption Standard (AES). In this paper, we propose a new chosen-text attack, the multiple differential-zero correlation linear attack, to analyze the CAST-256 block cipher. Measured by the number of rounds attacked, our attack is the best known attack on CAST-256 without the weak-key assumption. We first construct a 30-round differential-zero correlation linear distinguisher. Based on the distinguisher, we propose a first 33-round attack on CAST-256 with data complexity of $2^{115.63}$ and time complexity of $2^{238.26}$. In the end, the 111-bit subkey is recovered.
