CAST-256 (CAST6) is a symmetric-key block cipher published in June 1998. It was submitted as a candidate for the Advanced Encryption Standard (AES) but was not among the five AES finalists. It is an extension of the earlier cipher CAST-128; both were designed according to the “CAST” design procedure. CAST-256 reuses the components of CAST-128, including its S-boxes, but is adapted to a 128-bit block, twice the 64-bit block of its predecessor. It consists of 48 rounds, usually described as 12 “quad-rounds”, arranged in a generalized Feistel network.
Differential cryptanalysis is usually a chosen-plaintext attack, applicable primarily to block ciphers. It was introduced in 1990 by Biham and Shamir [2]. Linear cryptanalysis was introduced by Matsui [9]; it is a known-plaintext attack proposed in 1993 to break the Data Encryption Standard (DES).
Linear and differential cryptanalysis are basic tools for evaluating the security of block ciphers. Both methods were applied to break DES faster than exhaustive key search [3, 9], and both have proved effective against a large class of symmetric ciphers.
A differential-linear attack combines linear and differential cryptanalysis. It was introduced by Langford and Hellman [8] in 1994 and applied to break 8-round DES. The attack uses a differential characteristic over part of the cipher that holds with probability 1. The rounds immediately following the differential characteristic are covered by a linear approximation, and for each chosen-plaintext pair the probability that the linear approximation holds for one plaintext but not the other is expected to be lower for the correct key. The attack was generalized by Biham, Dunkelman and Keller [1] in 2002 to use differential characteristics with probability less than 1.
A zero-correlation linear attack is a promising key-recovery technique for block ciphers developed by Bogdanov et al. [6, 7]. It extends linear cryptanalysis to linear approximations with probability exactly 1/2, that is, with correlation exactly zero.
The best cryptanalysis so far in the classical single-key model without the weak-key assumption has been a linear attack on 32 rounds. We find a 30-round differential-zero correlation linear distinguisher for CAST-256 and attack 33 rounds of CAST-256 using multidimensional differential-zero correlation linear cryptanalysis. By number of rounds, this is the best known attack on CAST-256 without the weak-key assumption.
In this paper, we propose a new method, the multiple differential-zero correlation linear attack, to analyze the CAST-256 block cipher. By constructing a 30-round distinguisher using the new method, we propose an attack on 33-round CAST-256 with data complexity of
Our paper is organized as follows: Section 2 provides a brief description of CAST-256. Section 3 introduces our new method of multiple differential-zero correlation linear attack. In Section 4, we present details of the 30-round multiple differential-zero correlation linear distinguisher. The 33-round multiple differential-zero correlation linear attack on CAST-256 is discussed in detail in Section 5. We summarize our results in Section 6.
2 Description of CAST-256
CAST-256 is designed based on CAST-128. It accepts keys of 128, 160, 192 or 256 bits and encrypts and decrypts data in blocks of 128 bits. Its S-boxes
The forward quad-round
The reverse quad-round
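The quad-round equations referred to above are not reproduced on this page. What follows is an added example, not the paper's code: a Python model of the CAST-256 quad-round structure in the operation order of RFC 2612. The three round-function shapes f1, f2, f3 and the word order of the forward and reverse quad-rounds are those of the specification, while the S-boxes and subkeys are seeded random placeholders (the genuine tables are 1024 constants and are omitted), so the model is not interoperable with CAST-256. It checks that the reverse quad-round inverts the forward one and traces how a difference confined to one 32-bit word moves through the rounds: because each round only XORs a function of one word into another, a difference in a word that the next rounds do not read stays put with probability 1, which is the kind of truncated differential the distinguisher of Section 4.1 is built from (the paper's own 2-round characteristic is not reproduced here).

```python
"""Structural model of the CAST-256 quad-rounds, in the operation order of RFC 2612.

Added example, not code from the paper. The genuine 8x32 S-boxes S1..S4 and the key
schedule are not reproduced here (1024 constants); PLACEHOLDER_SBOXES and the subkeys
are seeded random tables standing in for them, so this models the network structure
and the round-function shapes, not an interoperable CAST-256.
"""
import random

MASK32 = 0xFFFFFFFF
_rng = random.Random(2612)  # fixed seed: the placeholders are reproducible
# Placeholder S-boxes: four tables of 256 random 32-bit words standing in for S1..S4.
PLACEHOLDER_SBOXES = [[_rng.getrandbits(32) for _ in range(256)] for _ in range(4)]


def rotl32(x, r):
    """Rotate a 32-bit word left by r (0..31) bits."""
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK32


def _bytes_of(i):
    """Split a 32-bit word into its four bytes, most significant first (Ia, Ib, Ic, Id)."""
    return (i >> 24) & 0xFF, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF


def f1(d, km, kr):
    """Type-1 round function: I = (Km + D) <<< Kr; f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]."""
    s1, s2, s3, s4 = PLACEHOLDER_SBOXES
    ia, ib, ic, id_ = _bytes_of(rotl32((km + d) & MASK32, kr))
    return (((s1[ia] ^ s2[ib]) - s3[ic]) + s4[id_]) & MASK32


def f2(d, km, kr):
    """Type-2 round function: I = (Km ^ D) <<< Kr; f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]."""
    s1, s2, s3, s4 = PLACEHOLDER_SBOXES
    ia, ib, ic, id_ = _bytes_of(rotl32(km ^ d, kr))
    return (((s1[ia] - s2[ib]) + s3[ic]) ^ s4[id_]) & MASK32


def f3(d, km, kr):
    """Type-3 round function: I = (Km - D) <<< Kr; f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]."""
    s1, s2, s3, s4 = PLACEHOLDER_SBOXES
    ia, ib, ic, id_ = _bytes_of(rotl32((km - d) & MASK32, kr))
    return (((s1[ia] + s2[ib]) ^ s3[ic]) - s4[id_]) & MASK32


# A quad-round is four rounds on the 32-bit words (A, B, C, D) = indices (0, 1, 2, 3).
# Each entry is (target word, source word, round function). Forward order (RFC 2612):
#   C ^= f1(D); B ^= f2(C); A ^= f3(B); D ^= f1(A)
FORWARD = ((2, 3, f1), (1, 2, f2), (0, 1, f3), (3, 0, f1))
# The reverse quad-round is the same four rounds applied in the opposite order,
# which is exactly what makes it the inverse of the forward quad-round.
REVERSE = tuple(reversed(FORWARD))


def random_subkeys(seed=0):
    """Placeholder subkeys: (Km, Kr) per round, a 32-bit masking key and a 5-bit rotation."""
    r = random.Random(seed)
    return {i: (r.getrandbits(32), r.getrandbits(5)) for i in range(4)}


def quad_round_trace(state, subkeys, order):
    """Apply the four rounds in `order` and return the state after each round.

    `subkeys[i]` belongs to round i of the FORWARD order, so forward and reverse
    quad-rounds use the same subkey for the same round, as in the cipher."""
    words = list(state)
    trace = []
    for step in order:
        target, source, f = step
        km, kr = subkeys[FORWARD.index(step)]
        words[target] ^= f(words[source], km, kr)
        trace.append(tuple(words))
    return trace


def forward_quad_round(state, subkeys):
    return quad_round_trace(state, subkeys, FORWARD)[-1]


def reverse_quad_round(state, subkeys):
    return quad_round_trace(state, subkeys, REVERSE)[-1]


def difference_pattern(state1, state2, subkeys, order, rounds):
    """Which words of (A, B, C, D) differ after `rounds` rounds of the given order.

    Each round only XORs f(source) into target, so a difference confined to a word
    that no following round reads stays exactly where it is: a truncated differential
    that holds with probability 1, whatever the S-boxes and subkeys are."""
    t1 = quad_round_trace(state1, subkeys, order)[rounds - 1]
    t2 = quad_round_trace(state2, subkeys, order)[rounds - 1]
    return tuple(x != y for x, y in zip(t1, t2))


if __name__ == "__main__":
    keys = random_subkeys()
    x = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
    assert reverse_quad_round(forward_quad_round(x, keys), keys) == x
    x_a = (x[0] ^ 0x80000000, x[1], x[2], x[3])  # difference only in word A
    for r in range(1, 5):
        print("forward, diff in A, after", r, "rounds:",
              difference_pattern(x, x_a, keys, FORWARD, r))
```

Run as a script, it prints the pattern of differing words after 1 to 4 forward rounds for a difference placed in A: only A differs through round 3, and D normally picks up a difference in round 4, the first round whose source word is A. The mirror image holds for the reverse quad-round, where a difference in D survives its first three rounds unchanged.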
3 Multiple differential-zero correlation linear attack
We propose a new cryptanalytic method, called the multiple differential-zero correlation linear attack, which combines differential cryptanalysis with multiple linear cryptanalysis using approximations of correlation exactly zero.
To define a differential-linear distinguisher, we need to treat the block cipher E (
Let p and
with probability 1. The differential-zero correlation linear distinguisher is concerned with the event
By the assumptions used in  we have
We have the following relationship between the probability distribution of z and the correlations
We assume that the correlations of all linear equations and their nonzero linear combinations are equal to zero. It follows that
We select N distinct
Then we can construct, as shown above, a function
For sufficiently large sample size N and number l of zero-correlation linear approximations given for the cipher, the statistic T has two distinct distributions:
- (1) For the cipher exhibiting zero correlation, the statistic T follows a -distribution with mean and variance as follows:
- (2) For a randomly drawn permutation, which models a wrong key, the statistic T follows a -distribution with mean and variance
The proof of this proposition is available in .
4 The 30-round differential-zero correlation linear distinguisher
In this section, we first present a 30-round differential-linear distinguisher, which consists of a 2-round differential characteristic with probability 1 followed by a 28-round linear approximation with correlation 0.
The 30-round differential-zero correlation linear distinguisher is made of a 28-round linear approximation
4.1 The 2-round differential characteristic
The 2-round truncated differential
4.2 The 28-round zero correlation linear characteristic
The construction of the 28-round linear characteristic is illustrated in Figure 4; it covers rounds 9 to 36 (four forward quad-rounds followed by three reverse quad-rounds).
5 Key recovery attack on 33-round CAST-256
We use the 30-round differential zero-correlation linear approximations to attack 33 rounds of CAST-256.
The attack works as follows:
- (1) Choose λ structures , , where a structure is defined as a set of plaintexts in which the 64 bits take all possible values and the other 64 bits are fixed, . In a chosen-plaintext scenario, obtain the ciphertexts for all plaintexts in each of the λ structures; we denote the ciphertext for plaintext by .
- (2) Allocate a 32-bit global counter V[z] for each of the possible values of the 32-bit vector z and set it to 0. V[z] will hold the number of times the value z occurs for the current key guess; z is the evaluation of the 32 basis zero-correlation masks.
- (3) Guess a value for and do as follows:
  - (a) Partially encrypt every plaintext with the guessed to get its intermediate value immediately after 2 rounds, and denote it by .
  - (b) , and denote the resulting value by .
  - (c) Partially decrypt with the guessed to get its plaintext, find that plaintext in , and denote it by ; the corresponding ciphertext for is denoted by .
  - (d) Guess a value for and do as follows:
    - (i) For each pair of ciphertexts, partially decrypt it with the guessed to get the pair of 32-bit values concerned by the output mask, compute , , and increment V[z] when is zero.
    - (ii) Compute the statistic T for this distribution.
    - (iii) If the guess for belongs to the first φ guesses for , record the guess; otherwise, remove the guess with the smallest deviation from the φ guesses.
In this attack, we set
The data complexity suggested by Bogdanov in [5, Corollary 2] is
The time complexity of steps 3(a) and 3(c) is
The time complexity of step 3(d) is
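The counting and ranking procedure of steps 2 and 3 above, together with the statistic T of Section 3, run end to end on a constructed 12-bit toy cipher, as an added example that is not the paper's code. Everything in the toy is constructed here: the round function F1, the public permutation P, the last-layer key, and the three basis masks; its zero-correlation property is a one-round Feistel-style one rather than the paper's 30-round distinguisher, and T is computed in the plain Pearson chi-square form because the paper's normalization and its mean and variance constants are not reproduced on this page. What it shows is the mechanism the attack relies on: under the correct last-layer key the vector z is exactly uniform over the full codebook, so V[z] is flat and T = 0, whereas every wrong key turns the recovered intermediate value into a nonlinear image of the true one, z is no longer uniform, and T grows, so keeping the guesses with the smallest T recovers the key.

```python
"""Multidimensional zero-correlation key recovery on a constructed toy cipher.

Added example, not code from the paper: the toy cipher, its masks and its final
keyed layer are built here so that steps 2 and 3 of the attack (counters V[z],
statistic T, keep the phi best guesses) can be run end to end. The block is
12 bits, x = (u, v) with 6-bit halves, so every key guess is exhaustively tested.
"""
import random

HALF = 6
HALF_MASK = (1 << HALF) - 1
_rng = random.Random(256)

# Constructed public components standing in for the cipher's fixed round functions.
F1 = [_rng.getrandbits(HALF) for _ in range(1 << HALF)]  # 6-bit to 6-bit round function
P = list(range(1 << HALF))                                # final public permutation P
_rng.shuffle(P)
P_INV = [0] * (1 << HALF)
for i, y in enumerate(P):
    P_INV[y] = i
RIGHT_KEY = 0b101101                                      # the secret last-layer key
PARITY = [bin(i).count("1") & 1 for i in range(1 << HALF)]


def encrypt(x, key=RIGHT_KEY):
    """One Feistel-style round s = u ^ F1(v), then s is hidden behind P and the key.
    Ciphertext (c1, c2) = (P(s) ^ key, v); the masks below only touch s, not v."""
    u, v = x >> HALF, x & HALF_MASK
    s = u ^ F1[v]
    return ((P[s] ^ key) << HALF) | v


# Basis approximations (a_i, b_i): input mask a_i = bit i of u, output mask b_i = bit i+3 of s.
# Any nonzero combination has alpha != beta, so <alpha,u> ^ <beta,s> = <alpha^beta,u> ^ <beta,F1(v)>
# is balanced in u for every fixed v: correlation exactly zero. That is the zero-correlation
# property the right key exhibits; a wrong key replaces s by a nonlinear image of s and destroys it.
M = 3
IN_MASKS = [1 << i for i in range(M)]
OUT_MASKS = [1 << (i + 3) for i in range(M)]
L = 1 << M                                                # number of counters V[z]


def partial_decrypt(c, key_guess):
    """Undo the last layer under a guessed key: s' = P^-1(c1 ^ key_guess)."""
    return P_INV[(c >> HALF) ^ key_guess]


def counters(pairs, key_guess):
    """Steps 2 and 3(d)(i): V[z] counts how often z = (<a_i,u> ^ <b_i,s'>)_i occurs."""
    v = [0] * L
    for p, c in pairs:
        u = p >> HALF
        s = partial_decrypt(c, key_guess)
        z = 0
        for i in range(M):
            z |= (PARITY[u & IN_MASKS[i]] ^ PARITY[s & OUT_MASKS[i]]) << i
        v[z] += 1
    return v


def statistic(v):
    """Step 3(d)(ii): Pearson chi-square distance of V[z] from the uniform distribution.
    A correct guess makes z uniform (exactly so on the full codebook), so T is small;
    a wrong guess behaves like a random permutation and T is larger."""
    n = sum(v)
    expected = n / L
    return sum((x - expected) ** 2 for x in v) / expected


def rank_guesses(pairs, phi):
    """Step 3(d)(iii): score every key guess and keep the phi with the smallest T."""
    scored = sorted((statistic(counters(pairs, k)), k) for k in range(1 << HALF))
    return scored[:phi]


def collect_pairs(n_plaintexts, key=RIGHT_KEY):
    """Chosen-plaintext data: n distinct plaintexts (the full codebook when n == 2^12)."""
    plaintexts = random.Random(1).sample(range(1 << (2 * HALF)), n_plaintexts)
    return [(p, encrypt(p, key)) for p in plaintexts]


if __name__ == "__main__":
    pairs = collect_pairs(1 << (2 * HALF))
    for t, k in rank_guesses(pairs, 4):
        print(f"key guess {k:06b}: T = {t:.2f}", "(right key)" if k == RIGHT_KEY else "")
```

On the full codebook the right key is the unique guess with T = 0; with fewer plaintexts it is still the guess with the smallest T on average, which is why step 3(d)(iii) retains the φ lowest-scoring candidates rather than a single one. In the CAST-256 attack the same loop runs with 2^32 counters over 32 basis masks and is repeated for every guess of the outer subkeys, which is what the data and time complexities above account for.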
In this paper, we have presented a new attack, the multiple differential-zero correlation linear attack. By analyzing the property of the concatenation of a forward quad-round and a reverse quad-round, we construct a 30-round distinguisher for CAST-256. Based on this distinguisher, we propose the first 33-round attack on CAST-256 (the largest number of rounds attacked without the weak-key assumption) with data complexity of
[1] E. Biham, O. Dunkelman and N. Keller, Enhancing differential-linear cryptanalysis, Advances in Cryptology – ASIACRYPT 2002, Lecture Notes in Comput. Sci. 2501, Springer, Berlin (2002), 254–266.
[2] E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Advances in Cryptology – CRYPTO ’90, Lecture Notes in Comput. Sci. 537, Springer, Berlin (1990), 2–21.
[3] E. Biham and A. Shamir, Differential cryptanalysis of the full 16-round DES, Advances in Cryptology – CRYPTO ’92, Lecture Notes in Comput. Sci. 740, Springer, Berlin (1993), 487–496.
[4] A. Bogdanov, G. Leander, K. Nyberg and M. Wang, Integral and multidimensional linear distinguishers with correlation zero, preprint (2012), https://www.iacr.org/archive/asiacrypt2012/76580239/76580239.pdf.
[5] A. Bogdanov, G. Leander, K. Nyberg and M. Wang, Integral and multidimensional linear distinguishers with correlation zero, Advances in Cryptology – ASIACRYPT 2012, Lecture Notes in Comput. Sci. 7658, Springer, Berlin (2012), 244–261.
[6] A. Bogdanov and V. Rijmen, Linear hulls with correlation zero and linear cryptanalysis of block ciphers, Des. Codes Cryptogr. 70 (2014), 369–383.
[7] A. Bogdanov and M. Wang, Zero correlation linear cryptanalysis with reduced data complexity, Fast Software Encryption – FSE ’12, Lecture Notes in Comput. Sci. 7549, Springer, Berlin (2012), 29–48.
[8] S. K. Langford and M. E. Hellman, Differential-linear cryptanalysis, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Comput. Sci. 839, Springer, Berlin (1994), 17–25.
[9] M. Matsui, Linear cryptanalysis method for DES cipher, Advances in Cryptology – EUROCRYPT ’93, Lecture Notes in Comput. Sci. 765, Springer, Berlin (1994), 386–397.
[10] M. Matsui and A. Yamagishi, A new method for known plaintext attack of FEAL cipher, Advances in Cryptology – EUROCRYPT ’92, Lecture Notes in Comput. Sci. 658, Springer, Berlin (1993), 81–91.
[11] J. J. Nakahara and M. Rasmussen, Linear analysis of reduced-round CAST-128 and CAST-256, Proceedings of the 7th Brazilian Symposium on Information and Computer System Security, Federal University of Rio de Janeiro, Rio de Janeiro (2007), 45–55.
[12] D. Wagner, The boomerang attack, Fast Software Encryption – FSE ’99, Lecture Notes in Comput. Sci. 1636, Springer, Berlin (1999), 156–170.
[13] M. Q. Wang, X. Y. Wang and C. H. Hu, New linear cryptanalytic results of reduced-round of CAST-128 and CAST-256, Selected Areas in Cryptography – SAC 2008, Lecture Notes in Comput. Sci. 5381, Springer, Berlin (2009), 429–441.
[14] J. Y. Zhao, M. Q. Wang and L. Wen, Improved linear cryptanalysis of CAST-256, J. Comput. Sci. Tech. 29 (2014), 1134–1139.