Michael J. Wiener

An analysis of the CAST-256 cipher

We examine the cryptographic security of the CAST-256 symmetric block encryption algorithm. The CAST-256 cipher has been proposed as a candidate for the Advanced Encryption Standard currently under consideration by the U.S. National Institute of Standards and Technology (NTST). It has been designed for a 128-bit block size and variable key sizes of up to 256 bits to suit AES requirements. We specifically consider the cryptographic security of the cipher in relation to the cryptanalytic property of diffusion and the cryptanalysis techniques of linear and differential cryptanalysis.

Selected Areas in Cryptography

Block Cipher Cryptanalysis.- Improved DST Cryptanalysis of IDEA.- Improved Related-Key Impossible Differential Attacks on Reduced-Round AES-192.- Related-Key Rectangle Attack on the Full SHACAL-1.- Stream Cipher Cryptanalysis I.- Cryptanalysis of Achterbahn-Version 2.- Cryptanalysis of the Stream Cipher ABC v2.- The Design of a Stream Cipher LEX.- Dial C for Cipher.- Improved Security Analysis of XEX and LRW Modes.- Extended Hidden Number Problem and Its Cryptanalytic Applications.- Changing the Odds Against Masked Logic.- Advances on Access-Driven Cache Attacks on AES.- Blind Differential Cryptanalysis for Enhanced Power Attacks.- Efficient Implementations I.- Efficient Implementations of Multivariate Quadratic Systems.- Unbridle the Bit-Length of a Crypto-coprocessor with Montgomery Multiplication.- Delaying and Merging Operations in Scalar Multiplication: Applications to Curve-Based Cryptosystems.- Stream Cipher Cryptanalysis II.- On the Problem of Finding Linear Approximations and Cryptanalysis of Pomaranch Version 2.- Multi-pass Fast Correlation Attack on Stream Ciphers.- Crossword Puzzle Attack on NLS.- Invited Talk.- When Stream Cipher Analysis Meets Public-Key Cryptography.- Efficient Implementations II.- On Redundant ?-Adic Expansions and Non-adjacent Digit Sets.- Pairing Calculation on Supersingular Genus 2 Curves.- Efficient Divisor Class Halving on Genus Two Curves.- Message Authentication on 64-Bit Architectures.- Some Notes on the Security of the Timed Efficient Stream Loss-Tolerant Authentication Scheme.- Constructing an Ideal Hash Function from Weak Ideal Compression Functions.- Provably Good Codes for Hash Function Design.