24-12-2012, 06:23 PM
The CAST-256 Encryption Algorithm
Algorithm Specification
CAST-128 Notation
The following notation from CAST-128 [A97b, A97c] is relevant to CAST-256.
· CAST-128 uses a pair of subkeys per round: a 5-bit quantity k_ri is used as a
“rotation” key for round i and a 32-bit quantity k_mi is used as a “masking” key for
round i.
· Three different round functions are used in CAST-128. The rounds are as follows
(where D is the data input to the operation, I_a - I_d are the most significant byte
through least significant byte of I, respectively, S_i is the i-th s-box (see following
page for s-box definitions), and O is the output of the operation). Note that + and -
are addition and subtraction modulo 2^32, ⊕ is bitwise eXclusive-OR, and <<< is the
circular left-shift operation.
Design Rationale
Overall Structure
The fundamental mechanism for the expansion of a 64-bit block size to a larger block
size is the generalization of the basic Feistel network (Schneier and Kelsey [SK96] have
referred to the structure used here as an “incomplete” Feistel network). The motivation is
as follows. In a traditional Feistel network (such as DES), rather than thinking of the
exchange of left and right halves in each round as a “swap”, it may be viewed as a
circular right-shift of 32 bits. Such a view allows one to consider a cipher with a block
size of 32n bits, which uses the same round function as the original cipher but requires n
rounds (instead of 2) to input all bits of the block to the round function.
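
The shift view of a Feistel round described above, as an added Python example that is not part of the original paper or post. The round function toy_f is a hypothetical stand-in (it is not a CAST round function and uses no s-boxes), and the subkeys and block are constructed sample values.

```python
MASK32 = 0xFFFFFFFF

def rotl32(x, r):
    """Circular left shift of a 32-bit word by r bits."""
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK32

def toy_f(d, km, kr):
    """Stand-in round function (assumption): NOT a CAST round function, no s-boxes."""
    i = rotl32((km + d) & MASK32, kr)        # mask with km, rotate by the 5-bit kr
    return ((i * 0x9E3779B1) ^ (i >> 15)) & MASK32

def round_forward(words, km, kr):
    """XOR f(last word) into its neighbour, then circular right-shift by 32 bits."""
    w = list(words)
    w[-2] ^= toy_f(w[-1], km, kr)
    return [w[-1]] + w[:-1]

def round_inverse(words, km, kr):
    """Undo the 32-bit shift, then remove the same f output."""
    w = list(words[1:]) + [words[0]]
    w[-2] ^= toy_f(w[-1], km, kr)
    return w

def classic_feistel_round(left, right, km, kr):
    """Textbook two-half Feistel round written with an explicit swap."""
    return [right, left ^ toy_f(right, km, kr)]

def encrypt(words, subkeys):
    for km, kr in subkeys:
        words = round_forward(words, km, kr)
    return words

def decrypt(words, subkeys):
    for km, kr in reversed(subkeys):
        words = round_inverse(words, km, kr)
    return words

def rounds_to_cover(n):
    """Rounds needed until every one of the n word positions has entered f."""
    slots, fed, rounds = list(range(n)), set(), 0
    while len(fed) < n:
        fed.add(slots[-1])                  # the last word is the input to f
        slots = [slots[-1]] + slots[:-1]    # same 32-bit circular right shift
        rounds += 1
    return rounds

# Constructed sample data: 8 subkey pairs (km, kr) and a 4-word (128-bit) block.
SUBKEYS = [((0x01234567 * (i + 1)) & MASK32, (7 * i + 3) & 31) for i in range(8)]
BLOCK = [0x00112233, 0x44556677, 0x8899AABB, 0xCCDDEEFF]
```

With two words, round_forward reproduces the textbook swap; with four words, the same code needs four rounds before every word has entered the round function.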