Improved Linear Cryptanalysis of CAST-256

Authors: Jing-Yuan Zhao, Mei-Qin Wang, Long Wen

Affiliation:
1. Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, 250100, China
2. School of Mathematics, Shandong University, Jinan, 250100, China
Abstract: CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is designed based on CAST-128. It is a 48-round Generalized-Feistel-Network cipher with a 128-bit block that accepts 128-, 160-, 192-, 224- or 256-bit keys. Its S-boxes are non-surjective, with 8-bit input and 32-bit output. Wang et al. identified a 21-round linear approximation and gave a key recovery attack on 24-round CAST-256. In ASIACRYPT 2012, Bogdanov et al. presented a multidimensional zero-correlation linear cryptanalysis of 28 rounds of CAST-256. By observing the property of the concatenation of a forward quad-round and a reverse quad-round, and by choosing the proper active round function, we construct a linear approximation of 26-round CAST-256 and recover partial key information on 32 rounds of CAST-256. Our result is the best attack in terms of the number of rounds on CAST-256 without a weak-key assumption so far.

Keywords: CAST-256; linear cryptanalysis; block cipher; Generalized-Feistel-Network