The Improved Differential Cryptanalysis Of CAST-128 And CAST-256

Posted on: 2018-05-11
Degree: Master
Type: Thesis
Country: China
Candidate: S M Wang
GTID: 2348330512986577
Subject: Information security professional
Abstract/Summary:
CAST-128 and CAST-256 are two symmetric algorithms designed by Adams in the 1990s. Both adopt the CAST design procedure, which lets them resist differential cryptanalysis, linear cryptanalysis, etc., and gives them a number of desirable cryptographic properties, such as the Strict Avalanche Criterion (SAC) and the Bit Independence Criterion (BIC). CAST-128 is a DES-like Feistel cipher, notably used as the default cipher in some versions of GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP) systems. It has also been approved for Government of Canada use by the Communications Security Establishment. Its block size is 64 bits, and its key size ranges from 40 bits to 128 bits. As an extension of CAST-128, CAST-256 also adopts the CAST design procedure, and it was submitted as a candidate for the Advanced Encryption Standard (AES), though it was not among the five final candidates.

Since CAST-128 and CAST-256 possess desirable cryptographic properties, they are widely used, and many different types of attacks on them have been studied, including differential cryptanalysis, linear cryptanalysis, boomerang cryptanalysis and multidimensional zero-correlation cryptanalysis. In the existing literature, H. Seki et al. proposed a differential cryptanalysis of 36 rounds of modified CAST-256. They recover 74 bits of subkey information with 2^123 chosen plaintexts and 2^95 36-round encryptions. This was the best result on CAST-256 under the weak key assumption before our paper. In addition, J. Zhao et al. presented a linear attack on CAST-256, which is the best linear attack on CAST-256. For CAST-128, M. Wang et al. presented the best differential and linear cryptanalysis. They recover 104 bits of subkey information of 9-round CAST-128 with 2^57 chosen plaintexts and 2^101.8 9-round encryptions. They also proposed a linear cryptanalysis of 6-round CAST-128, with a data complexity of 2^53.96 known plaintexts and a time complexity of 2^88.51 encryptions. The differential attack on 9-round CAST-128 is also under the weak key assumption.

In this paper, we achieve improved differential cryptanalysis of both CAST-128 and CAST-256 based on the techniques of "guess-and-determine" and "accessing differential tables". First, this paper proposes a differential attack on 9-round CAST-128 that recovers all subkeys of 9-round CAST-128 with 2^73 encryptions and 2^58 chosen plaintexts. Although we cannot increase the number of attacked rounds, the time complexity is significantly reduced. Then we mount an improved differential attack on 10 quad-rounds of modified CAST-256, which is one quad-round more than the previous attack. The time complexity of this attack is 2^217 encryptions, and the data complexity is 2^123 chosen plaintexts. As far as we know, these are the best known attacks on CAST-128 and CAST-256 under the weak key assumption.
Keywords/Search Tags: Differential analysis, CAST-128, CAST-256, Weak key assumption