The CAST128 Encryption Algorithm
RFC 2144
Document  Type 
RFC  Informational
(May 1997; No errata)
Was draftrfcedinfoadams (individual)



Last updated  20130302  
Stream  Legacy  
Formats  plain text html pdf htmlized bibtex  
Stream  Legacy state  (None)  
Consensus Boilerplate  Unknown  
RFC Editor Note  (None)  
IESG  IESG state  RFC 2144 (Informational)  
Telechat date  
Responsible AD  (None)  
Send notices to  (None) 
Network Working Group C. Adams Request for Comments: 2144 Entrust Technologies Category: Informational May 1997 The CAST128 Encryption Algorithm Status of this Memo This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract There is a need in the Internet community for an unencumbered encryption algorithm with a range of key sizes that can provide security for a variety of cryptographic applications and protocols. This document describes an existing algorithm that can be used to satisfy this requirement. Included are a description of the cipher and the key scheduling algorithm (Section 2), the sboxes (Appendix A), and a set of test vectors (Appendix B). TABLE OF CONTENTS STATUS OF THIS MEMO.............................................1 ABSTRACT........................................................1 1. INTRODUCTION.................................................1 2. DESCRIPTION OF ALGORITHM.....................................2 3. INTELLECTUAL PROPERTY CONSIDERATIONS.........................8 4. SECURITY CONSIDERATIONS......................................8 5. REFERENCES...................................................8 6. AUTHOR'S ADDRESS.............................................8 APPENDICES A. SBOXES......................................................9 B. TEST VECTORS................................................15 1. Introduction This document describes the CAST128 encryption algorithm, a DESlike SubstitutionPermutation Network (SPN) cryptosystem which appears to have good resistance to differential cryptanalysis, linear cryptanalysis, and relatedkey cryptanalysis. This cipher also possesses a number of other desirable cryptographic properties, including avalanche, Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no complementation property, and an absence of weak and semiweak keys. It thus appears to be a good Adams Informational [Page 1] RFC 2144 CAST128 Encryption Algorithms May 1997 candidate for generalpurpose use throughout the Internet community wherever a cryptographicallystrong, freelyavailable encryption algorithm is required. Adams [Adams] discusses the CAST design procedure in some detail; analyses can also be obtained online (see, for example, [Web1] or [Web2]). 2. Description of Algorithm CAST128 belongs to the class of encryption algorithms known as Feistel ciphers; overall operation is thus similar to the Data Encryption Standard (DES). The full encryption algorithm is given in the following four steps. INPUT: plaintext m1...m64; key K = k1...k128. OUTPUT: ciphertext c1...c64. 1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K (see Sections 2.1 and 2.4). 2. (L0,R0) < (m1...m64). (Split the plaintext into left and right 32bit halves L0 = m1...m32 and R0 = m33...m64.) 3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows: Li = Ri1; Ri = Li1 ^ f(Ri1,Kmi,Kri), where f is defined in Section 2.2 (f is of Type 1, Type 2, or Type 3, depending on i). 4. c1...c64 < (R16,L16). (Exchange final blocks L16, R16 and concatenate to form the ciphertext.) Decryption is identical to the encryption algorithm given above, except that the rounds (and therefore the subkey pairs) are used in reverse order to compute (L0,R0) from (R16,L16). See Appendix B for test vectors which can be used to verify correctness of an implementation of this algorithm. 2.1. Pairs of Round Keys CAST128 uses a pair of subkeys per round: a 32bit quantity Km is used as a "masking" key and a 5bit quantity Kr is used as a "rotation" key. Adams Informational [Page 2] RFC 2144 CAST128 Encryption Algorithms May 1997 2.2. NonIdentical Rounds Three different round functions are used in CAST128. The rounds are as follows (where "D" is the data input to the f function and "Ia"  "Id" are the most significant byte through least significant byte of I, respectively). Note that "+" and "" are addition and subtraction modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left shift operation. Type 1: I = ((Kmi + D) <<< Kri) f = ((S1[Ia] ^ S2[Ib])  S3[Ic]) + S4[Id] Type 2: I = ((Kmi ^ D) <<< Kri) f = ((S1[Ia]  S2[Ib]) + S3[Ic]) ^ S4[Id] Type 3: I = ((Kmi  D) <<< Kri) f = ((S1[Ia] + S2[Ib]) ^ S3[Ic])  S4[Id] Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.Show full document text