RFC 2612 (rfc2612)


The CAST-256 Encryption Algorithm




RFC 2612           The CAST-256 Encryption Algorithm           June 1999


1. Introduction

   This document describes the CAST-256 encryption algorithm, a DES-like
   Substitution-Permutation Network (SPN) cryptosystem built upon the
   CAST-128 encryption algorithm [1] which appears to have good
   resistance to differential cryptanalysis, linear cryptanalysis, and
   related-key cryptanalysis.  This cipher also possesses a number of
   other desirable cryptographic properties, including avalanche, Strict
   Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no
   complementation property, and an absence of weak and semi-weak keys.
   It thus appears to be a good candidate for general-purpose use
   throughout the Internet community wherever a cryptographically-
   strong, freely-available encryption algorithm is required.

   CAST-256 has a block size of 128 bits and a variable key size (128,
   160, 192, 224, or 256 bits).

2. CAST-256 Algorithm Specification

2.1 CAST-128 Notation

   The following notation from CAST-128 [1] is relevant to CAST-256.

      CAST-128 uses a pair of subkeys per round:  a 5-bit quantity Kri
      is used as a "rotation" key for round i and a 32-bit quantity Kmi
      is used as a "masking" key for round i.

      Three different round functions are used in CAST-128.  The rounds
      are as follows (where D is the data input to the operation, Ia -
      Id are the most significant byte through least significant byte of
      I, respectively, Si is the ith s-box (see Section 2.1.1 for s-box
      contents), and O is the output of the operation).  Note that "+"
      and "-" are addition and subtraction modulo 2**32, "^" is bitwise
      eXclusive-OR, and "