Network Working Group                                         C. Adams
Request for Comments: 2144                        Entrust Technologies
Category: Informational                                       May 1997


                   The CAST-128 Encryption Algorithm

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   There is a need in the Internet community for an unencumbered
   encryption algorithm with a range of key sizes that can provide
   security for a variety of cryptographic applications and protocols.

   This document describes an existing algorithm that can be used to
   satisfy this requirement.  Included are a description of the cipher
   and the key scheduling algorithm (Section 2), the s-boxes (Appendix
   A), and a set of test vectors (Appendix B).

TABLE OF CONTENTS

   STATUS OF THIS MEMO.............................................1
   ABSTRACT........................................................1
   1. INTRODUCTION.................................................1
   2. DESCRIPTION OF ALGORITHM.....................................2
   3. INTELLECTUAL PROPERTY CONSIDERATIONS.........................8
   4. SECURITY CONSIDERATIONS......................................8
   5. REFERENCES...................................................8
   6. AUTHOR'S ADDRESS.............................................8
   APPENDICES
   A. S-BOXES......................................................9
   B. TEST VECTORS................................................15

1. Introduction

   This document describes the CAST-128 encryption algorithm, a DES-like
   Substitution-Permutation Network (SPN) cryptosystem which appears to
   have good resistance to differential cryptanalysis, linear
   cryptanalysis, and related-key cryptanalysis.  This cipher also
   possesses a number of other desirable cryptographic properties,
   including avalanche, Strict Avalanche Criterion (SAC), Bit
   Independence Criterion (BIC), no complementation property, and an
   absence of weak and semi-weak keys.  It thus appears to be a good



Adams                        Informational