The CAST-256 Encryption Algorithm
RFC 2612 The CAST-256 Encryption Algorithm June 1999

1. Introduction

This document describes the CAST-256 encryption algorithm, a DES-like
Substitution-Permutation Network (SPN) cryptosystem built upon the
CAST-128 encryption algorithm [1] which appears to have good
resistance to differential cryptanalysis, linear cryptanalysis, and
related-key cryptanalysis. This cipher also possesses a number of
other desirable cryptographic properties, including avalanche, Strict
Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no
complementation property, and an absence of weak and semi-weak keys.
It thus appears to be a good candidate for general-purpose use
throughout the Internet community wherever a cryptographically-
strong, freely-available encryption algorithm is required.

CAST-256 has a block size of 128 bits and a variable key size (128,
160, 192, 224, or 256 bits).

2. CAST-256 Algorithm Specification

2.1 CAST-128 Notation

The following notation from CAST-128 [1] is relevant to CAST-256.

CAST-128 uses a pair of subkeys per round: a 5-bit quantity Kri
is used as a "rotation" key for round i and a 32-bit quantity Kmi
is used as a "masking" key for round i.

Three different round functions are used in CAST-128. The rounds
are as follows (where D is the data input to the operation, Ia -
Id are the most significant byte through least significant byte of
I, respectively, Si is the ith s-box (see Section 2.1.1 for s-box
contents), and O is the output of the operation). Note that "+"
and "-" are addition and subtraction modulo 2**32, "^" is bitwise
eXclusive-OR, and "