Just to keep the CAST references in the archive....


---------- Forwarded message ----------
Date: Tue, 26 Aug 2014 22:09:16
From: Samuel Neves <[email protected]>
To: [email protected]
Subject: Re: [Cryptography] Which big-name ciphers have been broken in living memory?

On 08/26/2014 12:24 PM, Peter Gutmann wrote:
> Bear <[email protected]> writes:
>
>> Is there any evidence that CAST5 is in any way inadequate?
>>
>> People are upset with use of an "Antique" algorithm?  Why?
>
> There's nothing obviously wrong with CAST, but it is nearly twenty years old
> and hasn't had anywhere near the analysis of AES (or 3DES), particularly
> against recent cryptanalysis techniques.  Anything new that turns up will
> pretty much automatically get thrown at AES, and we know that it's resistant
> to it.  Do we know that anyone's tried the same with CAST?  From this page:
>
> https://web.archive.org/web/20071217153044/http://adonis.ee.queensu.ca/cast/
>
> the last analysis published was in 1997 (a Google search turns up one or two
> newer ones, but mostly in regard to CAST5 being the ancestor of CAST-256).
> David Wagner's boomerang attack breaks CAST-256 with 16 rounds, and CAST5 is
> the predecessor of CAST-256 with...16 rounds (presumably it can't be extended
> back to CAST5 or someone would have announced this, but how hard has anyone
> looked?).  CAST5 also has lots of lovely large S-boxes and S-box lookups,
> which would seem to make it vulnerable to assorted timing/cache/whatever side-
> channel attacks, but there's no indication that anyone's looked at them
> because they're all too busy focusing on AES instead.
>
> So we've got an algorithm that hasn't had any significant cryptanalytic
> attention since the late 1990s, and that could well be vulnerable to newer
> techniques (and in particular a whole pile of side-channel attacks), but we'll
> never know because as far as we know no-one's ever looked.

I can see 3 analyses of CAST5 (aka CAST-128) in the last 7 years:

 - A linear attack on 3 rounds (out of 16) by Nakahara and Rasmussen [1];
 - More linear cryptanalysis on up to 6 rounds by Wang, Wang, and Hu [2];
 - A differential attack on up to 9 rounds by Wang, Wang, Chow, and Hui [3].

You might recognize the name Xiaoyun Wang as the cryptanalyst who broke MD5,
SHA-0, SHA-1, and many other primitives.

The best of all 3 (mostly theoretical) attacks goes up to 9 out of 16 rounds of
CAST-128; this is still a better security margin than AES had when it was
selected in the 1990s (7 out of 10).

[1] http://www.lbd.dcc.ufmg.br/colecoes/sbseg/2007/004.pdf
[2] http://dl.acm.org/citation.cfm?id=1616747
[3] https://www.jstage.jst.go.jp/article/transfun/E93.A/12/E93.A_12_2744/_article

_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
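The side-channel concern raised in the quoted message (large table-driven S-boxes leaking the looked-up index through which cache line is touched) has a standard defensive answer, shown here as an added example in C that is not part of the original thread: a masked scan over the whole table whose memory access pattern does not depend on the secret index. The 256-entry table is constructed on the fly for illustration and is not one of the CAST-128 S-boxes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 256-entry, 32-bit table for illustration only; it is NOT one of the
 * CAST-128 S-boxes from RFC 2144 (those are far too large to embed here). */
static uint32_t sbox[256];

static void init_sbox(void) {
    uint32_t x = 0x9E3779B9u;                  /* arbitrary seed for the constructed table */
    for (int i = 0; i < 256; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;  /* xorshift32, only to fill the table */
        sbox[i] = x;
    }
}

/* Direct lookup: the address read depends on the (secret) index, so which cache
 * line gets touched leaks information about idx to a co-resident observer. */
uint32_t sbox_lookup_direct(uint8_t idx) {
    return sbox[idx];
}

/* Constant-time lookup: read every entry and keep the wanted one with a mask.
 * The access pattern is identical for every idx, at the price of 256 reads.
 * (Assumes the compiler keeps this branch-free; inspect the generated code.) */
uint32_t sbox_lookup_ct(uint8_t idx) {
    uint32_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        /* (i ^ idx) - 1 wraps to 0xFFFFFFFF only when i == idx, so its top bit is
         * 1 exactly then; negating that bit yields an all-ones or all-zeros mask. */
        uint32_t mask = 0u - (((i ^ idx) - 1u) >> 31);
        out |= sbox[i] & mask;
    }
    return out;
}

/* Returns 1 if both lookups agree for every index, 0 otherwise. */
int lookups_agree(void) {
    init_sbox();
    for (int i = 0; i < 256; i++)
        if (sbox_lookup_direct((uint8_t)i) != sbox_lookup_ct((uint8_t)i)) return 0;
    return 1;
}

int main(void) {
    printf("constant-time lookup %s the direct lookup\n",
           lookups_agree() ? "matches" : "DOES NOT match");
    return 0;
}
```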
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
