Resistance of a CAST-like encryption algorithm to linear and differential cryptanalysis (Q1369726)
scientific article
27 January 1998
The CAST encryption algorithm has been designed to serve as an alternative to DES that is both resistant to known attacks (linear and differential cryptanalysis) and suitable even for software implementation. The CAST algorithm consists of a series of rounds of substitutions accomplished using \(m\times n\) s-boxes such that \(m<n\). The original CAST uses s-boxes based on "bent" functions, and this fact makes the analysis of the security of CAST rather difficult. In the paper the analysis is simplified by considering a CAST-like algorithm with randomly generated s-boxes instead of s-boxes generated from bent functions. After a brief overview of the CAST structure, linear cryptanalysis of the CAST-like cipher is discussed. First, a CAST-like cipher using \(8\times 32\) s-boxes with a minimum nonlinearity greater than or equal to \(64\) is considered and bounds for its \(r\)-round linear approximations are obtained. Subsequently it is shown that the probability of randomly generating an s-box with nonlinearity less than \(64\) is very small (moreover, such s-boxes can be eliminated by straightforward testing). It is concluded that a 12-round CAST-like cipher has a better degree of resistance to the linear attack than 16 rounds of DES. In the next section the resistance of the CAST-like encryption algorithm to differential cryptanalysis is examined. Some bounds are derived from which it follows that, with respect to this type of attack, an 8-round CAST-like cipher, for example, is better than a 15-round DES.
linear cryptanalysis
differential cryptanalysis
s-boxes
CAST-like cipher