CAST-128 - A few Comments from the Author...
Below are Carlisle Adams' (principal author of CAST-128) comments on the
recent discussions of a need for a recommended cipher stronger than DES.
Pointers to additional analysis of CAST are given.
If anybody has additional requests for information on CAST-128 feel free
to send them to firstname.lastname@example.org or email@example.com.
>From: Carlisle Adams
>Sent: Wednesday, June 25, 1997 4:21 PM
>To: Greg Carter
>Subject: A few comments on CAST-128...
>Given the discussion that has been occurring with respect to a recommended
>cipher for IPSec, I'd like to make a few comments regarding CAST-128.
>1) Bart Preneel said:
> "No cipher has been analyzed as much as DES (>> 25 person-years).
>[Quite an understatement here, since DES easily had ">>25 person-years" of
>analysis by 1977!]
> "IDEA is a very
> distant second (a few person-years). IMHO, all the others are at about the
> same level (at most 1 person-year)."
>"At most 1 person-year" is certainly wrong for CAST-128. The CAST design
>procedure itself was initially developed between 1988 and 1990 (like IDEA, it
>constituted the primary focus of a Ph.D. dissertation), and has undergone
>significant examination since then. (See, for a sampling of CAST-related
>papers, the site http://adonis.ee.queensu.ca:8000/cast/cast.html). The
>particular instantiation called CAST-128 has existed for about a year (the
>s-boxes were completed last summer, but all other details of this particular
>cipher were finalized a couple of years ago) and it has received a lot of
>scrutiny by cryptanalysts within industry, academia, and certain government
>agencies in that time.
>2) Bart also included some speed information:
> Processor: 90 MHz Pentium
> Speed: Mbit/s
> Author: Antoon Bosselaers
> CAST 24.4
>Note that for environments in which a shorter key (80 bits or less) is
>sufficient, CAST-128 uses 12 rounds rather than 16, so the speed above would
>be increased to roughly 32.5 Mbit/s.
>3) Perry Metzger said:
> > At least in my brief search, I didn't find a CAST-128 implementation
> There are a couple out there already, actually, but they are only now
> starting to pop their heads over the horizon.
>One example that I've seen recently is: www.interchg.ubc.ca/janke/fastcast/
>4) Perry also said:
> I'd say we mandate DES as we do now, and
> recommend 3DES, which has a very solid amount of research behind it.
>Note that if 128-bit strength is desired, this cannot be achieved with 2-key
>triple-DES (only 112 bits anyway, and even "easier" with time-memory tradeoff
>attacks). Note also that even 3-key triple-DES has a so-called
>"certificational weakness" (a theoretical attack requiring 2**56 time, 2**56
>memory, and 2**56 (chosen) plaintext-ciphertext pairs); see Menezes/van
>Oorschot/Vanstone p.236, for example.
>Finally, the speed of triple-DES may not be totally unacceptable *if* you
>have a very, very, highly optimized implementation. However, most people do
>not have DES code that has been tuned to such an extreme so, for most people,
>speed really is an issue.
>I'm therefore not convinced that triple-DES is the right recommendation. A
>single 128-bit cipher with reasonable speed seems preferable to slow
>triple-encryption with 168-bit keys and a certificational weakness. Granted,
>years more intense analysis on any cipher would make everyone feel more
>confident, but (obviously) this takes years. Perhaps for a cipher that is
>RECOMMENDED (as opposed to MANDATED), this extra level of confidence is not
>quite so critical, especially since you can never have 100% confidence.
>Alternatively, hedge your bets: mandate DES and recommend two others.
>JOPO (Just One Person's Opinion),
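As an added illustration of the point raised under (4) above, not part of the original mail or of any CAST or DES code: the reason cascading two keys does not give the sum of their lengths is the classic meet-in-the-middle attack on double encryption (a separate, simpler attack than the 2**56 triple-DES attack Adams cites, but the starting point for that family). The block below runs it end to end on a deliberately tiny, constructed toy block cipher (16-bit block, 12-bit key, four rounds of xor/multiply/rotate/add) so that the whole search finishes in a fraction of a second. The toy cipher, the secret key pair and the known plaintexts are all constructed for the demo and have nothing to do with CAST-128 or DES.

```python
# Added example (not from the original mail): meet-in-the-middle attack on
# double encryption with a constructed toy block cipher.  The cipher is a
# demo object only: 16-bit block, 12-bit key, no security claim whatsoever.

KEY_BITS = 12
KEY_SPACE = 1 << KEY_BITS
MASK16 = 0xFFFF
MULT = 0x2B4D                         # odd, so x -> x*MULT mod 2^16 is a bijection
MULT_INV = pow(MULT, -1, 1 << 16)     # multiplicative inverse of MULT mod 2^16
ROUNDS = 4


def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16


def _subkey(key, r):
    """Round subkey: rotate the 12-bit key by 3*r bits, then spread it to 16 bits."""
    rot = (3 * r) % KEY_BITS
    k = ((key << rot) | (key >> (KEY_BITS - rot))) & (KEY_SPACE - 1)
    return (k | (k << KEY_BITS)) & MASK16


def toy_encrypt(key, block):
    """Toy 16-bit block cipher: xor / multiply / rotate / add, ROUNDS times."""
    x = block & MASK16
    for r in range(ROUNDS):
        sk = _subkey(key, r)
        x ^= sk
        x = (x * MULT) & MASK16
        x = _rotl16(x, 5)
        x = (x + sk) & MASK16
    return x


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt: undo each step in reverse order."""
    x = block & MASK16
    for r in reversed(range(ROUNDS)):
        sk = _subkey(key, r)
        x = (x - sk) & MASK16
        x = _rotl16(x, 16 - 5)
        x = (x * MULT_INV) & MASK16
        x ^= sk
    return x


def double_encrypt(k1, k2, block):
    """E_k2(E_k1(p)): nominally a 2*KEY_BITS = 24-bit key."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with a list of (plaintext, ciphertext)
    pairs under double_encrypt, using about 2 * 2^KEY_BITS cipher calls and
    2^KEY_BITS table entries instead of 2^(2*KEY_BITS) trial encryptions.
    Extra pairs filter false positives: with a 16-bit block and a 24-bit
    key pair, a single pair still leaves roughly 2^8 spurious candidates."""
    p0, c0 = pairs[0]
    # Forward half: tabulate E_k1(p0) for every k1.
    table = {}
    for k1 in range(KEY_SPACE):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward half: D_k2(c0) for every k2, and look for a meeting value.
    found = []
    for k2 in range(KEY_SPACE):
        mid = toy_decrypt(k2, c0)
        for k1 in table.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


# Constructed demo data: a secret key pair and three known plaintexts.
SECRET_K1, SECRET_K2 = 0x3A5, 0xC71
KNOWN_PLAINTEXTS = [0x1234, 0xBEEF, 0x0042]
KNOWN_PAIRS = [(p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in KNOWN_PLAINTEXTS]


def recover_demo_keys():
    return meet_in_the_middle(KNOWN_PAIRS)


if __name__ == "__main__":
    print("candidate key pairs:", [(hex(a), hex(b)) for a, b in recover_demo_keys()])
    print("exhaustive search would need", KEY_SPACE ** 2, "double encryptions;",
          "meet-in-the-middle used about", 2 * KEY_SPACE, "cipher calls")
```

Scaling the same idea up: for two 56-bit keys the forward table costs 2**56 time and memory and the attack as a whole about 2**57 work, which is why double-DES was never proposed and why two-key triple-DES is credited with about 112 bits rather than 168 or 128. The time-memory tradeoffs Adams mentions are refinements that trade down the 2**56 memory of this basic form.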