Hubbry Logo
CAST-128CAST-128Main
Open search
CAST-128
Community hub
CAST-128
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
CAST-128
CAST-128
CAST-128
View on Wikipedia
from Wikipedia
CAST-128
General
DesignersCarlisle Adams and Stafford Tavares
First published1996
SuccessorsCAST-256
Cipher detail
Key sizes40 to 128 bits
Block sizes64 bits
StructureFeistel network
Rounds12 or 16
Three rounds of the CAST-128 block cipher

In cryptography, CAST-128 (alternatively CAST5) is a symmetric-key block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has also been approved for Government of Canada use by the Communications Security Establishment. The algorithm was created in 1996 by Carlisle Adams and Stafford Tavares using the CAST design procedure.[1]

Another member of the CAST family of ciphers, CAST-256 (a former AES candidate) was derived from CAST-128. According to some sources, the CAST name is based on the initials of its inventors, though Bruce Schneier reports the authors' claim that "the name should conjure up images of randomness".[2]

CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 and 128 bits (but only in 8-bit increments). The full 16 rounds are used when the key size is longer than 80 bits.[3]

Components include large 8×32-bit S-boxes based on bent functions, key-dependent rotations, modular addition and subtraction, and XOR operations. There are three alternating types of round function, but they are similar in structure and differ only in the choice of the exact operation (addition, subtraction or XOR) at various points.

Although Entrust holds a patent on the CAST design procedure, CAST-128 is available worldwide on a royalty-free basis for commercial and non-commercial uses.

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

CAST-128

View on Grokipedia
from Grokipedia
CAST-128 (also known as CAST5) is a symmetric-key block cipher that operates on 64-bit data blocks using keys of variable length from 40 to 128 bits in 8-bit increments, employing a Feistel network structure with either 12 rounds for keys up to 80 bits or 16 rounds for longer keys. Developed by Carlisle Adams and Stafford Tavares in the mid-1990s, it was designed as an unencumbered, royalty-free algorithm to provide cryptographic security for Internet applications, offering resistance to differential cryptanalysis, linear cryptanalysis, and related-key attacks. The cipher's round function incorporates three types of operations involving four 8×32-bit S-boxes (S1 through S4), modular addition and subtraction, exclusive-or, and circular left shifts, generating subkeys through a complex schedule that produces 16 pairs of 32-bit masking keys and 5-bit rotation keys. These S-boxes, along with four additional ones used only in key scheduling, are fixed and predefined to ensure consistency and strength, totaling 8 KB of lookup tables (with only 4 KB required for the round function). CAST-128 satisfies key cryptographic criteria such as the , Strict Avalanche Criterion, and Bit Independence Criterion, while avoiding weak or semi-weak keys and the complementation property. Standardized in RFC 2144 in 1997, CAST-128 has been incorporated into protocols like via RFC 2984 and is implemented in various cryptographic libraries for general-purpose , though its 64-bit block makes it vulnerable to attacks in certain modes of operation (e.g., CBC), rendering it unsuitable for new high-security applications. Despite this, it remains notable for its balanced design, efficient performance (3.3 MB/s on a 150 MHz processor), and role in early open cryptographic standards.

Overview

Description

CAST-128 is a symmetric-key block cipher designed for confidentiality in data encryption. It operates as a Feistel network, processing plaintext in 64-bit blocks to produce ciphertext of equal length. The algorithm supports variable key lengths ranging from 40 to 128 bits, in 8-bit increments, to provide flexibility for export restrictions on cryptographic implementations. It employs 12 rounds for key sizes of 80 bits or less and 16 rounds for longer keys, enhancing security based on key strength. CAST-128 was developed in the early by Carlisle Adams and Tavares at Entrust Technologies. Intended as an alternative to the (DES), it offers improved security margins through its substitution-permutation structure.

Specifications

CAST-128 is a symmetric-key with a fixed block size of 64 bits. It supports variable s ranging from 40 to 128 bits in 8-bit increments: specifically, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, or 128 bits. The number of rounds depends on the key size, using 12 rounds for keys of 80 bits or fewer and 16 rounds for longer keys. The cipher employs a Feistel structure, incorporating substitution via S-boxes, arithmetic operations (modular addition and subtraction), exclusive-or (XOR), and circular left shifts within each round function. CAST-128 provides implicit support for standard block cipher modes including ECB and CBC, with explicit details and test vectors for ECB in the specification; it can also be adapted for CFB and OFB modes as typical for such ciphers, though no proprietary modes are defined. Keys and data are processed in big-endian byte order, with the most significant byte first. The following table summarizes the s, corresponding number of rounds, and effective level (equivalent to the key size in bits):
Key Size (bits)RoundsEffective Security (bits)
401240
481248
561256
641264
721272
801280
881688
961696
10416104
11216112
12016120
12816128

History

Development

CAST-128 was designed between 1993 and 1995 by Carlisle Adams and Stafford Tavares while working at Northern Telecom (later rebranded as Entrust Technologies) in , . The cipher's development was driven by growing concerns over the (DES), whose 56-bit key length was increasingly vulnerable following the introduction of differential cryptanalysis in 1990, as well as stringent U.S. export controls that restricted strong cryptography to 40-bit keys for non-U.S. markets. Adams and Tavares sought to create a versatile symmetric offering stronger security while accommodating variable key sizes from 40 to 128 bits in 8-bit increments to comply with export regulations and provide scalability. Central to the design principles was building resistance against both differential and , achieved through the use of irregularly structured substitution boxes (S-boxes) and heterogeneous round functions that varied in operations across rounds to avoid predictable patterns. These elements drew from the broader design procedure, initially outlined in earlier work on S-box construction resistant to differential attacks. The algorithm was first publicly described by Adams in 1996 at the Selected Areas in Cryptography (SAC) workshop in . Although not initially released as open-source due to patent protection on the underlying CAST procedure, its full specification was later published in 1997 as () Request for Comments () 2144, making it freely available on a royalty-free basis. As the inaugural member of the CAST family of ciphers, CAST-128 laid the groundwork for subsequent variants, including CAST-256, by demonstrating the efficacy of the CAST procedure in producing secure, efficient encryption algorithms.

Standardization and Adoption

CAST-128 achieved formal standardization through RFC 2144, published by the (IETF) in May 1997 and authored by Carlisle Adams. This informational RFC details the complete algorithm specification, including its variable key sizes from 40 to 128 bits in 8-bit increments, and provides a reference implementation in to facilitate adoption and verification. The algorithm was further recognized in international standards, notably ISO/IEC 18033-3:2005, which includes CAST-128 among approved 64-bit block ciphers for encryption alongside algorithms like TDEA and MISTY1. It received approval for use in Canadian government systems by the , permitting its application for protecting Protected A and Protected B with 128-bit keys, until its deprecation at the end of 2023. However, in 2023, the deprecated CAST-128, recommending migration to stronger algorithms like AES for ongoing use. Early adoption occurred rapidly following , with integration into (PGP) software starting in version 5 released in 1997, where it served as a option for under the OpenPGP framework. Similarly, CAST-128 was incorporated into (SSH) protocols for secure remote access, as specified in RFC 4253 for the SSH transport layer. During the 1990s, a 40-bit key variant was commonly employed to comply with U.S. export restrictions on , though full 128-bit implementations became unrestricted thereafter. By the 2010s, CAST-128's usage declined as it was overshadowed by the Advanced Encryption Standard (AES), largely due to its 64-bit block size vulnerability to birthday attacks in high-volume data scenarios; nonetheless, it persists in legacy systems and certain protocol implementations for backward compatibility.

Design

Overall Structure

CAST-128 operates as a Feistel network cipher, processing fixed 64-bit blocks of data by splitting each block into two 32-bit halves, L and R. In the encryption process, the initial plaintext block is divided such that L_0 comprises the first 32 bits and R_0 the remaining 32 bits. Each round updates the halves by setting the new left half to the previous right half (L_i = R_{i-1}) and computing the new right half as the previous left half XORed with the output of the round function applied to the previous right half (R_i = L_{i-1} \oplus f(R_{i-1}, K_{m,i}, K_{r,i})). This structure ensures that decryption can use the same round function with subkeys in reverse order. The round function f processes a 32-bit input using a masking subkey K_{m,i} (32 bits) and a rotation subkey K_{r,i} (5 bits), incorporating arithmetic operations, bitwise XOR, modular addition and subtraction (all modulo 2^{32}), and lookups in four 8 \times 32-bit substitution boxes (S1 to S4). The function begins by applying a masking operation to the input D (the right half): for Type 1 rounds, I = (K_{m,i} + D) rotated left by K_{r,i} bits; for Type 2, I = (K_{m,i} \oplus D) rotated left by K_{r,i} bits; for Type 3, I = (K_{m,i} - D) rotated left by K_{r,i} bits. The resulting 32-bit I is divided into four 8-bit parts (I_a, I_b, I_c, I_d), each looked up in one S-box to yield four 32-bit outputs, which are then combined differently per type: Type 1 uses ((S1[I_a] \oplus S2[I_b]) - S3[I_c]) + S4[I_d]; Type 2 uses ((S1[I_a] - S2[I_b]) + S3[I_c]) \oplus S4[I_d]; Type 3 uses ((S1[I_a] + S2[I_b]) \oplus S3[I_c]) - S4[I_d]. These masking types cycle through the rounds to enhance diffusion. The performs either 12 rounds (for key sizes up to 80 bits) or 16 rounds (for longer keys), with the types assigned as follows: rounds 1, 4, 7, 10, 13, and 16 use Type 1; rounds 2, 5, 8, 11, and 14 use Type 2; rounds 3, 6, 9, 12, and 15 use Type 3. After all rounds, the halves are swapped to form the 64-bit C = R_n || L_n, where n is the number of rounds. Decryption mirrors exactly, applying the same round functions but processing the subkeys in reverse sequence from the last round to the first, leveraging the self-inverse property of the Feistel . A high-level pseudocode outline of the encryption is:

Split plaintext P into L_0 (bits 1-32), R_0 (bits 33-64) n = 12 if key length ≤ 80 bits else 16 for i = 1 to n: L_i = R_{i-1} I = masking_operation(R_{i-1}, K_{m,i}) rotated left by K_{r,i} bits // type-dependent f_output = combine_Sboxes(I_a, I_b, I_c, I_d) // type-dependent operations R_i = L_{i-1} \oplus f_output Swap: ciphertext C = R_n || L_n

Split plaintext P into L_0 (bits 1-32), R_0 (bits 33-64) n = 12 if key length ≤ 80 bits else 16 for i = 1 to n: L_i = R_{i-1} I = masking_operation(R_{i-1}, K_{m,i}) rotated left by K_{r,i} bits // type-dependent f_output = combine_Sboxes(I_a, I_b, I_c, I_d) // type-dependent operations R_i = L_{i-1} \oplus f_output Swap: ciphertext C = R_n || L_n

Here, masking_operation and combine_Sboxes vary by round type as described above.

Key Schedule

The key schedule of CAST-128 expands a variable-length user key (40 to 128 bits in 8-bit increments) into 16 pairs of subkeys, each pair consisting of a 32-bit masking key Km_i and a 5-bit key Kr_i for rounds i = 1 to 16. If the user key is shorter than 128 bits, it is padded with zeros appended to the least significant bits to reach exactly 128 bits; longer keys are not supported and must be truncated, though the standard recommends keys up to 128 bits. The padded key is then interpreted as four 32-bit words x_0, x_1, x_2, x_3, loaded in big-endian byte order. The expansion proceeds in two identical passes of a non-linear mixing procedure using substitution boxes S5, S6, S7, and S8, each pass generating 16 32-bit intermediate values through four iterations of byte-wise lookups and XOR operations for . In each iteration j (j = 0 to 3), the current words x_0 to x_3 are used to compute four temporary 32-bit values z_0 to z_3 as follows (where byte selections are denoted by bit shifts and masks): z0=x0S5[(x316)&0xFF]S6[x3&0xFF]S7[(x324)&0xFF]S8[(x38)&0xFF]S7[(x224)&0xFF]z_0 = x_0 \oplus S_5[(x_3 \gg 16) \& 0xFF] \oplus S_6[x_3 \& 0xFF] \oplus S_7[(x_3 \gg 24) \& 0xFF] \oplus S_8[(x_3 \gg 8) \& 0xFF] \oplus S_7[(x_2 \gg 24) \& 0xFF] z1=x2S5[(z024)&0xFF]S6[(z08)&0xFF]S7[(z016)&0xFF]S8[z0&0xFF]S8[(x28)&0xFF]z_1 = x_2 \oplus S_5[(z_0 \gg 24) \& 0xFF] \oplus S_6[(z_0 \gg 8) \& 0xFF] \oplus S_7[(z_0 \gg 16) \& 0xFF] \oplus S_8[z_0 \& 0xFF] \oplus S_8[(x_2 \gg 8) \& 0xFF] z2=x3S5[z1&0xFF]S6[(z18)&0xFF]S7[(z116)&0xFF]S8[(z124)&0xFF]S5[(x216)&0xFF]z_2 = x_3 \oplus S_5[z_1 \& 0xFF] \oplus S_6[(z_1 \gg 8) \& 0xFF] \oplus S_7[(z_1 \gg 16) \& 0xFF] \oplus S_8[(z_1 \gg 24) \& 0xFF] \oplus S_5[(x_2 \gg 16) \& 0xFF] z3=x1S5[(z28)&0xFF]S6[(z216)&0xFF]S7[z2&0xFF]S8[(z224)&0xFF]S6[(x20)&0xFF]z_3 = x_1 \oplus S_5[(z_2 \gg 8) \& 0xFF] \oplus S_6[(z_2 \gg 16) \& 0xFF] \oplus S_7[z_2 \& 0xFF] \oplus S_8[(z_2 \gg 24) \& 0xFF] \oplus S_6[(x_2 \gg 0) \& 0xFF] These z values are then combined using further S-box lookups on specific bytes to produce four intermediate keys K_{4j+1} to K_{4j+4}: K4j+1=S5[(z224)&0xFF]S6[(z216)&0xFF]S7[(z18)&0xFF]S8[z1&0xFF]S5[(z08)&0xFF]K_{4j+1} = S_5[(z_2 \gg 24) \& 0xFF] \oplus S_6[(z_2 \gg 16) \& 0xFF] \oplus S_7[(z_1 \gg 8) \& 0xFF] \oplus S_8[z_1 \& 0xFF] \oplus S_5[(z_0 \gg 8) \& 0xFF] The expressions for K_{4j+2}, K_{4j+3}, and K_{4j+4} follow similar patterns but with permuted byte indices from the z values and S-boxes (e.g., rotations in selection like (z_3 \gg 16), (z_0 \gg 0), etc.). After computing these four K values, the input words are updated via XOR: x_0 \oplus= K_{4j+1}, x_1 \oplus= K_{4j+2}, x_2 \oplus= K_{4j+3}, x_3 \oplus= K_{4j+4}. This completes one iteration; the process repeats for the next three iterations to yield all 16 K values for the pass. In the first pass, the 16 generated K values directly become the masking subkeys Km_1 to Km_{16}. The second pass repeats the procedure identically but starts from the original unupdated x_0 to x_3, producing another set of 16 K values, from which the subkeys are derived by masking the least significant 5 bits: Kr_i = K_i & 31 for i = 1 to 16. This design employs non-linear mixing via the S-boxes to ensure strong across the key material, mitigating risks from weak or related keys by avoiding linear dependencies in the subkey derivation. Key length influences the schedule indirectly through padding: shorter keys result in more zero bytes in the higher x words (x_2 and x_3 for keys under 64 bits, for example), leading to reduced effective mixing in those components. Additionally, the uses only the first 12 subkey pairs for keys of 80 bits or fewer (12 rounds total), while full 128-bit keys employ all 16 pairs (16 rounds), balancing and performance for smaller keys.

Substitution Boxes

CAST-128 employs eight fixed substitution boxes (S-boxes), denoted S1 through S8, each mapping 8-bit inputs to 32-bit outputs, resulting in 256 entries per . S1 to S4 are utilized in the round function for providing non-linearity, while S5 to S8 support the . The S-box values were generated using a structured procedure based on binary bent functions to ensure high cryptographic strength. Specifically, each S-box is constructed as a 256 × 32 matrix where the columns are distinct bent vectors of 256, selected to achieve optimal properties such as maximum between rows and balanced weights, with the final entries formed by summing (modulo 2) these vectors. These predefined values are hardcoded in implementations rather than computed dynamically. The S-boxes exhibit strong cryptographic properties, including a minimum nonlinearity of 74 and a maximum entry of 2 in the difference distribution table, designed to resist differential and linear by minimizing and biases. This high nonlinearity and low immunity enhance their role in introducing within the . In the f-function, a 32-bit input is first combined with a subkey using , XOR, or ( 2³²), then circularly left-shifted by a amount derived from another subkey. The resulting 32-bit value is divided into four 8-bit bytes (from most to least significant), each indexing one of S1 to S4 via modular reduction to [0, 255]. These 32-bit outputs are then combined using a type-specific expression involving XORs, , and (again 2³²), such as (S1[Ia] ⊕ S2[Ib]) − S3[Ic] + S4[Id] for type 1 rounds. The function type rotates irregularly across rounds to improve security. Unlike the DES S-boxes, which consist of eight small 6×4 tables producing 4-bit outputs, CAST-128's S-boxes provide larger 32-bit outputs and are selected in an irregular manner per round, contributing to better and resistance to known attacks. For illustration, sample entries from S7 include 0x85e04019 for input 0x00 and 0x332bf567 for input 0x01; full tables are provided in the RFC appendix.

Cryptanalysis

Known Attacks

CAST-128 has been subjected to various cryptanalytic attacks, primarily on reduced-round versions, though no practical break of the full 16-round cipher has been demonstrated. Differential has been applied to reduced-round CAST-128, with the best known results including an attack on 9 rounds requiring 2^{58} chosen plaintexts and 2^{73} encryptions. An earlier identified a 6-round differential characteristic with probability 2^{-53} under a fraction 2^{-23.8} of the key space, enabling an attack on 8 rounds. Extending these to the full 16 rounds remains impractical due to the high data and time complexities involved. Linear cryptanalysis yields approximations for reduced rounds, such as a 12-round approximation with bias 2^{-60}, but these cannot be efficiently extended to the full cipher owing to the low bias and increasing key schedule complexity. For instance, a 6-round attack requires 2^{53.96} known plaintexts and 2^{88.51} encryptions. A 2023 study on multidimensional linear cryptanalysis of Feistel ciphers applied the technique to reduced-round CAST-128, verifying theoretical cost estimates experimentally and demonstrating reduced data complexity compared to classical linear attacks, though still impractical for the full cipher. Related-key attacks exploit weaknesses in the key schedule. A 1996 analysis on the CAST family revealed vulnerabilities allowing a 2^{32} time attack on a 12-round version by using related keys with specific differences, affecting subkey generation. Although CAST-128's key schedule was refined for better resistance, similar techniques apply to reduced rounds. The 64-bit block size exposes CAST-128 to birthday attacks, where collisions occur after approximately 2^{32} blocks in modes like CBC without proper nonce management, limiting its suitability for encrypting large volumes of data. Truncated differential analysis from 1997 showed theoretical paths for reduced rounds but no practical breaks for the full , confirming the design's robustness against this technique. Overall, no total break exists for the full 16-round CAST-128 with 128-bit keys, making it against known attacks when used appropriately.

Security Evaluation

CAST-128 demonstrates strong resistance to differential and linear cryptanalytic attacks, with analyses showing that full-round attacks require significantly more data and computation than feasible, providing a robust margin. Its flexible key sizes, ranging from 40 to 128 bits in 8-bit increments, enable adjustable levels suitable for various applications while maintaining efficiency. As of 2025, no practical cryptanalytic breaks have been discovered that outperform exhaustive search, affirming its reliability against known classical threats. Despite these strengths, the 64-bit block size renders CAST-128 vulnerable to birthday-bound attacks, such as the Sweet32 attack in CBC mode within protocols like TLS, where encrypting over 2^32 blocks can lead to collisions and plaintext recovery. Consequently, it is recommended against use in new cryptographic designs, particularly for high-volume data encryption. With a 128-bit key, CAST-128 offers approximately 128 bits of security against brute-force attacks, but the block size limits effective security to around 32 bits against collision-based exploits in certain modes. In comparisons, CAST-128 surpasses DES in key length and resistance to exhaustive search but falls short of AES-128 due to its smaller block size and reduced margin against quantum-accelerated attacks like applied to key search or mode-specific vulnerabilities. The National Institute of Standards and Technology (NIST) permits CAST-128 in legacy validated modules for but strongly prefers AES for new implementations; it remains suitable for low-data-volume applications, such as key wrapping. Analyses confirm CAST-128 achieves the strict avalanche criterion, with approximately 50% of output bits changing per round following a single-bit input alteration, ensuring effective .

Implementations and Usage

Software Libraries

OpenSSL, a widely used open-source cryptographic library, has supported CAST-128 (referred to as CAST5) since version 0.9.7 released in 2002, including modes such as CAST5-CBC, CAST5-CFB, CAST5-ECB, and CAST5-OFB. The Bouncy Castle library provides full implementation of CAST-128 for and .NET environments, enabling variable key lengths from 40 to 128 bits with support for standard modes. Language-specific libraries include Python's cryptography package, which offers CAST5 support in its decrepit module for legacy compatibility, allowing integration with modern Python applications. For C#, the Bouncy Castle .NET API delivers comprehensive CAST-128 functionality, as native support is absent from the .NET Framework's System.Security.Cryptography namespace. Reference implementations in C derive from the detailed algorithmic description in RFC 2144, which provides the necessary pseudocode equivalents, tables, and procedures for developers to build compliant versions. Performance benchmarks for CAST-128 implementations on modern CPUs indicate significantly higher throughputs compared to mid-1990s hardware (around 3.3 MB/s), benefiting from general CPU improvements, though no standardized exists, unlike AES-NI for AES. These libraries exhibit strong portability across systems (via ), Windows (via Bouncy Castle and ports), and embedded platforms (due to the algorithm's modest 64-bit block size and low memory footprint). To ensure , implementations must conform to the test vectors specified in RFC 2144's Appendix B, verifying correct operation for both 40-bit and 128-bit keys across various plaintexts and initialization vectors. However, naive software implementations remain vulnerable to side-channel attacks, particularly timing discrepancies during lookups, necessitating constant-time operations and masking techniques for secure deployment.

Protocol Integrations

CAST-128, also known as CAST5, is integrated as an optional in the OpenPGP standard for encrypting session keys and data packets, assigned algorithm ID 3 with support for 128-bit keys as defined in RFC 2144. It was commonly used in early versions of PGP and GPG for file and , serving as a default symmetric cipher in PGP 5.0 and later releases prior to the widespread adoption of AES. In modern OpenPGP implementations, it remains supported but is often superseded by stronger alternatives in preference lists. In the SSH-2 protocol, CAST-128 is supported as an optional encryption algorithm under the name "cast128-cbc," utilizing Cipher Block Chaining (CBC) mode with a 128-bit key for securing packet payloads during communication. This integration allows SSH clients and servers to negotiate CAST-128 for , though it has been largely deprecated in favor of AES-based ciphers since the early 2010s due to performance and security preferences in updated implementations. CAST-128 is incorporated into TLS/SSL through cipher suites such as TLS_RSA_WITH_CAST_CBC_SHA, which employs RSA key exchange with CAST-128 in CBC mode and for message authentication, enabling secure web communications in legacy configurations. These suites, introduced in early TLS versions, became vulnerable to the exploiting the 64-bit block size, leading to their removal from recommended configurations in modern TLS deployments post-2016. Beyond these, CAST-128 serves as an Encapsulating Security Payload (ESP) transform in for protecting IP traffic, specified in draft standards for CBC mode operation to provide in VPN tunnels. It is also used in for symmetric encryption of content within the Cryptographic Message Syntax (CMS), with object identifiers and processing rules outlined for interoperability. In legacy VPN implementations, such as certain setups, CAST-128 appears as an available encryption option for compatibility with older systems. Across these protocols, CAST-128 is typically deployed in CBC mode combined with for integrity, where the (IV) is generated and handled according to protocol-specific rules—such as random IVs prepended to encrypted data in OpenPGP or implicitly derived in SSH packet encryption—to ensure security against chosen-plaintext attacks. Deprecation trends accelerated after 2016, driven by the Sweet32 vulnerability and the shift to 128-bit block ciphers like AES, resulting in its phase-out from standard configurations in TLS, SSH, and ; however, it persists in some embedded systems and IoT devices for .

References

  1. https://datatracker.ietf.org/doc/html/rfc2144
  2. https://datatracker.ietf.org/doc/html/rfc2984
  3. https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8459.pdf
  4. https://www.rfc-editor.org/rfc/rfc2144.html
  5. https://garykessler.net/library/crypto.html
  6. https://patents.google.com/patent/US5825886A/en
  7. https://www.akadia.com/download/documents/intro_to_crypto.pdf
  8. https://link.springer.com/article/10.1023/A:1008229029587
  9. https://www.semanticscholar.org/paper/DESIGNING-S-BOXES-FOR-CIPHERS-RESISTANT-TO-%28-Adams-Tavares/a19e2f25cba7d1fdbd514cebe1aa7a969eb243b4
  10. https://www.rfc-editor.org/info/rfc2144
  11. https://www.iso.org/standard/37972.html
  12. https://publications.gc.ca/collections/collection_2017/cstc-csec/D97-3-111-2016-eng.pdf
  13. https://www.cyber.gc.ca/sites/default/files/itsp.40.111_1-e.pdf
  14. https://www.rfc-editor.org/rfc/rfc4880.html
  15. https://datatracker.ietf.org/doc/rfc4253/
  16. https://pycryptodome.readthedocs.io/en/latest/src/cipher/cast.html
  17. https://datatracker.ietf.org/doc/html/rfc2144#section-2
  18. https://datatracker.ietf.org/doc/html/rfc2144#section-2.2
  19. https://www.oryx-embedded.com/doc/cast128_8c_source.html
  20. https://www.rfc-editor.org/rfc/rfc2144.html#appendix-A
  21. https://link.springer.com/chapter/10.1007/978-3-319-54705-3_2
  22. https://hub.hku.hk/handle/10722/152449
  23. https://link.springer.com/chapter/10.1007/978-3-642-04159-4_28
  24. https://www.researchgate.net/publication/363148405_Linear_Analysis_of_reduced-round_CAST-128_and_CAST-256
  25. https://tosc.iacr.org/index.php/ToSC/article/view/11277
  26. https://link.springer.com/chapter/10.1007/BFb0028479
  27. https://www.schneier.com/wp-content/uploads/2016/02/paper-relatedkey.pdf
  28. https://www.openssl.org/docs/man1.1.1/man1/enc.html
  29. https://cryptography.io/en/latest/hazmat/decrepit/ciphers/
  30. https://csrc.nist.gov/csrc/media/events/physical-security-testing-workshop/documents/papers/physecpaper19.pdf
  31. https://datatracker.ietf.org/doc/html/rfc4880#section-9.2
  32. https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.3.7
  33. https://datatracker.ietf.org/doc/html/rfc4253#section-6.3
  34. https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
  35. https://sweet32.info/
  36. https://thebestvpn.com/pptp-l2tp-openvpn-sstp-ikev2-protocols/
  37. https://datatracker.ietf.org/doc/html/rfc4880#section-5.3
Add your contribution
Related Hubs
User Avatar
No comments yet.