[Swan-dev] Peter Gutmann on CAST

Paul Wouters paul at nohats.ca
Tue Aug 26 23:40:20 EEST 2014

We recently fixed the support for it. It is not in any of our default
esp= algorithm lists, so it will only be used when explicitly


---------- Forwarded message ----------
Date: Tue, 26 Aug 2014 07:24:29
From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>
Cc: wk at gnupg.org, cryptography at metzdowd.com
To: bear at sonic.net, pgut001 at cs.auckland.ac.nz
Subject: Re: [Cryptography] Which big-name ciphers have been broken in living

Bear <bear at sonic.net> writes:

>Is there any evidence that CAST5 is in any way inadequate?
>People are upset with use of an "Antique" algorithm?  Why?

There's nothing obviously wrong with CAST, but it is nearly twenty years old
and hasn't had anywhere near the analysis of AES (or 3DES), particularly
against recent cryptanalysis techniques.  Anything new that turns up will
pretty much automatically get thrown at AES, and we know that it's resistant
to it.  Do we know that anyone's tried the same with CAST?  From this page:


the last analysis published was in 1997 (a Google search turns up one or two
newer ones, but mostly in regard to CAST5 being the ancestor of CAST-256).
David Wagner's boomerang attack breaks CAST-256 with 16 rounds, and CAST5 is
the predecessor of CAST-256 with...16 rounds (presumably it can't be extended
back to CAST5 or someone would have announced this, but how hard has anyone
looked?).  CAST5 also has lots of lovely large S-boxes and S-box lookups,
which would seem to make it vulnerable to assorted timing/cache/whatever side-
channel attacks, but there's no indication that anyone's looked at them
because they're all too busy focusing on AES instead.

So we've got an algorithm that hasn't had any significant cryptanalytic
attention since the late 1990s, and that could well be vulnerable to newer
techniques (and in particular a whole pile of side-channel attacks), but we'll
never know because as far as we know no-one's ever looked.

>So, I say the burden of evidence falls on those requesting a change here.
>What is wrong with CAST5 that people want to get rid of it?

Show me evidence that it's immune to cryptanalytic techniques developed in the
last 15 years, and to the smorgasbord of side-channel attacks that have been
thrown at AES, and I'll agree with you.  As Bruce Schneier likes to say,
"attacks always get better, they never get worse".  CAST5 has been standing
still for about fifteen years while the attackers moved ahead.  How do we know
it's still safe?

The cryptography mailing list
cryptography at metzdowd.com
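Paul's remark above is that CAST only gets used when a connection's esp= line asks for it by name, so a quick audit of which conns do so is what an administrator would want. The script below is an added example, not libreswan's own code: it parses a constructed ipsec.conf-style snippet, pulls the esp= proposal from each conn section, and reports the conns that explicitly name CAST. The spelling of the proposal keyword ("cast") and the sample config are assumptions made for the example.

```python
"""Audit an ipsec.conf-style file for conns that explicitly request CAST.

Added example; the "cast" keyword spelling is assumed, and the config is
constructed for illustration, not taken from a real deployment.
"""
import re

# Constructed sample config: one conn relying on defaults, one naming CAST,
# one naming a modern AEAD cipher.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn default-algs
    left=192.0.2.1
    right=192.0.2.2
    # no esp= line: the daemon's default proposal list applies

conn legacy-peer
    left=192.0.2.1
    right=198.51.100.7
    esp=cast-sha1,3des-sha1

conn modern-peer
    left=192.0.2.1
    right=203.0.113.9
    esp=aes_gcm256
"""

# Ciphers we want flagged when they appear explicitly (assumed keyword).
FLAGGED_CIPHERS = {"cast"}


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section.

    Lines that start at column 0 begin a new section; indented key=value
    lines belong to the current section. '#' comments are stripped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():
            # Section header: only 'conn <name>' sections are collected.
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def esp_ciphers(proposal):
    """Extract cipher names from an esp= proposal list.

    'cast-sha1,3des-sha1' -> ['cast', '3des']; the cipher is the token before
    the first '-', with a trailing key size removed ('aes_gcm256' -> 'aes_gcm').
    """
    ciphers = []
    for prop in proposal.split(","):
        prop = prop.strip()
        if not prop:
            continue
        cipher = prop.split("-", 1)[0]
        ciphers.append(re.sub(r"\d+$", "", cipher))
    return ciphers


def find_flagged(text):
    """Map conn name -> sorted list of flagged ciphers it explicitly requests.

    Conns without an esp= line are skipped: they use the default list, which
    (per the post) does not include CAST.
    """
    findings = {}
    for name, opts in parse_conns(text).items():
        if "esp" not in opts:
            continue
        hits = sorted({c for c in esp_ciphers(opts["esp"]) if c in FLAGGED_CIPHERS})
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for conn, ciphers in find_flagged(SAMPLE_CONF).items():
        print(f"{conn}: explicitly requests {', '.join(ciphers)}")
```

Run it against a real ipsec.conf by replacing SAMPLE_CONF with the file contents; extend FLAGGED_CIPHERS if there are other proposals you want to see called out.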
