[Swan-dev] [Cryptography] Which big-name ciphers have been broken in living memory? (fwd)
paul at nohats.ca
Wed Aug 27 19:21:01 EEST 2014
Just to keep the CAST references in the archive....
---------- Forwarded message ----------
Date: Tue, 26 Aug 2014 22:09:16
From: Samuel Neves <sneves at dei.uc.pt>
To: cryptography at metzdowd.com
Subject: Re: [Cryptography] Which big-name ciphers have been broken in living
On 08/26/2014 12:24 PM, Peter Gutmann wrote:
> Bear <bear at sonic.net> writes:
>> Is there any evidence that CAST5 is in any way inadequate?
>> People are upset with use of an "Antique" algorithm? Why?
> There's nothing obviously wrong with CAST, but it is nearly twenty years old
> and hasn't had anywhere near the analysis of AES (or 3DES), particularly
> against recent cryptanalysis techniques. Anything new that turns up will
> pretty much automatically get thrown at AES, and we know that it's resistant
> to it. Do we know that anyone's tried the same with CAST? From this page:
> the last analysis published was in 1997 (a Google search turns up one or two
> newer ones, but mostly in regard to CAST5 being the ancestor of CAST-256).
> David Wagner's boomerang attack breaks CAST-256 with 16 rounds, and CAST5 is
> the predecessor of CAST-256 with...16 rounds (presumably it can't be extended
> back to CAST5 or someone would have announced this, but how hard has anyone
> looked?). CAST5 also has lots of lovely large S-boxes and S-box lookups,
> which would seem to make it vulnerable to assorted timing/cache/whatever side-
> channel attacks, but there's no indication that anyone's looked at them
> because they're all too busy focusing on AES instead.
> So we've got an algorithm that hasn't had any significant cryptanalytic
> attention since the late 1990s, and that could well be vulnerable to newer
> techniques (and in particular a whole pile of side-channel attacks), but we'll
> never know because as far as we know no-one's ever looked.
I can see 3 analyses of CAST5 (aka CAST-128) in the last 7 years:
- A linear attack on 3 rounds (out of 16) by Nakahara and Rasmussen;
- More linear cryptanalysis on up to 6 rounds by Wang, Wang, and Hu;
- A differential attack on up to 9 rounds by Wang, Wang, Chow, and Hui.
You might recognize the name Xiaoyun Wang as the cryptanalyst who broke MD5, SHA-0, SHA-1, and many other primitives.
The best of all 3 (mostly theoretical) attacks goes up to 9 out of 16 rounds of CAST-128; this is still a better
security margin than AES had when it was selected in the 1990s (7 out of 10).