[Swan-dev] [Cryptography] Which big-name ciphers have been broken in living memory? (fwd)

Paul Wouters paul at nohats.ca
Wed Aug 27 19:21:01 EEST 2014

Just to keep the CAST references in the archive....

---------- Forwarded message ----------
Date: Tue, 26 Aug 2014 22:09:16
From: Samuel Neves <sneves at dei.uc.pt>
To: cryptography at metzdowd.com
Subject: Re: [Cryptography] Which big-name ciphers have been broken in living

On 08/26/2014 12:24 PM, Peter Gutmann wrote:
> Bear <bear at sonic.net> writes:
>> Is there any evidence that CAST5 is in any way inadequate?
>> People are upset with use of an "Antique" algorithm?  Why?
> There's nothing obviously wrong with CAST, but it is nearly twenty years old
> and hasn't had anywhere near the analysis of AES (or 3DES), particularly
> against recent cryptanalysis techniques.  Anything new that turns up will
> pretty much automatically get thrown at AES, and we know that it's resistant
> to it.  Do we know that anyone's tried the same with CAST?  From this page:
> https://web.archive.org/web/20071217153044/http://adonis.ee.queensu.ca/cast/
> the last analysis published was in 1997 (a Google search turns up one or two
> newer ones, but mostly in regard to CAST5 being the ancestor of CAST-256).
> David Wagner's boomerang attack breaks CAST-256 with 16 rounds, and CAST5 is
> the predecessor of CAST-256 with...16 rounds (presumably it can't be extended
> back to CAST5 or someone would have announced this, but how hard has anyone
> looked?).  CAST5 also has lots of lovely large S-boxes and S-box lookups,
> which would seem to make it vulnerable to assorted timing/cache/whatever side-
> channel attacks, but there's no indication that anyone's looked at them
> because they're all too busy focusing on AES instead.
> So we've got an algorithm that hasn't had any significant cryptanalytic
> attention since the late 1990s, and that could well be vulnerable to newer
> techniques (and in particular a whole pile of side-channel attacks), but we'll
> never know because as far as we know no-one's ever looked.

I can see 3 analyses of CAST5 (aka CAST-128) in the last 7 years:

  - A linear attack on 3 rounds (out of 16) by Nakahara and Rasmussen [1];
  - More linear cryptanalysis on up to 6 rounds by Wang, Wang, and Hu [2];
  - A differential attack on up to 9 rounds by Wang, Wang, Chow, and Hui [3].

You might recognize the name Xiaoyun Wang as the cryptanalyst who broke MD5, SHA-0, SHA-1, and many other primitives.
The best of all 3 (mostly theoretical) attacks goes up to 9 out of 16 rounds of CAST-128; this is still a better
security margin than AES had when it was selected in the 1990s (7 out of 10).

[1] http://www.lbd.dcc.ufmg.br/colecoes/sbseg/2007/004.pdf
[2] http://dl.acm.org/citation.cfm?id=1616747
[3] https://www.jstage.jst.go.jp/article/transfun/E93.A/12/E93.A_12_2744/_article
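The quoted message raises the point that CAST5's large byte-indexed S-boxes invite cache-timing side channels. The following is an added example, not code from this thread or from any CAST implementation: it contrasts a naive table lookup, whose memory access pattern depends on the secret index, with a constant-time lookup that touches every table entry and selects the wanted one by masking. The four 8x32 S-boxes are constructed toy tables (the real CAST-128 S-boxes are not reproduced), and the round-function shape is an assumption modelled on the RFC 2144 "Type 1" f function, so its output is not CAST-128's.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy S-boxes: four 8x32 tables, the shape CAST-128 uses per
 * RFC 2144, filled by a simple LCG. They are NOT the real CAST S-boxes;
 * they only make the lookup code runnable offline. */
static uint32_t sbox[4][256];

static void init_toy_sboxes(void) {
    uint32_t state = 0x9E3779B9u;
    for (int t = 0; t < 4; t++) {
        for (int i = 0; i < 256; i++) {
            state = state * 1664525u + 1013904223u;   /* LCG step */
            sbox[t][i] = state ^ (state >> 13);
        }
    }
}

/* Naive lookup: the address loaded depends on the secret byte x, so the
 * cache line it pulls in (and hence timing) leaks information about x. */
static uint32_t lookup_naive(int t, uint8_t x) {
    return sbox[t][x];
}

/* Constant-time lookup: read all 256 entries in a fixed order and keep the
 * wanted one with an all-ones/all-zeros mask computed without a branch. */
static uint32_t lookup_ct(int t, uint8_t x) {
    uint32_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t diff = i ^ (uint32_t)x;            /* 0 iff i == x */
        uint32_t mask = 0u - ((diff - 1u) >> 31);   /* 0xFFFFFFFF iff diff == 0 */
        out |= sbox[t][i] & mask;
    }
    return out;
}

/* Round-function shape modelled on the RFC 2144 Type 1 f function:
 * f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id], Ia being the top byte.
 * The lookup strategy is a parameter so both variants can be compared. */
static uint32_t round_f1(uint32_t I, uint32_t (*lookup)(int, uint8_t)) {
    uint8_t Ia = (uint8_t)(I >> 24), Ib = (uint8_t)(I >> 16),
            Ic = (uint8_t)(I >> 8),  Id = (uint8_t)I;
    return ((lookup(0, Ia) ^ lookup(1, Ib)) - lookup(2, Ic)) + lookup(3, Id);
}

/* Verify the masked path matches the naive one for every byte in every
 * table; returns 1 when they agree, 0 otherwise. */
static int lookups_agree(void) {
    init_toy_sboxes();
    for (int t = 0; t < 4; t++)
        for (uint32_t i = 0; i < 256; i++)
            if (lookup_naive(t, (uint8_t)i) != lookup_ct(t, (uint8_t)i))
                return 0;
    return 1;
}

int main(void) {
    init_toy_sboxes();
    uint32_t I = 0x01234567u;
    printf("lookups agree: %d\n", lookups_agree());
    printf("f1 naive 0x%08x  f1 constant-time 0x%08x\n",
           round_f1(I, lookup_naive), round_f1(I, lookup_ct));
    return 0;
}
```

The masked scan costs 256 loads per S-box access instead of one, which is the usual price of removing data-dependent memory access from a table-driven cipher; bitsliced implementations avoid the tables altogether. The C source only expresses the intent: a compiler may still turn the mask arithmetic into a branch, so a deployed implementation is checked at the assembly level rather than trusted from the source alone.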
