[1751] in cryptography@c2.net mail archive
Re: Question regarding CAST S-Box design
daemon@ATHENA.MIT.EDU (Marcus Leech)
Wed Oct 15 12:36:47 1997
Date: Wed, 15 Oct 1997 05:58:05 +0100
From: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
To: Steve Reid <sreid@sea-to-sky.net>
CC: cryptography@c2.net
Steve Reid wrote:
>
> In "Constructing Symmetric Ciphers Using the CAST Design Procedure",
> C. Adams recommends S-boxes that are strong against differential and
> linear cryptanalysis. He then goes on to describe a modification to
> the round function to provide "intrinsic immunity" to differential
> and linear cryptanalysis.
>
> In AC2, Schneier suggests that structured S-boxes tend to be weaker
> against unknown attacks, and gives DES as an example. Other properties
> are mentioned in the CAST paper (such as BIC and SAC), but ciphers like
> Blowfish seem to do fine with random S-boxes.
>
"seems to do fine" is about all you can say about Blowfish. Because
it has randomly-generated S-boxes, with no fixed properties from
key to key, it's very hard to analyse.
CAST, and DES, and other ciphers that have well-defined design
principles (some better documented than others :-) ), are much
easier to analyse against known attacks.
> Why structure the CAST S-boxes to be strong against differential and
> linear cryptanalysis when the round function already provides immunity?
For the same reason that, in the physical world, you set up multiple
lines of defense. Even if the round-function pre-processing
(mixing operations from different groups, etc) in CAST turns out
to be weak, the S-boxes are still strong. Designing the round
function that way was, from what I understand from Carlisle, quite
straightforward. The S-box generation procedure doesn't
take that long to execute, so why not do it?
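The three S-box criteria the thread talks about (resistance to differential and linear cryptanalysis, and the avalanche property SAC) can each be measured exhaustively on a small S-box. The following is an added example, not code from the thread or from CAST; it scores any n-bit bijective S-box given as a lookup table, using the PRESENT cipher's 4-bit S-box as a designed S-box and a seeded random permutation as a Blowfish-style one for comparison.

```python
import random
# The PRESENT cipher's 4-bit S-box (a designed S-box; not from the thread).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def parity(v):
    return bin(v).count("1") & 1  # parity of the bits of v, for linear masks

def max_differential(sbox):
    """Largest difference-distribution-table entry over non-zero input differences,
    #{x : S(x) ^ S(x ^ din) == dout}.  Lower is better; 4-bit bijections reach 4."""
    n, best = len(sbox), 0
    for din in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best

def max_linear_bias(sbox):
    """Largest |#{x : a.x == b.S(x)} - n/2| over non-zero masks a, b (the
    linear approximation table).  Lower is better; 4-bit bijections reach 4."""
    n, best = len(sbox), 0
    for a in range(1, n):
        for b in range(1, n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            best = max(best, abs(agree - n // 2))
    return best

def sac_max_deviation(sbox):
    """Strict avalanche criterion: flipping one input bit should flip each
    output bit for exactly half of the inputs.  Returns the worst |count - n/2|."""
    n, worst = len(sbox), 0
    bits = n.bit_length() - 1
    for i in range(bits):
        for j in range(bits):
            flips = sum((sbox[x] ^ sbox[x ^ (1 << i)]) >> j & 1 for x in range(n))
            worst = max(worst, abs(flips - n // 2))
    return worst

def random_sbox(bits, seed):
    """A Blowfish-style random bijective S-box (constructed sample, seeded)."""
    table = list(range(1 << bits))
    random.Random(seed).shuffle(table)
    return table

def report(sbox):
    """(max DDT entry, max LAT bias, worst SAC deviation) for one S-box."""
    return max_differential(sbox), max_linear_bias(sbox), sac_max_deviation(sbox)
```

Running `report(PRESENT_SBOX)` against `report(random_sbox(4, seed))` for a few seeds shows the point of the thread: a random permutation is occasionally as good as the designed one on one metric, but the designed S-box hits the 4-bit optimum on both the differential and the linear measure by construction.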