gnu.crypto.cipher

Class Cast5

public class Cast5 extends BaseCipher

An implmenetation of the CAST5 (a.k.a. CAST-128) algorithm, as per RFC-2144, dated May 1997.

In this RFC, Carlisle Adams (the CA in CAST, ST stands for Stafford Tavares) describes CAST5 as:

"...a DES-like Substitution-Permutation Network (SPN) cryptosystem which appears to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis. This cipher also possesses a number of other desirable cryptographic properties, including avalanche, Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no complementation property, and an absence of weak and semi-weak keys."

CAST5 is a symmetric block cipher with a block-size of 8 bytes and a variable key-size of up to 128 bits. Its authors, and their employer (Entrust Technologies, a Nortel majority-owned company), made it available worldwide on a royalty-free basis for commercial and non-commercial uses.

The CAST5 encryption algorithm has been designed to allow a key size that can vary from 40 bits to 128 bits, in 8-bit increments (that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120, and 128 bits. For variable keysize operation, the specification is as follows:

  1. For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64, 72, and 80 bits), the algorithm is exactly as specified but uses 12 rounds instead of 16;
  2. For key sizes greater than 80 bits, the algorithm uses the full 16 rounds;
  3. For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost, or least significant, positions) out to 128 bits (since the CAST5 key schedule assumes an input key of 128 bits).

References:

  1. The CAST-128 Encryption Algorithm.
    Carlisle Adams.

Version: $Revision: 1.3 $

Constructor Summary
Cast5()
Trivial 0-arguments constructor.
Method Summary
IteratorblockSizes()
Objectclone()
voiddecrypt(byte[] in, int i, byte[] out, int j, Object k, int bs)
voidencrypt(byte[] in, int i, byte[] out, int j, Object k, int bs)

The full encryption algorithm is given in the following four steps.

    INPUT:  plaintext m1...m64; key K = k1...k128.
    
IteratorkeySizes()
ObjectmakeKey(byte[] uk, int bs)
booleanselfTest()

Constructor Detail

Cast5

public Cast5()
Trivial 0-arguments constructor.

Method Detail

blockSizes

public Iterator blockSizes()

clone

public Object clone()

decrypt

public void decrypt(byte[] in, int i, byte[] out, int j, Object k, int bs)

encrypt

public void encrypt(byte[] in, int i, byte[] out, int j, Object k, int bs)

The full encryption algorithm is given in the following four steps.

    INPUT:  plaintext m1...m64; key K = k1...k128.
    OUTPUT: ciphertext c1...c64.
 
  1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from a user key (see makeKey() method).
  2. (L0,R0) <-- (m1...m64). (Split the plaintext into left and right 32-bit halves L0 = m1...m32 and R0 = m33...m64.).
  3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
    • Li = Ri-1;
    • Ri = Li-1 ^ F(Ri-1,Kmi,Kri), where F is defined in method F() -- f is of Type 1, Type 2, or Type 3, depending on i, and ^ being the bitwise XOR function.
  4. c1...c64 <-- (R16,L16). (Exchange final blocks L16, R16 and concatenate to form the ciphertext.)

Decryption is identical to the encryption algorithm given above, except that the rounds (and therefore the subkey pairs) are used in reverse order to compute (L0,R0) from (R16,L16).

Looking at the iterations/rounds in pairs we have:

    (1a)    Li = Ri-1;
    (1b)    Ri = Li-1 ^ Fi(Ri-1);
    (2a)    Li+1 = Ri;
    (2b)    Ri+1 = Li ^ Fi+1(Ri);
 
which by substituting (2a) in (2b) becomes
    (2c)    Ri+1 = Li ^ Fi+1(Li+1);
 
by substituting (1b) in (2a) and (1a) in (2c), we get:
    (3a)    Li+1 = Li-1 ^ Fi(Ri-1);
    (3b)    Ri+1 = Ri-1 ^ Fi+1(Li+1);
 
Using only one couple of variables L and R, initialised to L0 and R0 respectively, the assignments for each pair of rounds become:
    (4a)    L ^= Fi(R);
    (4b)    R ^= Fi+1(L);
 

Parameters: in contains the plain-text 64-bit block. i start index within input where data is considered. out will contain the cipher-text block. j index in out where cipher-text starts. k the session key object. bs the desired block size.

keySizes

public Iterator keySizes()

makeKey

public Object makeKey(byte[] uk, int bs)

selfTest

public boolean selfTest()
Copyright © 2001, 2002, 2003 Free Software Foundation, Inc. All Rights Reserved.