RFC 2144 (rfc2144) - Page 2 of 15
The CAST-128 Encryption Algorithm
RFC 2144            CAST-128 Encryption Algorithms              May 1997

   candidate for general-purpose use throughout the Internet community
   wherever a cryptographically-strong, freely-available encryption
   algorithm is required.

   Adams [Adams] discusses the CAST design procedure in some detail;
   analyses can also be obtained on-line (see, for example, [Web1] or
   [Web2]).

2. Description of Algorithm

   CAST-128 belongs to the class of encryption algorithms known as
   Feistel ciphers; overall operation is thus similar to the Data
   Encryption Standard (DES).  The full encryption algorithm is given in
   the following four steps.

   INPUT:  plaintext m1...m64; key K = k1...k128.
   OUTPUT: ciphertext c1...c64.

   1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K
      (see Sections 2.1 and 2.4).
   2. (L0,R0) <-- (m1...m64).  (Split the plaintext into left and
      right 32-bit halves L0 = m1...m32 and R0 = m33...m64.)
   3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
         Li = Ri-1;
         Ri = Li-1 ^ f(Ri-1,Kmi,Kri), where f is defined in Section 2.2
      (f is of Type 1, Type 2, or Type 3, depending on i).
   4. c1...c64 <-- (R16,L16).  (Exchange final blocks L16, R16 and
      concatenate to form the ciphertext.)

   Decryption is identical to the encryption algorithm given above,
   except that the rounds (and therefore the subkey pairs) are used in
   reverse order to compute (L0,R0) from (R16,L16).

   See Appendix B for test vectors which can be used to verify
   correctness of an implementation of this algorithm.

2.1. Pairs of Round Keys

   CAST-128 uses a pair of subkeys per round: a 32-bit quantity Km is
   used as a "masking" key and a 5-bit quantity Kr is used as a
   "rotation" key.

Adams                        Informational
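The Feistel skeleton of steps 2-4 in Section 2 and the reversed-subkey decryption rule, as an added Python example that is not code from RFC 2144. The round function `f_standin` and the values in `SAMPLE_SUBKEYS` are assumptions constructed for illustration; the real f (Section 2.2) and key schedule (Section 2.4) are not reproduced, so the output is not CAST-128 ciphertext and will not match the Appendix B test vectors.

```python
import struct

MASK32 = 0xFFFFFFFF

def rotl32(x, n):
    """Rotate a 32-bit value left by n bits (n is a 5-bit quantity)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32

def f_standin(d, km, kr):
    # Assumption: stand-in round function, NOT the f of Section 2.2.
    # It only shows where the 32-bit masking key Km and the 5-bit
    # rotation key Kr enter a round.
    return rotl32((km + d) & MASK32, kr)

def feistel(block, subkeys, f=f_standin):
    """Steps 2-4: split the block, run 16 rounds, swap and concatenate."""
    if len(block) != 8 or len(subkeys) != 16:
        raise ValueError("need a 64-bit block and 16 (Km, Kr) pairs")
    left, right = struct.unpack(">II", block)        # step 2: (L0, R0)
    for km, kr in subkeys:                           # step 3: 16 rounds
        if not (0 <= km <= MASK32 and 0 <= kr <= 31):
            raise ValueError("Km must fit in 32 bits and Kr in 5 bits")
        # Li = Ri-1; Ri = Li-1 ^ f(Ri-1, Kmi, Kri)
        left, right = right, left ^ f(right, km, kr)
    return struct.pack(">II", right, left)           # step 4: (R16, L16)

def encrypt(block, subkeys, f=f_standin):
    return feistel(block, subkeys, f)

def decrypt(block, subkeys, f=f_standin):
    # Same routine; only the order of the subkey pairs is reversed.
    return feistel(block, subkeys[::-1], f)

# Constructed sample subkeys (step 1 would derive these from K).
SAMPLE_SUBKEYS = [((0x9E3779B9 * (i + 1)) & MASK32, (7 * i + 3) & 31)
                  for i in range(16)]

if __name__ == "__main__":
    pt = bytes.fromhex("0123456789abcdef")           # constructed plaintext
    ct = encrypt(pt, SAMPLE_SUBKEYS)
    print(ct.hex(), decrypt(ct, SAMPLE_SUBKEYS) == pt)
```

The round trip holds for any f, including a non-invertible one, because each round only XORs f's output into the other half; the strength of the cipher rests entirely on the real f and key schedule.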



