RFC 2144 (rfc2144) - Page 3 of 15
The CAST-128 Encryption Algorithm
Alternative Format: Original Text Document
RFC 2144 CAST-128 Encryption Algorithms May 1997 2.2. Non-Identical Rounds Three different round functions are used in CAST-128. The rounds are as follows (where "D" is the data input to the f function and "Ia" - "Id" are the most significant byte through least significant byte of I, respectively). Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left- shift operation. Type 1: I = ((Kmi + D) <<< Kri) f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id] Type 2: I = ((Kmi ^ D) <<< Kri) f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id] Type 3: I = ((Kmi - D) <<< Kri) f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id] Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1. Rounds 2, 5, 8, 11, and 14 use f function Type 2. Rounds 3, 6, 9, 12, and 15 use f function Type 3. 2.3. Substitution Boxes CAST-128 uses eight substitution boxes: s-boxes S1, S2, S3, and S4 are round function s-boxes; S5, S6, S7, and S8 are key schedule s- boxes. Although 8 s-boxes require a total of 8 KBytes of storage, note that only 4 KBytes are required during actual encryption / decryption since subkey generation is typically done prior to any data input. See Appendix A for the contents of s-boxes S1 - S8. 2.4. Key Schedule Let the 128-bit key be x0x1x2x3x4x5x6x7x8x9xAxBxCxDxExF, where x0 represents the most significant byte and xF represents the least significant byte. Let z0..zF be intermediate (temporary) bytes. Let Si[] represent s-box i and let "^" represent XOR addition. Adams Informational
