CAST-256
{{Short description|Block cipher}}
{{Infobox block cipher
| name = CAST-256
| image =
| caption =
| designers = Carlisle Adams, Stafford Tavares, Howard Heys, Michael Wiener
| publish date = 1998
| derived from = CAST-128
| derived to =
| key size = 128, 160, 192, 224, or 256 bits
| block size = 128 bits
| structure = generalised Feistel network (Type 1){{cite conference |title=On Generalized Feistel Networks |last1=Hoang |first1=Viet Tung |last2=Rogaway |first2=Phillip |date=2010 |publisher=Springer |book-title=LNCS 6223 |pages=613–630 |location=USA |conference=CRYPTO 2010|doi=10.1007/978-3-642-14623-7_33 |doi-access=free }}
| rounds = 48
| cryptanalysis =
}}
In cryptography, CAST-256 (or CAST6) is a symmetric-key block cipher published in June 1998. It was submitted as a candidate for the Advanced Encryption Standard (AES); however, it was not among the five AES finalists. It is an extension of an earlier cipher, CAST-128; both were designed according to the "CAST" design methodology invented by Carlisle Adams and Stafford Tavares. Howard Heys and Michael Wiener also contributed to the design.
CAST-256 uses the same elements as CAST-128, including S-boxes, but is adapted for a block size of 128 bits – twice the size of its 64-bit predecessor. (A similar construction occurred in the evolution of RC5 into RC6.) Acceptable key sizes are 128, 160, 192, 224 or 256 bits. CAST-256 is composed of 48 rounds, sometimes described as 12 "quad-rounds", arranged in a generalized Feistel network.
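The quad-round arrangement described above, as an added structural example that is not code from this article or from RFC 2612. The ordering of six forward and six reverse quad-rounds follows RFC 2612; <code>f</code> and <code>make_subkeys</code> are hypothetical stand-ins for the CAST-128 round functions (with their S-boxes) and the key schedule, so the output is not real CAST-256 ciphertext.

```python
# Structural sketch of CAST-256's 12 quad-rounds (48 rounds) on four 32-bit words.
# ASSUMPTIONS: f() and make_subkeys() are stand-ins, NOT the three S-box based
# round functions or the key schedule of RFC 2612. Not interoperable, not for real use.
import random

MASK = 0xFFFFFFFF

def rotl(x, r):
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK

def f(x, km, kr):
    """Stand-in round function: add masking key km, rotate by kr, then mix."""
    i = rotl((km + x) & MASK, kr)
    return (i * 0x9E3779B1 ^ (i >> 15)) & MASK

def make_subkeys(seed):
    """Constructed subkeys: 12 quad-rounds x 4 (masking key, rotation key) pairs."""
    rng = random.Random(seed)
    return [[(rng.getrandbits(32), rng.getrandbits(5)) for _ in range(4)]
            for _ in range(12)]

def quad(block, k):
    """Forward quad-round: each of the 4 rounds XORs f(one word) into a neighbour."""
    a, b, c, d = block
    c ^= f(d, *k[0])
    b ^= f(c, *k[1])
    a ^= f(b, *k[2])
    d ^= f(a, *k[3])
    return a, b, c, d

def quad_rev(block, k):
    """Reverse quad-round: the same four rounds applied in the opposite order."""
    a, b, c, d = block
    d ^= f(a, *k[3])
    a ^= f(b, *k[2])
    b ^= f(c, *k[1])
    c ^= f(d, *k[0])
    return a, b, c, d

def crypt(block, subkeys, decrypt=False):
    """6 forward then 6 reverse quad-rounds; decryption only reverses the key order."""
    keys = subkeys[::-1] if decrypt else subkeys
    for i, k in enumerate(keys):
        block = quad(block, k) if i < 6 else quad_rev(block, k)
    return block

if __name__ == "__main__":
    ks = make_subkeys(2612)                                 # constructed seed
    pt = (0x00112233, 0x44556677, 0x8899AABB, 0xCCDDEEFF)   # constructed block
    ct = crypt(pt, ks)
    print([hex(w) for w in ct], crypt(ct, ks, decrypt=True) == pt)
```

Because each round only XORs a function of one word into another, decryption never needs to invert <code>f</code>; this is why the round function in a Feistel design does not have to be a bijection.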
In RFC 2612, the authors state that, "The CAST-256 cipher described in this document is available worldwide on a royalty-free and licence-free basis for commercial and non-commercial uses."
Currently, the best public cryptanalysis of CAST-256 in the standard single secret key setting that works for all keys is the zero-correlation cryptanalysis breaking 28 rounds with 2<sup>246.9</sup> time and 2<sup>98.8</sup> data.{{cite book | first = Andrey | last = Bogdanov | author2 = Leander, Gregor | author3 = Nyberg, Kaisa | author4 = Wang, Meiqin | title = Advances in Cryptology – ASIACRYPT 2012 | chapter = Integral and Multidimensional Linear Distinguishers with Correlation Zero | series = Lecture Notes in Computer Science | volume = 7658 | pages = 244–261 | year = 2012 | url = http://www2.compute.dtu.dk/~anbog/ac12-zerocorrelation.pdf | doi = 10.1007/978-3-642-34961-4_16 | isbn = 978-3-642-34960-7 | s2cid = 26601027 | access-date = 13 May 2013 | archive-date = 4 March 2016 | archive-url = https://web.archive.org/web/20160304061630/http://www2.compute.dtu.dk/~anbog/ac12-zerocorrelation.pdf | url-status = dead }}
References
{{Reflist}}
External links
- [http://www.quadibloc.com/crypto/co040410.htm CAST-256] by John J. G. Savard
- [http://embeddedsw.net/Cipher_Reference_Home.html 256bit Ciphers - CAST256 Reference implementation and derived code]
- [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html Standard Cryptographic Algorithm Naming]: CAST-256
- {{IETF RFC|2612|link=no}}