Re: CAST

Perry E. Metzger (perry@piermont.com)
Thu, 16 Jul 1998 23:13:19 -0400

• Next message: Bruce Schneier: "Re: CAST (and random AES chatter)"
• Previous message: geeman@best.com: "Re: RNG in a Smart Card"
• Maybe in reply to: Ng Pheng Siong: "RNG in a Smart Card"
• Next in thread: Bruce Schneier: "Re: CAST (and random AES chatter)"
• Reply: Bruce Schneier: "Re: CAST (and random AES chatter)"

Bruce Schneier writes:
> At 07:29 PM 7/16/98 -0400, Perry E. Metzger wrote:
> >
> >Anonymous writes:
> >> OK...just saying that, if anyone feels a need to use Twofish at this
> >> point, combine it with something old; CAST just happened to be the first
> >> moderately old cipher that popped to mind.
> >
> >CAST can't even be three years old.
>
> CAST papers are older than that. There are a lot of CAST
> algorithms. Some have been beaten up somewhat; some haven't.

Original CAST is a bit older, but CAST-128 is not.

> I don't buy the design process.

Really? I actually like the design process -- it strikes me as having
some actual system to it, which most such processes do not have.

> And I DON'T like CAST-256.

I agree with this. The paper did not give me a sense of ease. Too many
"we believe the upper bound for this is X, so we therefore believe
that we are likely immune to this attack", and not enough "we have
actually attacked this" bits. The cipher may be okay (Carlisle is a
smart guy) but the paper is not that comfort inducing.

As long as we are on the topic of AES candidates...

I must say that I rather liked the Twofish paper. I'm not personally
sure about the cipher itself yet -- it needs more attack -- but the
paper had exactly the right attitude and degree of transparency about
it. You didn't allude to the design process -- you described it -- and
you didn't allude to attacks tried -- you gave the details.

The MARS paper was also very good -- it had high transparency. I
personally liked MARS a bunch, although it, too, is too young to trust
yet.

Coolest of the recent AES batch seemed to be RC6, but the paper also
left a bit to be desired in the way of transparency in describing
attacks. I liked the design methodology description, though.

Perry

• Next message: Bruce Schneier: "Re: CAST (and random AES chatter)"
• Previous message: geeman@best.com: "Re: RNG in a Smart Card"
• Maybe in reply to: Ng Pheng Siong: "RNG in a Smart Card"
• Next in thread: Bruce Schneier: "Re: CAST (and random AES chatter)"
• Reply: Bruce Schneier: "Re: CAST (and random AES chatter)"