The block cipher CAST-256, based on CAST-128, was a candidate algorithm for
the AES round 1. In this paper we present a first result of a differential
attack on CAST-256 reduced to 9 quad-rounds. One of the three round
functions of CAST-256 has differential characteristics for which a non-zero
input XOR results in a zero output XOR with high probability. This type of
characteristic is the most useful for a differential attack. We also show
that CAST-256 has weak keys with respect to differential attack. Thus
CAST-256 reduced to 9 quad-rounds can be attacked using 2^123 chosen
plaintexts in the case of differentially weak keys. The time complexity is
about 2^100 encryptions. Immunity to differential cryptanalysis of CAST-256
is not necessarily improved compared with CAST-128. Only 5 rounds of
CAST-128 can be attacked using a similar differential characteristic.