{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,6]],"date-time":"2025-12-06T00:36:49Z","timestamp":1764981409495,"version":"3.46.0"},"reference-count":14,"publisher":"Walter de Gruyter GmbH","issue":"2","license":[{"start":{"date-parts":[[2017,4,21]],"date-time":"2017-04-21T00:00:00Z","timestamp":1492732800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017,6,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    CAST-256 (or CAST6) is a symmetric-key block cipher published in June 1998.\nIt was submitted as a candidate for Advanced Encryption Standard (AES). In\nthis paper, we will propose a new chosen text attack, the multiple\ndifferential-zero correlation linear attack, to analyze the CAST-256 block\ncipher. Our attack is the best-known attack on CAST-256 according to the\nnumber of rounds without the weak-key assumption. We first construct a\n30-round differential-zero correlation linear distinguisher. 
Based on the\ndistinguisher, we propose a first 33-round attack on CAST-256 with data\ncomplexity of\n                    <jats:inline-formula id=\"j_jmc-2016-0054_ineq_9999_w2aab3b7e1668b1b6b1aab1c15b1b1Aa\">\n                      <jats:alternatives>\n                        <m:math xmlns:m=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                          <m:msup>\n                            <m:mn>2<\/m:mn>\n                            <m:mn>115.63<\/m:mn>\n                          <\/m:msup>\n                        <\/m:math>\n                        <jats:tex-math>{2^{115.63}}<\/jats:tex-math>\n                      <\/jats:alternatives>\n                    <\/jats:inline-formula>\n                    and time complexity\n                    <jats:inline-formula id=\"j_jmc-2016-0054_ineq_9998_w2aab3b7e1668b1b6b1aab1c15b1b3Aa\">\n                      <jats:alternatives>\n                        <m:math xmlns:m=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                          <m:msup>\n                            <m:mn>2<\/m:mn>\n                            <m:mn>238.26<\/m:mn>\n                          <\/m:msup>\n                        <\/m:math>\n                        <jats:tex-math>{2^{238.26}}<\/jats:tex-math>\n                      <\/jats:alternatives>\n                    <\/jats:inline-formula>\n                    . 
In the end, the\n111-bit subkey is recovered.\n                  <\/jats:p>","DOI":"10.1515\/jmc-2016-0054","type":"journal-article","created":{"date-parts":[[2017,4,19]],"date-time":"2017-04-19T06:01:28Z","timestamp":1492581688000},"page":"55-62","source":"Crossref","is-referenced-by-count":0,"title":["Multiple differential-zero correlation linear cryptanalysis of reduced-round CAST-256"],"prefix":"10.1515","volume":"11","author":[{"given":"Massoud","family":"Hadian Dehkordi","sequence":"first","affiliation":[{"name":"School of Mathematics , Iran University of Science and Technology , Narmak , Tehran 16844 , Iran"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Roghayeh","family":"Taghizadeh","sequence":"additional","affiliation":[{"name":"School of Mathematics , Iran University of Science and Technology , Narmak , Tehran 16844 , Iran"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"374","published-online":{"date-parts":[[2017,4,21]]},"reference":[{"doi-asserted-by":"crossref","unstructured":"E. Biham, O. Dunkelman and N. Keller,\nEnhancing differential-linear cryptanalysis,\nAdvances in Cryptology \u2013 ASIACRYPT 2002,\nLecture Notes in Comput. Sci. 2501,\nSpringer, Berlin (2002), 254\u2013266.","key":"2025120600314646132_j_jmc-2016-0054_ref_001_w2aab3b7e1668b1b6b1ab2ab1Aa","DOI":"10.1007\/3-540-36178-2_16"},{"doi-asserted-by":"crossref","unstructured":"E. Biham and A. Shamir,\nDifferential cryptanalysis of DES-like cryptosystems,\nAdvances in Cryptology \u2013 CRYPTO \u201990,\nLecture Notes in Comput. Sci. 537,\nSpringer, Berlin (1990), 2\u201321.","key":"2025120600314646132_j_jmc-2016-0054_ref_002_w2aab3b7e1668b1b6b1ab2ab2Aa","DOI":"10.1007\/3-540-38424-3_1"},{"doi-asserted-by":"crossref","unstructured":"E. Biham and A. Shamir,\nDifferential cryptanalysis of the full 16-round DES,\nAdvances in Cryptology \u2013 CRYPTO \u201992,\nLecture Notes in Comput. Sci. 
740,\nSpringer, Berlin (1993), 487\u2013496.","key":"2025120600314646132_j_jmc-2016-0054_ref_003_w2aab3b7e1668b1b6b1ab2ab3Aa","DOI":"10.1007\/3-540-48071-4_34"},{"doi-asserted-by":"crossref","unstructured":"A. Bogdanov, G. Leander, K. Nyberg and M. Wang,\nIntegral and multidimensional linear distinguishers with correlation zero,\npreprint (2012), https:\/\/www.iacr.org\/archive\/asiacrypt2012\/76580239\/76580239.pdf.","key":"2025120600314646132_j_jmc-2016-0054_ref_004_w2aab3b7e1668b1b6b1ab2ab4Aa","DOI":"10.1007\/978-3-642-34961-4_16"},{"doi-asserted-by":"crossref","unstructured":"A. Bogdanov, G. Leander, K. Nyberg and M. Wang,\nIntegral and multidimensional linear distinguishers with correlation zero,\nAdvances in Cryptology \u2013 ASIACRYPT 2012,\nLecture Notes in Comput. Sci. 7658,\nSpringer, Berlin (2012), 244\u2013261.","key":"2025120600314646132_j_jmc-2016-0054_ref_005_w2aab3b7e1668b1b6b1ab2ab5Aa","DOI":"10.1007\/978-3-642-34961-4_16"},{"doi-asserted-by":"crossref","unstructured":"A. Bogdanov and V. Rijmen,\nLinear hulls with correlation zero and linear cryptanalysis of block ciphers,\nDes. Codes Cryptogr. 70 (2014), 369\u2013383.","key":"2025120600314646132_j_jmc-2016-0054_ref_006_w2aab3b7e1668b1b6b1ab2ab6Aa","DOI":"10.1007\/s10623-012-9697-z"},{"doi-asserted-by":"crossref","unstructured":"A. Bogdanov and M. Wang,\nZero correlation linear cryptanalysis with reduced data complexity,\nFast Software Encryption \u2013 FSE \u201912,\nLecture Notes in Comput. Sci. 7549,\nSpringer, Berlin (2012), 29\u201348.","key":"2025120600314646132_j_jmc-2016-0054_ref_007_w2aab3b7e1668b1b6b1ab2ab7Aa","DOI":"10.1007\/978-3-642-34047-5_3"},{"doi-asserted-by":"crossref","unstructured":"S. K. Langford and M. E. Hellman,\nDifferential-linear cryptanalysis,\nAdvances in Cryptology \u2013 CRYPTO \u201994,\nLecture Notes in Comput. Sci. 
839,\nSpringer, Berlin (1994), 17\u201325.","key":"2025120600314646132_j_jmc-2016-0054_ref_008_w2aab3b7e1668b1b6b1ab2ab8Aa","DOI":"10.1007\/3-540-48658-5_3"},{"doi-asserted-by":"crossref","unstructured":"M. Matsui,\nLinear cryptanalysis method for DES cipher,\nAdvances in Cryptology \u2013 EUROCRYPT \u201993,\nLecture Notes in Comput. Sci. 765,\nSpringer, Berlin (1994), 386\u2013397.","key":"2025120600314646132_j_jmc-2016-0054_ref_009_w2aab3b7e1668b1b6b1ab2ab9Aa","DOI":"10.1007\/3-540-48285-7_33"},{"doi-asserted-by":"crossref","unstructured":"M. Matsui and A. Yamagishi,\nA new method for known plaintext attack of FEAL cipher,\nAdvances in Cryptology \u2013 EUROCRYPT \u201992,\nLecture Notes in Comput. Sci. 658,\nSpringer, Berlin (1993), 81\u201391.","key":"2025120600314646132_j_jmc-2016-0054_ref_010_w2aab3b7e1668b1b6b1ab2ac10Aa","DOI":"10.1007\/3-540-47555-9_7"},{"doi-asserted-by":"crossref","unstructured":"J. J. Nakahara and M. Rasmussen,\nLinear analysis of reduced-round CAST-128 and CAST-256,\nProceedings of the 7th Brazilian Symposium on Information and Computer System Security,\nFederal University of Rio de Janeiro, Rio de Janeiro (2007), 45\u201355.","key":"2025120600314646132_j_jmc-2016-0054_ref_011_w2aab3b7e1668b1b6b1ab2ac11Aa","DOI":"10.5753\/sbseg.2007.20914"},{"doi-asserted-by":"crossref","unstructured":"D. Wagner,\nThe boomerang attack,\nFast Software Encryption \u2013 FSE \u201999,\nLecture Notes in Comput. Sci. 1636,\nSpringer, Berlin (1999), 156\u2013170.","key":"2025120600314646132_j_jmc-2016-0054_ref_012_w2aab3b7e1668b1b6b1ab2ac12Aa","DOI":"10.1007\/3-540-48519-8_12"},{"doi-asserted-by":"crossref","unstructured":"M. Q. Wang, X. Y. Wang and C. H. Hu,\nNew linear cryptanalytic results of reduced-round of CAST-128 and CAST-256,\nSelected Areas in Cryptography \u2013 SAC 2008,\nLecture Notes in Comput. Sci. 
5381,\nSpringer, Berlin (2009), 429\u2013441.","key":"2025120600314646132_j_jmc-2016-0054_ref_013_w2aab3b7e1668b1b6b1ab2ac13Aa","DOI":"10.1007\/978-3-642-04159-4_28"},{"doi-asserted-by":"crossref","unstructured":"J. Y. Zhao, M. Q. Wang and L. Wen,\nImproved linear cryptanalysis of CAST-256,\nJ. Comput. Sci. Tech. 29 (2014), 1134\u20131139.","key":"2025120600314646132_j_jmc-2016-0054_ref_014_w2aab3b7e1668b1b6b1ab2ac14Aa","DOI":"10.1007\/s11390-014-1496-8"}],"container-title":["Journal of Mathematical Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.degruyter.com\/view\/j\/jmc.2017.11.issue-2\/jmc-2016-0054\/jmc-2016-0054.xml","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.degruyterbrill.com\/document\/doi\/10.1515\/jmc-2016-0054\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.degruyterbrill.com\/document\/doi\/10.1515\/jmc-2016-0054\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,6]],"date-time":"2025-12-06T00:33:48Z","timestamp":1764981228000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.degruyterbrill.com\/document\/doi\/10.1515\/jmc-2016-0054\/html"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,4,21]]},"references-count":14,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2017,5,16]]},"published-print":{"date-parts":[[2017,6,1]]}},"alternative-id":["10.1515\/jmc-2016-0054"],"URL":"https:\/\/doi.org\/10.1515\/jmc-2016-0054","relation":{},"ISSN":["1862-2984","1862-2976"],"issn-type":[{"type":"electronic","value":"1862-2984"},{"type":"print","value":"1862-2976"}],"subject":[],"published":{"date-parts":[[2017,4,21]]}}}