The block cipher CAST-256 based on CAST-128 was a candidate algorithm for the AES round 1. In this paper we present a first result of a differential attack on CAST-256 reduced to 9 quad-rounds. One of the three round functions of CAST-256 has differential characteristics, for which a non-zero input xor results in a zero output xor, with high probability.