[minion-cvs] Addressed another flaw in the lioness key schedule. Ad...
Update of /home/minion/cvsroot/doc
In directory moria.seul.org:/tmp/cvs-serv9880
Addressed another flaw in the lioness key schedule. Added explicit description of SPRP_ENCRYPT.
RCS file: /home/minion/cvsroot/doc/minion-spec.tex,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- minion-spec.tex 29 May 2002 17:41:50 -0000 1.10
+++ minion-spec.tex 29 May 2002 18:54:59 -0000 1.11
@@ -42,21 +42,36 @@
as described in XXXXCITE, with PRNG(K,n) as our stream generator,
and the keyed-SHA1 construction specified in the LIONESS paper.
- K1 and K3 are 160 bits long; K2 and K4 are 128 bits long.
+ K1 through K4 are 160 bits long.
+ Thus, SPRP_ENCRYPT(K1,K2,K3,K4,M) is computed as follows:
+ L := M[0:20]
+ R := M[20:len(M)-20]
+ R := ENCRYPT( H(K1 | L | K1)[0:16], R)
+ L := L xor H(K2 | R | K2)
+ R := ENCRYPT( H(K3 | L | K3)[0:16], R)
+ L := L xor H(K4 | R | K4)
+ return L | R
For convenience, we write SPRP_ENC(MS,P,M) to denote:
where K=HASH(MS | P)
K1 = K
- K2 = K[0:16] xor 0x00...01
+ K2 = K xor 0x00...01
K3 = K xor 0x00...02
- K3 = K[0:16] xor 0x00...03
+ K4 = K xor 0x00...03
[XXXX This violates the constraint in the LION/BEAR paper that
requires the keys to be 'independant'. Nonetheless, George
and Markus Kuhn believe it's safe, since all the keys
will be used as inputs to hash functions before anybody
uses them. -NM]
+ [XXXX Where we use H(K_n | L | K_n) above, LIONESS specifies
+ L xor K_n. In our case, however, L and K_n are longer than
+ the keysize of PRNG. Rather than truncate L xor K_n (which
+ could violate the all-or-nothing properties of LIONESS,
+ we use the same keyed-hash construction for all 4 keys. -NM]
- SPRP_DECRYPT(K1,K2,K3,K4,M) (Len(M) bytes) Inverts SPRP_ENCRYPT.
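Review bot: the slice in the new line `R := M[20:len(M)-20]` looks off: if M[i:j] follows the same convention as `L := M[0:20]` (bytes i through j-1), R stops 20 bytes short of the end of M, so `return L | R` yields a ciphertext 20 bytes shorter than the plaintext and the last 20 bytes of M are never encrypted; it should probably read `R := M[20:len(M)]`, or the spec should state that M[i:j] means "j bytes starting at i" if that is the intended reading. Two smaller points in the same hunk: the added note "Rather than truncate L xor K_n (which could violate the all-or-nothing properties of LIONESS," never closes its parenthesis, and the unchanged context line still spells "independant". Finally, the visible change drops the "SPRP_DECRYPT(K1,K2,K3,K4,M) ... Inverts SPRP_ENCRYPT." line; since SPRP_ENCRYPT is now spelled out step by step, the decrypt side should get a matching explicit definition (the four steps in reverse order, with ENCRYPT replaced by the inverse stream operation) rather than being left without a description.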