
*To*: mixminion-cvs@freehaven.net
*Subject*: [minion-cvs] Addressed another flaw in the lioness key schedule. Ad...
*From*: nickm@seul.org (Nick Mathewson)
*Date*: Wed, 29 May 2002 14:55:01 -0400 (EDT)
*Delivered-To*: archiver@seul.org
*Delivered-To*: mixminion-cvs-outgoing@seul.org
*Delivered-To*: mixminion-cvs@seul.org
*Delivery-Date*: Wed, 29 May 2002 14:55:01 -0400
*Reply-To*: mixminion-cvs@freehaven.net
*Sender*: owner-mixminion-cvs@freehaven.net

Update of /home/minion/cvsroot/doc In directory moria.seul.org:/tmp/cvs-serv9880 Modified Files: minion-spec.tex Log Message: Addressed another flaw in the lioness key schedule. Added explicit description of SPRP_ENCRYPT. Index: minion-spec.tex =================================================================== RCS file: /home/minion/cvsroot/doc/minion-spec.tex,v retrieving revision 1.10 retrieving revision 1.11 diff -u -d -r1.10 -r1.11 --- minion-spec.tex 29 May 2002 17:41:50 -0000 1.10 +++ minion-spec.tex 29 May 2002 18:54:59 -0000 1.11 @@ -42,21 +42,36 @@ as described in XXXXCITE, with PRNG(K,n) as our stream generator, and the keyed-SHA1 construction specified in the LIONESS paper. - K1 and K3 are 160 bits long; K2 and K4 are 128 bits long. + K1 through K4 are 160 bits long. + + Thus, SPRP_ENCRYPT(K1,K2,K3,K4,M) is computed as follows: + L := M[0:20] + R := M[20:len(M)-20] + R := ENCRYPT( H(K1 | L | K1)[0:16], R) + L := L xor H(K2 | R | K2) + R := ENCRYPT( H(K3 | L | K3)[0:16], R) + L := L xor H(K4 | R | K4) + return L | R For convenience, we write SPRP_ENC(MS,P,M) to denote: LIONESS_ENCRYPT(K1,K2,K3,K4,M) where K=HASH(MS | P) K1 = K - K2 = K[0:16] xor 0x00...01 + K2 = K xor 0x00...01 K3 = K xor 0x00...02 - K3 = K[0:16] xor 0x00...03 + K4 = K xor 0x00...03 [XXXX This violates the constraint in the LION/BEAR paper that requires the keys to be 'independant'. Nonetheless, George and Markus Kuhn believe it's safe, since all the keys will be used as inputs to hash functions before anybody uses them. -NM] + + [XXXX Where we use H(K_n | L | K_n) above, LIONESS specifies + L xor K_n. In our case, however, L and K_n are longer than + the keysize of PRNG. Rather than truncate L xor K_n (which + could violate the all-or-nothing properties of LIONESS, + we use the same keyed-hash construction for all 4 keys. -NM] - SPRP_DECRYPT(K1,K2,K3,K4,M) (Len(M) bytes) Inverts SPRP_ENCRYPT.
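Review bot: the added line `R := M[20:len(M)-20]` in the SPRP_ENCRYPT description drops the last 20 bytes of M: the result `L | R` is then 20 bytes shorter than the input and those trailing bytes are never encrypted, so the intended slice is presumably `R := M[20:len(M)]` (L already takes `M[0:20]`). Two smaller points in the same hunk: the added `[XXXX ...]` note is missing its closing parenthesis after "all-or-nothing properties of LIONESS", and the convenience definition still reads `LIONESS_ENCRYPT(K1,K2,K3,K4,M)` while the function just defined is `SPRP_ENCRYPT`. Finally, the hunk deletes `SPRP_DECRYPT(K1,K2,K3,K4,M) (Len(M) bytes) Inverts SPRP_ENCRYPT.` without adding any replacement within this hunk; since the decryption direction (undoing the four steps in reverse order) is what an implementer has to get right, the spec should keep stating it alongside the new SPRP_ENCRYPT definition.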
