Stefan Kolbl points out this problem with the 4-pass method:
The algorithm computes expand_left(left_0, cid_len, 1) and in the next round expand_right(right_1, cid_len, 2). Now, (especially for smaller domains) it can happen that the two round functions in the Feistel encrypt the same block:
If left_0 = 0x0202 this would give you expand_left(0x0202, 0x02, 0x01) = 0x02020000000000000000000000000102
Now in the next round, if right_1 = 0x0102, you would get expand_right(0x0102, 0x02, 0x02) = 0x02020000000000000000000000000102, encrypting the same block.
This seems like quite a bad property to have.
Indeed, there are ways to avoid ugly and error-prone bit shifting while avoiding this property. In particular, we can always use expand-left, but just padding odd-bytes with zeros to preserve byte boundaries and avoid bit-shifting.
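The collision described above can be reproduced and enumerated for byte-aligned halves. The following Python is an added example, not part of the original issue or of the draft it discusses. The byte layouts of expand_left and expand_right are inferred from the two worked values above (the order of the two header bytes in expand_right is an assumption, since both are 0x02 in that value), and `cross_round_collisions` and `_pad_len` are hypothetical helpers.

```python
BLOCK = 16  # AES block size in bytes


def _pad_len(half: bytes) -> int:
    pad = BLOCK - len(half) - 2  # two bytes hold cid_len and the round index
    if pad < 0:
        raise ValueError("half does not fit in one block")
    return pad


def expand_left(half: bytes, cid_len: int, rnd: int) -> bytes:
    # Layout inferred from the issue's value: half || zeros || round || cid_len
    return half + bytes(_pad_len(half)) + bytes([rnd, cid_len])


def expand_right(half: bytes, cid_len: int, rnd: int) -> bytes:
    # Assumed layout: cid_len || round || zeros || half (header order is an
    # assumption, both header bytes are 0x02 in the issue's value)
    return bytes([cid_len, rnd]) + bytes(_pad_len(half)) + half


def cross_round_collisions(half_len, cid_len, left_round, right_round,
                           right_fn=expand_right):
    """Return every (left, right) pair whose two rounds feed the cipher the same block.

    Hypothetical helper: enumerates all byte-aligned halves of half_len bytes.
    """
    seen = {expand_left(v.to_bytes(half_len, "big"), cid_len, left_round): v
            for v in range(256 ** half_len)}
    hits = []
    for r in range(256 ** half_len):
        block = right_fn(r.to_bytes(half_len, "big"), cid_len, right_round)
        if block in seen:
            hits.append((seen[block], r))
    return hits


if __name__ == "__main__":
    # Values from the issue: left_0 = 0x0202 in round 1, right_1 = 0x0102 in round 2
    print(expand_left(bytes.fromhex("0202"), 2, 1).hex())
    print(expand_right(bytes.fromhex("0102"), 2, 2).hex())
    # Mixed expand_left / expand_right: one colliding pair exists
    print([(hex(l), hex(r)) for l, r in cross_round_collisions(2, 2, 1, 2)])
    # Always expand_left: the round byte sits at a fixed offset, so no pair collides
    print(cross_round_collisions(2, 2, 1, 2, right_fn=expand_left))
```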