Using expand-left and expand-right has undesirable properties
martinduke opened this issue
Stefan Kolbl points out this problem with the 4-pass method:
The algorithm computes expand_left(left_0, cid_len, 1) and in the next round expand_right(right_1, cid_len, 2). Now (especially for smaller domains) it can happen that the two round functions in the Feistel encrypt the same block:
If left_0 = 0x0202 this would give you expand_left(0x0202, 0x02, 0x01) = 0x02020000000000000000000000000102
Now in the next round, if right_1 = 0x0102, you would get expand_right(0x0102, 0x02, 0x02) = 0x02020000000000000000000000000102, encrypting the same block.
This seems like a quite bad property to have.
Indeed, there are ways to avoid ugly and error-prone bit shifting while also avoiding this property. In particular, we can always use expand-left, just padding odd bytes with zeros to preserve byte boundaries and avoid bit-shifting.
Fixed by #208
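As an added example (not code from the issue or the QUIC-LB draft), here is a Python model of the two block layouts that reproduces the collision above and checks exhaustively that a single layout for both halves cannot collide across rounds. The byte positions of cid_len and the round number are inferred from the hex values quoted in the issue (an assumption), and fixed_expand is one possible single-layout replacement, not necessarily the one adopted in #208.

```python
# Added example, not code from the issue or the QUIC-LB draft. The two
# 16-byte block layouts below are reverse-engineered from the hex values
# quoted in the issue (ASSUMPTION); fixed_expand is one way to realise the
# "always expand-left" suggestion, not the exact layout chosen in #208.

BLOCK = 16

def expand_left(left: bytes, cid_len: int, rnd: int) -> bytes:
    """left || zeros || round || cid_len (positions inferred from the issue)."""
    return left + bytes(BLOCK - len(left) - 2) + bytes([rnd, cid_len])

def expand_right(right: bytes, cid_len: int, rnd: int) -> bytes:
    """cid_len || round || zeros || right (positions inferred from the issue)."""
    return bytes([cid_len, rnd]) + bytes(BLOCK - len(right) - 2) + right

def fixed_expand(half: bytes, cid_len: int, rnd: int) -> bytes:
    """One layout for both halves: data on the left, round and cid_len at
    fixed offsets, so blocks from different rounds always differ at byte 14."""
    return half + bytes(BLOCK - len(half) - 2) + bytes([rnd, cid_len])

def reproduce_issue() -> str:
    """Return the colliding block from the issue's example, or '' if none."""
    a = expand_left(bytes.fromhex("0202"), 0x02, 1)   # round 1, left half
    b = expand_right(bytes.fromhex("0102"), 0x02, 2)  # round 2, right half
    return a.hex() if a == b else ""

def cross_round_collisions(half_len: int, cid_len: int, mixed: bool):
    """All (left_0, right_1) pairs whose round-1 and round-2 blocks coincide.
    mixed=True uses expand_left/expand_right as in the issue; mixed=False
    uses fixed_expand for both rounds. Exhaustive over every half_len-byte
    value (practical for half_len <= 2)."""
    round1 = expand_left if mixed else fixed_expand
    round2 = expand_right if mixed else fixed_expand
    seen = {}
    for v in range(256 ** half_len):
        half = v.to_bytes(half_len, "big")
        seen[round1(half, cid_len, 1)] = half
    hits = []
    for v in range(256 ** half_len):
        half = v.to_bytes(half_len, "big")
        blk = round2(half, cid_len, 2)
        if blk in seen:
            hits.append((seen[blk].hex(), half.hex()))
    return hits

if __name__ == "__main__":
    print("colliding block:", reproduce_issue())
    print("mixed layouts  :", cross_round_collisions(2, 0x02, True))
    print("single layout  :", cross_round_collisions(2, 0x02, False))
```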