diff --git a/README.md b/README.md index 02f62f6..3ef8708 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This code has not been formally audited, Use at your own risk or ask a cryptogra [Lioness](https://www.cl.cam.ac.uk/~rja14/Papers/bear-lion.pdf) is a large block cipher built from - Stream cipher, - Hash function, -- Key derivation function (KDF), although this can be remove if the input key is large enough to cover the four sub-keys used. +- Key derivation function (KDF), although this can be removed if the input key is large enough to cover the four sub-keys used. In here we use: - Chacha20 from [rustcrypto streamciphers](https://github.com/RustCrypto/stream-ciphers) @@ -52,12 +52,12 @@ Some notes: - Encryption and decryption are both in-place for now. - The block length need to be bigger than `32` bytes because Lioness splits the block into two where the left part is 32-byte, and the right part can't be empty. might support small blocks in the future, but for Sphinx use-case, this should work. -- If you need authenticity, make sure to prepend the plaintext with `k` zeros and check the zeros after decryption. This will be supported in the future... see [integrity example](./examples/integrity.rs) +- If you need authenticity, make sure to prepend the plaintext with `k = 128-bits` zeros and check the zeros after decryption. This will be supported in the future... see [integrity example](./examples/integrity.rs) ### TODO - [ ] Add more tests, examples, and benchmarks ... - [ ] Make it generic for any compatible cipher, keyed_hash, and KDF. -- [ ] Compare with another implementation ... maybe with Haskel when available. +- [ ] Compare with existing implementation + maybe with Haskel when available. - [ ] Add a version with API which prepend the plaintext with k-zeros and checks authenticity after decryption. - [ ] impl enc and dec to the API to work beside encrypt_in_place and decrypt_in_place. - ... 
diff --git a/examples/integrity.rs b/examples/integrity.rs index aedfa93..f7fd7e0 100644 --- a/examples/integrity.rs +++ b/examples/integrity.rs @@ -1,7 +1,7 @@ use anyhow::Result; use lioness_blockcipher::{Lioness, MasterKey}; -const K: usize = 32; +const K: usize = 16; fn main() -> Result<()> { let key: MasterKey = [0x42; 32]; diff --git a/src/lib.rs b/src/lib.rs index 299eddb..c94ddd9 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -9,11 +9,11 @@ use sha3::{ }; use zeroize::{Zeroize, ZeroizeOnDrop}; -// We expect the input key to be of size 32 bytes (128-bits) +// We expect the input key to be of size 32 bytes (256-bits) // because in sphinx this is the size of the shared key `s` between the sender and each hop. // This shared key is then used to derive all the needed keys to encrypt the payload pub const MASTER_KEY_LEN: usize = 32; -// For LIONESS, the length of the left part of the key (after splitting block into left `L` and right `R`) +// For LIONESS, the length of the left part (after splitting block into left `L` and right `R`) // must be the same size as: // - the stream cipher key // - the output (digest) of the keyed-hash function @@ -58,7 +58,7 @@ struct RoundKeys { /// WARNING: integrity/authenticity is not guaranteed by the LIONESS large-block cipher /// This is because LIONESS is not an AEAD but one can add an authentication check by /// simply prepending the plaintext with `k` bytes of zeros -/// a safe value for `k` would be 32 bytes which is what the Sphinx paper suggests. +/// a safe value for `k` would be 16-bytes which is what the Sphinx paper suggests. /// However, this prepending is not part of the code here. #[derive(Clone, ZeroizeOnDrop)] pub struct Lioness {
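Review bot: The new `const K: usize = 16;` in the example and the "16-bytes" figure in the `Lioness` doc comment are two independent literals that must stay equal, and this commit exists precisely because they (and the README) had already drifted from each other; nothing in the code ties them together. I would export the value from the library, `pub const INTEGRITY_PAD_LEN: usize = 16;` next to `MASTER_KEY_LEN` in src/lib.rs, and have the example read `const K: usize = lioness_blockcipher::INTEGRITY_PAD_LEN;` so the docs, the example and the planned prepend/check API share one source of truth. The zero check itself is in the body of `main`, which runs past the hunk; if it compares the leading bytes with `==` or `iter().all(..)`, a constant-time comparison would be the defensive choice, since those bytes are effectively the authentication tag, though I have not demonstrated an exploitable timing path against a wide-block cipher here.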
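Review bot: The doc comment on `Lioness` now states that 16 bytes is a safe `k` but still gives no reason, so a reader cannot judge whether a different `k` is acceptable for their block size; I would extend the changed line to `/// a safe value for k is 16 bytes (128 bits, the Sphinx security parameter): assuming LIONESS behaves as a strong pseudorandom permutation over the whole block, any change to the ciphertext randomises the entire decrypted block, so a forgery passes the zero check with probability about 2^-128.` It should also say explicitly that the zeros must be verified before any of the decrypted payload is used, because the check, not the cipher, is what rejects tampering. Minor style: `16-bytes` should read `16 bytes`, as the surrounding comments in this file write byte counts, and the doc lines would read better with terminal punctuation. `pub struct Lioness {` opens on the hunk's last line and its fields are outside the hunk.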