top | item 40830388

(no title)

d-z-m | 1 year ago

> 0¹²⁰10000111

for those of you(like me) wondering where this apparently spooky constant is coming from, it is a bitstring of the coefficients of the lexically first irreducible polynomial of degree b with the minimum possible number of non-zero terms, where b is the block size(in bits) of the underlying block cipher with which CMAC is instantiated. So, nothing up the sleeve here.

discuss

Retr0id|1 year ago

My natural follow-up question was "why can't you just have K1 = L?" Obviously it's inherited from CMAC, but why does CMAC do it?

Investigating further, general-case CMAC involves generating a K1 and a K2, which afaict just need to be arbitrarily different from each other. So why not something even simpler, like "xor with 1"?

pbsd|1 year ago

The multiplication in CMAC is there to distinguish between full and partial final input blocks. It can't be simply a xor with a constant because that would be easily cancelable in the input, and wouldn't satisfy the required xor-universal-like properties required by the security proof.

The input here is highly restricted so there's no point to it.

unknown|1 year ago

[deleted]

Dylan16807|1 year ago

It's an 8 bit constant padded to 128 bits, so while I appreciate the explanation it's not nearly enough entropy to spook me.