While trying to implement bcrypt based on the USENIX 99 paper alone, a
tiny difference between the paper and src/lib/libc/crypt/bcrypt.c left
me scratching my head until I finally gave in and had a peek.
Since it was first checked in, bcrypt.c has passed the key to the odd
Blowfish_expand0state invocations and the salt to the even, as do all
other bcrypt implementations I could find, while the paper disagrees:
> EksBlowfishSetup (cost, salt, key)
> state ← InitState ()
> state ← ExpandKey (state, salt, key)
> repeat (2 ^ cost)
>> state ← ExpandKey (state, 0, salt)
>> state ← ExpandKey (state, 0, key)
> return state
> Thereafter, ExpandKey is alternately called with the salt and then
> key for (2 ^ cost) iterations.
I have a couple of questions.
Are there any interesting reasons behind this difference (aside from
a simple mistake in either the implementation or the paper)?
Does the difference in order have any cryptanalytic implications (it
would surprise me if there were, but I’m not really a cryptographer)?