While trying to implement bcrypt based on the USENIX 99 paper alone, a tiny difference between the paper and src/lib/libc/crypt/bcrypt.c left me scratching my head until I finally gave in and had a peek.
Since it was first checked in, bcrypt.c has passed the key to the odd Blowfish_expand0state invocations and the salt to the even, as do all other bcrypt implementations I could find, while the paper disagrees: > EksBlowfishSetup (cost, salt, key) > state ← InitState () > state ← ExpandKey (state, salt, key) > repeat (2 ^ cost) >> state ← ExpandKey (state, 0, salt) >> state ← ExpandKey (state, 0, key) > return state > Thereafter, ExpandKey is alternately called with the salt and then > key for (2 ^ cost) iterations. I have a couple of questions. Are there any interesting reasons behind this difference (aside from a simple mistake in either the implementation or the paper)? Does the difference in order have any cryptanalytic implications (it would surprise me if there were, but I’m not really a cryptographer)?
