Re: [P1619-2] P1619.2 Recirculation Ballot has now started

As far as I remember, the intention was indeed to always use M1, exactly
as specified in the code. (The same holds for line 29 on page 8). This
is consistent with the code from the EME* paper (see lines 136 and 236
in the code on page 5 in http://eprint.iacr.org/2004/125.pdf).

I have a vague recollection of actually using this fact in the proof of
security (but this was many years ago and my memory isn't that great
anymore :)

-- Shai

Laszlo.Hars@xxxxxxxxxxx wrote:
> A question I received about the last draft:
>
> The EME2 code shows in line 29 (page 10)
>
> PPPj = MP xor M1
>
> Do we have to always use M1? The engineer thought it was a typo, M1
> should be M. The case could be different from Line 26.
>