path: root/aesgcmanalysis.py
authorcyfraeviolae <cyfraeviolae>2022-08-30 16:01:50 -0400
committercyfraeviolae <cyfraeviolae>2022-08-30 16:02:06 -0400
commit962813c11fc4489259f8de1ccda5f7d87f92c0d7 (patch)
tree3e583836f979001ba70ead27726b5f3e580a9045 /aesgcmanalysis.py
parentc14d12e6bc997a1aa4d6ed8bde90c8dc9659f3a5 (diff)
pdfs
Diffstat (limited to 'aesgcmanalysis.py')
-rw-r--r--aesgcmanalysis.py30
1 files changed, 16 insertions, 14 deletions
diff --git a/aesgcmanalysis.py b/aesgcmanalysis.py
index 12442c1..668e75b 100644
--- a/aesgcmanalysis.py
+++ b/aesgcmanalysis.py
@@ -759,9 +759,13 @@ def collide(k1, k2, nonce, c):
lens = bytes_to_gf128(encode_lengths(0, len(c) + 16))
acc = gf128_mul(lens, gf128_add(h1, h2))
acc = gf128_add(acc, gf128_add(p1, p2))
- for i in range(1, mlen):
- hi = gf128_add(gf128_exp(h1, mlen+2-i), gf128_exp(h2, mlen+2-i))
- acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[(i-1)*16:((i-1)+1)*16]), hi))
+ h1Running = gf128_exp(h1, 3)
+ h2Running = gf128_exp(h2, 3)
+ for i in reversed(range(mlen-1)):
+ hi = gf128_add(h1Running, h2Running)
+ h1Running = gf128_mul(h1Running, h1)
+ h2Running = gf128_mul(h2Running, h2)
+ acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
inv = gf128_inv(gf128_add(gf128_mul(h1, h1), gf128_mul(h2, h2)))
c_append = gf128_mul(acc, inv)
c_ = c + gf128_to_bytes(c_append)
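Review bot: The running-power rewrite is only right under the invariant that `h1Running` equals `h1**(mlen+1-i)` at the top of each iteration (block `mlen-2` gets exponent 3, block 0 gets `mlen+1`), and now that the closed-form `gf128_exp(h1, mlen+2-i)` is gone nothing in the hunk states it; I would add `# invariant: h1Running == h1^(mlen+1-i); equals the old gf128_exp(h1, mlen+2-i) with i shifted by one` above `hi = gf128_add(h1Running, h2Running)`. That correspondence appears to assume `mlen` counts the block appended at the end (the lengths field uses `len(c) + 16`, and `mlen` is defined above the hunk), which the same comment should say so the next edit to the loop bound does not silently break the tag equation. As a style point, `h1Running`/`h2Running` are camelCase in a file that otherwise uses snake_case (`bytes_to_gf128`, `c_append`); `h1_pow`/`h2_pow` would fit. `collide` starts outside the hunk.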
@@ -771,21 +775,19 @@ def collide(k1, k2, nonce, c):
def collide_penultimate(k1, k2, nonce, c):
h1 = authentication_key(k1)
h2 = authentication_key(k2)
- p1 = gmac_blind(k1, nonce)
- p2 = gmac_blind(k2, nonce)
+ p1 = blind(k1, nonce)
+ p2 = blind(k2, nonce)
assert len(c) % 16 == 0
mlen = len(c)//16
lens = bytes_to_gf128(encode_lengths(0, len(c)))
acc = gf128_mul(lens, gf128_add(h1, h2))
acc = gf128_add(acc, gf128_add(p1, p2))
- n=4
h1Running = gf128_exp(h1, 4)
h2Running = gf128_exp(h2, 4)
for i in reversed(range(0, mlen-2)):
hi = gf128_add(h1Running, h2Running)
h1Running = gf128_mul(h1Running, h1)
h2Running = gf128_mul(h2Running, h2)
- n+=1
acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
hi = gf128_add(gf128_exp(h1, 2), gf128_exp(h2, 2))
i = mlen-1
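Review bot: With the `n` counter removed, the starting exponent `gf128_exp(h1, 4)` and the loop bound `range(0, mlen-2)` are the only record of which block is being left free, and the hunk does not say so; I would put `# blocks 0..mlen-3 get h^(mlen+1-i) (running power starts at h^4 for block mlen-3); block mlen-1 is added with h^2 below, block mlen-2 is presumably the one solved for` above the loop. Separately, the `assert len(c) % 16 == 0` that guards the 16-byte slicing is stripped under `python -O`, so a ragged ciphertext would silently yield a short last block and a wrong tag; `if len(c) % 16: raise ValueError("ciphertext length must be a multiple of 16")` is the safer form, pre-existing but worth fixing while this function is being touched. The tail of `collide_penultimate` is outside the hunk.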
@@ -869,17 +871,17 @@ def key_search_pdf_pdf():
m1 = a + b'\x0a'
c1 = gctr(k1, nonce, m1)
while True:
- k2 = secrets.token_bytes(16)
- m2 = gctr(k2, nonce, c1)
- if m2[0] == b'%'[0] and b'\x0a' not in m2[:-1] and m2[-1] == b'\x0a'[0]:
+ k2 = secrets.token_bytes(16)
+ m2 = gctr(k2, nonce, c1)
+ if m2[0] == b'%'[0] and b'\x0a' not in m2[:-1] and m2[-1] == b'\x0a'[0]:
return k1, k2, nonce, c1
def att_merge_pdf_pdf(pdf1, pdf2, aad):
# precomputed with key_search_pdf_pdf
- k1 = binascii.unhexlify('c94a4dbd95faf02bdc0c39e0c0984299')
- k2 = binascii.unhexlify('e4d26cdfbc732473103a5a887a755e19')
- nonce = binascii.unhexlify('4a4f5247454c424f52474553')
- r = binascii.unhexlify('ade70922bef96292d1b7d39d53140ed2229a6819eebe86f5a536ad7da256679ae12b88a8bbfad501')
+ k1 = unhexlify('c94a4dbd95faf02bdc0c39e0c0984299')
+ k2 = unhexlify('e4d26cdfbc732473103a5a887a755e19')
+ nonce = unhexlify('4a4f5247454c424f52474553')
+ r = unhexlify('ade70922bef96292d1b7d39d53140ed2229a6819eebe86f5a536ad7da256679ae12b88a8bbfad501')
N = len(pdf1) + len(pdf2) + 1000
pdf1stream = gctr(k1, nonce, b'\x00'*N)