| author | cyfraeviolae <cyfraeviolae> | 2022-08-23 23:16:44 -0400 |
|---|---|---|
| committer | cyfraeviolae <cyfraeviolae> | 2022-08-23 23:16:44 -0400 |
| commit | 32137f612509ee577703d4316dc6a2ec937da709 (patch) | |
| tree | 5dab75e3af3dc164d2d481e00b250f5b07ee8585 /index.html | |
| parent | ceddd427cb40bcb5fb03373c6de82a69d362aabc (diff) | |
work
Diffstat (limited to 'index.html')
-rw-r--r-- | index.html | 46 |
1 files changed, 23 insertions, 23 deletions
@@ -35,10 +35,10 @@ Choose one of the following missions. </p> <p> - <strong><a href="#">Nonce reuse</a>.</strong> Due to rising entropy - prices, Roseacrucis has started to reuse nonces. You must perform the - Forbidden Attack in order to recover the authentication key and - forge arbitrary ciphertext. + <strong><a href="/forbidden-salamanders/nonce-reuse">Nonce + reuse</a>.</strong> Due to rising entropy prices, Roseacrucis has + started to reuse nonces. You must perform the Forbidden Attack in order to + recover the authentication key and forge arbitrary ciphertext. </p> <p> <strong><a href="#">Nonce truncation</a>.</strong> The sorcerer @@ -82,7 +82,7 @@ interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\) of degree less than \(128\). Multiplication is performed modulo \(m\). This field is of characteristic 2; - e.g., \((\alpha^5 + \alpha+1)+(\alpha^5 + \alpha+1) = 0\). + e.g., \((\alpha^5 + 1)+(\alpha^5 + 1) = 0\). </p> <p> We interpret 16-byte blocks as elements in \(\mathbb{K}\) 
@@ -95,40 +95,40 @@ the block. </p> <p> - 12-byte nonces are interpreted as 96-bit integers in big-endian byte order. - </p> + 12-byte nonces are interpreted as 96-bit integers in big-endian + byte order. Let \(\operatorname{Byte} = [0, 2^8-1]\) and + \(x_i\) refer to the \(i\)th 16-byte chunk of the bytestring + \(x\). + </p> <p> - Let \(\operatorname{Byte} = [0, 2^8-1]\). + \(\operatorname{encode_{big}}(x, n)\) encodes an integer \(x\) into \(n\) bytes in big-endian + byte order. \(\operatorname{pad_n}(x, p)\) pads the length of + the bytestring \(x\) to the nearest multiple of \(n\) with the + byte \(p\). \(\operatorname{AES}(k, x)\) refers to + the <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">128-bit AES block cipher</a>. </p> <br> <div class="algorithm"> <p>\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)</p> <ol class="algorithm-code"> - <li>\( aad' = \operatorname{chunk}_{16}(aad, \operatorname{pad}=\mathtt{0x00}) \)</li> - <li>\( c' = \operatorname{chunk}_{16}(c, \operatorname{pad}=\mathtt{0x00}) \)</li> - <li>\( len = \operatorname{encode_{big}}(128\vert aad' \vert, 8) \mathbin\Vert \operatorname{encode_{big}}(128\vert c'\vert, 8) \)</li> - <li>\( blocks = aad' \mathbin\Vert c' \mathbin\Vert (len) \mathbin\Vert (s) \)</li> - <li>\( \operatorname{return} \sum\limits_{i=1}^{\vert blocks\vert} blocks_{\vert blocks \vert-i} h^{i-1}\)</li> + <li>\( len = \operatorname{encode_{big}}(8y, 8) \mathbin\Vert \operatorname{encode_{big}}(8z, 8) \)</li> + <li>\( blocks = \operatorname{pad}_{16}(aad, 0) \mathbin\Vert \operatorname{pad}_{16}(c, 0) \mathbin\Vert len \mathbin\Vert s \)</li> + <li>\( N = \frac{\vert blocks \vert}{16} \)</li> + <li>\( \operatorname{return} \sum\limits_{i=1}^{N} blocks_{N-i} h^{i-1}\)</li> </ol> </div> <br> <br> <div class="algorithm"> - <p>\(\operatorname{GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in 
\operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p> + <p>\(\operatorname{AES-GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p> <ol class="algorithm-code"> - <li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES-ECB}(k, n') \)</li> + <li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES}(k, n') \)</li> <li> \( c = r \oplus m \) </li> - <li> \( h = \operatorname{AES-ECB}(k, 0) \) </li> - <li> \( s = \operatorname{AES-ECB}(k, 2^{32}n + 1) \) </li> + <li> \( h = \operatorname{AES}(k, 0) \) </li> + <li> \( s = \operatorname{AES}(k, 2^{32}n + 1) \) </li> <li> \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)</li> </ol> </div> - <p> - The authentication key \( h \) is independent of the - nonce \( n \). The constant term \( s \) acts as a blind to - hide the confidential block data in the MAC. Finally, note - that the polynomial computation reverses the order of the blocks. - </p> </details> <!-- <script id="MathJax-script" async src="/forbidden-salamanders/static/mathjax.js"></script> --> <!-- <script type="text/x-mathjax-config"> --> |
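Review bot: in the first hunk (@@ -35,10 +35,10 @@) only the "Nonce reuse" mission is pointed at a real page, while the "Nonce truncation" link in the trailing context still reads `<strong><a href="#">Nonce truncation</a>.</strong>`; if that mission page exists it should get the same `/forbidden-salamanders/...` path in this commit, and if it does not exist yet, a dead `#` anchor is easy to forget, so consider marking it as not yet available. The new absolute path is consistent with the `/forbidden-salamanders/static/mathjax.js` path used further down, so the site prefix looks right.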
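Review bot: in the second hunk (@@ -82,7 +82,7 @@) the replacement example \((\alpha^5 + 1)+(\alpha^5 + 1) = 0\) is correct and simpler than the old one, but the sentence it illustrates ("This field is of characteristic 2") would be clearer if it also stated the general fact the example instantiates, namely \(x + x = 0\) for every \(x \in \mathbb{K}\), so addition and subtraction coincide, and on the 16-byte representation both are XOR. That is the property the rest of the page relies on, and a single numeric instance does not make it obvious.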
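Review bot: in the third hunk (@@ -95,40 +95,40 @@) two of the new definitions are underspecified in a way that changes the algorithm. First, "\(\operatorname{pad_n}(x, p)\) pads the length of the bytestring \(x\) to the nearest multiple of \(n\)" can be read as rounding down; it should say the next multiple of \(n\), with no padding added when the length is already a multiple, which is what the removed \(\operatorname{chunk}_{16}\) did and what GCM does with its zero padding of the AAD and ciphertext. Second, the sum `\( \operatorname{return} \sum\limits_{i=1}^{N} blocks_{N-i} h^{i-1}\)` runs over \(blocks_0 \ldots blocks_{N-1}\), so the new sentence "\(x_i\) refer to the \(i\)th 16-byte chunk" should state that chunks are indexed from 0, otherwise \(blocks_N\) is referenced at \(i=0\) and \(blocks_0\) never is. The length block itself is now right: `\( len = \operatorname{encode_{big}}(8y, 8) \mathbin\Vert \operatorname{encode_{big}}(8z, 8) \)` encodes the unpadded bit lengths, where the old \(128\vert aad'\vert\) used the padded ones. Separately, the closing paragraph ("The authentication key \( h \) is independent of the nonce \( n \). The constant term \( s \) acts as a blind ... the polynomial computation reverses the order of the blocks.") is deleted without replacement; the nonce independence of \(h\) is exactly what the nonce-reuse mission turns on, so that explanation should be kept or folded into the new prose above the algorithm boxes. Minor: in `\( c = r \oplus m \)` the keystream \(r\) is \(2^{32}-2\) blocks long while \(m\) is \(z\) bytes, so the truncation of \(r\) to \(\vert m \vert\) bytes should be stated.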