key com

1 files changed, 8 insertions, 9 deletions

diff --git a/templates/mac-truncation.html b/templates/mac-truncation.html
index cf91149..1cbd629 100644
--- a/templates/mac-truncation.html
+++ b/templates/mac-truncation.html
@@ -116,6 +116,14 @@
 			on the web: <a href="#show-code">download the library</a> to run it locally.
 		</p>
         <p>
+            This attack was shown by Dutch cryptographer Niels Ferguson
+            in <a href="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf">Authentication weaknesses in GCM</a>.
+            He notes that a (then-)competing mode, CWC, avoids this attack by
+            encrypting the GMAC polynomial with the block cipher before adding
+            \(s\). This breaks the linear relationship between the ciphertext
+            and the MAC.
+        </p>
+        <p>
             Review the <a href="/forbidden-salamanders/nonce-reuse">nonce reuse attack</a>
             to learn why recovering the authentication key is enough to forge MACs over
             arbitrary ciphertexts.
@@ -336,15 +344,6 @@
 			and compute a forged MAC for arbitrary ciphertext under the same nonce
             as in the <a href="/forbidden-salamanders/nonce-reuse">nonce reuse attack</a>.
 		</p>
-        <h4>Addendum</h4>
-        <p>
-            This attack was first shown by Dutch cryptographer Niels Ferguson
-            in his paper <a href="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf">Authentication weaknesses in GCM</a>.
-            He notes that a (then-)competing mode, CWC, avoids this attack by
-            encrypting the GMAC polynomial with the block cipher before adding
-            \(s\). This breaks the linear relationship between the ciphertext
-            and the MAC.
-        </p>
         <p>
             Readers who wish to implement this attack themselves can try
             <a href="https://cryptopals.com/">Cryptopals</a>; specifically