| author | cyfraeviolae <cyfraeviolae> | 2022-08-24 16:21:17 -0400 |
|---|---|---|
| committer | cyfraeviolae <cyfraeviolae> | 2022-08-24 16:21:17 -0400 |
| commit | 7872bbcaf421bbb2fd3ab5fb1283e9cb8282a02f (patch) | |
| tree | 0505be1597733b12825096c5437c2aa9a55d070a /templates/nonce-reuse.html | |
| parent | f649ba59fe194ef169881579138023ec1493a254 (diff) | |
work
Diffstat (limited to 'templates/nonce-reuse.html')
-rw-r--r-- | templates/nonce-reuse.html | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html index 2637d50..e60cc95 100644 --- a/templates/nonce-reuse.html +++ b/templates/nonce-reuse.html @@ -18,16 +18,18 @@ <div class="crumbs"> <a href="/git/forbidden-salamanders">source code</a> <span class="sep"> · </span> - <a href="/forbidden-salamanders/nonce-reuse"><strong>aes-gcm nonce reuse</strong></a> + <a href="/forbidden-salamanders/nonce-reuse"><strong>nonce reuse</strong></a> + <!-- <span class="sep"> · </span> - <a href="/forbidden-salamanders/nonce-truncation">aes-gcm nonce truncation</a> + <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a> <span class="sep"> · </span> - <a href="/forbidden-salamanders/key-commitment">aes-gcm key commitment</a> + <a href="/forbidden-salamanders/key-commitment">key commitment</a> + --> </div> </div> <p> <strong>Nonce reuse.</strong> Due to rising entropy - prices, Roseacrucis has started to reuse nonces. You must perform the + prices, Roseacrucis has started to reuse AES-GCM nonces. You must perform the Forbidden Attack in order to recover the authentication key and forge arbitrary ciphertext. </p> @@ -160,10 +162,15 @@ polynomial</a>. </p> <p> - We plug \(h\) back into the first equation to recover \(s\), - and finally, we can forge the MAC for arbitary ciphertext under the - same nonce. Note that there may be multiple possible monomial roots; - in this case, one can check each possibility online. + We plug \(h\) back into the first equation to recover \(s\), and we + can forge the MAC for arbitary ciphertext under the same nonce. + Note that there may be multiple possible monomial roots; in this + case, one can check each possibility against the enemy. + </p> + <p> + Readers who wish to implement this attack themselves can try + <a href="https://cryptopals.com/">Cryptopals</a>; specifically + Set 8 Problem 62. </p> </details> <details> |
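Review bot: in the first hunk the nonce-truncation and key-commitment links are hidden with an HTML comment (`<!--` / `-->`) rather than removed, so both URLs still ship in the page source that every visitor receives; if those pages are not meant to be reachable yet, drop the block or gate it in the template instead of commenting it out. The wording change to "reuse AES-GCM nonces" in the intro paragraph is fine now that the breadcrumb no longer says "aes-gcm".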
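Review bot: in the second hunk the misspelling "arbitary" on the rewritten line `can forge the MAC for arbitary ciphertext under the same nonce.` is carried over from the old text; fix it to "arbitrary" while this paragraph is being touched. The added pointer to Cryptopals Set 8 Problem 62 is a useful reference for readers who want to work through the attack themselves.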