path: root/templates/nonce-reuse.html
author: cyfraeviolae <cyfraeviolae> 2022-08-31 00:03:26 -0400
committer: cyfraeviolae <cyfraeviolae> 2022-08-31 00:03:26 -0400
commit: d53fd5c63c58ea00b8249b3ce2dc95315ea624e1 (patch)
tree: e31497514d3b6dda2f00cf7d6cb761b16d23ae51 /templates/nonce-reuse.html
parent: 7863559c620faf9780b65db4f022304d4a6ac2c6 (diff)
updates
Diffstat (limited to 'templates/nonce-reuse.html')
-rw-r--r-- templates/nonce-reuse.html | 8
1 files changed, 5 insertions, 3 deletions
diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html
index eff36b4..5412050 100644
--- a/templates/nonce-reuse.html
+++ b/templates/nonce-reuse.html
@@ -165,8 +165,9 @@
<p>
We plug \(h\) back into the first equation to recover \(s\), and we
can forge the MAC for arbitary ciphertext under the same nonce.
- Note that there may be multiple possible monomial roots; in this
- case, one can check each possibility against the enemy.
+ Note that there may be multiple possible roots; in this
+ case, one can check each possibility against the enemy, or perform
+ the attack twice on two pairs of intercepted messages.
</p>
<p>
One can use SageMath to compute factors of a polynomial:
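Review bot: the added alternative on the last two changed lines ("or perform the attack twice on two pairs of intercepted messages") says what to do but not how the second run resolves the ambiguity; suggest finishing the sentence so the reader does not have to infer it, e.g. "...on two pairs of intercepted messages and keep the root common to both candidate sets, which is the authentication key \(h\)". Dropping "monomial" is correct, since the candidates are roots of the polynomial rather than of a monomial. While touching this paragraph, the unchanged context line just above still reads "arbitary" for "arbitrary".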
@@ -189,6 +190,7 @@ for factor, _ in p.factor():
<ul>
<li>The gcd of two polynomials is unique only up to multiplication by a non-zero constant because &ldquo;greater&rdquo; is defined for polynomials in terms of degree. When used in algorithms, gcd refers to the <em>monic</em> gcd, which is unique.</li>
<li>The <a href="https://math.stackexchange.com/a/943626/1084004">inverse Frobenius automorphism</a> (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}}\).</li>
+ <li>The authentication key <strong>must</strong> appear in one of the linear factors (those of the form \(y+h\)). This allows one to skip parts of the distinct-degree factorization and equal-degree factorization, making the algorithm much faster. Exercise: prove this claim.</li>
</ul>
<p>
Readers who wish to implement this attack themselves can try
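Review bot: the new bullet asserts that the authentication key "must appear in one of the linear factors" and leaves the proof as an exercise, but the justification is one sentence and the bullet would be clearer with it: \(h\) is an element of \(\mathbb{F}_{2^{128}}\), so by the factor theorem any polynomial with \(h\) as a root is divisible by \(y+h\) (equal to \(y-h\) in characteristic 2). It would also help to say concretely which part of the factorization is skipped: the product of all linear factors is \(\gcd(p,\ y^{2^{128}}-y)\), the first step of distinct-degree factorization, so only that gcd and the equal-degree split of its (degree-one) factors are needed. The bullet should use the same term as the paragraph above in this patch ("roots" rather than "monomial roots") for consistency.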
@@ -198,7 +200,7 @@ for factor, _ in p.factor():
</details>
<details>
<summary>
- Show me the code.
+ Example with code.
</summary>
<pre>
from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, gcm_encrypt, gcm_decrypt, nonce_reuse_recover_secrets