Diffstat (limited to 'aesgcmanalysis.py')
-rw-r--r--aesgcmanalysis.py17
1 files changed, 11 insertions, 6 deletions
diff --git a/aesgcmanalysis.py b/aesgcmanalysis.py
index cc752f7..52b4012 100644
--- a/aesgcmanalysis.py
+++ b/aesgcmanalysis.py
@@ -669,7 +669,7 @@ def find_b(n, basis, ct, mac, nonce, aad, oracle):
base = bytearray(ct)
idx = 0
while True:
- choice = random.sample(basis, random.randint(1, 12))
+ choice = random.sample(basis, random.randint(1, 14))
b = sum(choice) % 2
flips = gen_flips(b)
blocks = gen_blocks(n, flips)
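Review bot: The raised upper bound on the `random.sample` draw is still an unguarded magic number: `random.sample` raises `ValueError` when the requested count exceeds `len(basis)`, and nothing visible in the hunk guarantees the kernel basis has at least 14 vectors. Clamping the draw, `choice = random.sample(basis, random.randint(1, min(14, len(basis))))`, keeps the search loop alive on a small basis, and naming the bound (e.g. `MAX_BASIS_COMBINE = 14` with a one-line comment on why 14 was chosen over 12) would make the tuning reviewable. `find_b` starts and ends outside this hunk.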
@@ -686,7 +686,7 @@ def find_b(n, basis, ct, mac, nonce, aad, oracle):
base[j*16:(j+1)*16] = xor(base[j*16:(j+1)*16], block)
idx += 1
-def nonce_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle):
+def nonce_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle, compute_T_once=False):
orig_ct = ct
ct = aad + ct
n = compute_n(ct)
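Review bot: The new `compute_T_once` parameter is undocumented and positional, so a caller can silently set it by passing a seventh positional argument. Making it keyword-only, `def nonce_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle, *, compute_T_once=False):`, is backward compatible with the existing keyword call in the demo, and a docstring line such as `compute_T_once: build the T matrix and its kernel basis once before the search loop instead of on every iteration` should state what the flag trades off. The function body continues past this hunk.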
@@ -696,10 +696,14 @@ def nonce_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle):
X = None
K = None
basisKerK = None
- while K is None or (basisKerK is None or len(basisKerK) > 1):
+ if compute_T_once:
T = gen_t(n, mac_bytes, X, minrows=7)
_, _, basisKerT = kernel(T, rref_mod_2)
- assert len(basisKerT[0]) == n*128
+ while K is None or (basisKerK is None or len(basisKerK) > 1):
+ if not compute_T_once:
+ T = gen_t(n, mac_bytes, X, minrows=7)
+ _, _, basisKerT = kernel(T, rref_mod_2)
+ assert len(basisKerT[0]) == n*128
b = find_b(n, basisKerT, ct, mac, nonce, aad, oracle)
flips = gen_flips(b)
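Review bot: The dimension check `assert len(basisKerT[0]) == n*128` now runs only in the per-iteration branch; the `compute_T_once=True` path on the preceding lines computes `T` and `basisKerT` without it, so the two branches no longer enforce the same invariant, and the T/kernel computation is duplicated verbatim. Folding both into one guarded block inside the loop keeps a single copy of the code and applies the check on every path. Note also that in the once-only path `gen_t` is called while `X` is still `None` (set two lines above), so any later update to `X` in the loop body would presumably not feed back into `T` — if that is intended, say so in a comment. The `assert` is stripped under `python -O`; a `raise ValueError(...)` would make the invariant unconditional. The loop body continues beyond the hunk.
```python
    T = None
    while K is None or (basisKerK is None or len(basisKerK) > 1):
        # Rebuild T each iteration unless the caller asked for a single T.
        if T is None or not compute_T_once:
            T = gen_t(n, mac_bytes, X, minrows=7)
            _, _, basisKerT = kernel(T, rref_mod_2)
            assert len(basisKerT[0]) == n*128
        b = find_b(n, basisKerT, ct, mac, nonce, aad, oracle)
        # … unchanged: remainder of the loop body …
```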
@@ -785,8 +789,9 @@ def nonce_truncation_demo():
cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=MACBYTES)
cipher.update(aad)
pt = cipher.decrypt_and_verify(base, mac)
- h, s = nonce_truncation_recover_secrets(ct, mac, nonce, MACBYTES, aad, oracle)
+ h, s = nonce_truncation_recover_secrets(ct, mac, nonce, MACBYTES, aad, oracle, compute_T_once=True)
assert h == authentication_key(k)
return h, s
-# nonce_truncation_demo()
+if __name__ == "__main__":
+ nonce_truncation_demo()
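Review bot: The demo now opts into `compute_T_once=True` without saying why, and the `__main__` guard discards the `(h, s)` pair the demo returns, so running the module as a script produces no visible result beyond the internal `assert`. A one-line comment above the call, e.g. `# single T keeps the demo fast; per-iteration recomputation is the default for callers`, would record the choice (hedged, since the speed motive is inferred), and `h, s = nonce_truncation_demo()` followed by a `print` of the recovered values would make the script's outcome observable.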