path: root/index.html
Diffstat (limited to 'index.html')
-rw-r--r-- index.html 46
1 files changed, 23 insertions, 23 deletions
diff --git a/index.html b/index.html
index 7b4572b..1fd52b1 100644
--- a/index.html
+++ b/index.html
@@ -35,10 +35,10 @@
Choose one of the following missions.
</p>
<p>
- <strong><a href="#">Nonce reuse</a>.</strong> Due to rising entropy
- prices, Roseacrucis has started to reuse nonces. You must perform the
- Forbidden Attack in order to recover the authentication key and
- forge arbitrary ciphertext.
+ <strong><a href="/forbidden-salamanders/nonce-reuse">Nonce
+ reuse</a>.</strong> Due to rising entropy prices, Roseacrucis has
+ started to reuse nonces. You must perform the Forbidden Attack in order to
+ recover the authentication key and forge arbitrary ciphertext.
</p>
<p>
<strong><a href="#">Nonce truncation</a>.</strong> The sorcerer
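Review bot: only the first mission link is wired up in this hunk; the "Nonce truncation" entry in the trailing context still points at href="#", so the two missions now render inconsistently (one navigable, one a dead anchor). If the second page is not published yet, say so in the text or drop the anchor until it is; otherwise give it a real path alongside /forbidden-salamanders/nonce-reuse. The reflow of the "Nonce reuse" paragraph itself is fine and changes no wording.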
@@ -82,7 +82,7 @@
interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\)
of degree less than \(128\). Multiplication
is performed modulo \(m\). This field is of characteristic 2;
- e.g., \((\alpha^5 + \alpha+1)+(\alpha^5 + \alpha+1) = 0\).
+ e.g., \((\alpha^5 + 1)+(\alpha^5 + 1) = 0\).
</p>
<p>
We interpret 16-byte blocks as elements in \(\mathbb{K}\)
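Review bot: the replaced example is correct both before and after the change; \((\alpha^5 + \alpha + 1)+(\alpha^5 + \alpha + 1) = 0\) and \((\alpha^5 + 1)+(\alpha^5 + 1) = 0\) both hold in a field of characteristic 2, so this is a pure simplification. Since the preceding sentence is the only place the reader learns what "characteristic 2" buys them, consider adding one clause stating the consequence the later material relies on: every element is its own additive inverse, so subtraction in \(\mathbb{K}\) is the same operation as addition (XOR of the coefficient bit-vectors), which is what lets tag differences be rearranged freely.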
@@ -95,40 +95,40 @@
the block.
</p>
<p>
- 12-byte nonces are interpreted as 96-bit integers in big-endian byte order.
- </p>
+ 12-byte nonces are interpreted as 96-bit integers in big-endian
+ byte order. Let \(\operatorname{Byte} = [0, 2^8-1]\) and
+ \(x_i\) refer to the \(i\)th 16-byte chunk of the bytestring
+ \(x\).
+ </p>
<p>
- Let \(\operatorname{Byte} = [0, 2^8-1]\).
+ \(\operatorname{encode_{big}}(x, n)\) encodes an integer \(x\) into \(n\) bytes in big-endian
+ byte order. \(\operatorname{pad_n}(x, p)\) pads the length of
+ the bytestring \(x\) to the nearest multiple of \(n\) with the
+ byte \(p\). \(\operatorname{AES}(k, x)\) refers to
+ the <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">128-bit AES block cipher</a>.
</p>
<br>
<div class="algorithm">
<p>\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)</p>
<ol class="algorithm-code">
- <li>\( aad' = \operatorname{chunk}_{16}(aad, \operatorname{pad}=\mathtt{0x00}) \)</li>
- <li>\( c' = \operatorname{chunk}_{16}(c, \operatorname{pad}=\mathtt{0x00}) \)</li>
- <li>\( len = \operatorname{encode_{big}}(128\vert aad' \vert, 8) \mathbin\Vert \operatorname{encode_{big}}(128\vert c'\vert, 8) \)</li>
- <li>\( blocks = aad' \mathbin\Vert c' \mathbin\Vert (len) \mathbin\Vert (s) \)</li>
- <li>\( \operatorname{return} \sum\limits_{i=1}^{\vert blocks\vert} blocks_{\vert blocks \vert-i} h^{i-1}\)</li>
+ <li>\( len = \operatorname{encode_{big}}(8y, 8) \mathbin\Vert \operatorname{encode_{big}}(8z, 8) \)</li>
+ <li>\( blocks = \operatorname{pad}_{16}(aad, 0) \mathbin\Vert \operatorname{pad}_{16}(c, 0) \mathbin\Vert len \mathbin\Vert s \)</li>
+ <li>\( N = \frac{\vert blocks \vert}{16} \)</li>
+ <li>\( \operatorname{return} \sum\limits_{i=1}^{N} blocks_{N-i} h^{i-1}\)</li>
</ol>
</div>
<br>
<br>
<div class="algorithm">
- <p>\(\operatorname{GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p>
+ <p>\(\operatorname{AES-GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p>
<ol class="algorithm-code">
- <li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES-ECB}(k, n') \)</li>
+ <li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES}(k, n') \)</li>
<li> \( c = r \oplus m \) </li>
- <li> \( h = \operatorname{AES-ECB}(k, 0) \) </li>
- <li> \( s = \operatorname{AES-ECB}(k, 2^{32}n + 1) \) </li>
+ <li> \( h = \operatorname{AES}(k, 0) \) </li>
+ <li> \( s = \operatorname{AES}(k, 2^{32}n + 1) \) </li>
<li> \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)</li>
</ol>
</div>
- <p>
- The authentication key \( h \) is independent of the
- nonce \( n \). The constant term \( s \) acts as a blind to
- hide the confidential block data in the MAC. Finally, note
- that the polynomial computation reverses the order of the blocks.
- </p>
</details>
<!-- <script id="MathJax-script" async src="/forbidden-salamanders/static/mathjax.js"></script> -->
<!-- <script type="text/x-mathjax-config"> -->
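Review bot: the explanatory paragraph removed at the end of this hunk ("The authentication key \( h \) is independent of the nonce \( n \) ... the polynomial computation reverses the order of the blocks") is deleted with nothing replacing it, and those three sentences are the only prose that ties the algorithm boxes back to the mission: \( h = \operatorname{AES}(k, 0) \) not depending on \( n \) is exactly why reusing a nonce lets an attacker recover \( h \), and the block-reversal remark is what makes the \( blocks_{N-i} h^{i-1} \) indexing readable. Suggest keeping the paragraph (or folding it into the text above the GMAC box). Three smaller points on the new definitions: (1) the sum runs \( i = 1 \dots N \) over \( blocks_{N-i} \), i.e. indices \( 0 \dots N-1 \), so the new sentence "\( x_i \) refer to the \( i \)th 16-byte chunk" should state that chunks are 0-indexed, otherwise \( blocks_{N-1} \) and \( blocks_N \) are both plausible readings of "the last block"; (2) \( \operatorname{AES}(k, x) \) is introduced as a function of a bytestring, but the GCM box calls it on the integers \( 0 \), \( 2^{32}n + 1 \) and \( n' \); writing them as \( \operatorname{AES}(k, \operatorname{encode_{big}}(2^{32}n + 1, 16)) \) would use the \( \operatorname{encode_{big}} \) helper this hunk just defined and make the 128-bit counter-block layout explicit; (3) \( r \) is defined as the concatenation of all \( 2^{32}-2 \) keystream blocks while \( c = r \oplus m \) needs \( r \) cut to \( z \) bytes, so add a truncation step or note it. The switch from \( 128\vert aad'\vert \) to \( 8y \) in the \( len \) block is a genuine fix (GCM encodes the bit length of the unpadded input, not of the padded chunks), so that part should stay as written; for \( aad \) of length already a multiple of 16, including the empty string, \( \operatorname{pad}_{16} \) as defined adds nothing, which matches the standard.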