1 files changed, 15 insertions, 8 deletions

diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html
index 2637d50..e60cc95 100644
--- a/templates/nonce-reuse.html
+++ b/templates/nonce-reuse.html
@@ -18,16 +18,18 @@
             <div class="crumbs">
                 <a href="/git/forbidden-salamanders">source code</a>
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/nonce-reuse"><strong>aes-gcm nonce reuse</strong></a>
+                <a href="/forbidden-salamanders/nonce-reuse"><strong>nonce reuse</strong></a>
+				<!--
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/nonce-truncation">aes-gcm nonce truncation</a>
+                <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a>
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/key-commitment">aes-gcm key commitment</a>
+                <a href="/forbidden-salamanders/key-commitment">key commitment</a>
+				-->
             </div>
         </div>
         <p>
             <strong>Nonce reuse.</strong> Due to rising entropy
-            prices, Roseacrucis has started to reuse nonces. You must perform the
+            prices, Roseacrucis has started to reuse AES-GCM nonces. You must perform the
             Forbidden Attack in order to recover the authentication key and
             forge arbitrary ciphertext.
         </p>
@@ -160,10 +162,15 @@
             polynomial</a>.
         </p>
         <p>
-            We plug \(h\) back into the first equation to recover \(s\),
-            and finally, we can forge the MAC for arbitary ciphertext under the
-            same nonce. Note that there may be multiple possible monomial roots;
-            in this case, one can check each possibility online.
+            We plug \(h\) back into the first equation to recover \(s\), and we
+            can forge the MAC for arbitary ciphertext under the same nonce.
+            Note that there may be multiple possible monomial roots; in this
+            case, one can check each possibility against the enemy.
+        </p>
+        <p>
+            Readers who wish to implement this attack themselves can try
+            <a href="https://cryptopals.com/">Cryptopals</a>; specifically
+            Set 8 Problem 62.
         </p>
         </details>
 		<details>