Diffstat (limited to 'templates/nonce-reuse.html')
-rw-r--r-- | templates/nonce-reuse.html | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html index eff36b4..5412050 100644 --- a/templates/nonce-reuse.html +++ b/templates/nonce-reuse.html @@ -165,8 +165,9 @@ <p> We plug \(h\) back into the first equation to recover \(s\), and we can forge the MAC for arbitary ciphertext under the same nonce. - Note that there may be multiple possible monomial roots; in this - case, one can check each possibility against the enemy. + Note that there may be multiple possible roots; in this + case, one can check each possibility against the enemy, or perform + the attack twice on two pairs of intercepted messages. </p> <p> One can use SageMath to compute factors of a polynomial: @@ -189,6 +190,7 @@ for factor, _ in p.factor(): <ul> <li>The gcd of two polynomials is unique only up to multiplication by a non-zero constant because “greater” is defined for polynomials in terms of degree. When used in algorithms, gcd refers to the <em>monic</em> gcd, which is unique.</li> <li>The <a href="https://math.stackexchange.com/a/943626/1084004">inverse Frobenius automorphism</a> (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}}\).</li> + <li>The authentication key <strong>must</strong> appear in one of the linear factors (those of the form \(y+h\)). This allows one to skip parts of the distinct-degree factorization and equal-degree factorization, making the algorithm much faster. Exercise: prove this claim.</li> </ul> <p> Readers who wish to implement this attack themselves can try @@ -198,7 +200,7 @@ for factor, _ in p.factor(): </details> <details> <summary> - Show me the code. + Example with code. </summary> <pre> from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, gcm_encrypt, gcm_decrypt, nonce_reuse_recover_secrets |
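Review bot: in the first hunk (@@ -165,8 +165,9 @@), the new clause "or perform the attack twice on two pairs of intercepted messages" leaves out why a second pair helps; say it explicitly: \(h\) is a common root of both polynomials, so the gcd of the two polynomials (which the notes further down already discuss) isolates the shared linear factor \(y+h\) and, with overwhelming probability, discards the spurious roots without any interaction with the target. Two smaller points in the same hunk: the unchanged context line "forge the MAC for arbitary ciphertext" still carries the typo "arbitary" (should be "arbitrary"), and "check each possibility against the enemy" reads oddly; "check each candidate by submitting a forgery to the target" would be clearer.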
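Review bot: in the second hunk (@@ -189,6 +190,7 @@), the added bullet states that the authentication key "must appear in one of the linear factors" and defers the proof to an exercise, but the justification is one line and belongs in the text: \(h\) is an element of \(\mathbb{F}_{2^{128}}\) and a root of the polynomial, so by the factor theorem \(y-h\), which in characteristic 2 is \(y+h\), divides it. The claim that this lets one "skip parts of" distinct-degree and equal-degree factorization should also be made concrete: only the degree-1 step of distinct-degree factorization is needed, since \(\gcd(p,\ y^{2^{128}}-y)\) is the product of all distinct linear factors of \(p\), and equal-degree factorization then only has to split that product into its linear factors; the steps for degree 2 and above can be dropped entirely.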