1 files changed, 87 insertions, 73 deletions

diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html
index 9761955..2637d50 100644
--- a/templates/nonce-reuse.html
+++ b/templates/nonce-reuse.html
@@ -32,6 +32,88 @@
             forge arbitrary ciphertext.
         </p>
         <br>
+		{% if form.errors %}
+		<div class="errors">
+			Errors:
+			<ul>
+				{% for name, errors in form.errors.items() %}
+				{% for error in errors %}
+				<li> {{name}}: {{ error }} </li>
+				{% endfor %}
+				{% endfor %}
+			</ul>
+		</div>
+		{% endif %}
+        <form action="/forbidden-salamanders/nonce-reuse" method="post">
+			<div><em>
+				Roseacrucis chooses a key, a nonce, and two messages. He encrypts both messages under the same nonce.
+			</em></div><br>
+
+            <div>
+            <label for="key">Key (16 bytes in hex)</label>
+			<input name="key" id="key" type="text" value="{{ key if key else '746c6f6e6f7262697374657274697573' }}" minlength=32 maxlength=32 required>
+            </div>
+
+            <div>
+            <label for="nonce">Nonce (12 bytes in hex)</label>
+			<input name="nonce" id="nonce" type="text" value="{{ nonce if nonce else '4a4f5247454c424f52474553' }}" minlength=24 maxlength=24 required>
+            </div>
+
+            <div>
+            <label for="m1">First intercepted message</label>
+			<input name="m1" id="m1" type="text" required maxlength=64 value="{{m1 if m1 else 'The universe (which others call the Library)'}}">
+            </div>
+
+            <div>
+            <label for="m2">Second intercepted message</label>
+			<input name="m2" id="m2" type="text" required maxlength=64 value="{{m2 if m2 else 'From any of the hexagons one can see, interminably'}}">
+            </div>
+
+			<br><div><em>
+				After intercepting the ciphertexts, you choose a new message to forge under the same key and nonce.
+			</em></div><br>
+
+            <div>
+            <label for="mf">Forged message; shorter than the first message</label>
+			<input name="mf" id="mf" type="text" required maxlength=64 value="{{mf}}">
+            </div>
+
+            <div>
+				<button type="submit">Recover authentication key and forge MAC</button>
+            </div>
+        </form>
+		<form action="/forbidden-salamanders/nonce-reuse" method="get">
+		<div>
+			<button type="submit">Reset</button>
+		</div>
+		</form>
+		{% if macs %}
+        <div class="solution">
+			<p>
+				Forged ciphertext: <code>{{ c_forged.hex() }}</code>
+				{% if macs|length == 1 %}
+				<br>
+				Forged MAC: <code>{{macs[0][2].hex()}}</code>
+				<br>
+				Authentication key: <code>{{macs[0][0].hex()}}</code></li>
+				{% endif %}
+			</p>
+			{% if macs|length != 1 %}
+			Forged MAC candidates:
+			<ul>
+				{% for h, _, mac in macs %}
+				<li>
+					MAC: <code>{{mac.hex()}}</code>
+					<ul class="inner-ul">
+						<li>Authentication key: <code>{{h.hex()}}</code></li>
+					</ul>
+				</li>
+				{% endfor %}
+			</ul>
+			{% endif %}
+        </div>
+		{% endif %}
+        <br>
 		<details>
 			<summary>
                 Attack outline.
@@ -84,61 +166,6 @@
             in this case, one can check each possibility online.
         </p>
         </details>
-        <br>
-        <form action="/forbidden-salamanders/nonce-reuse" method="post">
-            <div>
-            <label for="key">Key (16 bytes in hex)</label>
-			<input name="key" id="key" type="text" value="{{ key.hex() if key else '59454c4c4f575f5355424d4152494e45' }}" minlength=32 maxlength=32>
-            </div>
-
-            <div>
-            <label for="nonce">Nonce (12 bytes in hex)</label>
-			<input name="nonce" id="nonce" type="text" value="{{ nonce.hex() if nonce else '4a4f5247454c424f52474553' }}" minlength=24 maxlength=24>
-            </div>
-
-            <div>
-            <label for="m1">First intercepted message (in ASCII)</label>
-			<input name="m1" id="m1" type="text" required maxlength=100 value="{{m1}}">
-            </div>
-
-            <div>
-            <label for="m2">Second intercepted message (in ASCII)</label>
-			<input name="m2" id="m2" type="text" required maxlength=100 value="{{m2}}">
-            </div>
-
-            <div>
-            <label for="mf">Forged message; shorter than the first message (in ASCII)</label>
-			<input name="mf" id="mf" type="text" required maxlength=100 value="{{mf}}">
-            </div>
-
-            <div>
-				<button type="submit">Recover authentication key and forge MAC</button>
-            </div>
-        </form>
-		{% if macs %}
-        <div>
-			<p>
-				Forged ciphertext: <code>{{ c_forged.hex() }}</code>
-			</p>
-			Forged MAC candidates:
-			<ul>
-				{% for h, _, mac in macs %}
-				<li>
-					MAC: <code>{{mac.hex()}}</code>
-					<ul>
-						<li>Authentication key: <code>{{h.hex()}}</code></li>
-					</ul>
-				</li>
-				{% endfor %}
-			</ul>
-			<form action="/forbidden-salamanders/nonce-reuse" method="get">
-            <div>
-				<button type="submit">Reset</button>
-            </div>
-			</form>
-        </div>
-		{% endif %}
-        <br>
 		<details>
 			<summary>
                 Show me the code.
@@ -148,10 +175,8 @@ from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, g
 
 k = b"tlonorbistertius"
 nonce = b"jorgelborges"
-m1 = b"The universe (which others call the Library)"
-aad1 = b"The Anatomy of Melancholy"
-m2 = b"From any of the hexagons one can see, interminably"
-aad2 = b"Letizia Alvarez de Toledo"
+m1, aad1 = b"The universe (which others call the Library)", b""
+m2, aad2 = b"From any of the hexagons one can see, interminably", b""
 
 c1, mac1 = gcm_encrypt(k, nonce, aad1, m1)
 c2, mac2 = gcm_encrypt(k, nonce, aad2, m2)
@@ -161,21 +186,10 @@ possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1,
 
 # Forge the ciphertext
 m_forged = b"As was natural, this inordinate hope"
-assert len(m_forged) <= len(m1)
-c_forged = xor(c1, xor(m1, m_forged))
-aad_forged = b"You who read me, are You sure of understanding my language?"
+c_forged, aad_forged = xor(c1, xor(m1, m_forged)), b""
 
-# Check possible candidates for authentication key
-succeeded = False
 for h, s in possible_secrets:
-    mac_forged = gmac(h, s, aad_forged, c_forged)
-    try:
-        assert gcm_decrypt(k, nonce, aad_forged, c_forged, mac_forged) == m_forged
-        succeeded = True
-        print(c_forged.hex(), mac_forged.hex())
-    except AssertionError:
-        pass
-assert succeeded</pre></details>
+    print("MAC candidate": gmac(h, s, aad_forged, c_forged))</pre></details>
 		<details>
 			<summary>
                 Show me the math.
@@ -219,7 +233,7 @@ for factor, _ in p.factor():
 		</p>
 		<ul>
 			<li>The gcd of two polynomials is unique only up to multiplication by a non-zero constant because &ldquo;greater&rdquo; is defined for polynomials in terms of degree. When used in algorithms, gcd refers to the <em>monic</em> gcd, which is unique.</li>
-			<li>The <a href="https://math.stackexchange.com/a/943626/1084004">inverse Frobenius automorphism</a> (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}})\).</li>
+			<li>The <a href="https://math.stackexchange.com/a/943626/1084004">inverse Frobenius automorphism</a> (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}}\).</li>
 		</ul>
         </details>
 <script>