From 7872bbcaf421bbb2fd3ab5fb1283e9cb8282a02f Mon Sep 17 00:00:00 2001
From: cyfraeviolae <cyfraeviolae>
Date: Wed, 24 Aug 2022 16:21:17 -0400
Subject: work

---
 templates/index.html       | 13 +++++++++----
 templates/nonce-reuse.html | 23 +++++++++++++++--------
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/templates/index.html b/templates/index.html
index fdcddd8..baf6a6d 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -18,11 +18,13 @@
             <div class="crumbs">
                 <a href="/git/forbidden-salamanders">source code</a>
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/nonce-reuse">aes-gcm nonce reuse</a>
+                <a href="/forbidden-salamanders/nonce-reuse">nonce reuse</a>
+                <!--
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/nonce-truncation">aes-gcm nonce truncation</a>
+                <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a>
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/key-commitment">aes-gcm key commitment</a>
+                <a href="/forbidden-salamanders/key-commitment">key commitment</a>
+                -->
             </div>
         </div>
 		<p>
@@ -37,9 +39,10 @@
         <p>
             <strong><a href="/forbidden-salamanders/nonce-reuse">Nonce
             reuse</a>.</strong> Due to rising entropy prices, Roseacrucis has
-            started to reuse nonces. You must perform the Forbidden Attack in order to
+            started to reuse AES-GCM nonces. You must perform the Forbidden Attack in order to
             recover the authentication key and forge arbitrary ciphertext.
         </p>
+        <!--
         <p>
             <strong><a href="#">Nonce truncation</a>.</strong> The sorcerer
             aims to conserve bandwidth by truncating nonces from twelve bytes
@@ -54,6 +57,7 @@
 			Library that decrypt to confidential information under one key, but
 			innocuous banter under another.
         </p>
+        -->
         <br>
 		<details>
 			<summary>
@@ -64,6 +68,7 @@
                 AES-GCM is a block cipher that accepts a key of 16 bytes,
                 a nonce of 12 bytes, plaintext, and additional authenticated data.
                 It returns ciphertext and a message authentication code (MAC).
+                The construction is <a href="https://csrc.nist.gov/publications/detail/sp/800-38d/final">specified by NIST</a>.
             </p>
             <p>
                 The ciphertext is computed as in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)">counter mode</a>, whereas the MAC is computed using the algorithm GMAC.
diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html
index 2637d50..e60cc95 100644
--- a/templates/nonce-reuse.html
+++ b/templates/nonce-reuse.html
@@ -18,16 +18,18 @@
             <div class="crumbs">
                 <a href="/git/forbidden-salamanders">source code</a>
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/nonce-reuse"><strong>aes-gcm nonce reuse</strong></a>
+                <a href="/forbidden-salamanders/nonce-reuse"><strong>nonce reuse</strong></a>
+				<!--
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/nonce-truncation">aes-gcm nonce truncation</a>
+                <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a>
                 <span class="sep"> · </span>
-                <a href="/forbidden-salamanders/key-commitment">aes-gcm key commitment</a>
+                <a href="/forbidden-salamanders/key-commitment">key commitment</a>
+				-->
             </div>
         </div>
         <p>
             <strong>Nonce reuse.</strong> Due to rising entropy
-            prices, Roseacrucis has started to reuse nonces. You must perform the
+            prices, Roseacrucis has started to reuse AES-GCM nonces. You must perform the
             Forbidden Attack in order to recover the authentication key and
             forge arbitrary ciphertext.
         </p>
@@ -160,10 +162,15 @@
             polynomial</a>.
         </p>
         <p>
-            We plug \(h\) back into the first equation to recover \(s\),
-            and finally, we can forge the MAC for arbitary ciphertext under the
-            same nonce. Note that there may be multiple possible monomial roots;
-            in this case, one can check each possibility online.
+            We plug \(h\) back into the first equation to recover \(s\), and we
+            can forge the MAC for arbitary ciphertext under the same nonce.
+            Note that there may be multiple possible monomial roots; in this
+            case, one can check each possibility against the enemy.
+        </p>
+        <p>
+            Readers who wish to implement this attack themselves can try
+            <a href="https://cryptopals.com/">Cryptopals</a>; specifically
+            Set 8 Problem 62.
         </p>
         </details>
 		<details>
-- 
cgit v1.2.3