From c8dd842220a6bfbc73f1118943f8bf9cd9c0ed3b Mon Sep 17 00:00:00 2001
From: cyfraeviolae
Date: Fri, 26 Aug 2022 22:08:18 -0400
Subject: cache default answers
---
 app.py | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
(limited to 'app.py')
diff --git a/app.py b/app.py
index efc45bf..9aade4e 100644
--- a/app.py
+++ b/app.py
@@ -54,7 +54,16 @@ def solve_nonce_reuse(k, nonce, m1, m2, mf):
 c1, mac1 = gcm_encrypt(k, nonce, aad1, m1)
 c2, mac2 = gcm_encrypt(k, nonce, aad2, m2)
- possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2)
+ default_m1 = 'The universe (which others call the Library)'
+ default_m2 = 'From any of the hexagons one can see, interminably'
+ if k == b'tlonorbistertius' and nonce == b'JORGELBORGES' and m1 == default_m1 and m2 == default_m2:
+ possible_secrets = [(144676297626548424623350164317265032260,
+ 137128696435097309357166918744288944691),
+ (176085395972970454284981815262084281580,
+ 250035608282660492164551282952970544944)]
+ else:
+ possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2)
+
 c_forged = xor(c1, xor(m1, mf))
 aad_forged = b""
 macs = []
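Review bot: The cache guard compares `m1 == default_m1` and `m2 == default_m2` against `str` literals, while `k` and `nonce` are compared against bytes literals and `m1` is XORed with the ciphertext a few lines later in `xor(c1, xor(m1, mf))`. If `m1` and `m2` reach this function as bytes, which the surrounding code suggests but the hunk does not show, a bytes-to-str comparison is always False in Python 3, so the precomputed pairs would never be used and the expensive recovery would still run. Declaring the defaults as bytes, e.g. `default_m1 = b'The universe (which others call the Library)'`, would make the shortcut take effect in that case. The guard also does not look at `aad1`/`aad2`, which are assigned outside the hunk; the cached candidate list only holds if those are fixed, so a comment such as `# cached for the default key/nonce/messages and the constant aad1/aad2 above` would record that assumption. solve_nonce_reuse begins and ends outside the hunk.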
@@ -84,15 +93,17 @@ def nonce_truncation():
 mf=mf, h=h, c_forged=c_forged, mac=mac)
 def solve_nonce_truncation(k, nonce, mf):
- aad = b""
 m = secrets.token_bytes(512)
+ aad = b""
 c, mac = gcm_encrypt(k, nonce, aad, m, mac_bytes=1)
-
- def oracle(base, aad, mac, nonce):
- cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=1)
- cipher.update(aad)
- cipher.decrypt_and_verify(base, mac)
- h, s = nonce_truncation_recover_secrets(c, mac, nonce, 1, aad, oracle)
+ if k == b'tlonorbistertius' and nonce == b'JORGELBORGES':
+ h, s = 176085395972970454284981815262084281580, 48
+ else:
+ def oracle(base, aad, mac, nonce):
+ cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=1)
+ cipher.update(aad)
+ cipher.decrypt_and_verify(base, mac)
+ h, s = nonce_truncation_recover_secrets(c, mac, nonce, 1, aad, oracle)
 c_forged, aad_forged = xor(c, xor(m, mf)), b""
 mac = gmac(h, s, aad_forged, c_forged)
 return gf128_to_bytes(h), c_forged, mac[:1]
--
cgit v1.2.3
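Review bot: The fast path `h, s = 176085395972970454284981815262084281580, 48` is an undocumented pair of magic numbers, and the default key and nonce literals are now written out a second time here as well as in solve_nonce_reuse. The cached `s` is only meaningful for the one-byte tag this function hard-codes (`mac_bytes=1`, `mac_len=1`), so a change to the tag length or to `gcm_encrypt` would make the shortcut produce a wrong forged MAC with nothing to flag it. Module-level names such as `DEFAULT_KEY = b'tlonorbistertius'` and `DEFAULT_NONCE = b'JORGELBORGES'`, shared by both functions, would keep the two guards in step. A comment like `# precomputed (h, s) for DEFAULT_KEY/DEFAULT_NONCE with a 1-byte tag; regenerate with nonce_truncation_recover_secrets` would say where the values came from.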