From 39ba5a7dacb5d8ca4d52600e96a49ad46936238c Mon Sep 17 00:00:00 2001 From: cyfraeviolae Date: Wed, 24 Aug 2022 16:15:46 -0400 Subject: work --- templates/nonce-reuse.html | 160 ++++++++++++++++++++++++--------------------- 1 file changed, 87 insertions(+), 73 deletions(-) (limited to 'templates/nonce-reuse.html') diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html index 9761955..2637d50 100644 --- a/templates/nonce-reuse.html +++ b/templates/nonce-reuse.html @@ -31,6 +31,88 @@ Forbidden Attack in order to recover the authentication key and forge arbitrary ciphertext.

+
+ {% if form.errors %} +
+ Errors: + +
+ {% endif %} +
+
+ Roseacrucis chooses a key, a nonce, and two messages. He encrypts both messages under the same nonce. +

+ +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ After intercepting the ciphertexts, you choose a new message to forge under the same key and nonce. +

+ +
+ + +
+ +
+ +
+
+
+
+ +
+
+ {% if macs %} +
+

+ Forged ciphertext: {{ c_forged.hex() }} + {% if macs|length == 1 %} +
+ Forged MAC: {{macs[0][2].hex()}} +
+ Authentication key: {{macs[0][0].hex()}} + {% endif %} +

+ {% if macs|length != 1 %} + Forged MAC candidates: + + {% endif %} +
+ {% endif %}
@@ -84,61 +166,6 @@ in this case, one can check each possibility online.

-
-
-
- - -
- -
- - -
- -
- - -
- -
- - -
- -
- - -
- -
- -
-
- {% if macs %} -
-

- Forged ciphertext: {{ c_forged.hex() }} -

- Forged MAC candidates: - -
-
- -
-
-
- {% endif %} -
Show me the code. @@ -148,10 +175,8 @@ from aesgcmanalysis import xor, gmac, g k = b"tlonorbistertius" nonce = b"jorgelborges" -m1 = b"The universe (which others call the Library)" -aad1 = b"The Anatomy of Melancholy" -m2 = b"From any of the hexagons one can see, interminably" -aad2 = b"Letizia Alvarez de Toledo" +m1, aad1 = b"The universe (which others call the Library)", b"" +m2, aad2 = b"From any of the hexagons one can see, interminably", b"" c1, mac1 = gcm_encrypt(k, nonce, aad1, m1) c2, mac2 = gcm_encrypt(k, nonce, aad2, m2) @@ -161,21 +186,10 @@ possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, # Forge the ciphertext m_forged = b"As was natural, this inordinate hope" -assert len(m_forged) <= len(m1) -c_forged = xor(c1, xor(m1, m_forged)) -aad_forged = b"You who read me, are You sure of understanding my language?" +c_forged, aad_forged = xor(c1, xor(m1, m_forged)), b"" -# Check possible candidates for authentication key -succeeded = False for h, s in possible_secrets: - mac_forged = gmac(h, s, aad_forged, c_forged) - try: - assert gcm_decrypt(k, nonce, aad_forged, c_forged, mac_forged) == m_forged - succeeded = True - print(c_forged.hex(), mac_forged.hex()) - except AssertionError: - pass -assert succeeded
+ print("MAC candidate": gmac(h, s, aad_forged, c_forged))
Show me the math. @@ -219,7 +233,7 @@ for factor, _ in p.factor():

  • The gcd of two polynomials is unique only up to multiplication by a non-zero constant because “greater” is defined for polynomials in terms of degree. When used in algorithms, gcd refers to the monic gcd, which is unique.
  • -
  • The inverse Frobenius automorphism (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}})\).
  • +
  • The inverse Frobenius automorphism (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}}\).