From d53fd5c63c58ea00b8249b3ce2dc95315ea624e1 Mon Sep 17 00:00:00 2001
From: cyfraeviolae <cyfraeviolae>
Date: Wed, 31 Aug 2022 00:03:26 -0400
Subject: updates

---
 templates/nonce-reuse.html | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'templates/nonce-reuse.html')

diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html
index eff36b4..5412050 100644
--- a/templates/nonce-reuse.html
+++ b/templates/nonce-reuse.html
@@ -165,8 +165,9 @@
         <p>
             We plug \(h\) back into the first equation to recover \(s\), and we
             can forge the MAC for arbitary ciphertext under the same nonce.
-            Note that there may be multiple possible monomial roots; in this
-            case, one can check each possibility against the enemy.
+            Note that there may be multiple possible roots; in this
+            case, one can check each possibility against the enemy, or perform
+            the attack twice on two pairs of intercepted messages.
         </p>
             <p>
                 One can use SageMath to compute factors of a polynomial:
@@ -189,6 +190,7 @@ for factor, _ in p.factor():
 		<ul>
 			<li>The gcd of two polynomials is unique only up to multiplication by a non-zero constant because &ldquo;greater&rdquo; is defined for polynomials in terms of degree. When used in algorithms, gcd refers to the <em>monic</em> gcd, which is unique.</li>
 			<li>The <a href="https://math.stackexchange.com/a/943626/1084004">inverse Frobenius automorphism</a> (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}}\).</li>
+            <li>The authentication key <strong>must</strong> appear in one of the linear factors (those of the form \(y+h\)). This allows one to skip parts of the distinct-degree factorization and equal-degree factorization, making the algorithm much faster. Exercise: prove this claim.</li>
 		</ul>
         <p>
             Readers who wish to implement this attack themselves can try
@@ -198,7 +200,7 @@ for factor, _ in p.factor():
         </details>
 		<details>
 			<summary>
-                Show me the code.
+                Example with code.
 			</summary>
         <pre>
 from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, gcm_encrypt, gcm_decrypt, nonce_reuse_recover_secrets
-- 
cgit v1.2.3