From d53fd5c63c58ea00b8249b3ce2dc95315ea624e1 Mon Sep 17 00:00:00 2001 From: cyfraeviolae Date: Wed, 31 Aug 2022 00:03:26 -0400 Subject: updates --- templates/nonce-reuse.html | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'templates/nonce-reuse.html') diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html index eff36b4..5412050 100644 --- a/templates/nonce-reuse.html +++ b/templates/nonce-reuse.html @@ -165,8 +165,9 @@

We plug \(h\) back into the first equation to recover \(s\), and we can forge the MAC for arbitary ciphertext under the same nonce. - Note that there may be multiple possible monomial roots; in this - case, one can check each possibility against the enemy. + Note that there may be multiple possible roots; in this + case, one can check each possibility against the enemy, or perform + the attack twice on two pairs of intercepted messages.

One can use SageMath to compute factors of a polynomial: @@ -189,6 +190,7 @@ for factor, _ in p.factor():

Readers who wish to implement this attack themselves can try @@ -198,7 +200,7 @@ for factor, _ in p.factor():

- Show me the code. + Example with code.
 from aesgcmanalysis import xor, gmac, gcm_encrypt, gcm_decrypt, nonce_reuse_recover_secrets
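Review bot: in the first hunk (@@ -165,8 +165,9 @@), the new clause "or perform the attack twice on two pairs of intercepted messages" would read more precisely if it said how the second run resolves the ambiguity, namely that the correct root is the one common to both candidate sets. The context line in the same hunk still spells "arbitary"; since the adjacent sentence is being edited anyway, suggest correcting it to "arbitrary" in this change.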
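Review bot: in the last hunk (@@ -198,7 +200,7 @@), the toggle label "Example with code." keeps a trailing period, which reads oddly for a summary/button label; "Example with code" without the period would match the usual style for such labels.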
-- 
cgit v1.2.3