| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
 | <!DOCTYPE html>
<html>
  <head>
    <title>Forbidden Salamanders</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" type="text/css" href="/static/styles.css">
    <link rel="stylesheet" type="text/css" href="/forbidden-salamanders/static/styles.css">
    <link rel="shortcut icon" type="image/x-icon" href="/forbidden-salamanders/static/favicon.ico">
  </head>
  <body>
	<div class="container">
        <div>
            <div class="home">
                <a href="/forbidden-salamanders" class="home-title">Forbidden Salamanders</a>
                <span> at </span><a href="/">cyfraeviolae.org</a>
            </div>
            <div class="crumbs">
                <a href="/git/forbidden-salamanders">source code</a>
                <span class="sep"> · </span>
                <a href="/forbidden-salamanders/nonce-reuse">nonce reuse</a>
                <span class="sep"> · </span>
                <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a>
                <span class="sep"> · </span>
                <a href="/forbidden-salamanders/key-commitment">key commitment</a>
            </div>
        </div>
		<p>
            The FIPS-compliant sorcerer Roseacrucis uses the <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode">Advanced Encryption Standard in Galois/Counter Mode</a>
            to correspond with his retinue. The Library’s cryptanalysts
            have intercepted the communication channel, but we need your
            help to exploit their broken protocols.
		</p>
		<p>
			Choose one of the following missions.
		</p>
        <p>
            <strong><a href="#">Nonce reuse</a>.</strong> Due to rising entropy
            prices, Roseacrucis has started to reuse nonces. You must perform the
            Forbidden Attack in order to recover the authentication key and
            forge arbitrary ciphertext.
        </p>
        <p>
            <strong><a href="#">Nonce truncation</a>.</strong> The sorcerer
            aims to conserve bandwidth by truncating nonces from twelve bytes
            to four. Use the enemy as a decryption oracle to once again,
            recover the authentication key and forge arbitrary ciphertext.
        </p>
        <p>
            <strong><a href="#">Key commitment</a>.</strong> One of
			our agents has infiltrated Roseacrucis’ inner circle, but all
			secret keys are required to be surrendered to the
			counterintelligence authority. Help her send ciphertexts to the
			Library that decrypt to confidential information under one key, but
			innocuous banter under another.
        </p>
        <br>
		<details>
			<summary>
                Though it is not required to complete your missions, we now
                review the construction of AES-GCM.
			</summary>
            <p>
                AES-GCM is a block cipher that accepts a key of 16 bytes,
                a nonce of 12 bytes, plaintext, and additional authenticated data.
                It returns ciphertext and a message authentication code (MAC).
            </p>
            <p>
                The ciphertext is computed as in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)">counter mode</a>, whereas the MAC is computed using the algorithm GMAC.
            </p>
			<p>
				Let
				\[
					m = \alpha^{128}+\alpha^7 + \alpha^2 + \alpha + 1
				\]
				\[
					\mathbb{K} = \mathbb{F}(2^{128})/m.
				\]
			</p>
			<p>
				The finite field \(\mathbb{K}\) can be
				interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\)
				of degree less than \(128\). Multiplication
				is performed modulo \(m\). This field is of characteristic 2;
				e.g., \((\alpha^5 + \alpha+1)+(\alpha^5 + \alpha+1) = 0\).
			</p>
			<p>
				We interpret 16-byte blocks as elements in \(\mathbb{K}\)
				in little-endian bit order:
                \[
				b_0b_1b_2\ldots{}b_{127} \mapsto
                b_0 + b_1\alpha + b_2\alpha^2 + \ldots + b_{127}\alpha^{127},
                \]
				where \(b_0\) is the least significant bit of the first byte of
				the block.
			</p>
			<p>
				12-byte nonces are interpreted as 96-bit integers in big-endian byte order.
			</p>
            <p>
                Let \(\operatorname{Byte} = [0, 2^8-1]\).
            </p>
			<br>
			<div class="algorithm">
                <p>\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)</p>
				<ol class="algorithm-code">
                    <li>\( aad' = \operatorname{chunk}_{16}(aad, \operatorname{pad}=\mathtt{0x00}) \)</li>
                    <li>\( c' = \operatorname{chunk}_{16}(c, \operatorname{pad}=\mathtt{0x00}) \)</li>
					<li>\( len = \operatorname{encode_{big}}(128\vert aad' \vert, 8) \mathbin\Vert \operatorname{encode_{big}}(128\vert c'\vert, 8) \)</li>
					<li>\( blocks = aad' \mathbin\Vert c' \mathbin\Vert (len) \mathbin\Vert (s) \)</li>
					<li>\( \operatorname{return} \sum\limits_{i=1}^{\vert blocks\vert} blocks_{\vert blocks \vert-i} h^{i-1}\)</li>
				</ol>
			</div>
			<br>
			<br>
			<div class="algorithm">
                <p>\(\operatorname{GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p>
				<ol class="algorithm-code">
					<li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES-ECB}(k, n') \)</li>
					<li> \( c = r \oplus m \) </li>
					<li> \( h = \operatorname{AES-ECB}(k, 0) \) </li>
					<li> \( s = \operatorname{AES-ECB}(k, 2^{32}n + 1) \) </li>
					<li> \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)</li>
				</ol>
			</div>
            <p>
                The authentication key \( h \) is independent of the
                nonce \( n \). The constant term \( s \) acts as a blind to
                hide the confidential block data in the MAC. Finally, note
                that the polynomial computation reverses the order of the blocks.
            </p>
		</details>
    <!-- <script id="MathJax-script" async src="/forbidden-salamanders/static/mathjax.js"></script> -->
	<!-- <script type="text/x-mathjax-config"> -->
	  <!-- MathJax.Hub.Config({ TeX: { extensions: ["AMSmath.js", "AMSsymbols.js"] }}); -->
	<!-- </script> -->
<script>
MathJax = {
  tex: {
		extensions: ["AMSmath.js", "AMSsymbols.js"]
  }
};
</script>
<script id="MathJax-script" async
  src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js">
</script>
  </body>
</html>
 |