This is an implementation of AES-GCM and an attack on it that can be used to fully break the cipher on nonce reuse. I wanted to use it for a blog entry but it is about 10x faster to do in Web Assembly, so that's what I'm doing.
I'm putting it up here in case it's interesting to anybody and I'll add a link to the blog entry once it's finished.
| def rev_nibble(nibble: int): | |
| return ((nibble << 3) & 0x8) | ((nibble << 1) & 0x4) | ((nibble >> 1) & 0x2) | (nibble >> 3) | |
| def feistel_function(halfblock: int, key: int, verbose=False) -> int: | |
| log = print if verbose else lambda *args, **kwargs: None | |
| sbox = [0x4, 0x3, 0x9, 0xa, 0xb, 0x2, 0xe, 0x1, | |
| 0xd, 0xc, 0x8, 0x6, 0x7, 0x5, 0x0, 0xf] | |
| log(f"\t\tFeistel function: {halfblock=:04x} with {key=:04x}") |
| import random | |
| from tqdm import tqdm | |
| from feistel_network import feistel_function, encrypt, decrypt | |
| def get_testcase(n): | |
| # This function just generates n random pairs of plaintext and ciphertext blocks | |
| # for a randomly chosen KSA. It then generates a single "secret" plaintext and "public" ciphertext. | |
| # The attack is then to recover the KSA and thus the secret plaintext from only the known plaintext and ciphertext pairs. | |
| secret_ksa = [random.randint(0, 0xffff) for _ in range(3)] | |
| pairs = [] |
| import sys | |
| def my_pow(a, k, N, verbose=False): | |
| log = print if verbose else lambda *args: None | |
| l = k.bit_length() - 1 | |
| log(f"{l=}") | |
| x_i = 1 | |
| y_i = a % N | |
| for i in range(l, -1, -1): | |
| b_i = (k >> i) & 1 |
| def teiler(n): | |
| for i in range(1, n+1): | |
| if n % i == 0: | |
| yield i | |
| def ordnung(n, q): | |
| for t in teiler(q-1): | |
| if pow(n, t, q) == 1: | |
| return t |