cryptopals

Matasano's cryptopals challenges (cryptopals.com).

commit 4050c40c05715ec9d326aeadf5c52fbc89cfc751
parent e2a32696c8959fdb36698752f4460a67657a75b2
Author: Jared Tobin <jared@jtobin.io>
Date:   Sat, 26 Aug 2023 18:53:47 -0230

Couple of text patches.

Diffstat:
M docs/s6.md | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/docs/s6.md b/docs/s6.md @@ -121,11 +121,10 @@ and now the forgery, produced of course without the secret key: #### 6.43 Parameter generation for DSA as detailed in -[FIPS.186-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf# -page=40) seems to be particularly annoying and unrewarding to implement, -so I didn't bother with it. The rest of the protocol is pretty standard -fare; Cryptopals.DSA implements 'keygen', 'sign', and 'verify' -functionality. +[FIPS.186-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=40) +seems to be particularly annoying and unrewarding to implement, so I +didn't bother with it. The rest of the protocol is pretty standard fare; +Cryptopals.DSA implements 'keygen', 'sign', and 'verify' functionality. As for the attack here, if one knows the subkey/nonce he can trivially recover the private key: @@ -201,9 +200,8 @@ As an illustration, if badParams contains g = 0, then: The case is much the same for g = p + 1, since r = 1 for every signature produced. Any public key generated with these parameters will equal 1, but the "magic signature" will work for DSA pubkeys generated with other -'g' parameters, so long as they use g = p + 1 when actually signing and -verifying. For the magicsig and arbitrary k, and arbitrary pubkey y, we -have that: +'g' parameters, so long as they use g = p + 1 when actually verifying. +For the magicsig and arbitrary k, and arbitrary pubkey y, we have that: r = y^k mod p (mod q) @@ -226,7 +224,7 @@ and then for any u, we have: = y^k mod p (mod q) = r -so that every signature will verify by construction. +so that the signature will verify for every message by construction. An illustration. First generate a keypair with normal, God-fearing parameters: 
@@ -244,7 +242,7 @@ Here's the magic signature-making function: in Sig r s Here's a magic signature, again created with good parameters. It looks -convincing enough: +innocuous enough: > let mag = magicsig defaultParams (pub per) > mag @@ -261,4 +259,5 @@ parameters in which g = p + 1: > unsafeVerify otherBadParams (pub per) "Goodbye, world" mag True +Bad group!
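Review bot: the narrowing from "signing and verifying" to "when actually verifying" in the second hunk is correct, but the reason deserves a sentence: the magic signature is never produced by the signing routine at all, so the signer's parameters do not matter, and the forgery is accepted for any public key y provided the verifier's g satisfies g ≡ 1 (mod p). It would also be worth noting here that the FIPS 186-4 domain-parameter checks (1 < g < p and g^q ≡ 1 mod p) reject both g = 0 and g = p + 1 before any signature is examined, and that the standard range check 0 < r < q already rejects the r = 0 signatures produced under g = 0.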
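Review bot: the appended "Bad group!" after the `True` in the last hunk is a bare exclamation where a closing explanation would help the reader; suggest replacing it with a sentence stating why unsafeVerify accepts the forgery under otherBadParams: with g = p + 1 ≡ 1 (mod p), the g^u1 factor collapses to 1, so v = (y^u2 mod p) mod q = r regardless of the message hash, and the practical lesson is that a verifier must validate (or pin) its domain parameters rather than accept them from the peer.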