From f392ddd37473628a289f61d574e830573c47ede0 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 9 Jul 2024 12:32:04 +1000 Subject: [PATCH] Fix accidental sub/super scripting --- draft-thomson-ppm-prss.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-thomson-ppm-prss.md b/draft-thomson-ppm-prss.md index d920b65..1de13bb 100644 --- a/draft-thomson-ppm-prss.md +++ b/draft-thomson-ppm-prss.md @@ -280,12 +280,12 @@ identifier will produce the same randomness. A randomness context is produced by invoking the `Expand()` function of the chosen KDF, passing the shared entropy generated in {{extract}} as the `prk` -input, the byte sequence that identifies the context (`ctx_id`) as the `info` +input, the byte sequence that identifies the context (`ctx\_id`) as the `info` input, and the PRF parameter `Nk` as the `L` input (see {{prf}}), as follows: ~~~ pseudocode -def context = Context.new(kdf, prf, extracted, ctx_id): - context = kdf.Expand(prk = extracted, info = ctx_id, L = prf.Nk) +def context = Context.new(kdf, prf, extracted, ctx\_id): + context = kdf.Expand(prk = extracted, info = ctx\_id, L = prf.Nk) ~~~ The expanded entropy produced by this process is the only information that is @@ -560,7 +560,7 @@ p <= 2^{b-(k+a)/2-2} We use this first component to bound the value of `q` for the second component. If advantage is equally divided between each component we can bound `q` to be at -most `2^((k-a)/2)`, where `a` is the desired attacker advantage in bits (that +most `2\^((k-a)/2)`, where `a` is the desired attacker advantage in bits (that is, advantage is at most 2-a). Using that value for `q` and an advantage of `(2^a)/2` for the second component 
@@ -574,7 +574,7 @@ AES-256 having the same 128-bit block size as AES-128. Consequently, increasing `q` only reduces the value of `p`. On this basis, the same `q` value can be used for AES-256 as for AES-128. The -usage limit for AES-256 can be doubled to `2^(b-(k+a)/2-1)` (243 for +usage limit for AES-256 can be doubled to `2\^(b-(k+a)/2-1)` (243 for 40 bits of security; the first component is a negligible 2-169). This analysis models AES as an ideal pseudorandom permutation.
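Review bot: In the first hunk (@@ -280,12), the backslash added to `ctx_id` lands inside backtick code spans and inside the `~~~ pseudocode` block, where Markdown normally does not process backslash escapes. The rendered draft may therefore show a literal `ctx\_id` in the `Context.new` signature and in the `kdf.Expand(...)` call. Please check the rendered text and HTML output. If the backslash appears there, keep the two pseudocode lines as `ctx_id` and fix the mis-scripting in the prose line some other way.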
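Review bot: In the second hunk (@@ -560,7), `2\^((k-a)/2)` gains an escape while `(2^a)/2` in the trailing context of the same paragraph stays unescaped, so two code spans with the same caret syntax are now written differently. Either both need the escape or neither does. Suggest treating them the same way and confirming that the escape inside a code span does not render as a visible backslash.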
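Review bot: In the third hunk (@@ -574,7), the changed line now writes the AES-256 limit as `2\^(b-(k+a)/2-1)`, while the related bound in the previous hunk's header context is still written `p <= 2^{b-(k+a)/2-2}` with an unescaped caret and braces. That makes the doubling harder to compare at a glance. Consider using one notation for both bounds, and add a line to the commit message saying which output format showed the accidental sub/superscripts, so the fix can be verified against it.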