(trilema) spyked: in other news, I've been using most of my spare cycles lisping in ada. should be able to wrap up a blog post sharing a very minimal prototype (sane implem. of repl doing nothing but basic ops) in a few weeks. what I've got now adheres to most of ffa constraints. the current version isn't very clean, but getting there...
(trilema) mircea_popescu: anyway. the deeply inept handling of qatar recently (which was, at least nominally, his responsibility, even if botched 100% by ineptitude imported by ustards) and the goingnowhere in yemen promise to yield the end of the whole affair.
(trilema) a111: Logged on 2017-11-10 14:12 asciilifeform: when i sit to play a game, it feels like dereliction of duty, with, e.g., ffa yet undone, dulap not yet replaced, scintollator rng not complete, 9000 other processes
(trilema) asciilifeform: when i sit to play a game, it feels like dereliction of duty, with, e.g., ffa yet undone, dulap not yet replaced, scintollator rng not complete, 9000 other processes
(trilema) mircea_popescu: i can almost see the local charge d'affaires, "if you don't get taller hookers ima have your hotel del ray added to index!"
(trilema) asciilifeform: after bath (ffa) is built, i have 0 intention of continuing to rub against tree trunk to clean.
(trilema) asciilifeform: this echoes the ffa 'omfg slow' discussions.
(trilema) asciilifeform: and yes i am in fact allergic to any algo that i do not immediately understand, because entire objective of ffa is to be correct-via-obviousness.
(trilema) asciilifeform: no reason to. not on ffa, at any rate.
(trilema) apeloyee: the division in ffa is slow
(trilema) asciilifeform: asciilifeform did not touch ffa/p at all other than on airplane, in past wk
(trilema) asciilifeform: ( incidentally there will be no crtism in ffa . )
(trilema) asciilifeform: ( other than the basic cost of using ffa )
(trilema) asciilifeform: mircea_popescu: in ffa world, you don't lose anything by using a W-bit prime for the public exponent.
(trilema) asciilifeform: we weren't comparing gpgmpi to ffa ; but gpg.publicmodexp vs gpg.privatemodexp
(trilema) BingoBoingo: If math was fair, Elloit would have already had an ffa for asciilifeform
(trilema) asciilifeform: 1+ sec is moar in ffa ballpark than heathentron's
(trilema) asciilifeform: ( ffa work resulted in many hours deep in knuth )
(trilema) mod6: with comba, for instance, as with others (ex. karatsuba): i tend to go and read the papers on it, then review the code and see how ffa is doing it. etc.
(trilema) mod6: been studying ffa most of the month.
(trilema) asciilifeform: http://btcbase.org/log/2017-10-27#1730047 << i sat down to write something quite similar, and then realized that i can milk a remote node for its rsa privkey via timing , lol. but fast forward to today. ffa still on track for release for end of nov. btw.
(trilema) asciilifeform: mircea_popescu: ffa is example of very painful to write, but intended to be a breeze to read, workpiece
(trilema) asciilifeform: ffatronic btcsigtron wouldn’t hurt also
(trilema) a111: Logged on 2017-10-17 18:55 mircea_popescu: davout trying to include you into republican affairs in the only apparently remaining opportunity, ie discussions of accounting reform.
(trilema) mircea_popescu: davout trying to include you into republican affairs in the only apparently remaining opportunity, ie discussions of accounting reform.
(trilema) a111: Logged on 2017-10-14 18:57 apeloyee: still, left-to-right exp (as in http://btcbase.org/log/2017-10-14#1725202 ) uses one FZ-sized temporary less than current ffa's right-to-left. (the indexing of E can be reverted to what ffa currently has).
(trilema) apeloyee: still, left-to-right exp (as in http://btcbase.org/log/2017-10-14#1725202 ) uses one FZ-sized temporary less than current ffa's right-to-left. (the indexing of E can be reverted to what ffa currently has).
(trilema) asciilifeform: canonical ffa will never contain asm.
(trilema) a111: Logged on 2017-08-10 02:43 asciilifeform: for simplicity, tested the case that actually happens in practice: on a 64bit box, any ffa width over 512 bits gives a strictly 8-wide comba mult occurrence
(trilema) a111: Logged on 2017-10-08 00:20 asciilifeform: http://btcbase.org/log/2017-10-07#1722411 << 1 ) ffa is closed form. i.e. it CAN be written as a number of nand gates, with a 'funnel' at the top, to which you present a,b,c, e.g. 4096bit, numbers, and at the bottom in a little cup you get a^b mod c , and with NO UPWARDS FEEDBACK FLOW of information , i.e. answer comes after same interval of time always, and with strictly downwards signals.
(trilema) asciilifeform: http://btcbase.org/log/2017-10-14#1725197 << this is so. idea of quoted thread was, i'd like to get ffa to where it uses strictly 2 machine types, 'Word' (whatever that is on whatever machine) and, say, 'Index', which is guaranteed to be mod 2**16 or larger. and get rid of all conversions.
(trilema) asciilifeform: this is not bad time to ask the tuned-in folx, what parts of ffa they would like to see explained in moardetail.
(trilema) mod6: i do also think there could be paragraphs even written around certain procedures in ffa. but not sure if that belongs in the code, or as a corresponding document outside of the code.
(trilema) asciilifeform: meanwhile, in ffaism, http://btcbase.org/log/2017-10-13#1724861 >>>>> http://wotpaste.cascadianhacker.com/pastes/6NmsZ/?raw=true
(trilema) asciilifeform: in the end you will have 'written ffa' nearly same as asciilifeform had.
(trilema) a111: Logged on 2017-10-13 15:14 asciilifeform: keep in mind that ffa ( esp. the more recent items ) will change.
(trilema) asciilifeform: mod6: current ffa has no problem building and running with 32bit word; but it will not do useful work in 8/16bit msdos, and this needs fix ( i described simple fix above. my priority atm tho is barrettron and practical rsa demo )
(trilema) asciilifeform: keep in mind that ffa ( esp. the more recent items ) will change.
(trilema) mod6: i believe there to be a lot of merit to having unit tests around the specific procedures and functions in ffa.
(trilema) asciilifeform: mod6: the key imho re a ffa tester, is that it gotta exist ~outside~ of ffa, and use a traditional, known-to-produce-correct-numberz ( and ideally, more than one ) arithm stack
(trilema) mod6: probably won't even start until we're closer to a finalized version of ffa.
(trilema) mod6: again, these are unit tests, not functional, integration, or performance tests. meaning: i simply call a (so far public) procedure/function within ffa with specific parameters, and expect specific outputs.
(trilema) mod6: ive been writing unit test for ffa
(trilema) asciilifeform: meanwhile, http://wotpaste.cascadianhacker.com/pastes/IkTH9/?raw=true << current ffascisms list. and growing!
(trilema) asciilifeform: veteran ffaists will recognize the usual pattern -- do all of the possible ops that go into heaviest possible hamming weight of old-fashioned shiftness; but keep (via mux) only the required subshifts.
(trilema) asciilifeform: in other ffaism, http://wotpaste.cascadianhacker.com/pastes/tdnsL/?raw=true
(trilema) mircea_popescu: this is a ridiculous state of affairs, and it will have to be returned to normalcy.
(trilema) asciilifeform: in very other lulz, at most recent count 'p' stands at 3.2kloc, of which 2k is ffa ( this is inclusive of comments, tests, and commented alt-incarnations of certain routines, as discussed in l0gz )
(trilema) asciilifeform: the supposition that ideally-correct ffa could possibly run slower than the current one (supposing these 2 differ) i see as quite fantastic.
(trilema) asciilifeform: trinque: i won't recommend to take current ffa and put in battlefield . but proposed to calculate a bandwidth assuming current degree of ughslow
(trilema) asciilifeform: i'd concur with mircea_popescu that one ought not connect ffa to, e.g., icbm, until it comes with proofs for all of the components, etc. -- but we do have a working modexp, from which can extrapolate pessimal speed ( it will get faster, but let's assume for said calculation that it will not )
(trilema) asciilifeform: ( this is quite attainable using the ffa we have ~today~, supposing one allows karatsuba to split 3way on 3 cores of whatever chip you have )
(trilema) a111: Logged on 2017-10-06 19:38 BingoBoingo: <asciilifeform> poorly porous to us, but theoretically even moar so to pantsuit << Appeal of jungle is non-interference in white man's affairs. Downside is shifting past marketing speak to discover "1GBP/s unmetered (30Mb/s international)"
(trilema) a111: Logged on 2017-10-02 19:52 mircea_popescu: so what is the idea here, if i wish to review the state of this, other than asking you, i could also what ? !#s ffa ?
(trilema) asciilifeform: is all you get. ( see current ffa src, it is illustrative )
(trilema) apeloyee: bernstein's batch trial division would seem to straightforwardly ffaize. where's the problem?
(trilema) asciilifeform: when you ffaize 'simpler' is not always what initially looks like .
(trilema) asciilifeform: but this would weigh more than all of ffa to date !
(trilema) asciilifeform: but hypothetically it may even be possible to ffaize bernstein's tree. or even to do it in such a way that doesn't wipe out the cpu winning from it. and even possibly to prove that it works and doesn't leak bits and doesn't let composites through once in a while.
(trilema) asciilifeform: remember that ffa is not strictly for rsa.
(trilema) mircea_popescu: incidentally, since we're on m-r : do we actually pick 4096 bit bases to avoid the arnault number problem ? to leverage the ffa flatness, as in http://btcbase.org/log/2017-10-07#1722376 ?
(trilema) asciilifeform: mircea_popescu: review the mr algo , it is actually surprisingly easy to ffaize, just replace all 'return true' with flag := flag OR true, etc
(trilema) apeloyee: if you have N ffa-eligible tests, bailing out early after one of them failed is not a problem, as per above.
(trilema) apeloyee: http://btcbase.org/log/2017-10-07#1722397 << I was unclear. Let A be the number to be reduced mod N, R the approximate reciprocal, K the ffa bitness fitting the modulus, then we know that 0<A - N*floor(A*R/4^K) < 2*N <2^(K+1). So might as well calculate A - N*floor(A*R/4^K) modulo 2^(K+1).
(trilema) asciilifeform: ( karatsuba, i will note for n00bz, parallelizes , but i deliberately omitted parallelization logic because i want ffa buildable on msdos and for machines with 1 cpu )
(trilema) asciilifeform: if ffa can be made to do 4096b modexp in 0.5s on typical comp, that gives ~1byte/msec purersa payload. which is enough for many purposes, e.g. voice.
(trilema) mircea_popescu: something. consider actual live events : gorbachev says at the meeting, once they move on past his insistence on having visited the pope as if anyone gave a shit about that "we are all here, who were implicated in the czech affair, except romania, that had exited then".
(trilema) mircea_popescu: but you have to also compare and contrast with romania's declared, and tirelessly promoted official philosophy of pace and "unmingling in internal affairs of sovereign states".
(trilema) asciilifeform: neato spyked . keep in mind that you gotta use the ada subset displayed in ffa.
(trilema) a111: Logged on 2017-08-14 17:15 asciilifeform: idea is, for pre-millerrabin litmus, take gcd(candidate, Qw) where Qw is largest primorial that fits in the ffawidth
(trilema) asciilifeform: http://btcbase.org/log/2017-10-07#1722411 << 1 ) ffa is closed form. i.e. it CAN be written as a number of nand gates, with a 'funnel' at the top, to which you present a,b,c, e.g. 4096bit, numbers, and at the bottom in a little cup you get a^b mod c , and with NO UPWARDS FEEDBACK FLOW of information , i.e. answer comes after same interval of time always, and with strictly downwards signals.
(trilema) a111: Logged on 2017-10-07 22:39 phf: http://btcbase.org/log/2017-10-07#1722379 << this is probably true but only because ffa mutates an array of bigits, where's any language level bignum system produces a whole new one for each operation
(trilema) a111: Logged on 2017-10-07 21:53 apeloyee: the primorial has to be, say, 2^32 times less than the ffa maxint. then you can add randomnumber*primorial, and such a number is equally likely to any prime from some interval
(trilema) asciilifeform: http://btcbase.org/log/2017-10-07#1722405 << in no case can the 'cheap initial primality test' primorial exceed the size of current ffa width. thinkaboutit.
(trilema) asciilifeform: http://btcbase.org/log/2017-10-07#1722400 << bernstein's gcd method is neither here nor there, i certainly don't need anything of the kind in ffa, and quite likely it fundamentally does not ffaize
(trilema) a111: Logged on 2017-10-07 21:09 apeloyee: asciilifeform: turns out a simple, ffa-suitable O(N^2) algorithm exists for GCD. This is adapted from GMP docs with one extra operation in the loop: http://p.bvulpes.com/pastes/oupUJ/?raw=true . Note: the code as posted is likely wrong, but I'm sure the idea can be made to work.
(trilema) a111: Logged on 2017-10-07 21:53 apeloyee: the primorial has to be, say, 2^32 times less than the ffa maxint. then you can add randomnumber*primorial, and such a number is equally likely to any prime from some interval
(trilema) a111: Logged on 2017-10-07 19:30 asciilifeform: i also suspect that they are in fact slower for maxhammingweight case of exponentiation and modulus, vs ffa.
(trilema) phf: http://btcbase.org/log/2017-10-07#1722379 << this is probably true but only because ffa mutates an array of bigits, where's any language level bignum system produces a whole new one for each operation
(trilema) apeloyee: the primorial has to be, say, 2^32 times less than the ffa maxint. then you can add randomnumber*primorial, and such a number is equally likely to any prime from some interval
(trilema) a111: Logged on 2017-10-05 19:38 asciilifeform: want to gcd(candidate, biggestprimorialthatfitsintheffabitness)
(trilema) apeloyee: asciilifeform: turns out a simple, ffa-suitable O(N^2) algorithm exists for GCD. This is adapted from GMP docs with one extra operation in the loop: http://p.bvulpes.com/pastes/oupUJ/?raw=true . Note: the code as posted is likely wrong, but I'm sure the idea can be made to work.
(trilema) asciilifeform: i also suspect that they are in fact slower for maxhammingweight case of exponentiation and modulus, vs ffa.
(trilema) phf: i suspect that ffa's take on expmod is to iterate over every bigit of the exponent, which will have to perform base operations no matter what the numeric size is, but that's a guess.
(trilema) phf: mircea_popescu: well he either has a constant time algorithm in ffa, in which case if the goal is to compare speed specifically we should be comparing fixtime ffa and fixtime something else. otherwise he has a variable time algorithm running at worst case constant time, in which case the comparison is between base operation speed, which is still going to come out on top
(trilema) asciilifeform: in ffa, unlike in the python example, elongating the 0x10001 to full ffawidth will not change the required time.
(trilema) mod6: ah, ok. and yah, no need to let p out of the garage until ffa is pretty much "there".
(trilema) asciilifeform: considering that it only wins vs euclid because 'fast comparison' , while ALL ffa comparisons are always and forever mercilessly O(N).
(trilema) asciilifeform: mod6: i'm currently not convinced that lehmer's gcd is ffaizable.
(trilema) asciilifeform: it was made from the modulus finder from the prev ffa post ( http://wotpaste.cascadianhacker.com/pastes/KAZki/?raw=true )
(trilema) a111: Logged on 2017-10-02 19:30 asciilifeform: trinque: http://wotpaste.cascadianhacker.com/pastes/lHtia/?raw=true << unofficial ffa.ads ; http://wotpaste.cascadianhacker.com/pastes/MqgKb/?raw=true << ffa.adb
(trilema) asciilifeform: incidentally ~95% of the work ffa does in modexp, now, is multiplication. which means that there is further 20-25% speedup waiting to be had when i get bernsteinian optimization for karatsuba ( haven't yet figured it out, he buried it deep in a paper , as if he were an alchemist, quite cryptically ) and another 10-20% optimization if we move to unrolled comba ( see august thread. )
(trilema) BingoBoingo: <asciilifeform> poorly porous to us, but theoretically even moar so to pantsuit << Appeal of jungle is non-interference in white man's affairs. Downside is shifting past marketing speak to discover "1GBP/s unmetered (30Mb/s international)"
(trilema) a111: Logged on 2017-10-06 11:55 Framedragger: ty diana_coman. sad to see the state of tmsr isp affairs. i suppose it was kind of always like this, the state simply got.. actualised, so to speak. still, am planning on giving small talk on ssh scan to hackerspace people, wanted to link to phuctor, now - can't. :(
(trilema) diana_coman: anyways re state of isp affairs I don't see it getting any better by itself
(trilema) Framedragger: ty diana_coman. sad to see the state of tmsr isp affairs. i suppose it was kind of always like this, the state simply got.. actualised, so to speak. still, am planning on giving small talk on ssh scan to hackerspace people, wanted to link to phuctor, now - can't. :(
(trilema) trinque: !~later tell apeloyee glad to see someone grinding the ffa forward with asciilifeform. get me that fixed key!
(trilema) asciilifeform: want to gcd(candidate, biggestprimorialthatfitsintheffabitness)
(trilema) asciilifeform: there are 2 invocations of conventional ffa shift :
(trilema) a111: Logged on 2017-09-21 16:22 asciilifeform: !~later tell apeloyee i studied your algo, it (aside from truly massive cost, that would annihilate savings from newton, or barrett, or just about any other trick) ~still leaks~, because shifting by >wordsize is a fundamentally different op from shifting <wordsize; and the only way for this to not be true is for all shifts to happen as a series of wordsize shifts; and a shift by ffawidth-1 (max shiftness) would then consist of ffawor
(trilema) asciilifeform: and to make this untrue, you gotta do W (bitness of ffa) shifts by 1, at all times.
(trilema) mircea_popescu: your ffa does reals modexp ?
(trilema) asciilifeform: mircea_popescu: 'holes' in arithmetic suck, because they are inescapably branch conditionals. if i could not prove that div0 is impossible in the course of, e.g., modexp intermediate steps, ffa would be a wholly impossible thing.
(trilema) asciilifeform: going for ordinary arithmetics in ffa, not oddball alt-arithmetic.
(trilema) a111: Logged on 2017-10-05 16:07 asciilifeform: note that this is a 4097-bit ( in actual ffa, 8192b ) constant.
(trilema) asciilifeform: in ordinary barretting, x loses its bottom however-many bits, to make the multiplication smaller, depending on the 'bitlength' of x; and then it gets restored with a leftshift . we can't do this, because ffa.
(trilema) asciilifeform: note that this is a 4097-bit ( in actual ffa, 8192b ) constant.
(trilema) asciilifeform: incidentally if you dun let randos twiddle yer address lines ( i.e. run ffaically ) you dun get hammered.
(trilema) mircea_popescu: "In Spring 2017, the Boston College Environmental Affairs Law Review, Boston College International and Comparative Law Review, and the Journal of Law and Social Justice published their last issues and consolidated into the Boston College Law Review." for extra bonus points.
(trilema) mod6: <+asciilifeform> mod6, diana_coman , whoever else was tuned in for ffa ^^^ latest . << got it, thanks!
(trilema) asciilifeform: `ffa`.
(trilema) asciilifeform: imho it is much easier on human eye to say, e.g., @ffa
(trilema) asciilifeform: say i want to 'infect' the line http://btcbase.org/log/2017-10-02#1719816 , now if i include @ffa it will apply likewise to it.
(trilema) asciilifeform: " ffa"
(trilema) mircea_popescu: what if you say ffa-tronic ?
(trilema) asciilifeform: ( are there any extraneous ffa's ? in the log )
(trilema) mircea_popescu: so what is the idea here, if i wish to review the state of this, other than asking you, i could also what ? !#s ffa ?
(trilema) a111: Logged on 2017-10-02 19:30 asciilifeform: trinque: http://wotpaste.cascadianhacker.com/pastes/lHtia/?raw=true << unofficial ffa.ads ; http://wotpaste.cascadianhacker.com/pastes/MqgKb/?raw=true << ffa.adb
(trilema) asciilifeform: my main contention is that folks who do not follow the logs, have 0 business with ffa drafts.
(trilema) asciilifeform: yes, folx can get ffa snippets from archive.is/l0gz but it is clear that they are drafts.
(trilema) asciilifeform: mod6, diana_coman , whoever else was tuned in for ffa ^^^ latest .
(trilema) asciilifeform: trinque: http://wotpaste.cascadianhacker.com/pastes/lHtia/?raw=true << unofficial ffa.ads ; http://wotpaste.cascadianhacker.com/pastes/MqgKb/?raw=true << ffa.adb
(trilema) trinque: is the whole ffa posted anywhere?
(trilema) ben_vulpes: asciilifeform: in my backwards-ass neck of the woods, it's practically a family affair: http://www.portlandmercury.com/feature/2017/09/27/19346945/song-of-the-red-states
(trilema) asciilifeform: trims down gpg into a quite small (relatively to original, not, e.g. ffa) c lib
(trilema) asciilifeform: it wouldn't be in any sense a 'build' of ffa.
(trilema) asciilifeform: ( incidentally fast ffalicious rsa on ~fpga~ is trivial. )
(trilema) asciilifeform: diana_coman: ffa arithmetic stack is theoretically available. however until i have barrett reduction going, it's a ~30 second modular exponentiation ( i.e. per rsa op )
(trilema) mircea_popescu: http://btcbase.org/log/2017-09-30#1718666 << not at all comparable, federal govt carved itself out some corruption purse ; mta is a local affair, has no such bs legislation.
(trilema) mod6: how's it goin with ffa stuff?
(trilema) fromphuctor: ah, no nothing related to your affairs yet, so lurker totally... wanted to check pgp on some os and came across phuctor
(trilema) a111: Logged on 2017-09-20 19:22 asciilifeform: and incidentally i dun have a nonleaking miller-rabin yet, need nonleaking gcd ( have on paper, but not in ffa yet )
(trilema) asciilifeform: and presumably whole affair didn't last long enough to connect the hose and form arsemouthsystem
(trilema) asciilifeform: exactly like my original ffa
(trilema) mircea_popescu: and in other lulz, "United States v. 11 1/4 Dozen Packages of Articles Labeled in Part Mrs. Moffats Shoo-Fly Powders for Drunkenness" is a genuine case citation, early in rem litigation in new york.
(trilema) asciilifeform: d00d was right in his observation that you ~could~ use a normalizing/denormalizing ( though proof is still a first class bitch ) algo, IF you had a secret 1..ffawidth shift. but you don't.
(trilema) asciilifeform: dness shift operations; and ergo all shifts must consist of ffawordness shift ops, as i described in http://btcbase.org/log/2017-09-20#1716343 .
(trilema) asciilifeform: !~later tell apeloyee i studied your algo, it (aside from truly massive cost, that would annihilate savings from newton, or barrett, or just about any other trick) ~still leaks~, because shifting by >wordsize is a fundamentally different op from shifting <wordsize; and the only way for this to not be true is for all shifts to happen as a series of wordsize shifts; and a shift by ffawidth-1 (max shiftness) would then consist of ffawor
(trilema) asciilifeform: http://btcbase.org/log/2017-09-20#1716403 << by definition monkey business with instruction timings is ~detectable~. but the other idea is, a proper ffa is very easy to fpgaize/siliconize.
(trilema) apeloyee: while loop in secretshift does a number of iterations dependent only on ffa number width and word width, so can be unrolled if those are known
(trilema) asciilifeform: fortunately we don't actually need any such thing in ffa. none of the algos require shifting by a seekrit bitness.
(trilema) asciilifeform: if it can't be written down without any conditional (e.g. 'if' ) statements, and also -- for a given bitness -- unrolled into writing without ANY loops -- it is not permissible routine for ffa.
(trilema) asciilifeform: ( normalization LOOKS AT SECRET BITS and therefore is forbidden anywhere in ffa for any reason )
(trilema) asciilifeform: incidentally if apeloyee or anybody else knows how to make a 1..ffabitness shifter that doesn't leak the shift amount, on ordinary pc, plz post.
(trilema) asciilifeform: ( when ffa width is determined )
(trilema) asciilifeform: apeloyee: yes because for guarantee of convergence you need MASSIVE ( afaik, at least 4x the ffawidth ) bitness
(trilema) asciilifeform: they depend strictly on which op ( which is not secret ) and the ffawidth ( also not secret )
(trilema) asciilifeform: in any ffa routine
(trilema) apeloyee: asciilifeform: is it intended that ffa doesn't have a shift that doesn't leak the upper bits of shift amount (via access pattern)?
(trilema) asciilifeform: mircea_popescu: i've been thinking about sending ffa , when finished, as an article into the saecular derps' 'cryptology journals', strictly for the lulz of getting their reject barf , and then posting, a la al schwartz
(trilema) a111: Logged on 2017-09-20 19:19 ben_vulpes: and as the keccacteams mention, little incentive for cryptoacademia to formalize how ARXceteras might fall over. hard work with little guarantee of payout apparently terrible strategy in a world of publishorperish + everyone pretends to ignore that none of the academics ever bothered to do the hard work of an actual ffa, preferring instead cheap outs like leaky tables
(trilema) asciilifeform: and incidentally i dun have a nonleaking miller-rabin yet, need nonleaking gcd ( have on paper, but not in ffa yet )
(trilema) ben_vulpes: and as the keccacteams mention, little incentive for cryptoacademia to formalize how ARXceteras might fall over. hard work with little guarantee of payout apparently terrible strategy in a world of publishorperish + everyone pretends to ignore that none of the academics ever bothered to do the hard work of an actual ffa, preferring instead cheap outs like leaky tables
(trilema) asciilifeform: bonus lul: https://archive.is/tK1o1 << list of public catastrophic bugs in bigint libs . bonus-2 : compiled by the perpetrators of mit's attempt at faux-ffa ( won't link separately, it's a megalith of mechanical 'proof' crapolade )
(trilema) asciilifeform: barpub: actually i've been having a pretty good time avoiding pointerism in, e.g., ffa, on ordinary pc
(trilema) asciilifeform: and at any rate the 'f' in ffa -- stays.
(trilema) asciilifeform: there are no tables in ffa, and an ffa with a table is pointless ( if you access leaklessly, by chugging whole table each time ( we had thread ) you wipe out the time saving. )
(trilema) asciilifeform: FZ_Exp does not calculate a^b, it calculates a^b modulo ffawidth. this is important difference.
(trilema) asciilifeform: exponentiation WITHOUT DIVISIONS (i.e. nonmodular, or modulo the set ffawidth, in this case 4096) takes 0.26
(trilema) a111: Logged on 2017-09-12 23:52 asciilifeform: http://btcbase.org/log/2017-09-12#1713184 << in ffaworld, a < or > or == comparison is not only a subtraction (O(N)) but another O(N) test for nullity (xor all the words together)
(trilema) a111: Logged on 2017-09-16 15:35 asciilifeform: ( for comparison, a NONmodular exponentiation of same width on same box with same ffa takes 0.26s. )
(trilema) asciilifeform: ( for comparison, a NONmodular exponentiation of same width on same box with same ffa takes 0.26s. )
(trilema) asciilifeform: ^ which does mean that i'ma have to a) audit the binary when ffa built for use in the field b) patch gcc/gnat not to emit DIV
(trilema) asciilifeform: this is when i point out that div0 gives maxint in ffa ( at least naked ffa, without checking first )
(trilema) asciilifeform: ( it is worth remembering that ffa is not built to be a museum piece, 'shortest physically possible rsa', but grudgingly made concessions liek abandoning egyptian mul -- so long as result is still fixedspacetime -- , so that it can actually be fired in anger . )
(trilema) asciilifeform: that was how my first ffa multer worked
(trilema) asciilifeform: one by jebelean, 'Exact Division with Karatsuba Complexity' , possibly ffaizable.
(trilema) asciilifeform: maker of cpu will almost unavoidably take an interest in 'ffa-style' arithmetizing.
(trilema) asciilifeform: ffa modular mult MUST produce correct answer for ALL possible inputs a,b,n.
(trilema) asciilifeform: is it not getting through that once you introduce a 2B-bit item, you are working in ffa of 2B bitness ?
(trilema) asciilifeform: no ffa basic op will accept operands of unequal bitnesses.
(trilema) asciilifeform: other thing, apeloyee , is that ffa does NOT operate on mixed bitnesses. i.e. if your operands are B bits, and you introduced an intermediate of some kind that is 2B bitness, now ALL of your computations with that must be 2B wide (incl. comparisons, nullity checks.)
(trilema) asciilifeform: ( modulus and both multiplicands have same bit width, and if you read the rest of ffa as has been posted here, you will know that NO such thing as normalization ever takes place, or will ever take place, all operands are assumed to be N-bit )
(trilema) asciilifeform: incidentally in case it weren't obvious, much bloatier rsatrons than the one contemplated in ffa, fit in asciilifeform's head -- e.g. montgomery mult, barrett, various war crimes in that vein
(trilema) asciilifeform: which incidentally i am ready and willing to produce for every single piece of ffa to date.
(trilema) asciilifeform: no 'speshul rsa forms' in ffa.
(trilema) asciilifeform: ( the thing is widely used in rsatrons which agree to constrain themselves thusly, but is entirely irrelevant in ffa )
(trilema) asciilifeform: everything you've seen in ffa to date, is unrollable into iron circuit.
(trilema) asciilifeform: http://btcbase.org/log/2017-09-12#1713184 << in ffaworld, a < or > or == comparison is not only a subtraction (O(N)) but another O(N) test for nullity (xor all the words together)
(trilema) a111: Logged on 2017-08-10 19:45 asciilifeform: forn00bz: an, e.g., rsa modexp, in ffa, must be representable by a long roll of paper, on it are ops for ordinary 4function calculator, with very patient slave. and roll ONLY ROLLS FORWARD and has finite # of instructions on it, known in advance when you decide the ffa width.
(trilema) asciilifeform: whole point of ffa, is this notdoing
(trilema) asciilifeform: modulus bitness == operand bitness. this is ffa after all.
(trilema) mircea_popescu: and congrats, you've closed the liar circle on yourself. the only task remaining is to establish whether alf lied when he claimed that mp's distributive-mod algo is already in his ffa since july ; or rather he lied when he claimed distributive mod would actually be useful ; or at some other juncture.
(trilema) asciilifeform: 1) mircea_popescu describes algo for mod. 2) turns out exactly knuth's, that is in existing ffa 3) describes 'do it to each term of a+b+c in karatsuba' 4) this dun work, if it worked we would be bragging about the new 133337 recursive modular mult algo we've got
(trilema) asciilifeform: ( and worth keeping in mind that in ffaworld adding two B-bit integers does NOT give a B-bit integer, it gives a B+W bit one. where W is our word width. )
(trilema) asciilifeform: mircea_popescu: the classical ffa exponentiator, for reference, looks like http://wotpaste.cascadianhacker.com/pastes/S4dWM/?raw=true . the ~modular~ exponentiator must look like http://wotpaste.cascadianhacker.com/pastes/AiB9t/?raw=true . however it needs 'first, steal the chicken', i.e. FZ_Mod_Mul and FZ_Mod_Square .
(trilema) mircea_popescu: asciilifeform do you know how to ffa-base-convert ?
(trilema) asciilifeform: i am referring, of course, to the standard shift-and-subtract knuth division, which is in the previously posted ffa
(trilema) ben_vulpes: also behind on ffaquest
(trilema) a111: Logged on 2017-09-08 16:24 asciilifeform: you oughta do this nearly always . ( 1 notable exception is ffa or other 'tight' code where you're testing speed, and correctness already known; there -g will give a 10-15x speed penalty )
(trilema) asciilifeform: you oughta do this nearly always . ( 1 notable exception is ffa or other 'tight' code where you're testing speed, and correctness already known; there -g will give a 10-15x speed penalty )
(trilema) asciilifeform: PeterL: use the subset of ada shown in ffa. i.e. no oop, no finalizations, no tasks, no array concatenation, no heap allocation.
(trilema) mircea_popescu: the funniest thing to me is that this sad state of affairs gives them no pause. "what orcs ? WE ARE THE ORCS!"
(trilema) mircea_popescu: for one thing, you'd prolly want to run it on the ffa anyway
(trilema) asciilifeform: the former is ffatronic ( bound! ) ; the latter -- potentially unbound
(trilema) a111: Logged on 2017-08-31 22:26 asciilifeform: phf: at some point ( and by this i mean when finished ffa / released 'p' ... ) i'ma have a large board made, with, say, 8 ice40-8k's, and row of dimm-holders...
(trilema) asciilifeform: phf: at some point ( and by this i mean when finished ffa / released 'p' ... ) i'ma have a large board made, with, say, 8 ice40-8k's, and row of dimm-holders...
(trilema) asciilifeform: http://btcbase.org/log/2017-08-31#1707320 << this knife has another edge, ben_vulpes . most commercial ops don't have the budget ( time, mainly , but money also ) for ActuallyWorksAndFitsInHead(tm). ( picture, if you will, ffa as a commercial project at a secular software co )
(trilema) a111: Logged on 2017-08-31 02:06 trinque: for example, I learn that a certain George HW Bush as state congressman worked against the straightening and lining with concrete of buffalo bayou!
(trilema) trinque: for example, I learn that a certain George HW Bush as state congressman worked against the straightening and lining with concrete of buffalo bayou!
(trilema) asciilifeform: or v. or ffa. and what elses.
(trilema) mircea_popescu: mod6 done : http://trilema.com/2016/how-to-participate-in-the-affairs-of-the-most-serene-republic/#selection-115.56-119.1 ; though the header could prolly go to "The Real Bitcoin public node list" or something.
(trilema) a111: Logged on 2017-08-22 16:54 mircea_popescu: hmm, not putting it in topic, putting it in http://trilema.com/2016/how-to-participate-in-the-affairs-of-the-most-serene-republic/ once i get that thing online again.
(trilema) mircea_popescu: hmm, not putting it in topic, putting it in http://trilema.com/2016/how-to-participate-in-the-affairs-of-the-most-serene-republic/ once i get that thing online again.
(trilema) mircea_popescu: and in other "baby's gonna have to learn sometime...", http://68.media.tumblr.com/3f2956963e5572ea4af56fcafa567c7d/tumblr_o0ok1jjuRA1uwe054o1_1280.jpg http://68.media.tumblr.com/be2d5b93f793c053e393e30b3562e5f5/tumblr_o0ok1jjuRA1uwe054o4_1280.jpg http://68.media.tumblr.com/5e67151689f0cc5f06068781b4b293cd/tumblr_o0ok1jjuRA1uwe054o9_1280.jpg an' http://68.media.tumblr.com/50517718fcf83d5ffa4d12bff44ce47f/tumblr_o0ok1jjuRA1uwe0
(trilema) asciilifeform: there are - by design - no deep maths in ffa.
(trilema) mod6: Ah, I admit, earlier I didn't have much chance at all to review this. In fact, to wrap my head around the fine points of ffa's more complex routines, takes me some time.
(trilema) mircea_popescu: which is why we're putting all this crazy effort into proper rsa, ffa etc.
(trilema) mircea_popescu: heck, ffa ~should~ probably be distributed as literate code.
(trilema) asciilifeform: http://btcbase.org/log/2017-08-16#1699000 << fwiw ffa is nearly a self-contained crypto textbook in itself
(trilema) mod6 goes off to read the latest ffa update,
(trilema) asciilifeform: you can generate a 6666-bit key. but you would need a 8192b invocation of ffa.
(trilema) asciilifeform: but of ffa register width
(trilema) asciilifeform: and you can't subtract ffa x0 - x1 unless they are same length !!
(trilema) asciilifeform: mod6: to understand ffa, you absolutely gotta grasp how ada array slices ( which Always Do The Right Thing ) work
(trilema) mod6: <+asciilifeform> this kind of optimization could be interesting if we were dealing in MB+ ffaism << yeah, perhaps the sample size used was not enough to see the delta?
(trilema) asciilifeform: ^ for readers who wondered why karatsuba is the 1 routine in ffa ~not~ inlined... think.
(trilema) asciilifeform: mod6: idea with this item, is that L is a power of 2 always. in 'classical' one, L can be anything (e.g. a 192-bit ffa ends up 3*64 on my box, i.e. L=3 )
(trilema) mod6: my ffa must be way old
(trilema) asciilifeform: this kind of optimization could be interesting if we were dealing in MB+ ffaism
(trilema) asciilifeform: PeterL: sorta why i wrote the most general , unconstrained ffa .
(trilema) asciilifeform: this means you can have, e.g., 192b, 384b, etc ffa
(trilema) asciilifeform points out that even very modest iron, ffa's quite acceptably over 8192b and higher.
(trilema) asciilifeform: no reason to use any particular pattern, understand, ffa
(trilema) mircea_popescu: asciilifeform no dude, consider the catechistic angle. "soo... why is your key 515 bytes ?" "i dunno, his lordship mp said so" "why ?" "nobody knows, really. he just says things." "so how do you calculate it ?" "first, you set ffa to 520 bytes..." "why did he say 515 then ?" "uh... that's a good question."
(trilema) asciilifeform: ALL ffa ops take time that is not dependent on the hamming weight. that's what 'constant time' means.
(trilema) asciilifeform: incidentally, there is no reason why the ~public~ exponent , on ffatronic rsa, should not also be a large prime
(trilema) asciilifeform: e.g. 6666-bit keys work fine on ffa!
(trilema) a111: Logged on 2017-08-14 17:50 mircea_popescu: but this important point has important consequences, because now we can't have my eccentric rsa keys. must be 4096, because the only alternatives ffa permits are 2048 which is too short and 8912 which is too long.
(trilema) asciilifeform: http://btcbase.org/log/2017-08-14#1697693 << and importantly, current ffa works with ( see factorial demo ) any multiple of 64, that fits in your machine memory.
(trilema) asciilifeform: ftr i considered imposing a 'ffa W is power of 2 or fuckyou'
(trilema) asciilifeform: mircea_popescu: you can use any key bitness you like ! but gotta top it out with 0s to sit it into a ffa word
(trilema) asciilifeform: say for some peculiar purpose, an ffa run needs 192-bitness.
(trilema) mircea_popescu: but this important point has important consequences, because now we can't have my eccentric rsa keys. must be 4096, because the only alternatives ffa permits are 2048 which is too short and 8912 which is too long.
(trilema) asciilifeform: it is not possible to have anything that looks like ffa, without suffering this constraint.
(trilema) asciilifeform: mircea_popescu: 'solution to math problem' existed in 1978. ffa goal is simplicity+correctness of implementation + adequate performance.
(trilema) asciilifeform: just like ffa worx just fine on opteron today dialed down to 32
(trilema) asciilifeform: 'ffa represents a W-bit integer as a contiguous array of N machine words of bitness B, W = N*B.'
(trilema) mircea_popescu: answer the q then! when a 128 bit computer is sold, ffa word will have to increase to 128 bits ?