avgjoe: so if I understand correctly: all the deedbot functions are ready to go for a newcomer, except for the wallet function that works well after having a good wot connection
trinque: wot updates and all the rest are immediate
avgjoe: trinque: may I also ask, is it just the wallet feature that needs human presence or does deedbot do other semi-auto functions?
trinque: the web of trust, being in it and forming connections, is the proper way to answer the q
trinque: avgjoe: the point being, while I can give you a lot of nice words about not stealing your bitcents, this doesn't amount to much.
avgjoe: why does the reverse show 1 connection?
trinque: I am the operator yes.
avgjoe: is it a feature for doing off chain transactions by trusting the human meat or am i missing something?
trinque: avgjoe: no, there is no hotwallet
mircea_popescu: nobody cared about him back when he was a good actor 20 years ago as much as they care now, that he delivers wooden monologues of sheer nonsense.
mircea_popescu: wasn't meeting the above quals.
asciilifeform: but then suddenly very very hip when crackpot symmetrics.
mircea_popescu: or w/e the fuck. the youth is desperate for adult figures, much like the savage kids in the us black ghetto.
mircea_popescu: goes to their silly little "polyamory" covens on campus and frowns paternally.
asciilifeform: i've no particular objection to snake oil from king cobra vs from japanese viper; but as i observed earlier, the sudden popularity of bernsteinism has never been explained to my satisfaction.
mircea_popescu: i know, i know. just saying, "we picked the non-chosen candidates at random, go sue."
avgjoe: a curiosity about the deedbot wallet feature: if i use that feature, who is controlling the keys?
asciilifeform has been, in person, to one of the shameful, incestuous tree-houses of the 'cryptographers'
mircea_popescu: well... now there is.
a111: 0 results for "\"Transgressing the Boundaries: Towards a Transformative Hermeneutics of Quantum Gravity\"", http://btcbase.org/log-search?q=%22Transgressing%20the%20Boundaries%3A%20Towards%20a%20Transformative%20Hermeneutics%20of%20Quantum%20Gravity%22
mircea_popescu: !#s "Transgressing the Boundaries: Towards a Transformative Hermeneutics of Quantum Gravity"
mircea_popescu: http://btcbase.org/log/2018-04-12#1797184 << you definitely should do that, seeing how the superficial "was reviewed" claim collapses upon the most cursory scrutiny. this is not a good state to put yourself into, it makes it too easy to be painted with unflattering brushes.
TrixxC: i brb there is someone at door
mircea_popescu: but if you look through that category ("la pas prin lume") there's a ton of various.
BingoBoingo: Ah, the seekrit beach
mircea_popescu: you seen the pics ?
britknee: enjoy the beach
britknee: oh I will put the word out then
mircea_popescu: well, actually about to go to the beach right now, but in general speaking.
a111: Logged on 2014-11-13 23:07 mircea_popescu: In the days when Sussman was a novice, Minsky once came to him as he sat hacking at the PDP-6.
a111: Logged on 2018-04-12 18:06 mircea_popescu: http://btcbase.org/log/2018-04-12#1797132 << this counterstructure argument is actually quite strong ; may indeed be stronger than the proponent realizes.
asciilifeform: http://btcbase.org/log/2018-04-12#1797532 << as far as i can tell the 'rsa has structure! but aes, surely not' is instance of minsky's empty room ( http://btcbase.org/log/2014-11-13#920444 )
mircea_popescu: britknee right he is, somehow slipped through the cracks. sorry for the delay ; but it's done now.
mircea_popescu: asciilifeform it can't be a debit like that, because the main unknown is the approach.
avgjoe: hello, can i ask why deedbot doesn't send me the challenge to solve? instead it tells me that i should not up myself
asciilifeform: so what you'd want to prove is that there exists ~no~ method more effective than brute guess, for $system.
a111: Logged on 2018-04-12 18:10 mircea_popescu: http://btcbase.org/log/2018-04-12#1797142 << understand, the discussion here is re cryptographic hardness, not mathematical hardness ; as discussed otherplaces in the logs, the mathematical notion of difficulty is "what's the absolute hardest case this problem can yield", because they want to offer maximal flop guarantees ; cryptographically it is kinda opposite : what's the LOWEST difficulty a problem in this class may yield
asciilifeform: http://btcbase.org/log/2018-04-12#1797536 << we may have had the thread iirc, but : cryptographic 'lowest difficulty' is inescapably statistical, considering that there is a nonzero and calculable probability of guessing a key ( under any system which is not otp, i.e. correct key is somehow distinguishable from the space of possible rubbish key )
BingoBoingo: Now, there's also "alfajores integrals" where a birdseed paste is smashed between two birdseed wafers, but those cost ~70 pesos whereas alfajores verdaderos costs 20-30 pesos
BingoBoingo: ben_vulpes: That thing was the commercial item that defines the standard
ben_vulpes: BingoBoingo: that thing was way too way over the top
asciilifeform: right now 2 types of cipher are known -- otp, and errythingelse. only re otp is there a mathematical statement of any substance ( i.e. it is degenerate case, leaks 0 bits )
asciilifeform: ( what would 'getting somewhere' look like ? how about a general theory, or even ~study of particular case, like aes~ re how many bits of key are leaked per, say, TB of ciphertext )
mircea_popescu: . because they want to put a MINIMUM floor in. so to a large degree mathematical discussions of hardness are not cryptographically useful.
mircea_popescu: http://btcbase.org/log/2018-04-12#1797142 << understand, the discussion here is re cryptographic hardness, not mathematical hardness ; as discussed otherplaces in the logs, the mathematical notion of difficulty is "what's the absolute hardest case this problem can yield", because they want to offer maximal flop guarantees ; cryptographically it is kinda opposite : what's the LOWEST difficulty a problem in this class may yield
a111: Logged on 2018-04-12 16:13 zx2c4: but even hardness of factoring... how hard is this actually? what number theoretic advances are right around the corner?
mircea_popescu: http://btcbase.org/log/2018-04-12#1797136 << approximately zero, in that case, for good fundamental reasons to do with... the structure of theoretical possibility.
a111: Logged on 2018-04-12 16:12 zx2c4: things like RSA boil down to number theory problems. but that's in a sense scarier than the set of problems that good block ciphers tend to boil down to. because it means that those primitives have lots of _structure_, and generally structure is something that can be exploited. just look at all the amazing and fantastic attacks on things with structure. so just boiling down to a [currently considered] "hard problem" doesn't provide as much solace
mircea_popescu: http://btcbase.org/log/2018-04-12#1797132 << this counterstructure argument is actually quite strong ; may indeed be stronger than the proponent realizes.
asciilifeform: re the aleph ? nfi
asciilifeform: linked proggy is iirc by another d00d
mircea_popescu: no, and compiled to 40kb, it's clear from this and plenty other signs the dood has the right ideas in his head.
asciilifeform: to be fair, the thing isn't even obscenely lengthy, esp for a robo-generated proggy. ( it remains the case that i dislike c, and also ecc; but these are orthogonal concerns )
mircea_popescu: these are yet too high level matters to be practically approached by this "here's an impl" method.
ckang: 'pull request are always welcome' :) as they say
asciilifeform: why the author stopped where he did, and did not unroll ~all~ of the loops, i do not presently know
mircea_popescu: the line 332 explosion is a fine example of this as any could be had.
asciilifeform: ( the pipe stays full )
ben_vulpes: i was halfway expecting to see the classic machinegeneratedliquishit objections
a111: Logged on 2018-04-12 15:48 zx2c4: our two x25519 C implementations (32bit and 64bit) are actually generated by theorem proving software, so that we're sure they dont contain any errors
ben_vulpes: in other modern scotchguardlifeamericana, these "100% cotton!" napkins are clearly coated with some heinous anti-absorbent "nanotech". yes, works to wipe crumbs off toddlerface but holyfuck is aggressively and annoyingly nonabsorbent.
mircea_popescu: ben_vulpes all the Order deny,allow Deny from all Allow from x thing does is lock out by ip ; it's not even generated by wp itself ; it can be implemented any way, iptables, csf, whatever.
ben_vulpes: aok so the Order/Allow can probably be swapped for the 'modern' Require styles
mircea_popescu: it redirects missing file references into index.php ; that's how it does the url replace thing.
ben_vulpes: huh danielpbarron mentioned to me that it writes the permalinks into .htaccess, this is not so?
ben_vulpes: mircea_popescu: the .htaccess files included with/generated by mpwp include the `Allow` incantation, which is not a thing in apache 2.4; trilema purports to run on 2.4.16; can the Order/Allow incantations be replaced with the 2.4-style Require?
mircea_popescu: generally the alfajor as a commercial item is two wafers, ddl in between, whole dipped in hard chocolate.
ben_vulpes: experiments from the kitchen, im sure more variants with chocolate will appear as soon as i mention the idea
mircea_popescu: they have chocolate alfajors tho, is yours just ddl ?
mircea_popescu: hey, i didn't think i even liked girls, as a 14yo. people get strange ideas in their heads.
mircea_popescu: ben_vulpes you should see the britt chocolate covered macadamia nuts.
ben_vulpes: well they are a far cry from the mango gelato of mircea_popescu's haremfactory but goshdarn these alfajores are magical with coffee in the morning
mircea_popescu: anyway, guy got a bitcoin, meaning he can put however many more hours into the thing you're using, so wins all around.
mircea_popescu: word. you're building quite the diplomatic reputation for yourself, you know that ?
mircea_popescu: these logs are getting ever huger.
mircea_popescu: zx2c4 and the good news is, linus permitted ada modules before.
asciilifeform: the use of pointers, for instance, is discouraged, and their migration between scopes is prohibited
asciilifeform: zx2c4: there is some quite 'fascist' compile-time checking. most noobs to the lang, spend a week or so getting their proggy to even build.
asciilifeform: if you switch the runtime checks on, you get a ~50% speed penalty in practice, vs 'naked c'
mircea_popescu: actually, most crap is not even permitted. see all the pragmas.
zx2c4: so most checking is runtime instead of compile time then?
asciilifeform: ( gnat , the ada compiler, is based on ordinary gcc )
mircea_popescu: but that's related to how they can't even exist in c.
asciilifeform: there is absolutely no justification for the continued use of c, aka overflowlang, aka heapabuselang, since... oh, 1985.
mircea_popescu: zx2c4 the good news is that i am now finally in a position to explain what EXACTLY is meant by "terrorist" : that feeling in http://btcbase.org/log/2018-04-12#1797417 when shit keeps coming and coming and coming up. what is it, if not spiritual terror ?
asciilifeform: i'ma cheat and cite my own article, http://www.loper-os.org/?p=1913 : '... in a heavily-restricted subset of the Ada programming language — the only currently-existing nonproprietary statically-compiled language which permits fully bounds-checked, pointerolade-free code and practically-auditable binaries. We will be using GNAT, which relies on the GCC backend.'
zx2c4: linus has never been so happy about other languages in the kernel. for example, he rejected a C++ layer many years ago
asciilifeform: ( it is however presently unclear to me why the entire ciphrator has to live in kernelspace. granted the packet-thrower perhaps must. but why whole thing. )
mircea_popescu: that's a perl impl of a v tool by mod6 ; everyone is invited to make their own v tools.
zx2c4: it's written in C because its in the linux kernel, which is written in C
mircea_popescu: asciilifeform did we ever establish why he wrote the thing in c ?
mircea_popescu: the idea with it is that patches must be a) clearly assigned to a responsible key and b) well read. actually, not putatively a la ers's trillion dead fish eyes.
asciilifeform: cascadianhacker.com/07_v-tronics-101-a-gentle-introduction-to-the-most-serene-republic-of-bitcoins-cryptographically-backed-version-control-system << likbez
mircea_popescu: anyway, as to the other one : v is the republican... well many things, but also works as a versioning system. here's a pretty picture to help the notion along : http://btcbase.org/patches << you can select from the drop menu to the left, see various trees extant. you can click on any item to see the patch it represents.
mircea_popescu: you have to get it in your head, that 0 is an invariant, and permitting it is always dangerous, because it's not "just another number".
mircea_popescu: the problem is fundamental, though. the same EXACT thinking informs this problem as informs the earlier discussion with asciilifeform over null ciphers.
zx2c4: i suppose your point is that you _could_ choose to obscure the lengths of the messages youre sending back? whereas with zero that isnt a possibility?
mircea_popescu: this reduces your strength, like it or not, because ~attacker inferred something~. that's what strength is, "attacker doesn't infer". see the history of the concept of "ban" and how turing banburismus'd.
zx2c4: with many TCP protocols you can infer what's behind it based on the length
mircea_popescu: one thing at a time : if an attacker observes a stream of n messages of lengths != 0, there is nothing he can infer : maybe they're part of one message, or maybe they're not, or maybe they don't even say anything.
mircea_popescu: http://www.dianacoman.com/2017/12/07/introducing-eucrypt/ << it uses the v system ; are you familiar with v ?
mircea_popescu: anyway, the point here isn't that padded protocols infoleak in multiples of the padding, the point is that 0 is a special case invariant, and you can never leak a multiple of 0 safely. because, again, a message of arbitrary length n can be presented as m messages of length k ; but 0 messages can never carry anything.
mircea_popescu: yes, that's how we do it. do you happen to be familiar with diana coman's work on the ada impl of rsa/keccak etc ?
zx2c4: this may indeed be too large of an infoleak and you'd prefer a different padding scheme like always filling the entire MTU
zx2c4: mircea_popescu: padded protocols infoleak in multiples of the padding. you get to see if a given packet elicited a 0 reply, a 16 reply, a 32 reply, a 48 reply, and so forth
zx2c4: the ecc is constant time. but anyway the transport layer doesnt use any ecc
mircea_popescu: in any case, cryptography comes in two sorts : sort a), known here as "this must be secure, it's so confusing to me", and sort b). the moment you say "i can't see what this gives attacker" you force-shove yourself in group a. it's not your business to know the attacker, that's the whole fundamental philosophy of ciphering, that you do not need to know the attacker.
asciilifeform: zx2c4: the distinguishability of keepalives also makes it considerably easier to carry out timing attack on your nonconstanttime ecc engine
zx2c4: then those keepalives are in response to some message he received
mircea_popescu: this is the problem : you introduce a categorical breach with this system.
mircea_popescu: that may be, but we're discussing the 0 case.
mircea_popescu: well, for instance, if i know six nodes in your network and know asciilifeform uses at most two, and i see those are not transmitting, i know he's asleep and send the titassassins.
asciilifeform: zx2c4: speaking in general of symmetric ciphers -- a known-plaintext instance anywhere in the stream, or even a means of narrowing down possible plaintext, makes for considerably cheaper break
zx2c4: there _are_ attacks, on say voice compression algorithms, which can gather some information from having precise sizes alone, which is why things are padded to nearest 16. but i dont see what would be gathered by what youre suggesting
mircea_popescu: why am i held to explain how a protocol breach can be elevated to arbitrary height ? the attacker FINDS SOMETHING
zx2c4: what is the attack here?
mircea_popescu: so wouldn't it make sense for me to send 8 whether i have anything to say or not ?
zx2c4: thats right. the padding only happens in multiples of 16
mircea_popescu: and if my slut eve in the other room is listening in, she can distinguish the case where i sent 0 from the case where i sent 8 ?
zx2c4: when you encrypt a message of 0 bytes, you get 0 bytes of ciphertext + 16 bytes of authentication tag
asciilifeform: mircea_popescu do you have a link to the famous penguin handy ?
mircea_popescu: zx2c4 here's a simple alternative to consider : would you agree the assemblage would be more secure if instead of sending a null payload you sent a random string ?
zx2c4: normally when you encrypt a message of 32 bytes, you get 32 bytes of cipher text + 16 bytes of authentication tag
zx2c4: im not seeing the vulnerability youre speaking about
mircea_popescu: asciilifeform depends on how he makes the nonce.
mircea_popescu: can you off the top of your head give me a dummy example of such ?
zx2c4: in otherwords, the empty plaintext is still a valid value to be authenticated-encrypted
zx2c4: yea. the plaintext is empty. but the ciphertext is not, since it's authenticated
mircea_popescu: so it is not "empty" in the sense of "" ; it is empty in the sense of the payload being null, but the actual message is in fact a nonce and some tags anyway.
zx2c4: because all i need is the valid authtag/nonce. i dont have any actual content to put in there
mircea_popescu: now, why is the thing you send an empty message ?
zx2c4: in this case, its important that you send me a keepalive, so that i know you at least got it. however, these keepalives arent persistent. if subsequently, i have nothing more to say to you, then we both go silent and dont say anything.
zx2c4: every time i send you something, i expect to hear back from you. if i dont hear back from you, then something bad has happened,and i should start over with a new handshake. my way of hearing back to you might be in the natural sense -- i send a TCP SYN, you send me back a TCP ACK -- or it might be the case that you actually just have nothing to send back to me. you got my message just fine, but really just cant think of anything to say back to me.
mircea_popescu: i can't use the trilema-style url-reference (here's an example : http://trilema.com/2018/boboban/#selection-47.0-47.10 ) because you don't have it implemented. but it's from the /protocol page
mircea_popescu: "If a packet has been received from a given peer, but we have not sent one back to the given peer in KEEPALIVE ms, we send an empty packet." <<
mircea_popescu: zx2c4 the fundamental problem with "set to empty" is that ciphers can be and many are vulnerable to this, as a particular case of "known plaintext"
zx2c4: also, btw, when you're not using the payload parameter in a message, it's just set to empty, because the authentication tag used by it is still important for the protocol.
asciilifeform: ( alternatively, how many bits do i need to flip in an otherwise correctly configured box, to set a 'noise' cipherer, into null mode ? )
a111: Logged on 2018-04-12 16:44 mircea_popescu: http://btcbase.org/log/2018-04-12#1796991 << let me ask you this then : why do you send an encrypted empty message when heartbeat fails ?
zx2c4: i remember asking for this on the mailing list at some point
mircea_popescu: this is principally enforced by dizzy operators not touching the framework in the first place, but only given implementations of it.
zx2c4: important to then know what level of confidentiality you get there
zx2c4: one thing to keep in mind is that Noise isn't a single ready-made protocol for every application designer to take. its instead a protocol framework for protocol designers to use. knowing explicitly what the payload param gives you in each message is really important, so that you dont screw up and put your stuff somewhere it shouldnt be. there are legitimate protocol use cases for using the payload parameter early on during the handshake. its
zx2c4: because IPsec's null cipher mode is for transport data. what youre asking about with 7.4 is the payload parameter of the handshake messages
mircea_popescu: how is it not the same thing ?
mircea_popescu: zx2c4 for the public record, make the "this is not the case" distinction plain.
zx2c4: its not about LoC either.
mircea_popescu: they saved on the loc.
asciilifeform: mircea_popescu: what i see is, the cell is there, but there is no indication that it is connected , as it ought to be, to red lights, siren, and dropping of reactor moderator rods
zx2c4: this is not the case of the "null mode" in IPsec, which is obviously a complete disaster with no good justification
mircea_popescu: the ready argument for doing it this way is simplicity.
zx2c4: there are valid use cases of sending information in the clear in the payload parameter. for example, perhaps you want to use it to advertise which aspects of the protocol are valid for subsequent messages. or you want to send a certificate along to authenticate yourself. the payload parameter certainly shouldnt be confused with transport messages, which are what are allowed after the handshake completes
mircea_popescu: asciilifeform seems to me the case to be, that they defined a matrix, and then implemented all the cells, and fuck you if you pick a dumb cell.
asciilifeform: it appears to be a valid state of the state machine. else why would it be mentioned in the spec.
mircea_popescu: zx2c4 you can voice yourself (permanently) by saying !!up to deedbot ; saves us the trouble.
asciilifeform: what's the justification, for permitting it at all
asciilifeform: i understand the bare fact, zx2c4 . my question is, why do you think the protocol author permitted an unsecured mode as a valid mode of operation ?
zx2c4: but there's certainly not any "null-ciphering" and this is only a misunderstanding of what the specification says
zx2c4: this is spelled out explicitly in the section you mentioned
zx2c4: noise defines several different handshakes. wireguard uses Noise_IKpsk2, which is 1-RTT. But there are other noise handshakes, some of which are 0-RTT, 1-RTT, 2-RTT, 1.5-RTT, and so forth. each handshake message can optionally contain a payload -- to contain things like, say, certificates or other data. the question is at which stage of the handshake do you use the payload parameter? if you do it too early in some, you get zero confidentiality. so
a111: Logged on 2018-04-11 16:11 asciilifeform: mircea_popescu: picture if the selector on kalash had a 'fires backwards' position.
asciilifeform: this does not bother you ?
asciilifeform: zx2c4: granted, but it would appear that the orig spec of 'noise' permits null-ciphering, just like the nsa-authored ssl/tls.
a111: Logged on 2018-04-12 15:36 zx2c4: - minimal state machine, as mentioned above, which means 1-RTT: if something goes wrong with a message being dropped, the solution is always to just "start over the protocol", since it's only 1-RTT. this saves amazing amounts of complexity
mircea_popescu: http://btcbase.org/log/2018-04-12#1797002 << this is fucking grand. i love reading through this list, it's in the vein of "oh my god, check that out, he natively gets it!"
zx2c4: but there are other noise handshakes
asciilifeform: zx2c4: do i misread ? because in the spec, 'No confidentiality. This payload is sent in cleartext.' ( http://www.noiseprotocol.org/noise.html#message-format section 7.4 )
mircea_popescu: http://btcbase.org/log/2018-04-12#1796991 << let me ask you this then : why do you send an encrypted empty message when heartbeat fails ?
zx2c4: Noise is from Trevor Perrin. I've been very involved in contributing to the project though (i mentioned at the end of the specification)
asciilifeform: the q , then : why does 'noise' include a null-cipher mode ?
asciilifeform: zx2c4: are you the author of 'noise' protocol ?
zx2c4: well im still around here for another half hour or so, so feel free to lob anything more at me
a111: Logged on 2018-04-12 09:42 spyked: http://btcbase.org/log/2018-04-12#1796749 <-- that's probably my thing, I've been playing with it for the last two weeks or so, I have it in a loop grabbing feeds from republican blogs.
a111: Logged on 2018-04-12 09:38 spyked: http://btcbase.org/log/2017-08-19#1701034 <-- /me now wonders whether e.g. http://btcbase.org/log/2017-08-19#1701034 could have been "illuminated" in any other way than through whipping. it is what it is, isn't it?
mircea_popescu: http://btcbase.org/log/2018-04-12#1796976 << you know me. he doesn't know you. this makes all the difference in the world -- i can whip my slavegirls into shape because they ~love me~. people without this benefit are stuck going at snail speed, which is why "education" in the unsexualized way it's implemented publicly does not work. it couldn't fucking work.
mircea_popescu: speaking of which and ben_vulpes boyhood dreams, ssto and so on : i dreamt last night that someone actually managed to create that true wunderwaffen material, the composite/ceramic with higher tensile strength than steel, but negligible caloric conductivity. making some iiiincredible jet engines.
a111: Logged on 2018-04-12 08:31 ckang: cant get behind all this 3d printer fanboy stuff, its just not a good substrate with the current materials for anything you want to last somewhat longterm
mircea_popescu: i think if you have not enough in your wallet it drops it silently ; and if the payment's not processed yet you might have nothing in your wallet yet.
mircea_popescu: there's also !!balance and !!ledger, and besides
mircea_popescu: so it permits indefeasible record of deeds ; something the fiat sovereigns have not yet managed.
mircea_popescu: http://deedbot.org/ << on deedbot you can register any arbitrary item ; it keeps a record that indeed your signature did so ; and it marks the time, through inclusion in the bitcoin blockchain
mircea_popescu: the deed in deedbot comes from the republican system for registration of deeds. think of it as your county clerk, you can go to him to register your wedding or business or w/e.
mircea_popescu: this is a lot more than meets the eye ; because it actually restructures conversations into a tree. things here have a depth not encountered anywhere else.
zx2c4: if you guys wind up using wireguard for part of your infra and want to support wireguard for a year, i'm always looking for large donations, etc. not sure if that's what deedbot is for exactly but that would be quite the nice deed
mircea_popescu: you can click the link and see a website-based story of the log ; the bot also reads the line referenced in conversation.
a111: Logged on 2018-04-12 16:32 mircea_popescu: now let's look at the logs :
mircea_popescu: now let's look at the logs :
mircea_popescu: they are not for you ; they are for me. deedbot works an otp verification model -- you tell it to do whatever you want, it asks you to prove you own the key, if you do it does it.
asciilifeform: zx2c4: they're for mircea_popescu to decrypt; it makes the command go.
zx2c4: no, not at all. im also not quite sure what to do with these pgp encrypted blobs i cant decrypt
mircea_popescu: zx2c4 you understand how the logs work btw ?
mircea_popescu: zx2c4 the tls fails i bet.
asciilifeform: mircea_popescu: lol notyet, i did the 'civilized' thing as you suggested.
asciilifeform: zx2c4: i'ma leave the rest of the session to mircea_popescu , owner of this chan, and my co-author in e.g. the FUCKGOATS auditable trng, https://archive.is/CGQkR )
asciilifeform: but it so happens that i in particular do not think much of the work of current 'pro cryptographers'.
mircea_popescu: o hey there zx2c4
zx2c4: seems like lots of things these days have testimonials
zx2c4: and then since several other colleagues and cryptographers have reviewed the system favorably
asciilifeform: zx2c4: so it is not possible currently for me to learn , which cryptographers reviewed, and what they had said ?
zx2c4: then in the acknowledgement of the paper, a few others are mentioned who reviewed it while it was being written
asciilifeform: i'm curious, for instance, whether any of the cryptographers observed that the arithmetical routines behind your ecc are not in fact constant time on e.g. arm.
zx2c4: i dont think they post the reviews? except that it was "accepted" to the conference
zx2c4: yea usually there's lots of information on the conference and board and whatnot
asciilifeform: and the reviews themselves, also ?
zx2c4: the paper was peer reviewed for NDSS'17
asciilifeform: are the reviews published somewhere ?
asciilifeform: since mentioned scrutiny : on www of 'wireguard', there is mention of 'reviewed by cryptographers' . may i ask, who reviewed ?
asciilifeform: i don't see 'not publicly smashed to bits of just yet' as a proof of strength, given as it is true of literally every system ever devised, until the moment of public breakage
zx2c4: blake2 came from blake which went through the sha3 contest as a finalist
zx2c4: but anyway, the world has learned quite a bit since md5
zx2c4: i'm pretty sure there's no conspiracy
zx2c4: theyre simple and fast on all hardware, and he came up with an api for using them that many developers like to use (the nacl stuff)
asciilifeform: but of djb's in particular, their sudden popularity in past few yrs also has no satisfying explanation imho.
asciilifeform: i am skeptical of all symmetric ciphers and hashes, given as there exists no scientific basis for considering any of them to be actually strong.
zx2c4: seems like there are many places and interesting ways to optimize at this point. lots of neat creative work coming out. but that with aes and whatnot, we're in a pretty good place in terms of symmetric crypto
zx2c4: so anyway, im less concerned about symmetric cryptography than other things
zx2c4: but even hardness of factoring... how hard is this actually? what number theoretic advances are right around the corner?
asciilifeform: sadly enough, there is not, as of my last look, a proof that rsa reduces to hardness-of-Factoring
zx2c4: things like RSA boil down to number theory problems. but that's in a sense scarier than the set of problems that good block ciphers tend to boil down to. because it means that those primitives have lots of _structure_, and generally structure is something that can be exploited. just look at all the amazing and fantastic attacks on things with structure. so just boiling down to a [currently considered] "hard problem" doesn't provide as much solace
zx2c4: not anymore than other things in cryptography worry me
asciilifeform: zx2c4: does it bother you that no proof of strength for any symmetric cipher other than otp (e.g. aes, chacha, etc ) exists ?
zx2c4: aes is also well understood, but is neither easy to implement, simple, nor fast on all hardware
asciilifeform: how did you settle on the use of bernsteinian cryptoprimitives ( e.g. chacha ) ?
asciilifeform: ( or see the ffa article series, http://www.loper-os.org/?cat=49 , currently on sabbatical but due to resume after i come back from upcoming biznistrip )
asciilifeform: zx2c4: i've spent the past ~2yrs writing a properly constant-time arithmetic lib. it is being slowly published. ( see earlier link to my www )
zx2c4: if you're interested in crypto primitives in wireguard in general, i can give you an overview of our implementations. the hacl and fiat code is not the only code we have in there
asciilifeform: zx2c4: most of the currently-sold intels are ok re : imul. arm, however, is not
asciilifeform: zx2c4: phf has been fiddling with the thing's uniturd processing of late; prolly introduced bug
shinohai: !~weather
a111: Logged on 2018-02-17 04:22 asciilifeform: mod6: i will share my current hypothesis : all current intels have MUL leakage
asciilifeform: btw zx2c4 , i must regret to inform you that the code you linked, is in fact NOT constant-time on several common architectures, because it makes use of machine MUL instruction ( gcc will compile a nonconstant-operanded '*' to e.g. IMUL on x86 )
zx2c4: you mean if you just wanted to hand audit the .o that comes out of this?
asciilifeform: out of curiosity, how big is the typical built binary for this library ? ( say, on amd64 )
zx2c4: ill show you the code
zx2c4: our discussion of HACL* and fiat-crypto pertains to the two C implementations of x25519
zx2c4: yes, there are no conditional jumps
asciilifeform: how is the latter guaranteed ?
asciilifeform: let's posit that the proving system itself contains no errors. what classes of error do these systems claim to exclude ?
zx2c4: fiat-crypto also has a 64bit one, but the HACL* one was faster
zx2c4: the 32bit one comes from fiat-crypto
zx2c4: the 64bit one comes from HACL*
zx2c4: our two x25519 C implementations (32bit and 64bit) are actually generated by theorem proving software, so that we're sure they dont contain any errors
zx2c4: another advantage of DH over RSA is that ECDH allows for really short and sweet keys
zx2c4: in otherwords, the kernel's built-in RNG