asciilifeform: in other quiteolds, http://werner-heisenberg.unh.edu/diary.htm
BingoBoingo: "The chickens on the lower floor bother me a little, though their usefulness makes sense to me in every way." << What redditard would accept this compromise!
BingoBoingo: "In Urfeld it turns out that over night the garden was trampled by deer." << Who could have predicted free food would just walk by and make a mess of your labor food.
shinohai: Venison + Salad .... mmmmmmm
mod6: <+mircea_popescu> meanwhile in lulz for alf, https://bitcointalk.org/index.php?topic=1959633.msg19501495#msg19501495 << HEH
deedbot: http://qntra.net/2017/08/a-list-of-known-bitcoin-ransom-cases/ << Qntra - A List Of Known Bitcoin Ransom Cases
BingoBoingo: !~later tell cazalla ty
jhvh1: BingoBoingo: The operation succeeded.
BingoBoingo: !!up edivad
deedbot: edivad voiced for 30 minutes.
edivad: hallo
edivad: i'm a junior sysadmin trying to install trb on my VPS without success
mircea_popescu: specifically ?
edivad: fwiw it seems that V download seals and patches but then the bitcoin source code is not included, and i should gather it on my own?
mircea_popescu: are you using what, mod6 's recipe ?
edivad: yes, following these instructions since the beginning: http://thebitcoin.foundation/trb-howto.html
edivad: tried both online and offline mode, with zero luck
mircea_popescu: did you do 0x09, gathered vpatches ?
edivad: yes
mircea_popescu: mod6 did a u160 test item end up stranded in there ?
mircea_popescu: edivad this is somewhat odd as i recently had a new node configured, came out just fine.
edivad: tried also yesterday to troubleshoot with mod6, (there was another issue related to the locale of my OS, then fixed with him), but now i'm stuck at 0x0B
mircea_popescu: seems you're missing a file for some reason.
edivad: i'm on ubuntu 16.04, fresh installation
mircea_popescu: that wouldn't do anything.
trinque: > patch: not found
edivad: maybe it's just a permission problem?
trinque: no, you're missing the utility patch.
mircea_popescu: doh.
mircea_popescu: edivad sudo apt get patch eh.
edivad: was an assumption in the tutorial?
mircea_popescu: well, it's technically part of core linux, but apparently they ship systems without.
mircea_popescu: will prolly have to add patch to the pile at the end eh.
edivad: patch is already the newest version (2.7.5-1).
mircea_popescu: i have 2.6
mircea_popescu: edivad can you run it from command line ?
edivad: yes
mircea_popescu: this is bizarre. try the actual line from the .sh that fails ? (prolly the first one to string match "patch") ?
edivad: guys, i'm gonna have asap my usual generous amount of morning coffee, since i was typing in the wrong VPS
mircea_popescu: lol!
edivad: now just installed patch on the right vps
trinque: loller
mircea_popescu: ah so okay. that makes more sense then.
mircea_popescu was bracing self for "o look, new version of patch, breaks downstream" lulz.
edivad: gonna report even in case of success
mircea_popescu: a sound policy.
trinque to bed, to dream of tomorrow's generous amount of morning coffee
mircea_popescu: enjoy.
BingoBoingo wishes trinque a night with no strange knocks on door
edivad: may I take advantage of my troubleshooting sign up into the channel to ask about tmsr?
mircea_popescu: ask away
edivad: thanks, basically i was reading the universal plan for wealth
mircea_popescu: !!key edivad
deedbot: Not registered.
mircea_popescu: you can just register a key you know.
edivad: !!key edivad
deedbot: Not registered.
mircea_popescu: !!help
edivad: thanks
edivad: nice
BingoBoingo: !!up edivad
deedbot: edivad voiced for 30 minutes.
edivad: I know bitcoin since a couple of years and learned the hard way how to protect my funds and stay away from scams. Now I finally got into the sweet spot where I realized how many orders of magnitude my savings are safer in bitcoins
edivad: Then after this "sweet spot", also the universal plan for wealth makes sense to me
mircea_popescu: so good for you.
BingoBoingo: edivad: Ah, so at this point reading into TMSR history will be very beneficial for girding yourself against long cons and other social engineering attempts against your wealth and your self.
edivad: but my question is: as a student without a regular job, should I aim at a minimum wage job, to possibly apply for credit and then fly away to a second/third world country, get a decent house, marry and reproduce?
mircea_popescu: how is another man going to answer that question for you ?
edivad: or there is a better way to get credit, without harming finance of my family (so not asking to them to put collaterals for my loans)
mircea_popescu: this is how growing up goes : you take stock of situation, you make a plan, you implement it.
BingoBoingo: edivad: Which socialist hellhole do you reside in now?
edivad: mircea_popescu: because the universal plan for wealth makes some great guidelines, but then since every situation is different, I'm trying to understand if there is a better approach for who hasn't already a job and is studying
edivad: BingoBoingo: italy
BingoBoingo: Have you considered working construction?
mircea_popescu: what are they to build in italy ?
BingoBoingo: STADIUMS!
BingoBoingo: For the latest wave of Vandals!
edivad: in these summer holidays, aside from ruinous altcoin trading, I've done some painter job paid 5 euros/hour
edivad: since it was the first work experience, I was even able to enjoy it
edivad: but then after a month i realized that I was needing a better plan
mircea_popescu: i can see that heh
BingoBoingo: Painting done well is a perfectly respectable trade.
BingoBoingo: And it's a rather portable skill
edivad: well, I have a spare brazilian passport in the drawer, so when I've read the universal plan, I instantly got some very powerful energy for a future exit plan
deedbot: http://qntra.net/2017/08/y-combinator-startups-begin-overt-political-discrimination/ << Qntra - Y Combinator Startups Begin Overt Political Discrimination
edivad: now that i've registered my pgp key, should i be able to authenticate signing something?
BingoBoingo: edivad: Just remember that hunger can be the most devious thief of all as evidenced by kakobrekla's 500 BTC car. Every situation is different, but many of them rhyme.
BingoBoingo: edivad: You authenticate by decrypting something.
edivad: OK
mircea_popescu: and in random other lulz : it's funny how the libertards worshipping at the watergate shrine usually omit to mention that by then washington post had been a libel tabloid for years. somehow dillard stokes' name never comes up. somehow they don't seem to notice it always was simply us sturmer.
edivad: make[3]: c: Command not found
edivad: in this case what is missing?
mircea_popescu: gcc ?
edivad: gcc is already the newest version (4:5.3.1-1ubuntu1).
BingoBoingo: !!up bounce
deedbot: bounce voiced for 30 minutes.
mircea_popescu: edivad your makefile is getting mangled somewhere.
edivad: let me copy the entire error log
BingoBoingo: !!up edivad
deedbot: edivad voiced for 30 minutes.
edivad: tried now to install the common bitcoin core dependencies with apt
edivad: but no luck
edivad: when i'll login again in IRC, what command should i use to authenticate?
mircea_popescu: !!key edivad
mircea_popescu: use !!v in pm to deedbot.
mircea_popescu: !!rate edivad 1 painter/student
deedbot: Get your OTP: http://p.bvulpes.com/pastes/brgvw/?raw=true
edivad: let me try
mircea_popescu: and in other civilised behaviours : always remember to hold pinky elevated! http://68.media.tumblr.com/e0686d449baf8a8d73a2199a83f7780c/tumblr_o1f357D0Zh1sr105eo1_1280.jpg
BingoBoingo: !!up edivad
deedbot: edivad voiced for 30 minutes.
BingoBoingo: !!key edivad
mircea_popescu: lol nothing works for this guy does it.
BingoBoingo: !~later tell trinque maybe look into the edivad deedbot registration thing? Guy is having a hard time
jhvh1: BingoBoingo: The operation succeeded.
mircea_popescu: edivad do it here.
edivad: ok
edivad: !!v
mircea_popescu: ...
mircea_popescu: read the help would you.
edivad: !!up
deedbot: Get your OTP: http://p.bvulpes.com/pastes/WQBqO/?raw=true
edivad: !!v 47E94847E0937D49A0D0EBF20F880C396B416F19177CCDCF756E42A74558A76B
deedbot: You are now voiced in #trilema
edivad: wow :)
edivad: thanks BingoBoingo for the help
BingoBoingo: you are welcome
edivad: a thing that i've not asked and now i remembered
edivad: is it allowed/polite to scrape all the btcbase.org/log website?
mircea_popescu: you could just make your own logger.
edivad: I've done it yesterday for a friend that asked me a dvd with the logs inside, to read them when on holiday with no internet access
mircea_popescu: nothing wrong with it.
mircea_popescu: they also end up on archive.is, because the bot archives links and the odds of a whole day going by without a single log reference are small.
edivad: ok thanks, initially i thought that maybe doing 400-500 mb of http traffic could be seen as a bad thing
mircea_popescu: well so if you thought that you could have asked before rather than after eh.
mircea_popescu: anyway, forward your thanks to phf for allowing your exercise.
edivad: i know, it wasn't a smart move, but if you see a spike of traffic now you know that it wasn't a ddos attempt
mircea_popescu: i don't maintain btcbase ; phf does.
mircea_popescu bbl
edivad: phf: so, sorry for not having asked before
BingoBoingo unsure phf really will notice one complete scrape
edivad: it was about 250 mb iirc
edivad: but i've done it two times because the first went wrongly to the standard output
deedbot: http://phuctor.nosuchlabs.com/gpgkey/B47B72AF088972BB3797D9E788CB4552536D6536CAB9BD720FAC499CC89527BF << Recent Phuctorings. - Phuctored: 1537...4537 divides RSA Moduli belonging to '210.48.108.183 (ssh-rsa key from 210.48.108.183 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (gordon.mostfm.com. NZ AUK)
deedbot: http://phuctor.nosuchlabs.com/gpgkey/B47B72AF088972BB3797D9E788CB4552536D6536CAB9BD720FAC499CC89527BF << Recent Phuctorings. - Phuctored: 1781...1313 divides RSA Moduli belonging to '210.48.108.183 (ssh-rsa key from 210.48.108.183 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (gordon.mostfm.com. NZ AUK)
mircea_popescu: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
mircea_popescu: what happened to your key ?
PeterL: hi, thanks for the !!up, my key is on another computer
mircea_popescu: aite
PeterL: http://btcbase.org/log/2017-08-08#1695498 << this is completely unrelated to sina's item
a111: Logged on 2017-08-08 23:26 mircea_popescu: PeterL http://btcbase.org/log/2017-08-08#1695421 << is this supposed to interface with sina's item ?
mircea_popescu: alright
PeterL: I looked at miller-rabin, and switching over to that algorithm is quite simple
mircea_popescu: found a c impl somewhere ?
PeterL: I tested the fermat test, and with 100 numbers of 1024 bits deemed prime by the fermat test, 50 were found to be composite by miller-rabin
mircea_popescu: aha.
PeterL: so yes, using the fermat test would be bad
mircea_popescu: and mind that m-r is a ~probabilistic~ test.
mircea_popescu: you gotta have the params set correctly
PeterL: http://btcbase.org/log/2017-08-08#1695504 << so the program goes through the keys and checks the decryption against each challenge-string
a111: Logged on 2017-08-08 23:33 mircea_popescu: PeterL +# IMPORTANT NOTE: if the cs is too small, messages have a chance to get decrypted by the wrong key << what is the logic behind this ?
PeterL: if you have a 0 byte cs, then every message looks good
mircea_popescu: um.
PeterL: using the wrong key will result in a random byte string, so with a cs of 1 byte, you have 1/256 chance of looking like it was the right key
mircea_popescu: 0 length isn't usually what one thinks of when seeing "too small". same is true if 1 byte string ?
mircea_popescu: uh.
PeterL: so I guess "too small" would be something like two or less?
PeterL: not that using the wrong key will give you the plaintext message, but that if it uses the wrong key and happens to match the cs for that key, it will pass the pile of garbage on to all the peers
mircea_popescu: so you are telling me that m ^ e ^ d mod n always has an integer solution for randomly chosen parameters.
PeterL: well, won't that calculation always result in an integer?
mircea_popescu: yes, but would that integer then also be m ?
PeterL: oh, wait, no, I didn't see the extra ^ e in there
mircea_popescu: this is the basis of rsa : m ^ e ^ d = m mod n
mircea_popescu: or how shall i best put it, that's not equality but modulo congruence. whereby 7 = 5 mod 2
PeterL: if you have an encrypted text c, then c ^ d mod n will give an integer, without previously knowing m, how will you check for congruence?
mircea_popescu: PeterL the logical approach would be to include a checksum neh ?
mircea_popescu: https://www.ti89.com/cryptotut/rsa3.htm << very handy rsa tutorial in that it uses base 10 and alphabet-indexing for letters. so one can actually rsa by hand and get a good model of what's going on.
PeterL: aha, that seems like a logical solution.
mircea_popescu: PeterL the broader point here being that you can't warn the user about things he can't control. you gotta provide for it yourself.
mircea_popescu: PeterL the other problem this discussion reveals, of course, is that you aren't using any padding ?
PeterL: this is the padding algorithm described by alf: take random bits r and message x, encrypt r to key A and encrypt (r XOR x) to key B
mod6: edivad's environment is indeed some sort of non-developer version of linux that has almost no tools pre-installed. also, had some non-english version, which my V does not work with. Yesterday asked him to remove gpg v2, and install v1.4.10.
mircea_popescu: PeterL and then you add key A and B to the message at the end so recipient can un-pad ?
mod6: These problems should be resolved once sane environment is achieved.
PeterL: no, recipient goes through his list of keys A and B until he finds the one that decrypts it
mircea_popescu: ...
mircea_popescu: i think you misconstrue alf's padding algo.
PeterL: that is also possible
mod6: meanwhile, I'll add a preface to the HOWTO doc on the minimum requirements. thanks to diana_coman for gathering them up once upon a time.
mircea_popescu: now : textbook rsa (the sort of thing you seem to be discussing, above) has no semantic security and on top of that is malleable.
mircea_popescu: it's not useful in the field.
PeterL: that is what we were trying to fix, no?
mircea_popescu: long fixed problem, so not really.
mircea_popescu: now, alf's scheme is probably valid padding, though it is very expensive. it works like so : to encrypt a message m to key X, you : a) generate two one-time keys, A and B. you encrypt some bits of m to A and some to B, randomly chosen. you pile together : the bits of m encrypted with A, the bits of m encrypted with B, the schedule of which is which, and the keys A and B into one large m'
mircea_popescu: and THAT you then encrypt to key X and send over.
mircea_popescu: what gpg normally uses is called OAEP
mircea_popescu: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
mircea_popescu: it's a sort of two-box permutation thing.
mircea_popescu: basically it takes a random string, jumbles it with the original message, and spits out two halves. the hope with it is that it provides all-or-nothing security, in the sense that to recover any bit of the message you need to correctly process the entire pair of jumbled strings.
PeterL: this thing? http://btcbase.org/log/2017-02-14#1613906
a111: Logged on 2017-02-14 19:19 asciilifeform: specifically, for every byte you intend to send, you instead send two: x, y. which you generate by obtaining rng byte r, and payload byte b, and x := b xor r, y := r
mircea_popescu: similar, but not exactly.
mircea_popescu: oaep works like this : given hash and hash' hash functions, calculate X as hash(m00) xor G(r) and Y = r xor hash'(X).
mircea_popescu: because hash and hash' are used to stretch/reduce the bitlength of their parameters, something like mpfhf (which permits arbitrary sized outputs/inputs) could work well ; but is also slow.
mircea_popescu: and besides, not muchly tested yet.
mircea_popescu: and upstream, to make clear what "semantic security" means : rsa is deterministic, if i wish to see if your "encrypted" string really was message m, all i have to do is encrypt m myself. if the results match i have cryptographic confirmation.
PeterL: is that a good thing?
mircea_popescu: (and, of course, for short messages ie shorter than n i can just compute the e-root).
mircea_popescu: PeterL terrible, terrible thing, which is why irl rsa is always padded.
mircea_popescu: and since we're apparently doing rsa likbez : if r used in padding above contributes less than n / e^2 bits of entropy to the final, padded message, coppersmith has a few words to tell you.
mircea_popescu: (and they are http://www.di.ens.fr/~fouque/ens-rennes/coppersmith.pdf )
PeterL: mircea_popescu linking to a pdf, what is the world coming to!?
mircea_popescu: i know right ?
PeterL: in " n / e^2 bits of entropy ", what are n and e, the key modulus and exponent?
mircea_popescu: yes.
PeterL: do you mean the bitsize of n and e, or the actual numbers?
mircea_popescu: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
mircea_popescu: i mean the bitsize ; it's not just that though, partially known secrets, low exponents etc all conspire to empower the lattice reduction.
PeterL: how low is low for an exponent?
PeterL: and what partially known secrets here?
PeterL: is 65537 big enough for an exponent?
mircea_popescu: 3, generally. that, you never know. yeah.
deedbot: http://trilema.com/2017/se-vende-joyeria-fina/ << Trilema - Se Vende Joyeria Fina
mircea_popescu: anyway, let it be said that there's nothing wrong with oaep as far as we know, but for the sake of argument a mpfhf based padding scheme would conceivably work like this : 1. given message m, of length l, generate r = random bits, of length l' up to l but not less than 256 bits. 2. compose m' = r + m + c (in that order), where c is l - l' (and its bitness is always same as the bitness of len(m')-256). 3. compose Pm = R + S +
mircea_popescu: c (in that order), where R and S are produced by mpfhf(m') with R len set to c (bitness same as bitness of len(Pm). Pm will be the padded message sent to RSA. The recipient will have to undo mpfhf with known R and S to obtain m.
mircea_popescu: this scheme is both slow and bulky. it is not likely useful for gossipd-style comms. it is certainly valuable for signing material, especially because rsa signature is much more padding-vulnerable than encryption ; and perhaps for some limited encryption work.
mircea_popescu: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
mircea_popescu: PeterL so if you feel like writing a mpfhf reverser... afaik nobody has to date.
BingoBoingo: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
PeterL: I will check in later once I am back at my computer with my key to verify this conversation has been with the real PeterL
PeterL: I will have a look at making a reversing function for the mpfhf
BingoBoingo: !~ticker --market all
jhvh1: BingoBoingo: Bitstamp BTCUSD last: 3298.67, vol: 13040.95962783 | Bitfinex BTCUSD last: 3294.8, vol: 30614.16409473 | BTCChina BTCUSD last: 3325.733768, vol: 12852.97540000 | Kraken BTCUSD last: 3337.978, vol: 6685.96834593 | Volume-weighted last average: 3306.45847118
mircea_popescu: works
PeterL: mircea_popescu: if l is less than 256, then l' = 256?
PeterL: for your padding scheme above ^
mircea_popescu: no. l' = rnd(0, l) ; if l' < 256 l' = 256.
mircea_popescu: and rnd(256, l) is not equivalent because who the fuck knows what rnd does when a > b.
PeterL: so not more than rather than not less than 256
asciilifeform: http://btcbase.org/log/2017-08-09#1695792 << variably-sized packets are the mistake here.
a111: Logged on 2017-08-09 14:11 PeterL: if you have a 0 byte cs, then every message looks good
mircea_popescu: huh ?
asciilifeform: use fixed size.
mircea_popescu: asciilifeform i was discussing a more general rsa scheme, not gossipd specifically.
asciilifeform: aite, i'm walking the l0gz still
mircea_popescu: but yes, for unrelated reasons fixed size is the right choice for gossipd.
PeterL: asciilifeform, I am not sure I understand what you are getting at here
asciilifeform: http://btcbase.org/log/2017-08-09#1695799 << of course it does. rsa decrypt is c^d(mod n) , where c is ciphertext , n is public modulus, d is private exponent.
a111: Logged on 2017-08-09 14:14 mircea_popescu: so you are telling me that m ^ e ^ d mod n always has an integer solution for randomly chosen parameters.
asciilifeform: this produces a solution always.
asciilifeform: ( but it will be rubbish if either of the 3 values is not the expected one)
asciilifeform: PeterL: don't permit messages of any length but L.
asciilifeform: L is e.g. 512.
asciilifeform: not 1 byte more, not 1 less.
asciilifeform: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
PeterL: right, my scheme was doing that
asciilifeform: PeterL: so what was this : http://btcbase.org/log/2017-08-09#1695794 about ?
a111: Logged on 2017-08-09 14:12 PeterL: using the wrong key will result in a random byte string, so with a cs of 1 byte, you have 1/256 chance of looking like it was the right key
PeterL: It checks to see if it is using the right key by comparing the decrypted text against a pre-known challenge-string (cs)
asciilifeform: so why on earth would you permit anything like a 1 or 0 byte string ?!
PeterL: mircea_popescu suggested instead using a checksum
asciilifeform: that's the more typical solution aha
PeterL: who am I to stop people from sabotaging themselves?
asciilifeform: PeterL: one of the most comical failure modes, ubiquitous in usg crypto, is the null cipher
asciilifeform: where there is a ready-made 'shoot yourself in the head' button, conveniently under everywhere you might ever put your elbow
asciilifeform: this is not to continue .
PeterL: I see.
PeterL: I am still learning here, the last time I came and said "how do I know if I have used the right key to decrypt it?" nobody suggested a checksum, now I will try to figure out how that would fit into the program
asciilifeform: you have a substring S in every packet, that gotta equal H(rest of the packet) or whole thing discarded.
asciilifeform: ( importantly, the fact of said discard must not be discernible through timing side channel )
asciilifeform: requirement for H is more or less the opposite of mircea_popescu's hash exercise -- it gotta compute in fixed time.
asciilifeform: ( while otherwise quality hash. my current favourite for this is keccak's hash )
mircea_popescu: asciilifeform man, you're mixing industrial process into educative discourse without any sort of rhyme or reason, resulting in some very confused and eventually frustrated people.
erlehmann: PeterL 1. write grammar 2. ??? 3. never correct invalid input, nuke it from orbit instead
asciilifeform: aite, i'ma let mircea_popescu handle pedagogical thread, brb
mircea_popescu: don't even have to, but consider the context. yes "it's what rsa is", that's what i'm checking, that he knows.
mircea_popescu: erlehmann wanna do that ?
erlehmann: mircea_popescu nope.
mircea_popescu: how come ?
PeterL: so for longer messages, they will get cut into chunks. Is it better to check the first chunk until you find the right key and then use it to decrypt the whole message, or do you want to decrypt the whole message with every key (to hide the fact you found a match)?
mircea_popescu: PeterL the cutting into chunks should happen prior at some client level. it's ok if your think accepts no messages longer than x. irc doesn't either.
mircea_popescu: your thing*
PeterL: but I want to make longer messages possible
mircea_popescu: why ?
PeterL: why not?
erlehmann: mircea_popescu it feels like work. i had that experience a few minutes ago, when i explained to a rando on the train the concept of non-existence dependencies.
mircea_popescu: because udp packets if nothing else ; besides "longer" is not the same as endless.
mircea_popescu: erlehmann so what, you're of a firm "will only work for evil empires" persuasion ?
erlehmann: no, just tired
mircea_popescu: in other lulz, /me went to open bank account today. you can not BELIEVE how fucking pussy whipped these people are. a) bank's only wire intermediary is bank of america. why ? uh... that's what the other banks do too. but... why ? umm... is it because you schmucks are a us colony, in the sense you don't get medicare and they still get all your shit anyway ? uhhhh
PeterL: well, udp packet is a lot bigger than the 512 bytes that fit in a rsa packet, why waste all the space?
mircea_popescu: b) they want to... "know your customers". bitch, it's none of your fucking business ? uh no, because ley so and so say so.
asciilifeform: PeterL: 512 is really top limit of 'guaranteed nonfragment no matter what'
mircea_popescu: im guessing i'll be taking ads in the local newspaper, "looking for lawyers willing to sue the government, apply within".
mircea_popescu: PeterL how did you come up with the 512 value ?
asciilifeform: empirically
mircea_popescu: asciilifeform damn. listen you!
PeterL: do we need guaranteed non-fragment ?
PeterL: and if we are sending to key A and B, we will need 1024 bits for each segment anyway
mircea_popescu: PeterL let's get back to cogency here. how did you come to the "512 rsa packet limit" ?
PeterL: 4096 bit key n, message needs to be smaller than that, right?
mircea_popescu: nope.
PeterL: well, shoot, I must be confused somewhere
mircea_popescu: how did you get that idea ?
mircea_popescu: pro tip : it is always a very useful thing to be able to reflect your own mental process, which starts with being able to answer "where i got this from". makes error handling much faster and infinitely more efficient.
PeterL: c^d mod n = m, therefore m must be smaller than n?
mircea_popescu: PeterL can you tell me anything about what the greeks used for encryption ?
PeterL: not really, the Caesar cipher or something?
mircea_popescu: well Caesar was a roman, wasn't he ? the "technologically advanced" dorks that took the sail tech of the people who sailed from sweden to south africa and made some square sailed tubs that sunk in the mediterranean half the time.
mircea_popescu: i mean actual strategoi of the ancient greece.
mircea_popescu: !#s scytale
a111: 6 results for "scytale", http://btcbase.org/log-search?q=scytale
mircea_popescu: basically they had this early elliptic curve crypto, implemented as an arbitrary cone on which they wrapped a string. because the string is fixed length see, whereas the section of cone is not.
mircea_popescu: make sense to you ?
PeterL: alright, so the decryption relied on having an identical physical object?
mircea_popescu: yeah.
mircea_popescu: now, intuitively, would you imagine this worked at all if the string was so short it never fully wrapped ?
PeterL: ok
PeterL: hmm, no, it would have nothing to transpose to
mircea_popescu: short messages are a problem for rsa, not a boon. this is generally fixed by padding.
PeterL: ok, but how short is short?
mircea_popescu: shorter than size of n, here.
PeterL: I thought it was only bad if m^e was less than n?
mircea_popescu: that's what i meant earlier with the e-root. if say your key is 1024 bits, and your exponent is 3, and your "encrypted" message is, numerically, 1404928, i can readily extract the cube root and find the original as 112.
mircea_popescu: had there been a wrap, i couldn't have extracted the cube root [quite so easily]
PeterL: right, I understand that part
mircea_popescu: PeterL yes, there is that. larger e provides some protection against this issue.
mircea_popescu: but in any case, the point is -- rsa is not better for shorter messages. for really short messages it can be really shitty. which is why my 256 minimum bits in the padding scheme.
PeterL: alright, so my scheme pads everything to the length of the key, but as I understand it still has to be smaller than the key n?
mircea_popescu: what it and why ?
PeterL: because you are calculating a number mod n, so the result will therefore be smaller than n
mircea_popescu: so ?
mircea_popescu: that the result is smaller than n is of no consequence to you is it.
PeterL: so you can't use a number larger than n
mircea_popescu: why not ?
PeterL: because the decryption is also a calculation mod n
mircea_popescu: really, use that item i linked earlier.
a111: Logged on 2017-08-09 14:24 mircea_popescu: https://www.ti89.com/cryptotut/rsa3.htm << very handy rsa tutorial in that it uses base 10 and alphabet-indexing for letters. so one can actually rsa by hand and get a good model of what's going on.
asciilifeform: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
mircea_popescu: do an example once, it's instructive. easy to follow because small numbers.
PeterL: it looks like this thing is encrypting each character individually?
mircea_popescu: it is.
PeterL: so each character must have a value less than the n it is using, right?
mircea_popescu: you mean, the modulus, p * q ?
PeterL: yes
mircea_popescu: right, solving will only find the lowest anyway.
PeterL: so the message is larger than the key modulus, part of it will be lost when it is decrypted
PeterL: so if ^
mircea_popescu: and so thereby a 4096 bit key can handle chunks of up to 512 bytes of message.
PeterL: yes
mircea_popescu: slightly less even. but anyway.
deedbot: http://qntra.net/2017/08/bitcoin-network-mining-diffficulty-up-7-32-to-another-all-time-high-in-first-adjustment-after-roger-ver-ified-fork/ << Qntra - Bitcoin Network Mining Diffficulty Up ~7.32% To Another All Time High In First Adjustment After Roger Ver-ified Fork
mircea_popescu: PeterL and as asciilifeform aptly points out, this happens to be convenient, because it's right around the size of the nonfragmenting udp packet.
mircea_popescu: (the preceding line was 146 characters, which is less than 146 bytes, especially if you do a lzw or something like sane people first)
PeterL: and my scheme splits messages into r and m xor r, so I need 1024 bytes to pass the smallest message, which is already larger than the UDP "unfragmentation limit" of 512 bytes, so why stop there and not just let the message get longer by adding in some more chunks?
PeterL: up to the limit of the size of a udp packet?
asciilifeform: PeterL: think carefully, this is flawed logic
asciilifeform: you don't ~have~ 1024 bytes
PeterL: please, help me see the flaw?
asciilifeform: ergo if you want to use the xor padding algo, you are stuck with payloads of half the size.
PeterL: which would mean using keys of half the size, right?
asciilifeform: not necessarily
mircea_popescu: PeterL what is the scheme contemplated here, that you take a say 8 byte message, generate an 8 byte r, then create a 16 byte padded message by appending the r and the r xor m and then rsa that ?
asciilifeform: ( i will also note, the problem with allowing packet fragging is that frag reassembly is a Something-To-Allcomers operation . )
PeterL: mircea_popescu: but encrypting the r to one key and the r xor m to a second key, so you end up with two rsa-key-length segments
mircea_popescu: ok, so then you also send 2, udp sized packets ?
PeterL: well, I was putting it all in one udp packet
mircea_popescu: yes, but we're examining why and whether you have to.
PeterL: if they did not come together in one packet, then you would have to hold onto packets and try to match them up with their partner
mircea_popescu: yes.
PeterL: this seemed like it would be cleaner
mircea_popescu: but even if you send them "together", there's no guarantee they stay unfragmented. not at that size.
PeterL: (perhaps I misunderstand how udp packets get reassembled)
mircea_popescu: as alf says : "something to all comers". primo target of ddos monkeys.
PeterL: the other option would be to use rsa keys of half the size, allowing only 256 byte messages
mircea_popescu: you mean messages of half the size.
PeterL: well, message still limited by key size, so yes
mircea_popescu: so your gossiptron only accepts lines of up to 256 chars in length, then you lzw that and pad etc. not the end of the world.
mircea_popescu: the rng consumption will be significant though.
PeterL: but that 256 also has to carry stuff like user name
mircea_popescu: yes.
PeterL: still better than twitter, I guess
mircea_popescu: you would see value in eg irc dropping its 200 char limit or what was it ?
PeterL: I do find it annoying that long messages get split, but I guess it is not the end of the world or anything
PeterL: suggestions on a good hash function for a checksum?
mircea_popescu: xor the bytes ?
asciilifeform: lol that's probably the worst conceivable
mircea_popescu: :D
mircea_popescu: !!up PeterL
deedbot: PeterL voiced for 30 minutes.
mircea_popescu: anyway, crcs usually what people use.
mircea_popescu: steal gnuradio's crc32 for instance.
mircea_popescu: iirc openpgp used a crc-24 self-formulation
mircea_popescu: (that =4char thing at the end of the messages)
mircea_popescu: and with this, PeterL finds himself exposed to galois fields, polynomial division, and the rest of the "easy to implement and straightforward" jewels.
asciilifeform: you wouldn't want to use a checksum ( e.g. crc ) for decryptable-legit vs random rubbish distinguisher
asciilifeform: this problem was how we even ended up with cryptological hash functs
asciilifeform: ( if anyone recalls my sageprobe crack ? that was as simple as it was because the thing used crc as hash... )
mod6: BingoBoingo: 7-ish
BingoBoingo: mod6: ty fxd
PeterL: asciilifeform: ^ what would be the downside of using crc for this?
PeterL looks, finds a .py standard lib function for this: binascii.crc32
deedbot: http://phuctor.nosuchlabs.com/gpgkey/FB227B026FA94ABC18FD0A71ADB21D83E8E43BBF14F2DEBFE85F490FFF3627B9 << Recent Phuctorings. - Phuctored: 1578...0979 divides RSA Moduli belonging to '82.214.135.102 (ssh-rsa key from 82.214.135.102 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (82-214-135-102.itsa.net.pl. PL)
deedbot: http://phuctor.nosuchlabs.com/gpgkey/FB227B026FA94ABC18FD0A71ADB21D83E8E43BBF14F2DEBFE85F490FFF3627B9 << Recent Phuctorings. - Phuctored: 1618...0213 divides RSA Moduli belonging to '82.214.135.102 (ssh-rsa key from 82.214.135.102 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (82-214-135-102.itsa.net.pl. PL)
mircea_popescu: asciilifeform yes, well, everything has problems. but there's a difference between using a crc as hash and using a crc as checksum ; and using say sawed-barrel keccak (take first or last x bytes, whatever) isn't all that good because it's really not designed for fragment behaviour like that, nor was such studied
mircea_popescu: trying to stuff a mac or something in there will make the boondoggle regret the days of the aes/rsa combo.
mircea_popescu: besides rsa allows existential forgery ~anyway~.
asciilifeform: waiwat
asciilifeform: whole point of the M+H(M) or no-go combo is to prevent forgery.
asciilifeform: ( if message dun match the prescribed structure -> forgery )
mircea_popescu: so you want to take a message m, add that many random bits to it, and then add twice that many bits as a hash of the pile, thereby using 25% of the space for the plaintext ?
mircea_popescu: (the rsa forgery comment was re sig ^ e mod n || sig mod n always verifies as validly signed.)
mircea_popescu: and incidentally, pss should prolly be in the final tmsr-rsatron huh.
mircea_popescu: http://grouper.ieee.org/groups/1363/P1363a/contributions/pss-submission.pdf for the day of the pdfs.
mircea_popescu: (ftr, the way pgp does it is that it repeats two bytes of a more or less random block of 16 bytes, and then checks if they came out the same. this is in fact WORSE than http://btcbase.org/log/2017-08-09#1696023 but then again contemporary applied cryptography is a very low effort, low quality field).
a111: Logged on 2017-08-09 18:37 mircea_popescu: xor the bytes ?
mircea_popescu: (believe it or not, the 18 byte lulz is actually specified as such, https://archive.is/QYKu5#selection-3121.6-3121.789 ; worth a read, has null IV and all sorta gems)
mircea_popescu: BingoBoingo by following qntra link, i fell upon http://trilema.com/2014/the-woes-of-altcoin-or-why-there-is-no-such-thing-as-cryptocurrencies/#comment-117679 which i suppose explains http://btcbase.org/log/2017-08-01#1692327
a111: Logged on 2017-08-01 23:43 mircea_popescu: i suspect steemit is a sort of how did they call that alt-disqus/alt-github "let us steal your content" thing ?
BingoBoingo: Ah, that may be it?
mircea_popescu: guy made a blog, next year but still.
BingoBoingo: Not really made a blog. Started making posts on platform that it seems some other folks made.
BingoBoingo not looked into "who made Steemit"
mircea_popescu: it's incomprehensible to me, how this "i moved from a forum to a ... forum" thing works in the public's mind.
mircea_popescu: but, it given, it's no wonder all cars migrating to being the same engine in different plastifications.
mircea_popescu: BingoBoingo http://btcbase.org/log/2016-05-21#1470340 << low effort reddit spinoff ?
a111: Logged on 2016-05-21 23:31 shinohai: https://steemit.com/girlsgonesteem-nsfw/@steempower/welcome-to-girls-gone-steem#comments <<< the logo even looks like a turd. "steem"
asciilifeform: mircea_popescu: i looked at the pss thing, seems like simply yet another obfuscatorily-complex nsaological artifact
mircea_popescu: iirc there is a proof it is as secure as rsa.
asciilifeform: replete with magicnumbers, 'random oracle' assumptions, 'perfect hash', and other maculae
mircea_popescu: what is this, bayesian proof evaluation ?
asciilifeform: mno, i did go & read
asciilifeform: here's a gem :
asciilifeform: ''When RSA is the underlying primitive, something even more is known: that the ability to forge with resources R in an attack which does not exploit some structural characteristic of the MGF implies the ability to invert RSA on random strings using computational resources only slightly greater than R.''
mircea_popescu: so what is teh fail ?
asciilifeform: see problem ?
asciilifeform: thing ~assumes~ own conclusion ! aquinas-style.
mircea_popescu: wait.
asciilifeform: now if you want a pubkeycrypto where this proof actually exists, i know of exactly one : cramer-shoup
mircea_popescu: the statement is that if pss is used atop rsa, then barring poor implementation a forgery is going to cost more than what reversing rsa costs.
asciilifeform: ( my distaste for it comes largely from it not being rsa, and from a suspicion that enemy has a partial pill against discrete logarithm problem , given that dsa was based on same )
mircea_popescu: pubkey crypto dun enter into it, this is a discussion of signature hashing (digests, really) schemes.
mircea_popescu: distaste for c-s ?
asciilifeform: possibly distaste is wrong word
asciilifeform: but for above reasons i prefer rsa.
mircea_popescu: i thought there's consensus re offering c-s in teh tmsr cryptotron
asciilifeform: i don't know of any hard, tangible reason to avoid it.
asciilifeform: at any rate it is just as easily implemented on pmachine as rsa.
mircea_popescu: afaik pretty much the only candidate besides rsa itself.
asciilifeform: ( dun require any new primitives )
asciilifeform: aha.
asciilifeform: i know of no others worth bothering with.
mircea_popescu: but in my own mind the "well alf is making P" pretty much was "he's walking the path to both cs and rsa impls to the furthest node"
asciilifeform: correct.
mircea_popescu: otherwise why implement a ptron rather than simply a rsatron.
asciilifeform: incidentally you get best attributes of both if you harness them as i described, via otpxor
asciilifeform: ( yet another reason for pmach )
asciilifeform: you can do more or less whatever variations on whichever theme, you feel like, all it costs is a few extra chars in pubkey
erlehmann: btw i found a new social game
erlehmann: 1. mention non-existence dependencies to people who know C and/or C++
asciilifeform: erlehmann: incidentally what exactly is a 'nonexistence dependency' ?
erlehmann: 2. look on while almost all of them develop the exactly same train of thoughts (including fixing make, which is impossible for this kind of program)
mircea_popescu: asciilifeform that for x to work, y has to not exist.
mircea_popescu: like you know, poisons.
asciilifeform: granted, but when would this come into play ?
asciilifeform: in erlehmann's context
mircea_popescu: i dunno he has some abstractive grammars itch.
asciilifeform: didn't we do the STOP FUCKING PARTIALMAKING thread ?
erlehmann: asciilifeform on systems with multiple include paths, a C or C++ header file is looked for in location A, B, C. it is found in directory C. it does not exist in location A or B.
asciilifeform: clean the fucking chalkboard
erlehmann: s/directory/location
asciilifeform: flush the toilet.
erlehmann: if C changes, the target needs to be rebuilt. that is a dependency.
asciilifeform: multiple include paths are retarded.
erlehmann: if A or B start to exist, the target also needs to be rebuilt. that is a non-existence dependency.
asciilifeform: they correspond to a vgraph with contradictory inputs.
mircea_popescu: well, systems without patch are also retarded.
asciilifeform: systems are to be fixed - i.e. brought into conformance with vtronics -- or discarded.
asciilifeform: no third.
mircea_popescu: asciilifeform anyway, let's sit down and make something sane for this guy. peterl i mean. what's his message supposed to be like ?
erlehmann: asciilifeform that is one possible answer to the thing. the thing that starts the triggering is usually a combination of said devs using make and realizing that this is, indeed, a problem.
mircea_popescu: letting him "figure for self" at this juncture is unsanitary.
asciilifeform: erlehmann: the problem however is not where you seem to put it
BingoBoingo: mircea_popescu: Looking like exactly that
erlehmann: asciilifeform C header files are only one instance of such non-existence dependencies where the existence of a thingy invalidates the assumptions that went into building another thingy.
erlehmann: they are only arguably the most common one
asciilifeform: erlehmann: are you familiar with how v works ?
erlehmann: and excellent for stunning freeBSD developers btw
asciilifeform: erlehmann: the problem you describe is absent in v
erlehmann: asciilifeform you are correct
asciilifeform: erlehmann: if it is present in whatever you are using instead -- your process is broken
erlehmann: asciilifeform it is always absent if you always build clean
mircea_popescu: erlehmann that's not what v does.
erlehmann: mircea_popescu in a way, it does. no?
asciilifeform: erlehmann: the building-clean thing is sanity. we had this thread. if your program is 'too big to always build clean', IT IS TOO BIG
asciilifeform: cut it. like procrustes, or into independent subsystems, i don't care how
asciilifeform: no program has any business being a billion line build.
mircea_popescu: erlehmann it's a pile of patches. how the compiler optimizes the rebuilding is irrelevant ; if you change one file it can rebuild the whole thing or not ; but v still only changes the one file and still doesn't have the problem.
erlehmann: asciilifeform correct. the talk begins with me mentioning non-existence dependencies and ends with the recipient either having a solution (one guy), being aware of the problem already (i counted two) or being unaware of it but being aware that their software is a lie.
erlehmann: the solution turned out to be a non-solution btw
erlehmann: something involving a goedelized perl script that builds all build rules that don't build themselves. drugs were probably involved.
asciilifeform: erlehmann: you seem to be fixated on a problem that simply doesn't exist in sane contexts
asciilifeform: !#s martian problem
a111: 4 results for "martian problem", http://btcbase.org/log-search?q=martian%20problem
erlehmann: asciilifeform the goal of the game is to make dev aware of context being insane
a111: Logged on 2014-11-26 01:11 asciilifeform: 'Id like to see one expression coined by the poker writer Matt Matros become common parlance, since it applies far more widely than only to poker. An alien problem means some problem that might be fun, interesting and educational to analyze, and it would be really important to know the solution if you ever found yourself in that situation, but the point is that you shouldn't even be having that problem in the first pl
asciilifeform brb
erlehmann: indeed, one part of the solution is to return to earth
mircea_popescu: to encrypt : take plaintext message M, no longer than 250 bytes, and zero-pad it to 250 bytes. take pile of random bits R 250 bytes long. calculate X = M xor R. calculate Y = R xor MPFHF(X) set for R.len = 250 bytes. RSA the 500 byte pile of X || Y. done. to decrypt : de-RSA the 500 byte pile. cut it in two halves. calculate R = Y xor X. calculate M as X xor R. done.
mircea_popescu: how's that sound ?
mircea_popescu: erlehmann did anything further come of it ?
erlehmann: mircea_popescu one person hallucinated having seen the elusive djb redo c code that ultimately did not exist. another person was a release manager and made sure the problem does not exist. a third person wrote a cmake thingy longer than my own redo implementation. a freebsd developer confirmed the problem exists.
erlehmann: mainly i realized why my talk to the conference was rejected
asciilifeform: mircea_popescu: mphf in a fixedtime fixedspace system is insane
erlehmann: because the reaction of most people to it is
mircea_popescu: asciilifeform most importantly, do we ACTUALLY want to do something pgp-retarded like say R.len = 200 bytes, repeat the last 50 for a 250 byte total then use the repeat to make sure you decrypted correctly ?
erlehmann: 1. this is not a problem at all in my process
mircea_popescu: asciilifeform what else makes arbitrary size output ?
erlehmann: 2. yes, this might be a problem for some, but it never happens to me
mircea_popescu: but yes insane.
asciilifeform: keccak?
asciilifeform: or any other sponge
mircea_popescu: i thought it's any input fixed output
erlehmann: 3. yes, this is not detectable, but the effect is negligible
erlehmann: 4. yes the effect matters. we can patch make, though
asciilifeform: mircea_popescu: nope that'd be classical hashes
erlehmann: 5. make is unfixable, but we can patch gcc!
mircea_popescu: erlehmann which talk is this ?
erlehmann: (which does not help btw)
asciilifeform: sponge goes from any-input to desired-width-out
asciilifeform bbl, meat
mircea_popescu: asciilifeform i guess when he comes back from the mpfhf reverser ima make him do a keccak impl that ACTUALLY does the any-output thing. afaik they're all 32/64byte
mircea_popescu: but afaik keccak isn't that fix-space-able either.
erlehmann: mircea_popescu i wanted to give a talk about non-existence dependencies at SHA 2017 and it was rejected with “provide a 5min lightning talk on problem instead”. problem: 5min are enough to understand the problem, not why you are having it or what follows from it.
mircea_popescu: erlehmann was this paid ?
erlehmann: one lulzy consequence is that a lot of software might have been released with subtly wrong header files included
erlehmann: mircea_popescu like, ticket? it was camping, mostly
mircea_popescu: did they pay you to do a talk.
erlehmann: no, they rejected my entry
erlehmann: like, my submission
mircea_popescu: do you know who harlan ellison is ?
erlehmann: maybe i am not clear enough: i did not get to hold a talk so i talked to random c developers for fun.
erlehmann: mircea_popescu not yet
mircea_popescu: aite, here : https://www.youtube.com/watch?v=mj5IV23g-fE
mircea_popescu: watch at least until he says turnip
erlehmann: on train now, later
mircea_popescu: "tell that to some guy a little younger than you, who just fell off the turnip truck. there is no publicity value in my talk being at your conference. what, if you sell 2000 of them it'll be a miracle. and what, what are people going to say, uuuuuu i like how that erlehmann talks, i wonder if he's got a blog or anything".
mircea_popescu: nobody knows what the fuck "sha 2017" is. nobody cares. even the people paid to fucking care stopped giving a shit in the 90s, as that nsa goon at "crypto conferences" piece amply attests.
mircea_popescu: hanging out with any other troop of stoners would be a better use of your time, in the sense of variety.
mircea_popescu: in other lulz : obviously there's a "foundation" and a "code of conduct" (the usgistani nonsense copy/pasted) and a freenode chan, why not. ~600 accounts logged in (specifically : http://p.bvulpes.com/pastes/yDU6G/?raw=true ) , ZERO anyone has to say at all whatsoever. most are related to matrix.org, which is a pile of nonsensical lulz which you're more than welcome to try and make sense of by yourself. in any case, it's an "
mircea_popescu: independent" "free" bla bla made by amdocs employees. which YES, is that thing made by the israeli golden pages, and YES is that thing involved in the espionage scandals. and so on.
mircea_popescu: but isn't it great that all mgm needs to do is to put on a coupla hats and suddenly the turnips think themselves human fucking beings ?
asciilifeform: http://btcbase.org/log/2017-08-09#1696171 << it dun branch-on-secrets if correctly made. so yes fixed.
a111: Logged on 2017-08-09 22:14 mircea_popescu: but afaik keccak isn't that fix-space-able either.
mircea_popescu: are we talking the keccak reference code here ?
asciilifeform: the algo strictly
asciilifeform: the 'reference' is sad
mircea_popescu: yeah well, above his pay grade.
mircea_popescu: but yes, i agree that in principle something-like-keccak could be made to spit arbitrary len digests ; and perhaps also in fixed space. the latter will require actual impl to settle.
asciilifeform: fwiw i have a half-built one here. on hold until p.
asciilifeform: mircea_popescu: amusingly that was almost whole point of keccak
mircea_popescu: no, i know.
mircea_popescu: well barnacled.
asciilifeform: that and killing length extension attack idiocy
mircea_popescu: ftr, we both talking http://keccak.noekeon.org/KeccakReferenceAndOptimized-3.0.zip ?
asciilifeform: but this being said , i am not even ready yet to barf re ref-keccak, i aint even yet done barfing re ffa not having already existed
asciilifeform: srsly wtf, oughta have been written in 1993 at the latest
mircea_popescu: the herd is lazy, the apparatchiks are scared, and the intelligent are lost in the soup, interacting with cattle and criminals as if they were people.
pa1atine: hi all, great reads I had those days. logs are a trove of wisdom
pa1atine: http://btcbase.org/log/2017-08-09#1696206 < first verse of your religious leader sermon? ;)
a111: Logged on 2017-08-09 23:00 mircea_popescu: the herd is lazy, the apparatchiks are scared, and the intelligent are lost in the soup, interacting with cattle and criminals as if they were people.
trinque: sorry, we're past our quip quota for the day. what else you got?
pa1atine: nothing, really
pa1atine: just back reading all the stuff
pa1atine: much catch up to do
pa1atine: http://btcbase.org/log/2017-07-18#1686026 <this one was the one that got me occupied the last couple days
a111: Logged on 2017-07-18 18:23 mircea_popescu: asciilifeform understand this bit of GT : the knowledge of all the things you don't know thereby constructs a sybil of you.
PeterL: just wanted to verify that http://btcbase.org/log/2017-08-09#1695864 was indeed me
a111: Logged on 2017-08-09 17:10 PeterL: I will check in later once I am back at my computer with my key to verify this conversation has been with the real PeterL
PeterL: http://btcbase.org/log/2017-08-09#1696147 << I don't think we need to do a hash on the data, it is already xored with the random string
a111: Logged on 2017-08-09 22:09 mircea_popescu: to encrypt : take plaintext message M, no longer than 250 bytes, and zero-pad it to 250 bytes. take pile of random bits R 250 bytes long. calculate X = M xor R. calculate Y = R xor MPFHF(X) set for R.len = 250 bytes. RSA the 500 byte pile of X || Y. done. to decrypt : de-RSA the 500 byte pile. cut it in two halves. calculate R = Y xor X. calculate M as X xor R. done.
PeterL: and wouldn't you also need to know S if you are going to reverse the MPFHF from a given R?
PeterL: Is there a way to calculate the probability that a random string of 256 bytes will pass a csc check?
PeterL: csc32 that is
PeterL: ack, I meant crc32
mircea_popescu: !!up pa1atine
deedbot: pa1atine voiced for 30 minutes.
mircea_popescu: !~later tell peterl the hash-xor thing is oaep, which is a provably strong padding scheme for rsa.
jhvh1: mircea_popescu: The operation succeeded.
mircea_popescu: reversing MPFHF is not required for the above quoted version, as the fhf is used there as a hash function not as a padder. (and alf's objection is valid, not a very good option, a settable size output sponge would be much better).
mircea_popescu: reversing mpfhf is required for the padding scheme originally described, whereby you simply mpfhf the plaintext message and then encrypt the S + R, see http://btcbase.org/log/2017-08-09#1695856
a111: Logged on 2017-08-09 15:58 mircea_popescu: anyway, let it be said that there's nothing wrong with oaep as far as we know, but for the sake of argument a mpfhf based padding scheme would conceivably work like this : 1. given message m, of length l, generate r = random bits, of length l' up to l but not less than 256 bits. 2. compose m' = r + m + c (in that order), where c is l - l` (and its bitness is always same as the bitness of len(m')-256). 3. compose Pm = R + S +
mircea_popescu: these two are are not the same thing.
mircea_popescu: and finally re crc : given a string S of any length, the probability of a string S' where less than 32 bits have been altered in a "burst" passing crc32 is 0. if you go over 32 bit long bursts the probability is ~ proportional to the burst length / 32.
mod6: <+erlehmann> something involving a goedelized perl script that builds all build rules that don't build themselves. drugs were probably involved. << dafaq is this dude on about?
asciilifeform: soooo ACHTUNG PANZERS , asciilifeform went and actually tried http://btcbase.org/log/2017-08-08#1695511 :
a111: Logged on 2017-08-08 23:51 asciilifeform: it thereby follows that i could unroll comba into explicit cases from 1 to 8 words
asciilifeform: for simplicity, tested the case that actually happens in practice: on a 64bit box, any ffa width over 512 bits gives a strictly 8-wide comba mult occurrence
asciilifeform: and so here http://wotpaste.cascadianhacker.com/pastes/hoM4U/?raw=true we have a combasquareatron explicitly unrolled for 8-word operand
asciilifeform: ( yielding 16 word result )
asciilifeform: it is loop- (and any other jump) - free
asciilifeform: so theoretically x86 branch predictor oughta be very very happy;
asciilifeform: HOWEVER the actual result is : ~13% cut in execution time.
asciilifeform: so imho it is not worth it.
asciilifeform: mircea_popescu, phf , mod6 , et al ^^
mod6: hmm, nice test though
asciilifeform: had to.
asciilifeform: itched to find, what if another 2x vrooom is possible.
asciilifeform: but apparently branch predictor dun matter so much when your entire thing is ~guaranteed to fit in cache
mod6: yeah, worth the hunting trip
asciilifeform: there's still a dilemma tho :
asciilifeform: the unrolled-8word thing is 1 ) less general 2) harder to read with naked eye but 3 ) easier to prove correct
asciilifeform: 3 of course because no branching
asciilifeform: you can reduce it algebraically
asciilifeform: so currently it is not obvious to me, which variant is Moar Right Thing
asciilifeform: ( i'ma keep the general case, for nao, because it is always very easy to turn it into the above later. but not vice-versa. )
mod6: sure. keep it in your back pocket.
asciilifeform: aite, nao all asciilifeform needs is a constantspacetime MODULAR exp algo that can be expressed with the mux primitive
asciilifeform: and then we can play.
asciilifeform: ( nobody seems to have produced a branch-free montgomery-reduction algo. or any other division-free modexp. )
asciilifeform: srsly this entire exercise has been a brainmelting tour of the sheer unfathomable worthlessness of 'the literature', 'the cryptography komyoonity', et al
asciilifeform: 'sorry you can't have multiplication in algebraic - branch-free - form ! That Would Be Wrong'
mircea_popescu: asciilifeform yeah, i guess. depends though, good to have both variants.
mircea_popescu: honestly i don't believe the somewhat more cl is such a problem.
asciilifeform: mircea_popescu: it'd be many moar , to correctly handle cases of 1-7 word too
mircea_popescu: anyway. i think the point re : fathers are worthless , siblings are severely retarded is well vindicated
asciilifeform: ( a ptron is permitted to be invoked with any bitness that is multiple of 64 )
asciilifeform: waiwat
asciilifeform: did i miss a whole thread
mircea_popescu: asciilifeform i doubt it. ~nobody who came before did anything useful and ~nobody currently active has an actually functioning brain.
asciilifeform: aa
mircea_popescu: anyway, re the unrolls : it's really not that bad, because of the patterns. it's only "unreadable" because alien because too much time spent reading code written by idiots.
mircea_popescu: will get used to it (tm)
asciilifeform: we definitely don't need any case of comba above 8 tho
mircea_popescu: right.
asciilifeform: currently i lean to unrolling them ~in the proof doc~ and leaving proggy as is.
asciilifeform: tabula proof!
mircea_popescu: i am all for keeping the unrolled version at the ready ; but i really see no problem with having and using the unrolled loops version. you read it once, over a weekend or a week, and you use it ten billion times over fifty years.
mircea_popescu: tell me 13% of 50 years somehow comes out to less than a week ?
asciilifeform: anyway this is the easy bit. hard bit apparently is the final crown, coughing up a sane modexp
asciilifeform: turns out, none is publicly known.
asciilifeform: ( every single motherfucking modexp in the open lit, branches on seekrit )
mircea_popescu: coincidentally.
asciilifeform: ^ if asciilifeform is wrong here, folx, plz to write in !!
asciilifeform: knuth has one with 'addition chains', but it requires the exponent to be welded into place for all time
asciilifeform: and as such is unsuitable for ptron
asciilifeform: ( generating ideal additionchain for a particular exp, incidentally, is np-hard )
mircea_popescu: myeah
mircea_popescu: and a possible candidate for "alt cryptosystem" at that.
mircea_popescu: i think we even spoke of it back in the day
asciilifeform: has same problem as every other nphard
asciilifeform: (no way to prevent 'easy case')
asciilifeform: (problem from 'use as cryptosystem' pov)
asciilifeform: or, more formally, no way to prove the absence of arbitrary number of classes of 'easy case'
mircea_popescu: !#s kochanski
a111: 2 results for "kochanski", http://btcbase.org/log-search?q=kochanski
asciilifeform: he's the d00d with the '90s rsa chip
mircea_popescu: yes but also has a reduction method iirc ?
mircea_popescu: which was serializable
asciilifeform: it's catastrophically slow on general-purpose comp
asciilifeform: AND branches on seekrits.
mircea_popescu: ah is it ?
asciilifeform: aha. wants fast bittwiddle
asciilifeform: ( rather than word arithm )
mircea_popescu: but you serialize and do a whole word's worth of bit diddle as a xor
mircea_popescu: there's no rule you must do the parts in order or anything
asciilifeform: you can , but still have the 'guessing and undo' thing
asciilifeform: ergo much branching. and all of it on seekrit bits.
mircea_popescu: hm
asciilifeform: what is needed is a wholly algebraic process. like my mult.
mircea_popescu: no but you write it as a full matrix, you get the undo for free
asciilifeform: where control flow is SAME regardless of what the exponentiation args are.
asciilifeform: it is the only acceptable form for ptron.
asciilifeform: otherwise whole thing is a massive waste.
mircea_popescu: it would take a shitload of memory wouldn't it
asciilifeform: (' a little bit ' of seekrit-branch is same as 'little big pregnant' )
asciilifeform: no reason why it oughta
asciilifeform: now if you were to try to rsa by exping first and THEN mod, the universe could not hold your intermediates
asciilifeform: so that falls out trivially.
asciilifeform: any practical modexp algo has to 'mod as it goes along'
mircea_popescu: im still talking of trying to adapt kochanski's thing
asciilifeform: if you can picture a branch-free form, lemme know
asciilifeform: i dun see it
mircea_popescu: asciilifeform he is doing this D-to-k table thing
asciilifeform: ( the infallible litmus for ffability : 'can this be UNROLLED TO DEATH?' if not -- no go )
mircea_popescu: but you don't have to use a table, you should be able to make it work in a matrix
asciilifeform: also his thing uses carry-save form
asciilifeform: which dun work with conventional machine arithm
mircea_popescu: i am telling you, his thing is ripe for rewriting in a more apt notation. he is misrepresenting it because thinking in terms of fucking logic gates
asciilifeform: understand, that's how he makes the ops independent ( rather than chained )
asciilifeform: by ignoring the carry, and reconstituting later
asciilifeform: we cannot do this. because the simplicity of ffa comes from using strictly ordinary machineword arithmetic.
asciilifeform: where, e.g., word addition, is sequential.
mircea_popescu: you can add the words in any order you wish and you can keep whichever intermediates you feel like
mircea_popescu: he -- cant
asciilifeform: mno.
asciilifeform: there is carry.
asciilifeform: can't 'add in any order you wish'
mircea_popescu: there is carry
asciilifeform: nor subtract
mircea_popescu: hm
asciilifeform: incidentally various heathen bignumtrons use carry-save form. it is one of the reasons why they are 10,000s of lines, and mine is ~1k.
asciilifeform: it was the most effective optimization i knew, and the one i rejected first and most incurably.
asciilifeform: because antifitsinhead.
mircea_popescu: mgh.
asciilifeform: the sad and slow constantspacetime solution , is the same exponentiation-by-squaring ffa has now, http://wotpaste.cascadianhacker.com/pastes/BVxyN/?raw=true , but after FZ_Square(B, B, C_Sqr); we FZ_Mod(B, M B) every time.
asciilifeform: ( for modexp, that is )
asciilifeform: grr,
asciilifeform: FZ_Mod(B, M, B)
asciilifeform: http://wotpaste.cascadianhacker.com/pastes/HuJDk/?raw=true << for anybody who forgot how division worx.
asciilifeform: sloooow
asciilifeform: division is the single most expensive arithmetic op.
asciilifeform: there is not an equiv of karatsuba for it
mircea_popescu: this is irksome
asciilifeform: aha!
asciilifeform: currently trying to express montgomery reduction ffaically.
asciilifeform: ( for 3 wks or so nao... )
asciilifeform: but if anyone has better idea -- write in
mircea_popescu: heh. the graph of a ^ x mod b looks eheheheheeexactly like the riemann functions / unit covering shenanigans.
mircea_popescu: i know that face glaring back at me. it is the face of unyielding fucking doom.