← 2017-08-08 | 2017-08-10 →
00:10 asciilifeform in other quiteolds, http://werner-heisenberg.unh.edu/diary.htm
00:17 BingoBoingo "The chickens on the lower floor bother me a little, though their usefulness makes sense to me in every way." << What redditard would accept this compromise!
00:19 BingoBoingo "In Urfeld it turns out that over night the garden was trampled by deer." << Who could have predicted free food would just walk by and make a mess of your labor food.
00:24 shinohai Venison + Salad .... mmmmmmm
~ 19 minutes ~
00:44 mod6 <+mircea_popescu> meanwhile in lulz for alf, https://bitcointalk.org/index.php?topic=1959633.msg19501495#msg19501495 << HEH
00:48 deedbot http://qntra.net/2017/08/a-list-of-known-bitcoin-ransom-cases/ << Qntra - A List Of Known Bitcoin Ransom Cases
00:48 BingoBoingo !~later tell cazalla ty
00:48 jhvh1 BingoBoingo: The operation succeeded.
~ 1 hours 26 minutes ~
02:14 BingoBoingo !!up edivad
02:14 deedbot edivad voiced for 30 minutes.
02:15 edivad hallo
02:15 edivad i'm a junior sysadmin trying to install trb on my VPS without success
02:15 mircea_popescu specifically ?
02:15 edivad https://thepasteb.in/p/P1hvEKZkQp3Sl
02:17 edivad fwiw it seems that V download seals and patches but then the bitcoin source code is not included, and i should gather it on my own?
02:17 mircea_popescu are you using what, mod6 's recipe ?
02:18 edivad yes, following these instructions since the beginning: http://thebitcoin.foundation/trb-howto.html
02:18 edivad tried both online and offline mode, with zero luck
02:19 mircea_popescu did you do 0x09, gathered vpatches ?
02:19 edivad yes
02:21 mircea_popescu mod6 did a u160 test item end up stranded in there ?
02:21 mircea_popescu edivad this is somewhat odd as i recently had a new node configured, came out just fine.
02:21 edivad tried also yesterday to troubleshoot with mod6, (there was another issue related to the locale of my OS, then fixed with him), but now i'm stuck at 0x0B
02:22 mircea_popescu seems you're missing a file for some reason.
02:22 edivad i'm on ubuntu 16.04, fresh installation
02:23 mircea_popescu that wouldn't do anything.
02:23 trinque > patch: not found
02:23 edivad maybe it's just a permission problem?
02:24 trinque no, you're missing the utility patch.
02:24 mircea_popescu doh.
02:24 mircea_popescu edivad sudo apt get patch eh.
02:24 edivad was an assumption in the tutorial?
02:25 mircea_popescu well, it's technically part of core linux, but apparently they ship systems without.
02:25 mircea_popescu will prolly have to add patch to the pile at the end eh.
02:25 edivad patch is already the newest version (2.7.5-1).
02:26 mircea_popescu i have 2.6
02:26 mircea_popescu edivad can you run it from command line ?
02:26 edivad yes
02:27 mircea_popescu this is bizarre. try the actual line from the .sh that fails ? (prolly the first one to string match "patch") ?
02:28 edivad guys, i'm gonna have asap my usual generous amount of morning coffee, since i was typing in the wrong VPS
02:29 mircea_popescu lol!
02:29 edivad now just installed patch on the right vps
02:29 trinque loller
02:29 mircea_popescu ah so okay. that makes more sense then.
02:29 * mircea_popescu was bracing self for "o look, new version of patch, breaks downstream" lulz.
02:29 edivad gonna report even in case of success
02:29 mircea_popescu a sound policy.
02:33 * trinque to bed, to dream of tomorrow's generous amount of morning coffee
02:33 mircea_popescu enjoy.
02:37 * BingoBoingo wishes trinque a night with no strange knocks on door
02:41 edivad may I take advantage of my troubleshooting sign up into the channel to ask about tmsr?
02:41 mircea_popescu ask away
02:41 edivad thanks, basically i was reading the universal plan for wealth
02:41 mircea_popescu !!key edivad
02:41 deedbot Not registered.
02:41 mircea_popescu you can just register a key you know.
02:42 edivad !!key edivad
02:42 deedbot Not registered.
02:42 mircea_popescu !!help
02:42 deedbot http://deedbot.org/help.html
02:42 edivad thanks
02:42 edivad nice
02:45 BingoBoingo !!up edivad
02:45 deedbot edivad voiced for 30 minutes.
02:45 edivad I know bitcoin since a couple of years and learned the hard way how to protect my funds and stay away from scams. Now I finally got into the sweet spot where I realized how many orders of magnitude my savings are safer in bitcoins
02:46 edivad Then after this "sweet spot", also the universal plan for wealth makes sense to me
02:46 mircea_popescu so good for you.
02:47 BingoBoingo edivad: Ah, so at this point reading into TMSR history will be very beneficial for girding yourself against long cons and other social engineering attempts against your wealth and your self.
02:50 edivad but my question is: as a student without a regular job, should I aim at a minimum wage job, to possibly apply for credit and then fly away to a second/third world country, get a decent house, marry and reproduce?
02:50 mircea_popescu how is another man going to answer that question for you ?
02:51 edivad or there is a better way to get credit, without harming finance of my family (so not asking to them to put collaterals for my loans)
02:53 mircea_popescu this is how growing up goes : you take stock of situation, you make a plan, you implement it.
02:54 BingoBoingo edivad: Which socialist hellhole do you reside in now?
02:54 edivad mircea_popescu: because the universal plan for wealth makes some great guidelines, but then since every situation is different, I'm trying to understand if there is a better approach for who hasn't already a job and is studying
02:55 edivad BingoBoingo: italy
02:55 BingoBoingo Have you considered working construction?
02:56 mircea_popescu what are they to build in italy ?
02:56 BingoBoingo STADIUMS!
02:57 BingoBoingo For the latest wave of Vandals!
02:58 edivad in these summer holidays, aside from ruinous altcoin trading, I've done some painter job paid 5 euros/hour
02:59 edivad since it was the first work experience, I was even able to enjoy it
03:00 edivad but then after a month i realized that I was needing a better plan
03:00 mircea_popescu i can see that heh
03:01 BingoBoingo Painting done well is a perfectly respectable trade.
03:01 BingoBoingo And it's a rather portable skill
03:02 edivad well, I have a spare brazilian passport in the drawer, so when I've read the universal plan, I instantly got some very powerful energy for a future exit plan
03:04 deedbot http://qntra.net/2017/08/y-combinator-startups-begin-overt-political-discrimination/ << Qntra - Y Combinator Startups Begin Overt Political Discrimination
03:08 edivad now that i've registered my pgp key, should i be able to authenticate signing something?
03:08 BingoBoingo edivad: Just remember that hunger can be the most devious thief of all as evidenced by kakobrekla's 500 BTC car. Every situation is different, but many of them rhyme.
03:09 BingoBoingo edivad: You authenticate by decrypting something.
03:09 edivad OK
03:10 mircea_popescu and in random other lulz : it's funny how the libertards worshipping at the watergate shrine usually omit to mention that by then washington post had been a libel tabloid for years. somehow dillard stokes' name never comes up. somehow they don't seem to notice it always was simply us sturmer.
03:10 edivad make[3]: c: Command not found
03:11 edivad in this case what is missing?
03:11 mircea_popescu gcc ?
03:11 edivad gcc is already the newest version (4:5.3.1-1ubuntu1).
03:12 BingoBoingo http://qntra.net/2017/08/a-list-of-known-bitcoin-ransom-cases/#comment-107260
03:12 BingoBoingo !!up bounce
03:12 deedbot bounce voiced for 30 minutes.
03:12 mircea_popescu edivad your makefile is getting mangled somewhere.
03:13 edivad let me copy the entire error log
03:14 edivad https://thepasteb.in/p/BghP57zQGWycY
03:16 BingoBoingo !!up edivad
03:16 deedbot edivad voiced for 30 minutes.
03:16 edivad tried now to install the common bitcoin core dependencies with apt
03:16 edivad but no luck
03:17 edivad when i'll login again in IRC, what command should i use to authenticate?
03:18 mircea_popescu !!key edivad
03:18 deedbot http://wot.deedbot.org/2774E3A42199C93B528647ECD19963F9A5C443AC.asc
03:18 mircea_popescu use !!v in pm to deedbot.
03:18 mircea_popescu !!rate edivad 1 painter/student
03:18 deedbot Get your OTP: http://p.bvulpes.com/pastes/brgvw/?raw=true
03:19 edivad let me try
03:19 mircea_popescu and in other civilised behaviours : always remember to hold pinky elevated! http://68.media.tumblr.com/e0686d449baf8a8d73a2199a83f7780c/tumblr_o1f357D0Zh1sr105eo1_1280.jpg
03:21 BingoBoingo !!up edivad
03:21 deedbot edivad voiced for 30 minutes.
03:21 BingoBoingo !!key edivad
03:21 deedbot http://wot.deedbot.org/2774E3A42199C93B528647ECD19963F9A5C443AC.asc
03:21 mircea_popescu lol nothing works for this guy does it.
03:23 BingoBoingo !~later tell trinque maybe look into the edivad deedbot registration thing? Guy is having a hard time
03:23 jhvh1 BingoBoingo: The operation succeeded.
03:23 mircea_popescu edivad do it here.
03:24 edivad ok
03:24 edivad !!v
03:24 mircea_popescu ...
03:24 mircea_popescu read the help would you.
03:25 edivad !!up
03:25 deedbot Get your OTP: http://p.bvulpes.com/pastes/WQBqO/?raw=true
03:28 edivad !!v 47E94847E0937D49A0D0EBF20F880C396B416F19177CCDCF756E42A74558A76B
03:28 deedbot You are now voiced in #trilema
03:28 edivad wow :)
03:29 edivad thanks BingoBoingo for the help
03:32 BingoBoingo you are welcome
03:32 edivad a thing that i've not asked and now i remembered
03:32 edivad is it allowed/polite to scrape all the btcbase.org/log website?
03:33 mircea_popescu you could just make your own logger.
03:33 edivad I've done it yesterday for a friend that asked me a dvd with the logs inside, to read them when on holiday with no internet access
03:34 mircea_popescu nothing wrong with it.
03:34 mircea_popescu they also end up on archive.is, because the bot archives links and the odds of a whole day going by without a single log reference are small.
03:35 edivad ok thanks, initially i thought that maybe doing 400-500 mb of http traffic could be seen as a bad thing
03:36 mircea_popescu well so if you thought that you could have asked before rather than after eh.
03:36 mircea_popescu anyway, forward your thanks to phf for allowing your exercise.
03:37 edivad i know, it wasn't a smart move, but if you see a spike of traffic now you know that it wasn't a ddos attempt
03:37 mircea_popescu i don't maintain btcbase ; phf does.
03:38 * mircea_popescu bbl
03:38 edivad phf: so, sorry for not having asked before
03:40 * BingoBoingo unsure phf really will notice one complete scrape
03:41 edivad it was about 250 mb iirc
03:42 edivad but i've done it two times because the first has gone wrongly to the standard output
03:54 deedbot http://phuctor.nosuchlabs.com/gpgkey/B47B72AF088972BB3797D9E788CB4552536D6536CAB9BD720FAC499CC89527BF << Recent Phuctorings. - Phuctored: 1537...4537 divides RSA Moduli belonging to '210.48.108.183 (ssh-rsa key from 210.48.108.183 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (gordon.mostfm.com. NZ AUK)
03:54 deedbot http://phuctor.nosuchlabs.com/gpgkey/B47B72AF088972BB3797D9E788CB4552536D6536CAB9BD720FAC499CC89527BF << Recent Phuctorings. - Phuctored: 1781...1313 divides RSA Moduli belonging to '210.48.108.183 (ssh-rsa key from 210.48.108.183 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (gordon.mostfm.com. NZ AUK)
~ 6 hours 12 minutes ~
10:06 mircea_popescu !!up PeterL
10:06 deedbot PeterL voiced for 30 minutes.
10:06 mircea_popescu what happened to your key ?
10:06 PeterL hi, thanks for the !!up, my key is on another computer
10:07 mircea_popescu aite
10:07 PeterL http://btcbase.org/log/2017-08-08#1695498 << this is completely unrelated to sina's item
10:07 a111 Logged on 2017-08-08 23:26 mircea_popescu: PeterL http://btcbase.org/log/2017-08-08#1695421 << is this supposed to interface with sina's item ?
10:07 mircea_popescu alright
10:08 PeterL I looked at miller-rabin, and switching over to that algorithm is quite simple
10:08 mircea_popescu found a c impl somewhere ?
10:09 PeterL I tested the fermat test, and with 100 numbers of 1024 bits deemed prime by the fermat test, 50 were found to be composite by miller-rabin
10:09 mircea_popescu aha.
10:09 PeterL so yes, using the fermat test would be bad
10:10 mircea_popescu and mind that m-r is a ~probabilistic~ test.
10:10 mircea_popescu you gotta have the params set correctly
10:11 PeterL http://btcbase.org/log/2017-08-08#1695504 << so the program goes through the keys and checks the decryption against each challenge-string
10:11 a111 Logged on 2017-08-08 23:33 mircea_popescu: PeterL +# IMPORTANT NOTE: if the cs is too small, messages have a chance to get decrypted by the wrong key << what is the logic behind this ?
10:11 PeterL if you have a 0 byte cs, then every message looks good
10:11 mircea_popescu um.
10:12 PeterL using the wrong key will result in a random byte string, so with a cs of 1 byte, you have 1/256 chance of looking like it was the right key
10:12 mircea_popescu 0 length isn't usually what one thinks of when seeing "too small". same is true if 1 byte string ?
10:12 mircea_popescu uh.
10:12 PeterL so I guess "too small" would be something like two or less?
10:14 PeterL not that using the wrong key will give you the plaintext message, but that if it uses the wrong key and happens to match the cs for that key, it will pass the pile of garbage on to all the peers
10:14 mircea_popescu so you are telling me that m ^ e ^ d mod n always has an integer solution for randomly chosen parameters.
10:14 PeterL well, won't that calculation always result in an integer?
10:15 mircea_popescu yes, but would that integer then also be m ?
10:16 PeterL oh, wait, no, I didn't see the extra ^ e in there
10:16 mircea_popescu this is the basis of rsa : m ^ e ^ d = m mod n
10:16 mircea_popescu or how shall i best put it, that's not equality but modulo congruence. whereby 7 = 5 mod 2
10:17 PeterL if you have an encrypted text c, then c ^ d mod n will give an integer, without previously knowing m, how will you check for congruence?
10:23 mircea_popescu PeterL the logical approach would be to include a checksum neh ?
10:24 mircea_popescu https://www.ti89.com/cryptotut/rsa3.htm << very handy rsa tutorial in that it uses base 10 and alphabet-indexing for letters. so one can actually rsa by hand and get a good model of what's going on.
10:24 PeterL aha, that seems like a logical solution.
10:25 mircea_popescu PeterL the broader point here being that you can't warn the user about things he can't control. you gotta provide for it yourself.
10:29 mircea_popescu PeterL the other problem this discussion reveals, of course, is that you aren't using any padding ?
10:31 PeterL this is the padding algorithm described by alf: take random bits r and message x, encrypt r to key A and encrypt (r XOR x) to key B
10:32 mod6 edivad's environment is indeed some sort of non-developer version of linux that has almost no tools pre-installed. also, had some non-english version, which my V does not work with. Yesterday asked him to remove gpg v2, and install v1.4.10.
10:32 mircea_popescu PeterL and then you add key A and B to the message at the end so recipient can un-pad ?
10:32 mod6 These problems should be resolved once sane environment is achieved.
10:32 PeterL no, recipient goes through his list of keys A and B until he finds the one that decrypts it
10:32 mircea_popescu ...
10:32 mircea_popescu i think you misconstrue alf's padding algo.
10:33 PeterL that is also possible
10:33 mod6 meanwhile, I'll add a preface to the HOWTO doc on the minimum requirements. thanks to diana_coman for gathering them up once upon a time.
10:33 mircea_popescu now : textbook rsa (the sort of thing you seem to be discussing, above) has no semantic security and on top of that is malleable.
10:33 mircea_popescu it's not useful in the field.
10:34 PeterL that is what we were trying to fix, no?
10:34 mircea_popescu long fixed problem, so not really.
10:35 mircea_popescu now, alf's scheme is probably valid padding, though it is very expensive. it works like so : to encrypt a message m to key X, you : a) generate two one-time keys, A and B. you encrypt some bits of m to A and some to B, randomly chosen. you pile together : the bits of m encrypted with A, the bits of m encrypted with B, the schedule of which is which, and the keys A and B into one large m'
10:35 mircea_popescu and THAT you then encrypt to key X and send over.
10:36 mircea_popescu what gpg normally uses is called OAEP
10:36 mircea_popescu !!up PeterL
10:36 deedbot PeterL voiced for 30 minutes.
10:37 mircea_popescu it's a sort of two-box permutation thing.
10:38 mircea_popescu basically it takes a random string, jumbles it with the original message, and spits out two halves. the hope with it is that it provides all-or-nothing security, in the sense that to recover any bit of the message you need to correctly process the entire pair of jumbled strings.
10:40 PeterL this thing? http://btcbase.org/log/2017-02-14#1613906
10:40 a111 Logged on 2017-02-14 19:19 asciilifeform: specifically, for every byte you intend to send, you instead send two: x, y. which you generate by obtaining rng byte r, and payload byte b, and x := b xor r, y := r
10:41 mircea_popescu similar, but not exactly.
10:42 mircea_popescu oaep works like this : given hash and hash' hash functions, calculate X as hash(m00) xor G(r) and Y = r xor hash'(X).
10:44 mircea_popescu because hash and hash' are used to stretch/reduce the bitlength of their parameters, something like mpfhf (which permits arbitrary sized outputs/inputs) could work well ; but is also slow.
10:45 mircea_popescu and besides, not muchly tested yet.
10:46 mircea_popescu and upstream, to make clear what "semantic security" means : rsa is deterministic, if i wish to see if your "encrypted" string really was message m, all i have to do is encrypt m myself. if the results match i have cryptographic confirmation.
10:47 PeterL is that a good thing?
10:47 mircea_popescu (and, of course, for short messages ie shorter than n i can just compute the e-root).
10:47 mircea_popescu PeterL terrible, terrible thing, which is why irl rsa is always padded.
10:49 mircea_popescu and since we're apparently doing rsa likbez : if r used in padding above contributes less than n / e^2 bits of entropy to the final, padded message, coppersmith has a few words to tell you.
10:50 mircea_popescu (and they are http://www.di.ens.fr/~fouque/ens-rennes/coppersmith.pdf )
10:52 PeterL mircea_popescu linking to a pdf, what is the world coming to!?
10:52 mircea_popescu i know right ?
10:55 PeterL in " n / e^2 bits of entropy ", what are n and e, the key modulus and exponent?
10:55 mircea_popescu yes.
11:04 PeterL do you mean the bitsize of n and e, or the actual numbers?
11:07 mircea_popescu !!up PeterL
11:07 deedbot PeterL voiced for 30 minutes.
11:08 mircea_popescu i mean the bitsize ; it's not just that though, partially known secrets, low exponents etc all conspire to empower the lattice reduction.
11:08 PeterL how low is low for an exponent?
11:09 PeterL and what partially known secrets here?
11:10 PeterL is 65537 big enough for an exponent?
11:12 mircea_popescu 3, generally. that, you never know. yeah.
~ 37 minutes ~
11:49 deedbot http://trilema.com/2017/se-vende-joyeria-fina/ << Trilema - Se Vende Joyeria Fina
11:58 mircea_popescu anyway, let it be said that there's nothing wrong with oaep as far as we know, but for the sake of argument a mpfhf based padding scheme would conceivably work like this : 1. given message m, of length l, generate r = random bits, of length l' up to l but not less than 256 bits. 2. compose m' = r + m + c (in that order), where c is l - l` (and its bitness is always same as the bitness of len(m')-256). 3. compose Pm = R + S +
11:58 mircea_popescu c (in that order), where R and S are produced by mpfhf(m') with R len set to c (bitness same as bitness of len(Pm). Pm will be the padded message sent to RSA. The recipient will have to undo mpfhf with known R and S to obtain m.
11:59 mircea_popescu this scheme is both slow and bulky. it is not likely useful for gossipd-style comms. it is certainly valuable for signing material, especially because rsa signature is much more padding-vulnerable than encryption ; and perhaps for some limited encryption work.
12:14 mircea_popescu !!up PeterL
12:14 deedbot PeterL voiced for 30 minutes.
12:14 mircea_popescu PeterL so if you feel like writing a mpfhf reverser... afaik nobody has to date.
~ 52 minutes ~
13:07 BingoBoingo !!up PeterL
13:07 deedbot PeterL voiced for 30 minutes.
13:10 PeterL I will check in later once I am back at my computer with my key to verify this conversation has been with the real PeterL
13:11 PeterL I will have a look at making a reversing function for the mpfhf
13:22 BingoBoingo !~ticker --market all
13:22 jhvh1 BingoBoingo: Bitstamp BTCUSD last: 3298.67, vol: 13040.95962783 | Bitfinex BTCUSD last: 3294.8, vol: 30614.16409473 | BTCChina BTCUSD last: 3325.733768, vol: 12852.97540000 | Kraken BTCUSD last: 3337.978, vol: 6685.96834593 | Volume-weighted last average: 3306.45847118
13:27 mircea_popescu works
13:30 PeterL mircea_popescu: if l is less than 256, then l' = 256?
13:31 PeterL for your padding scheme above ^
13:31 mircea_popescu no. l' = rnd(0, l) ; if l' < 256 l' = 256.
13:32 mircea_popescu and rnd(256, l) is not equivalent because who the fuck knows what rnd does when a > b.
13:32 PeterL so not more than rather than not less than 256
13:32 asciilifeform http://btcbase.org/log/2017-08-09#1695792 << variably-sized packets are the mistake here.
13:32 a111 Logged on 2017-08-09 14:11 PeterL: if you have a 0 byte cs, then every message looks good
13:32 mircea_popescu huh ?
13:32 asciilifeform use fixed size.
13:32 mircea_popescu asciilifeform i was discussing a more general rsa scheme, not gossipd specifically.
13:33 asciilifeform aite, i'm walking the l0gz still
13:33 mircea_popescu but yes, for unrelated reasons fixed size is the right choice for gossipd.
13:36 PeterL asciilifeform, I am not sure I understand what you are getting at here
13:36 asciilifeform http://btcbase.org/log/2017-08-09#1695799 << of course it does. rsa decrypt is c^d(mod n) , where c is ciphertext , n is public modulus, d is private exponent.
13:36 a111 Logged on 2017-08-09 14:14 mircea_popescu: so you are telling me that m ^ e ^ d mod n always has an integer solution for randomly chosen parameters.
13:36 asciilifeform this produces a solution always.
13:36 asciilifeform ( but it will be rubbish if either of the 3 values is not the expected one)
13:37 asciilifeform PeterL: don't permit messages of any length but L.
13:37 asciilifeform L is e.g. 512.
13:37 asciilifeform not 1 byte more, not 1 less.
13:37 asciilifeform !!up PeterL
13:37 deedbot PeterL voiced for 30 minutes.
13:38 PeterL right, my scheme was doing that
13:38 asciilifeform PeterL: so what was this : http://btcbase.org/log/2017-08-09#1695794 about ?
13:38 a111 Logged on 2017-08-09 14:12 PeterL: using the wrong key will result in a random byte string, so with a cs of 1 byte, you have 1/256 chance of looking like it was the right key
13:39 PeterL It checks to see if it is using the right key by comparing the decrypted text against a pre-known challenge-string (cs)
13:39 asciilifeform so why on earth would you permit anything like a 1 or 0 byte string ?!
13:39 PeterL mircea_popescu suggested instead using a checksum
13:40 asciilifeform that's the more typical solution aha
13:40 PeterL who am I to stop people from sabotaging themselves?
13:40 asciilifeform PeterL: one of the most comical failure modes, ubiquitous in usg crypto, is the null cipher
13:40 asciilifeform where there is a ready-made 'shoot yourself in the head' button, conveniently under everywhere you might ever put your elbow
13:40 asciilifeform this is not to continue .
13:41 PeterL I see.
13:43 PeterL I am still learning here, the last time I came and said "how do I know if I have used the right key to decrypt it?" nobody suggested a checksum, now I will try to figure out how that would fit into the program
13:44 asciilifeform you have a substring S in every packet, that gotta equal H(rest of the packet) or whole thing discarded.
13:45 asciilifeform ( importantly, the fact of said discard must not be discernible through timing side channel )
13:45 asciilifeform requirement for H is more or less the opposite of mircea_popescu's hash exercise -- it gotta compute in fixed time.
13:45 asciilifeform ( while otherwise quality hash. my current favourite for this is keccak's hash )
13:45 mircea_popescu asciilifeform man, you're mixing industrial process into educative discourse without any sort of rhyme or reason, resulting in some very confused and eventually frustrated people.
13:46 erlehmann PeterL 1. write grammar 2. ??? 3. never correct invalid input, nuke it from orbit instead
13:46 asciilifeform aite, i'ma let mircea_popescu handle pedagogical thread, brb
13:47 mircea_popescu don't even have to, but consider the context. yes "it's what rsa is", that's what i'm checking, that he knows.
13:47 mircea_popescu erlehmann wanna do that ?
13:47 erlehmann mircea_popescu nope.
13:47 mircea_popescu how come ?
13:47 PeterL so for longer messages, they will get cut into chunks. Is it better to check the first chunk until you find the right key and then use it to decrypt the whole message, or do you want to decrypt the whole message with every key (to hide the fact you found a match)?
13:48 mircea_popescu PeterL the cutting into chunks should happen prior at some client level. it's ok if your think accepts no messages longer than x. irc doesn't either.
13:48 mircea_popescu your thing*
13:49 PeterL but I want to make longer messages possible
13:49 mircea_popescu why ?
13:49 PeterL why not?
13:49 erlehmann mircea_popescu it feels like work. i had that experience a few minutes ago, when i explained to a rando on the train the concept of non-existence dependencies.
13:49 mircea_popescu because udp packets if nothing else ; besides "longer" is not the same as endless.
13:50 mircea_popescu erlehmann so what, you're of a firm "will only work for evil empires" persuasion ?
13:51 erlehmann no, just tired
13:52 mircea_popescu in other lulz, /me went to open bank account today. you can not BELIEVE how fucking pussy whipped these people are. a) bank's only wire intermediary is bank of america. why ? uh... that's what the other banks do too. but... why ? umm... is it because you schmucks are a us colony, in the sense you don't get medicare and they still get all your shit anyway ? uhhhh
13:52 PeterL well, udp packet is a lot bigger than the 512 bytes that fit in a rsa packet, why waste all the space?
13:53 mircea_popescu b) they want to... "know your customers". bitch, it's none of your fucking business ? uh no, because ley so and so say so.
13:53 asciilifeform PeterL: 512 is really top limit of 'guaranteed nonfragment no matter what'
13:53 mircea_popescu im guessing i'll be taking ads in the local newspaper, "looking for lawyers willing to sue the government, apply within".
13:53 mircea_popescu PeterL how did you come up with the 512 value ?
13:53 asciilifeform empirically
13:53 mircea_popescu asciilifeform damn. listen you!
13:53 PeterL do we need guaranteed non-fragment ?
13:54 PeterL and if we are sending to key A and B, we will need 1024 bits for each segment anyway
13:55 mircea_popescu PeterL let's get back to cogency here. how did you come to the "512 rsa packet limit" ?
13:55 PeterL 4096 bit key n, message needs to be smaller than that, right?
13:55 mircea_popescu nope.
13:56 PeterL well, shoot, I must be confused somewhere
13:56 mircea_popescu how did you get that idea ?
13:56 mircea_popescu pro tip : it is always a very useful thing to be able to reflect your own mental process, which starts with being able to answer "where i got this from". makes error handling much faster and infinitely more efficient.
13:56 PeterL c^d mod n = m, therefore m must be smaller than n?
13:57 mircea_popescu PeterL can you tell me anything about what the greeks used for encryption ?
13:57 PeterL not really, the caesar cipher or something?
13:58 mircea_popescu well caesar was a roman, wasn't he ? the "technologically advanced" dorks that took the sail tech of the people who sailed from sweden to south africa and made some square sailed tubs that sunk in the mediterranean half the time.
13:58 mircea_popescu i mean actual strategoi of the ancient greece.
13:58 mircea_popescu !#s scytale
13:58 a111 6 results for "scytale", http://btcbase.org/log-search?q=scytale
13:59 mircea_popescu basically they had this early elliptic curve crypto, implemented as an arbitrary cone on which they wrapped a string. because the string is fixed length see, whereas the section of cone is not.
13:59 mircea_popescu make sense to you ?
14:00 PeterL alright, so the decryption relied on having an identical physical object?
14:00 mircea_popescu yeah.
14:00 mircea_popescu now, intuitively, would you imagine this worked at all if the string was so short it never fully wrapped ?
14:00 PeterL ok
14:00 PeterL hmm, no, it would have nothing to transpose to
14:01 mircea_popescu short messages are a problem for rsa, not a boon. this is generally fixed by padding.
14:01 PeterL ok, but how short is short?
14:02 mircea_popescu shorter than size of n, here.
14:02 PeterL I thought it was only bad if m^e was less than n?
14:02 mircea_popescu that's what i meant earlier with the e-root. if say your key is 1024 bits, and your exponent is 3, and your "encrypted" message is, numerically, 1404928, i can readily extract the cube root and find the original as 112.
14:03 mircea_popescu had there been a wrap, i couldn't have extracted the cube root [quite so easily]
14:03 PeterL right, I understand that part
14:04 mircea_popescu PeterL yes, there is that. larger e provides some protection against this issue.
14:04 mircea_popescu but in any case, the point is -- rsa is not better for shorter messages. for really short messages it can be really shitty. which is why my 256 minimum bits in the padding scheme.
14:05 PeterL alright, so my scheme pads everything to the length of the key, but as I understand it still has to be smaller than the key n?
14:06 mircea_popescu what it and why ?
14:06 PeterL because you are calculating a number mod n, so the result will therefore be smaller than n
14:06 mircea_popescu so ?
14:06 mircea_popescu that the result is smaller than n is of no consequence to you is it.
14:06 PeterL so you can't use a number larger than n
14:07 mircea_popescu why not ?
14:07 PeterL because the decryption is also a calculation mod n
14:07 mircea_popescu really, use that item i linked earlier.
14:07 mircea_popescu http://btcbase.org/log/2017-08-09#1695807 <
14:07 a111 Logged on 2017-08-09 14:24 mircea_popescu: https://www.ti89.com/cryptotut/rsa3.htm << very handy rsa tutorial in that it uses base 10 and alphabet-indexing for letters. so one can actually rsa by hand and get a good model of what's going on.
14:08 asciilifeform !!up PeterL
14:08 deedbot PeterL voiced for 30 minutes.
14:08 mircea_popescu do an example once, it's instructive. easy to follow because small numbers.
14:08 PeterL it looks like this thing is encrypting each character individually?
14:08 mircea_popescu it is.
14:09 PeterL so each character must have a value less than the n it is using, right?
14:11 mircea_popescu you mean, the modulus, p * q ?
14:13 PeterL yes
14:13 mircea_popescu right, solving will only find the lowest anyway.
14:15 PeterL so the message is larger than the key modulus, part of it will be lost when it is decrypted
14:15 PeterL so if ^
14:16 mircea_popescu and so thereby a 4096 bit key can handle chunks of up to 512 bytes of message.
14:16 PeterL yes
14:16 mircea_popescu slightly less even. but anyway.
14:16 deedbot http://qntra.net/2017/08/bitcoin-network-mining-diffficulty-up-7-32-to-another-all-time-high-in-first-adjustment-after-roger-ver-ified-fork/ << Qntra - Bitcoin Network Mining Diffficulty Up ~7.32% To Another All Time High In First Adjustment After Roger Ver-ified Fork
14:17 mircea_popescu PeterL and as asciilifeform aptly points out, this happens to be convenient, because it's right around the size of the nonfragmenting udp packet.
14:18 mircea_popescu (the preceding line was 146 characters, which is less than 146 bytes, especially if you do a lzw or something like sane people first)
14:18 PeterL and my scheme splits messages into r and m xor r, so I need 1024 bytes to pass the smallest message, which is already larger than the UDP "unfragmentation limit" of 512 bytes, so why stop there and not just let the message get longer by adding in some more chunks?
14:19 PeterL up to the limit of the size of a udp packet?
14:19 asciilifeform PeterL: think carefully, this is flawed logic
14:19 asciilifeform you don't ~have~ 1024 bytes
14:19 PeterL please, help me see the flaw?
14:20 asciilifeform ergo if you want to use the xor padding algo, you are stuck with payloads of half the size.
14:20 PeterL which would mean using keys of half the size, right?
14:20 asciilifeform not necessarily
14:20 mircea_popescu PeterL what is the scheme contemplated here, that you take a say 8 byte message, generate an 8 byte r, then create a 16 byte padded message by appending the r and the r xor m and then rsa that ?
14:21 asciilifeform ( i will also note, the problem with allowing packet fragging is that frag reassembly is a Something-To-Allcomers operation . )
14:23 PeterL mircea_popescu: but encrypting the r to one key and the r xor m to a second key, so you end up with two rsa-key-length segments
14:24 mircea_popescu ok, so then you also send 2, udp sized packets ?
14:24 PeterL well, I was putting it all in one udp packet
14:25 mircea_popescu yes, but we're examining why and whether you have to.
14:26 PeterL if they did not come together in one packet, then you would have to hold onto packets and try to match them up with their partner
14:26 mircea_popescu yes.
14:26 PeterL this seemed like it would be cleaner
14:26 mircea_popescu but even if you send them "together", there's no guarantee they stay unfragmented. not at that size.
14:27 PeterL (perhaps I misunderstand how udp packets get reassembled)
14:27 mircea_popescu as alf says : "something to all comers". primo target of ddos monkeys.
14:28 PeterL the other option would be to use rsa keys of half the size, allowing only 256 byte messages
14:28 mircea_popescu you mean messages of half the size.
14:29 PeterL well, message still limited by key size, so yes
14:31 mircea_popescu so your gossiptron only accepts lines of up to 256 chars in length, then you lzw that and pad etc. not the end of the world.
14:31 mircea_popescu the rng consumption will be significant though.
14:31 PeterL but that 256 also has to carry stuff like user name
14:32 mircea_popescu yes.
14:32 PeterL still better than twitter, I guess
14:33 mircea_popescu you would see value in eg irc dropping its 200 char limit or what was it ?
14:34 PeterL I do find it annoying that long messages get split, but I guess it is not the end of the world or anything
14:36 PeterL suggestions on a good hash function for a checksum?
14:37 mircea_popescu xor the bytes ?
14:37 asciilifeform lol that's probably the worst conceivable
14:38 mircea_popescu :D
14:38 mircea_popescu !!up PeterL
14:38 deedbot PeterL voiced for 30 minutes.
14:38 mircea_popescu anyway, crcs usually what people use.
14:40 mircea_popescu steal gnuradio's crc32 for instance.
14:41 mircea_popescu iirc openpgp used a crc-24 self-formulation
14:42 mircea_popescu (that =4char thing at the end of the messages)
14:45 mircea_popescu and with this, PeterL finds himself exposed to galois fields, polynomial division, and the rest of the "easy to implement and straightforward" jewels.
14:46 asciilifeform you wouldn't want to use a checksum ( e.g. crc ) for decryptable-legit vs random rubbish distinguisher
14:46 asciilifeform this problem was how we even ended up with cryptological hash functs
14:47 asciilifeform ( if anyone recalls my sageprobe crack ? that was as simple as it was because the thing used crc as hash... )
14:53 mod6 BingoBoingo: 7-ish
14:55 BingoBoingo mod6: ty fxd
14:57 PeterL asciilifeform: ^ what would be the downside of using crc for this?
14:58 * PeterL looks, finds a .py standard lib function for this: binascii.crc32
~ 26 minutes ~
15:25 deedbot http://phuctor.nosuchlabs.com/gpgkey/FB227B026FA94ABC18FD0A71ADB21D83E8E43BBF14F2DEBFE85F490FFF3627B9 << Recent Phuctorings. - Phuctored: 1578...0979 divides RSA Moduli belonging to '82.214.135.102 (ssh-rsa key from 82.214.135.102 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (82-214-135-102.itsa.net.pl. PL)
15:25 deedbot http://phuctor.nosuchlabs.com/gpgkey/FB227B026FA94ABC18FD0A71ADB21D83E8E43BBF14F2DEBFE85F490FFF3627B9 << Recent Phuctorings. - Phuctored: 1618...0213 divides RSA Moduli belonging to '82.214.135.102 (ssh-rsa key from 82.214.135.102 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (82-214-135-102.itsa.net.pl. PL)
~ 1 hours 18 minutes ~
16:43 mircea_popescu asciilifeform yes, well, everything has problems. but there's a difference between using a crc as hash and using a crc as checksum ; and using say sawed-barrel keccak (take first or last x bytes, whatever) isn't all that good because it's really not designed for fragment behaviour like that, nor was such studied
16:46 mircea_popescu trying to stuff a mac or something in there will make the boondoggle regret the days of the aes/rsa combo.
16:48 mircea_popescu besides rsa allows existential forgery ~anyway~.
16:58 asciilifeform waiwat
16:58 asciilifeform whole point of the M+H(M) or no-go combo is to prevent forgery.
16:58 asciilifeform ( if message dun match the prescribed structure -> forgery )
17:07 mircea_popescu so you want to take a message m, add that many random bits to it, and then add twice that many bits as a hash of the pile, thereby using 25% of the space for the plaintext ?
17:07 mircea_popescu (the rsa forgery comment was re sig ^ e mod n || sig mod n always verifies as validly signed.)
17:11 mircea_popescu and incidentally, pss should prolly be in the final tmsr-rsatron huh.
17:13 mircea_popescu http://grouper.ieee.org/groups/1363/P1363a/contributions/pss-submission.pdf for the day of the pdfs.
17:17 mircea_popescu (ftr, the way pgp does it is that it repeats two bytes of a more or less random block of 16 bytes, and then checks if they came out the same. this is in fact WORSE than http://btcbase.org/log/2017-08-09#1696023 but then again contemporary applied cryptography is a very low effort, low quality field).
17:17 a111 Logged on 2017-08-09 18:37 mircea_popescu: xor the bytes ?
17:20 mircea_popescu (believe it or not, the 18 byte lulz is actually specified as such, https://archive.is/QYKu5#selection-3121.6-3121.789 ; worth a read, has null IV and all sorta gems)
17:33 mircea_popescu BingoBoingo by following qntra link, i fell upon http://trilema.com/2014/the-woes-of-altcoin-or-why-there-is-no-such-thing-as-cryptocurrencies/#comment-117679 which i suppose explains http://btcbase.org/log/2017-08-01#1692327
17:33 a111 Logged on 2017-08-01 23:43 mircea_popescu: i suspect steemit is a sort of how did they call that alt-disqus/alt-github "let us steal your content" thing ?
17:34 BingoBoingo Ah, that may be it?
17:36 mircea_popescu guy made a blog, next year but still.
17:40 BingoBoingo Not really made a blog. Started making posts on platform that it seems some other folks made.
17:41 * BingoBoingo not looked into "who made Steemit"
17:41 mircea_popescu it's incomprehensible to me, how this "i moved from a forum to a ... forum" thing works in the public's mind.
17:41 mircea_popescu but, it given, it's no wonder all cars migrating to being the same engine in different plastifications.
17:43 mircea_popescu BingoBoingo http://btcbase.org/log/2016-05-21#1470340 << low effort reddit spinoff ?
17:43 a111 Logged on 2016-05-21 23:31 shinohai: https://steemit.com/girlsgonesteem-nsfw/@steempower/welcome-to-girls-gone-steem#comments <<< the logo even looks like a turd. "steem"
17:46 asciilifeform mircea_popescu: i looked at the pss thing, seems like simply yet another obfuscatorily-complex nsaological artifact
17:47 mircea_popescu iirc there is a proof it is as secure as rsa.
17:47 asciilifeform replete with magicnumbers, 'random oracle' assumptions, 'perfect hash', and other maculae
17:47 mircea_popescu what is this, bayesian proof evaluation ?
17:48 asciilifeform mno, i did go & read
17:48 asciilifeform here's a gem :
17:48 asciilifeform ''When RSA is the underlying primitive, something even more is known: that the ability to forge with resources R in an attack which does not exploit some structural characteristic of the MGF implies the ability to invert RSA on random strings using computational resources only slightly greater than R.''
17:48 mircea_popescu so what is teh fail ?
17:48 asciilifeform see problem ?
17:49 asciilifeform thing ~assumes~ own conclusion ! aquinas-style.
17:50 mircea_popescu wait.
17:50 asciilifeform now if you want a pubkeycrypto where this proof actually exists, i know of exactly one : cramer-shoup
17:51 mircea_popescu the statement is that if pss is used atop rsa, then barring poor implementation a forgery is going to cost more than what reversing rsa costs.
17:52 asciilifeform ( my distaste for it comes largely from it not being rsa, and from a suspicion that enemy has a partial pill against discrete logarithm problem , given that dsa was based on same )
17:52 mircea_popescu pubkey crypto dun enter into it, this is a discussion of signature hashing (digests, really) schemes.
17:52 mircea_popescu distaste for c-s ?
17:52 asciilifeform possibly distaste is wrong word
17:52 asciilifeform but for above reasons i prefer rsa.
17:52 mircea_popescu i thought there's consensus re offering c-s in teh tmsr cryptotron
17:53 asciilifeform i don't know of any hard, tangible reason to avoid it.
17:53 asciilifeform at any rate it is just as easily implemented on pmachine as rsa.
17:53 mircea_popescu afaik pretty much the only candidate besides rsa itself.
17:53 asciilifeform ( dun require any new primitives )
17:53 asciilifeform aha.
17:53 asciilifeform i know of no others worth bothering with.
17:54 mircea_popescu but in my own mind the "well alf is making P" pretty much was "he's walking the path to both cs and rsa impls to the furthest node"
17:54 asciilifeform correct.
17:54 mircea_popescu otherwise why implement a ptron rather than simply a rsatron.
17:54 asciilifeform incidentally you get best attributes of both if you harness them as i described, via otpxor
17:55 asciilifeform ( yet another reason for pmach )
17:55 asciilifeform you can do more or less whatever variations on whichever theme, you feel like, all it costs is a few extra chars in pubkey
17:56 erlehmann btw i found a new social game
17:57 erlehmann 1. mention non-existence dependencies to people who know C and/or C++
17:57 asciilifeform erlehmann: incidentally what exactly is a 'nonexistence dependency' ?
17:57 erlehmann 2. look on while almost all of them develop the exactly same train of thoughts (including fixing make, which is impossible for this kind of program)
17:58 mircea_popescu asciilifeform that for x to work, y has to not exist.
17:58 mircea_popescu like you know, poisons.
17:58 asciilifeform granted, but when would this come into play ?
17:58 asciilifeform in erlehmann's context
17:58 mircea_popescu i dunno he has some abstractive grammars itch.
17:58 asciilifeform didn't we do the STOP FUCKING PARTIALMAKING thread ?
17:59 erlehmann asciilifeform on systems with multiple include paths, a C or C++ header file is looked for in location A, B, C. it is found in directory C. it does not exist in location A or B.
17:59 asciilifeform clean the fucking chalkboard
17:59 erlehmann s/directory/location
17:59 asciilifeform flush the toilet.
17:59 erlehmann if C changes, the target needs to be rebuilt. that is a dependency.
17:59 asciilifeform multiple include paths are retarded.
17:59 erlehmann if A or B start to exist, the target also needs to be rebuilt. that is a non-existence dependency.
17:59 asciilifeform they correspond to a vgraph with contradictory inputs.
17:59 mircea_popescu well, systems without patch are also retarded.
18:00 asciilifeform systems are to be fixed - i.e. brought into conformance with vtronics -- or discarded.
18:00 asciilifeform no third.
18:00 mircea_popescu asciilifeform anyway, let's sit down and make something sane for this guy. peterl i mean. what's his message supposed to be like ?
18:00 erlehmann asciilifeform that is one possible answer to the thing. the thing that starts the triggering is usually a combination of said devs using make and realizing that this is, indeed, a problem.
18:00 mircea_popescu letting him "figure for self" at this juncture is unsanitary.
18:00 asciilifeform erlehmann: the problem however is not where you seem to put it
18:01 BingoBoingo mircea_popescu: Looking like exactly that
18:01 erlehmann asciilifeform C header files are only one instance of such non-existence dependencies, where the existence of a thingy invalidates the assumptions that went into building another thingy.
18:01 erlehmann they are only arguably the most common one
18:01 asciilifeform erlehmann: are you familiar with how v works ?
18:01 erlehmann and excellent for stunning freeBSD developers btw
18:02 asciilifeform erlehmann: the problem you describe is absent in v
18:02 erlehmann asciilifeform you are correct
18:02 asciilifeform erlehmann: if it is present in whatever you are using instead -- your process is broken
18:02 erlehmann asciilifeform it is always absent if you always build clean
18:02 mircea_popescu erlehmann that's not what v does.
18:03 erlehmann mircea_popescu in a way, it does. no?
18:03 asciilifeform erlehmann: the building-clean thing is sanity. we had this thread. if your program is 'too big to always build clean', IT IS TOO BIG
18:03 asciilifeform cut it. like procrustes, or into independent subsystems, i don't care how
18:04 asciilifeform no program has any business being a billion line build.
18:04 mircea_popescu erlehmann it's a pile of patches. how the compiler optimizes the rebuilding is irrelevant ; if you change one file it can rebuild the whole thing or not ; but v still only changes the one file and still doesn't have the problem.
18:04 erlehmann asciilifeform correct. the talk begins with me mentioning non-existence dependencies and ends with the recipient either having a solution (one guy), being aware of the problem already (i counted two) or being unaware of it but being aware that their software is a lie.
18:05 erlehmann the solution turned out to be a non-solution btw
18:05 erlehmann something involving a goedelized perl script that builds all build rules that don't build themselves. drugs were probably involved.
18:06 asciilifeform erlehmann: you seem to be fixated on a problem that simply doesn't exist in sane contexts
18:06 asciilifeform !#s martian problem
18:06 a111 4 results for "martian problem", http://btcbase.org/log-search?q=martian%20problem
18:06 erlehmann asciilifeform the goal of the game is to make dev aware of context being insane
18:07 asciilifeform http://btcbase.org/log/2014-11-26#934853 << thread
18:07 a111 Logged on 2014-11-26 01:11 asciilifeform: 'I’d like to see one expression coined by the poker writer Matt Matros become common parlance, since it applies far more widely than only to poker. An “alien problem” means some problem that might be fun, interesting and educational to analyze, and it would be really important to know the solution if you ever found yourself in that situation, but the point is that you shouldn't even be having that problem in the first pl
18:07 * asciilifeform brb
18:08 erlehmann indeed, one part of the solution is to return to earth
18:09 mircea_popescu to encrypt : take plaintext message M, no longer than 250 bytes, and zero-pad it to 250 bytes. take pile of random bits R 250 bytes long. calculate X = M xor R. calculate Y = R xor MPFHF(X) set for R.len = 250 bytes. RSA the 500 byte pile of X || Y. done. to decrypt : de-RSA the 500 byte pile. cut it in two halves. calculate R = Y xor X. calculate M as X xor R. done.
18:09 mircea_popescu how's that sound ?
18:10 mircea_popescu erlehmann did anything further come of it ?
18:12 erlehmann mircea_popescu one person hallucinated having seen the elusive djb redo c code that ultimately did not exist. another person was a release manager and made sure the problem does not exist. a third person wrote a cmake thingy longer than my own redo implementation. a freebsd developer confirmed the problem exists.
18:12 erlehmann mainly i realized why my talk to the conference was rejected
18:12 asciilifeform mircea_popescu: mphf in a fixedtime fixedspace system is insane
18:12 erlehmann because the reaction of most people to it is
18:12 mircea_popescu asciilifeform most importantly, do we ACTUALLY want to do something pgp-retarded like say R.len = 200 bytes, repeat the last 50 for a 250 byte total then use the repeat to make sure you decrypted correctly ?
18:12 erlehmann 1. this is not a problem at all in my process
18:12 mircea_popescu asciilifeform what else makes arbitrary size output ?
18:12 erlehmann 2. yes, this might be a problem for some, but it never happens to me
18:12 mircea_popescu but yes insane.
18:13 asciilifeform keccak?
18:13 asciilifeform or any other sponge
18:13 mircea_popescu i thought it's any input fixed output
18:13 erlehmann 3. yes, this is not detectable, but the effect is negligible
18:13 erlehmann 4. yes the effect matters. we can patch make, though
18:13 asciilifeform mircea_popescu: nope that'd be classical hashes
18:13 erlehmann 5. make is unfixable, but we can patch gcc!
18:13 mircea_popescu erlehmann which talk is this ?
18:13 erlehmann (which does not help btw)
18:13 asciilifeform sponge goes from any-input to desired-width-out
18:14 * asciilifeform bbl, meat
18:14 mircea_popescu asciilifeform i guess when he comes back from the mpfhf reverser ima make him do a keccak impl that ACTUALLY does the any-output thing. afaik they're all 32/64byte
18:14 mircea_popescu but afaik keccak isn't that fix-space-able either.
18:14 erlehmann mircea_popescu i wanted to give a talk about non-existence dependencies at SHA 2017 and it was rejected with “provide a 5min lightning talk on problem instead”. problem: 5min are enough to understand the problem, not why you are having it or what follows from it.
18:15 mircea_popescu erlehmann was this paid ?
18:15 erlehmann one lulzy consequence is that a lot of software might have been released with subtly wrong header files included
18:15 erlehmann mircea_popescu like, ticket? it was camping, mostly
18:15 mircea_popescu did they pay you to do a talk.
18:15 erlehmann no, they rejected my entry
18:16 erlehmann like, my submission
18:16 mircea_popescu do you know who harlan ellison is ?
18:16 erlehmann maybe i am not clear enough: i did not get to hold a talk so i talked to random c developers for fun.
18:16 erlehmann mircea_popescu not yet
18:17 mircea_popescu aite, here : https://www.youtube.com/watch?v=mj5IV23g-fE
18:17 mircea_popescu watch at least until he says turnip
18:28 erlehmann on train now, later
18:28 mircea_popescu "tell that to some guy a little younger than you, who just fell off the turnip truck. there is no publicity value in my talk being at your conference. what, if you sell 2000 of them it'll be a miracle. and what, what are people going to say, uuuuuu i like how that erlehmann talks, i wonder if he's got a blog or anything".
18:29 mircea_popescu nobody knows what the fuck "sha 2017" is. nobody cares. even the people paid to fucking care stopped giving a shit in the 90s, as that nsa goon at "crypto conferences" piece amply attests.
18:30 mircea_popescu hanging out with any other troop of stoners would be a better use of your time, in the sense of variety.
~ 17 minutes ~
18:47 mircea_popescu in other lulz : obviously there's a "foundation" and a "code of conduct" (the usgistani nonsense copy/pasted) and a freenode chan, why not. ~600 accounts logged in (specifically : http://p.bvulpes.com/pastes/yDU6G/?raw=true ) , ZERO anyone has to say at all whatsoever. most are related to matrix.org, which is a pile of nonsensical lulz which you're more than welcome to try and make sense of by yourself. in any case, it's an "
18:47 mircea_popescu independent" "free" bla bla made by amdocs employees. which YES, is that thing made by the israeli golden pages, and YES is that thing involved in the espionage scandals. and so on.
18:48 mircea_popescu but isn't it great that all mgm needs to do is to put on a coupla hats and suddenly the turnips think themselves human fucking beings ?
18:52 asciilifeform http://btcbase.org/log/2017-08-09#1696171 << it dun branch-on-secrets if correctly made. so yes fixed.
18:52 a111 Logged on 2017-08-09 22:14 mircea_popescu: but afaik keccak isn't that fix-space-able either.
18:53 mircea_popescu are we talking the keccak reference code here ?
18:54 asciilifeform the algo strictly
18:54 asciilifeform the 'reference' is sad
18:54 mircea_popescu yeah well, above his pay grade.
18:54 mircea_popescu but yes, i agree that in principle something-like-keccak could be made to spit arbitrary len digests ; and perhaps also in fixed space. the latter will require actual impl to settle.
18:55 asciilifeform fwiw i have a half-built one here. on hold until p.
18:55 asciilifeform mircea_popescu: amusingly that was almost whole point of keccak
18:55 mircea_popescu no, i know.
18:55 mircea_popescu well barnacled.
18:55 asciilifeform that and killing length extension attack idiocy
18:56 mircea_popescu ftr, we both talking http://keccak.noekeon.org/KeccakReferenceAndOptimized-3.0.zip ?
18:57 asciilifeform but this being said , i am not even ready yet to barf re ref-keccak, i aint even yet done barfing re ffa not having already existed
18:57 asciilifeform srsly wtf, oughta have been written in 1993 at the latest
19:00 mircea_popescu the herd is lazy, the apparatchiks are scared, and the intelligent are lost in the soup, interacting with cattle and criminals as if they were people.
~ 41 minutes ~
19:41 pa1atine hi all, great reads I had those days. logs are a trove of wisdom
19:43 pa1atine http://btcbase.org/log/2017-08-09#1696206 < first verse of your religious leader sermon? ;)
19:43 a111 Logged on 2017-08-09 23:00 mircea_popescu: the herd is lazy, the apparatchiks are scared, and the intelligent are lost in the soup, interacting with cattle and criminals as if they were people.
19:44 trinque sorry, we're past our quip quota for the day. what else you got?
19:44 pa1atine nothing, really
19:45 pa1atine just back reading all the stuff
19:45 pa1atine much catch up to do
19:52 pa1atine http://btcbase.org/log/2017-07-18#1686026 <this one was the one that got me occupied the last couple days
19:52 a111 Logged on 2017-07-18 18:23 mircea_popescu: asciilifeform understand this bit of GT : the knowledge of all the things you don't know thereby constructs a sybil of you.
~ 20 minutes ~
20:13 PeterL just wanted to verify that http://btcbase.org/log/2017-08-09#1695864 was indeed me
20:13 a111 Logged on 2017-08-09 17:10 PeterL: I will check in later once I am back at my computer with my key to verify this conversation has been with the real PeterL
20:15 PeterL http://btcbase.org/log/2017-08-09#1696147 << I don't think we need to do a hash on the data, it is already xored with the random string
20:15 a111 Logged on 2017-08-09 22:09 mircea_popescu: to encrypt : take plaintext message M, no longer than 250 bytes, and zero-pad it to 250 bytes. take pile of random bits R 250 bytes long. calculate X = M xor R. calculate Y = R xor MPFHF(X) set for R.len = 250 bytes. RSA the 500 byte pile of X || Y. done. to decrypt : de-RSA the 500 byte pile. cut it in two halves. calculate R = Y xor X. calculate M as X xor R. done.
20:18 PeterL and wouldn't you also need to know S if you are going to reverse the MPFHF from a given R?
20:19 PeterL Is there a way to calculate the probability that a random string of 256 bytes will pass a csc check?
20:20 PeterL csc32 that is
20:20 PeterL ack, I meant crc32
20:23 mircea_popescu !!up pa1atine
20:23 deedbot pa1atine voiced for 30 minutes.
20:24 mircea_popescu !~later tell peterl the hash-xor thing is oaep, which is a provedly strong padding scheme for rsa.
20:24 jhvh1 mircea_popescu: The operation succeeded.
20:26 mircea_popescu reversing MPFHF is not required for the above quoted version, as the fhf is used there as a hash function not as a padder. (and alf's objection is valid, not a very good option, a settable size output sponge would be much better).
20:27 mircea_popescu reversing mpfhf is required for the padding scheme originally described, whereby you simply mpfhf the plaintext message and then encrypt the S + R, see http://btcbase.org/log/2017-08-09#1695856
20:27 a111 Logged on 2017-08-09 15:58 mircea_popescu: anyway, let it be said that there's nothing wrong with oaep as far as we know, but for the sake of argument a mpfhf based padding scheme would conceivably work like this : 1. given message m, of length l, generate r = random bits, of length l' up to l but not less than 256 bits. 2. compose m' = r + m + c (in that order), where c is l - l` (and its bitness is always same as the bitness of len(m')-256). 3. compose Pm = R + S +
20:27 mircea_popescu these two are not the same thing.
20:28 mircea_popescu and finally re crc : given a string S of any length, the probability of a string S' where less than 32 bits have been altered in a "burst" passing crc32 is 0. if you go over 32 bit long bursts the probability is ~ proportional to the burst length / 32.
~ 1 hours 53 minutes ~
22:22 mod6 <+erlehmann> something involving a goedelized perl script that builds all build rules that don't build themselves. drugs were probably involved. << dafaq is this dude on about?
~ 19 minutes ~
22:42 asciilifeform soooo ACHTUNG PANZERS , asciilifeform went and actually tried http://btcbase.org/log/2017-08-08#1695511 :
22:42 a111 Logged on 2017-08-08 23:51 asciilifeform: it thereby follows that i could unroll comba into explicit cases from 1 to 8 words
22:43 asciilifeform for simplicity, tested the case that actually happens in practice: on a 64bit box, any ffa width over 512 bits gives a strictly 8-wide comba mult occurrence
22:44 asciilifeform and so here http://wotpaste.cascadianhacker.com/pastes/hoM4U/?raw=true we have a combasquareatron explicitly unrolled for 8-word operand
22:44 asciilifeform ( yielding 16 word result )
22:44 asciilifeform it is loop- (and any other jump) - free
22:44 asciilifeform so theoretically x86 branch predictor oughta be very very happy;
22:46 asciilifeform HOWEVER the actual result is : ~13% cut in execution time.
22:47 asciilifeform so imho it is not worth it.
22:47 asciilifeform mircea_popescu, phf , mod6 , et al ^^
22:50 mod6 hmm, nice test though
22:50 asciilifeform had to.
22:51 asciilifeform itched to find, what if another 2x vrooom is possible.
22:51 asciilifeform but apparently branch predictor dun matter so much when your entire thing is ~guaranteed to fit in cache
22:56 mod6 yeah, worth the hunting trip
22:57 asciilifeform there's still a dilemma tho :
22:57 asciilifeform the unrolled-8word thing is 1) less general 2) harder to read with naked eye but 3) easier to prove correct
22:58 asciilifeform 3 of course because no branching
22:58 asciilifeform you can reduce it algebraically
22:59 asciilifeform so currently it is not obvious to me, which variant is Moar Right Thing
23:00 asciilifeform ( i'ma keep the general case, for nao, because it is always very easy to turn it into the above later. but not vice-versa. )
23:00 mod6 sure. keep it in your back pocket.
23:02 asciilifeform aite, nao all asciilifeform needs is a constantspacetime MODULAR exp algo that can be expressed with the mux primitive
23:02 asciilifeform and then we can play.
23:04 asciilifeform ( nobody seems to have produced a branch-free montgomery-reduction algo. or any other division-free modexp. )
23:05 asciilifeform srsly this entire exercise has been a brainmelting tour of the sheer unfathomable worthlessness of 'the literature', 'the cryptography komyoonity', et al
23:08 asciilifeform 'sorry you can't have multiplication in algebraic - branch-free - form ! That Would Be Wrong'
23:11 mircea_popescu asciilifeform yeah, i guess. depends though, good to have both variants.
23:11 mircea_popescu honestly i don't believe the somewhat more cl is such a problem.
23:12 asciilifeform mircea_popescu: it'd be many moar , to correctly handle cases of 1-7 word too
23:12 mircea_popescu anyway. i think the point re : fathers are worthless , siblings are severely retarded is well vindicated
23:12 asciilifeform ( a ptron is permitted to be invoked with any bitness that is multiple of 64 )
23:13 asciilifeform waiwat
23:13 asciilifeform did i miss a whole thread
23:13 mircea_popescu asciilifeform i doubt it. ~nobody who came before did anything useful and ~nobody currently active has an actually functioning brain.
23:13 asciilifeform aa
23:14 mircea_popescu anyway, re the unrolls : it's really not that bad, because of the patterns. it's only "unreadable" because alien because too much time spent reading code written by idiots.
23:14 mircea_popescu will get used to it (tm)
23:14 asciilifeform we definitely don't need any case of comba above 8 tho
23:14 mircea_popescu right.
23:14 asciilifeform currently i lean to unrolling them ~in the proof doc~ and leaving proggy as is.
23:15 asciilifeform tabula proof!
23:15 mircea_popescu i am all for keeping the unrolled version at the ready ; but i really see no problem with having and using the unrolled loops version. you read it once, over a weekend or a week, and you use it ten billion times over fifty years.
23:15 mircea_popescu tell me 13% of 50 years somehow comes out to less than a week ?
23:15 asciilifeform anyway this is the easy bit. hard bit apparently is the final crown, coughing up a sane modexp
23:15 asciilifeform turns out, none is publicly known.
23:16 asciilifeform ( every single motherfucking modexp in the open lit, branches on seekrit )
23:16 mircea_popescu coincidentally.
23:16 asciilifeform ^ if asciilifeform is wrong here, folx, plz to write in !!
23:17 asciilifeform knuth has one with 'addition chains', but it requires the exponent to be welded into place for all time
23:17 asciilifeform and as such is unsuitable for ptron
23:18 asciilifeform ( generating ideal additionchain for a particular exp, incidentally, is np-hard )
23:18 mircea_popescu myeah
23:18 mircea_popescu and a possible candidate for "alt cryptosystem" at that.
23:18 mircea_popescu i think we even spoke of it back in the day
23:19 asciilifeform has same problem as every other nphard
23:19 asciilifeform (no way to prevent 'easy case')
23:19 asciilifeform (problem from 'use as cryptosystem' pov)
23:20 asciilifeform or, more formally, no way to prove the absence of arbitrary number of classes of 'easy case'
23:20 mircea_popescu !#s kochanski
23:20 a111 2 results for "kochanski", http://btcbase.org/log-search?q=kochanski
23:20 asciilifeform he's the d00d with the '90s rsa chip
23:21 mircea_popescu yes but also has a reduction method iirc ?
23:21 mircea_popescu which was serializable
23:21 mircea_popescu http://www.nugae.com/encryption/bin/design.pdf << that
23:22 asciilifeform it's catastrophically slow on general-purpose comp
23:22 asciilifeform AND branches on seekrits.
23:22 mircea_popescu ah is it ?
23:22 asciilifeform aha. wants fast bittwiddle
23:22 asciilifeform ( rather than word arithm )
23:23 mircea_popescu but you serialize and do a whole word's worth of bit diddle as a xor
23:23 mircea_popescu there's no rule you must do the parts in order or anything
23:23 asciilifeform you can, but still have the 'guessing and undo' thing
23:23 asciilifeform ergo much branching. and all of it on seekrit bits.
23:23 mircea_popescu hm
23:23 asciilifeform what is needed is a wholly algebraic process. like my mult.
23:24 mircea_popescu no but you write it as a full matrix, you get the undo for free
23:24 asciilifeform where control flow is SAME regardless of what the exponentiation args are.
23:24 asciilifeform it is the only acceptable form for ptron.
23:24 asciilifeform otherwise whole thing is a massive waste.
23:24 mircea_popescu it would take a shitload of memory wouldn't it
23:24 asciilifeform (' a little bit ' of seekrit-branch is same as 'little big pregnant' )
23:24 asciilifeform no reason why it oughta
23:25 asciilifeform now if you were to try to rsa by exping first and THEN mod, the universe could not hold your intermediates
23:25 asciilifeform so that falls out trivially.
23:25 asciilifeform any practical modexp algo has to 'mod as it goes along'
23:25 mircea_popescu im still talking of trying to adapt kochanski's thing
23:26 asciilifeform if you can picture a branch-free form, lemme know
23:26 asciilifeform i dun see it
23:26 mircea_popescu asciilifeform he is doing this D-to-k table thing
23:26 asciilifeform ( the infallible litmus for ffability : 'can this be UNROLLED TO DEATH?' if not -- no go )
23:26 mircea_popescu but you don't have to use a table, you should be able to make it work in a matrix
23:27 asciilifeform also his thing uses carry-save form
23:27 asciilifeform which dun work with conventional machine arithm
23:28 mircea_popescu i am telling you, his thing is ripe for rewriting in a more apt notation. he is misrepresenting it because thinking in terms of fucking logic gates
23:28 asciilifeform understand, that's how he makes the ops independent ( rather than chained )
23:28 asciilifeform by ignoring the carry, and reconstituting later
23:29 asciilifeform we cannot do this. because the simplicity of ffa comes from using strictly ordinary machineword arithmetic.
23:29 asciilifeform where, e.g., word addition, is sequential.
23:29 mircea_popescu you can add the words in any order you wish and you can keep whichever intermediates you feel like
23:29 mircea_popescu he -- cant
23:29 asciilifeform mno.
23:30 asciilifeform there is carry.
23:30 asciilifeform can't 'add in any order you wish'
23:30 mircea_popescu there is carry
23:30 asciilifeform nor subtract
23:30 mircea_popescu hm
23:31 asciilifeform incidentally various heathen bignumtrons use carry-save form. it is one of the reasons why they are 10,000s of lines, and mine is ~1k.
23:32 asciilifeform it was the most effective optimization i knew, and the one i rejected first and most incurably.
23:32 asciilifeform because antifitsinhead.
23:37 mircea_popescu mgh.
23:48 asciilifeform the sad and slow constantspacetime solution, is the same exponentiation-by-squaring ffa has now, http://wotpaste.cascadianhacker.com/pastes/BVxyN/?raw=true , but after FZ_Square(B, B, C_Sqr); we FZ_Mod(B, M B) every time.
23:48 asciilifeform ( for modexp, that is )
23:48 asciilifeform grr,
23:48 asciilifeform FZ_Mod(B, M, B)
23:50 asciilifeform http://wotpaste.cascadianhacker.com/pastes/HuJDk/?raw=true << for anybody who forgot how division worx.
23:50 asciilifeform sloooow
23:52 asciilifeform division is the single most expensive arithmetic op.
23:52 asciilifeform there is not an equiv of karatsuba for it
23:52 mircea_popescu this is irksome
23:53 asciilifeform aha!
23:56 asciilifeform currently trying to express montgomery reduction ffaically.
23:56 asciilifeform ( for 3 wks or so nao... )
23:57 asciilifeform but if anyone has better idea -- write in
23:59 mircea_popescu heh. the graph of a ^ x mod b looks eheheheheeexactly like the riemann functions / unit covering shenanigans.
23:59 mircea_popescu i know that face glaring back at me. it is the face of unyielding fucking doom.