
a111: Logged on 2016-08-18 12:32 mircea_popescu: asciilifeform since we're on this btw, the way i want tmsr-rsa key generation to work is as follows : a contains a number of entropy bytes specified by user in tmsr-rsa.conf read whenever tmsr-rsa.conf specifies (such as urandom); b contains a base-tmsr string specified by user. c = base-tmsr(a).b ; p = nextprime(cut(sha512(c),257)) ; process is repeated for q = nextprime (cut(sha512(c'),258));
mircea_popescu: PeterL you can't use unpadded rsa. it dun work that way.
mircea_popescu: !~later tell peterl the hash-xor thing is oaep, which is a provably strong padding scheme for rsa.
a111: Logged on 2017-08-09 22:09 mircea_popescu: to encrypt : take plaintext message M, no longer than 250 bytes, and zero-pad it to 250 bytes. take pile of random bits R 250 bytes long. calculate X = M xor R. calculate Y = R xor MPFHF(X) set for R.len = 250 bytes. RSA the 500 byte pile of X || Y. done. to decrypt : de-RSA the 500 byte pile. cut it in two halves. calculate R = Y xor X. calculate M as X xor R. done.
mircea_popescu: to encrypt : take plaintext message M, no longer than 250 bytes, and zero-pad it to 250 bytes. take pile of random bits R 250 bytes long. calculate X = M xor R. calculate Y = R xor MPFHF(X) set for R.len = 250 bytes. RSA the 500 byte pile of X || Y. done. to decrypt : de-RSA the 500 byte pile. cut it in two halves. calculate R = Y xor X. calculate M as X xor R. done.
mircea_popescu: but in my own mind the "well alf is making P" pretty much was "he's walking the path to both cs and rsa impls to the furthest node"
mircea_popescu: afaik pretty much the only candidate besides rsa itself.
mircea_popescu: the statement is that if pss is used atop rsa, then barring poor implementation a forgery is going to cost more than what reversing rsa costs.
mircea_popescu: (the rsa forgery comment was re sig ^ e mod n || sig mod n always verifies as validly signed.)
mircea_popescu: trying to stuff a mac or something in there will make the bondogle regret the days of the aes/rsa combo.
PeterL: the other option would be to use rsa keys of half the size, allowing only 256 byte messages
PeterL: mircea_popescu: but encrypting the r to one key and the r xor m to a second key, so you end up with two rsa-key-length segments
mircea_popescu: PeterL what is the scheme contemplated here, that you take a say 8 byte message, generate an 8 byte r, then create a 16 byte padded message by appending the r and the r xor m and then rsa that ?
a111: Logged on 2017-08-09 14:24 mircea_popescu: https://www.ti89.com/cryptotut/rsa3.htm << very handy rsa tutorial in that it uses base 10 and alphabet-indexing for letters. so one can actually rsa by hand and get a good model of what's going on.
mircea_popescu: but in any case, the point is -- rsa is not better for shorter messages. for really short messages it can be really shitty. which is why my 256 minimum bits in the padding scheme.
mircea_popescu: short messages are a problem for rsa, not a boon. this is generally fixed by padding.
mircea_popescu: PeterL let's get back to cogency here. how did you come to the "512 rsa packet limit" ?
PeterL: well, udp packet is a lot bigger than the 512 bytes that fit in a rsa packet, why waste all the space?
mircea_popescu: don't even have to, but consider the context. yes "it's what rsa is", that's what i'm checking, that he knows.
mircea_popescu: asciilifeform i was discussing a more general rsa scheme, not gossipd specifically.
mircea_popescu: this scheme is both slow and bulky. it is not likely useful for gossipd-style comms. it is certainly valuable for signing material, especially because rsa signature is much more padding-vulnerable than encryption ; and perhaps for some limited encryption work.
mircea_popescu: c (in that order), where R and S are produced by mpfhf(m') with R len set to c (bitness same as bitness of len(Pm). Pm will be the padded message sent to RSA. The recipient will have to undo mpfhf with known R and S to obtain m.
mircea_popescu: and since we're apparently doing rsa likbez : if r used in padding above contributes less than n / e^2 bits of entropy to the final, padded message, coppersmith has a few words to tell you.
mircea_popescu: PeterL terrible, terrible thing, which is why irl rsa is always padded.
mircea_popescu: and upstream, to make clear what "semantic security" means : rsa is deterministic, if i wish to see if your "encrypted" string really was message m, all i have to do is encrypt m myself. if the results match i have cryptographic confirmation.
mircea_popescu: now : textbook rsa (the sort of thing you seem to be discussing, above) has no semantic security and on top of that is malleable.
PeterL: it also serves as a practice for me for understanding rsa algorithm
PeterL: and so it uses your proposed "virtual otp" straight rsa encryption
PeterL: I took a stab at writing my own rsa