log☇︎
141400+ entries in 0.09s
asciilifeform: diana_coman: aside from von neumann, and the crc encyclopaedia of well-known algos, i cannot in good conscience recommend much reading. there are works devoted to specific known attacks on rsa ( song y. yang, plus a few ru items ) ; at least 1 dead tree on differential cryptoanalysis ( how items like des get trivially demolished ) whose author presently escapes me; and that's just about it
asciilifeform: diana_coman: the writer is typically a schneier-style wretch who made 'the bargain' and very well knows about otp
diana_coman: that being said, whenever I find I don't even have that poor picture as full and as clear as I'd like, I'm still left with little other choice then to go and read; possibly again, what can I do
asciilifeform: ( full usage/dep topology for every named entity in your proj )
diana_coman: asciilifeform, I suspect it's quite possible that the writer would end up with that q so... no book
asciilifeform: in today's gnattronics finds :
mircea_popescu: something quite like that.
asciilifeform: to produce the brick of nonsense that follows
asciilifeform: including the otp proof would immediately invite the q, in even a half-awake reader, of why the fuck the rest of the tree had to die
mircea_popescu: dun look good together.
mircea_popescu: hey, every ro "blog" omits mention of trilema.
asciilifeform: ( and , jaw-droppingly, just about every book 'on crypto' omits the otp proof. that very same, that constitutes the alpha and the omega of what's actually proven in the subject at all )
asciilifeform: but as for the general principles which a naive n00b might hope to find in such a work -- there's nothing since old man john von n.
asciilifeform: which is why 'hitting the books' is a very limited proposition. the most that can generally be asked from the dead trees, is an accurate picture of the popular algos, plus details of the most well-known attacks on various (e.g. lenstra's, pollard's, etc )
asciilifeform: diana_coman: there is ~nothing serious printed on the subject publicly since... von neumann
mircea_popescu: now, the expectation is that a full day of play will produce less than say 2^15 or so messages.
mircea_popescu: in ~principle~ serpent doesn't expose the key anymore than it exposes the cipher. the claim is that if you know about 2^100 or so plaintext-ciphertext matches you can extract the key.
diana_coman: k, I think I got it
diana_coman: mircea_popescu, and then when client enciphers with 1 from a set of 8 selected from those 16: does this mean reusing that 1 key for as many 128 chunks that particular eulora message has? or do you mean 1 per chunk ?
mircea_popescu: asciilifeform yes but taking the assumptions other way to see how bad it looks.
mircea_popescu: but if memory serves the "attack" on serpent used 2^100 plaintexts sorta deal
mircea_popescu: and suddenly the fg entropy debit is relevant : eulora server will be capable to produce iirc no more than 64 serpent keys/second per installed FG.
mircea_popescu: the major advantage of which is that user will be able to enjoy security flowing from server even without own fg.
asciilifeform: actually if client doesn't get to generate keys
mircea_popescu: diana_coman i guess we'll define a "control packet" which is always the first 128 bits of every comm, which will contain data such as "killed key #x moved to #y" and also "running out of keys send moar".
a111: Logged on 2017-11-22 21:56 asciilifeform: my approach is a universal 'stretcher', predicated on having reasonably fast and high-quality trng.
mircea_popescu: diana_coman thereby all game packets will be multiples of 128 bits, and in principle a client can live off the first original rsa op its entire life if it so wishes.
asciilifeform: iirc this is the scheme asciilifeform originally suggested.
mircea_popescu: this actually seems a rather workable method tbh.
mircea_popescu: asciilifeform client just keeps a list. adds to it when rsagram
asciilifeform: dun have to swap ~all~ the keys every time there's an rsagram
mircea_popescu: when left with two unburned gets new set.
mircea_popescu: anyway, so what's the work mode here, every now and again server sends client a rsa-encrypted packet containing 16 aes keys ; client enciphers its comms to the server with one selected from a set of 8 selected from those 16 ; and deciphers server's with one selected from set of 8 other than previous set. now and again burns a key.
mircea_popescu: check it out, diana_coman has found de-facto work-around to "my theme overwrites text up top" : put an intro in, page or so before code :D
asciilifeform: ( in other 'gangrene ? what gangrene?' horrors : 'LibTomCrypt is pretty nice to read (only bug found in last 10 years was in prime generation — failed to iterate Miller-Rabin)' -- from turd https://comsecuris.com/slides/slides-bignum-bhus2015.pdf re broken bignumatrons. cited line presented as a 'hey it's pretty good'... )
mircea_popescu: so basically we'll be reusing serpent keys, is the idea ?
asciilifeform: ah with no splits then yea
asciilifeform: i read that line as a restatement of the ancient 'seekrit algos are a stupidity, honest crypto keeps only privkey seekrit' truism
a111: Logged on 2017-11-14 14:55 mircea_popescu: this is the problem with "complexify the code machine" tendency. somehow it appears intuitively evident that having a portion of the code INSIDE the machine is "a more complex, therefore a more secure system". it is not. 100% of the key belongs in the key.
mircea_popescu: asciilifeform dja recall the discssion with apelyobee fellow ? http://btcbase.org/log/2017-11-14#1737658 ☝︎
asciilifeform: y'know the splits dun all have to be ciphered with same scheme
asciilifeform: keccak, i meant, turned up missing items
asciilifeform: mircea_popescu: the current serpent www is at the very minimum known to be missing items from before
mircea_popescu: OTHER 1998 documents, of lesser political sensitivity, exist there in original format.
mircea_popescu: asciilifeform the "specificication" published on cambridge page is most likely a later fake. it's a 2006 item supposedly of a 1998 document.
diana_coman: mircea_popescu, let me see if I got this right re "patch": simply apply serpent as it is and then at the next level up glue x keys together and send as "key", glue the corresponding x outputs together and use as "output"; basically lump together 16 serpents
mircea_popescu: asciilifeform right you are, it's in the... 2006 spec.
mircea_popescu: asciilifeform i have this itching half-memory that serpent 256 was actually defined
asciilifeform: because ultimately yes 'down to the 4bit sbox!'
asciilifeform: sad, innit. asciilifeform for instance has a mtbf of about 1hr when reading about symmetric ciphers. after that -- barf
mircea_popescu: it's bullshit all the way down, "the 4096 bit block gets cut into 16 sub blocks to be fit into rotorizers that cut each block into 64 bits and process with their 4 bit s boxes". because we're from the fucking cartoons. ☟︎
mircea_popescu: anyway, whatever, diana_coman : the correct implementation approach to patch the 256 bit serpent into 4096 bit rsa is to cut every rsa block into 16 fragments, cipher each independently with diff keys, then paste the 16 keys together make 4096 bit of key.
asciilifeform: modular exp is intrinsically costlier , at least on pc iron, than the idjit rotorization used in symmetrics
asciilifeform: it does cost moar tho. even once i'm done with the asm version.
mircea_popescu: and why trhe fuck am i using "4 bit permutations"
asciilifeform: really not hard to see
mircea_popescu: dja see why i'd muchly prefer a native tmsr.rsa length symmetric cypher rather than this nonsense ?
asciilifeform: ( the latter is defined as a family of functions, and so 'rubber' )
asciilifeform: rather like the diff b/w sha512 and keccak
asciilifeform: mircea_popescu: serpent isn't defined as a stretchable thing - i.e. it isn't obvious what ought to be changed to produce a larger ( or smaller, for that matter ) block, and still to have it meaningfully similar to original
a111: Logged on 2017-11-22 21:45 asciilifeform: anyway for 512bit key, you still keep the 128bit block. but each time you have incoming 128b plaintext, you shamir it rngistically into 512bits, i.e. 4 128b parcels that must be xor'd to reconstitute the original. each of these get ciphered with one of 4 independently-generated 128b keys.
mircea_popescu: diana_coman those happy days.
diana_coman: ha, back when I was blissfully only *playing* this game!!
a111: Logged on 2014-09-07 18:00 mircea_popescu: It gets worse. Nearly every AES implementation using AESNI will leave two values in registers: The final block of output, and the final round key. The final block of output isn't a problem for encryption operations — it is ciphertext, which we can assume has leaked anyway — but for encryption an AES-128 key can be computed from the final round key, and for decryption the final round key is the AES-128 key. (For AES
asciilifeform: almost impossible to bring up crypto in heathendom without a 'voice in the crowd' 'helpfully' reminding about 'standardized, well-designed aes'
mircea_popescu: apparently AES is one of those topics where someone could just pick up the log discussion over 3 years and make anencyclopedia entry
a111: Logged on 2015-07-12 03:17 mircea_popescu: asciilifeform http://trilema.com/2014/minigame-smg-august-2014-statement/#comment-114754 << don't you find it a little odd that even on an obscure liuttle game such as eulora, someone does find the time to carefully probe me about aes ?
mircea_popescu: http://btcbase.org/log/2015-07-12#1198022 there's actually lotta these ☝︎
a111: Logged on 2014-09-07 17:56 mircea_popescu: i wasn't aware this is public knowledge.
mircea_popescu: hm that;s still kinda late.
a111: Logged on 2016-02-06 16:55 mircea_popescu: derp #1 : "What is wrong with existing block ciphers like AES? AES has been in widespread use for over a decade and to the best of my knowledge, there is still no practical attack on it (unless someone has built a working quantum computer and not told anyone about it). Its totally free of patents and IP issues. Its been implemented in a huge variety of hardware and software (including the Intel CPU that I am using to m
asciilifeform: ( in the shannon sense. you haven't narrowed down what the 4th could be, by knowing 1..3 )
asciilifeform: diana_coman: observe that knowing 1,2,or even 3, gives you 0 bits of info re the original.
diana_coman: asciilifeform, that makes perfect sense, yes
a111: Logged on 2017-11-22 20:14 BingoBoingo: ben_vulpes: Apparently teaches girls to respond to favors with affection, Grill Scouts says bad family
mircea_popescu: http://btcbase.org/log/2017-11-22#1742164 << hey, next the "instruction function of soviet pioneer org in protecting the poor clueless adults from toxic facts and hate truth" will emerge. and then, probably, the NEP. and then, i guess, the http://trilema.com/2014/the-problem-of-enforcement/#footnote_0_55204 ☝︎
asciilifeform: diana_coman: now let's split 1 byte into ~four~, A,B,C,D. we take same transform and do it to X and Y in turn. in total, we've used 4 bytes from rng device, to cut 1 byte into 4 otpfrags.
asciilifeform: diana_coman: lemme give specific example. start with splitting 1 byte. to split byte B into X and Y, you take byte R from rng, and compute B xor R = X. then Y = R . X xor Y = B .
shinohai: lmfao this thread
ben_vulpes: writing niggers on the wall is basically shooting babies, trinque omfg be more sensitive
trinque: how did someone writing niggers in a school bathroom make the news?
ben_vulpes: "School superintended Keith Marty said it was a surprise to staff that the student responsible was not white." still? STILL a surprise? http://www.dailymail.co.uk/news/article-5108107/Student-writes-white-lives-matter-N-word-mirror.html
shinohai has enjoyed asciilifeform 's and diana_coman 's exchange and also goes to tea [~}
diana_coman: I think I need to read more on this, so I'll hit the books
asciilifeform: ( your encipherment speed is limited to 1/S of your rng's bit rate, where S is the splitness )
asciilifeform: my approach is a universal 'stretcher', predicated on having reasonably fast and high-quality trng. ☟︎
asciilifeform: nope. it isn't a keccak-like thing, isn't 'rubber'
diana_coman: yes, I had found that one; for some reason I thought you had in mind a different approach for expanding block + key size for serpent itself
asciilifeform: you thereby get a 'ratchet'. which afaik is the only hard strength result in all of crypto aside from von neumann's otp proof...
a111: Logged on 2017-02-25 21:26 asciilifeform: so, for instance, you can prove that a k-of-k (must have ALL parts) shamir split, where you then take each share and encipher with different method -- will NEVER be weaker than the strongest cipher used.
asciilifeform: anyway orig method is in log, http://btcbase.org/log/2017-02-25#1618462 << merely in application to slightly different form of the problem ( how to combine voodoociphers in such a way that the result can in no circumstances be weaker than the strongest of the items ) ☝︎
asciilifeform: and, on top of this, each stream ~individually~ is not distinguishable from rngolade.
asciilifeform: back to the shamir scheme : the only thing i can properly prove about it, is that it isn't weaker than straight single-key-with-no-splits
a111: Logged on 2016-12-24 01:03 asciilifeform: picture the following 1-dimensional automaton, that eats bitstring in sets of 2bits, and : '10' -> 'tape step left' ; '01' -> 'tape step right' ; '11' -> invert bit at current square; '00' -> terminate.
asciilifeform: sorta how i ended up exploring the http://btcbase.org/log/2016-12-24#1589881 item ☝︎
asciilifeform: the 1 aspect that historically bothered me, is that enemy knows now a relation between the plaintexts in the 4 streams
diana_coman: ah, it was the construction on top you had in mind
asciilifeform: does this make sense ?
asciilifeform: on the decipherment end, each split gets deciphered with the respective 128b key , and the four parcels xor'd to form the plaintext again.
diana_coman: hm, I probably did not know how to search for it properly as I did look but still not very clear on it