mircea_popescu: PeterL so if you feel like writing a mpfhf reverser... afaik nobody has to date.

mircea_popescu: this scheme is both slow and bulky. it is not likely useful for gossipd-style comms. it is certainly valuable for signing material, especially because rsa signature is much more padding-vulnerable than encryption ; and perhaps for some limited encryption work.

mircea_popescu: c (in that order), where R and S are produced by mpfhf(m') with R len set to c (bitness same as bitness of len(Pm). Pm will be the padded message sent to RSA. The recipient will have to undo mpfhf with known R and S to obtain m.

mircea_popescu: anyway, let it be said that there's nothing wrong with oaep as far as we know, but for the sake of argument a mpfhf based padding scheme would conceivably work like this : 1. given message m, of length l, generate r = random bits, of length l' up to l but not less than 256 bits. 2. compose m' = r + m + c (in that order), where c is l - l` (and its bitness is always same as the bitness of len(m')-256). 3. compose Pm = R + S + ☟︎

mircea_popescu: 3, generally. that, you never know. yeah.

mircea_popescu: i mean the bitsize ; it's not just that though, partially known secrets, low exponents etc all conspire to empwer the latice reduction.

mircea_popescu: (and they are http://www.di.ens.fr/~fouque/ens-rennes/coppersmith.pdf )

mircea_popescu: and since we're apparently doing rsa likbez : if r used in padding above contributes less than n / e^2 bits of entropy to the final, padded message, coppersmith has a few words to tell you.

mircea_popescu: PeterL terrible, terrible thing, which is why irl rsa is always padded.

mircea_popescu: (and, of course, for short messages ie shorter than n i can just compute the e-root).

mircea_popescu: and upstream, to make clear what "semantic security" means : rsa is deterministic, if i wish to see if your "encrypted" string really was message m, all i have to do is encrypt m myself. if the results match i have cryptographic confirmation.

mircea_popescu: and besides, not muchly tested yet.

mircea_popescu: because hash and hash' are used to stretch/reduce the bitlength of their parameters, something like mpfhf (which permits arbitrary sized outputs/inputs) could work well ; but is also slow.

mircea_popescu: oaep works like this : given hash and hash' hash functions, calculate X as hash(m00) xor G(r) and Y = r xor hash'(X).

mircea_popescu: basically it takes a random string, jumbles it with the original message, and spits out two halves. the hope with it is that it provides all-or-nothing security, in the sense that to recover any bit of the message you need to correctly process the entire pair of jumbled strings.

mircea_popescu: it's a sort of two-box permutation thing.

mircea_popescu: and THAT you then encrypt to key X and send ove.r

mircea_popescu: now, alf's scheme is probably valid padding, though it is very expensive. it works like so : to encrypt a message m to key X, you : a) generate two one-time keys, A and B. you encrypt some bits of m to A and some to B, randomly chosen. you pile together : the bits of m encrypted with A, the bits of m encrypted with B, the schedule of which is which, and the keys A and B into one large m'

mircea_popescu: it's not useful in the field.

mircea_popescu: now : textbook rsa (the sort of thing you seem to be discussing, above) has no semantic security and on top of that is malleable.

mircea_popescu: i think you misconstrue alf's padding algo.

mircea_popescu: PeterL and then you add key A and B to the message at the end so recipient can un-pad ?

mircea_popescu: PeterL the other problem this discussion reveals, of course, is that you aren't using any padding ?

mircea_popescu: PeterL the broader point here being that you can't warn the user about things he can't control. you gotta provide for it yourself.

mircea_popescu: https://www.ti89.com/cryptotut/rsa3.htm << very handy rsa tutorial in that it uses base 10 and alphabet-indexing for letters. so one can actually rsa by hand and get a good model of what's going on. ☟︎

mircea_popescu: PeterL the logical approach would be to include a checksum neh ?

mircea_popescu: or how shall i best put it, that's not equality but modulo congruence. whereby 7 = 5 mod 2

mircea_popescu: this is the basis of rsa : m ^ e ^ d = m mod n

mircea_popescu: yes, but would that integer then also be m ?

mircea_popescu: so you are telling me that m ^ e ^ d mod n always has an integer solution for randomly chosen parameters. ☟︎

mircea_popescu: 0 length isn't usually what one thinks of when seeing "too small". same istrue if 1 byte string ?

mircea_popescu: you gotta have the params set correctly

mircea_popescu: and mind that m-r is a ~probabilistic~ test.

mircea_popescu: what happened to your key ?

mircea_popescu: anyway, forward your thanks to phf for allowing your exericse.

mircea_popescu: well so if you thought that you could have asked before rather than after eh.

mircea_popescu: they also end up on archive.is, because the bot archives links and the odds of a whole day going by without a single log reference are small.

mircea_popescu: read the help would you.

mircea_popescu: lol nothing works for this guy does it.

mircea_popescu: and in other civilised behaviours : always remember to hold pinky elevated! http://68.media.tumblr.com/e0686d449baf8a8d73a2199a83f7780c/tumblr_o1f357D0Zh1sr105eo1_1280.jpg

mircea_popescu: use !!v in pm to deedbot.

mircea_popescu: and in random other lulz : it's funny how the libertards worshipping at the watergate shrine usually omit to mention that by then washington post had been a libel tabloid for years. somehow dillard stokes' name never comes up. somehow they don't seem to notice it always was simply us sturmer.

mircea_popescu: i can see that heh

mircea_popescu: what are they to build in italy ?

mircea_popescu: this is how growing up goes : you take stock of situation, you make a plan, you implement it.