mircea_popescu: i will now proceed to create a string S += hash(1011101011) three times.
mircea_popescu: message you want padded is T. i roll a random number, it comes out 1011101011 10
asciilifeform: i'm trying to write this as actual algo in my head
asciilifeform: what's 'last 4 times'
mircea_popescu: i dunno, i have no actual math to show, but intuitively it seems to me the above "take 64 bytes of rng, iterate hash over the first 60 last 4-times and then use that as tape to pad message, then put padded message + 64 bytes in question in rsatron" is practically useful and theoretically strong.
asciilifeform: it is hilarious to watch, from entomologist's chair.
asciilifeform: most of the 'solutions' do not even vaguely pretend to solve the problem, and in fact expertly avoid to say what the problem even might be.
asciilifeform: btw anyone who tries to dig in the 'official' literature re: crypto padding will barf his guts out, the subjects consists ~100% of obscurantist crapola by weight.
mircea_popescu: and the tendency is to move towards whole thingers, hence eg the keccak preference
asciilifeform: mircea_popescu and others can probably think of some useful and interesting variations on this scheme.
mircea_popescu: the whole discussion of blocks vs whole thing is all about this.
mircea_popescu: if your blocks are of known size, then they're of known size.
asciilifeform: btw tape cannot be round unless you carry its size inside the message, which is verboten because that would be STRUCTURE
asciilifeform: not necessarily, you have tape as long as you like and simply rsa it in chunks of (keylen/2)
mircea_popescu: so then you're back to blocks and a round tape.
asciilifeform: it is only palpably slow if you insist on doing the entire thing in a gargantuan exponentiation.
asciilifeform: you can split the message.
mircea_popescu: the problem is it bloats the message to an incredible size ; which plays poorly with rsa's weakness (slow)
asciilifeform: OAEP is slightly better from this pov but also gives you https://lists.gnupg.org/pipermail/gcrypt-devel/2011-June/001797.html .
asciilifeform: all that does is to append a few random bytes to the payload.
asciilifeform: existing padding schemes are precisely what i would like to get away from. idea is to introduce maximal uncertainty re the identity or purpose of any particular bit of unknown plaintext, and max fragility.
mircea_popescu: it seems to me you can ~actually implement~ extant padding schemes in this automaton.
asciilifeform: gpg used the weakest known padding scheme iirc.
mircea_popescu: asciilifeform but that's my question, the above is actually what rsa currently uses.
asciilifeform: (and i am leaving aside the fact that the use of sha may well introduce structure.)
asciilifeform: mircea_popescu: pretty much all of the extant schemes resolve to some variant of that. the problem is that ~all~ of them introduce structure
asciilifeform: btw i scoured the l0gz in vain for entire hour, looking for where i promised this, and cannot find.
mircea_popescu: asciilifeform what if i use the following scheme : message padded + 60 bytes of padding key + 4 bytes of iteration count. the tape is produced by doing sha recursively on the padding key and its results iteration count times.
asciilifeform: that's what 'padding' (terrible misnomer) is. the opposite of errorcode.
asciilifeform: (recall, you want a maximally fragile string. it is quite the opposite of error-correction codes.)
asciilifeform: if it does - then the cost is worth it.
asciilifeform: now i have not proved whether 2d gives you more sensitivity to mis-guessed bit .
mircea_popescu: ah there is that.
asciilifeform: in the end you're trying to end up with a bitstring
mircea_popescu: to my mind the only reason to have 1d is if you're going to try and emulate block cyphers ie make it fixed size.
asciilifeform: the problem is that you have to derive a bounding box when you're done and want to turn the playing field into a bitstring for use wherever
asciilifeform: it works out to same thing.
asciilifeform: very similar, and actually i began with that variant.
mircea_popescu: is this worse or better ?
mircea_popescu: asciilifeform let me ask you this : suppose the tape is byte-sized, and the 8 bits are as follows : 2 bits x movement ; 2 bits y movement ; 2 bits z movement ; stop and flip bits for a total of 8. the tape is now a space.
mod6: <+asciilifeform> i can only imagine their disappointment. << lol
asciilifeform: the useful envelope of operation comes when you have at least ~16x the bottom limit.
mircea_popescu: this definitely bears some thinking.
asciilifeform: (the theoretical lower limit.)
asciilifeform: which of course you don't want, it is quite obvious that there is no entropy in there if it only got 3x longer.
asciilifeform: 100101 turns into 111010111010101100.
mircea_popescu: but the space gets pretty narrow. 3n, you shoot n^(1/2) messages you're suddenly losing
asciilifeform: we did not destroy the structure, only made a (slightly) more complicated one.
asciilifeform: BUT enemy knows that plaintext(first_half[0]) ^ plaintext(second_half[0]) == 'T'
asciilifeform: this is superficially structure-destroying , either one of the two halves could literally be ANY bitstring of that length
asciilifeform: so one ~horrid~ padding algo would be to get a bitstring from my rng, xor the message to it, then send a message of 2x length of original consisting of: [the bitstring from rng][the result of the xor]
asciilifeform: and enemy knows that i always begin letter with 'To:'
asciilifeform: say i want to encipher (dun matter with what) a string, 'To: mircea_popescu Subj: thermonuke launch codes ...'
mircea_popescu: if the message is n long, does the pad-machine tape need to be n^2 ?
asciilifeform: let's take a ~terrible~ padding scheme just to show to n00bz what this whole matter is about.
asciilifeform: (the output tape size, that is. he of course knows the input tape size.)
asciilifeform: or he gets knowledge he is not supposed to have.
asciilifeform: mircea_popescu: the tape size cannot be known to decoder in advance
asciilifeform: then you append a sequence of ops , e.g., '10a10b10c10d.....' for the desired a,b,c,d... that flips the mutilated bits to the desired final state.
mircea_popescu: asciilifeform would this be better if tape were circular and of size to match our blocks ?
asciilifeform: then you produce some sequence of random moves for this machine, nondestructively (recall, all operations are invertible) waltzing over it.
asciilifeform: take the bitstring to be 'padded' (that is, mixed with entropy in such a way that it destroys enemy's ability to know any part of the structure of a plaintext inside ciphertext.)
mircea_popescu: so wait, the plan is a) make integer ; b) convert to automaton tape ; c) use that tape as padding ?
asciilifeform: i will give one elementary algo for using this, here, but there are others.
asciilifeform: this is the ideal rsa padding scheme that folx asked for.
asciilifeform: however it is also impossible to know in less time than O(N) ~which~ integer
asciilifeform: it is immediately obvious that this (nonturingcomplete) automaton can be used to 'write' any integer
asciilifeform: picture the following 1-dimensional automaton, that eats bitstring in sets of 2 bits, and : '10' -> 'tape step left' ; '01' -> 'tape step right' ; '11' -> invert bit at current square; '00' -> terminate.
mircea_popescu: the diophantine approach above + the "transfinite induction" / von neumann set are pretty much the scylla and charybdis of this sea.
asciilifeform: incidentally, since (to borrow the lament of turing's school headmaster) 'the room already stinks of mathematics', i'll share a tidbit that i promised folx some half year ago and promptly forgot:
mircea_popescu: anyway, practice of programming, especially in a reasonably clean environment, possesses one of a notion of recursion that is then a fertile ground for mathematical scamming.
asciilifeform: mind is a slippery thing. what curious boy was not convinced that he was 'this-close' to elementary proof of fermat's.
mircea_popescu: the general point being, that the mind is not particularly adept at ~counting sets~ (including and especially in the sense of "evaluating complexity") which is why it's very easy for it to misjudge the reach and power of recursive methods.
asciilifeform: recall that you can express turing tape as diophantine eq.
mircea_popescu: nah, it's just to my mind the next logical step after wtf are null sets anyway.
asciilifeform: somehow i was certain this was provoked by some alchemical problem in eulora
mircea_popescu: asciilifeform the whole thing was "extension of discussion of basic logic to set theory for the eager minds"
asciilifeform: that being said, there are good methods for certain special cases, if mircea_popescu's diophantines are of a particular ~kind~ i might be able to hit up my dead trees for an algo.
mircea_popescu: (it was proven sometime recently indeed diophantine sets is ~ recursively enumerable sets, making this a semidecidable problem)
asciilifeform: hilbert's 10th met disappointing end long enough ago that nobody needs to google
mircea_popescu: ie, that it ~feels~ like the problem should have a recursive solution.
mircea_popescu: asciilifeform it's exactly that, restated to discourage googling. the point being that it is difficult to correctly set the limits of recursion's utility intuitively
asciilifeform: i can only imagine their disappointment.
asciilifeform: in other lulz, FUCKGOATS www is getting regular hits from places such as honduras, panama, etc. via search-engine referrer. and i am beginning to suspect that these folx were looking for material concerning the fucking of ordinary goats.
asciilifeform: it is not a very promising problem as-stated imho. sorta like 'my pet mouse died, i want to resurrect it, i have this here industrial vivarium full of 10,001 live mice, how do i use them'
asciilifeform: in all fairness that is what 'gyrojet' did
BingoBoingo: <asciilifeform> if you can pound a tungsten carbide nail through something, you can also shoot it. << Why not shoot drill bit, already rifled!
asciilifeform: having tall pile of these does not, via any known method, help.
asciilifeform: then i must say, if i knew the answer, all of the keys on phuctor would be marked 'phucked'
mircea_popescu: individually. like the list could be x^2 = 4 ; x = 1 ; x ^ 3 + 5 = 6 - in which case your arbitrary equation may be a polynomial in x but not in x y
mircea_popescu: 1) you can have a list of equations that do have solutions ; 2) that if your list only contains X Y and Z unknowns, then the arbitrary item won't contain Q unknown
a111: Logged on 2016-12-23 14:07 mircea_popescu: http://btcbase.org/log/2016-12-21#1587182 << speaking of this, here's a question for the eager : a diophantine equation is a multivariate polynomial, something like ax+by^2 = 0. the question is : given an arbitrary finite set of known-good equations, can you use recursion to decide whether an arbitrary equation in the same variables is good (has integer solution) or no good ?
a111: Logged on 2016-12-23 14:01 mircea_popescu: (we'll skip over the entire "waka" incident for the sake of public morals.)
asciilifeform: http://btcbase.org/log/2016-12-23#1589133 << to my grief, i went and looked this up.
mircea_popescu: eh, talk to young women more, you'll get acclimated.
asciilifeform: i dun even want to picture how the d00d lives.
mircea_popescu: table stakes keep increasing ; but the good news is they also keep diversifying.
asciilifeform: like 'make telescope!' in 1700s, yes.
mircea_popescu: the most amusing jewish joke in all this - lo, trump MADE A GOOD JEWISH JOKE. this is infinitely harder than the supposed "witty self-deprecation" imbeciles gathering in new york think funny
phf: "that was some good shooting for the revolution there. hey you're good at shooting people. you're now the head of my shooting department"