mircea_popescu: the bitch with high level cognition, be it math, fucking, programming horses, riding computers et al. is that you never fucking know which the same thing you'll be doing this time
asciilifeform: (when's the last time you made a rainbow table.)
asciilifeform: there is no expectation that modern-day ones will fail along same fault-lines.
asciilifeform: it had answers for some peculiarly braindead hash algos from the '90s, yes.
mircea_popescu: just vague memories from back when i knew friends with rainbow tables.
mircea_popescu: still simpler than your thing, and imo better collision resistance (now h(s) = h(s+s') is required which iirc is tougher than (s+x) = (s+y) )
mircea_popescu: asciilifeform t1 you publish K.sign(hash(S)) ; time t2 you publish J.sign(hash(S+S')) ; time t3 you publish S and S' thus proving J knew before everyone else.
asciilifeform: and that the 'do trapdoors exist' fundamental question is not only not settled, but afaik there is not the faintest clue where one might begin from to settle it, nor what the proof would look like.
asciilifeform: this is probably a good time to remind readers that hash algos as we have them today (incl., yes, keccak) are pseudoscientific kit, similar to the block ciphers, rather than items where the strength is of some provable kind
mircea_popescu: asciilifeform i don't require that len(h(x)) < len(x).
asciilifeform opens his circle-squaring tool chest.
mircea_popescu: hey, you're breaking rsa over there, do some useful stuff!
mircea_popescu: the one important salient point here is that what we would really like for a hash function would be a H so that it is mathematically proven that NO j' exists so that h(s+j) = h(s+j')
asciilifeform: call remains open for 'shorter algo that solves same problem'.
mircea_popescu: still, i wouldn't say these differences allow for a strict determination.
mircea_popescu: well yes, but in my secret-k scheme the epsilon is my domain alone.
mircea_popescu: now this said, a provably collision-resistant h might be found ; and would be amply useful.
mircea_popescu: and the problem of t3-t1 being an interval at enemy's discretion rather than your discretion remains.
asciilifeform: (and of the time-orderer.)
asciilifeform: correct, so it stands on the strength of the hash solely.
mircea_popescu: this is STILL a weaker standard than "gimme s in h(s)" albeit not quite as catastrophically bad as previously thought
mircea_popescu: so he'll have to find proper salt-collision, h(s+j') = h(s+j)
asciilifeform: and pre-agreement among the verifiers that said signature was the origin.
asciilifeform: and we posited time-ordering.
asciilifeform: but it isn't, because you signed H(S), the genuine S, with K, at time T
asciilifeform: it still doesn't link back to K.
asciilifeform: mno, he would need an S' such that H(S') == H(S)
mircea_popescu: and see the comments above re weaker standard and bad time exposure.
mircea_popescu: at time t1+e hitler publishes J' ; at time t2+e hitler publishes S'.
asciilifeform: using the formulation above, describe what hitler should do
mircea_popescu: and t3-t1 is in his control, whereas epsilon is in mine
mircea_popescu: also enemy has t3-t1 to fish for the pair ; as opposed to epsilon
asciilifeform: so, for convenience, i'll reprint: 1) at time T, i publish Ksign(H(S)), where S is a lengthy random string; at time T1, when i wish to invoke the continuity i publish H(S+J) ; at time T2: J; at time T3, S.
mircea_popescu: this is a much weaker standard of failure for h than "here's h(s) tell me s"
mircea_popescu: at t1.5 hitler deedbots J', at t2.5 hitler deedbots S' so that hash(s'+j') = hash(s+j)
mircea_popescu: asciilifeform your scheme is actually dead in the water because between t2 and t3 enemy can deedbot in your name.
asciilifeform: btw if mircea_popescu ONLY wants to give J' to his best friends, he can do that already via the otp he has with them.
mircea_popescu: this much is true.
asciilifeform: likewise 'my inner circle knows what the true J' is' is not solving same problem as 'everyone who knew Kpublic can reliably learn true J' ' which in the case of serious 'for the ages' signatures, e.g., vtronics, you actually ~do~ want
asciilifeform: current thread is re parachute specifically against catastrophe that would burn down rsa, c-s, similar.
mircea_popescu: because of the whole "array of keys" thing, it'd actually allow jumping over dead rsa
mircea_popescu: the correct pill to all of this being, of course, gossipd.
asciilifeform: aha, because single-message is not a thing in our universe.
asciilifeform: it is not open to mitm.
asciilifeform: my algo from earlier requires only time-order.
mircea_popescu: which is why we HAVE both of these.
mircea_popescu: there's no way out of this, i'm afraid.
mircea_popescu: in general "collapsed cryptosystem" reduces one to a "either you have time-order and single-message or else you restart from scratch".
mircea_popescu: suppose for safety of this scheme, ? is made so that create-key takes a day.
asciilifeform: which is ~why~ i had the multiple steps.
asciilifeform: you are open to mitm in the act of deedbotting.
mircea_popescu: this however is a necessary assumption (seen in t1 t2 etc) and not escapable in the current paradigm.
mircea_popescu: this system presumes there's such a thing as ordering of events.
asciilifeform: i get it, mircea_popescu reeeeeally loves the repudiability thing, but you gotta be careful not to make a cannon that shoots in ALL directions simultaneously. someone has to get privileged knowledge of the true J' or you are cryptodead.
mircea_popescu: J.sign("Here's the laydown : 1. rsa got fucked, this is the process to extract privkey from pubkey ; 2. message so-and-so on deedbot was created by so-hashing this salt and this pubkey ; 3. this here key J was created by using cryptosystem ? with rng = privkey.K, which guarantees i am the one that made it ; 4. please use this here J' in future")
asciilifeform: outside of buttsex room, there is no such thing as a 'one message' that cannot be mitm'd.
asciilifeform: recall, if rsa died, mircea_popescu cannot simply pgp the J' to his current circle of friends.
asciilifeform: and if you posit the otp (or some other way, perhaps through buttsex, for him to give the True J' to the intended recipients) it turns into my algo.
mircea_popescu: can just go in the same message.
asciilifeform: this'd be handy if mircea_popescu had otp set up in advance with the people he intends to give the actual J' to
mircea_popescu: ie, until t2+epsilon
asciilifeform: which in the given algo, it is.
asciilifeform: and they are all equally poppycock if the private key of J is publicly known
asciilifeform: anyone can make their own J'
mircea_popescu: i don't. the point is to prove K-J continuity , not to retain sole control of J
asciilifeform: how does mircea_popescu retain sole knowledge of the private key of J ?
deedbot: http://trilema.com/2016/florence-foster-jenkins/ << Trilema - Florence Foster Jenkins
mircea_popescu: well no, i just publish the fingerprint. as per t2 = rsa broken, it then follows one can extract privkey.K from K
asciilifeform: so you published both halves of the k keypair, correct ?
mircea_popescu: then at t2+epsilon when i publish k you extract privkey.K from it and check that J was made by create-key(privkey.K)
asciilifeform: i have the deedbotted hash(salt+pubkey.K) to work with
asciilifeform: ok, can haz algo? i found a string J, which is a public key for an asymmetric cryptosystem, that purports to belong to mircea_popescu, and published after the rsacalypse. what do i do with it.
asciilifeform: but to permit ~any~ Jsystem and ~any~ J in advance.
asciilifeform: and we want the algo specifically not to depend on how Jsystem works.
asciilifeform: it is just a string of bits, for the purposes of this gedankenexperiment.
mircea_popescu: well how would i know, right. it'd depend on that.
asciilifeform: recall, we don't know anything about the cryptosystem J is a pubkey for.
asciilifeform: i can use to determine, for some input J, whether it belongs to the fella who has priv.K.
mircea_popescu: because the only one who could make j is the one who at t1 owned privkey.L
asciilifeform: mircea_popescu: but how do i verify that J belongs to mircea_popescu
asciilifeform: mircea_popescu: i get that part
mircea_popescu: i publish k, you a) verify it hash-salts to same value and b) encrypt to it
asciilifeform: anyway this is ~= earlier algo, just with one fewer step
mircea_popescu: in this scheme, hash has to be epsilon-strong and that's all.
asciilifeform: ah in this case with the usual meaning of deedbot, 'sign with wot key'
mircea_popescu: which is why yours and this are equivalent (they depend on the strength of hash function)
mircea_popescu: asciilifeform but he has to also break the salted hash
mircea_popescu: at t2+epsilon, everyone can verify K-J continuity ; at t2 only breaker of rsa can verify.
asciilifeform: mircea_popescu: here's the lethal boojum: enemy knows privkey.K at t2 and if he can get to his keyboard before you get to yours, you're dead
asciilifeform: if you divulged the seed, you divulged the privkey
mircea_popescu: ie all cryptosystems reduce to hash function
mircea_popescu: this doesn't matter so much, future cryptosystem will be made on the basis of rng ; rng can work with pubkey as entropy source.
asciilifeform: mircea_popescu: this works if your K is known in advance
mircea_popescu: asciilifeform for one thing, unpublished key is a simpler variant. create secret key K, salt-and-hash K, publish K. at later point divulge K. verification is one step and passive for you.
trinque: oh boy, here comes the tornado
trinque: I'm doing the paste-import thing. patience rAISellers
shinohai: Weird why he hasn't been seen yet, his key imported to keyserver
asciilifeform: where you demonstrate that you knew Kpriv and a secret S at time T, and at some time T+i you show that 'he who knew S at time T now wishes to use key J for everyday life.'
asciilifeform: at any rate, it is not difficult to generalize this scheme into a wide variety of 'parachutes'
asciilifeform: perhaps this is obvious from my description, but i have learned that it sometimes helps to restate the obvious.