asciilifeform: or, if you like, enigma rotors.
asciilifeform: alphabet-a -> alphabet-b.
asciilifeform: they're caesar's cipher.
asciilifeform: see e.g. http://www.loper-os.org/?p=2627
asciilifeform: you put in 000..., you always get same thing, you put in 111... you get another distinct thing, ditto, and so on
asciilifeform: mircea_popescu: what would mean 'equiprobable' ? they're a 1:1 mapping
asciilifeform: the actual bitness of serpent , seems like, is so small as to be iterable on pc.
asciilifeform: mircea_popescu: it dun even seem like we need exotica here
asciilifeform: at this point i strongly suspect that the actual bitness, is 64 OR SMALLER
asciilifeform: and so on.
asciilifeform: if xor(c,f,h) = 0 -- then c...
asciilifeform: if xor(b,e,g) = 0, then term b no longer appears in equation...
asciilifeform: 'cipher contest' my shiny metal arse...
asciilifeform: bahahaha
asciilifeform: so all possible inputs where this holds , result in the same inflated-key.
asciilifeform: so! for instance ! if a, d, f, h are such that xor(a,d,f,h) = 0, then term a no longer appears in the equation at all !
asciilifeform: anything that appears on the right-hand side of one of those xor's, can potentially cancel itself out...
asciilifeform: regardless of how rotated.
asciilifeform: nao, is it a controversial statement that xors with an item that's already been rolled in, can only ~subtract~ entropy, never add ?
asciilifeform: apologies for the log clutter, but this imho belongs in the l0gz
asciilifeform: ),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))))))))))))) , and we can ignore these
asciilifeform: )))))),RLeft11(xor(h,RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))))),RLeft11(xor(g,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)
asciilifeform: but after this, it chews the cud, e.g. W(8) = RLeft11(xor(RLeft11(xor(a,d,f,h)),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))
asciilifeform: ),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))))))))
asciilifeform: W(7) = RLeft11(xor(h,RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))))),RLeft11(xor(g,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)
asciilifeform: W(6) = RLeft11(xor(g,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))))))
asciilifeform: W(5) = RLeft11(xor(f,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))))
asciilifeform: W(4) = RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))
asciilifeform: W(3) = RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))
asciilifeform: grrrrr
asciilifeform: W(3) = 3,RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))
asciilifeform: W(2) = RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))
asciilifeform: W(1) = RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))
asciilifeform: W(0) = RLeft11(xor(a,d,f,h))
asciilifeform: so, continuing: we throw out the constants, and:
asciilifeform: there are exactly as many possible outputs as inputs, and if you xor with the constant again, you get the input back.
asciilifeform: with the tools in the actual box, however, afaik there is no headache of this kind, xor-with-constant is reversible and conserves.
asciilifeform: lol
asciilifeform: this is trivially true but is not what we want when asking 'can haz reverse keccak'
asciilifeform: by this token there exists inverse keccak, consisting of a list of values which when xor'd with any given one, produces original.
asciilifeform: but what function gives it to be with prob=1 ?
asciilifeform: now i want reverse.
asciilifeform: well i put in {1,2,3,4} and out came {1,2,3,5}.
asciilifeform: what am i missing
asciilifeform: then it aint reversible if it can't turn the 5 back into a 4
asciilifeform: ( not even speaking of fact that this aint a function of the inputs, in the civilized sense, it is a function of input and rng )
asciilifeform: let's try this. so i throw in {1,2,3,4,5} and the rng cranks and i get a {1,2,3,5,5}, then i put it back and rng cranks again and i get a {1,2,3,4,4}, with nonzero probability. so i reversed ??
asciilifeform: whole thing plox ?
asciilifeform: i dun get it, what's P5 ?
asciilifeform: gimme an inverse for it, we can go to vegas
asciilifeform: mircea_popescu: if it has a random component, it aint reversible, how wouldja reverse it ? with time machine ?
asciilifeform: thereby do not affect the quantity we are seeking.
asciilifeform: and the two xor's-with-constants, just the same reversible.
asciilifeform: how else could it work.
asciilifeform: correct
asciilifeform: therefore the inputs:outputs are 1:1 .
asciilifeform: ( if sboxes weren't reversible, deciphering wouldn't work )
asciilifeform: thinkaboutit, then we'll proceed
asciilifeform: i.e. have exactly same number of possible outputs as there are inputs
asciilifeform: mircea_popescu: they're reversible !
asciilifeform: ditto the s-boxes (they are reversible, merely permute)
asciilifeform: now we factor out the ... xor 16#9e3779b9# xor Unsigned_32(I), it's an injective operation (neither adds nor subtracts entropy) ;
asciilifeform: let the key words (32bit ea.) be A,B,C,D,E,F,G,H. so W(-8)=A, W(-7)=B, W(-6)=C, W(-5)=D, W(-4)=E, W(-3)=F, W(-2)=G, W(-1)=H ;
asciilifeform: logic : take the key inflator http://ossasepia.com/2018/02/22/eucrypt-chapter-11-serpent/#selection-87.13060-87.13306 ;
asciilifeform: i.e. 85-bit strength, possibly smaller ( i haven't algebraicized the entire recurrence yet )
asciilifeform: mircea_popescu: 1/3
asciilifeform: ( for anybody who wants to take a stab at this in parallel with asciilifeform , hint : xor-with-constant is injective , can be factored out of equation; ditto sboxes )
asciilifeform: i'ma refrain from pons&fleischmanning this one..
asciilifeform: mircea_popescu: not only were you right, but i just about have a handle on deriving the factual key bitness of serpent..
asciilifeform: meanwhile, in other lulz, https://archive.is/plVal << trivial local-privesc in xorg ( introduced by shitgnomes in '16 )
asciilifeform: Mocky_: yea , calls for an actual proof..
asciilifeform: diana_coman: aha
asciilifeform: ( in serpent inflator, the only ops are xor, rotate, and sboxation, all 3 conserve entropy )
asciilifeform: actually, funnily enuff , i nao see a proof for serpent's, but not keccak
asciilifeform: ikr?
asciilifeform: ? know a proof? )
asciilifeform: mebbe i'm thick and it's a trivial provable ? ( diana_coman ? mircea_popescu
asciilifeform: relatedly, asciilifeform tried to bake a proof that the lamehash keyinflater function of serpent is one-to-one ( i.e. actually carries 256bit of the key register's entropy into the 528 bytes of whiteolade ) and not only didnt , but realized that afaik no such proof exists for any 'troo' hash also ( incl keccak.. )
asciilifeform: hm?
asciilifeform: nao, exercise for the reader : find the bandwidth of this channel ( how many bits , if more than one, can be stuffed into a block and still preserve this property ) ...
asciilifeform: this solves (if you will) asciilifeform's ancient puzzler, 'how to avoid any part of block being known plaintext'
asciilifeform: one possible handy algo for the degenerate case of '1 bit of payload per block' -- your block is ~wholesale~ rngolade, and you simply flip the last bit so xor(b0,b1,...,bN) equals your desired payload bit.
asciilifeform: and yes it means that rng bitrate will constrain write speed. but it aint as if this is not solvable problem.
asciilifeform: sorta like what people already do re rsa.
asciilifeform: ( without requiring blocks to contain serial #s or anything of the kind )
asciilifeform: it also handily disposes of the penguin.
asciilifeform: ( if storage/bandwidth are cheap, potentially could stuff all but 1 byte, or even bit, with rngolade, if you like )
asciilifeform: mircea_popescu: somewhat related observation: designers of blockciphers are fixated on 'what if known plaintext block', but it is not clear to me why this has to be a living problem when you can fill up 1/4 or 1/2 or whatever of block with rng
asciilifeform: ^ summary of serial i/o processor thing asciilifeform baked. will be applicable even if we come up with sumthing less sad than serpent, in fyootoor.
asciilifeform: meanwhile, in sneak previews, http://p.bvulpes.com/pastes/bmF1K/?raw=true
asciilifeform: http://btcbase.org/log/2018-10-29#1866964 << specifically in the context of the 'crypto contest' where serpent was trotted out, there was a loud and pompous 'here's ciphers, with justifications!' circus. so imho the excuse of 'not knew to wash hands yet' is not available
asciilifeform brb,meat
asciilifeform: at this point i strongly suspect that there ~isn't~ a 'why', author pulled thing out of his arse like the others.
asciilifeform: mircea_popescu: i looked over notes from the 1st time i read the thing, and had same reaction then ! but then, left with 'maybe i find why'. 3y later, not found why !
asciilifeform: '... it was analyzed by programs we developed for investigating block ciphers, and we found bounds on the probabilities of the differential and linear characteristics. These bounds show that this choice suits our needs.' << spoiler: also posted nowhere...
asciilifeform: BingoBoingo: aite then
asciilifeform: as if it could possibly matter where you host sumthing if 'customer has come to expect' weev.com as the only way in
asciilifeform: BingoBoingo: potentially interesting, but i suspect that it wont do much for the idjit heathens , who dun grasp even most basic step of hygiene , i.e. letting go of dnsism
asciilifeform: and it claims a specific process that supposedly produced the sboxes, but gives only pseudocode with a handwave ' if has desired properties, then keep sbox ' turd
asciilifeform: https://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf ( pdfturd! ) << near as i can tell, is the 'full paper' referred to in the 'short'