mircea_popescu: britknee i'm here all week!
asciilifeform: http://btcbase.org/log/2018-04-12#1797532 << as far as i can tell the 'rsa has structure! but aes, surely not' is instance of minsky's empty room ( http://btcbase.org/log/2014-11-13#920444 )
avgjoe: hello, can i ask why deedbot doesn't send me the challenge to solve? instead it tells me that i should not up myself
asciilifeform: http://btcbase.org/log/2018-04-12#1797536 << we may have had the thread iirc, but : cryptographic 'lowest difficulty' is inescapably statistical, considering that there is a nonzero and calculable probability of guessing a key ( under any system which is not otp, i.e. correct key is somehow distinguishable from the space of possible rubbish key )
asciilifeform: right now 2 types of cipher are known -- otp, and errythingelse. only re otp is there a mathematical statement of any substance ( i.e. it is degenerate case, leaks 0 bits )
BingoBoingo: <ben_vulpes> i have been seduced into liking sugary delights! << It's scarcely been more than a month since a fractional alfajore gave you sugar shock
asciilifeform: ftr i got ~nowhere re: a proper approach to cryptohardness.
mircea_popescu: i don't get it, what happened ?
asciilifeform: to be fair, the thing isn't even obscenely lengthy, esp for a robo-generated proggy. ( it remains the case that i dislike c, and also ecc; but these are orthogonal concerns )
asciilifeform: why the author stopped where he did, and did not unroll ~all~ of the loops, i do not presently know
asciilifeform: i had example of this back in august, of comba.
ben_vulpes: i was halfway expecting to see the classic machinegeneratedliquishit objections
mircea_popescu: not afaik. i linked you to a snippet lessee
ben_vulpes: experiments from the kitchen, im sure more variants with chocolate will appear as soon as i mention the idea
mircea_popescu: hey, i didn't think i even liked girls, as a 14yo. people get strange ideas in their heads.
ben_vulpes: i have been seduced into liking sugary delights!
ckang: lol i try and connect people ;)
zx2c4: i need to head out for a bit now
zx2c4: hah i like that
mircea_popescu: zx2c4 the good news is that i am now finally in a position to explain what EXACTLY is meant by "terrorist" : that feeling in http://btcbase.org/log/2018-04-12#1797417 when shit keeps coming and coming and coming up. what is it, if not spiritual terror ?
asciilifeform: i'ma cheat and cite my own article, http://www.loper-os.org/?p=1913 : '... in a heavily-restricted subset of the Ada programming language — the only currently-existing nonproprietary statically-compiled language which permits fully bounds-checked, pointerolade-free code and practically-auditable binaries. We will be using GNAT, which relies on the GCC backend.'
zx2c4: i dont have enough exposure to ada to say for certain. how come?
zx2c4: unlikely that'd make it upstream if i did wireguard that way, but neat that that's possible
asciilifeform: ( iirc i posted a cookbook re same, while back )
zx2c4: i suppose your point is that you _could_ choose to obscure the lengths of the messages youre sending back? whereas with zero that isnt a possibility?
zx2c4: i havent seen v
mircea_popescu: zx2c4 is this constant time ecc implementation on display somewhere btw ? i don't think i ever saw one before.
asciilifeform: because i can tell when a particular message has been received and ack'd
mircea_popescu: in any case, cryptography comes in two sorts : sort a), known here as "this must be secure, it's so confusing to me", and sort b). the moment you say "i can't see what this gives attacker" you force-shove yourself in group a. it's not your business to know the attacker, that's the whole fundamental philosophy of ciphering, that you do not need to know the attacker.
mircea_popescu: because i can turn a 31 message into two 15 messages or back ; but i can't turn 0 messages into anything else.
zx2c4: mircea_popescu: an attacker can also distinguish between a length 15 message and a length 31 message. i still maintain this doesnt give an attacker anything useful
mircea_popescu: well, for instance, if i know six nodes in your network and know asciilifeform uses at most two, and i see those are not transmitting, i know he's asleep and send the titassassins.
zx2c4: there _are_ attacks, on say voice compression algorithms, which can gather some information from having precise sizes alone, which is why things are padded to nearest 16. but i dont see what would be gathered by what youre suggesting
mircea_popescu: why am i held to explain how a protocol breach can be elevated to arbitrary height ? the attacker FIND SOMETHING
mircea_popescu: so wouldn't it make sense for me to send 8 whether i have anything to say or not ?
mircea_popescu: and if my slut eve in the other room is listening in, she can distinguish the case where i sent 0 from the case where i sent 8 ?
zx2c4: no, i dont think sending a random string would make it more secure
mircea_popescu: and if i encrypt 8 bytes, what do i get ?
zx2c4: because all i need is the valid authtag/nonce. i dont have any actual content to put in there
zx2c4: in this case, its important that you send me a keepalive, so that i know you at least got it. however, these keepalives arent persistent. if subsequently, i have nothing more to say to you, then we both go silent and dont say anything.
zx2c4: every time i send you something, i expect to hear back from you. if i dont hear back from you, then something bad has happened, and i should start over with a new handshake. my way of hearing back from you might be in the natural sense -- i send a TCP SYN, you send me back a TCP ACK -- or it might be the case that you actually just have nothing to send back to me. you got my message just fine, but really just cant think of anything to say back to me.
mircea_popescu: i can't use the trilema-style url-reference (here's an example : http://trilema.com/2018/boboban/#selection-47.0-47.10 ) because you don't have it implemented. but it's from the /protocol page
asciilifeform: ( alternatively, how many bits do i need to flip in an otherwise correctly configured box, to set a 'noise' cipherer, into null mode ? )
mircea_popescu: oops . i mean : http://btcbase.org/log/2018-04-12#1797270
zx2c4: i remember asking for this on the mailing list at some point
asciilifeform: mircea_popescu: what i see is, the cell is there, but there is no indication that it is connected , as it ought to be, to red lights, siren, and dropping of reactor moderator rods
asciilifeform: i understand the bare fact, zx2c4 . my question is, why do you think the protocol author permitted an unsecured mode as a valid mode of operation ?
mircea_popescu: http://btcbase.org/log/2018-04-12#1797002 << this is fucking grand. i love reading through this list, it's in the vein of "oh my god, check that out, he natively gets it!"
asciilifeform: zx2c4: do i misread ? because in the spec, 'No confidentiality. This payload is sent in cleartext.' ( http://www.noiseprotocol.org/noise.html#message-format section 7.4 )
zx2c4: Noise is from Trevor Perrin. I've been very involved in contributing to the project though (i mentioned at the end of the specification)
mircea_popescu: i have to read your previous convo.
a111: Logged on 2018-04-12 09:42 spyked: http://btcbase.org/log/2018-04-12#1796749 <-- that's probably my thing, I've been playing with it for the last two weeks or so, I have it in a loop grabbing feeds from republican blogs.
mircea_popescu: http://btcbase.org/log/2018-04-12#1796976 << you know me. he doesn't know you. this makes all the difference in the world -- i can whip my slavegirls into shape because they ~love me~. people without this benefit are stuck going at snail speed, which is why "education" in the unsexualized way it's implemented publicly does not work. it couldn't fucking work.
mircea_popescu: speaking of which and ben_vulpes boyhood dreams, ssto and so on : i dreamt last night that someone actually managed to create that true wunderwaffen material, the composite/ceramic with higher tensile strength than steel, but negligible caloric conductivity. making some iiiincredible jet engines.
mircea_popescu: i think if you have not enough in your wallet it drops it silently ; and if the payment's not processed yet you might have nothing in your wallet yet.
zx2c4: i wonder if that verification worked i just posted
zx2c4: if you guys wind up using wireguard for part of your infra and want to support wireguard for a year, i'm always looking for large donations, etc. not sure if that's what deedbot is for exactly but that would be quite the nice deed
zx2c4: no, not at all. im also not quite sure what to do with these pgp encrypted blobs i cant decrypt
zx2c4: asciilifeform: oh, okay. im happy to keep going though. and if you want to be uncivilized, ill gladly accept any harshness you want to throw my way. i dont scare easily
mircea_popescu: zx2c4 the tls fails i bet.
asciilifeform: mircea_popescu: lol notyet, i did the 'civilized' thing as you suggested.
asciilifeform: zx2c4: i'ma leave the rest of the session to mircea_popescu , owner of this chan, and my co-author in e.g. the FUCKGOATS auditable trng, https://archive.is/CGQkR
zx2c4: i tried registering my key privately to deedbot but it didnt respond
asciilifeform: but it so happens that i in particular do not think much of the work of current 'pro cryptographers'.
asciilifeform: i'm less interested in 'testimonials', and more in re criticisms
zx2c4: i havent compiled a list of Name+WrittenReview. maybe i should do that
asciilifeform: i'm curious, for instance, whether any of the cryptographers observed that the arithmetical routines behind your ecc are not in fact constant time on e.g. arm.
zx2c4: i dont think they post the reviews? except that it was "accepted" to the conference
asciilifeform: since mentioned scrutiny : on www of 'wireguard', there is mention of 'reviewed by cryptographers' . may i ask, who reviewed ?
zx2c4: i dont think hmac-md5 is anywhere near broken, actually.
asciilifeform: i don't see 'not publicly smashed to bits just yet' as a proof of strength, given as it is true of literally every system ever devised, until the moment of public breakage
zx2c4: i'd be surprised to see all 20 rounds of chacha broken
zx2c4: i'm pretty sure there's no conspiracy
asciilifeform: i am skeptical of all symmetric ciphers and hashes, given as there exists no scientific basis for considering any of them to be actually strong.
asciilifeform: several yrs ago i went in search of ~any~ problem that can be shown to have a ~nphard average case~ . and found none.
asciilifeform: when i ask for 'reduces to nphard', obviously i cannot mean 'factoring', because its hardness is not proven
asciilifeform: ( i.e. a reduction to np-hard or for that matter ANY particular complexity class )
asciilifeform: ( or see the ffa article series, http://www.loper-os.org/?cat=49 , currently on sabbatical but due to resume after i come back from upcoming biznistrip )
asciilifeform: but i have a somewhat different approach, which i call 'fits in head'
asciilifeform: zx2c4: i've spent the past ~2yrs writing a properly constant-time arithmetic lib. it is being slowly published. ( see earlier link to my www )
zx2c4: if you're interested in crypto primitives in wireguard in general, i can give you an overview of our implementations. the hacl and fiat code is not the only code we have in there
zx2c4: i dont own any via 2000 hardware to test on
zx2c4: asciilifeform: i haven't been able to observe any non-constant time multiplications on intel in that code
a111: Logged on 2018-02-17 04:22 asciilifeform: mod6: i will share my current hypothesis : all current intels have MUL leakage
asciilifeform: btw zx2c4 , i must regret to inform you that the code you linked, is in fact NOT constant-time on several common architectures, because it makes use of machine MUL instruction ( gcc will compile a nonconstant-operanded '*' to e.g. IMUL on x86 )
zx2c4: i can check for you one sec
asciilifeform: if i want to hand-audit it, say.
asciilifeform: i.e. , if i disasm your .o , will i see 0 conditional jumps ?
zx2c4: (i've got a project going on right now to rewrite that actually)
asciilifeform: ( i grasp the connectionless scheme , having prototyped a similar item )
zx2c4: ive got some more design properties to enumerate if you'd like, but i can answer your direct questions too
zx2c4: asciilifeform: i agreed to stick around for 2 hours. worry not. :P
asciilifeform: zx2c4: don't go away yet plz. i'd like to ask a few q re your crypto design
zx2c4: asciilifeform: oh cool. i havent seen this ill take a look
zx2c4: indeed. i guess you could call the property 'stealthiness'
zx2c4: then on top of that i wanted a few nice properties:
zx2c4: wireguard is supposed to be implementable using simple algorithms with as small of a state machine as possible, so that the code size and complexity is kept at a minimum. in other words, it aims to be easily auditable so that people can actually read it and feel confident that it doesnt have horrible vulnerabilities. with massive codebases and highly complex designs like openvpn or ipsec, this obviously isnt possible. so with wireguard i was trying
zx2c4: are you interested in learning about the security properties i had in mind when designing wireguard?
zx2c4: it's small, minimal, has the flexibility to be exactly what i needed and nothing larger. makes conservative choices. fits into the security model i was aiming for with the implementation properties i was looking for. i was also involved with noise from very early on, so several concerns and needs i had with wireguard got factored into noise. and since noise is a very interesting framework, it's now receiving much needed academic attention in
asciilifeform: zx2c4: it so happens that i have a few q: