asciilifeform: ( i.e. every time you write down a '+' that's a minimum of 2N LUTs used up, that cannot be used for anything else, where N is the operand width )
asciilifeform: understand that in fpga 'secret shift' is NOT a function that can be 'called', but a physical object that gets instantiated, using thousands of cells, every time you use it.
asciilifeform: and incidentally i was not joking when i said 32kb, it is fully my intention to eventually put whole thing on fpga where there will be certainly not even half MB of working space.
asciilifeform: barrett needs large scratch buffer for the mults; gcd can happen in-place.
asciilifeform: (i.e. you still win if you take 500x the cpu cycles, so long as you don't get cache-evicted)
asciilifeform: and gcd wins vs however-many trial divisions with barrett.
asciilifeform: in practice on pc speed appears to be inversely proportional to memory used, rather than the cpu cycle count.
asciilifeform: the fact that divisions are dog slow, for seconds
asciilifeform: the fact that i don't need the batch aspect for anything, for starters
asciilifeform: when you ffaize 'simpler' is not always what initially looks like.
asciilifeform: but this would weigh more than all of ffa to date!
asciilifeform: but hypothetically it may even be possible to ffaize bernstein's tree. or even to do it in such a way that doesn't wipe out the cpu winning from it. and even possibly to prove that it works and doesn't leak bits and doesn't let composites through once in a while.
asciilifeform: why the hell should i keep random crud in a table to pick up later.
asciilifeform: because i'm on a chip with 32kB of memory, say.
asciilifeform: if gcd(r, p) == 1 -- then worth m-r, otherwise not )
asciilifeform: ( in our concrete case, r, a random, and p, a primorial -- for the pre-mr litmus test )
asciilifeform: situation where rsa is breakable, but no one can yet break it, makes it the sane option. because alternative is to become a donkey fucker ( rely on face to face for all comms, hope that nobody invents listening bug, etc )
asciilifeform: problem is that the historical period where crypto was a contest of bullet vs armour, rather than 'absolute bullet exists'/'absolute armour exists' is not over.
asciilifeform: people offering a (3) are selling something.
asciilifeform: you get choice between 1) rsa 2) public key crypto does not exist
asciilifeform: when submarine is built, meant to last maybe 20yrs, test takes much longer than week
asciilifeform: apeloyee: i don't actually see how 'test for a week' is crackpottery when speaking about a key that is intended to stand up for 50 years ( or longer )
asciilifeform: and incidentally if there existed an UNBIASED constructor of primes, i'd use that
asciilifeform: ( i.e. i regard the proof behind strength of the probabilistic ver, as fundamentally stronger than the other's )
asciilifeform: i'll take the p(failure) to the week's power, over the possibility of hypothesis falling and ALL keys fucked.
asciilifeform: ( very often abuse of terminology, what people actually mean by 'deterministic version' is 'probabilistic with prng supplying the random' )
asciilifeform: i'm not aware of a fully deterministic test that doesn't run in geological (e.g. saxena) time
asciilifeform: which he'd rather have -- key that he genned inside 50cent chip, staying there, or primality-torture on his fleet of pentiums etc
asciilifeform: this requirement is somewhat in tension with classical airgapism 'this key was born in this tin can, and must die in it' however
asciilifeform: ( and naturally it parallelizes without any effort on all iron you might have, just set it up on each )
asciilifeform: and moreover for long-term key genning, imho a week or longer probabilistic primality test is not inappropriate.
asciilifeform: i can't think of why to do any such thing
asciilifeform: i suspect that for any probabilistic test, you can construct a boojum (e.g. you know that he will do 300 rounds, you make one that needs 301 )