asciilifeform: ty
asciilifeform: anybody got copy ?
asciilifeform: item paywalled
asciilifeform: ( meteorite specifically on your head, not elsewhere )
asciilifeform: mircea_popescu: chance of these without sabotaged rng is < chance of meteorite
asciilifeform: apeloyee: i don't see what is wrong with standard modexp
asciilifeform: waiwat
asciilifeform: y'mean exponents ?
asciilifeform: mircea_popescu: review the mr algo , it is actually surprisingly easy to ffaize, just replace all 'return true' with flag := flag OR true, etc
asciilifeform: then all ACCEPTED primes took exactly same number of cpu clocks, to produce.
asciilifeform: apeloyee: each individual test has to be fixedtime though. then -- yes.
asciilifeform: apeloyee: correct.
asciilifeform: just like i did everywhere else.
asciilifeform: can instead -- mux.
asciilifeform: it doesn't mean that we are forced to BRANCH on it.
asciilifeform: mircea_popescu: all that means is that one of the inputs comes from rng.
asciilifeform: all steps that were previously conditional, happen muxed.
asciilifeform: same method as constant gcd.
asciilifeform: yes there is.
asciilifeform: if you want 'compromise' rsa, use koch's.
asciilifeform: there is to be no compromise on leak.
asciilifeform: ANY LEAK IS A PROBLEM
asciilifeform: understand, this thing is 800 lines right now and i consider it too big.
asciilifeform: no 'different versions'
asciilifeform: what?!
asciilifeform: if you leak in one place, the rest of the places are worthless
asciilifeform: this is why ultimately entire primality test algo must be constant time, just like the other pieces.
asciilifeform: via the interval it took you to ACCEPT.
asciilifeform: and then if your miller-rabin is variable time, you have leaked key bits.
asciilifeform: for miller rabin you may end up ACCEPTING the test
asciilifeform: apeloyee: no, because there is another possibility
asciilifeform: because all you do is get NEXT N bits from rng, they have ( if rng is proper ) 0 relation to previous N
asciilifeform: rejecting rng result that doesn't pass the gcd sieve -- leaks nothing
asciilifeform: ( i linked to a concrete algo for this attack some months ago )
asciilifeform: the time taken by heathen miller-rabin , in fact leaks key bits.
asciilifeform: if we generate keys continuously, it is a problem.
asciilifeform: possibly constantly, depending on the rsa keying system
asciilifeform: otherwise sieve is waste of time.
asciilifeform: apeloyee: i see your point. either we dispense with the sieve, or decide to count from the moment after sieve.
asciilifeform: *variability allowed not in the test, but in output
asciilifeform: there must be no variability in the time the ~test~ takes.
asciilifeform: apeloyee: no contradiction. the variability of time is in the ~test~, not the output result , which naturally will vary depending on what rng gave you
asciilifeform: because on pc most of the wait time is for memory access.
asciilifeform: ( as in above case with knuth divider )
asciilifeform: so far almost all of my theoretical predictions re which optimizations will be worth the effort, were wrong
asciilifeform: so how do you propose to multiply anything modulo 2^(k+64) ?
asciilifeform: *not
asciilifeform: *that are now power of 2 size
asciilifeform: ( karatsuba assumes length always divisible by 2 )
asciilifeform: i even threw out ability to have mul operands that are not power of 2.
asciilifeform: all of my mult is xbit * xbit -> 2xbit . ( after using apeloyee's method, also can have xbit * xbit -> upperhalf(2xbit) )
asciilifeform: how? k is discrete ( multiple of e.g. 64 )
asciilifeform: it isn't clear to me exactly how
asciilifeform: ( karatsuba, i will note for n00bz, parallelizes , but i deliberately omitted parallelization logic because i want ffa buildable on msdos and for machines with 1 cpu )
asciilifeform: a 2sec modexp is already a wholly fine replacement for koch's gpg, say.
asciilifeform: if ffa can be made to do 4096b modexp in 0.5s on typical comp, that gives ~1byte/msec purersa payload. which is enough for many purposes, e.g. voice.
asciilifeform: apeloyee: theoretically. but cache locality win from smaller memory segment sometimes gives a surprising win. the example above, for instance, gives 2x speedup rather than my predicted 25%.
asciilifeform: ( a concrete example : http://wotpaste.cascadianhacker.com/pastes/bP0Qt/?raw=true vs http://wotpaste.cascadianhacker.com/pastes/YBnZR/?raw=true knuthianmod )
asciilifeform: ( reader can pick which he wants )
asciilifeform: in the end might even release different variants that have different complexity tradeoffs.
asciilifeform: and then bernsteinian karatsuba, possibly, and whatever else i can think of.
asciilifeform: which i will also make, and decide if it was worth the cost
asciilifeform: it is! but much smaller than, for instance, the secretshift-barrett.
asciilifeform: ( unrolled comba would have explicit unrolled cases for 1,2,...,8-word operands )
asciilifeform: for instance unrolled comba wins 20-25% speed, but i did not use it in place of the generic because it is longer and harder to read.
asciilifeform: apeloyee: my strategy so far was to introduce moving parts very, very reluctantly ( started with egyptian multiplier, for example ) when there is absolutely no choice.
asciilifeform: i'ma try it next
asciilifeform: currently i'm aiming for <1sec (opteron 3GHz) 4096b modexp, with minimal new moving parts. after that -- releasing.
asciilifeform: not yet, considering that it dun work yet, lol
asciilifeform: describe in detail ?
asciilifeform: !!up apeloyee
asciilifeform: mircea_popescu: what was it
asciilifeform: mircea_popescu: 404 eggog ?
asciilifeform: well yes but loox like intends to be a coherent wave of gurlz rather than randopolarized, if you will.
asciilifeform: mircea_popescu: for some reason i can't help but think of the old lul with chinese on footstools synchronously jumping
asciilifeform: lolwassat
asciilifeform: ah hm.
asciilifeform: waitasec why was ro petroimporting
asciilifeform: lollected
asciilifeform: in tito's case , and for that matter kim ir sen's -- 'throne is mine, i won it as partizan commander in the war, took no payola from foreign devils' was true. but how did the shoemaker get ~his~ throne
asciilifeform: possibly fancied himself tito ?
asciilifeform: very easy to 3 instead of 30 when you dun gotta do the rocket, n00kz, etc
asciilifeform: aufklärung! ( enlightenment! )
asciilifeform: mircea_popescu: lol is that the sniper-roof
asciilifeform: rather than bravery
asciilifeform: in ru sphere it often is chalked up to the proverbial 'дедушка старый - ему всё равно' ( 'grandpa is old, it's all the same to him' )
asciilifeform: this last part is well-known
asciilifeform: ( and/or bought )
asciilifeform: gorby wasn't even 60 and already chicken
asciilifeform: why would fuhrer deliberately omit the paperwork
asciilifeform went on a tr kick and noticed that dulap is turkish, i.e. dolap ( crate )
asciilifeform: aayes
asciilifeform: ( or possibly i misread re habitation. but still fountain of lulz. )
asciilifeform: speaking of ro, http://perevod99.blogspot.ru/2011/08/blog-post_23.html << ru pro linguist with some decades of ro habitation, various lulzy posts re subj and other.
asciilifeform: oh hey
asciilifeform: wassis
asciilifeform: differ by an orc glyf
asciilifeform: word for girl vs face say
asciilifeform: mircea_popescu's www 'cheats' by omitting the orc letterz
asciilifeform: apparently that easy huh