log
mircea_popescu: asciilifeform man, you're mixing industrial process into educative discourse without any sort of rhyme or reason, resulting in some very confused and eventually frustrated people.
mircea_popescu: but yes, for unrelated reasons fixed size is the right choice for gossipd.
mircea_popescu: asciilifeform i was discussing a more general rsa scheme, not gossipd specifically.
mircea_popescu: huh ?
mircea_popescu: and rnd(256, l) is not equivalent because who the fuck knows what rnd does when a > b.
mircea_popescu: no. l' = rnd(0, l) ; if l' < 256 l' = 256.
mircea_popescu: works
mircea_popescu: PeterL so if you feel like writing a mpfhf reverser... afaik nobody has to date.
mircea_popescu: !!up PeterL
mircea_popescu: this scheme is both slow and bulky. it is not likely useful for gossipd-style comms. it is certainly valuable for signing material, especially because rsa signature is much more padding-vulnerable than encryption ; and perhaps for some limited encryption work.
mircea_popescu: c (in that order), where R and S are produced by mpfhf(m') with R len set to c (bitness same as bitness of len(Pm)). Pm will be the padded message sent to RSA. The recipient will have to undo mpfhf with known R and S to obtain m.
mircea_popescu: anyway, let it be said that there's nothing wrong with oaep as far as we know, but for the sake of argument a mpfhf based padding scheme would conceivably work like this : 1. given message m, of length l, generate r = random bits, of length l' up to l but not less than 256 bits. 2. compose m' = r + m + c (in that order), where c is l - l' (and its bitness is always same as the bitness of len(m')-256). 3. compose Pm = R + S +
mircea_popescu: 3, generally. that, you never know. yeah.
mircea_popescu: i mean the bitsize ; it's not just that though, partially known secrets, low exponents etc all conspire to empower the lattice reduction.
mircea_popescu: !!up PeterL
mircea_popescu: yes.
mircea_popescu: i know right ?
mircea_popescu: (and they are http://www.di.ens.fr/~fouque/ens-rennes/coppersmith.pdf )
mircea_popescu: and since we're apparently doing rsa likbez : if r used in padding above contributes less than n / e^2 bits of entropy to the final, padded message, coppersmith has a few words to tell you.
mircea_popescu: PeterL terrible, terrible thing, which is why irl rsa is always padded.
mircea_popescu: (and, of course, for short messages ie shorter than n i can just compute the e-root).
mircea_popescu: and upstream, to make clear what "semantic security" means : rsa is deterministic, if i wish to see if your "encrypted" string really was message m, all i have to do is encrypt m myself. if the results match i have cryptographic confirmation.
mircea_popescu: and besides, not muchly tested yet.
mircea_popescu: because hash and hash' are used to stretch/reduce the bitlength of their parameters, something like mpfhf (which permits arbitrary sized outputs/inputs) could work well ; but is also slow.
mircea_popescu: oaep works like this : given hash and hash' hash functions, calculate X as hash(m00) xor G(r) and Y = r xor hash'(X).
mircea_popescu: similar, but not exactly.
mircea_popescu: basically it takes a random string, jumbles it with the original message, and spits out two halves. the hope with it is that it provides all-or-nothing security, in the sense that to recover any bit of the message you need to correctly process the entire pair of jumbled strings.
mircea_popescu: it's a sort of two-box permutation thing.
mircea_popescu: !!up PeterL
mircea_popescu: what gpg normally uses is called OAEP
mircea_popescu: and THAT you then encrypt to key X and send over.
mircea_popescu: now, alf's scheme is probably valid padding, though it is very expensive. it works like so : to encrypt a message m to key X, you : a) generate two one-time keys, A and B. you encrypt some bits of m to A and some to B, randomly chosen. you pile together : the bits of m encrypted with A, the bits of m encrypted with B, the schedule of which is which, and the keys A and B into one large m'
mircea_popescu: long fixed problem, so not really.
mircea_popescu: it's not useful in the field.
mircea_popescu: now : textbook rsa (the sort of thing you seem to be discussing, above) has no semantic security and on top of that is malleable.
mircea_popescu: i think you misconstrue alf's padding algo.
mircea_popescu: ...
mircea_popescu: PeterL and then you add key A and B to the message at the end so recipient can un-pad ?
mircea_popescu: PeterL the other problem this discussion reveals, of course, is that you aren't using any padding ?
mircea_popescu: PeterL the broader point here being that you can't warn the user about things he can't control. you gotta provide for it yourself.
mircea_popescu: https://www.ti89.com/cryptotut/rsa3.htm << very handy rsa tutorial in that it uses base 10 and alphabet-indexing for letters. so one can actually rsa by hand and get a good model of what's going on.
mircea_popescu: PeterL the logical approach would be to include a checksum neh ?
mircea_popescu: or how shall i best put it, that's not equality but modulo congruence. whereby 7 = 5 mod 2
mircea_popescu: this is the basis of rsa : m ^ e ^ d = m mod n
mircea_popescu: yes, but would that integer then also be m ?
mircea_popescu: so you are telling me that m ^ e ^ d mod n always has an integer solution for randomly chosen parameters.
mircea_popescu: uh.
mircea_popescu: 0 length isn't usually what one thinks of when seeing "too small". same is true if 1 byte string ?
mircea_popescu: um.
mircea_popescu: you gotta have the params set correctly
mircea_popescu: and mind that m-r is a ~probabilistic~ test.
mircea_popescu: aha.
mircea_popescu: found a c impl somewhere ?
mircea_popescu: alright
mircea_popescu: aite
mircea_popescu: what happened to your key ?
mircea_popescu: !!up PeterL
mircea_popescu bbl
mircea_popescu: i don't maintain btcbase ; phf does.
mircea_popescu: anyway, forward your thanks to phf for allowing your exercise.
mircea_popescu: well so if you thought that you could have asked before rather than after eh.
mircea_popescu: they also end up on archive.is, because the bot archives links and the odds of a whole day going by without a single log reference are small.
mircea_popescu: nothing wrong with it.
mircea_popescu: you could just make your own logger.
mircea_popescu: read the help would you.
mircea_popescu: ...
mircea_popescu: edivad do it here.
mircea_popescu: lol nothing works for this guy does it.
mircea_popescu: and in other civilised behaviours : always remember to hold pinky elevated! http://68.media.tumblr.com/e0686d449baf8a8d73a2199a83f7780c/tumblr_o1f357D0Zh1sr105eo1_1280.jpg
mircea_popescu: !!rate edivad 1 painter/student
mircea_popescu: use !!v in pm to deedbot.
mircea_popescu: !!key edivad
mircea_popescu: edivad your makefile is getting mangled somewhere.
mircea_popescu: gcc ?
mircea_popescu: and in random other lulz : it's funny how the libertards worshipping at the watergate shrine usually omit to mention that by then washington post had been a libel tabloid for years. somehow dillard stokes' name never comes up. somehow they don't seem to notice it always was simply us sturmer.
mircea_popescu: i can see that heh
mircea_popescu: what are they to build in italy ?
mircea_popescu: this is how growing up goes : you take stock of situation, you make a plan, you implement it.
mircea_popescu: how is another man going to answer that question for you ?
mircea_popescu: so good for you.
mircea_popescu: !!help
mircea_popescu: you can just register a key you know.
mircea_popescu: !!key edivad
mircea_popescu: ask away
mircea_popescu: enjoy.
mircea_popescu: a sound policy.
mircea_popescu was bracing self for "o look, new version of patch, breaks downstream" lulz.
mircea_popescu: ah so okay. that makes more sense then.
mircea_popescu: lol!
mircea_popescu: this is bizarre. try the actual line from the .sh that fails ? (prolly the first one to string match "patch") ?
mircea_popescu: edivad can you run it from command line ?
mircea_popescu: i have 2.6
mircea_popescu: will prolly have to add patch to the pile at the end eh.
mircea_popescu: well, it's technically part of core linux, but apparently they ship systems without.
mircea_popescu: edivad sudo apt get patch eh.
mircea_popescu: doh.
mircea_popescu: that wouldn't do anything.
mircea_popescu: seems you're missing a file for some reason.
mircea_popescu: edivad this is somewhat odd as i recently had a new node configured, came out just fine.
mircea_popescu: mod6 did a u160 test item end up stranded in there ?