asciilifeform: aa

asciilifeform: did i miss a whole thread

asciilifeform: waiwat

asciilifeform: ( a ptron is permitted to be invoked with any bitness that is multiple of 64 )

asciilifeform: mircea_popescu: it'd be many moar , to correctly handle cases of 1-7 word too

asciilifeform: 'sorry you can't have multiplication in algebraic - branch-free - form ! That Would Be Wrong'

asciilifeform: srsly this entire exercise has been a brainmelting tour of the sheer unfathomable worthlessness of 'the litarature', 'the cryptography komyoonity', et al

asciilifeform: ( nobody seems to have produced a branch-free montgomery-reduction algo. or any other division-free modexp. )

asciilifeform: and then we can play.

asciilifeform: aite, nao all asciilifeform needs is a constantspacetime MODULAR exp algo that can be expressed with the mux primitive

asciilifeform: ( i'ma keep the general case, for nao, because it is always very easy to turn it into the above later. but not vice-versa. )

asciilifeform: so currently it is not obvious to me, which variant is Moar Right Thing

asciilifeform: you can reduce it algebraically

asciilifeform: 3 of course because no branching

asciilifeform: the unrolled-8word thing is 1 ) less general 2) harder to read with naked eye but 3 ) easier to prove correct

asciilifeform: there's still a dilemma tho :

asciilifeform: but apparently branch predictor dun matter so much when your entire thing is ~guaranteed to fit in cache

asciilifeform: itched to find, what if another 2x vrooom is possible.

asciilifeform: had to.

asciilifeform: mircea_popescu, phf , mod6 , et al ^^

asciilifeform: so imho it is not worth it.

asciilifeform: HOWEVER the actual result is : ~13% cut in execution time.

asciilifeform: so theoretically x86 branch predictor oughta be very very happy;

asciilifeform: it is loop- (and any other jump) - free

asciilifeform: ( yielding 16 word result )

asciilifeform: and so here http://wotpaste.cascadianhacker.com/pastes/hoM4U/?raw=true we have a combasquareatron explicitly unrolled for 8-word operand

asciilifeform: for simplicity, tested the case that actually happens in practice: on a 64bit box, any ffa width over 512 bits gives a strictly 8-wide comba mult ocurrence ☟︎

asciilifeform: soooo ACHTUNG PANZERS , asciilifeform went and actually tried http://btcbase.org/log/2017-08-08#1695511 : ☝︎

asciilifeform: srsly wtf, oughta have been written in 1993 at the latest

asciilifeform: but this being said , i am not even ready yet to barf re ref-keccak, i aint even yet done barfing re ffa not having already existed

asciilifeform: that and killing length extension attack idiocy

asciilifeform: mircea_popescu: amusingly that was almost whole point of keccak

asciilifeform: fwiw i have a half-built one here. on hold until p.

asciilifeform: the 'reference' is sad

asciilifeform: the algo strictly

asciilifeform: http://btcbase.org/log/2017-08-09#1696171 << it dun branch-on-secrets if correctly made. so yes fixed. ☝︎

asciilifeform bbl, meat

asciilifeform: sponge goes from any-input to desired-width-out

asciilifeform: mircea_popescu: nope that'd be classisal hashes

asciilifeform: or any other sponge

asciilifeform: keccak?

asciilifeform: mircea_popescu: mphf in a fixedtime fixedspace system is insane

asciilifeform brb

asciilifeform: http://btcbase.org/log/2014-11-26#934853 << thread ☝︎

asciilifeform: !#s martian problem

asciilifeform: erlehmann: you seem to be fixated on a problem that simply doesn't exist in sane contexts

asciilifeform: no program has any business being a billion line build.

asciilifeform: cut it. like procrustes, or into independent subsystems, i don't care how

asciilifeform: erlehmann: the building-clean thing is sanity. we had this thread. if your program is 'too big to always build clean', IT IS TOO BIG

asciilifeform: erlehmann: if it is present in whatever you are using instead -- your process is broken

asciilifeform: erlehmann: the problem you describe is absent in v

asciilifeform: erlehmann: are you familiar with how v works ?

asciilifeform: erlehmann: the problem however is not where you seem to put it

asciilifeform: no third.

asciilifeform: systems are to be fixed - i.e. brought into conformance with vtronics -- or discarded.

asciilifeform: they correspond to a vgraph with contradictory inputs.

asciilifeform: multiple include paths are retarded.

asciilifeform: flush the toilet.

asciilifeform: clean the fucking chalkboard

asciilifeform: didn't we do the STOP FUCKING PARTIALMAKING thread ?

asciilifeform: in erlehmann's context

asciilifeform: granted, but when would this come into play ?

asciilifeform: erlehmann: incidentally what exactly is a 'nonexistence dependency' ?

asciilifeform: you can do more or less whatever variations on whichever theme, you feel like, all it costs is a few extra chars in pubkey

asciilifeform: ( yet another reason for pmach )

asciilifeform: incidentally you get best attributes of both if you harness them as i described, via otpxor

asciilifeform: correct.

asciilifeform: i know of no others worth bothering with.

asciilifeform: aha.

asciilifeform: ( dun require any new primitives )

asciilifeform: at any rate it is just as easily implemented on pmachine as rsa. ☟︎

asciilifeform: i don't know of any hard, tangible reason to avoid it.

asciilifeform: but for above reasons i prefer rsa.

asciilifeform: possibly distaste is wrong word

asciilifeform: ( my distaste for it comes largely from it not being rsa, and from a suspicion that enemy has a partial pill against discrete logarithm problem , given that dsa was based on same )

asciilifeform: now if you want a pubkeycrypto where this proof actually exists, i know of exactly one : cramer-shoup

asciilifeform: thing ~assumes~ own conclusion ! acquinas-style.

asciilifeform: see problem ?

asciilifeform: ''When RSA is the underlying primitive, something even more is known: that the ability to forge with resources R in an attack which does not exploit some structural characteristic of the MGF implies the ability to invert RSA on random strings using computational resources only slightly greater than R.''

asciilifeform: here's a gem :

asciilifeform: mno, i did go & read

asciilifeform: replete with magicnumbers, 'random oracle' assumptions, 'perfect hash', and other maculae

asciilifeform: mircea_popescu: i looked at the pss thing, seems like simply yet another obfuscatorily-complex nsaological artifact

asciilifeform: ( if message dun match the prescribed structure -> forgery )

asciilifeform: whole point of the M+H(M) or no-go combo is to prevent forgery.

asciilifeform: waiwat

asciilifeform: ( if anyone recalls my sageprobe crack ? that was as simple as it was because the thing used crc as hash... )

asciilifeform: this problems was how we even ended up with cryptological hash functs

asciilifeform: you wouldn't want to use a checksum ( e.g. crc ) for decryptable-legit vs random rubbish distinguisher

asciilifeform: lol that's probably the worst conceivable

asciilifeform: ( i will also note, the problem with allowing packet fragging is that frag reassembly is a Something-To-Allcomers operation . )

asciilifeform: not necessarily

asciilifeform: ergo if you want to use the xor padding algo, you are stuck with payloads of half the size.

asciilifeform: you don't ~have~ 1024 bytes

asciilifeform: PeterL: think carefully, this is flawed logic

asciilifeform: !!up PeterL

asciilifeform: empirically

asciilifeform: PeterL: 512 is really top limit of 'guaranteed nonfragment no matter what'

asciilifeform: aite, i'ma let mircea_popescu handle pedagogical thread, brb

asciilifeform: ( while otherwise quality hash. my current favourite for this is keccak's hash )