asciilifeform: mircea_popescu: i'm curious wtf aes is doing in the kernel.
asciilifeform: mircea_popescu: re 'sad serpent hole', a d00d like shinohai could easily take my proggy and determine whether e.g. aes's key expander is injective (afaik nobody ever bothered)
asciilifeform: unlike the massive pile of pgpgrams-cum-aes we've collectively shat out all over the net, nobody's even ciphered anyffing with serpent of yet, aside from diana_coman's tests
asciilifeform: ( existing schemes resembling this are retarded primarily because they have luser enter key via pc kbd , and secondarily because they all married to aes )
asciilifeform: and yes, i like it largely because not crowned by hitler. ( tho admittedly there is no way to prove the negative of hitlerian authorship for it, the author set of it iirc intersects with that of aes , which ~was~ crowned )
asciilifeform: loox like this part only does hashing and aes
asciilifeform: they can steal it any number of times, but they have no ideological drive to ~keep~ it, so it ends up in the usg safe next to the aes weak key formula and the nuke src. all over again.
asciilifeform: ( what would 'getting somewhere' look like ? how about a general theory, or even ~study of particular case, like aes~ re how many bits of key are leaked per, say, TB of ciphertext )
asciilifeform: zx2c4: does it bother you that no proof of strength for any symmetric cipher other than otp (e.g. aes, chacha, etc ) exists ?
asciilifeform: almost impossible to bring up crypto in heathendom without a 'voice in the crowd' 'helpfully' reminding about 'standardized, well-designed aes'
asciilifeform: rather than, e.g., 'rsa broken OR aes broken OR prng broke OR riemann is false OR ...'
asciilifeform: any attempt at proceeding in the absence of said theory, is guaranteed to give you a 'it seemed clever and unbreakable to ME!' idiocy, a la aes et al.
asciilifeform: after that let's write to obummer and ask for the aes pill.
asciilifeform: the ~actual~ purpose of the attempted 'frameworks' is to drill into your skull and install the idea that nullcipher, diffiehellman, aes, are acceptable things to exist in this world, and can be pushed as 'cryptography'
asciilifeform: massive pile of moving parts, aes, various post-conversion bernsteinisms, null ciphers, 'this is faster on 32-bit cpu so we're using it', let's-give-enemy-raw-bytes-from-prng, and other jokes.
asciilifeform: privkeys are plaintext ( you can cipher them via some other cmdline util, or even another piped p, but no nonsense re 'bitcoin-style' enter-aes-pw etc )
asciilifeform: e.g. yes some retired to dogs crone somewhere once photocopied the algo for breaking the weak class of aes key. no she has nfi what the funny letter on the paper meant, why would she.
asciilifeform: ( lessay you HAD to use a block cipher, and want to combine aes, serpent, and gost, so as to GUARANTEE the best strength of the 3 )
asciilifeform: ( today's, e.g. aes, have moar boxes still. but same principle, of rearrangement. )
asciilifeform: e.g., aes(0, 1, 2, ...., maxint) is perfectly uniform by all known tests.
asciilifeform: naturally there was nothing provable re aes -- but it served a useful end, which was to make machine evaluation of the contents en masse, impractical
asciilifeform: many, many years ago, asciilifeform wrote a ( and won't claim to be the only one who had this simple idea ) thing for evading censorware, that'd encipher a blob ( aes, iirc ) and package all but N bits of the key with the compressed ciphertext
asciilifeform: prng, e.g., aes(aes(...(0))) , or urandom, etc. give uniform distrib. and quickly ideal montecarlo for 'pi', etc. but , interestingly, same sort of dieharder out as FG, in that the level of 'happy' is directly proportional to the size of the collected blob, or rather, inversely proportional to # of the idiot rewinds.
asciilifeform: '...the software, available for iOS and Android, basically uses the OpenPGP standard to perform public-private cryptography, uses AES for ephemeral per-message encryption, and exchanges public keys between users via TLS connections with certificate pinning.'
asciilifeform: because enemy can do this just as easily with, e.g., first two blocks (and iv) of AES-CBC.
asciilifeform: BUT it is in several ways, apparent to the naked eye, less retarded than aes
asciilifeform: the political history is also rather interesting (it was on track to winning the 'aes competition', received fewest thumbs-down votes from the panelists, but mysteriously torpedoed by usg and did not win)
asciilifeform: the difficulty is in making something that can be distinguished, in a spot check, from aes(unixtime+salt), by skeptic.
asciilifeform: otherwise it can just as easily be a device that puts current unix time + salt through aes
asciilifeform: mircea_popescu: it needs tmsr-rsa (i ain't releasing anything with aes or koch's idiocy)
asciilifeform: (idiot pgp still needs 256 rng bits for aes session keys, when transmitting, and this is own can of lolworms)
asciilifeform: earlier this year, i wanted to fit symmetric cipher into trb, and get rid of 'blackholing' etc. but mircea_popescu correctly pointed out that it is the Wrong Thing to cement a pseudoscientific abortion like AES (or ANY OTHER known symmetric cipher!) into place
asciilifeform: in other 'news', heathen 'rng design' folk write what aaaaaalmost looked like good intro to subj, https://forum.stanford.edu/events/2016/slides/iot/Ben.pdf , until the mindfuck 'Want to keep generating entropy bits without needing to keep powering the HWRNG Use HWRNG to seed a PRNG (AES counter mode)...'
asciilifeform: i'll believe, when, e.g., the recipe for taking 100MB of aes ciphertext and distilling out the key, is posted.
asciilifeform: (e.g., aes of a stream of nulls, outscores (debiased) geiger, electric rng, whatever you like, on ~100% of the tests)
asciilifeform: mircea_popescu: most likely, pile sits around busting aes.
asciilifeform: i find it also very interesting that all aes-like ('boxes') cryptosystems are direct descendants of rotor machines. which were known to be pseudoscientific even when first built, as vernam existed
asciilifeform: 'aes is hard to break' 'says who' 'says me, i haven't broken it yet'
asciilifeform: mircea_popescu: see thread from this morning. hashes suck in exactly the way aes sucks.
asciilifeform: understand that the 'hardness' of all known (and perhaps even any possible) hashes is just as unproven as that of, e.g., aes.
asciilifeform: 'A number of IETF standards groups are currently in the process of applying the second-system effect to redesigning their crypto protocols. A major feature of these changes includes the dropping of traditional encryption algorithms and mechanisms like RSA, DH, ECDH/ECDSA, SHA-2, and AES, for a completely different set of mechanisms, including Curve25519 (designed by Dan Bernstein et al), EdDSA (Bernstein and colleagues), Poly
asciilifeform: (note that speck and simon were ~not~ proclaimed as crown standards, like des or aes)
asciilifeform: 'Besides integrating hardware accelerators for AES and SSL....'
asciilifeform: the document appears to describe standard gcm/aes. snore.
asciilifeform: n encryption (to use stronger encryption in many areas, such as AES-loop, you needed to compile your own kernel and go to great lengths to manually bypass barriers they put in place to the use of genuinely strong encryption)....'
asciilifeform: the use of multiple ciphersystems, presumably (if operator is not entirely retarded) would be something like 'first aes with key k1, then the output with serpent and key k2, then twofish with k3....' etc
asciilifeform: (knowing weak keys in aes does not break the message if under it is, e.g., twofish, with DISTINCT KEY)
asciilifeform: or, alternatively, like the choice of 'aes' over the stronger but 'slower' 'serpent' cipher, it was merely orders from lizardhitler.
asciilifeform: (who typically succumbs to the temptation of using hw-accelerated, e.g., aes? - folks setting up vpn or otherwise bridging nets with serious traffic. aka delicious targets for usg.)
asciilifeform: last bit re: this gadget: seems like the open source folks were somehow clued in regarding, and dared to put to use, the aes acceleration.
asciilifeform: i'd avoid the built-in aes, etc. instructions. if i were hitler and ordering a 'magic packet' back-door for this device, i would almost certainly ask that it spit back recently-used operands for these on the wire.
asciilifeform: questionable attacks on aes, etc << there are stables of ops grunts paid to sow disinfo - false research leads, general-purpose 'fud' for the academic community, promotion of sensational mystery meats ('badbios' !), etc.
asciilifeform: ecdsa curves, 'nothing up my sleeve' constants << think back to the legend with the 'randomly wired' neural net. if secp256k1 (or, another example, aes s-boxes) have sufficiently broad classes of 'weak key' - then all you need to do is find a simple, e.g., sqrt(2), whatever, 'sleeve constant' that impresses the fools.
asciilifeform: 'Assembly acceleration of various algorithms... ...x86_64 CPUs' << translation: let's use intel's diddled aes instructions.
asciilifeform: mircea_popescu: well, i'd enjoy reading, e.g., what the aes weak key class is.
asciilifeform: only want to hear rsa key. (or aes, whatever.)
asciilifeform: to see this as issue with aes in particular is a grave mistake. it's an issue with using a 'food chain' that you aren't intimately aware of to the bottom.
asciilifeform: no one forces you to use intel's aes instructions!
asciilifeform: decimation: aes hard disk << what actually happens inside the drive? how does one know? this is not a minor detail - it's the beginning and end.
asciilifeform: twofish was submitted as an aes candidate
asciilifeform: jurov: misconception. this was 'codebook mode' aes
asciilifeform: exercise: encipher a consecutive stream of nulls, with aes, using whatever you want as init vector
asciilifeform: the 'zorro' thing isn't a mega-news, on account of it being a kind of 'castrated' aes variant