bvt: hi. for me, the meatworld events mentioned in http://bvt-trace.net/2019/08/fg-fed-linux-rng-work-schedule/ are over, i am continuing active fg-kernel work
snsabot: Logged on 2019-09-19 05:47:32 mircea_popescu: trying to meta-smart, pseudothinking in your dumb head "if i were a literary character and these things happened to me, what'd it mean about the script" will not only fail to deliver any useful predictions (in the sense that it'll work EXACTLY as well as a RNG-choice, to perfectly fuck you over), but it will actually prevent you from deriving any benefits from the circumstance you're NOT a fucking literary char
mircea_popescu: trying to meta-smart, pseudothinking in your dumb head "if i were a literary character and these things happened to me, what'd it mean about the script" will not only fail to deliver any useful predictions (in the sense that it'll work EXACTLY as well as a RNG-choice, to perfectly fuck you over), but it will actually prevent you from deriving any benefits from the circumstance you're NOT a fucking literary character.
snsabot: Logged on 2019-06-07 16:36:15 asciilifeform: ( the 1 annoying aspect of lysotronic fg as currently drawn, is that it gets the +45v bias voltage for the detector, from batteries, as asciilifeform does not know of a 'rng safe' method to generate it from +5 without oscillators )
bvt: asciilifeform: if you recall, this was my original plan, however i got impression from 'part of kernel & welded shut' here http://bvt-trace.net/2019/08/fg-fed-linux-rng-work-schedule/comment-page-1/#comment-44 that everything should be inside
feedbot: http://bvt-trace.net/2019/08/bits-and-pieces-of-linux-rng/ << bvt's backtrace -- Bits and pieces of Linux RNG
bvt: hi, sorry for delay on the linux rng post, it is in fact ~ready, but i need one more day for proofreading
asciilifeform: typical cheats, in so far as they reach the open literature, involve the coin dispenser, rather than rng per se.
asciilifeform: the other interesting casinoism is that in usa, rng is a sealed box provided by usg. but iirc had already thread about this, in '13
asciilifeform: imho mobo oughta have dedicated socket for rng. but we aint yet there.
mircea_popescu: cuz all boxes must be rng
asciilifeform: 'make artificially easy for os and whatever ears on walls it came with, to know which box is rng'
asciilifeform: btw before it gets lost , this was imho good point.
asciilifeform: at one pt i experimented with, among other lulz, playing suspect-rng via headphone , to find regularities
bvt: after ffa I will have a look at other things (like ripping out kernel rng, having another look at gnat-arm64 internals, as it seems there is no ongoing work on this front atm). i expect to get something useful as a result, and maintain it in long term.
a111: Logged on 2018-10-12 17:36 asciilifeform: ( my sim -- converged!11 -- when i fed it... don lancaster's geiger rng tarball. )
asciilifeform: ftr i have nuffin against public rng per se, one of which i used to good effect, albeit naturally not for crypto, in early 2000s ☝︎
asciilifeform: thing actually does a deedbot-style rng turd decrypt/confirm when pressed
asciilifeform: ( the 1 annoying aspect of lysotronic fg as currently drawn, is that it gets the +45v bias voltage for the detector, from batteries, as asciilifeform does not know of a 'rng safe' method to generate it from +5 without oscillators )
asciilifeform: mechanism, for thread-completeness.
asciilifeform: meanwhile, thinking moar re this item : the two tests make roughly comparable demand on rng: 3582 * (2048 / 8) byte == 916992 bytes (single 2048 gcd) ; 3155 * (2048 / 8) == 807680 byte ; ☝︎
asciilifeform: 1 moar hypothesis : on boxes where very slow rng (e.g. fg unavailable ) or where heavily milked fg, generating e.g. ephemeral rsa privs with high frequency, economy may be much greater, as fewer doomed m-r shots means fewer '?' invocations for their witnesses gen.
asciilifeform: for both cases, 'rng' was file of first 1MB from http://nosuchlabs.com/fg/nosuchlabs_FG_1024MB_phreesample.bin .
asciilifeform: 'if I wanted to influence your RNG I would attack it at the von neumann fair toss algorithm, by ensuring that I have control over pairs of outputs somehow.' << didjaknow!111
asciilifeform: ( iirc this was when mircea_popescu persuaded asciilifeform that oughta make an rng... )
asciilifeform: certainly terrible idea, if yer using e.g. the onboard rng.
mp_en_viaje: http://btcbase.org/log/2019-04-06#1907157 << so far all that's actually been decided is the rng source (no, not possible to have sane iron w/o rng). ☝︎
asciilifeform: dunno, imagined that somewhere someone 1) has hands growing from torso, not arse 2) wants rng 3) likes to blog re builds
asciilifeform: ( also oughta add, that if extended riemann is troo , then the supposition that 'for erry finite set of witnesses, can produce a p for which they all lie' is not , and the rng component of m-r would then be redherring )
asciilifeform: cuz 'avoids 3/4 of space' is equiv to , e.g., rng that never produces string '00', '01', '10' for any 2 bits of output
asciilifeform: nao the q becomes, you later look at what came out of the wire. is it possible to conceive of a 'rng test' that the output would not (for particular p , taken as constant) fail ?
mircea_popescu: "from actual rng per [naive interpretation] of m-r claims", but w/e.
asciilifeform: so erry time you milk the wire for a witness, he gives you ( with some probability higher than what you would expect from actual rng per the orig m-r ) a false witness , erry time.
asciilifeform: suppose you have candidate p , generated with what you consider to be a working (i.e. uniform) rng , with no interference from devils.
asciilifeform: sure enuff, but seems to me that asking for an object that appears to pass even elementary (e.g. 'pi dart') rng smoke test, while actually avoids 3/4 of the phase space in its output, is like asking for a 2 which is also a 3 .
mircea_popescu: asciilifeform, they're not equally distributed. here's what i propose : take a rng run, ent ; then take out all carmichael numbers from it, run ent. then see if you can tell which is which.
asciilifeform: fwiw however i cannot presently think of any rng test, even the dumbest ones in the 'dieharder' collection, that wouldn't barf at a rng which avoids 3/4 (or any similar proportion) chunk of the integer number line
asciilifeform: ( like all other possible rng tests, presupposes that the device is in fact an rng, rather than e.g. tape playing back an old rng run while enemy dies of laughter )
asciilifeform: incidentally, litmus where you pluck a string of N bits from rng, and then look for the expected distribution of m-r liars ( or apparent primality ) is itself a notbad, imho, rng test
mircea_popescu: but yes, the relation you unearth is sound. the problem or set thereof i started discussing is exactly homomorphic to "well, we have no proper rng tests, "you'll have to take the girl by the nose, count, and break out the abacuses.")
mircea_popescu: yes, "you do not even know what a working rng mathematically means"
asciilifeform: well yes, q is re ~definition~ of 'working rng', as an abstract object
mircea_popescu: your rng working or not is aside the point ; we're discussing here random numbers as a mathematical abstraction, we're not even counting "well, your set of 4, 4, 4, 4 is not exactly an implementation of that abstraction"
asciilifeform: ( and applies equally to the candidate # , and to any other application of rng )
asciilifeform: so is the idea 'you cannot know whether yer rng actually worx?' cuz then i must agree
asciilifeform: i can't see any path to 'magically fails 32 shots despite working uniform rng' without rejecting the 3/4
asciilifeform: say you have n for which the entire bottom quarter of the 2048bit witness space is liar. how does this prevent working rng from still finding working witness in the expected # of shots ?
asciilifeform: how does 'contiguous set of liars' play into scenario with working rng ?
mircea_popescu: the bound presumes a flat spectrum rng and properties of large sets of random numbers that ~have not been proven~, though they are experimentally VERY reliable.
asciilifeform: correct, the bound presumes a flat-spectrum rng.
asciilifeform: this type of failure hinges on imperfection of rng, rather than hidden boojum in m-r
asciilifeform: to the point that i'm at a loss to construct a crackpot hypothesis for the negative ( what would the loch ness monster here look like ? erry composite n, we know has 3+ / 4 of integers as proper witnesses. so where wouldja hide'em so that working rng doesn't find 1 in 32 shots before asteroid hits machine ? )
asciilifeform: all we have is the http://btcbase.org/log/2019-03-28#1905286 ( from elementary proof ) + the observation that nobody ( or at least not asciilifeform ) has ever found a composite that doesn't properly light up m-r 'composite!' indicator for 3+ / 4 rng stabs. ☝︎
mircea_popescu: in any case, it seems to me that the witnesses MUST be generated as rng(0, 2^4096) rather than rng (2^4095, 2^4096).
asciilifeform: koch et al shat out his 'fixed witnesses' thing, and folx ate it largely cuz rng poverty. which we dun suffer from.
a111: Logged on 2016-09-11 22:50 asciilifeform: it is foolish to design for 'what if my rng silently fails'. it is a 'jesus bolt' failure
asciilifeform: when we 1st had m-r thread, i also considered a hybrid algo, where you take e.g. 32 rng witnesses, and 32 that are kept in bottle and known only to you , for 64-shot test that is slightly moar immune to rng failure. but then thought 'rng is jesus bolt, if fails, yer candidate is also fucked' so couldn't think of why to do such a thing.
asciilifeform: whereas if you actually lift 32+ rng witnesses from a working rng (as in asciilifeform's demo, or diana_coman's proggy, and elsewhere where not koch.. ) actually converges (for so long as you actually have working rng)
asciilifeform: or rad event in yer irons, also fairly high prob regardless of how you baked rng
asciilifeform: ( same params, i.e. pronounced prime if passes m-r with 32 rng-shat witnesses )
asciilifeform: mircea_popescu: funnily enuff, koch takes approx same time, and that's with him not using rng witnesses at all iirc...
mircea_popescu: asciilifeform are you nuts or what ? can't have "rng with entirely known characteristics"
asciilifeform: ( could proclaim 'fg' but that'd be a cheat imho , a primary standard oughta have entirely known characteristics, with 0 effect of component variation. but is this even possible for rng. )
asciilifeform: re standards & tests -- it still bothers asciilifeform that there aint a 'primary standard' for rng
asciilifeform: http://btcbase.org/log/2019-03-14#1902490 << this is the standard 'game-theoretical strength requires a working rng' neh. ☝︎
asciilifeform: re : 'difficult for changes to be inserted unnoticed' -- did they ever even pin a name on the debian rng lulz ?
asciilifeform: mircea_popescu: hey it's approx how microshit's 'rng' worx
mircea_popescu: asciilifeform rng!!!
asciilifeform: ( does that thing invoke rng somewhere?! )
asciilifeform: ( and in the FG reader -- again cuz the underlying i/o routines produce'em )
asciilifeform: ( there is no tree on which grows a physical rng that gives 50/50 1/0 right off the bat, i looked... )
asciilifeform: mircea_popescu: the 'distinction' ? near as i can tell, it's the 'narrative fiction' where 'you can assume that rng works'. recall the earlier entomo-gem where 'why not use fermat litmus, piano will fall on you before you see carmichael num' etc
asciilifeform: incidentally, even txco has high enuff 'jitter' that fairly good rng can and has been built solely from'em.
asciilifeform: ( would, if riemann were proven, conserve rng bits, tho , could use fewer of'em )
asciilifeform: this type of test is impossible on systems where m-r eats witness straight from rng, without possibility to override by hand.
asciilifeform inclined to reject koch's optimization ( which diana_coman retained ) where witness consists of rng(bitness_of_n - 2) , and actually make witness equal to rng(width) mod (n - 2) for full range
a111: Logged on 2019-01-22 06:57 BingoBoingo: <asciilifeform> BingoBoingo: how does it cache the e.g. tB of rng i happen to generate in racked box in jp and dload via ssh ? << I will say that this does suggest .jp s a candidate for Pzarro rack 2 when that time comes
BingoBoingo: <asciilifeform> BingoBoingo: how does it cache the e.g. tB of rng i happen to generate in racked box in jp and dload via ssh ? << I will say that this does suggest .jp s a candidate for Pzarro rack 2 when that time comes ☟︎
asciilifeform: BingoBoingo: how does it cache the e.g. tB of rng i happen to generate in racked box in jp and dload via ssh ?
asciilifeform: prolly cuz the rng picked that one letter to drop this time around
asciilifeform: re nn in general -- i vaguely suspect that a quality rng might actually cure the http://btcbase.org/log/2017-07-20#1687624 problem. but again i dun have any pigs, so haven't had occasion to try. ☝︎
asciilifeform: i'll add , for completeness of thread, that if yer ~sending~, rather than receiving, rsa packets, your bottleneck will be ~rng~ long before it could ever be the arithmetron per se
mircea_popescu: how the fuck would this even work, indulge me. arm processor just invents rng opcode ?
asciilifeform: ( and no it aint in 'ent' or 'diehard' or in afaik any pc rng tester, it moar or less demands fpga )
a111: Logged on 2019-01-15 22:10 mircea_popescu: (ie, you can construct an infinity of rng strings which'll make a given sct "falsely" converge)
asciilifeform: http://btcbase.org/log/2019-01-15#1887347 << not only this, but to date no rng has actually sufficed (i.e. sufficiently independent bits) to make the thing go in reasonable time ☝︎
mircea_popescu: (ie, you can construct an infinity of rng strings which'll make a given sct "falsely" converge) ☟︎
asciilifeform: 1 of the reasons i put this in the l0gz is that when i went to dig, turned up that erry attempt to date to do sumthing nontrivial with 'stochastic multiplier' broke teeth against rng quality.
asciilifeform: then to get integers back out, you run the process in reverse, via another comparator. it converges to the desired answer in finite ( depending on rng quality ) clock ticks.
asciilifeform: you represent the inputs ( any # of'em ) via stochasticizers, i.e. each 1 gets a comparator that eats N bits of rng and outputs a 1 if they represent integer <= the currently latched binary number, 0 otherwise.
asciilifeform: and meanwhile, in sunken atlantises : j. von neumann, the afaik last fella to really invent anyffin in re kompyooting, actually devised an interesting application for fast unbiased rng ( which did not exist in his time ). can use it to multiply large numbers with near-total noise immunity, using only an 'and' gate and two comparators.
asciilifeform: asciilifeform's recommended recipe for m-rism still remains 'feed actual rng for witnesses'
asciilifeform: incl. the rng ( this is why the thing takes an arbitrary unix path for rng dev )
asciilifeform: and indeed the quality of rng is 'jesus bolt' when running m-r in battlefield.
asciilifeform: which is why mine reads witness as param rather than directly from rng
asciilifeform: grr, moar complicated than i initially pictured, because m-r ~also~ demands rng
asciilifeform: of what ? that's the obv. version ( get from rng, until gcd shows that no small factors, and then m-r )
mircea_popescu: http://btcbase.org/log/2015-07-08#1193607 << this makes for a pretty lulzy re-read, in the context of the meanwhile better fleshed out notions of structure and trees and whatnot. isn't it obvious, asciilifeform , that the ~substantial difference~ is not at all the "head rng" but simply the extension and especially quality of the conceptual trees involved ? the "head v" so to speak ? ☝︎
asciilifeform: it is, and x is a random string from rng
asciilifeform: imho e.g. diddled pgp rng, is moar interesting than firefucks buffer overrun, the latter is used 9000/d but for whom is used the former i have nfi, it hasn't publicly leaked.