tmsr - Search: rsa

600+ entries in 0.081s

asciilifeform: rsa-oaep requires hashtronics for padding.

mircea_popescu: wait, when did we move off oaep for rsa padding ?!

asciilifeform: what remains is 1) prime-baking 2) rsa (and similar cryptosystems, tho c-s dun need it) padtron -- requires constant-spacetime keccak 3) optional asmistic speedups.

a111: Logged on 2019-01-05 14:22 mircea_popescu: finally, asciilifeform is working on rsa-based ssl-ism replacement (notwithstanding he ~seems to be~ working on any and all wank on the "side" during spare time he doesn't have and all that), which we want so we can finally move bitcoin off sheer cretinity and into cuntoo (and which is principally why we want sane db also, but as i said -- yet immature).

mircea_popescu: finally, asciilifeform is working on rsa-based ssl-ism replacement (notwithstanding he ~seems to be~ working on any and all wank on the "side" during spare time he doesn't have and all that), which we want so we can finally move bitcoin off sheer cretinity and into cuntoo (and which is principally why we want sane db also, but as i said -- yet immature). ☟︎

stratum: I do not recall any skeptical talk about rsa, though, I do think https can be valuable in attempting to mitigating some issues one may encounter, this is true.

danielpbarron: also a fan of https and skeptic of rsa

asciilifeform: mircea_popescu: re 'homebrew crypto', there actually was a 1990s plague of commercial shitware folx who flunked arithmetic and then went to 'implement rsa', with exponent = 1 and so on

asciilifeform: ( if not for irc line char # cap, could even make it do 2048bit widths, rsa etc. will still fire faster than ping lag on typical day..)

asciilifeform: turns out, the entire justification for use of branching in rsa at all, is bogus. ( and 'short exps' aint a justification -- if you know the max length of your e in advance, you can use fixed exponentiator , same as i do )

asciilifeform: http://www.loper-os.org/?p=2892#selection-4511.0-4595.6 << rsa timings.

asciilifeform: not exactly mega-surprise, eccism worx on small (by rsa-planet standards) numbers.

asciilifeform: if yer sending a probe to pluto, it'll actually rsa faster than the time of signal bounce, yes

asciilifeform: literally simplest possible (afaik) rsa.

asciilifeform: btw diana_coman since you read 1-6, you can nao rsa!11

asciilifeform: mircea_popescu: there's a reason i wrote the thing that way, with 'what's the minimum for rsa modexp without ANY accelerations', and only then with

asciilifeform: mircea_popescu: for added lulz, given http://btcbase.org/log/2018-12-07#1878844 , one actually ~could~, in principle, bake 'rsa pnoje' ( in the sense that, e.g., 2048 * (1/.296) ~= 7kbit/s , moar than enuff for voice ) ☝︎

diana_coman: create one rsa_sender or one s_sender

diana_coman: you don't have to deploy rsa sender on s box

diana_coman: "as asciilifeform describes" aka 1 item put/get at a time; 2 different queues, one for rsa one for s

diana_coman: q1 has 22 elements all of which are rsa packets; q2 has 33 items all of which are s packets ; rsa processor eats from q1 , s processor from q2

asciilifeform: what happens is that nothing behind the 22 rsa items is eaten until they are. as one'd expect from an ordinary fifo. hence asciilifeform's nitpick.

mircea_popescu: if it gets, and it gets a rsa item ?

mircea_popescu: yes. diana_coman mind explaining how this works ? so, queue has 55 elements, 22 of which rsa packets. now what happens ?

diana_coman: mircea_popescu, that's precisely why I made it that way; I suppose it's not clear there at all but yes - because processing of rsa/s is meant to be easily and entirely separated physically, aka machines

mircea_popescu: but re your q : these 6 workers pick rsa from queuer ; and these 3 pick serpent from queue.

mircea_popescu: this machine for serpent, this machine for rsa, is the model here.

asciilifeform: mircea_popescu: how wouldja, e.g., 'these 6 cpus for serpent, these 3 -- for rsa' if yer packets are in 1 queue ?

asciilifeform: ( i thought orig mircea_popescu spec was 'keep rsa packets in own queue, so clearly cap the resource that is spent on'em'

mircea_popescu: "this is needed for the same reason as the generic at UDP lib previously - to allow one to store Serpent messages or RSA messages while maintaining them clearly differentiated" << why are you putting ducks and geese in the same line though ?

asciilifeform: ( i.e. without the variant packet widths . instantiate one with rsa-width buffer, and 1 w/ serp.width )

diana_coman: mircea_popescu, that was my current idea: 2 sockets, one for rsa and one for serpent, with different ports too

mircea_popescu: diana_coman does it then make sense to have a process that has a socket open and handles the serpent queue, and one proces with a different socket open handling the rsa queue (with a view that these :6666 and :6667 ports then get moved to separate machines if need be) ?

mircea_popescu: so, i hear from cto the comms spec's mostly implemented. now, we're at the point where we wanna make a rsa and a serpent sender.

asciilifeform: ( i.e. starting with ch.6 can already rsa )

diana_coman: and for that matter I did not even mention rsa by name

asciilifeform: diana_coman: the only immediate gotcha that stands out to asciilifeform's lens is that the public crypto example was rsa ( did anyone ask 'but prof. coman, bitcoin dun use rsa?' )

asciilifeform: if you can build it, potentially quickest pill is to transplant the trad fs logic from uboot to it ( google's shitware demands that the kernel lie on a custom googlistic partition, and be 'signed' with their sad-rsa in custom format etc )

asciilifeform: i have a b00k like that here, 'учебное пособие по криптографии' somthing or other. which fails to contain rsa.

deedbot: http://ossasepia.com/2018/11/30/smg-comms-chapter-10-actions-and-rsa-keys/ << Ossasepia - SMG Comms Chapter 10: Actions and RSA Keys

asciilifeform: in unrelated lulz, $ wc -l libffa/* >> 3930 , $ wc -l ffacalc/* >> 1184 ; and story not even finished yet. ( tho ch1's 'RSA occupies around 3000 lines, incl. comments' was not a lie, it's exactly what the minimal rsa of ch9 weighs... )

mircea_popescu: we made our own keccak, we made our own serpent, you made / are making our own rsa -- time for our own ecc.

mircea_popescu: http://btcbase.org/log/2018-11-27#1875133 << it's not clear to me why we have ssl AT ALL. the idea is to replace that whole pile with straight rsa, much like we're taking out dns (and touched upon in same piece) ☝︎

mircea_popescu: http://btcbase.org/log/2018-11-23#1874309 << "At 5.1 the public exponent e of the client's RSA key is fixed as an int64". first bit set, too, so 8 bytes. ☝︎

asciilifeform: i dun particularly see why unix needs to be happening on an airgapped rsa box.

asciilifeform: i'm willing to 'marry' rsa, but not oaep, oaep only willing to casually fuck

asciilifeform: but if it were possible to have straight rsa, rather than rsa and hash,would be stronger system ( no hash ever was proven strong, even in the sense rsa is )

asciilifeform: mircea_popescu: we have hashes cuz some thing simply cannot be done without'em ( short rsa sigs of GB inputs, etc )

mircea_popescu: http://btcbase.org/log/2018-11-14#1872257 << i am not aware something better than oaep for rsa padding ~could in principle be had~, let alone actually is known to exist. ☝︎

asciilifeform: ( cuz that's where most time spent when rsa )

diana_coman: http://btcbase.org/log/2018-11-12#1871477 - that was just another rsa key in the tests; meanwhile fixed once and for all, properly i.e. http://ossasepia.com/2018/11/04/smg-comms-chapter-6-packing-and-unpacking-rsa/comment-page-1/#comment-4457 ☝︎

asciilifeform: ( rsa on z80, 6502, etc. is ~nonstarter, even if one 'banks' the address lines to give enuff mem, the 8bit buggers lack a multiplier, so you get 'egyptian' speed )

asciilifeform: it's prolly the oldest chip, not counting 'heavies' like vax, that can rsa on sumthing like human timescale.

diana_coman: http://btcbase.org/log/2018-11-05#1869503 -> and done; asciilifeform and anyone else requiring strictly 80 cols - I've updated the post with a .vpatch to read the keys from file and thus keep them out of the fully-80-cols-now code itself: http://ossasepia.com/2018/11/04/smg-comms-chapter-6-packing-and-unpacking-rsa/#selection-157.0-159.591 ☝︎

mircea_popescu: why does there not exist a rsa-sized specialist processor widely available now ?

mircea_popescu: and so in order to rsa on a commercial processor, you gotta do a mountain of switching

mircea_popescu: well, we use 4096 bit keys, therefore as asciilifeform well points out, the native byte of rsa is 8192.

Mocky: I don't know rsa maths well enough to say

mircea_popescu: importantly... what's the byteness of rsa ?

a111: Logged on 2018-10-25 15:44 mircea_popescu: now, a 4096 bit native fpga, specifically for rsa-ing and rsa-likes-ing, THAT might be very useful, because there the s-o-d item is major win.

mircea_popescu: standard line length may not be shorter than common lines. which among other things will be rsa keys. so it'll be, willy nily, over 80.

asciilifeform: ( the width of the constants pictured in http://ossasepia.com/2018/11/04/smg-comms-chapter-6-packing-and-unpacking-rsa/#selection-121.192-121.4240 )

a111: Logged on 2018-11-04 13:38 deedbot: http://ossasepia.com/2018/11/04/smg-comms-chapter-6-packing-and-unpacking-rsa/ << Ossasepia - SMG Comms Chapter 6: Packing and Unpacking RSA

diana_coman: asciilifeform> http://btcbase.org/log/2018-11-04#1869188 << kilometre-wide lines, wai! -> because RSA keys are kilometre-wide! ☝︎

a111: Logged on 2018-11-04 13:38 deedbot: http://ossasepia.com/2018/11/04/smg-comms-chapter-6-packing-and-unpacking-rsa/ << Ossasepia - SMG Comms Chapter 6: Packing and Unpacking RSA

deedbot: http://ossasepia.com/2018/11/04/smg-comms-chapter-6-packing-and-unpacking-rsa/ << Ossasepia - SMG Comms Chapter 6: Packing and Unpacking RSA ☟︎☟︎

a111: Logged on 2018-11-01 20:48 mircea_popescu: asciilifeform speaking of "taking suggestions" : suppose you bake me a proper drop-in gpg replacement. in ada, constant time, does FG-aware keygen, signing, verification, and encryption/decription. 100% rsa, none of the "cipher" bs as per current.

mircea_popescu: asciilifeform speaking of "taking suggestions" : suppose you bake me a proper drop-in gpg replacement. in ada, constant time, does FG-aware keygen, signing, verification, and encryption/decription. 100% rsa, none of the "cipher" bs as per current. ☟︎

mircea_popescu: they didn't discuss factored keys re rsa, everything and anything but that -- we went ther,e it yielded.

asciilifeform: back upstack, this is why i even suggested rabinism, it's a less-expensive rsa that actually plugs into this hole.

asciilifeform: ( you want exponentiation, tho, i.e. actual rsa op, or snoop can get n2 by gcd of successive msgs )

mircea_popescu: in which case yes, it'd seem at least one workable method is for parties to declare F=RSA-n1n2(x) and then use its spew as otp pad for all their stuff.

mircea_popescu: asciilifeform in fact, as eulora comms mandate the parties know at least one rsa key of each other, it becomes eminently possible to use (session-based!) n1*n2 for this purpose.

asciilifeform: 'rsa as expander' imho is easier to reduce to 'known difficulty' than 'find roots of ~randomly-picked polynomial' is

mircea_popescu: nothing wrong with using the RSA as the f, but idea remains.

asciilifeform: mircea_popescu: btw here, if we must, is an example of an injective key expander that is physically possible, but requires an exotic object : a rsa pub that nobody has the priv to. then can 'hash-expand' by rsa-enciphering message to it.

mircea_popescu: anyway, back to it : "blockcipher takes 10 bits of P and no more ; spits out 16 bits of E exactly" a) needs entropy and b) probably reduces to rsa-with-oaep.

asciilifeform: or whether rsa reduces to factoring.

asciilifeform: ( like rsa )

asciilifeform: see, rabin dun replace rsa, because of the 4-roots headache; but given as you kick off the 'session' with a rsagram, the latter can contain a bitstring that gives seq #1 . then it gets incremented and appended to payload of each rabinogram, allowing the 4 roots to be distinguished.

asciilifeform: as part of the rsa payload, give sequence #, and each rabinism will contain the correct next-seq in the correct-of-four roots

asciilifeform: mircea_popescu: the 'destructiring problem' is universal to all systems, even rsa

asciilifeform: more interesting, imho, even, is rabin's system, which (unlike rsa) is equiv to factoring problem, and iirc requires only 4 multiplications to decrypt ( and only 1 squaring to encrypt )

asciilifeform: ( the fundamental q is not 'canhaz 4 ring binder?' or 'canhaz 3?' or 'canhaz clean desk' but rather 'canhaz symm cipher whose difficulty reduces to factoring but cheaper than abused-rsa ? ' )

asciilifeform: mircea_popescu: i.e. supplies it in rsa envelope ?

asciilifeform: will note, tho, re fg timeouts -- the most likely waiting-on-fg scenario is starvation, rather than outright hangage , thing shits out 7kB/s per spec, 8 on a good day; i expect it will be the limiting reactant re how many rsa msgs / sec can be produced

asciilifeform: http://ossasepia.com/2018/10/31/smg-comms-chapter-5-rsa-with-oaep-from-ada/#selection-155.1206-155.2305 << example of where i'dve used an ada record

deedbot: http://ossasepia.com/2018/10/31/smg-comms-chapter-5-rsa-with-oaep-from-ada/ << Ossasepia - SMG Comms Chapter 5: RSA with OAEP from Ada

mircea_popescu: i suppose that could be the backup alternative then : if we end up ditching serpent, we use a rsa packet to move ~1.4kb of entropy for initializing the mt, and then use mt generated pads for a cipher.

asciilifeform: rsa & c-s (the latter, really a narrowed elgamal) are the only 2 oasis i know to exist in that desert.

a111: Logged on 2018-10-30 16:53 asciilifeform: ( tho the reason why rsa is based on exponentiation, rather than straight multiplication-of-'plaintext'-prime-by-seekrit-prime is that in the latter variant you could trivially extract seekrit-prime with gcd )

asciilifeform: to make life even harder, rsa also suffers from 'can haz provably hard case' problem, there's classes of 'easy' primes, and no particular reason to think that we exhaustively know all of'em..

asciilifeform: it's the reason for asciilifeform's lulzsubmission to mircea_popescu's 'block contest'. it wasn't even joak, it was 'rsa is the only tool in that box that i have any reason to think actually worx'

a111: Logged on 2018-10-30 16:51 asciilifeform: the closest thing i can think of to a working variant of mircea_popescu's device, is where you keep the carries, and use primes... and we know it as.. rsa

asciilifeform: and yes if you had fast iron bignumtron, could use ordinary rsa and dispense with enigmas.

asciilifeform: ( tho the reason why rsa is based on exponentiation, rather than straight multiplication-of-'plaintext'-prime-by-seekrit-prime is that in the latter variant you could trivially extract seekrit-prime with gcd ) ☟︎

asciilifeform: the closest thing i can think of to a working variant of mircea_popescu's device, is where you keep the carries, and use primes... and we know it as.. rsa ☟︎

asciilifeform: sorta like what people already do re rsa.

asciilifeform: mircea_popescu: a little tricky to ~boot~ from rsa dump, with bare hands, tho

mircea_popescu: more power to 'em. i always carried rsa'd dumps.