diana_coman: chugging along, collecting some data on the mpi-sane-based rsa stuff
asciilifeform: http://btcbase.org/log/2017-10-27#1730047 << i sat down to write something quite similar, and then realized that i can milk a remote node for its rsa privkey via timing , lol. but fast forward to today. ffa still on track for release for end of nov. btw.
mod6: i did this recently when looking at the rsa thing that happened back in like august of '15
asciilifeform: dun have to be an rsa key for this, neh
mircea_popescu: anyway. ~nobody has a rsa key.
a111: Logged on 2017-10-19 07:09 mircea_popescu: http://btcbase.org/log/2017-10-19#1726582 << a) this is not factual. you manufacture power chord that only works or doesn't work, through eg http://btcbase.org/log/2017-10-12#1724529 ; b) if your power chord came with special rsa analysis and also had a special "flash power when pgp is being used" switch, you'd get into manufacturing your own power chords in very short order.
mircea_popescu: http://btcbase.org/log/2017-10-19#1726582 << a) this is not factual. you manufacture power chord that only works or doesn't work, through eg http://btcbase.org/log/2017-10-12#1724529 ; b) if your power chord came with special rsa analysis and also had a special "flash power when pgp is being used" switch, you'd get into manufacturing your own power chords in very short order.
erlehmann: i think the infineon RSA super happy fun time triggered it
jurov: "The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation. "
ben_vulpes: in other weak rsa key news: https://www.yubico.com/support/security-advisories/ysa-2017-01/
asciilifeform: mod6: current ffa has no problem building and running with 32bit word; but it will not do useful work in 8/16bit msdos, and this needs fix ( i described simple fix above. my priority atm tho is barrettron and practical rsa demo )
mircea_popescu: as long as you keep your rsa key safe, of course.
a111: Logged on 2017-10-11 16:41 asciilifeform: i dun buy the 'no one has proven rsa to be hard so it dun matter how to implement it, let's use wet noodles and dried shit' argument.
asciilifeform: i dun buy the 'no one has proven rsa to be hard so it dun matter how to implement it, let's use wet noodles and dried shit' argument.
mircea_popescu: and this isn't a joke : the "distinction" between rsa and ecc, whereby "ecc is faster" or "has longer effective key" is bs. ECC is exactly RSA in polar coordinates, if either fails mathematically both do.
a111: Logged on 2017-10-06 23:13 mircea_popescu: basically the scheme is, you rsa a random bitfield, then you expand that into as much otp as you want by doing recursively Fi = hash(bitfield + Fi-1). there's a limit on i, obviously, which can be set to 1.
asciilifeform: '...the timings from the RSA HSM showed that a doubling of the key length increased the time required to sign nearly six-fold, and the time for verification even more. The timings from the Ed25519 HSM were agreeably small (all sub-50ms).' << this is precious
asciilifeform: 'So instead he's moving toward ECC ciphers, which are well-researched — more so than RSA, according to Koch. '
asciilifeform: 'Koch then moved into Elliptic Curve Cryptography (ECC), which he discussed at some length. RSA, he said, is not likely to stay secure for much longer without really large keys. Support for 4096-bit RSA keys has been in GnuPG for some time, but Koch contends that real security will require 16Kb keys; that makes keys, fingerprints, and signatures all unusably long, particularly for embedded devices and hardware security modules (HSMs)
mircea_popescu: there's no practical way to do rsa for realtime comms, as per http://btcbase.org/log/2017-10-01#1719192
asciilifeform: ... it follows that a 0.85sec 4096b modexp is all you need for a reasonable 'rsa phone' item.
asciilifeform: btw let's do the phone thing, briefly. a 4096b rsa modexp can carry 4096b , i.e. 512byte, of payload sans padding. let's conservatively suppose that padding ( and hash auth, or whatever, and/or lubyzation, etc ) costs half of the payload room. so you get 256 byte per 4096b modexp;
mircea_popescu: i wouldn't mind the dood who hacked off rsa from koch pgp and made a server that just passed encrypted comms. that's it.
asciilifeform: i too would like to meet the d00d who , e.g., wrote nonleaking realtime rsa , made a modem around it, made own FG, etc
asciilifeform: remember that ffa is not strictly for rsa.
asciilifeform: situation where rsa is breakable, but no one can yet break it, makes it the sane option . because alternative is to become a donkey fucker ( rely on face to face for all comms , hope that nobody invents listening bug, etc )
asciilifeform: you get choice between 1) rsa 2) public key crypto does not exist
apeloyee: *rsa key for 50 years
asciilifeform: fall of rsa is roughly same item as 'global warming'
apeloyee: hey, before quadratic sieve was invented, they used to say that breaking 512-bit rsa will take eleventy zillion years and it's therefore Totally Secure (tm)
asciilifeform: rather than, e.g., 'rsa broken OR aes broken OR prng broke OR riemann is false OR ...'
asciilifeform: but in light of this, a correct rsatron is still one that stands on nothing BUT the assumption that rsa is hard.
asciilifeform: if you want 'compromise' rsa, use koch's.
asciilifeform: possibly constantly, depending on the rsa keying system
mircea_popescu: basically the scheme is, you rsa a random bitfield, then you expand that into as much otp as you want by doing recursively Fi = hash(bitfield + Fi-1). there's a limit on i, obviously, which can be set to 1.
asciilifeform: sadly, rsa per se dun come with a guarantee.
asciilifeform: me -- yes. but my understanding was that diana_coman needed only rsa.
asciilifeform: the other obvious place for gcd is rsa phi
asciilifeform: let, for concreteness, x's are 8192 bits wide ( as they are in the 4096b rsa demo. ) m - in same - is 4096b wide.
asciilifeform: ( aka rsa op )
asciilifeform: just bignum. but if you add 20ln from rsa.c (in gpg 1.4 from mircea_popescu) in, it yes encrypts/keygens/etc
diana_coman: mircea_popescu, rsa like...everything else you mean,right?
mircea_popescu: and yes, rsa properly examined did turn out to be a lot more work, and a lot more stacked shit papered over in the imperial usage, than originally thought.
a111: Logged on 2016-12-27 22:14 mircea_popescu: course since the nsa consulting work for minigame is going to produce ada rsa, it might be an idea to have an ~ada~ tmsr crypto lib.
asciilifeform: ( proper rsa is 'heavier' than most folx, incl. asciilifeform of a few yrs ago, appreciated. consider, ussr never was able to afford rsa at all. )
asciilifeform: ( incidentally fast ffalicious rsa on ~fpga~ is trivial. )
asciilifeform continues the very slow and painful walk through most of undergrad number theory that leads, possibly, to usable nonleaking rsa on pc.
mircea_popescu: in any case the problem is that i'll have to design some kind of extender, can't do pure rsa throughout because of the sheer load. there's multiple messages/sec
asciilifeform: this is a fundamental headache, innit. 'wanna use actual rsa, or that thing you've been fraudulently introduced to as rsa, that leaks key, but runs fast'
asciilifeform: that's still quite slow vs. heathen rsa.
asciilifeform: diana_coman: ffa arithmetic stack is theoretically available. however until i have barrett reduction going, it's a ~30 second modular exponentiation ( i.e. per rsa op )
diana_coman: asciilifeform, I'm currently looking at eulora rsa and I'm a bit foggy (I know and followed the bits posted in the logs but it's a long trail): what is available/ready to use atm?
a111: Logged on 2017-03-02 20:53 asciilifeform: the 'let's use anything, ANYTHING but rsa' thing really grates on me.
mircea_popescu: http://btcbase.org/log/2017-09-28#1718014 << this conceivable is of the same nature of conception as "wilkes proved there's no elliptic curves without modular forms, therefore we can use ecc instead of rsa"
cruciform: so, the logs suggest that my 2048bit RSA key is too short - how do I register a longer one with deedbot?
asciilifeform: now you stand and fall strictly by rsa. P(rsabreak) is <= P(rsabreak OR whateverfucktardationyouusedforablockcipherbreak) , in all cases.
asciilifeform: now you stand and fall strictly by rsa. P(rsabreak) is <= P(rsabreak AND whateverfucktardationyouusedforablockcipherbreak) , in all cases.
asciilifeform: which is why i favour using rsa in place of blockcipher-hash-prng, painfully. the actual averagecase hardness of rsa is unknown and will probably remain unknown. but at least when you use ~solely~ rsa, you avoid introducing ANOTHER unknown.
mircea_popescu: it'll be sad indeed once phuctor goes away, currently serves as gazette of record of rsa pubkeys.
asciilifeform: is it rsa key ??
asciilifeform: '~All general-purpose modular reduction involves numerator- and denominator-dependent branches... ...includes modular reduction for elliptic curve arithmetic, in which the numerator is secret; and modular reduction for RSA, in which the numerator (plaintext message) or denominator (p, q) can be secret.'
asciilifeform: ( and when we do rsa, can store the reciprocal in the key, there's no particular reason to compute it every time )
asciilifeform: i'd prefer a macroscale numbertheoretical hash, even one that explicitly stands on strength of, e.g., rsa, to the currently extant soup.
a111: Logged on 2017-07-10 19:33 asciilifeform: sooo a 4096b rsa key takes about a dozen modexp's, on avg, on gpg 1.4.10
mircea_popescu: yes, but as long as you do rsa, a ^ b mod m = either a ^ b or else, a ^ b - m. that's the complete story, there are no other cases. there's specifically no k * m parameter to be explored there.
mircea_popescu: peterl that's EXACTLY what i mean though. all that shit should logically read "whose size is bit-1 rsa modulus". but they don't.
PeterL: With RSA-OAEP, one can encrypt messages whose bit-length is up to just a few hundred bits less than the number of bits in the RSA modulus, yielding a ciphertext whose size is the same as that of the RSA modulus. << It sounds like he is using a smaller amount of random bits than we are?
mircea_popescu: (tl;dr : here's proof oaep is insecure ; original "proofs" wrong ; rsa-oaep is not insecure by accident, due to rsa properties ; here's oaep+ fixed by me to actually work)
a111: Logged on 2017-09-16 01:34 mircea_popescu: http://trilema.com/2017/tmsr-rsa-spec-extremely-early-draft/#comment-122947 << in other wtf questions.
mircea_popescu: http://trilema.com/2017/tmsr-rsa-spec-extremely-early-draft/#comment-122947 << in other wtf questions.
deedbot: http://phuctor.nosuchlabs.com/gpgkey/E668E8C9185CD163C976FB378648E3842D4774D508DB7C3B13C43DB30E92C064 << Recent Phuctorings. - Phuctored: 1739...1219 divides RSA Moduli belonging to '80.251.133.92 (ssh-rsa key from 80.251.133.92 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (postprazdnik.ru. RU MOW)
deedbot: http://phuctor.nosuchlabs.com/gpgkey/E668E8C9185CD163C976FB378648E3842D4774D508DB7C3B13C43DB30E92C064 << Recent Phuctorings. - Phuctored: 1479...0707 divides RSA Moduli belonging to '80.251.133.92 (ssh-rsa key from 80.251.133.92 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (postprazdnik.ru. RU MOW)
asciilifeform pictures rsa sliderule...
asciilifeform: ( it is worth remembering that ffa is not built to be a museum piece, 'shortest physically possible rsa', but grudgingly made concessions like abandoning egyptian mul -- so long as result is still fixedspacetime -- , so that it can actually be fired in anger . )
deedbot: http://phuctor.nosuchlabs.com/gpgkey/BF3562F1A4B6C4581EC3633162E02492667D4C66178258073D7E3AE232DD0D3C << Recent Phuctorings. - Phuctored: 1374...8923 divides RSA Moduli belonging to '79.174.64.63 (ssh-rsa key from 79.174.64.63 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (2377.ovz-ssd6.hc.ru. RU)
deedbot: http://phuctor.nosuchlabs.com/gpgkey/BF3562F1A4B6C4581EC3633162E02492667D4C66178258073D7E3AE232DD0D3C << Recent Phuctorings. - Phuctored: 1706...5337 divides RSA Moduli belonging to '79.174.64.63 (ssh-rsa key from 79.174.64.63 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (2377.ovz-ssd6.hc.ru. RU)
asciilifeform: but my aim is to write an rsa such that, yes, no one can be considered numerate if it does not fit in his head.
mircea_popescu: so then if joe claims the "Streamlined" rsa fits in his head, what do you do ?
asciilifeform: i'd like it not to be lost upstack, so will restate ftr : a 'optimized' rsa that no longer fits in head and is no longer demonstrably-correct , ( and worse yet, no longer operates branch-free ) is NOT RSA and is simply a turd being fraudulently passed off as the genuine article
asciilifeform: it also comes from 'reasonable' people who 'oh hey i can make rsa 1.5x faster if i use weird bases, so what if my code is now 20kline instead of 2k'
asciilifeform: it is usg.rsa.
asciilifeform: it is NOT RSA
asciilifeform: and answer is that obviously idjits will take ANYTHING you make, sane rsa, sane kalash, whatever, and Bolt Shit To The Side
asciilifeform: like kochian rsa.
mircea_popescu: i dunno how many people you will have to shoot to keep them from taking your general-purpose p-based rsa and writing a narrower, "works for rsa only" faster program.
asciilifeform: if we gotta compute on fpga, to do rsa sanely -- then fpga it is. 8192-bit regs.
asciilifeform: and use usg's rsa.
asciilifeform: and that an rsa that is not ptronic is not worth using
mircea_popescu: the sadness here is that indeed tmsr-rsa is turning into separate item from p itself.
asciilifeform: ( incidentally reader might ask 'why not do montgomery? you're doing rsa anyway' and answer is not only 'maybe tomorrow, cramer-shoup and not rsa' but also that we do things such as primality testing , and other non-rsa op )
asciilifeform: no 'speshul rsa forms' in ffa.
a111: Logged on 2017-08-10 19:45 asciilifeform: forn00bz: an, e.g., rsa modexp, in ffa, must be representable by a long roll of paper, on it are ops for ordinary 4function calculator, with very patient slave. and roll ONLY ROLLS FORWARD and has finite # of instructions on it, known in advance when you decide the ffa width.
asciilifeform: it is ok for rsa where you sink it to the bottom of the sea and never intend to change the modulus
asciilifeform: well we are talking about a O(NlogN) rsa vs a O(N^5) one
deedbot: http://phuctor.nosuchlabs.com/gpgkey/DA87978CF6FFCF25718681CFA15297476FC99BCEF0F5FB9DE3EAA5DC3326D5DA << Recent Phuctorings. - Phuctored: 1776...0149 divides RSA Moduli belonging to '81.209.12.243 (ssh-rsa key from 81.209.12.243 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (da243.netikka.fi. FI 12)
deedbot: http://phuctor.nosuchlabs.com/gpgkey/DA87978CF6FFCF25718681CFA15297476FC99BCEF0F5FB9DE3EAA5DC3326D5DA << Recent Phuctorings. - Phuctored: 1768...8957 divides RSA Moduli belonging to '81.209.12.243 (ssh-rsa key from 81.209.12.243 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (da243.netikka.fi. FI 12)
asciilifeform: ( the rsa operation, the one and only, is modular exponentiation. but it is made trivially from modular multiplication . )
deedbot: http://phuctor.nosuchlabs.com/gpgkey/B6814796AE3212BD73F5B32E70E118605F34DD740C3B26CB8D0DCC63037A1871 << Recent Phuctorings. - Phuctored: 1328...6593 divides RSA Moduli belonging to '91.109.28.91 (ssh-rsa key from 91.109.28.91 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (s322.deinprovider.de. DE)
deedbot: http://phuctor.nosuchlabs.com/gpgkey/B6814796AE3212BD73F5B32E70E118605F34DD740C3B26CB8D0DCC63037A1871 << Recent Phuctorings. - Phuctored: 1272...8187 divides RSA Moduli belonging to '91.109.28.91 (ssh-rsa key from 91.109.28.91 (13-14 June 2016 extraction) for Phuctor import. Ask asciilifeform or framedragger on Freenode, or email fd at mkj dot lt) <ssh...lt>; ' (s322.deinprovider.de. DE)