asciilifeform: BingoBoingo: thing was never usg.adopted, was 90% of its orig appeal

BingoBoingo: asciilifeform: It's a quote from a piece of children's literature. Sub "President" for "Man ritualistically staying alone"

asciilifeform: lol

BingoBoingo working on a piece covering republican research and doctrine on censorship resistance as of 2018 to throw on the blognotebook, to inform Pizarro marketing.

asciilifeform: https://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf ( pdfturd! ) << near as i can tell, is the 'full paper' referred to in the 'short'

asciilifeform: and it claims a specific process that supposedly produced the sboxes, but gives only pseudocode with a handwave ' if has desired properties, then keep sbox ' turd

asciilifeform: BingoBoingo: potentially interesting, but i suspect that it wont do much for the idjit heathens , who dun grasp even most basic step of hygiene , i.e. letting go of dnsism

BingoBoingo: asciilifeform: It's not for heathens. It's for me and whoever else reads to repackage for heathens.

asciilifeform: as if it could possibly matter where you host sumthing if 'customer has come to expect' weev.com as the only way in

asciilifeform: BingoBoingo: aite then

asciilifeform: '... it was analyzed by programs we developed for investigating block ciphers, and we found bounds on the probabilities of the differential and linear characteristics. These bounds show that this choice suits our needs.' << spoiler: also posted nowhere...

BingoBoingo: Like other Republic pursuits we have experience, practice, and doctrine in the logs but like other things (v state of the art) it could benefit from collection

mircea_popescu: asciilifeform i have nfi why ANY of those!

asciilifeform: mircea_popescu: i looked over notes from the 1st time i read the thing, and had same reaction then ! but then, left with 'maybe i find why'. 3y later, not found why !

mircea_popescu: ours is not to find out why.

asciilifeform: at this point i strongly suspect that there ~isn't~ a 'why', author pulled thing out of his arse like the others.

mircea_popescu: anyway, the likely reason they don't publish scratchwork is that before republic, nobody had any fucking idea how to do intellectual work. q is a lot like asking "why would doctors not wash hands". because before someone told them to, they didn't, that's why.

asciilifeform brb,meat

mircea_popescu: BingoBoingo that's a good idea incidentally. lotta stuff we invented last tuesday and in the brief interval became seemingly "older than dirt" / "in kindergarten!!!" is in fact entirely unheard of outside the walls.

BingoBoingo: It is an issue I am concretely running into

BingoBoingo: We've documented our victories well, but when explaining to heathens why, collections of log links where the path to victory happens and is discussed often don't quite do it on their own

BingoBoingo: And after Kirchner in Argentina, Bolsonaro in Brasil... The Uruguayos on Reddit think planes surely can not be rockets: http://archive.is/dSdho

mircea_popescu: right.

mircea_popescu: moreover, heathens are generally completely bereft of any kind of thought process. by way of example : http://p.bvulpes.com/pastes/WXFOP/?raw=true

BingoBoingo: !!rate nicooleci 2 Mircea's chattle, summarizer in training, Outside the Wire

deedbot: nicooleci is not registered in WoT.

BingoBoingo: !!rate nicoleci 2 Mircea's chattle, summarizer in training, Outside the Wire

deedbot: Get your OTP: http://p.bvulpes.com/pastes/ZuzlP/?raw=true

BingoBoingo: !!v FE4479BA4353DE8C614A7112895F7D418CD6C2111FA664BB81648676A6C5B540

deedbot: BingoBoingo rated nicoleci 2 << Mircea's chattle, summarizer in training, Outside the Wire

asciilifeform: http://btcbase.org/log/2018-10-29#1866964 << specifically in the context of the 'crypto contest' where serpent was trotted out, there was a loud and pompous 'here's ciphers, with justifications!' circus. so imho the excuse of 'not knew to wash hands yet' is not available

a111: Logged on 2018-10-29 00:44 mircea_popescu: anyway, the likely reason they don't publish scratchwork is that before republic, nobody had any fucking idea how to do intellectual work. q is a lot like asking "why would doctors not wash hands". because before someone told them to, they didn't, that's why.

mircea_popescu: hey, people cca 1400 made big deal of "purity" as well.

mircea_popescu: using the words is worth nothing ; if not used by a lord they're powerless.

asciilifeform: meanwhile, in sneak previews, http://p.bvulpes.com/pastes/bmF1K/?raw=true

asciilifeform: ^ summary of serial i/o processor thing asciilifeform baked. will be applicable even if we come up with sumthing less sad than serpent, in fyootoor.

asciilifeform: mircea_popescu: somewhat related observation: designers of blockciphers are fixated on 'what if known plaintext block', but it is not clear to me why this has to be a living problem when you can fill up 1/4 or 1/2 or whatever of block with rng

asciilifeform: ( if storage/bandwidth are cheap, potentially could stuff all but 1 byte, or even bit, with rngolade, if you like )

asciilifeform: it also handily disposes of the penguin.

asciilifeform: ( without requiring blocks to contain serial #s or anything of the kind )

asciilifeform: sorta like what people already do re rsa.

asciilifeform: and yes it means that rng bitrate will constrain write speed. but it aint as if this is not solvable problem.

asciilifeform: one possible handy algo for the degenerate case of '1 bit of payload per block' -- your block is ~wholesale~ rngolade, and you simply flip the last bit so xor(b0,b1,...,bN) equals your desired payload bit.

asciilifeform: this solves (if you will) asciilifeform's ancient puzzler, 'how to avoid any part of block being known plaintext'

asciilifeform: nao, exercise for the reader : find the bandwidth of this channel ( how many bits , if more than one, can be stuffed into a block and still preserve this property ) ...

mircea_popescu: i dunno i like "block" to begin with.

asciilifeform: hm?

asciilifeform: relatedly, asciilifeform tried to bake a proof that the lamehash keyinflater function of serpent is one-to-one ( i.e. actually carries 256bit of the key register's entropy into the 528 bytes of whiteolade ) and not only didnt , but realized that afaik no such proof exists for any 'troo' hash also ( incl keccak.. )

asciilifeform: mebbe i'm thick and it's a trivial provable ? ( diana_coman ? mircea_popescu

asciilifeform: ? know a proof? )

mircea_popescu: i'm not aware such a thing was ever proven.

asciilifeform: ikr?

mircea_popescu: myeah.

asciilifeform: actually, funnily enuff , i nao see a proof for serpent's, but not keccak

asciilifeform: ( in serpent inflator, the only ops are xor, rotate, and sboxation, all 3 conserve entropy )

mircea_popescu: asciilifeform this isn't much of an argument, let alone "proof". + and * also conserve entropy, yet y=x/2 - x/2 +4 does not.

deedbot: http://bimbo.club/?p=69 << Bimbo.Club - TMSR Log Summary - 10/24/2018

Mocky: http://btcbase.org/log/2018-10-29#1866992 >> using a variation of this algo you can stuff a block half full of bits without any 2 consecutive bits being from a known plaintext, while the accumulating xor prevents the penguin

a111: Logged on 2018-10-29 03:26 asciilifeform: nao, exercise for the reader : find the bandwidth of this channel ( how many bits , if more than one, can be stuffed into a block and still preserve this property ) ...

diana_coman: asciilifeform, no proof that I'm aware of, as per earlier http://www.dianacoman.com/2017/11/22/taming-of-the-serpent-in-ada/#selection-49.0-49.393

asciilifeform: diana_coman: aha

asciilifeform: Mocky_: yea , calls for an actual proof..

asciilifeform: meanwhile, in other lulz, https://archive.is/plVal << trivial local-privesc in xorg ( introduced by shitgnomes in '16 )

mircea_popescu: Mocky_ yeah but i wanted to drive the point home.

asciilifeform: mircea_popescu: not only were you right, but i just about have a handle on deriving the factual key bitness of serpent..

mircea_popescu: and it's almost 2/3 ?

asciilifeform: i'ma refrain from pons&fleischmanning this one..

asciilifeform: ( for anybody who wants to take a stab at this in parallel with asciilifeform , hint : xor-with-constant is injective , can be factored out of equation; ditto sboxes )

asciilifeform: mircea_popescu: 1/3

asciilifeform: i.e. 85-bit strength, possibly smaller ( i haven't algebraicized the entire recurrence yet )

deedbot: http://qntra.net/2018/10/germany-merkel-plots-her-exit/ << Qntra - Germany: Merkel Plots Her Exit

asciilifeform: logic : take the key inflator http://ossasepia.com/2018/02/22/eucrypt-chapter-11-serpent/#selection-87.13060-87.13306 ;

asciilifeform: let the key words (32bit ea.) be A,B,C,D,E,F,G,H. so W(-8)=A, W(-7)=B, W(-6)=C, W(-5)=D, W(-4)=E, W(-3)=F, W(-2)=G, W(-1)=H ;

asciilifeform: now we factor out the ... xor 16#9e3779b9# xor Unsigned_32(I), it's an injective operation (neither adds nor subtracts entropy) ;

asciilifeform: ditto the s-boxes (they are reversible, merely permute)

mircea_popescu: i'm not so persuaded by this latest bit.

asciilifeform: mircea_popescu: they're reversible !

asciilifeform: i.e. have exactly same number of possible outputs as there are inputs

asciilifeform: thinkaboutit, then we'll proceed

asciilifeform: ( if sboxes weren't reversible, deciphering wouldn't work )

mircea_popescu: that they are reversible is tru!

asciilifeform: therefore the inputs:outputs are 1:1 .

mircea_popescu: and in point of fact reversed as the thing works.

asciilifeform: correct

asciilifeform: how else could it work.

asciilifeform: and the two xor's-with-constants, just the same reversible.

mircea_popescu: consider the sets P {1,2,3,4} and E {1,2,3,4,5}. now, the function taking all numbers <4 to themselves and 4 to either 4 or 5 with 50-50 probability IS in fact reversible

asciilifeform: thereby do not affect the quantity we are seeking.

mircea_popescu: is however not in fact entropy conserving

asciilifeform: mircea_popescu: if it has a random component, it aint reversible, how wouldja reverse it ? with time machine ?

asciilifeform: gimme an inverse for it, we can go to vegas

mircea_popescu: i can reverse it, cuz P4 or P5 are E4 so i need to now nothing.

mircea_popescu: know*

asciilifeform: i dun get it, what's P5 ?

mircea_popescu: the 5th element of P set.

mircea_popescu: a fuck i did it backwards

mircea_popescu: E4 and E5 are both P4.

asciilifeform: whole thing plox ?

mircea_popescu: consider the sets P {1,2,3,4} and E {1,2,3,4,5}. now, the function taking all numbers <4 to themselves and 4 to either 4 or 5 with 50-50 probability IS in fact reversible (because E5 and E4 are directly P4). is however not in fact entropy conserving.

mircea_popescu: it is entropy* conserving, where entropy* is a special "entropy-colored-for-meaning", but this isn't useful.

asciilifeform: let's try this. so i throw in {1,2,3,4,5} and the rng cranks and i get a {1,2,3,5,5}, then i put it back and rng cranks again and i get a {1,2,3,4,4}, with nonzero probability. so i reversed ??

mircea_popescu: can't throw in 5. the P set is 1,2,3,4.

asciilifeform: ( not even speaking of fact that this aint a function of the inputs, in the civilized sense, it is a function of input and rng )

mircea_popescu: i agree this is uncivilised.

asciilifeform: then it aint reversible if it can't turn the 5 back into a 4

asciilifeform: what am i missing

mircea_popescu: the problem with one's problems is that they rarely have the decency.

mircea_popescu: asciilifeform what 5 ?

asciilifeform: well i put in {1,2,3,4} and out came {1,2,3,5}.

asciilifeform: now i want reverse.

mircea_popescu: and the reverse is 1,2,3,4.

asciilifeform: but what function gives it to be with prob=1 ?

mircea_popescu: cuz E4, E5 are the indistinct synonyms of P4.

mircea_popescu: the function which takes all numbers <4 to themselves and all numbers >4 to 4.

asciilifeform: by this token there exists inverse keccak, consisting of a list of values which when xor'd with any given one, produces original.

mircea_popescu: i agreed it is not civilised!

mircea_popescu: what do you want me to do ?

asciilifeform: this is trivially true but is not what we want when asking 'can haz reverse keccak'

mircea_popescu: i have problems with statements.

asciilifeform: lol

mircea_popescu: it's what i do for a living.

asciilifeform: with the tools in the actual box, however, afaik there is no headache of this kind, xor-with-constant is reversible and conserves.

asciilifeform: there are exactly as many possible outputs as inputs, and if you xor with the constant again, you get the input back.

asciilifeform: so, continuing: we throw out the constants, and:

asciilifeform: W(0) = RLeft11(xor(a,d,f,h))

asciilifeform: W(1) = RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))

asciilifeform: W(2) = RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))

asciilifeform: W(3) = 3,RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))

asciilifeform: grrrrr

asciilifeform: W(3) = RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))

asciilifeform: W(4) = RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))

asciilifeform: W(5) = RLeft11(xor(f,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))))

asciilifeform: W(6) = RLeft11(xor(g,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))))))

asciilifeform: W(7) = RLeft11(xor(h,RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))))),RLeft11(xor(g,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)

asciilifeform: ),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))))))))))))

asciilifeform: but after this, it chews the cud, e.g. W(8) = RLeft11(xor(RLeft11(xor(a,d,f,h)),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h))))))

asciilifeform: )))))),RLeft11(xor(h,RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))))),RLeft11(xor(g,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))),RLeft11(xor(f,RLeft11(xor(a,d,f,h)

asciilifeform: ),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))),RLeft11(xor(e,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))),RLeft11(xor(d,g,RLeft11(xor(a,d,f,h)),RLeft11(xor(c,f,h,RLeft11(xor(b,e,g,RLeft11(xor(a,d,f,h)))))))))))))))))) , and we can ignore these

asciilifeform: apologies for the log clutter, but this imho belongs in the l0gz

asciilifeform: nao, is it a controversial statement that xors with an item that's already been rolled in, can only ~subtract~ entropy, never add ?

asciilifeform: regardless of how rotated.

asciilifeform: anything that appears on the right-hand side of one of those xor's, can potentially cancel itself out...

asciilifeform: so! for instance ! if a, d, f, h are such that xor(a,d,f,h) = 0, then term a no longer appears in the equation at all !

asciilifeform: so all possible inputs where this holds , result in the same inflated-key.

mod6: holy moly

asciilifeform: bahahaha

asciilifeform: 'cipher contest' my shiny metal arse...

asciilifeform: if xor(b,e,g) = 0, then term b no longer appears in equation...

mircea_popescu: heh.

asciilifeform: if xor(c,f,h) = 0 -- then c...

asciilifeform: and so on.

asciilifeform: at this point i strongly suspect that the actual bitness, is 64 OR SMALLER

mircea_popescu: asciilifeform the objection you had, you know, "this is trivially true but is not what we want" goes very much to the core of the issue -- cryptographic notions of strength are very hard to meaningfully describe mathematically because they're always "obviously this has ONE trivial solution, but does it have more than the one ?!" math deals in 0 and 1s, it's ill equipped to deal with this batshit nonsense.

asciilifeform: mircea_popescu: it dun even seem like we need exotica here

mircea_popescu: right. anyway, back to the practicals -- are sbox outputs ~equiprobable~ ?

asciilifeform: the actual bitness of serpent , seems like, is so small as to be iterable on pc.

mircea_popescu: because if not, then VERY likely what we're seeing is a subclass of http://btcbase.org/log/2018-10-29#1867048

a111: Logged on 2018-10-29 15:53 mircea_popescu: it is entropy* conserving, where entropy* is a special "entropy-colored-for-meaning", but this isn't useful.

asciilifeform: mircea_popescu: what would mean 'equiprobable' ? they're a 1:1 mapping

mircea_popescu: yes 1:1 by count. but by occurrence ?

asciilifeform: you put in 000..., you always get same thing, you put in 111... you get another distinct thing, ditto, and so on

asciilifeform: see e.g. http://www.loper-os.org/?p=2627

asciilifeform: they're caesar's cipher.

asciilifeform: alphabet-a -> alphabet-b.

mircea_popescu: right.

asciilifeform: or, if you like, enigma rotors.

mircea_popescu: http://btcbase.org/log/2018-10-29#1867088 << not controversial. can substract, though doesn't necessarily have to ; can never add.

a111: Logged on 2018-10-29 16:06 asciilifeform: nao, is it a controversial statement that xors with an item that's already been rolled in, can only ~subtract~ entropy, never add ?

asciilifeform: right

asciilifeform: for our purposes, that means 'they subtract'.

asciilifeform: thus far, afaik, we already know that there aint 2**256 possible 528-byte serpent expandedkeys. nor 2**128. and as i currently suspect, not even 2**64 .

asciilifeform: and for some reason this took 20yrs ?! to get out...

mircea_popescu: the reason being that it wasn't gonna move till i baked it in some pie.

mircea_popescu: which finally got some attention from ppls.

asciilifeform: hey, it didn't click in asciilifeform's head either until asciilifeform went to fpgaize it..

asciilifeform: 'notation is worth +80 iq' or how did it go.

mircea_popescu: right.

asciilifeform: it also suggests a very different picture, vs the one i previously supposed, re why it didn't win the tourney. ( rather than washington:'omfg too strong', rather went 'omfg our academi.flunkies kissing arse so hard they cant breathe' )

asciilifeform: entirely possible also that the 'lost despite most votes' thing was engineered stunt.

asciilifeform: i gotta take off my hat to whoever cooked that up.

mircea_popescu: asciilifeform consider also that if a, b, c, d, e, f are rng words, then (P xor a) xor b) etc does not in fact substract anything.

asciilifeform: mircea_popescu: yer xoring overlapped copies, remember

asciilifeform: rotleft-11

mircea_popescu: asciilifeform likely explanation being "whisperer", ie, technical quimby sinking it behind the doors because "it's fucking stupid".

asciilifeform: mircea_popescu: cuz it ~is~

asciilifeform: i feel pretty stupid, tbh, for not noticing in '16

asciilifeform: quimby must have died of laughter by nao

asciilifeform: 'omfg they bought it'

mircea_popescu: bitter days of http://trilema.com/2016/btmsr-block-cipher-competition/#comment-123804

asciilifeform: relatedly, for shits & giggles asciilifeform has been reading a 'digital evidence' law school textbook, for entomological/ameritardological studies, and it goes out of its way to mention 'serpent sank an fbi case'

asciilifeform: b00k circa 2007 iirc

asciilifeform: i suspect that the thing was a mine planted specifically, if you will, for tmsr.

asciilifeform: i can't speak for other folx, but i'ma have to repeat h. hughes, 'fly in it? i wouldn't walk under it'

deedbot: http://qntra.net/2018/10/godaddy-does-it-again-taking-domain-name-in-response-to-media-pressure/ << Qntra - GoDaddy Does It Again: Taking Domain Name In Response To Media Pressure

asciilifeform: BingoBoingo: mebbe give it a week, whoknows, somebody turns up a mistake in asciilifeform's maffs. then can qntra...

asciilifeform: a proggy that takes a 256b key and shits out its 4+ sister-keys, prolly wouldnt hurt, either; if somebody can be arsed to write.

asciilifeform: ( dun forget to acct for the constants )

mircea_popescu: suppose... you actually do that ?

asciilifeform: i will, eventually, if nobody else can be arsed

asciilifeform: washington can pay for its own auto-pill fpga, if they want one tho, i dun see why to do this work for them.

mircea_popescu: so far, we're still ~in the same position as http://btcbase.org/log/2018-10-26#1866400 / http://btcbase.org/log/2018-10-26#1866449

a111: Logged on 2018-10-26 16:48 mircea_popescu: i am experimenting with serpent, and yes it's borne of that ancient discussion of ours, but i'm nowhere near-ready to bake it into "this is tmsr secure disk"

a111: Logged on 2018-10-26 17:04 mircea_popescu: in short, because this winding discussion risks overwhelming buffers, the salient points are a) that i'm not ready to go to war over serpent, it's a meh-maybe item ; b) that building our spearheads around items we're not willing to die for may be how the converse of http://btcbase.org/log-search?q=bitcoin+corrupts altogether.

BingoBoingo: asciilifeform: If your math stands the week, you may be the best qualified to do the qntra on it

asciilifeform: mircea_popescu: as i understand not; we're at http://btcbase.org/log/2018-10-26#1866454 .

a111: Logged on 2018-10-26 17:05 mircea_popescu: yeah but suppose some bright kid walks into here one day with that item we all suspect is under a rock somewhere

mircea_popescu: aha!

mircea_popescu: he GOTTA WALK WITH IT THO

asciilifeform: you dun need 'acres of crays' to walk 2**64 or however many, troo-keyz.

mircea_popescu: the issue is that ~however many~.

mircea_popescu: bright kid walks in with a convincing story as to how he's gonna walk in with item != bright kid walks into here one day with that item.

asciilifeform: what bitness wouldja live with ?

mircea_popescu: the court will only consider positive cases.

asciilifeform: aite

asciilifeform: i do suggest to look for a spare tyre, tho, this one's hissing air.

mircea_popescu: seems like it.

asciilifeform: whether asciilifeform takes month, week, or day, to cough up pill

asciilifeform: ( i certainly didn't expect ~this~ 3days in... )

asciilifeform: hilariously, i have a tall pile of academiliquishit re serpent right here on desk, and it ALL without exception dwells on the sboxes & lineartransform, 0 discussion of key schedule.

asciilifeform: btw i seem to recall that the original mircea_popescu & diana_coman thread where 'let's try serpent' turned up that the current 'paper' is not in fact the original, and the orig has evaporated. nao gotta wonder what was in it.

asciilifeform: ( i'd walk over to uni to try an' dig it up, but then remembered that they abolished the paper-papers archive for 'electronic' lulz )

diana_coman: asciilifeform, yes re original - I could not source it and no idea why

asciilifeform: diana_coman: that's exactly what i remembered.

asciilifeform: diana_coman: i'm still boggled re the sheer wtf of it all.

asciilifeform: for lulz, would be interesting to dig up the list of 'luminaries' who voted for serpent. ( last i recall, it was public )

diana_coman: I'm re-reading here with pen and paper

asciilifeform: aite, won't distract then

diana_coman: I can cite though from the 2000 paper (or apparently 2000...): "Since then we have sought to strengthen the algorithm and improve its performance. As a result, we have selected new, stronger, S-boxes and changed the key schedule slightly."

asciilifeform: yaya i have both papers here

asciilifeform: ( no hard dating for either , tho )

asciilifeform: diana_coman: http://p.bvulpes.com/pastes/94fgv/?raw=true << the raw emacs-sewed recurrence equations, if it helps

asciilifeform: diana_coman: can substitute with search-and-replace

asciilifeform: ( they're broken up in the log, so possibly this is handier )

asciilifeform reads..

mircea_popescu: i'd have said more, but the editor showed wordcount 777, and i deem this a very good omen re cipher quality.

asciilifeform: lol

asciilifeform: lol you almost got me, i half-expected the piece to be about a block cipher

mircea_popescu: isn't it ?!

asciilifeform: haha, after a fashion.

mircea_popescu: didja read that whole thing

asciilifeform: i did

mircea_popescu: ow shit, i mystypoed in the title, wtf is a "chipher".

asciilifeform: it's about xor, in the specific style used in winblowz shitware to hide strings from av.

asciilifeform: i deciphered these with perl script, for a living, for yrs.

mircea_popescu: are you saying this is weak ?

asciilifeform: define weak!111

mircea_popescu: weaker than serpent.

asciilifeform: slightly, lol

mircea_popescu: show me!

asciilifeform: it's multiply-run otp, wat.

asciilifeform: shannon already showed how to break, it's in the kindergarden text

mircea_popescu: do you mind ?

asciilifeform: sure, wainot , after tea

asciilifeform: pretty tired from curing serpent.

mircea_popescu: works.

asciilifeform: mircea_popescu: meanwhile plz be so kind as to say how to decipher.

asciilifeform: ( having, that is, the key )

deedbot: http://trilema.com/2018/so-i-designed-a-block-chipher/ << Trilema - So I designed a block chipher.

mircea_popescu: same procedure, xor the Pmessage as per key.

asciilifeform: mircea_popescu: your offsetting rotates (as e.g. ram on z80) or truncates? ( when message is shifted beyond the buffer bound ) ?

mircea_popescu: rotates, it's a ring buffer.

asciilifeform: ok

mircea_popescu: asciilifeform like it or not, this is the ur-blockchipher. ALL OTHERS, not only casually but NECESSARILY, are mini-clipped versions of this. "competition or no competition", if it got shitboxes it's this and naught else.

mircea_popescu: and yes, you've inspired me.

mircea_popescu: and no, "we have pre-padded ring buffers with THIS particular message that's worth hardwiring because it's ever so magical" ain't a reasoning.

diana_coman: asciilifeform, that helps, thank you! I had to take break and I'm slow on this sort of things so it'll take a while until I get to say anything

asciilifeform: mircea_popescu: http://p.bvulpes.com/pastes/gWzx9/?raw=true , satisfy yerself that it dun reverse

asciilifeform: ^ bits are printed in ascending majority, left to right

asciilifeform: mircea_popescu: 'write-only memory'

asciilifeform: and before you ask, variant where either key or msg can be longer, http://p.bvulpes.com/pastes/AQPnG/?raw=true , and transpose msg and key for reverse, dun reverse either.

asciilifeform: it's a crosscut-shredder, not a ciphrator..

asciilifeform: pretty handy proof , however, that the xor liquishit on the right hand side of those serpent eqs, doesn't conserve entropy !

mircea_popescu: HA.

asciilifeform: see, you win phree toy, from this arcade.

mircea_popescu: "our block cipher has to have backdoor because we built a paper shredder and well..."

mircea_popescu: asciilifeform this is so much better than having to correct the title.

asciilifeform: ahahayes

asciilifeform hoses down vivisection table

mircea_popescu: this has been a very fun morning.

asciilifeform: verily

mircea_popescu: now tell me, "why can't tv be more entertaining".

asciilifeform: nao y'know wai asciilifeform dun have a tv..

asciilifeform: http://btcbase.org/log/2018-10-29#1867215 << dun feel sad, serpent had to hang on asciilifeform's wall for 2yrs before this.

a111: Logged on 2018-10-29 19:22 diana_coman: asciilifeform, that helps, thank you! I had to take break and I'm slow on this sort of things so it'll take a while until I get to say anything

mircea_popescu: asciilifeform check this out : as per the "chipher", let there be a plaintext P of n bits ; and a key K of k bits. given a ciphertext E of n bits, it is a fact that any one bit of P is the result of xoring of up to k bits of P. if you know K you know ~which ones~, and as you have E you know ~what they must xor to~. this results in a message-wide system of k equations which is determinate.

mircea_popescu: (provided of course k>=n, which yes, it's a block cipher)

asciilifeform: i suspect i'ma need some strong чифир for this chipher

asciilifeform: 'any one bit of P is the result of xoring of up to k bits of P' << y'mean 'any one bit of E' ?

mircea_popescu: well, we're trying to get P back right.

asciilifeform: well yes, presumably from E ?

asciilifeform: or else from what.

mircea_popescu: P[n] = K[0]*P[a] x K[1] * P[b] x ...

mircea_popescu: E is just what these equal to, see.

mircea_popescu: damn.

asciilifeform: aaha

mircea_popescu: E[i] = K[0]*P[a] x K[1] * P[b] x ...

mircea_popescu: so this is, in fact, a system of (here) 512 xor-equations, with a known result (e[x]) and a known parameter matrix (K)

mircea_popescu: as long as P doesn't have more bits than K, this is a determinate system.

asciilifeform: diana_coman et al : http://p.bvulpes.com/pastes/uX1BM/?raw=true << for convenience, the recurrence eqs rewritten 1) as sexpr 2) with the orig constant-xors included

asciilifeform: ( define RL11 as 'rotate left by 11 bits inside 32bit reg' )

asciilifeform: grr, loox like i munged it, 1s, will fix

asciilifeform: diana_coman et al : http://p.bvulpes.com/pastes/kH2Av/?raw=true << proper.

asciilifeform: mircea_popescu: feel free to bake this by curing the little proggy pasted earlier

asciilifeform: mircea_popescu: seems to me that ~now~ you correctly defined... the http://btcbase.org/log/2018-10-29#1867192 cipher.

a111: Logged on 2018-10-29 18:29 asciilifeform: it's about xor, in the specific style used in winblowz shitware to hide strings from av.

asciilifeform: ( and if mircea_popescu's point was that ~all~ present-day 'block ciphers' are reducible to some variant of it -- the point is made )

asciilifeform: !#s maslennikov

a111: 22 results for "maslennikov", http://btcbase.org/log-search?q=maslennikov

asciilifeform: the basic boojum is that it aint a cipher of any kind, and the ubiquitous sbox derpery is simply squid ink to obscure this. maslennikov details how he pointed this out to 1980s kgb and got sacked.

asciilifeform: all 'enigma', regardless of what kinda lipstick is put on'em, are sad.

mircea_popescu: Consider K = 01010 ; P = 00111 ; RB = (00111), (01110), (11100), (11001), (10011).

mircea_popescu: E therefore is : E1 = 0 x 0 x 1 = 0 ; E2 = 0 x 0 x 1 = 0 ; E3 = 1 x 1 x 0 = 0 ; E4 = 1 x 1 x 0 = 1 ; E5 = 1 x 1 x 1 = 0 thus E = 00010.

mircea_popescu: To now obtain P back from E and K : P[1] = P[1] x P[2] x P[4] ; P[2] = P[2] x P[3] x P[5] ; P[3] = P[3] x P[4] x P[1] ; P[4] = P[4] x P[5] x P[2] ; P[5] = P[5] x P[0] x P[3].

mircea_popescu: To obtain P back from E without K : P[1] = P[1] x K[1] * P[1] x K[2] * P[2] x K[3] * P[3] x K[4] * P[4] x K[5] * P[5] ; P[2] = P[2] x K[1] * P[2] x K[2] * P[3] x K[3] * P[4] x K[4] * P[5] x K[5] * P[6] ; and so following all the way down.

mircea_popescu: so : with K it's a system of 5 equations with 5 unknowns ; without K it's a system of 5 equations with 10 unknowns.

mircea_popescu: for a 5 bit key you only have to try 2^3 permutations or so, it's true. but anyways.

asciilifeform: mircea_popescu: what's RB ?

mircea_popescu: ring buffers

asciilifeform: aa

mircea_popescu: s-boxes, if you prefer.

asciilifeform: and you prolly meant 'P[1] = E[1] x E[2] x E[4] ;' neh

mircea_popescu: neh.

asciilifeform: then i dungetit

asciilifeform: how does P[1] = P[1] x P[2] x P[4] work

mircea_popescu: E[1] = P[1] x P[2] x P[4] ; P[2] = P[2] x P[3] x P[5] is what i meant.

asciilifeform: this in re 'to obtain P back from E and K'

mircea_popescu: yes.

asciilifeform: so, this is exactly the previous scheme, but with * rather than xor ?

mircea_popescu: no no, x is xor * is multiplication (in the sense that if the key is 0 at that offset, the rb dun get applied)

mircea_popescu: so if K[q] = 0, then that line's skipped ; otherwise it's applied.

asciilifeform: so how does this diff from the previous item , what am i missing

asciilifeform: .. and how do i eat P[2] = P[2] x P[3] x P[5] , it's recursive

mircea_popescu: to be clear : it's exactly the same scheme ; showing you how P ~must~ be obtainable from known K and E.

BingoBoingo: In other updates: Censorship resistance piece approaching 1500 words and has yet to advance beyond 2014 Republican state of the art.

asciilifeform: mircea_popescu: if i encrypt message=2 with key=10, i get same 5 as if i encrypt message=2 with key=10

asciilifeform: err if i encrypt message=2 with key=10, i get same 5 as if i encrypt message=7 with key=10

asciilifeform: run the proggy.

asciilifeform: it aint 1:1.

asciilifeform: i.e. crosscut shredder.

asciilifeform: the transform is not reversible.

asciilifeform: worse, msg=8,key=10 still 5.

asciilifeform: knowing the key and the ciphertext tells you almost nuffin about the plaintext, cuz it's a write-only-memory, lol

asciilifeform: you lose the info as it gets xor'd with rotated copies of self.

a111: Logged on 2018-10-29 19:39 asciilifeform: pretty handy proof , however, that the xor liquishit on the right hand side of those serpent eqs, doesn't conserve entropy !

mircea_popescu: asciilifeform you agree that if i give you 5 equations with 5 unknowns, this is in fact resolvable ?

asciilifeform: http://p.bvulpes.com/pastes/eDGtm/?raw=true if y'dontbelieve.

asciilifeform: mircea_popescu: it'd be resolvable if that's actually what you had. but in fact you dun have.

asciilifeform: yer bits got xor'd with selves and turned into 0s.

mircea_popescu: only if 1st bit of key is set :(

mircea_popescu: :) *

a111: Logged on 2018-10-29 06:45 Mocky: or a more direct counter argument: A xor A = 0

asciilifeform: ( ty Mocky btw, it's what got the whole thing moving )

mircea_popescu: there's a reason i say " Consider K = 01010"

asciilifeform: mircea_popescu: that's the k in my example, neh

mircea_popescu: i confess i dunno what teh breakdown is, here.

asciilifeform: try the proggy, it will make sense, i suspect

mircea_popescu: asciilifeform why "new buf: [1, 1, 0, 1]" ?

asciilifeform: after xor for that step

asciilifeform: ( keep in mind that [1, 1, 0, 1] is 11, we print the bits in ascending majority. can reverse if it makes moar readable, if you like )

asciilifeform: in that step, yer message was [1, 1, 1, 0], it got rotated by 1 place, and is then [1, 1, 0, 1], and that's yer buf after 1st step.

mircea_popescu: asciilifeform K = 0101, P = 1110. RB = (1110), (1101), (1011), (0111). E1 = 1 x 1 x 0 = 1 ; E2 = 1 x 1 x 1 = 0 ; E3 = 1 x 0 x 1 = 0 ; E4 = 0 x 1 x 1 = 0 ; E = 1000.

mircea_popescu: why is your E 1010 ?

asciilifeform: btw 'message gets xor'd with self' is not whole story, what you're doing is asking 1 bit to store 3 or more , this dunwork

mircea_popescu: i honestly have nfi what you're talking aboot.

asciilifeform: you're xoring Kbits distinct (if lowest kbit is 0, and there are no symmetries in the message) strings into a Kbits-sized hole.

asciilifeform: this dun make sense ?

mircea_popescu: notrly.

asciilifeform: i dun currently know how to make it clearer.

mircea_popescu: i guess this'll have to rest then.

mircea_popescu: unless you're willing to debug the .py, it's spitting out wrong values.

asciilifeform: willing

asciilifeform: plox to show for which pair wrong output

mircea_popescu: ok, so make 7 10 yield 1000 not 1010. as above!

asciilifeform: http://p.bvulpes.com/pastes/UGLI3/?raw=true << verboser proggy; http://p.bvulpes.com/pastes/NpoNl/?raw=true out

asciilifeform: also, mircea_popescu: 1 x 1 x 0 aint 1

asciilifeform: and 1x1x1 aint 0

asciilifeform: if we're speaking of xor.

asciilifeform: yer example dun go with the arithmetic on my planet, no matter how i define 'x'

asciilifeform: dun have to believe proggy, do it with pen, and write the troof table for xor if you must.

asciilifeform: ( spoiler : 1x1->0, 0x1->1, 1x0->1, 0x0->0 )

asciilifeform brb,meat

mircea_popescu: lmao ima have to redo this. apparently im terrible at handmaffs

mircea_popescu: K = 0101, P = 1110. RB = (1110), (1101), (1011), (0111). E1 = 1 x 1 x 0 = 0 ; E2 = 1 x 1 x 1 = 1 ; E3 = 1 x 0 x 1 = 0 ; E4 = 0 x 1 x 1 = 1 ; E = 0101 ?

mircea_popescu: asciilifeform ^

mircea_popescu: mno, actually still bs.

mircea_popescu: K = 0101, P = 1110. RB = (1110), (1101), (1011), (0111). E1 = 1 x 1 x 0 = 0 ; E2 = 1 x 1 x 1 = 1 ; E3 = 1 x 0 x 1 = 0 ; E4 = 0 x 1 x 1 = 0 ; E = 0100.

mircea_popescu: by now, covered all the possible combinations of 4 bits (ain't that many) -- but never fell on the mp.py 1010.

asciilifeform: http://p.bvulpes.com/pastes/Ar3qj/?raw=true << even moar pedantic

asciilifeform: mircea_popescu: your 1st 'lmao will have to redo' is correct.

asciilifeform: except that you did the key walk backwards.

asciilifeform genuinely bbl

mircea_popescu: i don't actually follow your proggy any ; regardless, the values it spits dun seem to agree with what i expect.

mircea_popescu: if we manage to fixate on a specific datapoint we'd prolly benefit here.

mircea_popescu: on the other hand, entirely unclear to me why the fuck we're discussing some [evidently buggy/misimplemented] program or my own inept handcalculus. either we agree a system of n equations with n unknowns is determinate or we don't and that's the end of the matter.

diana_coman: http://btcbase.org/log/2018-10-29#1867144 -> asciilifeform, do you mind outlining how you see this? I'm still chewing it all but atm I have trouble fully grasping this.

a111: Logged on 2018-10-29 16:52 asciilifeform: a proggy that takes a 256b key and shits out its 4+ sister-keys, prolly wouldnt hurt, either; if somebody can be arsed to write.

diana_coman: basically I get http://btcbase.org/log/2018-10-29#1867091 BUT can't yet follow it to http://btcbase.org/log/2018-10-29#1867092 mainly because it seems to me that the effect of A is basically in fixing d,f,h (so that xor(a,d,f,h)=0); in short: wouldn't a change (of any number of bits) in a trigger (if imposing xor(a,d,f,h)=0 still) changes further in b-h so that the resulting key schedule is different? theoretically that would be the ration ☝︎☝︎☟

a111: Logged on 2018-10-29 16:18 asciilifeform: so! for instance ! if a, d, f, h are such that xor(a,d,f,h) = 0, then term a no longer appears in the equation at all !

a111: Logged on 2018-10-29 16:19 asciilifeform: so all possible inputs where this holds , result in the same inflated-key.

diana_coman: ale for the choice of underlying primitive polynomial but I'm still fuzzy on what goes on in there exactly

asciilifeform: mircea_popescu: if we can agree to walk the key in same direction, we get same answ

deedbot: http://bingology.net/2018/10/29/censorship-resistance-in-2018-an-introduction/ << Bingology - BingoBoingo's Blog - Censorship Resistance In 2018 - An Introduction

BingoBoingo: ^ asciilifeform mod6 mircea_popescu Please correct me if I have misunderstood anything

asciilifeform: diana_coman: look at the recurrence, term a appears directly only once, in w(0)

BingoBoingo: Just under 2100 words

asciilifeform: diana_coman: errywhere else, it appears strictly as a copy of w(0)

asciilifeform: ditto, term b only appears directly in w(1)

asciilifeform: and c -- in w(2) ; d -- in w(3) .

BingoBoingo: If the censorship resistance piece survives peer review, Imma test it on some orcs and start using it as my explainer to heathens for why the fuck I am in this hell hole

asciilifeform: e -- in w(4) .

asciilifeform: err, strike that

asciilifeform: but the rest, appear-directly 1ce.

asciilifeform: diana_coman: i'm baking a proggy that shits out sister keys, if it still dun make sense, you can wait till its birthed and try yourself.

asciilifeform: test is straightforward, you take yer vintage serpent and feed in k1,string, get ciphertext1, k2,string, get ciphertext2, and observe that the ciphertexts are same (cuz key expanded to same thing)

asciilifeform: cleaning up the above : a, b, c, appear directly 1ce; the rest --only as recurrence terms.

asciilifeform: if you have d,f,h, such that a == d xor f xor h ( or if you like , a xor d == f xor h , or a xor d xor f == h , it's transitive) then a term disappears from the eqn

BingoBoingo: !Q later tell nicoleci please use irc instead of linked in messaging

asciilifeform: will leave the others as exercise.

asciilifeform: likewise, e.g., entire w(1) term will disappear if you have (XOR B E G (RL11 (XOR A D F H #9e3779b9 0)) == #9e3779b9 ( the 1 dun du nuffin, as 9 is odd)

asciilifeform: can similarly do for the other right-hands.

asciilifeform: grr, #9e3779b8, the 1 flips. i'ma leave this alone until proggy.

asciilifeform tired