How I found some area of expertise in mathematical cryptography one expects to find here and there ; plus divers spots missed while shaving.

Friday, 28 April, Year 9 d.Tr. | Author: Mircea Popescu

If you've read the cat-v story you're probably thinking something along the lines of "apparently he tends to do one of these every six months or so". What can I say, apparently I do.

It all started quaintly enough in #trilema :

Framedragger btw there are like 770 people sitting and talking on ##crypto, it might not even be 100% hopeless, curious if they would respond well to FUCKGOATS advertising
asciilifeform 'people'
Framedragger usg sybils deliberately working to blackhole asciilifeform's emails!
trinque check it out; he learned the splitting
asciilifeform Framedragger: 'people' in the sense of the randos hanging out, e.g., here, and never saying a word, is the idea.

Not one to theorize, I simply joined[i] and the conversation flew thickly thereupon[ii] :

Framedragger just going throw this out there: there's an *auditable* hardware trng available here: ; anyone interested please do drop by #trilema.
Captain_Beezay Framedragger: why do you call it "true"?
Captain_Beezay also,I'd never touch anything named that,regardless of quality. onerng is out there fyi

Framedragger Captain_Beezay: it doesn't hash or do any other stupid things like that, just gives you entropy; it doesn't whiten.
mircea_popescu link for this onerng thing ?
Captain_Beezay same[iii] with onerng,I have it
Captain_Beezay and I don't have to tell people I'm committing bestiality when all I want to tell them is I have a nice hrng

mircea_popescu ah, i recall reviewing onerng cca 2014. there's serious problems with it. such as, micro is under same shielding as rf amp.
sarnold eightyeight: a new hardware token to add to your pile :)
mircea_popescu Captain_Beezay your self-broadcasting needs might be separable and for others separate from the rng issue.
mircea_popescu also, as per the schematic, the AP3105' switching voltage-booster is very likely to induce artefacts into the output. all in all it's a terrible design made by perhaps well intended yet obvious amateurs.

Captain_Beezay mircea_popescu: be it so.there was no need to call it that. I'm sure there will be people that won't mind the name
mircea_popescu anyway, got a contact for the people involved ? help them out with the "We are not aware of any other equivalent device that promotes this essential feature of security for you, the user." claim.

Captain_Beezay mircea_popescu: are you affiliated with nosuchlabs?
mircea_popescu i'm a principal.[iv]
Riastradh That's...quite the product name.
Riastradh Do you have a USB vendor and product id assigned for vendor NOSUCHLABS product FUCKGOATS?
mircea_popescu nope.
Ganymed :)
mircea_popescu also not going to happen, the republic is rather unfriendly to fiat pretense of the sort.

Captain_Beezay mircea_popescu: did you publish your onerng review?
Riastradh Guess I can't write a native NetBSD device driver for it[v], then, like I did for my Finnish arachnoid alternative last week (which, admittedly, is not terribly auditable).
mircea_popescu Captain_Beezay back in 2014,
asciilifeform Riastradh: FUCKGOATS is an rs232 device. works equally well with, e.g., msdos, as with bsd. and with pdp11 as well as with pentium.
mircea_popescu speaking of which, is there a log website for this channel ? or how do i search past conversations ?

Riastradh Yes, but I can't detect that it is a FUCKGOATS device and automatically feed it to the entropy pool. It will look just like any other serial device, requiring operator intervention to know to use a userland program to connect to the serial interface and feed data from that to /dev/random.
asciilifeform that's actually deliberate.
asciilifeform it is meant to be used ~instead of~ whatever crock of shit your kernel came with.
mircea_popescu Riastradh you get something for that.
mircea_popescu eg the fact that someone else snooping around can't distinguish it from a keyboard.
asciilifeform well, from modem.
sarnold "boy this modem sure spits out a bunch of random gibberish"
mircea_popescu from line device, anyways.

Captain_Beezay has a serious problem with the name,anything that wants to be used professionally needs to have a sfw non-profane name.
Riastradh mircea_popescu: To get logs for the channel, send your resume to, go through a long security clearance process, &c., and then you will know what to do.
mircea_popescu Captain_Beezay the idea is to wholesale replace your notion of "professional", so that it is no longer socially acceptable to go around saying "sfw".
Riastradh asciilifeform: Not sure what you're getting at here with `crock of shit your kernel came with'.
mircea_popescu Riastradh it is a more important question than meets the eye. the fact that trilema has fully searchable logs significantly improves the quality of discussion going on and at the same time the quality of thoughts thought by the participants.

Captain_Beezay mircea_popescu: No,the author is just being an inconsiderate self centered jerk[vi]
mircea_popescu aha.
Riastradh mircea_popescu: Your profundity is duly noted. I suggest you redirect your commentary on what constitutes professionalism to a channel more suited to the topic, say ##ideologies.
mircea_popescu remind me why i care what you suggest ; explain what exactly "noted" is supposed to mean here, you don't have a public log ; it's not directly clear what you're talking about anyway, i wasn't discussing what constitutes professionalism.

* Captain_Beezay missed the line about mircea_popescu saying he was the principal. sorry for the rudeness
Captain_Beezay mircea_popescu: I just don't appreciate others pushing their ideology on me using their technical achievements.
mircea_popescu Captain_Beezay i dun care about rudeness either way, but i like it when people make sense. otherwise, the whole point of technology is to push ideology on others.
mircea_popescu that's what it does.

Captain_Beezay you have the right to name it anything you want
Framedragger Riastradh: re. 'crock of shit', i think what was meant was that there is implicit trust in the kernel's csprng (with additional dubious operations done, including but not limited to whitening)
Captain_Beezay I will oppose acceptance of any such product as well.
Riastradh mircea_popescu: That's all very nice. Now please take your ideological proselytism back to a channel where it's on-topic.
Framedragger you people do realise that *you* raised the 'ideology' topic, right?
sarnold Framedragger: you trust the kernel for -everything-
sarnold Framedragger: in the same way that you trust the cpu for -everything-
Framedragger what, no, that's a classical slippery slope fallacy.
Framedragger there is no need to trust the kernel to be the source of your randomness.
Captain_Beezay mircea_popescu: technology is a tool,how we use it is according to our own beliefs[vii]

Framedragger so x86 chips are broken and contain complex backdoor'y firmware. i should install malware, then?
Captain_Beezay a tool shouldn't tell me what to think or what to believe.
Riastradh Framedragger: Really not interested in arguing whether commentary around `the idea is to wholesale replace your notion of "professional"' is ideological proselytism. It's off-topic here.
asciilifeform incidentally FUCKGOATS works fine with machines having no kernel, and no os in the customary sense. for instance, fpga that fills sd card with random, for onetimepad.
mircea_popescu Riastradh do you find this "hurr durr" "now please take your hurr durr somewhere else" approach works in general ?

mircea_popescu Captain_Beezay "a tool" can't really work unless it comes with an ideology. that's what differentiates the tool from the piece of art.
sarnold mircea_popescu: in general people are more polite :)
mircea_popescu there is that.
Riastradh My patience is running pretty thin, and it's normally quite thick. If you folks have anything to discuss about crypto, feel free to bring it up; otherwise take it back to #trilema or whatever your usual haunt is.
mircea_popescu Riastradh i'd quote log lines if you have a log. as it is : "there's serious problems with it. such as, micro is under same shielding as rf amp." and "also, as per the schematic, the AP3105' switching voltage-booster is very likely to induce artefacts into the output." re the onerng thing.
sarnold asciilifeform: that's a fine point, and serial makes it way easier to use than usb too
mircea_popescu sarnold the problem with soldering an usb down is also that usb is a pretty opaque cliquish thing one might find himself willing to jettison in this lifetime.

asciilifeform incidentally, in case it were not obvious, mircea_popescu and asciilifeform are the co-authors of the linked device. and asciilifeform naively thought that a chan called 'crypto' might contain folks interested in the particulars of a (public design!) inexpensive nonwhitened rng.
sarnold asciilifeform: I think the mistake was mircea_popescu getting sucked into a debate about the name by Captain_Beezay. hehe. :)
sarnold asciilifeform: where a simple "that's name, name your own device whatever you want" would have sufficed. :)
mircea_popescu mno, apparently $random-nobody[viii] with user-settable levels of "patience" is very interested in hijacking a technical discussion to talk about his feelings.

Captain_Beezay mircea_popescu: in other words,I'd much rather be talking crypto or rng right now than ideology. I'd rather buy your work and use it,but if you made it for only people that have no problem being vulgar and profane and/or won't respect the preference of others to not speak about bestiality or in a profane way in a professional setting then it's certainly not
Captain_Beezay for me and I'll discourage anyone from using it based on that non-technical merit alone.
asciilifeform the name, apparently, is working quite well. exposes folks who have... issues
mircea_popescu Captain_Beezay but by all means, go right ahead.
mircea_popescu the discussion is you saying "onerng exists" me explaining i see some problems, and now you discussing technology rather than anything else, please do.[ix]

Riastradh Design of RNGs for crypto is on-topic, though physical phenomena that lead to them is at the edge of the topic of this channel -- not because it's irrelevant but because it lies outside the area of expertise in mathematical cryptography one expects to find here.[x]
Captain_Beezay mircea_popescu: I can't even mention your rng without being profane,you have excluded me from it by calling it that. even if I liked your work I'd have to violate my beliefs in order to speak about it,very unfair. but I respect your right to name your work anything.
mircea_popescu you can just call it "FG" or for that matter anything else you wish. stet[xi] rosa pristina etc.

mircea_popescu but anyway, since we're here : dieharder seems to spin over samples. this is (at least to my eyes) very strange behaviour, as it introduces artefacts in the extended "sample" it considers. anyone know either the author so i can ask him why or else can explain why ?
mircea_popescu (other, of course, than the obvious "pre FG entropy samples were tiny and thus it was needed and besides they were so terribad it made little difference anyway.")

sarnold "spin over"?
Captain_Beezay mircea_popescu: forget about my little opinion,what if someone willing to audit your work or help you out doesn't because of something as silly as that. but I'll step away and allow other discussions
mircea_popescu sarnold yes. loop, if you prefer. processed kn bytes for a sample n bytes long.
sarnold mircea_popescu: that .. seems insane.
mircea_popescu it's in the code though.
mircea_popescu boyfawkes do you happen to know a girlfawkesy btw ?
Riastradh mircea_popescu: Why don't you email the author and find out?
mircea_popescu i have emailed ; haven't found out yet.

eightyeight sarnold: cool it's auditable, but .... ugh
eightyeight "[A] digital computer per se is uniquely unsuited to the task of producing entropy, in much the same way that a blast furnace is uniquely unsuitable for refrigeration."
eightyeight le sigh[xii]

CiPHPer by the way, this is a thing:
CiPHPer I think I mentioned it in ##security
eightyeight his "Is there such a thing as better or worse entropy ?" paragraph is equally as painful to read
eightyeight he clearly doesn't understand the differences between shannon entropy and entropy as defined by the 2nd law of thermodynamics
Pilfers refer
Framedragger eightyeight: if you were to read a couple more paras down, it's addressed
mircea_popescu eightyeight what are the differences, for my curiosity ?[xiii]
eightyeight Framedragger: ah. indeed.
eightyeight Framedragger: it is unfortunate that the author (you?) is not admitting that there can exist "malicious entropy"
eightyeight and feeding such entropy into a system compromises it[xiv])

eightyeight (which is sort of the reason the hardware and firmware is auditable, as to prove it's not malicious)
Framedragger eightyeight: (it's a product of asciilifeform and mircea_popescu; writing's probably asciilifeform's)
mircea_popescu no, the part where i liberally confuse shannon and thermodynamic entropy is mine.
Framedragger ha :)
eightyeight where can i read the source code to the firmware?
mircea_popescu eightyeight first five links on the site are the v tree, the compiled binary and two schematics
eightyeight the .vpatch files?
mircea_popescu yes. it uses the V.
mircea_popescu (V being a strong cryptographic versioning system)

mircea_popescu !~later tell ciphper hmm, key apparently belongs to one michael alexander arthur cordingley. other than being born in athens ohio nov 12 1983, who's he ?
mircea_popescu oh, no bots either is it. sigh.[xv]
mircea_popescu anyway. i know for a fact the key didn't exist six months ago because phuctor doesn't know it. what exactly is signing stuff like that with a new key supposed to accomplish.

andytoshi how parallelizable is shor's algo? if i want to break 100 discrete logs is this much faster to do in batch than to do them separately?
mircea_popescu andytoshi the whole point of it is being parallelizable yes ?
andytoshi mircea_popescu: right, "parallelizable" is not what i mean, what i mean is are there batch speedups
andytoshi like, for pollard-rho, a classical algorithm, you can break 100 discrete logs in much less than 100 times as long as it takes 1
asciilifeform andytoshi: idea for shor's was to 'parallelize' by running on parallel universes.
asciilifeform (supposing anyone knew how.)
andytoshi asciilifeform: that's really not how shor's algorithm, or any quantum computation, works
mircea_popescu the item not existing, this is entirely speculative, but in the theoretical theory of it you'd take the same local time to do 1 or n.
asciilifeform angels/pinhead.

Riastradh andytoshi: I don't think Shor's algorithm factors nicely into an expensive generic precomputation followed by a cheap per-target attack. But since it would run so fast, I also don't think that's likely to matter.
Riastradh andytoshi: Why do you ask?
andytoshi Riastradh: because if you can break a lot of discrete logs (like 2^30) then wagner's generalized birthday attack becomes applicable in situations that it otherwise wouldn't be
andytoshi in particular if i give you an unlimited stream of uniformly random EC points, assuming DL is hard you won't be able to find a subset of them that sums to zero. but if you can break the DL of each point, then you can do this efficiently using wagner's algorithm
sarnold but isn't shor's algorithm itself closer to 2^16? or less?
andytoshi o.O is it really that low? for a 256-bit group?
Riastradh andytoshi: The cost of Shor's algorithm is roughly quadratic in the number of bits in the group in question.
mircea_popescu there's two parts. the fourier transform is supposed to be fast ; the exponentiation is supposedly slow.
andytoshi and the exponentiation is classical right?
mircea_popescu doesn't have to be
mircea_popescu but afaik that's the state of the art atm.
andytoshi i guess there's an implicit assumption that classical computers will have way higher clock speeds than quantum computers[xvi]
mircea_popescu anyway, it bears pointing out that allegedly the largest factored number had about five digits ; more documented examples involve the factoring of number 15.
andytoshi heh, yeah, i'm not worried today, but i'm trying to design systems now with "how badly will a QC wreck this" mindset
mircea_popescu heck, if you could get 1k "qbits" together you could prolly write the exponentiation as a fourier transform.

andytoshi usually "QC will break everyone's privacy" is ok, but "QC will allow silent printing of bitcoins" is not
mircea_popescu qc does not allow silent printing of bitcoins as it is.[xvii]
andytoshi and when i'm actually concerned about quantum computers, i won't even be ok with privacy loss :)
andytoshi understood. but with confidential transactions it would
andytoshi we understand how to do unconditionally sound CT now ... i'm thinking about unconditionally sound confidential assets, which is a bit harder
mircea_popescu this is altogether dubious. as far as bitcoin works today, in order to spend you must reference an extant transaction. no qc will help you make people's copies of the blockchain contain an inexistent transaction.
mircea_popescu spending others' bitcoins is a different problem from printing bitcoins on your own, and "silently" is yet another layer on that.
andytoshi yes, fine, i know. i'm not talking about the actual bitcoin system
bascule andytoshi: there are remarkably few problems where the ability to break 1 vs n discrete logs is helpful. I think I'm working on one of them... it's not exactly an area where that's something you want to formulate a defense around
mircea_popescu ah ok.
andytoshi bascule: yeah, i think this is the first time i've ever encountered this being a useful distinction
andytoshi well, actually bitcoin (the real bitcoin :P) is kinda an example because there are a lot of public keys floating around that have money associated to them, and breaking any one of them lets you steal
andytoshi (though not silently, and not in an inflating way)
mircea_popescu the bitcoin key scheme is a little more complex though. not just ec.
andytoshi yeah, agreed. most keys are not exposed like this because they aren't EC group keys
andytoshi it's only those that have been used before, and the underlying EC key exposed
bascule andytoshi: that's a multitarget attack... but that's a boring example of the property I'm talking about
mircea_popescu in principle the address is a ripemd of a sha of the public key. but yes, you can also find the public key by finding previous txn spent from that address.

bascule sure each key you break provides incremental value
bascule that's different from "you have to break N discrete logs to break X"
andytoshi bascule: ah, true! i guess then my current problem is the first one i've encountered where "you have to break N discrete logs to break X" actually applies..
bascule because in the case of "you have to break N discrete logs" the question becomes "how big should N be?"
andytoshi well, in my case N is "big enough that Wagner's algorithm is tractable given all the discrete logs"
mircea_popescu this entire discussion vaguely reminds me of a well known naggum piecew
mircea_popescu to be specific.
bascule mircea_popescu: haha the YAGNI argument
bascule funny thing about YAGNI
bascule the acronym swings both ways
mircea_popescu not really how it reads to me.
mircea_popescu long before it becomes a discussion as to whether yagni or yangni, one has to be seated at the table, and that requires passing the more pressing fogotp[xviii] caudine forks.
mircea_popescu dennis hopper does a great statement of that, if you've seen seek and destroy.
bascule mircea_popescu: I can't tell what that person is arguing
mircea_popescu who ?
bascule but it sounds like "you aren't going to need it"
bascule o_O
bascule I'll give you three guesses, and the first two don't count
mircea_popescu the matter isn't whether you are or aren't going to need it. before we get to that, we're stuck with "are you even going to be there".
mircea_popescu that's what he's arguing : that you aren't even going to be there, to need anything or not need it.
bascule in 20/20 hindsight, this looks so very very quaint
bascule "The only applications I know of that require multiple
bascule gigabytes of memory (and then tens of gigabytes) are those that require
bascule multiple terabytes of disk space"
bascule (let me introduce you to zkSNARKs)[xix]
mircea_popescu you are aware that you're producing a circular argument, yes ?
bascule the gigantic paragraph of shit in the middle of the email is riddled with statements like that
bascule are you fucking kidding me?
bascule this email may be "I can't imagine a future where more than 1 out of 1000 humans will actually have a need for electrical power"
mircea_popescu simply relabelling the imaginary work to be done from "reversing 20k wide matrix" to "blablaznarks" does not improve the standing of the child trying to fiddle with father's tools.
mircea_popescu so no, today as then, the only items actually needing gbs of memory also need tbs of disk space.
bascule the only conclusion I can draw from this email is this person is a moron
mircea_popescu yes, but the conclusions you draw tend to speak about you rather than about the world.
mircea_popescu let me know when you actually run an application that uses gbs of memory, i might have a better impression of them things then.[xx]

sarnold bascule: eh I thought they were fun stories of how hard it used to be to collect a byte of data
sarnold bascule: nowadays we have more bytes of data than we can shake a stick at
mircea_popescu and we have to shake a lot of sticks at them to get actual data out of the deluge, too ;/

Such are my days and times. How about yours ?

  1. Turns out I had been there cca July 2014, but very little has changed in the intervening three years' experience :

    mircea_popescu any advice on how to deal with people proposing specific measures to "harden" various crypto against "quantum computing" ?
    mcpherrin mircea_popescu: there's plenty of papers on post-quantum cryptography.
    mircea_popescu i know ;/

    Hopefully they find a new pin-up dollie soon enough, this one's getting full.

  2. To save myself the effort later,

    cat crypto.log | grep -Pv "\*\t" | cut -f4- -d " " | sed 's%>%</b>%' | sed 's/</<b>/' > crtpyo.txt

    -P turns on perl-style notation which then requires the \ before the *.

  3. This is not actually true. The site he links specifically says

    Entropy is collected from an avalanche diode circuit and optionally an RF circuit, whitened and presented over a USB/Serial connection.

  4. Old name for significant owners with some involvement in conducting the day-to-day affairs of a company. This is not the same as officers (such as say the CEO) -- with regards to the principals, the officers fulfill the agent portion of the principal-agent relationship.
  5. It's very dubious what this driver would do, but then again I'm no NetBSD expert. In any case, the implication that I stand to lose something in this race is lulzy in itself.

  6. A. This doesn't fit with my worldview.
    B. The idea is to make your worldview untenable.
    A. No, the guy is just a jerk.

    Fancy that wonder.

  7. I expect he also imagines he needs "just the facts".
  8. The question is still open. Mylord phf knows the guy, but that says little about how both github and pkgsrc stand empty on that name.
  9. You might be totally shocked by the fact that no, the fellow really had nothing else to say after all.
  10. And we shall soon get a load of this expertise. I hope you have your Ito calculus at the ready.
  11. No, this is not a mistake. There is such a thing as flexion in Latin, even if you don't much encounter it in English.
  12. If anyone feels inclined to delve, please do. Le sigh what ?
  13. This mystery was eventually unraveled. Spoiler : it turns out they all drank from the same waterhole and someone dropped a little methylene blue in it so now they piss unphysiological colors.

    The >9000 irony crit being that alf's site is actually linked in there.

  14. This is not so unlike claiming that there exists a "malicious level", and building your tower to be level with such a level will crumble it. I suppose this is how the whole "global warming" pseudoscience was concocted at the micro level : they threw out the "malicious data". It's a rather powerful concept as far as folly goes. (The notion is not novel, by the way -- the classical Japanese had it, something with spirits flying.)
  15. This sigh is actually quite substantial. How is one supposed to get any work done without the bots ? And without the knowledge of the bots being there to bridge the various gaps of circumstance, how is one to motivate himself to even do the work ?

    TMSR. No small matter, because anything else makes you dumber.

  16. I hope you're taking down all this mathematical expertise. Yes ?
  17. You knew it was coming to this.
  18. Fuck Or Get Off The Pig.
  19. You know, "whole idea behind zcash / here's an Ethereum blabla". He has no idea who he's talking to, obviously, and this is okay. Why is it okay ? Because people tend to be more polite!

    I'm sure they are, and I shit in their stupid mother's gaping cunts.

  20. Because obviously.
Category: Meta psihoza

5 Responses

  1. The Circlejerk.

  2. Mircea Popescu
    Monday, 1 May 2017

    Well said.

  3. Satoshi Nakawaka
    Sunday, 7 May 2017

    Wiped out in timeout, damn, if only I had saved the copy, it would be here. I hope you saved one when it threw it away. Not that it matters anyhoo.

  1. [...] yes ? It meant about the same before, back when a factory was the place where the factors (ie, agents) gathered, to pile up and crudely process the furs they bought from the native hunters, some four [...]

  2. [...] you perhaps are aware, we had some fun with the "area of expertise in mathematical cryptography one expects to find" this month. Nevertheless, NSA will continue its work, designing and manufacturing the future of [...]
