The Most[i] Serene[ii] Republic, assembled in congress, decided:
- That all presently known block ciphers suck;
- That an actually useful block cipher is required for our own purposes[iii];
- That we will consider proposals from barbarians as well as citizens[iv].
Consequently, you are cordially invited to submit a proposal for a block cipher that:
- Works[v] on block sizes of 1 kbyte, 4 kbytes, 16 kbytes and 64 kbytes. Bonus points for ciphers that work on an arbitrary block size.
- Uses a 64 kbyte key.
- Fits In Head[vi].
- Items which come with a proof of hardness, as well as items that eschew basic arithmetic operations[vii] as implemented by computers, will be particularly favoured.
- While we will consider purely theoretical proposals, items which come with a sample implementation and assorted tests will be preferred.[viii]
The rewards will be a 10 BTC payment from me, as well as an honoris causa position in the very Lordship. Let the party begin!
———
i. More so than anything else.
ii. This denotes that it is sovereign.
iii. Which are, quite transparently, the destruction of any other pretend-sovereign and the enslavement of its supporters.
iv. Citizenship revolves around presence in the WoT.
v. The difference between works and "works" is best illustrated by the discussion of Keccak.
vi. This means that the intelligent reader can hold the entire item in his mind at the same time. In this sense Fermat's theorem is an example of FIH, even if the proof hardly qualifies; whereas Maxwell's original equations are not an example of FIH, even if Heaviside's restatement is.
vii. To understand this point, the relevant discussion:
mircea_popescu asciilifeform if you feel like entertaining some crackpottery, suppose a hash function defined as follows: a) calculate P_M; p_M; P_!M; p_!M, where P and p are the perimeters of polygons of M sides circumscribing and inscribed respectively in the same circle, and !M is the bitwise negation of M; b) calculate V1 = 2 p_M P_M / (P_M + p_M); V2 = sqrt(p_M P_M); V3 = 2 p_!M P_!M / (P_!M + p_!M); V4 = sqrt(p_!M P_!M); c) calculate H = (V1 - V2) * (V3 - V4) and finally d) return blocksize digits from the key-th position in H. How'd you go about attacking this?
asciilifeform I would have to think about it. But Gauss could prolly tell you right now! Wake 'im up.
mircea_popescu lol. (basically - they're the classical (Archimedean!) approximations of Pi, for the text and reversed text, to an arbitrary precision. Makes for an eminently tunable hash function).
asciilifeform Terrible hash function. Bailey, Borwein, & Plouffe.
mircea_popescu Do you see what I did here?
asciilifeform (IIRC Plouffe was the worker bee and the other 2 were parasites).
mircea_popescu It is apparently a lot easier to follow math in words than in symbols, EVEN FOR YOU.
asciilifeform Actually I am writing it out in symbols!111111 Why the bitwise negation?
mircea_popescu HA! You took a second to answer after my 2nd line, minutes after the first produced nothing! Timing attack on your brain!
asciilifeform Clearly!1
mircea_popescu Anyway - being able to calculate Pi itself does not actually help here, because we're specifically collecting the noise of the formula against the text and its mirror, rather than Pi itself. Hence the subtractions.
asciilifeform The root ops go poorly with bit arithmetic.
mircea_popescu So they do. GOOD. Fuck the fucking computing-centric paradigm in cryptography. It's your tool not your fucking master.
asciilifeform Then let's have the candle.
mircea_popescu No. It's your tool, it must be used.
asciilifeform Then you're stuck with wandering decimal crud. And titanic lookup tables, etc.
mircea_popescu Sure. Anyway bignum operations are a solved problem. Even in Lisp.
asciilifeform 'even' l0l
mircea_popescu :)
asciilifeform But decimal soup is still ick
mircea_popescu Good.
asciilifeform You won't have repeatable output.
mircea_popescu So?
asciilifeform No repeat, no decrypt.
mircea_popescu Hash function not cipher
asciilifeform Then works.
* mircea_popescu is still curious to hear how people'd attack, if anyone cares. Esp re preimage.
asciilifeform I will prolly care. on the train, some time soon.
mircea_popescu The reason I give it is mostly didactic. It plainly shows what I mean re proper use of math and treating your computer like a tool to do a job rather than treating your job as something to be adjusted to fit the computer - without having to delve into complexities and subtleties of number theory etc. Something as commonplace as "use the intervals of confidence of a polynomial method to estimate a transcendent" is really good enough. And it exhibits all those important properties: such as, you can ~actually~ use infinite message, and you can also use any arbitrary padding you like, up to infinity - the hash function won't complain. And you can want it to shit out any block size you want it to shit out - also won't complain, but give EQUALLY MEANINGFUL results. Whether you ask for 3 or 13 or 294 digits.
asciilifeform I am quite certain that you knew this, but pretty much all published block ciphers date to the dark ages, when transistor was painfully expensive
mircea_popescu I do. Still, some points have to be made. REPEATEDLY. Also, this is NOT a block cipher, but anyway.
asciilifeform Age of cheap transistor had a faux-renaissance where folks used the cheap transistors for elaborate self-delusion - 'this is sooo complicated, nobody!1111 could crack', which led to a pile of corpses and a reaction.
mircea_popescu Quite. Whereas the correct solution is to stick to the math. computers are fucking tractors not farm designers.
asciilifeform Which enemy, naturally, took full advantage of. And here we are, somewhere after this.
viii. If you are unsure as to how this sort of submission should ideally look, djb's excellent salsa20 page should provide some good pointers.
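The "crackpottery" hash in footnote vii, written out as runnable code so the "how'd you go about attacking this" question can be tried rather than argued. This is an added example, not code from the post or from either participant; the chat leaves several details open and the code fixes them as follows (all assumptions, not the author's choices): the message is read as a big-endian integer M; !M is the bitwise complement of M within the message's own bit width; the circle has diameter 1, so p_M = M sin(pi/M) and P_M = M tan(pi/M) are Archimedes' inscribed and circumscribed perimeters that bracket pi; and "blocksize digits from the key-th position in H" means a window into the significant decimal digits of H. The function names are invented here. The `stable_hash` wrapper is the check asciilifeform's "decimal soup" objection calls for: the same window is computed at two working precisions and refused unless they agree. One thing the definition gives away on its own, under any width-preserving reading of !M: H is symmetric in M and !M, so a message and its bitwise complement hash to exactly the same H, which is a free second preimage.

```python
# Added example: a toy of the Archimedean "pi-noise" hash sketched in footnote vii.
# Not the author's code. Details the chat leaves open are marked ASSUMPTION.
from decimal import Decimal, getcontext, localcontext


def _eps():
    """Series cut-off a little below the current working precision."""
    return Decimal(10) ** -(getcontext().prec + 2)


def _arctan_inv(n):
    """arctan(1/n) by its Taylor series at the current context precision."""
    x = 1 / Decimal(n)
    x2, eps = x * x, _eps()
    total = power = x          # power tracks x**k for odd k
    k, sign = 1, 1
    while abs(power) > eps:
        power *= x2
        k += 2
        sign = -sign
        total += sign * power / k
    return total


def _pi():
    """pi by Machin's formula: 16*arctan(1/5) - 4*arctan(1/239)."""
    return 16 * _arctan_inv(5) - 4 * _arctan_inv(239)


def _sin(x):
    """sin(x) by its Taylor series at the current context precision."""
    x2, eps = x * x, _eps()
    total = term = x
    k = 1
    while abs(term) > eps:
        term = -term * x2 / ((k + 1) * (k + 2))
        k += 2
        total += term
    return total


def _perimeters(m, pi):
    """(inscribed, circumscribed) perimeter of a regular m-gon on a circle of
    diameter 1 (ASSUMPTION: Archimedes' normalisation, so both bracket pi).
    m >= 3 keeps pi/m <= pi/3, so cos = sqrt(1 - sin^2) is positive."""
    s = _sin(pi / m)
    c = (1 - s * s).sqrt()
    return m * s, m * s / c            # m*sin(pi/m), m*tan(pi/m)


def _means(p, P):
    """Harmonic mean (V1 / V3) and geometric mean (V2 / V4) of the perimeters."""
    return 2 * p * P / (p + P), (p * P).sqrt()


def message_ints(message):
    """M = message as a big-endian integer; !M = complement of M within the
    message's own bit width (ASSUMPTION: the chat does not fix a width)."""
    if not message:
        raise ValueError("empty message")
    m = int.from_bytes(message, "big")
    return m, m ^ ((1 << (8 * len(message))) - 1)


def pi_noise_h(message, prec):
    """H = (V1 - V2) * (V3 - V4), evaluated with `prec` working digits."""
    m, m_neg = message_ints(message)
    if m < 3 or m_neg < 3:
        raise ValueError("M and !M must both be >= 3: a polygon needs three sides")
    with localcontext() as ctx:
        ctx.prec = prec
        pi = _pi()
        v1, v2 = _means(*_perimeters(Decimal(m), pi))
        v3, v4 = _means(*_perimeters(Decimal(m_neg), pi))
        return (v1 - v2) * (v3 - v4)


def pi_noise_hash(message, key, blocksize, prec=300):
    """`blocksize` decimal digits of H starting at 0-based offset `key` into
    H's significant digits (ASSUMPTION: that is what "digits of H" means)."""
    digits = "".join(str(d) for d in pi_noise_h(message, prec).as_tuple().digits)
    if key + blocksize > len(digits):
        raise ValueError("working precision too low for the requested window")
    return digits[key:key + blocksize]


def stable_hash(message, key, blocksize, prec=300):
    """Recompute the window at a higher precision and refuse to return digits the
    two runs disagree on. V1 - V2 cancels about 4*log10(M) digits and V3 - V4
    about 4*log10(!M): each message byte costs roughly 20 digits of precision."""
    a = pi_noise_hash(message, key, blocksize, prec)
    b = pi_noise_hash(message, key, blocksize, prec + 40)
    if a != b:
        raise ArithmeticError("digit window not stable under higher precision; raise prec")
    return a


if __name__ == "__main__":
    msg = b"abcd"                                   # constructed sample input
    print(stable_hash(msg, 7, 32))
    print(stable_hash(bytes(b ^ 0xFF for b in msg), 7, 32))   # same H: M and !M swap
```

The precision cost is the practical objection in numbers: with a 4-byte message the default 300 digits leave a couple of hundred trustworthy digits of H, but the 1 kbyte blocks the post asks for would need on the order of twenty thousand working digits before the window is stable at all, since H shrinks like (M * !M)^-4 and the subtractions cancel that many digits. Messages whose M or !M is below 3 are rejected rather than silently producing a degenerate polygon.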