

Transcript for 17-05-2016, 120 lines:

03:01:34 funkenstein_: http://log.bitcoin-assets.com/?date=14-05-2016#1447035 <-- wait what?

03:01:34 assbot: Logged on 14-05-2016 15:26:47; Apocalyptic: otherwise it's a neat way to produce curves over large prime fields that have prime order and thus look "ok", but where the DLP can be trivially solved

03:02:52 funkenstein_: Koblitz says "It should be noted that in the case of elliptic curves over prime fields, no new classes of weak elliptic curves have been discovered since 1997. In particular, no weaknesses in the NIST curves have been discovered since they were proposed around 18 years ago."

03:05:55 funkenstein_: but "so and so says" isn't really much in this game

03:11:12 funkenstein_: scratch all that, how about - thanks for your reply - can you produce such a curve and show me how to solve the DLP?

08:20:49 kakobrekla: prepare to fall off your chair https://bugs.chromium.org/p/project-zero/issues/detail?id=820

08:21:32 kakobrekla: and dont forget to check the first reply

14:22:00 asciilifeform: kakobrekla: lulzy. but not first time av gets raped

15:45:19 pigeons: i love it when firewalls and intrusion detection systems and antivirus get you owned

15:45:31 pigeons: worse than if you didnt use them

15:45:47 kakobrekla: doesnt happen often enough

15:48:38 thestringpuller: whoa pigeons haven't seen you in awhile

15:49:16 pigeons: i heard this channel was less silly recently

15:49:34 kakobrekla: http://arstechnica.com/tech-policy/2016/05/feds-say-suspect-should-rot-in-prison-for-refusing-to-decrypt-drives/

15:49:50 kakobrekla: pigeons i hear complaints its less everything

15:50:02 thestringpuller: less complaints?

15:50:24 kakobrekla: but it is what you make of it. news at 11. although news here are at 7.

17:49:11 pankkake: http://nymag.com/thecut/2016/05/look-a-new-device-that-talks-to-your-tampon.html we're getting closer to the literal internet of shit

17:49:26 pankkake: less everything = i can read it and have a life

17:57:17 fluffypony: can't wait for Smart Toilet Paper

17:58:21 kakobrekla: http://log.bitcoin-assets.com/?date=17-05-2016#1447096 < oh the life without a demagogue

17:58:21 assbot: Logged on 17-05-2016 17:49:26; pankkake: less everything = i can read it and have a life

20:00:25 Apocalyptic: funkenstein_: yeah I could but I guess it's better if you read the original paper available at http://www.monnerat.info/publications/anomalous.pdf

20:01:25 funkenstein_: hey thanks, I'll check it out :)

20:13:18 funkenstein_: 1728 eh? that makes me even more curious

20:24:34 funkenstein_: such curves which have group orders equal to the order of the field should be easy to detect

20:33:30 funkenstein_: sure as fuck is disconcerting though to somebody like me without enough background in the field

20:39:15 asciilifeform: funkenstein_: ecc is fundamentally evil

20:39:38 asciilifeform: because - among other reasons - it contains this - entirely unnecessary, in, e.g., rsa - 'moving part'

20:39:42 asciilifeform: i.e. the curve

20:40:04 asciilifeform: and you can readily tell, without ~any mathematical education, that it is a work of evil,

20:40:12 asciilifeform: purely from how - and by whom - it was pushed

20:40:39 asciilifeform: e.g., the entirely spurious claims of 'bitwise security equivalence of k-bit ecc with m-bit rsa', where k<m

20:41:07 funkenstein_: and the "this is also a great random number generator"

20:42:34 asciilifeform: prng is a braindamaged concept regardless of how it is done

20:42:43 funkenstein_: so you really think these curves are broken and some folks can take anyone's coin at anytime?

20:43:04 asciilifeform: funkenstein_: depends what you mean by 'broken'.

20:43:25 asciilifeform: more of a 'breakable'.

20:44:46 asciilifeform: funkenstein_: here is an illustration of the concept:

20:44:47 asciilifeform: http://phuctor.nosuchlabs.com/gpgkey/3C76C921ACD9ED4BE60ECD06C341CD8F18952E398C63CD4C958503DA9E42C1B2

20:45:00 asciilifeform: ^ was 'breakable' for decades

20:45:05 asciilifeform: but not 'broken' until last month.

20:45:11 asciilifeform: (afaik)

20:45:41 funkenstein_: well this is a good example of how ECC might give improvement

20:46:53 asciilifeform: how?!

20:47:18 funkenstein_: if I'm joe at assist.mil, and I need a privkey...

20:47:39 funkenstein_: do I roll dice or go download "privkey generator" from my phriends down the road?

20:48:10 funkenstein_: but that brings up another question

20:48:14 asciilifeform: phun phakt: u.s. *.mil are not permitted to generate own keys

20:48:18 asciilifeform: they are issued keys by nsa.

20:48:27 asciilifeform: on (until quite recently) paper tape.

20:48:31 funkenstein_: yeah that one gets me lolling every time :)

20:49:04 funkenstein_: but makes sense in the "you belong to me now" kind of way

20:49:33 asciilifeform: ( see my old article, http://www.loper-os.org/?p=1323 , for some theories re the origin of this custom )

20:49:40 funkenstein_: ^ classic

20:50:02 funkenstein_: my question though..

20:50:51 funkenstein_: there are various moduli which one could use as a privkey which lead to broken crypto

20:51:04 funkenstein_: (in RSA)

20:51:13 funkenstein_: there are also various curves in ECDSA which lead to broken crypto

20:51:52 funkenstein_: are there also various points, i.e. numbers to stick into privkey field, which lead to broken crypto in ecdsa?

20:52:03 asciilifeform: afaik this is unknown.

20:52:29 asciilifeform: but generally every cipher system, symmetric or asymmetric, has a non-null set of 'weak key'

20:53:51 asciilifeform: systems having 'magic numbers', such as ecc, on top of this give you a collective simultaneous fucking of everyone who used a weak magic

20:54:11 asciilifeform: possibly decades after the fact.

20:54:56 asciilifeform: bitcoin users live with ecc largely for the same reason they live with the 1,001 other crocks of shit

20:55:14 asciilifeform: (namely, satoshi's thing is a permanent schelling point and there is no actual choice)

20:56:08 asciilifeform: somehow the fact that nsa did not standardize secp256k1 is thought to argue in its favour, but this is poppycock if you think about it - there is no public info re how broad the class of naturally-occurring weak curve is.

20:57:03 funkenstein_: yeah, i'm not entirely convinced that everything hitler touched is evil nor that what he didn't touch is gold

20:57:53 asciilifeform: today, just as decade ago, i see 0 practical arguments in favour of ecc

20:58:09 asciilifeform: ('saves bandwidth' is not an argument, we aren't stuck on 300 baud modem)

20:58:19 funkenstein_: privkey generation fits in head

20:58:43 asciilifeform: on what planet ?!

20:58:54 funkenstein_: or rather, can be done in the woods on bark

20:59:26 asciilifeform: you will do the ecc also in bark ?

21:00:29 funkenstein_: of course not but at least I can have full confidence in my key entropy

21:00:58 funkenstein_: of course a privkey isn't much use without calculating the pubkey that goes with it

21:01:39 asciilifeform: realize that you could deterministically turn the same set of dice tosses into an rsa key

21:01:41 asciilifeform: just as easily

21:02:34 funkenstein_: i think that one needs a writeup

21:02:42 funkenstein_: for idiots like me :)

21:02:53 asciilifeform: read, e.g., src of gnupg

21:02:58 asciilifeform: to see how rsa key is generated.

21:03:27 funkenstein_: as i understand it a lot more dice throws are needed because many have to be thrown out (as they don't lead to primes)

21:03:37 funkenstein_: as well as a lot of primality checking

21:03:44 asciilifeform: (essentially, you obtain a random bit string of certain length, and find the next prime after the integer it represents which meets certain tests)

21:03:48 asciilifeform: and then you do it again.

21:03:55 funkenstein_: ah ok

21:03:56 asciilifeform: this gives you p and q.

21:04:33 funkenstein_: so primes with large gaps below them are selected preferentially

21:04:35 asciilifeform: and no, you don't throw it out, one is never far from a prime

21:05:12 asciilifeform: ;;google prime number theorem

21:05:13 gribble: Error: We broke The Google!

21:05:26 asciilifeform: http://mathworld.wolfram.com/PrimeNumberTheorem.html << try this one

21:06:18 funkenstein_: in the algo you describe, primes are not equally likely to be chosen

21:06:36 funkenstein_: which probably doesn't matter

21:06:47 asciilifeform: funkenstein_: what's the logic here

21:07:07 funkenstein_: the second of a twin prime is exceedingly unlikely to be chosen

21:07:49 asciilifeform: why?

21:08:08 funkenstein_: there is only a single random number which will lead to its selection

21:09:12 funkenstein_: if i pick 20,21, or 22, all lead to the choice "23"

21:09:43 funkenstein_: so "23" is three times more likely than "31"

21:10:31 asciilifeform: in actual implementations, there is also a series of tests for 'strong prime', and being 'first in twin pair' is actually an instant-winner, and is preferred

21:10:55 asciilifeform: so the classes of primes used are even narrower than supposed in the schoolbook description

21:12:11 asciilifeform: see 'pollard rho' algorithm as to why.

21:15:53 funkenstein_: anyway you can see how I imagine the specification of an RSA key is somewhat more tricky than the ECC "any number between 0 and FFFFFFFFbla"

21:16:13 asciilifeform: funkenstein_: my point was that you can also specify rsa that way:

21:16:27 asciilifeform: 'the next appropriate rsa modulus after integer 0 ... FFFFFFF...'

21:16:45 asciilifeform: the difference is wholly accidental

21:23:28 funkenstein_: it's too bad there's no one time pad DSA isn't it

21:27:38 asciilifeform: funkenstein_: the otp equiv. for signature is lamport's scheme

21:28:45 funkenstein_: aha!

21:28:51 funkenstein_: ty

21:29:37 funkenstein_: incidentally do you think a yet-another-altcoin built with RSA would be not entirely a waste of time?

21:30:59 asciilifeform: surely not waste.