Transcript for 17-05-2016, 120 lines:
03:01:34 funkenstein_: http://log.bitcoin-assets.com/?date=14-05-2016#1447035 <-- wait what?
03:01:34 assbot: Logged on 14-05-2016 15:26:47; Apocalyptic: otherwise it's a neat way to produce curves over large prime fields that have prime order and thus look "ok", but where the DLP can be trivially solved
03:02:52 funkenstein_: Koblitz says "It should be noted that in the case of elliptic curves over prime fields, no new classes of weak elliptic curves have been discovered since 1997. In particular, no weaknesses in the NIST curves have been discovered since they were proposed around 18 years ago."
03:05:55 funkenstein_: but "so and so says" isn't really much in this game
03:11:12 funkenstein_: scratch all that, how about - thanks for your reply - can you produce such a curve and show me how to solve the DLP?
08:20:49 kakobrekla: prepare to fall off your chair https://bugs.chromium.org/p/project-zero/issues/detail?id=820
08:21:32 kakobrekla: and don't forget to check the first reply
14:22:00 asciilifeform: kakobrekla: lulzy. but not first time av gets raped
15:45:19 pigeons: i love it when firewalls and intrusion detection systems and antivirus get you owned
15:45:31 pigeons: worse than if you didn't use them
15:45:47 kakobrekla: doesn't happen often enough
15:48:38 thestringpuller: whoa pigeons haven't seen you in a while
15:49:16 pigeons: i heard this channel was less silly recently
15:49:50 kakobrekla: pigeons i hear complaints its less everything
15:50:02 thestringpuller: less complaints?
15:50:24 kakobrekla: but it is what you make of it. news at 11. although news here are at 7.
17:49:11 pankkake: http://nymag.com/thecut/2016/05/look-a-new-device-that-talks-to-your-tampon.html we're getting closer to the literal internet of shit
17:49:26 pankkake: less everything = i can read it and have a life
17:57:17 fluffypony: can't wait for Smart Toilet Paper
17:58:21 kakobrekla: http://log.bitcoin-assets.com/?date=17-05-2016#1447096 < oh the life without a demagogue
17:58:21 assbot: Logged on 17-05-2016 17:49:26; pankkake: less everything = i can read it and have a life
20:00:25 Apocalyptic: funkenstein_: yeah I could but I guess it's better if you read the original paper available at http://www.monnerat.info/publications/anomalous.pdf
20:01:25 funkenstein_: hey thanks, I'll check it out :)
20:13:18 funkenstein_: 1728 eh? that makes me even more curious
20:24:34 funkenstein_: such curves which have group orders equal to the order of the field should be easy to detect
20:33:30 funkenstein_: sure as fuck is disconcerting though to somebody like me without enough background in the field
20:39:15 asciilifeform: funkenstein_: ecc is fundamentally evil
20:39:38 asciilifeform: because - among other reasons - it contains this - entirely unnecessary, in, e.g., rsa - 'moving part'
20:39:42 asciilifeform: i.e. the curve
20:40:04 asciilifeform: and you can readily tell, without ~any mathematical education, that it is a work of evil,
20:40:12 asciilifeform: purely from how - and by whom - it was pushed
20:40:39 asciilifeform: e.g., the entirely spurious claims of 'bitwise security equivalence of k-bit ecc with m-bit rsa', where k<m
20:41:07 funkenstein_: and the "this is also a great random number generator"
20:42:34 asciilifeform: prng is a braindamaged concept regardless of how it is done
20:42:43 funkenstein_: so you really think these curves are broken and some folks can take anyone's coin at anytime?
20:43:04 asciilifeform: funkenstein_: depends what you mean by 'broken'.
20:43:25 asciilifeform: more of a 'breakable'.
20:44:46 asciilifeform: funkenstein_: here is an illustration of the concept:
20:45:00 asciilifeform: ^ was 'breakable' for decades
20:45:05 asciilifeform: but not 'broken' until last month.
20:45:11 asciilifeform: (afaik)
20:45:41 funkenstein_: well this is a good example of how ECC might give improvement
20:46:53 asciilifeform: how?!
20:47:18 funkenstein_: if I'm joe at assist.mil, and I need a privkey...
20:47:39 funkenstein_: do I roll dice or go download "privkey generator" from my phriends down the road?
20:48:10 funkenstein_: but that brings up another question
20:48:14 asciilifeform: phun phakt: u.s. *.mil are not permitted to generate own keys
20:48:18 asciilifeform: they are issued keys by nsa.
20:48:27 asciilifeform: on (until quite recently) paper tape.
20:48:31 funkenstein_: yeah that one gets me lolling every time :)
20:49:04 funkenstein_: but makes sense in the "you belong to me now" kind of way
20:49:40 funkenstein_: ^ classic
20:50:02 funkenstein_: my question though..
20:50:51 funkenstein_: there are various moduli which one could use as a privkey which lead to broken crypto
20:51:04 funkenstein_: (in RSA)
20:51:13 funkenstein_: there are also various curves in ECDSA which lead to broken crypto
20:51:52 funkenstein_: are there also various points, i.e. numbers to stick into privkey field, which lead to broken crypto in ecdsa?
20:52:03 asciilifeform: afaik this is unknown.
20:52:29 asciilifeform: but generally every cipher system, symmetric or asymmetric, has a non-null set of 'weak keys'
20:53:51 asciilifeform: systems having 'magic numbers', such as ecc, on top of this give you a collective simultaneous fucking of everyone who used a weak magic
20:54:11 asciilifeform: possibly decades after the fact.
20:54:56 asciilifeform: bitcoin users live with ecc largely for the same reason they live with the 1,001 other crocks of shit
20:55:14 asciilifeform: (namely, satoshi's thing is a permanent schelling point and there is no actual choice)
20:56:08 asciilifeform: somehow the fact that nsa did not standardize secp256k1 is thought to argue in its favour, but this is poppycock if you think about it - there is no public info re how broad the class of naturally-occurring weak curves is.
20:57:03 funkenstein_: yeah, i'm not entirely convinced that everything hitler touched is evil nor that what he didn't touch is gold
20:57:53 asciilifeform: today, just as decade ago, i see 0 practical arguments in favour of ecc
20:58:09 asciilifeform: ('saves bandwidth' is not an argument, we aren't stuck on 300 baud modem)
20:58:19 funkenstein_: privkey generation fits in head
20:58:43 asciilifeform: on what planet ?!
20:58:54 funkenstein_: or rather, can be done in the woods on bark
20:59:26 asciilifeform: you will do the ecc also in bark ?
21:00:29 funkenstein_: of course not but at least I can have full confidence in my key entropy
21:00:58 funkenstein_: of course a privkey isn't much use without calculating the pubkey that goes with it
21:01:39 asciilifeform: realize that you could deterministically turn the same set of dice tosses into an rsa key
21:01:41 asciilifeform: just as easily
21:02:34 funkenstein_: i think that one needs a writeup
21:02:42 funkenstein_: for idiots like me :)
21:02:53 asciilifeform: read, e.g., src of gnupg
21:02:58 asciilifeform: to see how rsa key is generated.
21:03:27 funkenstein_: as i understand it a lot more dice throws are needed because many have to be thrown out (as they don't lead to primes)
21:03:37 funkenstein_: as well as a lot of primality checking
21:03:44 asciilifeform: (essentially, you obtain a random bit string of certain length, and find the next prime after the integer it represents which meets certain tests)
21:03:48 asciilifeform: and then you do it again.
21:03:55 funkenstein_: ah ok
21:03:56 asciilifeform: this gives you p and q.
21:04:33 funkenstein_: so primes with large gaps below them are selected preferentially
21:04:35 asciilifeform: and no, you don't throw it out, one is never far from a prime
21:05:12 asciilifeform: ;;google prime number theorem
21:05:13 gribble: Error: We broke The Google!
21:05:26 asciilifeform: http://mathworld.wolfram.com/PrimeNumberTheorem.html << try this one
21:06:18 funkenstein_: in the algo you describe, primes are not equally likely to be chosen
21:06:36 funkenstein_: which probably doesn't matter
21:06:47 asciilifeform: funkenstein_: what's the logic here
21:07:07 funkenstein_: the second of a twin prime is exceedingly unlikely to be chosen
21:07:49 asciilifeform: why?
21:08:08 funkenstein_: there is only a single random number which will lead to its selection
21:09:12 funkenstein_: if i pick 20,21, or 22, all lead to the choice "23"
21:09:43 funkenstein_: so "23" is three times more likely than "31"
21:10:31 asciilifeform: in actual implementations, there is also a series of tests for 'strong prime', and being 'first in twin pair' is actually an instant-winner, and is preferred
21:10:55 asciilifeform: so the classes of primes used are even narrower than supposed in the schoolbook description
21:12:11 asciilifeform: see 'pollard rho' algorithm as to why.
21:15:53 funkenstein_: anyway you can see how I imagine the specification of an RSA key is somewhat more tricky than the ECC "any number between 0 and FFFFFFFFbla"
21:16:13 asciilifeform: funkenstein_: my point was that you can also specify rsa that way:
21:16:27 asciilifeform: 'the next appropriate rsa modulus after integer 0 ... FFFFFFF...'
21:16:45 asciilifeform: the difference is wholly accidental
21:23:28 funkenstein_: it's too bad there's no one time pad DSA isn't it
21:27:38 asciilifeform: funkenstein_: the otp equiv. for signature is lamport's scheme
21:28:45 funkenstein_: aha!
21:28:51 funkenstein_: ty
21:29:37 funkenstein_: incidentally do you think a yet-another-altcoin built with RSA would be not entirely a waste of time?
21:30:59 asciilifeform: surely not waste.