# Normal view

Before yesterdayNews from the Ada programming language world

# "Finite Field Arithmetic." Chapter 21A: Extended GCD and Modular Multiplicative Inverse. (Part 1 of 3)

1 May 2020 at 02:23

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

• All of the materials from the Chapters 1 through 15.
• There is no vpatch in Chapter 21A.
• For best results, please read this chapter on a colour display!

ACHTUNG: The subject of the Chapter 21 originally promised at the conclusion of Chapter 20 is postponed. That topic will be revisited later!

On account of the substantial heft of Chapter 21, I have cut it into three parts: 21A, 21B, and 21C. You are presently reading 21A, which consists strictly of an introduction to FFA's variant of the Extended GCD algorithm and its proof of correctness.

Recall that in Chapter 18C, we demonstrated the use of FFA and Peh to generate cryptographic primes, of the kind which are used in e.g. the RSA public key cryptosystem.

We also performed GPG-RSA signature verifications using Peh, and learned how to adapt traditional GPG public keys for use with it.

But why have we not yet seen how to generate a new RSA keypair ?

The still-missing mathematical ingredient is an operation known as the modular multiplicative inverse.

This is a process where, provided an integer N and a non-zero modulus M, we find (or fail to find -- its existence depends on the co-primality of the inputs) the integer X where:

NX ≡ 1 (mod M).

... or, in FFAistic terminology, where FFA_FZ_Modular_Multiply(N, X, M) would equal 1.

In RSA, this operation is used when deriving a public key corresponding to a given private key. (It is also used when ensuring that a selected pair of secret primes has certain properties.) The exact details of this process will be the subject of Chapter 22.

Typically, the modular multiplicative inverse is obtained via the Extended GCD algorithm. It differs from the ordinary GCD of Chapter 15 in that, when given inputs X, Y, it returns, in addition to their greatest common divisor, the Bezout coefficients: a pair of integers P, Q which satisfy the equation:

PX + QY = GCD(X,Y)

The modular multiplicative inverse of N modulo M exists strictly when GCD(N, M) = 1.

Therefore, in that case,

NX + MY = GCD(N,M) = 1

... which can be written as:

NX - 1 = (-Y)M

i.e.:

NX ≡ 1 (mod M).

The reader has probably already guessed that the typical heathen formulation of Extended GCD, i.e. one which uses a series of divisions with remainder, is unsuitable as a starting point for writing FFA's Extended GCD -- for the same reason as why the analogous Euclidean GCD was unsuitable (and rejected) for writing the ordinary GCD routine of Chapter 15. Division is the most expensive arithmetical operation, and it would have to be repeated a large number of times, while discarding many of the outputs (a la the old-style non-Barrettian modular exponentiation of Chapter 6.)

Fortunately, it is possible to write a much more efficient constant-spacetime algorithm for Extended GCD, rather closely similar to the one we used for ordinary GCD.

Our algorithm of choice for a properly FFAtronic Extended GCD will be very similar to the Binary Extended GCD pictured in Vanstone's Applied Cryptography.

However, in addition to constant-spacetime operation, our algorithm will differ from the traditional one by avoiding any internal use of signed arithmetic, and will produce outputs having the form :

PX - QY = GCD(X,Y)

Because the Extended GCD algorithm chosen for FFA is not wholly identical to any previously-published one, on account of having to satisfy the familiar requirements, I decided that a full proof of correctness for it ought to be given prior to publishing Chapter 21's Vpatch.

Let's proceed with deriving this algorithm and its correctness proof.

As a starting point, let's take the traditional non-constant-time Stein's GCD given as Algorithm 2 at the start of Chapter 15:

Iterative Quasi-Stein GCD from Chapter 15.

For integers A ≥ 0 and B ≥ 0:

1. Twos := 0
2. Iterate until B = 0:
3.    Ae, Be := IsEven(A), IsEven(B)
4.    A      := A >> Ae
5.    B      := B >> Be
6.    Twos   := Twos + (Ae AND Be)
7.    Bnext   := Min(A, B)
8.    Anext   := |A - B|
9.    A, B   := Anext, Bnext
10. A := A × 2Twos
11. A contains the GCD.

Now, suppose that Twos -- the common power-of-two factor of A and B -- were known at the start of the algorithm, and that it were to be divided out of both numbers prior to entering the loop. The rewritten algorithm could look like this:

Algorithm 1: Quasi-Stein GCD with "Twos" Removal.

For integers X ≥ 0 and Y ≥ 0:

1. Twos := Find_Common_Power_Of_Two_Factor(X, Y)
2. X    := X >> Twos
3. Y    := Y >> Twos
4. A    := X
5. B    := Y
6. Iterate until B = 0:
7.    A      := A >> IsEven(A)
8.    B      := B >> IsEven(B)
9.    Bnext   := Min(A, B)
10.    Anext   := |A - B|
11.    A, B   := Anext, Bnext
12. A := A << Twos
13. A contains GCD(X,Y).

Suppose that we have a correct definition of Find_Common_Power_Of_Two_Factor. (For now, let's merely suppose.)

Algorithm 1 will do precisely the same job as Iterative Quasi-Stein GCD. However, it has one new property -- presently useless -- of which we will later take advantage: because 2Twos (which could be 1, i.e. 20, if either input were odd to begin with) was divided out of X and Y in steps 2 and 3 -- upon entering the loop at step 7, at least one of X, Y can be now relied upon to be odd. (If X and Y were both equal to zero at the start, step 7 is never reached, and the algorithm terminates immediately.)

Now we want to extend Algorithm 1 to carry out Extended GCD.

First, let's introduce two pairs of additional variables. Each pair will represent the coefficients in an equation which states A or B in terms of multiples of X and Y: Ax, Ay for A; and Bx, By for B :

 A = AxX - AyY B = ByY - BxX

Elementarily, if we were to give these coefficients the following values:

 Ax := 1 Ay := 0 Bx := 0 By := 1

... both equations will hold true, regardless of the particular values of A and B.

Of course, this alone does not give us anything useful.

However, if we assign these base-case values to the coefficients at the start of the algorithm, and correctly adjust them every time we make a change to A or B, the equations will likewise hold true after the completion of the loop, and, in the end, it will necessarily be true that:

 AxX - AyY = GCD(X,Y)

... and, importantly, also true that :

 AxX - AyY = GCD(X,Y)

When A or B is divided by two, we will divide each of the coefficients in the corresponding pair (Ax, Ay or Bx, By respectively) likewise by two. When A and B switch roles, the pairs of coefficients will likewise switch roles. When A is subtracted from B, or vice-versa, the respective pairs will be likewise subtracted from one another, keeping the invariant.

In order to keep the invariant at all times, it will be necessary to apply certain transformations. The mechanics of these transformations will account for most of the moving parts of our Extended GCD algorithm.

To make it clear where we will want to put the new variables and the mechanisms for keeping the invariant, let's rewrite Algorithm 1 in traditional branched-logic form:

Algorithm 2. Quasi-Stein with Branched Logic.

1. Twos := Find_Common_Power_Of_Two_Factor(X, Y)
2. X    := X >> Twos
3. Y    := Y >> Twos
4. A    := X
5. B    := Y
6. Iterate until B = 0:
7.    If IsOdd(A) and IsOdd(B) :
8.       If B < A :
9.          A := A - B
10.       Else :
11.          B := B - A
12.    If IsEven(A) :
13.       A := A >> 1
14.    If IsEven(B) :
15.       B := B >> 1
16. A := A << Twos
17. A contains GCD(X,Y).

Now, let's work out what must be done to the coefficients Ax, Ay and Bx, By when we carry out the operations A - B and B - A (steps 9 and 11, respectively) to keep the invariant :

 A - B = (AxX - AyY) - (ByY - BxX) = (Ax + Bx)X - (Ay + By)Y B - A = (ByY - BxX) - (AxX - AyY) = (Ay + By)Y - (Ax + Bx)X

If we write these simplified expressions side-by-side with the original invariant equations :

 A = AxX - AyY A - B = (Ax + Bx)X - (Ay + By)Y B = ByY - BxX B - A = (Ay + By)Y - (Ax + Bx)X

... it becomes quite obvious. In both the A - B and the B - A cases, we only need to compute the sums Ax + Bx and Ay + By ; the only difference will consist of whether they must be assigned, respectively, to Ax, Ay or Bx, By.

Now, suppose we introduce these new parts into Algorithm 2, and end up with :

Algorithm 3. A naive attempt at Extended GCD.

1. Twos := Find_Common_Power_Of_Two_Factor(X, Y)
2. X    := X >> Twos
3. Y    := Y >> Twos
4. A    := X
5. B    := Y
6. Ax   := 1
7. Ay   := 0
8. Bx   := 0
9. By   := 1
10. Iterate until B = 0:
11.    If IsOdd(A) and IsOdd(B) :
12.       If B < A :
13.          A  := A - B
14.          Ax := Ax + Bx
15.          Ay := Ay + By
16.       Else :
17.          B  := B - A
18.          Bx := Bx + Ax
19.          By := By + Ay
20.    If IsEven(A) :
21.       A  := A  >> 1
22.       Ax := Ax >> 1
23.       Ay := Ay >> 1
24.    If IsEven(B) :
25.       B  := B  >> 1
26.       Bx := Bx >> 1
27.       By := By >> 1
28. A := A << Twos
29. A contains GCD(X,Y).
30. AxX - AyY = GCD(X,Y).

Unfortunately, Algorithm 3 will not work; the equation at step 30 will not hold true. And the attentive reader probably knows why.

For the inattentive: the erroneous logic is marked in red.

The problem is that we have no guarantee that Ax, Ay or Bx, By are in fact even at steps 22,23 and 26,27 where they are being divided by two. An entire bit of information "walks away into /dev/null" every time one of these coefficients turns out to have been odd. And then, the invariant no longer holds. Instead of correct coefficients Ax, Ay at step 30, we will end up with rubbish.

The pill needed here is known (according to D. Knuth) as Penk's Method. (I have not succeeded in discovering who, when, or where, Penk was. Do you know? Tell me! A reader found the works of Penk.)

This method, as it happens, is not complicated. And it looks like this:

Algorithm 4. Extended GCD with Penk's Method.

1. Twos := Find_Common_Power_Of_Two_Factor(X, Y)
2. X    := X >> Twos
3. Y    := Y >> Twos
4. A    := X
5. B    := Y
6. Ax   := 1
7. Ay   := 0
8. Bx   := 0
9. By   := 1
10. Iterate until B = 0:
11.    If IsOdd(A) and IsOdd(B) :
12.       If B < A :
13.          A  := A - B
14.          Ax := Ax + Bx
15.          Ay := Ay + By
16.       Else :
17.          B  := B - A
18.          Bx := Bx + Ax
19.          By := By + Ay
20.    If IsEven(A) :
21.       A  := A  >> 1
22.       If IsOdd(Ax) or IsOdd(Ay) :
23.          Ax := Ax + Y
24.          Ay := Ay + X
25.       Ax := Ax >> 1
26.       Ay := Ay >> 1
27.    If IsEven(B) :
28.       B  := B  >> 1
29.       If IsOdd(Bx) or IsOdd(By) :
30.          Bx := Bx + Y
31.          By := By + X
32.       Bx := Bx >> 1
33.       By := By >> 1
34. A := A << Twos
35. A contains GCD(X,Y).
36. AxX - AyY = GCD(X,Y).

Of course, for our purposes, it does not suffice to merely know what it looks like; we must also understand precisely why it is guaranteed to work !

At this point, the reader should be satisfied with the logic of the Odd-A-Odd-B case; and therefore knows that the invariant in fact holds when we first reach either of the two places where Penk's Method is applied.

Let's start by proving that what Penk does to Ax, Ay (in steps 22..24) and Bx, By (in steps 29..31) does not itself break the invariant.

Review the invariant again:

 A = AxX - AyY B = ByY - BxX

... and see that in the first case,

1.       If IsOdd(Ax) or IsOdd(Ay) :
2.          Ax := Ax + Y
3.          Ay := Ay + X

... the A invariant equation holds :

 (Ax + Y)X - (Ay + X)Y = (AxX + XY) - (AyY + XY) = AxX - AyY = A

And in the second case,

1.       If IsOdd(Bx) or IsOdd(By) :
2.          Bx := Bx + Y
3.          By := By + X

... the B invariant equation holds :

 (By + X)Y - (Bx + Y)X = (ByY + XY) - (BxX + XY) = ByY - BxX = B

The added X and Y terms simply cancel out in both cases.

However, it remains to be proven that Penk's Method actually resolves our problem, rather than merely avoids creating a new one; i.e. that these operations in fact guarantee the evenness of the coefficients prior to their division by two.

Let's demonstrate this for the Even-A case first; later, it will become apparent that the same approach works likewise in the Even-B case.

At the start of step 21, we know that A is even :

1.    If IsEven(A) :
2.       A  := A  >> 1
3.       If IsOdd(Ax) or IsOdd(Ay) :
4.          Ax := Ax + Y
5.          Ay := Ay + X

And, at all times, we know that X and Y cannot be even simultaneously (because we have divided out 2Twos from each of them.)

On top of all of this: since we graduated from kindergarten, we also know about the following properties of arithmetic operations upon odd and even numbers:

 +/- Odd Even Odd Even Odd Even Odd Even

Parity of Multiplication:

 × Odd Even Odd Odd Even Even Even Even

So, what then do we know about the parities of the working variables at step 21? Let's illustrate all possible combinations of parities, using the above colour scheme; and observe that we only need the A invariant equation for this. As it happens, there are exactly two possible combinations of parities for its terms :

 A = AxX - AyY A = AxX - AyY

Elementarily, given that A is even at this step, both terms of its invariant equation must have the same parity.

Let's produce a table where all possible combinations of parities of the variables having an unknown parity (Ax, Ay) are organized by the known parities of the variables having a known parity (X, Y, A).

In yellow, we will mark variables which could be either odd or even in a particular combination; in red, those which are known to be odd; in green, those known to be even; and in grey, those for which neither of the possible parities would make the known parities of X, Y, and A in that combination possible, and therefore imply a logical impossibility :

 Odd(X) Even(X) Odd(X) Odd(Y) Odd(Y) Even(Y) A = Ax X - Ay Y Ax X - Ay Y Ax X - Ay Y Ax X - Ay Y Ax X - Ay Y Ax X - Ay Y

Now, let's remove the two impossible entries from the above table:

 Odd(X) Even(X) Odd(X) Odd(Y) Odd(Y) Even(Y) A = Ax X - Ay Y A would be Odd! A would be Odd! Ax X - Ay Y Ax X - Ay Y Ax X - Ay Y

And now suppose that we have reached step 23. Therefore we already know that at least one of Ax and Ay is odd. Let's remove from the table the only entry where this is not true; and, finally, in all of the remaining entries, indicate the deduced parity of the variables whose parity was previously indeterminate :

 Odd(X) Even(X) Odd(X) Odd(Y) Odd(Y) Even(Y) A = Ax X - Ay Y A would be Odd! A would be Odd! Ax,Ay are Even Ax X - Ay Y Ax X - Ay Y

All of the parities are now determined.

We are left with only three possible combinations of parities of the terms of A which could exist at step 23. So let's list what happens to each of them when Penk's Method is applied, i.e. Y is added to Ax and X is added to Ay :

 Possible Parity Combos Parity of Ax + Y ? Parity of Ay + X ? A = Ax X - Ay Y Ax + Y = Even Ay + X = Even Ax X - Ay Y Ax + Y = Even Ay + X = Even Ax X - Ay Y Ax + Y = Even Ay + X = Even

In the Even-A case, Penk's Method works, QED. It is difficult to think of how this could be made more obvious. The parities on both sides of the + sign always match, and so we have forced both Ax and Ay to be even, without breaking the invariant equation for A.

And now, how about the Even-B case ? Suppose that we have reached step 30. Let's do the same thing as we have done for the Even-A case:

 B = ByY - BxX B = ByY - BxX

... does this remind you of anything you've seen before?

Instead of telling the nearly-same and rather tedious story twice, let's leave step 30 as an...

Chapter 21A, Exercise #1: Prove that Penk's Method is correct in the Even-B case.

Chapter 21A, Exercise #2: Why are simultaneously-even X and Y forbidden in this algorithm?

Now, we are ready to rewrite Algorithm 4, this time grouping any repeating terms together, as follows:

Algorithm 5. Extended GCD with Penk's Method and Unified Terms.

For integers X ≥ 1 and Y ≥ 0:

1. Twos := Find_Common_Power_Of_Two_Factor(X, Y)
2. X    := X >> Twos
3. Y    := Y >> Twos
4. A    := X
5. B    := Y
6. Ax   := 1
7. Ay   := 0
8. Bx   := 0
9. By   := 1
10. Iterate until B = 0:
11.    If IsOdd(A) and IsOdd(B) :
12.       D  := |B - A|
13.       Sx :=  Ax + Bx
14.       Sy :=  Ay + By
15.       If B < A :
16.          A  := D
17.          Ax := Sx
18.          Ay := Sy
19.       Else :
20.          B  := D
21.          Bx := Sx
22.          By := Sy
23.    If IsEven(A) :
24.       A  := A  >> 1
25.       If IsOdd(Ax) or IsOdd(Ay) :
26.          Ax := Ax + Y
27.          Ay := Ay + X
28.       Ax := Ax >> 1
29.       Ay := Ay >> 1
30.    If IsEven(B) :
31.       B  := B  >> 1
32.       If IsOdd(Bx) or IsOdd(By) :
33.          Bx := Bx + Y
34.          By := By + X
35.       Bx := Bx >> 1
36.       By := By >> 1
37. A := A << Twos
38. A contains GCD(X,Y).
39. AxX - AyY = GCD(X,Y).

At this point, we have something which closely resembles commonly-used traditional variants of the Binary Extended GCD algorithm. With the not-unimportant difference that all of the working variables stay positive throughout. This way, we will avoid the need to introduce signed arithmetic into the internals of FFA.

Should we proceed with rewriting Algorithm 5 using constant-time operations? ...or is something important still missing? What is it ?

Chapter 21A, Exercise #3: What, other than the use of FFA-style constant-time arithmetic, is missing in Algorithm 5 ?

~To be continued in Chapter 21B.~

# The Fossil Vault.

11 April 2020 at 17:47

I have recently built two new WWW mirrors containing certain publicly-available software:

## 1. Historic Gentoo Distfiles.

I have been using Gentoo for nearly all Linux-related work since 2007. It was "the lesser of evils": to my knowledge, no other Linux variant ever offered a comparable level of rodenticidal control, while at the same time providing an adequate means of automatically cutting through "dependency hell".

This uniqueness made Gentoo a target for concerted attack by the Enemy, on a variety of fronts. Through creeping Poetteringism, the cancerous blight of GCC 5+, and the eventual decay -- fostered by corrupt maintainers -- of the portage system into unusability, it became nearly impossible to set up a hygienic Gentoo system from scratch.

The minute you try emerge --sync, you will be force-fed a boiling ocean of liquid shit under the name of "progress". And the machine will have to be scrubbed and re-OSed, if you wish to continue with civilized life on it.

Eventually I resorted to creating "canned" Gentoos using bitwise copies of old installations. (E.g. this system for ARM-64, and this one for AMD-64, are provided for my ISP service customers.)

One obvious problem with the "canned" approach is the decay of the official Gentoo distfiles mirrors. At one time these operated purely by accretion, i.e. added new packages while preserving the old. At a certain point this changed, and the servants of "progress" began to sabotage the ecosystem by deliberately removing "ungodly" packages. Mirror operators which refused to participate in this "cultural revolution" were delisted and you will not find them via the Gentoo WWW -- even supposing their mirrors are still standing (many have simply given up.)

Until and unless a cultural "reset" takes place, and something like what Gentoo tried to be in 2007 again exists as a living entity, I intend to continue the use of my hand-curated "fossilized" variants. And to make this easier for others, I have put together a public distfiles mirror:

## http://dulap.xyz/gentoo/distfiles

... using the contents of my backup tapes from a multitude of Gentoo systems I have operated.

Gentoo users may add this URL to their GENTOO_MIRRORS list in /etc/portage/make.conf; or download any necessary tarballs into their local /usr/portage/distfiles by hand; this is a matter of taste.

WARNING: this repository is offered with no warranty or endorsement of any kind, and certainly contains software with dangerous flaws. It does not necessarily reflect the current configuration of any of the Gentoo machines I presently use (although packages from both the RK and the "Dulap" variant's default distfiles directories are all present.) I have trimmed some -- but by no means all! -- of the obvious garbage. It goes without saying that I am not responsible for the contents of the tarballs, or even their integrity. Please do not use tarballs for which you do not have an authoritative signature for safety-critical work! From this -- or any other public repository.

Any and all questions regarding the above -- I prefer to answer here.

People from my L1 WoT who wish to contribute specimens to this collection, are invited to contact me.

At this time, the Gentoo collection weighs ~16GB.

## 2. GNAT.

The following mirror now contains a multitude of GNAT and miscellaneous Ada-related packages/dependencies, obtained on April 10, 2020 via JFW's method:

READMEs, as well as MS-Win and Apple binaries have been omitted. Packages with duplicate names are stored in the "dupes" subdirectories (1, 2, 3, 4, 5, 6, 7)

The same warning as given for the Gentoo repository applies to this collection.

At this time, the Ada collection weighs ~17GB. Aside from the binaries removal, this set was not curated in any way.

Readers are encouraged to mirror the mirrors. Anyone who has done this, is encouraged to leave a comment here, with the URL of the new mirror.

• 11 April 2020 at 17:47

# "Finite Field Arithmetic." Chapter 20D: "Litmus" Errata: Support for Nested Clearsigned Texts.

14 January 2020 at 18:48

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20d_litmus_nested_fix.kv.vpatch.

As of Chapter 20D, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

```cd ffacalc
gprbuild```

... and install it to a path visible in your shell (e.g. /usr/bin.)

Litmus as given in the previous chapter would choke (failing safe, i.e. rejecting the signature) when fed "nested" clearsigned texts. This bug has been fixed:

```# 'ASCII-Armoured' PGP signatures have mandatory start and end markers:
START_MARKER="^\-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-"
END_MARKER="^\-\-\-\-\-END PGP SIGNATURE\-\-\-\-\-"

.......

CLEAR_MARKER="^\-\-\-\-\-BEGIN PGP SIGNED MESSAGE\-\-\-\-\-"

.......```

To test, invoke Litmus with two arguments: the public key, followed by the input file:

```-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is a test-fire GPG 'clearsigned' document written for
FFA Chapter 20C.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCgAGBQJeGimSAAoJELmCKKABq//HfgsH/1bg0zpL1PoApHE5BMNXmJ7U
7vWKQJ3ZCsGvkUSIgIZESTp6EpGDclBQqvBsdBZ9KVnBpGiIbmKbNjDNlZU5YcWt
MCZXkR6Lfd3rYKHcySOEvkoCMQ4ytbEQM4IBE57AqQIpmnI7Mo1033TnDgL2KdXd
PHLtedNyaKwzVJw08BtKjzole130GvElSMmxilrHZ0w+2J4uHRuBELyZbJ55vu+x
Bx+Q5OpMwz0ZG4vjz8ncZE/nCvK/sZv/RXsdNow95fETH5DKC9HfIP279kKlBRg=
=3ozu
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCgAGBQJeHgg9AAoJELmCKKABq//HHywH/3cfUfV8SH2yuxHNBPmk3Yha
Nw/40YK52/DJ/H+RUY6Zei2X3tJPYe3vDN2P3iRqKBycpUPtNnCDaF3BAvg7cyRQ
PghpykoSeERxIQZaIQWTUyMQRBwoMF90wiQpcgCEXRH3xZo/p0M3M6zPrqKElXf4
essZmM3jsvfU9T8JGho0RPyK1J42fTBCiRb0Y++ZQGWVEwJugtVnQOL76fYmSUpW
vDBKgNJfvGOMNTCTLemqD2nn6DZzLN9TOrRlmLvfr0lbzu9rSGAMtRKqozhZeCXf
LiTWWVZkCUGr/SEk5olhbHQnfoYMH1V071qJnpv1/5QqIiZ1z2KbP65Ba/i3i0A=
=o/9T
-----END PGP SIGNATURE-----```

`./litmus.sh asciilifeform.peh asciilifeform-clearsigned-twice.txt`

... which will yield the output:

`VALID GPG RSA signature from asciilifeform <[email protected]>`

Naturally, no verification is performed on the embedded clearsigned text (just as in traditional GPG. If you want to operate on the embedded text, you must extract it.)

~To be continued!~

• 14 January 2020 at 18:48

# "Finite Field Arithmetic." Chapter 20C: Support for 'Clearsigned' GPG texts in "Litmus."

11 January 2020 at 20:29

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20c_litmus_clearsigned.kv.vpatch.

As of Chapter 20C, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

```cd ffacalc
gprbuild```

... and install it to a path visible in your shell (e.g. /usr/bin.)

Litmus now supports GPG "clearsigned" texts. Compatibility with the program given in the previous chapter is retained. The "clearsigned" mode of operation is selected simply by invoking the script with two arguments instead of the usual three:

```.......

# Whether we are working on a 'clearsigned text'
CLEARSIGN_MODE=false

# Set up in the selected mode:
case \$ARGCOUNT in
2) # If given two arguments, verify a 'clearsigned' text file:
CLEARSIGN_MODE=true
# The processed payload will end up in a temporary file:
DATAFILE=\$(mktemp) || { echo "Failed to create temp file!" >&2; \
exit \$RET_EGGOG; }
# On exit, if in 'clearsign' mode, remove temporary file with payload:
trap remove_temp_file EXIT
# Expect 'Canonical Text Signature' in GPG sig packet turd
expect_sig_class=1
;;
3) # Verify Detached Signature on given Data File (third argument is path):
# The given Data file to be verified against the Signature
DATAFILE=\$3 # i.e. path given on command line
# Expect 'Detached Binary Signature' in GPG sig packet turd
expect_sig_class=0
;;
*) # If invalid arg count -- print usage and abort:
echo "Usage: \$0 publickey.peh signature.sig datafile"
echo "   or: \$0 publickey.peh clearsigned.txt"
exit \$RET_EGGOG
;;
esac
.......```

RFC4880 (the document GPG nominally conforms to) specifies certain transformations required to obtain the hashable payload from the document (e.g. imposition of MSDOS-style line endings) which were implemented as follows:

```.......

# If we are operating on a 'clearsigned' text file, \$DATAFILE will be
# an empty temporary file, and the payload is to be extracted to it,

.......

if [ \$CLEARSIGN_MODE == true ]
then
# Find position of 'clearsign' payload start marker:
CLEAR_MARKER="\-\-\-\-\-BEGIN PGP SIGNED MESSAGE\-\-\-\-\-"
start_clr=\$(grep -m 1 -n "\$CLEAR_MARKER" \$SIGFILE | cut -d ':' -f1)

if [ "\$start_clr" == "" ]
then
eggog_broken_clearsigned
fi

start_clr=\$((\$start_clr + 1))

# The payload ends with the line preceding the sig start:
end_clr=\$((start_ln - 2))

start_body=\$(tail -n "+\$start_clr" \$SIGFILE | \
grep -v -n -m 1 "^Hash:" | cut -d ':' -f1)

# Skip the above headers and mandatory empty line:
start_clr=\$((\$start_clr + \$start_body))

# If there is no payload, or the markers are misplaced, abort:
if [ \$start_clr -ge \$end_clr ]
then
eggog_broken_clearsigned
fi

# Extract the 'clearsign' payload to the temporary file:
cat \$SIGFILE | sed -n "\$start_clr,\$end_clr p" | \
sed 's/[ \t]*\$//; s/^- //' | \
awk '{printf("%s\r\n",\$0)}' \
> \$DATAFILE

# Remove the trailing CR,LF ending:
truncate -s -2 \$DATAFILE

# After this, proceed exactly like with 'detached' sigs, but
# with the expected 'class' being 1 rather than 0.
fi

.......```

To verify a "clearsigned" message, invoke Litmus with two arguments: the public key, followed by the input file, e.g.:

`./litmus.sh asciilifeform.peh asciilifeform-clearsigned.txt`

... which will yield the output:

`VALID GPG RSA signature from asciilifeform <[email protected]>`

~To be continued!~

• 11 January 2020 at 20:29

# "Finite Field Arithmetic." Chapter 20B: Support for Selected Ancient Hash Algos in "Litmus."

7 January 2020 at 20:51

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20b_litmus_legacy_hashes.kv.vpatch.

As of Chapter 20B, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

```cd ffacalc
gprbuild```

... and install it to a path visible in your shell (e.g. /usr/bin.)

In the course of experimenting with the subject of the previous Chapter, I found that a number of current and past Vtronicists had misconfigured their GPG, and emit suboptimal signatures (i.e. not SHA-512, the strongest of the ancient hashes supported by that utility). And so I added support for these. (Litmus will emit a warning if such a signature is encountered.)

The following routine has been added to Litmus:

```# If Sig was made with an unsupported hash algo:
eggog_unsupported_hash() {
algo=\$1
echo "This sig uses an unsupported Digest Algo: \$1 !" >&2
exit \$RET_EGGOG
}

.......

# Warnings:
achtung() {
echo "WARNING: \$1" >&2
}

.......

# Digest Algo (only certain hash algos are supported)
get_sig_bytes 1
turd+=\$r
hex_to_int
sig_digest_algo=\$r

# If hash algo is supported, get ASN turd and MD_LEN; and if not, eggog:
case \$sig_digest_algo in
1)  ## MD5 -- NOT SUPPORTED ##
eggog_unsupported_hash "MD5"
;;

2)  ## SHA1 ##
achtung "This sig was made with SHA-1, which is cheaply breakable!"
HASHER="shasum -a 1 -b"
ASN="3021300906052b0e03021a05000414"
MD_LEN=20
;;

3)  ## RIPE-MD/160 -- NOT SUPPORTED ##
eggog_unsupported_hash "RIPE-MD/160"
;;

8)  ## SHA256 ##
achtung "This sig was made with SHA-256; GPG supports SHA-512."
HASHER="shasum -a 256 -b"
ASN="3031300d060960864801650304020105000420"
MD_LEN=32
;;

9)  ## SHA384 ##
achtung "This sig was made with SHA-384; GPG supports SHA-512."
HASHER="shasum -a 384 -b"
ASN="3041300d060960864801650304020205000430"
MD_LEN=48
;;

10) ## SHA512 ##
HASHER="shasum -a 512 -b"
ASN="3051300D060960864801650304020305000440"
MD_LEN=64 # 512 / 8 == 64 bytes
;;

11) ## SHA224 ##
achtung "This sig was made with SHA-224; GPG supports SHA-512."
HASHER="shasum -a 224 -b"
ASN="302D300d06096086480165030402040500041C"
MD_LEN=28
;;

*)  ## Unknown Digest Type ##
eggog_unsupported_hash "UNKNOWN (type \$sig_digest_algo)"
;;
esac

# Calculate length (bytes) of the ASN turd for the digest used in the sig:
ASN_LEN=\$((\${#ASN} / 2))

.......```

To test, for instance, verification of SHA-1 signatures (please stop using SHA-1, people! see e.g. here), download this Litmus-converted GPG public key of former contributor Diana Coman, and verify her signature of Chapter 1:

`./litmus.sh diana_coman.peh ffa_ch1_genesis.kv.vpatch.diana_coman.sig ffa_ch1_genesis.kv.vpatch`

... which will yield the output:

```WARNING: This sig was made with SHA-1, which is cheaply breakable!
VALID GPG RSA signature from Diana Coman <[email protected]>```

~To be continued!~

• 7 January 2020 at 20:51

# "Finite Field Arithmetic." Chapter 20: "Litmus", a Peh-Powered Verifier for GPG Signatures.

6 January 2020 at 20:54

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20_litmus.kv.vpatch.

As of Chapter 20, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

```cd ffacalc
gprbuild```

... and install it to a path visible in your shell (e.g. /usr/bin.)

The subject of this chapter is Litmus: a simple and practical demonstration program powered by Peh. It is expected to work on all reasonable Unix-like systems, so long as the required command-line utilities (see EXTERNALS) are present.

Litmus verifies traditional GPG public key signatures (presently, only of the "detached" type, with RSA and SHA512 hash -- the optimal knob settings available in GPG) and is suitable for use in e.g. Vtronics.

The source code of Litmus appears below in its entirety:

```#!/bin/sh

############################################################################
# 'Litmus' Utility. Verifies traditional GPG RSA signatures using Peh.     #
#                                                                          #
# Usage: ./litmus.sh publickey.peh signature.sig datafile                  #
#                                                                          #
# Currently, supports only RSA 'detached' signatures that use SHA512 hash. #
# See instructions re: converting traditional GPG public keys for use with #
# this program.                                                            #
#                                                                          #
# Peh, xxd, hexdump, shasum, and a number of common utils (see EXTERNALS)  #
# must be present on your machine.                                         #
#                                                                          #
# (C) 2020 Stanislav Datskovskiy ( www.loper-os.org )                      #
# http://wot.deedbot.org/17215D118B7239507FAFED98B98228A001ABFFC7.html     #
#                                                                          #
# You do not have, nor can you ever acquire the right to use, copy or      #
# distribute this software ; Should you use this software for any purpose, #
# or copy and distribute it to anyone or in any manner, you are breaking   #
# the laws of whatever soi-disant jurisdiction, and you promise to         #
# continue doing so for the indefinite future. In any case, please         #
# always : read and understand any software ; verify any PGP signatures    #
# that you use - for any purpose.                                          #
############################################################################

# External programs that are required (if not found, will eggog) :
EXTERNALS="peh xxd hexdump base64 shasum cut tr sed wc grep printf"

# Return Codes:

# Signature is VALID for given Sig, Data File, and Public Key:
RET_VALID_SIG=0

# Signature is INVALID:

# All Other Cases:
RET_EGGOG=-1

# Terminations:

# Success (Valid RSA signature) :
done_sig_valid() {
echo "VALID \$pubkey_algo signature from \$pubkey_owner"
exit \$RET_VALID_SIG
}

# Failure (INVALID RSA signature) :
echo "Signature is INVALID for this public key and input file!"
}

# Failure in decoding 'GPG ASCII armour' :
eggog_sig_armour() {
echo "\$SIGFILE could not decode as a GPG ASCII-Armoured Signature!" >&2
exit \$RET_EGGOG
}

# Failure from corrupt signature :
eggog_sig_corrupt() {
echo "\$SIGFILE is corrupt!" >&2
exit \$RET_EGGOG
}

# Failure from bad Peh :
eggog_peh() {
echo "EGGOG in executing Peh tape! Please check Public Key." >&2
exit \$RET_EGGOG
}

# Number of Arguments required by this program:
REQD_ARGS=3

# If invalid arg count, print usage and abort:
if [ "\$#" -ne \$REQD_ARGS ]; then
echo "Usage: \$0 publickey.peh signature.sig datafile"
exit \$RET_EGGOG
fi

# We only support SHA512. Parameters for it:
HASHER="shasum -a 512 -b"

# For 'PKCS' encoding, the ASN magic turd corresponding to SHA512:
ASN="3051300D060960864801650304020305000440"
ASN_LEN=\$((\${#ASN} / 2))
MD_LEN=64 # 512 / 8 == 64 bytes

# Minimal Peh Width (used for non-arithmetical ops, e.g. 'Owner')
MIN_PEH_WIDTH=256

# The given public key file (a Peh tape, see docs)
PUBFILE=\$1

# The given Detached GPG Signature file to be verified
SIGFILE=\$2

# The given Data file to be verified against the Signature
DATAFILE=\$3

# Verify that each of the given input files exists:
FILES=(\$PUBFILE \$SIGFILE \$DATAFILE)
for f in \${FILES[@]}; do
if ! [ -f \$f ]; then
echo "\$f does not exist!" >&2
exit \$RET_EGGOG
fi
done

# Calculate length of the pubkey file:
PUBFILE_LEN=\$(wc -c \$PUBFILE | cut -d ' ' -f1)

# Peh's Return Codes
PEH_YES=1
PEH_NO=0
PEH_MU=255
PEH_EGGOG=254

# Execute given Peh tape, with given FFA Width and Height,
# on top of the pubkey tape; returns output in \$peh_res and \$peh_code.
run_peh_tape() {
# The tape itself
tape=\$1

# FFA Width for the tape
peh_width=\$2

# FFA Stack Height for the tape
peh_height=\$3

# Compute the length of the given tape
tape_len=\${#tape}

# Add the length of the Public Key tape to the above
tape_len=\$((\$tape_len + \$PUBFILE_LEN))

# Max Peh Life for all such tapes
peh_life=\$((\$tape_len * 2))

# Execute the tape:
peh_res=\$((cat \$PUBFILE; echo \$tape) |
peh \$peh_width \$peh_height \$tape_len \$peh_life);
peh_code=\$?

# # If Peh returned PEH_EGGOG:
if [ \$peh_code -eq \$PEH_EGGOG ]
then
# Abort: likely, coarse error of pilotage in the public key tape.
eggog_peh
fi
}

run_peh_tape "@Algo!QY" \$MIN_PEH_WIDTH 1
pubkey_algo=\$peh_res

run_peh_tape "@Owner!QY" \$MIN_PEH_WIDTH 1
pubkey_owner=\$peh_res

# The only supported algo is GPG RSA:
if [ "\$pubkey_algo" != "GPG RSA" ]
then
echo "This public key specifies algo '\$pubkey_algo';" >&2
echo "The only algo supported is 'GPG RSA' !" >&2
exit \$RET_EGGOG
fi

# Verify that all of the necessary external programs in fact exist:
for i in \$EXTERNALS
do
command -v \$i >/dev/null && continue ||
exit \$RET_EGGOG; }
done

# 'ASCII-Armoured' PGP signatures have mandatory start and end markers:
START_MARKER="-----BEGIN PGP SIGNATURE-----"
END_MARKER="-----END PGP SIGNATURE-----"

# Determine start and end line positions for payload:
start_ln=\$(grep -m 1 -n "\$START_MARKER" \$SIGFILE | cut -d ':' -f1)
end_ln=\$(grep -m 1 -n "\$END_MARKER" \$SIGFILE | cut -d ':' -f1)

# Both start and end markers must exist :
if [ "\$start_ln" == "" ] || [ "\$end_ln" == "" ]
then
echo "\$SIGFILE does not contain ASCII-armoured PGP Signature!" >&2
exit \$RET_EGGOG
fi

start_ln=\$((\$start_ln + 1))
end_ln=\$((\$end_ln - 1))

# If there is no payload, or the markers are misplaced, abort:
if [ \$start_ln -ge \$end_ln ]
then
eggog_sig_armour
fi

sig_payload=\$(sed -n "\$start_ln,\$end_ln p" < \$SIGFILE |
sed -n "/^Version/!p" | sed -n "/^=/!p" | tr -d " tnr")

# If eggog -- abort:
if [ \$? -ne 0 ]
then
eggog_sig_armour
fi

# Obtain the sig bytes:
sig_bytes=(\$(echo \$sig_payload | base64 -d | hexdump -ve '1/1 "%.2x "'))

# If eggog -- abort:
if [ \$? -ne 0 ]
then
eggog_sig_armour
fi

# Number of bytes in the sig file
sig_len=\${#sig_bytes[@]}

# Test that certain fields in the Sig have their mandatory value
sig_field_mandatory() {
f_name=\$1
f_value=\$2
f_mandate=\$3
if [ "\$f_value" != "\$f_mandate" ]
then
reason="\$f_name must equal \$f_mandate; instead is \$f_value."
echo "\$SIGFILE is UNSUPPORTED : \$reason" >&2
echo "Only RSA and SHA512 hash are supported !" >&2
exit \$RET_EGGOG
fi
}

# Starting Position for get_sig_bytes()
sig_pos=0

# Extract given # of sig bytes from the current sig_pos; advance sig_pos.
get_sig_bytes() {
# Number of bytes requested
count=\$1

# Result: \$count bytes from current \$sig_pos (contiguous hex string)
r=\$(echo \${sig_bytes[@]:\$sig_pos:\$count} | sed "s/ //g" | tr 'a-z' 'A-Z')

sig_pos=\$((\$sig_pos + \$count))

# If more bytes were requested than were available in sig_bytes:
if [ \$sig_pos -gt \$sig_len ]
then
# Abort. The signature was mutilated somehow.
eggog_sig_corrupt
fi
}

# Convert the current sig component to integer
hex_to_int() {
r=\$((16#\$r))
}

# Turd to be composed of certain values from the sig, per RFC4880.
# Final hash will run on the concatenation of DATAFILE and this turd.
turd=""

## Parse all of the necessary fields in the GPG Signature:

# CTB (must equal 0x89)
get_sig_bytes 1
sig_ctb=\$r
sig_field_mandatory "Version" \$sig_ctb 89

# Length
get_sig_bytes 2
hex_to_int
sig_length=\$r

# Version (only Version 4 -- what GPG 1.4.x outputs -- is supported)
get_sig_bytes 1
turd+=\$r
sig_version=\$r
sig_field_mandatory "Version" \$sig_version 04

# Class (only class 0 is supported)
get_sig_bytes 1
turd+=\$r
sig_class=\$r
sig_field_mandatory "Class" \$sig_class 00

# Public Key Algo (only RSA is supported)
get_sig_bytes 1
turd+=\$r
sig_pk_algo=\$r
sig_field_mandatory "Public Key Algo" \$sig_pk_algo 01

# Digest Algo (only SHA512 is supported)
get_sig_bytes 1
turd+=\$r
sig_digest_algo=\$r
sig_field_mandatory "Digest Algo" \$sig_digest_algo 0A

# Hashed Section Length
get_sig_bytes 2
turd+=\$r
hex_to_int
sig_hashed_len=\$r

# Hashed Section (typically: timestamp)
get_sig_bytes \$sig_hashed_len
turd+=\$r
sig_hashed=\$r

# Unhashed Section Length
get_sig_bytes 1
hex_to_int
sig_unhashed_len=\$r

get_sig_bytes \$sig_unhashed_len

# Compute Byte Length of Hashed Header (for last field)

# Final section of the hashed turd (not counted in hashed_header_len)
turd+=\$sig_version
turd+="FF"

# Compute the hash of data file and the hashed appendix from sig :
hash=\$((cat \$DATAFILE; xxd -r -p < << \$turd) | \$HASHER | cut -d ' ' -f1)
# Convert to upper case
hash=\$(echo \$hash | tr 'a-z' 'A-Z')

# Parse the RSA Signature portion of the Sig file:

# RSA Packet Length (how many bytes to read)
get_sig_bytes 1
hex_to_int
rsa_packet_len=\$r

# The RSA Packet itself
get_sig_bytes \$rsa_packet_len
rsa_packet=\$r

# Digest Prefix (2 bytes)
get_sig_bytes 2
digest_prefix=\$r

# See whether it matches the first two bytes of the actual computed hash :
computed_prefix=\$(printf "%.4s" \$hash)

if [ "\$digest_prefix" != "\$computed_prefix" ]
then
# It didn't match, so we can return 'bad signature' immediately:
fi

# If prefix matched, we will proceed to do the actual RSA operation.

# RSA Bitness given in Sig
get_sig_bytes 2
hex_to_int
rsa_bitness=\$r

# Compute RSA Byteness from the above
rsa_byteness=\$(((\$rsa_bitness + 7) / 8))

# RSA Bitness for use in determining required Peh width:
rsa_width=\$((\$rsa_byteness * 8))

# Only traditional GPG RSA widths are supported:
if [ \$rsa_width != 2048 ] && [ \$rsa_width != 4096 ] && [ \$rsa_width != 8192 ]
then
reason="Only 2048, 4096, and 8192-bit RSA are supported."
echo "\$SIGFILE is UNSUPPORTED : \$reason" >&2
exit \$RET_EGGOG
fi

# RSA Signature per se (final item read from sig file)
get_sig_bytes \$rsa_byteness
rsa_sig=\$r

# Per RFC4880, 'PKCS' encoding of hash is as follows:
# 0 1 [PAD] 0 [ASN] [MD]

# First two bytes of PKCS-encoded hash will always be 00 01 :
pkcs="0001"

# Compute necessary number of padding FF bytes :
pkcs_pad_bytes=\$((\$rsa_byteness - \$MD_LEN - \$ASN_LEN - 3))

for ((x=1; x< =\$pkcs_pad_bytes; x++)); do
pkcs+="FF"
done

# Attach the 00 separator between the padding and the ASN:
pkcs+="00"

# Attach the ASN ('magic' corresponding to the hash algo) :
pkcs+=\$ASN

# Finally, attach the computed (from Data file) hash itself :
pkcs+=\$hash

# Generate a Peh tape which will attempt to verify \$rsa_sig against the pubkey,
# computing the expression \$rsa_sig ^ PUB_E mod PUB_M and comparing to \$pkcs.
# Outputs 'Valid' and returns Yes_Code (1) if and only if signature is valid.
tape=".\$rsa_sig@Public-Op!.\$pkcs={[Valid]QY}{[Invalid]QN}_"

# Execute the tape:
run_peh_tape \$tape \$rsa_width 3

# 'Belt and suspenders' -- test both output and return code:
# If verification succeeded, return code will be 1, and output 'Valid':
if [ \$peh_code -eq \$PEH_YES ] && [ "\$peh_res" == "Valid" ]
then
# Valid RSA signature:
done_sig_valid
else
# Signature was not valid:
fi
# The end.```

Public keys for use with Litmus are Peh tapes, and their format is illustrated here. Mine (converted from my GPG public key using, for the time being, PGPDump and a few minutes of elbow grease) appears below:

```(----------------------------------------------------------------------------)
( Public key converted from GPG key 17215D118B7239507FAFED98B98228A001ABFFC7 )
(----------------------------------------------------------------------------)
@RSA-Public-Modulus@
.
CDD49A674BAF76D3B73E25BC6DF66EF3ABEDDCA461D3CCB6416793E3437C7806562694
EC37EABEFF3FBE6D3C726DC68E599EBFE5456EF19813398CD7D548D746A30AA47D4293
968BFBAFCBF65A90DFFC87816FEE2A01E1DC699F4DDABB84965514C0D909D54FDA7062
A2037B50B771C153D5429BA4BA335EAB840F9551E9CD9DF8BB4A6DC3ED1318FF3969F7
9535B91B417D0AF14BE09C78B53AF9C5F494BCF2C60349FFA93C81E817AC682F0055A6
07BB56D6A281C1A04CEFE1
;
(----------------------------------------------------------------------------)
@RSA-Public-Exponent@
.
10001
;
LC
(----------------------------------------------------------------------------)
@Public-Op@
(N is on stack) @RSA-Public-Exponent! @RSA-Public-Modulus! MX
;
(----------------------------------------------------------------------------)
@Algo@[GPG RSA];
(----------------------------------------------------------------------------)
@Owner@[asciilifeform <[email protected]>];
(----------------------------------------------------------------------------)
RC```

Now verify the vpatch of this chapter and its signature using Litmus:

`./litmus.sh asciilifeform.peh ffa_ch20_litmus.kv.vpatch.asciilifeform.sig ffa_ch20_litmus.kv.vpatch`

... which should yield the output:

`VALID GPG RSA signature from asciilifeform <[email protected]>`

If you find that Litmus balks on your GPG signatures, ensure that SHA512 (the longest hash supported by old rotten GPG) is selected in your config (typically ~/.gnupg/gpg.conf) :

```personal-digest-preferences SHA512
cert-digest-algo SHA512```

In Chapter 21, we will discuss the astonishing ugliness of the GPG data format, and construct a means for semi-automatic conversion of traditional GPG public keys into the format used by Litmus.

~To be continued!~

• 6 January 2020 at 20:54

# “Finite Field Arithmetic.” Chapter 19: Peh Tuning and Demo Tapes.

1 June 2019 at 18:59

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch19_peh_tuning_and_demos.kv.vpatch.

You should end up with the same directory structure as previously.

As of Chapter 19, the versions of Peh and FFA are 250 and 253, respectively.

The demo tapes from Chapter 18C have been added to the Peh v-set and are henceforth available under the subdirectory demos.

Now compile Peh:

```cd ffacalc
gprbuild```

But do not run it quite yet.

First, the mail bag!

Reader PeterL observed that the declare block in:

```   -- Modulus. Permits the asymmetric Dividend and Divisor in FZ_Mod_Exp.
procedure FZ_Mod(Dividend  : in FZ;
Divisor   : in FZ;
Remainder : out FZ) is

-- ......................................
-- ......................................

-- Performs Restoring Division on a given segment of Dividend:Divisor
procedure Slice(Index : Dividend_Index;
Cut   : Divisor_Cuts) is
begin

declare

-- Borrow, from comparator
C   : WBool;

-- Left-Shift Overflow
LsO : WBool;

-- Current cut of Remainder register
Rs  : FZ renames R(1 .. Cut);

-- Current cut of Divisor
Ds  : FZ renames Divisor(1 .. Cut);

-- Current word of Dividend, starting from the highest
W   : Word  := Dividend(Dividend'Last + 1 - Index);

begin

-- For each bit in the current Dividend word:
for b in 1 .. Bitness loop

-- Send top bit of current Dividend word to the bottom of W
W := Rotate_Left(W, 1);

-- Advance Rs, shifting in the current Dividend bit
FZ_ShiftLeft_O_I(N => Rs, ShiftedN => Rs, Count => 1,
OF_In => W and 1,
Overflow => LsO);

-- Subtract Divisor-Cut from R-Cut; Underflow goes into C
FZ_Sub(X => Rs, Y => Ds, Difference => Rs, Underflow => C);

-- If C=1, subtraction underflowed, and we must undo it:
FZ_Add_Gated(X => Rs, Y => Ds, Sum => Rs,
Gate => C and W_Not(LsO));

end loop;

end;

end Slice;

-- ......................................
-- ......................................```

... is redundant. It has been removed as of this Chapter. As this removal has no effect on the built binary, the FFA version number is unchanged.

Now, let's eat the meat of this Chapter.

Before we can proceed with what was promised at the conclusion of Chapter 18, we will offer some simplification of the Peh moving parts, and fix a small but potentially dangerous flaw in the semantics of the Overflow Flag. Let's start with the former.

Recall where in Chapter 18, we have the reader modality controls:

```   -- Start a Peh Machine with the given Dimensions and Tape; return a Verdict.
function Peh_Machine(Dimensions : in Peh_Dimensions;
Tape       : in Peh_Tapes;
RNG        : in RNG_Device) return Peh_Verdicts is

............
............

-- Whether we are currently inside a Proposed Subroutine Name:
SubNameMode   : Boolean      := False;

-- Whether we are currently inside a Proposed Subroutine Body:
SubBodyMode   : Boolean      := False;

............

-- Prefixed Operators
PrevC         : Character    := ' ';
HavePrefix    : Boolean      := False;

............```

As of the present Chapter, these have been replaced with:

```   -- Start a Peh Machine with the given Dimensions and Tape; return a Verdict.
function Peh_Machine(Dimensions : in Peh_Dimensions;
Tape       : in Peh_Tapes;
RNG        : in RNG_Device) return Peh_Verdicts is

............
............

-- The possible Modes of the reader:
type Modes is (Normal, SubName, SubBody, PrefixOp);

Mode          : Modes        := Normal;

............

-- Prefixed Operators
PrevC         : Character    := ' ';

............```

... and consequently, Op is now a much more readable item:

```      -- All Peh Symbols begin their processing here :
procedure Op(C : in Character) is
begin

-- See whether we are inside a 'Block' :

-- ... in a Comment block:
if CommLevel > 0 then
case C is
when ')' =>  -- Drop a nesting level:
CommLevel := CommLevel - 1;
when '(' =>  -- Add a nesting level:
CommLevel := CommLevel + 1;
when others =>
null; -- Other symbols have no effect at all
end case;

-- ... in a Quote block:
elsif QuoteLevel > 0 then
case C is
when ']' =>   -- Drop a nesting level:
QuoteLevel := QuoteLevel - 1;
when '[' =>   -- Add a nesting level:
QuoteLevel := QuoteLevel + 1;
when others =>
null; -- Other symbols have no effect on the level
end case;

-- If we aren't the mode-exiting ']', print current symbol:
if QuoteLevel > 0 then
Write_Char(C);
end if;

--- ... in a ~taken~ Conditional branch:
elsif CondLevel > 0 then
case C is
when '}' =>   -- Drop a nesting level:
CondLevel := CondLevel - 1;

-- If we exited the Conditional as a result,
-- we push a 1 to trigger the possible 'else' clause:
if CondLevel = 0 then
Push;
FFA_WBool_To_FZ(1, Stack(SP));
end if;

when '{' =>   -- Add a nesting level:
CondLevel := CondLevel + 1;

when others =>
null; -- Other symbols have no effect on the level
end case;

else
--- ... we are not inside a 'Block' :

case Mode is

--- ... a character in a proposed Subroutine Name:
when SubName =>
SubName_Symbol(C);

--- ... a character in a proposed Subroutine Body:
when SubBody =>
SubBody_Symbol(C);

--- ... the second character of a Prefixed Op:
when PrefixOp =>
-- Drop prefix-op hammer, until another prefix-op cocks it:
Mode := Normal;

-- Dispatch this op, where prefix is the preceding character
Op_Prefixed(Prefix => PrevC, O => C);

-- This is a Normal Op...
when Normal =>
-- ... so proceed with the normal rules:
Op_Normal(C);

-- Save the current Symbol as a possible prefix:
PrevC := C;

end case;

end if;
end Op;```

SubName_Symbol and SubBody_Symbol do exactly what you would expect, from having read Chapter 18, with the obvious necessary changes in regards to the reader mode state variable. (See also line 1073, with regards to the prefix control.)

This is just about all of the treatment the subject deserves. The Peh version has been advanced to 250K, on account of this and the following change.

Now, let's proceed to the matter of the Overflow Flag.

In particular, the treatment of Registers in the Cutout mechanism :

1. All Register-accessing opcodes (including Zaps and Debug Print) which execute inside either the Guarded or the Cutout segments, will make use exclusively of the segregated Cutout Register Set.
2. All Register-accessing opcodes (including Zaps and Debug Print) which execute inside the Public segment, will make use exclusively of the Ordinary Register Set.

Observe that, in Chapter 18, the Overflow Flag -- unlike the registers -- was not included in the set of segregated state which prevents inadvertent flow of information between routines residing in the Cutout Tape segment and those in the rest of a Tape.

This flaw has been corrected as of this Chapter:

```   -- Start a Peh Machine with the given Dimensions and Tape; return a Verdict.
function Peh_Machine(Dimensions : in Peh_Dimensions;
Tape       : in Peh_Tapes;
RNG        : in RNG_Device) return Peh_Verdicts is

............
............

-- Carry/Borrow Flag set by certain arithmetical Ops:
Flag          : WBool        := 0;

-- 'Cutout'-segregated Carry/Borrow Flag:
CO_Flag       : WBool        := 0;

............

-- Zero the currently-active Overflow Flag:
procedure Zap_Flag is
begin
if Use_CO_Registers then
CO_Flag := 0;
else
Flag    := 0;
end if;
end Zap_Flag;

............
............

-- Print a Debug Trace (used in 'QD') :
procedure Print_Trace is
begin

............
............

-- Print active Overflow-Flag, then Ticks and IP:

if Use_CO_Registers then
Write_String("Flag (CO) :" & WBool'Image(CO_Flag));
else
Write_String("Flag      :" & WBool'Image(Flag));
end if;

............
............

----------------
-- Arithmetic --
----------------

-- Subtract
when '-' =>
Want(2);
FFA_FZ_Subtract(X          => Stack(SP - 1),
Y          => Stack(SP),
Difference => Stack(SP - 1),
Underflow  => F);

-- If we are in the Cutout, write the CO_Flag instead of Flag:
if Use_CO_Registers then
CO_Flag := FFA_Word_NZeroP(F);
else
Flag    := FFA_Word_NZeroP(F);
end if;
Drop;

when '+' =>
Want(2);
Y        => Stack(SP),
Sum      => Stack(SP - 1),
Overflow => F);

-- If we are in the Cutout, write the CO_Flag instead of Flag:
if Use_CO_Registers then
CO_Flag := FFA_Word_NZeroP(F);
else
Flag    := FFA_Word_NZeroP(F);
end if;
Drop;

............
............
............

-- Put the Overflow flag on the stack
when 'O' =>
Push;
-- If we are in the Cutout, read CO_Flag instead of Flag:
if Use_CO_Registers then
FFA_WBool_To_FZ(CO_Flag, Stack(SP));
else
FFA_WBool_To_FZ(Flag,    Stack(SP));
end if;

............
............```

The difference in semantics is easily illustrated via the following Peh Tape:

```(----------------------------------------------------------------------------)
(----------------------------------------------------------------------------)
(- Demo Tape for 'Peh'; illustrates change in Flag semantics in Chapter 19. -)
(-                                                                          -)
(- (C) 2019 Stanislav Datskovskiy ( www.loper-os.org )                      -)
(- http://wot.deedbot.org/17215D118B7239507FAFED98B98228A001ABFFC7.html     -)
(-                                                                          -)
(- You do not have, nor can you ever acquire the right to use, copy or      -)
(- distribute this software ; Should you use this software for any purpose, -)
(- or copy and distribute it to anyone or in any manner, you are breaking   -)
(- the laws of whatever soi-disant jurisdiction, and you promise to         -)
(- continue doing so for the indefinite future. In any case, please         -)
(- always : read and understand any software ; verify any PGP signatures    -)
(- that you use - for any purpose.                                          -)
(-                                                                          -)
(----------------------------------------------------------------------------)
(----------------------------------------------------------------------------)

(----------------------------------------------------------------------------)

( Begin the Cutout: )
LC

(----------------------------------------------------------------------------)

( This subroutine causes the Cutout-Active Overflow Flag to be Set : )

@Set-OF-In-Cutout@ ( Regs : none )
.0 .1 - _
;

(----------------------------------------------------------------------------)

( This subroutine causes the Cutout-Active Overflow Flag to be Cleared : )

@Clear-OF-In-Cutout@ ( Regs : none )
ZF
;

(----------------------------------------------------------------------------)

( This subroutine returns the Cutout-Active Overflow Flag : )

@Get-OF-In-Cutout@ ( Regs : none )
O
;

(----------------------------------------------------------------------------)

( Terminate the Cutout : )
RC

(----------------------------------------------------------------------------)

( This subroutine causes the Ordinary Overflow Flag to be Set : )

@Set-OF-Ordinary@ ( Regs : none )
.0 .1 - _
;

(----------------------------------------------------------------------------)

( This subroutine causes the Ordinary Overflow Flag to be Cleared : )

@Clear-OF-Ordinary@ ( Regs : none )
ZF
;

(----------------------------------------------------------------------------)

( This subroutine returns the Ordinary Overflow Flag : )

@Get-OF-Ordinary@ ( Regs : none )
O
;

(----------------------------------------------------------------------------)

( Display both Overflow Flags : )
@Show-Both-OF-Flags@ (Regs : none)

[Ordinary OF = ]
@Get-OF-Ordinary!
{[1]}{[0]}_

[ ]

@Get-OF-In-Cutout!
[Cutout's OF = ]
{[1]}{[0]}_
[]
;

(----------------------------------------------------------------------------)

(------------------------------ Main Program : ------------------------------)

( Regs: none )

[Setting Ordinary OF:
]
@Set-OF-Ordinary!

@Show-Both-OF-Flags!
[

]

[Setting Cutout's OF:
]
@Set-OF-In-Cutout!

@Show-Both-OF-Flags!
[

]

( Clear the Flags : )

[Clearing Ordinary OF:
]
@Clear-OF-Ordinary!

@Show-Both-OF-Flags!
[

]

[Clearing Cutout's OF:
]
@Clear-OF-In-Cutout!

@Show-Both-OF-Flags!
[

]

( we're done:  )
QY

(--------------------------------~~The End~~---------------------------------)```

This Tape is invoked as, e.g.:

`    cat ch19_flag.peh | ./ffa/ffacalc/bin/peh 256 32 10000 0`

In Chapter 18, where there is only one Overflow Flag register, you will expect to see the following output:

```Setting Ordinary OF:
Ordinary OF = 1 Cutout's OF = 1

Setting Cutout's OF:
Ordinary OF = 1 Cutout's OF = 1

Clearing Ordinary OF:
Ordinary OF = 0 Cutout's OF = 0

Clearing Cutout's OF:
Ordinary OF = 0 Cutout's OF = 0```

Whereas, as of this Chapter, where the flags are properly segregated, unsurprisingly:

```Setting Ordinary OF:
Ordinary OF = 1 Cutout's OF = 0

Setting Cutout's OF:
Ordinary OF = 1 Cutout's OF = 1

Clearing Ordinary OF:
Ordinary OF = 0 Cutout's OF = 1

Clearing Cutout's OF:
Ordinary OF = 0 Cutout's OF = 0```

In Chapter 20, we will proceed with more interesting refinements to Peh.

~To be continued!~

• 1 June 2019 at 18:59