Nothing up my sleeve number

In cryptography, nothing up my sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for (in Bruce Schneier's words) a “nefarious purpose”, for example, to create a “backdoor” to the algorithm.[1] These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number π as the constants.[2] Using digits of π millions of places into its definition would not be considered as trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit.

Digits in the positional representation of real numbers such as π, e and irrational roots are believed to appear with equal frequency. See normal number. Such numbers can be viewed as the opposite extreme of Chaitin–Kolmogorov random numbers in that they appear random but have very low information entropy. Their use is motivated by early controversy over the U.S. Government's 1975 Data Encryption Standard, which came under criticism because no explanation was supplied for the constants used in its S-box (though they were later found to have been carefully selected to protect against the then-classified technique of differential cryptanalysis).[3] Thus a need was felt for a more transparent way to generate constants used in cryptography.

“Nothing up my sleeve” is a phrase associated with magicians, who sometimes preface a magic trick by holding open their sleeves to show they have no objects hidden inside.[4]

Counterexamples

• Dual EC DRBG, a NIST-recommended cryptographic random bit generator, came under criticism in 2007 because constants recommended for use in the algorithm could have been selected in a way that would permit their author to predict future outputs given a sample of past generated values.[1] In September 2013 The New York Times wrote that "internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a backdoor for the NSA."[11]
• Data Encryption Standard (DES) has constants that were given out by NSA. They turned out to be far from random, but instead of being a backdoor they made the algorithm resilient against differential cryptanalysis, a method not publicly known at the time.[citation needed]

Footnotes

1. ^ a b
2. ^ a b Blowfish Paper
3. ^ Bruce Schneier. Applied Cryptography, second edition, John Wiley and Sons, 1996, p. 278.
4. ^ TV Tropes entry for "nothing up my sleeve"
5. ^ RFC 1321 Sec. 3.4
6. ^ FIPS 180-2: Secure Hash Standard (SHS) (PDF, 236 kB) – Current version of the Secure Hash Standard (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512), 1 August 2002, amended 25 February 2004
7. ^ Revision of NEWDES, Robert Scott, 1996
8. ^ Henri Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay (May 19, 1998). Decorrelated Fast Cipher: an AES candidate (PDF/PostScript).
9. ^ A. Biryukov, C. De Cannière, J. Lano, B. Preneel, S. B. Örs (January 7, 2004). Security and Performance Analysis of ARIA (PostScript). Version 1.2—Final Report. Katholieke Universiteit Leuven.
10. ^ Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (PDF). Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994e. pp. 86–96.
11. ^ Perlroth, Nicole (September 10, 2013). "Government Announces Steps to Restore Confidence on Encryption Standards". The New York Times. Retrieved September 11, 2013.

References

• Bruce Schneier. Applied Cryptography, second edition. John Wiley and Sons, 1996.
• Eli Biham, Adi Shamir, (1990). Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology — CRYPTO '90. Springer-Verlag. 2–21.