Nothing up my sleeve number
From Wikipedia, the free encyclopedia
In cryptography, nothing up my sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for (in Bruce Schneier's words) a "nefarious reason", for example, to create a "backdoor" to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number π as the constants. Using later digits of π, say starting at the 7,463,398th position, would not be considered as trustworthy. The algorithm designer might have selected that starting point because it created a secret weakness he could later exploit.
Such numbers can be viewed as the opposite extreme of Chaitin–Kolmogorov random numbers in that they appear random but have very low information entropy.
Their use is motivated by early controversy over the U.S. Government's 1975 Data Encryption Standard, which came under criticism because no explanation was supplied for the constants used in its S-box (though they were later found to have good justification, see Differential cryptanalysis). Thus a need was felt for a more transparent way to generate constants used in cryptography. "Nothing up my sleeve" is a phrase associated with magicians, who sometimes preface a magic trick by holding open their sleeves to show they have no objects hidden inside.
Examples
- The cipher Khafre, designed in 1989, includes constants from the book A Million Random Digits with 100,000 Normal Deviates, published by the RAND Corporation in 1951.
- Ron Rivest used the trigonometric sine function to generate constants for the widely used MD5 hash.
- The U.S. National Security Agency used the square roots of small integers to produce the constants used in its "Secure Hash Algorithm" SHA-1. The SHA-2 functions use the square roots and cube roots of small primes.
- The Blowfish encryption algorithm uses the binary representation of π to initialize its key schedule.
- RFC 3526 describes prime numbers for internet key exchange that are also generated from π.
- The S-box of the NewDES cipher is derived from the United States Declaration of Independence.
- The AES candidate DFC derives all of its arbitrary constants, including all entries of the S-box, from the binary expansion of e.
- The key schedule of the RC5 cipher uses binary digits from both e and the golden ratio.
- Dual EC DRBG, a NIST-recommended cryptographic random bit generator, came under criticism in 2007 because constants recommended for use in the algorithm could have been selected in a way that would permit their author to predict future outputs given a sample of past generated values.[1]
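The MD5, SHA-1 and SHA-2 entries above can be checked by recomputing the constants from their stated sources. The following Python sketch is an added example, not part of the original article: the function names are made up for illustration, and the exact scaling rules (32 fractional bits for SHA-256 and MD5, a factor of 2^30 applied to the square roots of 2, 3, 5 and 10 for SHA-1) are taken from the published specifications (FIPS 180-4, RFC 1321), not from this page.

```python
import math

def first_primes(n):
    """First n primes by trial division (n is small here)."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

def icbrt(n):
    """Exact floor of the cube root of a non-negative integer (binary search)."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def frac32_sqrt(n):
    """First 32 fractional bits of sqrt(n), using integer arithmetic only."""
    return math.isqrt(n << 64) & 0xFFFFFFFF

def frac32_cbrt(n):
    """First 32 fractional bits of the cube root of n, integer arithmetic only."""
    return icbrt(n << 96) & 0xFFFFFFFF

def sha256_initial_state():
    """SHA-256 initial hash value: square roots of the first 8 primes."""
    return [frac32_sqrt(p) for p in first_primes(8)]

def sha256_round_constants():
    """SHA-256 round constants: cube roots of the first 64 primes."""
    return [frac32_cbrt(p) for p in first_primes(64)]

def sha1_round_constants():
    """SHA-1 round constants: floor(2^30 * sqrt(n)) for n = 2, 3, 5, 10."""
    return [math.isqrt(n << 60) for n in (2, 3, 5, 10)]

def md5_sine_table():
    """MD5 table: floor(2^32 * |sin(i)|) for i = 1..64, i in radians."""
    return [int(abs(math.sin(i)) * 2**32) for i in range(1, 65)]

if __name__ == "__main__":
    for name, values in [("SHA-256 H", sha256_initial_state()),
                         ("SHA-1 K", sha1_round_constants()),
                         ("MD5 T[1..4]", md5_sine_table()[:4])]:
        print(name, " ".join(f"{v:08x}" for v in values))
```

Comparing the output against the constants hard-coded in any implementation of these hashes shows the point of the construction: once the rule is fixed, the designer has no freedom left in the values.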
References
- Bruce Schneier. Applied Cryptography, second edition. John Wiley and Sons, 1996.
- Eli Biham, Adi Shamir (1990). Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology — CRYPTO '90. Springer-Verlag. 2–21.

