 Nothing up my sleeve number

In cryptography, nothing up my sleeve numbers are numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need fixed, random-looking constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for (in Bruce Schneier's words) a "nefarious purpose", for example to create a "backdoor" in the algorithm.^{[1]} These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of the initial digits of π as the constants.^{[2]} Using digits of π starting millions of places into its expansion would not be considered as trustworthy, because the algorithm designer might have selected that starting point precisely because it created a secret weakness the designer could later exploit; the fewer free choices a recipe leaves, the less room there is to hide one.
Digits in the positional representation of real numbers such as π, e and irrational roots are believed to appear random (see normal number). Such numbers can be viewed as the opposite extreme of Chaitin–Kolmogorov random numbers: they appear random but carry very little information, since a short program generates as many of their digits as desired. Their use is motivated by early controversy over the U.S. Government's 1975 Data Encryption Standard, which came under criticism because no explanation was supplied for the constants used in its S-boxes (though they were later found to have good justification: IBM confirmed they had been chosen to resist differential cryptanalysis, a technique not publicly known until Biham and Shamir described it in 1990; see Differential cryptanalysis).^{[3]}^{p.278} Thus a need was felt for a more transparent way to generate constants used in cryptography.
"Nothing up my sleeve" is a phrase associated with magicians, who sometimes preface a magic trick by holding open their sleeves to show they have no objects hidden inside.^{[4]}
Examples
The cipher Khafre, designed in 1989, includes constants from the book A Million Random Digits with 100,000 Normal Deviates, published by the RAND Corporation in 1955.
Ron Rivest used the trigonometric sine function to generate the 64 constants of the widely used MD5 hash: T[i] is the integer part of 2^32 · |sin(i)|, with i taken in radians.^{[5]}
The U.S. National Security Agency used the square roots of small integers (2, 3, 5 and 10, scaled by 2^30) to produce the round constants of its "Secure Hash Algorithm" SHA-1. The SHA-2 functions take their initial hash values from the fractional parts of the square roots of the first primes, and their round constants from the fractional parts of the cube roots of the first primes.^{[6]}
The Blowfish encryption algorithm initializes its key schedule (the P-array and the four S-boxes) with the hexadecimal digits of the fractional part of π.^{[2]}
RFC 3526 describes prime numbers for Internet Key Exchange whose middle bits are likewise taken from the binary expansion of π; the only free parameter is a small additive offset, the one that makes the result prime.
The S-box of the NewDES cipher is derived from the United States Declaration of Independence.^{[7]}
The AES candidate DFC derives all of its arbitrary constants, including all entries of the S-box, from the binary expansion of e.^{[8]}
The ARIA key schedule uses the binary expansion of 1/π.^{[9]}
The key schedule of the RC5 cipher derives its two "magic" constants P and Q from the binary expansions of e and the golden ratio respectively.^{[10]}
Dual EC DRBG, a NIST-recommended cryptographic random bit generator, came under criticism in 2007 because its constants (two points on an elliptic curve) could have been selected in a way that would permit their author to predict future outputs given a sample of past generated values.^{[1]}
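The recipes listed above are concrete enough to re-derive, which is the whole point of a nothing up my sleeve number: anyone can regenerate the constant and compare it with the published table. The following Python script is an added example, not code from any of the cited standards or papers; it regenerates constants for several of the listed designs from their stated sources. The function names, the integer-only Machin-formula π routine and the Miller-Rabin check are the example's own; the recipes themselves (RFC 1321 sec. 3.4 for MD5, FIPS 180-2 for SHA-1 and SHA-256, the Blowfish paper, RC5, and RFC 3526 group 14 with its published offset 124476) are taken from the cited documents.

```python
"""Regenerate well-known "nothing up my sleeve" constants from their published
recipes. Added example, not code from any of the designs it checks. Exact
integer arithmetic is used wherever the recipe allows, so a mismatch cannot
be blamed on floating-point rounding; the only float is math.sin, which is
how RFC 1321 itself defines the MD5 table."""
import math
from decimal import Decimal, getcontext

getcontext().prec = 60          # plenty for 32-bit constants derived from e and phi
MASK32 = 0xFFFFFFFF


def icbrt(n):
    """Largest x with x**3 <= n, by integer Newton iteration from above."""
    x = 1 << ((n.bit_length() + 2) // 3)      # initial guess >= cbrt(n)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def pi_scaled(bits):
    """floor(pi * 2**bits) in pure integers: Machin's formula with 32 guard bits."""
    scale = 1 << (bits + 32)

    def arctan_recip(x):                      # arctan(1/x) * scale, alternating series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term //= x * x
            k, sign = k + 2, -sign
        return total

    return (16 * arctan_recip(5) - 4 * arctan_recip(239)) >> 32


def first_primes(n):
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes


def md5_T(i):
    """RFC 1321 sec. 3.4: T[i] = floor(2**32 * |sin(i)|), i = 1..64 in radians."""
    return int(abs(math.sin(i)) * 2 ** 32) & MASK32


def sha1_K():
    """FIPS 180-2: the four SHA-1 round constants are floor(2**30 * sqrt(n))."""
    return [math.isqrt(n << 60) for n in (2, 3, 5, 10)]


def sha256_H0():
    """SHA-256 initial hash: first 32 fraction bits of sqrt(p), first 8 primes."""
    return [math.isqrt(p << 64) & MASK32 for p in first_primes(8)]


def sha256_K():
    """SHA-256 round constants: first 32 fraction bits of cbrt(p), first 64 primes."""
    return [icbrt(p << 96) & MASK32 for p in first_primes(64)]


def blowfish_P(words=18):
    """Blowfish P-array: consecutive 32-bit words of the fractional part of pi."""
    frac = pi_scaled(32 * words) - (3 << (32 * words))     # drop the leading 3
    return [(frac >> (32 * (words - 1 - i))) & MASK32 for i in range(words)]


def rc5_magic(w=32):
    """RC5: P_w = Odd((e-2) * 2**w), Q_w = Odd((phi-1) * 2**w), Odd = nearest odd."""
    def odd(x):                               # nearest odd integer to a positive value
        f = int(x)
        return f if f % 2 else f + 1
    e = Decimal(1).exp()
    phi = (1 + Decimal(5).sqrt()) / 2
    return odd((e - 2) * 2 ** w), odd((phi - 1) * 2 ** w)


def rfc3526_prime(bits, offset):
    """p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + offset)."""
    return (1 << bits) - (1 << (bits - 64)) - 1 + ((pi_scaled(bits - 130) + offset) << 64)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13)):
    """Miller-Rabin with fixed small bases; enough to confirm a published prime."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


if __name__ == "__main__":
    print("MD5 T[1]       = %08x" % md5_T(1))
    print("SHA-1 K        =", " ".join("%08x" % k for k in sha1_K()))
    print("SHA-256 H0     =", " ".join("%08x" % h for h in sha256_H0()))
    print("Blowfish P[0]  = %08x" % blowfish_P()[0])
    print("RC5 P32, Q32   = %08x %08x" % rc5_magic())
    print("RFC 3526 #14 prime:", is_probable_prime(rfc3526_prime(2048, 124476)))
```

Run it and compare the printed words with the tables in the standards (d76aa478 for MD5 T[1], 5a827999 for the first SHA-1 constant, 243f6a88 for Blowfish P[0], b7e15163 and 9e3779b9 for RC5). A constant that cannot be reproduced from its stated recipe, or a recipe with an unexplained free parameter such as a large starting offset into the expansion, is exactly the situation the term warns about. Two details matter when reproducing: RC5 rounds to the nearest odd integer rather than taking a floor, and the RFC 3526 offset is the smallest value that makes the construction prime, so it can be rediscovered rather than trusted.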
Footnotes
1. ^a ^b Bruce Schneier (2007-11-15). "Did NSA Put a Secret Backdoor in New Encryption Standard?". Wired News. http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115.
2. ^a ^b Bruce Schneier. Blowfish paper (FSE 1993). http://www.schneier.com/paper-blowfish-fse.html
3. Bruce Schneier. Applied Cryptography, second edition, John Wiley and Sons, 1996.
4. TV Tropes entry for "nothing up my sleeve". http://tvtropes.org/pmwiki/pmwiki.php/Main/NothingUpMySleeve
5. RFC 1321, Sec. 3.4.
6. FIPS 180-2: Secure Hash Standard (SHS) (PDF, 236 kB). Current version of the Secure Hash Standard (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512), 1 August 2002, amended 25 February 2004.
7. Robert Scott. Revision of NEWDES, 1996.
8. Henri Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay (May 19, 1998). Decorrelated Fast Cipher: an AES candidate (PDF/PostScript). http://citeseer.ist.psu.edu/gilbert98decorrelated.html.
9. A. Biryukov, C. De Cannière, J. Lano, B. Preneel, S. B. Örs (January 7, 2004). Security and Performance Analysis of ARIA. Version 1.2, Final Report (PostScript). Katholieke Universiteit Leuven. http://www.cosic.esat.kuleuven.be/publications/article500.ps.
10. Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (PDF). Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994, pp. 86–96. http://theory.lcs.mit.edu/~rivest/Rivest-rc5rev.pdf.
References
Bruce Schneier. Applied Cryptography, second edition. John Wiley and Sons, 1996.
Eli Biham, Adi Shamir (1990). Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology — CRYPTO '90. Springer-Verlag, pp. 2–21.
Wikimedia Foundation. 2010.