Numbers used by cryptographers to show that they are working in good faith

In cryptography, nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number π as the constants. Using digits of π millions of places after the decimal point would not be considered trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit—though even with natural-seeming selections, enough entropy exists in the possible choices that the utility of these numbers has been questioned.

Digits in the positional representations of real numbers such as π, e, and irrational roots are believed to appear with equal frequency (see normal number). Such numbers can be viewed as the opposite extreme of Chaitin–Kolmogorov random numbers in that they appear random but have very low information entropy. Their use is motivated by early controversy over the U.S. Government's 1975 Data Encryption Standard, which came under criticism because no explanation was supplied for the constants used in its S-box (though they were later found to have been carefully selected to protect against the then-classified technique of differential cryptanalysis). Thus a need was felt for a more transparent way to generate constants used in cryptography.

(Image caption: Card that was hidden in a sleeve)

"Nothing up my sleeve" is a phrase associated with magicians, who sometimes preface a magic trick by holding open their sleeves to show they have no objects hidden inside.

Examples

Ron Rivest used the trigonometric sine function to generate constants for the widely used MD5 hash.

The U.S. National Security Agency used the square roots of the first eight prime integers to produce the hash constants in their "Secure Hash Algorithm" functions, SHA-1 and SHA-2. SHA-1 also uses 0123456789ABCDEFFEDCBA9876543210F0E1D2C3 as its initial hash value.

The Blowfish encryption algorithm uses the binary representation of π (without the initial 3) to initialize its key schedule.

RFC 3526 describes prime numbers for internet key exchange that are also generated from π.

The S-box of the NewDES cipher is derived from the United States Declaration of Independence.

The AES candidate DFC derives all of its arbitrary constants, including all entries of the S-box, from the binary expansion of e.

The ARIA key schedule uses the binary expansion of 1/π.

The key schedule of the RC5 cipher uses binary digits from both e and the golden ratio.

Multiple ciphers including TEA and Red Pike use 2654435769 or 0x9e3779b9, which is ⌊2^32/ϕ⌋, where ϕ is the golden ratio.

The BLAKE hash function, a finalist in the SHA-3 competition, uses a table of 16 constant words which are the leading 512 or 1024 bits of the fractional part of π.

The key schedule of the KASUMI cipher uses 0x123456789ABCDEFFEDCBA9876543210 to derive the modified key.

The Salsa20 family of ciphers uses the ASCII string "expand 32-byte k" or "expand 16-byte k" as constants in its block initialization process.

Bcrypt uses the string "OrpheanBeholderScryDoubt" as an initialization string.

Counterexamples

The Streebog hash function S-box was claimed to be generated randomly, but was reverse-engineered and proven to be generated algorithmically with some "puzzling" weaknesses.

The Data Encryption Standard (DES) has constants that were given out by NSA. They turned out to be far from random, but instead made the algorithm resilient against differential cryptanalysis, a method not publicly known at the time.

Dual_EC_DRBG, a NIST-recommended cryptographic pseudo-random bit generator, came under criticism in 2007 because constants recommended for use in the algorithm could have been selected in a way that would permit their author to predict future outputs given a sample of past generated values. In September 2013 The New York Times wrote that "internal memos leaked by a former NSA contractor, Edward Snowden, suggest that the NSA generated one of the random number generators used in a 2006 NIST standard—called the Dual EC DRBG standard—which contains a back door for the NSA."

P curves are standardized by NIST for elliptic curve cryptography. The coefficients in these curves are generated by hashing unexplained random seeds, such as:

P-224: bd713447 99d5c7fc dc45b59f a3b9ab8f 6a948bc5.
P-256: c49d3608 86e70493 6a6678e1 139d26b7 819f7e90.
P-384: a335926a a319a27a 1d00896a 6773a482 7acdac73.

Although not directly related, after the backdoor in Dual_EC_DRBG had been exposed, suspicious aspects of the NIST's P curve constants led to concerns that the NSA had chosen values that gave them an advantage in finding private keys. Since then, many protocols and programs started to use Curve25519 as an alternative to the NIST P-256 curve.

Limitations

Bernstein and coauthors demonstrate that use of nothing-up-my-sleeve numbers as the starting point in a complex procedure for generating cryptographic objects, such as elliptic curves, may not be sufficient to prevent insertion of back doors. For example, many candidates of seemingly harmless and "uninteresting" simple mathematical constants exist, such as π, e, Euler gamma, √2, √3, √5, √7, log(2), (1 + √5)/2, ζ(3), ζ(5), sin(1), sin(2), cos(1), cos(2), tan(1), or tan(2). For these constants, there also exist several different binary representations to choose from. If a constant is used as a random seed, a large number of hash function candidates also exist for selection, such as SHA-1, SHA-256, SHA-384, SHA-512, SHA-512/256, SHA3-256, or SHA3-384.

If there are enough adjustable parameters in the object selection procedure, combinatorial explosion ensures that the universe of possible design choices and of apparently simple constants can be large enough so that an automatic search of the possibilities allows construction of an object with desired backdoor properties.

Footnotes

1. Bruce Schneier (2007-11-15). "Did NSA Put a Secret Backdoor in New Encryption Standard?". Wired News.
2. "Blowfish Paper". Archived from the original on 2011-09-06. Retrieved 2010-06-09.
3. Bruce Schneier. Applied Cryptography, second edition, John Wiley and Sons, 1996, p. 247.
4. RFC 1321 Sec. 3.4.
5. FIPS 180-2: Secure Hash Standard (SHS). Archived 2012-03-12 at the Wayback Machine (PDF, 236 kB) – Current version of the Secure Hash Standard (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512), 1 August 2002, amended 25 February 2004.
6. "Revision of NEWDES, Robert Scott, 1996". Archived from the original on 2012-11-08. Retrieved 2010-06-09.
7. Henri Gilbert; M. Girault; P. Hoogvorst; F. Noilhan; T. Pornin; G. Poupard; J. Stern; S. Vaudenay (May 19, 1998). "Decorrelated Fast Cipher: an AES candidate" (PDF/PostScript). Archived from the original on April 9, 2008. Retrieved June 9, 2010.
8. A. Biryukov; C. De Cannière; J. Lano; B. Preneel; S. B. Örs (January 7, 2004). Security and Performance Analysis of ARIA (PostScript) (Report). Version 1.2—Final Report. Katholieke Universiteit Leuven. Archived from the original on July 16, 2011. Retrieved June 9, 2010.
9. Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (PDF). Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994. pp. 86–96.
10. "src/lib/libc/crypt/bcrypt.c - diff - 1.3". cvsweb.openbsd.org. Archived from the original on 2022-07-05. Retrieved 2022-07-05.
11. "hash - Why is the BCrypt text "OrpheanBeholderScryDoubt"". Information Security Stack Exchange. Archived from the original on 2023-07-10. Retrieved 2022-07-05.
12. Biryukov, Alex; Perrin, Léo; Udovenko, Aleksei (2016). "Reverse-Engineering the S-box of Streebog, Kuznyechik and STRIBOBr1 (Full Version)". Iacr-Eurocrypt-2016. doi:10.1007/978-3-662-49890-3_15. Archived from the original on 2023-08-02. Retrieved 2019-03-26.
13. Perlroth, Nicole (September 10, 2013). "Government Announces Steps to Restore Confidence on Encryption Standards". The New York Times. Archived from the original on April 23, 2015. Retrieved September 11, 2013.
14. "SafeCurves: Introduction". Archived from the original on 2017-09-05. Retrieved 2017-05-02.
15. Maxwell, Gregory (September 8, 2013). "[tor-talk] NIST approved crypto in Tor?". Archived from the original on 2014-10-02. Retrieved 2015-05-20.
16. "SafeCurves: Rigidity". safecurves.cr.yp.to. Archived from the original on 2015-05-22. Retrieved 2015-05-20.
17. "The NSA Is Breaking Most Encryption on the Internet - Schneier on Security". www.schneier.com. Archived from the original on 2017-12-15. Retrieved 2015-05-20.
18. How to manipulate curve standards: a white paper for the black hat. Archived 2016-03-08 at the Wayback Machine. Daniel J. Bernstein, Tung Chou, Chitchanok Chuengsatiansup, Andreas Hülsing, Eran Lambooij, Tanja Lange, Ruben Niederhagen, and Christine van Vredendaal, September 27, 2015, accessed June 4, 2016.

References

1. Bruce Schneier. Applied Cryptography, second edition. John Wiley and Sons, 1996.
2. Eli Biham, Adi Shamir (1990). Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology – CRYPTO '90. Springer-Verlag. pp. 2–21.
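The constant derivations in the Examples section above, written out as an added check that is not part of the original article: the script re-derives the MD5 sine constants, the SHA-256 initial hash words (square roots of the first eight primes) and, going one step beyond the text, the SHA-256 round constants (cube roots of the first primes, as FIPS 180-2 specifies), plus the TEA/Red Pike delta ⌊2^32/ϕ⌋, and compares each with the published value. The function names are the author's own; the hex reference values are copied from RFC 1321 and FIPS 180-2 purely for comparison, which is the review a practitioner does when an implementation's "magic" constants are claimed to be nothing-up-my-sleeve numbers.

```python
import math
from decimal import Decimal, getcontext

getcontext().prec = 50  # far more digits than the 32 fractional bits extracted below

# Published values, copied here only for comparison: first four MD5 round constants
# (RFC 1321), first four SHA-256 initial hash words and first two SHA-256 round
# constants (FIPS 180-2), and the delta shared by TEA and Red Pike.
MD5_K_REF = [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE]
SHA256_H_REF = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A]
SHA256_K_REF = [0x428A2F98, 0x71374491]
TEA_DELTA_REF = 0x9E3779B9

def first_primes(count):
    """Return the first `count` prime integers (2, 3, 5, 7, ...)."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes

def md5_constant(i):
    """MD5 round constant K[i] = floor(2^32 * |sin(i + 1)|), with i + 1 in radians."""
    return math.floor(abs(math.sin(i + 1)) * 2 ** 32)

def root_fraction_word(n, root):
    """First 32 bits of the fractional part of n^(1/root), computed in Decimal."""
    x = Decimal(n) ** (Decimal(1) / Decimal(root))
    return int((x % 1) * (1 << 32))

def sha256_words(root, count):
    """SHA-256 H(0) words (root=2, count=8) or K words (root=3, count up to 64)."""
    return [root_fraction_word(p, root) for p in first_primes(count)]

def tea_delta():
    """floor(2^32 / phi), phi being the golden ratio (1 + sqrt(5)) / 2."""
    phi = (1 + Decimal(5).sqrt()) / 2
    return int(Decimal(1 << 32) / phi)

def verify():
    """Re-derive each constant and report whether it matches the published value."""
    return {
        "md5": [md5_constant(i) for i in range(4)] == MD5_K_REF,
        "sha256_h": sha256_words(2, 8)[:4] == SHA256_H_REF,
        "sha256_k": sha256_words(3, 2) == SHA256_K_REF,
        "tea_delta": tea_delta() == TEA_DELTA_REF,
    }
```

Every entry of `verify()` comes back True; a False entry would mean the constant in front of you is not the advertised derivation and deserves the same scrutiny the Counterexamples section gives to DES, Dual_EC_DRBG and the NIST P-curve seeds.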