In cryptography, nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number pi| as the constants. Using digits of millions of places after the decimal point would not be considered trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit. Digits in the positional representations of real numbers such as, e, and irrational roots are believed to appear with equal frequency. Such numbers can be viewed as the opposite extreme of Chaitin–Kolmogorov random numbers in that they appear random but have very low information entropy. Their use is motivated by early controversy over the U.S. Government's 1975 Data Encryption Standard, which came under criticism because no explanation was supplied for the constants used in its S-box. Thus a need was felt for a more transparent way to generate constants used in cryptography. "Nothing up my sleeve" is a phrase associated with magicians, who sometimes preface a magic trick by holding open their sleeves to show they have no objects hidden inside.
The U.S. National Security Agency used the square roots of small integers to produce the constants used in its "Secure Hash Algorithm" SHA-1. The SHA-2 functions use the square roots and cube roots of small primes.
* The SHA-1 hash algorithm uses 0123456789ABCDEFFEDCBA9876543210F0E1D2C3 as its initial hash value.
The ARIA key schedule uses the binary expansion of 1/.
The key schedule of the RC5 cipher uses binary digits from both and the golden ratio.
The BLAKE hash function, a finalist in the SHA-3 competition, uses a table of 16 constant words which are the leading 512 or 1024 bits of the fractional part of.
The key schedule of the KASUMI cipher uses 0x123456789ABCDEFFEDCBA9876543210 to derive the modified key.
The Salsa20 family of ciphers use the ASCII string "expand 32-byte k" as constants in its block initialization process.
Counterexamples
The Streeboghash function S-box was claimed to be generated randomly, but was reverse-engineered and proven to be generated algorithmically with some "puzzling" weaknesses.
Data Encryption Standard has constants that were given out by NSA. They turned out to be far from random, but instead of being a backdoor they made the algorithm resilient against differential cryptanalysis, a method not publicly known at the time.
Dual_EC_DRBG, a NIST-recommended cryptographic pseudo-random bit generator, came under criticism in 2007 because constants recommended for use in the algorithm could have been selected in a way that would permit their author to predict future outputs given a sample of past generated values. In September 2013 The New York Times wrote that "internal memos leaked by a former NSA contractor, Edward Snowden, suggest that the NSA generated one of the random number generators used in a 2006 NIST standard—called the Dual EC DRBG standard—which contains a back door for the NSA."
P curves are standardized by NIST for elliptic curve cryptography. The coefficients in these curves are generated by hashing unexplained random seeds, such as:
Although not directly related, after the backdoor in Dual_EC_DRBG had been exposed, suspicious aspects of the NIST's P curve constants led to concerns that the NSA had chosen values that gave them an advantage in finding private keys. Since then, many protocols and programs started to use Curve25519 as an alternative to NIST P-256 curve.
Limitations
Bernstein and coauthors demonstrate that use of nothing-up-my-sleeve numbers as the starting point in a complex procedure for generating cryptographic objects, such as elliptic curves, may not be sufficient to prevent insertion of back doors. If there are enough adjustable elements in the object selection procedure, the universe of possible design choices and of apparently simple constants can be large enough so that a search of the possibilities allows construction of an object with desired backdoor properties.
