[Cryptography] ideas for (long) Nothing up my sleeve numbers
Nico Williams
nico at cryptonector.com
Wed Apr 2 19:57:43 EDT 2014
On Wed, Apr 02, 2014 at 03:41:27PM -0700, Tom Mitchell wrote:
> For an offset into the billions of digits of Pi
> I would discard a sane number of digits
> based on the digits right of the dp of Pi itself from
> math.h i.e.
> lseek(1415926535897^9323846bits) into PI. ^ marks what seems sane to me.
[This thread is getting repetitive :/]
"Nothing up my sleeve number" == very little freedom in selecting that
number. Ways to limit such freedom:
 - pick small numbers (e.g., 2)
 - pick an irrational number from a small set of them (pi, e, and
   sqrt(2) -- all easily available and computed), then an appropriate
   length prefix of its mantissa; no seeking
The first won't look random; the second will. Neither will or could be
random, as explained earlier.
(The golden number is the irrational that's easiest for me to remember
how to compute: it's the limit of the ratio of consecutive Fibonacci
numbers as the Fibonacci number index goes to infinity. That's also
easier to approximate by hand than pi and e: just find the Fibonacci
numbers for sufficiently large N and N+1, then divide them. I like
Phi for this and other reasons. But really, just a few well-known
irrationals will do.)
> Thus the only thing needed is a published value
> of Pi with a lot of bits sufficient to suffer tossing
> many bits away.
Or just compute each digit until you have enough. It's simple stuff:
http://en.wikipedia.org/wiki/Bailey%E2%80%93Borwein%E2%80%93Plouffe_formula
The recent threads about safe curves went into this in some detail. DJB
calls this "rigidity". See the list archives and
http://safecurves.cr.yp.to/rigid.html
Nico
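
Added example (not part of the original message): a Python sketch of the "prefix of the mantissa, no seeking" rule for sqrt(2) and Phi, plus the Fibonacci-ratio approximation of Phi, checked against widely published constants. The function names and the 16 guard bits are assumptions made for this illustration.

```python
from math import isqrt

def frac_bits_sqrt(n: int, bits: int) -> int:
    """First `bits` bits of the fractional part of sqrt(n), exact integer math."""
    # floor(sqrt(n) * 2^bits) == isqrt(n * 2^(2*bits)); the mask drops the integer part.
    return isqrt(n << (2 * bits)) & ((1 << bits) - 1)

def frac_bits_phi(bits: int) -> int:
    """First `bits` bits of the fractional part of Phi = (1 + sqrt(5)) / 2."""
    # floor((2^bits + sqrt(5)*2^bits) / 2) is exact when sqrt(5)*2^bits is floored first,
    # because the fractional part lost by that floor can never carry past the halving.
    scaled = ((1 << bits) + isqrt(5 << (2 * bits))) // 2
    return scaled & ((1 << bits) - 1)

def frac_bits_phi_fib(bits: int, guard: int = 16) -> int:
    """Same prefix, obtained as the ratio of consecutive Fibonacci numbers."""
    # |F(n+1)/F(n) - Phi| < 1/F(n)^2, so iterate until F(n)^2 >= 2^(bits + guard).
    # The guard bits make a wrong final bit unlikely, not impossible; compare
    # against frac_bits_phi() when the exact value matters.
    a, b = 1, 1  # F(n), F(n+1)
    while a * a < (1 << (bits + guard)):
        a, b = b, a + b
    return ((b << bits) // a) & ((1 << bits) - 1)

def derive_constants() -> dict:
    """The only choices left to the designer: which irrational, how many bits."""
    return {
        "sqrt2_32": frac_bits_sqrt(2, 32),   # SHA-256 initial hash word H0
        "sqrt2_64": frac_bits_sqrt(2, 64),   # SHA-512 initial hash word H0
        "sqrt3_32": frac_bits_sqrt(3, 32),   # SHA-256 initial hash word H1
        "phi_32": frac_bits_phi(32),         # the familiar golden-ratio constant
        "phi_32_fib": frac_bits_phi_fib(32),
    }

if __name__ == "__main__":
    for name, value in derive_constants().items():
        print(f"{name:12s} 0x{value:x}")
```

Anyone can rerun this and get the same words, which is the point: the designer's freedom is limited to the choice of irrational and the prefix length.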