[Cryptography] ideas for (long) Nothing up my sleeve numbers

Miroslav Kratochvil exa.exa at gmail.com
Sun Mar 30 14:43:14 EDT 2014

Hello list,

so I am implementing a variant of XSYND The Provably Secure Stream Cipher
[1] derived from "better known" SYND [2] for my paranoid
quantum-computer-resistant pet project [3].

The problem is that I need a very big amount of provably random constants
for initialization of the content of some internal matrices (A_1 and A_2 in
the paper; only thing that the autors specify about them is that the bits
need to be uniformly random, not secret).

Therefore, the question: What is your favourite idea for a good,
random-enough Nothing Up My Sleeve data with size around 2^14 bits? (e.g.
long, reputable, randomly looking positive integer that is less than

My best guess is "Pi and Euler's number to a very high percision", but that
seems boring.

Thanks for ideas,

end note for those who have read the paper:

I will certainly not use exactly these NUMS to fill up the syndrome
matrices, I instead want to feed them to "preparation" phase that will run
XSYND with NUMS and supplied key+IV several times to generate the contents
of new A_i matrices that will be used to generate the actual keystream.

Or should I use some simpler key expansion function, even when XSYND is
there already a key expansion function?

Or did I get it completely wrong?



[2] http://www.unilim.fr/pages_perso/philippe.gaborit/isit_synd_rev.pdf

[3] https://github.com/exaexa/codecrypt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140330/d585988d/attachment.html>

More information about the cryptography mailing list