[Cryptography] ideas for (long) Nothing up my sleeve numbers

Sampo Syreeni decoy at iki.fi
Sun Mar 30 23:10:54 EDT 2014


On 2014-03-30, Hanno Böck wrote:

>> My best guess is "Pi and Euler's number to a very high precision", 
>> but that seems boring.
>
> I doubt that this is the best idea, as they are certainly not
> pseudo random.

To my eye randomness is much different from "sleeveness". If you have a 
totally random number, it's of course nothing-in-the-sleeve by 
definition: you couldn't have chosen it, nobody could have known it 
before God gave it to you, and in hir infinite wisdom se then also made 
it damn sure every extant cryptographer had a personal, blinding 
revelation, irrefutable by anything before, now, and thereafter, that 
you and you alone were given this number, it is random, and all of you 
lot are in perfect informational balance about the fact.

That's pretty much the naked definition of true randomness. I'd guess 
much of why e.g. John Denker objects to the naked version is because you 
really do need a benevolent and crypto-interested god behind that 
reasoning. That kind of real randomness ain't manna that drops from the 
sky, or automatically emerges from crypto-nice-looking nonlinear systems 
when you torture them enough. Instead it's a precious resource, which 
quite possibly might not exist at *all* outside of theology.

The only systems where we really have something which even *looks* truly 
random are the quantum ones, and certain derivatives of them where we 
can already fully explain a macroscopic system's noise as an aggregate 
of its quantum parts. That's what Denker bases his argument on: things 
like Johnson-Nyquist noise are one of the few 
macroscopically measurable things which we understand fully enough to 
say that they're very likely truly random, and quantifiably so, under 
the assumption that the process of wavefunction collapse upon 
measurement is random.

Nothing-up-the-sleeveness requires nowhere near such assumptions, nor 
does it address the same problem. When you apply that one, you already 
have a system which you believe is indifferent to which precise sequence 
of bits you put in. At the same time you worry that since some other, 
Demonic people already put in hard to verify backdoors in their 
cryptosystems, or ostensibly could do so. Since both you and your 
scientific peers are all kind of paranoid because of it, you want to 
show that even if those free variables in your system weren't quite as 
insensitive to choice as you thought and your argument showed, it still 
would have been prohibitively costly for you to actually *choose* your 
constants for somebody's benefit.

So, the problems solved are very different. Randomness is about 
mathematical assumptions, and ones which are pretty much impossible to 
fulfil in any rational frame of mind. You can approach them in a manner 
which gets the job done and is rather believable when you trace the full 
argument right down to your source of physical randomness, spell out your 
assumptions, and whatnot. Denker's work is a case in point, there.

Sleeveness is instead about human trust relations. If we knew how to 
ascertain our trust in shared sources of randomness, the problem would 
be solved. But there really doesn't seem to be any way to fulfil the 
"shared" part as of now. Hence, the trust problem can't be solved 
wholesale. We need partial solutions, and one of them in cryptosystem 
design is to somehow show other people that the constants you chose for 
your variables weren't made up. In that application the basic assumption 
already is that even if you just set all of them to zero, it wouldn't 
matter, because the security of your system shouldn't depend on the 
precise values assigned to those variables (okay, it might, but then always 
modulo some clear statistical criterion dependent only on your circuit 
topology; then you'd also not just assign random bits to your variables, 
but either give a clean reduction to an equiprobabilistically minimum 
risk vector of constants, or more likely just redesign so that your 
constant vector simply fulfils every condition a key input would, within 
the relevant construction; so that setting it to zero wouldn't do any 
harm either).

It's that trust aspect why you also don't need even (pseudo)random 
numbers. It's convenient that any numbers used for this purpose fulfil 
the freest statistical assumptions of equidistributed independence, but 
it isn't necessary by any means that they cannot be predicted. In fact 
predictability is a plus here, and the more the better, because that 
increases trust. All that you need in this game is binding precommitment 
by Nature, on your behalf, or something close enough in wiggle-room to 
make everybody believe you couldn't have made it up on the relevant 
margin.

(I'm not saying I will have the nerve, but I might just suggest a 
protocol for this in the coming days. Algorithm and all.)
-- 
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
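An added example, not part of Sampo's post or of the thread: the "binding precommitment by Nature" described above is exactly how SHA-256 justifies its constants. Its initial hash values are the first 32 fractional bits of the square roots of the first eight primes, and its round constants the same for the cube roots of the first 64 primes. The check below recomputes them with exact integer arithmetic and compares them with the published values; the point of such numbers is that anyone can re-derive them, predictability being the feature.

```python
# Constructed check: recompute SHA-256's nothing-up-my-sleeve constants
# from first principles, so their derivation can be audited by anyone.

def first_primes(n):
    """Return the first n primes by trial division (n is small here)."""
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes

def iroot(n, k):
    """floor(n ** (1/k)) for non-negative integers, via integer Newton iteration."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + k - 1) // k)  # upper bound on the root
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y

def nums_word(p, k, bits=32):
    """First `bits` bits of the fractional part of the k-th root of p, exactly."""
    return iroot(p << (k * bits), k) & ((1 << bits) - 1)

def sha256_iv():
    """Initial hash values H0..H7: fractional parts of sqrt of the first 8 primes."""
    return [nums_word(p, 2) for p in first_primes(8)]

def sha256_round_constants():
    """Round constants K0..K63: fractional parts of cube roots of the first 64 primes."""
    return [nums_word(p, 3) for p in first_primes(64)]

# Values as published in FIPS 180-4, used only to show the derivation reproduces them.
PUBLISHED_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def iv_matches_published():
    """True when the re-derived initial hash values equal the published ones."""
    return sha256_iv() == PUBLISHED_IV

if __name__ == "__main__":
    print("IV derivation reproducible:", iv_matches_published())
    print("K[0..3] =", [hex(w) for w in sha256_round_constants()[:4]])
```

The same recipe, with a different irrational (pi, e) or a different root, is what the "Pi to a very high precision" suggestion amounts to; what matters is that the recipe is published and cheap to re-run.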