[Cryptography] ideas for (long) Nothing up my sleeve numbers
Sampo Syreeni
decoy at iki.fi
Sun Mar 30 23:10:54 EDT 2014
On 2014-03-30, Hanno Böck wrote:
>> My best guess is "Pi and Euler's number to a very high precision",
>> but that seems boring.
>
> I doubt that this is the best idea, as they are certainly not
> pseudo random.
To my eye randomness is much different from "sleeveness". If you have a
totally random number, it's of course nothing-in-the-sleeve by
definition: you couldn't have chosen it, nobody could have known it
before God gave it to you, and in hir infinite wisdom se then also made
it damn sure every extant cryptographer had a personal, blinding
revelation, irrefutable by anything before, now, and thereafter, that
you and you alone were given this number, it is random, and all of you
lot are in perfect informational balance about the fact.
That's pretty much the naked definition of true randomness. I'd guess
much of why e.g. John Denker objects to the naked version is because you
really do need a benevolent and crypto-interested god behind that
reasoning. That kind of real randomness ain't manna that drops from the
sky, or automatically emerges from crypto-nice-looking nonlinear systems
when you torture them enough. Instead it's a precious resource, which
quite possibly might not exist at *all* outside of theology.
The only systems where we really have something which even *looks* truly
random are the quantum ones, and certain derivatives of them where we
can already fully explain a macroscopic system's noise as an aggregate
of its quantum parts. That's what Denker bases his argument on: things
like Johnson-Nyquist noise are one of the few macroscopically measurable
things which we understand fully enough to say that they're very likely
truly random, and quantifiably so, under the assumption that the process
of wavefunction collapse upon measurement is random.
Nothing-up-the-sleeveness requires nowhere near such assumptions, nor
does it address the same problem. When you apply that one, you already
have a system which you believe is indifferent to which precise sequence
of bits you put in. At the same time you worry that some other, demonic
people have already put hard-to-verify backdoors in their cryptosystems,
or ostensibly could do so. Since both you and your scientific peers are
all kind of paranoid because of it, you want to show that even if those
free variables in your system weren't quite as insensitive to choice as
you thought and your argument showed, it still would have been
prohibitively costly for you to actually *choose* your constants for
somebody's benefit.
So, the problems solved are very different. Randomness is about
mathematical assumptions, and ones which are pretty much impossible to
fulfil in any rational frame of mind. You can approach them in a manner
which gets the job done and is rather believable when you trace the full
argument right down to your source of physical randomness, spell out your
assumptions, and whatnot. Denker's work is a case in point, there.
Sleeveness is instead about human trust relations. If we knew how to
ascertain our trust in shared sources of randomness, the problem would
be solved. But there really doesn't seem to be any way to fulfil the
"shared" part as of now. Hence, the trust problem can't be solved
wholesale. We need partial solutions, and one of them in cryptosystem
design is to somehow show other people that the constants you chose for
your variables weren't made up. In that application the basic assumption
already is that even if you just set all of them to zero, it wouldn't
matter, because the security of your system shouldn't depend on the
precise values assigned those variables (okay, it might, but then always
modulo some clear statistical criterion dependent only on your circuit
topology; then you'd also not just assign random bits to your variables,
but either give a clean reduction to an equiprobabilistically minimum
risk vector of constants, or more likely just redesign so that your
constant vector simply fulfils every condition a key input would, within
the relevant construction; so that setting it to zero wouldn't do any
harm either).
It's that trust aspect why you also don't need even (pseudo)random
numbers. It's convenient that any numbers used for this purpose fulfil
the freest statistical assumptions of equidistributed independence, but
it isn't necessary by any means that they cannot be predicted. In fact
predictability is a plus here, and the more the better, because that
increases trust. All that you need in this game is binding precommitment
by Nature, on your behalf, or something close enough in wiggle-room to
make everybody believe you couldn't have made it up on the relevant
margin.
(I'm not saying I will have the nerve, but I might just suggest a
protocol for this in the coming days. Algorithm and all.)
--
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
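The "binding precommitment by Nature" the post describes is something anyone can recompute, which is the whole point: the SHA-256 initial values and round constants are defined as the first 32 fractional bits of the square and cube roots of the first primes. The following is an added example, not code from this thread or from any of the people quoted in it; it recomputes those constants with exact integer arithmetic, shows the other common recipe (hashing a public phrase, using a constructed sample string), and includes the check an auditor would run to test whether a given 32-bit constant is explainable as root bits of a small prime. The function names (`fractional_bits`, `find_source`, `hashed_commitment`) are this example's own.

```python
"""Nothing-up-my-sleeve constants as a checkable commitment.

Recomputes the SHA-256 IV and round constants from roots of the first primes
(the FIPS 180-4 definition), derives a constant by hashing a public phrase,
and checks an arbitrary 32-bit value against the root-of-prime sources.
Added example for the mailing-list discussion; not the poster's code.
"""

import hashlib


def primes(count):
    """Return the first `count` primes by trial division (small inputs only)."""
    found = []
    candidate = 2
    while len(found) < count:
        if all(candidate % p for p in found if p * p <= candidate):
            found.append(candidate)
        candidate += 1
    return found


def iroot(n, k):
    """Floor of the integer k-th root of n >= 0.

    Integer Newton iteration started from a power-of-two upper bound, so the
    sequence decreases monotonically and stops exactly at the floor root.
    """
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + k - 1) // k)
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y


def fractional_bits(p, k, bits=32):
    """First `bits` bits of the fractional part of the k-th root of p.

    Done entirely in integers: floor(root_k(p) * 2^bits) equals
    floor(root_k(p * 2^(k*bits))), and masking drops the integer part.
    """
    return iroot(p << (k * bits), k) & ((1 << bits) - 1)


def sha256_iv():
    """SHA-256 H[0..7]: fractional square-root bits of the first 8 primes."""
    return [fractional_bits(p, 2) for p in primes(8)]


def sha256_round_constants():
    """SHA-256 K[0..63]: fractional cube-root bits of the first 64 primes."""
    return [fractional_bits(p, 3) for p in primes(64)]


def hashed_commitment(label):
    """The other common recipe: a constant derived by hashing a public phrase.

    `label` is whatever string the designer publishes; the sample used in the
    test below is constructed for this example and belongs to no standard.
    """
    return int.from_bytes(hashlib.sha256(label.encode()).digest()[:4], "big")


def find_source(value, max_primes=64, roots=(2, 3), bits=32):
    """Auditor's check: can `value` be explained as root bits of a small prime?

    Returns (prime, k) for the first match, or None. A None result does not
    prove a hidden choice, only that this particular claimed provenance fails.
    """
    for p in primes(max_primes):
        for k in roots:
            if fractional_bits(p, k, bits) == value:
                return (p, k)
    return None


if __name__ == "__main__":
    print("SHA-256 IV:", [hex(h) for h in sha256_iv()])
    print("SHA-256 K[0], K[63]:", hex(sha256_round_constants()[0]),
          hex(sha256_round_constants()[63]))
    print("source of 0x6a09e667:", find_source(0x6a09e667))
    print("source of 0xdeadbeef:", find_source(0xdeadbeef))
```

The integer formulation matters for the trust argument: a floating-point `math.sqrt(p) % 1 * 2**32` is only exact by luck, whereas the integer root is reproducible bit for bit by anyone, on any machine, which is exactly the property the post wants from a sleeve-free constant. The `find_source` check is deliberately cheap, because the designer's claim has to be cheap to verify to be worth anything.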