[Cryptography] ideas for (long) Nothing up my sleeve numbers

Judd Storrs jstorrs at gmail.com
Mon Mar 31 11:47:19 EDT 2014

For "nothing up your sleeve" what about using well-known data to
reproducibly derive the numbers? For example you could use one of the
typical image processing test images[1] such as cameraman, peppers,
mandril or Lena using versions taken from curated databases[2].
Similarly, you could use census data or other government publications
that are widely archived and curated. The bitcoin blockchain is also a
possibility--you could process the first 1000 or so bitcoin blocks.
Whatever processing would have to be simple and the data you rely on
would have to be unlikely to be crafted by you.

[1] http://web.eecs.utk.edu/courses/fall2011/ece572/testimage.htm
[2] http://sipi.usc.edu/database/

On Sun, Mar 30, 2014 at 1:43 PM, Miroslav Kratochvil <exa.exa at gmail.com> wrote:
> Hello list,
> so I am implementing a variant of XSYND The Provably Secure Stream Cipher
> [1] derived from "better known" SYND [2] for my paranoid
> quantum-computer-resistant pet project [3].
> The problem is that I need a very big amount of provably random constants
> for initialization of the content of some internal matrices (A_1 and A_2 in
> the paper; only thing that the autors specify about them is that the bits
> need to be uniformly random, not secret).
> Therefore, the question: What is your favourite idea for a good,
> random-enough Nothing Up My Sleeve data with size around 2^14 bits? (e.g.
> long, reputable, randomly looking positive integer that is less than
> 2^(2^14))?
> My best guess is "Pi and Euler's number to a very high percision", but that
> seems boring.
> Thanks for ideas,
> -mk
> (
> end note for those who have read the paper:
> I will certainly not use exactly these NUMS to fill up the syndrome
> matrices, I instead want to feed them to "preparation" phase that will run
> XSYND with NUMS and supplied key+IV several times to generate the contents
> of new A_i matrices that will be used to generate the actual keystream.
> Or should I use some simpler key expansion function, even when XSYND is
> there already a key expansion function?
> Or did I get it completely wrong?
> )
> Refs.:
> [1]
> http://www.cayrel.net/PublicationsCayrel/2012%20-%20Improving%20the%20performance%20of%20the%20SYND%20Stream-Cipher.pdf
> [2] http://www.unilim.fr/pages_perso/philippe.gaborit/isit_synd_rev.pdf
> [3] https://github.com/exaexa/codecrypt
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

More information about the cryptography mailing list