[Cryptography] mathematical constants

Michael Kjörling 9bf3a7ef93bb at ewoof.net
Mon Jun 8 06:13:44 EDT 2026


On 7 Jun 2026 23:50 -0700, from huitema at huitema.net (Christian Huitema):
> If the goal is "nothing up my sleeve", one of the problems is the number of
> possible inputs. For example, assume a hidden attack that is blocked if the
> standard constants are derived from the digits of Pi, but enabled if they
> are derived from the HKDF of "a well known piece of text". Imagine an
> attacker willing to try finding one of the multiple thousands of "well known
> pieces of text" until finding one that meets the desired goal...

Doing so wouldn't even be particularly difficult, if one is aware of
what pattern in the constant enables a particular attack.

Download all of Project Gutenberg or some similar resource. Write a
program which takes the first m..n words or sentences from each work,
or maybe the first m..n sentences of each paragraph, and runs those
through some number x of candidate one-way functions, then checks
whether the output satisfies the criteria. Depending on those criteria,
the combinatorics might well not be unreasonable.

Then the selection of the "nothing up my sleeve" value can be
specified as something like "the first $number sentences from $work by
$author as published in $year, encoded in US-ASCII, run through
Argon2d with parameters such-and-such". Easy to verify, with nothing
obviously malicious going on, especially if, in this example, the
hashing isn't all that unusual; at a glance the inputs to the selection
and generation of the "nothing up my sleeve" value are all relatively
low entropy; and if an attack is later discovered by an external party,
it offers a large degree of plausible deniability.

-- 
Michael Kjörling
🔗 https://michael.kjorling.se
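The search described in the message above, as an added example that is not part of the original post or of any mailing list participant's code. The three corpus snippets are constructed stand-ins (loosely based on public-domain openings) for a Project Gutenberg download, the four one-way functions are an assumed candidate set (hashlib has no Argon2, so PBKDF2 plays the "slow KDF" role here), and the predicate `attacker_wants()` is a placeholder for whatever property of the constant an attacker is really after; its only purpose is to have a known probability 2^-k per trial so the required corpus size can be reasoned about.

```python
"""Brute-force search for a 'nothing up my sleeve' recipe whose output
satisfies a hidden criterion.

Added example, not from the original message. CORPUS, ONE_WAY and the
predicate attacker_wants() are all constructed/assumed here; the
predicate merely stands in for the attacker's real target property.
"""
import hashlib
import re
from typing import Callable, Dict, List, NamedTuple, Tuple

Work = Tuple[str, str, int]          # (title, author, year)
Digest = Callable[[bytes], bytes]    # message -> 32-byte constant

# Constructed stand-in snippets; a real search would load complete texts.
# Kept US-ASCII so the public recipe can honestly say "encoded in US-ASCII".
CORPUS: Dict[Work, str] = {
    ("Pride and Prejudice", "Jane Austen", 1813):
        "It is a truth universally acknowledged, that a single man in "
        "possession of a good fortune, must be in want of a wife. However "
        "little known the feelings or views of such a man may be on his "
        "first entering a neighbourhood, this truth is so well fixed in the "
        "minds of the surrounding families, that he is considered the "
        "rightful property of some one or other of their daughters.",
    ("Moby-Dick", "Herman Melville", 1851):
        "Call me Ishmael. Some years ago, never mind how long precisely, "
        "having little or no money in my purse, and nothing particular to "
        "interest me on shore, I thought I would sail about a little and "
        "see the watery part of the world. It is a way I have of driving "
        "off the spleen and regulating the circulation.",
    ("A Tale of Two Cities", "Charles Dickens", 1859):
        "It was the best of times, it was the worst of times, it was the "
        "age of wisdom, it was the age of foolishness. It was the epoch of "
        "belief, it was the epoch of incredulity. It was the season of "
        "Light, it was the season of Darkness.",
}

# Assumed candidate one-way functions, all producing 256-bit output.
ONE_WAY: Dict[str, Digest] = {
    "SHA-256": lambda m: hashlib.sha256(m).digest(),
    "SHA-512 truncated to 256 bits": lambda m: hashlib.sha512(m).digest()[:32],
    "BLAKE2b-256": lambda m: hashlib.blake2b(m, digest_size=32).digest(),
    "PBKDF2-HMAC-SHA256, 1000 iterations, empty salt":
        lambda m: hashlib.pbkdf2_hmac("sha256", m, b"", 1000, 32),
}

_SENTENCE_END = re.compile(r"(?<=[.!?])\s+")


def split_sentences(text: str) -> List[str]:
    """Naive splitter: break after . ! ? that is followed by whitespace."""
    return [s for s in _SENTENCE_END.split(text.strip()) if s]


def attacker_wants(constant: bytes, k: int) -> bool:
    """Placeholder hidden criterion: the top k bits of the constant are zero.
    A random digest passes with probability 2**-k, so k models how rare the
    'useful' constants are; it has no cryptographic meaning of its own."""
    return int.from_bytes(constant, "big") >> (len(constant) * 8 - k) == 0


class Hit(NamedTuple):
    work: Work
    sentences: int      # how many leading sentences were hashed
    function: str       # which ONE_WAY entry produced the constant
    constant: bytes


def search(corpus: Dict[Work, str], one_way: Dict[str, Digest],
           predicate: Callable[[bytes], bool], max_sentences: int = 5):
    """Try every (work, sentence prefix, one-way function) triple.
    Returns (number of trials, hits whose constant satisfies predicate)."""
    trials, hits = 0, []
    for work, text in corpus.items():
        sentences = split_sentences(text)
        for n in range(1, min(max_sentences, len(sentences)) + 1):
            message = " ".join(sentences[:n]).encode("ascii")
            for name, f in one_way.items():
                trials += 1
                constant = f(message)
                if predicate(constant):
                    hits.append(Hit(work, n, name, constant))
    return trials, hits


def recipe(hit: Hit) -> str:
    """The innocent-looking public description of a found hit."""
    title, author, year = hit.work
    return (f'the first {hit.sentences} sentence(s) of "{title}" by {author} '
            f"({year}), encoded in US-ASCII, run through {hit.function}")


def expected_hits(trials: int, k: int) -> float:
    """Expected passes when the criterion has probability 2**-k per trial."""
    return trials / 2 ** k


if __name__ == "__main__":
    K = 4   # tiny so the toy corpus produces hits; real criteria are rarer
    trials, hits = search(CORPUS, ONE_WAY, lambda c: attacker_wants(c, K))
    print(f"{trials} trials, ~{expected_hits(trials, K):.1f} expected, "
          f"{len(hits)} found")
    for h in hits:
        print(f"  {h.constant.hex()}  <-  {recipe(h)}")
```

The point of `expected_hits()` is the sizing argument: with a criterion of probability 2^-k, an attacker needs on the order of 2^k (work, prefix, function) triples, and a few thousand works times a few prefix lengths times a handful of plausible hash functions or KDFs already gives 2^16 or more trials without any of the individual choices looking odd when written up as a recipe.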
