[Cryptography] mathematical constants

Jerry Leichter leichter at lrw.com
Mon Jun 8 08:39:05 EDT 2026


> If the goal is "nothing up my sleeve", one of the problems is the number of possible inputs. For example, assume a hidden attack that is blocked if the standard constants are derived from the digits of Pi, but enabled if they are derived from the HKDF of "a well known piece of text". Imagine an attacker willing to try finding one of the multiple thousands of "well known pieces of text" until finding one that meets the desired goal...
Indeed, while the very first uses of the “nothing up my sleeve” claim relied on a very small base of values, since everyone wants to use their own values (Why?  Why not use the same set of values for everything, if the actual values don’t matter?) the claim that the values “couldn’t have been influenced” becomes harder to support.

What would work would be pre-commitment to values.  For example, we could have a clearinghouse to which the proposer of a new algorithm would publicly apply for some number of bits.  The clearinghouse would choose that number of bits from the next digits in the RAND book of random numbers.

This is subject to a theoretical attack:  Someone could look ahead in the book, find a “good” sequence, then wait for it to be “next.”  Unlikely, but if you really want to eliminate that possibility, there’s the idea (due I think to Rabin) of a random beacon:  A source that continuously broadcasts random bits to, nominally, the entire world. It could be a natural source - radio emissions from the Sun; it could be artificial. An algorithm proposer would publish the algorithm with unspecified constants to be filled in at a specified future time from the beacon.
                                          -- Jerry
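The commit-then-fill scheme Jerry sketches, as an added example that is not part of the original post or of any real beacon or clearinghouse: the proposer publishes a hash of the specification with the constants left as placeholders, the beacon later emits a value, and the constants are derived (here with an HKDF built on HMAC-SHA256, my choice) from the beacon output keyed by the commitment, so a spec altered after the beacon fires no longer verifies. The beacon pulse is a constructed sample, and the function names, the info label and the "well-known text" grinding helper (which shows the search freedom the quoted message describes) are assumptions of this example.

```python
import hashlib
import hmac
from typing import Callable, List, Optional

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def commit_to_spec(spec_with_placeholders: str) -> bytes:
    """Step 1: publish H(spec) before the beacon output exists.

    The spec text contains placeholders, not values, so the proposer
    has nothing to tune after seeing the beacon."""
    return HASH(spec_with_placeholders.encode()).digest()


def derive_constants(commitment: bytes, beacon_output: bytes, n_words: int) -> List[int]:
    """Step 2: after the beacon fires, fill the placeholders.

    The beacon output is the salt and the commitment the key material, so
    the derived words are bound to exactly one published spec. The info
    label is an assumption of this example."""
    prk = hkdf_extract(salt=beacon_output, ikm=commitment)
    okm = hkdf_expand(prk, b"nothing-up-my-sleeve constants", 4 * n_words)
    return [int.from_bytes(okm[4 * i:4 * i + 4], "big") for i in range(n_words)]


def verify_constants(spec: str, published_commitment: bytes,
                     beacon_output: bytes, constants: List[int]) -> bool:
    """Step 3: anyone recomputes both hashes. A spec edited after the
    beacon fired, or a different beacon value, fails."""
    if not hmac.compare_digest(commit_to_spec(spec), published_commitment):
        return False
    return derive_constants(published_commitment, beacon_output, len(constants)) == constants


def grind_seed_text(candidates: List[str],
                    predicate: Callable[[List[int]], bool]) -> Optional[str]:
    """The attack from the quoted message, for contrast: with no beacon the
    designer's chosen "well-known text" is the only entropy, so every
    candidate text is one more try at a property the designer secretly wants
    the constants to have. Returns the first text that satisfies it."""
    for text in candidates:
        consts = derive_constants(HASH(text.encode()).digest(), b"", 4)
        if predicate(consts):
            return text
    return None


if __name__ == "__main__":
    spec = "ToyCipher v1: round constants K[0..3] = <from beacon at announced time>"
    commitment = commit_to_spec(spec)                 # published before the beacon time
    pulse = HASH(b"constructed beacon pulse, not a real beacon").digest()
    k = derive_constants(commitment, pulse, 4)        # filled in after the beacon
    print("constants:", [hex(w) for w in k])
    print("honest spec verifies:", verify_constants(spec, commitment, pulse, k))
    print("edited spec verifies:", verify_constants(spec + " (tweaked)", commitment, pulse, k))
    texts = [f"well-known text #{i}" for i in range(64)]
    print("grinding finds a text with even K[0]:",
          grind_seed_text(texts, lambda c: c[0] % 2 == 0) is not None)
```

Note what the beacon buys: with a fixed published table (the RAND book) the proposer's freedom is the choice of when to apply; with a free-form seed text it is the whole candidate list; with a future beacon value bound to a prior commitment it is zero, because neither the spec nor the salt can be changed after the other is known.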

