[Cryptography] mathematical constants

iang iang at iang.org
Mon Jun 8 17:22:06 EDT 2026


On 08/06/2026 16:39, Jerry Leichter wrote:
>> If the goal is "nothing up my sleeve", one of the problems is the number of possible inputs. For example, assume a hidden attack that is blocked if the standard constants are derived from the digits of Pi, but enabled if they are derived from the HKDF of "a well known piece of text". Imagine an attacker willing to try finding one of the multiple thousands of "well known pieces of text" until finding one that meets the desired goal...
> Indeed, while the very first uses of the “nothing up my sleeve” claim relied on a very small base of values, since everyone wants to use their own values (Why?  Why not use the same set of values for everything, if the actual values don’t matter?) the claim that the values “couldn’t have been influenced” becomes harder to support.


An alternative to the simple claim of "nothing up my sleeve" is to run a 
ceremony.

We discussed this many years back. In short, several people get together 
who are keen on the security result, and perhaps adversarial. They all 
provide inputs into a simple program -- short enough to be typed in -- 
and watch that everyone's input is included & hashed.

Theoretically, only one person has to be honest for this construct to 
work. We did it at CAcert for a new root cert. I think they did a 
variant to create the zCash primary keys.

In terms of post-auditability, if everyone turns up and posts their 
process and their inputs to the world, it is secure and auditable if one 
person is honest. fwiw in the CAcert process I used Jon Callas' method 
of driving my laptop camera with dark covering into quantum noise, and 
took photos to be hashed into the overall system. Another guy used John 
Denker's sound card method.

iang
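The ceremony described above, as an added example that is not from the post or from the CAcert or Zcash processes it mentions: each participant's bytes are length-prefixed and hashed into one digest, constants are expanded from it, and the published transcript lets any participant confirm their input was included. The domain label and the sample inputs are assumptions.

```python
import hashlib

# Domain-separation label; an assumed value, not one the post specifies.
DOMAIN = b"nothing-up-my-sleeve ceremony v1"

def ceremony_digest(contributions):
    """Hash every participant's input into one digest. Inputs are
    length-prefixed so bytes cannot be shifted between participants:
    [b"ab", b"c"] and [b"a", b"bc"] must hash differently."""
    h = hashlib.sha256(DOMAIN + len(contributions).to_bytes(4, "big"))
    for c in contributions:
        h.update(len(c).to_bytes(4, "big") + c)
    return h.digest()

def derive_constants(digest, count, width=32):
    """Expand the digest into `count` constants of `width` (<= 32) bytes,
    SHA-256 over digest || counter; fixed once the digest is fixed."""
    return [hashlib.sha256(digest + i.to_bytes(4, "big")).digest()[:width]
            for i in range(count)]

def publish_transcript(contributions):
    """What every participant posts afterwards: all inputs in hex plus
    the digest, so anyone can recompute the result."""
    return {"inputs": [c.hex() for c in contributions],
            "digest": ceremony_digest(contributions).hex()}

def verify_transcript(t, my_input):
    """Post-hoc check by one participant: my input is present, and the
    published inputs really recompute to the published digest."""
    inputs = [bytes.fromhex(x) for x in t["inputs"]]
    return my_input in inputs and ceremony_digest(inputs).hex() == t["digest"]

# Constructed sample inputs standing in for camera noise, sound-card
# noise and a typed string; not real ceremony data.
SAMPLE = [bytes.fromhex("9f3a1c77e4b2d0050a6e8c1b"),
          bytes.fromhex("42d8e0ff13bc9a7766e1"),
          b"typed by the third participant"]

if __name__ == "__main__":
    t = publish_transcript(SAMPLE)
    print("digest:", t["digest"])
    for k in derive_constants(ceremony_digest(SAMPLE), 4, 8):
        print("constant:", k.hex())
```

Because the digest covers every input, an honest participant whose contribution was unpredictable makes the result unpredictable to everyone else, which is the "one honest party" property the post relies on.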
