词条 | Nothing-up-my-sleeve number |
释义 |
In cryptography, nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm.[1] These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number {{pi}} as the constants.[2] Using digits of {{pi}} millions of places after the decimal point would not be considered trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit. Digits in the positional representations of real numbers such as {{pi}}, e, and irrational roots are believed to appear with equal frequency (see normal number). Such numbers can be viewed as the opposite extreme of Chaitin–Kolmogorov random numbers in that they appear random but have very low information entropy. Their use is motivated by early controversy over the U.S. Government's 1975 Data Encryption Standard, which came under criticism because no explanation was supplied for the constants used in its S-box (though they were later found to have been carefully selected to protect against the then-classified technique of differential cryptanalysis).[1] Thus a need was felt for a more transparent way to generate constants used in cryptography. “Nothing up my sleeve” is a phrase associated with magicians, who sometimes preface a magic trick by holding open their sleeves to show they have no objects hidden inside.[2] Examples
Counterexamples
Although not directly related, after the backdoor in Dual_EC_DRBG had been exposed, suspicious aspects of the NIST's P curve constants[13] led to concerns[14] that the NSA had chosen values that gave them an advantage in finding[15] private keys.[16] Since then, many protocols and programs started to use Curve25519 as an alternative to NIST P-256 curve. {{Quote|I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry|author=Bruce Schneier |title=The NSA Is Breaking Most Encryption on the Internet (2013)}} LimitationsBernstein, et al., demonstrate that use of nothing-up-my-sleeve numbers as the starting point in a complex procedure for generating cryptographic objects, such as elliptic curves, may not be sufficient to prevent insertion of back doors. If there are enough adjustable elements in the object selection procedure, the universe of possible design choices and of apparently simple constants can be large enough so that a search of the possibilities allows construction of an object with desired backdoor properties.[17] Footnotes1. ^1 Bruce Schneier. Applied Cryptography, second edition, John Wiley and Sons, 1996, p. 278. 2. ^TV Tropes entry for "nothing up my sleeve" 3. ^RFC 1321 Sec. 3.4 4. ^FIPS 180-2: Secure Hash Standard (SHS) (PDF, 236 kB) – Current version of the Secure Hash Standard (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512), 1 August 2002, amended 25 February 2004 5. ^1 Blowfish Paper 6. ^Revision of NEWDES, Robert Scott, 1996 7. ^{{cite journal |author1=Henri Gilbert |author2=M. Girault |author3=P. Hoogvorst |author4=F. Noilhan |author5=T. Pornin |author6=G. Poupard |author7=J. Stern |author8=S. Vaudenay | title = Decorrelated Fast Cipher: an AES candidate | date = May 19, 1998 | url = http://citeseer.ist.psu.edu/gilbert98decorrelated.html | format = PDF/PostScript}} 8. ^{{cite journal | author = A. Biryukov, C. De Cannière, J. Lano, B. Preneel, S. B. Örs | title = Security and Performance Analysis of ARIA | version = Version 1.2—Final Report | publisher = Katholieke Universiteit Leuven | date = January 7, 2004 | url = http://www.cosic.esat.kuleuven.be/publications/article-500.ps | format = PostScript}} 9. ^{{cite conference|last=Rivest|first=R. L.|year=1994|title=The RC5 Encryption Algorithm|booktitle=Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994e|pages=86–96|url=http://theory.lcs.mit.edu/~rivest/Rivest-rc5rev.pdf|format=PDF}} 10. ^{{Cite journal|last=Biryukov|first=Alex|last2=Perrin|first2=Léo|last3=Udovenko|first3=Aleksei|date=2016|title=Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1 (Full Version)|url=https://eprint.iacr.org/2016/071}} 11. ^1 {{cite news |date=2007-11-15 |author=Bruce Schneier |title=Did NSA Put a Secret Backdoor in New Encryption Standard? |url=https://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 |publisher=Wired News }} 12. ^{{cite news|first=Nicole |last=Perlroth |title=Government Announces Steps to Restore Confidence on Encryption Standards|url=http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/?src=twrhp&_r=1&|accessdate=September 11, 2013|newspaper=The New York Times|date=September 10, 2013}} 13. ^https://safecurves.cr.yp.to/ 14. ^{{Cite web|url = https://lists.torproject.org/pipermail/tor-talk/2013-September/029956.html|title = [tor-talk] NIST approved crypto in Tor?|date = September 8, 2013|accessdate = 2015-05-20|first = Gregory|last = Maxwell}} 15. ^{{Cite web|title = SafeCurves: Rigidity|url = https://safecurves.cr.yp.to/rigid.html|website = safecurves.cr.yp.to|accessdate = 2015-05-20}} 16. ^{{Cite web|title = The NSA Is Breaking Most Encryption on the Internet - Schneier on Security|url = https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929|website = www.schneier.com|accessdate = 2015-05-20}} 17. ^[https://bada55.cr.yp.to/bada55-20150927.pdf How to manipulate curve standards: a white paper for the black hat] Daniel J. Bernstein, Tung Chou, Chitchanok Chuengsatiansup, Andreas Hu ̈lsing, Eran Lambooij, Tanja Lange, Ruben Niederhagen, and Christine van Vredendaal, September 27, 2015, accessed June 4, 2016 References
2 : Random number generation|Cryptography |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。