• 09/15/2021

Nothing-up-my-sleeves numbers – Block Ciphers and Their Modes of Operation

14.2.8 Nothing-up-my-sleeves numbers

To avoid the risk of backdoors, cryptographers prefer so-called Nothing-up-My-Sleeves (NUMS) numbers to be used as constants or initialization values. Simply put, a NUMS number is any number whose origin is easy to explain. That is, it is easy to explain how the number was chosen. Figuratively, the NUMS concept is analogous to a magician demonstrating that they have no objects hidden in their sleeves before performing a magic trick.

As an example, a number composed of the first k digits of π, e or √2 would be considered a NUMS number because it is derived from a well-known mathematical constant like π or e, or from a very specific number, such as √2, which was probably the first number that ancient Greek mathematicians discovered to be irrational.

How do NUMS numbers make cryptographic algorithms more secure? The idea is that the choice of NUMS numbers is very constrained compared to (seemingly) random numbers. There are infinitely many random numbers. But there are only so many mathematical constants and well-known numbers with very specific mathematical properties, and their digits are given by nature.

As a result, the likelihood of Eve finding a NUMS number that introduces a backdoor or weakens the cryptographic algorithm is extremely low. With random numbers, on the other hand, Eve could simply generate one random number after the other until she finds one that affects the algorithm’s security.

Whether this scenario is practical depends on the cryptographic algorithm – are there parameters that are cryptographically weak? – and the computing resources available to Eve. The latter is rather easy to address, especially if Eve is a large organization, let alone a nation state.
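The practical value of a NUMS number is that anyone can re-derive it and compare it with the published constant. The following added example (not taken from the book) goes beyond the text by using SHA-256, which this page does not discuss: FIPS 180-4 defines its eight initial hash values as the first 32 bits of the fractional parts of the square roots of the first eight primes, starting with √2. The function names are hypothetical, and the tampered list is constructed for illustration.

```python
from math import isqrt

# Published SHA-256 initial hash values (FIPS 180-4).
SHA256_IV = [
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
]

def first_primes(n):
    """Return the first n primes by trial division (fine for small n)."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

def frac_sqrt_bits(n, bits=32):
    """First `bits` bits of the fractional part of sqrt(n).

    Uses exact integer arithmetic: isqrt(n << 2*bits) equals
    floor(sqrt(n) * 2**bits), so no floating-point rounding is involved.
    Masking the low `bits` bits discards the integer part of sqrt(n).
    """
    scaled = isqrt(n << (2 * bits))
    return scaled & ((1 << bits) - 1)

def derive_iv():
    """Re-derive the eight constants from the stated NUMS rule."""
    return [frac_sqrt_bits(p) for p in first_primes(8)]

def audit(published, derived):
    """Return the indices of constants that do not follow the rule."""
    return [i for i, (a, b) in enumerate(zip(published, derived)) if a != b]

if __name__ == "__main__":
    derived = derive_iv()
    print("published constants follow the rule:", audit(SHA256_IV, derived) == [])

    # Constructed example: one bit flipped in the fourth constant.
    tampered = list(SHA256_IV)
    tampered[3] ^= 0x1
    print("unexplained constants at indices:", audit(tampered, derived))
```

A constant that fails this kind of audit has no stated origin, which is exactly the situation the NUMS convention is meant to rule out.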

14.3 The AES block cipher

In stark contrast to the DES algorithm, whose design criteria were never fully published, the AES was conceived in a very transparent process. After a formal, worldwide Call for Algorithms published in 1997 by the NIST, the National Institute of Standards and Technology in the United States, 15 candidate algorithm specifications were submitted, along with reference implementations in C and Java. The goal was to find a block cipher that was as secure as Triple-DES, but much more efficient. More specifically, the AES should have a block length of 128 bits and should be able to support variable key lengths of 128, 192, and 256 bits. Further selection criteria, apart from security, were as follows:

  • Versatility: The selected algorithm should perform uniformly well on all hardware platforms, ranging from chip cards over PCs to Application-Specific Integrated Circuits (ASICs) and Field Programmable Gate Arrays (FPGAs).
  • Key agility: It should be possible to switch to a different key very fast.
  • Simplicity: The design of the selected algorithm should be as clean and transparent as possible.

At the end of the evaluation process, in May 2000, the selected algorithm was announced: it was called Rijndael and had been submitted by the Belgian cryptographers Joan Daemen and Vincent Rijmen. All five candidate algorithms that had reached the second stage of the competition were deemed to be very secure. But averaged over all platforms, Rijndael showed the best performance of all candidate ciphers. Moreover, its clean and elegant design was very convincing.

Soon after the NIST had declared Rijndael to be the AES, other standardization organizations followed. Today the AES block cipher is by far the most-used block cipher worldwide.
