It should probably be noted that this is not some sort of validation to the fact that "the NSA owns this particular DRBG".

Surprisingly (to me), this is merely a signal of a government agency that takes public perception to heart and issues a vote of not-complete-confidence in standards it has previously prescribed, and today is seeking to rectify the problem by looking for nothing-up-my-sleeve numbers [0] agreed upon by security researchers and the public at large. A smart move, no doubt a difficult one to make, as even the slightest suggestion of no-confidence in a prescribed standard is quite damaging to the reputation of an institution devoted to maintaining reliable standards.

More info on nothing-up-my-sleeve: [0] http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number

Sure, but the Times piece /very strongly/ suggests it: http://bits.blogs.nytimes.com/2013/09/10/government-announce...

(Perlroth quotes from a few unpublished, leaked memos.)


Somewhat off topic, but it seems like it would be better to use some future unpredictable events to really remove any "nothing up my sleeve" doubt, e.g. a hash of the sum of all S&P 500 companies' closing stock prices on a specific future date.


I assume you need some flexibility in choosing a nothing-up-my-sleeve number, in case the first number you try has properties that are bad for the algorithm.

Imagine if the super-official, international standard nothing-up-my-sleeve number was 1. Any time you need consistent but arbitrary bits in a cryptographic algorithm, they must be ...000000000000001. That doesn't sound like it would work very well.


In that case, you announce a reroll, along with a published paper explaining that x^1 == x. But, assuming you use SHA-256 or higher, the chances of that happening are less than one over the number of atoms in the observable universe, so you shouldn't worry about it the same way you don't worry about hash collisions happening purely by chance.


Ok, then describe some algorithm with exact criteria (and explanations of the criteria) needed for the number, but still seeded by future random events, e.g. "if the first hash doesn't meet these criteria, hash it again and again until it does."
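The derive-and-reroll procedure described in this sub-thread, as an added example that is not part of the original discussion: a public seed string (here a constructed placeholder for the future stock-price figure) is hashed with a counter, the counter is bumped until published criteria pass, and a separate audit function checks that no earlier counter would also have been acceptable, so a reroll cannot be used as a hidden degree of freedom. The seed text, the criteria and the function names are assumptions for illustration.

```python
import hashlib

# Constructed placeholder seed: a public description of the future event whose
# outcome is hashed. In practice it would be the actual published figure.
SEED = "S&P 500 closing-price sum on 2013-09-30: 12345.67 (constructed value)"


def candidate_at(seed_description: str, bit_length: int, counter: int) -> int:
    """Candidate number `counter`: the top bit_length bits of SHA-256(seed|counter)."""
    if not 0 < bit_length <= 256:
        raise ValueError("one SHA-256 output gives at most 256 bits")
    digest = hashlib.sha256(f"{seed_description}|{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bit_length)


def reject_degenerate(bit_length: int):
    """Published acceptance criteria: not 0, not 1 (the thread's x^1 == x case),
    odd, and with the top bit set so the constant has its full bit length."""
    def accept(x: int) -> bool:
        return x > 1 and x % 2 == 1 and (x >> (bit_length - 1)) == 1
    return accept


def derive_nums_constant(seed_description: str, bit_length: int, accept):
    """Hash the seed with a counter and reroll, transparently, until the candidate
    passes the criteria. Returns (constant, counter) so the reroll is auditable."""
    counter = 0
    while not accept(candidate_at(seed_description, bit_length, counter)):
        counter += 1
    return candidate_at(seed_description, bit_length, counter), counter


def verify_nums_constant(seed_description, bit_length, accept, counter, claimed) -> bool:
    """Audit a published (constant, counter) pair: every earlier counter must have
    failed the same criteria (otherwise the reroll was a free choice), and the
    final counter must reproduce the claimed value."""
    if any(accept(candidate_at(seed_description, bit_length, c)) for c in range(counter)):
        return False
    return accept(claimed) and candidate_at(seed_description, bit_length, counter) == claimed


if __name__ == "__main__":
    crit = reject_degenerate(128)
    k, n = derive_nums_constant(SEED, 128, crit)
    print(f"constant=0x{k:032x} after {n} reroll(s); audit ok: "
          f"{verify_nums_constant(SEED, 128, crit, n, k)}")
```

Anyone holding the seed description, the criteria and the counter can recompute the constant and confirm that no earlier candidate was quietly skipped.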


The variety of "nothing up my sleeve" numbers listed in Wikipedia suggests that the NSA could brute force a "nothing up my sleeve" source backtracked from a vulnerable number they wanted to use.


> It should probably be noted that this is not some sort of validation to the fact that "the NSA owns this particular DRBG".

It sounds like the NYT is convinced. The caption under the header picture reads:

"As part of its efforts to foil Web encryption, the National Security Agency inserted a backdoor into a 2006 security standard adopted by the National Institute of Science and Technology, the federal agency charged with recommending cybersecurity standards."
