3.1415926535897932 is as far as I get from memory... which is more Pi than you need for most things. I was hoping someone else caught that digits 9 and 10 were omitted

He is absolutely awesome

He is my favorite on this channel!

AlucardNoir that's true

Now we have the Parker ||

I think you'll find that's a Parker concatenation.

Are we just calling anything a "Parker X" that has a dubious solution now??? :-)

Of course not, we're only doing it with things that originate with Matt "Parker Square" Parker.

Yes, this one is super interesting. I wish if we can get a thorough expiation to why it works and how

it works by evil bit level hacking

Or on the fast Parker square function.

tl;dr it's not actually a sqare root but an approximation that works pretty closely given the inputs and range of the output

+Christoph Michelbach I believe you'll find that the fast Parker Square function is simple: pick an arbitrary number with no basis, then find a thing it's close to, and then say "close enough" :P

We are being hood winked!!!

Yea, but the entire algorithm is public knowledge, it’s not like they can sneak in some extra bit that no one knows about because it has to be implemented in encryption libraries. The devs of the libraries probably could, but again these things will be checked by again and again by different people and agencies, it would take a large conspiracy across a range of people to get away with something like that. Not impossible, but improbable

That is *much* harder.

Sad

Differential cryptoanalysis?

@@AlchemistOfNirnroot (sssshhhh, it might be the american spelling !)

@@TheSam1902 actually I, speaking as an American, believe differential is correct. Not sure whether it should be cryptanalysis or cryptoanalysis, however (Though cryptanalisys definitely looks like a typo mixing up the y and the i)

@@Twisted_Code Yeah it's "cryptOanalysis" (capital O for emphasis), because you're analysing crypto not crypts

@sundhaug92 it's cryptanalysis. Nobody uses the o in that name. But yes, come on computerphile, make a video already.

Not long ago I still had 3832 as my lockscreen code, haha

@@infernocaptures8739 ok

Simple, you sneak out the back so no one knows you were there

Backdoor for hashes: because hashes are iterative (you add a block, jumble it, add another block, jumble it again and so on), a backdoor would be a “magic” block that when added to existing hash (note: oversimplification, it's not easy to add another block to a generated hash but it's still much easier than brute-forcing it) would after jumbling get an output hash that will make it easy to get the original block - e.g. your password (it can be the original block directly but that would be too obvious that someone will probably notice just by random chance). To get this “magic” block, you have to either bend the initial state or the algorithm (or both). Bending the initial state is easy which is the reason for nothing-up-my-sleeve numbers (sequences or digits of pi are highly unlikely to fit). Compared to that, bending the algorighm is very hard, especially if you want to keep the algorithm simple so that it won't look suspicious to have backdoors.

NIST's recommended constants for dual elliptic curve RNG are highly suspected to have a backdoor in them but I'm not sure if that's been proven.

@@MrHatoi Dual_EC_DRBG used "points on a curve" which were deliberately chosen such that one is a "multiple" of the other, and NSA knew that factor. Dr. Mike made a video about that a year after this video was released.

How often do they use pi in the West Indies? Why, that would be the "pi rate of the Carribean"!

KlaxonCow Your version is more clever.

Only if you use windows.

Ultimately it mostly comes down to how well (or badly) you smooth the inherently random data that is the random fluctuations in the transfer rate.

@@seraphina985 Why does the transfer rate have random fluctuations?

@@jacobscrackers98 your info doesn't stream through a server intact. A router breaks network info into packets that are sent through the system on a timeshare with other random packets... I think, or something close to that, it is all quite mindboggling to me.

...and what is the estimated time to make that video and will the estimate be wrong ?? :) :) :)

ATschTheCube Maybe we can get an extra video about that!

This is somewhere on my list of future videos, it's really interesting!

I was hoping for not only this, (which i knew of) but other examples as well.

it's a bit of a shame Micheal didn't go into the reason for the DES magic number too. It was because the NSA actually knew about differential cryptanalysis before it was known to the public so they tried to keep the origin of the constant as secret as possible to keep the technique secret.

Yep, which is why I attempt to avoid NIST p256 too. Using Curve25519 where possible as it is clear exactly how it is generated by someone not half as untrustworthy as the NSA.

Lεst wε forgεt.

I was looking for this comment :D Glad I'm not the only nerd that noticed that.

Perhaps they're considering a video on that later? Or perhaps they consider such a thing 'controversial'? I suppose there are some terrible human beings out there that would defend the actions of the scumbags at the NSA out of a combination of ignorance and unquestioning adoration of authority.

Is it theoretically possible? Yes. Is is probable that they've done that? No. How do we know? Because nobody else has found it. That's why these numbers work for this. Everyone knows where these numbers came from, and every crpyto programmer is gonna be well-versed in them because Sha is the standard. So i imagine pretty much every crypto programmer has, at some point, tried to see if they could use one or more of those numbers to form a back door, cause they know how each is special and if there is some way to exploit it, then they will have just hacked the nsa, immortalizing them. I imagine it's probably one of those problems, like recognizing handwriting is for the nerual network crowd, where it's something they all try, and some probably come back to with more experience and try some more. Heck, I wouldn't be surprised if trying to find that backdoor is an assignment they give freshman in cyber security majors. Tl;Dr, these numbers will have been analyzed and tested and squeezed constantly and consistently for however long they've existed, from every angle, simple and complex. If there was a possible backdoor, it would have been found. And maybe one was, not sure, but if so, all they'd need to do is replace it with avagadros number or whatever, ain't no big real

@@projecttitanomega I was talking about introducing a new algorithm that seems to have straightforward magic numbers.

I believe there was a leak some time ago on the nsa. It said something like there being 2 random large primes in some algorithm that were specifically designed to create a backdoor.

I would not be surprised.... they have the capacity to throw time and money on this kind of research....

These people who would want to do that lets not name them have the kind of resources to hire anybody in the world for that very purpose. Their own operational policy is to assume security is compromised at all times which is very telling.

I think the idea is that the density of numbers that can create a backdoor are low, and so are the numbers that will seem simple enough. So the intersection of the two is very small and very hard to find.

It's the same principle that allows, say, public-key crypto to work. You take some random numbers, run them through some formulas, and you get answer out. But given the answer, it's _real_ hard to figure out what numbers you started with. But if you know those starting numbers, that lets you undo some of the hard work of the crypto. For public-key cryptography, knowing the private key lets you easily decrypt messages encrypted using the public key. For a hash function, if there's a potential weakness in the algorithm you can exploit with a specially-crafted constant in the right place, then knowing _how_ it was specially-crafted might let you create hash collisions more easily, or somesuch. Now, sure, you can say "could someone sufficiently clever just pick random constants and then reverse-engineer a backdoor from it" but then you can also say "could someone sufficiently clever just take a public key and reverse-engineer the private key from it". In theory, mathematically speaking, yes, but _practically_ speaking, not really. There isn't sufficient cleverness in the world, unless the crypto is _real_ broken, in which case it's not going to survive the scrutiny of the world for long. The whole point of these things is that they're supposed to be infeasibly difficult to reverse-engineer.

But that's the point, isn't it? If a malicious actor wanted to hide a vulnerability in plain sight, it wouldn't do to risk any sufficiently knowledgeable third-party stumbling across that same vulnerability and calling them out on it publicly, thus irreparably damaging that actor's reputation. They need to engineer the vuln to be difficult to discover within a reasonably long operational timeframe. A.K.A. the Nobody But Us (NOBUS) principle.

Yes an algorithm might be designed to have a hidden weakness with specific innocent numbers. But knowing where the numbers came from should make it a lot easier to find such a weakness.

The NSA was probably using it on other people. Remember at the time cold war was still going on; it would make sense that the NSA would want to protect US business secrets(by extension the US's technological dominance) in case the Soviets know about differential cryptanalysis, but not let them know it exist if they haven't found it themself.

If the unique aspect is to complex people will trust it less. if the unique aspect isn't complex it's unlikely to exist.

Oh wait he corrected it at the end never mind

Op Op Watch the end of the video.

It might also just be little-endian (the order of the bytes is reversed), thus 0x67452301 is 0x01234567

0110 0111 0100 0101 0010 1000 0000 0001 VS 0000 0001 0010 0011 0100 0101 0110 0111 As you can see, the jumbled version has a more "random" set of 1's an 0's that you need for your program to work in the way you want it to. So 0x67452801 is a good middle ground between "random enough to make the program work" and "You know where the number comes from."

TG MrNacknime is right. The constants (in principle) *are* 0x01234567, 0x89abcdef, 0xfedcba98 and 0x76543210 (and the fifth, 0x0f1e2d3c). The NSA didn't dream up these nothing-up-my-sleeve-numbers for SHA-1. They just reused the constants Rivest used in MD4 and MD5 (except that they needed a fifth constant, so they took the concept just a bit further). MD4 and MD5 both assume little endian in their specifications. In this case, little endian vs big endian doesn't really make a difference, since inside the hash function, the numbers have little meaning as numbers anyway. But it means that when we deal in big endian, they'll look reversed. The square root based constants are also taken from MD4.

Sam Auciello he said they make the algorithm resistant to differential cryptoanalysis

Well you have to start somewhere, so your "numberless" algorithm would then presumable just use zeros instead of these random-ish but hard coded ones. This would not only be more obscure from coding point of view but probably a lot less secure. The only really differing case would be to use (pseudo) random numbers but then the algorithm would no longer be deterministic and fit for purpose.

I guess I don't know enough about differential cryptoanalysis to dispute this. It's just like.. before I watched this video I was not concerned that the NSA had a back-door for the SHA algorithm. After watching the video I'm not convinced. So.. the video failed to make the point it was trying to make..

They pick numbers using a published method, so the public can better trust the "random" and inconsequential numbers you pick. This way the numbers aren't just "made up" and are therefore less likely to be part of some sort of back door.

The chosen numbers are to demonstrate that the constants are essentially arbitrary, and are used with no hidden agenda. Any constants could be used to salt the hash, provided that the constants are agreed upon by everyone using the algorithm. Constants which follow an obvious pattern (such as counting up & down) are easily seen as being arbitrary.

Let's say in a movie scene you see the main character dial a phone number which you can clearly see it's 555-123456 you won't think much of that number and continue watching the movie. What if the number was something else like 406-22786 (I made it up) maybe you still won't think much of it but if you are a bit savvy you might notice that's not the usual holliwood 555 number and might decide to investigate further or just straight up pause the movie and call it. And you find out it's an easter egg that relates to the movie somehow (let's say the answering machine of a famous pizzeria in the movie universe). That's the same deal with the magic numbers used in cryptographic algorithms, they are chosen to be like 555 numbers: obviously not with any kind of ulterior motive to be as they are.

Okay but what are the numbers used for? Why do they exist at all if they don't mean anything?

I think they are generally used to seed the pseudo-random generating algorithms. You mix them into the data to create hashes. Correct me if I'm mistaken, I have never implemented cryptography or hashing in general.

Further. He pronounces 'th' as 'v', probably a mostly british speech impediment.

kstringer24 Not a speech impediment, just an accent.

That's my point. His speech impediment makes him difficult to understand because his poor pronunciation produces other genuine words, but said out of context.

I would have, but he corrected himself in the outro.

SHA-1 has been cracked, it takes allot of processing power but is feasible to do thats why it was removed

That obviously depends on the requirements … or the definition of wrong. For example, IEEE 754 requires that the result of dividing two floating-point numbers a/b, assuming it is within range, must be exact to representable precision. As a human readable example, this could look like: 10.0 / 3.00 -> 0.333, all with 3 digits of precision. While this number is obviously not the true result of 10/3, it is in fact the (only) correct approximation of 10/3 to 3 decimal digits. IOW, it is the least wrong approximation to 3 digits.

I've always heard the term "magic numbers" to describe numbers people put in their code without explaining what they are (instead of declaring them are constants), so that eventually the program breaks down and no one (including the author) has any idea how to fix it because no one knows what those numbers are there for.

Magic numbers are more commonly used in file headers to make it clear what the file type is

Reality Channel Watch the end of the video.

I know but he should've gotten it right the FIRST time

Watch to the end.... >Sean

@@Computerphile You're right :)) I posted this too early

Of course we know: it's exactly the length of a 1 unit square's diagonal... There's no "magick"... And in base "square root of two" it's exactly ONE.

Garry Iglesias no, in base "square root of two" it's exactly one zero.

+Y F-N ... True, I wrote this comment too close from my waking time :).

So what do you know about it? You just gave the definition, but you did noet tell us how big it is in de base of the unit square. That would be informative. Saying it is itself does not tell you anything.

Peter Velzen it was a joke

he says so at the end.

did you even watch the end of the video? he says it's wrong

xD yeah!

Chris still impressive he spotted that!

TechyBen I would say yes and no. Depending on the algorithm, some numbers may result in very bad performance. So you need to make sure the number chosen is good.

Yes, kinda. It's just that "2^2^2^2" is just as arbitrary as "4948894894" But how do you know two to the power of two 4 times, is not also a secret back door, just as my chosen 4948etc is a backdoor? I still chose it, it was not a random/group decision.

I suppose partly, however, picking a set of numbers that only contains numbers like these gives you a lot less leeway to set things up such that you can have an advantage, when compared to picking arbitrary numbers.

or well... there are 2 missing digits in your sequence

Hafliði Örn Ólafsson Well, there it is. Watch the end of the video

He admits it at the end of the video.

He says so at the end-card

Watch the end of the video...

ok nevermind you said it at the end