
And the cryptosystem might be backdoored by the way you choose the constants. (There are way too many constants to choose from.)


It really isn't backdoored, though. Bada55 made a legit point that curves shouldn't be required to derive from simple math constants, but it does less of a good job showing that math constants are themselves necessarily untrustworthy. You'd need an awfully funky looking set of constants to get the degree of freedom bada55 proposes.


Right. Hence "nothing up my sleeve" numbers. It's hard to fit a backdoor into Pi.


I used to think so until I read Carl Sagan's Contact.


Why did you choose Pi? And not e? (see what I'm doing?)


Because pi is the simplest constant that has already been used as a magic constant in other cryptographic algorithms. Next question?


That's completely not true.

Example sha-1:

> The constant values used are chosen to be nothing up my sleeve numbers: the four round constants k are 2^30 times the square roots of 2, 3, 5 and 10. The first four starting values for h0 through h3 are the same with the MD5 algorithm, and the fifth (for h4) is similar.


2^30 times the square roots of 2, 3, 5 and 10

versus

the first N digits of Pi, minus the leading 3 (what Blowfish used).



Look at the BLAKE example there: it's simply the leading digits of pi.

The rest of the examples seem like they prove my point. 1/pi? sin(n)? First N primes? Cubes of first N primes? I agree! Super sketchy! Why would you use any of those? Just use pi.


You probably don't want to use BLAKE as the poster child for this argument, since it uses two sets of constants of distinct provenance: the initialization vector, which uses the same constants as SHA-2, i.e., the square roots of the first 8 primes, and the constants used in the compression function, which are indeed the expansion of pi. BLAKE2 got rid of the pi constants.
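
The "nothing up my sleeve" claim made in this thread for SHA-1 (2^30 times square roots), for Blowfish (hex digits of pi) and for the SHA-2 IV (square roots of the first 8 primes) is checkable. The following is an added example, not code posted by anyone in the thread: it re-derives those constants from the stated math with exact integer arithmetic and compares them against the published specification values.

```python
from math import isqrt


def sqrt_fixed(n: int, frac_bits: int) -> int:
    """floor(sqrt(n) * 2**frac_bits), computed with an exact integer square root."""
    return isqrt(n << (2 * frac_bits))


def sha1_round_constants() -> list:
    """SHA-1 K[0..3] = floor(2^30 * sqrt(n)) for n in 2, 3, 5, 10."""
    return [sqrt_fixed(n, 30) for n in (2, 3, 5, 10)]


def sha256_iv() -> list:
    """SHA-256 H0..H7: first 32 fractional bits of sqrt(p) for the first 8 primes."""
    # Low 32 bits of floor(sqrt(p) * 2^32) equal floor(frac(sqrt(p)) * 2^32) exactly.
    return [sqrt_fixed(p, 32) & 0xFFFFFFFF for p in (2, 3, 5, 7, 11, 13, 17, 19)]


def pi_fixed(frac_bits: int) -> int:
    """floor(pi * 2**frac_bits) via Machin's formula in fixed-point integers."""
    guard = frac_bits + 16  # spare bits so per-term truncation never reaches the result
    one = 1 << guard

    def arctan_inv(x: int) -> int:
        # arctan(1/x) = 1/x - 1/(3x^3) + 1/(5x^5) - ...
        total, term, k = 0, one // x, 0
        while term:
            total += (term // (2 * k + 1)) * (1 if k % 2 == 0 else -1)
            term //= x * x
            k += 1
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> (guard - frac_bits)


def blowfish_p0() -> int:
    """First Blowfish P-array word: the first 32 fractional bits (8 hex digits) of pi."""
    return pi_fixed(32) & 0xFFFFFFFF


def check_against_published() -> bool:
    """True if every derived constant matches the value in the published specification."""
    return (
        sha1_round_constants() == [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]
        and sha256_iv() == [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                            0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
        and blowfish_p0() == 0x243F6A88
    )
```

Using integer square roots and a fixed-point pi means the comparison is exact rather than dependent on floating-point rounding, which is what makes such a derivation a useful provenance check.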


WAT, there was no pi in that list



