I, myself, do not plan on getting into a situation where I would be unable to use a computer in order to communicate securely. However, I can think of many practical situations in which mental cryptography would be useful.

Is there a secure cryptosystem that is simple enough to be performed mentally?

Clearly, one of the challenges is remembering >100 bits of entropy to leverage, but I am assuming that this can be done beforehand.

How susceptible would any such system be to side channel attacks (like trash rummaging)?

Ilmari Karonen
John Gietzen

5 Answers

(Converted to answer from a comment.)

If pen and paper are permitted, one could probably carry out the RC4 algorithm fairly easily using 256 numbered pieces of paper (small post-it notes might be ideal, since they'd be harder to move by accident) arranged in a 16 by 16 grid (I'd suggest numbering the notes in hex for easier indexing), with two coins or something to keep track of the $i$ and $j$ indices. The algorithm itself is simple enough to memorize, too. To destroy the internal state, just shuffle the notes (and cut them up and burn them if you want to be sure).

The hard part would be key setup. The usual way of keying RC4 is not only laborious to do by hand (it's more or less equivalent to 256 encryption steps), but doesn't really shuffle the state all that well. The standard remedy for that is to discard the initial part of the output, which makes for even more work for our would-be computerless cryptographer. If you can safely carry around the state as a stack of notes, you can do it once and then just keep churning out more of the same keystream for each message, but if not, some alternative key setup mechanism would be highly recommended.

Also, there's always Solitaire, although it needs a deck of cards and has significantly worse biases than RC4. In fact, the design of Solitaire bears a strong resemblance to RC4, and was almost certainly inspired by it. Given the known weaknesses of Solitaire, if you want a hand cipher using playing cards it might be better to go with RC4-52 (i.e. standard RC4, only with 52 instead of 256 elements in the state array), although I don't know if anyone's done any serious cryptanalysis of that. (It's almost certainly weaker than normal RC4, but I'm not sure how much weaker. Probably still better than Solitaire, though.)

Ilmari Karonen
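
The RC4 variants discussed in the answer above, as an added example that is not part of the answer: standard RC4 with the state size as a parameter, so the same code runs N=256 (checked against the published "Key"/"Plaintext" test vector) and the answer's N=52 playing-card variant. RC4-52 has no specification, so it is assumed here to be plain RC4 with every index and addition taken mod N. The last function measures how often the second keystream symbol is zero: Mantin and Shamir observed that for RC4 the second output is 0 about 2/N of the time rather than 1/N, and the same argument goes through for any N, which illustrates the weak initial shuffling the answer refers to and why it recommends discarding initial output.

```python
"""Generalized RC4 over an N-element state.  N=256 is standard RC4; N=52 is
the "RC4-52" playing-card variant the answer suggests.  Added example, not
code from the answer; since RC4-52 has no specification, it is simply RC4
with every index and addition taken mod N."""
import random


def ksa(key: bytes, n: int = 256) -> list[int]:
    """RC4 key-scheduling algorithm over Z_n (the laborious 'key setup').
    Key bytes are reduced by the final mod n, so a byte key works for n < 256."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s


def prga(s: list[int], count: int, drop: int = 0) -> list[int]:
    """Generate `count` keystream symbols after discarding the first `drop`.
    s is the grid of numbered notes, mutated in place; i and j are the two coins."""
    n = len(s)
    i = j = 0
    out = []
    for k in range(drop + count):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        z = s[(s[i] + s[j]) % n]
        if k >= drop:
            out.append(z)
    return out


def keystream(key: bytes, n: int = 256, count: int = 16, drop: int = 0) -> list[int]:
    return prga(ksa(key, n), count, drop)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (n=256) encryption and decryption: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, 256, len(data))))


def second_symbol_zero_rate(n: int, trials: int, drop: int = 0, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second keystream symbol is 0.
    A uniform stream gives 1/n.  Mantin and Shamir showed RC4's second output
    is 0 with probability about 2/n, and the argument (S[2]=0 after key setup
    forces Z_2=0) holds for any n.  Dropping initial output removes the bias."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(16))
        if keystream(key, n, count=2, drop=drop)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    print(rc4_xor(b"Key", b"Plaintext").hex())              # bbf316e8d940af0ad3
    print(second_symbol_zero_rate(52, 10000))               # about 2/52 = 0.038
    print(second_symbol_zero_rate(52, 10000, drop=104))     # about 1/52 = 0.019
```

On the table, `s` is the grid of notes and the two coins mark `i` and `j`; every step of `prga` is one swap plus one lookup, while `ksa` is N such steps before the first output symbol appears, which is the key-setup cost the answer complains about.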

I can think of 2 cryptographic systems.

One that can be done with a deck of cards is a scheme called Pontifex (aka Solitaire) that was developed for the book Cryptonomicon. There are more technical details and an example of it in use on Bruce Schneier's website, although it should be noted that some weaknesses have been discovered in Pontifex.

Another one, although this one involves lots of paper, is a straddling checkerboard, which formed the basis of the system used by Soviet spies in the US (the full system was more complicated and called VIC). The spy using the system would only need to remember a phrase and a date; from these two items, one could generate the checkerboard. It takes a simple set of rules to encode a message. The book Kahn on Codes has a couple of pages explaining how messages were encrypted with this scheme. Several spies were detected by finding intermediate work in the trash.

Ethan Heilman
Tangurena
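
The straddling checkerboard described in the answer above, as an added example that is not part of the answer and not a reconstruction of the VIC system. It keys the board from two memorised items as the answer says: a mnemonic top row ("AT ONE SIR", a constructed choice: eight frequent letters and two blanks) and a keyphrase whose first ten letters are ranked alphabetically to give the column digits. The `add_mask` step is a simple repeating digit mask standing in for the long additive keystream the real system generated; the keyphrase, date digits and message are all constructed for illustration.

```python
"""Straddling checkerboard as a stand-alone pencil-and-paper cipher.  Added
example, not code from the answer or a reconstruction of VIC: the board is
derived from a mnemonic top row and a keyphrase (letters ranked
alphabetically to get a digit order), and the optional digit mask is a
short repeating key where the real system generated a long keystream.
All key material here is constructed for illustration."""
import string

TOP_ROW = "AT ONE SIR"   # mnemonic: 8 frequent letters, 2 blanks (constructed choice)
EXTRAS = "./"            # fills the last two cells of the second straddled row


def rank_digits(keyphrase: str) -> str:
    """Number the first ten letters of the keyphrase 1..9,0 in alphabetical
    order (ties left to right), giving a permutation of the ten digits."""
    letters = [c for c in keyphrase.upper() if c.isalpha()][:10]
    if len(letters) != 10:
        raise ValueError("keyphrase needs at least ten letters")
    order = sorted(range(10), key=lambda i: (letters[i], i))
    digits = [""] * 10
    for rank, i in enumerate(order, start=1):
        digits[i] = str(rank % 10)
    return "".join(digits)


def build_checkerboard(top_row: str, digits: str) -> dict[str, str]:
    """Map the 26 letters plus EXTRAS to 1- or 2-digit codes.  Letters in
    top_row get a single digit; the digits over the two blank columns become
    prefixes for two more rows holding the remaining 20 symbols."""
    if len(top_row) != 10 or top_row.count(" ") != 2:
        raise ValueError("top row must be ten cells with exactly two blanks")
    if sorted(digits) != list("0123456789"):
        raise ValueError("digits must be a permutation of 0-9")
    prefixes = [digits[i] for i, c in enumerate(top_row) if c == " "]
    rest = [c for c in string.ascii_uppercase + EXTRAS if c not in top_row]
    table = {c: digits[i] for i, c in enumerate(top_row) if c != " "}
    for row, prefix in enumerate(prefixes):
        for col in range(10):
            table[rest[row * 10 + col]] = prefix + digits[col]
    return table


def encode(plaintext: str, table: dict[str, str]) -> str:
    """Letters to digits; characters not on the board (e.g. spaces) are dropped."""
    return "".join(table[c] for c in plaintext.upper() if c in table)


def decode(digits_text: str, table: dict[str, str]) -> str:
    """Codes are prefix-free: a blank-column digit never stands alone, so a
    reader knows whether to take one digit or two."""
    inverse = {v: k for k, v in table.items()}
    prefixes = {v[0] for v in table.values() if len(v) == 2}
    out, i = [], 0
    while i < len(digits_text):
        width = 2 if digits_text[i] in prefixes else 1
        out.append(inverse[digits_text[i:i + width]])
        i += width
    return "".join(out)


def add_mask(digits_text: str, mask: str, subtract: bool = False) -> str:
    """Non-carrying digit-by-digit addition mod 10 with a repeating mask
    (a stand-in for the long additive keystream the full system used)."""
    sign = -1 if subtract else 1
    return "".join(str((int(d) + sign * int(mask[i % len(mask)])) % 10)
                   for i, d in enumerate(digits_text))


def encrypt(plaintext: str, keyphrase: str, date_digits: str) -> str:
    table = build_checkerboard(TOP_ROW, rank_digits(keyphrase))
    return add_mask(encode(plaintext, table), date_digits)


def decrypt(ciphertext: str, keyphrase: str, date_digits: str) -> str:
    table = build_checkerboard(TOP_ROW, rank_digits(keyphrase))
    return decode(add_mask(ciphertext, date_digits, subtract=True), table)


if __name__ == "__main__":
    board = build_checkerboard(TOP_ROW, rank_digits("WASHINGTON"))   # constructed keyphrase
    print(encode("ATTACK AT DAWN", board))                            # 0110818901880244
    print(encrypt("Attack at dawn.", "WASHINGTON", "19030805"))       # constructed date digits
```

Everything in `build_checkerboard` is regenerated from the two memorised items, which is the point the answer makes about carrying only a phrase and a date; the work sheet a spy would have to destroy is exactly the intermediate digit string `encode` returns before `add_mask` is applied.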

A self-shrinking LFSR can be implemented using nothing but a couple of decks of cards.

  • 0 equals face down
  • 1 equals face up.

You can then split the deck at each tap point and XOR the items in your head. After the XOR is done, you move the cards on to next split deck; this has the effect of shifting the register.

Key set-up is easy and each iteration is extremely easy; however, it would be painfully slow to operate.

Given a sufficiently long and dense polynomial, it is, however, secure.

Simon Johnson
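
The card-based self-shrinking LFSR in the answer above, as an added example that is not part of the answer: a Fibonacci LFSR where each register cell is a card (face down = 0, face up = 1), the tapped cells are XORed and appended while the oldest card drops off, and the self-shrinking rule of Meier and Staffelbach (from each output pair (a, b), keep b only when a = 1) is applied on top. The 4-bit polynomial x^4 + x + 1 is a toy chosen so the period can be checked by hand; the degree-31 trinomial is only an illustration of a longer register, and the answer's call for a dense polynomial is not met by a trinomial. Seeds and parameter names are constructed.

```python
"""Self-shrinking generator on a Fibonacci LFSR, mirroring the card layout in
the answer (face down = 0, face up = 1).  Added example, not code from the
answer.  x^4 + x + 1 is a toy used to check the period; the self-shrinking
rule (keep b from each pair (a, b) only when a = 1) is Meier-Staffelbach."""

Bits = list[int]

TOY = (4, 1, 0)          # x^4 + x + 1, primitive over GF(2): period 2^4 - 1 = 15
TRINOMIAL = (31, 3, 0)   # x^31 + x^3 + 1, a primitive trinomial (sparse, not dense)


def lfsr_step(reg: Bits, poly: tuple[int, ...]) -> tuple[Bits, int]:
    """One clock of an LFSR whose feedback polynomial is given by its exponents.
    reg[0] is the oldest bit s_{n-d}; the new bit is the XOR of reg[e] for each
    exponent e < d, i.e. s_n = sum of s_{n-d+e}.  Returns (new_reg, output)."""
    d = max(poly)
    if 0 not in poly:
        raise ValueError("polynomial needs a constant term, else the map is not invertible")
    if len(reg) != d:
        raise ValueError("register length must equal the polynomial degree")
    feedback = 0
    for e in poly:
        if e < d:
            feedback ^= reg[e]        # "split the deck at each tap and XOR in your head"
    return reg[1:] + [feedback], reg[0]   # oldest card leaves, new card goes on top


def lfsr_bits(seed: Bits, poly: tuple[int, ...], count: int) -> Bits:
    """Raw LFSR output (never use this directly as a keystream: it is linear)."""
    reg, out = list(seed), []
    for _ in range(count):
        reg, bit = lfsr_step(reg, poly)
        out.append(bit)
    return out


def lfsr_period(seed: Bits, poly: tuple[int, ...]) -> int:
    """Clocks until the register returns to the seed; 2^d - 1 for a primitive
    polynomial and any non-zero seed.  Only sensible for small d."""
    if not any(seed):
        raise ValueError("the all-zero state is a fixed point")
    reg, _ = lfsr_step(list(seed), poly)
    steps = 1
    while reg != list(seed):
        reg, _ = lfsr_step(reg, poly)
        steps += 1
    return steps


def self_shrinking(seed: Bits, poly: tuple[int, ...], count: int) -> Bits:
    """Self-shrinking generator: clock twice to get (a, b); emit b iff a == 1.
    Roughly a quarter of the raw LFSR bits survive, which is the slowness
    the answer warns about."""
    reg, out = list(seed), []
    while len(out) < count:
        reg, a = lfsr_step(reg, poly)
        reg, b = lfsr_step(reg, poly)
        if a == 1:
            out.append(b)
    return out


def deck(reg: Bits) -> str:
    """Render the register as the row of cards on the table."""
    return " ".join("UP" if b else "dn" for b in reg)


if __name__ == "__main__":
    seed = [1, 0, 0, 0]                      # constructed seed: one face-up card
    print(deck(seed))
    print(lfsr_period(seed, TOY))            # 15
    print(lfsr_bits(seed, TOY, 15))          # [1,0,0,0,1,0,0,1,1,0,1,0,1,1,1]
    print(self_shrinking(seed, TOY, 6))      # [0,0,0,0,1,1]
    print(self_shrinking([1] + [0] * 30, TRINOMIAL, 16))
```

Each call to `lfsr_step` is one physical operation on the cards, so the 64 keystream bits of a short message cost roughly 256 clocks of the register with the shrinking rule, before any XOR with the plaintext.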

People have long used code systems for this purpose, instead of ciphers. With a code, you pre-establish entire messages. "John has a long mustache" might mean "sabotage the phone lines". Or the number of suits on the dry cleaning order might indicate the size of the enemy force.

Sometimes the codes are awkward, and give away the existence of the code without giving up the meaning. A telegraph agent once received a reply to a message that asked "is mother 'dead' or 'deceased'?" which was a pretty pointless clarification to ask for unless there was a hidden meaning.

Used once, they're as secure as the endpoints who protected them. Used multiple times, they leave a distinctive pattern that can be decoded.

John Deters

This doesn't suit the entropy part.

The old and basic encoding mechanisms like the Caesar cipher (easy) or a substitution cipher (takes concentration) could be done mentally too.

If you simply want to speak or signal an encoded message to a few people in a public place, you could use "gibberish talk", which has several variants, with the basic outline being:

  • decide on pieces of 'gibberish' (some jumbled-up letters) and their placeholders in the sentence (like spaces or full stops); you can even choose multiple gibberish strings for the same placeholder and use any of them at random for more confusion

  • decide on a break-point length for actual words, after which the gibberish has to be inserted; you can even have a series of queued break-points if you can process it

AbhishekKr