How to remember a 128-bit key using constrained choice

by Stephen Hewitt | Published 8 August 2018


This article shows how to memorise a 128-bit key by using the principle of constrained choice introduced in the previous article [PW]. This article continues from the earlier article and assumes knowledge of it but is intended for a more technical audience.

All the memory techniques described in [PW] are also used for memorising your key. The differences are only in the abbreviation scheme and in the list of partitions.

All the warnings and caveats of [PW] apply too.


The abbreviation scheme here abbreviates each word to the first three letters of the word. If the word has fewer than three letters, it is padded with “x”.

Each byte of your key is represented by one word and you memorise the whole key by memorising a sequence of words. For a 128-bit key that means you remember a sequence of 16 words.

You choose each word for your sequence from a word list which has been partitioned into 256 parts. For each byte of your key you are constrained to choose your word from the partition that represents that byte value.

To regenerate your key from your memorised word list, you look up (in reverse) the byte value corresponding to the three-letter abbreviation of each word you have memorised. Note that this means that you need to keep a copy of the mapping defined in [256PARTS], something that is unnecessary in the case of a password.

Proceed exactly as for creating a strong password in [PW], except instead of using dice or beads to select a random partition you use the value of the byte of your key at that point.

An example

So for example, suppose your key was b26b73c2bfb156d151beee89a35c1c27. (The MD5 hash of "")

You start by looking up b2 in [256PARTS].

You find the entry like this:

0xb2 = 35;13 = L;C = 178 { abh agi bun die jux muf onl vol wro }
abhor agile agitate bun bunch bundle bung bungalow bungee bunk bunker
bunny bunsen die diesel diet juxtapose muff muffin muffle muffler mufti
onlooker volatile volcano volley volt volume volunteer voluptuous wrong

You choose one of the words from the list, or think of another one that starts with one of the three-letter abbreviations listed.

For this example I will use the technique of the Memory Walk introduced in [PW]. We will use the same imaginary walk through Cambridge. So let's say that this time starting at Queens' College I notice a game of volleyball in progress on the grass near the Mathematical Bridge. In this way I remember "volley".

The second byte of the key is 6b. So you look it up in [256PARTS] and find the following entry.

0x6b = 23;35 = G;L = 107 { fos hyg jur kor mog num opt pat upg }
fossil foster hygiene jury koran korea korma mogul numb numbat number
numismatics opt optics optimist optimum option optometry pat patch pate
patent path pathology patient patio patriot patrol patron patsy pattern

Continuing the walk up Silver Street and crossing the bridge, on the right is the riverside patio outside the Anchor pub. So let's use this as our second word.

The third byte of the key is 73. Looking this up you find the following.

0x73 = 24;14 = H;D = 115 { bic fir gel jut leb nex plu rit tat }
bicarbonate bicentennial biceps bicycle fir fire firefly firewall firm
first gel gelatine jute lebanon nexus pluck plug plum plumber plume
plummet plump plunder plunge plural plus plush plutonium rite ritual
ritz tattoo

The next part of Silver Street has very narrow pavements on which it is difficult to wheel a bicycle when there are other pedestrians, so this will remind me of bicycle as my next word.

In this way you can continue until you have memorised the whole key. The walk is not continued here. Instead, [PW] includes a complete example with 16 words.

So for the first three bytes of the key we have volley patio bicycle.

Retrieving the key

To retrieve the key you abbreviate the words of your memorised sequence to their first three letters. In our example so far, that will be vol pat bic.

You then look up these abbreviations in the inverse lookup table in Appendix 1 of [256PARTS].

The inverse look-up table exists as a proof of concept, and today perhaps only specialist users will manually decode their phrase back to a hexadecimal representation of a key. Usually a cryptographic key is going to be entered into some kind of cryptographic software which uses it. Hopefully future software will enable the three-letter abbreviations to be entered directly and will itself contain a table to convert them back into the key.
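The decoding step described above, as an added example (not code from this article or from [256PARTS]): it parses partition entries in the format quoted earlier, builds the inverse table, and converts memorised words back to key bytes. The function names and the case-insensitive handling are assumptions, and the table holds only the three entries quoted on this page.

```python
import re

# Header lines of the three [256PARTS] entries quoted in this article.
# The full list has 256 entries; this excerpt covers bytes b2, 6b and 73.
# Function names below are illustrative and are not from the article.
ENTRIES = """\
0xb2 = 35;13 = L;C = 178 { abh agi bun die jux muf onl vol wro }
0x6b = 23;35 = G;L = 107 { fos hyg jur kor mog num opt pat upg }
0x73 = 24;14 = H;D = 115 { bic fir gel jut leb nex plu rit tat }
"""

ENTRY_RE = re.compile(r"^0x([0-9a-f]{2}) = .* = (\d+) \{ ([a-z ]+) \}$")


def build_inverse_table(text):
    """Map each three-letter abbreviation to its byte value."""
    inverse = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        # The hex and decimal fields of an entry must name the same byte.
        if not m or int(m.group(1), 16) != int(m.group(2)):
            raise ValueError(f"malformed entry line: {line!r}")
        for abbr in m.group(3).split():
            # An abbreviation in two partitions would decode ambiguously.
            if len(abbr) != 3 or abbr in inverse:
                raise ValueError(f"bad or duplicate abbreviation {abbr!r}")
            inverse[abbr] = int(m.group(1), 16)
    return inverse


def abbreviate(word):
    """First three letters, padded with 'x' when the word is shorter."""
    letters = word.strip().lower()  # assumption: input case is ignored
    if not letters.isalpha():
        raise ValueError("words must contain letters only")
    return letters[:3].ljust(3, "x")


def words_to_key(words, inverse):
    """Decode a memorised word sequence to key bytes, one byte per word."""
    out = bytearray()
    for position, word in enumerate(words, start=1):
        abbr = abbreviate(word)
        if abbr not in inverse:  # report the position, not the secret word
            raise KeyError(f"word {position} has no entry in the table")
        out.append(inverse[abbr])
    return bytes(out)


TABLE = build_inverse_table(ENTRIES)
print(words_to_key("volley patio bicycle".split(), TABLE).hex())  # b26b73
```

Any other word from the same partitions, such as volcano, pattern and biceps, decodes to the same three bytes.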


See below for links.

[256PARTS] A 256-part list for memorising 128-bit keys by constrained choice, Version 1, Stephen Hewitt, August 2018.
[PW] How to remember a provably strong password: a new way using constrained choice, Stephen Hewitt, July 2018.