How to remember a 128-bit key using ‘constrained choice’
by Stephen Hewitt | Published 8 August 2018
Introduction
This article shows how to memorise a 128-bit cryptographic key by using the principle of ‘constrained choice’ introduced in the previous article [PW]. This article continues from the earlier article and assumes knowledge of it but is intended for a more technical audience.
All the memory techniques described in [PW] are also used for memorising your key. The differences are only in the abbreviation scheme and in the list of partitions.
All the warnings and caveats of [PW] apply too.
Details
The abbreviation scheme here abbreviates each word to the first three letters of the word. If the word has less than three letters then it is padded with “x”.
Each byte of your key is represented by one word and you memorise the whole key by memorising a sequence of words. For a 128-bit key that means you remember a sequence of 16 words.
You chose each word for your sequence from a word list which has been partitioned into 256 parts. For each byte of your key you are constrained to choose your word from the partition that represents that byte value.
To regenerate your key from your memorised word list you lookup (in reverse) the byte value corresponding to the three letter abbreviation of each word you have memorised. Note that this means that you need to keep a copy of the mapping defined in [256PARTS], something that is unnecessary in the case of a password.
Proceed exactly as for creating a strong password in [PW], except instead of using dice or beads to select a random partition you use the value of the byte of your key at that point.
An example
So for example, suppose your key was b26b73c2bfb156d151beee89a35c1c27. (The MD5 hash of "cambridgeclarion.org")
You start by looking up b2 in [256PARTS]
You find the entry like this
0xb2 = 35;13 = L;C = 178 { abh agi bun die jux muf onl vol wro } abhor agile agitate bun bunch bundle bung bungalow bungee bunk bunker bunny bunsen die diesel diet juxtapose muff muffin muffle muffler mufti onlooker volatile volcano volley volt volume volunteer voluptuous wrong wrote
You choose one of the words from the list, or think of another one that starts with one of the three-letter abbreviations listed.
For this example I will use the technique of the Memory Walk introduced in [PW]. We will use the same imaginary walk through Cambridge. So let's say that this time starting at Queens' College I notice a game of volleyball in progress on the grass near the Mathematical Bridge. In this way I remember "volley".
The second byte of the key is 6b. So you look it up in [256PARTS] and find the following entry.
0x6b = 23;35 = G;L = 107 { fos hyg jur kor mog num opt pat upg } fossil foster hygiene jury koran korea korma mogul numb numbat number numismatics opt optics optimist optimum option optometry pat patch pate patent path pathology patient patio patriot patrol patron patsy pattern upgrade
Continuing the walk up Silver Street and crossing the bridge, on the right is the riverside patio outside the Anchor pub. So let's use this as our second word.
The third byte of the key is 73. Looking this up you find the following.
0x73 = 24;14 = H;D = 115 { bic fir gel jut leb nex plu rit tat } bicarbonate bicentennial biceps bicycle fir fire firefly firewall firm first gel gelatine jute lebanon nexus pluck plug plum plumber plume plummet plump plunder plunge plural plus plush plutonium rite ritual ritz tattoo
The next part of Silver Street has very narrow pavements on which it is difficult to wheel a bicycle when there are other pedestrians, so this will remind me of bicycle as my next word.
In this way you can continue until you have memorised the whole key. This will not continue here. Instead [PW] includes a complete example with 16 words.
So for the first three bytes of the key we have volley patio bicycle.
Retrieving the key
To retrieve the key you abbreviate the words of your memorised sequence to their first three letters. In our example so far that will be vol pat bic
You then look up these abbreviations in the inverse lookup table in Appendix 1 of [256PARTS].
The inverse look-up table exists as proof-of-concept and today perhaps only specialist users will manually decode their phrase back to a hexadecimal representation of a key. Usually a cryptographic key is going to be entered into some kind of cryptographic software which uses it. Hopefully future software will enable the three letter abbreviations to be entered directly and will itself contain a table to convert them back into the key.
References
See below for links.
- [256PARTS]
- A 256-part list for memorising 128-bit keys by constrained choice, Version 1, Stephen Hewitt, August 2018.
- [PW]
- How to remember a provably strong password: a new way using ‘constrained choice’, Stephen Hewitt, Cambridge Clarion, July 2018.
Related
- A 256-part list for memorising 128-bit keys by constrained choice Version 1, PDF (SHA256 f0e29eae9eef1537ea51727e6b3726587cb4e19cfa093a2ae2412a0604ece052)
- A 256-part list for memorising 128-bit keys by constrained choice Version 1, Plain text (SHA256 0663419a926d339c38cee377884cba36bf48ea8b04f537b0dc246e2df0588935)
- How to remember a provably strong password: a new way using ‘constrained choice’ July 2018, Stephen Hewitt. The 2nd Clarion data privacy article
- An idea for public key authentication from a name without certificates or central authority May 2021 Stephen Hewitt
- A design for passwords with system-assigned randomness and user choice July 2023 Stephen Hewitt
- Lepron, a project to develop pronounceable pseudowords for representing binary strings - Part 1: introduction and goals May 2021 An empirical investigation by Stephen Hewitt
- Lepron project part 2: towards public key authentication without central authority using names made of pseudowords August 2021 An open source project by Stephen Hewitt
- Lepron project part 3: A first attempt at pronounceable passwords using dice for quantified strength September 2021 An open source project by Stephen Hewitt
- Lepron project part 4: pseudowords with entropy of 3.5 bits/letter from trigrams Possible applications include pronounceable passwords and usable public key authentication
- How to use beads to generate random letters and numbers by hand 22 September 2017, Stephen Hewitt. The first Clarion data privacy article
- Manual encryption with a one-time pad revisited March 2019, Stephen Hewitt. The 4th Clarion data privacy article
- A simple way to represent cryptographic key fingerprints 7 June 2020, Stephen Hewitt. The 5th Clarion data privacy article
- Empirical explorations of faster Fermat factorisation, part 1 February 2022, A technical article - optimisations for a simple algorithm
External links
- How to Memorize a Random 60-Bit String Marjan Ghazvininejad and Kevin Knight, 2015 (SHA256 of PDF f0e091f445a4f777b123d56153cf149552e51424493ddf276378a709cbf5d79c)
- Testing Computer-Aided Mnemonics and Feedback for Fast Memorization of High-Value Secrets Sauvik Das, Jason Hong, Stuart Schechter, 2016 (SHA256 of PDF 55e044b41d4fc637197b25cfa130ab655683fbe76d70d92246238d715bc12af6)
- Learning system-assigned passwords (up to 56 bits) in a single registration session with the methods of cognitive psychology S M Taiabul Haque, Mahdi Nasrullah Al-Ameen, Matthew Wright, Shannon Scielzo, NDSS Symposium 26 February 2017 (SHA256 of PDF dd281016d070b67e6bcd51c42823c9e7c804afd8a6d71487bb24bf641f1e5da1)