
Is there a simple hash function that one can compute without a computer?
Is there any strong enough pen-and-paper or mind cipher?
I am concerned more about security and side-channel attacks, and less about speed and simplicity.

Is there a secure cryptosystem that can be performed mentally?
I am looking for a hash function, not an encryption protocol.

Pen-and-paper one-way function for externally-anonymous survey
This question was asking for a fast and simple trapdoor function, which I am not looking for.

Vincent Yu

I am looking for a cryptographic hash function that can be computed by a human using only paper and pen without ever leaking any information about the plaintext on the paper.

  • Input/output: Any input/output set is acceptable as long as a human can represent and convert between that and text (e.g., base-2 <-> ASCII is acceptable).
  • Memory: Keeping in mind that humans can hold about 7±2 objects in working memory, the algorithm must require no more than 11 chunks (e.g., 11 digits, letters, or common words) of secure memory at any time. Data that do not need to be kept private can be offloaded to paper. Assume that the plaintext can be randomly accessed from secure read-only memory stored in the mind of the human.
  • Speed: The hash should be computable for a short input (say, 16 ASCII characters) in under a day. Under an hour would be great. Under a minute, fantastic.
  • Materials: Assume access to pen and paper. Precomputed tables (e.g., for S-boxes) are undesirable but acceptable; better would be tables that can be recomputed from easily-memorized compressed representations. Same goes for magic numbers or other precomputed data.
  • Security: The hash function should be preimage resistant. Second preimage resistance and collision resistance would be nice bonuses.
  • Side-channel attacks: The paper (or any medium other than the brain) must not at any time contain data that leaks information about the plaintext (burning the paper afterward is insufficient; assume that the state of the paper is monitored by an adversary throughout the computation).
  • Instruction set: The processing instrument is a human brain and operations must be executable by, say, a typical math/CS grad student (with practice). It may be useful to assume that the human can perform single-digit base-64 arithmetic (a set of $64^2$ mappings can be learned easily within a year through spaced repetition).
  • Description: It would be great if the algorithm can be memorized (along with representations of all precomputed tables and magic numbers). Otherwise, it would be best if a description fits on two sides of A4 paper (in words, diagrams, or anything else).

Esoteric instructions are acceptable. For example, if some part of the algorithm that requires a lot of secure memory can be done under a homomorphic scheme that requires little secure memory to execute (the idea being that everything can then be offloaded to paper without risk of leaking the plaintext), then go for it. (Something like this would presumably require a source of cryptographic randomness. That is okay: the human can memorize a single high-entropy string—known to no one else—and reuse that every time.)
