Timeline for Are there cryptographic hash functions that can be computed using only paper and pen without leaking any information about the plaintext?
Current License: CC BY-SA 3.0
29 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Apr 20, 2024 at 16:14 | answer added | its.just.me | | timeline score: 0 |
| Mar 24, 2018 at 3:32 | comment added | eckes | | Not sure if there is any hash (besides hashing to a fixed result) which would not leak some information. After all, the whole purpose of a hash is to tell you if you guessed the input right when you use it in verification. |
| Mar 23, 2018 at 19:18 | answer added | Trevortni | | timeline score: 2 |
| Apr 13, 2017 at 12:48 | history edited | CommunityBot | | replaced http://crypto.stackexchange.com/ with https://crypto.stackexchange.com/ |
| Feb 21, 2016 at 3:45 | vote accept | Vincent Yu | | |
| Oct 30, 2014 at 5:44 | answer added | Aaron | | timeline score: 8 |
| Aug 18, 2013 at 8:21 | answer added | Ninveh | | timeline score: 6 |
| Aug 18, 2013 at 0:07 | history tweeted | twitter.com/#!/StackCrypto/status/368886747414794240 | | |
| Aug 18, 2013 at 0:06 | answer added | D.W. | | timeline score: 4 |
| Aug 17, 2013 at 19:15 | history edited | Vincent Yu | CC BY-SA 3.0 | Added some Wikipedia links and "white-box" tag. |
| Aug 17, 2013 at 19:03 | comment added | Vincent Yu | | @Giles Ah! I was not aware of the literature on white-box cryptography, so thanks for mentioning that field. If someone writes an answer summarizing what we currently know about white-box hash algorithms, I will probably accept that answer. |
| Aug 17, 2013 at 18:08 | comment added | Vincent Yu | | @Ninveh To minimize the damage if my PGP private key is snatched right after decryption, I state in the comment of my public key that signed messages are only to be trusted if a revocation certificate is included; the recipient should immediately upload that certificate to a key server that I also specify. If the key has already been revoked or if the recipient is unable to revoke the key, the signature should not be trusted. This ensures that any attacker can use the PGP private key to impersonate me in at most one message (and only before I manage to revoke the key through other means). |
| Aug 17, 2013 at 18:08 | comment added | Vincent Yu | | @Ninveh Instead of decryption, the purpose I had in mind is one-time message sender verification (where I am the sender). To do this, I distribute widely and carry encrypted copies of PGP private keys with public keys signed by my current PGP private key (public keys are all distributed to key servers). To verify that I am sending a message in an insecure environment, I decrypt a PGP key using the unique passphrase generated through hash(key\|\|salt), and use that key to sign a challenge-response (nonce) message containing information identifying my recipient and any message I wish to send. |
| Aug 17, 2013 at 17:23 | comment added | Gilles 'SO- stop being evil' | | A white-box paper-and-pen hash algorithm? That sounds really difficult. |
| Aug 17, 2013 at 16:01 | comment added | Ninveh | | @vyu - if this has a practical application, please explain the environment a bit better: assume that you are in an insecure environment, and try to regenerate your PW. You would do this only in order to get back your private PGP/X.509 keys, and later use those keys to decrypt a ciphertext or deal with clear text. Either the decrypting of the keys using the regenerated PW or subsequent operations require a computer - and no more secrets on that computer, therefore it must be a secured computer. Why can't you also regenerate your hashed PW on that computer? Why is only mental PW decryption allowed? |
| Aug 17, 2013 at 15:20 | comment added | Vincent Yu | | @Ninveh The initial hashing can be done quickly on any secure computer; the additional properties I am looking for are to ensure that I can regenerate a specific passphrase in an insecure environment without risk of revealing my key (which would compromise my other passphrases). The algorithm itself can be widely distributed and not memorized. I am assuming that any adversary does have access to a computer, and I understand that this imposes severe constraints for security. |
| Aug 17, 2013 at 15:19 | comment added | Vincent Yu | | @Ninveh Actually, I'm a math/physics/astro undergrad, and I've only formally studied some elementary aspects of cryptography through number theory and quantum computation courses. I haven't had much time to study the design of hash functions (and their associated algorithms) myself, which is why I'm asking this question here. If a solution is posted, I intend to use it to create passphrases to encrypt my PGP and X.509 private keys through hash(key\|\|salt), as outlined near the end of my question. |
| Aug 17, 2013 at 14:58 | comment added | Ninveh | | It is also important to know if the adversary has the use of a computer - in that case, as nightcracker indicated, don't expect any security from this process. If he has only brain+paper, then you may come up with something. I'd say that for any practical PW creation application, it would be much better to spend the allotted time to mentally (+pen-paper) compose a high-entropy PW without coming up with an actual mental hashing function, which most probably would be a one-shot affair. |
| Aug 17, 2013 at 14:58 | comment added | Ninveh | | I guess that this is an academic assignment whereby the instructor would want you to show your understanding of hashing, secrecy and security in an interesting way. In that case, it requires quite a bit of analytical effort which I doubt you will get here. Otherwise, I can't see any practical application to your requirements, since I can't fathom a person doing hours of calculations to come up with a high-entropy PW and still expect to remember all steps after a few weeks, when he wants to regenerate it. (continued) |
| Aug 17, 2013 at 14:38 | comment added | Vincent Yu | | @PaŭloEbermann I mean any information that allows expected recovery of the plaintext (or another preimage) faster than a brute-force search, given the hash value. |
| Aug 17, 2013 at 10:05 | comment added | Paŭlo Ebermann | | What does "doesn't leak any information about the plaintext" (i.e. message) mean? Every deterministic hash function will leak information, if just "message can't be $x$ because $x$ has another hash". |
| Aug 17, 2013 at 9:52 | comment added | Vincent Yu | | @Michael I've added a clarification to the question, thanks. There is a usage scenario near the end of the question (re: generating high-entropy passphrases). |
| Aug 17, 2013 at 9:51 | history edited | Vincent Yu | CC BY-SA 3.0 | Added clarification to the nature of the ROM storing the plaintext. |
| Aug 17, 2013 at 9:33 | comment added | Michael | | Aha, I understand. Might be worth incorporating that into the question - I interpreted the read-only random access store as a piece of paper with the message on. If you have an example usage scenario in mind that would be interesting. |
| Aug 17, 2013 at 9:25 | comment added | Vincent Yu | | @Michael I'm not sure what you mean by the original sensitive information. I was thinking of a situation where the plaintext exists only in the mind of the user—it is not recorded anywhere else. |
| Aug 17, 2013 at 9:02 | comment added | Michael | | Can you expand on why you have your side channel constraint? It doesn't seem to fit in with my model of what you're trying to achieve. The original (sensitive) information is on paper with the user. Why can they not create additional sensitive information and then either destroy it or leave it along with the original? |
| Aug 17, 2013 at 5:55 | answer added | orlp | | timeline score: 9 |
| Aug 17, 2013 at 3:12 | review First posts | | | Aug 17, 2013 at 15:33 |
| Aug 17, 2013 at 2:55 | history asked | Vincent Yu | CC BY-SA 3.0 | |