(2025-03-31) A single "why?" for a thousand "how?": hand cipher threat models ----------------------------------------------------------------------------- Before even considering using any cryptosystem, regardless of its level of security, one must answer a very important question: what and whom exactly are we protecting our data or communication against? Improper threat modeling may lead to underestimation of the adversaries' resources or overprotection of one area while neglecting some other no less critical ones. And when the main "why?" is answered, it might seem that, in the modern age, pen and paper ciphers just cannot be the answer to the "how?". Surprisingly, this is not always true, and I can show some scenarios such ciphers still are very useful in. Imagine a situation where you have to use a public computer or a work computer in a corporation evil enough to keylog every machine. So, everything you type in is monitored. Not just everything you send but everything you type in. In an anticipation of such a situation, you might already have set up an innocent-looking gateway page to send out your communication to the outer world from such harsh environments. However, you need to type in the message in an already encrypted form. Here's where pen and paper ciphers like DRACONDI, InterPlay-36 or even Digifair come in handy. Of course, if the threat model includes sending gibberish or coded data itself being discovered, you might also have to use a null cipher by turning every ciphertext letter into a random-ish word that starts with that letter, with the gateway page being able to convert your text back into the ciphertext and then decrypt it and send it out. Additionally, in order to protect your gateway from replay attacks, your plaintext must contain a predefined prefix and a non-reusable message ID, and if either of them is invalid, the gateway must not further process such a message. Another scenario might be personal notekeeping and storage of structured personal information like phonebooks, card numbers, PINs etc in a physical or even electronic environment that can't be trusted. In this case, the balance between speed of operation, key length and security is paramount. For example, the main mistake of Theodore Kaczynski when he encrypted his diary was his usage of enormous keytables that were impossible to memorize and had to be kept at all times. Of course they were found (along with all the usage instructions!) and used to decrypt the journal. Had he used something where the key material could easily be destroyed and then recreated from memory whenever necessary, that journal might remain a secret to this very day. Finally, let's not forget that "traditional" communication methods such as snail mail and classified ads still exist. Of course, one could use PGP and print out the base64-encoded version of the ciphertext data and send it as a physical letter, but that would imply more effort than just using a hand cipher with no electronics in the middle. Again, if the threat model also suggests that all letters are monitored, the mere fact of sending base64 could be incriminating. Besides, computers can help with concealing the information in the covertext but the handwriting, if done properly, can conceal much more. Steganography for mere mortals though is a topic for another time. --- Luxferre ---