ess 1e259be0d7 Small correction in lc4.py | 7 months ago | |
---|---|---|
LS47.scad | 11 months ago | |
LS47_en.stl | 11 months ago | |
LS47_ru.stl | 11 months ago | |
README.md | 10 months ago | |
lc4.py | 7 months ago | |
ls47.py | 10 months ago | |
tiles.jpg | 1 year ago |
This is a slight improvement of the ElsieFour cipher as described by Alan Kaminsky [1]. We use 7x7 characters instead of original (barely fitting) 6x6, to be able to encrypt some structured information. We also describe a simple key-expansion algorithm, because remembering passwords is popular. Similar security considerations as with ElsieFour hold.
There’s also a 3D-printable SCAD model of the whole thing. Yay!
We suggest printing the model using more than one filament color to make the letters easily recognizable. Thanks go to Martin Ptasek for providing the picture.
If you trust your computer, there is now a very simple python implementation in
ls47.py
. A much better version usuable as an actual binary (also supporting
several versions of padding and the original ElsieFour cipher) was supplied by
Bernhard Esslinger from the CrypTool project, available in lc4.py
.
We have added some real punctuation, basic stuff for writing expressions, punctuation and quotes. The letters of the board now look like this:
_ a b c d e f
g h i j k l m
n o p q r s t
u v w x y z .
0 1 2 3 4 5 6
7 8 9 , - + *
/ : ? ! ' ( )
Zoomed in, it’s very practical to have extra position information written on the tiles:
/-----\ /-----\ /-----\ /-----\ /-----\
| | | | | | | | | |
| _ 0| | a 1| | b 2| | c 3| | d 4| ...
| 0 | | 0 | | 0 | | 0 | | 0 |
\-----/ \-----/ \-----/ \-----/ \-----/
/-----\ /-----\
| | | |
| g 0| | h 1| ...
| 1 | | 1 |
\-----/ \-----/
. .
. .
. .
To run (hand-run) the encryption/decryption, you will also need some kind of a marker (e.g. a small shiny stone, bolt nut or similar kind of well-shaped trash).
You may as well see the paper [1], there are also pictures. This is somewhat more concentrated:
P
.M
.C := P + M mod (7,7)
. Output the letter found on position C
as ciphertext.M := M + C' mod (7,7)
where C'
are the numbers written on the ciphertext tile.1,2. Symmetric key with 3,4. We want to encrypt 'y'.
marker put on 'e' Look at the marked tile:
[e]f _ a b c d /-----\
l m g h i j k | |
( ) / : ? ! ' | e 5|
s t n o p q r | 0 |
z . u v w x y \-----/
5 6 0 1 2 3 4
+ * 7 8 9 , -
5. Ciphertext is 'w' 6. Rotate the plaintext 1 position
(='y' moved by (5,0)) right, keep marker coordinates.
[e]f _ a b c d [e]f _ a b c d
Output 'w'! l m g h i j k l m g h i j k
( ) / : ? ! ' ( ) / : ? ! '
s t n o p q r s t n o p q r
z . u v w x y >> y z . u v w x
5 6 0 1 2 3 4 5 6 0 1 2 3 4
+ * 7 8 9 , - + * 7 8 9 , -
7. Rotate the ciphertext 1 Now look at the ciphertext tile:
position down.
[e]f _ a b , d /-----\
l m g h i c k | |
( ) / : ? j ' | w 2|
s t n o p ! r | 3 |
y z . u v q x \-----/
5 6 0 1 2 w 4
+ * 7 8 9 3 -
8. Update the marker position 9. GOTO 3.
by ciphertext offset (2,3).
e f _ a b , d
l m g h i c k
( ) / : ? j '
s t[n]o p ! r
y z . u v q x
5 6 0 1 2 w 4
+ * 7 8 9 3 -
Decryption procedure is basically the same, except that in step 5 you know C
and M
, and need to produce P
by subtraction: P := C - M mod (7,7)
.
Otherwise (except that you input ciphertext and output plaintext) everything
stays the same.
Grab a bag full of tiles and randomly draw them one by one. Key is the 49-item permutation of them.
Remembering 49-position random permutation that includes weird characters is not very handy. You can instead derive the keys from an arbitrary string of sufficient length.
“Sufficient” means “provides enough entropy”. Full keys store around 208 bits of entropy. To reach that, your password should have:
To have the “standard” 128 bits of entropy, the numbers reduce to roughly 39, 28 and 25, respectively.
Note that you can save the expanded tile board for later if you don’t want to expand the passwords before each encryption/decryption.
The actual expansion can be as simple as this:
I:=0
, put the tiles on the board sorted by their numbers (i.e. as on the picture above)Px, Py
.I
-th row Px
positions rightI
th column Py
positions downI := I + 1 mod 7
, repeat from 2 with next letter of the password.To get a different ciphertext even if the same plaintext is encrypted repeatedly; prepend it with a nonce. A nonce is a completely random sequence of letters of a pre-negotiated length (e.g. N tiles drawn randomly from a bag, adviseable value of N is at least 10).
You may also want to add a random number of spaces to the end of the ciphertext
-- it prevents the enemy from seeing the difference between ciphertexts of ‘yes
please’ and ‘no’, which would otherwise encrypt to gibberish that is easily
distinguishable by length, like qwc3w_cs'(
and +v
.
Because ciphertext may be altered in the transfer or during the error-prone
human processing, it is advised to append a simple “signature” to the end of
the message; which may look as simple as __YourHonorableNameHere
. If the
signature doesn’t match expectations (which happens with overwhelming
probability if there was any error in the process), either try again to see if
you didn’t make a mistake, or discard the message and ask the sender to
re-transmit.
This works because the cipher output is message-dependent: Having a wrong bit somewhere in the middle causes avalanche effect and erases any meaning from the text after several characters.
[1] Kaminsky, Alan. “ElsieFour: A Low-Tech Authenticated Encryption Algorithm For Human-to-Human Communication.” IACR Cryptology ePrint Archive 2017 (2017): 339.