.OJ OFF
.UL ON

WARLOCK - A New Matrix-based Paradigm for Public Key Cryptography

       (C) 1993 by William J. Wilson and C. Larry Craig                  


1. INTRODUCTION

The following narrative briefly reviews the functionality of 
contemporary private key and public key (PK) cryptosystems in 
meeting current and future private sector security needs.  To 
assist in meeting these needs, the WARLOCK paradigm for matrix-     
based PK cryptosystems is presented and explained.  Systems
based on this paradigm are designed as alternatives to RSA 
and RSA-hybrid systems by making available single, high-speed, 
full bandwidth systems capable of the basic cryptographic func
tions of encryption, decryption, and source authentication 
(digital signature). 

The WARLOCK paradigm is outlined in the following paragraphs  
with actual examples of system keys and step-by-step encryption, 
decryption, and authentications transformations effected by those 
keys.

User evaluations, comments and suggestions are solicited on the 
WARLOCK paradigm as well as the particular WARLOCK 4.0 PC imple
mentation (available in C++ source code from file WARLOCK.CPP and 
in MS DOS executable code as WARLOCK.EXE).  Please direct such 
input to WARLOCK@ACM.org or Datasec Systems, PO Box 4152, Hunts
ville AL 35815-4152, or by calling Wilson at (205) 881-8002.  
User suggestions and improvements will be incorporated, as appro
priate, and improved versions (as well as other implementations 
of the WARLOCK paradigm) will made available to interested users 
in the future.
  
*****************************************************************

WARNING:  The WARLOCK cryptosystem provided herein is a copy
righted system protected by patents (awarded and pending) and is 
provided solely for private personal use and evaluation only. 
Modifications to (or copies of) WARLOCK source or executable 
programs must retain the warning and proprietary legend displayed 
on the first user screen.

The use of WARLOCK cryptosystems for private-sector commercial or 
public-sector governmental purposes is strictly prohibited with
out proper licensing arrangements.  Licensing information can be 
obtained from the above-noted sources.

*****************************************************************





2. BACKGROUND

Today's telecommunications and information system designers 
contemplating cryptographic technology are confronted with a 
relatively limited set of choices and capabilities (e.g. DES, 
RSA, proposed NIST DSS (Digital Signature Standard), etc.) which, 
even when combined in hybrid systems, are inadequate in our 
opinion to the complex security and authentication needs of the 
burgeoning information age and the even more daunting require
ments of the emerging digital multimedia revolution.  For exam
ple, the NIST DSS and RSA systems suffice for authentication but 
are too slow for ordinary encryption/decryption functions forcing 
users to employ more complicated hybrid systems resulting in 
"double exposure".  Hybrid systems typically use the DES standard 
which has been widely assailed for its all-too-short key length 
(56 bits).  Nor has the proposed NIST standard met with a warm 
reception either since it presently provides only a time-consum
ing signature capability.  In terms of variety, flexibility, 
speed, and selectable and provable levels of security, we feel 
that contemporary cryptosystems fall short of efficiently meeting 
the wide range of known and predicted private sector application 
security needs, e.g. encrypted digital voice and video, digital 
satellite communication, ISDN, wireless LAN's, source authentica
tion, IFF (Interrogate Friend or Foe) protocols, smart cards, and 
a host of other emerging applications.

To meet these needs, the authors over the past several years have 
developed and tested scores of high-speed matrix-based PK crypto
systems beginning with a patented private-key version of the Hill 
cipher and culminating in the development of the WARLOCK family 
of PK cryptosystems.  Our goal throughout has been the attainment 
of a single, full-bandwidth PK cryptosystem paradigm (with digi
tal signature) of sufficient simplicity, speed, and selectable 
levels of security for meeting current and expected cryptographic 
needs of the private sector. 

3. THE HILL PARADIGM                 

In 1929 Lester H. Hill proposed a unique, matrix-based, block 
ciphering system (1.) unlike any ever proposed before.  Although 
manifestly linear and later shown to be susceptible of chosen 
plaintext attack, Hill's system represented a quantum leap in the 
art of cryptography providing for the first time a true block 
ciphering capability with strengths substantially beyond those of 
the polyalphabetic systems of his day.  In fact, if computing 
(but not creating) the inverse of a matrix were as difficult as 
computing its permanent, Hill would have invented in a single 
stroke the first provably secure public key cryptosystem complete 
with digital signature.  Notwithstanding, Hill's method, employ
ing standard matrix transformations, established a new direction 
whose full cryptographic potential in our opinion  is still 
unrealized and one capable of nullifying in large measure the 
standard tools of conventional cryptanalysis.  Apart from the 
issue of cryptographic strength, Hill succeeded in inventing the 
first two-key cryptosystem and it remained only for Hellman and 
Diffie to establish a rigorous mathematical paradigm (2.) for 
one-way, two-key public key cryptosystems and for Rivest et al. 
to provide the first viable example of such a system (3.).   

In a later development, McEliece developed a matrix-based public 
key system (4.) based on Goppa error correction codes.  Although 
inefficient in terms of bandwidth and initially lacking digital 
signature, his system demonstrated that workable matrix-based PK 
systems were indeed possible.  In spite of the fact that the 
McEliece system was recently cryptanalyzed (5.), it nevertheless 
represented a significant step in the evolution of matrix-based 
cryptosystems.

Still later, Rodney Cooper extended Hill's mod 26 systems to 
Galois Fields GF(p) and GF(q^n) to create a cryptosystem based on 
matrix theory and Galois Fields (6).  In essence, Cooper provided 
for a matrix of polynomials (subject to two moduli) to be used as 
an encryption key with the paramount advantage that  such ma
trices can be made as large as needed to accommodate any required 
level of user security.  In fact, Patti (7.) has implemented such 
extensible multi-magabit cryptokeys in PC-based extended memory 
in which he also concatenates random bits with the plaintext 
vector prior to encryption to defeat linear attacks (cited in the 
above reference) as well as known-plaintext and chosen-plaintext 
attack.  

Rather than trying to impress a known NP-hard problem into the 
service of PK cryptography as others such as Merkle et al. (8.) 
have attempted, we have employed a two-step process instead.  In 
the first step, we developed weak but workable full-bandwidth PK 
systems with digital signature capability.  In the second step, 
we hardened the resulting system by incorporating artificial com
plexities in the key generation, encryption, and decryption 
processes with the goal of attaining selectable and provable 
levels of security -- ideally NP-hard.             

Payne and McMillen's formula (9.) defines the number of nonsingu
lar nxn binary matrices possible for each dimension of n and 
thereby the number of reversible linear mappings of n-bit strings 
possible with such matrices.  It is worth noting that such map
pings are a tiny subset of the full range of (2**n)! possible 
mappings of unique n-bit values.  Unfortunately, as Chaitin has 
noted in another context (10.), all but a small fraction of these 
mappings are essentially noncomputable and can be effected only 
by table lookup -- as the small S-box mechanisms of DES exempli
fy.  For the WARLOCK paradigm, one of the required private keys 
consists of a large, non-singular nxn matrix used to disguise the 
rectangular mxn public key.  In the implementation provided here, 
a smaller nonsingular nxn private key matrix is also required.  

In the paragraphs that follow, the term "matrix" always refers to 
a binary matrix and all forms of the term "addition"  indicated 
by the + symbol designate addition modulo-two (XOR operation).
Supporting figures for the WARLOCK paradigm and the particular 
implementation are all found at the end of the paper.  
4. THE WARLOCK PARADIGM

Overview

WARLOCK is a paradigm for a family of advanced, high-speed, full-
bandwidth, matrix-based PK cryptosystems with full digital signa
ture. These systems can be operated in ordinary encryption/de
cryption mode or in superencrypted mode, (achieving encryption 
and authentication simultaneously) as necessary with key and 
block sizes incrementally selectable according to security needs.             

All implementations of the WARLOCK paradigm share certain common
alities:

     - use of a single public key K consisting of a rectangular
       mxn binary matrix where m>n and where n is the system
       block size of plaintext and ciphertext

     - achievement of nonlinear plaintext to ciphertext mappings 
       such that for plaintexts A and B under key K, the follow         
       ing is true: MAP(A,K) + MAP(B,K) <> MAP(A+B). 

     - incorporation of secret "row identifiers" in rows         
       of the public key (which are injected in disguised form        
       into the ciphertext by the encryption process) allowing        
       a private key holder to identify public key rows            
       selected by the encryption process.           

     - use of entropy increasing "noise bits" for selected
       bit positions of the public key not occupied by row 
       identifiers

     - use of a secret, nonsingular nxn matrix M to disguise the
       public key and to serve (in inverse form) as a private key
 
     - user-selectable key and system block sizes to accommodate 
       varying levels of security requirements

     - system key generation from user-supplied "key-seeds" or
       pass phrases of 1 to 85 bytes  
          
Like most computer-based cryptosystems, WARLOCK consists of three 
basic modules: a key generation module, an encryption module, and 
a decryption module.  Digital signatures are accomplished conven
tionally by using the decryption module (with the private key) to 
formulate the signature and the encryption module (with the 
public key) to validate the signature.  Because of the speed of 
WARLOCK, encryption, decryption, and validation between two 
parties may be combined through superencryption to achieve en
cryption, decryption, and validation of every data bit exchanged.              

In the key generation module, as the example below shows, the 
public key is constructed from two major parts -- an A-part 
and a B-part.  The A-part consists of a key-seed generated and 
triplicated nxn nonsingular matrix whose n dimension is exactly 
1/3 the row dimension of the public key.

The B-part is constructed beginning with a template matrix (T-
matrix) containing a diagonal of submatrices each comprised of 
"row identifiers" whose value and row positions uniquely identify 
each matrix row.  In the first step of construction, the area 
above the diagonal (initially containing zeroes) is filled with 
key-seed generated "noise bits" and the zero-filled area below 
the diagonal is filled with a second type of key-seed generated 
filler bits designated "replacement bits".  The A-part and the B-
part are then concatenated to form a single rectangular mxn 
matrix where m<n.  This matrix is then disguised by being multi
plied by a secret invertible nxn matrix_M  whose inverse later 
serves as a private key.  The result is then jumbled by 4-row 
groups (designated 4-lets) and (optionally) rows within 4-lets to 
create a single mxn public key K where m>n and where n is the 
block size of both the input plaintext and the resulting cipher
text.  The purpose of row group jumbling is to mix up the riginal 
A-part and B-part 4-lets and thereby the locations of the row 
identifiers in the B-part.

WARLOCK encryption is accomplished by expanding an n-bit plain
text block in a nonlinear manner to form an m-bit vector which is 
multiplied by the public key to create an n-bit ciphertext.  This 
multiplication is greatly hastened (as are all binary matrix 
multiplications) by the simple expedient of associating each bit 
position of the expanded vector with a row of K allowing 1-bits 
in the expanded plaintext vector to select corresponding rows of 
K which are added modulo two (exclusively-OR'd) to produce the 
plaintext.  Throughout this paper, the terms "add", "addition 
modulo 2", and XOR (exclusive-OR) are synonomous.

Decryption is a multi-step process.  In the first step, the 
ciphertext is multiplied by private key M_inverse to create the 
same value as if the plaintext had been multiplied by the com
pleted T-matrix.  Rows selected by the encryption process (whose 
row identifiers are encoded in the ciphertext) are then retrieved 
by a deconvolution process which removes the effects of the noise 
bits identified in the private key T-matrix.   Accomplishing the 
inverse of the row selection process employed during encryption 
serves to identify and recreate the original plaintext.

5. DETAILED OPERATIONAL DESCRIPTION

The following paragraphs define in more detail the actual key 
generation, encryption, and decryption functions of the WARLOCK 
4.0 implementation.

WARLOCK Key Generation
 
The WARLOCK T matrix is comprised of two major parts: an A-part 
and a B-part.  The A-part consists of a triplicated and expanded 
nonsingular A matrix as shown in Figures 1. through 3. and the B-
part consists of a set of rows each containing a unique 3-bit row 
identifiers as shown in Figure 4.  Note that the triplicated rows 
of the A part when selected always produce a "fat bit" consisting 
of 000 or 111.  These "fat bits" when combined with the row 
identifiers of the B-part in the encryption process either pre
serve the row identifier value or complement it with the result 
that identifiers are recovered in original or complemented form.  
For example, a row identifier 100 in a given ciphertext row 
position will be recovered either as 100 or as its complement 011 
-- both identifying a particular B-part row selected in the 
encryption process.  Row identifier values for the B-Part are 
chosen as shown below such that their values and their comple
ments form a unique set of unduplicated values allowing unambigu
ous row identification. 

               4-let   Row         Identifier
               Row     Identifier  Complement

                1      100         011 
                2      010         101
                3      001         110      
                4      111         000

In the encryption process, an information containing fat bit from 
the A-part consisting of 000 or 111 is always added to each 3-bit 
identifier value selected in the B-part.  This technique not only 
preserves identification of the B-part row selected, but permits 
identification of the value of the information carrying fat bit 
as well.  In other words, if a row identifier is recovered un
changed, its fat bit is known to be 000 otherwise its fat bit is 
known to be 111.  Since the selection of fat bits is also deter
mined by plaintext values, fat bits are also information carry
ing allowing the plaintext bits to be ultimately identified

                         |----------|
                         |          |
                         |  B-part  |   
                         |          |
                         |__________|          
                         |  A-Part  |
                         |__________|


                        WARLOCK T-matrix
                                              

The A-part of the WARLOCK T-matrix is created as follows.  A key-
seed generated, nonsingular nxn matrix A (whose n dimension is 
exactly 1/3 the width of the T-matrix) and its inverse A_inverse 
is initially created as shown in Figures 1. and 2.  The A-matrix 
is then triplicated and then vertically expanded to create the 
matrix shown in Fig. 3.  As already noted, triplication of the 
columns of matrix A produces the fat bits required by the encryp
tion process. In the next step, the matrix row dimension is 
increased by adding each row pair of the matrix to create a third 
row.  A fourth all-zero row is then created completing the row 
expansion.  This last step is necessary to create A-part row 
groups (4-lets) that allow the row selection process (governed by 
plaintext values) to be identical for both the A-part and the B-
part. 

Construction of the B-part of the T-matrix begins with an initial 
template containing row identifiers as shown in Figure 4.  In the 
first hardening step, key-seed generated noise bits are added 
above the submatrix diagonal to produce the intermediate version 
shown in Figure 5.  The columns of the matrix in Figure 5. are 
then rearranged (to synchronize them with their respective fat 
bits contained in the A-part) to produce the matrix shown in 
Figure 6.  In the next step, the A-part matrix shown in Figure 3. 
and the B-part matrix shown in Figure 6. are joined to form the 
single T-matrix shown in Figure 9.  

To eliminate the "sea of zeroes" under the diagonal of the B-part 
(and to further disguise the T-matrix), a special "replacement 
bit or R-bit" matrix shown in Figure 10. is created with row 
values identical for each row 4-let.  This matrix is added to the 
matrix in Figure 9. to produce the final T-matrix shown in Fig. 
11.  Not only does this step eliminate the "sea of zeroes" under 
the diagonal, but it also displaces and further disguises all 
other bits in the T-matrix.  If the set of unique replacement row 
values in the R-matrix are initially selected to sum to zero (as
in the example), the replacement row values vanish in the encryp
tion process; otherwise their sum must be removed from the ci
phertext as a special step in the decryption process.  

In the penultimate step of key generation, the T-matrix in Figure 
11. is multiplied by the M-matrix in Figure 7. to produce the 
unjumbled public key K-matrix shown in Figure 12.  In the final 
step, this matrix is then key-seed jumbled in two ways: in four 
row groups (4-lets) and by rows within groups.  For the sake of 
simplicity, row jumbling within 4-lets has been omitted.  In the 
example below 4-lets are jumbled as follows: 

                       From       To
                       4-let      4-let

                       6          1
                       4          2
                       1          3
                       2          4
                       3          5
                       5          6

WARLOCK Encryption Process

The first encryption step consists of expanding the input plain
text block of n-bits (K-matrix column dimension) to a bit vector 
of m-bits (K-matrix row dimension) in accordance with the trans
lation table below.  In the second and final step, this vector is 
then multiplied as a column vector by public key K to produce the 
ciphertext.  Alternatively, the plaintext bit values could simply 
select the applicable rows of K directly as mentioned above and 
add them together.

                                     Expanded
                      Plaintext      Plaintext Vector
                      2-bit Seg-     (Row Selector)   
                      ment           Segment         

                      00             0001    
                      01             1000
                      10             0100
                      11             0010

WARLOCK Decryption Process

Decryption is a multi-step process.  In the first step, the 
ciphertext is multiplied by private key M_inverse to produce an 
"unmasked version" having the same value as if the expanded 
plaintext had been multiplied by the T-matrix.  

In the second step, row identifiers of the B-part are recovered 
beginning with the (originally) leftmost row identifier which is 
always recovered in undisguised or complemented form (since it 
has not been altered by noise bits).  The noise bits associated 
with this identifier row (identified in the matrix in Figure 5.) 
can now be removed from the ciphertext revealing the next 
(originally) leftmost row identifier in like manner.  This proc
ess is repeated iteratively until all row identifiers have been 
identified -- in their original or complemented form.  Each 
identifier value, thus recovered, unequivocally identifies an 
applicable 4-bit row selector value which, in turn, identifies a 
2-bit sector of the plaintext.  In addition, each recovered row 
identifier identifies its associated fat bit value as 000 or 111.  

When all row identifiers have been recovered, 2/3 of the plain
text has been decrypted.  The remaining 1/3 can now be decrypted 
by examining fat bit values derived from the recovered identifier 
values themselves, i.e. for unchanged row identifiers, the ap
plicable fat bit = 000; otherwise the applicable fat bit = 111.  
When all fat bits have been identified, they are reduced from 3 
bits to 1 bit and concatenated to form a value which is multi
plied by private key A_inverse (in Fig. 2.) to recover the re
maining 1/3 of the plaintext.  

In the final step of decryption, the full set of 2-bit plaintext 
segments are unjumbled to reverse the effects of the row 4-let 
jumbling of the public key.              

6. WARLOCK 4.0 MANUAL EXAMPLE
 
As an example of WARLOCK 4.0 operation, the WARLOCK 4.0 crypto
graphic keys shown in Figures 6., 11., and 13. may be used to 
manually encrypt and decrypt 12-bit inputs and to create and 
verify 12-bit digital signatures as desired.


For example, to encrypt plain_text P =  001110000110 using pub
lic_key_K shown in Figure 13., accomplish the following steps:

  Expand plain_text P to expanded_text 000100100100000110000100. 
  per the expansion table noted on page 7.

  Select and add rows of public_key_K under control of 1-bits in
  expanded_text to produce encrypted_text as follows:

           bit 4  selects row 4  of K = 101000100001
           bit 7  selects row 7  of K = 011110010011    
           bit 10 selects row 10 of K = 110011110001
           bit 16 selects row 16 of K = 011000001000     
           bit 17 selects row 17 of K = 000010100101
           bit 22 selects row 22 of K = 001001110001

modulo 2 sum (XOR) =  encrypted_text  = 010110011111                      

To facilitate understanding of the more complex decryption proce
dure detailed below, the following reference table is provided 
which relates row identifier values (as recovered) to the follow
ing necessary information: (1) row position selected within each 
row 4-let (2) selecting 2-bit plaintext values and (3) applicable 
fat bit values.

                      Row                       
    Row Identi-       Selected    Selecting      Associated
    fier Value        within      Plaintext      Fat Bit           
    (as recovered)    4-let       Value          Value

    100               1            01            000 
    011               1            01            111
    010               2            10            000
    101               2            10            111
    001               3            11            000
    110               3            11            111
    000               4            00            000
    111               4            00            111 

The following steps detail the decryption process:

A. Multiply encrypted_text 010110011111 by private key 
key_M_inverse shown in Figure 8. to create the initial value of 
reverted_text 100101101111.  Note that the "leftmost" row identi
fier in bit positions 1, 5, and 9 is unaffected by noise bits and 
is seen to have the value 101 indicating that row 2 of the ap
plicable 4-let of the public key was chosen by a row selector 
value of 0100 translated from a 2-bit plaintext value 10.  Ac
cordingly, 

    1. Initialize the value of resultant_text with the first 2 
recovered plaintext bit values, e.g. resultant_text 10.

    2. Create the first iteration of intermediate_text by remov
ing from reverted_text the noise bits associated with row 2 of 
private key key_T_with_noise by XORing subject row 2 with the 
reverted_text to produce the first intermediate_text value as 
follows: 
             100101101111 (reverted_text)
             011010010000 (row 2 template and noise bit values)
             111111111111 (intermediate_text)

This step also records the fat bits in positions 1, 5, and 9. of 
the intermediate_text and the reduced fat bit in position 1.

B. Note that the value of the row identifier in bits 2, 6, and 10 
"uncovered" by the previous step is seen to be 111 indicating 
that row position 4 of its respective 4-let was selected and 
further indicating an invoking plaintext value of 00 and an 
associated fat bit value of 000.  Accordingly, 

     1. Append recovered plaintext bits 00 to the current result
ant_text value giving new resultant_text 1000.  

     2. Remove from the current intermediate_text value the noise 
bits associated with applicable row 4 of key_T_with_noise_bits by 
XORing subject row 4 with intermediate_text to produce a new 
intermediate_text value as follows: 

             111111111111 (current intermediate_text)
             010101110110 (row 4 template and noise bit values)
             101010001001 (new intermediate_text)

This step also records the reduced fat bits in positions 1 and 2 
of the new intermediate_text.

C.  The value of the third row identifier (bits 3, 7, and 11) 
uncovered by the previous step is seen to be 100 indicating that 
row 1 of its respective 4-let was invoked by a plaintext value of 
01 and that its associated fat bit value is 000.  Accordingly, 

    1.  Append the recovered plaintext bits 01 to the current re
sultant_text value giving 10000.  

    2.  Remove from the intermediate_text the noise bits associ
ated with row position 1 of private key key_T_with_noise_bits by 
XORing subject row 1 with the current intermediate_text to pro
duce a new intermediate_text value as follows: 

             101010001001 (current intermediate_text)
             001000000000 (row 1 template and noise bit values)               
             100010001001 (new intermediate_text)

This step also records the reduced fat bits in positions 1, 2, 
and 3 of the new intermediate_text.

D.  The fourth and final row identifier (bit positions 4, 8, and 
12) uncovered by the previous step is seen to be 001 indicating 
that row 3 was selected by a plaintext value of 11 and that its 
associated fat bit value is 000.  Accordingly, 
    1. Append recovered plaintext bits 11 to current 
resultant_text value giving 10000111.  

    2. Remove from the current intermediate_text value the noise 
bits associated with row position 3 of the subject 4-let of 
key_T_with_noise_bits by XORing row 3 with the current intermedi
ate_text to produce a new intermediate_text_value as follows: 

             100010001001 (current intermediate_text)
             000000000001 (row 3 template value)
             100010001000 (new intermediate_text)

This step also records the final reduced fat bit in position 4 of 
the new intermediate_text whose current value is now seen to be 
1000.  

D. This completed intermediate_text value 1000 (identified and 
"reduced" fat bits) will be multiplied by private key A_inverse 
to recover the final plaintext values (originally encoded by the 
A-part of the public key) as follows: 

            1000 x A_inverse = 1000  

The recovered plaintext value 1000 is then appended to the cur
rent value of resultant_text to produce resultant_text = 
100001111000.

J.  The completed resultant_text value 100001111000 (now seen to 
be a 2-bit permutation of the original plaintext) must now be 
unjumbled in the final decryption step by reversing the row 
jumbling accomplished in the last step of the key generation  
process (described on page 7.) as follows:
            
             Source Bit        Desti-     Destination 
  Source     Pair Position     nation     Bit Pair Position
  Bit Pair   (resultant_       Bit Pair   (decrypted_
  Number     text)/(value)     Number      text)/(value)    

  6          11-12  (00)       1          1-2    (00)
  4          7-8    (11)       2          3-4    (11) 
  1          1-2    (10)       3          5-6    (10) 
  3          3-4    (00)       4          7-8    (00)
  2          5-6    (01)       5          9-10   (01)
  5          9-10   (10)       6          11-12  (10)

This final permutation step produces the sought plaintext value 
001110000110 completing the decryption process.             

Source Authentication and Superencryption

To create a source authentication value S (for source authentica
tion purposes) represented by any selected 12-bit value, S must 
first be "decrypted" by the decryption module by the steps noted 
in the foregoing paragraphs to create signature value S*.  When 
submitted to the encryption module for validation, S* produces 
the sought value S thereby proving unequivocally that S emanated 
from the private key holder.

Because of the relatively high encryption and decryption speeds 
of WARLOCK 4.0, Alice and Bob may choose for purposes of enhanced 
security to exchange messages that are simultaneously encrypted 
and authenticated. To accomplish this, Alice and Bob first obtain 
each others public keys.  In encrypting messages for Bob, Alice 
accomplishes the following:

     1.  Alice first "decrypts" each plaintext block using her
         private key to create an "authenticated version" 
         of the plaintext.  She then encrypts this version 
         by Bob's public key to create a final ciphertext block
         which she transmits to Bob.

     2.  Bob first decrypts the ciphertext block by his private 
         key recovering the "authenticated version".  He then 
         transforms this version to Alice's original plaintext
         by "encrypting" it with Alice's public key thus proving
         Alice to be the originator of the plaintext since she
         is the only holder of the private key.
         
In encrypting messages for Alice, Bob follows the same procedure 
with the appropriate public and private keys. 
   
7. SEEDING THE WARLOCK KEY GENERATION FUNCTION         

A basic desideratum of classic private key cryptosystems was  
easily generated and memorized keys to avoid a possibly compro
mising (or incriminating) recording of the key.  This desideratum 
has all but vanished with DES and the advent of PK systems.  Who, 
for example, can remember a thousand-bit RSA modulus or its 
constituent primes.  Nevertheless, there are many occasions where 
one would not wish to transport private keys to a new operating 
locations, but regenerate them at their new location, use them, 
and destroy them.  Such a capability is available through the 
unique WARLOCK key seeding feature which allows users to seed the 
key generation process with a user secret key-seed (or pass 
phrase) of 1 to 85 bytes (8 to 680 bits).  Such a feature is 
typically absent from number theoretic cryptosystems such as RSA 
and the NIST DSS.  With the WARLOCK key seeding feature, users 
can establish simple mnemonic seeding tokens or create elaborate
ly structured key-seeds as needed.   

Key seeding also facilitates the use of WARLOCK as a stream 
cipher where Bob and Alice at different locations independently 
generate a common private key based on a secret shared key-seed.  
Such a procedure allows then to generate and synchronize a common 
pseudorandom bit stream beginning with an agreed-on starting 
value v which is "decrypted" by the private key and the result 
XORed with plaintext to encrypt and decrypt in the manner of one-
time pads or Vernam ciphers.  The starting value v would then be 
incremented by +1 each iteration yielding a nonrepeating cycle of 
2**n iterations where n is the system block size in bits.       
Key seeding also facilitates opportunistic encryption using 
devices such as PC's and workstations that are generally avail
able but not portable.  For example, Bob could freely transport 
the encryption/decryption program on a 3 1/2" floppy in his shirt 
pocket without fear of compromising his secret key-seed.  Alice 
could encrypt from any available PC initialized with an installed 
WARLOCK program.  Both would enter their secret key-seed at the 
time of message exchange.  

As yet another example of the potential of key seeding, consider 
an environment where Bob and Alice are deployed as secret agents 
who must unequivocally authenticate each other's identity prior 
to commencing their mission.  Each has memorized a key-seed given 
them by their faceless directors and each carries an unknown 
ciphertext segment as well.  When they finally rendezvous in 
Vienna, Bob and Alice XOR the ASCII representation of their key-
seeds to produce a new key-seed value which they use to generate 
cryptographic keys.  Each then decrypts his ciphertext segment 
with the newly-generated keys.  Bob hands his decrypted message 
to Alice who reads, "Of course, you know my name isn't Bob at 
all, it's Travis and I am pleased to meet you at last, Tatiana 
AKA Alice."   

8. WARLOCK CRYPTOGRAPHIC STRENGTH

It would be presumptuous at this point to assert that WARLOCK is 
categorically unassailable -- particularly in light of the vast 
resources of linear algebraic techniques (most of which are 
unknown to the authors) that might be mustered for its cryptanal
ysis.  The rise and fall of numerous PK cryptosystems proposed 
during the last decade certainly recommend caution as well.  
However, based on our experience to date in making and breaking 
scores of matrix-based PK cryptosystems, it is our feeling that 
the only potentially effective assault possible against WARLOCK 
is the derivation of private keys (or workable alternatives) from 
the public key (assuming that the keys are sufficiently large to 
preclude other attacks).  Clearly, the keys themselves cannot be 
exhaustively enumerated owing to their size.  Simmons generalized 
PK system attack (11.) can be precluded in several ways.  Users 
may choose to operate in superencrypted mode which accomplishes 
encryption and source authentication simultaneously or they may 
choose a suitably large system block size.  Various kinds of pre-
encryption scrambling (to increase input entropy) and post-de
cryption unscrambling may also be employed.

Thus far we have been unable to cryptanalyze WARLOCK 4.0 with 
techniques successful against ancestors of WARLOCK.  Under all 
the attacks that we have been able to muster, the work factor 
required to cryptanalyze WARLOCK 4.0 is an exponential function 
of block size which can be made arbitrarily large.  What we are 
seeking from the user community is an assessment of the viability 
of the WARLOCK paradigm as well as a more precise quantification 
of the work factor required to cryptanalyze WARLOCK 4.0.


9. CONCLUSION 
  
Apart from the undecided issue of security, the WARLOCK paradigm 
meets our objective of providing users with single high-speed 
general purpose PK cryptosystems (exemplified by WARLOCK 4.0) as 
alternatives to number theoretic systems.  We feel that WARLOCK 
cryptosystems can serve the security needs of private users to 
whom we grant free use subject to the restrictions noted in the 
source code and in the introduction to this paper.  The WARLOCK 
paradigm also suggests a new direction for the development of PK 
systems free of the computational burden of number theoretic 
systems.  Finally, the WARLOCK paradigm suggests a potentially 
fruitful direction for achieving a viable cryptographic embodi
ment of the NP-hard coding problem cited by Berlekamp et 
al.(12.).








































10. WARLOCK 4.0 NUMBERED FIGURES                          
                                        Note: To facilitate de-
1000       1000         101010101010    cryption, Row 1. is row 2        
1010       0110         100010001000    of Matrix A triplica-
1110       1100         001000100010    ted.  Row 2 is row 1
0011       1101         000000000000    triplicated; row 3 is
                        001100110011    the XOR of rows 1 and 
Figure 1.  Figure 2.    111011101110    2 and row 4 is the 
A-Part     Private Key  110111011101    XOR of rows 1, 2, and 
Matrix A   Matrix A_    000000000000    3. The same process   
           inverse                      using remaining row
                        Figure 3.       pairs of Matrix A is re-
                        A-expanded      peated to create A_expan-
                                        ded.                        

100000000000  100010101101  101101000011  The columnar rearran-                    
010000000000  010100100010  011010010000  gement of Figure 6. is
001000000000  001011001000  000001001110  required to synchronize             
111000000000  111111001001  110011001111  its row identifier co-                                           
000100000000  000100101011  011000010011  lumns with the fat bit      
000010000000  000010111111  001101110011  columns of the matrix
000001000000  000001111100  001100100110  in Figure 3. so that      
000111000000  000111011110  010101110110  they can be properly 
000000100000  000000100000  001000000000  concatenated to produce              
000000010000  000000010001  000000100001  the matrix in Figure 9.
000000001000  000000001001  000000000011               
000000111000  000000111000  001000100010  
000000000100  000000000100  000100000000                
000000000010  000000000010  000000010000  
000000000001  000000000001  000000000001               
000000000111  000000000111  000100010001  

Figure 4.     Figure 5.     Figure 6.               
B-Part        B-Part        B-Part           
Initial       key_T_temp-   Columnar re-                     
key_T_temp-   late with     arrangement
late          noise bits    = key_T_with_
                            noise_bits

110000001000     101001010100
000110100011     100100111100
100000100001     010001110011
110101011011     000001101100
111010111100     001111001000
110101000010     110010110100
001000111100     110110001110
100100010001     111111110010
011000000100     101101101000
100001111010     110101000111
000000010010     111111110000
010111011110     010111011010

Figure 7.        Figure 8.
key_M            Private Key                
                 key_M_inverse
101101000011  110100100010   011001100001
011010010000  110100100010   101110110010                  
000001001110  110100100010   110101101100   
110011001111  110100100010   000111101101                
011000010011  001101010001   010101000010   
001101110011  001101010001   000000100010                  
001100100110  001101010001   000001110111   
010101110110  001101010001   011000100111                
001000000000  010011011011   011011011011    
000000100001  010011011011   010011111010                 
000000000011  010011011011   010011011000   
001000100010  010011011011   011011111001                  
000100000000  101100110010   101000110010  
000000010000  101100110010   101100100010                
000000000001  101100110010   101100110011          
000100010001  101100110010   101000100011                  
101010101010  011111101001   110101000011  
100010001000  011111101001   111101100001                          
001000100010  011111101001   010111001011 
000000000000  011111101001   011111101001
001100110011  011001110011   010101000000
111011101110  011001110011   100010011101
110111011101  011001110011   101110101110
000000000000  011001110011   011001110011

Figure 9.     Figure 10.     Figure 11.                      
key_T_with_   replacement_   key_T_replaced                    
noise (A      rows (common   (Figure 9. XOR'd
and B-Part    displacement   with Figure 10.)     
joined)       value to be         
              XOR'd with 
              each 4-let)























001100100010    000110111010         plain_text                
110011110001    000000000101         001110000110   
000111110000    101110011110                              
011100111001    101000100001         expanded_text is         
000110101000    111100010110         000100100100000110000100 
001000101110    101101011100                              
101111011001    011110010011         encrypted_text is        
011000001000    001111011001         010110011111             
000010100101    001100100010                              
111101100110    110011110001         reverted_text is         
110101001000    000111110000         100101101111             
001010001011    011100111001                              
111100010110    000110101000         intermediate_text is     
101101011100    001000101110         100010001000             
011110010011    101111011001                              
001111011001    011000001000         resultant_text is        
100001111110    000010100101         100001111000             
001001110001    111101100110                              
110011001110    110101001000         decrypted_text is        
011011000001    001010001011         001110000110             
000110111010    100001111110                              
000000000101    001001110001         Figure 14.              
101110011110    110011001110         Transformation           
101000100001    011011000001         Sequence                 
                            
Figure 12.      Figure 13.  
key_T_to_be_    Public_key_K       
jumbled (re-    (row jumbling   
sult of multi-  by 4-lets of               
plication of    the matrix in             
Fig. 11 matrix  Figure 12.)    
by disguising   
matrix M in
Figure 7.)
    




















11. GLOSSARY OF TERMS              

Block Length (BL) - a user-supplied key generation and system 
parameter that determines systems block size, i.e. the size of 
plaintext and ciphertext blocks that will be encrypted and de
crypted by the system.  System block size is always a multiple of 
24 bits (i.e. n24 bits where n is specified by the user).  In 
addition, this parameter determines the dimensions of the various 
public and private key matrices generated by the system (as noted 
below) where the n is the user-supplied value, e.g.

              Matrix                   Bit Dimensions
                  
              A-Matrix (and inverse)   n8 x n8 (before expansion)
              T-matrix                 n24 x n32
              Matrix M (and inverse)   n24 x n24 
              Public Key Matrix        n24 x 2n24

Fat Bit - a three-bit value (of the form 000 or 111) produced by 
the triplicated A-matrix of the A-part of the public key and 
which is always combined with a particular Row Identifier in the 
B-part with the result that the Row Identifier is either left 
intact if Fat Bit = 000 or complemented if Fat Bit = 111.  As a 
result, when a Row Identifier is recovered intact, its associated 
Fat Bit is known to be 000; otherwise the Row Identifier comple
ment is found and the Fat Bit is then known to be III.  

Jumbling - in general, matrices may be jumbled by row or column 
as necessary.  For hardening purposes, the WARLOCK public key is 
row jumbled by 4-lets (4-row groups) and, optionally, by row 
within each 4-let.  4-let row jumbling results in a 2-bit permu
tation of plaintext prior to encryption with the result that 
recovered plaintext must be "unjumbled" by the inverse of the 
jumbling process after it has been decrypted. 

Key Seed (KS) - a 1 to 85 byte parameter supplied by the user for 
key generation purposes.  The KS value is expanded and used by 
the key generation module in concert with the block length param
eter to establish the bit values of all public and private key 
binary matrices.  Key generation is deterministic, that is, a 
given key seed value (in concert with a given block length param
eter) always generates the exact same private and public keys.    

Noise Bits - filler bits (created in the key generation process 
from the key seed) used to replace the "sea of zeroes" above the 
submatrix diagonal of the initial T-matrix.

Replacement Bits - filler bits (created in the key generation 
process from the key seed) used to replace the "sea of zeroes" 
below the submatrix diagonal of the initial T-matrix.  Unlike 
Noise Bits, Replacement Bits are identical for each row of a 
given 4-let as can be seen in Figure 10.  

Row Identifier - a disguised 3-bit string in each row of the 
public key that is recovered from the ciphertext in the decryp
tion process and which identifies the rows selected by the en
cryption process in accordance with bit configurations of the 
plaintext.  Knowledge of the row identifiers allows the plaintext 
to be recreated.  Row identifiers in the example are: 100, 010, 
001, and 111 and are chosen so that the set of row identifiers 
and their complements are all unique values.

Row Selector - a 4-bit configuration used in the encryption 
process that selects exactly one row of each 4-let of the public 
key and adds them modulo 2 to produce the ciphertext.  The 4-bit 
row selector is created by the plaintext expansion process from 
2-bit segments of the plaintext according to the translation 
table below.  Note that there is a one-to-one correspondence 
between each unique 2-bit plaintext value and each unique 4-bit 
Row Selector value.  This relationship is exploited in the de
cryption process. 

             Plaintext          4-bit
             2-bit Seg-         Row Se-
             ment               lector

             00                  0001
             01                  1000
             10                  0100
             11                  0010

4-let - the designation given four-row groups of the public key.  
In the encryption process, exactly one row is always chosen from 
every 4-let in accordance with the bit configuration of the 
plaintext.  The term "4-let" originated from the 4 rows always 
associated with each submatrix of the T-matrix.  To achieve 4-
lets for the A-part, the A-matrix is triplicated and expanded 
vertically as shown in Figure 3.   






















12. REFERENCES 

    1. Hill, L. "Cryptography in an Algebraic Alphabet," Amer. 
Math. Monthly. 36: 306-312, 1929. 

    2. Diffie, W., and Hellman, M.E. "New Directions in Cryptog
raphy," IEEE Trans. Inform. Theory IT-22, 644-654, Nov. 1976.

    3. Rivest, R. et al., A Method for Obtaining Digital Signa
tures and Public-key Cryptosystems, Communications of the ACM 21, 
pp. 120-126, Feb 1978.

    4. McEleice, R.J. "A Public-key cryptosystem based on Alge
braic Coding Theory," DSN Progress Rep. 42-44, Jet Propulsion 
Laboratory, pp. 114-116, 1978.

    5. Korzhik, V.L. and Turkin, A.I., "Cryptanalysis of McE
liece's Public-key Cryptosystem," Advances in Cryptology - Euro
crypt '91 Proceedings.

    6. Cooper, R. "Linear Transformations in Galois Fields and 
Their Application to Cryptography," Cryptologia, Vol 4., No. 3, 
pp. 184-188, 1992.

    7. Patti, T. "The SUMMIT Cryptosystem,"  Cryptosystems Jour
na, Vol 2., No. 2, 1992.                                  

    8. Merkle, C. and Hellman, M.E. "Hiding Information and 
Signatures in Trapdoor Knapsacks," IEEE Trans. Inform. Theory.IT-
24: pp. 525-530, 1978. 

    9. Payne, W.H. and McMillan, K.L., Orderly Enumeration of 
Nonsingular Binary Matrices Applied to Text Encryption, Communi
cations of the ACM, pp. 259-265, April 1978.                       

   10. Chaitin, G. J. ""Randomness and Mathematical Proof," 
Scientific American pp. 47-52, May 1975.

   11. Simmons, G.J., Forward Search as a Cryptanalytic Tool 
Against a Public Key Privacy Channel, Proceedings of the IEEE 
Symposium on Security and Privacy, April 1982.                       

   12. Berlecamp, E.R., McEleice, R.J., and van Tilborg, H.C.A.,  
On the Inherent Intractability of Certain Coding Problems, IEEE 
Trans. Inform. Theory, IT-24, pp. 384-386, May 1978.










13. BIOGRAPHICAL DATA

William J. Wilson is an early-retiree of the Sperry half of the 
current UNISYS corporation.  During his 23 years there, he spe
cialized in database design, information storage and retrieval, 
and system security.  He is a member of ACM occasionally consult
ing in his areas of expertise and is also identified in the 
current Directory of American Fiction Writers and Poets as both a 
writer (science fiction and horror) and a poet.  His light and 
satirical verse appeared frequently in DATAMATION (Churl's Garden 
of Verses, Solid-state Jabberwocky, Ode to the Indomitable GOTO, 
etc.) and other magazines.

C. Larry Craig (co-inventor of WARLOCK and author of the C++ 
WARLOCK program) currently works as a private consultant and 
software designer in the fields of digital communication, commu
nication networks, and cellular and telephony applications.
