PGP word list

Last updated

The PGP Word List ("Pretty Good Privacy word list", also called a biometric word list for reasons explained below) is a list of words for conveying data bytes in a clear unambiguous way via a voice channel. They are analogous in purpose to the NATO phonetic alphabet, except that a longer list of words is used, each word corresponding to one of the 256 distinct numeric byte values.

Contents

History and structure

The PGP Word List was designed in 1995 by Patrick Juola, a computational linguist, and Philip Zimmermann, creator of PGP. [1] [2] The words were carefully chosen for their phonetic distinctiveness, using genetic algorithms to select lists of words that had optimum separations in phoneme space. The candidate word lists were randomly drawn from Grady Ward's Moby Pronunciator list as raw material for the search, successively refined by the genetic algorithms. The automated search converged to an optimized solution in about 40 hours on a DEC Alpha, a particularly fast machine in that era.

The Zimmermann–Juola list was originally designed to be used in PGPfone, a secure VoIP application, to allow the two parties to verbally compare a short authentication string to detect a man-in-the-middle attack (MiTM). It was called a biometric word list because the authentication depended on the two human users recognizing each other's distinct voices as they read and compared the words over the voice channel, binding the identity of the speaker with the words, which helped protect against the MiTM attack. The list can be used in many other situations where a biometric binding of identity is not needed, so calling it a biometric word list may be imprecise. Later, it was used in PGP to compare and verify PGP public key fingerprints over a voice channel. This is known in PGP applications as the "biometric" representation. When it was applied to PGP, the list of words was further refined, with contributions by Jon Callas. More recently, it has been used in Zfone and the ZRTP protocol, the successor to PGPfone.

The list is actually composed of two lists, each containing 256 phonetically distinct words, in which each word represents a different byte value between 0 and 255. Two lists are used because reading aloud long random sequences of human words usually risks three kinds of errors: 1) transposition of two consecutive words, 2) duplicate words, or 3) omitted words. To detect all three kinds of errors, the two lists are used alternately for the even-offset bytes and the odd-offset bytes in the byte sequence. Each byte value is actually represented by two different words, depending on whether that byte appears at an even or an odd offset from the beginning of the byte sequence. The two lists are readily distinguished by the number of syllables; the even list has words of two syllables, the odd list has three. The two lists have a maximum word length of 9 and 11 letters, respectively. Using a two-list scheme was suggested by Zhahai Stewart.

Word lists

Here are the two lists of words as presented in the PGPfone Owner's Manual. [3]

HexEven WordOdd Word
00aardvarkadroitness
01absurdadviser
02accrueaftermath
03acmeaggregate
04adriftalkali
05adultalmighty
06afflictamulet
07aheadamusement
08aimlessantenna
09Algolapplicant
0AallowApollo
0Balonearmistice
0Cammoarticle
0Dancientasteroid
0EappleAtlantic
0Fartistatmosphere
10assumeautopsy
11AthensBabylon
12atlasbackwater
13Aztecbarbecue
14baboonbelowground
15backfieldbifocals
16backwardbodyguard
17banjobookseller
18beamingborderline
19bedlampbottomless
1AbeehiveBradbury
1Bbeeswaxbravado
1CbefriendBrazilian
1DBelfastbreakaway
1EberserkBurlington
1Fbilliardbusinessman
20bisonbutterfat
21blackjackCamelot
22blockadecandidate
23blowtorchcannonball
24bluebirdCapricorn
25bombastcaravan
26bookshelfcaretaker
27brackishcelebrate
28breadlinecellulose
29breakupcertify
2Abrickyardchambermaid
2BbriefcaseCherokee
2CBurbankChicago
2Dbuttonclergyman
2Ebuzzardcoherence
2Fcementcombustion
30chairliftcommando
31chattercompany
32checkupcomponent
33chiselconcurrent
34chokingconfidence
35chopperconformist
36Christmascongregate
37clamshellconsensus
38classicconsulting
39classroomcorporate
3Acleanupcorrosion
3Bclockworkcouncilman
3Ccobracrossover
3Dcommencecrucifix
3Econcertcumbersome
3Fcowbellcustomer
HexEven WordOdd Word
40crackdownDakota
41crankydecadence
42crowfootDecember
43crucialdecimal
44crumpleddesigning
45crusadedetector
46cubicdetergent
47dashboarddetermine
48deadboltdictator
49deckhanddinosaur
4Adogsleddirection
4Bdragnetdisable
4Cdrainagedisbelief
4Ddreadfuldisruptive
4Edrifterdistortion
4Fdropperdocument
50drumbeatembezzle
51drunkenenchanting
52Dupontenrollment
53dwellingenterprise
54eatingequation
55edictequipment
56eggheadescapade
57eightballEskimo
58endorseeveryday
59endowexamine
5Aenlistexistence
5Beraseexodus
5Cescapefascinate
5Dexceedfilament
5Eeyeglassfinicky
5Feyetoothforever
60facialfortitude
61falloutfrequency
62flagpolegadgetry
63flatfootGalveston
64flytrapgetaway
65fractureglossary
66frameworkgossamer
67freedomgraduate
68frightengravity
69gazelleguitarist
6AGeigerhamburger
6BglitterHamilton
6Cglucosehandiwork
6Dgoggleshazardous
6Egoldfishheadwaters
6Fgremlinhemisphere
70guidancehesitate
71hamlethideaway
72highchairholiness
73hockeyhurricane
74indoorshydraulic
75indulgeimpartial
76inverseimpetus
77involveinception
78islandindigo
79jawboneinertia
7Akeyboardinfancy
7Bkickoffinferno
7Ckiwiinformant
7Dklaxoninsincere
7Elocaleinsurgent
7Flockupintegrate
HexEven WordOdd Word
80meritintention
81minnowinventive
82miserIstanbul
83MohawkJamaica
84muralJupiter
85musicleprosy
86necklaceletterhead
87Neptuneliberty
88newbornmaritime
89nightbirdmatchmaker
8AOaklandmaverick
8BobtuseMedusa
8Coffloadmegaton
8Dopticmicroscope
8Eorcamicrowave
8Fpaydaymidsummer
90peachymillionaire
91pheasantmiracle
92physiquemisnomer
93playhousemolasses
94Plutomolecule
95precludeMontana
96prefermonument
97preshrunkmosquito
98printernarrative
99prowlernebula
9Apupilnewsletter
9BpuppyNorwegian
9CpythonOctober
9DquadrantOhio
9Equiveronlooker
9Fquotaopulent
A0ragtimeOrlando
A1ratchetoutfielder
A2rebirthPacific
A3reformpandemic
A4regainPandora
A5reindeerpaperweight
A6rematchparagon
A7repayparagraph
A8retouchparamount
A9revengepassenger
AArewardpedigree
ABrhythmPegasus
ACribcagepenetrate
ADringboltperceptive
AErobustperformance
AFrockerpharmacy
B0ruffledphonetic
B1sailboatphotograph
B2sawdustpioneer
B3scallionpocketful
B4scenicpoliteness
B5scorecardpositive
B6Scotlandpotato
B7seabirdprocessor
B8selectprovincial
B9sentenceproximate
BAshadowpuberty
BBshamrockpublisher
BCshowgirlpyramid
BDskullcapquantity
BEskydiveracketeer
BFslingshotrebellion
HexEven WordOdd Word
C0slowdownrecipe
C1snaplinerecover
C2snapshotrepellent
C3snowcapreplica
C4snowslidereproduce
C5soloresistor
C6southwardresponsive
C7soybeanretraction
C8spanielretrieval
C9spearheadretrospect
CAspellbindrevenue
CBspheroidrevival
CCspigotrevolver
CDspindlesandalwood
CEspyglasssardonic
CFstagehandSaturday
D0stagnatesavagery
D1stairwayscavenger
D2standardsensation
D3staplersociable
D4steamshipsouvenir
D5sterlingspecialist
D6stockmanspeculate
D7stopwatchstethoscope
D8stormystupendous
D9sugarsupportive
DAsurmountsurrender
DBsuspensesuspicious
DCsweatbandsympathy
DDsweltertambourine
DEtacticstelephone
DFtalontherapist
E0tapewormtobacco
E1tempesttolerance
E2tigertomorrow
E3tissuetorpedo
E4tonictradition
E5topmosttravesty
E6trackertrombonist
E7transittruncated
E8traumatypewriter
E9treadmillultimate
EATrojanundaunted
EBtroubleunderfoot
ECtumorunicorn
EDtunnelunify
EEtycoonuniverse
EFuncutunravel
F0unearthupcoming
F1unwindvacancy
F2uprootvagabond
F3upsetvertigo
F4upshotVirginia
F5vaporvisitor
F6villagevocalist
F7virusvoyager
F8Vulcanwarranty
F9waffleWaterloo
FAwalletwhimsical
FBwatchwordWichita
FCwaysideWilmington
FDwillowWyoming
FEwoodlarkyesteryear
FFZuluYucatan

Examples

Each byte in a bytestring is encoded as a single word. A sequence of bytes is rendered in network byte order, from left to right. For example, the leftmost (i.e. byte 0) is considered "even" and is encoded using the PGP Even Word table. The next byte to the right (i.e. byte 1) is considered "odd" and is encoded using the PGP Odd Word table. This process repeats until all bytes are encoded. Thus, "E582" produces "topmost Istanbul", whereas "82E5" produces "miser travesty".

A PGP public key fingerprint that displayed in hexadecimal as

E58294F2E9A227486E8B
061B31CC528FD7FA3F19

would display in PGP Words (the "biometric" fingerprint) as

topmost IstanbulPluto vagabondtreadmill Pacificbrackish dictatorgoldfish Medusa
afflict bravadochatter revolverDupont midsummerstopwatch whimsicalcowbell bottomless

The order of bytes in a bytestring depends on endianness.

Other word lists for data

There are several other word lists for conveying data in a clear unambiguous way via a voice channel:

Related Research Articles

In communications and information processing, code is a system of rules to convert information—such as a letter, word, sound, image, or gesture—into another form, sometimes shortened or secret, for communication through a communication channel or storage in a storage medium. An early example is an invention of language, which enabled a person, through speech, to communicate what they thought, saw, heard, or felt to others. But speech limits the range of communication to the distance a voice can carry and limits the audience to those present when the speech is uttered. The invention of writing, which converted spoken language into visual symbols, extended the range of communication across space and time.

<span class="mw-page-title-main">Checksum</span> Data used to detect errors in other data

A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity.

<span class="mw-page-title-main">F</span> 6th letter of the Latin alphabet

F, or f, is the sixth letter of the Latin alphabet, used in the modern English alphabet, the alphabets of other western European languages and others worldwide. Its name in English is ef, and the plural is efs.

<span class="mw-page-title-main">Hash function</span> Mapping arbitrary data to fixed-size values

A hash function is any function that can be used to map data of arbitrary size to fixed-size values, though there are some hash functions that support variable length output. The values returned by a hash function are called hash values, hash codes, hash digests, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash table. Use of a hash function to index a hash table is called hashing or scatter storage addressing.

<span class="mw-page-title-main">Morse code</span> Transmission of language with brief pulses

Morse code is a telecommunications method which encodes text characters as standardized sequences of two different signal durations, called dots and dashes, or dits and dahs. Morse code is named after Samuel Morse, one of the early developers of the system adopted for electrical telegraphy.

<span class="mw-page-title-main">V</span> 22nd letter of the Latin alphabet

V, or v, is the twenty-second letter of the Latin alphabet, used in the modern English alphabet, the alphabets of other western European languages and others worldwide. Its name in English is vee, plural vees.

The International Radiotelephony Spelling Alphabet or simply Radiotelephony Spelling Alphabet, commonly known as the NATO phonetic alphabet, is the most widely used set of clear-code words for communicating the letters of the Roman alphabet. Technically a radiotelephonic spelling alphabet, it goes by various names, including NATO spelling alphabet, ICAO phonetic alphabet and ICAO spelling alphabet. The ITU phonetic alphabet and figure code is a rarely used variant that differs in the code words for digits.

A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control both access to, and the operation of, cryptographic programs and systems, especially those that derive an encryption key from a passphrase. The origin of the term is by analogy with password. The modern concept of passphrases is believed to have been invented by Sigmund N. Porter in 1982.

In computer programming, Base64 is a group of binary-to-text encoding schemes that transforms binary data into a sequence of printable characters, limited to a set of 64 unique characters. More specifically, the source binary data is taken 6 bits at a time, then this group of 6 bits is mapped to one of 64 unique characters.

Base32 is an encoding method based on the base-32 numeral system. It uses an alphabet of 32 digits, each of which represents a different combination of 5 bits (25). Since base32 is not very widely adopted, the question of notation—which characters to use to represent the 32 digits—is not as settled as in the case of more well-known numeral systems (such as hexadecimal), though RFCs and unofficial and de-facto standards exist. One way to represent Base32 numbers in human-readable form is using digits 0–9 followed by the twenty-two upper-case letters A–V. However, many other variations are used in different contexts. Historically, Baudot code could be considered a modified (stateful) base32 code.

<span class="mw-page-title-main">Diceware</span> Method for generating passphrases using dice

Diceware is a method for creating passphrases, passwords, and other cryptographic variables using ordinary dice as a hardware random number generator. For each word in the passphrase, five rolls of a six-sided die are required. The numbers from 1 to 6 that come up in the rolls are assembled as a five-digit number, e.g. 43146. That number is then used to look up a word in a cryptographic word list. In the original Diceware list 43146 corresponds to munch. By generating several words in sequence, a lengthy passphrase can thus be constructed randomly.

<span class="mw-page-title-main">Gaj's Latin alphabet</span> Form of Latin script used to write Serbo-Croatian

Gaj's Latin alphabet, also known as abeceda or gajica, is the form of the Latin script used for writing Serbo-Croatian and all of its standard varieties: Bosnian, Croatian, Montenegrin, and Serbian.

PGPfone was a secure voice telephony system developed by Philip Zimmermann in 1995. The PGPfone protocol had little in common with Zimmermann's popular PGP email encryption package, except for the use of the name. It used ephemeral Diffie-Hellman protocol to establish a session key, which was then used to encrypt the stream of voice packets. The two parties compared a short authentication string to detect a Man-in-the-middle attack, which is the most common method of wiretapping secure phones of this type. PGPfone could be used point-to-point over the public switched telephone network, or over the Internet as an early Voice over IP system.

The diehard tests are a battery of statistical tests for measuring the quality of a random number generator. They were developed by George Marsaglia over several years and first published in 1995 on a CD-ROM of random numbers. In 2006, the original diehard tests were extended into the dieharder tests.

A binary-to-text encoding is encoding of data in plain text. More precisely, it is an encoding of binary data in a sequence of printable characters. These encodings are necessary for transmission of data when the communication channel does not allow binary data or is not 8-bit clean. PGP documentation uses the term "ASCII armor" for binary-to-text encoding when referring to Base64.

A spelling alphabet is a set of words used to represent the letters of an alphabet in oral communication, especially over a two-way radio or telephone. The words chosen to represent the letters sound sufficiently different from each other to clearly differentiate them. This avoids any confusion that could easily otherwise result from the names of letters that sound similar, except for some small difference easily missed or easily degraded by the imperfect sound quality of the apparatus. For example, in the Latin alphabet, the letters B, P, and D sound similar and could easily be confused, but the words "bravo", "papa" and "delta" sound completely different, making confusion unlikely.

In public-key cryptography, a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, "thumbprint" is used instead of "fingerprint."

The ISO basic Latin alphabet is an international standard for a Latin-script alphabet that consists of two sets of 26 letters, codified in various national and international standards and used widely in international communication. They are the same letters that comprise the current English alphabet. Since medieval times, they are also the same letters of the modern Latin alphabet. The order is also important for sorting words into alphabetical order.

<span class="mw-page-title-main">B</span> 2nd letter of the Latin alphabet

B, or b, is the second letter of the Latin alphabet, used in the modern English alphabet, the alphabets of other western European languages and others worldwide. Its name in English is bee, plural bees.

References

This article incorporates material that is copyrighted by PGP Corporation and has been licensed under the GNU Free Documentation License. (per Jon Callas, CTO, CSO PGP Corporation, 4-Jan-2007)
  1. Juola, Patrick; Zimmermann, Philip (1996). "Whole-word phonetic distances and the PGPfone alphabet" (PDF). Proceeding of Fourth International Conference on Spoken Language Processing. ICSLP '96. Vol. 1. pp. 98–101. doi:10.1109/ICSLP.1996.607046. ISBN   0-7803-3555-4. S2CID   10385500.
  2. Juola, Patrick (1996). "Isolated Word Confusion Metrics and the PGPfone Alphabet". Proceedings of New Methods in Language Processing 2. Ankara, Turkey: Oxford University, Dept. of Experimental Psychology. arXiv: cmp-lg/9608021 . Bibcode:1996cmp.lg....8021J.
  3. "Archived copy". web.mit.edu. Archived from the original on 26 March 2010. Retrieved 12 January 2022.{{cite web}}: CS1 maint: archived copy as title (link)
  4. "EFF's New Wordlists for Random Passphrases". 19 July 2016.
  5. mnemonic encoding Archived 2008-03-02 at the Wayback Machine and updated code