ROT500K2 Family / PhonoShift

PhonoShift (ROT500K2) is a keyed, format-preserving obfuscation scheme that applies polyalphabetic, class-preserving rotations driven by a PBKDF2-derived keystream. The default configuration uses 500,000 PBKDF2 iterations, from which the “500K” name originates.

V2: outputs now includes a per-message nonce (safe reuse of the same password across messages), verified modes derive their MAC key via PBKDF2 (no fast HMAC-only password oracle), and the framing/header is now stealth (no fixed nonce signature).

Mode

ROT500K2 keeps length (aside from stealth header). ROT500K2V adds verification so decrypt can return true/false.

Token check chars (ROT500K2T / ROT500K2V)

Higher = lower chance of “false OK” with wrong password.

Shift punctuation (optional) Swap punctuation glyphs within role-sets (reversible). Does not move punctuation positions. (Only ¿¡ and !?)

Input (plaintext or obfuscated)

Password

PBKDF2 iterations

Salt

Output

QR Code for current Output

The QR embeds a URL like: phonoshiftqr.html#m=... and d=.... When opened, the page asks for the password, fills the form, and auto-decodes. This only works with the default PhonoShift settings. If you change the default settings, phonoshiftqr.html fails to decode.

No QR generated yet.

Share URL

QR will be generated only if the final URL fits the QR capacity supported by the library.

Tip: Encode writes to Output. Decode reads from Input. In verified modes, Decode can detect wrong parameters.

About the ROT500K2 Family

ROT500K2 is a keyed, format-preserving rotation-based obfuscation scheme. It preserves separators (space, -, ') and character classes (digits remain digits, letters remain letters), and is fully reversible with the same password + salt + PBKDF2 iterations.

While the payload transformation itself preserves length, all ROT500K2 variants now prepend a stealth frame. This frame slightly increases total output length, but is designed to look like natural, human-written text rather than a fixed cryptographic header.

ROT500K2V is the “verified” variant. In addition to the stealth frame, it embeds a keyed verification signal so decryption can return a definitive true / false result when parameters are incorrect. It automatically selects the most appropriate verification style:

ROT500K2T (token verification): appends a small number of characters per token, offering strong verification while remaining subtle.
ROT500K2P (prefix verification): adds a short, word-like prefix derived from the plaintext, best suited for very short inputs.

Stealth framing: outputs begin with a variable, pronounceable text segment that encodes mode + nonce + padding internally. There are no fixed markers, delimiters, or repeated signatures (no ROT500K2:, no colons, no constant layout). Each encoding produces a different-looking header, even for identical inputs.

ROT500K2 Family (aka PhonoShift) — Offline Demo

About the ROT500K2 Family