Some of the programs listed here are strong encryption products, and the export of them from the US is restricted by the EAR regulations. In order to avoid violating these restrictions, they have been encrypted with PGP conventional encryption, and bear the extension .bin. In order to get these files in any useable form, you will need to contact me by e-mail, giving a statement of citizenship and residence, and also your PGP public key (RSA only, I am using PGP 2.6.3a) and I will reply with instructions as to how to decrypt the files.
The new EAR regs are somewhat difficult to understand, but AFAIK they have been almost completely relaxed for *source code*. My normal distribution files contain source, listing, executable, symbol, and documentation files. Over a period of time I will be converting the above encrypted files to .ZIP files containing only the source and documentation, and unencrypted. Apparently I must notify firstname.lastname@example.org of each file that I put up this way, but if it is only web download I need not do any reporting of exports.
I have been informed that downloading from the garbo site at University of Vaasa in Finland is very difficult now, so I have added alternative sites where I know of them.
The original PGE program was written by someone styling himself Roche'Crypt; no one seems to know who he is (including the person from whom I got the program). It would hide a message file in another file by the very simple method of appending the message to the file, and then appending a 4 byte little endian number which points to the start of the message. A companion program UNPGE would retrieve the message. The original PGE contained encryption and thus was subject to EAR. I have encoded a version which I call PGE 2.0, and does not contain encryption. In addition to the two operating files, I have added a file called PGECLEAR which removes the message from the envelope and readies it for reuse. Of course this system does not do a good job of hiding text; the text should first be encrypted into binary form by something like PGP or IDEA. To download PGE 2.0, click here.
When used with Henry Hastur's STEALTH program, the result is a very secure encryption and concealment. STEALTH removes the packet ID bytes from a binary PGP message, which removes one more way of determining that PGP is in use. (STEALTH can be downloaded from the University of Milan Archive ).
PGE 2.0 can be used with graphic files or any other binary files, including
.WAV, .COM, and .EXE files.
Return to INDEX
This version 5.0 is a complete rewrite of the former version which had separate HIDE and SEEK files. This is a single program with a GUI ala Dave Harris, which puts data into the lower bits of a .GIF file. This program suffers from the same defect as its predecessor, in that it does not properly handle the interleave of the palette tables in .GIF, and therefore it is suggested that it be used only on B&W .GIF images. The distribution includes IDEA in both .EXE and .C source, so IMHO it is subject to EAR, and you will have to follow the instructions at the beginning of this document to get it. To download the encrypted file click here. FLASH! This is now available from the Steganography Home Page. Eric does not supply the program directly, but rather links to a .uk site. Also a new program FFENCODE which does not conflict with EAR is available here.
The author of HIDESEEK, Colin Maroney, has notified me that he has created
a version especially for WinDoze 95. I do not run that OS, so I cannot give any
information about it except for what is in the .DOC file. In that file he says
that he uses BLOWFISH to scramble the insertion points, but does not encrypt
the message file. Also, the program now uses .BMP files instead of .GIFs.
Download the file from CypherNet by
Be advised that that D/L contains long file names, and will not UNZIP in a
Return to INDEX
TinyIdea is a very small program (503 bytes in one version) written by Fauzan Mirza, a student at the Royal Holloway college in England, along with Mark Andreas and others. It is an 8086 assembler implementation of Lai and Massey's International Data Encryption Algorithm (IDEA) along with a Tandem Davies-Meyer hashing routine and CFB block chaining. Since it is not being exported from the US, you can get Tiny Idea by clicking here. or here or here.
TinyIdea makes use of the simplifications available when using the CFB mode in order to achieve its small size. In this mode, according to Applied Cryptography, 2nd Edition (referred to hereafter as AC2) use of the CFB mode means that the IDEA algorithm is applied not to the data, but to an XOR of the expanded IDEA key and the previous encrypted data block. This produces a unique encryption string, dependent on the IDEA pass phrase as entered, and the message text itself. This is then XORed with a data block to produce the cipher text. The effect is the same as a simple XOR with a pseudo-OTP key the length of the data file. Decryption uses the same method, merely reversing the source order. This explains why the program does not need to calculate the multiplicative inverses like the original IDEA does. (This is also mentioned in AC2). It seems that the CFB mode allows the use of the encryption algorithm in one direction only; even a hashing algorithm could be used for encryption with the CFB mode, although I have been told that such a system would be much slower than TinyIdea.
A newer version of TinyIdea, even shorter than the original, was written
by Mark Andreas, also known as email@example.com. That site seems to be no
longer on line. Mark had sent me his distribution file, and I have taken the
step of posting it on this site as ti.zip in
order to prevent its being lost forever. This version has many options in
its source code and a lot of explanation.
Return to INDEX
The pseudo-OTP seems pretty robust, but I recommend
that it be used with caution. In particular, the first block encryption is weak
since the IV for it is 0s. So if you are encrypting a number of files which
have a common data structure in the first 8 bytes (such as PKZIP or JPEG files)
you should work a 'pseudo IV' in the system. It also encrypts in place, which
is dangerous unless you have a recovery system.
Return to INDEX
BLOWFISH is probably the best known 64-bit cipher. It was written by Bruce Schneier of Counterpane Inc. I have written my own version of this cipher, which I have called DOSFISH. As of this writing it consists of 425 bytes for the executable program, but requires an auxiliary file containing the hexa- decimal digits ofPI for initialization purposes, just like BLOWFISH. This has been added to my web site (soucce and documents only to remove it from EAR restrictions). Click here to download.
I have recently been informed that Dutra de Lacerda
has a version of BLOWFISH written in Pascal, using CBC block chaining,
and that he has recently done the same thing that I did, putting the
BLOWFISH encryption algorithm in the TinyIdea framework.
So you overseas readers can get these programs by clicking
here for is CBC version or
for the CFB version. Also available on several mirror sites in central
Europe. You can visit Dulac's web site for more crypto information
Return to INDEX
In order to eliminate the requirement for a 4168 byte file containing the bytes
of PI, I have written GOLDFISH. This, while using the same encryption routines
of BLOWFISH, uses the RC5 (and RC6) key initialization scheme, starting with the
hexadecimal digits of e (natural log base) -2, and adding the Fibonacci number
(sometimes called the golden ratio, hence the name) for each P and S box. This
yields an even more compact version of the program, while sacrificing any
interchangeability with BLOWFISH. You can download
GOLDFISH by clicking on the link, source only to comply with EAR.
Return to INDEX
The winner of the AES competition is RIJNDAEL, an effort by Joan Daemen and Vincent Rijmen of Belgium. (I am informed by Vincent Rijmen that there is no English equivalent to the pronunciation of this, but the best approximation is "ray'n dahl"). This is one encryption scheme that is NOT a Feistel network. Instead it uses matrix algebra in GF(2^8). The authors of RIJNDAEL have made it clear that it is in the public domain; they say it is not and never will be subject to patent or copyright.
AES is set up for 128, 192, and 256-bit keys, with fixed 128-bit block size. In my DOS-based CFB block chaining version, the 256-byte S-box is calculated from code based formulas found in Dr. Brian Gladman's C version of the program, taking up only 48 bytes, which keeps the code size at 460 bytes. This program takes into account the loss in available entropy when input is from the keyboard. A 16-byte passphrase might only have 75 bits of entropy instead of the 128 possible bits. The program allows a passphrase to be entered of length twice the block size, and runs a Davies-Meyer hash algorithm on that passphrase to arrive at the actual cipher key. The latest change adds an optional key-check for decryption which prevents overwriting the source file if the key does not match. With the new changes to EAR, I have posted the source code and executable as well as the listing for the version as described above as tinyaes.zip. There is also included in this package a non-hashed version with fixed key and a fixed input file to allow those who are paranoid about such things to check the algorithm and key scheduling against the official NIST vectors.
I have just been informed that this program is now available from the University of Vaasa archive in Finland and the STUBA archive of the Slovak Technical University in Slovakia.
My version of the original RIJNDAEL cipher, with its multiple block size and key size combinations, remains as tinyrijn.zip.
While most of my encryption efforts have been enclosed in a CFB block
chaining shell, a correspondent had requested that I look at OFB block
chaining. The most important thing here is that the IV be unique for each
encryption. My effort here, rijn-ofb.zip uses
as the IV a combination of time, date, file size, and filename. It is slightly
shorter than CFB, and more flexible in the command line syntax. But the
consensus is that it is not as secure and may also suffer where downloading
changes the file date.
Return to INDEX
SAFER+ is the AES submission of CYLINK corporation in California, although the algorithm was invented by Massey (Switzerland) and Kachatarian and Kuregian (Armenia). While SAFER+ did not survive the first round cut, it is a very interesting program. It uses a fixed block size of 128 bits, with key lengths of 128, 192, or 256 bits. It uses ADD, XOR, and EXP and LOG substitutions. There is also a matrix multiplication by Hadamard transform in each round.
CYLINK has also said that they have released this cipher into the public
domain. This is now available in Tiny CFB form as
here . Recent experimentation with TINYSAFR has
shown the feasibility of adding the Davies-Meyer key hash to a further size-
optimized version, and it is this version that is presently included in the
Return to INDEX
All the above ciphers are block ciphers. As an example of a stream cipher I have programed here TINYARC4, based on the description in Applied Cryptography 2nd Edition. This operates like RSA's RC4(c). The name is copyright, which is the reason for my change, but the cipher itself is considered a 'trade secret' and the secrecy has been broken long ago (I found a version coded in 1995 on the web).
A stream cipher operates by producing a pseudo-random but repeatable stream which is XORed byte-by-byte with the plain text to produce the cipher text. Decryption depends on being able to produce the identical stream to XOR the cipher text to reconstitute the plaintext.
I have only posted the source code and a documentation file. It can be
downloaded here .
Return to INDEX
I have done some work on key
exchange for programs such as IDEA or BLOWFISH. While I realize that the work
that I have done is not completely secure, it is probably good enough to keep
your kids (or spouse) from recovering the key. My latest effort has implemented
the Shamir-Omura commutative encryption algorithm for 32-bit operations. This
algorithm uses 32-bit exponentiation, requiring the breaker to find the finite
field logarithm of the message. This is considered a 'hard' problem just like
factoring a large integer. In its present form the program is 32-bit, which
allows the exchange of a 4-byte key with certain limitations. For more
information click here.
Return to INDEX
Hashing is a procedure which often causes confusion to novice crypto enthusiasts. The ideal hash function returns a different 'digest' (a large hexadecimal number) for each plaintext file it hashes. SHA1 used to be the standard hash function, having been developed to a specification developed by NIST and reviewed by NSA. It produces a 160 bit hash of the source file, so the chance of two files having the same hash is about 1 in 10^53.
Hashing is not the same as encryption, in that there is no good way to reverse or 'decrypt' the hash. It is a completely one way function. Therefore this algorithm is not subject to EAR rules.
A second version, SHA1PASS, is optimized for hashing passwords to the 160-bit SHA1 output. The input is to STDIN, so it can be either typed in from the keyboard or redirected in from a file (but a caveat here; the password file MUST be terminated with a CR (0Dh) in order to properly end the input function (INT21h Function 0Ah). It can be downloaded by clicking here.
With the advent of 256-bit encryption products, hash functions of more
strength than the 160-bit SHA1 are required. NIST has recently released the
specs for SHA256, SHA384, and SHA512; the numeric portion of the name indicates
the number of bits in the hash. SHA256 is simple to code using 32-bit register
operations. The other two use 64-bit operations, with the 384-bit version
being the same as the 512, just discarding the extra bits and with a different
initialization. The 384-bit and 512-bit programs are now available. All have
been put into a single .ZIP file, available here.
Return to INDEX
This is a set of programs that encrypt a portion of your hard or floppy disk with the IDEA encryption algorithm. Its advantage over other such programs is that it does not require partitioning the disk; instead it creates a 'pseudo- partition' by creating a file which is hidden, system, and read-only. In order to see it at all, you must use something like Norton FA. When the proper file is present on the disk, and if the CONFIG.SYS and AUTOEXEC.BAT files include the changes specified in the documentation, the first call to the drive assigned to that disk 'partition' will bring up a box requesting a pass phrase. Once the pass phrase is entered correctly that 'drive' looks like any other. I have just discovered that SecureDevice works properly even with disk format systems that rewrite the boot sector, such as FDFORMAT and 2M30. (SFS and I think Secure Drive do their own rewrite of the boot sector, and therefore are incompatible with the above formatters. To download SECURE DEVICE click here. Note: This file is stored in .ARJ compressed format. If you do not have a means of decompressing .ARJ files, download the necessary utility by clicking here. Taking control of the drive letter to which this 'partition' is assigned is accomplished with the file JDRIVE.SYS placed in the CONFIG.SYS file, along with the drive letter desired. To download JDRIVE.SYS click here.
A caveat about the use of JDRIVE.SYS with DRVSPACE is in order. DRVSPACE
normally uses drive O:, but it also appears to reserve another 8 drives. So
if you want to use, say J: and S:, you are out of luck. You must load JDRIVE
with the J: argument, then DRVSPACE, and then must use the X: argument for
the next invocation of JDRIVE. Error messages encountered if you handle this
wrong are 'Too many block devices' and the like.
Return to INDEX
RealDeal is a secure file deleter, written by Iolo Davidson, a frequent contributer to alt.security.pgp. You can either load it as a TSR to work whenever a program is deleted (includes WinDoze swap files), or (more safely, I suspect) run it from a command line. One minor annoyance is that it does not handle wild cards. See my file ERA.BAT below for a wild card adaption of this program. To download REALDEAL.ZIP click here.
Iolo has just released a new and much faster program called SCORCH. It only works as a standalone program, not as a TSR. It DOES handle the wild cards however. To download SCORCH.ZIP click here.
Another secure file deletion system is the WIPEUTIL.ZIP collection from Mark Andreas. This contains programs to wipe the files, wipe the unused disk space, and wipe the 'tips' (i.e., the areas between end-of-file and end-of- cluster) which might contain older data from a prior usage of the last cluster of the file. Mark's home page seems to be unavailable now, so I have reposted it here.
Another file wiping program, possibly easier to use than the WIPEUTIL
collection, is WIPEM, by Emil Laurentiu of Romania. This is a single program
which can make multiple passes through your disk, wiping empty space, directory
entries, and 'tips'. Get it here.
Return to INDEX
Adi Shamir proposed a way of splitting up a 'secret' such as a file, or
what have you, into n parts of which any k (k < n) would be sufficient to
reconstruct the original file. In 1993 Hal Finney reduced this to a program
which is in the public domain. The reference is to a non-US site, since
this program may be subject to EAR regulations. To download SECSPLIT
Return to INDEX
FDFORMAT is a program written by Christoph H. Hochsetter in Germany. (Note that the e-mail address given in the docs is no longer valid). FDFORMAT will format a 3 1/2" disk to as much as 1.72MB. It requires a small TSR program to be installed (usually during the boot process) so it rewrites the boot sector to boot from the hard disk even if the floppy is present. I have used it for several years, with only occasional problems. If the computer tells me that the disk is invalid, I try again, and I can't remember a case where the second try has not worked. To get FDFORMAT Click here.
2M30 is a program written by Ciriaco Garcia de Celis, a student in Spain.
It will take a 3 1/2" HD disk to 1.88KB (actually yields 1.91KB) It also needs
a TSR loaded, and boots from the hard disk, but has options to boot from the
floppy. The TSR will also handle FDFORMAT disks, so only the 2M TSR is needed.
There are a lot of utility programs and documentation both in English and
Spanish. It will also, according to the docs, handle 3 1/2" 4D disks, and
even has another formatting method (2MGUI) for larger formats. (I cannot use
GUI because it does some drive letter assignments during boot which conflict
with my drive letter assignments). To get 2M30 high capacity disk formatter
Click here. In the two years that I have been using 2M30 I have never had a
failure to read or write to the disk, so I rate this program as very reliable.
Return to INDEX
Have you ever run out of memory in your editor? I normally use Thomas Thurston's EDIT 1.11 but that program, like DOS EDIT, is limited to about 50K of file size. I like the single character command editors, like the one that I wrote for the Z80, instead of the Word Perfect style, and EDIT 1.11 fits this criterion. I have spent a fair amount of time looking for editors which will handle larger files, and have come up with the following 2 files: (I welcome additional information on large editors).
The program available from SimTel known as SLED allows the file(s) to use all of the unused memory in the lower 640K. It will also handle multiple files at a time. Be warned, however, that it makes a lot of use of the F-keys. If you have reassigned the functions of your F-keys, as I do in my boot, you will have to un-reassign them (e-mail me for how to do this) before you can run SLED. EDIT 1.11 also uses the F-keys, but in a different manner, so that the prior reassignments are not a problem.
Another editor, TECH-ED uses a virtual
memory system and the docs say that it can handle any size files! I have
used it for files too large for SLED, and it seems to work well.
Return to INDEX
I have come to make use of many small utility files which have come from various sources. Since they are short, and the disk at Freenet has a rather large cluster size, I have ZIPped them all into one file. Here is what they do for me.
This short TSR program makes the CapsLock key work more like the one on a typewriter. Pressing CapsLock will turn the output into all caps, but holding down Shift when typing a letter will turn CapsLock off for subsequent letters. This is a TSR to be put into the AUTOEXEC.BAT file.
I started in computers using a Teletype 33 as a terminal. The CTRL key was next to the A. Keyboards were made this way until the advent of the 102 key keyboard used with the AT. At that time CapsLock replaced CTRL and CTRL moved to the bottom of the keyboard. SWAPKEY is a TSR which exchanges these two keys.
I do not use the keypad for numeric entry, and use the keypad instead for the arrow keys. (A legacy from the XT keyboard). My computer boots with the NUMLOCK energized. NUMLKOFF is a program to undo this.
Starting with the AT keyboard, the number of F-keys increased from 10 to 12. However, my systems do not do anything with the extra F-keys. ENHANCED is a TSR which energizes these two keys.
Especially when working with the F-keys and other special purpose keys it is necessary to refer to them by their scancode. SCANCODE is a .COM program which displays the scancode for each key pressed.
This is a program originally published in PC Magazine which redirects the printer output to a file named in the command line. Running PRN2FILE with nothing in the command line sets the output back to PRN.
Another PC Magazine program which allows the marking of an area of the monitor in reverse video and then saving it to a file. Other options are also available.
ANSI escape sequences can be used to redefine the F-keys. The key parameter used in the escape sequence is the scancode (See above). The file FKEYDEF is used to effect this. Note that either ANSI.SYS be included in CONFIG.SYS or that ANSI.COM, a TSR, be called from AUTOEXEC.BAT before the FKEYDEF file is used. The command for this file is TYPE FKEYDEF. No output appears on the screen except a line feed for each key redefined. The file as given sets out some of my redefinitions; you will want to set up your own. Each line starts with an escape followed by [, and ends with p. The scan code of the key to be redefined, preceded by a 0, is next, then the new definition. The 13 represents a carriage return. Semicolons separate the scancode and various parts of the new definition.
Back in 1977 I wrote an editor program from scratch to run on the Z80 CPU machines. At that time I was using a North Star Horizon, the first computer to use two 5 1/4" disks. The program needed to fit into 800H bytes, since I only had 24k of memory. Twenty years later, not being satisfied with the current crop of editors (the only one that I am aware of that will accept input from a script file is EDLIN) I have updated this program to 80x86 assembler language. Some of it is somewhat awkward, since I did not try very hard to update the logic, just some general changes like using BX in place of the HL registers, and working around all the Ccondition and Rcondition instructions. It is working pretty well, and it is now up on my site, along with my Z80 textformatter (ala Dartmouth Runoff) and a letter writing program. If you are interested, click here.
This PC Magazine program when loaded as a TSR blanks the screen when Alt-NumLock is pressed. The program then expects a password followed by a carriage return. Retyping the same password (and carriage return) restores the screen as it was before the freeze.
This is a short program to set variables in the environment space. The documentation is pretty complete, and it allows you to set variables like PGPPASS or PGPPATH from a .BAT file or on boot.
SEND.COM was taken from the University of Vaasa archive works like the ECHO command, but omits the CR LF at the end. Useful in writing several items on the same line of a file.
At one time I needed a file to insure that certain data was in upper case. To use the file you can either type or include in a .BAT file:
send filename.ext | upcaseassuming UPCASE.COM has been put in your DOS path directories.
To download UTILITY.ZIP, click here.
I have written several simple .BAT programs to make using PGP easier. Here are some that I especially like:
PGPSHELL.BAT encrypts a file with PGP and mails it with NWERTHY c: cd\ & Make sure we are in root dir % @echo off if [%1] ==  goto noparam % Must at least have file name edit e:%1 % Create or edit named file if [%PGPPASS%] ==  call setpgp % Set env variable with phrase pgp -seat e:%1 %2 % Sign, encrypt, ASCII and text :mail cd\nwerthy nwerthy % NWERTHY has a link to EDIT goto end :noparam echo "USAGE: PGPSHELL
[RECIPIENT]" :end cd\ x % End with screen saver % SETPGP.BAT prompts for the PGPPASS phrase and sets into the environment @setenv pgppass %%prompt %%noecho Enter PGPPASS phrase: VIEW.BAT decrypts a PGP message to the screen only, can be saved if desired @echo off if [%1] ==  goto noparam if [%pgppass%] ==  call setpgp pgp %1.asc -m goto end :noparam echo "USAGE: view [filename] (No ext, .ASC assumed)" :end ERA.BAT This program uses Iolo Davidson's RealDeal in a way to allow the use of wild cards which RealDeal does not support. RealDeal is a secure file wiping program. ERA.BAT also allows multiple files on the command line. @echo off :start if not exist %1 goto nofind for %%a in (%1) do call erasub %%a shift if not [%1] ==  goto start echo SUCCESSFUL END OF DELETE SEQUENCE goto end :NOFIND echo %1 NOT FOUND :END ERASUB.BAT is the subroutine called above. Note that the second line of this subroutine could be substituted for the 'call erasub', (with %%a in place of %1), but there would be no way to print the message that the file was deleted. echo off realdeal [%1] /garb /silent % Use REALDEAL in command mode, no % echo %1 WIPED AND DELETED % logo, secure wipe with garbage % WIPE.BAT uses the faster SCORCH program by Iolo Davidson @echo off :start if not exist %1 goto nofind % Test that program exists % scorch [%1] /three /silent % Three wipes with no logo % if exist %1 goto nowipe % If program still exists, trouble! % shift if not [%1] ==  goto start % Allow multiple arguments % echo SUCCESSFUL END OF SCORCH SEQUENCE goto end :nowipe echo %1 COULD NOT BE WIPED. CHECK FOR ATTRIBUTES goto end :nofind echo %1 NOT FOUND, SCORCH SEQUENCE DISCONTINUED :END
Did you ever wish that you could make a .BAT file respond to a Y or N command given during the running of the file and take a corresponding branch or execute or ignore a specific command? Prof Timo Salmi of the University of Vaasa in Finland has an archive of .BAT hints that are excellent for creating such a file. The URL is ftp://garbo.uwasa.fi/pc/tsbatxx.zip where xx represents a version number; take the highest. As for responding to a command the batch processor will not do so directly, but the trick is to use the command to set an environment variable which can then be tested. Here is a little sample:
if not exist n:\afn.rep goto end echo DO YOU WANT TO DELETE REPLY PACKET? fc con nul /lb1 /n | time | find " 1: " | upcase > setinput.bat echo set input_=%%4 > enter.bat call setinput if %input_% == Y del n:\afn.rep del setinput.bat del enter.bat set input_= :end
The third line makes a comparison between your typed input and the NUL file
(the first parameter is LB1 in lower case), runs it through the TIME program,
and puts the following line in SETINPUT.BAT, a temporary file created for this
purpose: 'Enter correct time 1: Y'. When SETINPUT.BAT is called, it thinks
it is to run a file called ENTER.BAT, which must be created first. ENTER.BAT
sets an environmental variable input_ to the fourth parameter of the call to
ENTER.BAT, which is Y (assuming that the response was either Y or y). The
contents of this variable are tested (to use an environmental variable it must
be enclosed in % characters) and the deletion of n:\afn.rep is carried out
if the proper response was input. The next three lines are simply house
cleaning. I encourage the browsing of the GARBO archive
at the University of Vaasa; I considered myself a good .BAT programmer until I
saw what Prof Salmi had accomplished!
Return to INDEX
To return to my home page click here.
-----BEGIN PGP SIGNATURE----- Version: PGP 2.6.3ia-multi05 Charset: cp850 Comment: GET AES cipher program from www.afn.org/~afn21533/tinyaes.zip iQB1AwUBQqxJrYeSoGA2Tbg9AQG4ewL+MbviQZTsmhWxpy0oDfcXeDof88vngsFP maEi9guny8vsSbOno3bbjlwrIK7x7ROuSDD+YwLihsZBmpy6S7yaislsUaTT50yD 2i1rwaA8CXjLMswB2DvJqXjRsrk7xm8G =BeX/ -----END PGP SIGNATURE-----