        …
        $aead->nonce ($counter);           # nonce: must never repeat under the same key
        $aead->associated_data ($header);  # header is authenticated but not encrypted
        $ciphertext = $aead->encrypt ($cleartext);
        # $cleartext = $aead->decrypt ($ciphertext);
        $mac = $aead->mac;                 # authentication tag for this message

WARNING
    The best known result against Spritz (as of early 2017) is a
    distinguishing attack on 2**44 outputs with multiple keys/IVs, and on
    2**60 outputs with a single key (see doi:10.1007/978-3-662-52993-5_4
    for details). These are realistic attacks (2**44 output bytes is
    16 TiB), so Spritz must be considered broken, although it may still be
    useful for applications that encrypt only small amounts of data.

DESCRIPTION
    This module implements the Spritz spongelike function (with N=256), the
    spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt.
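
    The primitive behind this module, as an added Python example (not code
    from Crypt::Spritz or from the Spritz paper): the N=256 sponge with its
    absorb, shuffle and squeeze phases as Rivest and Schuldt specify them,
    the hash built on it, and a nonce/header/encrypt/mac flow like the one
    in the SYNOPSIS. The AEAD part is modeled on the paper's construction
    but treats the message as a single block; it is an assumption for
    illustration and is not claimed to be byte-compatible with what the
    module's encrypt and mac return. The names keystream, spritz_hash,
    aead_encrypt and aead_decrypt, and the key, nonce and header values,
    are made up for the example.

```python
import hmac

N = 256  # Spritz is defined for general N; Crypt::Spritz and this example use N=256

class Spritz:
    """Spritz sponge state (Rivest/Schuldt): permutation S plus registers i, j, k, z, a, w."""
    def __init__(self):
        self.S = list(range(N))
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1

    # absorb phase: each nibble swaps one entry of the lower half of S with one of the upper half
    def absorb(self, data):
        for b in data:
            self.absorb_nibble(b & 0x0F)  # low nibble first, as the spec orders it
            self.absorb_nibble(b >> 4)

    def absorb_nibble(self, x):
        if self.a == N // 2:  # absorb capacity (N/2 nibbles) exhausted: mix first
            self.shuffle()
        S, a = self.S, self.a
        S[a], S[N // 2 + x] = S[N // 2 + x], S[a]
        self.a += 1

    def absorb_stop(self):  # consume one absorb slot without data: domain separator
        if self.a == N // 2:
            self.shuffle()
        self.a += 1

    def shuffle(self):  # the deliberately one-way mixing: whip, crush, whip, crush, whip
        for _ in range(2):
            self.whip(2 * N)
            self.crush()
        self.whip(2 * N)
        self.a = 0

    def whip(self, r):
        for _ in range(r):
            self.update()
        self.w = (self.w + 2) % N  # next w with gcd(w, N) == 1; for N=256 that means odd w

    def crush(self):  # sort each pair (S[v], S[N-1-v]) in place; information-losing
        S = self.S
        for v in range(N // 2):
            if S[v] > S[N - 1 - v]:
                S[v], S[N - 1 - v] = S[N - 1 - v], S[v]

    def update(self):
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]

    def squeeze(self, r):  # output phase: one update and one output byte per squeezed byte
        if self.a > 0:  # anything absorbed since the last squeeze is shuffled in first
            self.shuffle()
        S, out = self.S, bytearray()
        for _ in range(r):
            self.update()
            self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
            out.append(self.z)
        return bytes(out)

def keystream(key, n):  # basic Spritz output; paper vector: "ABC" -> 77 9a 8e 01 f9 e9 cb c0
    s = Spritz()
    s.absorb(key)
    return s.squeeze(n)

def spritz_hash(message, r=32):  # absorb message, stop, absorb r as one byte (r < 256), squeeze r
    s = Spritz()
    s.absorb(message)
    s.absorb_stop()
    s.absorb(bytes([r]))
    return s.squeeze(r)

def _aead_state(key, nonce, header):
    s = Spritz()
    for part in (key, nonce, header):  # each input absorbed, then terminated by a stop
        s.absorb(part)
        s.absorb_stop()
    return s

def aead_encrypt(key, nonce, header, plaintext, tag_len=16):
    """Single-block AEAD modeled on the paper's construction; an assumption, not the module's wire format."""
    s = _aead_state(key, nonce, header)
    ciphertext = bytes(m ^ k for m, k in zip(plaintext, s.squeeze(len(plaintext))))
    s.absorb_stop()
    s.absorb(ciphertext)  # the tag then depends on key, nonce, header and ciphertext
    return ciphertext, s.squeeze(tag_len)

def aead_decrypt(key, nonce, header, ciphertext, tag):
    """Return the plaintext, or None when the tag fails to verify (constant-time comparison)."""
    s = _aead_state(key, nonce, header)
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, s.squeeze(len(ciphertext))))
    s.absorb_stop()
    s.absorb(ciphertext)
    return plaintext if hmac.compare_digest(s.squeeze(len(tag)), tag) else None
```

    The absorb_stop calls are what keep key, nonce and header
    domain-separated inside one sponge state: absorbing "ab" then "c" must
    not reach the same state as absorbing "a" then "bc". The keystream and
    hash functions can be checked against the test vectors in the Spritz
    paper; the keystream for key "ABC" starts 77 9a 8e 01 f9 e9 cb c0 and
    the 32-byte hash of "ABC" starts 02 8f a2 b4 8b 93 4a 18.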