--- Crypt-Spritz/README 2015/06/30 00:46:35 1.4 +++ Crypt-Spritz/README 2017/03/05 16:33:55 1.5 @@ -39,6 +39,13 @@ # $cleartext = $aead->decrypt ($ciphertext); $mac = $aead->mac; +WARNING + The best known result (early 2017) against Spritz is a distinguisher + attack on 2**44 outputs with multiple keys/IVs, and on 2**60 outputs + with a single key (see doi:10.1007/978-3-662-52993-5_4 for details). + These are realistic attacks, so Spritz needs to be considered broken, + although for low data applications it should still be useful. + DESCRIPTION This module implements the Spritz spongelike function (with N=256), the spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt.
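Review bot: The last sentence of the new WARNING section says Spritz "should still be useful" for "low data applications" without defining "low data", so a reader cannot tell how much margin to keep below the 2**44 and 2**60 figures quoted two sentences earlier. State a concrete limit, and give the unit for "outputs" (bytes, given N=256, or something else). Also say whether the 2**44 multi-key figure is a total across all keys/IVs or a per-key amount. Callers who use a fresh IV per message fall under the multiple keys/IVs case, so the lower bound is the one that applies to them, and the text should make that explicit. It would also help to say what "broken" means for each interface, since the context lines directly above show the AEAD decrypt and mac calls and the warning describes a distinguisher on the output without saying which of the module's uses it affects.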