| … | |
… | |
| 36 | $aead->nonce ($counter); |
36 | $aead->nonce ($counter); |
| 37 | $aead->associated_data ($header); |
37 | $aead->associated_data ($header); |
| 38 | $ciphertext = $aead->encrypt ($cleartext); |
38 | $ciphertext = $aead->encrypt ($cleartext); |
| 39 | # $cleartext = $aead->decrypt ($ciphertext); |
39 | # $cleartext = $aead->decrypt ($ciphertext); |
| 40 | $mac = $aead->mac; |
40 | $mac = $aead->mac; |
|
|
41 | |
|
|
42 | WARNING |
|
|
43 | The best known result (early 2017) against Spritz is a distinguisher |
|
|
44 | attack on 2**44 outputs with multiple keys/IVs, and on 2**60 outputs |
|
|
45 | with a single key (see doi:10.1007/978-3-662-52993-5_4 for details). |
|
|
46 | These are realistic attacks, so Spritz needs to be considered broken, |
|
|
47 | although for low data applications it should still be useful. |
| 41 | |
48 | |
| 42 | DESCRIPTION |
49 | DESCRIPTION |
| 43 | This module implements the Spritz spongelike function (with N=256), the |
50 | This module implements the Spritz spongelike function (with N=256), the |
| 44 | spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt. |
51 | spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt. |
| 45 | |
52 | |
| … | |
… | |
| 74 | authenticated encryption - Crypt::Spritz::AEAD |
81 | authenticated encryption - Crypt::Spritz::AEAD |
| 75 | |
82 | |
| 76 | THE Crypt::Spritz CLASS |
83 | THE Crypt::Spritz CLASS |
| 77 | This class implements most of the Spritz primitives. To use it |
84 | This class implements most of the Spritz primitives. To use it |
| 78 | effectively you should understand them, for example, by reading the |
85 | effectively you should understand them, for example, by reading the |
| 79 | "http://people.csail.mit.edu/rivest/pubs/RS14.pdf" in Spritz paper, |
86 | Spritz paper <http://people.csail.mit.edu/rivest/pubs/RS14.pdf>, |
| 80 | especially pp. 5-6. |
87 | especially pp. 5-6. |
| 81 | |
88 | |
| 82 | The Spritz primitive corresponding to the Perl method is given as |
89 | The Spritz primitive corresponding to the Perl method is given as |
| 83 | comment. |
90 | comment. |
| 84 | |
91 | |
| … | |
… | |
| 515 | $cleartext = $cipher->decrypt ($encrypted) |
522 | $cleartext = $cipher->decrypt ($encrypted) |
| 516 | Really the same as "Crypt::Spritz::AEAD::XOR", except you need |
523 | Really the same as "Crypt::Spritz::AEAD::XOR", except you need |
| 517 | separate calls and code for encryption and decryption, but you have |
524 | separate calls and code for encryption and decryption, but you have |
| 518 | the same limitations on usage. |
525 | the same limitations on usage. |
| 519 | |
526 | |
|
|
527 | SECURITY CONSIDERATIONS |
|
|
528 | At the time of this writing, Spritz has not been through a lot of |
|
|
529 | cryptanalysis - it might get broken tomorrow. That's true for any crypto |
|
|
530 | algo, but the probability is quite a bit higher with Spritz. Having said |
|
|
531 | that, Spritz is almost certainly safer than RC4 at this time. |
|
|
532 | |
|
|
533 | Nevertheless, I wouldn't protect something very expensive with it. I |
|
|
534 | also would be careful about timing attacks. |
|
|
535 | |
|
|
536 | Regarding key lengths - as has been pointed out, traditional symmetric |
|
|
537 | key lengths (128 bit, 256 bit) work fine. Longer keys will be overkill, |
|
|
538 | but you can expect keys up to about a kilobit to be effective. Longer |
|
|
539 | keys are safe to use, they will simply be a waste of time. |
|
|
540 | |
|
|
541 | PERFORMANCE |
|
|
542 | As a cipher/prng, Spritz is reasonably fast (about 100MB/s on 2014 era |
|
|
543 | hardware, for comparison, AES will be more like 200MB/s). |
|
|
544 | |
|
|
545 | For key setup, ivs, hashing, nonces and so on, Spritz is very slow |
|
|
546 | (about 5MB/s on 2014 era hardware, which does SHA-256 at about 200MB/s). |
|
|
547 | |
|
|
548 | SUPPORT FOR THE PERL MULTICORE SPECIFICATION |
|
|
549 | This module supports the perl multicore specification |
|
|
550 | (<http://perlmulticore.schmorp.de/>) for all encryption/decryption |
|
|
551 | (non-aead > 4000 octets, aead > 400 octets), hashing/absorbing (> 400 |
|
|
552 | octets) and squeezing/prng (> 4000 octets) functions. |
|
|
553 | |
| 520 | SEE ALSO |
554 | SEE ALSO |
| 521 | <http://people.csail.mit.edu/rivest/pubs/RS14.pdf>. |
555 | <http://people.csail.mit.edu/rivest/pubs/RS14.pdf>. |
| 522 | |
556 | |
| 523 | SECURITY CONSIDERATIONS |
557 | SECURITY CONSIDERATIONS |
| 524 | I also cannot give any guarantees for security, Spritz is a very new |
558 | I also cannot give any guarantees for security, Spritz is a very new |
