| 1 |
NAME |
| 2 |
Crypt::Spritz - Spritz stream cipher/hash/MAC/AEAD/CSPRNG family |
| 3 |
|
| 4 |
SYNOPSIS |
| 5 |
use Crypt::Spritz; |
| 6 |
|
| 7 |
# see the commented examples in their respective classes, |
| 8 |
# but basically |
| 9 |
|
| 10 |
my $cipher = new Crypt::Spritz::Cipher::XOR $key, $iv; |
| 11 |
$ciphertext = $cipher->crypt ($cleartext); |
| 12 |
|
| 13 |
my $cipher = new Crypt::Spritz::Cipher $key, $iv; |
| 14 |
$ciphertext = $cipher->encrypt ($cleartext); |
| 15 |
# $cleartext = $cipher->decrypt ($ciphertext); |
| 16 |
|
| 17 |
my $hasher = new Crypt::Spritz::Hash; |
| 18 |
$hasher->add ($data); |
| 19 |
$digest = $hasher->finish; |
| 20 |
|
| 21 |
my $hasher = new Crypt::Spritz::MAC $key; |
| 22 |
$hasher->add ($data); |
| 23 |
$mac = $hasher->finish; |
| 24 |
|
| 25 |
my $prng = new Crypt::Spritz::PRNG $entropy; |
| 26 |
$prng->add ($additional_entropy); |
| 27 |
$keydata = $prng->get (32); |
| 28 |
|
| 29 |
my $aead = new Crypt::Spritz::AEAD::XOR $key; |
| 30 |
$aead->nonce ($counter); |
| 31 |
$aead->associated_data ($header); |
| 32 |
$ciphertext = $aead->crypt ($cleartext); |
| 33 |
$mac = $aead->mac; |
| 34 |
|
| 35 |
my $aead = new Crypt::Spritz::AEAD $key; |
| 36 |
$aead->nonce ($counter); |
| 37 |
$aead->associated_data ($header); |
| 38 |
$ciphertext = $aead->encrypt ($cleartext); |
| 39 |
# $cleartext = $aead->decrypt ($ciphertext); |
| 40 |
$mac = $aead->mac; |
| 41 |
|
| 42 |
DESCRIPTION |
| 43 |
This module implements the Spritz spongelike function (with N=256), the |
| 44 |
spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt. |
| 45 |
|
| 46 |
Its strength is extreme versatility (you get a stream cipher, a hash, a |
| 47 |
MAC, a DRBG/CSPRNG, an authenticated encryption block/stream cipher and |
| 48 |
more) and extremely simple and small code (encryption and authentication |
| 49 |
can be had in 1KB of compiled code on amd64, which isn't an issue for |
| 50 |
most uses in Perl, but is useful in embedded situations, or e.g. when |
| 51 |
doing crypto using javascript in a browser and communicating with Perl). |
| 52 |
|
| 53 |
Its weakness is its relatively slow speed (encryption is a few times |
| 54 |
slower than RC4 or AES, hashing many times slower than SHA-3, although |
| 55 |
this might be reversed on an 8-bit-cpu) and the fact that it is totally |
| 56 |
unproven in the field (as of this writing, the cipher was just a few |
| 57 |
months old), so it can't be called production-ready. |
| 58 |
|
| 59 |
All the usual caveats regarding stream ciphers apply - never repeat your |
| 60 |
key, never repeat your nonce and so on - you should have some basic |
| 61 |
understanding of cryptography before using this cipher in your own |
| 62 |
designs. |
| 63 |
|
| 64 |
The Spritz base class is not meant for end users. To make usage simpler |
| 65 |
and safer, a number of convenience classes are provided for typical |
| 66 |
end-user tasks: |
| 67 |
|
| 68 |
random number generation - Crypt::Spritz::PRNG |
| 69 |
hashing - Crypt::Spritz::Hash |
| 70 |
message authentication - Crypt::Spritz::MAC |
| 71 |
encryption - Crypt::Spritz::Cipher::XOR |
| 72 |
encryption - Crypt::Spritz::Cipher |
| 73 |
authenticated encryption - Crypt::Spritz::AEAD::XOR |
| 74 |
authenticated encryption - Crypt::Spritz::AEAD |
| 75 |
|
| 76 |
THE Crypt::Spritz CLASS |
| 77 |
This class implements most of the Spritz primitives. To use it |
| 78 |
effectively you should understand them, for example, by reading the |
| 79 |
Spritz paper <http://people.csail.mit.edu/rivest/pubs/RS14.pdf>, |
| 80 |
especially pp. 5-6. |
| 81 |
|
| 82 |
The Spritz primitive corresponding to the Perl method is given as |
| 83 |
comment. |
| 84 |
|
| 85 |
$spritz = new Crypt::Spritz # InitializeState |
| 86 |
Creates and returns a new, initialised Spritz state. |
| 87 |
|
| 88 |
$spritz->init # InitializeState |
| 89 |
Initialises the Spritz state again, throwing away the previous |
| 90 |
state. |
| 91 |
|
| 92 |
$another_spritz = $spritz->clone |
| 93 |
Make an exact copy of the spritz state. This method can be called on |
| 94 |
all of the objects in this module, but is documented separately to |
| 95 |
give some cool usage examples. |
| 96 |
|
| 97 |
$spritz->update # Update |
| 98 |
$spritz->whip ($r) # Whip |
| 99 |
$spritz->crush # Crush |
| 100 |
$spritz->shuffle # Shuffle |
| 101 |
$spritz->output # Output |
| 102 |
Calls the Spritz primitive ovf the same name - these are not |
| 103 |
normally called manually. |
| 104 |
|
| 105 |
$spritz->absorb ($I) # Absorb |
| 106 |
Absorbs the given data into the state (usually used for key |
| 107 |
material, nonces, IVs messages to be hashed and so on). |
| 108 |
|
| 109 |
$spritz->absorb_stop # AbsorbStop |
| 110 |
Absorbs a special stop symbol - this is usually used as delimiter |
| 111 |
between multiple strings to be absorbed, to thwart extension |
| 112 |
attacks. |
| 113 |
|
| 114 |
$spritz->absorb_and_stop ($I) |
| 115 |
This is a convenience function that simply calls "absorb" followed |
| 116 |
by "absorb_stop". |
| 117 |
|
| 118 |
$octet = $spritz->drip # Drip |
| 119 |
Squeezes out a single byte from the state. |
| 120 |
|
| 121 |
$octets = $spritz->squeeze ($len) # Squeeze |
| 122 |
Squeezes out the requested number of bytes from the state - this is |
| 123 |
usually |
| 124 |
|
| 125 |
THE Crypt::Spritz::PRNG CLASS |
| 126 |
This class implements a Pseudorandom Number Generatore (PRNG), sometimes |
| 127 |
also called a Deterministic Random Bit Generator (DRBG). In fact, it is |
| 128 |
even cryptographically secure, making it a CSPRNG. |
| 129 |
|
| 130 |
Typical usage as a random number generator involves creating a PRNG |
| 131 |
object with a seed of your choice, and then fetching randomness via |
| 132 |
"get": |
| 133 |
|
| 134 |
# create a PRNG object, use a seed string of your choice |
| 135 |
my $prng = new Crypt::Spritz::PRNG $seed; |
| 136 |
|
| 137 |
# now call get as many times as you wish to get binary randomness |
| 138 |
my $some_randomness = $prng->get (17); |
| 139 |
my moree_randomness = $prng->get (5000); |
| 140 |
... |
| 141 |
|
| 142 |
Typical usage as a cryptographically secure random number generator is |
| 143 |
to feed in some secret entropy (32 octets/256 bits are commonly |
| 144 |
considered enough), for example from "/dev/random" or "/dev/urandom", |
| 145 |
and then generate some key material. |
| 146 |
|
| 147 |
# create a PRNG object |
| 148 |
my $prng = new Crypt::Spritz::PRNG; |
| 149 |
|
| 150 |
# seed some entropy (either via ->add or in the constructor) |
| 151 |
$prng->add ($some_secret_highly_entropic_string); |
| 152 |
|
| 153 |
# now call get as many times as you wish to get |
| 154 |
# hard to guess binary randomness |
| 155 |
my $key1 = $prng->get (32); |
| 156 |
my $key2 = $prng->get (16); |
| 157 |
... |
| 158 |
|
| 159 |
# for long running programs, it is advisable to |
| 160 |
# reseed the PRNG from time to time with new entropy |
| 161 |
$prng->add ($some_more_entropy); |
| 162 |
|
| 163 |
$prng = new Crypt::Spritz::PRNG [$seed] |
| 164 |
Creates a new random number generator object. If $seed is given, |
| 165 |
then the $seed is added to the internal state as if by a call to |
| 166 |
"add". |
| 167 |
|
| 168 |
$prng->add ($entropy) |
| 169 |
Adds entropy to the internal state, thereby hopefully making it |
| 170 |
harder to guess. Good sources for entropy are irregular hardware |
| 171 |
events, or randomness provided by "/dev/urandom" or "/dev/random". |
| 172 |
|
| 173 |
The design of the Spritz PRNG should make it strong against attacks |
| 174 |
where the attacker controls all the entropy, so it should be safe to |
| 175 |
add entropy from untrusted sources - more is better than less if you |
| 176 |
need a CSPRNG. |
| 177 |
|
| 178 |
For use as PRNG, of course, this matters very little. |
| 179 |
|
| 180 |
$octets = $prng->get ($length) |
| 181 |
Generates and returns $length random octets as a string. |
| 182 |
|
| 183 |
THE Crypt::Spritz::Hash CLASS |
| 184 |
This implements the Spritz digest/hash algorithm. It works very similar |
| 185 |
to other digest modules on CPAN, such as Digest::SHA3. |
| 186 |
|
| 187 |
Typical use for hashing: |
| 188 |
|
| 189 |
# create hasher object |
| 190 |
my $hasher = new Crypt::Spritz::Hash; |
| 191 |
|
| 192 |
# now feed data to be hashed into $hasher |
| 193 |
# in as few or many calls as required |
| 194 |
$hasher->add ("Some data"); |
| 195 |
$hasher->add ("Some more"); |
| 196 |
|
| 197 |
# extract the hash - the object is not usable afterwards |
| 198 |
my $digest = $hasher->finish (32); |
| 199 |
|
| 200 |
$hasher = new Crypt::Spritz::Hash |
| 201 |
Creates a new hasher object. |
| 202 |
|
| 203 |
$hasher->add ($data) |
| 204 |
Adds data to be hashed into the hasher state. It doesn't matter |
| 205 |
whether you pass your data in in one go or split it up, the hash |
| 206 |
will be the same. |
| 207 |
|
| 208 |
$digest = $hasher->finish ($length) |
| 209 |
Calculates a hash digest of the given length and return it. The |
| 210 |
object cannot sensibly be used for further hashing afterwards. |
| 211 |
|
| 212 |
Typical digest lengths are 16 and 32, corresponding to 128 and 256 |
| 213 |
bit digests, respectively. |
| 214 |
|
| 215 |
$another_hasher = $hasher->clone |
| 216 |
Make an exact copy of the hasher state. This can be useful to |
| 217 |
generate incremental hashes, for example. |
| 218 |
|
| 219 |
Example: generate a hash for the data already fed into the hasher, |
| 220 |
by keeping the original hasher for further "add" calls and calling |
| 221 |
"finish" on a "clone". |
| 222 |
|
| 223 |
my $intermediate_hash = $hasher->clone->finish; |
| 224 |
|
| 225 |
Example: hash 64KiB of data, and generate a hash after every |
| 226 |
kilobyte that is over the full data. |
| 227 |
|
| 228 |
my $hasher = new Crypt::Spritz::Hash; |
| 229 |
|
| 230 |
for (0..63) { |
| 231 |
my $kib = "x" x 1024; # whatever data |
| 232 |
|
| 233 |
$hasher->add ($kib); |
| 234 |
|
| 235 |
my $intermediate_hash = $hasher->clone->finish; |
| 236 |
... |
| 237 |
} |
| 238 |
|
| 239 |
These kind of intermediate hashes are sometimes used in |
| 240 |
communications protocols to protect the integrity of the data |
| 241 |
incrementally, e.g. to detect errors early, while still having a |
| 242 |
complete hash at the end of a transfer. |
| 243 |
|
| 244 |
THE Crypt::Spritz::MAC CLASS |
| 245 |
This implements the Spritz Message Authentication Code algorithm. It |
| 246 |
works very similar to other digest modules on CPAN, such as |
| 247 |
Digest::SHA3, but implements an authenticated digest (like |
| 248 |
Digest::HMAC). |
| 249 |
|
| 250 |
*Authenticated* means that, unlike Crypt::Spritz::Hash, where everybody |
| 251 |
can verify and recreate the hash value for some data, with a MAC, |
| 252 |
knowledge of the (hopefully) secret key is required both to create and |
| 253 |
to verify the digest. |
| 254 |
|
| 255 |
Typical use for hashing is almost the same as with Crypt::Spritz::MAC, |
| 256 |
except a key (typically 16 or 32 octets) is provided to the constructor: |
| 257 |
|
| 258 |
# create hasher object |
| 259 |
my $hasher = new Crypt::Spritz::Mac $key; |
| 260 |
|
| 261 |
# now feed data to be hashed into $hasher |
| 262 |
# in as few or many calls as required |
| 263 |
$hasher->add ("Some data"); |
| 264 |
$hasher->add ("Some more"); |
| 265 |
|
| 266 |
# extract the mac - the object is not usable afterwards |
| 267 |
my $mac = $hasher->finish (32); |
| 268 |
|
| 269 |
$hasher = new Crypt::Spritz::MAC $key |
| 270 |
Creates a new hasher object. The $key can be of any length, but 16 |
| 271 |
and 32 (128 and 256 bit) are customary. |
| 272 |
|
| 273 |
$hasher->add ($data) |
| 274 |
Adds data to be hashed into the hasher state. It doesn't matter |
| 275 |
whether you pass your data in in one go or split it up, the hash |
| 276 |
will be the same. |
| 277 |
|
| 278 |
$mac = $hasher->finish ($length) |
| 279 |
Calculates a message code of the given length and return it. The |
| 280 |
object cannot sensibly be used for further hashing afterwards. |
| 281 |
|
| 282 |
Typical digest lengths are 16 and 32, corresponding to 128 and 256 |
| 283 |
bit digests, respectively. |
| 284 |
|
| 285 |
$another_hasher = $hasher->clone |
| 286 |
Make an exact copy of the hasher state. This can be useful to |
| 287 |
generate incremental macs, for example. |
| 288 |
|
| 289 |
See the description for the "Crypt::Spritz::Hash::clone" method for |
| 290 |
some examples. |
| 291 |
|
| 292 |
THE Crypt::Spritz::Cipher::XOR CLASS |
| 293 |
This class implements stream encryption/decryption. It doesn't implement |
| 294 |
the standard Spritz encryption but the XOR variant (called spritz-xor in |
| 295 |
the paper). |
| 296 |
|
| 297 |
The XOR variant should be as secure as the standard variant, but doesn't |
| 298 |
have separate encryption and decryaption functions, which saves |
| 299 |
codesize. IT is not compatible with standard Spritz encryption, however |
| 300 |
- drop me a note if you want that implemented as well. |
| 301 |
|
| 302 |
Typical use for encryption *and* decryption (code is identical for |
| 303 |
decryption, you simply pass the encrypted data to "crypt"): |
| 304 |
|
| 305 |
# create a cipher - $salt can be a random string you send |
| 306 |
# with your message, in clear, a counter (best), or empty if |
| 307 |
# you only want to encrypt one message with the given key. |
| 308 |
# 16 or 32 octets are typical sizes for the key, for the salt, |
| 309 |
# use whatever you need to give a unique salt for every |
| 310 |
# message you encrypt with the same key. |
| 311 |
|
| 312 |
my $cipher = Crypt::Spritz::Cipher::XOR $key, $salt; |
| 313 |
|
| 314 |
# encrypt a message in one or more calls to crypt |
| 315 |
|
| 316 |
my $encrypted; |
| 317 |
|
| 318 |
$encrypted .= $cipher->crypt ("This is"); |
| 319 |
$encrypted .= $cipher->crypt ("all very"); |
| 320 |
$encrypted .= $cipher->crypt ("secret"); |
| 321 |
|
| 322 |
# that's all |
| 323 |
|
| 324 |
$cipher = new Crypt::Spritz::Cipher::XOR $key[, $iv] |
| 325 |
Creates a new cipher object usable for encryption and decryption. |
| 326 |
The $key must be provided, the initial vector $IV is optional. |
| 327 |
|
| 328 |
Both $key and $IV can be of any length. Typical lengths for the $key |
| 329 |
are 16 (128 bit) or 32 (256 bit), while the $IV simply needs to be |
| 330 |
long enough to distinguish repeated uses of tghe same key. |
| 331 |
|
| 332 |
$encrypted = $cipher->crypt ($cleartext) |
| 333 |
$cleartext = $cipher->crypt ($encrypted) |
| 334 |
Encrypt or decrypt a piece of a message. This can be called as many |
| 335 |
times as you want, and the message can be split into as few or many |
| 336 |
pieces as required without affecting the results. |
| 337 |
|
| 338 |
$cipher->crypt_inplace ($cleartext_or_ciphertext) |
| 339 |
Same as "crypt", except it *modifies the argument in-place*. |
| 340 |
|
| 341 |
$another_cipher = $cipher->clone |
| 342 |
Make an exact copy of the cipher state. This can be useful to cache |
| 343 |
states for reuse later, for example, to avoid expensive key setups. |
| 344 |
|
| 345 |
While there might be use cases for this feature, it makes a lot more |
| 346 |
sense for "Crypt::Spritz::AEAD" and "Crypt::Spritz::AEAD::XOR", as |
| 347 |
they allow you to specify the IV/nonce separately. |
| 348 |
|
| 349 |
$constant_32 = $cipher->keysize |
| 350 |
$constant_64 = $cipher->blocksize |
| 351 |
These methods are provided for Crypt::CBC compatibility and simply |
| 352 |
return 32 and 64, respectively. |
| 353 |
|
| 354 |
Note that it is pointless to use Spritz with Crypt::CBC, as Spritz |
| 355 |
is not a block cipher and already provides an appropriate mode. |
| 356 |
|
| 357 |
THE Crypt::Spritz::Cipher CLASS |
| 358 |
This class is pretty much the same as the "Crypt::Spritz::Cipher::XOR" |
| 359 |
class, with two differences: first, it implements the "standard" Spritz |
| 360 |
encryption algorithm, and second, while this variant is easier to |
| 361 |
analyze mathematically, there is little else to recommend it for, as it |
| 362 |
is slower, and requires lots of code duplication code. |
| 363 |
|
| 364 |
So unless you need to be compatible with another implementation that |
| 365 |
does not offer the XOR variant, stick to "Crypt::Spritz::Cipher::XOR". |
| 366 |
|
| 367 |
All the methods from "Crypt::Spritz::Cipher::XOR" are available, except |
| 368 |
"crypt", which has been replaced by separate "encrypt" and "decrypt" |
| 369 |
methods: |
| 370 |
|
| 371 |
$encrypted = $cipher->encrypt ($cleartext) |
| 372 |
$cleartext = $cipher->decrypt ($encrypted) |
| 373 |
Really the same as "Crypt::Spritz::Cipher::XOR", except you need |
| 374 |
separate calls and code for encryption and decryption. |
| 375 |
|
| 376 |
THE Crypt::Spritz::AEAD::XOR CLASS |
| 377 |
This is the most complicated class - it combines encryption and message |
| 378 |
authentication into a single "authenticated encryption mode". It is |
| 379 |
similar to using both Crypt::Spritz::Cipher::XOR and Crypt::Spritz::MAC, |
| 380 |
but makes it harder to make mistakes in combining them. |
| 381 |
|
| 382 |
You can additionally provide cleartext data that will not be encrypted |
| 383 |
or decrypted, but that is nevertheless authenticated using the MAC, |
| 384 |
which is why this mode is called *AEAD*, *Authenticated Encryption with |
| 385 |
Associated Data*. Associated data is usually used to any header data |
| 386 |
that is in cleartext, but should nevertheless be authenticated. |
| 387 |
|
| 388 |
This implementation implements the XOR variant. Just as with |
| 389 |
Crypt::Spritz::Cipher::XOR, this means it is not compatible with the |
| 390 |
standard mode, but uses less code and doesn't distinguish between |
| 391 |
encryption and decryption. |
| 392 |
|
| 393 |
Typical usage is as follows: |
| 394 |
|
| 395 |
# create a new aead object |
| 396 |
# you use one object per message |
| 397 |
# key length customarily is 16 or 32 |
| 398 |
my $aead = new Crypt::Spritz::AEAD::XOR $key; |
| 399 |
|
| 400 |
# now you must feed the nonce. if you do not need a nonce, |
| 401 |
# you can provide the empty string, but you have to call it |
| 402 |
# after creating the object, before calling associated_data. |
| 403 |
# the nonce must be different for each usage of the $key. |
| 404 |
# a counter of some kind is good enough. |
| 405 |
# reusing a nonce with the same key completely |
| 406 |
# destroys security! |
| 407 |
$aead->nonce ($counter); |
| 408 |
|
| 409 |
# then you must feed any associated data you have. if you |
| 410 |
# do not have associated cleartext data, you can provide the empty |
| 411 |
# string, but you have to call it after nonce and before crypt. |
| 412 |
$aead->associated_data ($header); |
| 413 |
|
| 414 |
# next, you call crypt one or more times with your data |
| 415 |
# to be encrypted (opr decrypted). |
| 416 |
# all except the last call must use a length that is a |
| 417 |
# multiple of 64. |
| 418 |
# the last block can have any length. |
| 419 |
my $encrypted; |
| 420 |
|
| 421 |
$encrypted .= $aead->crypt ("1" x 64); |
| 422 |
$encrypted .= $aead->crypt ("2" x 64); |
| 423 |
$encrypted .= $aead->crypt ("3456"); |
| 424 |
|
| 425 |
# finally you can calculate the MAC for all of the above |
| 426 |
my $mac = $aead->finish; |
| 427 |
|
| 428 |
$aead = new Crypt::Spritz::AEAD::XOR $key |
| 429 |
Creates a new cipher object usable for encryption and decryption. |
| 430 |
|
| 431 |
The $key can be of any length. Typical lengths for the $key are 16 |
| 432 |
(128 bit) or 32 (256 bit). |
| 433 |
|
| 434 |
After creation, you have to call "nonce" next. |
| 435 |
|
| 436 |
$aead->nonce ($nonce) |
| 437 |
Provide the nonce value (nonce means "value used once"), a value the |
| 438 |
is unique between all uses with the same key. This method *must* be |
| 439 |
called *after* "new" and *before* "associated_data". |
| 440 |
|
| 441 |
If you only ever use a given key once, you can provide an empty |
| 442 |
nonce - but you still have to call the method. |
| 443 |
|
| 444 |
Common strategies to provide a nonce are to implement a persistent |
| 445 |
counter or to generate a random string of sufficient length to |
| 446 |
guarantee that it differs each time. |
| 447 |
|
| 448 |
The problem with counters is that you might get confused and forget |
| 449 |
increments, and thus reuse the same sequence number. The problem |
| 450 |
with random strings i that your random number generator might be |
| 451 |
hosed and generate the same randomness multiple times (randomness |
| 452 |
can be very hard to get especially on embedded devices). |
| 453 |
|
| 454 |
$aead->associated_data ($data) |
| 455 |
Provide the associated data (cleartext data to be authenticated but |
| 456 |
not encrypted). This method *must* be called *after* "nonce" and |
| 457 |
*before* "crypt". |
| 458 |
|
| 459 |
If you don't have any associated data, you can provide an empty |
| 460 |
string - but you still have to call the method. |
| 461 |
|
| 462 |
Associated data is typically header data - data anybody is allowed |
| 463 |
to see in cleartext, but that should nevertheless be protected with |
| 464 |
an authentication code. Typically such data is used to identify |
| 465 |
where to forward a message to, how to find the key to decrypt the |
| 466 |
message or in general how to interpret the encrypted part of a |
| 467 |
message. |
| 468 |
|
| 469 |
$encrypted = $cipher->crypt ($cleartext) |
| 470 |
$cleartext = $cipher->crypt ($encrypted) |
| 471 |
Encrypt or decrypt a piece of a message. This can be called as many |
| 472 |
times as you want, and the message can be split into as few or many |
| 473 |
pieces as required without affecting the results, with one |
| 474 |
exception: All except the last call to "crypt" needs to pass in a |
| 475 |
multiple of 64 octets. The last call to "crypt" does not have this |
| 476 |
limitation. |
| 477 |
|
| 478 |
$cipher->crypt_inplace ($cleartext_or_ciphertext) |
| 479 |
Same as "crypt", except it *modifies the argument in-place*. |
| 480 |
|
| 481 |
$another_cipher = $cipher->clone |
| 482 |
Make an exact copy of the cipher state. This can be useful to cache |
| 483 |
states for reuse later, for example, to avoid expensive key setups. |
| 484 |
|
| 485 |
Example: set up a cipher state with a key, then clone and use it to |
| 486 |
encrypt messages with different nonces. |
| 487 |
|
| 488 |
my $cipher = new Crypt::Spritz::AEAD::XOR $key; |
| 489 |
|
| 490 |
my $message_counter; |
| 491 |
|
| 492 |
for my $message ("a", "b", "c") { |
| 493 |
my $clone = $cipher->clone; |
| 494 |
$clone->nonce (pack "N", ++$message_counter); |
| 495 |
$clone->associated_data (""); |
| 496 |
my $encrypted = $clone->crypt ($message); |
| 497 |
... |
| 498 |
} |
| 499 |
|
| 500 |
THE Crypt::Spritz::AEAD CLASS |
| 501 |
This class is pretty much the same as the "Crypt::Spritz::AEAD::XOR" |
| 502 |
class, with two differences: first, it implements the "standard" Spritz |
| 503 |
encryption algorithm, and second, while this variant is easier to |
| 504 |
analyze mathematically, there is little else to recommend it for, as it |
| 505 |
is slower, and requires lots of code duplication code. |
| 506 |
|
| 507 |
So unless you need to be compatible with another implementation that |
| 508 |
does not offer the XOR variant, stick to "Crypt::Spritz::AEAD::XOR". |
| 509 |
|
| 510 |
All the methods from "Crypt::Spritz::AEAD::XOR" are available, except |
| 511 |
"crypt", which has been replaced by separate "encrypt" and "decrypt" |
| 512 |
methods: |
| 513 |
|
| 514 |
$encrypted = $cipher->encrypt ($cleartext) |
| 515 |
$cleartext = $cipher->decrypt ($encrypted) |
| 516 |
Really the same as "Crypt::Spritz::AEAD::XOR", except you need |
| 517 |
separate calls and code for encryption and decryption, but you have |
| 518 |
the same limitations on usage. |
| 519 |
|
| 520 |
SECURITY CONSIDERATIONS |
| 521 |
At the time of this writing, Spritz has not been through a lot of |
| 522 |
cryptanalysis - it might get broken tomorrow. That's true for any crypto |
| 523 |
algo, but the probability is quite a bit higher with Spritz. Having said |
| 524 |
that, Spritz is almost certainly safer than RC4 at this time. |
| 525 |
|
| 526 |
Nevertheless, I wouldn't protect something very expensive with it. I |
| 527 |
also would be careful about timing attacks. |
| 528 |
|
| 529 |
Regarding key lengths - as has been pointed out, traditional symmetric |
| 530 |
key lengths (128 bit, 256 bit) work fine. Longer keys will be overkill, |
| 531 |
but you can expect keys up to about a kilobit to be effective. Longer |
| 532 |
keys are safe to use, they will simply be a waste of time. |
| 533 |
|
| 534 |
PERFORMANCE |
| 535 |
As a cipher/prng, Spritz is reasonably fast (about 100MB/s on 2014 era |
| 536 |
hardware, for comparison, AES will be more like 200MB/s). |
| 537 |
|
| 538 |
For key setup, ivs, hashing, nonces and so on, Spritz is very slow |
| 539 |
(about 5MB/s on 2014 era hardware, which does SHA-256 at about 200MB/s). |
| 540 |
|
| 541 |
SUPPORT FOR THE PERL MULTICORE SPECIFICATION |
| 542 |
This module supports the perl multicore specification |
| 543 |
(<http://perlmulticore.schmorp.de/>) for all encryption/decryption |
| 544 |
(non-aead > 4000 octets, aead > 400 octets), hashing/absorbing (> 400 |
| 545 |
octets) and squeezing/prng (> 4000 octets) functions. |
| 546 |
|
| 547 |
SEE ALSO |
| 548 |
<http://people.csail.mit.edu/rivest/pubs/RS14.pdf>. |
| 549 |
|
| 550 |
SECURITY CONSIDERATIONS |
| 551 |
I also cannot give any guarantees for security, Spritz is a very new |
| 552 |
cryptographic algorithm, and when this module was written, almost |
| 553 |
completely unproven. |
| 554 |
|
| 555 |
AUTHOR |
| 556 |
Marc Lehmann <schmorp@schmorp.de> |
| 557 |
http://software.schmorp.de/pkg/Crypt-Spritz |
| 558 |
|
