| … | |
… | |
| 38 | $aead->nonce ($counter); |
38 | $aead->nonce ($counter); |
| 39 | $aead->associated_data ($header); |
39 | $aead->associated_data ($header); |
| 40 | $ciphertext = $aead->encrypt ($cleartext); |
40 | $ciphertext = $aead->encrypt ($cleartext); |
| 41 | # $cleartext = $aead->decrypt ($ciphertext); |
41 | # $cleartext = $aead->decrypt ($ciphertext); |
| 42 | $mac = $aead->mac; |
42 | $mac = $aead->mac; |
|
|
43 | |
|
|
44 | =head1 WARNING |
|
|
45 | |
|
|
46 | The best known result (early 2017) against Spritz is a distinguisher |
|
|
47 | attack on 2**44 outputs with multiple keys/IVs, and on 2**60 outputs with |
|
|
48 | a single key (see doi:10.1007/978-3-662-52993-5_4 for details). These are |
|
|
49 | realistic attacks, so Spritz needs to be considered broken, although for |
|
|
50 | low data applications it should still be useful. |
| 43 | |
51 | |
| 44 | =head1 DESCRIPTION |
52 | =head1 DESCRIPTION |
| 45 | |
53 | |
| 46 | This module implements the Spritz spongelike function (with N=256), the |
54 | This module implements the Spritz spongelike function (with N=256), the |
| 47 | spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt. |
55 | spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt. |
| … | |
… | |
| 80 | |
88 | |
| 81 | package Crypt::Spritz; |
89 | package Crypt::Spritz; |
| 82 | |
90 | |
| 83 | use XSLoader; |
91 | use XSLoader; |
| 84 | |
92 | |
| 85 | $VERSION = 0.2; |
93 | $VERSION = 1.02; |
| 86 | |
94 | |
| 87 | XSLoader::load __PACKAGE__, $VERSION; |
95 | XSLoader::load __PACKAGE__, $VERSION; |
| 88 | |
96 | |
| 89 | @Crypt::Spritz::ISA = Crypt::Spritz::Base::; |
97 | @Crypt::Spritz::ISA = Crypt::Spritz::Base::; |
| 90 | |
98 | |
| … | |
… | |
| 117 | |
125 | |
| 118 | =head2 THE Crypt::Spritz CLASS |
126 | =head2 THE Crypt::Spritz CLASS |
| 119 | |
127 | |
| 120 | This class implements most of the Spritz primitives. To use it effectively |
128 | This class implements most of the Spritz primitives. To use it effectively |
| 121 | you should understand them, for example, by reading the L<Spritz |
129 | you should understand them, for example, by reading the L<Spritz |
| 122 | paper/http://people.csail.mit.edu/rivest/pubs/RS14.pdf>, especially |
130 | paper|http://people.csail.mit.edu/rivest/pubs/RS14.pdf>, especially |
| 123 | pp. 5-6. |
131 | pp. 5-6. |
| 124 | |
132 | |
| 125 | The Spritz primitive corresponding to the Perl method is given as |
133 | The Spritz primitive corresponding to the Perl method is given as |
| 126 | comment. |
134 | comment. |
| 127 | |
135 | |
| … | |
… | |
| 637 | limitations on usage. |
645 | limitations on usage. |
| 638 | |
646 | |
| 639 | =back |
647 | =back |
| 640 | |
648 | |
| 641 | |
649 | |
|
|
650 | =head1 SECURITY CONSIDERATIONS |
|
|
651 | |
|
|
652 | At the time of this writing, Spritz has not been through a lot of |
|
|
653 | cryptanalysis - it might get broken tomorrow. That's true for any crypto |
|
|
654 | algo, but the probability is quite a bit higher with Spritz. Having said |
|
|
655 | that, Spritz is almost certainly safer than RC4 at this time. |
|
|
656 | |
|
|
657 | Nevertheless, I wouldn't protect something very expensive with it. I also |
|
|
658 | would be careful about timing attacks. |
|
|
659 | |
|
|
660 | Regarding key lengths - as has been pointed out, traditional symmetric key |
|
|
661 | lengths (128 bit, 256 bit) work fine. Longer keys will be overkill, but |
|
|
662 | you can expect keys up to about a kilobit to be effective. Longer keys are |
|
|
663 | safe to use, they will simply be a waste of time. |
|
|
664 | |
|
|
665 | |
|
|
666 | =head1 PERFORMANCE |
|
|
667 | |
|
|
668 | As a cipher/prng, Spritz is reasonably fast (about 100MB/s on 2014 era |
|
|
669 | hardware, for comparison, AES will be more like 200MB/s). |
|
|
670 | |
|
|
671 | For key setup, ivs, hashing, nonces and so on, Spritz is very slow (about |
|
|
672 | 5MB/s on 2014 era hardware, which does SHA-256 at about 200MB/s). |
|
|
673 | |
|
|
674 | |
|
|
675 | =head1 SUPPORT FOR THE PERL MULTICORE SPECIFICATION |
|
|
676 | |
|
|
677 | This module supports the perl multicore specification |
|
|
678 | (L<http://perlmulticore.schmorp.de/>) for all encryption/decryption |
|
|
679 | (non-aead > 4000 octets, aead > 400 octets), hashing/absorbing (> 400 |
|
|
680 | octets) and squeezing/prng (> 4000 octets) functions. |
|
|
681 | |
|
|
682 | |
| 642 | =head1 SEE ALSO |
683 | =head1 SEE ALSO |
| 643 | |
684 | |
| 644 | L<http://people.csail.mit.edu/rivest/pubs/RS14.pdf>. |
685 | L<http://people.csail.mit.edu/rivest/pubs/RS14.pdf>. |
| 645 | |
686 | |
| 646 | =head1 SECURITY CONSIDERATIONS |
687 | =head1 SECURITY CONSIDERATIONS |
