line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
=head1 NAME |
2
|
|
|
|
|
|
|
|
3
|
|
|
|
|
|
|
Crypt::Spritz - Spritz stream cipher/hash/MAC/AEAD/CSPRNG family |
4
|
|
|
|
|
|
|
|
5
|
|
|
|
|
|
|
=head1 SYNOPSIS |
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
use Crypt::Spritz; |
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
# see the commented examples in their respective classes, |
10
|
|
|
|
|
|
|
# but basically |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
my $cipher = new Crypt::Spritz::Cipher::XOR $key, $iv; |
13
|
|
|
|
|
|
|
$ciphertext = $cipher->crypt ($cleartext); |
14
|
|
|
|
|
|
|
|
15
|
|
|
|
|
|
|
my $cipher = new Crypt::Spritz::Cipher $key, $iv; |
16
|
|
|
|
|
|
|
$ciphertext = $cipher->encrypt ($cleartext); |
17
|
|
|
|
|
|
|
# $cleartext = $cipher->decrypt ($ciphertext); |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
my $hasher = new Crypt::Spritz::Hash; |
20
|
|
|
|
|
|
|
$hasher->add ($data); |
21
|
|
|
|
|
|
|
$digest = $hasher->finish; |
22
|
|
|
|
|
|
|
|
23
|
|
|
|
|
|
|
my $hasher = new Crypt::Spritz::MAC $key; |
24
|
|
|
|
|
|
|
$hasher->add ($data); |
25
|
|
|
|
|
|
|
$mac = $hasher->finish; |
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
my $prng = new Crypt::Spritz::PRNG $entropy; |
28
|
|
|
|
|
|
|
$prng->add ($additional_entropy); |
29
|
|
|
|
|
|
|
$keydata = $prng->get (32); |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
my $aead = new Crypt::Spritz::AEAD::XOR $key; |
32
|
|
|
|
|
|
|
$aead->nonce ($counter); |
33
|
|
|
|
|
|
|
$aead->associated_data ($header); |
34
|
|
|
|
|
|
|
$ciphertext = $aead->crypt ($cleartext); |
35
|
|
|
|
|
|
|
$mac = $aead->mac; |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
my $aead = new Crypt::Spritz::AEAD $key; |
38
|
|
|
|
|
|
|
$aead->nonce ($counter); |
39
|
|
|
|
|
|
|
$aead->associated_data ($header); |
40
|
|
|
|
|
|
|
$ciphertext = $aead->encrypt ($cleartext); |
41
|
|
|
|
|
|
|
# $cleartext = $aead->decrypt ($ciphertext); |
42
|
|
|
|
|
|
|
$mac = $aead->mac; |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
=head1 DESCRIPTION |
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
This module implements the Spritz spongelike function (with N=256), the |
47
|
|
|
|
|
|
|
spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt. |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
Its strength is extreme versatility (you get a stream cipher, a hash, a |
50
|
|
|
|
|
|
|
MAC, a DRBG/CSPRNG, an authenticated encryption block/stream cipher and |
51
|
|
|
|
|
|
|
more) and extremely simple and small code (encryption and authentication |
52
|
|
|
|
|
|
|
can be had in 1KB of compiled code on amd64, which isn't an issue for most |
53
|
|
|
|
|
|
|
uses in Perl, but is useful in embedded situations, or e.g. when doing |
54
|
|
|
|
|
|
|
crypto using javascript in a browser and communicating with Perl). |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
Its weakness is its relatively slow speed (encryption is a few times |
57
|
|
|
|
|
|
|
slower than RC4 or AES, hashing many times slower than SHA-3, although |
58
|
|
|
|
|
|
|
this might be reversed on an 8-bit-cpu) and the fact that it is totally |
59
|
|
|
|
|
|
|
unproven in the field (as of this writing, the cipher was just a few |
60
|
|
|
|
|
|
|
months old), so it can't be called production-ready. |
61
|
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
All the usual caveats regarding stream ciphers apply - never repeat your |
63
|
|
|
|
|
|
|
key, never repeat your nonce and so on - you should have some basic |
64
|
|
|
|
|
|
|
understanding of cryptography before using this cipher in your own |
65
|
|
|
|
|
|
|
designs. |
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
The Spritz base class is not meant for end users. To make usage simpler |
68
|
|
|
|
|
|
|
and safer, a number of convenience classes are provided for typical |
69
|
|
|
|
|
|
|
end-user tasks: |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
random number generation - Crypt::Spritz::PRNG |
72
|
|
|
|
|
|
|
hashing - Crypt::Spritz::Hash |
73
|
|
|
|
|
|
|
message authentication - Crypt::Spritz::MAC |
74
|
|
|
|
|
|
|
encryption - Crypt::Spritz::Cipher::XOR |
75
|
|
|
|
|
|
|
encryption - Crypt::Spritz::Cipher |
76
|
|
|
|
|
|
|
authenticated encryption - Crypt::Spritz::AEAD::XOR |
77
|
|
|
|
|
|
|
authenticated encryption - Crypt::Spritz::AEAD |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
=cut |
80
|
|
|
|
|
|
|
|
81
|
|
|
|
|
|
|
package Crypt::Spritz; |
82
|
|
|
|
|
|
|
|
83
|
2
|
|
|
2
|
|
1357
|
use XSLoader; |
|
2
|
|
|
|
|
3
|
|
|
2
|
|
|
|
|
889
|
|
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
$VERSION = 1.01; |
86
|
|
|
|
|
|
|
|
87
|
|
|
|
|
|
|
XSLoader::load __PACKAGE__, $VERSION; |
88
|
|
|
|
|
|
|
|
89
|
|
|
|
|
|
|
@Crypt::Spritz::ISA = Crypt::Spritz::Base::; |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
@Crypt::Spritz::Hash::ISA = |
92
|
|
|
|
|
|
|
@Crypt::Spritz::PRNG::ISA = |
93
|
|
|
|
|
|
|
@Crypt::Spritz::Cipher::ISA = |
94
|
|
|
|
|
|
|
@Crypt::Spritz::AEAD::ISA = Crypt::Spritz::Base::; |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
@Crypt::Spritz::MAC::ISA = Crypt::Spritz::Hash::; |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
@Crypt::Spritz::Cipher::XOR::ISA = Crypt::Spritz::Cipher::; |
99
|
|
|
|
|
|
|
@Crypt::Spritz::AEAD::XOR::ISA = Crypt::Spritz::AEAD::; |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
sub Crypt::Spritz::Cipher::keysize () { 32 } |
102
|
|
|
|
|
|
|
sub Crypt::Spritz::Cipher::blocksize () { 64 } |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
*Crypt::Spritz::Hash::new = \&Crypt::Spritz::new; |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
*Crypt::Spritz::Hash::add = |
107
|
|
|
|
|
|
|
*Crypt::Spritz::PRNG::add = \&Crypt::Spritz::absorb; |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
*Crypt::Spritz::PRNG::get = \&Crypt::Spritz::squeeze; |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
*Crypt::Spritz::AEAD::new = \&Crypt::Spritz::MAC::new; |
112
|
|
|
|
|
|
|
*Crypt::Spritz::AEAD::finish = \&Crypt::Spritz::Hash::finish; |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
*Crypt::Spritz::AEAD::associated_data = |
115
|
|
|
|
|
|
|
*Crypt::Spritz::AEAD::nonce = \&Crypt::Spritz::absorb_and_stop; |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz CLASS |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
This class implements most of the Spritz primitives. To use it effectively |
121
|
|
|
|
|
|
|
you should understand them, for example, by reading the L
|
122
|
|
|
|
|
|
|
paper|http://people.csail.mit.edu/rivest/pubs/RS14.pdf>, especially |
123
|
|
|
|
|
|
|
pp. 5-6. |
124
|
|
|
|
|
|
|
|
125
|
|
|
|
|
|
|
The Spritz primitive corresponding to the Perl method is given as |
126
|
|
|
|
|
|
|
comment. |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
=over 4 |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
=item $spritz = new Crypt::Spritz # InitializeState |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
Creates and returns a new, initialised Spritz state. |
133
|
|
|
|
|
|
|
|
134
|
|
|
|
|
|
|
=item $spritz->init # InitializeState |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
Initialises the Spritz state again, throwing away the previous state. |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
=item $another_spritz = $spritz->clone |
139
|
|
|
|
|
|
|
|
140
|
|
|
|
|
|
|
Make an exact copy of the spritz state. This method can be called on all |
141
|
|
|
|
|
|
|
of the objects in this module, but is documented separately to give some |
142
|
|
|
|
|
|
|
cool usage examples. |
143
|
|
|
|
|
|
|
|
144
|
|
|
|
|
|
|
=item $spritz->update # Update |
145
|
|
|
|
|
|
|
|
146
|
|
|
|
|
|
|
=item $spritz->whip ($r) # Whip |
147
|
|
|
|
|
|
|
|
148
|
|
|
|
|
|
|
=item $spritz->crush # Crush |
149
|
|
|
|
|
|
|
|
150
|
|
|
|
|
|
|
=item $spritz->shuffle # Shuffle |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
=item $spritz->output # Output |
153
|
|
|
|
|
|
|
|
154
|
|
|
|
|
|
|
Calls the Spritz primitive ovf the same name - these are not normally |
155
|
|
|
|
|
|
|
called manually. |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=item $spritz->absorb ($I) # Absorb |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
Absorbs the given data into the state (usually used for key material, |
160
|
|
|
|
|
|
|
nonces, IVs messages to be hashed and so on). |
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
=item $spritz->absorb_stop # AbsorbStop |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
Absorbs a special stop symbol - this is usually used as delimiter between |
165
|
|
|
|
|
|
|
multiple strings to be absorbed, to thwart extension attacks. |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
=item $spritz->absorb_and_stop ($I) |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
This is a convenience function that simply calls C followed by |
170
|
|
|
|
|
|
|
C. |
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
=item $octet = $spritz->drip # Drip |
173
|
|
|
|
|
|
|
|
174
|
|
|
|
|
|
|
Squeezes out a single byte from the state. |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
=item $octets = $spritz->squeeze ($len) # Squeeze |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
Squeezes out the requested number of bytes from the state - this is usually |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
=back |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz::PRNG CLASS |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
This class implements a Pseudorandom Number Generatore (B), |
186
|
|
|
|
|
|
|
sometimes also called a Deterministic Random Bit Generator (B). In |
187
|
|
|
|
|
|
|
fact, it is even cryptographically secure, making it a B. |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
Typical usage as a random number generator involves creating a PRNG |
190
|
|
|
|
|
|
|
object with a seed of your choice, and then fetching randomness via |
191
|
|
|
|
|
|
|
C: |
192
|
|
|
|
|
|
|
|
193
|
|
|
|
|
|
|
# create a PRNG object, use a seed string of your choice |
194
|
|
|
|
|
|
|
my $prng = new Crypt::Spritz::PRNG $seed; |
195
|
|
|
|
|
|
|
|
196
|
|
|
|
|
|
|
# now call get as many times as you wish to get binary randomness |
197
|
|
|
|
|
|
|
my $some_randomness = $prng->get (17); |
198
|
|
|
|
|
|
|
my moree_randomness = $prng->get (5000); |
199
|
|
|
|
|
|
|
... |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
Typical usage as a cryptographically secure random number generator is to |
202
|
|
|
|
|
|
|
feed in some secret entropy (32 octets/256 bits are commonly considered |
203
|
|
|
|
|
|
|
enough), for example from C or C, and then |
204
|
|
|
|
|
|
|
generate some key material. |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
# create a PRNG object |
207
|
|
|
|
|
|
|
my $prng = new Crypt::Spritz::PRNG; |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
# seed some entropy (either via ->add or in the constructor) |
210
|
|
|
|
|
|
|
$prng->add ($some_secret_highly_entropic_string); |
211
|
|
|
|
|
|
|
|
212
|
|
|
|
|
|
|
# now call get as many times as you wish to get |
213
|
|
|
|
|
|
|
# hard to guess binary randomness |
214
|
|
|
|
|
|
|
my $key1 = $prng->get (32); |
215
|
|
|
|
|
|
|
my $key2 = $prng->get (16); |
216
|
|
|
|
|
|
|
... |
217
|
|
|
|
|
|
|
|
218
|
|
|
|
|
|
|
# for long running programs, it is advisable to |
219
|
|
|
|
|
|
|
# reseed the PRNG from time to time with new entropy |
220
|
|
|
|
|
|
|
$prng->add ($some_more_entropy); |
221
|
|
|
|
|
|
|
|
222
|
|
|
|
|
|
|
=over 4 |
223
|
|
|
|
|
|
|
|
224
|
|
|
|
|
|
|
=item $prng = new Crypt::Spritz::PRNG [$seed] |
225
|
|
|
|
|
|
|
|
226
|
|
|
|
|
|
|
Creates a new random number generator object. If C<$seed> is given, then |
227
|
|
|
|
|
|
|
the C<$seed> is added to the internal state as if by a call to C. |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
=item $prng->add ($entropy) |
230
|
|
|
|
|
|
|
|
231
|
|
|
|
|
|
|
Adds entropy to the internal state, thereby hopefully making it harder |
232
|
|
|
|
|
|
|
to guess. Good sources for entropy are irregular hardware events, or |
233
|
|
|
|
|
|
|
randomness provided by C or C. |
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
The design of the Spritz PRNG should make it strong against attacks where |
236
|
|
|
|
|
|
|
the attacker controls all the entropy, so it should be safe to add entropy |
237
|
|
|
|
|
|
|
from untrusted sources - more is better than less if you need a CSPRNG. |
238
|
|
|
|
|
|
|
|
239
|
|
|
|
|
|
|
For use as PRNG, of course, this matters very little. |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
=item $octets = $prng->get ($length) |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
Generates and returns C<$length> random octets as a string. |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
=back |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
|
248
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz::Hash CLASS |
249
|
|
|
|
|
|
|
|
250
|
|
|
|
|
|
|
This implements the Spritz digest/hash algorithm. It works very similar to |
251
|
|
|
|
|
|
|
other digest modules on CPAN, such as L. |
252
|
|
|
|
|
|
|
|
253
|
|
|
|
|
|
|
Typical use for hashing: |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
# create hasher object |
256
|
|
|
|
|
|
|
my $hasher = new Crypt::Spritz::Hash; |
257
|
|
|
|
|
|
|
|
258
|
|
|
|
|
|
|
# now feed data to be hashed into $hasher |
259
|
|
|
|
|
|
|
# in as few or many calls as required |
260
|
|
|
|
|
|
|
$hasher->add ("Some data"); |
261
|
|
|
|
|
|
|
$hasher->add ("Some more"); |
262
|
|
|
|
|
|
|
|
263
|
|
|
|
|
|
|
# extract the hash - the object is not usable afterwards |
264
|
|
|
|
|
|
|
my $digest = $hasher->finish (32); |
265
|
|
|
|
|
|
|
|
266
|
|
|
|
|
|
|
=over 4 |
267
|
|
|
|
|
|
|
|
268
|
|
|
|
|
|
|
=item $hasher = new Crypt::Spritz::Hash |
269
|
|
|
|
|
|
|
|
270
|
|
|
|
|
|
|
Creates a new hasher object. |
271
|
|
|
|
|
|
|
|
272
|
|
|
|
|
|
|
=item $hasher->add ($data) |
273
|
|
|
|
|
|
|
|
274
|
|
|
|
|
|
|
Adds data to be hashed into the hasher state. It doesn't matter whether |
275
|
|
|
|
|
|
|
you pass your data in in one go or split it up, the hash will be the same. |
276
|
|
|
|
|
|
|
|
277
|
|
|
|
|
|
|
=item $digest = $hasher->finish ($length) |
278
|
|
|
|
|
|
|
|
279
|
|
|
|
|
|
|
Calculates a hash digest of the given length and return it. The object |
280
|
|
|
|
|
|
|
cannot sensibly be used for further hashing afterwards. |
281
|
|
|
|
|
|
|
|
282
|
|
|
|
|
|
|
Typical digest lengths are 16 and 32, corresponding to 128 and 256 bit |
283
|
|
|
|
|
|
|
digests, respectively. |
284
|
|
|
|
|
|
|
|
285
|
|
|
|
|
|
|
=item $another_hasher = $hasher->clone |
286
|
|
|
|
|
|
|
|
287
|
|
|
|
|
|
|
Make an exact copy of the hasher state. This can be useful to generate |
288
|
|
|
|
|
|
|
incremental hashes, for example. |
289
|
|
|
|
|
|
|
|
290
|
|
|
|
|
|
|
Example: generate a hash for the data already fed into the hasher, by keeping |
291
|
|
|
|
|
|
|
the original hasher for further C calls and calling C on a C. |
292
|
|
|
|
|
|
|
|
293
|
|
|
|
|
|
|
my $intermediate_hash = $hasher->clone->finish; |
294
|
|
|
|
|
|
|
|
295
|
|
|
|
|
|
|
Example: hash 64KiB of data, and generate a hash after every kilobyte that |
296
|
|
|
|
|
|
|
is over the full data. |
297
|
|
|
|
|
|
|
|
298
|
|
|
|
|
|
|
my $hasher = new Crypt::Spritz::Hash; |
299
|
|
|
|
|
|
|
|
300
|
|
|
|
|
|
|
for (0..63) { |
301
|
|
|
|
|
|
|
my $kib = "x" x 1024; # whatever data |
302
|
|
|
|
|
|
|
|
303
|
|
|
|
|
|
|
$hasher->add ($kib); |
304
|
|
|
|
|
|
|
|
305
|
|
|
|
|
|
|
my $intermediate_hash = $hasher->clone->finish; |
306
|
|
|
|
|
|
|
... |
307
|
|
|
|
|
|
|
} |
308
|
|
|
|
|
|
|
|
309
|
|
|
|
|
|
|
These kind of intermediate hashes are sometimes used in communications |
310
|
|
|
|
|
|
|
protocols to protect the integrity of the data incrementally, e.g. to |
311
|
|
|
|
|
|
|
detect errors early, while still having a complete hash at the end of a |
312
|
|
|
|
|
|
|
transfer. |
313
|
|
|
|
|
|
|
|
314
|
|
|
|
|
|
|
=back |
315
|
|
|
|
|
|
|
|
316
|
|
|
|
|
|
|
|
317
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz::MAC CLASS |
318
|
|
|
|
|
|
|
|
319
|
|
|
|
|
|
|
This implements the Spritz Message Authentication Code algorithm. It works |
320
|
|
|
|
|
|
|
very similar to other digest modules on CPAN, such as L, but |
321
|
|
|
|
|
|
|
implements an authenticated digest (like L). |
322
|
|
|
|
|
|
|
|
323
|
|
|
|
|
|
|
I means that, unlike L, where |
324
|
|
|
|
|
|
|
everybody can verify and recreate the hash value for some data, with a |
325
|
|
|
|
|
|
|
MAC, knowledge of the (hopefully) secret key is required both to create |
326
|
|
|
|
|
|
|
and to verify the digest. |
327
|
|
|
|
|
|
|
|
328
|
|
|
|
|
|
|
Typical use for hashing is almost the same as with L, |
329
|
|
|
|
|
|
|
except a key (typically 16 or 32 octets) is provided to the constructor: |
330
|
|
|
|
|
|
|
|
331
|
|
|
|
|
|
|
# create hasher object |
332
|
|
|
|
|
|
|
my $hasher = new Crypt::Spritz::Mac $key; |
333
|
|
|
|
|
|
|
|
334
|
|
|
|
|
|
|
# now feed data to be hashed into $hasher |
335
|
|
|
|
|
|
|
# in as few or many calls as required |
336
|
|
|
|
|
|
|
$hasher->add ("Some data"); |
337
|
|
|
|
|
|
|
$hasher->add ("Some more"); |
338
|
|
|
|
|
|
|
|
339
|
|
|
|
|
|
|
# extract the mac - the object is not usable afterwards |
340
|
|
|
|
|
|
|
my $mac = $hasher->finish (32); |
341
|
|
|
|
|
|
|
|
342
|
|
|
|
|
|
|
=over 4 |
343
|
|
|
|
|
|
|
|
344
|
|
|
|
|
|
|
=item $hasher = new Crypt::Spritz::MAC $key |
345
|
|
|
|
|
|
|
|
346
|
|
|
|
|
|
|
Creates a new hasher object. The C<$key> can be of any length, but 16 and |
347
|
|
|
|
|
|
|
32 (128 and 256 bit) are customary. |
348
|
|
|
|
|
|
|
|
349
|
|
|
|
|
|
|
=item $hasher->add ($data) |
350
|
|
|
|
|
|
|
|
351
|
|
|
|
|
|
|
Adds data to be hashed into the hasher state. It doesn't matter whether |
352
|
|
|
|
|
|
|
you pass your data in in one go or split it up, the hash will be the same. |
353
|
|
|
|
|
|
|
|
354
|
|
|
|
|
|
|
=item $mac = $hasher->finish ($length) |
355
|
|
|
|
|
|
|
|
356
|
|
|
|
|
|
|
Calculates a message code of the given length and return it. The object |
357
|
|
|
|
|
|
|
cannot sensibly be used for further hashing afterwards. |
358
|
|
|
|
|
|
|
|
359
|
|
|
|
|
|
|
Typical digest lengths are 16 and 32, corresponding to 128 and 256 bit |
360
|
|
|
|
|
|
|
digests, respectively. |
361
|
|
|
|
|
|
|
|
362
|
|
|
|
|
|
|
=item $another_hasher = $hasher->clone |
363
|
|
|
|
|
|
|
|
364
|
|
|
|
|
|
|
Make an exact copy of the hasher state. This can be useful to |
365
|
|
|
|
|
|
|
generate incremental macs, for example. |
366
|
|
|
|
|
|
|
|
367
|
|
|
|
|
|
|
See the description for the C method for some |
368
|
|
|
|
|
|
|
examples. |
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
=back |
371
|
|
|
|
|
|
|
|
372
|
|
|
|
|
|
|
|
373
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz::Cipher::XOR CLASS |
374
|
|
|
|
|
|
|
|
375
|
|
|
|
|
|
|
This class implements stream encryption/decryption. It doesn't implement |
376
|
|
|
|
|
|
|
the standard Spritz encryption but the XOR variant (called B |
377
|
|
|
|
|
|
|
in the paper). |
378
|
|
|
|
|
|
|
|
379
|
|
|
|
|
|
|
The XOR variant should be as secure as the standard variant, but |
380
|
|
|
|
|
|
|
doesn't have separate encryption and decryaption functions, which saves |
381
|
|
|
|
|
|
|
codesize. IT is not compatible with standard Spritz encryption, however - |
382
|
|
|
|
|
|
|
drop me a note if you want that implemented as well. |
383
|
|
|
|
|
|
|
|
384
|
|
|
|
|
|
|
Typical use for encryption I decryption (code is identical for |
385
|
|
|
|
|
|
|
decryption, you simply pass the encrypted data to C): |
386
|
|
|
|
|
|
|
|
387
|
|
|
|
|
|
|
# create a cipher - $salt can be a random string you send |
388
|
|
|
|
|
|
|
# with your message, in clear, a counter (best), or empty if |
389
|
|
|
|
|
|
|
# you only want to encrypt one message with the given key. |
390
|
|
|
|
|
|
|
# 16 or 32 octets are typical sizes for the key, for the salt, |
391
|
|
|
|
|
|
|
# use whatever you need to give a unique salt for every |
392
|
|
|
|
|
|
|
# message you encrypt with the same key. |
393
|
|
|
|
|
|
|
|
394
|
|
|
|
|
|
|
my $cipher = Crypt::Spritz::Cipher::XOR $key, $salt; |
395
|
|
|
|
|
|
|
|
396
|
|
|
|
|
|
|
# encrypt a message in one or more calls to crypt |
397
|
|
|
|
|
|
|
|
398
|
|
|
|
|
|
|
my $encrypted; |
399
|
|
|
|
|
|
|
|
400
|
|
|
|
|
|
|
$encrypted .= $cipher->crypt ("This is"); |
401
|
|
|
|
|
|
|
$encrypted .= $cipher->crypt ("all very"); |
402
|
|
|
|
|
|
|
$encrypted .= $cipher->crypt ("secret"); |
403
|
|
|
|
|
|
|
|
404
|
|
|
|
|
|
|
# that's all |
405
|
|
|
|
|
|
|
|
406
|
|
|
|
|
|
|
=over 4 |
407
|
|
|
|
|
|
|
|
408
|
|
|
|
|
|
|
=item $cipher = new Crypt::Spritz::Cipher::XOR $key[, $iv] |
409
|
|
|
|
|
|
|
|
410
|
|
|
|
|
|
|
Creates a new cipher object usable for encryption and decryption. The |
411
|
|
|
|
|
|
|
C<$key> must be provided, the initial vector C<$IV> is optional. |
412
|
|
|
|
|
|
|
|
413
|
|
|
|
|
|
|
Both C<$key> and C<$IV> can be of any length. Typical lengths for the |
414
|
|
|
|
|
|
|
C<$key> are 16 (128 bit) or 32 (256 bit), while the C<$IV> simply needs to |
415
|
|
|
|
|
|
|
be long enough to distinguish repeated uses of tghe same key. |
416
|
|
|
|
|
|
|
|
417
|
|
|
|
|
|
|
=item $encrypted = $cipher->crypt ($cleartext) |
418
|
|
|
|
|
|
|
|
419
|
|
|
|
|
|
|
=item $cleartext = $cipher->crypt ($encrypted) |
420
|
|
|
|
|
|
|
|
421
|
|
|
|
|
|
|
Encrypt or decrypt a piece of a message. This can be called as many times |
422
|
|
|
|
|
|
|
as you want, and the message can be split into as few or many pieces as |
423
|
|
|
|
|
|
|
required without affecting the results. |
424
|
|
|
|
|
|
|
|
425
|
|
|
|
|
|
|
=item $cipher->crypt_inplace ($cleartext_or_ciphertext) |
426
|
|
|
|
|
|
|
|
427
|
|
|
|
|
|
|
Same as C, except it I. |
428
|
|
|
|
|
|
|
|
429
|
|
|
|
|
|
|
=item $another_cipher = $cipher->clone |
430
|
|
|
|
|
|
|
|
431
|
|
|
|
|
|
|
Make an exact copy of the cipher state. This can be useful to cache states |
432
|
|
|
|
|
|
|
for reuse later, for example, to avoid expensive key setups. |
433
|
|
|
|
|
|
|
|
434
|
|
|
|
|
|
|
While there might be use cases for this feature, it makes a lot more sense |
435
|
|
|
|
|
|
|
for C and C, as they allow |
436
|
|
|
|
|
|
|
you to specify the IV/nonce separately. |
437
|
|
|
|
|
|
|
|
438
|
|
|
|
|
|
|
=item $constant_32 = $cipher->keysize |
439
|
|
|
|
|
|
|
|
440
|
|
|
|
|
|
|
=item $constant_64 = $cipher->blocksize |
441
|
|
|
|
|
|
|
|
442
|
|
|
|
|
|
|
These methods are provided for L compatibility and simply |
443
|
|
|
|
|
|
|
return C<32> and C<64>, respectively. |
444
|
|
|
|
|
|
|
|
445
|
|
|
|
|
|
|
Note that it is pointless to use Spritz with L, as Spritz is |
446
|
|
|
|
|
|
|
not a block cipher and already provides an appropriate mode. |
447
|
|
|
|
|
|
|
|
448
|
|
|
|
|
|
|
=back |
449
|
|
|
|
|
|
|
|
450
|
|
|
|
|
|
|
|
451
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz::Cipher CLASS |
452
|
|
|
|
|
|
|
|
453
|
|
|
|
|
|
|
This class is pretty much the same as the C |
454
|
|
|
|
|
|
|
class, with two differences: first, it implements the "standard" Spritz |
455
|
|
|
|
|
|
|
encryption algorithm, and second, while this variant is easier to analyze |
456
|
|
|
|
|
|
|
mathematically, there is little else to recommend it for, as it is slower, |
457
|
|
|
|
|
|
|
and requires lots of code duplication code. |
458
|
|
|
|
|
|
|
|
459
|
|
|
|
|
|
|
So unless you need to be compatible with another implementation that does |
460
|
|
|
|
|
|
|
not offer the XOR variant, stick to C. |
461
|
|
|
|
|
|
|
|
462
|
|
|
|
|
|
|
All the methods from C are available, except |
463
|
|
|
|
|
|
|
C, which has been replaced by separate C and C |
464
|
|
|
|
|
|
|
methods: |
465
|
|
|
|
|
|
|
|
466
|
|
|
|
|
|
|
=over 4 |
467
|
|
|
|
|
|
|
|
468
|
|
|
|
|
|
|
=item $encrypted = $cipher->encrypt ($cleartext) |
469
|
|
|
|
|
|
|
|
470
|
|
|
|
|
|
|
=item $cleartext = $cipher->decrypt ($encrypted) |
471
|
|
|
|
|
|
|
|
472
|
|
|
|
|
|
|
Really the same as C, except you need separate |
473
|
|
|
|
|
|
|
calls and code for encryption and decryption. |
474
|
|
|
|
|
|
|
|
475
|
|
|
|
|
|
|
=back |
476
|
|
|
|
|
|
|
|
477
|
|
|
|
|
|
|
|
478
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz::AEAD::XOR CLASS |
479
|
|
|
|
|
|
|
|
480
|
|
|
|
|
|
|
This is the most complicated class - it combines encryption and |
481
|
|
|
|
|
|
|
message authentication into a single "authenticated encryption |
482
|
|
|
|
|
|
|
mode". It is similar to using both L and |
483
|
|
|
|
|
|
|
L, but makes it harder to make mistakes in combining |
484
|
|
|
|
|
|
|
them. |
485
|
|
|
|
|
|
|
|
486
|
|
|
|
|
|
|
You can additionally provide cleartext data that will not be encrypted or |
487
|
|
|
|
|
|
|
decrypted, but that is nevertheless authenticated using the MAC, which |
488
|
|
|
|
|
|
|
is why this mode is called I, I
|
489
|
|
|
|
|
|
|
Associated Data>. Associated data is usually used to any header data that |
490
|
|
|
|
|
|
|
is in cleartext, but should nevertheless be authenticated. |
491
|
|
|
|
|
|
|
|
492
|
|
|
|
|
|
|
This implementation implements the XOR variant. Just as with |
493
|
|
|
|
|
|
|
L, this means it is not compatible with |
494
|
|
|
|
|
|
|
the standard mode, but uses less code and doesn't distinguish between |
495
|
|
|
|
|
|
|
encryption and decryption. |
496
|
|
|
|
|
|
|
|
497
|
|
|
|
|
|
|
Typical usage is as follows: |
498
|
|
|
|
|
|
|
|
499
|
|
|
|
|
|
|
# create a new aead object |
500
|
|
|
|
|
|
|
# you use one object per message |
501
|
|
|
|
|
|
|
# key length customarily is 16 or 32 |
502
|
|
|
|
|
|
|
my $aead = new Crypt::Spritz::AEAD::XOR $key; |
503
|
|
|
|
|
|
|
|
504
|
|
|
|
|
|
|
# now you must feed the nonce. if you do not need a nonce, |
505
|
|
|
|
|
|
|
# you can provide the empty string, but you have to call it |
506
|
|
|
|
|
|
|
# after creating the object, before calling associated_data. |
507
|
|
|
|
|
|
|
# the nonce must be different for each usage of the $key. |
508
|
|
|
|
|
|
|
# a counter of some kind is good enough. |
509
|
|
|
|
|
|
|
# reusing a nonce with the same key completely |
510
|
|
|
|
|
|
|
# destroys security! |
511
|
|
|
|
|
|
|
$aead->nonce ($counter); |
512
|
|
|
|
|
|
|
|
513
|
|
|
|
|
|
|
# then you must feed any associated data you have. if you |
514
|
|
|
|
|
|
|
# do not have associated cleartext data, you can provide the empty |
515
|
|
|
|
|
|
|
# string, but you have to call it after nonce and before crypt. |
516
|
|
|
|
|
|
|
$aead->associated_data ($header); |
517
|
|
|
|
|
|
|
|
518
|
|
|
|
|
|
|
# next, you call crypt one or more times with your data |
519
|
|
|
|
|
|
|
# to be encrypted (opr decrypted). |
520
|
|
|
|
|
|
|
# all except the last call must use a length that is a |
521
|
|
|
|
|
|
|
# multiple of 64. |
522
|
|
|
|
|
|
|
# the last block can have any length. |
523
|
|
|
|
|
|
|
my $encrypted; |
524
|
|
|
|
|
|
|
|
525
|
|
|
|
|
|
|
$encrypted .= $aead->crypt ("1" x 64); |
526
|
|
|
|
|
|
|
$encrypted .= $aead->crypt ("2" x 64); |
527
|
|
|
|
|
|
|
$encrypted .= $aead->crypt ("3456"); |
528
|
|
|
|
|
|
|
|
529
|
|
|
|
|
|
|
# finally you can calculate the MAC for all of the above |
530
|
|
|
|
|
|
|
my $mac = $aead->finish; |
531
|
|
|
|
|
|
|
|
532
|
|
|
|
|
|
|
=over 4 |
533
|
|
|
|
|
|
|
|
534
|
|
|
|
|
|
|
=item $aead = new Crypt::Spritz::AEAD::XOR $key |
535
|
|
|
|
|
|
|
|
536
|
|
|
|
|
|
|
Creates a new cipher object usable for encryption and decryption. |
537
|
|
|
|
|
|
|
|
538
|
|
|
|
|
|
|
The C<$key> can be of any length. Typical lengths for the C<$key> are 16 |
539
|
|
|
|
|
|
|
(128 bit) or 32 (256 bit). |
540
|
|
|
|
|
|
|
|
541
|
|
|
|
|
|
|
After creation, you have to call C next. |
542
|
|
|
|
|
|
|
|
543
|
|
|
|
|
|
|
=item $aead->nonce ($nonce) |
544
|
|
|
|
|
|
|
|
545
|
|
|
|
|
|
|
Provide the nonce value (nonce means "value used once"), a value the is |
546
|
|
|
|
|
|
|
unique between all uses with the same key. This method I be called |
547
|
|
|
|
|
|
|
I C and I C. |
548
|
|
|
|
|
|
|
|
549
|
|
|
|
|
|
|
If you only ever use a given key once, you can provide an empty nonce - |
550
|
|
|
|
|
|
|
but you still have to call the method. |
551
|
|
|
|
|
|
|
|
552
|
|
|
|
|
|
|
Common strategies to provide a nonce are to implement a persistent counter |
553
|
|
|
|
|
|
|
or to generate a random string of sufficient length to guarantee that it |
554
|
|
|
|
|
|
|
differs each time. |
555
|
|
|
|
|
|
|
|
556
|
|
|
|
|
|
|
The problem with counters is that you might get confused and forget |
557
|
|
|
|
|
|
|
increments, and thus reuse the same sequence number. The problem with |
558
|
|
|
|
|
|
|
random strings i that your random number generator might be hosed and |
559
|
|
|
|
|
|
|
generate the same randomness multiple times (randomness can be very hard |
560
|
|
|
|
|
|
|
to get especially on embedded devices). |
561
|
|
|
|
|
|
|
|
562
|
|
|
|
|
|
|
=item $aead->associated_data ($data) |
563
|
|
|
|
|
|
|
|
564
|
|
|
|
|
|
|
Provide the associated data (cleartext data to be authenticated but not |
565
|
|
|
|
|
|
|
encrypted). This method I be called I C and I |
566
|
|
|
|
|
|
|
C. |
567
|
|
|
|
|
|
|
|
568
|
|
|
|
|
|
|
If you don't have any associated data, you can provide an empty string - |
569
|
|
|
|
|
|
|
but you still have to call the method. |
570
|
|
|
|
|
|
|
|
571
|
|
|
|
|
|
|
Associated data is typically header data - data anybody is allowed to |
572
|
|
|
|
|
|
|
see in cleartext, but that should nevertheless be protected with an |
573
|
|
|
|
|
|
|
authentication code. Typically such data is used to identify where to |
574
|
|
|
|
|
|
|
forward a message to, how to find the key to decrypt the message or in |
575
|
|
|
|
|
|
|
general how to interpret the encrypted part of a message. |
576
|
|
|
|
|
|
|
|
577
|
|
|
|
|
|
|
=item $encrypted = $cipher->crypt ($cleartext) |
578
|
|
|
|
|
|
|
|
579
|
|
|
|
|
|
|
=item $cleartext = $cipher->crypt ($encrypted) |
580
|
|
|
|
|
|
|
|
581
|
|
|
|
|
|
|
Encrypt or decrypt a piece of a message. This can be called as many times |
582
|
|
|
|
|
|
|
as you want, and the message can be split into as few or many pieces as |
583
|
|
|
|
|
|
|
required without affecting the results, with one exception: All except the |
584
|
|
|
|
|
|
|
last call to C needs to pass in a multiple of C<64> octets. The |
585
|
|
|
|
|
|
|
last call to C does not have this limitation. |
586
|
|
|
|
|
|
|
|
587
|
|
|
|
|
|
|
=item $cipher->crypt_inplace ($cleartext_or_ciphertext) |
588
|
|
|
|
|
|
|
|
589
|
|
|
|
|
|
|
Same as C, except it I. |
590
|
|
|
|
|
|
|
|
591
|
|
|
|
|
|
|
=item $another_cipher = $cipher->clone |
592
|
|
|
|
|
|
|
|
593
|
|
|
|
|
|
|
Make an exact copy of the cipher state. This can be useful to cache states |
594
|
|
|
|
|
|
|
for reuse later, for example, to avoid expensive key setups. |
595
|
|
|
|
|
|
|
|
596
|
|
|
|
|
|
|
Example: set up a cipher state with a key, then clone and use it to |
597
|
|
|
|
|
|
|
encrypt messages with different nonces. |
598
|
|
|
|
|
|
|
|
599
|
|
|
|
|
|
|
my $cipher = new Crypt::Spritz::AEAD::XOR $key; |
600
|
|
|
|
|
|
|
|
601
|
|
|
|
|
|
|
my $message_counter; |
602
|
|
|
|
|
|
|
|
603
|
|
|
|
|
|
|
for my $message ("a", "b", "c") { |
604
|
|
|
|
|
|
|
my $clone = $cipher->clone; |
605
|
|
|
|
|
|
|
$clone->nonce (pack "N", ++$message_counter); |
606
|
|
|
|
|
|
|
$clone->associated_data (""); |
607
|
|
|
|
|
|
|
my $encrypted = $clone->crypt ($message); |
608
|
|
|
|
|
|
|
... |
609
|
|
|
|
|
|
|
} |
610
|
|
|
|
|
|
|
|
611
|
|
|
|
|
|
|
=back |
612
|
|
|
|
|
|
|
|
613
|
|
|
|
|
|
|
|
614
|
|
|
|
|
|
|
=head2 THE Crypt::Spritz::AEAD CLASS |
615
|
|
|
|
|
|
|
|
616
|
|
|
|
|
|
|
This class is pretty much the same as the C |
617
|
|
|
|
|
|
|
class, with two differences: first, it implements the "standard" Spritz |
618
|
|
|
|
|
|
|
encryption algorithm, and second, while this variant is easier to analyze |
619
|
|
|
|
|
|
|
mathematically, there is little else to recommend it for, as it is slower, |
620
|
|
|
|
|
|
|
and requires lots of code duplication code. |
621
|
|
|
|
|
|
|
|
622
|
|
|
|
|
|
|
So unless you need to be compatible with another implementation that does |
623
|
|
|
|
|
|
|
not offer the XOR variant, stick to C. |
624
|
|
|
|
|
|
|
|
625
|
|
|
|
|
|
|
All the methods from C are available, except |
626
|
|
|
|
|
|
|
C, which has been replaced by separate C and C |
627
|
|
|
|
|
|
|
methods: |
628
|
|
|
|
|
|
|
|
629
|
|
|
|
|
|
|
=over 4 |
630
|
|
|
|
|
|
|
|
631
|
|
|
|
|
|
|
=item $encrypted = $cipher->encrypt ($cleartext) |
632
|
|
|
|
|
|
|
|
633
|
|
|
|
|
|
|
=item $cleartext = $cipher->decrypt ($encrypted) |
634
|
|
|
|
|
|
|
|
635
|
|
|
|
|
|
|
Really the same as C, except you need separate |
636
|
|
|
|
|
|
|
calls and code for encryption and decryption, but you have the same |
637
|
|
|
|
|
|
|
limitations on usage. |
638
|
|
|
|
|
|
|
|
639
|
|
|
|
|
|
|
=back |
640
|
|
|
|
|
|
|
|
641
|
|
|
|
|
|
|
|
642
|
|
|
|
|
|
|
=head1 SECURITY CONSIDERATIONS |
643
|
|
|
|
|
|
|
|
644
|
|
|
|
|
|
|
At the time of this writing, Spritz has not been through a lot of |
645
|
|
|
|
|
|
|
cryptanalysis - it might get broken tomorrow. That's true for any crypto |
646
|
|
|
|
|
|
|
algo, but the probability is quite a bit higher with Spritz. Having said |
647
|
|
|
|
|
|
|
that, Spritz is almost certainly safer than RC4 at this time. |
648
|
|
|
|
|
|
|
|
649
|
|
|
|
|
|
|
Nevertheless, I wouldn't protect something very expensive with it. I also |
650
|
|
|
|
|
|
|
would be careful about timing attacks. |
651
|
|
|
|
|
|
|
|
652
|
|
|
|
|
|
|
Regarding key lengths - as has been pointed out, traditional symmetric key |
653
|
|
|
|
|
|
|
lengths (128 bit, 256 bit) work fine. Longer keys will be overkill, but |
654
|
|
|
|
|
|
|
you can expect keys up to about a kilobit to be effective. Longer keys are |
655
|
|
|
|
|
|
|
safe to use, they will simply be a waste of time. |
656
|
|
|
|
|
|
|
|
657
|
|
|
|
|
|
|
|
658
|
|
|
|
|
|
|
=head1 PERFORMANCE |
659
|
|
|
|
|
|
|
|
660
|
|
|
|
|
|
|
As a cipher/prng, Spritz is reasonably fast (about 100MB/s on 2014 era |
661
|
|
|
|
|
|
|
hardware, for comparison, AES will be more like 200MB/s). |
662
|
|
|
|
|
|
|
|
663
|
|
|
|
|
|
|
For key setup, ivs, hashing, nonces and so on, Spritz is very slow (about |
664
|
|
|
|
|
|
|
5MB/s on 2014 era hardware, which does SHA-256 at about 200MB/s). |
665
|
|
|
|
|
|
|
|
666
|
|
|
|
|
|
|
|
667
|
|
|
|
|
|
|
=head1 SUPPORT FOR THE PERL MULTICORE SPECIFICATION |
668
|
|
|
|
|
|
|
|
669
|
|
|
|
|
|
|
This module supports the perl multicore specification |
670
|
|
|
|
|
|
|
(L) for all encryption/decryption |
671
|
|
|
|
|
|
|
(non-aead > 4000 octets, aead > 400 octets), hashing/absorbing (> 400 |
672
|
|
|
|
|
|
|
octets) and squeezing/prng (> 4000 octets) functions. |
673
|
|
|
|
|
|
|
|
674
|
|
|
|
|
|
|
|
675
|
|
|
|
|
|
|
=head1 SEE ALSO |
676
|
|
|
|
|
|
|
|
677
|
|
|
|
|
|
|
L. |
678
|
|
|
|
|
|
|
|
679
|
|
|
|
|
|
|
=head1 SECURITY CONSIDERATIONS |
680
|
|
|
|
|
|
|
|
681
|
|
|
|
|
|
|
I also cannot give any guarantees for security, Spritz is a very new |
682
|
|
|
|
|
|
|
cryptographic algorithm, and when this module was written, almost |
683
|
|
|
|
|
|
|
completely unproven. |
684
|
|
|
|
|
|
|
|
685
|
|
|
|
|
|
|
=head1 AUTHOR |
686
|
|
|
|
|
|
|
|
687
|
|
|
|
|
|
|
Marc Lehmann |
688
|
|
|
|
|
|
|
http://software.schmorp.de/pkg/Crypt-Spritz |
689
|
|
|
|
|
|
|
|
690
|
|
|
|
|
|
|
=cut |
691
|
|
|
|
|
|
|
|
692
|
|
|
|
|
|
|
1; |
693
|
|
|
|
|
|
|
|