File Coverage

blib/lib/Crypt/Spritz.pm
Criterion Covered Total %
statement 3 3 100.0
branch n/a
condition n/a
subroutine 1 1 100.0
pod n/a
total 4 4 100.0


line stmt bran cond sub pod time code
1             =head1 NAME
2              
3             Crypt::Spritz - Spritz stream cipher/hash/MAC/AEAD/CSPRNG family
4              
5             =head1 SYNOPSIS
6              
7             use Crypt::Spritz;
8              
9             # see the commented examples in their respective classes,
10             # but basically
11              
12             my $cipher = new Crypt::Spritz::Cipher::XOR $key, $iv;
13             $ciphertext = $cipher->crypt ($cleartext);
14              
15             my $cipher = new Crypt::Spritz::Cipher $key, $iv;
16             $ciphertext = $cipher->encrypt ($cleartext);
17             # $cleartext = $cipher->decrypt ($ciphertext);
18              
19             my $hasher = new Crypt::Spritz::Hash;
20             $hasher->add ($data);
21             $digest = $hasher->finish;
22              
23             my $hasher = new Crypt::Spritz::MAC $key;
24             $hasher->add ($data);
25             $mac = $hasher->finish;
26              
27             my $prng = new Crypt::Spritz::PRNG $entropy;
28             $prng->add ($additional_entropy);
29             $keydata = $prng->get (32);
30              
31             my $aead = new Crypt::Spritz::AEAD::XOR $key;
32             $aead->nonce ($counter);
33             $aead->associated_data ($header);
34             $ciphertext = $aead->crypt ($cleartext);
35             $mac = $aead->mac;
36              
37             my $aead = new Crypt::Spritz::AEAD $key;
38             $aead->nonce ($counter);
39             $aead->associated_data ($header);
40             $ciphertext = $aead->encrypt ($cleartext);
41             # $cleartext = $aead->decrypt ($ciphertext);
42             $mac = $aead->mac;
43              
44             =head1 DESCRIPTION
45              
46             This module implements the Spritz spongelike function (with N=256), the
47             spiritual successor of RC4 developed by Ron Rivest and Jacob Schuldt.
48              
49             Its strength is extreme versatility (you get a stream cipher, a hash, a
50             MAC, a DRBG/CSPRNG, an authenticated encryption block/stream cipher and
51             more) and extremely simple and small code (encryption and authentication
52             can be had in 1KB of compiled code on amd64, which isn't an issue for most
53             uses in Perl, but is useful in embedded situations, or e.g. when doing
54             crypto using javascript in a browser and communicating with Perl).
55              
56             Its weakness is its relatively slow speed (encryption is a few times
57             slower than RC4 or AES, hashing many times slower than SHA-3, although
58             this might be reversed on an 8-bit-cpu) and the fact that it is totally
59             unproven in the field (as of this writing, the cipher was just a few
60             months old), so it can't be called production-ready.
61              
62             All the usual caveats regarding stream ciphers apply - never repeat your
63             key, never repeat your nonce and so on - you should have some basic
64             understanding of cryptography before using this cipher in your own
65             designs.
66              
67             The Spritz base class is not meant for end users. To make usage simpler
68             and safer, a number of convenience classes are provided for typical
69             end-user tasks:
70              
71             random number generation - Crypt::Spritz::PRNG
72             hashing - Crypt::Spritz::Hash
73             message authentication - Crypt::Spritz::MAC
74             encryption - Crypt::Spritz::Cipher::XOR
75             encryption - Crypt::Spritz::Cipher
76             authenticated encryption - Crypt::Spritz::AEAD::XOR
77             authenticated encryption - Crypt::Spritz::AEAD
78              
79             =cut
80              
81             package Crypt::Spritz;
82              
83 2     2   1357 use XSLoader;
  2         3  
  2         889  
84              
85             $VERSION = 1.01;
86              
87             XSLoader::load __PACKAGE__, $VERSION;
88              
89             @Crypt::Spritz::ISA = Crypt::Spritz::Base::;
90              
91             @Crypt::Spritz::Hash::ISA =
92             @Crypt::Spritz::PRNG::ISA =
93             @Crypt::Spritz::Cipher::ISA =
94             @Crypt::Spritz::AEAD::ISA = Crypt::Spritz::Base::;
95              
96             @Crypt::Spritz::MAC::ISA = Crypt::Spritz::Hash::;
97              
98             @Crypt::Spritz::Cipher::XOR::ISA = Crypt::Spritz::Cipher::;
99             @Crypt::Spritz::AEAD::XOR::ISA = Crypt::Spritz::AEAD::;
100              
101             sub Crypt::Spritz::Cipher::keysize () { 32 }
102             sub Crypt::Spritz::Cipher::blocksize () { 64 }
103              
104             *Crypt::Spritz::Hash::new = \&Crypt::Spritz::new;
105              
106             *Crypt::Spritz::Hash::add =
107             *Crypt::Spritz::PRNG::add = \&Crypt::Spritz::absorb;
108              
109             *Crypt::Spritz::PRNG::get = \&Crypt::Spritz::squeeze;
110              
111             *Crypt::Spritz::AEAD::new = \&Crypt::Spritz::MAC::new;
112             *Crypt::Spritz::AEAD::finish = \&Crypt::Spritz::Hash::finish;
113              
114             *Crypt::Spritz::AEAD::associated_data =
115             *Crypt::Spritz::AEAD::nonce = \&Crypt::Spritz::absorb_and_stop;
116              
117              
118             =head2 THE Crypt::Spritz CLASS
119              
120             This class implements most of the Spritz primitives. To use it effectively
121             you should understand them, for example, by reading the L
122             paper|http://people.csail.mit.edu/rivest/pubs/RS14.pdf>, especially
123             pp. 5-6.
124              
125             The Spritz primitive corresponding to the Perl method is given as
126             comment.
127              
128             =over 4
129              
130             =item $spritz = new Crypt::Spritz # InitializeState
131              
132             Creates and returns a new, initialised Spritz state.
133              
134             =item $spritz->init # InitializeState
135              
136             Initialises the Spritz state again, throwing away the previous state.
137              
138             =item $another_spritz = $spritz->clone
139              
140             Make an exact copy of the spritz state. This method can be called on all
141             of the objects in this module, but is documented separately to give some
142             cool usage examples.
143              
144             =item $spritz->update # Update
145              
146             =item $spritz->whip ($r) # Whip
147              
148             =item $spritz->crush # Crush
149              
150             =item $spritz->shuffle # Shuffle
151              
152             =item $spritz->output # Output
153              
154             Calls the Spritz primitive ovf the same name - these are not normally
155             called manually.
156              
157             =item $spritz->absorb ($I) # Absorb
158              
159             Absorbs the given data into the state (usually used for key material,
160             nonces, IVs messages to be hashed and so on).
161              
162             =item $spritz->absorb_stop # AbsorbStop
163              
164             Absorbs a special stop symbol - this is usually used as delimiter between
165             multiple strings to be absorbed, to thwart extension attacks.
166              
167             =item $spritz->absorb_and_stop ($I)
168              
169             This is a convenience function that simply calls C followed by
170             C.
171              
172             =item $octet = $spritz->drip # Drip
173              
174             Squeezes out a single byte from the state.
175              
176             =item $octets = $spritz->squeeze ($len) # Squeeze
177              
178             Squeezes out the requested number of bytes from the state - this is usually
179              
180             =back
181              
182              
183             =head2 THE Crypt::Spritz::PRNG CLASS
184              
185             This class implements a Pseudorandom Number Generatore (B),
186             sometimes also called a Deterministic Random Bit Generator (B). In
187             fact, it is even cryptographically secure, making it a B.
188              
189             Typical usage as a random number generator involves creating a PRNG
190             object with a seed of your choice, and then fetching randomness via
191             C:
192              
193             # create a PRNG object, use a seed string of your choice
194             my $prng = new Crypt::Spritz::PRNG $seed;
195              
196             # now call get as many times as you wish to get binary randomness
197             my $some_randomness = $prng->get (17);
198             my moree_randomness = $prng->get (5000);
199             ...
200              
201             Typical usage as a cryptographically secure random number generator is to
202             feed in some secret entropy (32 octets/256 bits are commonly considered
203             enough), for example from C or C, and then
204             generate some key material.
205              
206             # create a PRNG object
207             my $prng = new Crypt::Spritz::PRNG;
208              
209             # seed some entropy (either via ->add or in the constructor)
210             $prng->add ($some_secret_highly_entropic_string);
211              
212             # now call get as many times as you wish to get
213             # hard to guess binary randomness
214             my $key1 = $prng->get (32);
215             my $key2 = $prng->get (16);
216             ...
217              
218             # for long running programs, it is advisable to
219             # reseed the PRNG from time to time with new entropy
220             $prng->add ($some_more_entropy);
221              
222             =over 4
223              
224             =item $prng = new Crypt::Spritz::PRNG [$seed]
225              
226             Creates a new random number generator object. If C<$seed> is given, then
227             the C<$seed> is added to the internal state as if by a call to C.
228              
229             =item $prng->add ($entropy)
230              
231             Adds entropy to the internal state, thereby hopefully making it harder
232             to guess. Good sources for entropy are irregular hardware events, or
233             randomness provided by C or C.
234              
235             The design of the Spritz PRNG should make it strong against attacks where
236             the attacker controls all the entropy, so it should be safe to add entropy
237             from untrusted sources - more is better than less if you need a CSPRNG.
238              
239             For use as PRNG, of course, this matters very little.
240              
241             =item $octets = $prng->get ($length)
242              
243             Generates and returns C<$length> random octets as a string.
244              
245             =back
246              
247              
248             =head2 THE Crypt::Spritz::Hash CLASS
249              
250             This implements the Spritz digest/hash algorithm. It works very similar to
251             other digest modules on CPAN, such as L.
252              
253             Typical use for hashing:
254              
255             # create hasher object
256             my $hasher = new Crypt::Spritz::Hash;
257              
258             # now feed data to be hashed into $hasher
259             # in as few or many calls as required
260             $hasher->add ("Some data");
261             $hasher->add ("Some more");
262              
263             # extract the hash - the object is not usable afterwards
264             my $digest = $hasher->finish (32);
265              
266             =over 4
267              
268             =item $hasher = new Crypt::Spritz::Hash
269              
270             Creates a new hasher object.
271              
272             =item $hasher->add ($data)
273              
274             Adds data to be hashed into the hasher state. It doesn't matter whether
275             you pass your data in in one go or split it up, the hash will be the same.
276              
277             =item $digest = $hasher->finish ($length)
278              
279             Calculates a hash digest of the given length and return it. The object
280             cannot sensibly be used for further hashing afterwards.
281              
282             Typical digest lengths are 16 and 32, corresponding to 128 and 256 bit
283             digests, respectively.
284              
285             =item $another_hasher = $hasher->clone
286              
287             Make an exact copy of the hasher state. This can be useful to generate
288             incremental hashes, for example.
289              
290             Example: generate a hash for the data already fed into the hasher, by keeping
291             the original hasher for further C calls and calling C on a C.
292              
293             my $intermediate_hash = $hasher->clone->finish;
294              
295             Example: hash 64KiB of data, and generate a hash after every kilobyte that
296             is over the full data.
297              
298             my $hasher = new Crypt::Spritz::Hash;
299              
300             for (0..63) {
301             my $kib = "x" x 1024; # whatever data
302              
303             $hasher->add ($kib);
304              
305             my $intermediate_hash = $hasher->clone->finish;
306             ...
307             }
308              
309             These kind of intermediate hashes are sometimes used in communications
310             protocols to protect the integrity of the data incrementally, e.g. to
311             detect errors early, while still having a complete hash at the end of a
312             transfer.
313              
314             =back
315              
316              
317             =head2 THE Crypt::Spritz::MAC CLASS
318              
319             This implements the Spritz Message Authentication Code algorithm. It works
320             very similar to other digest modules on CPAN, such as L, but
321             implements an authenticated digest (like L).
322              
323             I means that, unlike L, where
324             everybody can verify and recreate the hash value for some data, with a
325             MAC, knowledge of the (hopefully) secret key is required both to create
326             and to verify the digest.
327              
328             Typical use for hashing is almost the same as with L,
329             except a key (typically 16 or 32 octets) is provided to the constructor:
330              
331             # create hasher object
332             my $hasher = new Crypt::Spritz::Mac $key;
333              
334             # now feed data to be hashed into $hasher
335             # in as few or many calls as required
336             $hasher->add ("Some data");
337             $hasher->add ("Some more");
338              
339             # extract the mac - the object is not usable afterwards
340             my $mac = $hasher->finish (32);
341              
342             =over 4
343              
344             =item $hasher = new Crypt::Spritz::MAC $key
345              
346             Creates a new hasher object. The C<$key> can be of any length, but 16 and
347             32 (128 and 256 bit) are customary.
348              
349             =item $hasher->add ($data)
350              
351             Adds data to be hashed into the hasher state. It doesn't matter whether
352             you pass your data in in one go or split it up, the hash will be the same.
353              
354             =item $mac = $hasher->finish ($length)
355              
356             Calculates a message code of the given length and return it. The object
357             cannot sensibly be used for further hashing afterwards.
358              
359             Typical digest lengths are 16 and 32, corresponding to 128 and 256 bit
360             digests, respectively.
361              
362             =item $another_hasher = $hasher->clone
363              
364             Make an exact copy of the hasher state. This can be useful to
365             generate incremental macs, for example.
366              
367             See the description for the C method for some
368             examples.
369              
370             =back
371              
372              
373             =head2 THE Crypt::Spritz::Cipher::XOR CLASS
374              
375             This class implements stream encryption/decryption. It doesn't implement
376             the standard Spritz encryption but the XOR variant (called B
377             in the paper).
378              
379             The XOR variant should be as secure as the standard variant, but
380             doesn't have separate encryption and decryaption functions, which saves
381             codesize. IT is not compatible with standard Spritz encryption, however -
382             drop me a note if you want that implemented as well.
383              
384             Typical use for encryption I decryption (code is identical for
385             decryption, you simply pass the encrypted data to C):
386              
387             # create a cipher - $salt can be a random string you send
388             # with your message, in clear, a counter (best), or empty if
389             # you only want to encrypt one message with the given key.
390             # 16 or 32 octets are typical sizes for the key, for the salt,
391             # use whatever you need to give a unique salt for every
392             # message you encrypt with the same key.
393              
394             my $cipher = Crypt::Spritz::Cipher::XOR $key, $salt;
395              
396             # encrypt a message in one or more calls to crypt
397              
398             my $encrypted;
399              
400             $encrypted .= $cipher->crypt ("This is");
401             $encrypted .= $cipher->crypt ("all very");
402             $encrypted .= $cipher->crypt ("secret");
403              
404             # that's all
405              
406             =over 4
407              
408             =item $cipher = new Crypt::Spritz::Cipher::XOR $key[, $iv]
409              
410             Creates a new cipher object usable for encryption and decryption. The
411             C<$key> must be provided, the initial vector C<$IV> is optional.
412              
413             Both C<$key> and C<$IV> can be of any length. Typical lengths for the
414             C<$key> are 16 (128 bit) or 32 (256 bit), while the C<$IV> simply needs to
415             be long enough to distinguish repeated uses of tghe same key.
416              
417             =item $encrypted = $cipher->crypt ($cleartext)
418              
419             =item $cleartext = $cipher->crypt ($encrypted)
420              
421             Encrypt or decrypt a piece of a message. This can be called as many times
422             as you want, and the message can be split into as few or many pieces as
423             required without affecting the results.
424              
425             =item $cipher->crypt_inplace ($cleartext_or_ciphertext)
426              
427             Same as C, except it I.
428              
429             =item $another_cipher = $cipher->clone
430              
431             Make an exact copy of the cipher state. This can be useful to cache states
432             for reuse later, for example, to avoid expensive key setups.
433              
434             While there might be use cases for this feature, it makes a lot more sense
435             for C and C, as they allow
436             you to specify the IV/nonce separately.
437              
438             =item $constant_32 = $cipher->keysize
439              
440             =item $constant_64 = $cipher->blocksize
441              
442             These methods are provided for L compatibility and simply
443             return C<32> and C<64>, respectively.
444              
445             Note that it is pointless to use Spritz with L, as Spritz is
446             not a block cipher and already provides an appropriate mode.
447              
448             =back
449              
450              
451             =head2 THE Crypt::Spritz::Cipher CLASS
452              
453             This class is pretty much the same as the C
454             class, with two differences: first, it implements the "standard" Spritz
455             encryption algorithm, and second, while this variant is easier to analyze
456             mathematically, there is little else to recommend it for, as it is slower,
457             and requires lots of code duplication code.
458              
459             So unless you need to be compatible with another implementation that does
460             not offer the XOR variant, stick to C.
461              
462             All the methods from C are available, except
463             C, which has been replaced by separate C and C
464             methods:
465              
466             =over 4
467              
468             =item $encrypted = $cipher->encrypt ($cleartext)
469              
470             =item $cleartext = $cipher->decrypt ($encrypted)
471              
472             Really the same as C, except you need separate
473             calls and code for encryption and decryption.
474              
475             =back
476              
477              
478             =head2 THE Crypt::Spritz::AEAD::XOR CLASS
479              
480             This is the most complicated class - it combines encryption and
481             message authentication into a single "authenticated encryption
482             mode". It is similar to using both L and
483             L, but makes it harder to make mistakes in combining
484             them.
485              
486             You can additionally provide cleartext data that will not be encrypted or
487             decrypted, but that is nevertheless authenticated using the MAC, which
488             is why this mode is called I, I
489             Associated Data>. Associated data is usually used to any header data that
490             is in cleartext, but should nevertheless be authenticated.
491              
492             This implementation implements the XOR variant. Just as with
493             L, this means it is not compatible with
494             the standard mode, but uses less code and doesn't distinguish between
495             encryption and decryption.
496              
497             Typical usage is as follows:
498              
499             # create a new aead object
500             # you use one object per message
501             # key length customarily is 16 or 32
502             my $aead = new Crypt::Spritz::AEAD::XOR $key;
503              
504             # now you must feed the nonce. if you do not need a nonce,
505             # you can provide the empty string, but you have to call it
506             # after creating the object, before calling associated_data.
507             # the nonce must be different for each usage of the $key.
508             # a counter of some kind is good enough.
509             # reusing a nonce with the same key completely
510             # destroys security!
511             $aead->nonce ($counter);
512              
513             # then you must feed any associated data you have. if you
514             # do not have associated cleartext data, you can provide the empty
515             # string, but you have to call it after nonce and before crypt.
516             $aead->associated_data ($header);
517              
518             # next, you call crypt one or more times with your data
519             # to be encrypted (opr decrypted).
520             # all except the last call must use a length that is a
521             # multiple of 64.
522             # the last block can have any length.
523             my $encrypted;
524              
525             $encrypted .= $aead->crypt ("1" x 64);
526             $encrypted .= $aead->crypt ("2" x 64);
527             $encrypted .= $aead->crypt ("3456");
528              
529             # finally you can calculate the MAC for all of the above
530             my $mac = $aead->finish;
531              
532             =over 4
533              
534             =item $aead = new Crypt::Spritz::AEAD::XOR $key
535              
536             Creates a new cipher object usable for encryption and decryption.
537              
538             The C<$key> can be of any length. Typical lengths for the C<$key> are 16
539             (128 bit) or 32 (256 bit).
540              
541             After creation, you have to call C next.
542              
543             =item $aead->nonce ($nonce)
544              
545             Provide the nonce value (nonce means "value used once"), a value the is
546             unique between all uses with the same key. This method I be called
547             I C and I C.
548              
549             If you only ever use a given key once, you can provide an empty nonce -
550             but you still have to call the method.
551              
552             Common strategies to provide a nonce are to implement a persistent counter
553             or to generate a random string of sufficient length to guarantee that it
554             differs each time.
555              
556             The problem with counters is that you might get confused and forget
557             increments, and thus reuse the same sequence number. The problem with
558             random strings i that your random number generator might be hosed and
559             generate the same randomness multiple times (randomness can be very hard
560             to get especially on embedded devices).
561              
562             =item $aead->associated_data ($data)
563              
564             Provide the associated data (cleartext data to be authenticated but not
565             encrypted). This method I be called I C and I
566             C.
567              
568             If you don't have any associated data, you can provide an empty string -
569             but you still have to call the method.
570              
571             Associated data is typically header data - data anybody is allowed to
572             see in cleartext, but that should nevertheless be protected with an
573             authentication code. Typically such data is used to identify where to
574             forward a message to, how to find the key to decrypt the message or in
575             general how to interpret the encrypted part of a message.
576              
577             =item $encrypted = $cipher->crypt ($cleartext)
578              
579             =item $cleartext = $cipher->crypt ($encrypted)
580              
581             Encrypt or decrypt a piece of a message. This can be called as many times
582             as you want, and the message can be split into as few or many pieces as
583             required without affecting the results, with one exception: All except the
584             last call to C needs to pass in a multiple of C<64> octets. The
585             last call to C does not have this limitation.
586              
587             =item $cipher->crypt_inplace ($cleartext_or_ciphertext)
588              
589             Same as C, except it I.
590              
591             =item $another_cipher = $cipher->clone
592              
593             Make an exact copy of the cipher state. This can be useful to cache states
594             for reuse later, for example, to avoid expensive key setups.
595              
596             Example: set up a cipher state with a key, then clone and use it to
597             encrypt messages with different nonces.
598              
599             my $cipher = new Crypt::Spritz::AEAD::XOR $key;
600              
601             my $message_counter;
602              
603             for my $message ("a", "b", "c") {
604             my $clone = $cipher->clone;
605             $clone->nonce (pack "N", ++$message_counter);
606             $clone->associated_data ("");
607             my $encrypted = $clone->crypt ($message);
608             ...
609             }
610              
611             =back
612              
613              
614             =head2 THE Crypt::Spritz::AEAD CLASS
615              
616             This class is pretty much the same as the C
617             class, with two differences: first, it implements the "standard" Spritz
618             encryption algorithm, and second, while this variant is easier to analyze
619             mathematically, there is little else to recommend it for, as it is slower,
620             and requires lots of code duplication code.
621              
622             So unless you need to be compatible with another implementation that does
623             not offer the XOR variant, stick to C.
624              
625             All the methods from C are available, except
626             C, which has been replaced by separate C and C
627             methods:
628              
629             =over 4
630              
631             =item $encrypted = $cipher->encrypt ($cleartext)
632              
633             =item $cleartext = $cipher->decrypt ($encrypted)
634              
635             Really the same as C, except you need separate
636             calls and code for encryption and decryption, but you have the same
637             limitations on usage.
638              
639             =back
640              
641              
642             =head1 SECURITY CONSIDERATIONS
643              
644             At the time of this writing, Spritz has not been through a lot of
645             cryptanalysis - it might get broken tomorrow. That's true for any crypto
646             algo, but the probability is quite a bit higher with Spritz. Having said
647             that, Spritz is almost certainly safer than RC4 at this time.
648              
649             Nevertheless, I wouldn't protect something very expensive with it. I also
650             would be careful about timing attacks.
651              
652             Regarding key lengths - as has been pointed out, traditional symmetric key
653             lengths (128 bit, 256 bit) work fine. Longer keys will be overkill, but
654             you can expect keys up to about a kilobit to be effective. Longer keys are
655             safe to use, they will simply be a waste of time.
656              
657              
658             =head1 PERFORMANCE
659              
660             As a cipher/prng, Spritz is reasonably fast (about 100MB/s on 2014 era
661             hardware, for comparison, AES will be more like 200MB/s).
662              
663             For key setup, ivs, hashing, nonces and so on, Spritz is very slow (about
664             5MB/s on 2014 era hardware, which does SHA-256 at about 200MB/s).
665              
666              
667             =head1 SUPPORT FOR THE PERL MULTICORE SPECIFICATION
668              
669             This module supports the perl multicore specification
670             (L) for all encryption/decryption
671             (non-aead > 4000 octets, aead > 400 octets), hashing/absorbing (> 400
672             octets) and squeezing/prng (> 4000 octets) functions.
673              
674              
675             =head1 SEE ALSO
676              
677             L.
678              
679             =head1 SECURITY CONSIDERATIONS
680              
681             I also cannot give any guarantees for security, Spritz is a very new
682             cryptographic algorithm, and when this module was written, almost
683             completely unproven.
684              
685             =head1 AUTHOR
686              
687             Marc Lehmann
688             http://software.schmorp.de/pkg/Crypt-Spritz
689              
690             =cut
691              
692             1;
693