International Association for Cryptologic Research (IACR)
Abstract
This paper reconsiders the design of the stream cipher RC4, and
proposes an improved variant, which we call ``Spritz''
(since the output comes in fine drops rather than big
blocks.)
Our work leverages the considerable cryptanalytic work done
on the original RC4 and its proposed variants. It also uses
simulations extensively to search for biases and to guide the
selection of intermediate expressions.
We estimate that Spritz can produce output with about 24 cycles/byte
of computation. Furthermore, our statistical tests suggest that about $2^{81}$ bytes of output are needed before one can reasonably distinguish Spritz output from random output; this is a marked improvement over RC4. [Footnote:
However, see Appendix F for references
to more recent work that suggests that our estimates of
the work required to break Spritz may be optimistic.]
In addition, we formulate Spritz as a ``sponge (or sponge-like)
function,'' (see Bertoni et al.), which can ``Absorb'' new
data at any time, and from which one can ``Squeeze'' pseudorandom
output sequences of arbitrary length. Spritz can thus be easily
adapted for use as a cryptographic hash function, an encryption
algorithm, or a message-authentication code generator. (However, in
hash-function mode, Spritz is rather slow.)
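
An added example, not code from this page or from the authors: the Absorb/Squeeze interface for N = 256, written from the pseudocode in the Spritz paper, which this abstract does not reproduce. The names `Spritz`, `absorb`, `absorb_stop`, `squeeze` and `spritz_hash` are this example's own.

```python
N = 256  # state size for byte-oriented Spritz (assumed here)

class Spritz:
    def __init__(self):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w, self.S = 1, list(range(N))  # S starts as the identity permutation
    def _update(self):  # one state-update step
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]
    def _shuffle(self):  # Whip, Crush, Whip, Crush, Whip, then reset a
        S = self.S
        for rnd in range(3):
            for _ in range(2 * N):  # Whip(2N)
                self._update()
            self.w += 2  # w stays odd, hence coprime to N = 256
            if rnd < 2:  # Crush: order each mirrored pair (not invertible)
                for v in range(N // 2):
                    S[v], S[N - 1 - v] = sorted((S[v], S[N - 1 - v]))
        self.a = 0
    def absorb(self, data):  # may be called at any time, in any number of pieces
        S = self.S
        for b in data:
            for x in (b & 0x0F, b >> 4):  # low nibble first, then high
                if self.a == N // 2:  # no room left: mix before absorbing more
                    self._shuffle()
                S[self.a], S[N // 2 + x] = S[N // 2 + x], S[self.a]
                self.a += 1
    def absorb_stop(self):  # separator between two absorbed inputs
        if self.a == N // 2:
            self._shuffle()
        self.a += 1
    def squeeze(self, r):  # r pseudorandom bytes; callable repeatedly
        S, out = self.S, bytearray()
        if self.a > 0:  # pending absorbed input must be mixed in first
            self._shuffle()
        for _ in range(r):
            self._update()
            self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
            out.append(self.z)
        return bytes(out)

def spritz_hash(msg, r=32):
    s = Spritz()
    s.absorb(msg)
    s.absorb_stop()  # separates the message from the output-length byte
    s.absorb(bytes([r]))
    return s.squeeze(r)
```

For stream use, absorb the key and call `squeeze` for as many keystream bytes as needed; `spritz_hash` shows the hash-function mode the abstract mentions.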