Register values and s. As a difference to the paper, we also include n in the state, for easy access to it within the various functions.

See §3.1 State.

Returns the standard initial state. See §3.2 InitializeState.

Takes a variable-lenght input and updates the state based on it. Spritz absorbs input in blocks of floor (n / 2) nibbles each (low-order nibble of each byte first). After each block is absorbed, we call shuffle.

Satisfies the following law:

absorb x1 >> absorb x2 = 'absorb (x1 ++ x2)'

See §3.2 Absorb.

Splits the given input byte into two nibbles and updates state based on each nibble, low-order nibble first. See §3.2 AbsorbByte.

Tests whether Spritz is full of absorbed data (i.e. a = floor (n / 2). If it is, calls shuffle to mix in the absorbed data and reset a to 0. Then updates the state based on the value of the supplied nibble. See §3.2 AbsorbNibble.

Equivalent to absorbing a special "stop" symbol outside of the oridnary input alphabet. The intent is to provide a clean way to separate different inputs being absorbed. See §2.1.

whips, crushes, whips, crushes, and finally whips again. According to the paper, each whip randomizes the state. Calling crush between each whip causes the effects of crush to be not easily determined by manipulating the input. See §3.2 Shuffle.

Calls update r times. Also updates w to the next largest value that is relatively prime to n.

Provides a non-invertable transformation from states to states. Intentionally loses information about the current state by mapping 2^(n2) states to 1 state, since each of @n2@ pairs of compared values in s are sorted into increasing order. See §3.2 "crush".

Main output function for Spritz. The Int parameter states how many bytes to produce. Calls shuffle if a > 0, which shuffles any unabsorbed input and puts Spritz into "squeeze mode" (a > 0). See §3.2 "squeeze".

Basic pseudorandom output routine. Calls shuffle when a > 0, updates state using update, and produces one output byte using output. See §3.2 "drip".

Advances the system to the next state by adding w to i, giving j and k their next values, and swapping s'_'i with s'_'j. w being relatively prime to n means that the value of i cycles modulo n as repeated updates are performed. See §3.2 "update".

Computes a single byte (n-value) to output, saves it in register z and returns it.

See §3.1 Nibbles.

See §3.1 Nibbles.

A utility function that adds the first parameter to the second then returns that modulo the third parameter (n). This is used throughout Spritz in place of a more traditional xor approach so that n can be any value and is not limited to being a power of 2.

See plusmod. This is very similar except it subtracts the first two arguments instead of adding them.

Swap two elements given indices of S.

Adds-modulo-N (plusmod) each byte of the message with the corresponding byte of the output of squeeze yielding an ecrypted ciphertext. See §2.2.

Decrypts a message encrypted with encrypt. Identical to encrypt except uses submod instead. See §2.2.

Used in the paper at the top of encrypt* and decrypt, but not used by default in this library. Still, we provide it in case it's needed.

keySetup n' k' = put (initializeState n') >> absorb k'

Produces an r-byte hash of the input message.

hash absorbs the input message, calls absorbStop to signal the end of the input message, then absorbs the desired hash length (r).

The given r is absorbed for functional separation.

See §2.3.

Message authentication code. See §2.4.