Picture of a sea sponge

The Sponge Functions Corner

Guido Bertoni1, Joan Daemen1, Michaël Peeters1 and Gilles Van Assche1

1STMicroelectronics

Pages

Main documentation

Instances of sponge functions

Figures

  • Sponge construction [PDF] [PNG]
  • Duplex construction [PDF] [PNG]

The figures above are available under the Creative Commons Attribution license. In short, they can be freely used, provided that attribution is properly done in the figure caption, either by linking to this web page or by citing the article where the particular figure first appeared.

Our papers

This page lists our papers on sponge functions and related subjects, and briefly describes what they are about. For convenience, a bibtex file is also available here.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Cryptographic sponge functions, working draft v0.1, January 2011

This document gathers all the definitions, applications and properties of sponge functions in one document. It covers the sponge and duplex constructions, their applications, generic attacks, security proofs and design aspects.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Sponge functions, Ecrypt Hash Workshop, May 2007

This is the first article defining and analyzing sponge functions. It is fully contained in Cryptographic sponge functions, except that our original definition allowed for non-binary input/output blocks. We sent this article also as an official comment on NIST's initial SHA-3 requirements.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, On the indifferentiability of the sponge construction, Eurocrypt, April 2008

This article proves that the differentiating advantage of a sponge function over a random oracle is upper bounded by N(N+1)/2c+1, with N the number of calls to the underlying transformation or permutation and c the capacity. In other words, it shows that the sponge construction is free of generic attacks (at least in the single-stage model) under complexity of about 2c/2.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Sufficient conditions for sound tree and sequential hashing modes, Cryptology ePrint Archive, Report 2009/210

A sponge function processes input in a sequential way. It can however be used as a component in a tree hashing mode. This article gives a set of four practical, simple-to-verify, conditions under which a sequential or parallel hashing mode is sound. For such a mode, it proves that the differentiating advantage over a random oracle is upper bounded by q2/2n, with q the number of queries to the underlying hash function and n the length of the chaining values. In other words, it shows that it is easy to design a tree or parallel hashing mode whose generic security is not worse than the (in)ability to generate internal collisions. This paper provides a unifying treatment of both tree and sequential hashing modes and, as a by-product, provides insight into classical fixed-input-length compression function based constructions by placing them in a wider context.

As for modes that call a sponge function, we show in this paper that a tree or parallel hashing mode takes advantage of its arbitrary output length for optimizing efficiency.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Sponge-based pseudo-random number generators, Cryptographic Hardware and Embedded Software, August 2010

This article proposes a mode for pseudo-random number generation on top of a sponge function. The mode is close to the duplex construction, with feed and fetch calls, so as to allow the generator to be easily and efficiently reseedable. The resulting pseudo-random number generator is interesting for constrained platforms in that the sponge construction does not need more memory than the state. Generic security against state recovery is taken one step further ("beyond the birthday bound") than what indifferentiability directly achieves. An alternate mode based on the duplex construction can be found in Duplexing the sponge: single-pass authenticated encryption and other applications.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, On the security of the keyed sponge construction, Symmetric Key Encryption Workshop, February 2011

In this paper, we prove the generic security of the sponge construction when the input is prefixed with a secret key, i.e., when used for authentication or (authenticated) encryption. For these use cases, the net result is that one can achieve the same security level with less capacity (hence more rate) than what indifferentiability suggests. This is particularly interesting for constrained devices, where a small permutation is used.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Duplexing the sponge: single-pass authenticated encryption and other applications, Selected Areas in Cryptography, August 2011

This is the first article defining the duplex construction. The duplex construction allows for both input and output blocks for each call to the underlying permutation. Security of this construction is easy to analyze: it is shown to reduce to that of the sponge construction, hence taking advantage of all known results on sponge. The main application is an authenticated encryption mode that costs one call to the underlying permutation per block.