Sponge function

Illustration of the sponge construction — The sponge construction for hash functions. *P_i* are blocks of the input string, *Z_i* are hashed output blocks.

In

pseudo-random number generators, and authenticated encryption.^[1]

Construction

A sponge function is built from three components:[2]

a state memory, S, containing b bits,
a function $f:\{0,1\}^{b}\rightarrow \{0,1\}^{b}$
a padding function P

S is divided into two sections: one of size r (the bitrate) and the remaining part of size c (the capacity). These sections are denoted R and C respectively.

f produces a pseudorandom permutation of the $2^{b}$ states from S.

P appends enough bits to the input string so that the length of the padded input is a whole multiple of the bitrate, r. This means the input is segmented into blocks of r bits.

Operation

The sponge function "absorbs" (in the

sponge

metaphor) all blocks of a padded input string as follows:

S is initialized to zero
for each r-bit block B of P(string)
- R is replaced with R XOR B (using bitwise XOR)
- S is replaced by f(S)

The sponge function output is now ready to be produced ("squeezed out") as follows:

repeat
- output the R portion of S
- S is replaced by f(S) unless output is full

If less than r bits remain to be output, then R will be truncated (only part of R will be output).

Another metaphor describes the state memory as an "

entropy pool", with input "poured into" the pool, and the transformation function referred to as "stirring the entropy pool".^[3]

Note that input bits are never XORed into the C portion of the state memory, nor are any bits of C ever output directly. The extent to which C is altered by the input depends entirely on the transformation function f. In hash applications, resistance to collision or preimage attacks depends on C, and its size (the "capacity" c) is typically twice the desired resistance level.

Duplex construction

It is also possible to absorb and squeeze in an alternating fashion.^[1] This operation is called the duplex construction or duplexing. It can be the basis of a single pass authenticated encryption system.

The state S is initialized to zero
for each r-bit block B of the input
- R is XORed with B
- S is replaced by f(S)
- R is now an output block of size r bits.

Overwrite mode

It is possible to omit the XOR operations during absorption, while still maintaining the chosen security level.^[1] In this mode, in the absorbing phase, the next block of the input overwrites the R part of the state. This allows keeping a smaller state between the steps. Since the R part will be overwritten anyway, it can be discarded in advance, only the C part must be kept.

Applications

Sponge functions have both theoretical and practical uses. In theoretical cryptanalysis, a random sponge function is a sponge construction where f is a random permutation or transformation, as appropriate. Random sponge functions capture more of the practical limitations of cryptographic primitives than does the widely used random oracle model, in particular the finite internal state.^[4]

The sponge construction can also be used to build practical cryptographic primitives. For example,

Spritz

refers to the sponge-construct to define the algorithm.

For other examples, a sponge function can be used to build

password hashing schemes.^[6]

References

^ ^a ^b ^c Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, Giles. "Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications" (PDF). Retrieved 2023-03-27.
^ Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, Giles. "The sponge and duplex constructions". Retrieved 2023-03-27.
^ ^a ^b Rivest, Ron; Schuldt, Jacob (2014-10-27). "Spritz – a spongy RC4-like stream cipher and hash function" (PDF). Retrieved 2014-12-29.
^ Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, Giles. "On the Indifferentiability of the Sponge Construction" (PDF). Retrieved March 27, 2023.
NIST
. Retrieved 4 October 2012.

doi:10.1109/ISCAS.2019.8702498
.

External links

v
t
e
Cryptographic hash functions and message authentication codes

List

Comparison

Known attacks

Common functions

MD5 (compromised)

SHA-1 (compromised)

SHA-2

SHA-3

BLAKE2

SHA-3 finalists

BLAKE

Grøstl

JH

Skein

Keccak (winner)

Other functions

BLAKE3

CubeHash

ECOH

FSB

Fugue

GOST

HAS-160

HAVAL

Kupyna

LSH

Lane

MASH-1

MASH-2

MD2

MD4

MD6

MDC-2

N-hash

RIPEMD

RadioGatún

SIMD

SM3

SWIFFT

Shabal

Snefru

Streebog

Tiger

VSH

Whirlpool

Password hashing/
key stretching functions

Argon2

Balloon

bcrypt

Catena

crypt

LM hash

Lyra2

Makwa

PBKDF2

scrypt

yescrypt

General purpose
key derivation functions

HKDF

KDF1/KDF2

MAC functions

CBC-MAC

DAA

GMAC

HMAC

NMAC

OMAC/CMAC

PMAC

Poly1305

SipHash

UMAC

VMAC

Authenticated
encryption modes

CCM

ChaCha20-Poly1305

CWC

EAX

GCM

IAPM

OCB

Attacks

Collision attack

Preimage attack

Birthday attack

Brute-force attack

Rainbow table

Side-channel attack

Length extension attack

Design

Avalanche effect

Hash collision

Merkle–Damgård construction

Sponge function

HAIFA construction

Standardization

CAESAR Competition

CRYPTREC

NESSIE

NIST hash function competition

Password Hashing Competition

Utilization

Hash-based cryptography

Merkle tree

Message authentication

Proof of work

Salt

Pepper

v
t
e
Cryptography
General

History of cryptography

Outline of cryptography

Cryptographic protocol
Authentication protocol

Cryptographic primitive

Cryptanalysis

Cryptocurrency

Cryptosystem

Cryptographic nonce

Cryptovirology

Hash function
Cryptographic hash function

Key derivation function

Digital signature

Kleptography

Key (cryptography)

Key exchange

Key generator

Key schedule

Key stretching

Keygen

Cryptojacking malware

Ransomware

Random number generation
Cryptographically secure pseudorandom number generator (CSPRNG)

Pseudorandom noise (PRN)

Secure channel

Insecure channel

Subliminal channel

Encryption

Decryption

End-to-end encryption

Harvest now, decrypt later

Information-theoretic security

Plaintext

Codetext

Ciphertext

Shared secret

Trapdoor function

Trusted timestamping

Key-based routing

Onion routing

Garlic routing

Kademlia

Mix network

Mathematics

Cryptographic hash function

Block cipher

Stream cipher

Symmetric-key algorithm

Authenticated encryption

Public-key cryptography

Quantum key distribution

Quantum cryptography

Post-quantum cryptography

Message authentication code

Random numbers

Steganography

Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=Sponge_function&oldid=1180270013"

[duplex-1] Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, Giles. "Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications" (PDF). Retrieved 2023-03-27.

[2] Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, Giles. "The sponge and duplex constructions". Retrieved 2023-03-27.

[Rivest2014-3] Rivest, Ron; Schuldt, Jacob (2014-10-27). "Spritz – a spongy RC4-like stream cipher and hash function" (PDF). Retrieved 2014-12-29.

[4] Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, Giles. "On the Indifferentiability of the Sponge Construction" (PDF). Retrieved March 27, 2023.

[5] NIST
. Retrieved 4 October 2012.

[lyra2ToC-6] :10.1109/ISCAS.2019.8702498
.

[1]

[3]

[4]

[6]