DOCSLIB.ORG

Secure Password Storing Using Prime Decomposition Chaovalit Somboonpattanakit and Nawaporn Wisitpongphan

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

IAENG International Journal of Computer Science, 48:1, IJCS_48_1_16 ______________________________________________________________________________________ Secure Password Storing Using Prime Decomposition Chaovalit Somboonpattanakit and Nawaporn Wisitpongphan Abstract—Nowadays, passwords are widely used for authenti- Key Stretching [7] is an adjustable hash function used for cation and they are the main targets of many hackers. Over the enhancing the security of the password stored in the database. past few years, there were several unfortunate major password The Key Stretching relies on high computing power and large leak incidents. Billions of passwords were exposed to public due to unsecured password storing methods. To further exacerbate memory usage during the hashing process, thus, cracking the situation, many users prefer to use the same password on or reversing is infeasible. Although Key Stretching is the multiple websites or services. Hence, a password leak from one best mechanism for storing passwords, the principle of this source will likely cause damage to users’ data in many other method is still the same as a normal hash method with some systems. In this study, we proposed a secure method for storing additional salt in the plain text format. passwords by incorporating prime decomposition technique. The novel Prime Decomposition Password Storing (PDPS) tech- Storing hashed or salted hashed passwords may no longer nique does not store original or encrypted password, but allows be secure, hence, we propose another way to securely store the same password to be converted differently on different passwords. We claim that the proposed method will be safe systems without adding extra information. We claimed that the even in the event of password leak. proposed PDPS can protect the confidentiality of the password in the event of password database leaked. II. BACKGROUND Index Terms—password, password storing, prime decompo- sition, secure, authentication. According to NIST disclaimer statement [8], most users reuse the same password on multiple systems when forcing them to use a complex password. In addition, if a user I. INTRODUCTION has selected a good password, the system should not force ASSWORD is apparently the most popular authenti- the users to change the password often because users may P cation method for modern applications. During system simply create a new password that is similar to the old one, registration, users have to create a password that is easy to e.g., adding a certain numeric or alphabet pattern at the end remember. Most systems force users to create a complex of the old password. Therefore, when the passwords got password, which is composed of numbers, alphabets, and leaked to the public, the attacker can use those passwords sometimes special characters, to prevent conventional pass- to attack other systems. Therefore, forcing users to come word attacking methods. However, users’ ability to remember up with a complex password does not always imply that deteriorates as the rules for creating passwords get more the users’ password will be secured. To get around this complicated. As a result, many users tend to reuse the same problem, we proposed a novel technique for securing the password on different systems. Therefore, besides forcing stored passwords. The main idea is to allow users to select the users to create a strong password, service providers have any password they want without imposing strict set of rules to also ensure that they provide a secure password storing or requirements. Users can use any password that is easy for system that can protect users’ information in the event of them to remember. password database leak. There many research studies that focused on enhancing A. Authentication mechanisms password storing security. The most popular technique is the use of hash functions [1], [2] or Key Stretching [3], [4]. Authentication is a mechanism that is used to identify a Example of these techniques are MD5, SHA3, SCRYPT, person by using a certain set of data. Typically, users have to ARGON2, etc. provide various personal information to identify themselves However, using a pure hash function without additional on different systems for security purpose. The set of data protection mechanism such as “salt” for storing passwords that is commonly used to identify a user can come from makes this approach vulnerable to time-memory tradeoff these factors [9]: password attack [5] using a pre-computed table, which is 1) Something you know: password, pin readily available on the Internet [6]. Therefore, adding salt 2) Something you have: smart card, hardware token will only make hacking more time and resource consuming, 3) Something you are: fingerprint, iris scan but cracking the salted hashed passwords is still plausible. 4) Somebody who knows you: human relations Authentication mechanisms can include one, two, or multiple Manuscript received May 29, 2020; revised January 14, 2021. factors. Using more than one factor helps increase the secu- C. Somboonpattanakit is a PhD candidate of King Mongkut’s Univer- sity of Technology North Bangkok, Bangkok, Thailand. He is now with rity level during the validation process but also add burden Department of Information Technology, Rajamangala University, Bangkok, to users because it requires extra steps or additional devices, Thailand. (email: [email protected]) e.g., using both the password and the finger scan [10] or re- N. Wisitpongphan is a Assistant Professor of Data Communication and Networking Department, King Mongkut’s University of Technology North questing the users to input the OTP (One-time password) sent Bangkok, Bangkok, Thailand. (e-mail: [email protected]) to them via SMS and validate within a specified time [11]. Volume 48, Issue 1: March 2021 IAENG International Journal of Computer Science, 48:1, IJCS_48_1_16 ______________________________________________________________________________________ B. Password Storing Techniques D. Related Work Usually systems or application developers have various One of the most popular methods for protecting the pass- ways to protect the stored passwords [12]: words is to use hash functions such as MD5 or SHA3 [22]. 1) Plain text password: This is the most unsecured However, these methods are prone to Time-Memory Trade- method for storing passwords because the password is stored Offs attack because of their fast hashing speed. Therefore, as is without any encryption. Hence, attackers who get access the traditional one-way hash function is not the best way to to the password database can readily use the leaked password keep passwords secured, although in general it is still widely to exploit other systems. In 2016, roughly 100 million plain used. As a result, key stretching techniques are becoming text passwords from the large social media website (vk.com) more popular. was exposed to public [13]. The lesson learned from such Unlike traditional hash functions, key stretching runs at an event is that users should come up with unique password a very slow speed and consumes significant amount of for each website. computer resources [3], especially the processing power, in 2) Encrypted password: The password is encrypted with order to prevent an attacker from using a precomputed table. a certain algorithm such as AES, DES or 3DES prior to However, as the processing speed of the GPU or FPGA storing [14], [15]. The key for encrypting the password is hardware increases, the key stretching technique, which relies also stored in the same database because it will be used again solely on the use of processing power, is no longer safe. in the validation process. This method can keep the password secured by making the password unreadable. This, by far, is According to the aforementioned problem, there are sev- the most popular method because of its low complexity and eral studies that resorted to other techniques for securing a slightly higher security level than that of the plain text the password. Colin Percival [4] proposed memory-hard method. However, in the event of database leak, there is a (SCRYPT) algorithm that uses significant amount of memory possibility that the attackers can also obtain the key from the instead of extra processing power to prevent GPU or FPGA same database. attack. This technique is more appealing because the memory 3) Hashed password: This method works by applying a space is typically limited and the advancement in hard drive one-way hash function such as MD5 or SHA3 to a password development is usually slower than that of the processor. and stores the hash results in the database instead of storing However, SCRYPT still has flexibility and complexity prob- the original passwords. When the attackers gain access to the lems, thus, not practical for deploying in a real system. database, they will see only hash values and will have to put Despite these problems, this concept has become a model extra effort to obtain the original passwords. However, this for many ideas later. method is still vulnerable to the rainbow table attack [16]. To overcome the challenge faced by memory consumption- 4) Salted hash password: This method will add a random based approach, LYRA2 algorithm [23] uses cryptographic string to the password before hashing. The goal of adding salt sponge function, which allows flexibility in configuring the to the password [17] is to create a different hashed value of size of the input and output independently. By exploiting the the same password, thereby preventing Time-Memory Trade- properties of a sponge, i.e., absorbing and squeezing, the user Offs attack [18]. However, because the salt must be stored can adjust the parameters to suit any working environment. in the plain text format in the database, attackers who know Among the techniques described in this section, the pass- the salt and the hashed value can still use this information word hash function together with a key stretching is the most to crack the password. secured technique for storing the passwords.
Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units

    GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units

    Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
  • Computationally Data-Independent Memory Hard Functions

    Computationally Data-Independent Memory Hard Functions

    Computationally Data-Independent Memory Hard Functions Mohammad Hassan Ameri∗ Jeremiah Blocki† Samson Zhou‡ November 18, 2019 Abstract Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input e.g., password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) in comparison than an iMHF. In particular, any iMHF that can be evaluated in N steps on a sequential machine has CMC at 2 most N log log N . By contrast, the dMHF scrypt achieves maximal CMC Ω(N 2) — though O log N the CMC of scrypt would be reduced to just (N) after a side-channel attack. In this paper, we introduce the notion ofO computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that memory access pattern induced by the (ran- domized) ciMHF evaluation algorithm appears to be independent from the standpoint of a computationally bounded eavesdropping attacker — even if the attacker selects the initial in- put. We then ask whether it is possible to circumvent known upper bound for iMHFs and build a ciMHF with CMC Ω(N 2).
  • PHC: Status Quo

    PHC: Status Quo

    PHC: status quo JP Aumasson @veorq / http://aumasson.jp academic background principal cryptographer at Kudelski Security, .ch applied crypto research and outreach BLAKE, BLAKE2, SipHash, NORX Crypto Coding Standard Password Hashing Competition Open Crypto Audit Project board member do you use passwords? this talk might interest you! Oct 2013 "hash" = 3DES-ECB( static key, password ) users' hint made the guess game easy... (credit Jeremi Gosney / Stricture Group) May 2014; "encrypted passwords" (?) last week that's only the reported/published cases Lesson if Adobe, eBay, and Avast fail to protect their users' passwords, what about others? users using "weak passwords"? ITsec people using "weak defenses"? developers using "weak hashes"? cryptographers, who never bothered? agenda 1. how (not) to protect passwords 2. the Password Hashing Competition (PHC) 3. the 24-2 PHC candidates 4. next steps, and how to contribute WARNING this is NOT about bikeshed topics as: password policies password managers password-strength meters will-technology-X-replace-passwords? 1. how (not) to protect passwords solution of the 60's store "password" or the modern alternative: obviously a bad idea (assuming the server and its DB are compromised) solution of the early 70's store hash("password") "one-way": can't be efficiently inverted vulnerable to: ● efficient dictionary attacks and bruteforce ● time-memory tradeoffs (rainbow tables, etc.) solution of the late 70's store hash("password", salt) "one-way": can't be efficiently inverted immune to time-memory tradeoffs vulnerable to: ● dictionary attacks and bruteforce (but has to be repeated for different hashes) solution of the 2000's store hash("password", salt, cost) "one-way": can't be efficiently inverted immune to time-memory tradeoffs inefficient dictionary attacks and bruteforce main ideas: ● be "slow" ● especially on attackers' hardware (GPU, FPGA) => exploit fast CPU memory access/writes PBKDF2 (Kaliski, 2000) NIST and PKCS standard in Truecrypt, iOS, etc.
  • Intro to Cryptography 1 Introduction 2 Secure Password Manager

    Intro to Cryptography 1 Introduction 2 Secure Password Manager

    Programming Assignment 1 Winter 2021 CS 255: Intro to Cryptography Prof. Dan Boneh Due Monday, Feb. 8, 11:59pm 1 Introduction In many software systems today, the primary weakness often lies in the user’s password. This is especially apparent in light of recent security breaches that have highlighted some of the weak passwords people commonly use (e.g., 123456 or password). It is very important, then, that users choose strong passwords (or “passphrases”) to secure their accounts, but strong passwords can be long and unwieldy. Even more problematic, the user generally has many different services that use password authentication, and as a result, the user has to recall many different passwords. One way for users to address this problem is to use a password manager, such as LastPass and KeePass. Password managers make it very convenient for users to use a unique, strong password for each service that requires password authentication. However, given the sensitivity of the data contained in the password manager, it takes considerable care to store the information securely. In this assignment, you will be writing a secure and efficient password manager. In your implemen- tation, you will make use of various cryptographic primitives we have discussed in class—notably, authenticated encryption and collision-resistant hash functions. Because it is ill-advised to imple- ment your own primitives in cryptography, you should use an established library: in this case, the Stanford Javascript Crypto Library (SJCL). We will provide starter code that contains a basic tem- plate, which you will be able to fill in to satisfy the functionality and security properties described below.
  • User Authentication and Cryptographic Primitives

    User Authentication and Cryptographic Primitives

    User Authentication and Cryptographic Primitives Brad Karp UCL Computer Science CS GZ03 / M030 16th November 2016 Outline • Authenticating users – Local users: hashed passwords – Remote users: s/key – Unexpected covert channel: the Tenex password- guessing attack • Symmetric-key-cryptography • Public-key cryptography usage model • RSA algorithm for public-key cryptography – Number theory background – Algorithm definition 2 Dictionary Attack on Hashed Password Databases • Suppose hacker obtains copy of password file (until recently, world-readable on UNIX) • Compute H(x) for 50K common words • String compare resulting hashed words against passwords in file • Learn all users’ passwords that are common English words after only 50K computations of H(x)! • Same hashed dictionary works on all password files in world! 3 Salted Password Hashes • Generate a random string of bytes, r • For user password x, store [H(r,x), r] in password file • Result: same password produces different result on every machine – So must see password file before can hash dictionary – …and single hashed dictionary won’t work for multiple hosts • Modern UNIX: password hashes salted; hashed password database readable only by root 4 Salted Password Hashes • Generate a random string of bytes, r Dictionary• For user password attack still x, store possible [H(r,x after), r] in attacker seespassword password file file! Users• Result: should same pick password passwords produces that different aren’t result close to ondictionary every machine words. – So must see password file
  • Permutation-Based Encryption, Authentication and Authenticated Encryption

    Permutation-Based Encryption, Authentication and Authenticated Encryption

    Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen1 Joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors DIAC 2012, Stockholm, July 6 . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Modern-day cryptography is block-cipher centric (Standard) hash functions make use of block ciphers SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, … So HMAC, MGF1, etc. are in practice also block-cipher based Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher (inverse operation) . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric When is the inverse block cipher needed? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … So a block cipher
  • To Change Your Ud Password(S)

    To Change Your Ud Password(S)

    TO CHANGE YOUR UD PASSWORD(S) The MyCampus portal allows the user a single-signon for campus applications. IMPORTANT NOTICE AT BOTTOM OF THESE INSTRUCTIONS !! INITIAL PROCEDURE TO ALLOW YOU TO CHANGE YOUR PASSWORD ON THE UD NETWORK : 1. In your web browser, enter http://mycampus.dbq.edu . If you are logging in for the first time, you will be directed to answer (3) security questions. Also, be sure to answer one of the recovery methods. 2. Once the questions are answered, you will click on SUBMIT and then CONTINUE and then YES. 3. In one location, you will now find MyUD, Campus Portal, Email and UDOnline (Moodle). 4. You can now click on any of these apps and you will be logged in already. The email link will prompt you for the password a second time until we get all accounts set up properly. YOU MUST BE SURE TO LOGOUT OF EACH APPLICATION AFTER YOU’RE DONE USING IT !! TO CHANGE YOUR PASSWORD: 1. After you have logged into the MyCampus.dbq.edu website, you will see your username in the upper- right corner of the screen. 2. Click on your name and then go into My Account. 3. At the bottom, you will click on Change Password and then proceed as directed. 4. You can now logout. You will need to use your new password on your next login. Password must be a minimum of 6 characters and contain 3 of the following 4 categories: - Uppercase character - Lowercase character - Number - Special character You cannot use the previous password You’ll be required to change your password every 180 days.
  • Security + Encryption Standards

    Security + Encryption Standards

    Security + Encryption Standards Author: Joseph Lee Email: joseph@ ripplesoftware.ca Mobile: 778-725-3206 General Concepts Forward secrecy / perfect forward secrecy • Using a key exchange to provide a new key for each session provides improved forward secrecy because if keys are found out by an attacker, past data cannot be compromised with the keys Confusion • Cipher-text is significantly different than the original plaintext data • The property of confusion hides the relationship between the cipher-text and the key Diffusion • Is the principle that small changes in message plaintext results in large changes in the cipher-text • The idea of diffusion is to hide the relationship between the cipher-text and the plaintext Secret-algorithm • A proprietary algorithm that is not publicly disclosed • This is discouraged because it cannot be reviewed Weak / depreciated algorithms • An algorithm that can be easily "cracked" or defeated by an attacker High-resiliency • Refers to the strength of the encryption key if an attacker discovers part of the key Data-in-transit • Data sent over a network Data-at-rest • Data stored on a medium Data-in-use • Data being used by an application / computer system Out-of-band KEX • Using a medium / channel for key-exchange other than the medium the data transfer is taking place (phone, email, snail mail) In-band KEX • Using the same medium / channel for key-exchange that the data transfer is taking place Integrity • Ability to determine the message has not been altered • Hashing algorithms manage Authenticity
  • Reset Forgotten Password with Office365

    Reset Forgotten Password with Office365

    RESET FORGOTTEN PASSWORD 1. Go to https://login.microsoftonline.com 2. Click the link “Can’t access your account?” 3. Select Work or School account 4. Enter in your User ID with the @uamont.edu at the end and then enter the characters as seen in the picture. You can click the refresh button for a different set of letters. 5. You will have 3 options to verify your account and reset your password. This information was set up when you registered with self-service password reset. If you have not registered, please go to https://aka.ms/ssprsetup and enter in your information. A step by step guide on how to do this can be found here. a. Text your mobile phone b. Call your mobile phone c. Answer Security Questions 6. Choose one option and enter the information requested 7. Click Text for text my mobile phone, Call for call my mobile phone, or click Next when you’ve answered all security questions. a. If you have selected Text my mobile phone you will be required to enter in a verification code and click Next b. If you have select Call my mobile phone you will receive a call and will need to enter # to verify. 8. Enter in your new password and click Finish a. Note: If you receive the message, “Unfortunately, your password contains a word, phrase, or pattern that makes it easily guessable. Please try again with a different password.” Please try to create a password that does not use any dictionary words. b. Passwords must meet 3 of the 4 following requirements i.
  • Class-Action Lawsuit

    Class-Action Lawsuit

    Case 3:20-cv-00863-SI Document 1 Filed 05/29/20 Page 1 of 279 Steve D. Larson, OSB No. 863540 Email: [email protected] Jennifer S. Wagner, OSB No. 024470 Email: [email protected] STOLL STOLL BERNE LOKTING & SHLACHTER P.C. 209 SW Oak Street, Suite 500 Portland, Oregon 97204 Telephone: (503) 227-1600 Attorneys for Plaintiffs [Additional Counsel Listed on Signature Page.] UNITED STATES DISTRICT COURT DISTRICT OF OREGON PORTLAND DIVISION BLUE PEAK HOSTING, LLC, PAMELA Case No. GREEN, TITI RICAFORT, MARGARITE SIMPSON, and MICHAEL NELSON, on behalf of CLASS ACTION ALLEGATION themselves and all others similarly situated, COMPLAINT Plaintiffs, DEMAND FOR JURY TRIAL v. INTEL CORPORATION, a Delaware corporation, Defendant. CLASS ACTION ALLEGATION COMPLAINT Case 3:20-cv-00863-SI Document 1 Filed 05/29/20 Page 2 of 279 Plaintiffs Blue Peak Hosting, LLC, Pamela Green, Titi Ricafort, Margarite Sampson, and Michael Nelson, individually and on behalf of the members of the Class defined below, allege the following against Defendant Intel Corporation (“Intel” or “the Company”), based upon personal knowledge with respect to themselves and on information and belief derived from, among other things, the investigation of counsel and review of public documents as to all other matters. INTRODUCTION 1. Despite Intel’s intentional concealment of specific design choices that it long knew rendered its central processing units (“CPUs” or “processors”) unsecure, it was only in January 2018 that it was first revealed to the public that Intel’s CPUs have significant security vulnerabilities that gave unauthorized program instructions access to protected data. 2. A CPU is the “brain” in every computer and mobile device and processes all of the essential applications, including the handling of confidential information such as passwords and encryption keys.
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms

    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms

    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
  • Cryptographic Sponge Functions

    Cryptographic Sponge Functions

    Cryptographic sponge functions Guido B1 Joan D1 Michaël P2 Gilles V A1 http://sponge.noekeon.org/ Version 0.1 1STMicroelectronics January 14, 2011 2NXP Semiconductors Cryptographic sponge functions 2 / 93 Contents 1 Introduction 7 1.1 Roots .......................................... 7 1.2 The sponge construction ............................... 8 1.3 Sponge as a reference of security claims ...................... 8 1.4 Sponge as a design tool ................................ 9 1.5 Sponge as a versatile cryptographic primitive ................... 9 1.6 Structure of this document .............................. 10 2 Definitions 11 2.1 Conventions and notation .............................. 11 2.1.1 Bitstrings .................................... 11 2.1.2 Padding rules ................................. 11 2.1.3 Random oracles, transformations and permutations ........... 12 2.2 The sponge construction ............................... 12 2.3 The duplex construction ............................... 13 2.4 Auxiliary functions .................................. 15 2.4.1 The absorbing function and path ...................... 15 2.4.2 The squeezing function ........................... 16 2.5 Primary aacks on a sponge function ........................ 16 3 Sponge applications 19 3.1 Basic techniques .................................... 19 3.1.1 Domain separation .............................. 19 3.1.2 Keying ..................................... 20 3.1.3 State precomputation ............................ 20 3.2 Modes of use of sponge functions .........................