Cryptographic Sponges

Guido Bertoni, Joan Daemen, Michaël Peeters* and Gilles Van Assche *NXP Semiconductors STMicroelectronics Outline

Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 2 Introduction

• Sponge functions model • the finite state of iterated cryptographic functions • as in iterated hash functions, stream ciphers, etc. • Random sponges can be used • as a reference for (hash function) design • as an inspiration for (hash function) design • Sponges are simple

Echternach Symmetric Crypto 2008 3 Outline

 Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 4 r c Sponge Construction 0 0 p0 f

The last block absorbed A C p1 S S shall not be zero. f absorbing

squeezing A C z0 S S f

A C z1 S S f

… Echternach Symmetric Crypto 2008 5 Inner Collisions, State Collisions

Inner collision

A C A C a S S b S S

A C A C S S S S • State collision f • Absorbing phase A C • Hash collision S S State collision • Squeezing phase • Output periodicity

Echternach Symmetric Crypto 2008 6 Random Sponges

• Random T-sponge c+r 2c+r • Randomly chosen in (2 ) transformations f • Random P-sponge c+r • Randomly chosen in (2 )! permutations f

Echternach Symmetric Crypto 2008 7 Outline

 Introduction  Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 8 Uses Examples (1/5)

• Hash function

Padded message Hash

0 f f f … f f

Echternach Symmetric Crypto 2008 9 Uses Examples (2/5)

• Message authentication code

Key Padded message MAC

0 f f f … f f

Echternach Symmetric Crypto 2008 10 Uses Examples (3/5)

• Stream cipher

Key IV Key stream

0 f f f f … f

Echternach Symmetric Crypto 2008 11 Uses Examples (4/5)

• Random-access stream cipher

Key, Key stream IV, i block i

0 f

Echternach Symmetric Crypto 2008 12 Uses Examples (5/5)

• Mask generating functions, key derivation

Variable-length input Variable-length output

0 f f … f f f … f

• See PKCS#1 and IEEE Std 1363a

Echternach Symmetric Crypto 2008 13 Outline

 Introduction  Definitions  Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 14 Distinguishing Random Sponges

• Adversary queries a black box, either RS or RO • Budget of N input and output blocks ? • Theorem: A random sponge can only be distinguished from a random oracle by the presence of inner collisions. • When N 2c/2, inner collisions are unlikely ¿

Echternach Symmetric Crypto 2008 15 Attacking Random Sponges

-1 -1 • White box access to f (and f ) f,f • Budget of N function calls • Expected workload for operations: • Producing inner collision • Finding a path to inner state • Producing output cycles • Binding an output string to a state The expected workload is a function of: • Upper bounds for attacks: c • Output collision capacity , • (Second) pre-image P/T-sponge, bitrate r. • Length extension

Echternach Symmetric Crypto 2008 16 Outline

 Introduction  Definitions  Uses Examples  Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 17 Indifferentiability Framework

• Goal: obtain lower bound on generic attacks • Distinguisher has to differentiate between: • the ideal system (Random Oracle), and • the construction (here, the Sponge), • with access to publicly-known function or parameter (here, the transformation f) • If indifferentiable • cryptosystem using construction as strong as cryptosystem using ideal system • Maurer et al., TCC 2004; Coron et al., CRYPTO 2005

Echternach Symmetric Crypto 2008 18 Differentiating Random Sponges

[ ] distinguisher D

padded [ ] [ ] ? [ ] sponge S0 F RO P f simulator

Echternach Symmetric Crypto 2008 19 Differentiating Random Sponges

• Theorem: a random sponge can be differentiated from a random oracle only with c+1 c probability N(N+1)/2 , with N<2 . ¼ • Here N is the total number of calls to f [ ] Generic attacks D require 2c/2. N

[ 0] [ ]

Echternach Symmetric Crypto 2008 S F 20 Proving the Indifferentiability f a transformation or f • Simulating f a permutation • Keeps memory of (input, output) pairs in a graph [ ] • Properties RO • Sponge-consistence P with what RO says 0 • Similar output distribution • Can be differentiated • By different distribution of simulator and random f

Echternach Symmetric Crypto 2008 21 Outline

 Introduction  Definitions  Uses Examples  Attacking sponges  Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 22 Random Sponge as a Reference

• Reference for concrete designs • External interface (input / output) only • Automatically determines the complexity of attacks • Near-collisions, chosen target forced prefix pre-image, … • Unlike the Random Oracle: • State collisions are modeled • Parameters c r • Capacity , T/P-sponge, bitrate • Input/output size limitations

Echternach Symmetric Crypto 2008 23 Flat Sponge Claim

c/2 • Expected workload: min(Random Oracle, 2 ) random oracle flat sponge claim attack c=512 complexity ) n d e io n g llis 256 (2 a co 2 im re p ion llis co output size 256 512 n

Echternach Symmetric Crypto 2008 24 Outline

 Introduction  Definitions  Uses Examples  Attacking sponges  Indifferentiability  Random sponge as a reference Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 25 Constructing a Sponge Function

• Choose c, r c/2 • No generic attacks below 2 • Transformation or permutation over c+r bits • Construct a random(!) transformation? • Construct a random(!) permutation! • It shall not have any special properties(!) • except its compact description • Other constructions build upon permutations: see also Snefru, FFT-Hash, SMASH, …

Echternach Symmetric Crypto 2008 26 Advantages of the Sponge Construction

• Relative simplicity in design • Permutation similar to block cipher design • E.g., block cipher without key schedule • Flexibility • One permutation can accommodate for several (c,r) pairs • Simplicity • Simple model, simple proofs • Suitable for many applications • Variable-length output

Echternach Symmetric Crypto 2008 27 Outline

 Introduction  Definitions  Uses Examples  Attacking sponges  Indifferentiability  Random sponge as a reference  Constructing a sponge function Conclusion

Echternach Symmetric Crypto 2008 28 Conclusion

• Sponges are a simple model • to model the finite state of iterated primitives • Sponges are a simple tool • for expressing compact security claims • for building hash functions and stream ciphers • Sponges are fun! Thank you for your attention!

Echternach Symmetric Crypto 2008 29 References

• Bertoni et al., Sponge Functions, Ecrypt Hash Workshop 2007, May 2007; also as a public comment to NIST, http://www.csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html • Bertoni et al., On the Indifferentiability of the Sponge Construction, Eurocrypt 2008, to appear • Web page under construction: http://sponge.noekeon.org/ • It should appear end of January 2008

Echternach Symmetric Crypto 2008 30