Cryptographic Sponges Guido Bertoni, Joan Daemen, Michaël Peeters* and Gilles Van Assche *NXP Semiconductors STMicroelectronics Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 2 Introduction • Sponge functions model • the finite state of iterated cryptographic functions • as in iterated hash functions, stream ciphers, etc. • Random sponges can be used • as a reference for (hash function) design • as an inspiration for (hash function) design • Sponges are simple Echternach Symmetric Crypto 2008 3 Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 4 r c Sponge Construction 0 0 p0 f The last block absorbed A C p1 S S shall not be zero. f absorbing squeezing A C z0 S S f A C z1 S S f … Echternach Symmetric Crypto 2008 5 Inner Collisions, State Collisions Inner collision A C A C a S S b S S A C A C S S S S • State collision f • Absorbing phase A C • Hash collision S S State collision • Squeezing phase • Output periodicity Echternach Symmetric Crypto 2008 6 Random Sponges • Random T-sponge c+r 2c+r • Randomly chosen in (2 ) transformations f • Random P-sponge c+r • Randomly chosen in (2 )! permutations f Echternach Symmetric Crypto 2008 7 Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 8 Uses Examples (1/5) • Hash function Padded message Hash 0 f f f … f f Echternach Symmetric Crypto 2008 9 Uses Examples (2/5) • Message authentication code Key Padded message MAC 0 f f f … f f Echternach Symmetric Crypto 2008 10 Uses Examples (3/5) • Stream cipher Key IV Key stream 0 f f f f … f Echternach Symmetric Crypto 2008 11 Uses Examples (4/5) • Random-access stream cipher Key, Key stream IV, i block i 0 f Echternach Symmetric Crypto 2008 12 Uses Examples (5/5) • Mask generating functions, key derivation Variable-length input Variable-length output 0 f f … f f f … f • See PKCS#1 and IEEE Std 1363a Echternach Symmetric Crypto 2008 13 Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 14 Distinguishing Random Sponges • Adversary queries a black box, either RS or RO • Budget of N input and output blocks ? • Theorem: A random sponge can only be distinguished from a random oracle by the presence of inner collisions. • When N 2c/2, inner collisions are unlikely ¿ Echternach Symmetric Crypto 2008 15 Attacking Random Sponges -1 -1 • White box access to f (and f ) f,f • Budget of N function calls • Expected workload for operations: • Producing inner collision • Finding a path to inner state • Producing output cycles • Binding an output string to a state The expected workload is a function of: • Upper bounds for attacks: c • Output collision capacity , • (Second) pre-image P/T-sponge, bitrate r. • Length extension Echternach Symmetric Crypto 2008 16 Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 17 Indifferentiability Framework • Goal: obtain lower bound on generic attacks • Distinguisher has to differentiate between: • the ideal system (Random Oracle), and • the construction (here, the Sponge), • with access to publicly-known function or parameter (here, the transformation f) • If indifferentiable • cryptosystem using construction as strong as cryptosystem using ideal system • Maurer et al., TCC 2004; Coron et al., CRYPTO 2005 Echternach Symmetric Crypto 2008 18 Differentiating Random Sponges [ ] distinguisher D padded [ ] [ ] ? [ ] sponge S0 F RO P f simulator Echternach Symmetric Crypto 2008 19 Differentiating Random Sponges • Theorem: a random sponge can be differentiated from a random oracle only with c+1 c probability N(N+1)/2 , with N<2 . ¼ • Here N is the total number of calls to f [ ] Generic attacks D require 2c/2. N [ 0] [ ] Echternach Symmetric Crypto 2008 S F 20 Proving the Indifferentiability f a transformation or f • Simulating f a permutation • Keeps memory of (input, output) pairs in a graph [ ] • Properties RO • Sponge-consistence P with what RO says 0 • Similar output distribution • Can be differentiated • By different distribution of simulator and random f Echternach Symmetric Crypto 2008 21 Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 22 Random Sponge as a Reference • Reference for concrete designs • External interface (input / output) only • Automatically determines the complexity of attacks • Near-collisions, chosen target forced prefix pre-image, … • Unlike the Random Oracle: • State collisions are modeled • Parameters c r • Capacity , T/P-sponge, bitrate • Input/output size limitations Echternach Symmetric Crypto 2008 23 Flat Sponge Claim c/2 • Expected workload: min(Random Oracle, 2 ) random oracle flat sponge claim attack c=512 complexity ) n d e io n g llis 256 (2 a co 2 im re p ion llis co output size 256 512 n Echternach Symmetric Crypto 2008 24 Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 25 Constructing a Sponge Function • Choose c, r c/2 • No generic attacks below 2 • Transformation or permutation over c+r bits • Construct a random(!) transformation? • Construct a random(!) permutation! • It shall not have any special properties(!) • except its compact description • Other constructions build upon permutations: see also Snefru, FFT-Hash, SMASH, … Echternach Symmetric Crypto 2008 26 Advantages of the Sponge Construction • Relative simplicity in design • Permutation similar to block cipher design • E.g., block cipher without key schedule • Flexibility • One permutation can accommodate for several (c,r) pairs • Simplicity • Simple model, simple proofs • Suitable for many applications • Variable-length output Echternach Symmetric Crypto 2008 27 Outline Introduction Definitions Uses Examples Attacking sponges Indifferentiability Random sponge as a reference Constructing a sponge function Conclusion Echternach Symmetric Crypto 2008 28 Conclusion • Sponges are a simple model • to model the finite state of iterated primitives • Sponges are a simple tool • for expressing compact security claims • for building hash functions and stream ciphers • Sponges are fun! Thank you for your attention! Echternach Symmetric Crypto 2008 29 References • Bertoni et al., Sponge Functions, Ecrypt Hash Workshop 2007, May 2007; also as a public comment to NIST, http://www.csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html • Bertoni et al., On the Indifferentiability of the Sponge Construction, Eurocrypt 2008, to appear • Web page under construction: http://sponge.noekeon.org/ • It should appear end of January 2008 Echternach Symmetric Crypto 2008 30.