The cryptographic sponge is a construction scheme for hash functions (and other symmetric primitives) based on an unkeyed permutation. The most famous example is Keccak, which won the SHA-3 competition.
Questions tagged [sponge]
81 questions
36
votes
5 answers
What security do Cryptographic Sponges offer against generic quantum attacks?
In the face of a non-quantum attacker, Keccak[r=1088,c=512] with 512 bits of output provides:
Collision resistance up to $2^{256}$ operations
Preimage resistance up to $2^{256}$ operations
Second preimage resistance up to $2^{256}$ operations
In…
Nakedible
31
votes
1 answer
Is it possible to actually verify a “sponge function” security claim?
When using a “sponge function” to create a cryptographic hash, we can look at the flat sponge claim, which flattens the claimed success probabilities of all attacks using a single parameter: the claimed capacity $c_{claim}$
Is there any way to actually…
Mike Edward Moras
18
votes
2 answers
Why are the constants so simple in Keccak?
Keccak, the construction selected for SHA-3, is very interesting. It seems unlike other primitives and has chosen very simple constants. (Keccak talk PDF)
The initial values of the state in Keccak are all zero, why?
The round constants have just a few…
u0b34a0f6ae
16
votes
1 answer
Where did the SHAKEs come from in SHA3?
Where did SHAKE128 and SHAKE256 originate from?
I am trying to find them in the original Keccak documentation but can't find them.
Is it some special mode of Keccak referenced in the documentation? Or something invented by NIST and added to the SHA3…
kimi
12
votes
2 answers
What is the sponge construction in simple terms?
I suggested to my client to use SHA3 instead of SHA2. I know that SHA3 is based on the Keccak algorithm, which won NIST's competition.
I want to explain the structure of sponge functions in very simple terms; does anybody have a simple explanation of…
Sam Claro
12
votes
2 answers
Why is SHA-3 a Sponge function?
A sponge function is supposed to be able to generate an arbitrary length of output. Yet, SHA3 (Bouncycastle) constrains me to choose an output length between 224, 256, 384, and 512. Evidently, these are not arbitrary lengths. How then is SHA3 a…
user56848
11
votes
2 answers
Why xor the message into the state for sponge hashes?
Sponge hashes like Keccak (SHA-3) and CubeHash xor a message block into part of the internal state. Why use a reversible operation like xor for that, instead of replacing that part of the state with the message block?
It clearly has no effect on…
CodesInChaos
9
votes
1 answer
Sponge with PRF instead of PRP
In most uses of Sponge mode of operations such as SHA3 and many of the round-2 candidates in the NIST lightweight cryptography project, the underlying primitive is a cryptographic permutation - that is, it's bijective.
For reasons of curiosity, I…
DannyNiu
8
votes
1 answer
Why does SpongeWrap not need a Nonce?
The AEAD scheme SpongeWrap based on the sponge construction gets only a header (additional data), a body (the message) and a key as input values, according to the paper where it is defined.
What is missing compared to other AEAD schemes is a nonce…
mat
8
votes
1 answer
How does the sponge construction avoid the weaknesses present in Merkle–Damgård hash function?
How are the weaknesses of the Merkle–Damgård construction (i.e. the Herding attack, multicollisions, length extension, expandable messages) avoided in the sponge construction?
user47987
8
votes
1 answer
Adding parameters to sponge's capacity
Is it safe to XOR parameters like domain, length of the message or block counter into sponge's capacity or that gives attacker control over capacity?
For example NORX XORs domain into capacity.
Does this break sponge security proofs?
What about…
LightBit
8
votes
1 answer
What is the importance of the $r$ and $c$ values for the Sponge Construction?
What is the importance of the $r$ and $c$ values?
Keccak[r=1600,c=0] is stated on a calculator on the Keccak website to be a checksum. But I figured if c=0, then there's only one possible output?
If C is 128, is there only 2^64 possible outputs,…
user3201068
7
votes
1 answer
Is a strong block cipher usable as a strong sponge function?
From the literature, it looks like the security proofs of sponge functions depend on how well they approximate a random permutation. Since a block cipher also ideally behaves like a random permutation does that mean strong block ciphers make for…
John Meacham
7
votes
2 answers
Security analysis of Spritz?
Recently, a new cipher called Spritz has been released by Ronald L. Rivest and Jacob Schuldt. It should be a "drop-in replacement" for RC4.
There are many differences to RC4, Spritz is "spongy" and also has a completely different way to handle the…
ralph
6
votes
1 answer
Rationale for NORX/Ketje/Keyak not being chosen for the CAESAR final portfolio
Was any specific rationale given on why none of the sponge-based AEAD algorithms (specifically NORX, Keyak, and Ketje) of the 3rd round candidates of the CAESAR competition made it to the final portfolio? If so, where can I find additional details?
Astolfo