1

In Chapter 6 of Serious Cryptography, they write about the sponge function:

  1. It XORs the first message block, M1, to H0, a predefined initial value of the internal state (for example, the all-zero string). Message blocks are all the same size and smaller than the internal state.
  2. A permutation, P, transforms the internal state to another value of the same size.
  3. It XORs block M2 and applies P again, and then repeats this for the message blocks M3, M4, and so on. This is called the absorbing phase.
  4. After injecting all the message blocks, it applies P again and extracts a block of bits from the state to form the hash. (If you need a longer hash, apply P again and extract a block.) This is called the squeezing phase.

The security of a sponge function depends on the length of its internal state and the length of the blocks. If message blocks are r-bit long and the internal state is w-bit long, then there are c = w – r bits of the internal state that can’t be modified by message blocks. The value of c is called a sponge’s capacity, and the security level guaranteed by the sponge function is c/2. For example, to reach 256-bit security with 64-bit message blocks, the internal state should be w = 2 × 256 + 64 = 576 bits. Of course, the security level also depends on the length, n, of the hash value. The complexity of a collision attack is therefore the smallest value between 2^{n/2} and 2^{c/2}, while the complexity of a second preimage attack is the smallest value between 2^n and 2^{c/2}.

To be secure, the permutation P should behave like a random permutation, without statistical bias and without a mathematical structure that would allow an attacker to predict outputs. As in compression function–based hashes, sponge functions also pad messages, but the padding is simpler because it doesn’t need to include the message’s length. The last message bit is simply followed by a 1 bit and as many zeroes as necessary.

The Wikipedia page is too opaque for turning into code as well.

Wondering if one could show a simplistic demonstration of a realish-world sponge function, to sail home these 4 bullet points on how it works.

Some questions related to implementing it:

  • What is the block size? Assuming 512
  • What is the input data (utf-8, etc.)? Does it matter?
  • What to XOR the first message block with? What number? And future blocks too?

I don't really know where to begin, haven't found any code snippets related to "sponge functions" either.

The Keccak Sponge Functions paper is a bit too math heavy to be able to glean a clear software implementation from it (for me at least).

Just looking for the bare basics. Perhaps this is as simple as it can get?

Lance
  • 171
  • 6
  • I've made the question less JavaScript specific, as that would be off topic here; the questions you have about the implementation should be on topic. Note that providing sample code still isn't considered on topic here. – Maarten Bodewes Jan 20 '22 at 09:35
  • Ok I've removed the snippet, thanks. I found the keccak sponge function in readable form, but it's quite dense and involved, can a sponge function not just be very simple to demonstrate how it works? – Lance Jan 20 '22 at 09:54
  • Uh, sure. Maybe there are simple implementations available (there are simplified AES specs used for learning purposes, for instance), but I don't know any. Not sure if other sponge functions would be more applicable. Spritz is certainly deliberately simple, so maybe have a look at that for learning purposes. Not sure if the sponge functionality is separated out of the stream cipher in their implementation though. SPONGENT also looks pretty simple. I also saw a paper where a hash was used as underlying function. Now that's of course a bit strange, but it might be helpful for learning purposes – Maarten Bodewes Jan 20 '22 at 10:01
  • You forgot some important part of this 1. Every team must submit code for the SHA-3 competition, 2. SHA-3 standard is given by the NIST and they have test vectors, too. I might call this dupe of this Step-by-step working out with example input for NIST Hash Functions like SHA-1,SHA-2, and SHA-3 – kelalaka Jan 20 '22 at 10:19
  • I kind of assumed that the Keccak reference implementation would not be sufficiently "simple" and known, but sure you can use the functions of the ref implementation or a language specific port - if that's the answer then sure.... – Maarten Bodewes Jan 20 '22 at 10:32
  • Does this answer your question? What is the sponge construction in simple terms? – mentallurg Jan 20 '22 at 11:39
  • No, I am looking for a technical implementation, ideally in code or pseudocode of some sort. – Lance Jan 20 '22 at 11:47

0 Answers0