TY - JOUR
T1 - Time-Space Tradeoffs for Sponge Hashing
T2 - Attacks and Limitations for Short Collisions
AU - Freitag, Cody
AU - Ghoshal, Ashrujit
AU - Komargodski, Ilan
N1 - Publisher Copyright:
© The Author(s) 2025.
PY - 2026/1
Y1 - 2026/1
AB - Sponge hashing is a novel alternative to the popular Merkle-Damgård hashing design. The sponge construction has become increasingly popular in various applications; perhaps most notably, it underlies the SHA-3 hashing standard. Sponge hashing is parametrized by two numbers, r and c (bitrate and capacity, respectively), and by a fixed-size permutation on r+c bits. In this work, we study the collision resistance of sponge hashing instantiated with a random permutation by adversaries with arbitrary S-bit auxiliary advice input about the random permutation that make T online queries. Recent work by Coretti et al. (CRYPTO '18) showed that such adversaries can find collisions (with respect to a random c-bit initialization vector) with advantage Θ(ST^2/2^c + T^2/2^r). Although the above attack formally breaks collision resistance in some range of parameters, its practical relevance is limited since the resulting collision is very long (on the order of T blocks). Focusing on the task of finding short collisions, we study the complexity of finding a B-block collision for a given parameter B ≥ 1. We give several new attacks and limitations. Most notably, we give a new attack that results in a single-block collision and has advantage (Formula presented.) In a certain range of parameters (e.g., ST^2 > 2^c), our attack outperforms the previously-known best attack. To the best of our knowledge, this is the first natural application for which sponge hashing is provably less secure than the corresponding instance of Merkle-Damgård hashing. Our attack relies on a novel connection between single-block collision finding in sponge hashing and the well-studied function inversion problem. We also give a general attack that works for any B ≥ 2 and has advantage Ω(STB/2^c + T^2/2^min{r,c}), adapting an idea of Akshima et al. (CRYPTO '20). We complement the above attacks with bounds on the best possible attacks. Specifically, we prove that there is a qualitative jump in the advantage of the best possible attacks for finding unbounded-length collisions and those for finding very short collisions. Most notably, we prove (via a highly non-trivial compression argument) that the above attack is optimal for B = 2 in some range of parameters.
UR - https://www.scopus.com/pages/publications/105024077870
U2 - 10.1007/s00145-025-09558-1
DO - 10.1007/s00145-025-09558-1
M3 - Article
AN - SCOPUS:105024077870
SN - 0933-2790
VL - 39
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 1
M1 - 9
ER -