Abstract
Sponge hashing is a novel alternative to the popular Merkle-Damgård hashing design. The sponge construction has become increasingly popular in various applications, perhaps most notably, it underlies the SHA-3 hashing standard. Sponge hashing is parametrized by two numbers, r and c (bitrate and capacity, respectively), and by a fixed-size permutation on r+ c bits. In this work, we study the collision resistance of sponge hashing instantiated with a random permutation by adversaries with arbitrary S-bit auxiliary advice input about the random permutation that make T online queries. Recent work by Coretti et al. (CRYPTO ’18) showed that such adversaries can find collisions (with respect to a random c-bit initialization vector) with advantage Θ(ST2/ 2c+ T2/ 2r). Although the above attack formally breaks collision resistance in some range of parameters, its practical relevance is limited since the resulting collision is very long (on the order of T blocks). Focusing on the task of finding short collisions, we study the complexity of finding a B-block collision for a given parameter B≥ 1. We give several new attacks and limitations. Most notably, we give a new attack that results in a single-block collision and has advantage Ω((S2T22c)2/3+T22r). In certain range of parameters (e.g., ST2> 2c ), our attack outperforms the previously-known best attack. To the best of our knowledge, this is the first natural application for which sponge hashing is provably less secure than the corresponding instance of Merkle-Damgård hashing. Our attack relies on a novel connection between single-block collision finding in sponge hashing and the well-studied function inversion problem. We also give a general attack that works for any B≥ 2 and has advantage Ω(STB/ 2c+ T2/ 2min { r , c }), adapting an idea of Akshima et al. (CRYPTO ’20). We complement the above attacks with bounds on the best possible attacks. Specifically, we prove that there is a qualitative jump in the advantage of best possible attacks for finding unbounded-length collisions and those for finding very short collisions. Most notably, we prove (via a highly non-trivial compression argument) that the above attack is optimal for B= 2 in some range of parameters.
Original language | English |
---|---|
Title of host publication | Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings |
Editors | Yevgeniy Dodis, Thomas Shrimpton |
Publisher | Springer Science and Business Media Deutschland GmbH |
Pages | 131-160 |
Number of pages | 30 |
ISBN (Print) | 9783031159817 |
DOIs | |
State | Published - 2022 |
Event | 42nd Annual International Cryptology Conference, CRYPTO 2022 - Santa Barbara, United States Duration: 15 Aug 2022 → 18 Aug 2022 |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 13509 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 42nd Annual International Cryptology Conference, CRYPTO 2022 |
---|---|
Country/Territory | United States |
City | Santa Barbara |
Period | 15/08/22 → 18/08/22 |
Bibliographical note
Publisher Copyright:© 2022, International Association for Cryptologic Research.