Join Log in
Score:0
Lance avatar Crypto

How to implement a basic "sponge function"?

tn flag
Lance

In Chapter 6 of Serious Cryptography, they write about the sponge function:

  1. It XORs the first message block, M1, to H0, a predefined initial value of the internal state (for example, the all-zero string). Message blocks are all the same size and smaller than the internal state.
  2. A permutation, P, transforms the internal state to another value of the same size.
  3. It XORs block M2 and applies P again, and then repeats this for the message blocks M3, M4, and so on. This is called the absorbing phase.
  4. After injecting all the message blocks, it applies P again and extracts a block of bits from the state to form the hash. (If you need a longer hash, apply P again and extract a block.) This is called the squeezing phase.

The security of a sponge function depends on the length of its internal state and the length of the blocks. If message blocks are r-bit long and the internal state is w-bit long, then there are c = w – r bits of the internal state that can’t be modified by message blocks. The value of c is called a sponge’s capacity, and the security level guaranteed by the sponge function is c/2. For example, to reach 256-bit security with 64-bit message blocks, the internal state should be w = 2 × 256 + 64 = 576 bits. Of course, the security level also depends on the length, n, of the hash value. The complexity of a collision attack is therefore the smallest value between 2^{n/2} and 2^{c/2}, while the complexity of a second preimage attack is the smallest value between 2^n and 2^{c/2}.

To be secure, the permutation P should behave like a random permutation, without statistical bias and without a mathematical structure that would allow an attacker to predict outputs. As in compression function–based hashes, sponge functions also pad messages, but the padding is simpler because it doesn’t need to include the message’s length. The last message bit is simply followed by a 1 bit and as many zeroes as necessary.

The Wikipedia page is too opaque for turning into code as well.

Wondering if one could show a simplistic demonstration of a realish-world sponge function, to sail home these 4 bullet points on how it works.

Some questions related to implementing it:

  • What is the block size? Assuming 512
  • What is the input data (utf-8, etc.)? Does it matter?
  • What to XOR the first message block with? What number? And future blocks too?

I don't really know where to begin, haven't found any code snippets related to "sponge functions" either.

The Keccak Sponge Functions paper is a bit too math heavy to be able to glean a clear software implementation from it (for me at least).

Just looking for the bare basics. Perhaps this is as simple as it can get?

164
0 + 0
Maarten Bodewes avatar
in flag
Maarten Bodewes
I've made the question less JavaScript specific, as that would be off topic here; the questions you have about the implementation should be on topic. Note that providing sample code still isn't considered on topic here.
0
Reply
Lance avatar
tn flag
Lance
Ok I've removed the snippet, thanks. I found the [keccak sponge function in readable form](https://github.com/lancejpollard/hash/blob/make/lib/keccak-sponge.c), but it's quite dense and involved, can a sponge function not just be very simple to demonstrate how it works?
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
Uh, sure. Maybe there are simple implementations available (there are simplified AES specs used for learning purposes, for instance), but I don't know any. Not sure if other sponge functions would be more applicable. Spritz is certainly deliberately simple, so maybe have a look at that *for learning purposes*. Not sure if the sponge functionality is separated out of the stream cipher in their implementation though. SPONGENT also looks pretty simple. I also saw a paper where a hash was used as underlying function. Now that's of course a bit strange, but it might be helpful for learning purposes
0
Reply
kelalaka avatar
in flag
kelalaka
You forgot some important part of this 1. Every team must submit code for the SHA-3 competition, 2. SHA-3 standard is given by the [NIST](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf) and they have test vectors, too. I might call this dupe of this [Step-by-step working out with example input for NIST Hash Functions like SHA-1,SHA-2, and SHA-3](https://crypto.stackexchange.com/q/95783/18298)
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
I kind of assumed that the Keccak reference implementation would not be sufficiently "simple" and known, but sure you can use the functions of the ref implementation or a language specific port - if that's the answer then sure....
0
Reply
kr flag
mentallurg
Does this answer your question? [What is the sponge construction in simple terms?](https://crypto.stackexchange.com/questions/83258/what-is-the-sponge-construction-in-simple-terms)
0
Reply
Lance avatar
tn flag
Lance
No, I am looking for a technical implementation, ideally in code or pseudocode of some sort.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.