[Resource Topic] 2024/911: Generalized Indifferentiable Sponge and its Application to Polygon Miden VM

Welcome to the resource topic for 2024/911

Generalized Indifferentiable Sponge and its Application to Polygon Miden VM

Authors: Tomer Ashur, Amit Singh Bhati


Cryptographic hash functions are said to be the work-horses of modern cryptography. One of the strongest approaches to assess a cryptographic hash function’s security is indifferentiability. Informally, indifferentiability measures to what degree the function resembles a random oracle when instantiated with an ideal underlying primitive. However, proving the indifferentiability security of hash functions has been challenging due to complex simulator designs and proof arguments. The Sponge construction is one of the prevalent hashing method used in various systems. The Sponge has been shown to be indifferentiable from a random oracle when initialized with a random permutation.

In this work, we first introduce \mathsf{GSponge}, a generalized form of the Sponge construction offering enhanced flexibility in input chaining, field sizes, and padding types. \mathsf{GSponge} not only captures all existing sponge variants but also unveils new, efficient ones. The generic structure of \mathsf{GSponge} facilitates the discovery of two micro-optimizations for already deployed sponges. Firstly, it allows a new padding rule based on zero-padding and domain-separated inputs, saving one full permutation call in certain cases without increasing the generation time of zero-knowledge proofs. Secondly, it allows to absorb up to \mathsf{c}/2 more elements (that can save another permutation call for certain message lengths) without compromising the indifferentiability security. These optimizations enhance hashing time for practical use cases such as Merkle-tree hashing and short message processing.

We then propose a new efficient instantiation of \mathsf{GSponge} called \mathsf{Sponge2} capturing these micro-optimizations and provide a formal indifferentiability proof to establish both \mathsf{Sponge2} and \mathsf{GSponge}'s security. This proof, simpler than the original for Sponges, offers clarity and ease of understanding for real-world practitioners. Additionally, it is demonstrated that \mathsf{GSponge} can be safely instantiated with permutations defined over large prime fields, a result not previously formally proven.

ePrint: https://eprint.iacr.org/2024/911

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .