Paper 2022/1009

Time-Space Tradeoffs for Sponge Hashing: Attacks and Limitations for Short Collisions

Cody Freitag, Cornell Tech
Ashrujit Ghoshal, University of Washington
Ilan Komargodski, Hebrew University of Jerusalem, NTT Research
Abstract

Sponge hashing is a novel alternative to the popular Merkle-Damgård hashing design. The sponge construction has become increasingly popular in various applications, perhaps most notably, it underlies the SHA-3 hashing standard. Sponge hashing is parametrized by two numbers, r and c (bitrate and capacity, respectively), and by a fixed-size permutation on bits. In this work, we study the collision resistance of sponge hashing instantiated with a random permutation by adversaries with arbitrary -bit auxiliary advice input about the random permutation that make online queries. Recent work by Coretti et al. (CRYPTO '18) showed that such adversaries can find collisions (with respect to a random -bit initialization vector) with advantage . Although the above attack formally breaks collision resistance in some range of parameters, its practical relevance is limited since the resulting collision is very long (on the order of blocks). Focusing on the task of finding short collisions, we study the complexity of finding a -block collision for a given parameter . We give several new attacks and limitations. Most notably, we give a new attack that results in a single-block collision and has advantage In certain range of parameters (e.g., ), our attack outperforms the previously-known best attack. To the best of our knowledge, this is the first natural application for which sponge hashing is provably less secure than the corresponding instance of Merkle-Damgård hashing. Our attack relies on a novel connection between single-block collision finding in sponge hashing and the well-studied function inversion problem. We also give a general attack that works for any and has advantage , adapting an idea of Akshima et al. (CRYPTO '20). We complement the above attacks with bounds on the best possible attacks. Specifically, we prove that there is a qualitative jump in the advantage of best possible attacks for finding unbounded-length collisions and those for finding very short collisions. Most notably, we prove (via a highly non-trivial compression argument) that the above attack is optimal for in some range of parameters.

Note: Fixed a typo in Claim 5.9

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A major revision of an IACR publication in CRYPTO 2022
Keywords
Time-space tradeoffsAI-RPMSponge constructionshort collisions
Contact author(s)
cfreitag @ cs cornell edu
ashrujit @ cs washington edu
ilank @ cs huji ac il
History
2023-03-09: last of 2 revisions
2022-08-05: received
See all versions
Short URL
https://ia.cr/2022/1009
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2022/1009,
      author = {Cody Freitag and Ashrujit Ghoshal and Ilan Komargodski},
      title = {Time-Space Tradeoffs for Sponge Hashing: Attacks and Limitations for Short Collisions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1009},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1009}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.