We next demonstrate how the negative effects on the security bound of the construction by Daemen et al. can be resolved. Instead of only allowing a truncated output, we generalize the construction to allow for any finalization function and investigate the security of this for five different types of finalization. Our findings, among others, show that the security of the SHA-2 mode does not degrade if the feed-forward is dropped and that the modern BLAKE3 construction is secure in principle but that its use of the extendable output requires its counter used for random access to be public. Finally, we introduce the tree sponge, a generalization of the sequential sponge construction with parallel absorbing and squeezing.
Category / Keywords: secret-key cryptography / Hash Functions, Block Ciphers, Tree Hashing, Indifferentiability Date: received 2 Mar 2022 Contact author: aldo gunsing at ru nl Available format(s): PDF | BibTeX Citation Version: 20220302:142523 (All versions of this report) Short URL: ia.cr/2022/283