eprint.iacr.org will be offline for approximately an hour for routine maintenance again at 10pm UTC on Wednesday, April 17.

Paper 2023/520

Generic Security of the SAFE API and Its Applications

Dmitry Khovratovich, Ethereum Foundation
Mario Marhuenda Beltrán, Radboud University Nijmegen
Bart Mennink, Radboud University Nijmegen

We provide security foundations for SAFE, a recently introduced API framework for sponge-based hash functions tailored to prime-field-based protocols. SAFE aims to provide a robust and foolproof interface, has been implemented in the Neptune hash framework and some zero-knowledge proof projects, but currently lacks any security proof. In this work we identify the SAFECore as versatile variant sponge construction underlying SAFE, we prove indifferentiability of SAFECore for all (binary and prime) fields up to around $|\mathbb{F}_p|^{c/2}$ queries, where $\mathbb{F}_p$ is the underlying field and $c$ the capacity, and we apply this security result to various use cases. We show that the SAFE-based protocols of plain hashing, authenticated encryption, verifiable computation, non-interactive proofs, and commitment schemes are secure against a wide class of adversaries, including those dealing with multiple invocations of a sponge in a single application. Our results pave the way of using SAFE with the full taxonomy of hash functions, including SNARK-, lattice-, and x86-friendly hashes.

Available format(s)
Secret-key cryptography
Publication info
SAFEspongeAPIfield elementsindifferentiability
Contact author(s)
khovratovich @ gmail com
mmarhuenda @ cs ru nl
b mennink @ cs ru nl
2023-09-14: last of 2 revisions
2023-04-11: received
See all versions
Short URL
Creative Commons Attribution


      author = {Dmitry Khovratovich and Mario Marhuenda Beltrán and Bart Mennink},
      title = {Generic Security of the SAFE API and Its Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2023/520},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/520}},
      url = {https://eprint.iacr.org/2023/520}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.