Paper 2023/520
Generic Security of the SAFE API and Its Applications
Abstract
We provide security foundations for SAFE, a recently introduced API framework for sponge-based hash functions tailored to prime-field-based protocols. SAFE aims to provide a robust and foolproof interface and has been implemented in the Neptune hash framework and in some zero-knowledge proof projects, but it currently lacks any security proof. In this work we identify SAFECore, a versatile variant of the sponge construction underlying SAFE; we prove indifferentiability of SAFECore for all (binary and prime) fields up to around $|\mathbb{F}_p|^{c/2}$ queries, where $\mathbb{F}_p$ is the underlying field and $c$ the capacity; and we apply this security result to various use cases. We show that the SAFE-based protocols of plain hashing, authenticated encryption, verifiable computation, non-interactive proofs, and commitment schemes are secure against a wide class of adversaries, including those dealing with multiple invocations of a sponge in a single application. Our results pave the way for using SAFE with the full taxonomy of hash functions, including SNARK-, lattice-, and x86-friendly hashes.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Preprint.
- Keywords
- SAFE, sponge, API, field elements, indifferentiability
- Contact author(s)
- khovratovich @ gmail com
- mmarhuenda @ cs ru nl
- b mennink @ cs ru nl
- History
- 2023-09-14: last of 2 revisions
- 2023-04-11: received
- See all versions
- Short URL
- https://ia.cr/2023/520
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/520,
  author = {Dmitry Khovratovich and Mario Marhuenda Beltrán and Bart Mennink},
  title = {Generic Security of the {SAFE} {API} and Its Applications},
  howpublished = {Cryptology {ePrint} Archive, Paper 2023/520},
  year = {2023},
  url = {https://eprint.iacr.org/2023/520}
}