Paper 2025/963

Permutation-Based Hashing With Stronger (Second) Preimage Resistance

Siwei Sun, School of Cryptology, University of Chinese Academy of Sciences, China
Shun Li, School of Cryptology, University of Chinese Academy of Sciences, China
Zhiyu Zhang, School of Cryptology, University of Chinese Academy of Sciences, China
Charlotte Lefevre, Univ Rennes, Inria, CNRS, IRISA, Rennes, France
Bart Mennink, Maastricht University, Maastricht, The Netherlands
Zhen Qin, School of Cryptology, University of Chinese Academy of Sciences, China
Dengguo Feng, State Key Laboratory of Cryptology, China
Abstract

The sponge is a popular construction of hash function design. It operates with a $b$-bit permutation on a $b$-bit state, that is split into a $c$-bit inner part and an $r$-bit outer part. However, the security bounds of the sponge are most often dominated by the capacity $c$: if the length of the digest is $n$ bits, the construction tightly achieves $\min\{n/2,c/2\}$-bit collision resistance, $\min\{n,c/2\}$-bit second preimage resistance, and $\min\{n,\max\{n-r,c/2\}\}$-bit preimage resistance. Here, it is noteworthy that the generic attacks matching the preimage and second preimage bounds make use of the inverse of the permutation. We demonstrate that, by a relatively simple adjustment, significantly improved preimage and second preimage resistance can be achieved. In detail, we first present the SPONGE-DM construction, that differs from the sponge by evaluating the permutation during absorption in a Davies-Meyer mode. This construction generically achieves $\min\{n/2,c/2\}$-bit collision resistance as the sponge does, but $n$-bit preimage resistance and $\min\{n,c-\log_2(\alpha)\}$-bit second preimage resistance, where $\alpha$ is the maximum size of the first preimage in blocks. Next, we investigate how improved security can be achieved with a smaller feed-forward, and we present the SPONGE-EDM$^a$ family of functions, indexed by a parameter $a\in\{0,\ldots,b\}$. These functions replace the permutation during absorption in the sponge by an Encrypted Davies-Meyer mode, but with only $a$ bits of feed-forward. For $a=b$, comparable bounds as for SPONGE-DM are obtained, and these bounds gradually decrease to the original sponge bounds for decreasing values of $a$. We present various instantiations of SPONGE-DM and SPONGE-EDM$^a$ using the Keccak and Ascon permutations, and concretely demonstrate the immediate security and performance gains of these instances. For example, one can achieve up to $512$-bit preimage and second preimage resistance using the $800$-bit Keccak permutation (rather than 1600-bit in SHA-3), and likewise, one can use the $1600$-bit Keccak permutation to easily achieve up to $1024$-bit preimage and second preimage resistance (therewith properly fitting within the recently announced Chinese call for a new generation of cryptographic algorithms). Finally, we show the benefits of using these instantiations in the context of hash-based signature schemes whose security relies solely on the (second) preimage resistance of the underlying hash functions (such as Ascon-Sign).

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2026
Keywords
SHA3Sponge(Second) preimage resistanceCryptographic permutationsHash-based signatures
Contact author(s)
siweisun isaac @ gmail com
lishun @ ucas ac cn
zhangzhiyu @ ucas ac cn
charlotte lefevre @ irisa fr
bart mennink @ maastrichtuniversity nl
History
2026-06-04: last of 6 revisions
2025-05-26: received
See all versions
Short URL
https://ia.cr/2025/963
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/963,
      author = {Siwei Sun and Shun Li and Zhiyu Zhang and Charlotte Lefevre and Bart Mennink and Zhen Qin and Dengguo Feng},
      title = {Permutation-Based Hashing With Stronger (Second) Preimage Resistance},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/963},
      year = {2025},
      url = {https://eprint.iacr.org/2025/963}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.