Paper 2024/407
Permutation-Based Hashing Beyond the Birthday Bound
Abstract
It is known that the sponge construction is tightly indifferentiable from a random oracle up to around $2^{c/2}$ queries, where $c$ is the capacity. In particular, it cannot provide generic security better than half of the underlying permutation size. In this paper, we aim to achieve hash function security beating this barrier. We present a hashing mode based on two $b$-bit permutations named the double sponge. The double sponge can be seen as the sponge embedded within the double block length hashing paradigm, making two permutation calls in parallel interleaved with an efficient mixing function. Similarly to the sponge, the permutation size is split as $b = r+c$, and the underlying compression function absorbs $r$ bits at a time. We prove that the double sponge is indifferentiable from a random oracle up to around $2^{2c/3}$ queries. This means that the double sponge achieves security beyond the birthday bound in the capacity. In addition, if $c>3b/4$, the double sponge beats the birthday bound in the primitive size, to our knowledge being the first hashing mode based on a permutation that accomplices this feature.
Metadata
- Available format(s)
-
PDF
- Category
- Secret-key cryptography
- Publication info
- Published by the IACR in TOSC 2024
- DOI
- 10.46586/tosc.v2024.i1.71-113
- Keywords
- double block length hashingpermutation-based hashingspongelightweight cryptographybeyond birthday bound
- Contact author(s)
-
charlotte lefevre @ ru nl
b mennink @ cs ru nl - History
- 2024-03-08: approved
- 2024-03-06: received
- See all versions
- Short URL
- https://ia.cr/2024/407
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2024/407,
author = {Charlotte Lefevre and Bart Mennink},
title = {Permutation-Based Hashing Beyond the Birthday Bound},
howpublished = {Cryptology ePrint Archive, Paper 2024/407},
year = {2024},
doi = {10.46586/tosc.v2024.i1.71-113},
note = {\url{https://eprint.iacr.org/2024/407}},
url = {https://eprint.iacr.org/2024/407}
}
