Abstract
The sponge paradigm, used in the design of SHA-3, is an alternative hashing technique to the popular Merkle-Damgård paradigm. We revisit the problem of finding B-block-long collisions in sponge hash functions in the auxiliary-input random permutation model, in which an attacker gets a piece of S-bit advice about the random permutation and makes T (forward or inverse) oracle queries to the random permutation.
Recently, significant progress has been made in the Merkle-Damgård setting and optimal bounds are known for a large range of parameters, including all constant values of B. However, the sponge setting is wide open: there exist significant gaps between known attacks and security bounds even for \(B=1\).
Freitag, Ghoshal and Komargodski (CRYPTO 2022) showed a novel attack for \(B=1\) that takes advantage of the inverse queries and achieves advantage \(\widetilde{\varOmega}(\min(S^2T^2/2^{2c}, (S^2T/2^{2c})^{2/3})+T^2/2^r)\), where r is the bit-rate and c is the capacity of the random permutation. However, they only showed an \(\widetilde{O}(ST/2^c+T^2/2^r)\) security bound, leaving open an intriguing quadratic gap. For \(B=2\), they beat the general security bound by Coretti, Dodis, Guo (CRYPTO 2018) for arbitrary values of B. However, their highly non-trivial argument is quite laborious, and no better (than the general) bounds are known for \(B\ge 3\).
In this work, we study the possibility of proving better security bounds in the sponge setting. To this end,
- For \(B=1\), we prove an improved \(\widetilde{O}(S^2T^2/2^{2c}+S/2^c+T/2^c+T^2/2^r)\) bound. Our bound strictly improves the bound by Freitag et al., and is optimal for \(ST^2\le 2^c\).
- For \(B=2\), we give a considerably simpler and more modular proof, recovering the bound obtained by Freitag et al.
- We obtain our bounds by adapting the recent multi-instance technique of Akshima, Guo and Liu (CRYPTO 2022), which bypasses the limitations of prior techniques in the Merkle-Damgård setting. To complement our results, we provably show that the recent multi-instance technique cannot further improve our bounds for \(B=1,2\), nor the general bound by Coretti et al. for \(B\ge 3\).
Overall, our results yield state-of-the-art security bounds for finding short collisions and fully characterize the power of the multi-instance technique in the sponge setting.
Notes
1. In some practical sponge applications like SHA-3, this salt is usually set to 0. However, when we study the collision resistance of sponge hash functions in the auxiliary input model, such a fixed salt will make finding collisions trivial. [CDG18] identified this need for salting the hash functions for collision resistance in the auxiliary input model and so we are interested in the security bounds against a random initialization salt (just like what prior works [CDG18, ACDW20, AGL22, FGK22] did). See more details on the definition of the auxiliary input model below in Sect. 2.4.
2. [CDG18] proved an \(\widetilde{O}(\frac{ST^2}{C}+\frac{T^2}{R})\) bound using presampling, which implies an \((\widetilde{O}(\frac{ST^2}{C}+\frac{T^2}{R}))^S\) multi-instance security.
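The following toy model is an added illustration, not code from the paper: a salted sponge with rate r=4 and capacity c=8 over a table-based stand-in for the random permutation. It makes the point of Note 1 concrete: with a fixed salt, one precomputed B-block collision is advice that works for every instance, whereas a random initialization salt leaves that advice useful on only a small fraction of salts. The state layout (high r bits rate, low c bits capacity) and placing the salt in the capacity part are assumptions of this example.

```python
import random

R, C = 4, 8                  # toy rate r and capacity c in bits; width n = r + c = 12
N = R + C
RATE_MASK = (1 << R) - 1
CAP_MASK = (1 << C) - 1


def make_permutation(seed):
    """Stand-in for the ideal random permutation pi on n bits: a shuffled table.
    The auxiliary-input model also allows inverse queries (pi^{-1}); this example
    only needs forward evaluations, so only the forward table is built."""
    rng = random.Random(seed)
    table = list(range(1 << N))
    rng.shuffle(table)
    return table


PI = make_permutation(2023)  # constructed toy permutation with a fixed seed


def sponge_hash(salt, blocks):
    """Salted sponge: the capacity part of the initial state holds the salt and the
    rate part is zero. Each r-bit block is XORed into the rate part, pi is applied,
    and the final r-bit rate part is the digest (a single squeeze)."""
    state = salt & CAP_MASK
    for m in blocks:
        state = PI[state ^ ((m & RATE_MASK) << C)]
    return state >> C


def find_collision(salt, B=2):
    """Exhaustive B-block collision search for one salt. With B=2 there are
    2^(2r) = 256 messages but only 2^r = 16 digests, so by pigeonhole a collision
    always exists; feasible only because the toy width is 12 bits."""
    seen = {}
    for idx in range(1 << (R * B)):
        msg = tuple((idx >> (R * i)) & RATE_MASK for i in range(B))
        h = sponge_hash(salt, msg)
        if h in seen:
            return seen[h], msg      # two distinct messages, same digest
        seen[h] = msg
    return None


def advice_transfer_rate(pair):
    """Fraction of the 2^c salts under which a precomputed pair still collides.
    With a fixed salt this fraction is irrelevant (the pair always works); with a
    random salt the pair collides on roughly a 1/2^r fraction of instances."""
    m1, m2 = pair
    hits = sum(1 for s in range(1 << C) if sponge_hash(s, m1) == sponge_hash(s, m2))
    return hits / (1 << C)
```

The pair returned by `find_collision(0)` is the kind of advice a fixed-salt sponge would hand an attacker for free; `advice_transfer_rate` shows how little of it survives a random salt.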
References
Akshima, Cash, D., Drucker, A., Wee, H.: Time-space tradeoffs and short collisions in Merkle-Damgård hash functions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 157–186. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-56784-2_6
Akshima, Guo, S., Liu, Q.: Time-space lower bounds for finding collisions in Merkle-Damgård hash functions. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13509, pp. 192–221. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15982-4_7
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: ECRYPT Hash Workshop, vol. 2007. Citeseer (2007)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Coretti, S., Dodis, Y., Guo, S.: Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 693–721. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_23
Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_9
Corrigan-Gibbs, H., Kogan, D.: The discrete-logarithm problem with preprocessing. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 415–447. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_14
Corrigan-Gibbs, H., Kogan, D.: The function-inversion problem: barriers and opportunities. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 393–421. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_16
Chung, K.M., Guo, S., Liu, Q., Qian, L.: Tight quantum time-space tradeoffs for function inversion. In: Irani, S. (ed.) 61st IEEE Annual Symposium on Foundations of Computer Science, FOCS 2020, Durham, NC, USA, 16–19 November 2020, pp. 673–684. IEEE (2020)
Chawin, D., Haitner, I., Mazor, N.: Lower bounds on the time/memory tradeoff of function inversion. In: Theory of Cryptography - 18th International Conference, TCC 2020, Durham, NC, USA, 16–19 November 2020, Proceedings, Part III, pp. 305–334 (2020)
Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39
Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_16
De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_35
Freitag, C., Ghoshal, A., Komargodski, I.: Time-space tradeoffs for sponge hashing: attacks and limitations for short collisions. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13509, pp. 131–160. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15982-4_5
Freitag, C., Ghoshal, A., Komargodski, I.: Optimal security for keyed hash functions: avoiding time-space tradeoffs for finding collisions. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14007, pp. 440–469. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30634-1_15
Gravin, N., Guo, S., Kwok, T.C., Lu, P.: Concentration bounds for almost k-wise independence with applications to non-uniform security. In: Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms, SODA 2021, Virtual Conference, 10–13 January 2021, pp. 2404–2423 (2021)
Golovnev, A., Guo, S., Peters, S., Stephens-Davidowitz, N.: Revisiting time-space tradeoffs for function inversion. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14082, pp. 453–481. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-38545-2_15
Ghoshal, A., Komargodski, I.: On time-space tradeoffs for bounded-length collisions in Merkle-Damgård hashing. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13509, pp. 161–191. Springer, Heidelberg (2022)
Ghoshal, A., Tessaro, S.: The query-complexity of preprocessing attacks. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14082, pp. 482–513. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-38545-2_16
Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)
Impagliazzo, R., Kabanets, V.: Constructive proofs of concentration bounds. In: Serna, M., Shaltiel, R., Jansen, K., Rolim, J. (eds.) APPROX/RANDOM -2010. LNCS, vol. 6302, pp. 617–631. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15369-3_46
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
Acknowledgements
We thank the TCC reviewers for their constructive comments. Siyao Guo and Akshima are supported by National Natural Science Foundation of China Grant No. 62102260, Shanghai Municipal Education Commission (SMEC) Grant No. 0920000169, NYTP Grant No. 20121201 and the NYU Shanghai Boost Fund. The work was done while Xiaoqi Duan was a research assistant at Shanghai Qi Zhi Institute and supported by the Shanghai Qi Zhi Institute. Most of the work was done while Qipeng Liu was a postdoctoral researcher at the Simons Institute, supported in part by the Simons Institute for the Theory of Computing through a Quantum Postdoctoral Fellowship and by DARPA SIEVE-VESPA grant No. HR00112020023. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the supporting institutions.
© 2023 International Association for Cryptologic Research
Cite this paper
Akshima, Duan, X., Guo, S., Liu, Q. (2023). On Time-Space Lower Bounds for Finding Short Collisions in Sponge Hash Functions. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_9
DOI: https://doi.org/10.1007/978-3-031-48621-0_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48620-3
Online ISBN: 978-3-031-48621-0