Generic Security of the SAFE API and Its Applications

  • Conference paper
  • In: Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

We provide security foundations for SAFE, a recently introduced API framework for sponge-based hash functions tailored to prime-field-based protocols. SAFE aims to provide a robust and foolproof interface and has been implemented in the Neptune hash framework and in some zero-knowledge proof projects, but despite its usability and applicability it currently lacks any security proof. Such a proof is not straightforward, because SAFE deliberately repurposes the inner (capacity) part of the sponge and fills it with protocol-specific data.

In this work we identify SAFECore, a versatile variant of the sponge construction that underlies SAFE; we prove indifferentiability of SAFECore for all (binary and prime) fields up to around \(|\mathbb{F}_p|^{c/2}\) queries, where \(\mathbb{F}_p\) is the underlying field and c the capacity in field elements; and we apply this security result to various use cases. We show that the SAFE-based protocols for plain hashing, authenticated encryption, verifiable computation, non-interactive proofs, and commitment schemes are secure against a wide class of adversaries, including those that deal with multiple invocations of a sponge within a single application. Our results pave the way for using SAFE with the full taxonomy of hash functions, including SNARK-, lattice-, and x86-friendly hashes.
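The structure the abstract describes, a tag derived from the declared IO pattern placed in the capacity and every absorb/squeeze call checked against that pattern, as an added toy implementation in Python. This is example code written for this page, not the paper's, Neptune's or the SAFE authors' code. Everything below is an assumption not taken from the page: the Goldilocks prime as the field, width 4 with rate 2 and capacity 2, the home-made `toy_permutation`, the simplified tag encoding in `io_tag`, and the helper names `SafeSponge`, `hash_elems` and `generic_security_bits`. The sample inputs in the demo are constructed.

```python
"""Toy SAFE-style sponge over a prime field (added illustration, not the
paper's, Neptune's or the SAFE authors' code).

Assumptions made for this example: Goldilocks prime as field, width 4 /
rate 2 / capacity 2, a home-made permutation and a simplified IO-pattern
encoding.  The structure follows SAFE's design: the declared IO pattern
plus a domain separator is hashed to a tag written into the capacity,
each ABSORB/SQUEEZE call is checked against the pattern, and FINISH
verifies the pattern was consumed before wiping the state."""
import hashlib
import math

P = 2**64 - 2**32 + 1   # Goldilocks prime (assumption: convenient toy field)
T, R = 4, 2             # state width and rate in field elements (assumption)
C = T - R               # capacity: 2 field elements, entirely filled by the tag

# I + J (J = all-ones) has eigenvalues 1 and 5, so it is invertible mod P.
MIX = [[2, 1, 1, 1], [1, 2, 1, 1], [1, 1, 2, 1], [1, 1, 1, 2]]


def toy_permutation(state):
    """Stand-in permutation on F_P^T: round constant, x^7 S-box (a bijection
    because gcd(7, P-1) = 1), then the invertible MIX.  Not a vetted design;
    it only gives the sponge a bijection to drive."""
    s = list(state)
    for rnd in range(8):
        s = [pow((x + rnd + 1) % P, 7, P) for x in s]
        s = [sum(MIX[i][j] * s[j] for j in range(T)) % P for i in range(T)]
    return s


def io_tag(pattern, domain=b""):
    """Hash the declared IO pattern and domain separator into C field
    elements.  The real SAFE tag encoding differs; this one (a type byte and
    a 4-byte length per call, then the domain) is this example's own."""
    enc = b"".join((b"A" if kind == "absorb" else b"S") + n.to_bytes(4, "big")
                   for kind, n in pattern) + b"|" + domain
    digest = hashlib.sha256(enc).digest()
    return [int.from_bytes(digest[8 * i:8 * i + 8], "big") % P for i in range(C)]


class SafeSponge:
    """START / ABSORB / SQUEEZE / FINISH driven by a declared IO pattern,
    given as a list of ("absorb", n) / ("squeeze", n) tuples."""

    def __init__(self, pattern, domain=b""):
        self.pattern = list(pattern)
        self.calls = 0
        self.state = [0] * R + io_tag(self.pattern, domain)  # tag sits in the capacity
        self.absorb_pos = 0
        self.squeeze_pos = R  # squeezing before anything was absorbed permutes first

    def _expect(self, kind, n):
        if self.calls >= len(self.pattern) or self.pattern[self.calls] != (kind, n):
            raise ValueError(f"{kind}({n}) is not the next call of the declared IO pattern")
        self.calls += 1

    def absorb(self, elems):
        self._expect("absorb", len(elems))
        for x in elems:
            if self.absorb_pos == R:
                self.state = toy_permutation(self.state)
                self.absorb_pos = 0
            self.state[self.absorb_pos] = (self.state[self.absorb_pos] + x) % P
            self.absorb_pos += 1
        self.squeeze_pos = R  # fresh input must go through the permutation before output

    def squeeze(self, n):
        self._expect("squeeze", n)
        out = []
        for _ in range(n):
            if self.squeeze_pos == R:
                self.state = toy_permutation(self.state)
                self.squeeze_pos = self.absorb_pos = 0
            out.append(self.state[self.squeeze_pos])
            self.squeeze_pos += 1
        return out

    def finish(self):
        if self.calls != len(self.pattern):
            raise ValueError("declared IO pattern was not fully consumed")
        self.state = [0] * T  # wipe; the object must not be reused


def hash_elems(elems, domain=b"", out_len=1):
    """One-shot hash with the pattern ABSORB(len(elems)) SQUEEZE(out_len)."""
    sp = SafeSponge([("absorb", len(elems)), ("squeeze", out_len)], domain)
    sp.absorb([x % P for x in elems])
    out = sp.squeeze(out_len)
    sp.finish()
    return out


def generic_security_bits(p=P, c=C):
    """log2 of the |F_p|^{c/2} query bound stated in the abstract."""
    return c / 2 * math.log2(p)


if __name__ == "__main__":
    h1 = hash_elems([1, 2, 3], b"merkle-node")   # constructed sample input
    h2 = hash_elems([1, 2, 3], b"commitment")
    print("same data, different domain separators differ:", h1 != h2)
    print("deterministic:", hash_elems([1, 2, 3], b"merkle-node") == h1)
    print("generic bound ~ 2^%.1f queries" % generic_security_bits())
```

Two protocols that absorb the same field elements under different domain separators, or under different declared IO patterns, obtain independent outputs because the tag fills the whole capacity from the first permutation call on; a call that deviates from the declared pattern is rejected before it touches the state. `generic_security_bits` evaluates the abstract's bound of about |F_p|^{c/2} queries: over a 64-bit field with c = 2 that is roughly 2^64, so reaching a 128-bit generic bound over such a field takes c = 4 rather than the toy's 2.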

Notes

  1. For preimage resistance, an improved result is derived, cf. [28].

  2. https://github.com/filecoin-project/neptune/tree/master/src/sponge.

  3. Here, we omit the superscript \(\texttt{RO}\) on \(\texttt{S}\) to simplify notation.

  4. Here, we remark that the distinguisher never makes a redundant query, so it can never set the former condition in an inverse query or the latter condition in a forward query.

  5. In their work, Naito and Ohta omitted a factor 2, which is included here. Our bound can also be derived from [38, Lemma 1].

References

  1. Longsight faulty design (2018). https://github.com/zcash/zcash/issues/2233#issuecomment-416648993

  2. Tornado Cash Privacy Solution Version 1.4 (2021). https://tornado.cash/Tornado.cash_whitepaper_v1.4.pdf

  3. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7

  4. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020). https://doi.org/10.13154/tosc.v2020.i3.1-45

  5. Aumasson, J., Khovratovich, D., Quine, P.: SAFE: Sponge API for Field Elements. Cryptology ePrint Archive, Paper 2023/522 (2023). https://eprint.iacr.org/2023/522

  6. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, 3–5 November 1993, pp. 62–73. ACM (1993). https://doi.org/10.1145/168588.168596

  7. Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Paper 2004/331 (2004). https://eprint.iacr.org/2004/331

  8. Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the Fiat-Shamir heuristic and applications to Helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_38

  9. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017). https://tosc.iacr.org/index.php/ToSC/article/view/801

  10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19

  11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013)

  12. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop 2007 (2007)

  13. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

  14. Bowe, S.: BLS12-381: New zk-SNARK elliptic curve construction (2017). https://electriccoin.co/blog/new-snark-curve

  15. Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

  16. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26

  17. Cortier, V., Gaudry, P., Yang, Q.: How to fake zero-knowledge proofs, again. In: E-Vote-Id 2020-The International Conference for Electronic Voting (2020). https://hal.inria.fr/hal-02928953/document

  18. Daemen, J., Mennink, B., Van Assche, G.: Full-state keyed duplex with built-in multi-user support. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 606–637. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_21

  19. Dao, Q., Miller, J., Wright, O., Grubbs, P.: Weak Fiat-Shamir Attacks on Modern Proof Systems. Cryptology ePrint Archive, Paper 2023/691 (2023). https://eprint.iacr.org/2023/691.pdf

  20. Dobraunig, C., Mennink, B.: Leakage resilience of the duplex construction. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 225–255. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_8

  21. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  22. Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M., Walch, R.: Reinforced concrete: a fast hash function for verifiable computation. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, pp. 1323–1335. Association for Computing Machinery, New York (2022). https://doi.org/10.1145/3548606.3560686

  23. Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021, 11–13 August 2021, pp. 519–535. USENIX Association (2021). https://www.usenix.org/conference/usenixsecurity21/presentation/grassi

  24. Grassi, L., Mennink, B.: Security of truncated permutation without initial value. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part II. LNCS, vol. 13792, pp. 620–650. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22966-4_21

  25. Haines, T., Lewis, S.J., Pereira, O., Teague, V.: How not to prove your election outcome. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020, pp. 644–660. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00048

  26. Hopwood, D., Bowe, S., Hornby, T., Wilcox, N.: Zcash protocol specification (2023). https://github.com/zcash/zips/blob/master/protocol/protocol.pdf

  27. Kothapalli, A., Setty, S., Tzialla, I.: Nova: recursive zero-knowledge arguments from folding schemes. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part IV. LNCS, vol. 13510, pp. 359–388. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_13

  28. Lefevre, C., Mennink, B.: Tight preimage resistance of the sponge construction. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part IV. LNCS, vol. 13510, pp. 185–204. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_7

  29. Maller, M., Khovratovich, D.: Baloo: open source implementation (2022). https://github.com/mmaller/caulk-dev/tree/main/baloo

  30. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2

  31. Mennink, B.: Understanding the duplex and its security. IACR Trans. Symmetric Cryptol. 2023(2), 1–46 (2023). https://tosc.iacr.org/index.php/ToSC/article/view/10976

  32. Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_19

  33. Naito, Y., Ohta, K.: Improved indifferentiable security analysis of PHOTON. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 340–357. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_20

  34. NIST: SHA-3 competition (2007–2012)

  35. Polygon Team: Introducing Plonky2 (2022). https://polygon.technology/blog/introducing-plonky2

  36. Prest, T., et al.: Falcon: fast-Fourier lattice-based compact signatures over NTRU. Submission to NIST's Post-Quantum Cryptography Standardization Process (2018)

  37. Setty, S.: Nova: open source implementation

  38. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Paper 2004/332 (2004). https://eprint.iacr.org/2004/332

  39. Zhang, Y.: Introducing zkEVM (2022). https://scroll.io/blog/zkEVM

Acknowledgements

We would like to thank Mary Maller for fruitful discussions on the applications of our result. Mario Marhuenda Beltrán and Bart Mennink are supported by the Netherlands Organisation for Scientific Research (NWO) under grant VI.Vidi.203.099.

Author information

Corresponding author: Mario Marhuenda Beltrán.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Khovratovich, D., Beltrán, M.M., Mennink, B. (2023). Generic Security of the SAFE API and Its Applications. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14445. Springer, Singapore. https://doi.org/10.1007/978-981-99-8742-9_10

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-8742-9_10

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8741-2

  • Online ISBN: 978-981-99-8742-9

  • eBook Packages: Computer Science (R0)