Article

On Time-Space Lower Bounds for Finding Short Collisions in Sponge Hash Functions

Authors:

Akshima,

Xiaoqi Duan,

Siyao Guo,

Qipeng LiuAuthors Info & Claims

Theory of Cryptography: 21st International Conference, TCC 2023, Taipei, Taiwan, November 29–December 2, 2023, Proceedings, Part III

Pages 237 - 270

https://doi.org/10.1007/978-3-031-48621-0_9

Published: 29 November 2023 Publication History

Abstract

Sponge paradigm, used in the design of SHA-3, is an alternative hashing technique to the popular Merkle-Damgård paradigm. We revisit the problem of finding B-block-long collisions in sponge hash functions in the auxiliary-input random permutation model, in which an attacker gets a piece of S-bit advice about the random permutation and makes T (forward or inverse) oracle queries to the random permutation.

Recently, significant progress has been made in the Merkle-Damgård setting and optimal bounds are known for a large range of parameters, including all constant values of B. However, the sponge setting is widely open: there exist significant gaps between known attacks and security bounds even for

B = 1

Freitag, Ghoshal and Komargodski (CRYPTO 2022) showed a novel attack for

B = 1

that takes advantage of the inverse queries and achieves advantage

\tilde{Ω} (min (S^{2} T^{2} / 2^{2 c}

{(S^{2} T / 2^{2 c})}^{2 / 3}) + T^{2} / 2^{r})

, where r is bit-rate and c is the capacity of the random permutation. However, they only showed an

\tilde{O} (S T / 2^{c} + T^{2} / 2^{r})

security bound, leaving open an intriguing quadratic gap. For

B = 2

, they beat the general security bound by Coretti, Dodis, Guo (CRYPTO 2018) for arbitrary values of B. However, their highly non-trivial argument is quite laborious, and no better (than the general) bounds are known for

B \geq 3

In this work, we study the possibility of proving better security bounds in the sponge setting. To this end,

•

For

B = 1

, we prove an improved

\tilde{O} (S^{2} T^{2} / 2^{2 c} + S / 2^{c} + T / 2^{c} + T^{2} / 2^{r})

bound. Our bound strictly improves the bound by Freitag et al., and is optimal for

S T^{2} \leq 2^{c}

•

For

B = 2

, we give a considerably simpler and more modular proof, recovering the bound obtained by Freitag et al.

•

We obtain our bounds by adapting the recent multi-instance technique of Akshima, Guo and Liu (CRYPTO 2022) which bypasses the limitations of prior techniques in the Merkle-Damgård setting. To complement our results, we provably show that the recent multi-instance technique cannot further improve our bounds for

B = 1, 2

, and the general bound by Correti et al., for

B \geq 3

Overall, our results yield state-of-the-art security bounds for finding short collisions and fully characterize the power of the multi-instance technique in the sponge setting.

References

[1]

Akshima CD, Drucker A, and Wee H Micciancio D and Ristenpart T Time-space tradeoffs and short collisions in merkle-damgård hash functions Advances in Cryptology - CRYPTO 2020 2020 Heidelberg Springer 157-186

Abstract

References

Cited By

Index Terms

Recommendations

Generic MitM Attack Frameworks on Sponge Constructions

Finding collisions for round-reduced SM3

Collisions for RC4-Hash

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Share

Share this Publication link

Share on social media

Affiliations