
From the literature, it looks like the security proofs of sponge functions depend on how well they approximate a random permutation. Since a block cipher also ideally behaves like a random permutation, does that mean strong block ciphers make for strong sponge functions?

As in, can I expect:

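```c
extern char *input, *output;
extern int input_length, output_length;

/* Assumed signature: encrypts one 16-byte block from in to out under key. */
void AES128_encrypt(const char *key, const char *in, char *out);

void sponge_hash(void)
{
    char block[16] = {0};   /* 128-bit state: 8-bit rate, 120-bit capacity */
    char key[16] = {0};     /* fixed, publicly known key */
    int i;

    /* Absorb: permute the state, then XOR one input byte into the rate. */
    for (i = 0; i < input_length; i++) {
        AES128_encrypt(key, block, block);
        block[0] ^= input[i];
    }
    /* Squeeze: permute the state, then emit one byte of the rate. */
    for (i = 0; i < output_length; i++) {
        AES128_encrypt(key, block, block);
        output[i] = block[0];
    }
}
```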

to be a cryptographically strong sponge hash of rate 8 bits and capacity 120 bits and hence be strong against $2^{60}$ attacks?

otus
John Meacham

1 Answer


I believe that, in this specific case, you are correct; it would appear to take $2^{60}$ effort to find a collision in the above function.

On the other hand, there is one nit with this approach: this makes stronger assumptions on the block cipher than is typically assumed. A block cipher behaves as a random permutation if it is keyed by a random unknown key; there is no such requirement that holds if it is keyed by a publicly known key. AES is believed to act like a random permutation even with a fixed key; however, that might not hold in general. You could come up with an artificial block cipher that meets the normal requirements, but doesn't work as a sponge function.

poncho
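The answer's closing point, as an added example that is not part of the original question or answer: a cipher with a single weak key still looks fine under a random secret key, yet the question's construction with the all-zero public key degenerates to an XOR of the input bytes. `toy_encrypt`, `artificial_encrypt`, `sponge` and `collides` are hypothetical names, and the 64-bit toy permutation is an assumed stand-in for a real block cipher, not AES and not secure.

```c
#include <stdint.h>
#include <string.h>

/* Toy 64-bit keyed permutation standing in for a real block cipher
   (assumption: NOT AES and NOT secure; chosen only to keep this short).
   Every step is invertible, so it is a permutation for every key. */
static uint64_t toy_encrypt(uint64_t key, uint64_t x)
{
    x ^= key;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Artificial cipher: the underlying cipher plus one weak key (identity).
   A uniformly random secret key equals 0 with probability 2^-64, so if the
   underlying cipher were a secure PRP, this one would be as well. */
static uint64_t artificial_encrypt(uint64_t key, uint64_t x)
{
    return key == 0 ? x : toy_encrypt(key, x);
}

/* The question's construction scaled to a 64-bit state: rate 8 bits,
   capacity 56 bits, permutation = artificial_encrypt under a public key. */
void sponge(uint64_t key, const unsigned char *in, size_t in_len,
            unsigned char *out, size_t out_len)
{
    uint64_t state = 0;
    for (size_t i = 0; i < in_len; i++) {       /* absorb */
        state = artificial_encrypt(key, state);
        state ^= in[i];
    }
    for (size_t i = 0; i < out_len; i++) {      /* squeeze */
        state = artificial_encrypt(key, state);
        out[i] = (unsigned char)state;
    }
}

/* Returns 1 if both messages produce the same 8-byte digest under key. */
int collides(uint64_t key, const char *m1, const char *m2)
{
    unsigned char d1[8], d2[8];
    sponge(key, (const unsigned char *)m1, strlen(m1), d1, sizeof d1);
    sponge(key, (const unsigned char *)m2, strlen(m2), d2, sizeof d2);
    return memcmp(d1, d2, sizeof d1) == 0;
}
```

With the all-zero key, any two messages whose bytes XOR to the same value collide, so the capacity contributes nothing; with a nonzero key the same pair of messages no longer collides.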