Chapter

Advances in Cryptology – EUROCRYPT 2008

Volume 4965 of the series Lecture Notes in Computer Science pp 181-197

On the Indifferentiability of the Sponge Construction

  • Guido BertoniAffiliated withSTMicroelectronics
  • , Joan DaemenAffiliated withSTMicroelectronics
  • , Michaël PeetersAffiliated withNXP Semiconductors
  • , Gilles Van AsscheAffiliated withSTMicroelectronics

Abstract

In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when being used with a random transformation or a random permutation and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for a construction calling a random permutation (instead of an ideal compression function or ideal block cipher) and for a construction generating outputs of any length (instead of a fixed length).