Design

SPONGENT is a family of lightweight hash functions designed by Andrey Bogdanov, Miroslav Knežević , Gregor Leander, Deniz Toz, Kerem Varıcı, and Ingrid Verbauwhede

SPONGENT is a hermetic sponge based on a wide PRESENT-type permutation. Given a finite number of input bits, it produces hash sizes of 88 (for preimage resistance only), 128,160, 224, and 256 bits based on a sponge construction following the hermetic sponge strategy.

Permutation-based Sponge Construction

SPONGENT relies on a sponge construction – a simple iterated design hat takes a variable-length input and can produce an output of an arbitrary length based on a permutation πb operating on a state of a fixed number b of bits. The size of the internal state b = r + c ≥ n is called width, where r is the rate and c the capacity.




In 
SPONGENT, the b-bit 0 is taken as the initial value before the absorbing phase.  The message is first padded by a single bit 1 followed by a necessary number of 0 bits up to a multiple of r bits. Then it is cut into r-bit  message blocks that are xored into the first r bits of the state, interleaved with applications of the permutation πb. Once all message blocks have been absorbed, the first r bits of the state are returned as output, interleaved with applications of the permutation πb, until n bits are returned.

Parameters

We propose 13 variants of SPONGENT with 5 different security levels:

   n
(bit)
 b
(bit)
 c
(bit)
 r
(bit)
 R number
of rounds
SPONGENT-88/80/8
SPONGENT-88/176/88
 88
 88    
 88
 264
 80
 176
 8       
 88
 45
 135
SPONGENT-128/128/8
SPONGENT-128/256/128
 128
 128
 136
 384
 128
 256
 8
 128
 70
 195
SPONGENT-160/160/16
SPONGENT-160/160/80
SPONGENT-160/320/160
 160
 160
 160
 176
 240
 480
 160
 160
 320
 16
 80
 160
 90
 120
 240
SPONGENT-224/224/16
SPONGENT-224/224/112
SPONGENT-224/448/224
 224
 224
 224
 240
 336
 372
 224
 224
 448
 16
 112
 224
 120
 170
 340
SPONGENT-256/256/16
SPONGENT-256/256/128
SPONGENT-256/256/256
 256
 256
 256
 272
 384
 768
 256
 256
 512
 16
 128
 256
 140
 195
 385

PRESENT-type Permutation

The permutation πb : F2b → F2b is an R-round transform of the input state of b bits that can be outlined as:

    for i = 1 to R do 
        state ← retnuoClb(i) ⊕ state ⊕ lCounterb(i)
        state ← sBoxLayerb (state)
        state ← pLayerb (state)
    end for

lCounterb(i) is the state of an LFSR dependent on b at time i which yields the round constant in round i and is added to the rightmost bits of state. retnuoClb(i) is the value of lCounterb(i) with its bits in reversed order and is added to the leftmost bits of state.

sBoxLayerb: This denotes the use of a 4-bit to 4-bit S-box which is applied b/4 times in parallel

 x  0 1 2 3 4 5 6 7 8 9 A B C D E F
 S[x]  E D B 0 2 1 4 F 7 A 8 5 9 C 3 6


pLayerb: This is an extension of the (inverse) present bit-permutation and moves bit j of state to bit position Pb( j ), where

    Pb (j) = j·b/4 mod b−1    if j ∈ {0,...,b−2}
    Pb (j) = b − 1            if j = b − 1


lCounterb: This is one of the four ⌈ log2 R ⌉-bit LFSRs. The LFSR is clocked once every time its state has been used and its final value is all ones. If ζ is the root of unity in the corresponding binary finite field, the n-bit LFSRs defined by the polynomials given below are used for the spongent variants.

 LFSR size (bit)
 Primitive Polynomial
 6   ζ6 + ζ5 + 1 
 7   ζ7 + ζ6 + 1
 8   ζ8 + ζ4 + ζ3 + ζ2 + 1
 9   ζ9 + ζ4 + 1

Following table provides sizes and initial values of all the LFSRs.

  LFSR size (bit)
 Initial Value (hex)
SPONGENT-88/80/8
SPONGENT-88/176/88
6
8
05
D2
SPONGENT-128/128/8
SPONGENT-128/256/128
7
8
7A
FB
SPONGENT-160/160/16
SPONGENT-160/160/80
SPONGENT-160/320/160
7
7
8
45
01
A7
SPONGENT-224/224/16
SPONGENT-224/224/112
SPONGENT-224/448/224
7
8
9
01
52
105
SPONGENT-256/256/16
SPONGENT-256/256/128
SPONGENT-256/256/256
8
8
9
9E
FB
015