SPONGENT is a family of lightweight hash functions designed by Andrey Bogdanov, Miroslav Knežević , Gregor Leander, Deniz Toz, Kerem Varıcı, and Ingrid Verbauwhede.
SPONGENT is a hermetic sponge based on a wide PRESENT-type permutation. Given a ﬁnite number of input bits, it produces hash sizes of 88 (for preimage resistance only), 128,160, 224, and 256 bits based on a sponge construction following the hermetic sponge strategy.
width, where r is the rate and c the capacity.
In SPONGENT, the b-bit 0 is taken as the initial value before the absorbing phase. The message is first padded by a single bit 1 followed by a necessary number of 0 bits up to a multiple of r bits. Then it is cut into r-bit message blocks that are xored into the first r bits of the state, interleaved with applications of the permutation πb. Once all message blocks have been absorbed, the first r bits of the state are returned as output, interleaved with applications of the permutation πb, until n bits are returned.
lCounterb(i) is the state of an LFSR dependent on b at time i which yields the round constant in round i and is added to the rightmost bits of state. retnuoClb(i) is the value of lCounterb(i) with its bits in reversed order and is added to the leftmost bits of state.
sBoxLayerb: This denotes the use of a 4-bit to 4-bit S-box which is applied b/4 times in parallel
pLayerb: This is an extension of the (inverse) present bit-permutation and moves bit j of state to bit position Pb( j ), where
lCounterb: This is one of the four ⌈ log2 R ⌉-bit LFSRs. The LFSR is clocked once every time its state has been used and its ﬁnal value is all ones. If ζ is the root of unity in the corresponding binary finite ﬁeld, the n-bit LFSRs deﬁned by the polynomials given below are used for the spongent variants.
Following table provides sizes and initial values of all the LFSRs.