### Design

SPONGENT is a family of lightweight hash functions designed by Andrey Bogdanov, Miroslav Knežević , Gregor Leander, Deniz Toz, Kerem Varıcı, and Ingrid Verbauwhede

SPONGENT is a hermetic sponge based on a wide PRESENT-type permutation. Given a ﬁnite number of input bits, it produces hash sizes of 88 (for preimage resistance only), 128,160, 224, and 256 bits based on a sponge construction following the hermetic sponge strategy.

## Permutation-based Sponge Construction

SPONGENT relies on a sponge construction – a simple iterated design hat takes a variable-length input and can produce an output of an arbitrary length based on a permutation πb operating on a state of a fixed number b of bits. The size of the internal state b = r + c ≥ n is called width, where r is the rate and c the capacity.

SPONGENT, the b-bit 0 is taken as the initial value before the absorbing phase.  The message is first padded by a single bit 1 followed by a necessary number of 0 bits up to a multiple of r bits. Then it is cut into r-bit  message blocks that are xored into the first r bits of the state, interleaved with applications of the permutation πb. Once all message blocks have been absorbed, the first r bits of the state are returned as output, interleaved with applications of the permutation πb, until n bits are returned.

## Parameters

We propose 13 variants of SPONGENT with 5 diﬀerent security levels:

n
(bit)
b
(bit)
c
(bit)
r
(bit)
R number
of rounds
SPONGENT-88/80/8
SPONGENT-88/176/88
88
88
88
264
80
176
8
88
45
135
SPONGENT-128/128/8
SPONGENT-128/256/128
128
128
136
384
128
256
8
128
70
195
SPONGENT-160/160/16
SPONGENT-160/160/80
SPONGENT-160/320/160
160
160
160
176
240
480
160
160
320
16
80
160
90
120
240
SPONGENT-224/224/16
SPONGENT-224/224/112
SPONGENT-224/448/224
224
224
224
240
336
372
224
224
448
16
112
224
120
170
340
SPONGENT-256/256/16
SPONGENT-256/256/128
SPONGENT-256/256/256
256
256
256
272
384
768
256
256
512
16
128
256
140
195
385

## PRESENT-type Permutation

The permutation πb : F2b → F2b is an R-round transform of the input state of b bits that can be outlined as:

`    ``for i = 1 to R do``  `
`    ``    ``state ← retnuoCl``b``(i) ⊕ state ⊕ lCounter``b``(i)`
`    ``    ``state ← sBoxLayer``b`` (state)`
`    ``    ``state ← pLayer``b`` (state)`
`    ``end for`

lCounterb(i) is the state of an LFSR dependent on b at time i which yields the round constant in round i and is added to the rightmost bits of state. retnuoClb(i) is the value of lCounterb(i) with its bits in reversed order and is added to the leftmost bits of state.

sBoxLayerb: This denotes the use of a 4-bit to 4-bit S-box which is applied b/4 times in parallel

 ` x` ` 0 1 2 3 4 5 6 7 8 9 A B C D E F` ` S[x]` ` E D B 0 2 1 4 F 7 A 8 5 9 C 3 6`

pLayerb: This is an extension of the (inverse) present bit-permutation and moves bit j of state to bit position Pb( j ), where

` ``   ``P``b`` (j)` `=`` j·b/4 mod b−1  ``  ``if j ∈ {0,...,b−2}`
` ``   ``P``b`` (j)` `= b − 1  ` `    `` ``  ``  ``if j = b − 1`

lCounterb: This is one of the four ⌈ log2 R ⌉-bit LFSRs. The LFSR is clocked once every time its state has been used and its ﬁnal value is all ones. If ζ is the root of unity in the corresponding binary finite ﬁeld, the n-bit LFSRs deﬁned by the polynomials given below are used for the spongent variants.

 LFSR size (bit) Primitive Polynomial 6 ζ6 + ζ5 + 1 7 ζ7 + ζ6 + 1 8 ζ8 + ζ4 + ζ3 + ζ2 + 1 9 ζ9 + ζ4 + 1

Following table provides sizes and initial values of all the LFSRs.

 LFSR size (bit) Initial Value (hex) SPONGENT-88/80/8 SPONGENT-88/176/88 68 05D2 SPONGENT-128/128/8 SPONGENT-128/256/128 78 7AFB SPONGENT-160/160/16 SPONGENT-160/160/80 SPONGENT-160/320/160 778 4501A7 SPONGENT-224/224/16 SPONGENT-224/224/112 SPONGENT-224/448/224 789 0152105 SPONGENT-256/256/16SPONGENT-256/256/128 SPONGENT-256/256/256 889 9EFB015