Sufficient conditions on padding schemes of sponge construction and sponge-based authenticated-encryption scheme


Abstract

The sponge construction, designed by Bertoni, Daemen, Peeters, and Van Assche, is a hash domain extension that allows any hash-output size, and it has been adopted as the hash mode of several concrete hash algorithms. For its security, they showed that its padding scheme is required to be injective and reversible, and that the last block of a padded message must be non-zero. However, we first show that if the output size is less than or equal to one block, then any injective and reversible padding scheme is sufficient. In particular, when only messages whose size is a multiple of the block length are considered, we can take the identity function (which is also injective and reversible) as the padding scheme. Next, we look at the padding scheme of SpongeWrap, a sponge-based authenticated-encryption scheme designed by the same authors. Since the padding scheme of SpongeWrap is inspired by that of the sponge construction, it calls an underlying padding scheme for every message block, and this underlying padding scheme is also required to be injective and reversible, with a non-zero last block of the padded message. In addition, the padding scheme of SpongeWrap includes frame bits for the privacy and authenticity of SpongeWrap, so it consists of the underlying padding scheme plus frame bits. However, we show second that the non-zero condition on the underlying padding scheme is redundant; in other words, any injective and reversible padding scheme is sufficient as the underlying padding scheme. © Springer-Verlag 2012.

Cite

Chang, D. (2012). Sufficient conditions on padding schemes of sponge construction and sponge-based authenticated-encryption scheme. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7668 LNCS, pp. 545–563). https://doi.org/10.1007/978-3-642-34931-7_31
