spongent: A Lightweight Hash Function

Andrey Bogdanov, Miroslav Kneževi?, Gregor Leander, Deniz Toz, Kerem Var?c?, Ingrid Verbauwhede

13th International Workshop, Nara, Japan, September 28 – October 1, 2011. Proceedings


This paper proposes spongent – a family of lightweight hash functions with hash sizes of 88 (for preimage resistance only), 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy. Its smallest implementations in ASIC require 738, 1060, 1329, 1728, and 1950 GE, respectively. To our best knowledge, at all security levels attained, it is the hash function with the smallest footprint in hardware published so far, the parameter being highly technology dependent. spongent offers a lot of flexibility in terms of serialization degree and speed. We explore some of its numerous implementation trade-offs.

We furthermore present a security analysis of spongent. Basing the design on a present-type primitive provides confidence in its security with respect to the most important attacks. Several dedicated attack approaches are also investigated.

[DOI] [bib]