5
$\begingroup$

Security proofs of schemes like the sponge construction assumes that a permutation $P$ is chosen uniformly at random and the attacker is given access to oracles for $P$ and $P^{-1}$. When the sponge construction is actually used in the real world, it is instantiated with a publicly specified permutation such as Keccak-f[1600] or Gimli.

My question is how can we judge the security of a real, public permutation such as Keccak-f[1600]. For block ciphers, we can evaluate them against an "ideal" security model such as PRP, and we announce a break if it deviates from the PRP conditions. We might try something similar for public permutations, and say that they are broken if they can be distinguished from a random permutation. However, since they lack a key, there are always trivial distinguishers like $\mathcal{A}^P = [P(0) = c]$ for a suitably hard-coded $c$.

How can we define a security model to include only actual "structural" distinguishers? Maybe we can sample a random permutation $\sigma$ and ask the attacker to distinguish $\sigma \circ P \circ \sigma^{-1}$. However, the random permutation $\sigma$ can hide weaknesses in $P$. For example, if $P$ has a single fixed point, the attacker can no longer find it in polynomial amount of queries. It seems like even if $\sigma \circ P \circ \sigma^{-1}$ is indistinguishable from random, it does not imply that $P$ can be safely used with the sponge construction (or other constructions proven secure in a ideal permutation model).

Update: In other words, what do we mean by saying a specific public permutation $P$ such as Gimli is "secure" (or alternatively, broken), in the general sense? We cannot simply say "Real: The attacker is given oracles for $P$ and $P^{-1}$; Random: Sample a random permutation $\sigma$, and give oracles for $\sigma$ and $\sigma^{-1}$; if the attacker can distinguish real from random then $P$ is broken". The reason is that the attacker cam precompute $P(0)$.

Let's look at what various papers use as their security model:

I certainly agree that each of these papers demonstrates a break, but it is not clear what essential feature of the permutation they are breaking. What counts as "distinguished from a randomly chosen permutation" (that still excludes trivial distinguishers we don't care about)?

Improve this question
$\endgroup$
9
  • 4
    $\begingroup$ I find the question confusing because your question ("how can we define the security model") seems to be answered quite clearly in the first paragraph ("$P$, $P^{-1}$ chosen uniformly and oracle access given to adversary). The philosophical issues you have with this model also apply equally well to the random oracle model, and any other idealized model. $\endgroup$ Commented Oct 24, 2025 at 18:06
  • $\begingroup$ Well, need a long answer to show a permutation with a fixed point is distinguishable from a random permutation. $\endgroup$ Commented Oct 24, 2025 at 19:45
  • $\begingroup$ @Mikero I think the ideal permutation model is the assumption used to prove the security of sponges. My question is about checking the security of the underlying permutation. The ideal permutation model itself does not tell us how to determine whether a public permutation like Keccak-f[1600] can be approximately considered an ideal permutation. (In contrast, the PRP definition does tell us whether a specific block cipher like Rijndael is approximately ideal). $\endgroup$ Commented Oct 24, 2025 at 20:24
  • $\begingroup$ @user1641237 Please could you link some papers where you think it isn't clear. I think you've basically answered your own question. It's about distinguishing a permutation from one picked uniformly at random. And also this whole goal is theoretical rather than practical. You can use a non-random permutation in the sponge/duplex. For example, the Ascon permutation has distinguishers for the full 12 rounds. This is one of the weird aspects of cryptography; security proofs aren't really a proof of security. As an outsider without a formal background, it all comes across as a bit silly. $\endgroup$ Commented Oct 25, 2025 at 8:21
  • $\begingroup$ @samuel-lucas6 The problem is any specific public permutation can be trivially distinguished from a randomly chosen permutation, by $P(0) \overset{?}{=} c$ where $c$ is precomputed from the public permutation. I am asking how can we define an attack model that excludes such trivial distinguishers while including all genuine "structural" distinguishers. $\endgroup$ Commented Oct 25, 2025 at 14:29

1 Answer 1

Reset to default
2
$\begingroup$

Sponge have capacities - they divide a permutation state into rate and capacity bits, data are put on the rate bits, the state is permuted, and output is squeezed from the same range of rate bits.

So when attacking a permutation, usually the capacity bits are not disclosed to the attacker, and the adversary must distinguish the 'rate' bits from random strings.

Improve this answer
$\endgroup$
5
  • 1
    $\begingroup$ For sponges in particular, distinguishing the rate part from random certainly works. However, there seems to be general claims like "this paper broke N rounds of Gimli" that are independent from the sponge construction. I looked at these papers but they don't seem to be using some common definition for what is "broken"... $\endgroup$ Commented Oct 24, 2025 at 20:27
  • $\begingroup$ @user1641237 It appears that for certain input, some part of the output can be predicted without knowing the full input, or have certain pattern. See inria.hal.science/hal-03045986/document#page=10 $\endgroup$ Commented Oct 25, 2025 at 2:37
  • $\begingroup$ In what world is Keccak a permutation? Or sponges in general? See en.wikipedia.org/wiki/Permutation . It's contorting the language, like saying AES is a permutation which is clearly isn't. $\endgroup$ Commented Oct 25, 2025 at 15:14
  • $\begingroup$ @PaulUszak While Keccak the hash function isn't a permutation, the building block Keccak-f[1600] is one. Keccak then instantiates the sponge constructiong using Keccak-f[1600] as the "stirring the entropy pool" permutation. $\endgroup$ Commented Oct 25, 2025 at 17:09
  • $\begingroup$ @user1641237 Hmm, struggling to see how XOR and LFSR injection is a permutation. $\endgroup$ Commented Oct 26, 2025 at 21:56

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.