5

In the standard Keccak hash function, the sponge construction is used with the Keccak-f permutation as the internal transformation. Since Keccak-f is efficiently invertible, we can walk back the internal state of the sponge.

While the capacity part of the internal state is never supposed to be exposed, this still sounds like a misuse risk. Is there any reason not to use the non-invertible $F(x) = x \oplus \text{Keccak-f}(x)$ as the internal transformation? What is their design rationale? The non-invertible sponge construction should be exactly as secure in the ideal permutation model because you can recover an oracle for the permutation as $P(x) = x \oplus F(x)$.

I searched around the Internet and found this 2025 paper claiming better generic bounds if feed-forward connections are added. The paper also claims "Avoiding feeding forward seems to be a major goal of the sponge construction." but I found no evidence elsewhere to support it, nor can I understand why it is desirable to avoid feed-forward connections.

I also found this unanswered question speculating about security benefits that seem to be confirmed by the above 2025 paper. That question proposes to use a related non-invertible $F(r\|c) = 0^*\|c \oplus \text{Keccak-f}(r\|c)$ that does not feed-forward the rate component. (Is there any difference in security between their $F$ and my $F$?)

2
  • 1
    Here is another related paper. MacaKey is also related. As the current answer says, it's probably mostly based on the memory footprint, but I think they should've done a feed-forward from a security standpoint. Commented Nov 19, 2025 at 19:35
  • 1
    This question seems relevant also. Commented Nov 20, 2025 at 0:12

1 Answer

5

> Is there any reason not to use the non-invertible $F(x) = x \oplus \text{Keccak-f}(x)$ as the internal transformation? What is their design rationale?

The design rationale can be found in Section 5.2 of “The Keccak reference” [Version 3.0: January 14, 2011]:

> The sponge construction requires an underlying function $f$, either a transformation or a permutation. [...] We have chosen a permutation [...] because of the following advantages:
>
> Block cipher experience: An iterated permutation is an iterated block cipher with a fixed key. In its design one can build on knowledge obtained from block cipher design and cryptanalysis.
>
> Memory efficiency: Often a transformation is built by taking a permutation and adding a feedforward loop. This implies that (at least part of) the input must be kept during the complete computation. This is not the case for a permutation, leading to a relatively small RAM footprint.

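The following is an added example, not part of the question, the answer or the Keccak reference. It illustrates the state walk-back, the feed-forward $F(x) = x \oplus P(x)$ and the identity $P(x) = x \oplus F(x)$ on a small sponge. Assumptions: `perm` is a toy invertible ARX permutation on four 32-bit words standing in for Keccak-f, and every name and parameter in it is hypothetical.

```python
MASK = 0xFFFFFFFF
ROUNDS = 8  # toy parameter, chosen arbitrarily for this example

def rotl(v, n): return ((v << n) | (v >> (32 - n))) & MASK
def rotr(v, n): return ((v >> n) | (v << (32 - n))) & MASK

def perm(s):
    """Toy invertible ARX permutation on four 32-bit words (NOT Keccak-f)."""
    a, b, c, d = s
    for r in range(ROUNDS):
        a = (a + b) & MASK; d = rotl(d ^ a, 16)
        c = (c + d) & MASK; b = rotl(b ^ c, 12)
        a, b, c, d = b, c, d, a ^ (r + 1)  # rotate words, add round constant
    return (a, b, c, d)

def perm_inv(s):
    """Inverse of perm: undo each round in reverse order."""
    a, b, c, d = s
    for r in reversed(range(ROUNDS)):
        a, b, c, d = d ^ (r + 1), a, b, c
        b = rotr(b, 12) ^ c; c = (c - d) & MASK
        d = rotr(d, 16) ^ a; a = (a - b) & MASK
    return (a, b, c, d)

def xor(x, y): return tuple(p ^ q for p, q in zip(x, y))

def feed_forward(x):
    """F(x) = x XOR P(x); x must stay in memory until P(x) is finished."""
    return xor(x, perm(x))

def perm_from_F(x):
    """The question's identity P(x) = x XOR F(x)."""
    return xor(x, feed_forward(x))

def absorb(blocks, f):
    """Sponge absorbing phase: rate = words 0-1, capacity = words 2-3."""
    state = (0, 0, 0, 0)
    for m in blocks:
        state = f(xor(state, (m[0], m[1], 0, 0)))
    return state

def walk_back(leaked_state, later_blocks):
    """From a leaked full state and the later blocks, undo each permutation call."""
    state = leaked_state
    for m in reversed(later_blocks):
        state = xor(perm_inv(state), (m[0], m[1], 0, 0))
    return perm_inv(state)  # equals (first block, 0, 0) when f was perm

# Constructed sample message blocks (two 32-bit words each).
M1, M2 = (0x53454352, 0x45542121), (0x0000BEEF, 0x12345678)
```

With `f=perm`, `walk_back(absorb([M1, M2], perm), [M2])` returns the first block followed by a zero capacity; with `f=feed_forward`, applying `perm_inv` to the state no longer yields the previous state.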
