International Association for Cryptologic Research

Generic Security of the SAFE API and Its Applications

Dmitry Khovratovich , Ethereum Foundation
Mario Marhuenda Beltrán , Radboud University, Netherlands
Bart Mennink , Radboud University, Netherlands
Presentation: Slides
Conference: ASIACRYPT 2023
Abstract: We provide security foundations for SAFE, a recently introduced API framework for sponge-based hash functions tailored to prime-field-based protocols. SAFE aims to provide a robust and foolproof interface and has been implemented in the Neptune hash framework and some zero-knowledge proof projects, but despite its usability and applicability it currently lacks any security proof. Such a proof would not be straightforward, as SAFE abuses the inner part of the sponge and fills it with protocol-specific data. In this work we identify SAFECore as a versatile variant of the sponge construction underlying SAFE, we prove indifferentiability of SAFECore for all (binary and prime) fields up to around $|\mathbb{F}_p|^{c/2}$ queries, where $\mathbb{F}_p$ is the underlying field and $c$ the capacity, and we apply this security result to various use cases. We show that the SAFE-based protocols of plain hashing, authenticated encryption, verifiable computation, non-interactive proofs, and commitment schemes are secure against a wide class of adversaries, including those dealing with multiple invocations of a sponge in a single application. Our results pave the way for using SAFE with the full taxonomy of hash functions, including SNARK-, lattice-, and x86-friendly hashes.
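The two ideas the abstract rests on, a field sponge whose inner (capacity) part is seeded with protocol-specific data and a generic security level of about $|\mathbb{F}_p|^{c/2}$ queries, can be made concrete in a few dozen lines. The following Python is an added illustration written for this page; it is not code from the paper, from Neptune, or from any SAFE implementation. It assumes the Goldilocks prime as the field, a width-3 state with rate 2 and capacity 1, a toy Poseidon-shaped permutation (bijective but not cryptographically strong), and an assumed encoding of the IO pattern into a SHA3-derived tag; the real SAFE specification fixes these details differently. What it shows is the mechanism: the tag placed in the capacity makes the same absorbed elements hash differently under different declared call patterns or domain separators, the interface rejects calls that deviate from the declared pattern, and the security bound scales with both field size and capacity.

```python
"""Added illustration of the SAFE idea: a field sponge whose capacity (inner part) is seeded with a
tag derived from the declared IO pattern. Not the paper's, Neptune's, or any SAFE implementation's code."""
import hashlib
import math

P = 2**64 - 2**32 + 1      # Goldilocks prime (assumed field); gcd(7, P-1) = 1, so x -> x^7 is a bijection
T, R, C = 3, 2, 1          # assumed toy sizes: state width T = rate R + capacity C field elements
ROUNDS = 8
# Assumed round constants, derived from SHA3 so the file is self-contained.
RC = [[int.from_bytes(hashlib.sha3_256(f"rc:{i}:{j}".encode()).digest()[:8], "big") % P
       for j in range(T)] for i in range(ROUNDS)]
MDS = [[2, 1, 1], [1, 2, 1], [1, 1, 2]]   # det = 4 != 0 mod P, so the linear layer is invertible


def permute(state):
    """Toy Poseidon-shaped permutation of F_P^T: constants, x^7 S-box, invertible mixing.
    Bijective (every layer is), but NOT cryptographically strong; it only stands in for a real one."""
    s = list(state)
    for rc in RC:
        s = [(x + k) % P for x, k in zip(s, rc)]
        s = [pow(x, 7, P) for x in s]
        s = [sum(m * x for m, x in zip(row, s)) % P for row in MDS]
    return s


def io_tag(pattern, domain_sep):
    """One capacity element committing to the IO pattern and a domain separator.
    SAFE derives its tag by hashing the pattern; the encoding used here is an assumption."""
    enc = b"".join(op.encode() + n.to_bytes(4, "big") for op, n in pattern) + domain_sep
    return int.from_bytes(hashlib.sha3_256(enc).digest()[:8], "big") % P  # mod P: negligible bias


class SafeSponge:
    """Sponge over F_P whose inner part starts as io_tag(pattern) and which refuses calls that
    deviate from the declared pattern (the interface discipline SAFE enforces)."""

    def __init__(self, pattern, domain_sep=b""):
        self.pattern = [(op, int(n)) for op, n in pattern]
        self.pos, self.done = 0, 0            # current pattern entry, and how much of it is used
        self.state = [0] * T
        self.state[R] = io_tag(self.pattern, domain_sep)   # protocol data goes into the inner part
        self.absorb_pos, self.squeeze_pos = 0, R

    def _expect(self, op):
        if self.pos >= len(self.pattern) or self.pattern[self.pos][0] != op:
            raise ValueError(f"IO pattern violation: unexpected {op}")
        self.done += 1
        if self.done == self.pattern[self.pos][1]:
            self.pos, self.done = self.pos + 1, 0

    def absorb(self, x):
        self._expect("absorb")
        if self.absorb_pos == R:
            self.state, self.absorb_pos = permute(self.state), 0
        self.state[self.absorb_pos] = (self.state[self.absorb_pos] + x) % P
        self.absorb_pos += 1
        self.squeeze_pos = R                  # pending input: permute before the next output

    def squeeze(self):
        self._expect("squeeze")
        if self.squeeze_pos == R:
            self.state, self.squeeze_pos, self.absorb_pos = permute(self.state), 0, 0
        out = self.state[self.squeeze_pos]
        self.squeeze_pos += 1
        return out

    def finish(self):
        if self.pos != len(self.pattern):
            raise ValueError("IO pattern not fully consumed")


def run(pattern, inputs, domain_sep=b""):
    """Drive a sponge through `pattern`, feeding `inputs` to the absorbs; returns the squeezed elements."""
    sp, it, out = SafeSponge(pattern, domain_sep), iter(inputs), []
    for op, n in pattern:
        for _ in range(n):
            if op == "squeeze":
                out.append(sp.squeeze())
            else:
                sp.absorb(next(it) % P)
    sp.finish()
    return out


def violates_pattern(pattern, calls):
    """True if issuing `calls` (a list of 'absorb'/'squeeze') then finish() breaks `pattern`."""
    sp = SafeSponge(pattern)
    try:
        for op in calls:
            if op == "absorb":
                sp.absorb(1)
            else:
                sp.squeeze()
        sp.finish()
        return False
    except ValueError:
        return True


def generic_security_bits(p, c):
    """Generic security level implied by the |F_p|^(c/2) query bound, in bits."""
    return c / 2 * math.log2(p)


if __name__ == "__main__":
    msg = [1, 2, 3]
    print(run([("absorb", 3), ("squeeze", 1)], msg))
    print(run([("absorb", 2), ("absorb", 1), ("squeeze", 1)], msg))   # same data, different tag
    print(generic_security_bits(P, 1), generic_security_bits(P, 4))
```

With these toy parameters the bound gives only about 32 bits of generic security (capacity 1 over a 64-bit field), which is why field-friendly hashes use a larger capacity or a larger field; four Goldilocks elements of capacity, or one element of a 256-bit field, reach the 128-bit level. The split of one absorb of three elements into absorbs of two and one yields a different output only because of the tag in the capacity; a plain sponge would see identical state transitions in both cases.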
  title={Generic Security of the SAFE API and Its Applications},
  author={Dmitry Khovratovich and Mario Marhuenda Beltrán and Bart Mennink},