# IOTA Tutorial 8 | Cryptographic sponge construction

# IOTA Tutorial

## Cryptographic sponge construction

In this video series different topics will be explained which will help you to understand IOTA. It is recommended to watch each video sequentially as I may refer to certain IOTA topics explained earlier.

In 2007, the sponge construction was introduced by Guido Bertoni and others. A sponge construction or sponge function takes input bit data of any length (message) and produce an output bit data of any desired length (hash digest). Simply said, the data is “absorbed” into the sponge, then the result is “squeezed” out.

The sponge function has two phases, the absorbing phase in which the message is compressed iteratively followed by the squeezing phase in which the hash digest is extracted in a iterative manner.

A sponge function has three components:

A state memory (S) which is divided into two sections: one of size r (the bitrate) and the other of size c (the capacity). For simplicity sake in this video the capacity will be complete ignored.

A compression function (f) of fixed length that transforms the state memory. IOTA uses the Keccak-384 hash algorithm as its compression function. Please note this Keccak-384 hash algorithm does not comply with the standardised SHA3-384 as defined by the National Institute of Standards and Technology (NIST).

A padding function (pad) which appends enough bits to the input data (M) so that the length of the padded input is a whole multiple of the bitrater. The padded input can thus be broken into r-bit blocks.

- The sponge function operates as follows, starting with the absorbing phase:

The state memory S is initialised to zero. The padded input is broken into r-bit blocks and called M0, M1, M2, etc. The r-bit block is XORed with the first message block M0 and the result is passed to the compression function f. The function stores its result in the state memory S. The updated r-bit block is XORed with the second message block M1 and the result is passed to function f. Again function f stores its result in the state memory S. The process is repeated until all message blocks M0, M1, M2 etc. are used up.

- The sponge function squeezing phase, to create the hash digest is as follows:

The r-bit block of the state memory is the first r bits of output (Z0). If more output bits are desired the r-bit block is passed to function f. Function f stores its result in the state memory S.

The r-bit block of the state memory is the next r bits of output (Z1). The process is repeated until the desired number of output bits are produced. The concatenated values Z0, Z1, Z2, etc, forms the hash digest. If the output length is not a multiple of r bits, it will be truncated.