1 comment

[ 4.3 ms ] story [ 13.3 ms ] thread
As far as I can tell, the described process does not actually result in a cryptographic sponge, since the sponge construction relies on the application of a permutation of the internal state (not just any "pseudorandom transformation").

Since MD5 is not a permutation (i.e. it is not an invertible function), the state update function is lossy and the resulting construction probably does not constitute a (safe) cryptographic sponge.

Caveat emptor and all that.

EDIT: you could use MD5 to make a cryptographic sponge by using a Feistel or Lai-Massey scheme (which would ensure that the transformation of the state is reversible); as it is right now, I'm not sure it's a good idea.