Full-State Keyed Duplex with Built-In Multi-User Support
Abstract
The keyed duplex construction was introduced by Bertoni et al. (SAC 2011) and recently generalized to full-state absorption by Mennink et al. (ASIACRYPT 2015). We present a generalization of the full-state keyed duplex that natively supports multiple instances by design, and perform a security analysis that improves over that of Mennink et al. in that it is more modular and yields a stronger, more adaptive security bound. Via the introduction of an additional parameter to the analysis, our bound demonstrates a significant security improvement in the case of nonce-respecting adversaries. Furthermore, by supporting multiple instances by design, instead of adapting the security model to it, we manage to derive a security bound that is largely independent of the number of instances.
Keywords
Duplex construction · Full-state · Distinguishing bounds · Authenticated encryption

1 Introduction
Bertoni et al. [8] introduced the sponge construction as an approach to design hash functions with variable output length (later called extendable output functions (XOF)). The construction gained rapid traction in light of NIST's SHA-3 competition, with multiple candidates inspired by the sponge methodology. Keccak, the eventual winner of the competition and now standardized as SHA-3 [27], internally uses the sponge construction. The sponge construction found quick adoption in the area of lightweight hashing [19, 32]. Beyond the area of hash functions, various applications of the sponge construction appeared, such as keystream generation and MAC computation [12], reseedable pseudorandom sequence generation [10, 30], and authenticated encryption [11, 14]. In particular, the ongoing CAESAR competition for the development of a portfolio of authenticated encryption schemes has received about a dozen sponge-based submissions.
At a high level, the sponge construction operates on a state of b bits. This is split into an inner part of size c bits and an outer part of size r bits, where \(b=c+r\). Data absorption and squeezing are done via the outer part, r bits at a time, interleaved with evaluations of a b-bit permutation f. Bertoni et al. [9] proved a bound on the security of the sponge construction in the indifferentiability framework of Maurer et al. [37]. While it was clear from the start that this birthday-type bound in the capacity is tight for the unkeyed use cases, i.e., hashing, for the keyed use cases of the sponge it appeared that a higher level of security could be achieved. This has resulted in an impressive series of papers on the generic security of keyed versions of the sponge, with bounds improving and the construction becoming more efficient.
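The absorb/squeeze flow described above can be sketched in a few lines of Python. The permutation stand-in and the simplistic zero-padding below are illustrative assumptions only; a real sponge uses a fixed public b-bit permutation (such as Keccak-f) and an injective padding rule:

```python
import hashlib

B, R = 32, 16          # toy parameters in bytes: width b, rate r
C = B - R              # capacity c = b - r

def f(state: bytes) -> bytes:
    """Toy stand-in for the b-bit permutation (not a permutation; illustration only)."""
    return hashlib.sha256(state).digest()[:B]

def sponge(message: bytes, out_len: int) -> bytes:
    state = bytes(B)
    # Absorb: XOR r-bit blocks into the outer part, interleaved with f.
    for i in range(0, len(message), R):
        block = message[i:i + R].ljust(R, b'\x00')   # simplistic zero-padding
        outer = bytes(x ^ y for x, y in zip(state[:R], block))
        state = f(outer + state[R:])
    # Squeeze: read the r-bit outer part, interleaved with f.
    out = b''
    while len(out) < out_len:
        out += state[:R]
        state = f(state)
    return out[:out_len]
```

Note how only the outer r bits are ever read or written directly; the inner c bits are affected only through f, which is what the capacity-based security bounds rely on.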
1.1 Keyed Sponge and Keyed Duplex
Keyed Sponge. Bertoni et al.'s original keyed sponge [13] was simply the sponge with input \((K\Vert M)\) where K is the key. Chang et al. [21] suggested an alternative where the initial state of the sponge simply contains the key in its inner part. Andreeva et al. [2] generalized and improved the analyses of both the outer- and inner-keyed sponge, and also considered security of these functions in the multi-target setting. In a recent analysis their bounds were improved by Naito and Yasuda in [42]. All of these results, however, stayed relatively close to the (keyless) sponge design that absorbs input in blocks of r bits in the outer part of the state. It turned out that, thanks to the secrecy of part of the state after key injection, one can absorb data over the full state, and therewith achieve maximal compression. Full-state absorption was first explicitly proposed in a variant of the sponge for computing MACs: donkeySponge [14]. It also found application in various recent sponge-inspired designs, such as Chaskey [41].
Nearly tight bounds for the full-state absorbing keyed sponge were given by Gaži et al. [29], but their analysis was limited to the case of fixed output length. Mennink et al. [38] generalized and formalized the idea of the full-state keyed sponge and presented an improved security bound for the general case where the output length is variable.
Keyed Duplex. Whereas the keyed sponge serves message authentication and stream encryption, authenticated encryption is mostly done via the keyed duplex construction [11]. This is a stateful construction that consists of an initialization interface and a duplexing interface. Initialization resets the state, and a duplexing call absorbs a data block of at most \(r-1\) bits, applies the underlying permutation f and squeezes at most r bits. Bertoni et al. [11] proved that the output of duplexing calls can be simulated by calls to a sponge, a fortiori making the duplex as strong as the sponge.
The duplex construction finds multiple uses in the CAESAR competition [20] in the embodiment of the authenticated encryption mode SpongeWrap [11] or close variants of it. The recent line of research on improving bounds of sponge-inspired authenticated encryption schemes, set by Jovanovic et al. [35], Sasaki and Yasuda [46], and Reyhanitabar et al. [44], can be seen as an analysis of a specific use case of the keyed duplex. The Full-State SpongeWrap [38], an authenticated encryption scheme designed from the full-state keyed duplex, improves over these results. Particularly, the idea already found application in the Motorist mode of the CAESAR submission Keyak [16].
Trading Sponge for Duplex. As noted, the duplex can be simulated by the sponge, but not the other way around. This is the case because the duplex pads each input block and cannot simulate sponge inputs with, e.g., long sequences of zeroes. It is therefore natural that Mennink et al. [38] derived a security bound on the full-state keyed duplex by viewing it as an extension of the full-state keyed sponge. However, we observe that the introduction of full-state absorption changes that situation: the full-state keyed duplex can simulate the full-state keyed sponge. All keyed usages of the sponge can be described quite naturally as applications of the keyed duplex, and it turns out that proving security of the keyed duplex is easier than that of the keyed sponge. Therefore, in keyed use cases, the duplex is preferred as basic building block over the sponge.
1.2 Multi-Target Security
The problem of multi-target security of cryptographic designs has been acknowledged and analyzed for years. Biham [17] considered the security of block ciphers in the multi-target setting and showed that the security strength can erode to half the key size if data processed by sufficiently many keys is available. Various extensions have subsequently appeared [7, 18, 34]. It has been demonstrated (see, e.g., [5] for public key encryption and [22] for message authentication codes) that the security of a scheme in the multi-target setting can be reduced to the security in the single-target setting, at a security loss proportional to the number of keys used.
However, in certain cases, a dedicated analysis in the multi-target setting can render improved bounds. Andreeva et al. [2] considered the security of the outer- and inner-keyed sponge in the multi-target setting, a proof which internally featured a security analysis of the Even-Mansour block cipher in the multi-target setting. The direction of multi-target security was subsequently popularized by Mouha and Luykx [40], leading to various multi-target security results [4, 33] with security bounds (almost) independent of the number of targets involved.
1.3 Our Contribution
We present a generalization of the full-state keyed duplex that facilitates multiple instances by design (Sect. 2.2). This generalization is realized via the formalization of a state initialization function that has access to a key array \(\mathbf {K}\) consisting of u keys of size \(k\), generated following a certain distribution. Given as input a key index \(\delta \) and an initialization vector \(\mathrm {iv}\), it initializes the state using \(\mathrm {iv}\) and the \(\delta \)-th key taken from \(\mathbf {K}\). We capture its functional behavior under the name of an extendable input function (XIF) and explicitly define its idealized instance.
Unlike the approach of Mennink et al. [38], who viewed the full-state keyed duplex as an extension of the full-state keyed sponge, our analysis is a dedicated analysis of the full-state keyed duplex. To accommodate bounds for different use cases, we have applied a rephasing to the definition of the keyed duplex. In former definitions of the (keyed) duplex, a duplexing call consisted of input injection, applying the permutation f, and then output extraction. In our new definition, the processing is as follows: first the permutation f, then output extraction, and finally input injection. This adjustment reflects a property present in practically all modes based on the keyed duplex, namely that the user (or adversary) must provide the input before knowing the previous output. The rephasing allows us to prove a bound on the keyed duplex that is tight even for those use cases. The fact that, in previous definitions, an adversary could see the output before providing the input allowed it to force the outer part of the state to a value of its choice, and as such gave rise to a term in the bound that is at worst \(MN/2^c\) and at best \(\mu N/2^c\), where \(\mu \) is a term that reflects a property of the transcript that needs to be bounded by out-of-band reasoning.
Comparison of the schemes analyzed in earlier works and this work. By “pure bound” we mean that the derived security bound is expressed purely as a function of the adversary’s capabilities. Differences in bounds are not reflected by the table.
| Scheme | Full-state absorption | Extendable output | Multi-target | Pure bound |
| --- | --- | --- | --- | --- |
| Bertoni et al. [13] | — | \(\checkmark \) | — | \(\checkmark \) |
| Bertoni et al. [11] | — | \(\checkmark \) | — | \(\checkmark \) |
| Chang et al. [21] | — | \(\checkmark \) | — | \(\checkmark \) |
| Andreeva et al. [2] | — | \(\checkmark \) | \(\checkmark \) | — |
| Gaži et al. [29] | \(\checkmark \) | — | — | \(\checkmark \) |
| Mennink et al. [38] | \(\checkmark \) | \(\checkmark \) | — | — |
| Naito and Yasuda [42] | — | \(\checkmark \) | — | \(\checkmark \) |
| This work | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) |
Application of our analysis to Ketje, Ascon, NORX, and Keyak. For the nonce misuse case, we consider \(L+\varOmega =M/2\). A “Strength” equal to s means that it requires a computational effort \(2^s\) to distinguish. Here, \(a=\log _2(Mr)\).
| Scheme | Variant | b | c | r | Strength | Equation | Misuse strength (Eq. (2)) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Ketje [15] | Jr | 200 | 184 | 16 | \(\min \{196-a,177\}\) | | \(189-a\) |
| | Sr | 400 | 368 | 32 | \(\min \{396-a,360\}\) | | \(374-a\) |
| Ascon [24] | 128 | 320 | 256 | 64 | \(\min \{317-a,248\}\) | | \(263-a\) |
| | 128a | 320 | 192 | 128 | \(\min \{318-a,184\}\) | | \(200-a\) |
| NORX [3] | 32 | 512 | 128 | 384 | 127 | (3) | \(137-a\) |
| | 64 | 1024 | 256 | 768 | 255 | (3) | \(266-a\) |
| Keyak [16] | River | 800 | 256 | 544 | 255 | (3) | \(266-a\) |
| | Lake | 1600 | 256 | 1344 | 255 | (3) | \(267-a\) |
Our general security bound, covering among others a broader spectrum of key sampling distributions, is given in Theorem 1. It is noteworthy that, via the built-in support of multiple targets, we manage to obtain a security bound that is largely independent of the number of users u: the only appearance is in the key guessing part, \(q_\mathrm {iv}N/2^k\), which shows an expected decrease in the security strength of exhaustive key search by a term \(\log _2 q_\mathrm {iv}\). Note that security erosion can be avoided altogether by requiring \(\mathrm {iv}\) to be a global nonce, different for each initialization call (irrespective of the used key).
Our analysis improves over the one of [38] in multiple aspects. First, our security bound shows less security erosion for increasing data complexities. Whereas in (1) security strength erodes to \(k - \log _2 M\), in (2) this is \(c - \log _2(L + \varOmega )\) with \(L + \varOmega < M\). By taking \(c > k + \log _2 M_{\max }\) with \(M_{\max }\) some upper bound on the amount of data an adversary can get its hands on, one can guarantee that this term does not allow attacks faster than exhaustive key search.
Second, via the use of parameters L and \(\varOmega \) our bound allows for a more flexible interpretation and a wide range of use cases. For example, in stream ciphers, \(L=\varOmega =0\) by design. This also holds for most duplexbased authenticated encryption schemes in the case of noncerespecting adversaries that cannot obtain unverified decrypted ciphertexts.
Third, even in the general case (with key size taken equal to c bits and no nonce restriction on \(\mathrm {iv}\)), our bound still improves over the one of [38] by replacing the multiplicity metric, which can only be evaluated a posteriori, by the metrics L and \(\varOmega \), which reflect what the adversary can do.
Fourth, in our approach we address the multi-key aspect natively. This allows us to determine the required set of properties on the joint distribution of all keys under attack. Theorem 1 holds for any key sampling technique in which each individual key has sufficient min-entropy and the probability that two keys in the array collide is sufficiently small, and demonstrates that the full-state keyed duplex remains secure even if the keys are not independently and uniformly randomly distributed.
Finally, we perform an analysis of the contribution of outer-state multicollisions to the bound that is of independent interest. This analysis strongly contributes to the tightness of our bounds, as we illustrate in the Stairway to Heaven graph in Fig. 4.
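The first improvement above, comparing the erosion terms \(k-\log _2 M\) of (1) and \(c-\log _2(L+\varOmega )\) of (2), can be made concrete with a small numeric sketch. The parameter values below (key size, capacity, data complexity) are illustrative assumptions, not values taken from the paper:

```python
import math

def strength_old(k: int, M: int) -> float:
    """Erosion term of bound (1): security strength k - log2(M)."""
    return k - math.log2(M)

def strength_new(c: int, L_plus_Omega: int) -> float:
    """Erosion term of bound (2): security strength c - log2(L + Omega)."""
    return c - math.log2(L_plus_Omega)

# Hypothetical example: 128-bit key, capacity c = 256,
# M = 2^64 data blocks, of which L + Omega = 2^32.
print(strength_old(128, 2**64))   # 64.0
print(strength_new(256, 2**32))   # 224.0
```

With these numbers the old term caps the strength at 64 bits, whereas the new term stays far above the 128-bit exhaustive-key-search level, illustrating why choosing \(c > k + \log _2 M_{\max }\) makes this term irrelevant in practice.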
1.4 Notation
For an integer \(n\in \mathbb {N}\), we denote \(\mathbb {Z}_n=\{0,\ldots ,n-1\}\) and by \(\mathbb {Z}_2^{n}\) the set of bit strings of length n. \(\mathbb {Z}_2^*\) denotes the set of bit strings of arbitrary length. For two bit strings \(s,t\in \mathbb {Z}_2^n\), their bitwise addition is denoted \(s+t\). The expression \({\lfloor s \rfloor _{\ell }}\) denotes the bit string s truncated to its first \(\ell \) bits. A random oracle [6] \({\mathcal {RO}}:\mathbb {Z}_2^*\rightarrow \mathbb {Z}_2^n\) is a function that maps bit strings of arbitrary length to bit strings of some length n. In this paper, the value of n is determined by the context. We denote by \((x)_{(y)}\) the falling factorial power \((x)_{(y)}=x(x-1)\cdots (x-y+1)\).
Throughout this work, b denotes the width of the permutation f. The parameters c and r denote the capacity and rate, where \(b=c+r\). For a state value \(s\in \mathbb {Z}_2^b\), we follow the general convention to define its outer part by \(\overline{s}\in \mathbb {Z}_2^r\) and its inner part by \(\widehat{s}\in \mathbb {Z}_2^c\), in such a way that \(s=\overline{s}\,\Vert \,\widehat{s}\). The key size is conventionally denoted by \(k\), and the number of users by u. Throughout, we assume that \(u\le 2^k\), and regularly use an encoding function \(\mathsf {Encode}:\mathbb {Z}_u\rightarrow \mathbb {Z}_2^k\), mapping integers from \(\mathbb {Z}_u\) to \(k\)-bit strings in some injective way.
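For readers who prefer code, the outer/inner split and the falling factorial can be expressed as small helpers. Representing a b-bit state as a big-endian integer is an assumption made here purely for illustration:

```python
def split_state(s: int, b: int, r: int):
    """Split a b-bit state (big-endian integer) into its outer part
    (first r bits) and inner part (last c = b - r bits)."""
    c = b - r
    outer = s >> c               # first r bits
    inner = s & ((1 << c) - 1)   # last c bits
    return outer, inner

def falling_factorial(x: int, y: int) -> int:
    """(x)_(y) = x (x-1) ... (x-y+1); equals 1 when y = 0."""
    out = 1
    for i in range(y):
        out *= x - i
    return out
```

For example, with \(b=5\) and \(r=2\), the state 10111 splits into outer part 10 and inner part 111.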
2 Constructions
In Sect. 2.1, we will discuss the key sampling technique used in this work. The keyed duplex construction is introduced in Sect. 2.2, and we present its "ideal equivalent," the ideal extendable input function, in Sect. 2.3. To suit the security analysis, we will also need an in-between hybrid, the randomized duplex, discussed in Sect. 2.4.
2.1 Key Sampling
Our keyed duplex construction has built-in multi-user support, and we start with a formalization of the key sampling that we consider. At a high level, our formalization is not specific to the keyed duplex, and may be of independent interest for modeling multi-target attacks.
Two plausible examples of the key distribution are random sampling with replacement and random sampling without replacement. In the former case, all keys are generated uniformly at random and pairwise independently, but this may cause problems in case of accidental collisions in the key array. The latter distribution resolves this by generating each key uniformly at random from the space of values excluding the ones already sampled. A third, more extreme, example of \(\mathcal {D}_\mathrm{K}\) generates \(\mathbf {K}[0]\) uniformly at random and defines all subsequent keys as \(\mathbf {K}[\delta ] = \mathbf {K}[0] +\mathsf {Encode}(\delta )\).
2.2 Keyed Duplex Construction
The keyed duplex construction (KD) calls a b-bit permutation f and is given access to an array \(\mathbf {K}\) consisting of \({u}\) keys of size \(k\) bits. A user can make two calls: initialization and duplexing calls.
In an initialization call it takes as input a key index \(\delta \) and a string \(\mathrm {iv}\in \mathbb {Z}_2^{b-k}\) and initializes the state as \(f(\mathbf {K}[\delta ]\Vert \mathrm {iv})\). In the same call, the user receives an r-bit output string Z and injects a b-bit string \(\sigma \). A duplexing call just performs the latter part: it updates the state by applying f to it, returns to the user an r-bit output string Z and injects a user-provided b-bit string \(\sigma \).
Both in initialization and duplexing calls, the output string Z is taken from the state prior to the addition of \(\sigma \) to it, but the user has to provide \(\sigma \) before receiving Z. This is in fact a rephasing compared to the original definition of the duplex [11] or of the full-state keyed duplex [38], and it aims at better reflecting typical use cases. We illustrate this with the SpongeWrap authenticated encryption scheme [11] and its more recent variants [38]. In this scheme, each plaintext block is typically encrypted by (i) applying f, (ii) fetching a block of key stream, (iii) adding the key stream and plaintext blocks to get a ciphertext block, and (iv) adding the plaintext block to the outer part of the state. By inspecting Algorithm 3 in [11], there is systematically a delay between the production of key stream and its use, requiring to buffer a key stream block between the (original) duplexing calls. In contrast, our rephased calls better match the sequence of operations.
The flag in the initialization and duplexing calls is required to implement decryption in SpongeWrap and variants. In that case, the sequence of operations is the same as above, except that step (iii) consists of adding the key stream and ciphertext blocks to get a plaintext block. However, a user would need to see the key stream block before being able to add the plaintext block in step (iv). One can see, however, that step (iv) is equivalent to overwriting the outer part of the state with the ciphertext block. Switching between adding the plaintext block (for encryption) and overwriting with the ciphertext block (for decryption) is the purpose of the flag. The usage of the flag, alongside the rephasing, is depicted in Fig. 1.
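A minimal Python sketch of this rephased interface may help fix ideas. The toy permutation, the byte-level parameters, and the precise flag handling are illustrative assumptions, not the paper's exact algorithm:

```python
import hashlib

B, R, K_LEN = 32, 16, 16   # toy parameters in bytes: width b, rate r, key size k

def f(state: bytes) -> bytes:
    """Toy stand-in for the b-bit permutation (illustration only)."""
    return hashlib.sha256(state).digest()[:B]

class KeyedDuplex:
    def __init__(self, keys):             # keys: array K of u keys of K_LEN bytes
        self.K = keys
        self.state = bytes(B)

    def init(self, delta: int, iv: bytes, sigma: bytes, flag: bool) -> bytes:
        assert len(iv) == B - K_LEN
        self.state = f(self.K[delta] + iv)      # state <- f(K[delta] || iv)
        return self._extract_and_inject(sigma, flag)

    def duplexing(self, sigma: bytes, flag: bool) -> bytes:
        self.state = f(self.state)              # rephased: apply f first ...
        return self._extract_and_inject(sigma, flag)

    def _extract_and_inject(self, sigma: bytes, flag: bool) -> bytes:
        Z = self.state[:R]                      # ... then extract the r-bit output
        if flag:    # overwrite outer part with sigma (decryption direction)
            outer = sigma[:R]
        else:       # add sigma to the outer part (encryption direction)
            outer = bytes(a ^ b for a, b in zip(self.state[:R], sigma[:R]))
        inner = bytes(a ^ b for a, b in zip(self.state[R:], sigma[R:]))
        self.state = outer + inner              # inject the b-bit sigma
        return Z
```

Note that \(\sigma\) and the flag are arguments of the call while Z is its return value, mirroring the rephasing: the user commits to the input before seeing the output.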
2.3 Ideal Extendable Input Function
We define an ideal extendable input function (IXIF) in Algorithm 2. It has the same interface as KD, but instead it uses a random oracle \({\mathcal {RO}}:\mathbb {Z}_2^*\rightarrow \mathbb {Z}_2^r\) to generate its responses. In particular, every initialization call initializes a \(\mathsf {Path}\) as \(\mathsf {Encode}(\delta )\Vert \mathrm {iv}\). In both initialization and duplexing calls, an r-bit output is generated by evaluating \({\mathcal {RO}}(\mathsf {Path})\) and the b-bit input string \(\sigma \) is absorbed by appending it to the \(\mathsf {Path}\). Figure 2 has an illustration of IXIF (at the right).
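A Python sketch of this behavior, with a hash-based stand-in for \(\mathcal {RO}\) and a 2-byte encoding of \(\delta\) (both illustrative assumptions; note that since every absorbed \(\sigma\) has a fixed b-bit length, plain concatenation keeps paths unambiguous):

```python
import hashlib

R = 16  # toy rate in bytes

def RO(path: bytes) -> bytes:
    """Stand-in for the random oracle RO: Z_2^* -> Z_2^r (illustration only)."""
    return hashlib.sha256(b'RO' + path).digest()[:R]

class IXIF:
    def __init__(self):
        self.path = b''

    def init(self, delta: int, iv: bytes, sigma: bytes) -> bytes:
        self.path = delta.to_bytes(2, 'big') + iv   # Path <- Encode(delta) || iv
        return self._output_and_absorb(sigma)

    def duplexing(self, sigma: bytes) -> bytes:
        return self._output_and_absorb(sigma)

    def _output_and_absorb(self, sigma: bytes) -> bytes:
        Z = RO(self.path)     # r-bit output depends only on the current Path
        self.path += sigma    # absorb sigma by appending it to the Path
        return Z
```

The key property visible here is that the output is a function of the entire query history encoded in \(\mathsf {Path}\): two users replaying the same \((\delta ,\mathrm {iv},\sigma ,\ldots )\) sequence get identical outputs, and any deviation produces an independent-looking output.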
2.4 Randomized Duplex Construction
3 Security Setup
The security analysis in this work is performed in the distinguishability framework where one bounds the advantage of an adversary \(\mathcal {A}\) in distinguishing a real system from an ideal system.
Definition 1
Lemma 1
The H-coefficient technique can thus be used to neatly bound a distinguishing advantage in the terminology of Definition 1, and a proof typically goes in four steps: (i) investigate what transcripts look like, which gives a definition for \(\mathcal {T}\), (ii) define the partition of \(\mathcal {T}\) into \(\mathcal {T}_\mathrm {good}\) and \(\mathcal {T}_\mathrm {bad}\), (iii) investigate the fraction of (8) for good transcripts, and (iv) analyze the probability that \(D_{\mathcal {P}}\) generates a bad transcript.
4 Security of Keyed Duplex Construction
We prove that the full-state keyed duplex construction (KD) is sound. We do so by proving an upper bound on the advantage of distinguishing the KD calling a random permutation f from an ideal extendable input function (IXIF). Both in the real and the ideal world the adversary gets additional query access to f and \(f^{-1}\), simply denoted as \(f\).
The main result is stated in Sect. 4.2, but before doing so, we specify the resources of the adversary in Sect. 4.1.
4.1 Quantification of Adversarial Resources
Following Andreeva et al. [2], we specify adversarial resources that impose limits on the transcripts that any adversary can obtain. The basic resource metrics are quantitative: they specify the number of queries an adversary is allowed to make for each type.

N : the number of primitive queries. It corresponds to computations requiring no access to the (keyed) construction. It is usually called the time or offline complexity. In practical use cases, N is only limited by the computing power and time available to the adversary.

M : the number of construction queries. It corresponds to the amount of data processed by the (keyed) construction. It is usually called the data or online complexity. In many practical use cases, M is limited.
We remark that identical calls are counted only once. In other words, N only counts the number of primitive queries, and M only counts the number of unique tuples \((\mathsf {Path},\sigma )\).
It is possible to perform an analysis solely based on these metrics, but in order to more accurately cover practical settings that were not covered before (such as the multi-key setting or the nonce-respecting setting), and to eliminate the multiplicity (a metric used in all earlier results in this direction), we define a number of additional metrics.

q: the total number of different initialization tuples \((\mathsf {Encode}(\delta ),\mathrm {iv})\). Parameter q corresponds to the number of times an adversary can start a fresh initialization of KD or IXIF.

\(q_\mathrm {iv}\): the \(\mathrm {iv}\) multiplicity, the maximum number of different initialization tuples \((\mathsf {Encode}(\delta ),\mathrm {iv})\) with the same \(\mathrm {iv}\), maximized over all \(\mathrm {iv}\) values.

\(\varOmega \): the number of queries with \(\text {flag}= \text {true}\).

L: the number of construction queries M minus the number of distinct paths. It corresponds to the number of construction queries that have the same \(\mathsf {Path}\) as some prior query.
In many practical use cases, q is limited, but as it turns out reinitialization queries give the adversary more power. The metric \(q_\mathrm {iv}\) is relevant in multi-target attacks, where clearly \(q_\mathrm {iv}\le {u}\). The relevance of \(\varOmega \) and L is the following. In every query with flag equal to true, the adversary can force the outer part of the input to f in a later query to a chosen value \(\alpha \) by taking \(\overline{\sigma } = \alpha \). Note that, as discussed in Sect. 2.2, by adopting authenticated encryption schemes with a slightly non-conventional encryption method, \(\varOmega \) can be forced to zero. Similarly, construction queries with the same path return the same value Z, and hence allow an adversary to force the outer part of the input to f in a later query to a chosen value \(\alpha \) by taking \(\sigma \) such that \(\overline{\sigma } = Z + \alpha \). An adversary can use this technique to increase the probability of collisions in \(f(s)+\sigma \) and to speed up inner state recovery. By definition, \(L \le M-1\), but in many cases L is much smaller. In particular, if one considers KD in the nonce-respecting setting, where no \((\mathsf {Encode}(\delta ),\mathrm {iv})\) occurs twice, the adversary never generates a repeating path, and \(L=0\).
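As a concrete illustration, these metrics can be computed mechanically from a transcript. The tuple encodings below (init calls as \((\delta ,\mathrm {iv})\) pairs, construction queries as \((\mathsf {Path},\sigma ,\text {flag})\) triples) are hypothetical choices made for this sketch:

```python
from collections import Counter

def resource_metrics(init_calls, construction_queries):
    """Compute q, q_iv, Omega, L, M from a transcript.
    init_calls: list of (delta, iv) tuples.
    construction_queries: list of (path, sigma, flag) tuples.
    Identical calls are counted only once, as in the text."""
    unique_inits = set(init_calls)
    q = len(unique_inits)                              # distinct (delta, iv) tuples
    q_iv = max(Counter(iv for _, iv in unique_inits).values())  # iv multiplicity
    unique_queries = set(construction_queries)
    M = len(unique_queries)                            # distinct (Path, sigma) queries
    Omega = sum(1 for _, _, flag in unique_queries if flag)     # flagged queries
    L = M - len({path for path, _, _ in unique_queries})        # repeated-path queries
    return q, q_iv, Omega, L, M
```

For instance, a transcript in which one path is queried with two different \(\sigma\) values contributes 1 to L, matching the definition "M minus the number of distinct paths."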
4.2 Main Result
Our bound uses a function that is defined in terms of a simple ballsintobins problem.
Definition 2
In words, when uniformly randomly sampling M elements from a set of \(2^r\) elements, the probability that some element is sampled more than x times is at most \(x/2^{c}\).
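The balls-into-bins quantity behind Definition 2 can be explored empirically. This Monte Carlo estimator is a naive illustration (not part of the analysis) of the probability that the maximal bin load \(\mu \) exceeds a threshold x when M balls are thrown uniformly into \(2^r\) bins:

```python
import random

def max_load(M: int, r: int, rng: random.Random) -> int:
    """Throw M balls uniformly into 2^r bins; return the maximum bin load."""
    bins = {}
    for _ in range(M):
        bin_index = rng.getrandbits(r)
        bins[bin_index] = bins.get(bin_index, 0) + 1
    return max(bins.values())

def estimate_exceed_prob(M: int, r: int, x: int,
                         trials: int = 500, seed: int = 1) -> float:
    """Monte Carlo estimate of Pr(mu_{M, 2^r} > x)."""
    rng = random.Random(seed)
    return sum(max_load(M, r, rng) > x for _ in range(trials)) / trials
```

One could then approximate the multicollision limit function by searching for the smallest x at which this estimated probability drops below \(x/2^c\); the estimator is only a sanity-check tool, since the proof bounds this probability analytically.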
Theorem 1
The proof is given in Sect. 4.3.
4.3 Proof of Theorem 1
The two remaining distances, i.e., the first term of (9) and the term of (10), will be analyzed in the next lemmas. The proof of Theorem 1 directly follows.
Lemma 2
Lemma 3
The proof of Lemma 2 is given in Sect. 5, and the proof of Lemma 3 is given in Sect. 6.
5 Distance Between RD and IXIF
Bounding the H-coefficient Ratio for Good Transcripts. Denote \(\mathcal {O}={\textsc {RD}^{\phi ,\pi }_{}}\) and \(\mathcal {P}={\textsc {IXIF}^{{\mathcal {RO}}}}\) for brevity. Consider a good transcript \(\tau \in \mathcal {T}_\mathrm {good}\). For the real world \(\mathcal {O}\), the transcript defines exactly q input-output pairs for \(\phi \) and exactly \(M-q-L\) input-output pairs for \(\pi \). It follows that \(\Pr \left( D_{\mathcal {O}}=\tau \right) = 1/((2^b)_{(q)}(2^b)_{(M-q-L)})\). For the ideal world \(\mathcal {P}\), every different \(\mathsf {Path}\) defines exactly one evaluation of \({\mathcal {RO}}(\mathsf {Path})\Vert {\mathcal {RO}}'(\mathsf {Path})\), so \(\Pr \left( D_{\mathcal {P}}=\tau \right) = 2^{-(M-L)b}\). We consequently obtain that \(\displaystyle \frac{\Pr \left( D_{\mathcal {O}}=\tau \right) }{\Pr \left( D_{\mathcal {P}}=\tau \right) } \ge 1\).
Bounding the Probability of Bad Transcripts in the Ideal World. In the ideal world, every t is generated as \({\mathcal {RO}}(\mathsf {Path})\Vert {\mathcal {RO}}'(\mathsf {Path})\). As the number of distinct \(\mathsf {Path}\)'s in \(\tau \) is \(M-L\), there are \(\left( {\begin{array}{c}M-L\\ 2\end{array}}\right) \) possibilities for a t-collision, each occurring with probability \(2^{-b}\). The probability of such a collision is hence at most \(\left( {\begin{array}{c}M-L\\ 2\end{array}}\right) /2^b\).
6 Distance Between KD and RD
In this section we bound the advantage of distinguishing the keyed duplex from a randomized duplex, (12) of Lemma 3. The analysis consists of four steps. In Sect. 6.1, we revisit the KD-vs-RD setup, and exclude the case where the queries made by the adversary result in a forward multiplicity that exceeds a certain threshold \(T_\mathrm {fw}\). Next, in Sect. 6.2 we convert our distinguishing setup to a simpler one, called the permutation setup and illustrated in Fig. 3. In this setup, the adversary has direct query access to the primitives \(\phi \) and \(\pi \) of the randomized duplex, and at the keyed duplex side, we define two constructions on top of f that turn out to be hard to distinguish from \(\phi \) and \(\pi \). We carefully translate the resources of the adversary \(\mathcal {B}\) in the KD-vs-RD setup to those of the adversary \(\mathcal {C}\) in the permutation setup. In Sect. 6.3 we subsequently prove a bound in this setup. This analysis in part depends on a threshold on backward multiplicities \(T_\mathrm {bw}\). In Sect. 6.4 we return to the KD-vs-RD setup and blend all results. Finally, in Sects. 6.5 and 6.6 we analyze the function \(\nu _{r,c}^{M}\) that plays an important role in our analysis.
We remark that forward and backward multiplicity appeared before in Bertoni et al. [10] and Andreeva et al. [2], but we resolve them internally in the proof. There is a specific reason for resolving forward multiplicity before the conversion to the permutation setup and backward multiplicity after this conversion. Namely, in the permutation setup, an adversary could form its queries so that the forward multiplicity equals \(M-q\), leading to a non-competitive bound, while the backward multiplicity cannot be controlled by the adversary as it cannot make inverse queries to the constructions. It turns out that, as discussed in Sect. 6.4, we can bound the thresholds as functions of M, L, and \(\varOmega \).
6.1 The KD-vs-RD Setup
6.2 Entering the Permutation Setup
6.3 Distinguishing Bound for the Permutation Setup
Description of Transcripts. The adversary has access to either \(({I}^{f}_{\kappa ,\mathbf {K}},{E}^{f}_{\kappa }, {f})\) or \((\phi ,\pi , {f})\). The queries of the adversary and their responses are assembled in three transcripts \({\tau _\mathrm{f}}, {\tau _\mathrm{d}}\), and \({\tau _\mathrm{i}}\).
 \({\tau _\mathrm{f}}=\{(x_j,y_j)\}_{j=1}^N\)

The queries to f and \(f^{-1}\). The transcript does not record whether the query was \(y = f(x)\) or \(x = f^{-1}(y)\).
 \({\tau _\mathrm{i}}= \{(\delta _i,\mathrm {iv}_i,t_i)\}_{i=1}^{q'}\)

The queries to the initialization function \(\mathcal {O}_{\mathrm {i}}\), \({I}^{f}_{\kappa ,\mathbf {K}}\) in the real world and \(\phi \) in the ideal world.
 \({\tau _\mathrm{d}}=\{(s_i,t_i)\}_{i=1}^{M'}\)

The queries to the duplexing function \(\mathcal {O}_{\mathrm {d}}\), \({E}^{f}_{\kappa }\) in the real world and \(\pi \) in the ideal world.
We define the backward multiplicity as characteristic of the transcript \(\tau \):
Definition 3
Bounding the H-coefficient Ratio for Good Transcripts. Denote \(\mathcal {O}=({I}^{f}_{\kappa ,\mathbf {K}},{E}^{f}_{\kappa }, {f})\) and \(\mathcal {P}=(\phi ,\pi , {f})\) for brevity. Consider a good transcript \(\tau \in \mathcal {T}_\mathrm {good}\).
In the real world \(\mathcal {O}\), the transcript defines exactly \(q'+M'+N\) input-output pairs of f, so \(\Pr \left( D_{\mathcal {O}}=\tau \right) = 1/(2^b)_{(q'+M'+N)}\). In the ideal world \(\mathcal {P}\), the tuples in \({\tau _\mathrm{f}}\) define exactly N input-output pairs for f, the tuples in \({\tau _\mathrm{i}}\) define exactly \(q'\) input-output pairs for \(\phi \), and the tuples in \({\tau _\mathrm{d}}\) define exactly \(M'\) input-output pairs for \(\pi \). It follows that \(\Pr \left( D_{\mathcal {P}}=\tau \right) = 1/((2^b)_{(N)}(2^b)_{(q')}(2^b)_{(M')})\). We consequently obtain that \(\displaystyle \frac{\Pr \left( D_{\mathcal {O}}=\tau \right) }{\Pr \left( D_{\mathcal {P}}=\tau \right) } \ge 1\).
Bounding the Probability of Bad Transcripts in the Ideal World. In the ideal world, \(\kappa \) is generated uniformly at random. The key array \(\mathbf {K}\) is generated according to distribution \(\mathcal {D}_\mathrm{K}\), cf., Sect. 2.1. We will use the minentropy and maximum collision probability definitions of (6) and (7).
For (20), fix any \((x,y) \in {\tau _\mathrm{f}}\). There are at most \(q_\mathrm {iv}\) tuples in \({\tau _\mathrm{i}}\) with \(\mathrm {iv}\) equal to the last \(b-k\) bits of x. For any of those tuples, the probability that the first \(k\) bits of x are equal to \(\mathbf {K}[\delta ]\) is at most \(2^{-H_{\min }(\mathcal {D}_\mathrm{K})}\), cf., (6). The collision probability is hence at most \(q_\mathrm {iv}N/2^{H_{\min }(\mathcal {D}_\mathrm{K})}\).
For (21), fix any \((x,y) \in {\tau _\mathrm{f}}\). There are at most \(T_\mathrm {fw}\) tuples in \({\tau _\mathrm{d}}\) with \(\overline{x}=\overline{s}\). For any of those tuples, the probability that \(\widehat{x}=\widehat{s} +\kappa \) is \(2^{-c}\). The collision probability is hence at most \(T_\mathrm {fw}N/2^c\).
For (24) or (25), we will assume \(\lnot \)(27). Fix any \((x,y) \in {\tau _\mathrm{f}}\). There are at most \(T_\mathrm {bw}\) tuples in \({\tau _\mathrm{i}}\cup {\tau _\mathrm{d}}\) with \(\overline{y}=\overline{t}\). For any of those tuples, the probability that \(\widehat{y}=\widehat{t}+\kappa \) is \(2^{-c}\). The collision probability is hence at most \(T_\mathrm {bw}N/2^c\).
For (26), fix any \((\delta ,\mathrm {iv},t)\in {\tau _\mathrm{i}}\) and any \((s',t')\in {\tau _\mathrm{d}}\). As \(\phi \) and \(\pi \) are only evaluated in the forward direction, and \(\phi \) is queried at most \(q'\) times, the probability that \(t=t'\) for these two tuples is at most \(1/(2^b-q')\). The collision probability is hence at most \(M'q'/(2^b-q')\).
For (23), a collision of this form implies the existence of two distinct \(\delta ,\delta '\) such that \(\mathbf {K}[\delta ]=\mathbf {K}[\delta ']\). This happens with probability at most \(\binom{u}{2}/2^{H_{\text {coll}}(\mathcal {D}_\mathrm{K})}\), cf., (7).
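For uniformly random k-bit keys, \(H_{\text {coll}}(\mathcal {D}_\mathrm{K})=k\) and this term is the usual birthday bound on u keys. A minimal sketch evaluating it (the function name and the example parameters are ours, for illustration only):

```python
from math import comb

def key_collision_bound(u, h_coll):
    """Upper bound binom(u, 2) / 2^{H_coll} on the probability that two of
    the u instance keys collide; for uniform k-bit keys, h_coll = k."""
    return comb(u, 2) / 2**h_coll

# e.g. 2^20 instances with uniform 128-bit keys: the term stays far below 2^-80,
# so the bound is largely independent of the number of instances
assert key_collision_bound(2**20, 128) < 2**-80
```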
6.4 Returning to the KD-vs-RD Setup

\(q' \le q\): for every query to \(\mathcal {O}_{\mathrm {i}}\) there must be at least one initialization query.

\(M' \le M-q-L\): the subtraction of L is there because queries with repeated paths just give duplicate queries to \(\mathcal {O}_{\mathrm {i}}\), and the q initialization queries do not give queries to \(\mathcal {O}_{\mathrm {d}}\).
Although the probabilities on \(\mu _\mathrm {fw}\) and \(\mu _\mathrm {bw}\) are defined differently (the former in the KD-vs-RD setup, the latter in the permutation setup), in essence they are highly related and we can rely on the multicollision limit function of Definition 2 for their analysis. There is one caveat. Definition 2 considers balls thrown uniformly at random into the \(2^r\) bins, hence a bin is hit with probability \(2^{-r}\). In Lemma 6 in upcoming Sect. 6.6, we will prove that for non-uniform bin allocation, where the probability that a ball hits any particular bin is upper bounded by \(y2^{-r}\), the multicollision limit function is at most \(\nu _{r,c}^{yM}\). In our case the states are generated from a set of size at least \(2^b-M-N\) (for both \(\mathcal {O}\) and \(\mathcal {P}\)), and thus its outer part is thrown in a bin with probability at most \(2^c/(2^b-M-N)\), where we use that \(M+N\le 2^{b-1}\). Using the fact that \(\nu _{r,c}^{M}\) is a monotonic function in M and that \(2^b/(2^b-M-N) \le 2\) by the same bound on \(M+N\), we upper bound the multicollision limit function by \(\nu _{r,c}^{2(M-L)}\).
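The multicollision limit function of Definition 2 is the smallest x such that, when M balls are thrown uniformly into \(2^r\) bins, the maximum bin load \(\mu \) satisfies \(\Pr (\mu > x) < x/2^c\). A Monte Carlo sketch of this quantity (our own estimator with toy parameters; the paper works with exact bounds, not simulation):

```python
import random
from collections import Counter

def max_load(M, r, rng):
    """Maximum number of balls in any of the 2^r bins after M uniform throws."""
    return max(Counter(rng.randrange(2**r) for _ in range(M)).values())

def estimate_nu(M, r, c, trials=2000, seed=1):
    """Empirical estimate of nu_{r,c}^M: the smallest x such that
    Pr(mu > x) < x / 2^c, with the probability estimated over `trials` runs."""
    rng = random.Random(seed)
    samples = [max_load(M, r, rng) for _ in range(trials)]
    x = 1
    while sum(s > x for s in samples) / trials >= x / 2**c:
        x += 1
    return x

# Monotonicity in M, used above to pass from M - L to 2(M - L) balls:
assert estimate_nu(16, 4, 8) <= estimate_nu(64, 4, 8)
```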
6.5 Bounds on \(\nu _{r,c}^{M}\)
We will upper bound \(\nu _{r,c}^{M}\) by approximating the term \(\Pr (\mu > x)\) in Definition 2 by simpler expressions that are strictly larger.
Case \(\varvec{\lambda }<\) 1. Consider Eq. (33) with the value of x given, and look for the maximum value of \(\lambda \) such that it holds. This gives the value of \(\lambda \) where \(\nu _{r,c}^{M}\) transitions from \(x-1\) to x. We can now prove the following lemma.
Lemma 4
The value of \(\lambda \) where \(\nu _{r,c}^{M}\) transitions from \(x-1\) to x is lower bounded by \(2^{-b/x}\).
Proof
If we substitute \(\lambda \) by \(M2^{-r}\), this gives bounds on M for which \(\nu _{r,c}^{M}\) achieves a certain value. If we denote by \(M_x\) the value where \(\nu _{r,c}^{M}\) transitions from \(x-1\) to x, we have \(M_x \ge 2^{r-b/x} = 2^{((x-1)r-c)/x}\). In particular, \(M_2 \ge 2^{(r-c)/2}\). It follows that \(\nu _{r,c}^{M}\) is 1 for \(M \le 2^{(r-c)/2}\). Clearly, M must be an integer value, so the value of \(\nu _{r,c}^{M}\) for \(M=1\) will be above 1 if \(r < c+2\).
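The transition points are easy to tabulate. A small sketch with illustrative parameters (the rate/capacity split is ours; only the formula \(M_x \ge 2^{((x-1)r-c)/x}\) comes from the lemma):

```python
def transition_lower_bound(x, r, c):
    """Lower bound 2^{((x-1)r - c)/x} on M_x, the load at which nu_{r,c}^M
    transitions from x-1 to x (equivalently 2^{r - b/x} with b = r + c)."""
    return 2.0 ** (((x - 1) * r - c) / x)

r, c = 256, 64     # illustrative split with r > c
# nu_{r,c}^M stays 1 up to M_2 >= 2^{(r-c)/2} = 2^96 balls:
assert transition_lower_bound(2, r, c) == 2.0**96
```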
Lemma 5
Proof
Clearly, for large M, \(\nu _{r,c}^{M}\) asymptotically converges to \(M/2^r\).
6.6 Dealing with Nonuniform Sampling
In this section we address the non-uniform balls-and-bins problem. We consider the balls-and-bins problem for some values r and c where the probability that a ball hits a particular bin (of the \(2^r\) bins) is not \(2^{-r}\). In other words, the distribution is not uniform. In general, the probability distribution for the n-th ball depends on how the previous \(n-1\) balls were distributed. We denote this distribution by D and define \(D(i \mid s)\) as the probability that a ball falls in bin i given the sequence s of bins in which the previous \(n-1\) balls fell. We denote by \(\nu _{r,c}^{D,M}\) the variant of the multicollision limit function for the given distribution.
Definition 4
We can now prove the following lemma.
Lemma 6
If for every bin, according to the distribution D, the probability for a ball to end up in that bin satisfies \(\left| D(i \mid s)-2^{-r}\right| \le y2^{-r}\) for some \(y\le 0.1\) and any i and s, then \(\nu _{r,c}^{D,M} \le \nu _{r,c}^{2M}\), provided \(M\le y2^c\) and \(r\ge 5\).
Proof

Experiment 1: we drop 2M balls into \(2^r\) bins and the distribution is uniform.

Experiment 2: we drop M balls into \(2^r\) bins and the probability for a ball to land in any particular bin is between \((1-y)\cdot 2^{-r}\) and \((1+y)\cdot 2^{-r}\).
We need to prove that \(\nu _{r,c}^{2M}\) of the first experiment is at least \(\nu _{r,c}^{D,M}\) of the second experiment. The general strategy is as follows. First, we prove that \(\nu _{r,c}^{2M}\) is lower bounded by some threshold t. Then, if for all \(x \ge t\), we have \(\Pr \left( \mu ^{\text {exp 1}}> x\right) \ge \Pr \left( \mu ^{\text {exp 2}} > x\right) \), then \(\nu _{r,c}^{D,M} \le \nu _{r,c}^{2M}\) because \(x=\nu _{r,c}^{2M}\) satisfies the equation \(\Pr \left( \mu ^{\text {exp 2}} > x\right) < \frac{x}{2^c}\). Clearly, the condition above is satisfied if for all \(x \ge t\) and for all bins i, we have \(\Pr \left( X_i^{\text {exp 1}}> x\right) \ge \Pr \left( X_i^{\text {exp 2}} > x\right) \), where \(X_i\) is the number of balls in bin i. And in turn, it is satisfied if for all \(x \ge t\) and for all bins i, we have \(\Pr \left( X_i^{\text {exp 1}} = x\right) \ge \Pr \left( X_i^{\text {exp 2}} = x\right) \).
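The final per-bin comparison can be checked numerically in the independent-throws case: for a single bin, Experiment 1 gives a Binomial\((2M, 2^{-r})\) load, and Experiment 2 at most a Binomial\((M, (1+y)2^{-r})\) load (per-ball independence is a simplifying assumption of this sketch; the lemma handles general adaptive distributions D):

```python
from math import comb

def binom_pmf(n, k, p):
    # Probability of exactly k successes in n independent Bernoulli(p) trials
    return comb(n, k) * p**k * (1 - p) ** (n - k)

M, r, y = 200, 8, 0.1
p1, p2 = 2.0**-r, (1 + y) * 2.0**-r
# Above a small threshold t, the 2M-ball uniform experiment dominates pointwise:
for x in range(3, 20):
    assert binom_pmf(2 * M, x, p1) >= binom_pmf(M, x, p2)
```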
Acknowledgement
Bart Mennink is supported by a postdoctoral fellowship from the Netherlands Organisation for Scientific Research (NWO) under Veni grant 016.Veni.173.017.