Beyond 2c/2 Security in Sponge-Based Authenticated Encryption Modes

  • Philipp Jovanovic
  • Atul Luykx
  • Bart Mennink
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8873)


The Sponge function is known to achieve 2 c/2 security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a min {2 c/2,2 κ } security bound, with κ the key length. Similarly, many CAESAR competition submissions are designed to comply with the classical 2 c/2 security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of min {2 b/2,2 c ,2 κ } asymptotically, with b > c the permutation size, by proving that the CAESAR submission NORX achieves this bound. Furthermore, we show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. For instance, NORX64 can increase its rate and decrease its capacity by 128 bits and Ascon-128 can encrypt three times as fast, both without affecting the security level of their underlying modes in the ideal permutation model.


Authenticated encryption CAESAR Ascon CBEAM ICEPOLE Keyak NORX PRIMATEs STRIBOB 


  1. 1.
    CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014),
  2. 2.
    Whiting, D., Housley, R., Ferguson, N.: AES Encryption and Authentication Using CTR Mode and CBC-MAC. IEEE 802.11-02/001r2 (2002)Google Scholar
  3. 3.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) ACM Conference on Computer and Communications Security, pp. 196–205. ACM (2001)Google Scholar
  4. 4.
    Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Function Workshop (2007)Google Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop (SKEW 2011) (2011)Google Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: Single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  10. 10.
    Aumasson, J., Jovanovic, P., Neves, S.: NORX v1 (2014), Submission to CAESAR competitionGoogle Scholar
  11. 11.
    Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1 (2014), Submission to CAESAR competitionGoogle Scholar
  12. 12.
    Minaud, B.: Re: CBEAM Withdrawn as of today! (2014), CAESAR mailing listGoogle Scholar
  13. 13.
    Saarinen, M.: CBEAM r1 (2014), Submission to CAESAR competitionGoogle Scholar
  14. 14.
    Saarinen, M.: CBEAM: Efficient authenticated encryption from feebly one-way φ functions. In: Benaloh (ed.) [9], pp. 251–269Google Scholar
  15. 15.
    Morawiecki, P., Gaj, K., Homsirikamol, E., Matusiewicz, K., Pieprzyk, J., Rogawski, M., Srebrny, M., Wójcik, M.: ICEPOLE v1 (2014), Submission to CAESAR competitionGoogle Scholar
  16. 16.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keyak v1 (2014), Submission to CAESAR competitionGoogle Scholar
  17. 17.
    Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mendel, F., Mennink, B., Mouha, N., Wang, Q., Yasuda, K.: PRIMATEs v1 (2014), Submission to CAESAR competitionGoogle Scholar
  18. 18.
    Saarinen, M.: Beyond modes: Building a secure record protocol from a cryptographic sponge permutation. In: Benaloh (ed.) [9], pp. 270–285Google Scholar
  19. 19.
    Saarinen, M.: STRIBOB r1 (2014), Submission to CAESAR competitionGoogle Scholar
  20. 20.
    Saarinen, M.: Authenticated encryption from GOST R 34.11-2012 LPS permutation. In: CTCrypt 2014 (2014)Google Scholar
  21. 21.
    Alizadeh, J., Aref, M., Bagheri, N.: Artemia v1 (2014), Submission to CAESAR competitionGoogle Scholar
  22. 22.
    Gligoroski, D., Mihajloska, H., Samardjiska, S., Jacobsen, H., El-Hadedy, M., Jensen, R.: π-Cipher v1 (2014), Submission to CAESAR competitionGoogle Scholar
  23. 23.
    Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Cryptology 21(4), 469–491 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  24. 24.
    Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  25. 25.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  27. 27.
    Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: Authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) FSE. LNCS. Springer (2014)Google Scholar
  28. 28.
    Jovanovic, P., Luykx, A., Mennink, B.: Beyond 2c/2 security in sponge-based authenticated encryption modes. Cryptology ePrint Archive, Report 2014/373 (2014), Full version of this paperGoogle Scholar
  29. 29.
    Wu, H.: The Hash Function JH (2011) Submission to NIST’s SHA-3 competitionGoogle Scholar
  30. 30.
    Bagheri, N.: Padding of Artemia (2014), CAESAR mailing listGoogle Scholar
  31. 31.
    Benaloh, J. (ed.): CT-RSA 2014. LNCS, vol. 8366. Springer, Heidelberg (2014)zbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Philipp Jovanovic
    • 1
  • Atul Luykx
    • 2
  • Bart Mennink
    • 2
  1. 1.Fakultät für Informatik und MathematikUniversität PassauGermany
  2. 2.Dept. Electrical Engineering, ESAT/COSICKU Leuven, and iMindsBelgium

Personalised recommendations