Security of Keyed Sponge Constructions Using a Modular Proof Approach
 30 Citations
 1.6k Downloads
Abstract
Sponge functions were originally proposed for hashing, but find increasingly more applications in keyed constructions, such as encryption and authentication. Depending on how the key is used we see two main types of keyed sponges in practice: inner and outerkeyed. Earlier security bounds, mostly due to the wellknown sponge indifferentiability result, guarantee a security level of c / 2 bits with c the capacity. We reconsider these two keyed sponge versions and derive improved bounds in the classical indistinguishability setting as well as in an extended setting where the adversary targets multiple instances at the same time. For cryptographically significant parameter values, the expected workload for an attacker to be successful in an ntarget attack against the outerkeyed sponge is the minimum over \(2^k/n\) and \(2^c/\mu \) with k the key length and \(\mu \) the total maximum multiplicity. For the innerkeyed sponge this simplifies to \(2^k/\mu \) with maximum security if \(k=c\). The multiplicity is a characteristic of the data available to the attacker. It is at most twice the data complexity, but will be much smaller in practically relevant attack scenarios. We take a modular proof approach, and our indistinguishability bounds are the sum of a bound in the PRP model and a bound on the PRPsecurity of EvenMansour type block ciphers in the ideal permutation model, where we obtain the latter result by using Patarin’s Hcoefficient technique.
Keywords
Sponge construction Keyed sponge (Authenticated) encryption Indistinguishability1 Introduction
Sponge functions are versatile cryptographic primitives that can be used for hashing, but also in a wide range of keyed applications, such as message authentication codes (MAC), stream encryption, authenticated encryption, and pseudorandom sequence generation [5, 7, 8]. This fact is illustrated by the large number of sponge based candidates in the CAESAR competition for authenticated encryption schemes [12]: Artemia [1], Ascon [15], ICEPOLE [23], Ketje [10], Keyak [11], NORX [3], \(\pi \)Cipher [19], PRIMATEs [2], Prøst [21] and STRIBOB [28]. More recently, Rivest and Schuldt [27] presented an update of the RC4 stream cipher with the name Spritz, also adopting a keyed sponge construction.
The sponge function consists of the application of the sponge construction to a fixedlength permutation (or transformation) f. It is a function that maps an input string of variable length to an output of arbitrary length. The duplex construction also makes use of a fixedlength permutation but results in a stateful object that can be fed with short input strings and from which short output strings can be extracted [8]. The above mentioned authenticated encryption schemes are for example based on the duplex construction. In [8] Bertoni et al. prove the security of the duplex construction equivalent to the security of the sponge construction, which means that any security result on the sponge construction is automatically valid for the duplex construction.
We can identify two types of keyed sponge functions, both of which we see applied in practice [1, 2, 3, 10, 11, 15, 19, 21, 23, 25, 28, 29]. The first type applies the key by taking it as the first part of the sponge input and we call it the outerkeyed sponge. The second innerkeyed sponge applies the key on the inner part of the initial state, and can be viewed as successive applications of the EvenMansour [16, 17] type block cipher, which in turn calls an unkeyed permutation.
One way to argue security of the keyed sponge constructions is via the indifferentiability result of [6]. This result guarantees that the keyed sponge constructions can replace random oracles in any singlestage cryptographic system [22, 26] as long as the total complexity of the adversary is less than \(2^{(c+1)/2}\). Bertoni et al. [9] derived an improved bound on the distinguishing advantage against the outerkeyed sponge by separating the total complexity into time and data complexity. However, their proof contains a subtle error: [9, Lemma 1] proves that the keyed sponge output is uniformly and independently distributed if certain conditions are fulfilled, whereas the proof requires uniformity of the joint keyed sponge output and queries to f, which does exhibit a bias. Regarding the innerkeyed sponge, Chang et al. considered security of the construction in the socalled standard model in [13]. Central in their reasoning is the clever trick to describe the keyed sponge as the sponge construction calling an EvenMansour block cipher. Their bound does however not go beyond the generic sponge indifferentiability bound of [6] as their main intention appears to have been to prove security in the standard model rather than the ideal permutation model.
1.1 Our Contribution
We prove bounds on the generic security of both types of keyed sponge constructions in the singletarget and multitarget scenarios. In the singletarget scenario, we bound the success probability of distinguishing a single instance of the construction from a random oracle for a given attack complexity and providing the adversary with additional access to the underlying permutation f. In the multitarget scenario, the adversary targets multiple instances of the keyed sponge at the same time. In practice, many systems support multiple users using the same algorithm and the adversary may be willing to leverage his resources to break at least one of the users’ account. It can be regarded as important to the system provider who wants to avoid losing credibility in such a case. For the multitarget analysis, we introduce a generalized version of indistinguishability security.
Our proofs are performed in two steps. Firstly, considering the keyed sponge constructions to be implicitly based on an underlying block cipher, we derive a bound for the distinguishing advantage of the constructions in the PRP model. Secondly, we deal with the PRP security of the EvenMansour construction in the ideal permutation model using Patarin’s Hcoefficient technique [14, 24]. This modular proof approach results in compact proofs that are easy to verify.
When estimating the required capacity c to achieve a required security level, the important term in all of the bounds is of the form \(\frac{M^2 + \mu N}{2^c}\). Here, M is the data complexity, N the time complexity, and \(\mu \) is the socalled total maximum multiplicity. The multiplicity is determined by the keyed sponge outputs available to the adversary and is a function of M. It first appeared in Bertoni et al. [7], and allows us to achieve bounds that significantly improve over the earlier singletarget bounds of [9, 13]. The multiplicity makes the bound widely applicable, as it allows to take into account the restrictions an adversary faces in a concrete use case. In more detail, in the worst case the multiplicity equals twice the data complexity but in many attack scenarios it is orders of magnitude smaller, leading to a tighter bound. For cryptographically significant parameter values, the dominant term in the bound is the time complexity by divided by \(2^c/\mu \). In other words, our bounds imply security beyond the birthday bound on the capacity for all existing keyed sponge based modes.
We remark that a recent work of Jovanovic et al. [20] proved bounds on the distinguishing advantage for keyed sponge based authenticated encryption. Their results are specific for authentication encryption modes applying a keyed sponge construction and explicitly require nonce uniqueness. Moreover, unlike the bounds in this paper, their bound contains a term involving the permutation width making it tight only for large rates. Additionally, our results yield a tight bound whatever the rate, exploiting the multiplicity, which is typically small in the case of unique nonce scenarios (see also Sect. 6). Finally, a concurrent work by Gaži et al. [18] proves tight bounds for the specific case of MACs produced by a keyed sponge, but without generalizing to other applications that require longer output lengths.
1.2 Version History
Gaži, Pietrzak, and Tessaro pointed out that the preproceedings version contains an oversight in the analysis of the outerkeyed sponge. Informally, the probability that a distinguisher guesses the key was bounded incorrectly. We have fixed the issue, using a result from Gaži et al. [18]. We refer to the proof of Theorem 6 and the subsequent discussion for more details.
1.3 Outline
The remainder of this paper is organized as follows. In Sect. 2, we provide the definitions of the constructions we use. This is followed by an introduction to the security model of indistinguishability in Sect. 3. In Sect. 4, we prove our bounds for the innerkeyed sponge and in Sect. 5 those for the outerkeyed sponge. Finally, we discuss the implications of our bounds in Sect. 6.
2 Definitions of Constructions
In this section we specify the constructions we address in this paper.
2.1 The Sponge Construction
The sponge construction operates on a state s of b bits, and calls a bbit permutation f. It takes as input a message \(m\in \{0,1\}^{*}\) and natural number \(\ell \) and outputs a potentially infinite string truncated to the chosen length \(\ell \in \mathbb {N}\), denoted \(z\in \{0,1\}^{\ell }\).

Absorbing phase: the rbit input message blocks are sequentially XORed into the outer part of the state, interleaved with applications of the function f;

Squeezing phase: the bits of the outer part of the state are returned as output blocks, interleaved with applications of the function f, until enough bits are produced.
2.2 The EvenMansour Construction
2.3 The RootKeyed Sponge
As a way to highlight the similarities between the inner and outerkeyed sponges, which we will define in the next sections, we define a common construction called the rootkeyed sponge. Basically, it is a variant of the sponge construction where the state is initialized to a key \(K\in \{0,1\}^{b}\) instead of \(0^b\). The rootkeyed sponge \(\textsc {RKS}^f_K\) is defined in Algorithm 2.
2.4 The InnerKeyed Sponge
2.5 The OuterKeyed Sponge
3 Security Model
The security analyses in this work are done in the indistinguishability framework where one bounds the advantage of an adversary \(\mathcal {A}\) in distinguishing a real system from an ideal system. The real system contains one or more specified constructions, while the ideal one consists of ideal functions with the same interface. We explain the highlevel idea for the case where \(\mathcal {A}\) attacks one instance of a keyed sponge construction.
Suppose \(f:\{0,1\}^{b}\rightarrow \{0,1\}^{b}\) is a permutation and consider a keyed sponge construction \(\mathcal {H}_K^f\) based on f and some key \(K\in \{0,1\}^{k}\). Let \(\mathcal {RO}\) be a random oracle [4] with the same interface as \(\mathcal {H}_K^f\). Adversary \(\mathcal {A}\) is given query access to either \(\mathcal {H}_K^f\) or \(\mathcal {RO}\) and tries to tell both apart. It is also given access to the underlying permutation f, which is modeled by query access. The random oracle is required to output infinitely long strings truncated to a certain length. The function can be defined as \(\mathcal {RO}:\{0,1\}^{*}\times \mathbb {N}\rightarrow \{0,1\}^{\mathbb {N}}\) that on input \((m,\ell )\) outputs \(\mathcal {RO}(m,\ell )=\lfloor \mathcal {RO}^\infty (m)\rfloor _\ell \), where \(\mathcal {RO}^\infty :\{0,1\}^{*}\rightarrow \{0,1\}^{\infty }\) takes inputs of arbitrary but finite length and returns random infinite strings where each output bit is selected uniformly and independently, for every m.
We similarly consider the PRP security of the EvenMansour construction \(E^f_K\), where \(\mathcal {A}\) is given query access to either this construction or a random permutation \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(b)\) with domain and range \(\{0,1\}^{b}\), along with query access to f. We also consider a slightly more advanced notion of kdPRP security, where the root key derivation function \(\textsc {kd}\) is applied to K first.
The security proofs of \(\textsc {IKS}\) and \(\textsc {OKS}\) consist of two steps: the first one reduces the security of the construction to the PRP security (for \(\textsc {IKS}\)) or kdPRP security (for \(\textsc {OKS}\)) of the EvenMansour construction. This step does not depend on f and is in fact a standardmodel reduction. Next, we investigate the PRP/kdPRP security of EvenMansour under the assumption that f is a random permutation.
3.1 Counting

Data or online complexityM: the amount of access to the construction \(\mathcal {H}_K^f\) or \(\mathcal {RO}\), that in many practical use cases is limited;

Time or offline complexityN: computations requiring no access to the construction, in practical use cases only limited by the computing power and time available to the adversary.
Both M and N are expressed in terms of the number of primitive calls. We include in M only fresh calls: a call from \(\mathcal {H}_K^f\) to f is not fresh if it has already been made due to a prior query to the construction. In the ideal world a random oracle naturally does not make calls to f, but the data complexity is counted as if it would and as such, it is fully determined by the queries. For N, we assume without loss of generality that the adversary makes no repeated queries.
In our proofs, we use an additional characteristic of the queries called the total maximum multiplicity and denote it by \(\mu \). Let \(\{(s_i,t_i)\}_{i=1}^M\) be the set of M input/output pairs for f made in construction evaluations.
Definition 1
3.2 Distinguishing Advantage for Keyed Sponges
We are now ready to give the indistinguishability definition for keyed sponges (the PRP and kdPRP security definitions will be discussed in Sects. 4 and 5). Our definition is broad in the sense that it considers also security against a multitarget attack, where an attacker has access to an array of \(n\ge 1\) instances of the keyed sponge or random oracles. We refer to this notion as joint indistinguishability. Naturally, joint indistinguishability reduces to plain or regular indistinguishability for \(n=1\). The model is illustrated in Fig. 2.
Definition 2
Note that, as we consider \(n\ge 1\) instances of the construction, we have similarly split the online complexity M into \(M_1+\cdots +M_n\). In other words, M gives the online complexity over all n instances.
3.3 Patarin’s HCoefficient Technique
Our proofs partly rely on Patarin’s Hcoefficient technique [24]. We briefly summarize this technique, and refer to Chen and Steinberger [14] for further discussion.
Lemma 1
Proofs using Patarin’s technique consist of first carefully defining a set of “bad” transcripts \(\mathcal {T}_\mathrm {bad}\), and then showing that both \(\varepsilon \) and \(\Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \) are small for this set of bad transcripts.
4 Distinguishing Advantage of the InnerKeyed Sponge
We bound the distinguishing advantage of the innerkeyed sponge construction in the ideal permutation model. A bound for the case of \(n=1\) is given in Sect. 4.1, and it is generalized to arbitrary \(n\) in Sect. 4.2. Both proofs consist of two steps that are both of independent interest. Note that we assume equal key size and capacity in our proofs. If \(k < c\), the denominator \(2^c\) in the bounds of Theorems 2 and 4 must be replaced by \(2^k\).
Before proceeding, we define the notion of PRP security that we will use in the security proof of the innerkeyed sponge to replace \(E^f_{K_1},\ldots ,E^f_{K_n}\) with random permutations \(\pi _1,\ldots ,\pi _n\), in analogy with (4). As multiple instances of E for \(n\) different keys are considered, we call this notion joint PRP security.
Definition 3
4.1 Single Target
Theorem 1
Proof
\(\square \)
We now bound the PRP security of the EvenMansour construction in the ideal permutation model. The proof is a generalization of the security analysis of the EvenMansour block cipher [16, 17].
Theorem 2
Proof
Bounding the probability of bad transcripts in the ideal world. In the ideal world, \((\tau _1,\tau _f)\) is a transcript generated independently of the dummy key \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\). First consider the first condition of (8). Fix any tuple (x, y) (N choices). By construction, \(\tau _1\) contains at most \(\mu _\mathrm {fw}\) tuples (s, t) such that \(\bar{s}=\bar{x}\). This gives a total of \(\mu _\mathrm {fw}N\) values \(\hat{s}\oplus \hat{x}\), and any could be hit by the randomly generated K. A similar reasoning holds for the second part of (8), resulting in \(\mu _\mathrm {bw}N\) values. Concluding, \(\Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \le \frac{\mu N}{2^c}\), where we use that \(\mu =\mu _\mathrm {fw}+\mu _\mathrm {bw}\).
4.2 Multiple Targets
Theorem 3
Proof
We now bound the joint PRP security of the EvenMansour construction in the ideal permutation model.
Theorem 4
Proof
The proof follows the one of Theorem 2, with the difference that multiple keys are involved. Adversary \(\mathcal {A}\) has access to \(X=(E^f_{K_1},\dots ,E^f_{K_n},f)\) in the real world or \(Y=(\pi _1,\dots ,\pi _n,f)\) in the ideal world. The \(n\) construction oracles are also denoted \((\mathcal {O}_1,\ldots ,\mathcal {O}_n)\). It makes \(M_h\) construction queries to \(\mathcal {O}_h\) with total maximum multiplicity at most \(\mu \) (over all \(M=M_1+\cdots +M_n\) construction queries) and at most N primitive queries. The interaction with \(\mathcal {O}_h\) (for \(h=1,\ldots ,n\)) is denoted \(\tau _h=\{(s_i,t_i)\}_{i=1}^{M_h}\) and the interaction with f is denoted \(\tau _f=\{(x_j,y_j)\}_{j=1}^N\). As before, we will disclose the keys \(K_{1}, \dots K_{n}\) at the end of the experiment. The transcripts are thus of the form \(\tau =(K_1,\ldots ,K_n,\tau _1,\ldots ,\tau _n,\tau _f)\).
Bounding the probability of bad transcripts in the ideal world. In the ideal world, \((\tau _1,\dots ,\tau _n,\tau _f)\) is a transcript generated independently of the dummy keys \(K_1,\dots ,K_n\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\). The proof of Theorem 2 straightforwardly generalizes to show that (9) is set with probability at most \(\frac{\mu N}{2^c}\). Here, we use that for any tuple \((x,y)\in \tau _f\), the set \((\tau _1,\dots ,\tau _n)\) of M queries in total contains at most \(\mu _\mathrm {fw}\) tuples (s, t) such that \(\bar{s}=\bar{x}\). A similar exercise is done for (10): for \(h\ne h'\), there are at most \(2M_hM_{h'}\) values \(s\oplus s'\) and \(t\oplus t'\) with \((s,t) \in \tau _h\) and \((s',t') \in \tau _{h'}\), and the value \(K_h\oplus K_{h'}\) has probability \(1/2^c\). Concluding, \(\Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \le \frac{\mu N}{2^c} + \frac{2\sum _{h\ne h'} M_h M_{h'}}{2^c}\).
5 Distinguishing Advantage of the OuterKeyed Sponge
We bound the distinguishing advantage of the outerkeyed sponge construction in the ideal permutation model. A bound for the case of \(n=1\) is given in Sect. 5.1, and it is generalized to arbitrary \(n\) in Sect. 5.2. The highlevel ideas of the proofs are the same as the ones of Sect. 4. The outerkeyed sponge differs from the innerkeyed sponge by the presence of a key derivation function using f. Therefore, a more involved version of PRP security is needed, where the key derivation L from K is taken into account. We call this notion joint kdPRP (key derivated PRP) security. For simplicity, we assume that all keys have equal length, with \(v=k/r\) their block length.
Definition 4
Intuitively, permutation f results in a kdPRP secure block cipher if (i) it renders sufficiently secure evaluations of \(\textsc {kd}\) and (ii) \(E^f_{\hat{L}_1},\dots ,E^f_{\hat{L}_n}\) are secure EvenMansour block ciphers. Note that, indeed, Definition 4 generalizes Definition 3 in the same way the \(\textsc {OKS}^f_K\) of (7) generalizes over \(\textsc {IKS}^f_K\) of (5).
5.1 Single Target
Theorem 5
Proof
The proof follows the one of Theorem 1 with the difference that now we have \(L=\textsc {kd}^f(K)\), and therefore we bound \(\varDelta _\mathcal {B}(E^f_{\hat{L}},f;\pi ,f) \le \mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[1]}}(M,\mu ,N)\). We note that the initial state \(\bar{L}0^c\) (cf. (7)) has no influence on the proof, and we can assume it to be disclosed to the adversary. \(\square \)
We now bound the kdPRP security of the EvenMansour construction in the ideal permutation model.
Theorem 6
Proof
Finally, consider the probability that \(D_Y\) satisfies (12). Conditioned on the fact that (11) is not satisfied, L is randomly generated from a set of size at least \(2^bN\alpha \). This particularly means that a given value for \(\hat{L}_i\) has probability at most \(1/(2^c(N+\alpha )2^{r})\). A straightforward generalization of the proof of Theorem 2 shows that the second probability is bound by \(\frac{\mu N}{2^c(N+\alpha )2^{r}} \le \frac{2\mu N}{2^c}\), again using that \(N+\alpha \le 2^{b1}\).
In the preproceedings version, \(\lambda (N)\) was inadvertently bounded by \(N/2^k\). A similar event was considered by Gaži et al. [18], and we can use their result. We restate it in Lemma 2.
Lemma 2
5.2 Multiple Targets
Theorem 7
Proof
The proof is a combination of the ones of Theorems 3 and 5, and therefore omitted. \(\square \)
We now bound the joint kdPRP security of the EvenMansour construction in the ideal permutation model.
Theorem 8
Proof
Bounding the ratio\({\varvec{\Pr \left( D_X=\tau \right) /\Pr \left( D_Y=\tau \right) }}\)for good transcripts. The analysis is a direct combination of the proofs of Theorems 4 and 6. \(\square \)
6 Discussion and Conclusions
Our theorems have implications on all keyedsponge based modes as they impose upper bounds to the success probability for both singletarget and multitarget attacks, generic in f. In general, a designer of a cryptographic system has a certain security level in mind, where a security level of s bits implies that it should resist against adversaries with resources for performing an amount of computation equivalent to \(2^s\) executions of f. This security level s determines a lower bound for the choice of the sponge capacity c. The indifferentiability bound of Bertoni et al. [6] gives a bound \(\frac{(M+N)^2}{2^{c+1}}\) resulting in the requirement \(c \ge 2s1\) bits. For attack complexities that are relevant in practice, our success probability bounds are dominated by \(\frac{\mu N}{2^c}\), combining the time complexity and the multiplicity. This results in the requirement \(c \ge s + \log _2(\mu )\) bits. The designer can use this in its advantage by increasing the rate for higher speed or to take a permutation with smaller width for smaller footprint.
The main advantage of having a dependence on \(\mu \) in the bound is that it makes its application flexible. The proof in this paper remains generic and independent of any use case scenario by considering an adversary who can perform all kinds of queries. Yet, the way a keyed sponge function is used in a concrete protocol can restrict what the attacker can actually do, and the bound follows depending on how these restrictions affect the multiplicity.
In general, \(\mu \) depends on the mode of use and on the ability of the adversary, and a designer that cares about efficiency has the challenge to reliably estimate it. In realworld applications, the amount of data that will be available to an adversary can easily be upper bound due to physical, protocollevel or other restrictions, imposing an upper bound to M. As per definition \(\mu \le 2M\) the value of c can be taken \(c \ge s + \log _2(M) + 1\).
The bound \(\mu \le 2M\) is actually very pessimistic and virtually never reached. The multiplicity is the sum of two components: the forward multiplicity \(\mu _\mathrm {fw}\) and the backward multiplicity \(\mu _\mathrm {bw}\). The latter is determined by the responses of the keyed sponge and even an active attacker has little grip on it. For small rates, it is typically \(M2^{r}\) multiplied by a small constant.
The forward multiplicity, however, can be manipulated in some settings. An example of such a use case is a very liberal mode of use on top of the duplex construction [8]. At each duplexing call, the adversary can choose the input for the next duplexing call to force the outer part to some fixed value and let \(\mu _\mathrm {fw}\) approach M. The dominating security term then becomes \(\frac{MN}{2^c}\), reducing the requirement to \(c \ge s + \log _2(M)\). However, most modes and attack circumstances do not allow the adversary to increase the forward multiplicity \(\mu _\mathrm {fw}\) beyond a small multiple of \(M2^{r}\). This is in general the case if the adversary cannot choose the outer values. For instance, for sponge based stream ciphers which output a keystream on input of a nonce: if the total number of output blocks is much smaller than \(2^{r/2}\), we have \(\mu = 2\) with overwhelming probability, reducing the requirement to \(c \ge s+1\). A similar effect occurs in the case of noncerespecting authenticated encryption scenarios.
Knowing the mode of use and the relevant adversary model, one can often demonstrate an upper bound to the multiplicity. If no sharp bounds can be demonstrated, it may be possible to prove that the multiplicity is only higher than some value \(\mu _{\text {limit}}\) with a very low probability. This probability should then be included in the bound as an additional term.
Notes
Acknowledgments
This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). Elena Andreeva and Bart Mennink are Postdoctoral Fellows of the Research Foundation – Flanders (FWO). We thank Peter Gaži, Krzysztof Pietrzak, and Stefano Tessaro for pointing out a flaw in an earlier version of the proof.
References
 1.Alizadeh, J., Aref, M., Bagheri, N.: Artemia v1, submission to CAESAR competition (2014)Google Scholar
 2.Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mendel, F., Mennink, B., Mouha, N., Wang, Q., Yasuda, K.: PRIMATEs v1, submission to CAESAR competition (2014)Google Scholar
 3.Aumasson, J., Jovanovic, P., Neves, S.: NORX v1, submission to CAESAR competition (2014)Google Scholar
 4.Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM (1993)Google Scholar
 5.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop 2007, May 2007Google Scholar
 6.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 7.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Spongebased pseudorandom number generators. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 8.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: singlepass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 9.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop, February 2011Google Scholar
 10.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Ketje v1, submission to CAESAR competition (2014)Google Scholar
 11.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keyak v1, submission to CAESAR competition (2014)Google Scholar
 12.CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness, November 2014. http://competitions.cr.yp.to/caesar.html
 13.Chang, D., Dworkin, M., Hong, S., Kelsey, J., Nandi, M.: A keyed sponge construction with pseudorandomness in the standard model. In: NIST SHA3 Workshop, March 2012Google Scholar
 14.Chen, S., Steinberger, J.: Tight security bounds for keyalternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 15.Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1, submission to CAESAR competition (2014)Google Scholar
 16.Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993) CrossRefGoogle Scholar
 17.Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
 18.Gaži, P., Pietrzak, K., Tessaro, S.: Tight bounds for keyed sponges and truncated CBC. In: Cryptology ePrint Archive, Report 2015/053, 22 January 2015Google Scholar
 19.Gligoroski, D., Mihajloska, H., Samardjiska, S., Jacobsen, H., ElHadedy, M., Jensen, R.: \(\pi \)Cipher v1, submission to CAESAR competition (2014)Google Scholar
 20.Jovanovic, P., Luykx, A., Mennink, B.: Beyond \(2^{c/2}\) security in spongebased authenticated encryption modes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 85–104. Springer, Heidelberg (2014) Google Scholar
 21.Kavun, E., Lauridsen, M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1, submission to CAESAR competition (2014)Google Scholar
 22.Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 23.Morawiecki, P., Gaj, K., Homsirikamol, E., Matusiewicz, K., Pieprzyk, J., Rogawski, M., Srebrny, M., Wójcik, M.: ICEPOLE v1, submission to CAESAR competition (2014)Google Scholar
 24.Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 25.Perlner, R.: SHA3based MACs. In: NIST SHA3 Workshop, August 2014Google Scholar
 26.Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 27.Rivest, R.L., Schuldt, J.C.N.: Spritz  a spongy RC4like stream cipher and hash function, October 2014Google Scholar
 28.Saarinen, M.: STRIBOB r1, submission to CAESAR competition (2014)Google Scholar
 29.Turan, M.S.: Special publication on authenticated encryption. In: NIST SHA3 Workshop, August 2014Google Scholar