Paper 2015/541

Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption

Bart Mennink, Reza Reyhanitabar, and Damian Vizár


We provide a security analysis for full-state keyed Sponge and full-state Duplex constructions. Our results can be used for making a large class of Sponge-based authenticated encryption schemes more efficient by concurrent absorption of associated data and message blocks. In particular, we introduce and analyze a new variant of SpongeWrap with almost free authentication of associated data. The idea of using full-state message absorption for higher efficiency was first made explicit in the Donkey Sponge MAC construction, but without any formal security proof. Recently, Gaži, Pietrzak and Tessaro (CRYPTO 2015) have provided a proof for the fixed-output-length variant of Donkey Sponge. Yasuda and Sasaki (CT-RSA 2015) have considered partially full-state Sponge-based authenticated encryption schemes for efficient incorporation of associated data. In this work, we unify, simplify, and generalize these results about the security and applicability of full-state keyed Sponge and Duplex constructions; in particular, for designing more efficient authenticated encryption schemes. Compared to the proof of Gaži et al., our analysis directly targets the original Donkey Sponge construction as an arbitrary-output-length function. Our treatment is also more general than that of Yasuda and Sasaki, while yielding a more efficient authenticated encryption mode for the case that associated data might be longer than messages.

Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Sponge construction, Duplex construction, full-state absorption, authenticated encryption, associated data
Contact author(s)
damian vizar @ epfl ch
2015-09-23: last of 2 revisions
2015-06-08: received
Creative Commons Attribution


      author = {Bart Mennink and Reza Reyhanitabar and Damian Vizár},
      title = {Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2015/541},
      year = {2015},
      note = {\url{}},
      url = {}