## Cryptology ePrint Archive: Report 2018/449

Key Prediction Security of Keyed Sponges

Bart Mennink

Abstract: The keyed sponge is a well-accepted method for message authentication. It processes data at a certain rate by sequential evaluation of an underlying permutation. If the key size $k$ is smaller than the rate, currently known bounds are tight, but if it exceeds the rate, state of the art only dictates security up to $2^{k/2}$. We take closer inspection at the key prediction security of the sponge and close the remaining gap in the existing security analysis: we confirm key security up to close to $2^k$, regardless of the rate. The result impacts all applications of the keyed sponge and duplex that process at a rate smaller than the key size, including the STROBE protocol framework, as well as the related constructions such as HMAC-SHA-3 and the sandwich sponge.

Category / Keywords: secret-key cryptography / outer-keyed sponge, full-keyed sponge, key prediction, graph-based proof

Original Publication (with minor differences): IACR-FSE-2019

Date: received 14 May 2018, last revised 13 Nov 2018

Contact author: b mennink at cs ru nl

Available format(s): PDF | BibTeX Citation

Note: Updated to ToSC-version.

Short URL: ia.cr/2018/449

[ Cryptology ePrint archive ]