Paper 2019/1475

On the Security of Sponge-type Authenticated Encryption Modes

Bishwajit Chakraborty, Ashwin Jha, and Mridul Nandi


The sponge duplex is a popular mode of operation for constructing authenticated encryption schemes. In fact, one can assess the popularity of this mode from the fact that around $ 25 $ out of the $ 56 $ round 1 submissions to the ongoing NIST lightweight cryptography (LwC) standardization process are based on this mode. Among these, $14$ sponge-type constructions are selected for the second round consisting of $32$ submissions. In this paper, we generalize the duplexing interface of the duplex mode, which we call Transform-then-Permute. It encompasses Beetle as well as a new sponge-type mode SpoC (both are round 2 submissions to NIST LwC). We show a tight security bound for Transform-then-Permute based on $b$-bit permutation, which reduces to finding an exact estimation of the expected number of multi-chains (defined in this paper). As a corollary of our general result, authenticated encryption advantage of Beetle and SpoC is about $\frac{T(D+r2^r)}{2^b}$ where $T$, $D$ and $r$ denotes the number of offline queries (related to time complexity of the attack), number of construction queries (related to data complexity) and rate of the construction (related to efficiency). Previously the same bound has been proved for Beetle under the limitation that $ T << min\{2^r, 2^{b/2}\} $ (that compels to choose larger permutation with higher rate). In the context of NIST LwC requirement, SpoC based on $ 192 $-bit permutation achieves the desired security with $ 64 $-bit rate, which is not achieved by either duplex or Beetle (as per the previous analysis).

Note: This version contains some minor restructuring of the content and a revised bound for PHOTON-Beetle.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in FSE 2021
SpongeduplexBeetleSpoClightweightAEADtight bound
Contact author(s)
bishu math ynwa @ gmail com
ashwin jha1991 @ gmail com
mridul nandi @ gmail com
2020-06-24: last of 9 revisions
2019-12-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Bishwajit Chakraborty and Ashwin Jha and Mridul Nandi},
      title = {On the Security of Sponge-type Authenticated Encryption Modes},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1475},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.