Paper 2019/1475
On the Security of Sponge-type Authenticated Encryption Modes
Bishwajit Chakraborty, Ashwin Jha, and Mridul Nandi
Abstract
The sponge duplex is a popular mode of operation for constructing authenticated encryption schemes. In fact, one can assess the popularity of this mode from the fact that around $25$ out of the $56$ round 1 submissions to the ongoing NIST lightweight cryptography (LwC) standardization process are based on this mode. Among these, $14$ sponge-type constructions are selected for the second round, which consists of $32$ submissions. In this paper, we generalize the duplexing interface of the duplex mode, which we call Transform-then-Permute. It encompasses Beetle as well as a new sponge-type mode SpoC (both are round 2 submissions to NIST LwC). We show a tight security bound for Transform-then-Permute based on a $b$-bit permutation, which reduces to finding an exact estimation of the expected number of multi-chains (defined in this paper). As a corollary of our general result, the authenticated encryption advantage of Beetle and SpoC is about $\frac{T(D+r2^r)}{2^b}$, where $T$, $D$ and $r$ denote the number of offline queries (related to the time complexity of the attack), the number of construction queries (related to data complexity) and the rate of the construction (related to efficiency), respectively. Previously, the same bound was proved for Beetle under the limitation that $T \ll \min\{2^r, 2^{b/2}\}$ (which compels one to choose a larger permutation with a higher rate). In the context of the NIST LwC requirement, SpoC based on a $192$-bit permutation achieves the desired security with a $64$-bit rate, which is not achieved by either duplex or Beetle (as per the previous analysis).
Note: This version contains some minor restructuring of the content and a revised bound for PHOTON-Beetle.
Metadata
- Category
- Secret-key cryptography
- Publication info
- A major revision of an IACR publication in FSE 2021
- Keywords
- Sponge, duplex, Beetle, SpoC, lightweight, AEAD, tight bound
- Contact author(s)
- bishu math ynwa @ gmail com
- ashwin jha1991 @ gmail com
- mridul nandi @ gmail com
- History
- 2020-06-24: last of 9 revisions
- 2019-12-23: received
- Short URL
- https://ia.cr/2019/1475
- License
- CC BY
BibTeX
@misc{cryptoeprint:2019/1475,
  author = {Bishwajit Chakraborty and Ashwin Jha and Mridul Nandi},
  title = {On the Security of Sponge-type Authenticated Encryption Modes},
  howpublished = {Cryptology {ePrint} Archive, Paper 2019/1475},
  year = {2019},
  url = {https://eprint.iacr.org/2019/1475}
}