Paper 2019/573
Security of the Suffix Keyed Sponge
Christoph Dobraunig and Bart Mennink
Abstract
We formalize and analyze the general suffix keyed sponge construction, a pseudorandom function built on top of a cryptographic permutation. The construction hashes its data using the (keyless) sponge construction, transforms part of the state using the secret key, and generates the tag from the output of a final permutation call. In its simplest form, if the key and tag size are at most the rate of the sponge, one can see the suffix keyed sponge as a simple sponge function evaluation whose input is the plaintext appended with the key. The suffix keyed sponge is, however, much more general: the key and tag size may exceed the rate without any need to make extra permutation calls. We prove that the suffix keyed sponge construction achieves birthday-bound PRF security in the capacity, even if key and tag size exceed the rate. Furthermore, we prove that if the absorption of the key into the state happens in a leakage resilient manner, the suffix keyed sponge itself is leakage resilient as well. Our findings show that the suffix keyed sponge compares favorably with the hash-then-MAC construction. For instance, to reach a security level of
Note: 18/6: clarified novelty of this work compared with [12].
Metadata
- Available format(s)
- PDF
- Category
- Secret-key cryptography
- Publication info
- Published by the IACR in FSE 2020
- Keywords
- suffix MAC, sponge, SuKS, PRF, leakage resilience, proof
- Contact author(s)
- b mennink @ cs ru nl
- History
- 2019-11-21: last of 2 revisions
- 2019-05-27: received
- Short URL
- https://ia.cr/2019/573
- License
- CC BY
BibTeX
@misc{cryptoeprint:2019/573,
  author = {Christoph Dobraunig and Bart Mennink},
  title = {Security of the Suffix Keyed Sponge},
  howpublished = {Cryptology {ePrint} Archive, Paper 2019/573},
  year = {2019},
  url = {https://eprint.iacr.org/2019/573}
}