Paper 2023/1673

Designing Full-Rate Sponge based AEAD modes

Bishwajit Chakraborty, Indian Statistical Institute, Kolkata, Nanyang Technological University, Singapore
Nilanjan Datta, Institute for Advancing Intelligence, TCG CREST
Mridul Nandi, Indian Statistical Institute, Kolkata, Institute for Advancing Intelligence, TCG CREST

Sponge based constructions have gained significant popularity for designing lightweight authenticated encryption modes. Most of the authenticated ciphers following the Sponge paradigm can be viewed as variations of the Transform-then-permute construction. It is known that a construction following the Transform-then-permute paradigm provides security against any adversary having data complexity $D$ and time complexity $T$ as long as $DT \ll 2^{b-r}$. Here, $b$ represents the size of the underlying permutation, while $r$ pertains to the rate at which the message is injected. The above result demonstrates that an increase in the rate leads to a degradation in the security of the constructions, with no security guaranteed to constructions operating at the full rate, where $r=b$. This present study delves into the exploration of whether adding some auxiliary states could potentially improve the security of the Transform-then-permute construction. Our investigation yields an affirmative response, demonstrating that a special class of full rate Transform-then-permute with additional states, dubbed frTtP+, can indeed attain security when operated under a suitable feedback function and properly initialized additional state. To be precise, we prove that frTtP+ provides security as long as $D \ll 2^{s/2}$ and $T \ll 2^{s}$, where $s$ denotes the size of the auxiliary state in terms of bits. To demonstrate the applicability of this result, we show that the construction $Orange-Zest_{mod}$ belongs to this class, thereby obtaining the desired security. In addition, we propose a family of full-rate Transform-then-permute construction with a Beetle-like feedback function, dubbed \textsf{fr-Beetle}, which also achieves the same level of security.

Note: This is the full version of the paper titled "Designing Full-Rate Sponge based AEAD modes" accepted at INDOCRYPT 2023.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. INDOCRYPT 2023
Authenticated EncryptionSponge Mode of OperationTransform-then- permuteCombined Feedback
Contact author(s)
bishu math ynwa @ gmail com
nilanjan datta @ tcgcrest org
mridul nandi @ gmail com
2023-10-30: approved
2023-10-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Bishwajit Chakraborty and Nilanjan Datta and Mridul Nandi},
      title = {Designing Full-Rate Sponge based AEAD modes},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1673},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.