4.1 Upper Bound of $\Pr[D^{G_1} \Rightarrow 1] - \Pr[D^{G_2} \Rightarrow 1]$
Sandwich Construction for Keyed Sponges
253
Let $\tau^{in} := \bigcup_{i=1}^{\ell_{in}-1} \tau_i^{in}$ and $\tau^{out} := \bigcup_{i=1}^{\ell_{out}} \tau_i^{out}$. This proof permits $D$ to obtain these sets and the secret key $K$ after $D$'s interaction but before it outputs a result. Thus $D$'s transcript is summarized as $\tau = (\tau_L, \tau_P, \tau^{in}, \tau^{out}, \tau_K, K)$.
Coefficient H Technique

We upper bound $\Pr[D^{G_1} \Rightarrow 1] - \Pr[D^{G_2} \Rightarrow 1]$ by using the coefficient H technique [11,21]. In this technique, firstly, we need to partition valid transcripts into good transcripts $\mathcal{T}_{good}$ and bad transcripts $\mathcal{T}_{bad}$. Then we can upper bound the difference by the following lemma, whose proof is given in e.g. [11].

Lemma 1 (Coefficient H Technique). Let $0 \le \varepsilon \le 1$ be such that for all $\tau \in \mathcal{T}_{good}$, $\frac{\Pr[T_1 = \tau]}{\Pr[T_2 = \tau]} \ge 1 - \varepsilon$. Then, $\Pr[D^{G_1} \Rightarrow 1] - \Pr[D^{G_2} \Rightarrow 1] \le \varepsilon + \Pr[T_2 \in \mathcal{T}_{bad}]$.

Hereafter, we first define good and bad transcripts. We then upper bound $\varepsilon$ and $\Pr[T_2 \in \mathcal{T}_{bad}]$. Finally, we obtain the upper bound of $\Pr[D^{G_1} \Rightarrow 1] - \Pr[D^{G_2} \Rightarrow 1]$ by putting these upper bounds into the lemma.
Good and Bad Transcripts

In order to define good and bad transcripts, we need to recall the modification from Game 1 to Game 2, where the definition of the $b$-bit outputs $W_i$, $T_i$ and $H_i$ of the underlying primitive is modified. In Game 1, the outputs $W_i$, $T_i$ and $H_i$ in $L_1$ are defined by using $P$. On the other hand, in Game 2, the outputs $W_i$, $T_i$ and $H_i$ in $L_2$ are defined by using $P$, $F_i$ and $G_i$, respectively. Namely, in Game 2, (1) $T_i$ and $H_i$ are independently defined, and (2) $T_i$ and $H_i$ are defined independently of the offline queries $(X_i, Y_i)$ and the $W_i$-values. In addition, (3) $T_i$ and $T_j$ with $i \ne j$ are also independently defined, and the same is true for $H_i$ and $H_j$ with $i \ne j$. Therefore, if Game 1 and Game 2 are indistinguishable, then these independences for (1), (2) and (3) should also hold in Game 1. Thus we consider the conditions $\mathsf{hit}_{sx,ty}$, $\mathsf{hit}_{hx,hy}$, $\mathsf{hit}_{sh,th}$, $\mathsf{hit}_{ss,tt}$ and $\mathsf{hit}_{hh}$, which define good and bad transcripts. $\mathsf{hit}_{sh,th}$ comes from the independence for (1), $\mathsf{hit}_{sx,ty}$ and $\mathsf{hit}_{hx,hy}$ come from the independence for (2), and $\mathsf{hit}_{ss,tt}$ and $\mathsf{hit}_{hh}$ come from the independence for (3). In addition, by the PRP-PRF switch from Game 1 to Game 2, we need to consider a condition with respect to output collisions of random functions, denoted by $\mathsf{coll}$. These definitions are given in the following.

– $\mathsf{hit}_{sx,ty} \Leftrightarrow \exists (S,T) \in \tau^{in}, (X,Y) \in \tau_P \cup \tau_K$ s.t. $S = X \vee T = Y$
– $\mathsf{hit}_{hx,hy} \Leftrightarrow \exists (H,H') \in \tau^{out}, (X,Y) \in \tau_P \cup \tau_K$ s.t. $H = X \vee H' = Y$
– $\mathsf{hit}_{sh,th} \Leftrightarrow \exists (S,T) \in \tau^{in}, (H,H') \in \tau^{out}$ s.t. $S = H \vee T = H'$
– $\mathsf{hit}_{ss,tt} \Leftrightarrow \exists i,j \in \{1,\ldots,\ell_{in}-1\}$ with $i \ne j$ s.t. $\exists (S_i,T_i) \in \tau_i^{in}, (S_j,T_j) \in \tau_j^{in}$ s.t. $S_i = S_j \vee T_i = T_j$
– $\mathsf{hit}_{hh} \Leftrightarrow \exists i,j \in \{1,\ldots,\ell_{out}\}$ with $i \ne j$ s.t. $\exists (H_{i-1},H_i) \in \tau_i^{out}, (H_{j-1},H_j) \in \tau_j^{out}$ s.t. $H_{i-1} = H_{j-1} \vee H_i = H_j$
– $\mathsf{coll} \Leftrightarrow \exists (S,T), (S',T') \in \tau^{in} \cup \tau^{out}$ s.t. $S \ne S' \wedge T = T'$.

We define $\mathcal{T}_{bad}$ as the set of transcripts which satisfy one of the above conditions, and $\mathcal{T}_{good}$ as the set of transcripts which do not satisfy any of the above conditions.
254
Y. Naito
Upper Bound of $\Pr[T_2 \in \mathcal{T}_{bad}]$

First we note that $\Pr[T_2 \in \mathcal{T}_{bad}] = \Pr[\mathsf{hit}_{sx,ty} \vee \mathsf{hit}_{hx,hy} \vee \mathsf{hit}_{sh,th} \vee \mathsf{hit}_{ss,tt} \vee \mathsf{hit}_{hh} \vee \mathsf{coll}]$, where these conditions are considered within Game 2. In this evaluation, we use the randomness of the internal values $S_i$, $T_i$ and $H_i$, where $S_1 = W_{\kappa_{pf}} \oplus (M_1 \| 0^c)$, $W_{\kappa_{pf}}$ is defined by $P$, and the other values are defined by random functions. In order for $W_{\kappa_{pf}}$ to become an (almost) $b$-bit random value, we use the condition
$$\mathsf{hit}_{ux,wy} \Leftrightarrow \exists (U_{\kappa_{pf}}, W_{\kappa_{pf}}) \in \tau_P,$$
meaning that $D$ obtains the pair $(U_{\kappa_{pf}}, W_{\kappa_{pf}})$ by some offline query. Under the condition $\neg\mathsf{hit}_{ux,wy}$, $D$ does not know $W_{\kappa_{pf}}$, and thereby it can be seen as an (almost) $b$-bit random value. By basic probability theory, we have
$$\Pr[T_2 \in \mathcal{T}_{bad}] \le \Pr[\mathsf{hit}_{ux,wy}] + \Pr[\mathsf{hit}_{sx,ty} \wedge \neg\mathsf{hit}_{ux,wy}] + \Pr[\mathsf{hit}_{hx,hy}] + \Pr[\mathsf{hit}_{sh,th} \wedge \neg\mathsf{hit}_{ux,wy}] + \Pr[\mathsf{hit}_{ss,tt}] + \Pr[\mathsf{hit}_{hh}] + \Pr[\mathsf{coll}]. \quad (2)$$
Hereafter, we evaluate these probabilities. Without loss of generality, we assume that $(U_1, W_1), \ldots, (U_{\kappa_{pf}}, W_{\kappa_{pf}})$ are defined in $\tau_K$ before $D$'s interaction.
Upper Bound of $\Pr[\mathsf{hit}_{ux,wy}]$. The same condition appears in the security proofs of the prefix keyed sponge function in [1,12,18], where the following upper bound was given: $\Pr[\mathsf{hit}_{ux,wy}] \le \lambda(Q) + \frac{2\kappa_{pf} Q}{2^b}$. We use this upper bound.
Upper Bound of $\Pr[\mathsf{hit}_{sx,ty} \wedge \neg\mathsf{hit}_{ux,wy}]$. Due to lack of space, we give only an intuition of deriving the upper bound. The condition $\mathsf{hit}_{sx,ty}$ considers a collision between $\tau^{in}$ and $\tau_P \cup \tau_K$, where $\tau^{in} = \tau_1^{in} \cup \bigcup_{i=2}^{\ell_{in}-1} \tau_i^{in}$. In order to upper bound $\Pr[\mathsf{hit}_{sx,ty} \wedge \neg\mathsf{hit}_{ux,wy}]$, the randomness of the elements in $\tau^{in}$ is used.

– For all $(S,T) \in \tau_1^{in}$, the output element $T$ is defined as $T \xleftarrow{\$} \{0,1\}^b$ by a random function, and the input element $S$ is of the form $S = W_{\kappa_{pf}} \oplus M_1 \| 0^c$. By $\neg\mathsf{hit}_{ux,wy}$, $W_{\kappa_{pf}}$ is randomly drawn from at least $2^b - \kappa_{pf}$ values of $b$ bits.
– All elements in $\bigcup_{i=2}^{\ell_{in}-1} \tau_i^{in}$, which are defined by random functions, can be seen as $b$-bit random values.

Since $|\tau_1^{in}| \le q$, $\left|\bigcup_{i=2}^{\ell_{in}-1} \tau_i^{in}\right| \le (\ell-2)q$ and $|\tau_P \cup \tau_K| \le Q + \kappa_{pf}$, we have
$$\Pr[\mathsf{hit}_{sx,ty} \wedge \neg\mathsf{hit}_{ux,wy}] \le \frac{q(Q+\kappa_{pf})}{2^b - \kappa_{pf}} + \frac{q(Q+\kappa_{pf})}{2^b} + 2 \times \frac{(\ell-2)q(Q+\kappa_{pf})}{2^b} \le \frac{2\ell q(Q+\kappa_{pf})}{2^b},$$
assuming $\kappa_{pf} \le 2^{b-1}$.
Upper Bound of $\Pr[\mathsf{hit}_{hx,hy}]$. The condition $\mathsf{hit}_{hx,hy}$ considers a collision between $\tau^{out}$ and $\tau_P \cup \tau_K$, where $\tau^{out} = \bigcup_{i=1}^{\ell_{out}} \tau_i^{out}$. Similar to the evaluation of $\Pr[\mathsf{hit}_{sx,ty}]$, in order to upper bound $\Pr[\mathsf{hit}_{hx,hy}]$, the randomness of the elements in $\tau^{out}$ is used. However, we need to take care of the fact that $D$ can obtain the rate values of these elements from the corresponding outputs of $L_2$. This implies that the randomness of the rate values cannot be used in this evaluation. In order to reduce the influence of this fact, we use the analysis based on a multi-collision on the rate values, which has been used in many security proofs of sponge-based functions, e.g., [1,14,18].
Let $\mathcal{H}_{out} := \bigcup_{\alpha=1}^{q} \{H_1^\alpha, \ldots, H_{\ell_{out}}^\alpha\}$ be the set of outputs defined by $G_1, \ldots, G_{\ell_{out}}$. Note that $\mathcal{H}_{out}$ does not include $H_0^1, \ldots, H_0^q$. Then we define a condition for a multi-collision in the rate values of $\mathcal{H}_{out}$:
$$\mathsf{mcoll} \Leftrightarrow \exists H^{(1)}, \ldots, H^{(\rho)} \in \mathcal{H}_{out} \text{ s.t. } \mathsf{msb}_r(H^{(1)}) = \cdots = \mathsf{msb}_r(H^{(\rho)}),$$
where $\rho$ is a free parameter which will be defined later. Then we have
$$\Pr[\mathsf{hit}_{hx,hy}] \le \Pr[\mathsf{mcoll}] + \Pr[\mathsf{hit}_{hx,hy} \wedge \neg\mathsf{mcoll}].$$
Firstly, we upper bound $\Pr[\mathsf{mcoll}]$. Fix $H \in \{0,1\}^r$ and $H^{(1)}, \ldots, H^{(\rho)} \in \mathcal{H}_{out}$. Since $H^{(1)}, \ldots, H^{(\rho)} \xleftarrow{\$} \{0,1\}^b$, the probability that $H = \mathsf{msb}_r(H^{(1)}) = \cdots = \mathsf{msb}_r(H^{(\rho)})$ holds is $\le \left(\frac{1}{2^r}\right)^\rho$. Since $|\mathcal{H}_{out}| \le \ell q$, we have
$$\Pr[\mathsf{mcoll}] \le 2^r \times \binom{\ell q}{\rho} \times \left(\frac{1}{2^r}\right)^\rho \le 2^r \times \left(\frac{e\ell q}{\rho 2^r}\right)^\rho,$$
using Stirling's approximation ($x! \ge (x/e)^x$ for any $x$, where $e = 2.71828\cdots$ is Napier's constant).
Secondly, we upper bound $\Pr[\mathsf{hit}_{hx,hy} \wedge \neg\mathsf{mcoll}]$. The strategy of deriving the upper bound is simple, but we need to deal with several types of values for $H_i$, which yields many cases. Due to lack of space, we give only an intuition of deriving the upper bound.

– For a collision between $\tau_P \cup \tau_K$ and the elements $\{H_0^1, H_0^2, \ldots, H_0^q\}$ in $\tau^{out}$: $H_0^1, H_0^2, \ldots, H_0^q$ are defined by random functions and thus can be seen as $b$-bit random values. Thus the collision probability is $\le q \times (Q+\kappa_{pf}) \times 1/2^b$.
– For a collision between $\tau_P \cup \tau_K$ and the other elements $\{H_1^1, \ldots, H_1^q, H_2^1, \ldots\}$ in $\tau^{out}$: we use the condition $\neg\mathsf{mcoll}$. Although $D$ can obtain the rate values of $\{H_1^1, \ldots, H_1^q, H_2^1, \ldots\}$ from the outputs of $L_2$, by $\neg\mathsf{mcoll}$, for each element $E$ in $\tau_P \cup \tau_K$, the number of elements in $\{H_1^1, \ldots, H_1^q, H_2^1, \ldots\}$ whose rate value equals $\mathsf{msb}_r(E)$ is at most $\rho$. Since the capacity values of $\{H_1^1, \ldots, H_1^q, H_2^1, \ldots\}$ are randomly drawn from $\{0,1\}^c$ by random functions, the probability that one of the $\rho$ values collides with $E$ is $\le \rho/2^c$. Thus the collision probability is $\le 2(Q+\kappa_{pf}) \times \rho/2^c$.

Thus, we have $\Pr[\mathsf{hit}_{hx,hy} \wedge \neg\mathsf{mcoll}] \le q(Q+\kappa_{pf})/2^b + 2\rho(Q+\kappa_{pf})/2^c$.
Finally, we have
$$\Pr[\mathsf{hit}_{hx,hy}] \le \frac{q(Q+\kappa_{pf})}{2^b} + \frac{2\rho(Q+\kappa_{pf})}{2^c} + 2^r \times \left(\frac{e\ell q}{\rho 2^r}\right)^\rho,$$
and putting $\rho = \max\left\{ r, \left(\frac{2^c e\ell q}{2^r(Q+\kappa_{pf})}\right)^{1/2} \right\}$ gives
$$\begin{aligned}
\Pr[\mathsf{hit}_{hx,hy}] &\le \frac{q(Q+\kappa_{pf})}{2^b} + \frac{2r(Q+\kappa_{pf})}{2^c} + 2 \times \left(\frac{e\ell q(Q+\kappa_{pf})}{2^b}\right)^{1/2} + 2^r \times \left( \frac{e\ell q}{\left(\frac{2^c e\ell q}{2^r(Q+\kappa_{pf})}\right)^{1/2} 2^r} \right)^r \\
&\le \frac{q(Q+\kappa_{pf})}{2^b} + \frac{2r(Q+\kappa_{pf})}{2^c} + \left(\frac{44\ell q(Q+\kappa_{pf})}{2^b}\right)^{1/2}.
\end{aligned}$$
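The last inequality above is stated without its intermediate steps. The following derivation is added here and is not part of the paper; it carries the substitution of $\rho$ through with the paper's own symbols, writing $X := Q + \kappa_{pf}$ as an abbreviation introduced only for this derivation, and shows where the constant 44 comes from.

Let $\rho^* := \left(\frac{2^c e\ell q}{2^r X}\right)^{1/2}$. Then
$$\frac{2\rho^* X}{2^c} = 2\left(\frac{2^c e\ell q X^2}{2^r \cdot 2^{2c}}\right)^{1/2} = 2\left(\frac{e\ell q X}{2^b}\right)^{1/2}, \qquad \frac{e\ell q}{\rho^* 2^r} = \frac{e\ell q}{2^r}\left(\frac{2^r X}{2^c e\ell q}\right)^{1/2} = \left(\frac{e\ell q X}{2^b}\right)^{1/2}.$$
Assume $4e\ell q X \le 2^b$ (otherwise the right-hand side exceeds 1 and the bound holds trivially). For $\rho = \max\{r, \rho^*\}$, the condition $\rho \ge \rho^*$ makes the base $\frac{e\ell q}{\rho 2^r}$ at most $\left(\frac{e\ell q X}{2^b}\right)^{1/2} \le \frac{1}{2}$, and $\rho \ge r$ together with $r \ge 1$ then gives
$$2^r \left(\frac{e\ell q}{\rho 2^r}\right)^{\rho} \le 2^r \left(\frac{e\ell q X}{2^b}\right)^{r/2} = \left(\frac{4e\ell q X}{2^b}\right)^{r/2} \le \left(\frac{4e\ell q X}{2^b}\right)^{1/2}.$$
Since $\rho \le r + \rho^*$, the $\rho$-dependent terms satisfy
$$\frac{2\rho X}{2^c} + 2^r\left(\frac{e\ell q}{\rho 2^r}\right)^{\rho} \le \frac{2rX}{2^c} + 2\left(\frac{e\ell q X}{2^b}\right)^{1/2} + \left(\frac{4e\ell q X}{2^b}\right)^{1/2} = \frac{2rX}{2^c} + 2\left(\frac{4e\ell q X}{2^b}\right)^{1/2} = \frac{2rX}{2^c} + \left(\frac{16e\,\ell q X}{2^b}\right)^{1/2},$$
and $16e \approx 43.5 \le 44$, which is the constant in the bound.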
Fig. 2. $\mathsf{hit}_{sh}^{(0)} \wedge (i = n_\beta) \wedge (\mathsf{msb}_{r \cdot n_\beta}(M^\alpha) = M^\beta \| 10^* \| K \| \mathsf{pad}_\beta)$
Upper Bound of $\Pr[\mathsf{hit}_{sh,th} \wedge \neg\mathsf{hit}_{ux,wy}]$. This evaluation makes use of the existence of the suffix key, which prevents the attack using the iterated structure of $L_2$: for two message block sequences $M_1^\alpha, M_2^\alpha, \ldots, M_{n_\alpha}^\alpha$ and $M_1^\beta, M_2^\beta, \ldots, M_{n_\beta}^\beta$, if the message blocks are the same up to the $i$-th block, namely $M_1^\alpha = M_1^\beta, \ldots, M_i^\alpha = M_i^\beta$, then the input-output pairs of the underlying random functions are the same up to the $i$-th block. By this property, $\mathsf{hit}_{sh,th}$ may be satisfied. Concretely, this property may yield the collision $S_i^\alpha = H_0^\beta$ as shown in Fig. 2. However, $D$ needs to make a query including the suffix key, and thereby this attack is avoided except with negligible probability. The detailed analysis is given in the following, where this case is considered in the sub-condition $\mathsf{hit}_{sh}^{(0)}$ of $\mathsf{hit}_{sh,th}$ defined below.

We split the condition $\mathsf{hit}_{sh,th}$ into the following three conditions with respect to the collisions $S = H$, $T = H'$ and the block numbers of $H$.
– $\mathsf{hit}_{sh}^{(0)} \Leftrightarrow \exists \alpha, \beta \in \{1,\ldots,q\}, i \in \{1,\ldots,n_\alpha-1\}$ s.t. $S_i^\alpha = H_0^\beta$
– $\mathsf{hit}_{sh}^{(1)} \Leftrightarrow \exists \alpha, \beta \in \{1,\ldots,q\}, i \in \{1,\ldots,n_\alpha-1\}, j \in \{1,\ldots,\ell_{out}-1\}$ s.t. $S_i^\alpha = H_j^\beta$
– $\mathsf{hit}_{th} \Leftrightarrow \exists \alpha, \beta \in \{1,\ldots,q\}, i \in \{1,\ldots,n_\alpha-1\}, j \in \{1,\ldots,\ell_{out}\}$ s.t. $T_i^\alpha = H_j^\beta$

Since $\mathsf{hit}_{sh,th} = \mathsf{hit}_{sh}^{(0)} \vee \mathsf{hit}_{sh}^{(1)} \vee \mathsf{hit}_{th}$, we have
$$\Pr[\mathsf{hit}_{sh,th} \wedge \neg\mathsf{hit}_{ux,wy}] \le \Pr[\mathsf{hit}_{sh}^{(0)} \wedge \neg\mathsf{hit}_{ux,wy}] + \Pr[\mathsf{hit}_{sh}^{(1)} \wedge \neg\mathsf{hit}_{ux,wy}] + \Pr[\mathsf{hit}_{th}].$$
Firstly, we upper bound $\Pr[\mathsf{hit}_{sh}^{(0)} \wedge \neg\mathsf{hit}_{ux,wy}]$. We assume that $\mathsf{hit}_{ux,wy}$ is not satisfied, and then evaluate the probability that $\mathsf{hit}_{sh}^{(0)}$ is satisfied. We divide $\mathsf{hit}_{sh}^{(0)}$ into the following four cases. Note that in this condition, $n_\alpha > n_\beta$ holds.

– $\mathsf{hit}_{sh}^{(0)} \wedge (i = n_\beta) \wedge (\mathsf{msb}_{r \cdot n_\beta}(M^\alpha) = M^\beta \| 10^* \| K \| \mathsf{pad}_\beta)$: The equation $i = n_\beta$ ensures that the block numbers of $S_i^\alpha$ and $H_0^\beta$ are the same, and $\mathsf{msb}_{r \cdot n_\beta}(M^\alpha) = M^\beta \| 10^* \| K \| \mathsf{pad}_\beta$ ensures that for each block up to the $i$-th block, the inputs by the $\alpha$-th and $\beta$-th online queries are the same (see also Fig. 2). Thus, if this case occurs, then $D$ makes an online query including the secret key $K$. Since $K \xleftarrow{\$} \{0,1\}^k$, the probability that this case occurs is $\le q/2^k$.
– $\mathsf{hit}_{sh}^{(0)} \wedge (i = n_\beta) \wedge (\mathsf{msb}_{r \cdot n_\beta}(M^\alpha) \ne M^\beta \| 10^* \| K \| \mathsf{pad}_\beta)$: By the condition $\mathsf{msb}_{r \cdot n_\beta}(M^\alpha) \ne M^\beta \| 10^* \| K \| \mathsf{pad}_\beta$, there exists $j \in \{1,\ldots,n_\beta-1\}$ such that $S_j^\alpha \ne S_j^\beta$ and $S_{j+1}^\alpha = S_{j+1}^\beta$, where $S_{n_\beta}^\beta := H_0^\beta$. Note that for $\gamma \in \{\alpha,\beta\}$, $S_{j+1}^\gamma = T_j^\gamma \oplus M_{j+1}^\gamma \| 0^c$. By $S_j^\alpha \ne S_j^\beta$, $T_j^\alpha, T_j^\beta \xleftarrow{\$} \{0,1\}^b$ independently. Thus, fixing $\alpha, \beta$, the probability that for some $j$, $S_j^\alpha \ne S_j^\beta \wedge S_{j+1}^\alpha = S_{j+1}^\beta$ holds is $\le \ell \times 1/2^b$. Therefore, the probability that this case holds is $\le \binom{q}{2} \times \ell/2^b \le 0.5\ell q^2/2^b$.
– $\mathsf{hit}_{sh}^{(0)} \wedge (i \ne n_\beta) \wedge (i = 1)$: Note that $S_1^\alpha = W_{\kappa_{pf}} \oplus M_1^\alpha \| 0^c$, and by $\neg\mathsf{hit}_{ux,wy}$, $W_{\kappa_{pf}}$ is randomly drawn from at least $2^b - (Q+\kappa_{pf})$ values of $b$ bits. Thus, fixing $\alpha, \beta$, the probability that $S_1^\alpha = H_0^\beta$ holds is $\le 1/(2^b - (Q+\kappa_{pf})) \le 2/2^b$, assuming $Q + \kappa_{pf} \le 2^{b-1}$. Therefore, the probability that this case holds is $\le q \times q \times 2/2^b = 2q^2/2^b$.
– $\mathsf{hit}_{sh}^{(0)} \wedge (i \ne n_\beta) \wedge (i \ne 1)$: Note that $S_i^\alpha = T_{i-1}^\alpha \oplus M_i^\alpha \| 0^c$ and $H_0^\beta = T_{n_\beta-1}^\beta \oplus M_{n_\beta}^\beta \| 0^c$. By $i \ne n_\beta$, $T_{i-1}^\alpha, T_{n_\beta-1}^\beta \xleftarrow{\$} \{0,1\}^b$ independently, and thereby the probability that $S_i^\alpha = H_0^\beta$ holds is $\le 1/2^b$. Thus the probability that this case holds is $\le (\ell-2)q \times q \times 1/2^b = (\ell-2)q^2/2^b$.

Thus, we have $\Pr[\mathsf{hit}_{sh}^{(0)} \wedge \neg\mathsf{hit}_{ux,wy}] \le q/2^k + 1.5\ell q^2/2^b$.
Secondly, we upper bound $\Pr[\mathsf{hit}_{sh}^{(1)} \wedge \neg\mathsf{hit}_{ux,wy}]$. Note that $S_i^\alpha = T_{i-1}^\alpha \oplus M_i^\alpha \| 0^c$ where $T_0^\alpha := W_{\kappa_{pf}}$. By $\neg\mathsf{hit}_{ux,wy}$, $W_{\kappa_{pf}}$ is randomly drawn from at least $2^b - (Q+\kappa_{pf})$ values of $b$ bits, and $T_{i-1}^\alpha \xleftarrow{\$} \{0,1\}^b$ for $i \ne 1$. We thus have
$$\Pr[\mathsf{hit}_{sh}^{(1)} \wedge \neg\mathsf{hit}_{ux,wy}] \le q \times \ell_{out} q \times \frac{1}{2^b - (Q+\kappa_{pf})} + (\ell_{in}-2)q \times \frac{\ell_{out} q}{2^b} \le \frac{2\ell^2 q^2}{2^b},$$
assuming that $Q + \kappa_{pf} \le 2^{b-1}$.

Thirdly, we upper bound $\Pr[\mathsf{hit}_{th}]$. Since $T_i^\alpha, H_j^\beta \xleftarrow{\$} \{0,1\}^b$, we have $\Pr[\mathsf{hit}_{th}] \le \ell_{in} q \times \ell_{out} q \times 1/2^b \le \ell^2 q^2/2^b$.

Finally, we have $\Pr[\mathsf{hit}_{sh,th} \wedge \neg\mathsf{hit}_{ux,wy}] \le \frac{q}{2^k} + \frac{3.5\ell^2 q^2}{2^b}$.
Upper Bound of $\Pr[\mathsf{hit}_{ss,tt}]$. Note that $\mathsf{hit}_{ss,tt} \Leftrightarrow \exists \alpha,\beta \in \{1,\ldots,q\}, i \in \{1,\ldots,n_\alpha-1\}, j \in \{1,\ldots,n_\beta-1\}$ with $i \ne j$ s.t. $S_i^\alpha = S_j^\beta \vee T_i^\alpha = T_j^\beta$. Without loss of generality, we assume that $j \ne 1$. Regarding the equation $S_i^\alpha = S_j^\beta$, $S_i^\alpha = T_{i-1}^\alpha \oplus M_i^\alpha \| 0^c$ and $S_j^\beta = T_{j-1}^\beta \oplus M_j^\beta \| 0^c$, where $T_0^\alpha := W_{\kappa_{pf}}$. By $i \ne j$, $T_{i-1}^\alpha$ and $T_{j-1}^\beta$ are independently drawn, and $T_{j-1}^\beta \xleftarrow{\$} \{0,1\}^b$. Thus, the probability that for some $\alpha,\beta,i,j$, $S_i^\alpha = S_j^\beta$ holds is $\le q^2 \times \binom{\ell}{2} \times 1/2^b \le 0.5\ell^2 q^2/2^b$. Regarding the equation $T_i^\alpha = T_j^\beta$, by $i \ne j$, $T_i^\alpha$ and $T_j^\beta$ are independently drawn, and $T_j^\beta \xleftarrow{\$} \{0,1\}^b$. Hence, the probability that for some $\alpha,\beta,i,j$, $T_i^\alpha = T_j^\beta$ holds is $\le 0.5\ell^2 q^2/2^b$. Finally, we have $\Pr[\mathsf{hit}_{ss,tt}] \le \frac{\ell^2 q^2}{2^b}$.
Upper Bound of $\Pr[\mathsf{hit}_{hh}]$. Note that $\mathsf{hit}_{hh} \Leftrightarrow \exists \alpha,\beta \in \{1,\ldots,q\}$ s.t. $\exists i,j \in \{0,\ldots,\ell_{out}\}$ with $i \ne j$ s.t. $H_i^\alpha = H_j^\beta$. Since for $\gamma \in \{\alpha,\beta\}$, $H_i^\gamma \xleftarrow{\$} \{0,1\}^b$ for $i \ne 0$, and $H_0^\gamma := T_{n_\gamma-1}^\gamma \oplus M_{n_\gamma}^\gamma \| 0^c$ where $T_{n_\gamma-1}^\gamma \xleftarrow{\$} \{0,1\}^b$, we have
$$\Pr[\mathsf{hit}_{hh}] \le \binom{(\ell_{out}+1)q}{2} \times \frac{1}{2^b} \le \binom{\ell q}{2} \times \frac{1}{2^b} \le \frac{0.5\ell^2 q^2}{2^b}.$$
Upper Bound of $\Pr[\mathsf{coll}]$. By the birthday analysis, $\Pr[\mathsf{coll}] \le \frac{0.5(\ell q)^2}{2^b}$.
Upper Bound of $\Pr[T_2 \in \mathcal{T}_{bad}]$. Putting the above upper bounds into (2) gives
$$\Pr[T_2 \in \mathcal{T}_{bad}] \le \frac{2r(Q+\kappa_{pf})}{2^c} + \left(\frac{44\ell q(Q+\kappa_{pf})}{2^b}\right)^{1/2} + \frac{5.5\ell^2 q^2}{2^b} + \lambda(Q) + \frac{q}{2^k}.$$
Upper Bound of $\varepsilon$

Let $\tau \in \mathcal{T}_{good}$ be a good transcript. For $i = 1, 2$, let $\mathsf{all}_i$ be the set of all oracles in Game $i$, and let $\mathsf{comp}_i(\tau)$ be the set of oracles compatible with $\tau$ in Game $i$. Then $\Pr[T_1 = \tau] = \frac{|\mathsf{comp}_1(\tau)|}{|\mathsf{all}_1|}$ and $\Pr[T_2 = \tau] = \frac{|\mathsf{comp}_2(\tau)|}{|\mathsf{all}_2|}$.

Firstly, we evaluate $|\mathsf{all}_1|$. Since $K \in \{0,1\}^k$ and $P \in \mathsf{Perm}(\{0,1\}^b)$, we have $|\mathsf{all}_1| = 2^k \cdot 2^b!$.

Secondly, we evaluate $|\mathsf{all}_2|$. Since $K \in \{0,1\}^k$, $P \in \mathsf{Perm}(\{0,1\}^b)$, and $F_1, \ldots, F_{\ell_{in}-1}, G_1, \ldots, G_{\ell_{out}} \in \mathsf{Func}(\{0,1\}^b, \{0,1\}^b)$, we have $|\mathsf{all}_2| = 2^k \cdot (2^b!) \cdot \left((2^b)^{2^b}\right)^{\ell_{in}+\ell_{out}-1}$.

Thirdly, we evaluate $|\mathsf{comp}_1(\tau)|$. For $i \in \{1,\ldots,\ell_{in}-1\}$, let $\gamma_i^{in}$ be the number of pairs in $\tau_i^{in}$. For $i \in \{1,\ldots,\ell_{out}\}$, let $\gamma_i^{out}$ be the number of pairs in $\tau_i^{out}$. Let $\gamma_P$ be the number of pairs in $\tau_P \cup \tau_K$. Let $\gamma^{in} = \sum_{i=1}^{\ell_{in}-1} \gamma_i^{in}$ and $\gamma^{out} = \sum_{i=1}^{\ell_{out}} \gamma_i^{out}$. Let $\gamma = \gamma^{in} + \gamma^{out} + \gamma_P$. Note that $\tau_1^{in}, \ldots, \tau_{\ell_{in}-1}^{in}, \tau_1^{out}, \ldots, \tau_{\ell_{out}}^{out}$, and $\tau_P \cup \tau_K$ are defined so that these sets do not overlap each other. Moreover, $K$ is uniquely determined. Hence we have $|\mathsf{comp}_1(\tau)| = (2^b - \gamma)!$.

Finally, we evaluate $|\mathsf{comp}_2(\tau)|$. $\gamma_1^{in}, \ldots, \gamma_{\ell_{in}-1}^{in}, \gamma_1^{out}, \ldots, \gamma_{\ell_{out}}^{out}, \gamma^{in}, \gamma^{out}, \gamma_P$ and $\gamma$ are analogously defined. Note that $K$ is uniquely determined. We thus have
$$|\mathsf{comp}_2(\tau)| = (2^b - \gamma_P)! \cdot \prod_{i=1}^{\ell_{in}-1} (2^b)^{2^b - \gamma_i^{in}} \cdot \prod_{i=1}^{\ell_{out}} (2^b)^{2^b - \gamma_i^{out}} = (2^b - \gamma_P)! \cdot (2^b)^{(\ell_{in}+\ell_{out}-1)2^b - \gamma + \gamma_P}.$$
Hence we have
$$\frac{\Pr[T_1 = \tau]}{\Pr[T_2 = \tau]} = \frac{(2^b - \gamma)!}{2^k \cdot 2^b!} \cdot \frac{2^k \cdot (2^b!) \cdot (2^b)^{(\ell_{in}+\ell_{out}-1)2^b}}{(2^b - \gamma_P)! \cdot (2^b)^{(\ell_{in}+\ell_{out}-1)2^b - \gamma + \gamma_P}} = \frac{(2^b - \gamma)! \cdot (2^b)^{\gamma - \gamma_P}}{(2^b - \gamma_P)!} \ge 1,$$
where the last step holds because $(2^b - \gamma_P)!/(2^b - \gamma)!$ is a product of $\gamma - \gamma_P$ factors each at most $2^b$. We thus have $\varepsilon = 0$.
Upper Bound of $\Pr[D^{G_1} \Rightarrow 1] - \Pr[D^{G_2} \Rightarrow 1]$

By Lemma 1, we have
$$\Pr[D^{G_1} \Rightarrow 1] - \Pr[D^{G_2} \Rightarrow 1] \le \frac{2r(Q+\kappa_{pf})}{2^c} + \left(\frac{44\ell q(Q+\kappa_{pf})}{2^b}\right)^{1/2} + \frac{5.5\ell^2 q^2}{2^b} + \lambda(Q) + \frac{q}{2^k}. \quad (3)$$
4.2 Upper Bound of $\Pr[D^{G_2} \Rightarrow 1] - \Pr[D^{G_3} \Rightarrow 1]$

Note that $L_3$ is a random function $R$. We show the following lemma.

Lemma 2. $L_2$ and $R$ are indistinguishable unless the following event occurs in Game 2:
$$\mathsf{coll}_h \Leftrightarrow \exists \alpha,\beta \in \{1,\ldots,q\} \text{ with } \alpha \ne \beta \text{ and } \exists i \in \{0,\ldots,\ell_{out}-1\} \text{ s.t. } H_i^\alpha = H_i^\beta.$$

Proof. If $\mathsf{coll}_h$ does not hold, then for any online query to $L_2$ the response is freshly and randomly drawn from $\{0,1\}^{\ell_{out} \cdot r}$. Hence, $L_2$ and $R$ are indistinguishable.

By the above lemma, $\Pr[D^{G_2} \Rightarrow 1 \mid \neg\mathsf{coll}_h] = \Pr[D^{G_3} \Rightarrow 1]$ holds. Hence, we have $\Pr[D^{G_2} \Rightarrow 1] - \Pr[D^{G_3} \Rightarrow 1] \le \Pr[\mathsf{coll}_h]$. The upper bound is given in the following. Due to lack of space, we omit the details of the evaluation of $\Pr[\mathsf{coll}_h]$. The upper bound can be obtained by using the birthday analysis for the random functions in $L_2$:
$$\Pr[D^{G_2} \Rightarrow 1] - \Pr[D^{G_3} \Rightarrow 1] \le \Pr[\mathsf{coll}_h] \le \frac{0.5\ell q^2}{2^b}. \quad (4)$$
4.3 Upper Bound of the Advantage

Putting (3) and (4) into (1) gives
$$\mathbf{Adv}^{\mathrm{prf}}_{\mathsf{SwSponge}}(D) \le \frac{2r(Q+\kappa_{pf})}{2^c} + \left(\frac{44\ell q(Q+\kappa_{pf})}{2^b}\right)^{1/2} + \frac{6\ell^2 q^2}{2^b} + \lambda(Q) + \frac{q}{2^k}.$$
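The bound above is easiest to read by evaluating it for concrete parameters. The following Python script is an added example, not code from the paper: it computes each term of the bound in the log2 domain (for $b = 1600$ every term underflows a double) and reports which term dominates, which makes visible the point that the online-query terms are divided by $2^b$ while only $2r(Q+\kappa_{pf})/2^c$ depends on the capacity. The function and parameter names and the sample parameters (Keccak-f[1600] with $c = 256$, a 256-bit key, one prefix key block) are this example's own choices; $\lambda(Q)$, whose definition is not on this page, is taken as an optional log2 input.

```python
"""Evaluate the sandwich-keyed-sponge PRF bound numerically.

Added example, not code from the paper.  It computes log2 of

    2r(Q+kappa_pf)/2^c + (44 l q (Q+kappa_pf)/2^b)^(1/2) + 6 l^2 q^2/2^b
        + lambda(Q) + q/2^k

term by term in the log2 domain, because for b = 1600 every term is far
below the smallest positive double.  lambda(Q) comes from the prefix keyed
sponge bound and is not defined on this page, so it is an optional log2
input.  All function and parameter names are this example's own.
"""
import math


def _log2_sum(exps):
    """log2(sum(2**e for e in exps)) without ever forming 2**e."""
    m = max(exps)
    return m + math.log2(sum(2.0 ** (e - m) for e in exps))


def log2_bound_terms(b, r, k, kappa_pf, ell, q, Q, log2_lambda=None):
    """Return {term name: log2(term)} for the advantage bound.

    b   : permutation width; r : rate, so c = b - r is the capacity
    k   : key length in bits; kappa_pf : number of prefix key blocks
    ell : the block-length parameter l of the bound
    q   : online queries; Q : offline (permutation) queries
    """
    c = b - r
    X = Q + kappa_pf                    # the recurring factor Q + kappa_pf
    terms = {
        # 2r(Q+kappa_pf)/2^c : the only term that depends on the capacity
        "capacity": math.log2(2 * r * X) - c,
        # (44 l q (Q+kappa_pf)/2^b)^(1/2) : online x offline, over the full width b
        "sqrt_b": 0.5 * (math.log2(44 * ell * q * X) - b),
        # 6 l^2 q^2 / 2^b : online-only birthday term, again over 2^b rather than 2^c
        "online_b": math.log2(6 * ell * ell * q * q) - b,
        # q/2^k : hitting the key through an online query
        "key": math.log2(q) - k,
    }
    if log2_lambda is not None:
        terms["lambda"] = log2_lambda   # lambda(Q), supplied by the caller
    return terms


def log2_bound(b, r, k, kappa_pf, ell, q, Q, log2_lambda=None):
    """log2 of the whole bound and the name of its dominant term."""
    terms = log2_bound_terms(b, r, k, kappa_pf, ell, q, Q, log2_lambda)
    dominant = max(terms, key=terms.get)
    return _log2_sum(list(terms.values())), dominant


if __name__ == "__main__":
    # Constructed parameters: Keccak-f[1600] with c = 256 (r = 1344), a 256-bit
    # key, one prefix key block, 2^10 blocks per query, 2^20 online queries and
    # 2^200 - 1 offline queries (so that Q + kappa_pf = 2^200 exactly).
    total, dom = log2_bound(b=1600, r=1344, k=256, kappa_pf=1,
                            ell=2**10, q=2**20, Q=2**200 - 1)
    print(f"log2(Adv) <= {total:.2f}, dominated by the {dom} term")
```

Working in the log2 domain is what makes the comparison possible at all: `2 ** -1557` is zero as a double, so summing the terms directly would silently drop the $2^b$-denominated ones and hide exactly the contrast the bound is about. With the sample parameters the capacity term sits near $2^{-44.6}$ while the $2^b$ terms are below $2^{-680}$; shrinking $Q$ to $2^{100}$ and the key to 128 bits moves the dominant term to $q/2^k$.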
References

1. Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48116-5_18
2. Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: a lightweight hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9_1
3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28496-0_19
4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_19
5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_11
6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop (SKEW), February 2011
7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Permutation-based encryption, authentication and authenticated encryption. In: Directions in Authenticated Ciphers (2012)
8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9_3
9. Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: a lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_21
10. Chang, D., Dworkin, M., Hong, S., Kelsey, J., Nandi, M.: A keyed sponge construction with pseudorandomness in the standard model. In: NIST SHA-3 2012 Workshop (2012)
11. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_19
12. Gaži, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight bounds for keyed sponges and truncated CBC. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 368–387. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_18
13. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_13
14. Jovanovic, P., Luykx, A., Mennink, B.: Beyond $2^{c/2}$ security in sponge-based authenticated encryption modes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 85–104. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_5
15. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24638-1_2
16. Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48800-3_19
17. Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Heidelberg (2014). doi:10.1007/978-3-319-13051-4_19
18. Naito, Y., Yasuda, K.: New bounds for keyed sponges with extendable output: independence between capacity and message length. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 3–22. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_1
19. NIST: SHA-3 standard: permutation-based hash and extendable-output functions. FIPS PUB 202 (2015)
20. NIST: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Regist. 72(212), 62212–62220 (2007)