Keywords

1 Introduction

Sponge functions are versatile cryptographic primitives that can be used for hashing, but also in a wide range of keyed applications, such as message authentication codes (MAC), stream encryption, authenticated encryption, and pseudo-random sequence generation  [5, 7, 8]. This fact is illustrated by the large number of sponge based candidates in the CAESAR competition for authenticated encryption schemes [12]: Artemia [1], Ascon [15], ICEPOLE [23], Ketje [10], Keyak [11], NORX [3], \(\pi \)-Cipher [19], PRIMATEs [2], Prøst [21] and STRIBOB [28]. More recently, Rivest and Schuldt [27] presented an update of the RC4 stream cipher with the name Spritz, also adopting a keyed sponge construction.

The sponge function consists of the application of the sponge construction to a fixed-length permutation (or transformation) f. It is a function that maps an input string of variable length to an output of arbitrary length. The duplex construction also makes use of a fixed-length permutation but results in a stateful object that can be fed with short input strings and from which short output strings can be extracted [8]. The above mentioned authenticated encryption schemes are for example based on the duplex construction. In [8] Bertoni et al. prove the security of the duplex construction equivalent to the security of the sponge construction, which means that any security result on the sponge construction is automatically valid for the duplex construction.

We can identify two types of keyed sponge functions, both of which we see applied in practice [13, 10, 11, 15, 19, 21, 23, 25, 28, 29]. The first type applies the key by taking it as the first part of the sponge input and we call it the outer-keyed sponge. The second inner-keyed sponge applies the key on the inner part of the initial state, and can be viewed as successive applications of the Even-Mansour [16, 17] type block cipher, which in turn calls an unkeyed permutation.

One way to argue security of the keyed sponge constructions is via the indifferentiability result of [6]. This result guarantees that the keyed sponge constructions can replace random oracles in any single-stage cryptographic system [22, 26] as long as the total complexity of the adversary is less than \(2^{(c+1)/2}\). Bertoni et al. [9] derived an improved bound on the distinguishing advantage against the outer-keyed sponge by separating the total complexity into time and data complexity. However, their proof contains a subtle error: [9, Lemma 1] proves that the keyed sponge output is uniformly and independently distributed if certain conditions are fulfilled, whereas the proof requires uniformity of the joint keyed sponge output and queries to f, which does exhibit a bias. Regarding the inner-keyed sponge, Chang et al. considered security of the construction in the so-called standard model in [13]. Central in their reasoning is the clever trick to describe the keyed sponge as the sponge construction calling an Even-Mansour block cipher. Their bound does however not go beyond the generic sponge indifferentiability bound of [6] as their main intention appears to have been to prove security in the standard model rather than the ideal permutation model.

1.1 Our Contribution

We prove bounds on the generic security of both types of keyed sponge constructions in the single-target and multi-target scenarios. In the single-target scenario, we bound the success probability of distinguishing a single instance of the construction from a random oracle for a given attack complexity and providing the adversary with additional access to the underlying permutation f. In the multi-target scenario, the adversary targets multiple instances of the keyed sponge at the same time. In practice, many systems support multiple users using the same algorithm and the adversary may be willing to leverage his resources to break at least one of the users’ account. It can be regarded as important to the system provider who wants to avoid losing credibility in such a case. For the multi-target analysis, we introduce a generalized version of indistinguishability security.

Our proofs are performed in two steps. Firstly, considering the keyed sponge constructions to be implicitly based on an underlying block cipher, we derive a bound for the distinguishing advantage of the constructions in the PRP model. Secondly, we deal with the PRP security of the Even-Mansour construction in the ideal permutation model using Patarin’s H-coefficient technique [14, 24]. This modular proof approach results in compact proofs that are easy to verify.

When estimating the required capacity c to achieve a required security level, the important term in all of the bounds is of the form \(\frac{M^2 + \mu N}{2^c}\). Here, M is the data complexity, N the time complexity, and \(\mu \) is the so-called total maximum multiplicity. The multiplicity is determined by the keyed sponge outputs available to the adversary and is a function of M. It first appeared in Bertoni et al. [7], and allows us to achieve bounds that significantly improve over the earlier single-target bounds of [9, 13]. The multiplicity makes the bound widely applicable, as it allows to take into account the restrictions an adversary faces in a concrete use case. In more detail, in the worst case the multiplicity equals twice the data complexity but in many attack scenarios it is orders of magnitude smaller, leading to a tighter bound. For cryptographically significant parameter values, the dominant term in the bound is the time complexity by divided by \(2^c/\mu \). In other words, our bounds imply security beyond the birthday bound on the capacity for all existing keyed sponge based modes.

We remark that a recent work of Jovanovic et al. [20] proved bounds on the distinguishing advantage for keyed sponge based authenticated encryption. Their results are specific for authentication encryption modes applying a keyed sponge construction and explicitly require nonce uniqueness. Moreover, unlike the bounds in this paper, their bound contains a term involving the permutation width making it tight only for large rates. Additionally, our results yield a tight bound whatever the rate, exploiting the multiplicity, which is typically small in the case of unique nonce scenarios (see also Sect. 6). Finally, a concurrent work by Gaži et al. [18] proves tight bounds for the specific case of MACs produced by a keyed sponge, but without generalizing to other applications that require longer output lengths.

1.2 Version History

Gaži, Pietrzak, and Tessaro pointed out that the pre-proceedings version contains an oversight in the analysis of the outer-keyed sponge. Informally, the probability that a distinguisher guesses the key was bounded incorrectly. We have fixed the issue, using a result from Gaži et al. [18]. We refer to the proof of Theorem 6 and the subsequent discussion for more details.

1.3 Outline

The remainder of this paper is organized as follows. In Sect. 2, we provide the definitions of the constructions we use. This is followed by an introduction to the security model of indistinguishability in Sect. 3. In Sect. 4, we prove our bounds for the inner-keyed sponge and in Sect. 5 those for the outer-keyed sponge. Finally, we discuss the implications of our bounds in Sect. 6.

2 Definitions of Constructions

In this section we specify the constructions we address in this paper.

2.1 The Sponge Construction

The sponge construction operates on a state s of b bits, and calls a b-bit permutation f. It takes as input a message \(m\in \{0,1\}^{*}\) and natural number \(\ell \) and outputs a potentially infinite string truncated to the chosen length \(\ell \in \mathbb {N}\), denoted \(z\in \{0,1\}^{\ell }\).

We express an evaluation of the sponge function as

$$\begin{aligned} \textsc {Sponge}^f(m,\ell ) = z. \end{aligned}$$
(1)

The sponge function operates as follows. First we apply an injective padding function to the input message m, denoted by \(m||\mathrm {pad}[r](|m|)\), with r the rate. This padding rule is required to be injective and the last block is required to be different from 0. Then, we initialize the b bits of the sponge state s to zero. We refer to the first r bits of the state s as the outer part \(\bar{s}\) and to the last \(c = b - r\) bits (c is called the capacity) as its inner part \(\hat{s}\) (think back on \(\hat{\ }\) as a roof). The padded message is processed by an absorbing phase followed by a squeezing phase:

  • Absorbing phase: the r-bit input message blocks are sequentially XORed into the outer part of the state, interleaved with applications of the function f;

  • Squeezing phase: the bits of the outer part of the state are returned as output blocks, interleaved with applications of the function f, until enough bits are produced.

An illustration is given in Fig. 1 and a formal description is provided in Algorithm 1. The notation \({\lfloor x \rfloor _{n}}\) means that the string x is truncated after its first n bits.

Fig. 1.
figure 1

The sponge construction

Full size image
figure a

2.2 The Even-Mansour Construction

The (single-key) Even-Mansour construction builds a b-bit block cipher from a b-bit permutation and takes a b-bit key [16, 17]. It is defined as \(f(x\oplus K)\oplus K\). We consider a variant with the first r bits of the key are zero, reducing its effective length to c bits:

$$\begin{aligned} E^f_K(x) = f(x\oplus (0^r||K))\oplus (0^r||K). \end{aligned}$$
(2)

2.3 The Root-Keyed Sponge

As a way to highlight the similarities between the inner- and outer-keyed sponges, which we will define in the next sections, we define a common construction called the root-keyed sponge. Basically, it is a variant of the sponge construction where the state is initialized to a key \(K\in \{0,1\}^{b}\) instead of \(0^b\). The root-keyed sponge \(\textsc {RKS}^f_K\) is defined in Algorithm 2.

The root-keyed sponge can be rewritten using the Even-Mansour block cipher. Indeed, we have

$$\begin{aligned} \textsc {RKS}^f_K(m, \ell ) = \textsc {RKS}^{E^f_{\hat{K}}}_{\bar{K}||0^c}(m, \ell ), \end{aligned}$$
(3)

as key additions between subsequent applications of \(E^f_{\hat{K}}\) cancel out.

figure b

2.4 The Inner-Keyed Sponge

The inner-keyed sponge \(\textsc {IKS}^f\) is a pseudorandom function (PRF) that was first introduced by Chang et al. [13] (their case EMKSC3). An inner-keyed sponge instance is defined by a permutation f and a key \(K\in \{0,1\}^{c}\) and simply consists of the sponge construction with \(E^f_K\) as permutation:

$$\begin{aligned} \textsc {IKS}^f_K(m,\ell ) = \textsc {Sponge}^{E^f_K}(m,\ell ). \end{aligned}$$
(4)

Owing to (3), an equivalent definition of \(\textsc {IKS}^f_K(m,\ell )\) is given by

$$\begin{aligned} \textsc {IKS}^f_K(m,\ell ) = \textsc {RKS}^{E^f_K}_{0^b}(m, \ell ) = \textsc {RKS}^f_{0^r ||K}(m,\ell ). \end{aligned}$$
(5)

2.5 The Outer-Keyed Sponge

The outer-keyed sponge \(\textsc {OKS}^f\) is a PRF construction that was originally introduced by Bertoni et al. [9] as the keyed sponge. An outer-keyed sponge instance is defined by a permutation f and a key \(K\in \{0,1\}^{k}\) and simply consists of an evaluation of the sponge construction where the secret key and the message are concatenated:

$$\begin{aligned} \textsc {OKS}^f_K(m,\ell ) = \textsc {Sponge}^f(K||m,\ell ). \end{aligned}$$
(6)

While K may be of any size, we limit our analysis to the case where k is a multiple of the rate r, or \(\{0,1\}^{k}=(\{0,1\}^{r})^+\). The outer-keyed sponge can be equivalently described as a function that derives the root key \(L\in \{0,1\}^{b}\) from the cipher key \(K\in \{0,1\}^{k}\), followed by the root-keyed sponge with root key L. The root key derivation function \(\textsc {kd}^f(K)\) is defined in Algorithm 3. We obtain:

$$\begin{aligned} \textsc {OKS}^f_K(m,\ell ) = \textsc {RKS}^f_{\textsc {kd}^f(K)}(m,\ell ) \mathop {=}\limits ^{(3)} \textsc {RKS}^{E^f_{\hat{L}}}_{\bar{L}||0^c}(m, \ell ), \end{aligned}$$
(7)

with \(L=\textsc {kd}^f(K)\). This alternative description highlights a similarity with the inner-keyed sponge: the only effective difference lies in the presence of the root key derivation function.

figure c

3 Security Model

The security analyses in this work are done in the indistinguishability framework where one bounds the advantage of an adversary \(\mathcal {A}\) in distinguishing a real system from an ideal system. The real system contains one or more specified constructions, while the ideal one consists of ideal functions with the same interface. We explain the high-level idea for the case where \(\mathcal {A}\) attacks one instance of a keyed sponge construction.

Suppose \(f:\{0,1\}^{b}\rightarrow \{0,1\}^{b}\) is a permutation and consider a keyed sponge construction \(\mathcal {H}_K^f\) based on f and some key \(K\in \{0,1\}^{k}\). Let \(\mathcal {RO}\) be a random oracle [4] with the same interface as \(\mathcal {H}_K^f\). Adversary \(\mathcal {A}\) is given query access to either \(\mathcal {H}_K^f\) or \(\mathcal {RO}\) and tries to tell both apart. It is also given access to the underlying permutation f, which is modeled by query access. The random oracle is required to output infinitely long strings truncated to a certain length. The function can be defined as \(\mathcal {RO}:\{0,1\}^{*}\times \mathbb {N}\rightarrow \{0,1\}^{\mathbb {N}}\) that on input \((m,\ell )\) outputs \(\mathcal {RO}(m,\ell )=\lfloor \mathcal {RO}^\infty (m)\rfloor _\ell \), where \(\mathcal {RO}^\infty :\{0,1\}^{*}\rightarrow \{0,1\}^{\infty }\) takes inputs of arbitrary but finite length and returns random infinite strings where each output bit is selected uniformly and independently, for every m.

We similarly consider the PRP security of the Even-Mansour construction \(E^f_K\), where \(\mathcal {A}\) is given query access to either this construction or a random permutation \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(b)\) with domain and range \(\{0,1\}^{b}\), along with query access to f. We also consider a slightly more advanced notion of kdPRP security, where the root key derivation function \(\textsc {kd}\) is applied to K first.

The security proofs of \(\textsc {IKS}\) and \(\textsc {OKS}\) consist of two steps: the first one reduces the security of the construction to the PRP security (for \(\textsc {IKS}\)) or kdPRP security (for \(\textsc {OKS}\)) of the Even-Mansour construction. This step does not depend on f and is in fact a standard-model reduction. Next, we investigate the PRP/kdPRP security of Even-Mansour under the assumption that f is a random permutation.

3.1 Counting

We express our bound in terms of the query complexities that model the effort by the adversary. Here we distinguish between keyed sponge construction or random oracle queries and primitive queries to \(f^{\pm }\):

  • Data or online complexity M: the amount of access to the construction \(\mathcal {H}_K^f\) or \(\mathcal {RO}\), that in many practical use cases is limited;

  • Time or offline complexity N: computations requiring no access to the construction, in practical use cases only limited by the computing power and time available to the adversary.

Both M and N are expressed in terms of the number of primitive calls. We include in M only fresh calls: a call from \(\mathcal {H}_K^f\) to f is not fresh if it has already been made due to a prior query to the construction. In the ideal world a random oracle naturally does not make calls to f, but the data complexity is counted as if it would and as such, it is fully determined by the queries. For N, we assume without loss of generality that the adversary makes no repeated queries.

In our proofs, we use an additional characteristic of the queries called the total maximum multiplicity and denote it by \(\mu \). Let \(\{(s_i,t_i)\}_{i=1}^M\) be the set of M input/output pairs for f made in construction evaluations.

Definition 1

(Multiplicity). The maximum forward and backward multiplicities are given by

$$\begin{aligned} \mu _\mathrm {fw}&= \max _a \#\{i\in \{1,\ldots ,M\} \mid \bar{s}_i=a\}\,\, and \\ \mu _\mathrm {bw}&= \max _a \#\{i\in \{1,\ldots ,M\} \mid \bar{t}_i=a\}. \end{aligned}$$

The total maximum multiplicity is given by \(\mu =\mu _\mathrm {fw}+\mu _\mathrm {bw}\).

Note that the total maximum multiplicity \(\mu \) is the sum of the maximum forward and backward multiplicities while [7] uses the maximum over the forward and backward multiplicities.

Fig. 2.
figure 2

The keyed sponge distinguishing setup

Full size image

3.2 Distinguishing Advantage for Keyed Sponges

We are now ready to give the indistinguishability definition for keyed sponges (the PRP and kdPRP security definitions will be discussed in Sects. 4 and 5). Our definition is broad in the sense that it considers also security against a multi-target attack, where an attacker has access to an array of \(n\ge 1\) instances of the keyed sponge or random oracles. We refer to this notion as joint indistinguishability. Naturally, joint indistinguishability reduces to plain or regular indistinguishability for \(n=1\). The model is illustrated in Fig. 2.

Definition 2

(Joint Distinguishing Advantage). Let \(\mathcal {H}\) be a PRF function based on a permutation \(f\in \mathsf {Perm}(b)\). Let \(K_1,\dots ,K_n\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) be \(n\ge 1\) keys and \(\mathcal {RO}_1,\ldots ,\mathcal {RO}_n\) be \(n\) independent random oracles with the same interface as \(\mathcal {H}_{K_1},\ldots ,\mathcal {H}_{K_n}\). The joint distinguishing advantage of \(\mathcal {A}\) is defined as

$$\begin{aligned} \mathbf {Adv}_{\mathcal {H}}^{\mathrm {ind[n]}}(\mathcal {A}) = \left| \Pr \left( \mathcal {A}^{\mathcal {H}_{K_1}^f,\dots ,\mathcal {H}_{K_n}^f,f}\Rightarrow 1\right) - \Pr \left( \mathcal {A}^{\mathcal {RO}_1,\dots ,\mathcal {RO}_n,f}\Rightarrow 1\right) \right| . \end{aligned}$$

We use \(\mathbf {Adv}_{\mathcal {H}}^{\mathrm {ind[n]}}(M_{1},\dots ,M_{n},\mu ,N)\) to denote the maximum advantage over any adversary with data complexity \(M_h\) to the h-th construction oracle (\(\mathcal {H}_{K_h}\) or \(\mathcal {RO}_h\)), time complexity N, and total maximum multiplicity \(\mu \).

Note that, as we consider \(n\ge 1\) instances of the construction, we have similarly split the online complexity M into \(M_1+\cdots +M_n\). In other words, M gives the online complexity over all n instances.

3.3 Patarin’s H-Coefficient Technique

Our proofs partly rely on Patarin’s H-coefficient technique [24]. We briefly summarize this technique, and refer to Chen and Steinberger [14] for further discussion.

Consider an information-theoretic adversary \(\mathcal {A}\) whose goal is to distinguish two systems X and Y, denoted as

$$\begin{aligned} \mathbf {Adv}(\mathcal {A}) = \varDelta (X;Y), \end{aligned}$$

where \(\varDelta (X;Y)\) denotes the statistical distance between X and Y. Without loss of generality, we can assume \(\mathcal {A}\) is a deterministic adversary and will always do so in the following. Indeed, if \(\mathcal {A}\) were a randomized adversary, there exists a deterministic adversary \(\mathcal {A}'\) with at least the same advantage (namely the one defined by \(\mathcal {A}\) and the fixed random tape). We refer to [14] for details. Its interaction with the system X or Y is summarized in a transcript \(\tau \). For \(Z\in \{X,Y\}\), denote by \(D_Z\) the probability distribution of transcripts when interacting with Z. Say that a transcript \(\tau \) is attainable if it can be obtained from interacting with Y, hence if \(\Pr \left( D_Y=\tau \right) >0\), and let \(\mathcal {T}\) be the set of all attainable transcripts. The H-coefficient technique states the following [14].

Lemma 1

(H-coefficient Technique). Consider a fixed deterministic adversary \(\mathcal {A}\). Let \(\mathcal {T}=\mathcal {T}_\mathrm {good}\cup \mathcal {T}_\mathrm {bad}\) be a partition of the set of attainable transcripts into “good” and “bad” transcripts. Let \(\varepsilon \) be such that for all \(\tau \in \mathcal {T}_\mathrm {good}\):

$$\begin{aligned} \frac{\Pr \left( D_X=\tau \right) }{\Pr \left( D_Y=\tau \right) } \ge 1-\varepsilon . \end{aligned}$$

Then, \(\mathbf {Adv}(\mathcal {A})\le \varepsilon + \Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \).

Proofs using Patarin’s technique consist of first carefully defining a set of “bad” transcripts \(\mathcal {T}_\mathrm {bad}\), and then showing that both \(\varepsilon \) and \(\Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \) are small for this set of bad transcripts.

4 Distinguishing Advantage of the Inner-Keyed Sponge

We bound the distinguishing advantage of the inner-keyed sponge construction in the ideal permutation model. A bound for the case of \(n=1\) is given in Sect. 4.1, and it is generalized to arbitrary \(n\) in Sect. 4.2. Both proofs consist of two steps that are both of independent interest. Note that we assume equal key size and capacity in our proofs. If \(k < c\), the denominator \(2^c\) in the bounds of Theorems 2 and 4 must be replaced by \(2^k\).

Before proceeding, we define the notion of PRP security that we will use in the security proof of the inner-keyed sponge to replace \(E^f_{K_1},\ldots ,E^f_{K_n}\) with random permutations \(\pi _1,\ldots ,\pi _n\), in analogy with (4). As multiple instances of E for \(n\) different keys are considered, we call this notion joint PRP security.

Definition 3

(Joint PRP Advantage). We define the joint PRP advantage of \(\mathcal {A}\) for a given block cipher \(E:\{0,1\}^{c}\times \{0,1\}^{b}\rightarrow \{0,1\}^{b}\) based on a permutation \(f\in \mathsf {Perm}(b)\) as

$$\begin{aligned} \mathbf {Adv}_{E}^{\mathrm {prp}[n]}(\mathcal {A}) = \left| \Pr \left( \mathcal {A}^{E^f_{K_1}, \dots , E^f_{K_n},f}\Rightarrow 1\right) - \Pr \left( \mathcal {A}^{\pi _1, \dots , \pi _n,f}\Rightarrow 1\right) \right| . \end{aligned}$$

The adversary can make both forward and inverse primitive queries f and \(f^{-1}\), but is restricted to forward construction queries. We use \(\mathbf {Adv}_{E}^{\mathrm {prp}[n]}(M_{1}\),..., \(M_{n}\),\(\mu ,N)\) to denote the maximum advantage over any adversary with data complexity \(M_h\) to the h-th construction oracle (\(E^f_{K_h}\) or \(\pi _h\)), time complexity N, and total maximum multiplicity \(\mu \).

4.1 Single Target

Theorem 1

For \(\textsc {IKS}^f_K:\{0,1\}^{*}\times \mathbb {N}\rightarrow \{0,1\}^{\mathbb {N}}\) with \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\) and permutation \(f\in \mathsf {Perm}(b)\):

$$\begin{aligned} \mathbf {Adv}_{\textsc {IKS}}^{\mathrm {ind[1]}}(M,\mu ,N) \le \frac{M^2}{2^c} + \mathbf {Adv}_{E}^{\mathrm {prp}[1]}(M,\mu ,N). \end{aligned}$$

Proof

Using the triangle inequality, we find that for any adversary \(\mathcal {A}\):

$$\begin{aligned} \mathbf {Adv}_{\textsc {IKS}}^{\mathrm {ind[1]}}(\mathcal {A})&\mathop {=}\limits ^{\text {def}} \varDelta _\mathcal {A}(\textsc {IKS}_K^f,f;\mathcal {RO},f)\\&\mathop {=}\limits ^{(4)} \varDelta _\mathcal {A}(\textsc {Sponge}^{E^f_K},f;\mathcal {RO},f)\\&\le \varDelta _\mathcal {A}(\textsc {Sponge}^{\pi },f;\mathcal {RO},f) + \varDelta _\mathcal {B}(E^f_K,f;\pi ,f)\\&= \varDelta _\mathcal {C}(\textsc {Sponge}^{\pi },\mathcal {RO}) + \varDelta _\mathcal {B}(E^f_K,f;\pi ,f). \end{aligned}$$

Here, \(\mathcal {B}\) and \(\mathcal {C}\) are adversaries whose joint cost is not above that of \(\mathcal {A}\). Concretely, for our cost functions M, N and total maximum multiplicity \(\mu \), this means that \(\mathcal {B}\) cannot make more than M construction queries with total maximum multiplicity at most \(\mu \) and at most N primitive queries. Distinguisher \(\mathcal {C}\) can make at most M construction queries, and its advantage is covered by the indifferentiability bound proven in [6].

    \(\square \)

We now bound the PRP security of the Even-Mansour construction in the ideal permutation model. The proof is a generalization of the security analysis of the Even-Mansour block cipher [16, 17].

Theorem 2

For \(E^f_K\) with \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\) and ideal permutation \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(b)\) we have

$$\begin{aligned} \mathbf {Adv}_{E}^{\mathrm {prp}[1]}(M,\mu ,N) \le \frac{\mu N}{2^c}. \end{aligned}$$

Proof

The proof uses Lemma 1. We consider an adversary \(\mathcal {A}\) that has access to \(X=(E^f_K,f)\) in the real world or \(Y=(\pi ,f)\) in the ideal world. It can only make forward queries to its oracle \(\mathcal {O}_1\), although it can make both forward and backward queries to f. It makes M construction queries with total maximum multiplicity at most \(\mu \) and at most N primitive queries. The interaction with \(\mathcal {O}_1\) is denoted \(\tau _1=\{(s_i,t_i)\}_{i=1}^M\) and the interaction with f is denoted \(\tau _f=\{(x_j,y_j)\}_{j=1}^N\). To ease the analysis, we will disclose K at the end of the experiment (in the ideal world, K will simply be a dummy key). The transcripts are thus of the form \(\tau =(K,\tau _1,\tau _f)\). We recall that the total maximum multiplicity is \(\mu \), which means that

$$\begin{aligned} \max _a \#\{(s_i,t_i)\in \tau _1 \mid \bar{s}_i=a \}&\le \mu _\mathrm {fw}\text { and }\\ \max _a \#\{(s_i,t_i)\in \tau _1 \mid \bar{t}_i=a \}&\le \mu _\mathrm {bw}, \end{aligned}$$

for some \(\mu _\mathrm {fw},\mu _\mathrm {bw}\) with \(\mu _\mathrm {fw}+\mu _\mathrm {bw}\le \mu \).

Definition of good and bad transcripts. We define a transcript \(\tau \) as bad if

$$\begin{aligned} \exists (s,t) \in \tau _1, (x,y) \in \tau _f \text { such that } s\oplus x = 0^r||K \vee t\oplus y = 0^r||K. \end{aligned}$$
(8)

In the real world a bad transcript implies two calls to f with the same input: one directly from querying the primitive oracle and another one indirectly from querying the construction oracle. In a good transcript in the real world, all tuples in \((\tau _1,\tau _f)\) uniquely define an input-output pair of f. Note also that in the real world the two conditions in (8) are equivalent while in the ideal world they are not.

Bounding the probability of bad transcripts in the ideal world. In the ideal world, \((\tau _1,\tau _f)\) is a transcript generated independently of the dummy key \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\). First consider the first condition of (8). Fix any tuple (xy) (N choices). By construction, \(\tau _1\) contains at most \(\mu _\mathrm {fw}\) tuples (st) such that \(\bar{s}=\bar{x}\). This gives a total of \(\mu _\mathrm {fw}N\) values \(\hat{s}\oplus \hat{x}\), and any could be hit by the randomly generated K. A similar reasoning holds for the second part of (8), resulting in \(\mu _\mathrm {bw}N\) values. Concluding, \(\Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \le \frac{\mu N}{2^c}\), where we use that \(\mu =\mu _\mathrm {fw}+\mu _\mathrm {bw}\).

Bounding the ratio \({\varvec{\Pr \left( D_X=\tau \right) /\Pr \left( D_Y=\tau \right) }}\) for good transcripts. Consider a good transcript \(\tau \in \mathcal {T}_\mathrm {good}\). Denote by \(\varOmega _X\) the set of all possible oracles in the real world and by \(\mathsf {comp}_X(\tau )\subseteq \varOmega _X\) the set of oracles in \(\varOmega _X\) compatible with transcript \(\tau \). Note that \(|\varOmega _X|=2^c\cdot 2^b!\). Define \(\varOmega _Y\) and \(\mathsf {comp}_Y(\tau )\) similarly, where \(|\varOmega _Y|=2^c\cdot (2^b!)^2\). The probabilities appearing in Lemma 1 can be computed as follows:

$$\begin{aligned} \Pr \left( D_X=\tau \right) = \frac{|\mathsf {comp}_X(\tau )|}{|\varOmega _X|} \;\text { and }\; \Pr \left( D_Y=\tau \right) = \frac{|\mathsf {comp}_Y(\tau )|}{|\varOmega _Y|}. \end{aligned}$$

Starting with \(|\mathsf {comp}_X(\tau )|\), the condition \(\tau \in \mathcal {T}_\mathrm {good}\) imposes uniqueness of the query tuples in \(\tau \), or in other words that any tuple defines exactly one input-output pair of f. As \(\tau \cup \tau _f\) consists of \(M+N\) tuples, the number of possible functions f compliant with \(\tau \) is \(|\mathsf {comp}_X(\tau )|=(2^b-M-N)!\). For the ideal world, the number of compliant functions \(\pi \) equals \((2^b-M)!\) and the number of compliant oracles f equals \((2^b-N)!\). Therefore,

$$\begin{aligned} |\mathsf {comp}_Y(\tau )| = (2^b-M)!(2^b-N)!\le (2^b-M-N)!2^b!. \end{aligned}$$

We consequently obtain

$$\begin{aligned} \Pr \left( D_X=\tau \right)&= \frac{(2^b-M-N)!}{2^c\cdot 2^b!} = \frac{(2^b-M-N)!2^b!}{2^c\cdot (2^b!)^2}\\&\ge \frac{|\mathsf {comp}_Y(\tau )|}{|\varOmega _Y|} = \Pr \left( D_Y=\tau \right) , \end{aligned}$$

and thus \(\Pr \left( D_X=\tau \right) /\Pr \left( D_Y=\tau \right) \ge 1\).    \(\square \)

In the ideal permutation model, the expressions in Theorems 1 and 2 simplify into

$$\begin{aligned} \mathbf {Adv}_{\textsc {IKS}}^{\mathrm {ind[1]}}(M,\mu ,N) \le \frac{M^2 + \mu N}{2^c}. \end{aligned}$$

4.2 Multiple Targets

Theorem 3

For \(\textsc {IKS}^f_K:\{0,1\}^{*}\times \mathbb {N}\rightarrow \{0,1\}^{\mathbb {N}}\) with \(K_1, \dots , K_n\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\) and permutation \(f\in \mathsf {Perm}(b)\):

$$\begin{aligned} \mathbf {Adv}_{\textsc {IKS}}^{\mathrm {ind[n]}}(M_{1},\dots , M_{n}, \mu , N) \le \frac{\sum _h M_h^2}{2^c} + \mathbf {Adv}_{E}^{\mathrm {prp}[n]}(M_{1},\dots , M_{n},\mu ,N). \end{aligned}$$

Proof

A similar reasoning as for Theorems 1, but now using the notion of joint PRP security to replace \(E^f_{K_1}, \dots , E^f_{K_n}\) with \(n\) independent random permutations \(\pi _1, \dots , \pi _n\), results in

$$\begin{aligned} \mathbf {Adv}_{\textsc {IKS}}^{\mathrm {ind[n]}}(\mathcal {A})&\le \varDelta _\mathcal {C}(\textsc {Sponge}^{\pi _1},\dots ,\textsc {Sponge}^{\pi _n};\mathcal {RO}_1,\dots ,\mathcal {RO}_n)\\&\quad \quad \quad + \varDelta _\mathcal {B}(E^f_{K_1},\dots ,E^f_{K_n},f;\pi _1,\dots ,\pi _n,f). \end{aligned}$$

Here, \(\mathcal {B}\) and \(\mathcal {C}\) are adversaries whose joint cost is not above that of \(\mathcal {A}\), and particularly both make at most \(M_h\) h-th construction queries for \(h=1,\ldots ,n\). The advantage of \(\mathcal {C}\) is in fact the distinguishing bound of \(n\) sponges with independent permutations.    \(\square \)

We now bound the joint PRP security of the Even-Mansour construction in the ideal permutation model.

Theorem 4

For \(E^f_K\) with \(K_1,\dots ,K_n\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\) and ideal permutation \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(b)\) we have

$$\begin{aligned} \mathbf {Adv}_{E}^{\mathrm {prp}[n]}(M_{1},\dots , M_{n},\mu ,N) \le \frac{\mu N}{2^c} + \frac{2\sum _{h\ne h'} M_h M_{h'}}{2^c}. \end{aligned}$$

Proof

The proof follows the one of Theorem 2, with the difference that multiple keys are involved. Adversary \(\mathcal {A}\) has access to \(X=(E^f_{K_1},\dots ,E^f_{K_n},f)\) in the real world or \(Y=(\pi _1,\dots ,\pi _n,f)\) in the ideal world. The \(n\) construction oracles are also denoted \((\mathcal {O}_1,\ldots ,\mathcal {O}_n)\). It makes \(M_h\) construction queries to \(\mathcal {O}_h\) with total maximum multiplicity at most \(\mu \) (over all \(M=M_1+\cdots +M_n\) construction queries) and at most N primitive queries. The interaction with \(\mathcal {O}_h\) (for \(h=1,\ldots ,n\)) is denoted \(\tau _h=\{(s_i,t_i)\}_{i=1}^{M_h}\) and the interaction with f is denoted \(\tau _f=\{(x_j,y_j)\}_{j=1}^N\). As before, we will disclose the keys \(K_{1}, \dots K_{n}\) at the end of the experiment. The transcripts are thus of the form \(\tau =(K_1,\ldots ,K_n,\tau _1,\ldots ,\tau _n,\tau _f)\).

Definition of good and bad transcripts. We extend the definition of bad transcripts from Theorem 2 to multiple keys. Formally, we define a transcript \(\tau \) as bad if one of the following is satisfied:

$$\begin{aligned}&\exists h, (s,t) \in \tau _h, (x,y) \in \tau _f \text { such that } s\oplus x = 0^r||K_h \vee t\oplus y = 0^r||K_h, \end{aligned}$$
(9)
$$\begin{aligned}&\exists h\ne h', (s,t) \in \tau _h, (s',t') \in \tau _{h'} \text { such that } \nonumber \\&\qquad \qquad \qquad \qquad s\oplus s' = 0^r||(K_h \oplus K_{h'}) \vee t\oplus t' = 0^r||(K_h \oplus K_{h'}). \end{aligned}$$
(10)

The second condition corresponds to colliding calls to f coming from two construction queries with different keys. In the real world, all tuples in a good transcript \((\tau _1,\ldots ,\tau _n,\tau _f)\) consistently define an input-output pair of f. Note also that in the real world the two conditions in (9) are equivalent, and similarly for the two conditions in (10).

Bounding the probability of bad transcripts in the ideal world. In the ideal world, \((\tau _1,\dots ,\tau _n,\tau _f)\) is a transcript generated independently of the dummy keys \(K_1,\dots ,K_n\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\). The proof of Theorem 2 straightforwardly generalizes to show that (9) is set with probability at most \(\frac{\mu N}{2^c}\). Here, we use that for any tuple \((x,y)\in \tau _f\), the set \((\tau _1,\dots ,\tau _n)\) of M queries in total contains at most \(\mu _\mathrm {fw}\) tuples (st) such that \(\bar{s}=\bar{x}\). A similar exercise is done for (10): for \(h\ne h'\), there are at most \(2M_hM_{h'}\) values \(s\oplus s'\) and \(t\oplus t'\) with \((s,t) \in \tau _h\) and \((s',t') \in \tau _{h'}\), and the value \(K_h\oplus K_{h'}\) has probability \(1/2^c\). Concluding, \(\Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \le \frac{\mu N}{2^c} + \frac{2\sum _{h\ne h'} M_h M_{h'}}{2^c}\).

Bounding the ratio \(\varvec{\Pr \left( D_X=\tau \right) /\Pr \left( D_Y=\tau \right) }\) for good transcripts. As in the proof of Theorem 2, we have \(|\varOmega _X|=(2^c)^n\cdot 2^b!\) and \(|\varOmega _Y|=(2^c)^n\cdot (2^b!)^{n+1}\). Also, \(|\mathsf {comp}_X(\tau )|=(2^b-M-N)!\) by construction. For the ideal world, the number of compliant functions \(\pi _1,\dots ,\pi _n\) equals \(\prod _h (2^b-M_h)!\) and the number of compliant oracles f equals \((2^b-N)!\). Therefore,

$$\begin{aligned} |\mathsf {comp}_Y(\tau )| = \left( \prod _h (2^b-M_h)!\right) (2^b-N)! \le (2^b-M-N)!(2^b!)^n, \end{aligned}$$

and the remainder of the proof follows Theorem 2.    \(\square \)

In the ideal permutation model, the expressions in Theorems 3 and 4 simplify into

$$\begin{aligned} \mathbf {Adv}_{\textsc {IKS}}^{\mathrm {ind[n]}}(M_{1},\dots , M_{n}, \mu , N) \le \frac{M^2 + \mu N}{2^c}. \end{aligned}$$

We remark that the bound is independent of \(n\), and particularly matches the bound of Sect. 4.1. This is because M is the sum of the complexities \(M_1,\ldots ,M_n\), and additionally the multiplicity \(\mu \) is taken over all construction queries.

5 Distinguishing Advantage of the Outer-Keyed Sponge

We bound the distinguishing advantage of the outer-keyed sponge construction in the ideal permutation model. A bound for the case of \(n=1\) is given in Sect. 5.1, and it is generalized to arbitrary \(n\) in Sect. 5.2. The high-level ideas of the proofs are the same as the ones of Sect. 4. The outer-keyed sponge differs from the inner-keyed sponge by the presence of a key derivation function using f. Therefore, a more involved version of PRP security is needed, where the key derivation L from K is taken into account. We call this notion joint kdPRP (key derivated PRP) security. For simplicity, we assume that all keys have equal length, with \(v=k/r\) their block length.

Definition 4

(Joint kdPRP Advantage). We define the joint kdPRP advantage of \(\mathcal {A}\) for a given block cipher \(E:\{0,1\}^{c}\times \{0,1\}^{b}\rightarrow \{0,1\}^{b}\) based on a permutation \(f\in \mathsf {Perm}(b)\) as

$$\begin{aligned} \mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[n]}}(\mathcal {A}) = \bigg |&\Pr \left( L_1\leftarrow \textsc {kd}^f_{K_1},\ldots ,L_n\leftarrow \textsc {kd}^f_{K_n};\;\mathcal {A}^{E^f_{\hat{L}_1},\dots ,E^f_{\hat{L}_n},f}\Rightarrow 1\right) \\&\quad \quad \quad - \Pr \left( \mathcal {A}^{\pi _1,\dots ,\pi _n,f}\Rightarrow 1\right) \bigg |. \end{aligned}$$

The adversary can make both forward and inverse primitive queries f and \(f^{-1}\), but is restricted to forward construction queries. We use \(\mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[n]}}(M_{1},\)..., \(M_{n}\),\(\mu ,N)\) to denote the maximum advantage over any adversary with data complexity \(M_h\) to the h-th construction oracle (\(E^f_{K_h}\) or \(\pi _h\)), time complexity N, and total maximum multiplicity \(\mu \).

Intuitively, permutation f results in a kdPRP secure block cipher if (i) it renders sufficiently secure evaluations of \(\textsc {kd}\) and (ii) \(E^f_{\hat{L}_1},\dots ,E^f_{\hat{L}_n}\) are secure Even-Mansour block ciphers. Note that, indeed, Definition 4 generalizes Definition 3 in the same way the \(\textsc {OKS}^f_K\) of (7) generalizes over \(\textsc {IKS}^f_K\) of (5).

5.1 Single Target

Theorem 5

For \(\textsc {OKS}^f_K:\{0,1\}^{*}\times \mathbb {N}\rightarrow \{0,1\}^{\mathbb {N}}\) with \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and permutation \(f\in \mathsf {Perm}(b)\):

$$\begin{aligned} \mathbf {Adv}_{\textsc {OKS}}^{\mathrm {ind[1]}}(M,\mu ,N) \le \frac{M^2}{2^c} + \mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[1]}}(M,\mu ,N). \end{aligned}$$

Proof

The proof follows the one of Theorem 1 with the difference that now we have \(L=\textsc {kd}^f(K)\), and therefore we bound \(\varDelta _\mathcal {B}(E^f_{\hat{L}},f;\pi ,f) \le \mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[1]}}(M,\mu ,N)\). We note that the initial state \(\bar{L}||0^c\) (cf. (7)) has no influence on the proof, and we can assume it to be disclosed to the adversary.   \(\square \)

We now bound the kdPRP security of the Even-Mansour construction in the ideal permutation model.

Theorem 6

For \(E^f_{\hat{L}}\) with \(L=\textsc {kd}^f(K)\) for \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and ideal permutation \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(b)\) we have

$$\begin{aligned} \mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[1]}}(M,\mu ,N) \le \frac{2\mu N}{2^c} + \lambda (N) + \frac{2\left( \frac{k}{r}\right) N}{2^b}, \end{aligned}$$

where \(\lambda (N)\) is a term bounded in Lemma 2.

Proof

The proof follows the one of Theorem 2, where now the key generation function \(\textsc {kd}^f_K\) needs to be taken into account. Adversary \(\mathcal {A}\) has access to \(X=(E^f_{\hat{L}},f)\) in the real world or \(Y=(\pi ,f)\) in the ideal world. To ease the analysis, we will disclose K at the end of the experiment, as well as the evaluations to f corresponding to the evaluation of \(\textsc {kd}^f_K\). These evaluations are written as \(\kappa =\{(k_j,l_j)\}_{j=1}^{v}\). In the ideal world, the key K will simply be a dummy key, and \(\kappa \) corresponds to the evaluation of \(\textsc {kd}^f_K\) for this dummy key. The transcripts are thus of the form \(\tau =(K,\kappa ,\tau _1,\tau _f)\). We denote by \(\alpha \) the number of distinct elements in \(\kappa \) that are not in \(\tau _f\):

$$\begin{aligned} \alpha = \big |\kappa \backslash \tau _f\big |. \end{aligned}$$

Definition of good and bad transcripts. We extend the definition of bad transcripts from Theorem 2 to additionally cover the case \(\kappa \) shows no surprises to \(\mathcal {A}\). Formally, we define a transcript \(\tau \) as bad if one of the following is satisfied:

$$\begin{aligned}&(k_{v},l_{v}) \in \tau _f,\end{aligned}$$
(11)
$$\begin{aligned}&\exists (s,t) \in \tau _1, (x,y) \in \tau _f \text { such that } s\oplus x = 0^r||\hat{L} \vee t\oplus y = 0^r||\hat{L}. \end{aligned}$$
(12)

In the real world, all tuples in a good transcript \((\kappa ,\tau _1,\tau _f)\) consistently define an input-output pair of f. Furthermore, all of the pairs defined by \((\tau _1,\tau _f)\) are unique, but there may be duplicates without contradictions in \((\kappa ,\tau _f)\). In fact, this set contains \(|\tau _f| + \alpha \) unique tuples.

Bounding the probability of bad transcripts in the ideal world. In the ideal world, \((\kappa ,\tau _1,\tau _f)\) is a transcript generated independently of the dummy key \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\). By basic probability theory,

$$\begin{aligned} \Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \le&\;\Pr \left( D_Y \text { satisfies (11)}\right) \,+ \\&\;\Pr \left( D_Y \text { satisfies (12)} \mid D_Y \text { does not satisfy (11)}\right) \\ =&\;\Pr \left( D_Y \text { satisfies (11)} \wedge \alpha =0\right) \,+ \\&\;\Pr \left( D_Y \text { satisfies (11)}\wedge \alpha \ne 0\right) \,+\\&\;\Pr \left( D_Y \text { satisfies (12)} \mid D_Y \text { does not satisfy (11)}\right) . \end{aligned}$$

We define \(\lambda (N)=\Pr \left( D_Y \text { satisfies (11)} \wedge \alpha =0\right) \), a term which is bounded in Lemma 2. For the second probability, “\(D_Y\) satisfies (11) and \(\alpha \ne 0\)” implies the existence of a maximal index \(j\in \{1,\ldots ,v-1\}\) such that \((k_j,l_j)\not \in \tau _f\) but \((k_{j+1},l_{j+1})\in \tau _f\). As the evaluation of f corresponding to \((k_j,l_j)\) is randomly drawn from a set of size at least \(2^b-N-\alpha \), the next evaluation \(k_{j+1}=l_j\oplus (K_{j+1}||0^c)\) happens to be in \(\tau _f\) with probability at most \(\frac{N}{2^b-N-\alpha }\le \frac{2N}{2^b}\), using that \(N+\alpha \le 2^{b-1}\) without loss of generality. Quantification over j gives bound \(\frac{2vN}{2^b}\).

Finally, consider the probability that \(D_Y\) satisfies (12). Conditioned on the fact that (11) is not satisfied, L is randomly generated from a set of size at least \(2^b-N-\alpha \). This particularly means that a given value for \(\hat{L}_i\) has probability at most \(1/(2^c-(N+\alpha )2^{-r})\). A straightforward generalization of the proof of Theorem 2 shows that the second probability is bound by \(\frac{\mu N}{2^c-(N+\alpha )2^{-r}} \le \frac{2\mu N}{2^c}\), again using that \(N+\alpha \le 2^{b-1}\).

Bounding the ratio \({\varvec{\Pr \left( D_X=\tau \right) /\Pr \left( D_Y=\tau \right) }}\) for good transcripts. We have \(|\varOmega _X|=2^k\cdot 2^b!\) and \(|\varOmega _Y|=2^k\cdot (2^b!)^2\) as before. Also, \(|\mathsf {comp}_X(\tau )|=(2^b-M-N-\alpha )!\) by construction. Similarly, we find

$$\begin{aligned} |\mathsf {comp}_Y(\tau )| = (2^b-M)!(2^b-N-\alpha )!\le (2^b-M-N-\alpha )!2^b!, \end{aligned}$$

and the remainder of the proof follows Theorem 2.    \(\square \)

In the pre-proceedings version, \(\lambda (N)\) was inadvertently bounded by \(N/2^k\). A similar event was considered by Gaži et al. [18], and we can use their result. We restate it in Lemma 2.

Lemma 2

[18], Lemma 12 . If \(k=r\), we have \(\lambda (N) \le \dfrac{N}{2^k}\). Otherwise,

$$\begin{aligned} \lambda (N) \le \min \left\{ \frac{N^2}{2^{c+1}} + \frac{N}{2^k},\frac{1}{2^b} + \frac{N}{2^{\left( \frac{1}{2}-\frac{\log _2(3b)}{2r}-\frac{1}{r}\right) k}}\right\} \,. \end{aligned}$$

In the ideal permutation model, the expressions in Theorems 5 and 6 simplify into

$$\begin{aligned} \mathbf {Adv}_{\textsc {OKS}}^{\mathrm {ind[1]}}(M,\mu ,N) \le \frac{M^2 + 2\mu N}{2^c} + \lambda (N) + \frac{2\left( \frac{k}{r}\right) N}{2^b}. \end{aligned}$$

5.2 Multiple Targets

Theorem 7

For \(\textsc {OKS}^f_K:\{0,1\}^{*}\times \mathbb {N}\rightarrow \{0,1\}^{\mathbb {N}}\) with \(K_1, \dots , K_n\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and permutation \(f\in \mathsf {Perm}(b)\):

$$\begin{aligned} \mathbf {Adv}_{\textsc {OKS}}^{\mathrm {ind[n]}}(M_{1},\dots , M_{n}, \mu , N) \le \frac{\sum _h M_h^2}{2^c} + \mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[n]}}(M_{1}, \dots M_{n},\mu ,N). \end{aligned}$$

Proof

The proof is a combination of the ones of Theorems 3 and 5, and therefore omitted.     \(\square \)

We now bound the joint kdPRP security of the Even-Mansour construction in the ideal permutation model.

Theorem 8

For \(E^f_{\hat{L}_h}\) with \(L_h=\textsc {kd}^f(K)\) for \(K_h\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) (\(h=1,\ldots ,n\)) and ideal permutation \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(b)\) we have

$$\begin{aligned} \mathbf {Adv}_{E,\textsc {kd}}^{\mathrm {kdprp[n]}}&(M_{1},\dots , M_{n},\mu ,N) \\&\le \frac{2\mu N}{2^c} + \frac{4\sum _{h\ne h'} M_h M_{h'}}{2^c} + n\lambda (N) + \frac{{n\atopwithdelims ()2}}{2^k} + \frac{2\left( \frac{k}{r}\right) \left( nN + {n\atopwithdelims ()2}\right) }{2^b}, \end{aligned}$$

where \(\lambda (N)\) is a term bounded in Lemma 2.

Proof

The proof combines the ones of Theorems 4 and 6, with the difference that multiple derivated keys are involved. Adversary \(\mathcal {A}\) has access to \(X=(E^f_{\hat{L}_1},\dots ,E^f_{\hat{L}_n},f)\) in the real world or \(Y=(\pi _1,\dots ,\pi _n,f)\) in the ideal world. As before, we will disclose the keys \(K_{1}, \dots K_{n}\) at the end of the experiment, as well as the evaluations to f corresponding to the evaluations of \(\textsc {kd}^f_{K_1},\ldots ,\textsc {kd}^f_{K_n}\). These evaluations are written as \(\kappa _h=\{(k^{(h)}_j,l^{(h)}_j)\}_{j=1}^{v}\). The transcripts are thus of the form \(\tau =(K_1,\ldots ,K_n,\kappa _1,\dots ,\kappa _n,\tau _1,\ldots ,\tau _n,\tau _f)\). We denote by \(\alpha \) the number of distinct elements in \(\cup _h \kappa _h\) that are not in \(\tau _f\):

$$\begin{aligned} \alpha = \big |\cup _h \kappa _h \backslash \tau _f\big |. \end{aligned}$$

Definition of good and bad transcripts. We extend the definition of bad transcripts from Theorem 6 to multiple keys. Formally, we define a transcript \(\tau \) as bad if one of the following is satisfied:

$$\begin{aligned}&\exists h \text { such that } (k^{(h)}_{v},l^{(h)}_{v}) \in \tau _f,\end{aligned}$$
(13)
$$\begin{aligned}&\exists h\ne h' \text { such that }(k^{(h)}_{v},l^{(h)}_{v}) = (k^{(h')}_{v},l^{(h')}_{v}),\end{aligned}$$
(14)
$$\begin{aligned}&\exists h, (s,t) \in \tau _h, (x,y) \in \tau _f \text { such that } s\oplus x = 0^r||\hat{L}_h \vee t\oplus y = 0^r||\hat{L}_h,\end{aligned}$$
(15)
$$\begin{aligned}&\exists h\ne h', (s,t) \in \tau _h, (s',t') \in \tau _{h'} \text { such that }\nonumber \\&\qquad \qquad \qquad \qquad \; s\oplus s' = 0^r||(\hat{L}_h \oplus \hat{L}_{h'}) \vee t\oplus t' = 0^r||(\hat{L}_h \oplus \hat{L}_{h'}). \end{aligned}$$
(16)

The only condition different from the ones in Theorems 4 and 6 is (14), which assures that there are no two distinct evaluations of \(\textsc {kd}\) that produce the same \(\hat{L}\). As before, all query pairs defined by \((\tau _1,\dots ,\tau _n,\tau _f)\) are unique, and \((\kappa _1,\dots ,\kappa _n,\tau _f)\). contains \(|\tau _f| + \alpha \) unique query tuples.

Bounding the probability of bad transcripts in the ideal world. In the ideal world, \((\tau _1,\dots ,\tau _n,\tau _f)\) is a transcript generated independently of the dummy keys \(K_1,\dots ,K_n\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{c}\). By basic probability theory,

$$\begin{aligned} \Pr \left( D_Y\in \mathcal {T}_\mathrm {bad}\right) \le&\;\Pr \left( D_Y \text { satisfies (13)}\right) \,+ \\&\;\Pr \left( D_Y \text { satisfies (15)} \mid D_Y \text { does not satisfy (13)}\right) \,+\\&\;\Pr \left( D_Y \text { satisfies (14)}\right) \,+ \\&\;\Pr \left( D_Y \text { satisfies (16)} \mid D_Y \text { does not satisfy (14)}\right) . \end{aligned}$$

Before reasoning generalized to \(n\) targets shows that the first two probabilities are bounded by \(n\left( \lambda (N)+\frac{2vN}{2^b}\right) \) and \(\frac{2\mu N}{2^c}\), respectively. Using that the keys \(K_h\) are all randomly drawn from a set of size at least \(2^k\), the same reasoning directly shows that the third probability is bounded by \(\frac{{n\atopwithdelims ()2}}{2^k}+\frac{2v{n\atopwithdelims ()2}}{2^b}\). Finally, the fourth probability, that \(D_Y\) satisfies (16), can be analyzed slightly differently from the proof of Theorem 4. More formally, as (14) is not satisfied, \(\hat{L}_h\oplus \hat{L}_{h'}\) has probability at most \(1/(2^c-(N+\alpha )2^{-r})\) for all \(h\ne h'\). This leads to a probability upper bound \(\frac{4\sum _{h\ne h'} M_h M_{h'}}{2^c}\).

Bounding the ratio \({\varvec{\Pr \left( D_X=\tau \right) /\Pr \left( D_Y=\tau \right) }}\) for good transcripts. The analysis is a direct combination of the proofs of Theorems 4 and 6.    \(\square \)

In the ideal permutation model, the expressions in Theorems 7 and 8 simplify into

$$\begin{aligned} \mathbf {Adv}_{\textsc {OKS}}^{\mathrm {ind[n]}}(M_{1},\dots , M_{n},\mu ,N) \le \frac{2M^2 + 2\mu N}{2^c} + n\lambda (N) + \frac{{n\atopwithdelims ()2}}{2^k} + \frac{2\left( \frac{k}{r}\right) \left( nN + {n\atopwithdelims ()2}\right) }{2^b}. \end{aligned}$$

6 Discussion and Conclusions

Our theorems have implications on all keyed-sponge based modes as they impose upper bounds to the success probability for both single-target and multi-target attacks, generic in f. In general, a designer of a cryptographic system has a certain security level in mind, where a security level of s bits implies that it should resist against adversaries with resources for performing an amount of computation equivalent to \(2^s\) executions of f. This security level s determines a lower bound for the choice of the sponge capacity c. The indifferentiability bound of Bertoni et al. [6] gives a bound \(\frac{(M+N)^2}{2^{c+1}}\) resulting in the requirement \(c \ge 2s-1\) bits. For attack complexities that are relevant in practice, our success probability bounds are dominated by \(\frac{\mu N}{2^c}\), combining the time complexity and the multiplicity. This results in the requirement \(c \ge s + \log _2(\mu )\) bits. The designer can use this in its advantage by increasing the rate for higher speed or to take a permutation with smaller width for smaller footprint.

The main advantage of having a dependence on \(\mu \) in the bound is that it makes its application flexible. The proof in this paper remains generic and independent of any use case scenario by considering an adversary who can perform all kinds of queries. Yet, the way a keyed sponge function is used in a concrete protocol can restrict what the attacker can actually do, and the bound follows depending on how these restrictions affect the multiplicity.

In general, \(\mu \) depends on the mode of use and on the ability of the adversary, and a designer that cares about efficiency has the challenge to reliably estimate it. In real-world applications, the amount of data that will be available to an adversary can easily be upper bound due to physical, protocol-level or other restrictions, imposing an upper bound to M. As per definition \(\mu \le 2M\) the value of c can be taken \(c \ge s + \log _2(M) + 1\).

The bound \(\mu \le 2M\) is actually very pessimistic and virtually never reached. The multiplicity is the sum of two components: the forward multiplicity \(\mu _\mathrm {fw}\) and the backward multiplicity \(\mu _\mathrm {bw}\). The latter is determined by the responses of the keyed sponge and even an active attacker has little grip on it. For small rates, it is typically \(M2^{-r}\) multiplied by a small constant.

The forward multiplicity, however, can be manipulated in some settings. An example of such a use case is a very liberal mode of use on top of the duplex construction [8]. At each duplexing call, the adversary can choose the input for the next duplexing call to force the outer part to some fixed value and let \(\mu _\mathrm {fw}\) approach M. The dominating security term then becomes \(\frac{MN}{2^c}\), reducing the requirement to \(c \ge s + \log _2(M)\). However, most modes and attack circumstances do not allow the adversary to increase the forward multiplicity \(\mu _\mathrm {fw}\) beyond a small multiple of \(M2^{-r}\). This is in general the case if the adversary cannot choose the outer values. For instance, for sponge based stream ciphers which output a keystream on input of a nonce: if the total number of output blocks is much smaller than \(2^{r/2}\), we have \(\mu = 2\) with overwhelming probability, reducing the requirement to \(c \ge s+1\). A similar effect occurs in the case of nonce-respecting authenticated encryption scenarios.

Knowing the mode of use and the relevant adversary model, one can often demonstrate an upper bound to the multiplicity. If no sharp bounds can be demonstrated, it may be possible to prove that the multiplicity is only higher than some value \(\mu _{\text {limit}}\) with a very low probability. This probability should then be included in the bound as an additional term.