Abstract

The Sponge function is known to achieve $2^{c/2}$ security, where $c$ is its capacity. This bound was carried over to its keyed variants, such as SpongeWrap, to achieve a $\min\{2^{c/2}, 2^{\kappa}\}$ security bound, with $\kappa$ the key length. Similarly, many CAESAR competition submissions were designed to comply with the classical $2^{c/2}$ security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of $\min\{2^{b/2}, 2^{c}, 2^{\kappa}\}$, with $b > c$ the permutation size, by proving that the CAESAR submission NORX achieves this bound. The proof relies on rigorous computation of multi-collision probabilities, which may be of independent interest. We additionally derive a generic attack based on multi-collisions that matches the bound. We show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of some of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. We finally consider the remaining one of the three PRIMATEs, APE, and derive a blockwise adaptive attack in the nonce-respecting setting with complexity $2^{c/2}$, thereby demonstrating that the techniques cannot be applied to APE.

Highlights

  • Authenticated encryption schemes, cryptographic functions that aim to simultaneously provide data privacy and integrity, have gained renewed attention in light of the CAESAR competition [25]

  • The main proof in this work concerns NORX mode v1 and v2 [7,8], but we demonstrate its applicability to the CAESAR submissions Ascon v1 and v1.1 [33,34], CBEAM v1

  • We discuss how the mode security proof of NORX generalizes to the CAESAR submissions Ascon, the BLNK mode underlying CBEAM/STRIBOB, ICEPOLE, Keyak (v1 only), and two out of the three PRIMATEs


Summary

Introduction

Authenticated encryption schemes, cryptographic functions that aim to simultaneously provide data privacy and integrity, have gained renewed attention in light of the CAESAR competition [25]. A significant fraction of the CAESAR competition submissions use modes of operation for permutations. Security of the Sponge construction as a hash function follows from the fact that the user can only affect the outer state: adversaries only succeed with significant probability if they make on the order of $2^{c/2}$ permutation queries, as this many are needed to produce an inner-state collision [16]. Keyed versions of the Sponge construction, such as KeyedSponge [20] and SpongeWrap [19], are proven up to a similar bound of $2^{c-a}$ (pseudorandom function security for the former, privacy and authenticity for the latter), assuming a limit of $2^{a}$ on online complexity, but are restricted by the key size $\kappa$ to $2^{\kappa}$.
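The inner-state argument above can be made concrete on a toy Sponge. The following Python is an added example, not code from the paper or from any CAESAR submission; the parameters ($b = 16$, $c = 8$, so $r = 8$ outer bits) and the seeded random permutation standing in for $p$ are choices made here, and padding is omitted because all messages compared have the same block count. It shows the two facts the argument rests on: the adversary only ever writes the $r$ outer bits, and once two single-block messages share an inner state, one extra block per message turns that into a full-state collision and hence a hash collision, after roughly $\sqrt{\pi/2}\cdot 2^{c/2}$ permutation calls.

```python
"""Toy Sponge: an inner-state collision costs about 2^{c/2} queries and
lifts to a full collision.  Added example with toy parameters (b=16, c=8);
the random permutation stands in for the Sponge permutation p."""
import math
import random


def make_permutation(b: int, seed: int) -> list[int]:
    """Random permutation on b-bit states (stand-in for p)."""
    rng = random.Random(seed)
    perm = list(range(1 << b))
    rng.shuffle(perm)
    return perm


def inner(state: int, c: int) -> int:
    """The c inner (capacity) bits: low c bits of the state."""
    return state & ((1 << c) - 1)


def outer(state: int, c: int) -> int:
    """The r = b - c outer (rate) bits: high r bits of the state."""
    return state >> c


def absorb(perm: list[int], b: int, c: int, state: int, block: int) -> int:
    """One absorption: XOR an r-bit block into the outer part only, then apply p.
    The adversary never touches the inner part directly."""
    if not 0 <= block < (1 << (b - c)):
        raise ValueError("block must fit in r = b - c bits")
    return perm[state ^ (block << c)]


def sponge(perm: list[int], b: int, c: int, blocks: list[int], out_blocks: int = 2) -> list[int]:
    """Absorb all blocks from the zero IV, then squeeze out_blocks outer parts.
    No padding: callers compare messages of equal block count."""
    state = 0
    for blk in blocks:
        state = absorb(perm, b, c, state, blk)
    out = []
    for _ in range(out_blocks):
        out.append(outer(state, c))
        state = perm[state]
    return out


def find_inner_collision(perm: list[int], b: int, c: int) -> tuple[int, int, int]:
    """Query p on single-block messages 0, 1, 2, ... until two share an inner state.
    Returns (m1, m2, number of permutation queries used)."""
    seen: dict[int, int] = {}
    for m in range(1 << (b - c)):
        key = inner(absorb(perm, b, c, 0, m), c)
        if key in seen:
            return seen[key], m, m + 1
        seen[key] = m
    raise RuntimeError("no inner collision among all single-block messages")


def lift_to_full_collision(perm, b, c, m1, m2):
    """Inner collision -> full-state collision: append to each message the block
    that zeroes its own outer part.  Inner parts already agree, so the states coincide
    and every later output block is identical."""
    s1 = absorb(perm, b, c, 0, m1)
    s2 = absorb(perm, b, c, 0, m2)
    assert inner(s1, c) == inner(s2, c)
    return [m1, outer(s1, c)], [m2, outer(s2, c)]


def birthday_estimate(c: int) -> float:
    """Expected uniform c-bit samples before the first repeat: sqrt(pi/2 * 2^c)."""
    return math.sqrt(math.pi / 2 * (1 << c))


def mean_queries(b: int, c: int, trials: int) -> float:
    """Average query count to the first inner collision over several permutations."""
    total = 0
    for seed in range(trials):
        total += find_inner_collision(make_permutation(b, seed), b, c)[2]
    return total / trials


if __name__ == "__main__":
    B, C = 16, 8
    perm = make_permutation(B, seed=1)
    m1, m2, q = find_inner_collision(perm, B, C)
    msg1, msg2 = lift_to_full_collision(perm, B, C, m1, m2)
    print(f"inner collision after {q} queries (birthday estimate {birthday_estimate(C):.1f})")
    print(f"{msg1} and {msg2} both hash to {sponge(perm, B, C, msg1)}")
    print(f"mean queries over 50 permutations: {mean_queries(B, C, 50):.1f}")
```

Raising $c$ by two bits doubles the mean query count while $r$ is irrelevant to it, which is exactly why the classical bound depends on the capacity alone; the keyed setting analysed in this paper differs because the adversary no longer sees the outer state of the permutation outputs freely.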

Beyond Conventional Security
Tightness of the Result
Publication History and Subsequent Work
Outline
Security Model
Multi-Collisions
Lambert W Function
Bounding Multi-Collision Probability
Privacy of NORX
Authenticity of NORX
Tightness of the Bound
Target Structure
Distinguishing Attacks via Key Recovery
Attack Evaluation
Distinguishing Attacks Without Key Recovery
Other CAESAR Submissions
ICEPOLE
PRIMATEs
Conclusions