On the security of the keyed sponge construction

The advantage in differentiating the sponge construction from a random oracle is upper bounded by N22−(c+1), with N the number of calls to the underlying transformation or permutation and c the capacity, resulting in an expected time complexity of N ∼ 2. In this paper we prove that the advantage in distinguishing a keyed sponge from a random oracle is much smaller in typical use cases. In particular, when the data complexity is limited to M ≪ 2, the expected time complexity is about N ∼ min(2/M, 2|K|), with |K| the length of the key. This improvement over the indifferentiability bound allows decreasing the capacity (and thus the permutation width) for a given required security level or achieving a higher security level for a given capacity. This new bound has positive implications for all applications in which a sponge function is used for encryption and/or authentication, or generally in conjunction with a key, including on platforms with limited resources.