Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption

Transcription

1 Secuty of Full-State Keyed Sponge and uplex: Applcatons to Authentcated Encypton Bat Mennnk 1 Reza Reyhantaba 2 aman Vzá 2 1 ept. Electcal Engneeng, ESAT/COSIC, KU Leuven, and Mnds, Belgum bat.mennnk@esat.kuleuven.be 2 EPFL, Lausanne, Swtzeland {eza.eyhantaba,daman.vza}@epfl.ch Abstact. We povde a secuty analyss fo full-state keyed Sponge and full-state uplex constuctons. Ou esults can be used fo makng a lage class of Sponge-based authentcated encypton schemes moe effcent by concuent absopton of assocated data and message blocks. In patcula, we ntoduce and analyze a new vaant of SpongeWap wth almost fee authentcaton of assocated data. The dea of usng full-state message absopton fo hghe effcency was fst made explct n the onkey Sponge MAC constucton, but wthout any fomal secuty poof. Recently, Gaž, Petzak and Tessao (CRYPTO 2015) have povded a poof fo the fxed-output-length vaant of onkey Sponge. Yasuda and Sasak (CT-RSA 2015) have consdeed patally full-state Sponge-based authentcated encypton schemes fo effcent ncopoaton of assocated data. In ths wok, we unfy, smplfy, and genealze these esults about the secuty and applcablty of full-state keyed Sponge and uplex constuctons; n patcula, fo desgnng moe effcent authentcated encypton schemes. Compaed to the poof of Gaž et al., ou analyss dectly tagets the ognal onkey Sponge constucton as an abtay-output-length functon. Ou teatment s also moe geneal than that of Yasuda and Sasak, whle yeldng a moe effcent authentcated encypton mode fo the case that assocated data mght be longe than messages. Keywods: Sponge constucton, uplex constucton, full-state absopton, authentcated encypton, assocated data. 1 Intoducton Snce ts ntoducton, the Sponge constucton by Beton, aemen, Peetes and Van Assche [4] has faced an mmense ncease n populaty. As smple hash functon mode, t s the fundament of the SHA-3 standad Keccak [5], but also ts keyed vaants have become vey popula modes of opeaton fo a pemutaton to buld a wde spectum of symmetc-key pmtves: eseedable pseudoandom numbe geneatos [7], pseudoandom functons and message authentcaton codes (PRFs/MACs) [9, 11], Extendable-Output Functons ( XOFs ) [24] and authentcated encypton (AE) modes [10,11]. The keyed Sponge pncple also got adopted n Sptz, a new RC4-lke steam cphe [26], and n 10 out of 57 submssons to the cuently unnng CAESAR competton on authentcated encypton [1, 3]. These use cases enfoce the fact that Sponge-based constuctons wll contnue to play an mpotant ole, not only n the new hashng standad SHA-3, but n vaous next-geneaton cyptogaphc algothms. The classcal Sponge constucton conssts of a sequental applcaton of a pemutaton p on a state of b bts. Ths state s pattoned nto an -bt ate o oute pat and a c-bt capacty o nne pat, whee b = + c. In the absopton phase, message blocks of sze bts ae absobed by the oute pat and the state s tansfomed usng p, whle n the squeezng phase, dgests ae extacted fom the oute pat bts at a tme. In the ndffeentablty famewok of Maue, Renne and Holensten [20], Beton et al. [6] poved that the Sponge constucton s secue up to the O(2 c/2 ) bthday-type bound. The capacty pat s left untouched thoughout the evaluaton of the Sponge constucton: a volaton of ths paadgm would make the ndffeentablty secuty esult vod. In ths wok, we stve fo optmalty, and nvestgate the most effcent ways of usng Sponges fo message authentcaton and authentcated encypton n a povably secue manne. In both

2 dectons, we consde a genealzaton of the cuently known schemes to full-state absopton, the most effcent usage of the undelyng pemutaton, and we show that these schemes ae secue. ue to the full-state absopton, we cannot anymoe ely on the classcal ndffeentablty esult of the Sponge (as was fo nstance done n [2,10]), and a new secuty analyss s equed. We wll elaboate on both dectons n the followng. Message Authentcaton. Beton et al. [9] ntoduced the keyed Sponge as a smple evaluaton of the Sponge functon on the key and the message, Sponge(K M), and poved secuty beyond O(2 c/2 ). Chang et al. consdeed a slght vaant of the keyed Sponge whee the key s pocessed n the nne pat of the Sponge, and obseved that t can be seen as the Sponge based on an Even- Mansou blockcphe. At FSE 2015, Andeeva, aemen, Mennnk and Van Assche [2] consdeed a genec and mpoved analyss of both the oute- and nne-keyed Sponge. So fa, howeve, these constuctons have only been consdeed wth the classcal -bt absopton. The dea of usng full-state message absopton fo achevng hghe effcency was fst made explct n the onkey Sponge MAC constucton [11], 3 but wthout any fomal secuty poof. The ecently ntoduced onkey-nsped MAC functon Chaskey [22] dd get a fomal secuty analyss, but ts poof s thwated towads Chaskey and does not apply to the onkey Sponge. A thoough analyss of the full-state message absopton keyed Sponge had to wat fo Gaž, Petzak and Tessao [17], who pove nealy tght secuty up to O(lq(q +N)/2 b +q(q +l+n)/2 c ), whee the advesay makes q quees of maxmal length l, and makes N pmtve calls. Howeve, the analyss only apples to the fxed-output-length vaant, and the poof does not dectly seem to extend to the ognal abtay-output-length keyed Sponge. In ths wok, we povde a dect poof fo ths moe geneal case. In moe detal, we pesent a genealzed scheme, dubbed Full-state Keyed Sponge (FKS), whose secuty mples the secuty of onkey Sponge n the deal pemutaton settng, and pove that t s secue up to appoxmately 2(ql)2 + 2q2 l 2 b 2 + μn, whee k s the sze of the key, and μ s a paamete c 2 k called the multplcty. We note that usage of the oute-keyed Sponge makes no longe any dffeence fom the usage of the nne-keyed vaant n the pesence of full-state absopton (see also Sect. 8). Ou poof of FKS follows the modula appoach of Andeeva et al., but due to the full-state absopton, we cannot ely on the ndffeentablty esult of [6], and pesent a new and moe detaled analyss. Authentcated Encypton. Encypton va the Sponge can be done (and s typcally done) va the uplex constucton [10], a stateful constucton consstng of an ntalzaton nteface and a duplexng nteface. The ntalzaton nteface can be called to ntalze an all-zeo state; the duplexng nteface absobs a message of sze < bts and squeezes bts of the oute pat. The secuty of the uplex taces back to the ndffeentablty of the classcal Sponge, yeldng a O(2 c/2 ) secuty bound. Beton et al. [10] showed that the uplex, n tun, allows fo authentcated encypton n the fom of SpongeWap. Ths mode s, de facto, the bass of the majoty of Sponge-based submssons to the CAESAR competton. Jovanovc et al. [18] e-nvestgated Sponge-based authentcated encypton schemes, stang NORX, and deved beyond bthday-bound secuty. These esults ae, howeve, all fo the usual -bt absopton. Yasuda and Sasak [27] have consdeed seveal full-state and patally full-state Sponge-based authentcated encypton schemes fo effcent ncopoaton of assocated data, dectly lftng Jovanovc et al. s secuty poofs. The concuent absopton mode poposed by Yasuda and Sasak (Fg. 3 n [27]) fals to utlze the full-state absopton when the assocated data becomes longe than the message, focng the mode swtch fom a full-state mode to the classcal -bt absobng Sponge mode; hence, we efe to ths as a patally full-state AE mode. Full-state data absopton was also poposed by Reyhantaba, Vaudenay and Vzá [25] n the compesson functon based AE mode p-om. We genecally am to optmze the effcency n Sponge-based authentcated encypton. To ths end, we fst fomalze the Full-state Keyed uplex (FK) constucton. It dffes fom the 3 We note that apat fom full-state absopton, the onkey Sponge also uses less ounds n the undelyng pemutaton dung the absobng phase. 2

3 ognal uplex n the fact that () the key s explctly used to ntalze the state (In ths, the FK s smla to the Monkey uplex [11]) and () the absopton s pefomed on the ente state. Note that the possblty to absob n the ente state enfoces the explct usage of the key. Next, we pove that FK s povably secue,.e., ndstngushable fom a andom oacle wth the same ntefaces. As befoe, we cannot ely on the classcal ndffeentablty poof due to the full-state absopton; howeve, we show how to adapt the FKS poof to a specal case dectly elated to the secuty of FK. We exemplfy the bette absopton capabltes of FK by the ntoducton of a Full-state SpongeWap (FSW). The FSW constucton s moe geneal than that of Yasuda and Sasak, who only consdeed specfc AE constuctons, and nteestngly, ou appoach also yelds a moe effcent (tuly full-state) authentcated encypton mode espectve of the elatve lengths of messages and the assocated data. Oganzaton of the Pape. Notatons and pelmnay concepts ae pesented n Sect. 2. We pesent the Full-state Keyed Sponge and Full-state Keyed uplex n Sect. 3. The secuty model s dscussed n Sect. 4. In Sect. 5 we pove secuty of FKS and n Sect. 6 of FK. The ntoducton of the Full-state SpongeWap, and the applcaton of FK to ths constucton s gven n Sect. 7. Sect. 8 povdes a bef dscusson on elated-key secuty and ou secuty models. 2 Notatons and Conventons The set of all stngs of length b s denoted as {0, 1} b fo any b 1 and the set of all fnte stngs of abtay length s denoted as {0, 1} *. We wll denote the empty stng of length 0 as ε. Fo any postve b, we let {0, 1} <b = b 1 =0 {0, 1} denote set of all stngs of length less than b ncludng ε. Fo two stngs X, Y {0, 1} * we let X Y denote the stng obtaned by concatenaton of X and Y. Fo a stng X {0, 1} x we let left l (X) denote the l leftmost bts of X and ght (X) the ghtmost bts of X such that X = left χ (X) ght x χ (X) fo any 0 χ x. Fo ntegal b,, c such that b = + c, and fo t {0, 1} b, we let oute (t) = left (t) and nne (t) = ght c (t). Fo a non-empty fnte set S let a $ S denote samplng an element a fom S unfomly at andom. We let Z denote the cadnalty f Z s a set and the length f Z s a stng. We let Pem (b) denote the set of all pemutatons of b-bt stngs and Func (b) the set of all functons ove b-bt stngs. Gven two stngs X, Y, let llcp b (X, Y ) = max 0 { : left b (X) = left b (Y )} denote the length of the longest common pefx between X and Y n b-bt blocks. Fo a stng X and a non-empty set of stngs {Y 1,..., Y n } let llcp b (X; Y 1,..., Y n ) = max {llcp b (X, Y 1 ),..., llcp b (X, Y n )}. Fo any two pas of nteges (, j), (, j ), we say that (, j ) < (, j) f ethe < o f = and j < j. We say that (, j ) (, j) f (, j ) < (, j) o f (, j ) = (, j). In othe wods, we use lexcogaphcal odeng to detemne odeng of ntege-tuples. 3 Sponge Constuctons 3.1 Full-State Keyed Sponge We consde the Full-state Keyed Sponge (FKS) constucton that s usng a publc pemutaton p : {0, 1} b {0, 1} b. It s futhemoe paametezed wth, k, whch ae equed to satsfy < b and k b =: c. The paametzaton s sometmes left mplct f t s clea fom the context. 3

4 M pad b Z left z M 1 M 2 M m Z 1 Z z/ 1 Z z/ c 0 b k K b p p p p p c Fg. 1: The FKS constucton. FKS gets as nput a key K {0, 1} k, a message M {0, 1} *, and a natual numbe z, and t outputs a stng Z {0, 1} z : FKS p (K, M, z) = FKS p K (M, z) = Z. It opeates on a state t {0, 1} b, whch s ntalzed usng the key K. The message M s fst padded to a length a multple of b bts, usng pad b (M) = M 10 b 1 M mod b, whch s then vewed as m b-bt message blocks M 1... M m. 4 These message blocks ae pocessed one-by-one, nteleaved wth evaluatons of p. Afte the absopton of M, the oute bts of the state ae output and the state s pocessed va p untl a suffcent amount of output bts ae obtaned. FKS s depcted n Fg. 1, and Algo. 1 povdes a fomal specfcaton of FKS. Algothm 1 FKS[p,, k](k, M, z) 1: t 0 b k K 2: M 1 M m b pad b (M) 3: fo = 1,..., m do 4: s t M 5: t p(s) 6: Z left (t) 7: whle Z < z do 8: t p(t) 9: Z Z left (t) 10: etun left z (Z) Algothm 2 FK[p,, k] 1: Inteface FK.ntalze(K) 2: t 0 b k K 1: Inteface FK.duplexng(M, z) 2: f z > o M b then 3: etun 4: s t pad b (M) 5: t p(s) 6: etun left z (t) 3.2 Full-State Keyed uplex We pesent the Full-state Keyed uplex (FK) constucton, a genealzaton of the uplex of Beton et al. [8,10]. FK s also paametezed by a publc pemutaton p : {0, 1} b {0, 1} b and values, k, whch ae equed to satsfy < b and k b =: c. Agan, the paametzaton s sometmes left mplct f clea fom the context. An nstance of FK, denoted by, conssts of two ntefaces:.ntalze and.duplexng..ntalze gets as nput a key K {0, 1} k and outputs nothng, whle.duplexng gets as nput a message M {0, 1} <b and a natual numbe z, and t outputs a stng Z {0, 1} z. FK s depcted n Fg. 2, and the fomal specfcaton s gven n Algo. 2. FK s a genealzaton of FKS whee.ntalze s used to ntalze the state, and messages ae absobed nto the state and/o dgests ae squeezed out of the state usng.duplexng calls. 4 In fact, any njectve paddng functon woks, as long as the last block s always non-zeo. 4

5 : z M 1 Z 1 M 2 Z 2 M m Z m pad b leftz 1 pad b leftz 2 pad b leftzm c K 0 b k p p p ntalze duplexng duplexng duplexng Fg. 2: The FK constucton. 4 Secuty Models and Tools Multplcty. Let {(x, y )} σ =1 be a set of σ evaluatons of a pemutaton p. Followng Andeeva et al. [2], we defne the total maxmal multplcty as μ = μ fwd + μ bwd, whee μ fwd = max { {1,..., σ} : oute (x ) = a}, a μ bwd = max { {1,..., σ} : oute (y ) = a}. a The multplcty s a quantty that chaacteses the data that ae avalable to the advesay dung the attack. We have 2 μ 2σ pe defnton, howeve the uppe bound 2σ s neve eached n pactcal applcatons of sponge-based constuctons. Beng a sum of fowad and backwad multplctes, the total multplcty can be seen as a measue of advesay s ablty to contol the oute pat of the pemutaton nputs and outputs espectvely. In case of sponge-based desgns, the backwad multplcty can be expected to be appoxmately σ2 whle the fowad multplcty vaes wth concete applcatons [2]. 4.1 Advesaes and Patan s Coeffcent-H Technque We consde an nfomaton-theoetc advesay A that has access to one o moe oacles X; ths s denoted bya X and the notaton A X 1 means that A, afte nteacton wth X, etuns 1. It s a classcal fact (fo a smple poof see [14]) that n the nfomaton-theoetc settng, advesaes can be assumed to be detemnstc wthout loss of genealty. We use Patan s Coeffcent-H technque [23]; moe pecsely, a evsted fomulaton of t by Chen and Stenbege [14]. Consde a detemnstc nfomaton-theoetc advesay A whose goal s to dstngush two oacles X and Y : [ ] [ Δ A (X; Y ) = P A X 1 P A Y 1]. Hee, X and Y ae andomzed algothms; the andomzaton depends on the specfc scenao and fo now s left mplct. The nteacton wth any of the two systems X o Y s summazed n a tanscpt τ. enote by X the pobablty dstbuton of tanscpts when nteactng wth X, and smlaly, Y the dstbuton of tanscpts when nteactng wth Y. A tanscpt τ s called attanable f P [ Y = τ] > 0, meanng that t can occu dung nteacton wth Y. enote by T the set of all attanable tanscpts. The Coeffcent-H technque states the followng, fo the poof of whch we efe to [14]. Lemma 1 (Coeffcent-H Technque [14, 23]). Consde a fxed detemnstc advesay A. Let T = T good T bad be a patton nto good tanscpts T good and bad tanscpts T bad. If thee exsts an ε such that fo all τ T good, P [ X = τ] P [ Y = τ] 1 ε, 5

6 then, Δ A (X; Y ) ε + P [ Y T bad ]. The two pattons of T ae labeled as T good and T bad to ad the ntutveness of the poof. The tanscpts n T good ae good n the sense that they gve us a hgh value of P [ X = τ]/p [ Y = τ] and thus small ε whle the bad tanscpts fom T bad fal to do so. 4.2 Secuty Models fo FKS and FK Let RO : {0, 1} * {0, 1} be a andom oacle whch takes nputs of abtay but fnte length and etuns andom nfnte stngs, whee each output bt s selected unfomly and ndependently fo evey nput M. Let F be ethe FKS o FK, whch s based on a pemutaton p : {0, 1} b {0, 1} b and a key K {0, 1} k. We wll defne the secuty of F n two settngs: the publc pemutaton settng, whee the advesay has quey access to the pemutaton (secuty comes fom the sececy of K), and the secet pemutaton settng (wth no explct key K), whee the advesay has no access to the undelyng pemutaton and the secuty comes fom the sececy of the pemutaton. We use the notatons F p K and F 0 π to efe to the publc pemutaton and secet pemutaton based schemes, espectvely; whee, π s a secet andom pemutaton. In both settngs, we consde an advesay that ams to dstngush the eal F fom an deal (efeence) pmtve an oacle RO wth the same nteface. Fo F = FKS the coespondng deal pmtve RO s defned by RO FKS (M, z) = left z (RO (M)). Fo F = FK the coespondng efeence pmtve RO FK s a stateful oacle wth two ntefaces: (1) RO FK.ntalze() that ntalzes the state of the oacle, St, to the empty stng, and (2) RO FK.duplexng(M, z) that, on nput M {0, 1} <b and a natual numbe z, fst updates the state as St St pad b (M) and then outputs left z (RO (St)). We defne the dstngushng advantage of any advesay A aganst F based on a publc pemutaton by Adv nd ] P F [ K p,p(a) = $ {0, 1} k, p $ Pem (b) : A F p K,p,p 1 1 K [ P p $ Pem (b) : A RO,p,p 1 1]. The dstngushng advantage of A aganst F based on a secet pemutaton s defned by [ ] [ Adv nd P F (A) = π $ Pem (b) : A F π 0 π 0 1 P A RO 1]. The esouce paametezed advantage functons ae defned as usual. Let Adv nd F p,p(q, l, μ, N) = max A Adv nd F p,p(a) be the maxmum advantage ove all advesaes that K K make q quees to the left oacle, all of maxmal length l pemutaton calls f F = FKS o that make at most q ntalze() calls to the left oacle and ssue at most l duplexng quees afte each ntalzaton f F = FK wth total maxmal multplcty μ n both cases, and that make N dect quees to the publc pemutaton. To smplfy the analyss, we assume that each of the q oacle quees n fact conssts of exactly l pemutaton (o that the advesay ndeed makes l duplexng calls afte each ntalzaton). Ths s wthout loss of genealty, t can smply be acheved by gvng exta squeezng outputs to the advesay. Smlaly, we defne Adv nd F (q, l, μ) = max 0 π A Adv nd F (A), 0 π notcng that n ths case N = 0, thus t s omtted fom the esouces. 4.3 Secuty Model fo Even-Mansou Ou poof eles on a educton to the secuty of a low-entopy sngle-key Even-Mansou constucton [15, 16]. In moe detal, let p : {0, 1} b {0, 1} b be a pemutaton and K {0, 1} k be a key. The Even-Mansou blockcphe s defned as E p K (M) = p(m (0b k K)) (0 b k K). 6

7 We defne the dstngushng advantage of any advesay A aganst E based on a publc pemutaton p as Adv pp ] P [ K E p,p(a) = $ {0, 1} k, p $ Pem (b) : A Ep K,p,p 1 1 K [ P π, p $ Pem (b) : A π,p,p 1 1]. Let Adv pp E p,p(q, μ, N) = max A Adv pp E p,p(a) be the maxmum advantage ove all advesaes that K K make q quees to the left oacle, wth total maxmal multplcty μ, and that make N dect quees to the publc pemutaton. 5 Secuty Analyss of FKS We pove the followng esult fo FKS: Theoem 1. Let b,, c, k > 0 be such that b = +c and k c. Let FKS be the scheme of Sect Then, Adv nd 2(ql)2 FKS p,p(q, l, μ, N) K 2 b + 2q2 l 2 c + μn 2 k. The poof follows to a cetan extent the modula appoach of [2], and n patcula also uses the obsevaton that FKS p K can altenatvely be consdeed as FKSEp K 0, a cleve obsevaton used befoe by Chang et al. [13]. Note that ths obsevaton only woks fo k c: t conssts of xong two dummy keys K K n-between evey two adjacent pemutaton calls, and f k > c ths would ental a dffeence n the squeezng blocks of FKS. Ths tck splts the secuty of FKS p K nto the secuty of the Even-Mansou blockcphe and the secuty of FKS wth secet pmtve. Lookng back at [2], the secuty of Inne-keyed Sponge/Oute-keyed Sponge [2] wth secet pemutatons was smply eveted to the classcal ndffeentablty esult of [6]. Because ths s a athe loose appoach, and addtonally because the ndffeentablty bound cannot be used fo FKS due to ts full-state absopton, we consde the secuty of FKS wth secet pmtve n moe detal and deve an mpoved bound. Poof (Poof of Theoem 1). Consde any advesay A wth esouces (q, l, μ, N). Note that FKS p K = FKSEp K 0. Theefoe, by a modula agument, Adv nd FKS p K,p(A) = Δ A ( FKS Ep K 0, p; RO FKS, p Δ B (FKS π 0, p; RO FKS, p) + Δ C (E p K, p; π, p) = Adv nd FKS (B) + π Advpp 0 E p,p(c) K fo some advesay B wth esouces (q, l, μ) and advesay C wth esouces (ql, μ, N). Note that B also has access to p, but quees to ths oacle ae meanngless as ts left oacle (FKS π 0 o RO FKS ) s ndependent of p. In [2], t s poven that Adv pp μn E p,p(c) fo any C. In Lem. 2, we pove that Adv nd 2 K k FKS (B) π 0 2(ql) 2 + 2q2 l 2 b 2 fo any advesay B. c Lemma 2. Let b,, c > 0 be such that b = + c. Let FKS be the scheme of Sect Then, Adv nd 2(ql)2 FKS (q, l, μ) π 0 2 b + 2q2 l 2 c. ) 7

8 Poof. Gven that the paddng s publcly known and njectve, we can genealze the settng, and assume that the th quey M has length dvsble by b and that M m 0 b,.e. we assume that all the quees ae aleady padded. Moe detaled, fo 1 q, we let m = M /b and M = M 1 M 2 m... M s.t. M j = b fo 1 j m. We futhe assume, that the advesay always asks fo output of length dvsble by and that evey quey nduces exactly l pmtve calls. Ths s wthout loss of genealty: we can smply output fee bts to the advesay. We wll denote the b-bt state of FKS just befoe the j th applcaton of π s made when pocessng the th quey as s j fo 1 j l. Smlaly, we wll denote the b-bt state of FKS just afte the jth applcaton of π n th quey as t j fo 1 j l. We wll call the fome n-states and the latte out-states. Note that evey n-state s j s detemned by the out-state tj 1 and the block of quey M j as s j = tj 1 M j n the absobng phase o just by t j n the squeezng phase as depcted n Fg. 3. M 1 M 2 M m 1 M m Z 1 Z 2 Z l m +1 0 b π π π π π π s 1 t 1 s 2 t 2 s m 1 s m t m 1 s m +1 t m t m +1 s l t l s l+1 Fg. 3: Pocessng the th quey. To ad the smplcty of futhe analyss we addtonally defne ntal dummy out-states t 0 = 0b and extended quees M = M 0 (l m)b fo 1 q. Now we can expess evey n-state, be t absobng o squeezng, as s j = t j 1 M j. We wll goup the out-states of th quey as T = {t 0, t1,..., tl }. Because each quey nduces exactly l calls to π, we know that a quey M wll be answeed by a stng Z = Z 1 (... Zz ) wth z = l m + 1 and Z j = fo 1 j z. In patcula, we have that Z j = oute t m+j 1. The RP-RF Swtch. We stat by eplacng the andom pemutaton π $ Pem (b) by a andom functon f $ Func (b) n the expement. Ths wll contbute the tem (ql) 2 /2 b to the fnal bound by a standad hybd agument so we have Adv nd FKS (q, l, μ) π Advnd (q, l, μ) + (ql) 2 /2 b. 0 FKS f 0 Patan s Coeffcent-H Technque. We wll use the coeffcent-h technque to show that (q, l, μ) (ql) 2 /2 b + 2q 2 l/2 c. The two systems an advesay s tyng to dstngush ae Adv nd FKS f 0 FKS f 0 and RO FKS. We wll efe to the fome as X and to the latte as Y. In ethe of the wolds, the advesay makes q quees M 1,..., M q and leans the esponses Z 1,..., Z q. The tanston fom quees M to M s njectve, and addtonally the length m of M s mplct fom M. Theefoe, we can summaze the nteacton of the advesay wth ts oacle (X o Y ) wth a tanscpt ( M 1,..., M q, Z 1,..., Z q ). To facltate the analyss, we wll dsclose addtonal nfomaton T 1,..., T q to the advesay at the end of the expement. In the eal wold, these ae the out-states T = {t 0, t1,..., tl } as dscussed n the begnnng of the poof. In the deal wold, these ae dummy vaables that satsfy the followng ntnsc popetes of the Sponge constucton: 1. t 0 = 0b fo 1 q, 8

9 ( 2. f llcp b M, M ) = n fo 1, q then t j = tj ( ) fo 1 j n, 3. oute = Z j fo 1 q and 1 j z, t j+m 1 but ae pefectly andom othewse. Note that n both wolds, Z 1,..., Z q ae fully detemned by T 1,..., T q, so we can dop them fom the tanscpt. Thus a tanscpt of advesay s nteacton wth FKS wll be τ = ( M 1,..., M q, T 1,..., T q ). Wth espect to Lem. 1, we wll show that thee exsts a defnton of bad tanscpts T bad, such that P [ X = τ] / P [ Y = τ] = 1 fo any τ T good = T T bad, and thus Adv nd (q, l, μ) FKS f 0 P [ Y T bad ]. efnton of a Bad Tanscpt. Stated fomally, a tanscpt τ s labeled as bad f (1, 1) (, j), (, j ) (q, l) such that: j j llcp b ( M, M ) < j = j l, t j 1 M j = 1 tj j M. Ths fomalzaton of a bad tanscpt comes wth an ntutve, nfomal ntepetaton; as long as all elevant nputs s j = tj 1 M j to the andom functon f nduced by the Sponge functon ae dstnct the output of the Sponge wll be dstbuted unfomly. We do not eque unqueness of all n-states because the advesay can tvally foce the epetton by ssung quees wth common pefxes, as we have agued eale. ( Howeve these collsons ae not a poblem because unqueness of the quees mples that llcp b M, M ) < max{m, m } fo any two quees M, M. Even f the advesay tuncates an old quey and thus foces an old absobng n-state s to be squeezed fo output, t s stll not a poblem because the advesay has not seen the mage f(s) befoe. Note that albet n-states do not exst n the deal wold, they can be defned by the same elaton as n the eal wold,.e. s j = tj 1 M j. Boundng the Rato of Pobabltes of Good Tanscpts. In the deal wold, the outstates {t 0 }q =0 ae always assgned a value tvally. Besde that, we wll also tvally assgn a sngle andomly sampled value to multple state vaables, that ae affected by the common pefxes of the quees. The emanng out-states ae sampled unfomly at andom. It follows that thee ae exactly η(τ) = q =1 l llcp b (M ; M 1,..., M 1 ) b-bt values n any tanscpt τ, that ae sampled ndependently and unfomly. We thus have P [ Y = τ] = 2 η(τ)b fo any τ. Let Ω X be the set of all possble eal-wold oacles. We have that Ω X = 2 b2b. Let comp X (τ) Ω X be the set of all oacles compatble wth the tanscpt τ,.e. the set of the eal-wold oacles that ae capable of poducng τ n an expement. We wll compute the pobablty of seeng τ n the eal wold as P [ X = τ] = comp X (τ) / Ω X. Note that a eal-wold oacle s completely detemned by the undelyng functon f. If τ T good, then evey n-state s j = tj 1 M j n-state s j j and M that does not tvally collde wth some othe due to common pefx of j M must be dstnct. The numbe of doman ponts of f that have an mage assgned by τ s easly seen to be η(τ) = q =1 l llcp b (M ; M 1,..., M 1 ). A compatble functon f can theefoe have abtay mage values on the emanng 2 b η(τ) doman ponts. Thus we compute comp X (τ) = 2 b(2b η(τ)) and P [ X = τ] = comp X (τ) Ω X (1) b η(τ)) = 2b(2 = 2 η(τ)b = P [ Y = τ]. 2 b2b Boundng the Pobablty of a Bad Tanscpt n the Ideal Wold. We can bound the pobablty of τ beng bad (cf. (1)) by fst boundng the collson pobablty of an abtay but fxed pa of n-states s j, sj (.e. the event sj = sj occus) and then summng ths pobablty fo all possble values of (, j), (, j ) wth (, j ) (, j). Because ths pobablty vaes sgnfcantly, we wll splt all n-states nto thee classes and bound pobabltes of ndvdual collsons between these classes. 9

10 We ( wll assocate to each n-state s j a label stamp j. We set stampj = fee f 1 < j = llcp b M ; M 1,..., M ) 1 +1 m such that m * < j fo some * <. We wll set stamp 1 = ntal fo 1 q and stamp j = fxed ( n the ) emanng cases. Infomally, we have stampj = fee wheneve the advesay foces oute = Z j m * 1 by eusng exactly fst j 1 blocks of * t j 1 a pevous quey M * ( ) n M ( and sets M j M j = * 0b. By dong ths, t feely but non-tvally chooses oute s j = oute s j * M j * M ) j. Note that f the advesay puts M j = M j *, ths s not counted as a fee state (the states wll n fact be the same). We have stamp j = ntal fo the ntal n-state of evey quey. As the condton (1) s symmetcal w..t. (, j) and (, j ), and as t cannot be satsfed f (, j) = (, j ), t can be ephased as (1, 1) (, j ) < (, j) (q, l) such that: ( llcp b M ; M 1,..., M ) 1 < j l, s j = sj. (2) ong so s wthout loss of genealty, as each s j wth j llcp b ( M ; M 1,..., M 1 ) s dentcal wth some pevous state that has aleady been checked fo collsons wth s j fo evey possble (, j ). In the futhe analyss, we wll be wokng wth (2) athe than wth (1). We wll now bound the pobablty of collson of an abtay pa of n-states (s j, sj ) = (t j 1 M j, 1 tj j M ) wth stampj = fxed. We fx abtay and nvestgate the followng thee cases fo j. In each case we teat evey (, j ) < (, j). Case 1: llcp b ( M ; M 1,..., M 1 ) + 1 < j m. In ths case, t j 1 s undetemned when the advesay ssues the quey M. Ths mples that t wll be ndependent fom all t j 1 (, j ) < (, j). The pobablty of the collson t j 1 M j = t j 1 2 b. j M Case 2: max { ( ) } llcp b M ; M 1,..., M 1 + 1, m < j l. Hee t j 1 ( ) nne Z j m t j 1 = fo any s easly seen to be and M j = 0 b. Although the advesay leans the value of Z j m dung the expement, ths s ndependent of all s j wth (, j ) < (, j) (because j + 1 > ( llcp b M ; M 1,..., M ) ( ) 1 ). Even f stamp j {fee, ntal} and oute s j = α fo some ( ) ) value α chosen by the advesay, the collson Z j m nne t j 1 = α nne ( s j happens wth pobablty ( 2 b. ) ( Case 3: j = llcp b M ; M 1,..., M If j = llcpb M, M ) + 1, the n-state s j =j, call t a twn-state of s j, cannot collde wth sj, as by the second tval popety tj 1 = t j 1 ( and by j 1 = llcp b M, M ) we have j M M j. Note that f thee was an * < wth ( m * llcp b M, M *) = j 1 and j m then we would have stamp j = fee. Howeve f we had the same stuaton but wth j > m then M and M ( ) * would be dentcal. So oute t j 1 has not been set and evealed to the advesay by any pevous output value and fo any non-twn, n-state s j, the pobablty of collson s at most 2 b by a smla agument as n Case 1. Thee ae no moe than ql choces fo (, j) and no moe than ql possble (, j ) fo evey (, j) so the oveall pobablty that the condton (2) wll be evaluated due to a pa of n-states wth stamp j = fxed s at most (ql)2 /2 b. ) ( ) If stamp j ( s = fee then oute j s unde advesay s contol. Howeve the value of nne t j 1 s always geneated at the end of the expement. By a case analyss smla to the pevous one we can vefy that the pobablty of a collson due to a pa of n-states wth stamp j = fee s not bgge than 2 c. It s appaent fom the defnton of a fee n-state that thee s at most one such n-state fo each quey. Havng ql n-states n total, thee ae at most q(ql) pas wth stamp j = fee and the pobablty of τ T bad due to such a pa s at most q 2 l/2 c. 10

11 If stamp j = ntal then sj cannot non-tvally collde wth any othe ntal n-state. A collson wth a non-ntal state s j mples that 1 tj j = M M 1. If j > m o f thee s some ( M * wth m * < j <= llcp b M, M ) ) * + 1, then oute ( t j 1 s known to the advesay. Howeve ( ) nne s always geneated at the end of the expement. By a case analyss smla to the t j 1 occus wth pobablty no one we caed out eale, t can be vefed that the collson s 1 = sj bgge than 2 c. Thee s exactly one ntal n-state n each quey, so smlaly as wth the fee n-states, the oveall pobablty of a tanscpt beng bad due to a pa wth an ntal n-state s at most q 2 l/2 c. By summng all the patal collson pobabltes we obtan that P [ Y T bad ] (ql) 2 /2 b + 2q 2 l/2 c. 6 Secuty Analyss of FK Fo FK, we pove the followng esult: Theoem 2. Let b,, c, k > 0 be such that b = + c and k c. Let FK be the scheme of Sect Then, Adv nd (ql)2 FK p,p(q, l, μ, N) K 2 b + (ql)2 2 c + μn 2 k. The poof uses Lem. 3 to tansfom a FK advesay nto an FKS advesay, smlaly to [8, 10]. Whle ths would be suffcent to pove the secuty of the uplex constucton, the bound nduced solely by Lem. 3 suffes fom a quanttatve degadaton: we have that Adv nd FK p,p(q, l, μ, N) K Adv nd FKS p K,p(ql, l, μ, N), esultng n a bound 2q2 l 4 2 b + 2q2 l 3 2 c + μn 2 k accodng to Thm. 1. In ealty, thee wll be a quanttatve gap between the secuty of FK constucton and that of FKS pesent, but t wll be smalle. Ths s because an FKS advesay constucted fom an FK advesay ssues quees of a specfc stuctue whch s fa fom geneal. In below poof fo FK, we use ths popety. In moe detal, we deve a specfc class of constaned advesaes and genealze the poof of Lem. 2 to these advesaes. Poof (Poof of Theoem 5). Consde any advesay A wth esouces (q, l, μ, N). We have that FK p K = FKEp K 0. Theefoe, by a modula agument, Adv nd FK p K,p(A) = Δ A ( FK Ep K 0, p; RO FK, p Δ B (FK π 0, p; RO FK, p) + Δ C (E p K, p; π, p) Adv nd FK (B) + π Advspp 0 E p,p(c) K fo some advesay B wth esouces (q, l, μ) and advesay C wth esouces (q, l, μ, N). Note that B also has access to p, but these quees ae meanngless as ts left oacle (FK π 0 o RO FK ) s ndependent of p. In [2], t s poven that Adv spp E p K,p(C) μn/2k. In Co. 3 we show that any FK advesay B can be tuned nto a specal constaned advesay B aganst FKS wth esouces (ql, l, μ): Adv nd FK (B) π Advnd 0 FKS π(b ). 0 ) In Lem. 4, we pove that Adv nd FKS π 0 (B ) (ql) 2 /2 b + (ql) 2 /2 c fo any such advesay B. Fo the emande of the poof, we ntoduce the mappng Q FKS : ({0, 1} <b ) + {0, 1} *. Fo any b > 0 and fo all X 1,..., X n {0, 1} <b we let Q FKS (X 1,..., X n ) = pad b (X 1 )... pad b (X n 1 ) X n. 11

12 Lemma 3 (uplexng lemma [10]). Let b,, c, k > 0 be such that b = + c and k c. Let = FK p as defned n Sect Then fo the th duplexng quey (M, z ) made afte the last.ntalze(k) we have Z =.duplexng (M, z ) = FKS p (K, Q FKS (M 1,..., M ), z ). Moeove, the mappng Q FKS : ({0, 1} <b ) + {0, 1} * s njectve. Poof. We wll show the fst clam by nducton. Fo = 1, the ntenal state of FK s updated to t 1 = p ( (0 b k K) pad b (M 1 ) ), whch s exactly the same as the state of FKS evaluated on M 1 only. Then both FK and FKS output the same value Z 1 = left z1 (t 1 ). Fo evey > 1, FK updates ts state to t = p (t 1 pad b (M )). By the nducton agument, t 1 s also the state of FKS afte pocessng the fst 1 padded blocks. Then the fnal state of FKS s easly seen to be t as well. The equalty of outputs follows tvally. To vefy the njectvty of Q FKS, we wll show how to nvet t. Fo any mage X = Q FKS (X 1,..., X n ), we can stat ecoveng the nput aguments fom the left to ght. Fstly, we have n = X /b. Whle X > b, we keep emovng the leftmost b bts of X and applyng the nvese of pad b to them to ecove the next component X. What emans s the unpadded block X n. The esult of Lem. 3 can be used to educe any FK advesay to a constaned FKS advesay. Moe specfcally, any advesay A aganst FK that makes q ntalze calls and duplexes l blocks afte each ntalzaton can be educed to a constaned FKS advesay A = R FKS (A). To answe the j th duplexng quey (M j, zj ) made by A afte the th ntalze call, A quees ts own oacle wth (Q FKS (M 1,..., M j ), zj ). A copes the output of A at the end of the expement. Coollay 3. Let A be an advesay aganst FK that makes q ntalze calls and duplexes l blocks afte each ntalzaton and R FKS (A) the constaned FKS advesay as defned above. It follows fom Lem. 3, that Adv nd FK (A) π Advnd 0 FKS (R FKS(A)). π 0 We denote by A q,l the set of constaned advesaes aganst FKS, that wee nduced by some FK advesay that makes q ntalze calls and duplexes l blocks afte each ntalzaton: A q,l = {R FKS (A) : A an FK advesay wth esouces (q, l)}. Lemma 4. Let b,, c > 0 be such that b = + c. Let FKS be the scheme of Sect Then, fo any constaned advesay A A q,l Adv nd FKS π 0 (A ) (ql)2 2 b + (ql)2 2 c, Poof. We wll to lage extent follow the notaton and conventons fom the poof of Lem. 2. We assume that evey quey s aleady padded and ends wth a non-zeo fnal b-bt block wth m beng the numbe of b-bt blocks n the quey M. The stuctue of the quees and the numbe of squeezed bts wll howeve dffe. Any advesay A A q,l makes exactly ql FKS quees but these quees compse at most ql unque b-bt blocks. Moeove, these quees follow a cetan patten. We have that fo evey 1 q: M l( 1)+1 = M 1 l( 1)+1 and M l( 1)+j = M l( 1)+j 1 M j l( 1)+j fo 2 j l, whee all M j l( 1)+j {0, 1}b ae non-zeo (due to paddng). Note that we have m l( 1)+j = j. Fo evey quey, A asks fo no moe than output bts. Because we know the specfc stuctue of the advesaal quees made by A, the extended quees ae now dentcal wth the ognal quees. Indeed we have fo 1 q and 1 j l that M l( 1)+j = M l( 1)+j. The ntenal n-states s j and out-states tj ae defned the same way as befoe. 12

13 The RP-RF Swtch. We wll eplace the andom pemutaton π $ Pem (b) by a andom functon f $ Func (b) n the expement. Although thee ae q l j=1 j = ql(l + 1)/2 calls to π made thoughout the expement, the stuctue of the quees mples, that thee wll be at most ql calls to π wth unque nput. Thus the swtchng wll contbute the tem (ql) 2 /2 b to the fnal bound by a standad hybd agument. We have Adv nd FKS π(a ) Adv nd (A ) + (ql) 2 /2 b. 0 FKS f 0 Patan s Coeffcent-H Technque. Ths pat of the poof eles heavly on the coespondng pat of the poof of Lem. 2. We wll show that Adv nd (A ) (ql) 2 /2 c. FKS f 0 The two systems an advesay s tyng to dstngush ae FKS f 0 and RO FKS. We wll use the same defnton of a tanscpt τ = ( M 1,..., M ql, T 1,..., T ql ) whee T l( 1)+j holds all the j+1 outstates appeang due to M l( 1)+j (ncludng the dummy state t 0 l( 1)+j ). We wll also use the same defnton of a bad state (q.v. (1)). Ths wll mmedately gve us P [ X = τ] / P [ Y = τ] = 1 fo any τ T good by a smla agument as n the poof of Lem. 2. The pobablty P [ Y T bad ] needs new nvestgaton. Boundng the Pobablty of a Bad Tanscpt n the Ideal Wold. We defne the thee possble labels of n-states, fee, ntal and fxed n the same way as befoe and we wll wok wth the e-expessed defnton of a bad state (2). Snce the defntons of fee, ntal and fxed states ae unchanged, the pobabltes of collson due to a pa of n-states s j, sj wth stamp j = fee, stampj = ntal and stampj = fxed do not change. The only thng that eally changes s the fnal countng. Fo any 1 q, the quey M l( 1)+1 = M 1 conssts of a sngle block. Thus t only nduces a sngle n-state wth stamp 1 l( 1)+1 = ntal. Then fo any 2 j l, we have ( llcp b Ml( 1)+j, M ) l( 1)+j 1 = j 1, so thee s at most one new n-state nduced by Ml( 1)+j and unaffected by the common pefx wth pevous quees. It s s j l( 1)+j and we always have stamp j l( 1)+j = fee. We see that, w..t. (2), fo evey value of, l states need to be consdeed, gvng us a total amount of ql possble tuples (, j). Fo any such state s j l( 1)+j, we need to count all othe states (vsted by (, j ) n (2)) wth whch t can collde. Fo any <, t suffces to check equalty of s j l( 1)+j wth all l n-states nduced by M l( 1)+l, as evey othe quey M l( 1)+j s ts pefx. Fo =, t suffces to look at n-states nduced by M l( 1)+j 1. Thus fo any state s j l( 1)+j, thee ae no moe than ql unque states, wth whch t can collde. Usng the collson pobabltes fom the poof of Lem. 2, we conclude that P [ Y T bad ] (ql) 2 /2 c. 7 Full-State SpongeWap and ts Secuty Ou esults fom Sect. 6 can be used to pove secuty of modfed, moe effcent vesons of exstng Sponge-based AE schemes. As an nteestng nstance, we ntoduce Full-state SpongeWap, a vaant of the authentcated encypton mode SpongeWap [8, 10], offeng mpoved effcency wth espect to pocessng of assocated data (A). 7.1 Authentcated Encypton fo Sequences of Messages We wll focus on authentcated encypton schemes that act on sequences of A-message pas. Followng Beton et al. 5 [8, 10]we wll thnk of an authentcated encypton scheme as an object W sufacng thee APIs: W.ntalze(K, N): callng ths functon wll ntalze W wth a secet key fom the set of keys K and a nonce fom the set of nonces N. 5 Beton et al. do not consde an explct nonce as we do; they athe eque the heade of the fst wappng call to be unque. 13

14 W.wap(A, M): ths functon nputs an A-message pa (A, M) and outputs a cphetext-tag pa (C, T ), whee C = M and T s a τ-bt tag authentcatng (A, M) and all the quees pocessed by W so fa (.e. snce the last ntalzaton call). W.unwap(A, C, T ): ths functon accepts a tple of A, cphetext and tag, and outputs a message M f C s an encypton of M and T s a vald tag fo (A, M), and all the pevous quees pocessed by W so fa; othewse t outputs an eo symbol. Hee, the A, messages and cphetexts ae fnte stngs and we have C = M. τ s a postve ntege and we call t the expanson of W. We eque that W s ntalzed befoe makng the fst wappng o unwappng call. Fo a gven key K, we wll use W K to efe to the coespondng keyed nstance, omttng K fom the lst of nputs; that s, W.ntalze(K, N) = W K.ntalze(N). Secuty of Authentcated Encypton. We follow Beton et al. [8, 10] fo defnng the secuty of AE. We splt the twofold secuty goal of AE nto two sepaate equements: pvacy and authentcty. Let W be a scheme fo authentcated encypton, as descbed above, that ntenally makes calls to a publc andom pemutaton p. We fomalze the pvacy of W by an expement n whch an advesay A s gven access to p, p 1 and an oacle O that povdes two ntefaces: O.ntalze(N) and O.wap(A, M). We have O {W K, RO W }, whee W K s an nstance of the eal scheme wth the key K, and RO W s an deal pmtve that acts as follows: t keeps a lst of stngs St ({0, 1} * ) * as ts ntenal state. On callng RO W.ntalze(N) the lst St s set to the empty lst and then the nonce N s added to the lst (denote ths opeaton by St St N); now each call RO W.wap(A, M) wll fst update the lst as St St (A, M) and then wll output left M +τ (RO ( St )), whee St denotes an njectve encodng of the lst St nto a stng n {0, 1} *. (Note that the lst St peseves the boundaes between N and all the queed A-message pas.) The advesay must dstngush between the two wolds: the eal wold whee t s nteactng wth W K and the deal wold whee t s nteactng wth RO W. The advantage of the advesay n dong so s defned as ] [ Adv pv P W [p] [ K (A) = $ K : A W K,p,p 1 1 P A RO W,p,p 1 1]. It s assumed that the advesay meets the nonce-equement,.e. that evey ntalze() t makes s done wth a fesh nonce. Fo the defnton of authentcty popety, consde an expement whee an advesay A s gven access to the oacle W K and s allowed to ask quees W K.ntalze(N) and W K.wap(A, M). It s assumed that A espects the nonce-equement n the wappng quees. A s agan allowed to quey p. The advesay can also attempt fogees at any tme dung the expement; we say that the advesay foges f t outputs a sequence (N, (A 1, C 1, T 1 ),..., (A n, C n, T n )) such that afte callng W.ntalze(K, N) and then W.unwap(A, C, T ) fo 1 n 1, W.unwap(A n, C n, T n ) does not etun. The sequence (N, (A 1, C 1, T 1 ),..., (A n, C n, T n )) must be such that the advesay has not obtaned (C n, T n ) fom a wappng quey that followed an ntalzaton wth N and a sees of wappng quees (A 1, M 1 ),..., (A n, M n ) wth some M 1,..., M n. The advesay does not have to use a unque nonce n the fogey. Note that t can be assumed w.l.o.g. that evey fogey attempt s ethe a fesh nonce followed by a sngle A-cphetext-tag tplet o of the fom (N, (A 1, C 1, T 1 ),..., (A n, C n, T n )) wth (N, (A 1, C 1, T 1 ),..., (A n 1, C n 1, T n 1 )) beng leaned by the advesay fom a sequence of pevous wappng quees. We defne the advantage of A as [ ] Adv auth W [p](a) = P K $ K : A W K,p,p 1 foges. We let Adv pv W [p] (q v, q, l, μ, N) = max A Adv pv W [p](a) be the maxmum advantage ove all advesaes that make q ntalze quees to the left oacle, and afte each ntalzaton do wappng quees that nduce at most l pemutaton calls (ncludng the ntalzaton) and wth total maxmal multplcty μ, and that make N dect quees to the publc pemutaton, and that make at most q v fogey attempts. We smlaly let Adv auth W [p](q, l, μ, N) = max A Adv auth W [p](a). 14

15 Algothm 3 Outlne of an FSW[p,, k, n, τ] wap/unwap(a, M) quey 1: whle thee ae both A and message bts to pocess do 2: take bt block of M and c 5 bt block of A 3: wap/unwap the message block 4: f both A and M end then 5: poduce tag usng fame bts F AM 6: else f only A ends o only M ends then 7: pocess the blocks usng fame bts F AM 8: else 9: pocess the blocks usng fame bts F AM 10: whle thee ae message bts to pocess do 11: take bt block of M 12: wap/unwap the message block 13: f M ends then 14: poduce tag usng fame bts F M 15: else 16: pocess the blocks usng fame bts F M 17: whle thee ae A bts to pocess do 18: take + c 5 bt block of A, splt t nto bt and c 5 bt pats 19: f A ends then 20: poduce tag usng fame bts F A 21: else 22: pocess the pats usng fame bts F A 23: pepae andom bts fo next quey usng fame bts F N 7.2 Full-State SpongeWap The Full-State SpongeWap (FSW) s a pemutaton mode fo authentcated encypton of Amessage sequences as descbed n Sect It s paametzed by a b-bt pemutaton p, the maxmal message block sze, the key sze k, the nonce sze n, and the tag sze τ > 0. We eque that k b =: c and n <. The set of keys s K = {0, 1} k and the set of nonces s N = {0, 1} n. The FSW constucton uses an nstance of FK ntenally to pocess the nputs block by block. To ensue doman sepaaton of dffeent stages of pocessng a quey, we use thee fame bts placed at the same poston n each duplexng call to FK as explaned n Table 1. The man motvaton of the FSW s concuent absopton of message and A to acheve maxmal effcency n tems of mnmzng the numbe of pemutaton calls made. Snce we can only pocess bts of a message nput at a tme, we can use the emande of the state fo the fame bts and a block of A. Ths mples the lengths of message and A blocks pocessed wth each pemutaton call; + 1 bts fo padded message block, 3 fame bts and (havng n mnd that the nput to FK s always padded) ths leaves us at most (b 1) ( + 1) 3 = c 5 bts fo a block of A. To mnmze the numbe of pemutaton calls made n all possble stuatons, we futhe specfy specal teatment fo the wap/unwap quees wth moe A blocks than message blocks. An nfomal outlne of a wap/unwap quey s gven n Algothm 3. Ths outlne ncely llustates how the fame bts ae used fo doman sepaaton. We next gve a complete algothmc descpton of the FSW. To keep t compact, we ntoduce the followng notatons. Fo any L {0, 1}, R {0, 1} c 5 and F {0, 1} 3, we let Q(L, F, R) = pad +1 (L) F R. (3) Note that + 4 Q(L, F, R) b 1 fo any L, F, R. We let (L, R) = lsplt(x, n) fo any X {0, 1} * such that L = left mn( X,n) (X) and ght X L (X). We let X 1 X 2... X m X denote pattonng a stng X n such a way that X = X 1 X 2... X m, X = fo 1 < m and 0 < X m. Note that m = X /. We wll use the abbevaton.dpx(m, z) fo the nteface.duplexng (M, z) of an FK. The ntefaces of FSW[p,, k, n, τ] ae defned n Algo. 4. A 15

16 label value usage F N 000 pocess nonce, deve ntal mask of a quey F AM 001 block of A and M nsde quey F M 010 block of M nsde quey F A 011 block of A nsde quey F AM 100 last block of A and M nsde quey F AM 101 last block of A and M, quey ends, poduces tag F M 110 last block of M, quey ends, poduces tag F A 111 last block of A, quey ends, poduces tag Table 1: Labelng and usage of the fame bts wthn FSW. schematc depcton of how the wap nteface pocesses vaous types of nputs s gven n Fgues 4 and Secuty of FSW The secuty of FSW s elatvely easy to analyze, thanks to the esult fom Sect. 6. Lemma 5. Let W = FSW[p,, k, n, τ] be an nstance of FSW as descbed n Sect enote any quey to W.ntalze and a lst of subsequent quees to W.wap by (N, (A 1, M 1 ),..., (A n, M n )). Then, FSW njectvely maps ths sequence to a sequence of coespondng FK duplexng quees (Q 1,..., Q d ). Poof. We pove the njectvty of the mappng by showng how t can be nveted. We efe to the mappng Q of (3) to ague that evey Q can be splt nto thee stngs L, F, R wth L = + 1, F = 3 and R c 5 just as depcted n Fg. 6. The man tck s to use the fame bts used n FSW to detemne boundaes of wappng quees and the logcal pats. We wll efe to the FK quees as fames. We can ecove the A-message pas (n the followng just pa ) fom Q = (Q 1,..., Q d ) n a left-to-ght fashon. Any pa (A, M) s encoded n a subsequence of Q that stats by a fame wth fame bts F N and ends by a fame just befoe the next fame wth fame bts F N. ependng on the lengths of A and M, the patten of fame bts between these bounday fames can dffe as depcted n Fg. 6. If both A and M ae non-empty, we follow the edge maked as A. If thee s the same numbe of -bt blocks n M as thee s of c 5 bt blocks n A, then we follow the path A.1. Othewse we follow the path A.2 and then A.21 f thee wee fewe blocks n A than n M and the path A.22 f thee wee n tun moe blocks n A than n M. If M A = ε, then we follow the path B; f A M = ε we follow the path C. In a specal case, whee both A = M = ε, we follow path. We can see, that evey possble case of lengths of M and A n tems of blocks yelds a dstnct patten of fame bt sequences. Havng dentfed whch path n Fg. 6 we ae followng, we can ecove A and M. Evey fame Q wth F {F AM, F AM } holds a padded block of M n L and an unpadded block of A n R. If F = F M, then thee s a padded block of M n L and R = ε. If F = F A, then thee s a padded block of A n L and anothe unpadded block of A n R. The fames wth F { F AM, F M, F A } ae used to poduce the tag and ae thus teated specally. The fst fame wth F χ holds data blocks and the followng ones do not. If χ = AM, then thee s a padded block of M n L and an unpadded block of A n R. If χ = M, then thee s only a padded block of M n L. If χ = A and we ae not on path then thee s a padded block of A n L and a followng unpadded block of A n R. If we ae on path then none of the fames holds any data, snce both A and M ae empty. 16

17 Algothm 4 FSW[p,, k, n, τ] 1: Inteface W.ntalze(K, N) 2:.ntalze(K) 3: S pad (N) 0 F N 0 c 5 4: Z.dpx(S, ) 1: Inteface W.wap(A, M) 2: M 1... M m M 3: (A, A * ) lsplt(a, m(c 5)) 4: A 1... A c 5 a A 5: A * 1... A * b 5 a * A * 6: f m = a = a * = 0 then 7: T ε 8: F F A 9: fo 1 to a 1 do 10: C M Z 11: Z.dpx(Q(M, F AM, A ), ) 12: f 0 < a < m o 0 < a, a * then 13: C a M a left Ma (Z) 14: Z.dpx(Q(M a, F AM, A a ), ) 15: else f 0 < m = a and a * = 0 then 16: C a M a left Ma (Z) 17: T.dpx(Q(M a, F AM, A a ), ) 18: F F AM 19: fo a + 1 to m 1 do 20: C M Z 21: Z.dpx(Q(M, F M, ε), ) 22: f a < m then 23: C m M m left Mm (Z) 24: T.dpx(Q(M m, F M, ε), ) 25: F F M 26: fo 1 to a * 1 do 27: (L, R) lsplt(a *, ) 28:.dpx(Q(L, F A, R), 0) 29: f a * > 0 then 30: 31: (L, R) lsplt(a * a *, ) T.dpx(Q(L, F A, R), ) 32: F F A 33: whle T < τ do 34: T T.dpx(Q(ε, F, ε), ) 35: Z.dpx(Q(ε, F N, ε), ) 36: C C 1... C m 37: etun C, left τ (T ) 1: Inteface W.unwap(A, C, T ) 2: C 1... C m C 3: (A, A * ) lsplt(a, m(c 5)) 4: A 1... A c 5 a A 5: A * 1... A * b 5 a * A * 6: f m = a = a * = 0 then 7: T ε 8: F F A 9: fo 1 to a 1 do 10: M C Z 11: Z.dpx(Q(M, F AM, A ), ) 12: f 0 < a < m o 0 < a, a * then 13: M a C a left Ca (Z) 14: Z.dpx(Q(M a, F AM, A a ), ) 15: else f 0 < m = a and a * = 0 then 16: M a C a left Ca (Z) 17: T.dpx(Q(M a, F AM, A a ), ) 18: F F AM 19: fo a + 1 to m 1 do 20: M C Z 21: Z.dpx(Q(M, F M, ε), ) 22: f a < m then 23: M m C m left Cm (Z) 24: T.dpx(Q(M m, F M, ε), ) 25: F F M 26: fo 1 to a * 1 do 27: (L, R) lsplt(a *, ) 28:.dpx(Q(L, F A, R), 0) 29: f a * > 0 then 30: 31: (L, R) lsplt(a * a *, ) T.dpx(Q(L, F A, R), ) 32: F F A 33: whle T < τ do 34: T T.dpx(Q(ε, F, ε), ) 35: Z.dpx(Q(ε, F N, ε), ) 36: M M 1... M m 37: f T = left τ (T ) then 38: etun M 39: else 40: etun 17

18 C1 M1 C2 M2 Cm Mm leftτ T Z left M m c 5 A M 1 +1 T1 A 2 A a 3 A a M M m +1 T2 T τ/ Z duplexng duplexng duplexng + 1 ε +1 duplexng 101 ε +1 duplexng 000 ε +1 duplexng C1 M1 C2 M2 C a Ma Ca +1 Ma +1 Cm Mm leftτ T Z left M m T1 T τ/ Z A 2 A a 001 M M m ε ε +1 c 5 A 1 A a M M a M a duplexng duplexng duplexng duplexng duplexng duplexng duplexng C1 Z M1 C2 M2 Cm Mm leftτ T left M m T1 T τ/ Z A 2 A a 001 M ε ε +1 c 5 A 1 c M c 5 A 1,R M m A a A a,r duplexng duplexng duplexng duplexng duplexng duplexng duplexng + 1 A 1,L A a,l +1 Fg. 4: Intalzaton and wappng pocesses of FSW[p,, k, n, τ]. FSW ntenally uses an nstance of FK[p,, k]. The A and message nputs A, M ae pattoned as specfed n Algothm 4 (note that A = A A * ). The fgue depcts fom top to bottom: 1) The wappng pocess when A /(c 5) = A / ; 2) The wappng pocess when A /(c 5) < A / ; 3) The wappng pocess when A /(c 5) > A /. 18

19 C1 M1 C2 M2 Cm Mm leftτ T Z left M m M 1 +1 T1 T2 010 M M m ε +1 ε +1 T τ/ Z 010 duplexng duplexng duplexng 110 duplexng 110 duplexng 000 ε +1 duplexng leftτ T k K ntalze N 0 Z c 5 0 c duplexng T ε +1 T2 ε +1 T τ/ Z c 5 A 1,R ε A 1,L +1 A 2,L A 2,R A a A a,r duplexng duplexng duplexng duplexng duplexng duplexng + 1 A a,l +1 Fg. 5: Intalzaton and wappng pocesses of FSW[p,, k, n, τ]. FSW ntenally uses an nstance of FK[p,, k]. The A and message nputs A, M ae pattoned as specfed n Algothm 4 (note that A = A A * ). The fgue depcts fom top to bottom: 1) The wappng pocess when A = ε; 2) The ntalzaton pocess (left) and the wappng pocess when M = ε (ght). 19

20 τ/ tmes 0 tmes F AM F AM A.1 F AM F AM F N A.2 A.21 F AM 0 tmes F M F M τ/ tmes F M FM F N F N A 0 tmes B F M F M C 0 tmes F A F A τ/ tmes A.22 τ/ tmes F M FM F N τ/ tmes 0 tmes F A F A F A FA F N τ/ tmes F A FA F N + 1 L 3 F Q c 5 R F A FA F N Fg. 6: The tee of all possble fame bts sequences fo a sngle A-message pa (top-left). The composton of an FK quey Q (bottom-ght). Once we extact all the blocks of A and M, we concatenate them all n the ode n whch they wee extacted to obtan A and M. We note that the nonce s contaned n the vey fst fame wth F 1 = F N as L 1 = pad (N) 0. Theoem 3. Let b,, c, k, n, τ > 0 be such that b = + c, k c and n <. Let FSW be the scheme of Sect Then, Adv pv FSW (q, l, μ, N) (ql)2 2 b + (ql)2 2 c + μn 2 k, Adv auth FSW(q, l, μ, N) (ql)2 2 b + (ql)2 2 c + μn 2 k + q v 2 τ. Poof. We stat by defnng the ROFSW an dealzed FSW that ntenally uses the RO FK nstead of FK (and thus does not use p at all). By Thm. 5 we have that Adv pv (ql)2 FSW (q, l, μ, N) Advpv ROFSW (q, l, μ) + 2 b + (ql)2 2 c + μn 2 k, Adv auth FSW(q, l, μ, N) Adv auth ROFSW(q, l, μ) + (ql)2 2 b + (ql)2 2 c + μn 2 k. By Lem. 5, we know that a unque sequence of a nonce and A-message pas yelds unque sequence of RO FK quees. We have that Adv pv ROFSW (q, l, μ) = 0. Ths s because the nonce equement mples that evey ROFSW.wap(A, M) quey s pocessed usng an RO FK wth a unque ntenal state. We fst analyse the advantage of an advesay, who only makes a sngle fogey attempt. In ode to foge, the advesay must poduce a sequence of the fom (N, (A 1, C 1, T 1 ),..., (A n, C n, T n )) that passes the authentcaton check. Ths can ethe be a fesh nonce followed by only (A 1, C 1, T 1 ) o N can be eused and ((C 1, T 1 ),..., (C n 1, T n 1 )) wee obtaned fom a sequence of wappng quees (N, (A 1, M 1 ),..., (A n 1, M n 1 )) but (C n, T n ) was not etuned by any followng wappng quey (A n, M n ). In the fome case, a fesh nonce mples that RO FK has a fesh state when (A 1, C 1, T 1 ) s unwapped and T 1 wll be compaed to τ andom bts. The pobablty of a fogey s 2 τ n ths case. In the latte case, all the tplets ((A 1, C 1, T 1 ),..., (A n 1, C n 1, T n 1 )) ae 20