Indiﬀerentiability of the Sponge Construction with a Restricted Number of Message Blocks

. The sponge construction is a popular method for hashing. Quickly after its introduction, the sponge was proven to be tightly indiﬀerentiable from a random oracle up to ≈ 2 c/ 2 queries, where c is the capacity. However, this bound is not tight when the number of message blocks absorbed is restricted to (cid:96) < (cid:100) c 2( b − c ) (cid:101) +1 (but still an arbitrary number of blocks can be squeezed). In this work, we show that this restriction leads to indiﬀerentiability from a random oracle up to ≈ min (cid:110) 2 b/ 2 , max (cid:110) 2 c/ 2 , 2 b − (cid:96) × ( b − c ) (cid:111)(cid:111) queries, where b > c is the permutation size. Depending on the parameters chosen, this result allows to have enhanced security or to absorb at a larger rate for applications that require a ﬁxed-length input hash function.


Introduction
The sponge construction is a permutation-based mode used among others for hashing. Introduced by Bertoni et al. [BDPV07], it gained quickly in popularity after the SHA-3 competition [NIS12] won by Keccak [BDPA11], which relies on the sponge construction. Informally, the sponge is based on a keyless permutation of size b bits. The global state of the sponge, also of size b bits, is split as the sum r + c, where r is called the rate, and c the capacity. The data to hash is first injectively padded, absorbed by blocks of r bits, and a digest is extracted, also by blocks of r bits. Between each data absorption and extraction, the permutation is applied on the entire state.
In the ideal permutation model, the sponge has been proven to be secure up to ≈ 2 c/2 queries [BDPV08]. The bound was proven in the indifferentiability framework of Maurer et al. [MRH04] and Coron et al. [CDMP05]. Informally, this result means that the sponge construction based on an ideal permutation behaves like a random oracle in single stage games [RSS11], so that the mode has no underlying structural weaknesses. As a matter of fact, the indifferentiability bound is tight. Indeed, after ≈ 2 c/2 absorb calls, one can find collisions between the states of the sponge over c bits, and by using a subsequent absorb call, the partial collision can be transformed into a full-state collision. This fact was already known by the designers of the sponge [BDPV07], and we explain the attack in detail in Section 3.4. One important property of this attack is that in order to succeed with high probability, the adversary needs to be able to absorb c 2r + 1 message blocks.
Application. Hash functions are usually described as functions that map binary strings of arbitrary length into digests of fixed size. However, a restricted input-length hash function is sufficient for several applications. For instance, some proof of knowledge protocols require only hashing of finite field elements. The Fiat-Shamir Heuristic [FS86] allows to remove interactivity of a public-coin proof by making use of a hash function for which the input has a length fixed in advance. Moreover, a restricted input-length hash function could be sufficient for password hashing applications. Now, given the bound of Theorem 1 and a desired security level k, one can wonder whether there are better parameter choices, i.e., can we maximize the rates r s and r a and the size of input strings? First, the choice c s = k maximizes the squeezing rate. Now, if arbitrary-size strings should be processed, then one has to choose c a = 2k to maximize r a . Otherwise, we can aim at b − r a ≥ k. From c s = k, this implies r s ≥ r a . Thus to maximize efficiency and the domain size, the best choice is r a = r s and = 1, so that c a = c s = k.
Outline. The remainder of this paper is as follows. Section 2 introduces the notation and preliminary context, Section 3 presents in detail the sponge construction and the specificities of the security model to our setting, Section 4 is dedicated to the indifferentiability result and the proof, and finally Section 5 discusses the tightness of the bound.

Notation
For a finite set S, x $ ← − S means that the element x is sampled uniformly at random from S. 1 x∈S denotes the indicator function of S, i.e., x := y means that x is defined to be equal to y. For i, j ∈ N such that i ≤ j, i, j denotes the set {i, . . . , j}. For a ∈ N, {0, 1} a denotes the set of binary strings of size a, and {0, 1} * denotes a∈N {0, 1} a . We use the symbol to denote the empty string. In the following, let X, Y ∈ {0, 1} * . If L is an ordered list, for 1 ≤ i < j ≤ |L|, L[i : j] denotes the sub-list of L containing the i th to the j th element (latter excluded). We also use this notation for binary strings, i.e., X[i : j] denotes the bits of X from position i to j. Moreover, let b, r, c ∈ N such

A Useful Lemma
In the proof we need to use the following result based on Choi et al.'s work [CLL19, page 187], that we state here for completeness.
Lemma 1. Let q, R ∈ N. Consider the experiment of throwing uniformly at random q balls in R bins. For u ∈ 1, R , denote by S u the size of the bin number u. Then one has Proof. Let u ∈ 1, R . This is clear that S u follows a binomial distribution with q experiments and success probability p := 1 R . Let µ := pq be the expectation of S u . Then, from the Chernoff bound, we know that for any δ > 1, thus for any j > 2µ, .
Whenever j ≥ µ + 3 ln 2q p , the quantity e µ−j 3 is upper bounded by p 2q . Therefore, for any j ≥ 2µ + 3 ln 2q p , Now, Pr max where the last inequality uses (1). By replacing p by 1 R and µ by q R , we obtain which concludes the proof.

Security Model
We will use the indifferentiability framework, introduced by Maurer et al. [MRH04], and refined in the context of hash functions by Coron et al. [CDMP05]. We describe here the general indifferentiability framework, and will highlight the particularities of the security model in our setting in Section 3.2. Let r s ∈ N. Consider a construction H based on an ideal primitive P, which gives an extendable output function denoted by H P . We consider random oracles [BR93] with an infinite domain and codomain, denoted by RO. For M ∈ {0, 1} * , and k, k ∈ N, RO(M )[k : k ] denotes the bits from position k to k (latter excluded) of the stream RO(M ). Let S be an algorithm called simulator which has the same input domain and outputs strings in the same range as P, and that is allowed to query RO. Consider a distinguisher D that has access to either (H P , P) or (RO, S). W.l.o.g., we assume that D never makes queries for which it already knows the answer. The primitive query history of the distinguisher is an ordered list denoted by Q P , where for X, Y ∈ {0, 1} b , d ∈ {fwd, inv}, i ∈ N, Q P [i] = (X, Y, d) means that the query i was in direction d, and D received as answer X or Y depending on the direction of the query. Similarly, the construction query history is denoted by Q C , it is described in our particular setting in Section 3.2. The indifferentiability advantage of D from a random oracle, denoted by Adv iff H (D), is defined as follows: Moreover, Adv iff H (q) denotes the supremum of the set Adv iff H (D), over all distinguishers allowed to make at most q queries. Note that the way queries are made can be refined. In the case of the sponge, one construction query has a practical cost which depends on the length of the padded message and the number of bits of the stream to extract. In Section 3.2 we specify a metrics to count construction queries.
Public indifferentiability. In the indifferentiability setting, the simulator is not allowed to access the construction queries made by the adversary. This yields a security model which is too strong for some applications where queries to the hash function can be disclosed to all parties without affecting the security. Among others, this is the case for some signature schemes, proof protocols or encryption protocols, e.g. [BR96,BR93,FS86]. This motivated the introduction of the public indifferentiability framework [YMO09,DRS09,MPS12]. Public differentiability differs from indifferentiability precisely in the fact that the simulator has access to all construction queries made by the adversary.

The Sponge Construction
In this section we describe the sponge construction where the absorbing and squeezing rates are different. Let b, c a , r a , c s , c a ∈ N such that b = r a + c a = r s + c s . Let P be a permutation, and IV ∈ {0, 1} b . Let pad be an injecting padding that splits the message to hash M ∈ {0, 1} * into k blocks of length r a and such that the last block is not zero. The inverse function of pad is denoted by unpad . We consider that unpad (M ) returns the symbol ⊥ whenever M does not correspond to a valid padding. Algorithm 1 defines the sponge construction based on P, and Fig. 1 illustrates it.

Security Model of the Sponge with Restricted Message Blocks
In the following, let H be the sponge construction.
Construction queries and their cost. In the real world, a construction query takes two parameters: a message M ∈ {0, 1} * , and an integer k ∈ N. H P (M, k) corresponds to the (k + 1) th first squeezed blocks after having absorbed M . Thus in order to match the real world, we consider that the random oracle queried with inputs M ∈ {0, 1} * and k ∈ N gives RO(M )[0 : r s ×(k+1)]. Moreover, a construction query in the real world has a practical cost which depends on the number of underlying permutation evaluations required to compute the digest. Following the approach of Bertoni et al. [BDPV08], we measure the cost of a construction query based on the number of permutation evaluations required in the real world to produce the output. More precisely, if |pad (M )| = l × r a , then a query with input M and k has a cost of l + k. We define the construction query history Q C as an ordered list, which contains elements of the form (M, k, Z). In the real world, Z corresponds to the (k + 1) th squeezed block after having absorbed M . In the ideal world, Indifferentiability of the sponge when restricting the number of message blocks. When the number of message blocks is restricted to , we impose that the distinguisher can make construction queries only with messages M such that |pad (M )| ≤ × r a . More formally, denote by RDist[q P , q C , ] the set of distinguishers that satisfy the constraint above making at most q P primitive queries and construction queries with a total cost of at most q C . The restricted indifferentiability (resp., public indifferentiability) advantage of the sponge from a random oracle is defined as follows: Adv pubiff H (D) .

Graph Construction of the Sponge with Restricted Message Blocks
We adapt the graph representation from [BDPV08] to our setting. This graph is derivable from a primitive query history Q. The nodes are all elements in The set ValidPaths gathers the nodes involved in paths, i.e., The set Rooted includes all the nodes which appear in valid paths. The set rRooted is a compact way of characterizing the paths. Informally, if the simulator receives a forward query with X, and (X, M, k) ∈ rRooted, and unpad (M ) = ⊥, then in order to produce a consistent answer with respect to the random oracle, the answer Y must satisfy outer rs (Y ) = RO (unpad (M )) [r s × k : r s × (k + 1)]. Finally, we define the set AbsorbPath as follows: In other words this set gathers the nodes where absorption of a message block is still possible. Note that the obtained path is not necessarily a valid path, since the message blocks m 1 , . . . , m l can all be equal to 0 ra . One important remark is that, as long as no inner collisions occur with nodes in AbsorbPath, where q := |Q|. Looking ahead, AbsorbPath contains the only nodes where inner collisions are dangerous.
We will see later that in some situations, the simulator has a query history different from the primitive query history of the distinguisher. Therefore, when this is not clear from the context, for Set ∈ {ValidPaths, Rooted, rRooted, AbsorbPath} we use the notation Set(Q) to clarify which query history is used to build Set.

Differentiability Attack on the Sponge Construction
In this section we describe a differentiability attack on the (plain) sponge [BDPV07]. Let k = ca 2ra , and for simplicity, assume that k is an integer. Consider the following distinguisher D: 1. D first makes all possible k first absorb calls with primitive queries. It obtains 2 k×ra different states (Y i ) i∈ 1,2 k×ra such that 2. If the simulator emulates well a permutation, 2 then with high probability there exist i = j such that Y i ca = Y j and neither outer ra (Y i ) nor outer ra (Y j ) is equal to 0 ra . Let M i (resp., M j ) be the concatenation of all message blocks used to reach Y i (resp., Y j ); 3. The distinguisher makes the construction queries associated to unpad (M i outer ra (Y i )) and unpad (M j outer ra (Y j )). If both outputs coincide, then the distinguisher returns "real", otherwise "ideal".
In the real world, two sequences of message blocks that lead to the same state have the same digest, while in the ideal world, the outputs are independent. D succeeds with high probability, and makes 2 k×ra = 2 ca/2 queries. However, this attack requires at least k + 1 absorb calls. Thus, whenever k + 1 > , this attack cannot be applied to the sponge when restricting the number of message blocks to .

Indifferentiability of the Sponge when Restricting the Message Blocks
In this section, we prove indifferentiability of the sponge when restricting the number of message blocks, as stated in Theorem 1.
Theorem 1. Let H be the sponge construction, and b, c a , r a , c s , r s as described in Section 3.1. Then one has Interpretation of the bound. In the following, we ignore logarithmic factors. When the maximum number of message blocks absorbed is not a limiting factor (i.e., when c a /2 ≤ r a ( − 1)), we obtain an upper bound of the form which matches PHOTON indifferentiability bound when c s ≥ c a /2 + log(c a ) [NO14]. On the other hand, when c a /2 > r a ( − 1), we obtain an upper bound of the form Moreover, when only one message block is absorbed (i.e., = 1), our bound matches again the one from Naito and Ohta [NO14] by setting r = r a and r = 0 (recall that r is the rate of the first message block, and r is the rate when absorbing subsequent message blocks). To our knowledge, the bound provides new results whenever c a /2 > r a × ( − 1) and when = 1.
Outline. The remainder of this section is organized as follows. Section 4.1 introduces the simulator used for the proof, Section 4.2 introduces an intermediate world, Section 4.3 lists the bad events, Section 4.4 splits and computes the probabilities, and Section 4.5 adapts the result to the setting of public indifferentiability.

Simulator Definition
The simulator S is described algorithmically in Algorithm 2. On a high-level view, S keeps track of the graph construction from Section 3.1 to ensure that its responses are consistent with the random oracle. To do that, it logs the query history in an ordered list called Q Sim . For i ∈ N , Q Sim [i] contains a tuple (X, Y, d) which corresponds to the i th query. For any fresh query, S behaves as a random function. We could have a simulator which outputs permutationconsistent responses, but this would not improve significantly the bound. More precisely, the term q 2 2 b in the bound of Theorem 1 does not only come from the PRP/PRF switching lemma, but appears at other places. For example, at the end of Section 5 we present an attack with a cost of ≈ 2 b/2 queries which would succeed even when using a permutation-consistent variant of S.
Algorithm 2: Simulator definition. Init () is run once at the beginning of the game, S fwd (resp., S inv ) is the algorithm run by S on forward (resp., inverse) queries. The inputs X and Y are b-bit strings.
1 Function Init (): 2 QSim ← ∅; /* does not correspond to a valid padding, but this initialization allows to take into account paths of form IV

World Decomposition
Denote by W 1 the real world, i.e., implemented by (H P , P) as shown in Fig. 2a, and let W 3 be the ideal world giving access to (RO, S) (see Fig. 2c). We introduce an intermediate world W 2 , depicted in Fig. 2b. This world gives access to (H S , S), where the simulator is based on a random oracle hidden from the adversary. This decomposition, done among others in the proof of PHOTON indifferentiability [NO14], allows to separate the quality of randomness of the simulator from the consistency of the answers.
W 1 versus W 2 . As detailed more formally in Section 4.4.2, the difference between W 1 and W 2 lies in the difference of randomness. More precisely, the ideal world implements a perfectly random permutation, while the simulator behaves like a two-sided random function. This is a well known result, and is upper bounded by the PRP/PRF switching lemma.
W 2 versus W 3 . The simulator from world W 2 has a priori more knowledge than the one from W 3 , since it indirectly knows the construction queries made by the adversary. In Section 4.3, we define a bad event GUESS which prevents the adversary from exploiting this difference of behavior. Moreover, we have to guarantee that the simulator behaves consistently according to the random oracle, i.e., whenever one can compute H P (M, k) from the query history Q P , then it coincides with RO(M )[0 : r s × k]. We will define additional bad events to capture inconsistent answers. These bad events, including GUESS, are given in Section 4.3.

Bad Events
In this section, we formally define bad events over the query history of the simulator. For the sake of the proof, we define an enhanced simulator query history Ext(Q Sim ) that contains additionally the origin O ∈ {C, D} of the query, i.e., elements in Ext(Q Sim ) are of the form (X, Y, d, O), where "C" indicates that the query was made by the construction and "D" by the adversary. Note that the simulator has no access to this list, it is introduced only to rigorously analyze the security. This enhanced query history is only useful for W 2 . We also define Fresh(Q Sim ), which is the query history without duplicated queries. More precisely, the i th element of Fresh(Q Sim ) is a tuple (X i , Y i , d i ) ∈ Q Sim such that there is no j < i such that Fresh(Q Sim )[j] = (X i , Y i , d) for d ∈ {fwd, inv}. Let σ be the total number of queries made to the simulator, so that σ = q C +q P in W 2 , σ = q P in W 3 . Moreover, letσ be the total number of fresh queries to the simulator, so thatσ ≤ σ. For simplicity of notation, for i ∈ 1,σ , (X i , Y i ) denotes the first two elements in Fresh(Q Sim )[i]. We define the following bad events:

Moreover, let
Interpretation. GUESS is an event that can be set only in W 2 . It reflects the fact that the distinguisher is able to enter in the middle of a path without having made all the queries before that path. To do that, the adversary has two different possibilities. The first one, corresponding to GUESS SQU, consists of making use of the outer parts disclosed by the construction queries. In other words, for a fixed u ∈ {0, 1} rs , if there exist x construction queries which output is u, then a primitive query with input u w has a probability of ≈ x 2 cs to set GUESS SQU. The second strategy corresponds to GUESS ABS. It targets the nodes in AbsorbPath, and only concerns forward queries. In this setting, besides having access to r s bits, the adversary is allowed to overwrite up to r a bits, as illustrated in Fig. 3. As long as GUESS is not set, the adversary is not aware of paths where the simulator in W 2 has more knowledge than the one from W 3 . The remaining bad events COL, CONNECT, and INNER concern the consistency of the answers with respect to the random oracle, i.e., when a path connects to a node or two paths collide without the simulator being able to ensure consistency. COL flags full-state collisions, and CONNECT is set when the order of the queries is not respected. The event INNER flags both potential full-state collisions and inconsistent queries that involve nodes in AbsorbPath. Note that the event of a query hitting the IV is captured by the event INNER 2 . Finally, COL is also useful to bound the distance between W 1 and W 2 .

Probability Splitting and Computation
Remember that q := q P + q C . For i ∈ 1, σ and any event evt, evt i denotes that evt is triggered after the first i queries. Moreover, for W x ∈ {W 1 , W 2 , W 3 }, denote by Pr Wx (evt) the probability that evt is set in world W x .
4.4.1 Outline. Let D be any distinguisher, we have Looking ahead, we will show in Section 4.4.3 that Using this fact, denoting P := Pr D W2 = 1 | ¬BAD = Pr D W3 = 1 | ¬BAD , the distance (4) can be decomposed as follows: Therefore, the advantage of the adversary can be upper bounded as the sum of (3) and (6). The remainder of the proof is organized as follows. Section 4.4.2 is dedicated to upper bounding the distance in (3), then Section 4.4.3 shows the claim made in (5), i.e., the distance between W 2 and W 3 conditioned on ¬BAD is zero, Section 4.4.4 upper bounds (6), and we conclude in Section 4.4.5.
4.4.2 W 1 Versus W 2 . Because the padding is prefix-free, the RO calls in lines 13 and 24 of Algorithm 2 are never accessed twice for the same entry. Therefore, the simulator behaves exactly as a random permutation as long as COL is not set in W 2 . Therefore, by the fundamental lemma of game playing [BR06], Moreover, for any i ∈ 1, q , one has 4.4.3 W 2 Versus W 3 as Long as no Bad. The only difference between W 2 and W 3 lies in the consistency of the responses: the construction oracle in W 2 calls the simulator, while in W 3 , the answers come from a random oracle. As explained in Section 4.3, ¬GUESS prevents the distinguisher from being aware of paths where the simulator from W 2 has more knowledge than the one in W 3 . Therefore, with ¬GUESS, we can assume that both simulators provide the same level of consistency, and w.l.o.g., we focus on the simulator from W 3 . In this world, the construction queries come from a random oracle and Q Sim coincides with the primitive query history of the distinguisher Q P . Let i ∈ 1, q P , assume that the query number i gives . Assume by contradiction that this query breaks the consistency, while BAD is not set. We split the cases depending on the direction of the query.
Forward query. In order to break the consistency, the query must be involved in a valid path. There are two possibilities, depending on whether X i ∈ AbsorbPath or not: (i) There exists a valid path with m l = 0 ra . In other words, X i is involved in a path during the squeezing phase. Note that we can have k = 0. Let k := k + 1.
(ii) There exists a valid path where m l = 0 ra . Concretely, it means that X i ∈ AbsorbPath. In that case, let k := 0. Let M := m 1 · · · m l . In both cases, (X i , M, k ) ∈ rRooted(Q P ). Because of ¬BAD, the existence of such a path is unique. Indeed, if X i is involved in two different paths, then it implies that either a full-state collision or a collision with an element in AbsorbPath occurred, which are prevented by respectively ¬COL and ¬INNER. Thus line 21 of the algorithm of S fwd (Algorithm 2) is satisfied for this particular M and k , and by construction of the simulator the answer Y is consistent with respect to RO, i.e., outer rs (Y ) = RO (unpad (M )) [r s × k : r s × (k + 1)]. Moreover, thanks to ¬CONNECT ∧ ¬INNER, there are no edges starting from Y i resulting to a valid path. Therefore, this query cannot break the consistency.
Inverse query. An inverse query breaking the consistency implies that X i connects either to the IV, or to an already existing path such that the newly created path is valid. These two cases are prevented by ¬COL ∧ ¬INNER ∧ ¬CONNECT.
Conclusion. As long as BAD is not set, all queries to H S and to RO give the same output, and both simulators exhibit the same behavior. Therefore,

Probability of BAD.
Basic reasoning. In W 3 , the adversary can learn information about the randomness used by the simulator from the construction queries before making the underlying primitive query. This can make the probability computation quite hard to evaluate. Fortunately, in W 3 , the bad events are COL, CONNECT, and INNER, and they only concern the (fresh) query history of the simulator. We can thus consider a more powerful adversary D , which replaces its construction queries by primitive queries. The probability that D sets BAD is no smaller in W 2 than in W 3 . Moreover, the only meaningful metrics for COL, CONNECT, and INNER is the total number of queries made to the simulator. Thus the query cost of D in W 2 does not change compared to the one of D, since it makes 0 construction queries and at most q P + q C primitive queries. Therefore, Thus from now, we can focus on the probability computation in W 2 . By basic probability, we have We evaluate each term individually.
GUESS SQU i . Setting this event is similar to a guessing game: in order to win, the adversary must be able to guess a node N in a valid path. Thanks to the construction oracle, D it has access to the r s upper bits of q C different nodes. Let u ∈ {0, 1} rs , we define, similarly to Choi et al.
[CLL19], the random variable F u as follows: i.e., F u is the number of construction queries which outer part hit u. The distribution of the random variables (F u ) u∈{0,1} rs is the same as the bin-and-balls experiment described in Lemma 1. Now, given a query v w with v ∈ {0, 1} rs and w ∈ {0, 1} cs , the probability that GUESS SQU i is set, conditioned on the query history of the i − 1 previous queries Q i−1 , is upper bounded by max u∈{0,1} rs F u 2 cs . Therefore, by summing over all possible Q i−1 we obtain We can use Lemma 1, and obtain E max a∈{0,1} rs F u ≤ 2q C 2 rs + 3r s + 3 ln(q C ) + 3 , so that GUESS ABS i . For the event GUESS ABS i , the situation is more complex. Indeed, assume first that c a = c s . Then in order to win, the adversary has to guess c a bits. The r a upper bits do not matter, since the adversary can overwrite them (see Fig. 3b, where r s −r a = 0). Therefore, in this setting the adversary is more powerful than in the case of the event GUESS SQU i . However, the number of nodes that the adversary can guess here is upper bounded by |AbsorbPath|, which is much smaller than q C in some settings. Now, Fig. 3 illustrates the two different possibilities depending on the values of r s and r a . First, if r s < r a (cf., Fig. 3a), the adversary has  access to and can control r s bits. It can add any bits to r a − r s other bits, but has no access to them. Therefore, in this setting the success probability is upper bounded by On the other hand, if r s ≥ r a (cf., Fig. 3b), The adversary has access and can control r a bits, has access to r s − r a bits, and has to guess the c s remaining ones. The situation therefore again boils down to a bin-and-balls game. This time, |AbsorbPath| different balls are thrown in R := 2 rs−ra bins. For u ∈ 1, R , let S u be the number of balls in the bucket u. The probability to set GUESS ABS i conditioned on the query history is upper bounded by max u∈ 1,R S u 2 cs .
We can use again Lemma 1, and obtain E max a∈{0,1} rs−ra F u ≤ 2 |AbsorbPath| 2 rs−ra + 3r s + 3 ln(|AbsorbPath|) + 3 , so that for any choice of r a and r s , COL i and CONNECT i . As long as BAD i−1 is not set, the remaining events can be set with a non-zero probability only if the query is fresh. Here, the adversary has no access to the randomness source used by the simulator. Thus, the probabilities of the bad events COL i and CONNECT i can be upper bounded as follows: INNER i . For any query with a node in AbsorbPath, the probability that it sets INNER 1 i is upper bounded by 2q 2 ca . Therefore, Moreover, the probability to set INNER 2 i is upper bounded as follows: Therefore, Wrap-up. Remark that the event GUESS can be set only with a primitive query from the distinguisher, so that the adversary has at most q P attempts. Now, plugging (11) to (14) into (10) gives 2q C 2 b + 6r s + 3 ln(q C ) + 3 ln(|AbsorbPath|) + 6 2 cs + 2 |AbsorbPath| 2 ca + q i=1 2(i − 1) 2 b + 1 Yi∈AbsorbPath × 2q 2 ca + |AbsorbPath| 2 ca ≤ q P (6 ln(q) + 6r s + 6) 2 cs + 5q |AbsorbPath| 2 ca + q 2 2 b ≤ q P (6 ln(q) + 6r s + 6) 2 cs + q 2 2 b + min where the penultimate inequality uses 2q C q P ≤ q 2 , and the last inequality uses (2). Note that we implicitly used ¬BAD i−1 at each step to upper bound |AbsorbPath|. Finally, using (9), we can infer that the bound in (15) also applies in W 3 , so that (6) ≤ q P (12 ln(q) + 12r s + 12) 2 cs + 2q 2 2 b + min 10q(q + 1) 2 ca , 20q 2 b− ×ra . (16)

Conclusion.
Remember that in Section 4.4.1, we established that the distinguisher advantage is upper bounded by the sum of (3) and (6). These terms are themselves upper bounded in respectively (7) and (16), which concludes the proof.

Public Indifferentiability
Public indifferentiability was introduced in [YMO09, DRS09] and refined in [MPS12]. As detailed in Section 2.3, public indifferentiability is a weaker security notion, which has nevertheless concrete applications. In the setting of public indifferentiability, the simulator is aware of all construction queries made by the distinguisher. We define a simulator S which, when being informed of the construction query with input (M, k), where (M, k, Y ) ∈ rRooted, makes the corresponding forward query to S. In this setting, GUESS is no more a bad event, yet the remainder part of Section 4.4.3 remains unchanged. We can copy the proof of Section 4.4, but without using the bad event GUESS. This gives a bound Adv R−pubiff H (q C , q P , ) ≤ 3q 2 2 b + min 6q(q + 1) 2 ca , 12q 2 b− ×ra .
In particular, the number of squeezed bits per construction query can be arbitrary.

Tightness of the Result
Our result guarantees indifferentiability up to min 2 cs , 2 b/2 , max 2 ca/2 , 2 b− ×ra queries (up to logarithmic and constant factors). In the following, we show different attacks that apply to our simulator. The best strategy depends on the parameters used, as clarified in the following.