Security of the Suffix Keyed Sponge

We formalize and analyze the general suffix keyed sponge construction, a pseudorandom function built on top of a cryptographic permutation. The construction hashes its data using the (keyless) sponge construction, transforms part of the state using the secret key, and generates the tag from the output of a final permutation call. In its simplest form, if the key and tag size are at most the rate of the sponge, one can see the suffix keyed sponge as a simple sponge function evaluation whose input is the plaintext appended with the key. The suffix keyed sponge is, however, much more general: the key and tag size may exceed the rate without any need to make extra permutation calls. We prove that the suffix keyed sponge construction achieves birthday-bound PRF security in the capacity, even if key and tag size exceed the rate. Furthermore, we prove that if the absorption of the key into the state happens in a leakage resilient manner, the suffix keyed sponge itself is leakage resilient as well. Our findings show that the suffix keyed sponge compares favorably with the hash-then-MAC construction. For instance, to reach a security level of k bits, the side-channel protected component in the suffix keyed sponge just needs to process k bits of input besides the key, whereas schemes following the hash-then-MAC construction need a side-channel protected MAC function that processes 2k bits of input besides the key. Moreover, even if we just consider black-box attacks, the MAC function in a hash-then-MAC scheme needs to be cryptographically strong whereas in the suffix keyed sponge the key may be absorbed by a simple XOR. The security proofs are performed using the H-coefficient technique, and make effective use of the multicollision limit function results of Daemen et al. (ASIACRYPT 2017), both for arguing that state manipulation larger than the rate is tolerated after key processing and for upper bounding the amount of leakage an attacker may gain about the secret key.


Introduction
Whenever a device operates in a hostile environment and side-channel attacks [KJJ99] are a threat, protection against them becomes a necessity. Hence, a lot of effort has been put in the design of countermeasures against side-channel attacks like masking [GP99,CJRR99], threshold implementations [NRR06,NRS11], or special primitives that limit the available data complexity for an attacker [MSJ12,TS14,MSNF16]. However, the application of such countermeasures is not for free and requires additional resources like chip area, energy, power, computation time, randomness, and so on. In the context of message authentication codes (MACs), this has led to an increased popularity of functions that process the bulk of the input in a keyless manner and use the secret key for finalization only. This way, the first and largest part is not prone to side-channel attacks; only the second part must be protected, but as it is reasonably small this is an easier task. This particularly applies to the case where messages may be arbitrarily large (as in our use case). This approach comes to life in the hash-then-MAC construction, used in [BKP + 16, BPPS17, BGP + 19, GPPS19], among others. In the hash-then-MAC construction, one first hashes the plaintext P using a hash function H, and subsequently authenticates the outcome using a MAC function F with key K to obtain a tag T : The advantage of hash-then-MAC over traditional MAC functions like PMAC [BR02] and CMAC [Dwo05] in the context of side-channel protection is evident: as such constructions apply a cryptographic primitive with secret key at least once per plaintext block, each of these invocations must have countermeasures against side-channel attacks in place. In contrast, for hash-then-MAC, the amount of exposure of the secret key is independent of the number of processed input blocks.
However, in order for the hash-then-MAC construction to be k-bit secure, where k is the security level, one must necessarily take a hash function with digest size 2k [BKP + 16, BPPS17, BGP + 19, GPPS19]. This also means that the function F (K, ·), which is the critical part in the construction from a side-channel perspective, must be able to process 2k-bit inputs. This negatively impacts the resources needs to implement countermeasures; in general, it is cheaper to protect a smaller primitive against side-channel attacks.
An alternative to the hash-then-MAC approach is the suffix keyed sponge approach used in ISAP [DEM + 17]. A generalized depiction of the suffix keyed sponge is given in Figure 1, and it is described in detail in Section 3. The function operates as a sponge on top of a permutation p with a state of b = c + r bits, split into an outer part of size r (the rate) and an inner part of size c (the capacity). The k-bit key K is absorbed using an s-bit to s-bit keyed function G and one output block T of size t is squeezed. For a specific case where the state size s and the tag size t are at most the rate r and in addition the key is absorbed by a simple XOR, the construction matches the original description of Bertoni et al. [BDPV11a,Section 5.11.2]. However, the suffix keyed sponge construction that we consider is more general.
For the suffix keyed sponge, there is no reason to believe that the function G needs to be 2k bits large, like it is required for F in hash-then-MAC. In the case of G, it seems to suffice to use a k-bit keyed function only. Indeed, in the suffix keyed sponge we can resort to the secrecy of the state, and collisions in the input to G are not necessarily harmful. Because for the suffix keyed sponge the function G is the focal point of protection against side-channel attacks, the construction compares favorably over the hash-then-MAC mode.
Unfortunately, no analysis of the suffix keyed sponge has appeared so far, neither in the black-box setting nor in the leakage resilient setting. The best we can do is to fall back to the indifferentiability of the keyless sponge [BDPV08]. This reduction is valid as long as we consider security in a black-box setting, where the key is absorbed using an XOR, key and tag are of size at most the rate, and the capacity is at least twice the security level. In other words, this is how security of the original and more restrictive version of the suffix keyed sponge of Bertoni et al. [BDPV11a,Section 5.11.2] was argued.

Our Contribution
We present a complete and general analysis of the suffix keyed sponge (SuKS), both in the black-box model and in the leakage resilience model. Noting that G is pivotal in the analysis of leakage resilience (the key comes into play only at the occurrence of G), we demonstrate how the security bound depends on the choice of G.

Suffix Keyed Sponge with Restricted Parameters
As a starter, we consider the restricted version of the suffix keyed sponge, where the state size s of G and the tag size t are at most the rate r of the sponge. This restricted version corresponds to the original suffix keyed sponge description of Bertoni et al. [BDPV11a,Section 5.11.2], though with arbitrary key absorbing function G. In this case, as mentioned above, we can resort to the indifferentiability of the keyless sponge [BDPV08] and argue that the resulting construction behaves as a pseudorandom function. This indifferentiability result states that if there is no inner collision on the c-bit inner part, the sponge function (with random permutation) is indifferentiable from a random oracle, and we can analyze security of an idealized version of the suffix keyed sponge. That construction, in turn, can only be broken by an adversary that ever guesses the output of the function G. The result and analysis are given in Section 4.

Suffix Keyed Sponge with Unrestricted Parameters
We present the main result in Section 5: security of the suffix keyed sponge in an unrestricted setting. In this case, both the state size s of the function G as well as the tag size t may be larger than the rate r. We prove that the construction still achieves c/2-bit security under the assumption that the outputs of G are uniform (hard to guess) and universal (collide with small probability).
Note that one can consider the suffix keyed sponge state right before the evaluation of G as a state with s-bit rate and (b − s)-bit capacity, but b − s may be smaller than c, and hence, it may be that collisions occur on the (b − s)-bit inner part even though the keyless part of the suffix keyed sponge does not have inner collisions. The trick in the proof consists of observing that, even if there are multicollisions on this (b − s)-bit inner part, these multicollisions do not harm security of the construction as long as the input to G is different. A symmetric reasoning is applied on the state from which the tag is derived: it can be split into a t-bit outer part and a (b − t)-bit inner part. Overall, the bound shows that even partial (multi-)collisions on the input to or output of the keyed permutation call in the suffix keyed sponge provide only limited help to the adversary. Hence, the security level usually stays in the area of 2 c/2 . The result holds for an arbitrary G that is uniform and universal, but this does not mean that it needs to be cryptographically strong: a simple XOR suffices. This observation demonstrates another advantage of the suffix keyed sponge over the hash-then-MAC approach, where F must necessarily be cryptographically strong.

Leakage Resilience of Suffix Keyed Sponge
In practice, however, one might want select a stronger function G, for the plain reason that for an XOR even a small leakage usually allows to draw conclusions about the absorbed secret key. We therefore transform the main result to the setting of leakage resilience PRF design in Section 6. We consider non-adaptive leakage, akin to [Pie09, YSPY10, FPS12, SPY + 10, DP10], and restrict our focus to leakage coming from p. In other words, we assume that G is a protected function (it could be instantiated as a leakage resilient keyed duplex, cf., Dobraunig and Mennink [DM19a]), and consider that the adversary may obtain leakage from the last invocation of p in the suffix keyed sponge. It is easily observed from Figure 1 that only this invocation of p may leak information; all previous ones process no secret data in the first place. Keeping this in mind, the leakage resilience proof is quite clean. First, we note that for repeated inputs X to G for different (b − s)-bit inner parts, the permutation p may leak different pieces of information about G(K, X). By upper bounding the maximum size of a multicollision in the input to G, we can henceforth upper bound the amount of leakage that an adversary may learn for any particular G(K, X), and then upper bound its success probability of guessing this value.
We stress, again, that G need not be cryptographically strong, unlike F in hash-then-MAC. This provides additional flexibility when considering leakage resilience. For instance, it could be possible to use a masked block cipher as G, but with heavily reduced rounds, since an attacker does not see the full output of the block cipher but only a limited leakage of it.
In Section 7, we map our results to ISAP [DEM + 17] and demonstrate that the multicollision events only contribute to the bound negligibly, both in the black-box setting and in the leakage resilience setting. In the conclusion in Section 8, we elaborate on what our leakage resilient PRF result means for leakage resilient MAC design.

Related Work
A significant amount of research has been put in the analysis of the keyed sponge, where the state of the sponge is keyed prior to the absorption of data [BDPV11c, CDH + 12, ADMV15, NY16, JLM14, GPT15, MRV15, BDPV11b, MRV15, DMV17, Men18]. These results have not only led to better and more fine grained bounds, but in the end also demonstrated that the full bit-width of the state can be used to absorb data in the case of such "prefix" keyed duplex or sponge [DMV17]. The reason for this is that, as the key is used to initialize the state, all subsequent states are secret to an adversary.
By allowing full-state absorption, these constructions are naturally more efficient than the suffix keyed sponge. On the downside, however, secrecy of the states also makes these constructions more expensive from a side-channel protection point of view. Constructions following the prefix keyed duplex or prefix keyed sponge usually allow for the evaluation of the same secret state for varying inputs. This is for instance the case in authenticated encryption schemes, which are initialized using a static secret key and a nonce. Hence, DPA attacks can be mounted if the protection against side-channel attacks is insufficient, as shown by Samwel and Daemen [SD17]. Even stronger: not only the initialization has to be protected, but every stage where known changing inputs are mixed with a static secret. In the case of an attacker that can control all the inputs, e.g, for a MAC based on a prefix keyed sponge during verification, this means that the whole construction has to be protected against side-channel attacks. In this light, it makes sense to limit the exposure of the secret key and rely on a suffix keyed sponge as done in ISAP [DEM + 17].
It is worth noting that there exist other ways besides hash-then-MAC and the suffix keyed sponge to end up with leakage resilient MAC constructions. One way to do so is to base the scheme on ideas from asymmetric cryptography, an approach endeavored in a proposal of Martin et al. [MOSW15] that is based on the Barreto-Naehrig [BN05] family of pairing-friendly elliptic curves.
Alternatively, one can design a leakage resilient PRF from a (smaller) weak PRF in a sequential fashion, where the key input to the underlying weak PRF depends on the processed data so far. This approach is adopted in [YSPY10, FPS12, SPY + 10, DP10], among others. Such a PRF can, naturally, also be used as instantiation of G in the suffix keyed sponge.

Preliminaries
Let m, n ∈ N. The set of n-bit strings is denoted {0, 1} n , the set of arbitrarily long strings is denoted {0, 1} * , the set of n-bit functions is denoted func(n), and the set of n-bit permutations is denoted perm(n). We let ¢ n be any injective padding function that transforms an arbitrarily long string X ∈ {0, 1} * into n-bit blocks X 1 , . . . , X . For X ∈ {0, 1} n and if m ≤ n, we denote by left m (X) (resp., right m (X)) the m leftmost (resp., rightmost) bits of X. If m ≥ n, we write (m) n = m(m − 1) · · · (m − n + 1) as the falling factorial. For a finite set X , X $ ← − X denotes the uniformly random drawing of an element X from X .

Distinguishing Advantage
An adversary A is an algorithm. It is given access to one or more oracles O, and after interaction with O it outputs a decision bit b: b ← A O . For two oracles O and P, the adversarial distinguishing advantage is defined as (1)

PRF Security
internally uses a permutation p ∈ perm(b). We write F instantiated with permutation p and key K ∈ {0, 1} k as F p K . The pseudorandom function (PRF) security of F against an adversary A is defined as where the randomness is taken over the random drawing of K $ ← − {0, 1} k , the random drawing of p $ ← − perm(b), the definition of a function R m,t : {0, 1} m → {0, 1} t that generates a random t-bit response for each new input, and the random coins of A.
The adversary is typically bounded by three types of complexities: q denotes the construction complexity, the number of queries the adversary may make to F p K or R m,t ; N denotes the total primitive complexity, which accounts for the total number of evaluations of p (either direct forwardly, direct inversely, or via the real-world construction oracle F p K ); τ denotes the time complexity.
It is a well-known result that a PRF is a secure message authentication code in the black-box model [GGM84,BKR94,BGM04]. More detailed, if Adv mac F (A) denotes the advantage of an adversary A with query access to (F p K , p) to output a non-trivial forgery for F p K , then where q is the number of forgery attempts that A makes. We note that this reduction does not necessarily apply in the leakage resilience setting, cf., Section 8.

Uniform and Universal Functions
Let k, s ∈ N and δ, ε where the randomness is taken over the random drawing of K where the randomness is taken over the random drawing of K $ ← − {0, 1} k . Here, we say that a function is 0-uniform (resp., 0-universal) if above definition applies for δ = ∞ (resp., ε = ∞).
Note that for k ≤ s, the function G(K, X) = K 0 s−k ⊕ X that simply XORs the two input values is 2 −k -uniform and 0-universal. Alternatively, we can define G as a random function: . This function G is 2 −s -uniform and 2 −s -universal.

Multicollision Limit Function
Daemen et al. [DMV17] introduced the multicollision limit function in the context of keyed sponge proofs. We will use the same notion in our proofs.
Let q, b, s ∈ N such that s ≤ b. Consider the experiment of throwing q balls uniformly at random in 2 b−s bins, and denote by µ the maximum number of balls in any single bin. The multicollision limit function µ q b−s,s is defined as the smallest natural number x that satisfies Daemen et al. also proved that if one does not consider the bins to be uniformly randomly selected, but rather according to a distribution D where the i-th ball ends up in a certain bin with probability the corresponding multicollision function, defined as Furthermore, Daemen et al. [DMV17] gave an in-depth analysis of the term µ q b−s,s . The analysis is tedious, but the conclusion is that the term behaves as follows:

Suffix Keyed Sponge
, 1} t is defined in Algorithm 1 and depicted in Figure 1. The function first injectively pads its input P , and hashes it the usual sponge way. Only at this point, the key will be used: the outer k bits of the resulting state are transformed through G(K, ·). The resulting state is processed by the permutation p once more, and the tag equals the outer t bits of the state.

Security of Suffix Keyed Sponge with Restricted Parameters
As a starter, we prove security of the suffix keyed sponge for a restricted case where s, t ≤ r.
, 1} t be a function that generates a random t-bit response for each new input. Consider any adversary A, whose goal is to maximize As we will argue security based on the uniformity and universality of G (and not on the computational security of it), we assume that A is computationally unbounded. Let sponge p be the sponge construction based on permutation p with rate r, that gets input strings of size a multiple of r (we can assume w.l.o.g. that the message is already padded) and a natural number z ∈ N, and it outputs a string of z bits. One can equivalently write F p K as a function F sponge p K as follows: We will resort to the indifferentiability of the sponge [BDPV08], which states that there exists a simulator S such that ∆ A sponge p , p ; RO, S RO ≤ N +1 2 /2 c for any adversary A with total complexity N , where RO is a random oracle. We write F RO K as the suffix keyed sponge construction where the two evaluations of sponge p are replaced by RO, and write F RO,RO K as that construction where the first evaluation of sponge p is replaced by RO and the second one by RO . By a game hopping argument, where A and A are some adversaries with the same primitive complexity N as A (noting that any evaluation of F sponge p K indeed consists of two sponge calls, but they jointly consist of + 1 unique primitive evaluations). The first and last distance in (5) are at most the indifferentiability of the sponge, N +1 2 /2 c . For the middle term of (5), we define the following event bad: As long as bad does not happen, the adversary cannot notice the difference between RO and RO for the finalization calls in both world. Therefore, The event bad requires an adversary to force S into querying the random oracle for value Y := G K (Z) ⊕ Z, where Z is fixed by the specific query that A makes (by design of the actual simulator of [BDPV08]). The adversary makes N attempts, and any of them succeeds with probability at most 2 −δ . We thus obtain that Pr (bad) ≤ N/2 δ .

Security of Suffix Keyed Sponge with Unrestricted Parameters
In this section, we set aside the restriction s, t ≤ r of the previous section and present the main result, namely security of the suffix keyed sponge for arbitrary r, s, t.
Theorem 2. Let b, c, r, k, s, t ∈ N such that c + r = b and k, s, t ≤ b. Consider the suffix keyed sponge of Section 3 based on random permutation p The proof of Theorem 2 is given in Section 5.1. Note that G itself may be anything, as long as it is 2 −δ -uniform and 2 −ε -universal. The simple XOR function, i.e., setting s = k and taking G(K, X) = K ⊕ X, is 2 −k -uniform and 0-universal. A more general instantiation is to have G to be a pseudorandom function independent of the permutation p. In this case, the first step of the proof would be to replace G by a random function at cost Adv prf G (A ), for some adversary A . The second step would be to rely on the observation that a random s-bit function is 2 −s -uniform and 2 −s -universal (see Section 2.3). This leads to the following corollary, for which the formal proof is given in Section 5.2. Corollary 1. Let b, c, r, k, s, t ∈ N such that c + r = b and k, s, t ≤ b. Consider the suffix keyed sponge of Section 3 based on random permutation p For any adversary A with construction complexity q ≥ 2, primitive complexity N ≤ 2 b−1 , and time complexity τ , for some adversary A with construction complexity q, primitive complexity 0, and time complexity τ ≈ τ .

Proof of Theorem 2
1} t be a function that generates a random t-bit response for each new input. Consider any adversary A, whose goal is to maximize We will call O := (F p K , p) the real world and P := (R * ,t , p) the ideal world. As we will argue security based on the uniformity and universality of G (and not on the computational security of it), we assume that A is computationally unbounded. Without loss of generality, it is deterministic: for any probabilistic adversary there is a deterministic one with the same success probability.

Oracle Interaction
The adversary has a total primitive complexity N , meaning that for the real world the total number primitive queries (direct or through F p K ) does not exceed N . Of course, the ideal world R * ,t does not query p, but the complexity is counted in terms of the number of evaluations that would be made to p in the real world. Note that in the real world O = (F p K , p), any construction query P of blocks entails + 1 evaluations of p: the first evaluations are "offline" and the adversary can evaluate them itself using the primitive oracle, and the last evaluation is keyed. We will thus consider A to be allowed an "offline" complexity N − q and an online complexity q. Without loss of generality, as duplicated queries are not counted doubly, we may assume that before each construction query, the adversary makes all primitive queries but the last one itself offline.
The interaction of A with its oracle (O or P) is summarized in a view. All q construction queries (to F p K in the real world and to R * ,t in the ideal world) are summarized in a view All primitive evaluations (to p, in both worlds) are summarized in a view where dir j ∈ {+, −} denotes the direction of the j-th query: forward primitive queries are denoted by dir j = + and inverse primitive queries by dir j = −. The variables dir j are used to distinguish between the direction of the queries in case of inner collisions. After the conversation of A with its oracle, but before it outputs its decision bit, we reveal additional information to A. First of all, we reveal a key K. In the real world, this is the key K $ ← − {0, 1} k that is effectively used by G K ; in the ideal world, it is a dummy key. In addition, we reveal a tuple {Z 1 , . . . , Z q }. In the real world, these are the values that are truncated at the end of each construction query to F p K (i.e., the values right b−t (S) with S the state of line 7 of Algorithm 1); in the ideal world, these are random values The aggregate view is defined as v = (v c , v p , K). We assume that the adversary never makes any duplicate query, hence P i = P i for any two distinct queries in v c and (X j , Y j ) = (X j , Y j ) for any two distinct queries in v p . It is important to note that, as we force A to make all primitive queries corresponding to the unkeyed part of F p K , for each construction query (P i , T i ), the state value U i that is at the end of the unkeyed part of F p K (see Figure 1) can be retrieved from v p . We subsequently define V i and W i from U i , K, and v c as follows: Note that in the real world (F p K , p), the values V i and W i are the actual values indicated in Figure 1. In the ideal world, they are simply defined as in (8) and (9).

H-Coefficient Technique
We denote by D O the probability distribution of views in interaction with O, and by D P the probability distribution of views in interaction with P. Define V to be the set of "attainable views": views v such that Pr (D P = v) > 0. We will use the H-coefficient technique [Pat08,CS14].

Bad Views
Informally, we consider a view bad if for any construction query P i in the real world O = (F p K , p), the evaluation (V i , W i ) of p is repeated. This is formally covered by the following two events: We indeed need these two bad events, because in the non-occurrence of either of those, v = (v c , v p , K) corresponds to exactly N input/output tuples of p (and one key).
However, analyzing bad events coll cc and coll cp is quite involved, and we will define four auxiliary bad events. For this, let ν right = µ 2(N −q) b−s,s and ν tag = µ q t,b−t be two thresholds.
Events cap fwd and cap inv cover the case that there exists a inner collision, and that the adversary has potentially found two different plaintexts leading to the same inner part. At the cost of readability, the event cap fwd can be tightened slightly, noting that it is not a problem if right c (Y j ) hits an older inner part if this j-th query is not "rooted", i.e., if there is no path from 0 b to this query. See also Daemen et al. [DMV18].
The events mc right and mc tag cover multicollisions on part of the state, and are included to tighten the bounding of the occurrence of coll cc ∨ coll cp . We note that the choice of thresholds ν right and ν tag (and our reliance on the multicollision limit function of Section 2.4) is for the sake of generality. It may be that for specific parameter choices b, c, s, t, better thresholds may render a better bound. See also Section 8.
We write cap = cap fwd ∨ cap inv and bad = cap ∨ mc right ∨ mc tag ∨ coll cc ∨ coll cp .

Probability of Bad View
Our goal is to bound the probability that a bad transcript is generated in the ideal world, Pr (D P ∈ V bad ). This probability equals the probability that a view v generated by D P satisfies bad. By basic probability theory, Pr (D P ∈ V bad ) = Pr (bad) ≤ Pr (cap) + Pr (mc right ) + Pr (mc tag ) + Pr (coll cc | ¬(cap ∨ mc right )) + Pr (coll cp | ¬(cap ∨ mc right ∨ mc tag )) .
Here, we recall that in the ideal world, K cap. Consider the j-th query (dir j , X j , Y j ). If it is a forward query it can only set cap fwd and if it is an inverse query it can only set cap inv . In either case, the response is uniformly randomly generated using a random permutation p from a set of size at least 2 b − (j − 1) elements. The query sets cap fwd with probability at most (2j − 1)2 r /(2 b − (j − 1)) and cap inv with probability at most j2 r /(2 b − (j − 1)). In either case, as any query is either forward or inverse, the success probability is at most 2(2j − 1)/2 c , using that j − 1 ≤ 2 b−1 . Summing over all queries, we obtain The values Y j are randomly generated from {0, 1} b \{Y 1 , . . . , Y j−1 }, and at most N − q draws are done. The event mc right is thus a balls-and-bins experiment with N − q balls randomly thrown into 2 b−s bins, in such a way that any of the bins contains more than ν right balls. Note that the distribution of balls satisfies the condition of (3). By definition of ν right = µ 2(N −q) b−s,s , we can resort to the multicollision limit function of Section 2.4 and obtain The values W i are randomly generated from {0, 1} b , and q draws are done. The event mc tag is thus a balls-and-bins experiment with q balls uniformly randomly thrown into 2 t bins, in such a way that any of the bins contains more than ν tag balls. By definition of ν tag = µ q t,b−t , we can resort to the multicollision limit function of Section 2.4 and obtain b−s,s · q/2, and we obtain that there exist i, i such that V i = V i with probability at most For the second event of coll cc , as the values W i are randomly generated from {0, 1} b , there exist i, i with W i = W i with probability at most q 2 /2 b ≤ q 2 /2 b . We thus obtain coll cp . Fix any primitive query (dir j , X j , Y j ) (N − q possibilities). We consider both equations of the event separately. First consider equation V i = X j : • If dir j = +, the equation V i = X j is equivalent to stating that As for the analysis coll cc , by ¬cap and ¬mc right , there are at most ν right = µ 2(N −q) b−s,s construction queries with right b−s (U i ) = right b−s (X j ). By 2 −δ -uniformity of G, any of these satisfies above equation with probability at most 2 −δ .
• If dir j = −, the equation happens with probability at most µ 2(N −q) b−s,s /2 δ as it is symmetric to the case of V i = X j in forward queries.

Next consider equation
By ¬mc tag , there are at most ν tag = µ q t,b−t construction queries with T i = left s (Y j ).
any of these satisfies above equation with probability at most 1/2 b−t .
Aggregating both cases, we obtain Conclusion. Summing the individual terms, we obtain for (11) that where we used that min{δ, ε} ≤ s and q ≥ 2.

Ratio for Good Views
Consider any good view v ∈ V good . We will prove that Pr Real World. We start with the real world O = (F p K , p). The view v p corresponds to exactly N − q distinct input/output tuples of p. For any construction query P i in the extended view v c , the unkeyed part of the evaluation of F p K (M ) is included in v p . The keyed evaluation of p is the tuple (V i , W i ) defined in (8)-(9). By the non-occurrence of coll cp , it is different from any tuple in v p , and by the non-occurrence of coll cc it is different from any earlier tuple (V i , W i ) with i < i. Therefore, the good view v = (v c , v p , K) corresponds to exactly N input/output tuples of p and one random key K. Therefore, we obtain: Ideal World. We next consider the ideal world P = (R * ,t , p). The view v p corresponds to exactly N − q distinct input/output tuples of p. The extended view v c consists of q outputs T 1 , . . . , T q of R * ,t and q dummy values Z 1 , . . . , Z q $ ← − {0, 1} b−t . Finally, the key K is random as before. Therefore, we obtain: Bounding the Ratio. Combining (14) and (15), we obtain the following for any good view v ∈ V good :

Proof of Corollary 1
Let , 1} t be a function that generates a random t-bit response for each new input. Consider any adversary A, whose goal is to maximize As a first step, we replace G K by a function R s : {0, 1} s → {0, 1} s that generates a random s-bit response for each new input. Denote the resulting suffix keyed sponge construction by F p,Rs . By a straightforward reduction, where A is some adversary with construction complexity q, primitive complexity 0 (as G does not depend on p), and time complexity τ ≈ τ . The remaining distance ∆ A F p,Rs , p ; R * ,t , p of (18) is bounded using Theorem 2, noting that R s is an instance of a random function family, which is 2 −s -uniform and 2 −s -universal (see Section 2.3).

Leakage Resilience of Suffix Keyed Sponge
We will demonstrate how Theorem 2 carries over to leakage resilience. We first describe the model of leakage resilient PRFs in Section 6.1. The leakage resilience of the suffix keyed sponge is stated in Section 6.2.

Leakage Resilient PRF Security
We transform the definition of PRF security of Section 2.2 to security in case of leakage resilience. We will restrict our focus to non-adaptive L-resilience of Dodis and Pietrzak [DP10], where the adversary receives leakage under any leakage L ∈ L of the scheme under investigation. We adopt the well-established approach [Pie09, YSPY10, FPS12, SPY + 10, DP10,BMOS17] where the adversary has access to a leak-free version of the construction which it has to distinguish from random, and a leaky version, which it may use to obtain leakage.
Let b, k, t, λ, λ ∈ N and m ∈ N ∪ { * }. Consider the suffix keyed sponge function 1} t that internally uses a permutation p ∈ perm(b) and a function G :  (V, W ), where U is the state before evaluation of G and where V and W are the state before and after the last evaluation of p in F p K (see Figure 1). Note that L G must also operate on left s (U ) and L p must also operate on right b−s (V ) and left t (W ), despite that the adversary knows these values: the leakage functions may operate differently depending on these values. The leakage functions give the same leakage whenever the inputs are the same, but possibly different leakages for different inputs. The non-adaptive leakage resilient pseudorandom function (NALR-PRF) security of F against an adversary A is defined as where the randomness is taken over the random drawing of K that generates a random t-bit response for each new input, and the random coins of A.
The adversary never repeats construction queries (both to the leaky and leak-free oracle). The adversary is typically bounded by three types of complexities: q denotes the construction complexity, the number of queries it may make to ([F p K ] L , F p K ) or ([F p K ] L , R m,t ); N denotes the total primitive complexity, which accounts for the total number of evaluations of p (either direct or via the real-world construction oracle); τ denotes the time complexity.
We briefly elaborate on the scope of our model. Any leakage function L that gives a bounded amount of information about its inputs is fine. For instance, a probe placed on a wire within a circuit falls into this category. The only restriction we have is that L is chosen at the beginning of the experiment, and hence stays the same for every evaluation. E.g., a function that gives for a permutation call p(K A 1 ) the first λ bits of K and for p(K A 2 ) the second λ bits of K is fine. However, the function is not allowed to be change, e.g., getting for p(K A 1 ) the first λ bits of K and for a later same call p(K A 1 ) the second λ bits of K is not allowed. The parameter λ is basically used to upper bound the total amount an adversary might learn from this single call p(K A 1 ), over the entire duration of the experiment.

Security of Suffix Keyed Sponge under Leakage
We will prove that the suffix keyed sponge is a leakage resilient PRF under the assumption that p is a random permutation and G is a 2 −δ -uniform and 2 −ε -universal function that is strongly protected against side-channel attacks. Stated differently, we inherit the assumptions of Theorem 2, and in addition require that G is strongly protected.
In a bit more detail, we say that G is strongly protected if it is 2 −δ -uniform and 2 −ε -universal even under internal leakage, i.e., if for any leakage function L G ∈ L G , any auxiliary leakage function L aux : {0, 1} s → {0, 1} ν (for some ν), and any X, X , Y ∈ {0, 1} s with X = X , where the randomness is taken over the random drawing of K $ ← − {0, 1} k . The condition that earlier leakage must be considered over any possible Z is generous: it can be refined to only consider values Z for which G actually gets evaluated in the suffix keyed sponge construction. However, in many applications, including the one that we will discuss in the next paragraph, the generous conditioning is tolerable. The auxiliary leakage function L aux is required to capture leakage on G(K, X) that might be gathered from outside G, i.e., from leaky evaluations of p. Indeed, in our construction, the leaky evaluation of p gets V as input, where left s (V ) = G(K, left s (U )), and we must take this leakage into account when investigating leakage coming from G.
The assumption that G is strongly protected is well-established, see [BKP + 18, BPPS17, GPPS19] among others, with the difference that we apply it to the definition of universal hashing. By adopting the generous definition of strongly protected universal G, we can separate leakage of G from leakage of p, and thus discard of leakage incurred by evaluations of G in the proof: they are implicit in the uniformity terms δ and ε.
One way to construct a suitable G is by instantiating it with an "adjusted ideal extendable input function (AIXIF)" in light of the formalism of Dobraunig and Mennink [DM19a]. Simply said, an AIXIF is the ideal equivalent of a leakage resilient keyed duplex construction, and Dobraunig and Mennink proved that the keyed duplex is indistinguishable from an AIXIF (under certain conditions) even if the construction leaks upon each duplexing call. Such a function would, indeed, do the job in the instantiation of G, as an AIXIF leaks no useful information, except, possibly, a constant amount of information about the key that is the same for each evaluation of the AIXIF. Clearly, upon instantiation of the AIXIF as a leakage resilient keyed duplex [DM19a], one has to take into account the distinguishing advantage with respect to the AIXIF. A concrete example of how a leakage resilient keyed duplex can be used to instantiate G in the suffix keyed sponge is given by Dobraunig and Mennink [DM19b,Proposition 6]. In this example, G is instantiated with a k-bit keyed AIXIF that is strongly protected 2 −(k−λ) -uniform and 2 −(k−λ) -universal, where λ denotes the maximum amount of leakage incurred by evaluations of the cryptographic permutation within the mode.
We are ready to state the theorem on the leakage resilience of the suffix keyed sponge.
Theorem 3. Let b, c, r, k, s, t, λ ∈ N such that c + r = b and k, s, t ≤ b. Consider the suffix keyed sponge of Section 3 based on random permutation p $ ← − perm(b) and a function G : {0, 1} k × {0, 1} s → {0, 1} s . Assume that G is strongly protected 2 −δ -uniform and 2 −ε -universal. For any adversary A with construction complexity q ≥ 2 and primitive complexity N ≤ 2 b−1 , where we recall that λ denotes the maximum amount of information leaked in one leaky evaluation of p.
The proof is given in Section 6.3.

Proof of Theorem 3
The proof is a mere extension of that of Section 5.1, but as the adversary is given access to an additional oracle, and gets leakage for that oracle, care must be taken in the formal application of the H-coefficient technique. In current proof, we highlight the changes.
, 1} t be a function that generates a random t-bit response for each new input. Let L = (L p , L G ) ∈ L be any leakage function. Consider any adversary A, whose goal is to maximize We will call O := ([F p K ] L , F p K , p) the real world and P := ([F p K ] L , R * ,t , p) the ideal world. As before, we assume that A is deterministic.

Oracle Interaction
As before, the adversary has a total primitive complexity N , meaning that for the real world the total number primitive queries (direct or through [F p K ] L or F p K ) does not exceed N . We again require A to make all unkeyed primitive queries itself offline, and all primitive evaluations (to p, in both worlds) are summarized in a view Any construction query to [F p K ] L leaks information, namely through evaluations of G K and through evaluations of the last permutation call. As discussed above, we can restrict our focus to leakage from p: leakage from G K is captured implicitly in the universality terms δ and , as we will also detail later on. Thus, in our setting, any construction query to [F p K ] L leaks the value L p (V, W ) ∈ {0, 1} λ . Noting that, in fact, the adversary also learns the values right b−s (V ) and left t (W ), we will model the leakage more generously: we assume that for each query the adversary learns λ bits of left s (V ), called V ∈ {0, 1} λ , and λ bits of right b−t (W ), called W ∈ {0, 1} λ . For consistency, we simply define V = W = ⊥ if the corresponding query is made to the challenge oracle (F p K in the real world or R * ,t in the ideal world). All q construction queries (to ([F p K ] L , F p K ) in the real world and to ([F p K ] L , R * ,t ) in the ideal world) are summarized in a view v c = {(P 1 , T 1 , V 1 , W 1 ), . . . , (P q , T q , V q , W q )} .
(One can deduce from ( V i , W i ) whether the i-th query was made to the leaky or leak-free oracle.) After the conversation of A with its oracle, but before it outputs its decision bit, we reveal the key K and the values Z i as before, but now the definition of these values Z i is slightly more delicate. For queries to [F p K ] L (in either world) or to F p K (in the real world only), the values Z i are the values that are truncated at the end of the construction query; for R * ,t , these are random values Z i

The aggregate view is defined as
Note that the definitions of U i , V i , and W i (see also (8)-(9)) carry over. In particular, if the i-th query was made to the leaky oracle [F p K ] L , the leakages V i and W i are consistent with the values V i and W i .

Bad Views
We inherit the bad events of Section 5.1, but now with thresholds ν right = µ 2(N −q) b−s,s and ν tag = µ 2q t,b−t . We furthermore need to split event coll cp into input and output collisions: • coll cp-in : there exist i ∈ {1, . . . , q} and j ∈ {1, . . . , N − q} with • coll cp-out : there exist i ∈ {1, . . . , q} and j ∈ {1, . . . , N − q} with The reason for this separation is that in the proof of Section 5.1, coll cp-out is proven under the non-occurrence of mc tag , but as the view v c also includes queries to [F p K ] L , one can only upper bound the probability that mc tag occurs under the condition that coll cp-in does not occur.
Finally, we define a helping event used to bound the amount of leakage. Let ν left = µ 2(N −q) s,b−s be a threshold. We write cap = cap fwd ∨ cap inv and

Probability of Bad View
Our goal is to bound the probability that a bad view is generated in the ideal world, Pr (D P ∈ V bad ). This probability equals the probability that a view v generated by D P sets bad. By basic probability theory, ≤ Pr (cap) + Pr (mc left ) + Pr (mc right ) + Pr (mc tag | ¬coll cp-in ) + Pr (coll cc | ¬(cap ∨ mc right )) + Pr (coll cp-in | ¬(cap ∨ mc left ∨ mc right )) + Pr (coll cp-out | ¬(cap ∨ mc tag ∨ coll cp-in )) .
Much of the analysis of the proof of Section 5.1 carries over verbatim, but there are some differences, most notably in the analysis of mc left (the new bad event) and coll cp (leakages must be taken into account).
cap. The analysis is identical to the one in Section 5.1, and we obtain mc left . The analysis is symmetric to the one of mc right in Section 5.1, and we obtain mc right . The analysis is identical to the one in Section 5.1, and we obtain mc tag . Note that the tuples in v c either come from R * ,t or [F p K ] L . In the former case, the values W i are randomly generated from {0, 1} b . In the latter case, by ¬coll cp-in , they are generated uniformly randomly without replacement. The event mc tag is thus a balls-andbins experiment with q balls randomly (with some distribution) thrown into 2 t bins, in such a way that any of the bins contains more than ν tag balls. Note that the distribution of balls satisfies the condition of (3). By definition of ν tag = µ 2q t,b−t , we can resort to the multicollision limit function of Section 2.4 and obtain coll cc . The analysis for the case of V i = V i is identical to the one in Section 5.1. Here, we note that, particularly, the probability analysis does not change as it is independent of the leakage that happens outside G. That leakage, in turn, is captured within the 2 −ε -universality of G. if and only if V i = V i , but that case was already covered above. If at least one of the two queries is made to R * ,t , equation W i = W i holds with probability at most 1/(2 b − (j − 1)) ≤ 2/2 b , using that j − 1 ≤ 2 b−1 . There are at most q 2 ≤ q 2 /2 choices i, i ∈ {1, . . . , q} such that at least one of the two queries is made to R * ,t .
We obtain coll cp-in . Fix any primitive query (dir j , X j , Y j ). We make a distinction depending on the direction of this query. If dir j = +, the equation V i = X j is equivalent to stating that As for the analysis coll cc , by ¬cap and ¬mc right , there are at most ν right = µ 2(N −q) b−s,s construction queries with right b−s (U i ) = right b−s (X j ). By ¬mc left , the adversary might have seen at most ν left = µ 2(N −q) s,b−s leakages for G(K, left s (U i )). Each of these leakages reduces the entropy of the state by at most λ bits. As G itself is 2 −δ -uniform (and this covers leakage within G itself), any of the queries satisfies above equation with probability at Here, we explicitly note that (20) is defined conditioned on auxiliary leakage, which in current analysis is of size ν := µ 2(N −q) s,b−s λ bits. If dir j = −, the case of equation V i = X j is symmetric, as in the proof of Section 5.1, but now with probability 2 −δ as no leakage can be exploited.
Aggregating both cases, we obtain coll cp-out . Fix any primitive query (dir j , X j , Y j ). We make a distinction depending on the direction of this query.
If dir j = −, the equation W i = Y j is equivalent to stating that By ¬mc tag , there are at most ν tag = µ 2q t,b−t construction queries with T i = left s (Y j ). We have Z i $ ← − {0, 1} b−t , but the adversary may have learned information about this value through leakage. There could be at most one leakage for this value, and this leakage reduces the entropy by at most λ bits. Therefore any of these construction queries satisfies above equation with probability at most 1/2 b−t−λ .
If dir j = + and the i-th query is to [F p K ] L , the equation cannot be set by condition ¬coll cp-in . If the i-th query is to R * ,t , the equation W i = Y j happens with probability at most q/(2 b − (j − 1)) ≤ 2q/2 b , using that j − 1 ≤ 2 b−1 .
Aggregating both cases, we obtain Conclusion. Summing the individual terms, we obtain for (24) that where we used that min{δ, ε} ≤ s and q ≥ 2.

Ratio for Good Views
Consider any good view v ∈ V good . We will prove that Pr Real World. For the real world, the analysis is exactly as that of Section 5.1, using that the leakage values V i , W i in v c -the only difference compared with the analysis in Section 5.1 -contain no additional information after the values Z i and K have been revealed. Therefore, we obtain: Ideal World. For the ideal world, the analysis is more involved, as construction queries may be to the real but leaky oracle [F p K ] L or to the ideal oracle R * ,t . Assume that v contains q ≤ q queries to the ideal oracle. By independence of R * ,t from ([F p K ] L , p), we can resort to the analysis for the real world for all elements in v except for the q queries to R * ,t . For these q queries, we can observe that the outputs T i $ ← − {0, 1} t and dummy values Z i $ ← − {0, 1} b−t are randomly generated, as before. Therefore, we obtain: Bounding the Ratio. Combining (26) and (27), we obtain the following for any good view v ∈ V good :

Conclusion
The H-coefficient technique of Lemma 1 gives, using (25) and (28): As this holds for any leakage function L ∈ L, this completes the proof.

Application
One Comparing both construction, we see that they achieve a similar security level, namely 128 bits up to small constant factors. The biggest difference in both bounds is the factor µ 2(N −q) b−s,s , which changes from 3 to 5. This is a marginal change considering that the inner part of the state for the 320-bit construction is just 192 bits, which is significantly smaller than the 256-bit capacity one would need in order to rely on the indifferentiability result of the sponge [BDPV08].
In previous examples, we upper bounded the values of µ q t,b−t and µ 2(N −q) b−s,s by upper bounding the query complexities q and N to 2 128 . However, if we consider the leakage resilience bound of Theorem 3, doing the same thing would distort the advantage, since the advantage an attacker gains by exploiting the leakage is tightly coupled with µ 2(N −q) s,b−s . Hence, we have to consider µ 2(N −q) s,b−s as a function, which grows for a fixed b and s if 2(N −q) increases. To get some insight what this means for practical cases, let us consider an attacker with complexities N = 2 65 and q = 2 64 . Furthermore, assume that r = 64, c = 256, and s = t = 128 as in the example above. In this case, we get µ 2(N −q) s,b−s = µ 2q t,b−t = µ 2 65 128,192 ≤ 5 and µ 2(N −q) b−s,s = µ 2 65 192,128 ≤ 3. If we assume that G is strongly protected 2 −128 -uniform and 2 −128 -universal, we get Adv nalr-prf F (A) ≤ 1 2 61 + 5 2 192 + 3 · 2 65 2 128−5λ + 5 · 2 65 2 192−λ , meaning that in this case λ can be up to 12 bits while still having an advantage smaller than one.

Conclusion and Discussion
Towards Leakage Resilient Message Authentication. In this paper, we provided the -to the best of our knowledge -first dedicated analysis of the suffix keyed sponge and bounded the advantage of an attacker in distinguishing this construction from a PRF in the black-box security model and in the leakage resilience model. However, we stress that such a leakage resilient PRF not always results in a leakage resilient MAC. This remark seems counter-intuitive, but recently, Berti et al. [BGP + 19] and Guo et al. [GPPS19] detailed a problem with MACs during the verification. In most cases, this is done by computing a tag T from the transmitted data M by using the PRF and compare it with the transmitted tag T . If this comparison is not done in a leakage resilient manner, information about T can leak. Thus, an attacker could learn information about T by repeated queries of the same M with different T . If all the information about T is learned, a forgery M T can be created.
In their schemes, Berti et al.
[BGP + 19] and Guo et al. [GPPS19] overcome this issue in their hash-then-MAC construction by computing the inverse of a perfectly protected tweakable block cipher on the transmitted T to compare directly the outcome of the hash function, so no information about T can leak. The approach is also used in Spook [BBB + 19]. Clearly, this can also be done for a MAC based on a suffix keyed sponge if we do not use T directly, but also put T in a perfectly protected block cipher and transmit E K (T ), and also doing the comparison via the inverse. Another way to protect the comparison is, as suggested by Dobraunig et al. [DEM + 19], via one additional permutation call during the verification. In this case, T and T are computed and transmitted as normal, but instead of a direct comparison, e.g., left t (p(T 0 b−t )) is compared with left t (p(T 0 b−t )) first. In such a comparison, quite in a similar manner to [GPPS19, BGP + 19], the comparison only reveals mostly useless information, namely only at most t out of b − t bits of p(T 0 b−t ), which gives no advantage in retrieving T .
Estimation of Multicollision Probabilities. The leakage resilience security bound of Theorem 3 has a term that bounds the probability of a large multicollision in the outer part of the state: The bound is based on the multicollision limit function bounding from Section 2.4. This bound, however, shows an unexpected behavior if s = b, i.e., if one opts to absorb the key over the full state: the bound of Theorem 3 becomes meaningless. However, this is purely due to generality. For specific cases, in particular when b − s c, other choices for the threshold value ν left would give a better bound. For example, in case b = s one would simply not even have collisions in the first place (by assumption that ¬cap holds).
Suffix Keyed Sponge for Short Messages. The description of the suffix keyed sponge of Section 3 is given in a general manner in such a way that it still resembles as much as possible from the sponge. One can improve the efficiency of the suffix keyed sponge slightly by absorbing more data bits in the first round. Let a ∈ N satisfy a ≤ c/2, and consider an adjustment of the suffix keyed sponge where the first block is of size r + a bits, but all remaining blocks are of size r bits. In the security proofs of both the black-box and the leakage resilience case, this only affects the definition and analysis of cap inv , which is set if an inverse query satisfies right c−a (X j ) = 0 c−a . This, in turn, happens with probability at most 2(N − q)/2 c−a . Summarizing, one can increase the rate for the first block by a ≤ c/2 bits, and this only adds 2(N − q)/2 c−a to the bound of Theorem 2, Corollary 1, or Theorem 3. This term would not dominate the bound as long as a ≤ c/2. Scientific Research (NWO) under Veni grant 016.Veni.173.017. We thank the reviewers and shepherds of ToSC 2019 for their valuable comments.