Key Prediction Security of Keyed Sponges


  • Bart Mennink Digital Security Group, Radboud University, Nijmegen, The Netherlands



outer-keyed sponge, full-keyed sponge, key prediction, graph-based proof


The keyed sponge is a well-accepted method for message authentication. It processes data at a certain rate by sequential evaluation of an underlying permutation. If the key size k is smaller than the rate, currently known bounds are tight, but if it exceeds the rate, state of the art only dictates security up to 2k/2. We take closer inspection at the key prediction security of the sponge and close the remaining gap in the existing security analysis: we confirm key security up to close to 2k, regardless of the rate. The result impacts all applications of the keyed sponge and duplex that process at a rate smaller than the key size, including the STROBE protocol framework, as well as the related constructions such as HMAC-SHA-3 and the sandwich sponge.



How to Cite

Mennink, B. (2018). Key Prediction Security of Keyed Sponges. IACR Transactions on Symmetric Cryptology, 2018(4), 128–149.