Tightness of the Suffix Keyed Sponge Bound


  • Christoph Dobraunig Graz University of Technology, Graz, Austria; Radboud University, Nijmegen, The Netherlands
  • Bart Mennink Radboud University, Nijmegen, The Netherlands




generic attacks, symmetric cryptography, permutation-based cryptography, SuKS


Generic attacks are a vital ingredient in the evaluation of the tightness of security proofs. In this paper, we evaluate the tightness of the suffix keyed sponge (SuKS) bound. As its name suggests, SuKS is a sponge-based construction that absorbs the key after absorbing the data, but before producing an output. This absorption of the key can be done via an easy to invert operation, like an XOR, or a hard to invert operation, like a PRF. Using SuKS with a hard to invert absorption provides benefits with respect to its resistance against side-channel attacks, and such a construction is used as part of the authenticated encryption scheme Isap. We derive two key recovery attacks against SuKS with easy to invert key absorption, and a forgery in case of hard to invert key absorption. The attacks closely match the terms in the PRF security bound of SuKS by Dobraunig and Mennink, ToSC 2019(4), and therewith show that these terms are justified, even if the function used to absorb the key is a PRF, and regardless of whether SuKS is used as a PRF or a MAC.




How to Cite

Dobraunig, C., & Mennink, B. (2020). Tightness of the Suffix Keyed Sponge Bound. IACR Transactions on Symmetric Cryptology, 2020(4), 195–212. https://doi.org/10.46586/tosc.v2020.i4.195-212