Sandwich construction for keyed sponges: Independence between capacity and online queries

Abstract

We study the pseudo-random function (PRF) security of keyed sponges that use a sponge function with extendable outputs in a black-box way. “Capacity” is a parameter of a keyed sponge that usually defines a dominant term in the PRF-bound. Previous works have improved the capacity term in the PRF-bound of the “prefix” keyed sponge, where the key is prepended to an input message, and then the resultant value is input into the sponge function. A tight bound for the capacity term was given by Naito and Yasuda (FSE 2016): $(qQ + q^2)/2^c$, where $c$ is the capacity, $q$ is the number of online queries and $Q$ is the number of offline queries. Thus the following question naturally arises: can we construct a keyed sponge with security beyond the $(q^2 + qQ)/2^c$ bound? In this paper, we consider the “sandwich” keyed sponge, where the key is both prepended and appended to an input message, and then the resultant value is input into the sponge function. We prove that the capacity term becomes $rQ/2^c$ for the rate $r$, where usually $r \ll q$ and $r \ll Q$. Therefore, by the sandwich construction, the dependence between the capacity term and the number of online queries can be removed.

Naito, Y. (2016). Sandwich construction for keyed sponges: Independence between capacity and online queries. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10052 LNCS, pp. 245–261). Springer Verlag. https://doi.org/10.1007/978-3-319-48965-0_15