Keyed sponge with prefix-free padding: Independence between capacity and online queries without the suffix key

Abstract

In this paper, we study the pseudo-random function (PRF) security of keyed sponges. “Capacity” is a parameter of a keyed sponge that usually defines a dominant term in the PRF-security bound. So far, the PRF-security of the “prefix” keyed sponge has mainly been analyzed, where for a key K, a message M and the sponge function Sponge, the output is defined as Sponge(K‖M). A tight bound for the capacity term was given by Naito and Yasuda (FSE 2016): O((qQ + q2)/2c) for the capacity c, the number of online queries q and the number of offline queries Q. Later, Naito (CANS 2016) showed that using the sandwich method where the output is defined as Sponge(K‖M‖K), the dependence between c and q can be removed, i.e., the capacity term is improved to O(rQ/2c), where r is the rate. However, unlike the prefix keyed sponge, the sandwich keyed sponge uses the suffix key that requires the memory to keep the suffix key. The additional memory requirement seems not to be appropriate for lightweight settings. For this problem, we consider a keyed sponge with a prefix-free padding, KSpongePF, where for a prefix-free padding function pfpad, the output is defined as Sponge(K‖pfpad(M)). We show that KSpongePF achieves the same level of PRF-security as the sandwich keyed sponge: the capacity term is O(rQ/2c). Hence, using KSpongePF, the independence between c and q can be ensured without the suffix key.