Tightness of the Suffix Keyed Sponge Bound

Christoph Erwin Dobraunig, Bart Mennink

Research output: Contribution to journalArticlepeer-review


Generic attacks are a vital ingredient in the evaluation of the tightness of security proofs. In this paper, we evaluate the tightness of the suffix keyed sponge (SuKS) bound. As its name suggests, SuKS is a sponge-based construction that absorbs the key after absorbing the data, but before producing an output. This absorption of the key can be done via an easy to invert operation, like an XOR, or a hard to invert operation, like a PRF. Using SuKS with a hard to invert absorption provides benefits with respect to its resistance against side-channel attacks, and such a construction is used as part of the authenticated encryption scheme Isap. We derive two key recovery attacks against SuKS with easy to invert key absorption, and a forgery in case of hard to invert key absorption. The attacks closely match the terms in the PRF security bound of SuKS by Dobraunig and Mennink, ToSC 2019(4), and therewith show that these terms are justified, even if the function used to absorb the key is a PRF, and regardless of whether SuKS is used as a PRF or a MAC.
Original languageEnglish
Pages (from-to)195-212
Number of pages18
JournalIACR Transactions on Symmetric Cryptology
Issue number4
Publication statusPublished - Dec 2020


  • Generic attacks
  • Permutation-based cryptography
  • SuKS
  • Symmetric cryptography

ASJC Scopus subject areas

  • Software
  • Computational Mathematics
  • Applied Mathematics
  • Computer Science Applications

Cite this