{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T00:29:01Z","timestamp":1766449741500,"version":"3.37.3"},"reference-count":96,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2018,6,15]],"date-time":"2018-06-15T00:00:00Z","timestamp":1529020800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001832","name":"Radboud University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100001832","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2019,7]]},"DOI":"10.1007\/s00145-018-9299-7","type":"journal-article","created":{"date-parts":[[2018,6,15]],"date-time":"2018-06-15T19:13:22Z","timestamp":1529090002000},"page":"895-940","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":11,"title":["Beyond Conventional Security in Sponge-Based Authenticated Encryption 
Modes"],"prefix":"10.1007","volume":"32","author":[{"given":"Philipp","family":"Jovanovic","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Atul","family":"Luykx","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bart","family":"Mennink","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yu","family":"Sasaki","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kan","family":"Yasuda","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2018,6,15]]},"reference":[{"key":"9299_CR1","unstructured":"J. Alizadeh, M. Aref, N. Bagheri, Artemia v1 (2014), submission to CAESAR competition"},{"key":"9299_CR2","unstructured":"E. Andreeva, B. Bilgin, A. Bogdanov, A. Luykx, F. Mendel, B. Mennink, N. Mouha, Q. Wang, K. Yasuda, PRIMATEs v1 (2014), submission to CAESAR competition"},{"key":"9299_CR3","unstructured":"E. Andreeva, B. Bilgin, A. Bogdanov, A. Luykx, F. Mendel, B. Mennink, N. Mouha, Q. Wang, K. Yasuda, PRIMATEs v1.1 (2016), submission to CAESAR competition"},{"key":"9299_CR4","doi-asserted-by":"crossref","unstructured":"E. Andreeva, B. Bilgin, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, APE: authenticated permutation-based encryption for lightweight cryptography, in C. Cid, C. Rechberger, (eds.) Fast Software Encryption\u201421st International Workshop, FSE 2014, London, UK, March 3\u20135, 2014. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8540 (Springer, 2014), pp. 168\u2013186","DOI":"10.1007\/978-3-662-46706-0_9"},{"key":"9299_CR5","doi-asserted-by":"crossref","unstructured":"E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, E. Tischhauser, K. Yasuda, Parallelizable and authenticated online ciphers, in K. Sako, P. Sarkar, (eds.) 
Advances in Cryptology\u2014ASIACRYPT 2013\u201419th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1\u20135, 2013, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8269 (Springer, 2013), pp. 424\u2013443","DOI":"10.1007\/978-3-642-42033-7_22"},{"key":"9299_CR6","doi-asserted-by":"crossref","unstructured":"E. Andreeva, J. Daemen, B. Mennink, G. Van Assche, Security of keyed sponge constructions using a modular proof approach, in G. Leander, (ed.) Fast Software Encryption\u201422nd International Workshop, FSE 2015, Istanbul, Turkey, March 8\u201311, 2015, Revised Selected Papers. Lecture Notes in Computer Science, vol. 9054 (Springer, 2015), pp. 364\u2013384","DOI":"10.1007\/978-3-662-48116-5_18"},{"key":"9299_CR7","unstructured":"J. Aumasson, P. Jovanovic, S. Neves, NORX v1 (2014), submission to CAESAR competition"},{"key":"9299_CR8","unstructured":"J. Aumasson, P. Jovanovic, S. Neves, NORX v2.0 (2015), submission to CAESAR competition"},{"key":"9299_CR9","unstructured":"N. Bagheri, Padding of Artemia (2014), CAESAR mailing list"},{"key":"9299_CR10","doi-asserted-by":"crossref","unstructured":"M. Bellare, V.T. Hoang, Identity-based format-preserving encryption, in B.M. Thuraisingham, D. Evans, T. Malkin, D. Xu, (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30\u2013November 03, 2017 (ACM, 2017), pp. 1515\u20131532","DOI":"10.1145\/3133956.3133995"},{"issue":"4","key":"9299_CR11","doi-asserted-by":"publisher","first-page":"469","DOI":"10.1007\/s00145-008-9026-x","volume":"21","author":"M Bellare","year":"2008","unstructured":"M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469\u2013491 (2008)","journal-title":"J. Cryptol."},{"key":"9299_CR12","unstructured":"M. Bellare, P. 
Rogaway, Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Report 2004\/331 (2004)"},{"key":"9299_CR13","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Vaudenay [93], pp. 409\u2013426","DOI":"10.1007\/11761679_25"},{"key":"9299_CR14","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, D. Wagner, The EAX mode of operation, in B.K. Roy, W. Meier, (eds.) Fast Software Encryption, 11th International Workshop, FSE 2004, Delhi, India, February 5\u20137, 2004, Revised Papers. Lecture Notes in Computer Science, vol. 3017 (Springer, 2004), pp. 389\u2013407","DOI":"10.1007\/978-3-540-25937-4_25"},{"key":"9299_CR15","doi-asserted-by":"crossref","unstructured":"J. Benaloh, (ed.), Topics in Cryptology\u2014CT-RSA 2014\u2014The Cryptographer\u2019s Track at the RSA Conference 2014, San Francisco, CA, USA, February 25\u201328, 2014, in Proceedings, Lecture Notes in Computer Science, vol. 8366 (Springer, 2014)","DOI":"10.1007\/978-3-319-04852-9"},{"key":"9299_CR16","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge Functions. ECRYPT Hash Function Workshop (2007)"},{"key":"9299_CR17","doi-asserted-by":"crossref","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction, in N.P. Smart, (ed.) Advances in Cryptology\u2014EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13\u201317, 2008. Proceedings. Lecture Notes in Computer Science, vol. 4965 (Springer, 2008), pp. 181\u2013197","DOI":"10.1007\/978-3-540-78967-3_11"},{"key":"9299_CR18","doi-asserted-by":"crossref","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge-based pseudo-random number generators, in S. Mangard, F. Standaert, (eds.) 
Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17\u201320, 2010. Proceedings. Lecture Notes in Computer Science, vol. 6225 (Springer, 2010), pp. 33\u201347","DOI":"10.1007\/978-3-642-15031-9_3"},{"key":"9299_CR19","doi-asserted-by":"crossref","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Duplexing the sponge: Single-pass authenticated encryption and other applications, in A. Miri, S. Vaudenay, (eds.) Selected Areas in Cryptography\u201418th International Workshop, SAC 2011, Toronto, ON, Canada, August 11\u201312, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 7118 (Springer, 2011), pp. 320\u2013337","DOI":"10.1007\/978-3-642-28496-0_19"},{"key":"9299_CR20","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the security of the keyed sponge construction. Symmetric Key Encryption Workshop (2011)"},{"key":"9299_CR21","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Permutation-based encryption, authentication and authenticated encryption. Directions in Authenticated Ciphers (2012)"},{"key":"9299_CR22","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, R. Van Keer, Keyak v1 (2014), submission to CAESAR competition"},{"key":"9299_CR23","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, R. Van Keer, Keyak v2 (2015), submission to CAESAR competition"},{"key":"9299_CR24","doi-asserted-by":"crossref","unstructured":"A. Bogdanov, M. Knezevic, G. Leander, D. Toz, K. Varici, I. Verbauwhede, spongent: A lightweight hash function, in B. Preneel, T. Takagi, (eds.) Cryptographic Hardware and Embedded Systems\u2014CHES 2011\u201413th International Workshop, Nara, Japan, September 28\u2013October 1, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6917 (Springer, 2011), pp. 
312\u2013325","DOI":"10.1007\/978-3-642-23951-9_21"},{"key":"9299_CR25","unstructured":"CAESAR, Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014). http:\/\/competitions.cr.yp.to\/caesar.html"},{"key":"9299_CR26","unstructured":"D. Chang, M. Dworkin, S. Hong, J. Kelsey, M. Nandi, A Keyed Sponge Construction with Pseudorandomness in the Standard Model. NIST\u2019s 3rd SHA-3 Candidate Conference 2012 (2012)"},{"key":"9299_CR27","doi-asserted-by":"crossref","unstructured":"D. Chang, M. Nandi, Improved indifferentiability security analysis of chopmd hash function, in K. Nyberg, (ed.) Fast Software Encryption, 15th International Workshop, FSE 2008, Lausanne, Switzerland, February 10\u201313, 2008, Revised Selected Papers. Lecture Notes in Computer Science, vol. 5086 (Springer, 2008), pp. 429\u2013443","DOI":"10.1007\/978-3-540-71039-4_27"},{"issue":"4","key":"9299_CR28","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1214\/aoms\/1177729330","volume":"23","author":"H Chernoff","year":"1952","unstructured":"H. Chernoff, A Measure of Asymptotic Efficiency for Tests of a Hypothesis Based on the sum of Observations. Ann. Math. Stat. 23(4), 493\u2013507 (1952)","journal-title":"Ann. Math. Stat."},{"key":"9299_CR29","doi-asserted-by":"crossref","unstructured":"B. Cogliati, R. Lampe, Y. Seurin, Tweaking even-mansour ciphers, in Gennaro and Robshaw [40], pp. 189\u2013208","DOI":"10.1007\/978-3-662-47989-6_9"},{"issue":"1","key":"9299_CR30","doi-asserted-by":"publisher","first-page":"329","DOI":"10.1007\/BF02124750","volume":"5","author":"RM Corless","year":"1996","unstructured":"R.M. Corless, G.H. Gonnet, D.E.G. Hare, D.J. Jeffrey, D.E. Knuth, On the Lambert $${W}$$ function. Adv. Comput. Math. 5(1), 329\u2013359 (1996)","journal-title":"Adv. Comput. Math."},{"key":"9299_CR31","doi-asserted-by":"crossref","unstructured":"J. Daemen, B. Mennink, G. Van Assche, Full-state keyed duplex with built-in multi-user support, in T. 
Takagi, T. Peyrin, (eds.) Advances in Cryptology\u2014ASIACRYPT 2017\u201423rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3\u20137, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10625 (Springer, 2017), pp. 606\u2013637","DOI":"10.1007\/978-3-319-70697-9_21"},{"key":"9299_CR32","doi-asserted-by":"crossref","unstructured":"I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Cryptanalysis of iterated even-mansour schemes with two keys, in Sarkar and Iwata [87], pp. 439\u2013457. http:\/\/dx.doi.org\/10.1007\/978-3-662-45611-8_23","DOI":"10.1007\/978-3-662-45611-8_23"},{"key":"9299_CR33","unstructured":"C. Dobraunig, M. Eichlseder, F. Mendel, M. Schl\u00e4ffer, Ascon v1 (2014), submission to CAESAR competition"},{"key":"9299_CR34","unstructured":"C. Dobraunig, M. Eichlseder, F. Mendel, M. Schl\u00e4ffer, Ascon v1.1 (2015), submission to CAESAR competition"},{"key":"9299_CR35","unstructured":"FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (2015)"},{"key":"9299_CR36","doi-asserted-by":"crossref","unstructured":"M. Fischlin, J. Coron, (eds.), Advances in Cryptology\u2014EUROCRYPT 2016\u201435th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8\u201312, 2016, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9665 (Springer, 2016)","DOI":"10.1007\/978-3-662-49896-5"},{"key":"9299_CR37","doi-asserted-by":"crossref","unstructured":"E. Fleischmann, C. Forler, S. Lucks, Mcoe: A family of almost foolproof on-line authenticated encryption schemes, in A. Canteaut, (ed.) Fast Software Encryption\u201419th International Workshop, FSE 2012, Washington, DC, USA, March 19\u201321, 2012. Revised Selected Papers. Lecture Notes in Computer Science, vol. 7549 (Springer, 2012), pp. 
196\u2013215","DOI":"10.1007\/978-3-642-34047-5_12"},{"key":"9299_CR38","doi-asserted-by":"crossref","unstructured":"P. Gazi, K. Pietrzak, S. Tessaro, The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC, in Gennaro and Robshaw [40], pp. 368\u2013387","DOI":"10.1007\/978-3-662-47989-6_18"},{"key":"9299_CR39","doi-asserted-by":"crossref","unstructured":"P. Gazi, S. Tessaro, Provably robust sponge-based prngs and kdfs, in Fischlin and Coron [36], pp. 87\u2013116","DOI":"10.1007\/978-3-662-49890-3_4"},{"key":"9299_CR40","doi-asserted-by":"crossref","unstructured":"R. Gennaro, M. Robshaw, (eds.), Advances in Cryptology\u2014CRYPTO 2015\u201435th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16\u201320, 2015, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9215, (Springer, 2015)","DOI":"10.1007\/978-3-662-47989-6"},{"key":"9299_CR41","doi-asserted-by":"crossref","unstructured":"M. Girault, J. Stern, On the length of cryptographic hash-values used in identification schemes, in Y. Desmedt, (ed.) Advances in Cryptology\u2014CRYPTO \u201994, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21\u201325, 1994, Proceedings. Lecture Notes in Computer Science, vol. 839 (Springer, 1994), pp. 202\u2013215","DOI":"10.1007\/3-540-48658-5_21"},{"key":"9299_CR42","unstructured":"D. Gligoroski, H. Mihajloska, S. Samardjiska, H. Jacobsen, M. El-Hadedy, R. Jensen, $$\\pi$$-Cipher v1 (2014), submission to CAESAR competition"},{"key":"9299_CR43","unstructured":"D. Gligoroski, H. Mihajloska, S. Samardjiska, H. Jacobsen, M. El-Hadedy, R. Jensen, $$\\pi$$-Cipher v2.0 (2015), submission to CAESAR competition"},{"key":"9299_CR44","doi-asserted-by":"crossref","unstructured":"R. Granger, P. Jovanovic, B. Mennink, S. Neves, Improved masking for tweakable blockciphers with applications to authenticated encryption, in Fischlin and Coron [36], pp. 
263\u2013293","DOI":"10.1007\/978-3-662-49890-3_11"},{"key":"9299_CR45","doi-asserted-by":"crossref","unstructured":"J. Guo, T. Peyrin, A. Poschmann, The PHOTON family of lightweight hash functions, in P. Rogaway, (ed.) Advances in Cryptology\u2014CRYPTO 2011\u201431st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14\u201318, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6841 (Springer, 2011), pp. 222\u2013239","DOI":"10.1007\/978-3-642-22792-9_13"},{"key":"9299_CR46","doi-asserted-by":"crossref","unstructured":"S. Hirose, K. Ideguchi, H. Kuwakado, T. Owada, B. Preneel, H. Yoshida, A lightweight 256-bit hash function for hardware and low-end devices: Lesamnta-lw, in K.H. Rhee, D. Nyang, (eds.) Information Security and Cryptology\u2014ICISC 2010\u201413th International Conference, Seoul, Korea, December 1\u20133, 2010, Revised Selected Papers. Lecture Notes in Computer Science, vol. 6829 (Springer, 2010), pp. 151\u2013168","DOI":"10.1007\/978-3-642-24209-0_10"},{"key":"9299_CR47","doi-asserted-by":"crossref","unstructured":"S. Hirose, H. Kuwakado, H. Yoshida, Compression functions using a dedicated blockcipher for lightweight hashing, in H. Kim, (ed.) Information Security and Cryptology\u2014ICISC 2011\u201414th International Conference, Seoul, Korea, November 30\u2013December 2, 2011. Revised Selected Papers. Lecture Notes in Computer Science, vol. 7259 (Springer, 2011), pp. 346\u2013364","DOI":"10.1007\/978-3-642-31912-9_23"},{"key":"9299_CR48","doi-asserted-by":"crossref","unstructured":"V.T. Hoang, T. Krovetz, P. Rogaway, Robust authenticated-encryption AEZ and the problem that it solves, in E. Oswald, M. Fischlin, (eds.) Advances in Cryptology\u2014EUROCRYPT 2015\u201434th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26\u201330, 2015, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9056 (Springer, 2015), pp. 
15\u201344","DOI":"10.1007\/978-3-662-46800-5_2"},{"key":"9299_CR49","unstructured":"V.T. Hoang, S. Tessaro, The multi-user security of double encryption, in J. Coron, J.B. Nielsen, (eds.) Advances in Cryptology\u2014EUROCRYPT 2017\u201436th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30\u2013May 4, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10211 (2017), pp. 381\u2013411"},{"key":"9299_CR50","unstructured":"A. Hoorfar, M. Hassani, Inequalities on the Lambert $${W}$$ function and hyperpower function. J. Inequal. Pure Appl. Math. 9(2) (2008)"},{"key":"9299_CR51","doi-asserted-by":"crossref","unstructured":"T. Iwata, K. Ohashi, K. Minematsu, Breaking and repairing GCM security proofs, in R. Safavi-Naini, R. Canetti, (eds.) Advances in Cryptology\u2014CRYPTO 2012\u201432nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19\u201323, 2012. Proceedings. Lecture Notes in Computer Science, vol. 7417 (Springer, 2012), pp. 31\u201349","DOI":"10.1007\/978-3-642-32009-5_3"},{"key":"9299_CR52","doi-asserted-by":"crossref","unstructured":"\u00c9. Jaulmes, A. Joux, F. Valette, On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction, in J. Daemen, V. Rijmen, (eds.) Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4\u20136, 2002, Revised Papers. Lecture Notes in Computer Science, vol. 2365 (Springer, 2002), pp. 237\u2013251","DOI":"10.1007\/3-540-45661-9_19"},{"key":"9299_CR53","doi-asserted-by":"crossref","unstructured":"P. Jovanovic, A. Luykx, B. Mennink, Beyond $$2^{c\/2}$$ security in sponge-based authenticated encryption modes, in Sarkar and Iwata [87], pp. 85\u2013104","DOI":"10.1007\/978-3-662-45611-8_5"},{"key":"9299_CR54","unstructured":"L.R. Knudsen, F. Mendel, C. Rechberger, S.S. Thomsen, Cryptanalysis of MDC-2, in A. Joux, (ed.) 
Advances in Cryptology\u2014EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26\u201330, 2009. Proceedings. Lecture Notes in Computer Science, vol. 5479 (Springer, 2009), pp. 106\u2013120"},{"key":"9299_CR55","doi-asserted-by":"crossref","unstructured":"T. Krovetz, P. Rogaway, The software performance of authenticated-encryption modes, in A. Joux, (ed.) Fast Software Encryption\u201418th International Workshop, FSE 2011, Lyngby, Denmark, February 13\u201316, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 6733 (Springer, 2011), pp. 306\u2013327","DOI":"10.1007\/978-3-642-21702-9_18"},{"key":"9299_CR56","doi-asserted-by":"crossref","unstructured":"U.M. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in M. Naor, (ed.) Theory of Cryptography, First Theory of Cryptography Conference, TCC 2004, Cambridge, MA, USA, February 19\u201321, 2004, Proceedings. Lecture Notes in Computer Science, vol. 2951 (Springer, 2004), pp. 21\u201339","DOI":"10.1007\/978-3-540-24638-1_2"},{"key":"9299_CR57","doi-asserted-by":"crossref","unstructured":"D.A. McGrew, J. Viega, The security and performance of the galois\/counter mode (GCM) of operation, in A. Canteaut, K. Viswanathan, (eds.) Progress in Cryptology\u2014INDOCRYPT 2004, 5th International Conference on Cryptology in India, Chennai, India, December 20\u201322, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3348 (Springer, 2004), pp. 343\u2013355","DOI":"10.1007\/978-3-540-30556-9_27"},{"key":"9299_CR58","unstructured":"F. Mendel, S. Thomsen, An Observation on JH-512. Available online (2008)"},{"key":"9299_CR59","doi-asserted-by":"crossref","unstructured":"B. Mennink, XPX: generalized tweakable even-mansour with improved security guarantees, in Robshaw and Katz [76], pp. 
64\u201394","DOI":"10.1007\/978-3-662-53018-4_3"},{"key":"9299_CR60","doi-asserted-by":"crossref","unstructured":"B. Mennink, R. Reyhanitabar, D. Viz\u00e1r, Security of full-state keyed sponge and duplex: Applications to authenticated encryption, in T. Iwata, J.H. Cheon, (eds.) Advances in Cryptology\u2014ASIACRYPT 2015\u201421st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29\u2013December 3, 2015, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9453 (Springer, 2015), pp. 465\u2013489","DOI":"10.1007\/978-3-662-48800-3_19"},{"key":"9299_CR61","unstructured":"H. Mihajloska, B. Mennink, D. Gligoroski, $$\\pi$$-Cipher with Intermediate Tags (2016), available online"},{"key":"9299_CR62","unstructured":"B. Minaud, Re: CBEAM Withdrawn as of today! (2014), CAESAR mailing list"},{"key":"9299_CR63","doi-asserted-by":"crossref","unstructured":"K. Minematsu, Parallelizable rate-1 authenticated encryption from pseudorandom functions, in P.Q. Nguyen, E. Oswald, (eds.) Advances in Cryptology\u2014EUROCRYPT 2014\u201433rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11\u201315, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8441 (Springer, 2014), pp. 275\u2013292","DOI":"10.1007\/978-3-642-55220-5_16"},{"key":"9299_CR64","doi-asserted-by":"crossref","unstructured":"M. Mitzenmacher, E. Upfal, (eds.), Probability and Computing: Randomized Algorithms and Probabilistic Analysis. (Cambridge University Press, New York, 2005)","DOI":"10.1017\/CBO9780511813603"},{"key":"9299_CR65","unstructured":"P. Morawiecki, K. Gaj, E. Homsirikamol, K. Matusiewicz, J. Pieprzyk, M. Rogawski, M. Srebrny, M. W\u00f3jcik, ICEPOLE v1 (2014), submission to CAESAR competition"},{"key":"9299_CR66","unstructured":"P. Morawiecki, K. Gaj, E. Homsirikamol, K. Matusiewicz, J. Pieprzyk, M. Rogawski, M. Srebrny, M. 
W\u00f3jcik, ICEPOLE v2 (2015), submission to CAESAR competition"},{"key":"9299_CR67","doi-asserted-by":"crossref","unstructured":"R. Motwani, P. Raghavan, (eds.), Randomized Algorithms. (Cambridge University Press, New York, 1995)","DOI":"10.1017\/CBO9780511814075"},{"key":"9299_CR68","doi-asserted-by":"crossref","unstructured":"Y. Naito, Y. Sasaki, L. Wang, K. Yasuda, Generic state-recovery and forgery attacks on chopmd-mac and on NMAC\/HMAC, in K. Sakiyama, M. Terada, (eds.) Advances in Information and Computer Security\u20148th International Workshop on Security, IWSEC 2013, Okinawa, Japan, November 18\u201320, 2013, Proceedings. Lecture Notes in Computer Science, vol. 8231 (Springer, 2013), pp. 83\u201398","DOI":"10.1007\/978-3-642-41383-4_6"},{"key":"9299_CR69","doi-asserted-by":"crossref","unstructured":"Y. Naito, K. Yasuda, New bounds for keyed sponges with extendable output: Independence between capacity and message length, in T. Peyrin, (ed.) Fast Software Encryption\u201423rd International Conference, FSE 2016, Bochum, Germany, March 20\u201323, 2016, Revised Selected Papers. Lecture Notes in Computer Science, vol. 9783 (Springer, 2016), pp. 3\u201322","DOI":"10.1007\/978-3-662-52993-5_1"},{"key":"9299_CR70","doi-asserted-by":"crossref","unstructured":"I. Nikolic, L. Wang, S. Wu, Cryptanalysis of round-reduced $$\\mathtt{LED}$$, in S. Moriai, (ed.) Fast Software Encryption\u201420th International Workshop, FSE 2013, Singapore, March 11\u201313, 2013. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8424 (Springer, 2013), pp. 112\u2013129","DOI":"10.1007\/978-3-662-43933-3_7"},{"key":"9299_CR71","unstructured":"F.W.J. Olver, D.W. Lozier, R.F. Boisvert, C.W. Clark, (eds.), NIST Handbook of Mathematical Functions. (Cambridge University Press, New York, 2010)"},{"key":"9299_CR72","doi-asserted-by":"crossref","unstructured":"T. Peyrin, Y. 
Seurin, Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers, in Robshaw and Katz [76], pp. 33\u201363","DOI":"10.1007\/978-3-662-53018-4_2"},{"key":"9299_CR73","unstructured":"B. Preneel, R. Govaerts, J. Vandewalle, On the power of memory in the design of collision resistant hash functions, in J. Seberry, Y. Zheng, (eds.) Advances in Cryptology\u2014AUSCRYPT \u201992, Workshop on the Theory and Application of Cryptographic Techniques, Gold Coast, Queensland, Australia, December 13\u201316, 1992, Proceedings. Lecture Notes in Computer Science, vol. 718 (Springer, 1992), pp. 105\u2013121"},{"key":"9299_CR74","doi-asserted-by":"crossref","unstructured":"M. Raab, A. Steger, \u201cBalls into Bins\u201d\u2014A simple and tight analysis, in M. Luby, J.D.P. Rolim, M.J. Serna, (eds.) Randomization and Approximation Techniques in Computer Science, Second International Workshop, RANDOM\u201998, Barcelona, Spain, October 8\u201310, 1998, Proceedings. Lecture Notes in Computer Science, vol. 1518 (Springer, 1998), pp. 159\u2013170","DOI":"10.1007\/3-540-49543-6_13"},{"key":"9299_CR75","unstructured":"R. Reyhanitabar, Do Sponge-based AE modes have beyond $$2^{c\/2}$$ \u201cSecurity\u201d? (2014), CAESAR mailing list"},{"key":"9299_CR76","doi-asserted-by":"crossref","unstructured":"M. Robshaw, J. Katz, (eds.), Advances in Cryptology\u2014CRYPTO 2016\u201436th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14\u201318, 2016, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9814 (Springer, 2016)","DOI":"10.1007\/978-3-662-53008-5"},{"key":"9299_CR77","doi-asserted-by":"crossref","unstructured":"P. Rogaway, Authenticated-encryption with associated-data, in V. Atluri, (ed.) Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, November 18\u201322, 2002. (ACM, 2002), pp. 
98\u2013107","DOI":"10.1145\/586123.586125"},{"key":"9299_CR78","doi-asserted-by":"crossref","unstructured":"P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in P.J. Lee, (ed.) Advances in Cryptology\u2014ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5\u20139, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3329 (Springer, 2004), pp. 16\u201331","DOI":"10.1007\/978-3-540-30539-2_2"},{"key":"9299_CR79","doi-asserted-by":"crossref","unstructured":"P. Rogaway, M. Bellare, J. Black, T. Krovetz, OCB: a block-cipher mode of operation for efficient authenticated encryption, in M.K. Reiter, P. Samarati, (eds.) CCS 2001, Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, November 6\u20138, 2001 (ACM, 2001), pp. 196\u2013205","DOI":"10.1145\/501983.502011"},{"key":"9299_CR80","doi-asserted-by":"crossref","unstructured":"P. Rogaway, T. Shrimpton, A provable-security treatment of the key-wrap problem, in Vaudenay [93], pp. 373\u2013390","DOI":"10.1007\/11761679_23"},{"key":"9299_CR81","doi-asserted-by":"crossref","unstructured":"M.J.O. Saarinen, Authenticated Encryption from GOST R 34.11-2012 LPS Permutation, in CTCrypt 2014 (2014)","DOI":"10.4213\/mvk146"},{"key":"9299_CR82","doi-asserted-by":"crossref","unstructured":"M.O. Saarinen, Beyond modes: Building a secure record protocol from a cryptographic sponge permutation, in Benaloh [15], pp. 270\u2013285","DOI":"10.1007\/978-3-319-04852-9_14"},{"key":"9299_CR83","doi-asserted-by":"crossref","unstructured":"M.O. Saarinen, CBEAM: efficient authenticated encryption from feebly one-way $$\\phi$$ functions, in Benaloh [15], pp. 251\u2013269","DOI":"10.1007\/978-3-319-04852-9_13"},{"key":"9299_CR84","unstructured":"M.J.O. 
Saarinen, CBEAM r1 (2014), submission to CAESAR competition"},{"key":"9299_CR85","unstructured":"M.J.O. Saarinen, STRIBOB r1 (2014), submission to CAESAR competition"},{"key":"9299_CR86","unstructured":"M.J.O. Saarinen, B.B. Brumley, STRIBOB r2: \u201cWHIRLBOB\u201d (2015), submission to CAESAR competition"},{"key":"9299_CR87","doi-asserted-by":"crossref","unstructured":"P. Sarkar, T. Iwata, (eds.), Advances in Cryptology\u2014ASIACRYPT 2014\u201420th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7\u201311, 2014. Proceedings, Part I, Lecture Notes in Computer Science, vol. 8873 (Springer, 2014)","DOI":"10.1007\/978-3-662-45608-8"},{"key":"9299_CR88","doi-asserted-by":"crossref","unstructured":"Y. Sasaki, L. Wang, Generic attacks on strengthened HMAC: n-bit secure HMAC requires key in all blocks, in M. Abdalla, R.D. Prisco, (eds.) Security and Cryptography for Networks\u20149th International Conference, SCN 2014, Amalfi, Italy, September 3\u20135, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8642 (Springer, 2014), pp. 324\u2013339","DOI":"10.1007\/978-3-319-10879-7_19"},{"key":"9299_CR89","doi-asserted-by":"crossref","unstructured":"Y. Sasaki, K. Yasuda, How to incorporate associated data in sponge-based authenticated encryption, in K. Nyberg, (ed.) Topics in Cryptology\u2014CT-RSA 2015, The Cryptographer\u2019s Track at the RSA Conference 2015, San Francisco, CA, USA, April 20\u201324, 2015. Proceedings. Lecture Notes in Computer Science, vol. 9048 (Springer, 2015), pp. 353\u2013370","DOI":"10.1007\/978-3-319-16715-2_19"},{"key":"9299_CR90","unstructured":"Y. Sasaki, K. Yasuda, Directly Evaluating Multi-Collisions and Improving Security Bounds. Symmetric Cryptography, Dagstuhl Seminar 16021 (2016)"},{"key":"9299_CR91","doi-asserted-by":"crossref","unstructured":"K. Suzuki, D. Tonien, K. Kurosawa, K. Toyota, Birthday paradox for multi-collisions, in M.S. Rhee, B. 
Lee, (eds.) Information Security and Cryptology\u2014ICISC 2006, 9th International Conference, Busan, Korea, November 30\u2013December 1, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4296 (Springer, 2006), pp. 29\u201340","DOI":"10.1007\/11927587_5"},{"key":"9299_CR92","doi-asserted-by":"crossref","unstructured":"K. Suzuki, D. Tonien, K. Kurosawa, K. Toyota, Birthday paradox for multi-collisions. IEICE Trans. 91-A(1), 39\u201345 (2008)","DOI":"10.1093\/ietfec\/e91-a.1.39"},{"key":"9299_CR93","doi-asserted-by":"crossref","unstructured":"S. Vaudenay, (ed.), Advances in Cryptology\u2014EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28\u2013June 1, 2006, Proceedings, Lecture Notes in Computer Science, vol. 4004 (Springer, 2006)","DOI":"10.1007\/11761679"},{"key":"9299_CR94","unstructured":"D. Viz\u00e1r, Ciphertext forgery on HANUMAN. Cryptology ePrint Archive, Report 2016\/697 (2016)"},{"key":"9299_CR95","unstructured":"D. Whiting, R. Housley, N. Ferguson, AES Encryption and Authentication Using CTR Mode and CBC-MAC. IEEE 802.11-02\/001r2 (2002)"},{"key":"9299_CR96","unstructured":"H. 
Wu, The Hash Function JH (2011), submission to NIST\u2019s SHA-3 competition"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9299-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-018-9299-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9299-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,7]],"date-time":"2024-07-07T14:27:18Z","timestamp":1720362438000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-018-9299-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,6,15]]},"references-count":96,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,7]]}},"alternative-id":["9299"],"URL":"https:\/\/doi.org\/10.1007\/s00145-018-9299-7","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"type":"print","value":"0933-2790"},{"type":"electronic","value":"1432-1378"}],"subject":[],"published":{"date-parts":[[2018,6,15]]},"assertion":[{"value":"9 August 2016","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 May 2018","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"15 June 2018","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}