{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,16]],"date-time":"2026-03-16T15:51:25Z","timestamp":1773676285814,"version":"3.50.1"},"reference-count":0,"publisher":"Universitatsbibliothek der Ruhr-Universitat Bochum","issue":"1","license":[{"start":{"date-parts":[[2026,3,16]],"date-time":"2026-03-16T00:00:00Z","timestamp":1773619200000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ToSC"],"abstract":"<jats:p>The sponge construction underpins many modern symmetric primitives, enabling efficient hashing and authenticated encryption. While full-state absorption is known to be secure in keyed sponges, the security of full-state squeezing has remained unclear. Recently, Lefevre and Marhuenda-Beltr\u00e1n introduced MacaKey, which applies ideas from the summation-truncation hybrid technique of constructing PRFs to the full-state sponge. The authors claimed that MacaKey is provably secure up to the birthday bound in capacity, even when the adversary is allowed to request variable-length outputs. In this work, we revisit this claim and show that MacaKey is insecure as a PRF. We demonstrate a simple four-query distinguishing attack that violates its claimed bound, exploiting the exposure of the full internal state and the resulting loss of secrecy in the capacity portion during squeezing. We then propose a simple modification that restores security with negligible overhead. The modified construction, KeyMacaKey, re-randomizes the internal state after absorption by incorporating a keyed finalization step without requiring an extra permutation call. Further, we show that KeyMacaKey achieves the stronger security of birthday-bound in the full state size than what was claimed for MacaKey.<\/jats:p>","DOI":"10.46586\/tosc.v2026.i1.76-94","type":"journal-article","created":{"date-parts":[[2026,3,16]],"date-time":"2026-03-16T14:18:52Z","timestamp":1773670732000},"page":"76-94","source":"Crossref","is-referenced-by-count":0,"title":["Breaking and Fixing MacaKey"],"prefix":"10.46586","volume":"2026","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2883-4870","authenticated-orcid":false,"given":"Ritam","family":"Bhaumik","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8729-6163","authenticated-orcid":false,"given":"Bishwajit","family":"Chakraborty","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-9948-3714","authenticated-orcid":false,"given":"Chandranan","family":"Dhar","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"25480","published-online":{"date-parts":[[2026,3,16]]},"container-title":["IACR Transactions on Symmetric Cryptology"],"original-title":[],"link":[{"URL":"https:\/\/tosc.iacr.org\/index.php\/ToSC\/article\/download\/12779\/12468","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/tosc.iacr.org\/index.php\/ToSC\/article\/download\/12779\/12468","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,16]],"date-time":"2026-03-16T14:18:52Z","timestamp":1773670732000},"score":1,"resource":{"primary":{"URL":"https:\/\/tosc.iacr.org\/index.php\/ToSC\/article\/view\/12779"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,16]]},"references-count":0,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,3,16]]}},"URL":"https:\/\/doi.org\/10.46586\/tosc.v2026.i1.76-94","relation":{},"ISSN":["2519-173X"],"issn-type":[{"value":"2519-173X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,16]]}}}