A new proof for the security of the keyed sponge construction in the ideal compression function model

Journal of Science and Technology on Information Security 
18 No 2.CS (10) 2019 
Tuan Anh Nguyen, Bui Cuong Nguyen 
Abstract— In this paper, we present a new 
proof for the security of keyed Sponge. Our 
method is built on the previous result about the 
indistinguishability of the Sponge construction. 
Following this approach, we can see the strong 
relationship between the security of keyed Sponge 
and its original version. 
Tóm tắt— Trong bài báo này, chúng tôi đưa ra 
một chứng minh mới cho độ an toàn của cấu trúc 
Sponge có khóa. Phương pháp của chúng tôi sử 
dụng kết quả trước đó về tính không phân biệt 
được của cấu trúc Sponge. Theo cách tiếp cận 
này, chúng ta có thể thấy mối liên hệ chặt chẽ về 
độ an toàn của cấu trúc Sponge có khóa và phiên 
bản nguyên thủy của nó. 
Keywords— Sponge construction, keyed 
Sponge construction, ideal compression function 
model, PRF security. 
Từ khóa— Cấu trúc Sponge, Cấu trúc Sponge 
có khóa, mô hình hàm nén lý tưởng, độ an toàn 
PRF. 
I. INTRODUCTION 
Since its introduction, the Sponge 
construction [1] has been attracting research 
attention in the cryptography community. It is 
the fundamental of the SHA-3 standard Keccak 
[2]. In the security model of Maurer [3], Bertoni 
at el. [4] proved that the advantage in 
differentiating the sponge construction from a 
random oracle is upper bounded by 𝑂(𝑁2 2𝑐⁄ ), 
with N the number of calls to the underlying 
function f and c the capacity. 
Inspired by the introduction of keys into hash 
functions as before and the beautiful theoretical 
results of the sponge construction, designers 
presented the keyed version for it: 
Sponge(K‖M), we denote by KeyedSponge. 
This manuscript is received July 10, 2019. It is commented 
on August 16, 2019 and is accepted on August 23, 2019 by 
the first reviewer. It is commented on September 30, 2019 
and is accepted on October 6, 2019 by the second reviewer. 
This version was proposed to build a wide 
spectrum of symmetric-key primitive: 
Reseedable pseudorandom number generator 
[5], pseudorandom function and message 
authentication codes (PRFs/MAC) [6, 7], 
extendable-output functions [8] and 
authenticated encryption modes [9]. Because of 
its wide application, the security of the 
KeyedSponge construction has been evaluated 
in many documents and now it still attracts 
interest from the cryptography community. 
Previous results 
The KeyedSponge construction has been 
previously studied by two main approaches: the 
H-coefficient technique and the Sponge graph. 
For the first method there are two outstanding 
papers: Elena Andreeva [10] and Peter Gaži 
[11]. Specifically, Elena Andreeva evaluated the 
security of keyed Sponge when the key length k 
is a multiple of r. The distinguishing advantage 
of the KeyedSponge construction under any 
adversary who makes at most q construction 
queries, and at most Q primitive queries is 
upper bounded by 
𝑁0
2+2𝜇𝑄
2𝑐
+ 𝜆(𝑄) +
2(
𝑘
𝑟
)𝑄
2𝑏
, 
where 𝑁0 is the number of fresh calls to the 
underlying function f when he makes q 
construction queries (here we let f(x) is not fresh 
if it has already been made due to a prior query 
to the construction) and μ is the total maximum 
multiplicity (see [10]) and 
𝜆(𝑄)
≤
{
𝑄
2𝑘
 if 𝑘 = 𝑟
min {
𝑄2
2𝑐+1
+
𝑄
2𝑘
,
1
2𝑏
+
𝑄
2
(
1
2
−
log2(3𝑏)
2𝑟
−
1
𝑟
)𝑘
} otherwise.
A New Proof for the Security of the Keyed 
Sponge Construction in the Ideal Compression 
Function Model 
Nghiên cứu Khoa học và Công nghệ trong lĩnh vực An toàn thông tin 
 No 2.CS (10) 2019 19 
The distinguishing advantage of the 
KeyedSponge was estimated by Peter Gaži has 
upper bound: 
𝑂 (
𝑞2 + 𝑞𝑄 + 𝑙𝑞
2𝑏−𝑧
) +
(
𝑘
𝑟)𝑁1
2𝑏
+min {
𝑁1
2
(
1
2
−
log2(3𝑏)
2𝑟
−
1
𝑟
)𝑘
,
𝑁1
2𝑘
+
𝑁1
2
2𝑐
}, 
where l is the maximum number of blocks in 
each construction query, z (z<r) is the fixed 
length of output and 𝑁1 = 𝑞𝑙 + 𝑄. 
 For the second method, Guido Bertoni [6] 
uses the Sponge graph to directly evaluate the 
security of the KeyedSponge construction. The 
distinguishing advantage is upper bounded by: 
𝑂 (
𝑁0
2
2𝑐
+
𝑁0𝑄
2𝑐
+
𝑄
2𝑘
). 
In our knowledge, it is the best result ever. 
Our contributions. In this paper, we give a 
new proof for the security of the KeyedSponge 
construction according to the second approach. 
We evaluate it by using the security of the 
Sponge construction. Our bound are: 
𝑄
2𝑘
+
𝑄2
2𝑐+1
+
𝑁2
2𝑐+1
, 
where N is the number of fresh calls to the 
underlying function f when adversary makes 
both construction queries and primitive queries. 
Although this result is not as tight as Guido 
Bertoni's, it shows a close relationship between 
the security of the KeyedSponge and Sponge 
construction. 
Organization of the paper. After the 
introduction, in Section 2 we present some 
preliminaries. In Section 3, we recall the 
security of the Sponge construction. In Section 4, 
we evaluate the indistinguishability of the 
KeyedSponge construction. Finally, some 
conclusions are given in Section 5. 
II. PRELIMINARIES 
We denote the set of all finite strings of 
arbitrary length by ℤ2
∗ , the set of infinite-length 
bit strings is denoted by ℤ2
∞, the concatenation of 
two strings x and y is denoted as x‖y. We let 
left𝑧(𝑥) denote the z leftmost bits of x. We 
denote the length in bits of a message x by |x|. The 
number of r-bit blocks of x is denoted by |𝑥|𝑟. 
Random oracle. 
 Let ℛ𝒪: ℤ2
∗ → ℤ2
∞ be a random oracle 
which takes inputs of arbitrary but finite length 
and returns random infinite strings, where each 
output bit is selected uniformly and 
independently for every input M. 
We denote a call to ℛ𝒪 where the output is 
truncated to its z first bits by 𝑍 = ℛ𝒪(𝑀, 𝑧). 
Sponge construction. 
The Sponge construction determines the 
 ... ction. In the security model of this 
paper, we consider the KeyedSponge 
construction is built on a random permutation 
𝑓. The PRF-security of Keyed Sponge is the 
indistinguishability between the real world 
and the ideal world. Let 𝒪𝑅 =
KeyedSponge𝐾
𝑓(⋅) with 𝐾 ←
$
{0,1}𝑘 be the 
oracle in the real world, and 𝒪𝐼 = ℛ𝒪 be the 
oracle in the ideal world. The 
indistinguishability considers the case where 
an adversary 𝒜 has query access to 
(𝒪𝑅 , 𝑓, 𝑓
−1) in the real world and (𝒪𝐼 , 𝑓, 𝑓
−1) 
in the ideal world, and after 𝒜’s interaction, it 
outputs a result 𝑦 ∈ {0,1}. We call queries to 
𝒪𝑅/𝒪𝐼 “construction queries” and queries to 
(𝑓, 𝑓−1) “primitive queries”. We define the 
advantage function as 
AdvKeyedSponge
prf (𝒜)
≔ |Pr[𝒜𝒪𝑅,𝑓,𝑓
−1
= 1]
− Pr[𝒜𝒪𝐼,𝑓,𝑓
−1
= 1]|. 
We denote 𝑞 and 𝑄 respectively as the 
number of construction and primitive queries. 
III. MODEL THE SECURITY OF THE 
SPONGE CONSTRUCION 
In [12], the authors evaluated the 
indistinguishability of the Sponge 
construction when an adversary was able to 
query the Sponge construction and the 
underlying function 𝑓. Then, in the ideal 
world besides the oracle ℛ𝒪, [12] built 
another component with the same interface as 
𝑓. For the components to be hard 
to distinguish, it should simulate the behavior 
of a random permutation of the same width as 
𝑓. For this reason it is called a simulator, 
denoted 𝒫. 
Algorithm 1. 𝐒𝐩𝐨𝐧𝐠𝐞[𝒇, 𝒑𝒂𝒅, 𝒓] 
Require: 𝑟 < 𝑏 
Interface: 𝑍 = 𝑠𝑝𝑜𝑛𝑔𝑒(𝑀, 𝑧) with 𝑀 ∈ ℤ2
∗ , z > 0 and 
𝑍 ∈ ℤ2
𝑧. 
𝑃 = 𝑀||𝑝𝑎𝑑[𝑟](|𝑀|) 
𝑠 = 0𝑏 
for i = 0 to |𝑃|𝑟 − 1 do 
𝑠 = 𝑠 ⊕ (𝑃𝑖||0
𝑏−𝑟) 
𝑠 = 𝑓(𝑠) 
end for 
𝑇 = ⌊𝑠⌋𝑟 
while |𝑇| < 𝑧 do 
𝑠 = 𝑓(𝑠) 
𝑇 = 𝑇||leftz(𝑠) 
end while 
return 𝑍 = leftz(𝑇) 
Nghiên cứu Khoa học và Công nghệ trong lĩnh vực An toàn thông tin 
 No 2.CS (10) 2019 21 
In addition, we have an additional 
constraint when an adversary queries to the 
real world (the Sponge construction and its 
underlying function 𝑓), he the adversary can 
verify whether the responses to the queries are 
Sponge-consistent or not. The Sponge-
consistent means that: the result for a 
construction query will be the same as the 
answer when we simulate the Sponge 
construction by querying directly to 𝑓. In 
particular, let 𝑀 be a message, if we make a 
construction query (𝑀, 𝑧) then we receive 𝑍. 
In the other hand, the message 𝑀 after 
padding will have the form: 𝑃 =
𝑀‖pad[𝑟](|𝑀|). Then, we can compute the 
𝑗th block of 𝑍 by querying to the function 𝑓: 
𝑍𝑗 = absorb̅̅ ̅̅ ̅̅ ̅̅ ̅(𝑃‖0
𝑟𝑗). For the ideal world to 
be hard to distinguish from the real world it 
shall also behave sponge-consistent. For that 
reason, the simulator may have query access 
to the random oracle ℛ𝒪 for satisfying 
sponge-consistency. 
Before going into the specific definition of 
the simulator 𝒫 we recall some symbols. In the 
Sponge graph, we define the set of rooted 
supernodes ℛ as the subset of ℤ2
𝑐 containing 0𝑐 
and all the supernodes accessible from it 
through the supernode graph. We say that a 
node 𝑠 = (�̅�, �̂�) is rooted if �̂� ∈ ℛ. Let 𝑂 be the 
set of supernodes with an outgoing edge. 
Algorithm 2 (see algorithm 9, [12]): The simulator 𝒫 
Interface 𝒫1, taking node 𝑠 as input. 
If node 𝑠 has no outgoing edge then 
 If node 𝑠 is rooted AND ℛ ∪ 𝑂 ≠ ℤ2
𝑐 (no saturation) 
then 
 Construct path to 𝑡: find path to 𝑠, append �̅� and call the 
result 𝑃 
 Write 𝑃 as 𝑃 = 𝑃′0𝑟𝑗 where 𝑃′ does not end with 0𝑟 
 if 𝑃′ can be unpadded into 𝑀 then 
 Assign to 𝑡̅ the value 𝑍𝑗 with 𝑍 = ℛ𝒪(𝑀, 𝑗𝑟) 
 Else 
 Choose 𝑡̅ randomly and uniformly 
 end if 
 Choose �̂� randomly and uniformly form ℤ2
𝑐\(ℛ ∪ 𝑂) 
and such that 𝑡̅‖�̂� has no incoming edge yet 
 Let 𝑡 = 𝑡̅‖�̂� 
 Else 
 Choose 𝑡 randomly and uniformly from all nodes that 
have no incoming edge yet 
 End if 
 Add an edge from 𝑠 to 𝑡 
End if 
Return the node 𝑡 at the end of the outgoing edge from 𝑠 
Interface 𝒫−1, taking node 𝑠 as input 
If node 𝑠 has no incoming edge then 
 Choose 𝑡̅ randomly and uniformly 
 Choose �̂� randomly and uniformly from ℤ2
𝑐\ℛ and such 
that 𝑡̅‖�̂� has no outgoing edge yet 
 Let 𝑡 = 𝑡̅‖�̂� 
 Add an edge from 𝑡 to 𝑠 
End if 
Return the node 𝑡 at the beginning of the incoming edge 
into 𝑠 
Then, [12] considered the advantage of an 
adversary when distinguishing the two 
following world. 
Real world. It contains the Sponge 
construction and the underlying random 
permutation 𝑓. The adversary can make queries 
to the Sponge construction, the permutation 𝑓 
and 𝑓−1. 
Ideal world. It contains the random oracle 
ℛ𝒪 and the simulator 𝒫. The adversary can 
make queries to 𝒫 and 𝒫−1. 
We define the ℛ𝒪 differentiating advantage 
as 
AdvSponge
ind (𝒜) ≔ |Pr [𝒜Sponge
𝑓,𝑓,𝑓−1]
− Pr[𝒜ℛ𝒪,𝒫,𝒫
−1
= 1]| 
Theorem 1 (Theorem 9, [12]). The ℛ𝒪 
differentiating advantage of the Sponge 
construction calling the random permutation 
𝑓 is upper bound by 1 − ∏ (
1−
𝑖+1
2𝑐
1−
𝑖
2𝑟+𝑐
)𝑁−1𝑖=0 with 
𝑁 is the number of fresh calls to 𝑓. 
In the paper [12], 𝑁 was denoted by the cost 
of the queries. However, in our security model, 
it is the number of fresh calls to 𝑓. 
IV. OUR EVALUATION FOR THE 
SECURITY OF THE KEYSPONGE 
In this section, we will evaluate the PRF-
security of the KeyedSponge construction by 
using Theorem 1 which states about the ℛ𝒪 
differentiating advantage of the Sponge 
construction. 
Proposition 1. Let 𝒜 be an adversary 
making at most 𝑞 construction queries and at 
Journal of Science and Technology on Information Security 
22 No 2.CS (10) 2019 
most 𝑄 primitive queries. Then, the PRF-
security of the KeyedSponge construction 
calling the random permutation 𝑓 is upper 
bound by: 
Advℱ𝐾
prf(𝒜) ≤
𝑄
2𝑘
+
𝑄2
2𝑐+1
+
𝑁2
2𝑐+1
, 
where 𝑁 is the number of fresh calls to 𝑓 in 
both query types. 
Proof. This result will be proved by 
reduction. It means that we will prove the 
security of the KeyedSponge construction 
through the security of the Sponge construction 
by constructing an adversary ℬ which against 
the Sponge construction from the adversary 𝒜. 
First, ℬ chooses a key 𝐾 randomly and 
uniformly from {0,1}𝑘, and it remains the same 
throughout the process (𝒜 does no 𝐾). If 𝒜 
makes a construction query (𝑀, 𝑧) then ℬ 
makes the construction query (𝐾‖𝑀, 𝑧) to its 
oracle. If 𝒜 makes the primitive query 𝑋 then 
ℬ also makes the primitive query 𝑋. The 
adversary ℬ returns to 𝒜 the value that he 
receives. Final, after making the queries, if 𝒜 
returns a bit 𝑦 ∈ {0,1} then ℬ also returns the 
bit 𝑦. This means that, if 𝒜 thinks that the 
oracles, which he interacted, is the real world, 
then B also thinks that the oracles, which he 
interacted, is the real world, and vice versa. 
 Let Pr[𝒜real ⇒ 1] or Pr[𝒜ideal ⇒ 1] be 
the probability that 𝒜 returns 1 when he is used 
as a subroutine of ℬ, where the oracle that ℬ is 
interacted is real or ideal world. We have: 
Pr[𝒜real ⇒ 1] = Pr [ ℬSponge
𝑓,𝑓,𝑓−1 ⇒ 1] 
and 
Pr[𝒜ideal ⇒ 1] = Pr[ℬℛ𝒪,𝒫,𝒫
−1
⇒ 1]. 
 In the other hand, in the real world, the 
result that 𝒜 receives for the construction query 
(𝑀, 𝑧) is Sponge𝑓(𝐾‖𝑀, 𝑧) =
KeyedSponge𝐾
𝑓(𝑀, 𝑧). This means that the view 
that 𝒜 runs as a subroutine of ℬ same the view 
that 𝒜 runs against the KeyedSponge 
construction. We have, 
Pr[𝒜real ⇒ 1] = Pr[𝒜𝒪𝑅,𝑓,𝑓
−1
= 1]. 
 Now, we consider when ℬ accesses into the 
ideal model. The result that 𝒜 receives for the 
construction query (𝑀, 𝑧) is ℛ𝒪(𝐾‖𝑀, 𝑧). It is 
a 𝑧-bit randomly and uniformly string. This is 
identical when 𝒜 runs against the KeyedSponge 
construction. For primitive queries 𝑋, the result 
that 𝒜 receives from ℬ is 𝒫(𝑋) or 𝒫−1(𝑋). So, 
we need evaluate the difference between a 
random permutation 𝑓 and the simulator 𝒫. 
Lemma 1 (Lemma 5, [12]). The advantage of 
an adversary in distinguishing 𝑓 and 𝒫 with 
the number of queries 𝑄 < 2𝑐 is upper 
bounded by: 
1 −∏(
1 −
𝑖 + 1
2𝑐
1 −
𝑖
2𝑟+𝑐
)
𝑄−1
𝑖=0
. 
(The proof of this lemma is presented in [12]). 
When 𝑄 is significantly smaller than 2𝑐, the 
above bound can be simplified to 𝑄2/2𝑐+1. 
Indeed, using the 1 − 𝑥 ≈ 𝑒−𝑥 approximation, 
we have 
log∏(
1 −
𝑖 + 1
2𝑐
1 −
𝑖
2𝑟+𝑐
)
𝑄−1
𝑖=0
= ∑ [log (1 −
𝑖 + 1
2𝑐
)
𝑄−1
𝑖=0
− log (1 −
𝑖
2𝑟+𝑐
)] 
≈ ∑ [−
𝑖 + 1
2𝑐
− (−
𝑖
2𝑟+𝑐
)]
𝑄−1
𝑖=0
= ∑ [−
𝑖+1
2𝑐
+
𝑖
2𝑟+𝑐
]𝑄−1𝑖=0 
= −
𝑄(𝑄 + 1)
2𝑐+1
+
(𝑄 − 1)𝑄
2𝑟+𝑐+1
. 
Then 
Nghiên cứu Khoa học và Công nghệ trong lĩnh vực An toàn thông tin 
 No 2.CS (10) 2019 23 
∏(
1−
𝑖 + 1
2𝑐
1 −
𝑖
2𝑟+𝑐
)
𝑄−1
𝑖=0
≈ 𝑒
−
𝑄(𝑄+1)
2𝑐+1
+
(𝑄−1)𝑄
2𝑟+𝑐+1 . 
So, we have 
1 −∏(
1−
𝑖 + 1
2𝑐
1 −
𝑖
2𝑟+𝑐
)
𝑄−1
𝑖=0
≈ 1 − 𝑒
−
𝑄(𝑄+1)
2𝑐+1
+
(𝑄−1)𝑄
2𝑟+𝑐+1 
≈
𝑄(𝑄 + 1)
2𝑐+1
−
(𝑄 − 1)𝑄
2𝑟+𝑐+1
= 𝑂 (
𝑄2
2𝑐+1
). 
 Continue with the case that ℬ accesses into 
the ideal model. We can see that, if 𝒜 runs 
against the KeyedSponge construction then 
ℛ𝒪(𝑀, 𝑧) and 𝑓(𝑋) (or 𝑓−1(𝑋)) do not have 
any relationship. When 𝒜 runs as a subroutine 
of ℬ, the values that he receives for the 
construction queries and the primitive queries 
are ℛ𝒪(𝐾‖𝑀, 𝑧) and 𝒫(𝑋) (or 𝒫−1(𝑋)). Note 
that the simulator 𝒫 satisfies Sponge-consistent: 
the result for a construction query to ℛ𝒪 will be 
the same as the answer when we simulate by 
querying directly to 𝒫. However, this only 
happens when the adversary 𝒜 guesses the key 
𝐾 among primitive queries. The probability of it 
is 𝑄/2𝑘. 
Thus, in the case that ℬ accesses into the ideal 
model, we have 
Pr[ℬℛ𝒪,𝒫,𝒫
−1
⇒ 1] − Pr[𝒜𝒪𝐼,𝑓,𝑓
−1
= 1]
≤
𝑄
2𝑘
+
𝑄2
2𝑐+1
. 
From above arguments we have 
AdvKeySponge
prf (𝒜)
= Pr[𝒜𝒪𝑅,𝑓,𝑓
−1
= 1]
− Pr[𝒜𝒪𝐼,𝑓,𝑓
−1
= 1] 
≤ Pr [ ℬSponge
𝑓,𝑓,𝑓−1 ⇒ 1]
− Pr[ℬℛ𝒪,𝒫,𝒫
−1
⇒ 1] +
𝑄
2𝑘
+
𝑄2
2𝑐+1
≤ AdvSponge
ind (ℬ) +
𝑄
2𝑘
+
𝑄2
2𝑐+1
≤
𝑄
2𝑘
+
𝑄2
2𝑐+1
+
𝑁2
2𝑐+1
, 
where 𝑁 is the number of fresh call to 𝑓 
when ℬ making the construction and primitive 
queries. However, 𝑁 is also the number of fresh 
call to 𝑓 when 𝒜 making the construction and 
primitive queries. Indeed, for the construction 
query 𝑀 of 𝒜 or 𝐾‖𝑀 of ℬ, the oracle of 𝒜 
and ℬ both compute Sponge𝑓(𝐾‖𝑀, 𝑧); for the 
primitive query 𝑋, both of them compute 
𝑓(𝑋).■ 
V. CONCLUSION 
In this paper, the security of the 
KeyedSponge construction has been evaluated 
by a new way. We have proved the security of 
the KeyedSponge construction based on the 
security of the Sponge construction by 
reduction method. However, our indirect proof 
lead to the security bound is not as good as the 
result in the direct way of Guido Bertoni. 
Therefore, closing this gap will still be an open 
problem in the future. 
REFERENCES 
[1]. Bertoni, G., et al. Sponge functions. in ECRYPT 
hash workshop. 2007. Citeseer. 
[2]. Bertoni, G., et al., Keccak specifications. 
Submission to NIST (round 2), 2009: p. 320-337. 
[3]. Maurer, U., R. Renner, and C. Holenstein. 
Indifferentiability, impossibility results on 
reductions, and applications to the random oracle 
methodology. in Theory of cryptography 
conference. 2004. Springer. 
[4]. Bertoni, G., et al. On the indifferentiability of the 
sponge construction. in Annual International 
Conference on the Theory and Applications of 
Cryptographic Techniques. 2008. Springer. 
[5]. Bertoni, G., et al. Sponge-based pseudo-random 
number generators. in International Workshop on 
Cryptographic Hardware and Embedded Systems. 
2010. Springer. 
[6]. Bertoni, G., et al. On the security of the keyed 
sponge construction. in Symmetric Key Encryption 
Workshop. 2011. 
[7]. Bertoni, G., et al., Permutation-based encryption, 
authentication and authenticated encryption. 
Directions in Authenticated Ciphers, 2012. 
[8]. Dworkin, M.J., SHA-3 standard: Permutation-
based hash and extendable-output functions. 2015. 
Journal of Science and Technology on Information Security 
24 No 2.CS (10) 2019 
[9]. Bertoni, G., et al. Duplexing the sponge: single-
pass authenticated encryption and other 
applications. in International Workshop on Selected 
Areas in Cryptography. 2011. Springer. 
[10]. Andreeva, E., et al. Security of keyed sponge 
constructions using a modular proof approach. in 
International Workshop on Fast Software 
Encryption. 2015. Springer. 
[11]. Gaži, P., K. Pietrzak, and S. Tessaro. The exact 
PRF security of truncation: tight bounds for keyed 
sponges and truncated CBC. in Annual Cryptology 
Conference. 2015. Springer. 
[12]. Guido, B., et al., Cryptographic sponge functions. 2011. 
ABOUT THE AUTHORS 
B.S. Tuan Anh Nguyen 
Email: tuananhnghixuan@gmail. com 
The Workplace: Institute of 
Cryptography Science and 
Technology, Government 
Information Security Committee. 
The education process: Graduated 
in Mathematic, VNU University of 
Science, 2016. 
Subjects: block cipher, hash function, message 
authentication code, tweakable block cipher 
PhD. Bui Cuong Nguyen 
Email:nguyenbuicuong@gmail.
com 
The Workplace: Institute of 
Cryptography Science and 
Technology, Government 
Information Security 
Committee. 
The education process: 
Graduated in Mathematic, Hanoi National University 
of Education, 2004. Graduated Master in Mathematics, 
VNU University of Science, 2007. Graduated PhD in 
Cryptography, Academy of military science and 
technology, 2018. 
Subjects: block cipher, hash function, message 
authentication code, tweakable block cipher