The paper on the "SNEIKEN and SNEIKHA" AE and HASH sponge-based algorithms, respectively, presents a 512-bit permutation function "SNEIK512" that, unlike other permutations (ie: Keccak-f1600, gimli, etc.) takes a domain parameter. Their AE and HASH algorithms use this parameter to establish domain separation.
All other AE and HASH algorithms that I have seen that are sponge-based perform domain separation by modifying bits in the sponge CAPACITY before computing the permutation.
SNEIK512 modifies state bits with the domain (via XOR to the state) on each permutation round to effectively generate a domain-specific permutation. The end result appears to be the same : Domain separation for AE and HASH.
The paper does not go into detail on how they choose which permutation state-variable to modify (they modify the RATE), nor do they describe anything about the possible security impact of this modification.
After thinking about this permutation design, it appears that this may be a generalized way to change existing permutations to support domain separation.
My questions then are :
- Can this be applied to existing permutations (ex : keccak-f1600 , gimli, etc) in a general manner without reducing/impacting security?
- If yes, can this modification be generalized (ie: simple rule to apply for any permutation function)?
- Are there generalized limits to how much of the state can be modified before there is an unacceptable impact on security (if any)?