C
 capacity

In a sponge function, the capacity is the number of bits that are not directly involved in the input and output of blocks.
D
 dec function

From a sequence of input strings, a doublyextendable cryptographic (or dec) function is a function that returns an arbitrarylength digest of the input. In addition, it enjoys incrementability properties:
 appending a string to the input sequence costs only the processing of the new string;
 requesting more output bits costs only the production of these new bits.
A dec function is thus the generalization of a hash function with extendable input and output, and of a XOF with extendable input.
 deck function

From a secret key and a sequence of input strings, a doublyextendable cryptographic keyed (or deck) function is a function that returns an arbitrarylength output. In addition, it enjoys incrementability properties:
 appending a string to the input sequence costs only the processing of the new string;
 requesting more output bits costs only the production of these new bits.
Informally, a deck function is PRFsecure when it is infeasible, for an adversary not knowing the key, to distinguish the output bits from independent uniformlydrawn random bits.
 duplex construction

The duplex construction is a way to build a duplex object from a cryptographic permutation.
 duplex object

A duplex object is an instance of the duplex construction with a specific permutation and specific rate and capacity parameters.
A duplex object is a stateful object that, for each oneblock input, returns one block of digest over all the previously received input blocks.
It can be seen as implementing a restricted dec function, where the input strings are restricted to one block each and the output is restricted to one block.
Thanks to the sponge duplexing lemma, the security of a duplex object reduces to that of the sponge function with the same permutation and parameters.
F
 Farfalle

Farfalle is a construction that builds a deck function from cryptographic permutations and rolling functions.
H
 hash function

A (cryptographic) hash function is a function from an input string to a digest of fixed length.
I
 inner part

In a sponge function, the inner part is the part of the state that is not directly involved in the input and output of blocks.
It consists of the last $c$ bits of the state, with $c$ the capacity.
O
 outer part

In a sponge function, the outer part is the part of the state to which input blocks are added in the absorbing phase and from which output blocks are extracted in the squeezing phase.
It consists of the first $r$ bits of the state, with $r$ the rate.
P
 permutation

A (cryptographic) permutation is a bijective mapping within $\mathbb{Z}_2^b$, for some integer $b$ called the width of the permutation.
R
 rate

In a sponge function, the rate is the number of bits of the state to which input blocks are added in the absorbing phase and from which output blocks are extracted in the squeezing phase.
 rolling function

A rolling function is a lightweight permutation that is used inside the Farfalle construction to iteratively diversify a secret state.
S
 sponge construction

The sponge construction is a way to build a XOF from a cryptographic permutation.
 sponge function

A sponge function is an instance of the sponge construction with a specific permutation and specific rate and capacity parameters.
It implements a XOF.
W
 width

In a permutation, the width is the number of bits on which it operates.
X
 XOF

From an input string, an extendable output function (or XOF) is a function that returns an arbitrarylength digest of the input. In addition, requesting more output bits costs only the production of these new bits.
A XOF is thus the generalization of a hash function with arbitrarilylong and extendable output.
We first heard the term XOF from Ray Perlner at the SHA3 conference in 2014.