# C

capacity
In a sponge function, the capacity is the number of bits that are not directly involved in the input and output of blocks.

# D

dec function
From a sequence of input strings, a doubly-extendable cryptographic (or dec) function is a function that returns an arbitrary-length digest of the input. In addition, it enjoys incrementability properties:
• appending a string to the input sequence costs only the processing of the new string;
• requesting more output bits costs only the production of these new bits.
A dec function is thus the generalization of a hash function with extendable input and output, and of a XOF with extendable input.
deck function
From a secret key and a sequence of input strings, a doubly-extendable cryptographic keyed (or deck) function is a function that returns an arbitrary-length output. In addition, it enjoys incrementability properties:
• appending a string to the input sequence costs only the processing of the new string;
• requesting more output bits costs only the production of these new bits.
Informally, a deck function is PRF-secure when it is infeasible, for an adversary not knowing the key, to distinguish the output bits from independent uniformly-drawn random bits.
duplex construction
The duplex construction is a way to build a duplex object from a cryptographic permutation.
duplex object
A duplex object is an instance of the duplex construction with a specific permutation and specific rate and capacity parameters. A duplex object is a stateful object that, for each one-block input, returns one block of digest over all the previously received input blocks. It can be seen as implementing a restricted dec function, where the input strings are restricted to one block each and the output is restricted to one block. Thanks to the sponge duplexing lemma, the security of a duplex object reduces to that of the sponge function with the same permutation and parameters.

# F

Farfalle
Farfalle is a construction that builds a deck function from cryptographic permutations and rolling functions.

# H

hash function
A (cryptographic) hash function is a function from an input string to a digest of fixed length.

# I

inner part
In a sponge function, the inner part is the part of the state that is not directly involved in the input and output of blocks. It consists of the last $c$ bits of the state, with $c$ the capacity.

# O

outer part
In a sponge function, the outer part is the part of the state to which input blocks are added in the absorbing phase and from which output blocks are extracted in the squeezing phase. It consists of the first $r$ bits of the state, with $r$ the rate.

# P

permutation
A (cryptographic) permutation is a bijective mapping within $\mathbb{Z}_2^b$, for some integer $b$ called the width of the permutation.

# R

rate
In a sponge function, the rate is the number of bits of the state to which input blocks are added in the absorbing phase and from which output blocks are extracted in the squeezing phase.
rolling function
A rolling function is a lightweight permutation that is used inside the Farfalle construction to iteratively diversify a secret state.

# S

sponge construction
The sponge construction is a way to build a XOF from a cryptographic permutation.
sponge function
A sponge function is an instance of the sponge construction with a specific permutation and specific rate and capacity parameters. It implements a XOF.

# W

width
In a permutation, the width is the number of bits on which it operates.

# X

XOF
From an input string, an extendable output function (or XOF) is a function that returns an arbitrary-length digest of the input. In addition, requesting more output bits costs only the production of these new bits. A XOF is thus the generalization of a hash function with arbitrarily-long and extendable output. We first heard the term XOF from Ray Perlner at the SHA-3 conference in 2014.