Clarify reliance on Keccak behaving like a random oracle

[ounsworth]

Nimrod Aviram said:

The construction relies on Keccak behaving like a random oracle. As Joan and Gilles have pointed out, this is a modelling choice, not something that can be proven. This is a somewhat strong assumption, albeit a workable one. I recommend clarifying the reliance on this assumption in the document. The construction proposed here can be assumed to be a dual-PRF when assuming the underlying hash function to be a random oracle. My understanding is that the authors don't claim it to be a dual-PRF without random oracle assumptions, i.e. in the standard model.

https://mailarchive.ietf.org/arch/msg/cfrg/LYkaqKMS2yIWqkHKASWbZ9aHhTY/

[wussler]

From Felix: Simply adding the following consideration may be sufficient

"The sponge construction was proven to be indifferentiable from a random oracle [BDPA08], assuming the Keccak permutation behaves like a random permutation."