4

I have been reading the Cryptographic sponge functions paper, but I'm still confused.

Does Keccak in authenticated encryption mode absorb ciphertext or plaintext?

Edit: Are there any test vectors to verify an implementation of Keccak authenticated encryption?

Cryptographeur
LightBit
  • 1
    You absorb the plaintext, which means that the rate section of the state is equal to the ciphertext. – Cryptographeur Dec 08 '13 at 22:16
  • 4
    Keccak itself isn't really bothered. It just needs some input, now if that happens to be plain or ciphertext depends on the application. – rath Dec 09 '13 at 00:21
  • @figlesquidge Thanks. Are there any test vectors for that? – LightBit Dec 09 '13 at 08:29
  • @rath I'm asking for the "standard" way. – LightBit Dec 09 '13 at 08:32
  • @trina: http://sponge.noekeon.org/SpongeDuplex.pdf defines the 'SpongeWrap' mode, which is the one referred to in the paper LightBit gives, and I think it's reasonable to say SpongeWrap is the standard construction. That said, expect many more Keccak-based AE modes to come forward in the next few months as CAESAR submissions come forward. – Cryptographeur Dec 10 '13 at 16:11
  • 2
    @LightBit as far as test vectors go, you could generate them yourself using KeccakTools (https://github.com/gvanas/KeccakTools). Uncomment testKeccakDuplex() in the main function, rebuild, and run. You could also modify testKeccakDuplex() itself to add new test vectors. – mattkelly Jan 23 '14 at 15:38

1 Answer

7

The authenticated encryption mode devised by the Keccak team is the SpongeWrap method, and is first described in this paper — the paper you cite is an amalgamation of all their major sponge papers. The encryption method wrap is described in Algorithm 3, on page 10. In particular, lines 14–18 absorb-squeeze with respect to the ciphertext.

In practice it is probably simpler to think of it in the following way:

[Image: SpongeWrap diagram]

To implement this in terms of absorbing and squeezing, we have to use the squeezed output from the previous iteration (here called $s_r$, called $z$ in their algorithm) and xor this with the message, before absorbing in the message as part of the next call. In my mind absorbing / squeezing is a much less clear way of describing the process, but mathematically it is important since it clearly shows the object to be an instance of a Duplex Object, which is itself a series of sponges, and thus allows us to use their security proofs.

I do not know of any test vectors for SpongeWrap.

Ilmari Karonen
Cryptographeur
  • @Ilmari: Thanks very much for the image! Unfortunately perp doesn't seem to be a constant-width character, rather breaking my ascii art :( – Cryptographeur Dec 09 '13 at 18:19
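
An added example, not part of the original answer and not the Keccak team's code: a byte-aligned toy in the style of SpongeWrap over Keccak-f[1600], showing that each plaintext block is XORed with the squeezed rate bytes and that the plaintext is what gets absorbed, so the rate then holds the ciphertext. The 136-byte rate, the byte-level frame flag and padding, the 16-byte tag and all function names are assumptions, so the output is not compatible with the paper's bit-level SpongeWrap.

```python
import hmac
# Added example: toy byte-aligned duplex AE in the style of SpongeWrap (not bit-compatible).
RATE = 136       # assumed rate in bytes of the 200-byte state
BLK = RATE - 2   # payload per duplexing call; 2 bytes carry the frame flag and padding

def rol(a, n):
    return ((a << n) | (a >> (64 - n))) & (2**64 - 1)

def keccak_f(state):
    """Keccak-f[1600] permutation of a 200-byte state."""
    A = [[int.from_bytes(state[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    R = 1
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x+4) % 5] ^ rol(C[(x+1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]                                   # rho and pi
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t+1)*(t+2)//2 % 64)
        for y in range(5):                                          # chi
            T = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = T[x] ^ (~T[(x+1) % 5] & T[(x+2) % 5])
        for j in range(7):                                          # iota
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return bytearray(b"".join(A[x][y].to_bytes(8, "little") for y in range(5) for x in range(5)))

def duplex(state, block, frame):
    """XOR block || frame byte || simplified pad10*1 into the rate, then permute."""
    padded = bytearray(bytes(block) + bytes([frame, 0x01]) + bytes(BLK - len(block)))
    padded[-1] ^= 0x80
    return keccak_f(bytes(s ^ p for s, p in zip(state, padded + bytes(200 - RATE))))

def wrap(key, header, body, decrypt=False):
    """Return (ciphertext or plaintext, 16-byte tag); key and header must fit one block each."""
    state = duplex(duplex(bytearray(200), key, 0), header, 1)
    blocks = [body[i:i+BLK] for i in range(0, len(body), BLK)] or [b""]
    out = b""
    for n, blk in enumerate(blocks):
        x = bytes(b ^ s for b, s in zip(blk, state))   # XOR with the squeezed rate bytes
        out += x
        # Absorb the plaintext in both directions; the rate then equals the ciphertext.
        state = duplex(state, x if decrypt else blk, int(n + 1 < len(blocks)))
    return out, bytes(state[:16])

def unwrap(key, header, ct, tag):
    pt, expected = wrap(key, header, ct, decrypt=True)
    return pt if hmac.compare_digest(expected, tag) else None  # no plaintext on a bad tag
```

Because no published SpongeWrap vectors are known here, the only externally checkable part is the permutation, which can be validated by building SHA3-256 on top of `keccak_f` and comparing with `hashlib`.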