The Keyak authenticated encryption scheme

Keyak is an authenticated encryption scheme based on Keccak-p. It takes as input a *secret and unique value* (SUV), then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadata and the plaintext. The recipient holding the same secret key can decrypt the cryptogram and check whether it is authentic.

Keyak supports also the concept of sessions. Without having to input the key again and a new nonce, the communicating parties can keep on exchanging metadata-plaintext pairs. Each time, the tag authenticates the complete exchange of messages so far. The SUV can be either a secret key and a nonce, or a one-time session key derived using public-key cryptographic techniques.

Keyak provides strong bounds against generic attacks and uses the well-analyzed Keccak-p permutation. It aims at robustness and performance on a wide range of processors.

Technical details

SynopsisThe Keyak authenticated encryption scheme
Designed byGuido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer
ImplementsAn authenticated encryption scheme with associated data and support for sessions
ConstructionThe Motorist authenticated encryption mode on top of the full-state keyed duplex construction
PrimitiveThe Keccak-p[800, 12] permutation (for River Keyak) or the Keccak-p[1600, 12] permutation (for the other instances)
Parameterized byThe width of the permutation b and by the degree of parallelism Π
Instancewidthdegree of parallelism
River Keyakb=800Π=1
Lake Keyakb=1600Π=1
Sea Keyakb=1600Π=2
Ocean Keyakb=1600Π=4
Lunar Keyakb=1600Π=8
StatusThird-round candidate in the CAESAR competition

We define and document Keyak in the Keyak CAESAR submission v2.2.

The reference implementation of Keyak v2 is part of Keccak Tools. Further implementations can be found in the Keccak Code Package.