Keyak is an authenticated encryption scheme based on Keccak-p. It takes as input a *secret and unique value* (SUV), then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadata and the plaintext. The recipient holding the same secret key can decrypt the cryptogram and check whether it is authentic.
Keyak supports also the concept of sessions. Without having to input the key again and a new nonce, the communicating parties can keep on exchanging metadata-plaintext pairs. Each time, the tag authenticates the complete exchange of messages so far. The SUV can be either a secret key and a nonce, or a one-time session key derived using public-key cryptographic techniques.
Keyak provides strong bounds against generic attacks and uses the well-analyzed Keccak-p permutation. It aims at robustness and performance on a wide range of processors.
|The Keyak authenticated encryption scheme
|Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer
|An authenticated encryption scheme with associated data and support for sessions
|The Motorist authenticated encryption mode on top of the full-state keyed duplex construction
|The Keccak-p[800, 12] permutation (for River Keyak) or the Keccak-p[1600, 12] permutation (for the other instances)
|The width of the permutation b and by the degree of parallelism Π
|Third-round candidate in the CAESAR competition
We define and document Keyak in the Keyak CAESAR submission v2.2.