[Cryptography] Keccak-based AEAD cipher algorithm

Stephan Mueller smueller at chronox.de
Thu Jul 28 01:34:06 EDT 2022


On Tuesday, 26 July 2022, 22:23:32 CEST, Jacob Christian Munch-Andersen wrote:

Hi Jacob,

> On Tue, Jul 26, 2022, at 11:47 AM, Stephan Mueller wrote:
> > Using Keccak, a symmetric stream cipher algorithm using the authenticated
> > encryption with additional data (AEAD) algorithm can be specified.
> 
> Before getting to an actual cryptographic review, there are a few structural
> issues that I think you need to fix.
> 
> First of all, why are there two almost identical algorithms? It doesn't seem
> like they serve different purposes or have significantly different
> trade-offs, so why wouldn't you just pick the one you think is best and
> forget about the other one?

Exactly. It all started off by using KMAC as this was the natural choice 
considering it handles a key. But then KMAC requires at least 2 Keccak 
operations during initialization whereas cSHAKE requires only one. And when 
comparing KMAC to cSHAKE, both are basically identical with the exception that 
KMAC adds more padding (that is filled with zeros). Thus I thought why not 
use cSHAKE instead.

For research, I implemented both to also see the difference in performance. 
But in the end, one should remain.
> 
> Second, what functions do I actually need to call in order to use this? You
> have placed all the documentation inside code files, which is ugh. But more
> important, you have failed to provide a concise instruction, and some
> sample code is really a must-have.

The instruction on using the code is given in the header files with the 
function names. The examples on using the code are given in the test case 
files in [1] through [4].

> When I look at the header files there
> are a bunch of different functions, as best I can tell
> lc_cc_encrypt_oneshot and lc_cc_decrypt_oneshot are the sane choices, with
> everything else serving as footguns for those who are unaware.
> 
> Third, could you elaborate why one should choose this algorithm over
> competing ones? We already have plenty different to choose from, so a new
> one isn't worth much if it isn't better than the old ones in some way.

It started as a research project to study whether a viable algorithm based on 
hashes can be created. I.e. the algorithm uses hashes to encrypt data (a weird 
statement, but this is true in this case).


[1] https://github.com/smuellerDD/leancrypto/blob/master/aead/tests/cshake_crypt_test.c

[2] https://github.com/smuellerDD/leancrypto/blob/master/aead/tests/cshake_crypt_large_test.c

[3] https://github.com/smuellerDD/leancrypto/blob/master/aead/tests/kmac_crypt_test.c

[4] https://github.com/smuellerDD/leancrypto/blob/master/aead/tests/kmac_crypt_large_test.c

Ciao
Stephan
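
Added example, not part of the message above and not leancrypto code: the NIST SP 800-185 prefix encodings for the 256-bit variants (rate 136 bytes), built byte for byte to show where KMAC's second initialization block and its zero fill come from. The function names, the "sample" customization string and the all-zero key are constructed for illustration; how the cSHAKE-based AEAD feeds its key into cSHAKE is not shown in this message and is not modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RATE 136 /* cSHAKE256 / KMAC256 block (rate) size in bytes */

/* SP 800-185 left_encode(x): byte count n, then x as n big-endian bytes */
static size_t left_encode(uint8_t *out, uint64_t x)
{
    size_t n = 1;
    for (uint64_t t = x >> 8; t; t >>= 8) n++;
    out[0] = (uint8_t)n;
    for (size_t i = 0; i < n; i++) out[1 + i] = (uint8_t)(x >> (8 * (n - 1 - i)));
    return n + 1;
}

/* bytepad(encode_string(a) || encode_string(b), RATE); b = NULL encodes a alone */
size_t bytepad_strings(uint8_t *buf, const void *a, size_t alen,
                       const void *b, size_t blen)
{
    const void *s[2] = { a, b };
    size_t len[2] = { alen, blen }, off = left_encode(buf, RATE);
    for (int i = 0; i < 2 && s[i]; i++) {
        off += left_encode(buf + off, (uint64_t)len[i] * 8);
        memcpy(buf + off, s[i], len[i]);
        off += len[i];
    }
    size_t padded = (off + RATE - 1) / RATE * RATE;
    memset(buf + off, 0, padded - off); /* zero fill up to the block boundary */
    return padded; /* caller provides a buf large enough for this */
}

/* Prefix blocks (one Keccak permutation each) absorbed before message data */
size_t init_blocks(int kmac, const char *s, const uint8_t *key, size_t keylen)
{
    uint8_t buf[4 * RATE];
    size_t slen = strlen(s), total;
    if (slen > 256 || keylen > 256) return 0; /* keep the sketch inside buf */
    total = bytepad_strings(buf, kmac ? "KMAC" : "", kmac ? 4 : 0, s, slen);
    if (kmac) /* KMAC only: bytepad(encode_string(K), RATE) */
        total += bytepad_strings(buf, key, keylen, NULL, 0);
    return total / RATE;
}

int main(void)
{
    uint8_t key[32] = { 0 }; /* constructed sample key */
    printf("cSHAKE256: %zu, KMAC256: %zu prefix permutation(s)\n",
           init_blocks(0, "sample", key, 32), init_blocks(1, "sample", key, 32));
}
```

With a 32-byte key, the KMAC key block carries 37 encoded bytes followed by 99 zero bytes.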



