Paper 2011/499

Duplexing the sponge: single-pass authenticated encryption and other applications

Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche


This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and, at no extra cost, provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as a reseedable pseudo-random bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than to XOR it in.

Available format(s)
Publication info
Published elsewhere. Extended version of the paper to appear in SAC 2011
sponge functionsduplex constructionauthenticated encryptionkey wrappingprovable securitypseudo-random bit sequence generatorKeccak
Contact author(s)
gilles vanassche @ st com
2011-09-18: received
Short URL
Creative Commons Attribution


      author = {Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles Van Assche},
      title = {Duplexing the sponge: single-pass authenticated encryption and other applications},
      howpublished = {Cryptology ePrint Archive, Paper 2011/499},
      year = {2011},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.