4

I have been reading the Cryptographic sponge functions paper, but I'm still confused.

Does Keccak in authenticated encryption mode absorb ciphertext or plaintext?

Edit: Are there any test vectors to verify an implementation of Keccak authenticated encryption?

Cryptographeur
LightBit

1 Answer

7

The authenticated encryption mode devised by the Keccak team is the SpongeWrap method, and is first described in this paper — the paper you cite is an amalgamation of all their major sponge papers. The encryption method wrap is described in Algorithm 3, on page 10. In particular, lines 14–18 absorb-squeeze with respect to the ciphertext.

In practice it is probably simpler to think of it in the following way:

SpongeWrap diagram

To implement this in terms of absorbing and squeezing, we have to use the squeezed output from the previous iteration (here called $s_r$, called $z$ in their algorithm) and xor this with the message, before absorbing in the message as part of the next call. In my mind absorbing / squeezing is a much less clear way of describing the process, but mathematically it is important since it clearly shows the object to be an instance of a Duplex Object, which is itself a series of sponges, and thus allows us to use their security proofs.

I do not know of any test vectors for SpongeWrap.

Ilmari Karonen
Cryptographeur
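As an added example (not part of the answer above, and not the Keccak team's code): a byte-aligned sketch modelled on SpongeWrap over Keccak-f[1600], which records the outer state right after each body block is absorbed so it can be compared with the ciphertext. XORing a plaintext block into the rate leaves the rate equal to the ciphertext block, so the two descriptions coincide. The 136-byte rate, the single-block key and header, and the names `duplex`, `spongewrap` and `trace` are assumptions of this sketch.

```python
# Added example (not from the post): SpongeWrap-style flow over Keccak-f[1600], byte-aligned.
RATE = 136        # assumed rate in bytes (r = 1088 bits, c = 512 bits)
RHO = RATE - 1    # payload bytes per duplexing call; the last byte holds frame bit + pad10*1

def rol(a, n):
    return ((a << (n % 64)) | (a >> (64 - n % 64))) & (2**64 - 1)

def keccak_f(state):  # Keccak-f[1600] permutation of a 200-byte state
    a = [[int.from_bytes(state[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    r = 1
    for _ in range(24):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x+4) % 5] ^ rol(c[(x+1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]   # theta
        x, y, cur = 1, 0, a[1][0]
        for t in range(24):                                          # rho and pi
            x, y = y, (2*x + 3*y) % 5
            cur, a[x][y] = a[x][y], rol(cur, (t+1)*(t+2)//2)
        for y in range(5):                                           # chi
            row = [a[x][y] for x in range(5)]
            for x in range(5):
                a[x][y] = row[x] ^ (~row[(x+1) % 5] & row[(x+2) % 5])
        for j in range(7):                                           # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                a[0][0] ^= 1 << ((1 << j) - 1)
    return bytearray(b"".join(a[x][y].to_bytes(8, "little") for y in range(5) for x in range(5)))

def duplex(state, block, frame, n_out, trace):
    # Absorb block || frame bit || pad10*1, permute, return n_out squeezed bytes.
    state[:len(block)] = bytes(s ^ b for s, b in zip(state, block))
    trace.append(bytes(state[:len(block)]))   # outer state right after absorbing
    state[len(block)] ^= frame | 0x02         # frame bit, then the first pad bit
    state[RATE - 1] ^= 0x80                   # last pad bit
    state[:] = keccak_f(state)
    return bytes(state[:n_out])

def spongewrap(key, header, data, decrypt=False, tag_len=16):
    # Key and header of at most RHO bytes each, tag_len <= RHO; returns (output, tag, trace).
    state, out, trace = bytearray(200), b"", []
    duplex(state, key, 0, 0, [])                       # final key block: frame bit 0
    blocks = [data[i:i+RHO] for i in range(0, len(data), RHO)] or [b""]
    z = duplex(state, header, 1, len(blocks[0]), [])   # final header block: frame bit 1
    for i, blk in enumerate(blocks):
        x = bytes(p ^ q for p, q in zip(blk, z))       # body block XOR previous squeeze
        out += x
        last = i == len(blocks) - 1
        n_out = tag_len if last else len(blocks[i + 1])
        z = duplex(state, x if decrypt else blk, 0 if last else 1, n_out, trace)
    return out, z, trace
```

To unwrap, call with `decrypt=True`, compare the returned tag with the received one using `hmac.compare_digest`, and discard the output on a mismatch.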