This is a bit of a research question / discussion.
EXtensible Output Functions (XOFs) such as sponge functions typically have two phases: first you absorb some amount of input material, then you squeeze some amount of output material. Currently, the only implementation of XOF is SHA3 / SHAKE, which will panic inside KeccakDigest.absorb() if you try to absorb after squeezing.
The task for this ticket is to do a careful reading of FIPS 202 which defines the SHA3 family, and contains NIST's definition of XOF, and decide if it is actually an error to interleave absorb() and squeeze() calls, then refactor the code and adjust tests to do the decided-upon behaviour.
This is a bit of a research question / discussion.
EXtensible Output Functions (XOFs) such as sponge functions typically have two phases: first you absorb some amount of input material, then you squeeze some amount of output material. Currently, the only implementation of XOF is SHA3 / SHAKE, which will panic inside KeccakDigest.absorb() if you try to absorb after squeezing.
The task for this ticket is to do a careful reading of FIPS 202 which defines the SHA3 family, and contains NIST's definition of XOF, and decide if it is actually an error to interleave absorb() and squeeze() calls, then refactor the code and adjust tests to do the decided-upon behaviour.