Internet-Draft | Areion | October 2023 |
Sakemi & Kanno | Expires 25 April 2024 | [Page] |
- Workgroup:
- Network Working Group
- Internet-Draft:
- draft-sakemi-areion-00
- Published:
- Intended Status:
- Informational
- Expires:
Ultra-Low Latency Cryptography Areion
Abstract
This document specifies a series of cryptographic wide-block permutations named "Areion"[Areion] for efficient encryption and hashing of relatively short input data. Additionally, it describes AEAD scheme constructed from Areion.¶
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 April 2024.¶
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1. Introduction
The recent evolution of communication technologies demands cryptographic primitives that can offer both robust security and high efficiency. Wide-block ciphers, which operate on larger block sizes than traditional block ciphers, have gained attention as a promising solution to address the limitations of 128-bit block sizes, such as those in AES-GCM. Notably, concerns regarding the limitations of 128-bit block sizes have been raised in public comments[PublicCommentOnSP800-38A] on NIST SP800-38A[SP800-38A].¶
Areion is a novel cryptographic primitive designed to meet these requirements, offering a wide-block permutation suitable for various cryptographic constructions.¶
Areion's design is deeply influenced by the AES instructions and the Single Instruction, Multiple Data (SIMD) paradigm. The AES-NI instruction set, which is a part of modern CPUs, provides hardware support for AES operations. This hardware acceleration is crucial for Areion, enabling it to achieve low-latency operations.¶
In this document, we specify a detailed specification of permutation on Areion.¶
Note: While Areion can be applied for hashing, this document focuses on its encryption capabilities. Hashing functions using Areion are outside of scope in this document.¶
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
2. Design of Areion Permutation
The Areion permutation algorithm is designed to provide a robust foundation for cryptographic constructions. This section provides a detailed specification of the Areion permutation algorithm for both Areion-256 and Areion-512.¶
2.1. Notations
- SB:
-
SubBytes¶
- SR:
-
ShiftRows¶
- MC:
-
MixColumns¶
- AC:
-
AddRoundConstant operations of the AES round function. AC is analogous to the AddRoundKey operation in AES, but instead of a round key, a constant is added.¶
-
^
: -
Bitwise XOR operation¶
-
◦
: -
Function composition, where the function on the right is applied first¶
2.2. Functions
Based on the operations in the AES round function, we define four functions F_i for i in {0, 1, 2, 3} as follows.¶
2.3. Areion-256 Permutation
- Input:
-
A 256-bit block divided into two 128-bit halves:
L
andR
¶
Procedures:¶
For each round r from 1 to 10 a. L' = L ^ F_0(R) b. R' = R ^ F_1(L ^ F_0(R)) c. Update L = L' and R = R'¶
- Output:
-
Concatenation of
L
andR
¶
2.4. Areion-512 Permutation
- Input:
-
A 512-bit block divided into four 128-bit quarters:
A
,B
,C
, andD
.¶
Procedures:¶
For each round r from 1 to 15: a. A' = A ^ F_2(D) b. B' = B ^ F_3(C ^ F_2(D)) c. C' = C ^ F_0(B ^ F_3(C ^ F_2(D))) d. D' = D ^ F_1(A ^ F_0(B ^ F_3(C ^ F_2(D)))) e. Update A = A', B = B', C = C', and D = D'¶
- Output:
-
Concatenation of
A
,B
,C
, andD
.¶
3. Permutation-based AEAD schemes by Areion
The Areion can be constructed as AEADs by combining it with various permutation-based AEAD. In this document, we describe an Areion-OPP as concrete example in Appendix A¶
4. IANA Considerations
This document has no IANA actions.¶
5. Security Considerations
For security considerations of Areion, this document refers to Section 5 of [Areion].¶
6. Acknowledgements
These research results were obtained from the commissioned research(No.05801) by National Institute of Information and Communications Technology (NICT) , Japan.¶
The authors would like to thank Takanori Isobe, Ryoma Ito, Fukang Liu, Kazuhiko Minematsu, Motoki Nakahashi, Kosei Sakamoto, and Rentaro Shiba for their academic insights and advice as a design team on Areion.¶
7. References
7.1. Normative References
- [Areion]
- Isobe, T., Ito, R., Liu, F., Minematsu, K., Nakahashi, M., Sakamoto, K., and R. Shiba, "Areion: Highly-Efficient Permutations and Its Applications (Extended Version)", , <https://eprint.iacr.org/2023/794.pdf>.
- [RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
- [RFC8174]
- Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References
- [PublicCommentOnSP800-38A]
- National Institute of Standards and Technology, "PUBLIC COMMENTS ON SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques and SP 800-38A Addendum, Three Variants of Ciphertext Stealing for CBC Mode", , <https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38a-initial-public-comments-2021.pdf>.
- [SP800-38A]
- Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", , <https://doi.org/10.6028/NIST.SP.800-38A>.
Appendix A. Permutation-based authenticated encryption modes, OPP
In this section, we describe the algorithm for Areion-OPP. For details, see [Areion]. Note: We plan to describe our Internet Draft based on Section 4.2.2 of [Areion].¶
(TBD)¶