Areion: Highly-Efficient Permutations and Its Applications

1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

2.1. Maximal Use of AES Instructions

Areion is designed to be implemented solely using AES instructions, such as aesenc in Intel AES-NI or vaeseq and vaesmcq in ARMv8 NEON. These instructions are among the most efficient and cryptographically strong operations available in modern SIMD instruction sets. This approach avoids slower shuffle operations and leverages the deep security analysis of the AES round function.¶

2.2. Pipeline-Friendly Feistel Structure

Modern processors can execute multiple AES instructions in parallel through pipelining (e.g., Intel Ice Lake can pipeline up to 6 aesenc instructions). Areion adopts a "pipeline-friendly" Feistel-type structure, which, unlike traditional Feistel schemes or Simpira v2, adds F-functions in a way that takes full advantage of this hardware parallelism. This structure allows for more AES instructions to be executed in parallel within a single round, significantly reducing latency.¶

2.3. Systematic Search for Optimal Functions

The specific F-functions used in Areion-256 (F_1, F_2) and Areion-512 (F_0, F_1, F_3) were not chosen arbitrarily. They are the result of a systematic search over all possible combinations of 1- and 2-round AES operations. The chosen structures, (2, 1)-perm for Areion-256 and (0, 1, 0, 3, pi_1)-perm for Areion-512, were identified as providing the best trade-off between the lowest number of AES instructions required and the highest security level achieved against differential, linear, impossible differential, and integral attacks.¶

2.4. Round Counts and Security Margins

The number of rounds, 10 for Areion-256 and 15 for Areion-512, was determined by detailed security analysis. This analysis (detailed in Section 6) identified the longest possible attacks (e.g., 5-round zero-sum for Areion-256, 10-round zero-sum for Areion-512) and established the full round counts to provide a sufficient security margin against all known cryptanalytic techniques.¶

3.1. Notations

SB:

SubBytes¶

SR:

ShiftRows¶

MC:

MixColumns¶

AC:

AddRoundConstant operations of the AES round function. This operation adds a round constant to the state, similar to the AddRoundKey operation in AES, but instead of a round key, a constant is added.¶

^:

Bitwise XOR operation¶

◦:

Function composition, where the function on the right is applied first¶

3.2. Functions

Based on the operations in the AES round function, we define four 128-bit functions F_i for i in {0, 1, 2, 3}. Each function maps a 128-bit state to a 128-bit state. The AES round operations SubBytes, ShiftRows, MixColumns, and AddRoundConstant are denoted by SB, SR, MC, and AC, respectively. AC(x, C) denotes the bitwise XOR of a 128-bit constant C to the 128-bit state x.¶

• F_0(x) = MC ◦ SR ◦ SB(x)¶

• F_1(x) = SR ◦ SB(x)¶

• For a given round index r, F_2^{(r)}(x) = MC ◦ SR ◦ SB ◦ AC( MC ◦ SR ◦ SB(x), RC_r )¶

• For a given round index r, F_3^{(r)}(x) = MC ◦ SR ◦ SB ◦ AC( SR ◦ SB(x), RC_r )¶

The constants RC_r used in AC(·, RC_r) are the round constants defined in Section 3.3. F_0 and F_1 do not use round constants.¶

3.3. Round Constants

Areion uses 128-bit round constants RC_r for r = 0, 1, ..., 14. The constants are derived from the binary expansion of the fractional part of π and are given in hexadecimal notation in Table 1. Each constant is used in little-endian byte order when applied by AC(x, RC_r).¶

In round r of Areion-256 (0 ≤ r ≤ 9) and Areion-512 (0 ≤ r ≤ 14), the constant RC_r is added to exactly one 128-bit word via AC(x, RC_r) inside F_2^{(r)} or F_3^{(r)}, respectively.¶

3.4. Areion-256 Permutation

Input:

A 256-bit block divided into two 128-bit halves: x0 and x1.¶

Procedures:¶

Let (x0, x1) be the two 128-bit words of the input.¶

The Areion-256 permutation processes 10 rounds organized as 5 pairs. Each pair of rounds swaps the parameter positions to enable efficient pipelining:¶

          For i from 0 to 9 step 2:
            Round i:   (x0, x1) := RoundFunction256(x0, x1, i)
            Round i+1: (x1, x0) := RoundFunction256(x1, x0, i+1)

          Where RoundFunction256(a, b, r) is defined as:
            rc0 = RC_r (round constant from Table 1)
            rc1 = 0^128 (all-zero 128-bit value)
            b := aesenc(aesenc(a, rc0), b)
            a := aesenclast(a, rc1)
            return (a, b)

          <t>Here, aesenc(state, key) performs SubBytes, ShiftRows, MixColumns, then XOR with key (corresponds to _mm_aesenc_si128 in Intel AES-NI or equivalent), and aesenclast(state, key) performs SubBytes, ShiftRows, then XOR with key without MixColumns (corresponds to _mm_aesenclast_si128).

Output:

Concatenation of x0 and x1 after all rounds.¶

Implementation Note: The parameter swapping between round pairs (x0,x1) → (x1,x0) is critical for correct operation and matches the official reference implementation.¶

3.5. Inverse Areion-256 Permutation

The inverse permutation, denoted Areion-256-Inverse, reverses the steps of the forward permutation. It takes a 256-bit block (x0, x1) as input and returns the original block.¶

The decryption process iterates from round r = 9 down to 0, processing two rounds at a time to mirror the forward pair structure.¶

          // Initial state: (x0, x1) from forward output

          For i from 8 down to 0 step 2:
            // Inverse Round i+1 (Odd round: Input was (x1, x0))
            // In forward round i+1: x1 = F_1(x1), x0 = x0 XOR F_2(x1, i+1)
            // Inverse operations:
            x1 = F_1_Inverse(x1)
            x0 = x0 XOR F_2(x1, i+1)

            // Inverse Round i (Even round: Input was (x0, x1))
            // In forward round i: x0 = F_1(x0), x1 = x1 XOR F_2(x0, i)
            // Inverse operations:
            x0 = F_1_Inverse(x0)
            x1 = x1 XOR F_2(x0, i)

          return (x0, x1)

          Where F_1_Inverse(x) is defined as:
            return aesdeclast(x, 0^128)

          And F_2(x, i) is the same forward function used in encryption.

Note: aesdeclast(state, key) performs InverseShiftRows, InverseSubBytes, then XOR with key. This corresponds exactly to the inverse of aesenclast with a zero key.¶

3.6. Areion-512 Permutation

Input:

A 512-bit block divided into four 128-bit quarters: A, B, C, and D.¶

Procedures:¶

Let (A, B, C, D) be the four 128-bit words of the input.

For each round r from 0 to 14:
For each round r from 0 to 14:
    1. x1 = x1 XOR F_0(x0)
    2. x3 = x3 XOR F_0(x2)
    3. x0 = F_1(x0)
    4. x2 = F_3^{(r)}(x2)

    5. Shuffle (x0, x1, x2, x3) -> (x1, x2, x3, x0) (Left Rotate).

Output is the concatenation of x0, x1, x2, and x3.

Output:

Concatenation of A, B, C, and D.¶

4.2. Variable-Input Hash Function Areion512-MD

Areion512-MD is a variable-input-length hash function built from the Areion-512 permutation using a Davies-Meyer compression function in the Merkle-Damgård framework. It outputs a 256-bit message digest and targets a 256-bit preimage security level, as in [Areion].¶

H0 = 0x6a09e667bb67ae853c6ef372a54ff53a
H1 = 0x510e527f9b05688c1f83d9ab5be0cd19

A || B = M_i
C || D = H^(i)

    H^(i+1) = Areion512-DM(A || B || C || D)
            = Areion512-DM(M_i || H^(i))

Areion512-MD(M) = H^(t)

5.1. Parameters

The parameters for Areion256-OPP are defined as follows:¶

• Underlying permutation: Areion-256 as specified in Section 3.4.¶

• Block size b: 256 bits.¶

• Word size w: 64 bits.¶

• Number of words in LFSR state n: 4 (the masking state is (x0, x1, x2, x3)).¶

• Recommended key sizes: 128 or 256 bits.¶

• Nonce size: 128 bits.¶

• Tag length: 256 bits.¶

5.2. Masking Function

The masking function of the Masked Even-Mansour (MEM) construction used inside OPP is implemented by a word-oriented LFSR over 256-bit states. Each state consists of four 64-bit words (x0, x1, x2, x3). The LFSR update function φ is defined as follows:¶

φ : (x0, x1, x2, x3) ↦ (x1, x2, x3, (x0 <<< 3) XOR (x3 >> 5))

Here, rotation to the left (<<<) and logical right shift (>>) are taken on 64-bit words. Note: In the reference implementation and test vectors, the right operation is instantiated as a logical right shift (>> 5), not a rotation. For Areion256-OPP, >> 5 MUST be interpreted as logical right shift.¶

5.3. Key and Nonce Formatting

Let N denote the 128-bit nonce and K denote the secret key. The underlying permutation in the MEM construction takes a 256-bit input which is mapped to the two 128-bit words (L, R) for Areion-256.¶

• For a 128-bit key K, the initial 256-bit input to Areion-256 is N || K, where N is the most-significant 128 bits and K is the least-significant 128 bits. This concatenation is mapped to the two 128-bit words (L, R) = (N, K).¶

• For a 256-bit key K, this document RECOMMENDS the following initialization:¶

  L || R = (N || 0^128) XOR K
  

  ¶

  Here, 0^128 denotes the 128-bit all-zero value. In other words, the 256-bit quantity (N || 0^128) is XORed with the 256-bit key K, and the result is assigned to (L, R).¶

The following subsections describe the full encryption and decryption algorithms, derived from the Generic OPP specification [OPP-eprint] but instantiated specifically for Areion-256.¶

   MEM(X, Y) = Areion-256(X XOR Y) XOR Y
   MEM-Inverse(X, Y) = Areion-256-Inverse(X XOR Y) XOR Y

   // Map (K, N) to initial mask La
   If |K| == 128: S_init = Nonce || Key
   Else (|K| == 256): S_init = (Nonce || 0^128) XOR Key
   La = Areion-256(S_init)
   Le = γ(La)

   // Initialize accumulators
   Sa = 0^256 (Associated Data accumulator)
   Se = 0^256 (Encryption accumulator)

   Break A into 256-bit blocks A_0, ..., A_{h-1}
   For i = 0 to h-2:
       // Absorb full block
       B = A_i XOR La
       P = Areion-256(B)
       Sa = Sa XOR P XOR La
       La = φ(La)

   // Process last block A_{h-1} (potentially partial or empty)
   // Note: Reference implementation treats empty A same as partial
   If |A| > 0:
       La = β(La)
       If |A_{h-1}| == 256:
           // Full last block treated as partial in logic flow if separate function
           // But ref optimization absorbs normally.
           // Standard OPP Logic for Last Block:
           PadA = Pad(A_{h-1}) // If already full, Pad appends full block?
                               // No, ref `opp_absorb_lastblock` always pads.
           // Ref logic: if input length is multiple of block size, process as full blocks.
           // If partial remaining, process last block.
           // However, for consistency with ref `opp_absorb_data`:

       If A_{h-1} is full block (processed in loop):
           (Already done)
       Else (Partial A_{h-1}):
           PadA = Pad(A_{h-1})
           B = PadA XOR La
           P = Areion-256(B)
           Sa = Sa XOR P XOR La
           La = φ(La)

   // Corrected Logic matching ref `opp_absorb_data` and `opp_absorb_lastblock`
   Mask = La
   While |A| >= 256:
       Block = A[0..255]
       Sa = Sa XOR Areion-256(Block XOR Mask) XOR Mask
       Mask = φ(Mask)
       A = A[256..end]

   If |A| > 0 (Partial Remainder):
       Mask = β(Mask)
       PadA = Pad(A)
       Sa = Sa XOR Areion-256(PadA XOR Mask) XOR Mask
       Mask = φ(Mask)

   // Se accumulates message checksum, Le is mask
   Mask = Le
   While |M| >= 256:
       Block = M[0..255]
       // Encrypt Block using MEM
       // Out = Areion-256(Block XOR Mask) XOR Mask
       Out = MEM(Block, Mask)
       Append Out to Ciphertext
       // Accumulate Plaintext
       Se = Se XOR Block
       Mask = φ(Mask)
       M = M[256..end]

   If |M| > 0 (Partial Remainder):
       Mask = β(Mask)
       PadM = Pad(M)
       // Encrypt Partial
       // Keystream generation: Encrypt Zero-Block with Mask
       Keystream = MEM(0^256, Mask)
       Out = Keystream XOR PadM
       Append Out[0..|M|-1] to Ciphertext
       // Accumulate Padded Plaintext
       Se = Se XOR PadM

   // Calculate Tag Mask M_tag
   // Ref: `opp_finalise`: m = beta(beta(mask))

   M_tag = β(β(Mask))

   // Tag = Sa XOR MEM(Se, M_tag)
   // Block = Areion-256(Se XOR M_tag) XOR M_tag
   Block = MEM(Se, M_tag)
   Tag = Sa XOR Block

   Return (Ciphertext, Tag)

6.1. Security Claims

• Permutations (Areion-256, Areion-512): The permutations are claimed to provide 128-bit security as public permutations.¶

• SFIL Hash (Areion256-DM, Areion512-DM): These hash functions claim 256-bit security against preimage attacks. Collision resistance is not claimed as it is generally not required for their intended applications (e.g., hash-based signatures).¶

• VIL Hash (Areion512-MD): This hash function claims 256-bit security against preimage attacks and 128-bit security against collision attacks, consistent with SHA2-256.¶

6.2. AEAD Security

Areion256-OPP provides confidentiality and integrity for messages under the assumption that Areion-256 behaves as a pseudorandom permutation. The security properties can be described using the terminology in [RFC9771].¶

• Nonce Misuse: OPP is a nonce-respecting mode. If a nonce is repeated with the same key, confidentiality is lost for the colliding blocks (similar to ECB mode for those blocks), and authenticity is completely compromised. Implementations MUST ensure nonces are unique.¶
• Related-Key Attacks: As noted in Section 5.3, the 256-bit key initialization (N || 0^128) XOR K allows trivial related-key attacks. If an attacker can control specific bit-flips in both the Key and the Nonce, they can force the same initial state. Usage of Areion256-OPP in protocols that allow related-key queries is NOT RECOMMENDED.¶
• Usage Limits: While OPP enables parallel processing, the birthday bound security (128 bits for 256-bit block) implies that one should not process more than 2^128 blocks with a single key. Given the large block size, this limit is practically unreachable.¶

6.3. Cryptanalysis Summary

The full-round versions of Areion-256 (10 rounds) and Areion-512 (15 rounds) provide sufficient security margins against known attacks.¶

• Differential/Linear Attacks: The number of active S-boxes in reduced-round variants grows quickly, satisfying the 128-bit security threshold (22 active S-boxes) at 4 rounds for Areion-256 and 6 rounds for Areion-512, providing a large margin for the full-round versions.¶

• Impossible Differential Attacks: The longest impossible differential distinguishers found are for 4 rounds of Areion-256 and 8 rounds of Areion-512, well below the full round counts.¶

• Integral and Zero-Sum Attacks: The most effective integral-style attack is the zero-sum distinguisher. Such distinguishers have been found for 5 rounds of Areion-256 (with 2^32 data/time) and 10 rounds of Areion-512 (with 2^32 data/time). These are the attacks with the deepest penetration, and the full round counts are set to provide a 2x or 1.5x margin over them, respectively.¶

• MITM Preimage Attacks: For the DM hash constructions, meet-in-the-middle preimage attacks were found on 5-round Areion256-DM and 10-round Areion512-DM. This confirms the security margins of the 10-round and 15-round permutations used in the final hash constructions.¶