Internet-Draft Areion October 2023
Sakemi & Kanno Expires 25 April 2024
Network Working Group
Intended Status:
Y. Sakemi, Ed.
GMO Cybersecurity by Ierae, Inc.
S. Kanno
GMO Cybersecurity by Ierae, Inc.

Ultra-Low Latency Cryptography Areion


This document specifies a series of cryptographic wide-block permutations named "Areion" [Areion] for efficient encryption and hashing of relatively short input data. Additionally, it describes an AEAD scheme constructed from Areion.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 25 April 2024.


1. Introduction

The recent evolution of communication technologies demands cryptographic primitives that can offer both robust security and high efficiency. Wide-block ciphers, which operate on larger block sizes than traditional block ciphers, have gained attention as a promising solution to address the limitations of 128-bit block sizes, such as those in AES-GCM. Notably, concerns regarding the limitations of 128-bit block sizes have been raised in public comments [PublicCommentOnSP800-38A] on NIST SP800-38A [SP800-38A].

Areion is a novel cryptographic primitive designed to meet these requirements, offering a wide-block permutation suitable for various cryptographic constructions.

Areion's design is deeply influenced by the AES instructions and the Single Instruction, Multiple Data (SIMD) paradigm. The AES-NI instruction set, which is a part of modern CPUs, provides hardware support for AES operations. This hardware acceleration is crucial for Areion, enabling it to achieve low-latency operations.

This document gives a detailed specification of the Areion permutations.

Note: While Areion can be applied to hashing, this document focuses on its encryption capabilities. Hash functions using Areion are out of scope for this document.

1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Design of Areion Permutation

The Areion permutation algorithm is designed to provide a robust foundation for cryptographic constructions. This section provides a detailed specification of the Areion permutation algorithm for both Areion-256 and Areion-512.

2.1. Notations








AC:
    AddRoundConstant operations of the AES round function. AC is analogous to the AddRoundKey operation in AES, but instead of a round key, a constant is added.

^:
    Bitwise XOR operation

◦:
    Function composition, where the function on the right is applied first

2.2. Functions

Based on the operations in the AES round function, we define four functions F_i for i in {0, 1, 2, 3} as follows.

  • F_0 = MC ◦ SR ◦ SB

  • F_1 = SR ◦ SB

  • F_2 = MC ◦ SR ◦ SB ◦ AC ◦ MC ◦ SR ◦ SB

  • F_3 = MC ◦ SR ◦ SB ◦ AC ◦ SR ◦ SB

2.3. Areion-256 Permutation


Input:
    A 256-bit block divided into two 128-bit halves: L and R

Procedure:
    For each round r from 1 to 10:
        a. L' = L ^ F_0(R)
        b. R' = R ^ F_1(L ^ F_0(R))
        c. Update L = L' and R = R'

Output:
    Concatenation of L and R
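
The round structure of Section 2.3 in software, as an added example that is not part of the draft and has not been checked against the Areion reference code (the draft carries no test vectors). It assumes the FIPS-197 column-major byte layout, which the draft does not state, and all function names are illustrative. The inverse shows why the construction is a permutation: each step is undone by repeating the same XOR, so F_0 and F_1 never have to be inverted.

```python
# Added sketch of Section 2.3 as written; FIPS-197 byte layout is an assumption.
def gmul(a, b):                       # multiply in GF(2^8) mod x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():                    # AES S-box: field inverse, then affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):         # XOR in the four left-rotations of inv
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s)
    return box

SBOX = _build_sbox()
def SB(s): return bytes(SBOX[b] for b in s)                                       # SubBytes
def SR(s): return bytes(s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16))  # ShiftRows
def MC(s):                                                                        # MixColumns
    return bytes(gmul(s[4*c + r], 2) ^ gmul(s[4*c + (r+1) % 4], 3)
                 ^ s[4*c + (r+2) % 4] ^ s[4*c + (r+3) % 4]
                 for c in range(4) for r in range(4))
def F0(x): return MC(SR(SB(x)))       # F_0 = MC ◦ SR ◦ SB
def F1(x): return SR(SB(x))           # F_1 = SR ◦ SB
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))

def _halves(block):
    if len(block) != 32:
        raise ValueError("Areion-256 operates on a 32-byte block")
    return block[:16], block[16:]

def areion256_draft(block, rounds=10):
    L, R = _halves(block)
    for _ in range(rounds):
        L = xor(L, F0(R))             # a. L' = L ^ F_0(R)
        R = xor(R, F1(L))             # b. R' = R ^ F_1(L ^ F_0(R)) = R ^ F_1(L')
    return L + R

def areion256_draft_inv(block, rounds=10):
    L, R = _halves(block)
    for _ in range(rounds):
        R = xor(R, F1(L))             # undo b: L here is still L'
        L = xor(L, F0(R))             # undo a with the recovered R
    return L + R
```

F_0 and F_1 as defined here correspond to one AES round and one AES final round with an all-zero round key, which is what allows an AES-NI implementation to compute each with a single instruction.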

2.4. Areion-512 Permutation


Input:
    A 512-bit block divided into four 128-bit quarters: A, B, C, and D.

Procedure:
    For each round r from 1 to 15:
        a. A' = A ^ F_2(D)
        b. B' = B ^ F_3(C ^ F_2(D))
        c. C' = C ^ F_0(B ^ F_3(C ^ F_2(D)))
        d. D' = D ^ F_1(A ^ F_0(B ^ F_3(C ^ F_2(D))))
        e. Update A = A', B = B', C = C', and D = D'

Output:
    Concatenation of A, B, C, and D.

3. Permutation-based AEAD schemes by Areion

Areion can be turned into an AEAD by combining it with various permutation-based AEAD modes. This document describes Areion-OPP as a concrete example in Appendix A.

4. IANA Considerations

This document has no IANA actions.

5. Security Considerations

For security considerations of Areion, this document refers to Section 5 of [Areion].

6. Acknowledgements

These research results were obtained from the commissioned research (No.05801) by the National Institute of Information and Communications Technology (NICT), Japan.

The authors would like to thank Takanori Isobe, Ryoma Ito, Fukang Liu, Kazuhiko Minematsu, Motoki Nakahashi, Kosei Sakamoto, and Rentaro Shiba for their academic insights and advice as a design team on Areion.

7. References

7.1. Normative References

[Areion]
    Isobe, T., Ito, R., Liu, F., Minematsu, K., Nakahashi, M., Sakamoto, K., and R. Shiba, "Areion: Highly-Efficient Permutations and Its Applications (Extended Version)".

[RFC2119]
    Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119.

[RFC8174]
    Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174.

7.2. Informative References

[PublicCommentOnSP800-38A]
    National Institute of Standards and Technology, "PUBLIC COMMENTS ON SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques and SP 800-38A Addendum, Three Variants of Ciphertext Stealing for CBC Mode".

[SP800-38A]
    Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques".

Appendix A. Permutation-based authenticated encryption modes, OPP

In this section, we describe the algorithm for Areion-OPP. For details, see [Areion]. Note: We plan to describe our Internet Draft based on Section 4.2.2 of [Areion].


Appendix B. Example Implementation


Appendix C. Test Cases & Test Vectors


Authors' Addresses

Yumi Sakemi (editor)
GMO Cybersecurity by Ierae, Inc.
Satoru Kanno
GMO Cybersecurity by Ierae, Inc.