An implementation of the Areion permutations and some potential uses.

This implementation passes test vectors, but Areion is a brand-new algorithm with no third-party cryptanalysis to date.

This implementation is compliant with the test vectors in the updated version of the paper (2023-09-21).

This repository also includes a few different hash algorithms based on the Areion512 permutation.

Areion-256-Sponge uses the Areion512 permutation in a sponge construction with a 256-bit rate. On x86_64 platforms, it's roughly as fast as vectorized SHA-256; on Apple Silicon it's about half as fast.

Areion-512-MMO is a Matyas-Meyer-Oseas hash function using a single-key Even-Mansour block cipher based on the Areion-512 permutation.

The single-key Even-Mansour scheme uses a public permutation P to construct a block cipher for key K and plaintext block M:

SEM(K, M) = P(M ^ K) ^ K

The Matyas-Meyer-Oseas mode uses a block cipher E(K, M) to construct a hash function, calculating the current hash state H_i given the previous hash state H_{i-1} and current message block M_i:

MMO(H_{i-1}, M_i) = E(H_{i-1}, M_i) ^ M_i

These can be combined into a single form:

SEM-MMO(H_{i-1}, M_i) = P(M_i ^ H_{i-1}) ^ H_{i-1} ^ M_i

Areion-512-MMO uses four 128-bit words, initialized with the same constants as SHA-512:

H_0 = (0x6a09e667f3bcc908bb67ae8584caa73b, 0x3c6ef372fe94f82ba54ff53a5f1d36f1,
       0x510e527fade682d19b05688c2b3e6c1f, 0x1f83d9abfb41bd6b5be0cd19137e2179)

It then iterates through the message in 512-bit blocks, updating the state words using the MMO-SEM compression function. To produce a final digest, the same padding as SHA-512 is used (i.e. appending an0x80 byte, padding to the nearest block, and appending a 128-bit big-endian counter of the message length in bits), and the final state words are serialized in big-endian form.

The resulting hash function offers 256 bits of collision resistance if the permutation P (i.e. Areion-512) is indistinguishable from a random permutation. Untruncated digests are vulnerable to length-extension attacks. With dedicated AES and 128-bit vector instructions, performance is ~1.7x that of vectorized SHA-256 on x86_64 processors and ~1.1x that of fully-accelerated SHA-256 on Apple Silicon processors.

Areion-512-HAIFA is a HAIFA-style hash function based on the Areion512 permutation, allowing for variable digest lengths (0..64 bytes), and immune to length extension attacks.

Areion-512-MMO uses four 128-bit words, initialized with the same constants as SHA-512, plus a constant tweak, consisting of the SHA-512-256 constants, XORed with the output size.

, with the final word XORed with the output size in bits:

H_0 = (0x6a09e667f3bcc908bb67ae8584caa73b, 0x3c6ef372fe94f82ba54ff53a5f1d36f1,
       0x510e527fade682d19b05688c2b3e6c1f, 0x1f83d9abfb41bd6b5be0cd19137e2179)
T = (0x22312194fc2bf72c9f555fa3c84c64c2, 0x2393b86b6f53b151963877195940eabd,
     0x96283ee2a88effe3be5e1e2553863992, 0x2b0199fc2c85b8aa0eb72ddc81c52ca2 ^ output_size)

The tweak can also be used to incorporate a salt, domain separation string, and other metadata.

Its compression function uses a 128-bit counter of the number of bits which have been processed, including the current block:

C(H, T, M, #bits) = P(H ^ T ^ M ^ #bits) ^ H ^ T

The resulting hash function offers 256 bits of collision resistance if the permutation P (i.e. Areion-512) is indistinguishable from a random permutation. This construction is not vulnerable to length-extension attacks. With dedicated AES and 128-bit vector instructions, performance is ~1.7x that of vectorized SHA-256 on x86_64 processors and ~1.2x that of fully-accelerated SHA-256 on Apple Silicon processors.

Copyright © 2023 Coda Hale

Distributed under the Apache License 2.0 or MIT License.