
Ascon has an interesting state construction where linear diffusion only occurs within words, and the only non-linearity also serves as the only diffusion between words:

[image: ascon_state]

[image: ascon_sbox]

As far as I know it's the only standardized cipher where an s-box serves as the only diffusion mechanism between parts of the state.

The rationale stated in their publications did not address this seemingly novel approach.

There are a number of permutations based on four 128-bit vectors utilizing AES (e.g. Haraka), but they rely on shuffling bytes around. Would not using 4-bit s-boxes have been a better choice? Is there something wrong with the approach? Ascon was selected despite or because of it.

meercat

1 Answer

For any s-box there exists a bit-sliced implementation of it - such as the one in the second image.

And if you look at what operations are performed you will see that many are exactly what a linear mixing stage would perform.

The lack of rotations in this stage would tend to slow diffusion and the Ascon publication remarks on it.

As for why Haraka doesn't use this method: performance. Shuffling bytes with AVX instructions is going to be much faster than bit-slicing 4-bit s-boxes.

Here is a 4-bit sbox from Serpent:

/* Serpent S0, bit-sliced: x0..x3 hold the four input bit-planes, x4 is a
 * temporary. The output bit-planes are left in x1, x4, x2, x0 (in that
 * order), which is how the kernel's round function consumes them. */
#define S0(x0, x1, x2, x3, x4) ({           \
                    x4  = x3;   \
    x3 |= x0;   x0 ^= x4;   x4 ^= x2;   \
    x4 = ~x4;   x3 ^= x1;   x1 &= x0;   \
    x1 ^= x4;   x2 ^= x0;   x0 ^= x3;   \
    x4 |= x0;   x0 ^= x2;   x2 &= x1;   \
    x3 ^= x2;   x1 = ~x1;   x2 ^= x4;   \
    x1 ^= x2;                   \
    })

source: https://github.com/torvalds/linux/blob/master/crypto/serpent_generic.c

If there is some well performing way to shuffle bits into proper positions then using the AES s-box across the 4 vectors (2 bits from each vector) would have been ideal in my opinion. Isolating the s-box via AES-NI is possible as shown in: https://crypto.stackexchange.com/a/113837/124923

Lamira Ya
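As an added example (not part of the question or answer above), here is Ascon's own 5-bit s-box written in the bit-sliced form the answer describes, applied to a five-word state with nothing but word-wise AND/XOR/NOT. The lookup table and the bit-sliced formulas are Ascon's published ones; the helper functions that check the table and trace a single-bit difference are constructed here to show that the s-box mixes across words but only within one bit column.

```python
MASK = (1 << 64) - 1

# Ascon's published 5-bit s-box; x0 is the most significant bit of the input.
ASCON_SBOX = [0x4, 0xb, 0x1f, 0x14, 0x1a, 0x15, 0x9, 0x2, 0x1b, 0x5, 0x8, 0x12,
              0x1d, 0x3, 0x6, 0x1c, 0x1e, 0x13, 0x7, 0xe, 0x0, 0xd, 0x11, 0x18,
              0x10, 0xc, 0x1, 0x19, 0x16, 0xa, 0xf, 0x17]

def ascon_sbox_bitsliced(x0, x1, x2, x3, x4):
    """Substitution layer over all 64 columns of the 5x64-bit state at once.
    Every operation combines bit i of one word with bit i of another word,
    never bit i with bit j, so this is the only cross-word mixing and it is
    strictly column-local; rotations inside words do the rest elsewhere."""
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3; t3 = ~x3 & x4; t4 = ~x4 & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
    return x0, x1, x2, x3, x4

def column(words, i):
    """Read column i of the state as a 5-bit value, x0 most significant."""
    v = 0
    for w in words:
        v = (v << 1) | ((w >> i) & 1)
    return v

def check_against_table():
    """Constructed check: put input value i in column i (i < 32), run the
    bit-sliced layer once, and compare every column with the lookup table."""
    words = [0] * 5
    for i in range(32):
        for plane in range(5):            # plane 0 is x0, holding bit 4 of i
            if (i >> (4 - plane)) & 1:
                words[plane] |= 1 << i
    out = ascon_sbox_bitsliced(*words)
    return all(column(out, i) == ASCON_SBOX[i] for i in range(32))

def column_locality(bit=17):
    """Flip one bit of x0 and list the (word, bit) positions that change in
    the output. The difference reaches several words but stays in column
    `bit`: no other column is touched by the s-box layer."""
    base = ascon_sbox_bitsliced(0, 0, 0, 0, 0)
    flipped = ascon_sbox_bitsliced(1 << bit, 0, 0, 0, 0)
    return sorted((w, b) for w in range(5) for b in range(64)
                  if ((base[w] ^ flipped[w]) >> b) & 1)
```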