[ascon] Which modes should be implemented

[m-temp]

Currently there are two Ascon variants:

• Ascon128 64 bit block size, 6 rounds of permutation
• Ascon128a 128 bit block size, 8 rounds of permutations

Unfortunately, NIST hasn't decided how the final standard should look like. According to https://csrc.nist.gov/Presentations/2023/update-on-standardization-of-ascon-family the latest news is:

• Either Ascon-128 or both Ascon-128 and Ascon-128a
• Do not include Ascon-80pq
• XOF standardization instead of hash functions

This means, we most likely need Ascon-128.

There are two options atm: a) Implementing both Ascon-128 and Ascon-128a and add a config option in the control register. b) Implementing only Ascon-128 at the moment and add later (if needed) Ascon-128a.

_See https://github.com/lowRISC/opentitan/pull/22218#discussion_r1555909433_

[m-temp]

I filed a draft PR https://github.com/lowRISC/opentitan/pull/22537 I favor to add another one-hot encoded field for the variant.

Question: Is it a problem, if this field is ignored when we later implement hashing/XOF?

[m-temp]

https://github.com/lowRISC/opentitan/pull/22981 implements both variants. Due to the structure of the reference implementation / vendor code, only either ascon128 or ascon128a can be tested at the same time.

[cdgori]

I am ok with the one-hot encoded field in #22537 and I think the testing limitation will be ok.

Please get someone from software to comment on the field being ignored in XOF mode(s)