QARMA

QARMA (from Qualcomm ARM Authenticator[https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/qameleon-spec.pdf Qameleon v. 1.0: A Submission to the NIST Lightweight Cryptography Standardization Process]) is a lightweight tweakable block cipher primarily known for its use in the ARMv8 architecture for protection of software as a cryptographic hash for the Pointer Authentication Code.{{sfn|Zong|Dong|2016}} The cipher was proposed by Roberto Avanzi in 2016.{{sfn|Zong|Dong|2016}}{{sfn|Avanzi|2016}} Two versions of QARMA are defined: QARMA-64 (64-bit block size with a 128-bit encryption key) and QARMA-128 (128-bit block size with a 256-bit key). The design of the QARMA was influenced by PRINCE and MANTIS.{{sfn|Avanzi|2016}} The cipher is intended for fully-unrolled hardware implementations with low latency (like memory encryption). Unlike the XTS mode, the address can be directly used as a tweak and does not need to be whitened with the block encryption first.

Architecture

File:QARMA scheme.png indicates an inverse transformation)]]

QARMA is an Even–Mansour cipher using three stages, with whitening keys w⁰ and w¹ XORed in between:

permutation F is using core key k⁰ and parameterized by a tweak T. It has r rounds inside (r = 7 for QARMA-64, r = 11 for QARMA-128);
"central" permutation C is using key k¹ and is designed to be reversible via a simple key transformation (contains two central rounds);
the third permutation is an inverse of the first (r more rounds).

All keys are derived from the master encryption key K using specialisation:

K is partitioned into halves as w⁰ Concatenation k⁰, each will have halfsize bits;
for encryption w¹ = (w⁰ >>> 1) + (w⁰ >> (halfsize-1));
for encryption k¹ = k⁰;
for decryption, the same design can be used as long as k⁰+α is used as a core key, k¹ = Q•k⁰, w¹ and w⁰ are swapped. α here is a special constant and Q a special involutary matrix. This construct is similar to the alpha reflection in PRINCE.

QARMA details. Rounds of $\digamma$ are at the top, rounds of $\overline \digamma$ are at the bottom, $C$ is on the right. Inner path describes the transformation of the internal state, outer path corresponds to the tweak update. c_i are [[round constants. |thumb|500px]]

The data is split into 16 cells (4-bit nibbles for QARMA-64, 8-bit bytes for QARMA-128). Internal state also contains 16 cells, arranged in a 4x4 matrix, and is initialized by plaintext (XORed with w⁰). In each round of $\digamma$ , the state is transformed via operations $\tau, M, S$ :

$\tau$ is ShuffleCells, a MIDORI permutation of cells ([ 0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]);
$M$ is MixColumns: each column is multiplied by a fixed matrix M;
$S$ is SubCells: each cell is transformed using an S-box.

The tweak for each round is updated using $h, \omega$ :

$h$ is a cell permutation from MANTIS ([ 6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]);
$\omega$ is an LFSR applied to each of the cells with numbers [0, 1, 3, 4, 8, 11, 13]. For QARMA-64, the LFSR is (b3, b2, b1, b0) ⇒ (b0 + b1, b3, b2, b1), for QARMA-128, (b7, b6, ..., b0) ⇒ (b0 + b2, b7, b6, ..., b1),

The rounds of $\overline \digamma$ consist of inverse operations $\overline \tau, \overline M, \overline S, \overline h, \overline \omega$ .

Central rounds, in addition to two rounds ( $\tau, M, S$ and $\overline \tau, \overline M, \overline S$ ), include multiplication of the state by an involutary matrix Q.

References

Sources

{{cite conference |title=The QARMA Block Cipher Family|doi=10.13154/tosc.v2017.i1.4-44|conference=IACR Transactions on Symmetric Cryptology (ToSC)|year=2016|publication-date=8 March 2017|conference-url=https://tosc.iacr.org/index.php/ToSC/article/view/583|volume=17|pages=4–44|url=https://eprint.iacr.org/2016/444.pdf|first=Roberto|last=Avanzi|issue=1|archive-url=https://web.archive.org/web/20200513144451/https://eprint.iacr.org/2016/444.pdf|archive-date=May 13, 2020}}
{{cite web |last1=Zong |first1=Rui |last2=Dong |first2=Xiaoyang |title=Meet-in-the-Middle Attack on QARMA Block Cipher |url=https://eprint.iacr.org/2016/1160.pdf |website=iacr.org |publisher=IACR |access-date=10 June 2022|date=2016}}
{{cite journal | last1 = Kaur | first1 = Jasmin | last2 = Kermani | first2 = Mehran Mozaffari | last3 = Azarderakhsh | first3 = Reza | title = Hardware Constructions for Lightweight Cryptographic Block Cipher QARMA With Error Detection Mechanisms | journal = IEEE Transactions on Emerging Topics in Computing | date = 1 January 2022 | volume = 10 | issue = 1 | pages = 514–519 | eissn = 2376-4562 | doi = 10.1109/TETC.2020.3027789 | pmid = | s2cid = 226665710 | url = | doi-access = free }}
{{cite journal | last1 = Li | first1 = Rongjia | last2 = Jin | first2 = Chenhui | title = Meet-in-the-Middle Attacks on Reduced-Round QARMA-64/128 | journal = The Computer Journal | date = 4 May 2018 | volume = 61 | issue = 8 | pages = 1158–1165 | issn = 0010-4620 | eissn = 1460-2067 | doi = 10.1093/comjnl/bxy045 | pmid = | url = }}
{{cite journal |last1=Yang |first1=Dong |last2=Qi |first2=Wen-feng |last3=Chen |first3=Hua-jin |title=Impossible Differential Attack on QARMA Family of Block Ciphers |url=https://eprint.iacr.org/2018/334 |journal=Cryptology ePrint Archive |date=2018}}

External links

[https://github.com/dkales/qarma64-python/ Public-domain Python implementation of QARMA-64]
[https://github.com/Phantom1003/QARMA64 Open-source (MIT license) implementation of QARMA-64 in C]

Category:Block ciphers