QARMA

QARMA (from Qualcomm ARM AuthenticatorQameleon v. 1.0: A Submission to the NIST Lightweight Cryptography Standardizaࢼon Process
/ref>) is a lightweight tweakable block cipher primarily known for its use in the ARMv8 architecture for protection of software as a cryptographic hash for the Pointer Authentication Code. The cipher was proposed by Roberto Avanzi in 2016. Two versions of QARMA are defined: QARMA-64 (64-bit block size with a 128-bit encryption key) and QARMA-128 (128-bit block size with a 256-bit key). The design of the QARMA was influenced by PRINCE and MANTIS. The cipher is intended for fully-unrolled hardware implementations with low latency (like memory encryption). Unlike the XTS mode, the address can be directly used as a tweak and does not need to be whitened with the block encryption first.

Architecture

QARMA is an Even-Mansour cipher using three stages, with whitening keys ''w⁰'' and ''w¹'' XORed in between:
# permutation F is using ''core'' key ''k⁰'' and parameterized by a tweak ''T''. It has ''r'' rounds inside (r = 7 for QARMA-64, r = 11 for QARMA-128);
# "central" permutation C is using key ''k¹'' and is designed to be reversible via a simple key transformation (contains two ''central rounds'');
# the third permutation is an inverse of the first (''r'' more rounds).
All keys are derived from the ''master'' encryption key K using ''specialisation'':
* K is partitioned into halves as w⁰ Concatenation k⁰, each will have ''halfsize'' bits;
* for encryption w¹ = (w⁰ >>> 1) + (w⁰ >> (halfsize-1));
* for encryption k¹ = k⁰;
* for decryption, the same design can be used as long as k⁰+α is used as a core key, k¹ = Q•k⁰, w¹ and w⁰ are swapped. α here is a special constant and Q a special involutary matrix. This construct is similar to the alpha reflection in PRINCE.

The data is split into 16 ''cells'' (4-bit nibbles for QARMA-64, 8-bit bytes for QARMA-128). Internal state also contains 16 cells, arranged in a 4x4 matrix, and is initialized by plaintext (XORed with w⁰). In each round of $\digamma$, the state is transformed via operations $\tau, M, S$:
* $\tau$ is ''ShuffleCells'', a MIDORI permutation of cells ( 0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2;
* $M$ is ''MixColumns'': each column is multiplied by a fixed matrix M;
* $S$ is ''SubCells'': each cell is transformed using an S-box.
The tweak for each round is updated using $h, \omega$:
* $h$ is a cell permutation from MANTIS ( 6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11;
* $\omega$ is an LFSR applied to each of the cells with numbers , 1, 3, 4, 8, 11, 13 For QARMA-64, the LFSR is (b3, b2, b1, b0) ⇒ (b0 + b1, b3, b2, b1), for QARMA-128, (b7, b6, ..., b0) ⇒ (b0 + b2, b7, b6, ..., b1),
The rounds of $\overline \digamma$ consist of inverse operations $\overline \tau, \overline M, \overline S, \overline h, \overline \omega$.
Central rounds, in addition to two rounds ($\tau, M, S$ and $\overline \tau, \overline M, \overline S$), include multiplication of the state by an involutary matrix ''Q''.

References

Sources

*
*
*
*
* {{cite web , last1=Yang , first1=Dong , last2=Qi , first2=Wen-feng , last3=Chen , first3=Hua-jin , title=Impossible Differential Attack on QARMA Family of Block Ciphers , url=https://eprint.iacr.org/2018/334 , publisher=Cryptology ePrint Archive , date=2018

External links

Public-domain Python implementation of QARMA-64

Open-source (MIT license) implementation of QARMA-64 in C

Block ciphers