QARMA

Last updated January 05, 2024

QARMA (from Qualcomm ARMAuthenticator^[1]) is a lightweight tweakable block cipher primarily known for its use in the ARMv8 architecture for protection of software as a cryptographic hash for the Pointer Authentication Code.^[2] The cipher was proposed by Roberto Avanzi in 2016.^[2]^[3] Two versions of QARMA are defined: QARMA-64 (64-bit block size with a 128-bit encryption key) and QARMA-128 (128-bit block size with a 256-bit key). The design of the QARMA was influenced by PRINCE and MANTIS.^[3] The cipher is intended for fully-unrolled hardware implementations with low latency (like memory encryption). Unlike the XTS mode, the address can be directly used as a tweak and does not need to be whitened with the block encryption first.

Architecture

QARMA is an Even–Mansour cipher using three stages, with whitening keys w⁰ and w¹ XORed in between:

permutation F is using core key k⁰ and parameterized by a tweak T. It has r rounds inside (r = 7 for QARMA-64, r = 11 for QARMA-128);
"central" permutation C is using key k¹ and is designed to be reversible via a simple key transformation (contains two central rounds);
the third permutation is an inverse of the first (r more rounds).

All keys are derived from the master encryption key K using specialisation:

K is partitioned into halves as w⁰ Concatenation k⁰, each will have halfsize bits;
for encryption w¹ = (w⁰ >>> 1) + (w⁰ >> (halfsize-1));
for encryption k¹ = k⁰;
for decryption, the same design can be used as long as k⁰+α is used as a core key, k¹ = Q•k⁰, w¹ and w⁰ are swapped. α here is a special constant and Q a special involutary matrix. This construct is similar to the alpha reflection in PRINCE.

The data is split into 16 cells (4-bit nibbles for QARMA-64, 8-bit bytes for QARMA-128). Internal state also contains 16 cells, arranged in a 4x4 matrix, and is initialized by plaintext (XORed with w⁰). In each round of $\digamma$ , the state is transformed via operations $\tau ,M,S$ :

$\tau$ is ShuffleCells, a MIDORI permutation of cells ([ 0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]);
$M$ is MixColumns: each column is multiplied by a fixed matrix M;
$S$ is SubCells: each cell is transformed using an S-box.

The tweak for each round is updated using $h,\omega$ :

$h$ is a cell permutation from MANTIS ([ 6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]);
$\omega$ is an LFSR applied to each of the cells with numbers [0, 1, 3, 4, 8, 11, 13]. For QARMA-64, the LFSR is (b3, b2, b1, b0) ⇒ (b0 + b1, b3, b2, b1), for QARMA-128, (b7, b6, ..., b0) ⇒ (b0 + b2, b7, b6, ..., b1),

The rounds of ${\overline {\digamma }}$ consist of inverse operations ${\overline {\tau }},{\overline {M}},{\overline {S}},{\overline {h}},{\overline {\omega }}$ . Central rounds, in addition to two rounds ( $\tau ,M,S$ and ${\overline {\tau }},{\overline {M}},{\overline {S}}$ ), include multiplication of the state by an involutary matrix Q.

Related Research Articles

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

In cryptography, Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM. Lucifer was a direct precursor to the Data Encryption Standard. One version, alternatively named DTD-1, saw commercial use in the 1970s for electronic banking.

<span class="mw-page-title-main">Serpent (cipher)</span>

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, in which it ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

<span class="mw-page-title-main">GOST (block cipher)</span> Soviet/Russian national standard block cipher

The GOST block cipher (Magma), defined in the standard GOST 28147-89, is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015, specifies that it may be referred to as Magma. The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.

<span class="mw-page-title-main">Tiny Encryption Algorithm</span> Block cipher

In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory; it was first presented at the Fast Software Encryption workshop in Leuven in 1994, and first published in the proceedings of that workshop.

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.

In cryptography, confusion and diffusion are two properties of the operation of a secure cipher identified by Claude Shannon in his 1945 classified report A Mathematical Theory of Cryptography. These properties, when present, work together to thwart the application of statistics and other methods of cryptanalysis.

In cryptography, SAFER is the name of a family of block ciphers designed primarily by James Massey on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule. More recent versions — SAFER+ and SAFER++ — were submitted as candidates to the AES process and the NESSIE project respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use.

In cryptography, NewDES is a symmetric key block cipher. It was created in 1984–1985 by Robert Scott as a potential DES replacement.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In cryptography, Mercy is a tweakable block cipher designed by Paul Crowley for disk encryption.

In cryptography, Hierocrypt-L1 and Hierocrypt-3 are block ciphers created by Toshiba in 2000. They were submitted to the NESSIE project, but were not selected. Both algorithms were among the cryptographic techniques recommended for Japanese government use by CRYPTREC in 2003, however, both have been dropped to "candidate" by CRYPTREC revision in 2013.

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks; its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:

Simon is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Simon has been optimized for performance in hardware implementations, while its sister algorithm, Speck, has been optimized for software implementations.

Prince is a block cipher targeting low latency, unrolled hardware implementations. It is based on the so-called FX construction. Its most notable feature is the alpha reflection: the decryption is the encryption with a related key which is very cheap to compute. Unlike most other "lightweight" ciphers, it has a small number of rounds and the layers constituting a round have low logic depth. As a result, fully unrolled implementation are able to reach much higher frequencies than AES or PRESENT. According to the authors, for the same time constraints and technologies, PRINCE uses 6–7 times less area than PRESENT-80 and 14–15 times less area than AES-128.

Kalyna is a symmetric block cipher. It supports block sizes of 128, 256 or 512 bits; the key length is either equal to or double the block size.

References

Sources

Avanzi, Roberto (2016). The QARMA Block Cipher Family (PDF). IACR Transactions on Symmetric Cryptology (ToSC). Vol. 17 (published 8 March 2017). pp. 4–44. doi:10.13154/tosc.v2017.i1.4-44. Archived from the original (PDF) on May 13, 2020.
Zong, Rui; Dong, Xiaoyang (2016). "Meet-in-the-Middle Attack on QARMA Block Cipher" (PDF). iacr.org. IACR . Retrieved 10 June 2022.
Kaur, Jasmin; Kermani, Mehran Mozaffari; Azarderakhsh, Reza (1 January 2022). "Hardware Constructions for Lightweight Cryptographic Block Cipher QARMA With Error Detection Mechanisms". IEEE Transactions on Emerging Topics in Computing. 10 (1): 514–519. doi: 10.1109/TETC.2020.3027789 . eISSN 2376-4562. S2CID 226665710.
Li, Rongjia; Jin, Chenhui (4 May 2018). "Meet-in-the-Middle Attacks on Reduced-Round QARMA-64/128". The Computer Journal. 61 (8): 1158–1165. doi:10.1093/comjnl/bxy045. eISSN 1460-2067. ISSN 0010-4620.
Yang, Dong; Qi, Wen-feng; Chen, Hua-jin (2018). "Impossible Differential Attack on QARMA Family of Block Ciphers". Cryptology ePrint Archive.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Qameleon v. 1.0: A Submission to the NIST Lightweight Cryptography Standardization Process

[FOOTNOTEZongDong2016-2] 1 2 Zong & Dong 2016.

[FOOTNOTEAvanzi2016-3] 1 2 Avanzi 2016.

[1]

[2]

[3]