QARMA

From Wikipedia, the free encyclopedia

QARMA (fromQualcommARMAuthenticator^[1]) is alightweight tweakable block cipher primarily known for its use in theARMv8 architecture for protection of software as acryptographic hash for thePointer Authentication Code.^[2] The cipher was proposed by Roberto Avanzi in 2016.^[2]^[3] Two versions of QARMA are defined: QARMA-64 (64-bit block size with a 128-bitencryption key) and QARMA-128 (128-bit block size with a 256-bit key). The design of the QARMA was influenced byPRINCE andMANTIS.^[3] The cipher is intended for fully-unrolled hardware implementations with low latency (likememory encryption). Unlike theXTS mode, the address can be directly used as a tweak and does not need to be whitened with the block encryption first.

Architecture

[edit]

QARMA overview (anoverbar indicates an inverse transformation)

QARMA is anEven–Mansour cipher using three stages, withwhitening keysw⁰ andw¹XORed in between:

permutation F is usingcore keyk⁰ and parameterized by a tweakT. It hasr rounds inside (r = 7 for QARMA-64, r = 11 for QARMA-128);
"central" permutation C is using keyk¹ and is designed to be reversible via a simple key transformation (contains twocentral rounds);
the third permutation is an inverse of the first (r more rounds).

All keys are derived from themaster encryption key K usingspecialisation:

K is partitioned into halves as w⁰Concatenation k⁰, each will havehalfsize bits;
for encryption w¹ = (w⁰>>> 1) + (w⁰>> (halfsize-1));
for encryption k¹ = k⁰;
for decryption, the same design can be used as long as k⁰+α is used as a core key, k¹ = Q•k⁰, w¹ and w⁰ are swapped. α here is a special constant and Q a specialinvolutary matrix. This construct is similar to thealpha reflection in PRINCE.

QARMA details. Rounds of $\digamma$ are at the top, rounds of ${\overline {\digamma }}$ are at the bottom, $C {\displaystyle C}$ is on the right. Inner path describes the transformation of the internal state, outer path corresponds to the tweak update.c_i areround constants.

{\displaystyle \digamma } — QARMA details. Rounds of $\digamma$ are at the top, rounds of ${\overline {\digamma }}$ are at the bottom, $C {\displaystyle C}$ is on the right. Inner path describes the transformation of the internal state, outer path corresponds to the tweak update.c_i areround constants.

The data is split into 16cells (4-bitnibbles for QARMA-64, 8-bitbytes for QARMA-128). Internal state also contains 16 cells, arranged in a 4x4 matrix, and is initialized by plaintext (XORed with w⁰). In each round of $\digamma$ , the state is transformed via operations $\tau ,M,S$ :

$\tau$ isShuffleCells, aMIDORI permutation of cells ([ 0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]);
$M {\displaystyle M}$ isMixColumns: each column is multiplied by a fixed matrix M;
$S {\displaystyle S}$ isSubCells: each cell is transformed using anS-box.

The tweak for each round is updated using $h,\omega$ :

$h {\displaystyle h}$ is a cell permutation from MANTIS ([ 6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]);
$\omega$ is anLFSR applied to each of the cells with numbers [0, 1, 3, 4, 8, 11, 13]. For QARMA-64, the LFSR is (b3, b2, b1, b0) ⇒ (b0 + b1, b3, b2, b1), for QARMA-128, (b7, b6, ..., b0) ⇒ (b0 + b2, b7, b6, ..., b1),