The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes

This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the construction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of an FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated with {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints determined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the-art manufacturing process are reported. Finally, we propose a technique to extend the length of the tweak by using, for instance, a universal hash function, which can also be used to strengthen the security of QARMA.

Bibliographic Details
Main Author: Roberto Avanzi (Qualcomm Product Security, Munich)
Format: Article
Language: English
Published: Ruhr-Universität Bochum, 2017-03-01
Series: IACR Transactions on Symmetric Cryptology (ISSN 2519-173X)
DOI: 10.13154/tosc.v2017.i1.4-44
Subjects: Tweakable Block Ciphers; Reflection Ciphers; Even-Mansour Schemes; Almost MDS Matrices; S-Box Search Heuristics; Memory Encryption; Pointer Authentication; Short Hashes; Tweak Masking; Tweak Extension
Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/583