Meet-in-the-Middle Attack on QARMA Block Cipher

QARMA is a recently published lightweight tweakable block cipher, which has been used by the ARMv8 architecture to support a software protection feature. In this paper, using the meet-in-the-middle (MITM) method, we give the first distinguisher of the QARMA block cipher. It is made up of the Pseudo-Reflector construction with two forward rounds and three backward rounds. By adding two rounds on the top and three rounds on the bottom of the distinguisher, together with the idea of the differential enumeration technique and the key-dependent sieve technique, we achieve a 10-round (of 16-round) key recovery attack with memory complexity of 2 192-bit space, data complexity of 2 chosen plaintexts and time complexity of 2 encryption units. Furthermore, we use the same distinguisher to attack QARMA-128, which also includes 10 (of 24) round functions and the Pseudo-Reflector construction. The memory complexity is 2 384-bit space, the data complexity is 2 chosen plaintexts and the time complexity is 2 encryption units. These are the first attacks on QARMA and do not threaten the security of full-round QARMA.
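The abstract trades memory for time in the usual meet-in-the-middle way: a table built from one direction of the cipher is matched against values computed from the other direction, and extra plaintext/ciphertext pairs sieve the surviving key candidates. The following is an added example, not code from the paper and not an attack on QARMA: it runs the generic MITM key recovery against a constructed 16-bit toy cipher encrypted twice under independent keys. The functions `toy_enc`, `toy_dec`, `double_enc` and `mitm_recover`, the 16-bit block and key sizes, and the constants are all assumptions chosen so the demonstration finishes in well under a second.

```python
# Added example: meet-in-the-middle (MITM) key recovery against a constructed
# toy double encryption. It illustrates the time/memory trade-off the abstract
# relies on; it is NOT the paper's QARMA attack, and the toy cipher, block size
# and key size below are assumptions chosen for a fast demonstration.
import random

MASK = 0xFFFF                      # 16-bit block, 16-bit key per layer
MUL = 0x9E37                       # odd constant: multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)    # modular inverse used in the decryption direction


def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_enc(block, key):
    """One layer of the constructed toy cipher: key-xor, rotate, multiply, key-xor."""
    x = (block ^ key) & MASK
    x = _rotl(x, 5)
    x = (x * MUL) & MASK
    return x ^ key


def toy_dec(block, key):
    """Exact inverse of toy_enc."""
    x = (block ^ key) & MASK
    x = (x * MUL_INV) & MASK
    x = _rotr(x, 5)
    return x ^ key


def double_enc(p, k1, k2):
    """Two layers with independent keys: a 32-bit key space, but only ~2^17 MITM work."""
    return toy_enc(toy_enc(p, k1), k2)


def mitm_recover(pairs):
    """Recover all (k1, k2) consistent with the given (plaintext, ciphertext) pairs.

    Forward phase: encrypt the first plaintext under every k1 and store the
    middle value in a table (memory: 2^16 entries).
    Backward phase: decrypt the first ciphertext under every k2 and look the
    middle value up (time: 2^16 + 2^16 cipher calls instead of 2^32 for brute force).
    One pair leaves about 2^32 / 2^16 = 2^16 matches; each further pair
    sieves the survivors by another factor of 2^16.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_enc(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):
        mid = toy_dec(c0, k2)
        for k1 in table.get(mid, ()):
            if all(double_enc(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def demo(seed=7):
    """Draw a random key pair and three constructed known-plaintext pairs, then recover it."""
    rng = random.Random(seed)
    k1, k2 = rng.randrange(1 << 16), rng.randrange(1 << 16)
    plaintexts = [rng.randrange(1 << 16) for _ in range(3)]
    pairs = [(p, double_enc(p, k1, k2)) for p in plaintexts]
    found = mitm_recover(pairs)
    return (k1, k2), pairs, found


if __name__ == "__main__":
    true_key, pairs, found = demo()
    print("true key:", true_key, "surviving candidates:", found)
```

The table holds 2^16 entries and both phases together cost about 2^17 toy-cipher evaluations, compared with 2^32 for exhaustive search over the combined key; the abstract's separate memory, data and time figures for QARMA are the same three quantities measured for a far more elaborate distinguisher.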
