The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes

This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the construction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of an FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated with {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints determined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the-art manufacturing process are reported. Finally, we propose a technique to extend the length of the tweak by using, for instance, a universal hash function, which can also be used to strengthen the security of QARMA.
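The following is an added illustration of the "Almost MDS matrix over a ring with zero divisors" idea; it is not code from the QARMA paper. It models the ring generated by a cyclic rotation ρ of a 4-bit cell (so ρ⁴ = 1 and the ring has zero divisors, e.g. (1+ρ)(1+ρ+ρ²+ρ³) = 1+ρ⁴ = 0) and computes, by exhaustive search over all 2¹⁶ four-cell inputs, the differential branch number of a 4×4 circulant matrix whose entries are powers of ρ. The specific matrix circ(0, ρ, ρ², ρ) is an assumed illustrative instance, and the plain {0,1}-matrix circ(0, 1, 1, 1) is included for comparison; both have branch number 4 (Almost MDS: one less than the MDS bound of 5), while each output cell is still the XOR of three input cells, so the rotation-based matrix adds no XOR depth over the {0,1} one (rotations are wiring in hardware).

```python
# Added example (not from the QARMA paper): branch number of circulant
# matrices over the ring F2[rho]/(rho^4 - 1), rho = left rotation of a nibble.
from itertools import product

W = 4                      # cell width in bits (assumption: nibble cells)
MASK = (1 << W) - 1

def rot(x, r):
    """rho^r applied to a W-bit cell: rotate left by r positions."""
    r %= W
    return ((x << r) | (x >> (W - r))) & MASK

def apply_elem(elem, x):
    """Apply a ring element, given as a tuple of exponents e with the
    meaning sum_e rho^e, to the cell x.  Addition in the ring is XOR."""
    y = 0
    for e in elem:
        y ^= rot(x, e)
    return y

def circulant(row):
    """4x4 circulant matrix from its first row; M[i][j] = row[(j - i) mod n]."""
    n = len(row)
    return [[row[(j - i) % n] for j in range(n)] for i in range(n)]

def mat_vec(M, v):
    """Matrix-vector product over the ring (XOR-accumulate per output cell)."""
    out = []
    for i in range(len(M)):
        y = 0
        for j, x in enumerate(v):
            y ^= apply_elem(M[i][j], x)
        out.append(y)
    return out

def weight(v):
    """Number of nonzero cells."""
    return sum(1 for c in v if c)

def branch_number(M):
    """Differential branch number: min over nonzero v of wt(v) + wt(M v),
    found by exhaustive enumeration of all (2^W)^n inputs."""
    best = None
    for v in product(range(1 << W), repeat=len(M)):
        if not any(v):
            continue
        b = weight(v) + weight(mat_vec(M, v))
        if best is None or b < best:
            best = b
    return best

def xor_depth_per_cell(M):
    """Nonzero entries per row: each rotation is free wiring, so this is
    the number of cells XORed together for every output cell."""
    return [sum(1 for e in row if e) for row in M]

def is_zero_divisor_pair(a, b):
    """True if a and b are both nonzero ring elements whose product a*b
    annihilates every cell, i.e. they are zero divisors."""
    cells = range(1 << W)
    a_nonzero = any(apply_elem(a, x) for x in cells)
    b_nonzero = any(apply_elem(b, x) for x in cells)
    ab_zero = all(apply_elem(b, apply_elem(a, x)) == 0 for x in cells)
    return a_nonzero and b_nonzero and ab_zero

# Ring elements as exponent tuples: () = 0, (0,) = 1, (1,) = rho, (2,) = rho^2.
M_ROT = circulant([(), (1,), (2,), (1,)])   # assumed instance circ(0, rho, rho^2, rho)
M_01  = circulant([(), (0,), (0,), (0,)])   # plain {0,1}-matrix circ(0, 1, 1, 1)

if __name__ == "__main__":
    print("branch number circ(0,rho,rho^2,rho):", branch_number(M_ROT))   # 4
    print("branch number circ(0,1,1,1):        ", branch_number(M_01))    # 4
    print("XOR fan-in per output cell:", xor_depth_per_cell(M_ROT), xor_depth_per_cell(M_01))
    print("(1+rho)(1+rho+rho^2+rho^3) == 0:", is_zero_divisor_pair((0, 1), (0, 1, 2, 3)))
    # A weight-2 input that reaches the bound: v = (0101, 1010, 0, 0).
    print("M v for v=(0101,1010,0,0):", [bin(c) for c in mat_vec(M_ROT, [0b0101, 0b1010, 0, 0])])
```

The input (0101, 1010, 0, 0) shows why the bound is 4 and not 5: its second cell is ρ applied to the first, and 0101 is fixed by ρ², so two output cells cancel. Replacing the first row lets one check any other circulant of rotations the same way; the search is exhaustive, so the returned value is exact rather than a bound.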
