Abstract

QARMA is a new tweakable block cipher intended for memory encryption, the generation of short tags and, in the future, the construction of keyed hash functions. It adopts a three-round Even-Mansour scheme and supports block sizes of 64 and 128 bits, denoted QARMA-64 and QARMA-128, respectively. The tweak length equals the block size and the key is twice as long as the block. In this paper, we improve the security analysis of reduced-round QARMA against impossible differential and meet-in-the-middle attacks. Specifically, we first exploit some properties of its linear operations and the redundancy of its key schedule. Based on them, we propose impossible differential attacks on 11-round QARMA-64/128, and meet-in-the-middle attacks on 10-round symmetric QARMA-128 and on the last 12 rounds of asymmetric QARMA-128. Compared with the previously best known results on QARMA-64, our attack recovers 16 more bits of the master key with almost the same complexities. Compared with the previously best known results on symmetric QARMA-128, the memory complexity of our attack in Section IV is reduced by a factor of 2^48. Moreover, the meet-in-the-middle attack on 12-round QARMA-128 is the best known attack on QARMA-128 in terms of the number of rounds.

Highlights

  • In 2002, Liskov et al. proposed the tweakable block cipher, which is widely applied in complex and diversified applications [1]

  • QARMA is a hardware-oriented lightweight tweakable block cipher proposed by Roberto Avanzi in 2017 [4]

  • By appending 3 rounds at its top and 2.5 rounds at its bottom, we present a meet-in-the-middle attack on 12-round QARMA-128, which requires 2^88 chosen plaintext-tweak combinations, 2^155.88 encryptions and 2^154 blocks of memory


Summary

INTRODUCTION

In 2002, Liskov et al. proposed the tweakable block cipher, which is widely applied in complex and diversified applications [1]. In 2018, Zong et al. gave an impossible differential attack on 11 rounds of QARMA-64 with 2^61 chosen plaintexts, 2^64.4 encryptions and 2^64 blocks of memory [31]. They only gave the time complexity for retrieving 48 bits of round subkeys of QARMA-64. For reduced-round QARMA with a symmetric structure, there is only one cryptanalytic result: in 2018, Li and Jin presented a meet-in-the-middle attack on 10 rounds of QARMA-128 with 2^88 chosen plaintexts, 2^156 encryptions and 2^145 blocks of memory [33]. Since they selected two cells as the ordered sequence, their attack required higher time and memory complexities.

THE ATTACKING PROCEDURE OF 10-ROUND QARMA-128
THE ATTACKING PROCEDURE OF 12-ROUND QARMA-128
CONCLUSION
