QARMA
QARMA is a lightweight tweakable block cipher, primarily known for its use in the ARMv8 architecture, where it serves as the cryptographic hash behind the Pointer Authentication Code (PAC) that protects software. The cipher was proposed by Roberto Avanzi in 2016. Two versions of QARMA are defined: QARMA-64 and QARMA-128. The design of QARMA was influenced by PRINCE and MANTIS. The cipher is intended for fully unrolled hardware implementations with low latency. Unlike the XTS mode, the address can be used directly as the tweak and does not need to be whitened by a block encryption first.
Architecture
QARMA is an Even–Mansour cipher using three stages, with whitening keys w0 and w1 XORed in between:
- permutation F uses the core key k0 and is parameterized by a tweak T; it has r rounds inside;
- the "central" permutation C uses key k1 and is designed to be reversible via a simple key transformation;
- the third permutation is the inverse of the first.
- K is partitioned into halves as w0 ∥ k0, each of half the key size;
- for encryption w1 = + ;
- for encryption k1 = k0;
- for decryption, the same design can be used as long as k0+α is used as the core key, k1 = Q·k0, and w1 and w0 are swapped. α here is a special constant and Q a special involutory matrix. This construct is similar to the alpha reflection in PRINCE.
- is ShuffleCells, a MIDORI permutation of cells;
- is MixColumns: each column is multiplied by a fixed matrix M;
- is SubCells: each cell is transformed using an S-box.
- is a cell permutation from MANTIS;
- is an LFSR applied to each of the cells with numbers . For QARMA-64, the LFSR is ⇒, for QARMA-128, ⇒.
The central part, in addition to two rounds, includes multiplication of the state by the involutory matrix Q.
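To make the reflection concrete, here is an added Python toy (not the page's or the QARMA reference code) with the same three-stage shape: forward rounds F, a pseudo-reflector C built from τ, Q = M and a key addition, then F⁻¹ keyed by k0 ⊕ α, so that decrypt() is literally the same function called with w0/w1 swapped, k0 ⊕ α as core key and Q·k1 in the centre. It assumes a four-round toy with a single pseudo-reflector (the real cipher's extra central rounds keyed by w1 and w0 and its short first round are omitted), and its S-box, cell shuffles, round constants and tweak LFSR are constants recalled from the QARMA-64 paper that should be checked against it before reuse.

```python
# Toy QARMA-style cipher showing the reflection structure E = (^w1).F^-1.C.F.(^w0).
# 64-bit values are 16 four-bit cells (cell i = bits 4i..4i+3; column j = cells
# j, j+4, j+8, j+12). Constants are recalled from the QARMA-64 paper, illustration only.
SBOX = [0, 14, 2, 10, 9, 15, 8, 11, 6, 4, 3, 7, 13, 12, 1, 5]
SBOX_INV = [SBOX.index(v) for v in range(16)]
TAU = [0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]   # ShuffleCells (MIDORI)
TAU_INV = [TAU.index(v) for v in range(16)]
H = [6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]     # tweak cell shuffle h
LFSR_CELLS = (0, 1, 3, 4, 8, 11, 13)                            # tweak cells stepped by omega
ROUND_CONST = [0x0, 0x13198A2E03707344, 0xA4093822299F31D0, 0x082EFA98EC4E6C89]  # rounds <= 4
ALPHA = 0xC0AC29B7C97C50DD
def cells(x):
    return [(x >> (4 * i)) & 0xF for i in range(16)]
def from_cells(c):
    return sum(v << (4 * i) for i, v in enumerate(c))
def rot(n, k):  # rotate a 4-bit cell left by k bits (rho^k in the paper)
    return ((n << k) | (n >> (4 - k))) & 0xF
def permute(x, p):  # new cell i takes old cell p[i]
    c = cells(x)
    return from_cells([c[p[i]] for i in range(16)])
def sub(x, box):
    return from_cells([box[v] for v in cells(x)])

def mix(x):  # MixColumns with M = circ(0, rho^1, rho^2, rho^1); M*M = I, and Q = M
    c, out = cells(x), [0] * 16
    for col in range(4):
        a = [c[col + 4 * r] for r in range(4)]
        for r in range(4):
            out[col + 4 * r] = rot(a[(r + 1) % 4], 1) ^ rot(a[(r + 2) % 4], 2) ^ rot(a[(r + 3) % 4], 1)
    return from_cells(out)

def next_tweak(t):  # tweak schedule step: h shuffle, then a 4-bit LFSR on the selected cells
    c = cells(permute(t, H))
    for i in LFSR_CELLS:
        c[i] = ((c[i] << 1) & 0xF) | ((c[i] ^ (c[i] >> 3)) & 1)
    return from_cells(c)

def qarma_like(x, w0, w1, k0, k1, tweak, rounds=4):
    tweaks = [tweak]
    for _ in range(rounds - 1): tweaks.append(next_tweak(tweaks[-1]))
    s = x ^ w0
    for i in range(rounds):                           # F: tweakey add, tau, M, S
        s = sub(mix(permute(s ^ k0 ^ ROUND_CONST[i] ^ tweaks[i], TAU)), SBOX)
    s = permute(mix(permute(s, TAU)) ^ k1, TAU_INV)   # C: tau, Q, ^k1, tau^-1
    for i in reversed(range(rounds)):                 # F^-1 with core key k0 ^ ALPHA
        s = permute(mix(sub(s, SBOX_INV)), TAU_INV) ^ k0 ^ ALPHA ^ ROUND_CONST[i] ^ tweaks[i]
    return s ^ w1

def decrypt(x, w0, w1, k0, k1, tweak, rounds=4):  # same circuit: swap w0/w1, k0^ALPHA, Q*k1
    return qarma_like(x, w1, w0, k0 ^ ALPHA, mix(k1), tweak, rounds)
```

The round trip works because M is an involution and linear over XOR, so τ⁻¹·M·(τ(s) ⊕ k1) inverts itself once k1 is replaced by M·k1, and the backward rounds keyed by k0 ⊕ α become the forward rounds of the decryption call.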