Rump Session 2016: QARMA. Roberto Avanzi, Qualcomm
QARMA
Memory Encryption: PRINCE, son of ENIGMA
Yet another example of German technology inspired by Austrian leadership!
(Figure: the PRINCE core. Forward rounds S, M with round keys k1 ⊕ RC0 … k1 ⊕ RC5, the middle layer M′, then the inverse rounds with round keys k1 ⊕ RC0 ⊕ α … k1 ⊕ RC5 ⊕ α; "in" on the left, "out" on the right.)
Because it's a Mozartkugel! An (involutory) core surrounded by several symmetric layers, wrapped in a thin but opaque skin (the brown whitening). (A bar over a function denotes its inverse.)
Roberto Avanzi: QARMA, a Lightweight Tweakable Block cipher 1/6
QARMA
Problem Context: Memory encryption with no memory overhead
◮ ECB mode: Sadly, traces of Herr Drumpf left...
◮ XEX mode: encrypted block = W ⊕ PRINCE_k(clear block ⊕ W), with W securely derived from the address ⇒ more latency
Idea:
◮ Use a tweakable cipher: encrypted block = TWEAKABLE-PRINCE_{K, T = addr}(clear block)
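To make the ECB-versus-XEX point on this slide concrete, here is an added Python example; it is not code from the talk or from the PRINCE or QARMA projects. A small Feistel permutation stands in for PRINCE_k, since the slide does not specify the cipher and only a keyed permutation is needed to show the mode property. The whitening W is derived from the block address with HMAC-SHA256, an assumed choice for "securely derived from address". The same zero-filled cache line is stored at two constructed addresses: under ECB the two ciphertexts are identical, under XEX they differ, and a line decrypted under the wrong address does not recover its plaintext. Deriving W is a separate keyed computation that must finish before the block cipher can start, which is the extra latency the slide objects to and what a natively tweakable cipher removes.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, the block size of PRINCE and QARMA-64


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    """Keyed Feistel round function: HMAC-SHA256 of (round number, half), truncated to 32 bits."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def toy_prp(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Four-round balanced Feistel on one 64-bit block.

    A stand-in for PRINCE_k: a keyed permutation is all the mode comparison below
    needs. It is NOT PRINCE and is not meant to be fast or secure.
    """
    assert len(block) == BLOCK
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    if not decrypt:
        for rnd in range(4):
            left, right = right, left ^ _round_fn(key, rnd, right)
    else:
        for rnd in reversed(range(4)):
            left, right = right ^ _round_fn(key, rnd, left), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ECB: the address plays no role, so equal cache lines give equal ciphertexts.
def ecb_encrypt(key: bytes, block: bytes) -> bytes:
    return toy_prp(key, block)


# XEX: encrypted block = W xor PRINCE_k(clear block xor W), W derived from the address.
def whitening_mask(mask_key: bytes, addr: int) -> bytes:
    """W 'securely derived from address'. The PRF used here (truncated HMAC-SHA256) is an
    assumed choice for the demo; the slide only requires W to be a keyed function of the address."""
    return hmac.new(mask_key, addr.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]


def xex_encrypt(key: bytes, mask_key: bytes, addr: int, block: bytes) -> bytes:
    w = whitening_mask(mask_key, addr)
    return _xor(w, toy_prp(key, _xor(block, w)))


def xex_decrypt(key: bytes, mask_key: bytes, addr: int, block: bytes) -> bytes:
    w = whitening_mask(mask_key, addr)
    return _xor(w, toy_prp(key, _xor(block, w), decrypt=True))


def compare_modes(key: bytes = b"K" * 16, mask_key: bytes = b"W" * 16) -> dict:
    """Store the same (constructed) zero-filled line at two addresses and compare the ciphertexts."""
    line = bytes(BLOCK)               # constructed plaintext: an all-zero cache line
    addr_a, addr_b = 0x1000, 0x2000   # constructed physical addresses
    ecb_a, ecb_b = ecb_encrypt(key, line), ecb_encrypt(key, line)
    xex_a = xex_encrypt(key, mask_key, addr_a, line)
    xex_b = xex_encrypt(key, mask_key, addr_b, line)
    return {
        # An observer of encrypted memory can tell that the two lines hold the same data.
        "ecb_equal_lines_visible": ecb_a == ecb_b,
        # The address-derived mask hides that relation.
        "xex_equal_lines_visible": xex_a == xex_b,
        "xex_roundtrip": xex_decrypt(key, mask_key, addr_b, xex_b) == line,
        # Decrypting under the wrong address (a line copied or replayed elsewhere) fails.
        "xex_wrong_address_roundtrip": xex_decrypt(key, mask_key, addr_a, xex_b) == line,
    }


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```

XEX is itself one way to build a tweakable cipher from an ordinary one, with the address as tweak; the slide's argument is about where the tweak enters, inside the rounds rather than as a mask computed up front.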
QARMA
QARMA: Beyond the Mozart Ball
(Figure: plaintext P, whitening with w0, the forward function F and its inverse F̄ keyed with k0 and k0 + α and tweaked with T, the central permutation C keyed with k1, whitening with w1 = o(w0), ciphertext.)
3-Round Even-Mansour with outer perms keyed & tweaked, middle perm C keyed, not involutory
Whitening key derivation w0 ↦ w1 = o(w0) with o(·) an orthomorphism (taken from PRINCE)
Crucial difference w.r.t. PRINCE: we use upper indexes (k^0) instead of lower indexes (k_0)!
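The orthomorphism the slide borrows from PRINCE is o(w) = (w ⋙ 1) ⊕ (w ≫ 63) on 64-bit words; that definition comes from the PRINCE specification, not from this slide. An orthomorphism of (F_2^m, ⊕) is a permutation o such that x ↦ x ⊕ o(x) is also a permutation, so w0, w1 = o(w0) and w0 ⊕ w1 are each a bijective image of the same key word. The added Python example below (mine, not the talk's) implements the formula for any word width m and checks the orthomorphism property exhaustively for small m, where the check is feasible; it goes slightly beyond the slide in that the same formula is an orthomorphism for every m ≥ 3, and a plain rotation without the feedback bit is included as a counterexample.

```python
def prince_orthomorphism(w: int, m: int = 64) -> int:
    """o(w) = (w >>> 1) xor (w >> (m-1)) on m-bit words.

    For m = 64 this is PRINCE's k0 -> k0' derivation, which QARMA reuses for w0 -> w1.
    The same formula is an orthomorphism for every m >= 3 (for m = 2 it is not even
    a permutation), so small m can be used to test the property exhaustively.
    """
    if m < 3:
        raise ValueError("word width must be at least 3")
    mask = (1 << m) - 1
    w &= mask
    rot_right_1 = ((w >> 1) | (w << (m - 1))) & mask
    return rot_right_1 ^ (w >> (m - 1))


def rotate_right_1(w: int, m: int) -> int:
    """Plain rotation, for contrast: a permutation, but not an orthomorphism
    (the all-ones word is a fixed point, so x xor f(x) maps it to 0, as it does 0)."""
    mask = (1 << m) - 1
    return ((w >> 1) | (w << (m - 1))) & mask


def is_permutation(f, m: int) -> bool:
    """Exhaustive check that f is a bijection on m-bit words (small m only)."""
    return len({f(x) for x in range(1 << m)}) == 1 << m


def is_orthomorphism(f, m: int) -> bool:
    """f is an orthomorphism of (F_2^m, xor) iff f and x -> x xor f(x) are both permutations."""
    return is_permutation(f, m) and is_permutation(lambda x: x ^ f(x), m)


def whitening_keys(w0: int, m: int = 64) -> tuple:
    """(w0, w1, w0 xor w1) as QARMA derives them; with o an orthomorphism,
    each of the three is a bijective function of w0."""
    w1 = prince_orthomorphism(w0, m)
    return w0, w1, w0 ^ w1


def check_prince_o(m: int) -> bool:
    return is_orthomorphism(lambda x: prince_orthomorphism(x, m), m)


def check_plain_rotation(m: int) -> bool:
    return is_orthomorphism(lambda x: rotate_right_1(x, m), m)


if __name__ == "__main__":
    for m in (3, 8, 12):
        print(f"m={m}: PRINCE o is orthomorphism: {check_prince_o(m)}, "
              f"plain rotation: {check_plain_rotation(m)}")
    # constructed key word, just to show the 64-bit map
    print(hex(prince_orthomorphism(0x0123456789ABCDEF)))
```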
QARMA
QARMA: Just Another Bricklayer in the Crypto Wall?
(Figure: the full cipher. The tweak T is updated every round by the cell shuffle h and the LFSR ω; the forward rounds S, τ, M add k0 together with the round constants c0 … c_{r−1}; the centre is τ, Q, k1, τ̄; the backward rounds add k0 and α; whitening with w0 and w1 at the two ends.)
τ, h = Shuffles of the cells; M, Q = Almost MDS matrices, Q involutory; S = S-Box layer; ω = LFSR
Reuses tweak shuffle from MANTIS (a PRINCE-like FX construction with MIDORI round function)
QARMA
New Central Construction
(Figure: the central construction. A forward round M, S, τ keyed with a whitening key, the pseudo-reflector τ, Q, k1, τ̄, and a backward round keyed with the other whitening key; the tweak T enters on both sides.)
Properties of central rounds:
◮ Use whitening key(s) instead of core key
  ◮ Thwarts reflection attacks
◮ Non involutory Pseudo-Reflector
  ◮ Add key k1, not tweak
  ◮ Easy to invert
  ◮ Also makes reflection attacks more difficult
◮ Chosen Q, M's have ≤ 2^{n/2} fixed points
  ◮ The {0, 1} MIDORI circulant has 2^{3n/4}!
◮ New almost MDS family over F2[ρ] = F2[X]/(X^m + 1) with optimal critical path (circulants, classification)
  ◮ Also makes attacks more difficult
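The fixed-point claim on this slide can be checked by computer for QARMA-64's cell size. The added Python example below (mine, not from the talk or the QARMA paper) treats a 4-bit cell as an element of F2[ρ] = F2[X]/(X^4 + 1), where multiplication by ρ is a bit rotation, applies a circulant matrix to one column of four cells, and counts exhaustively over all 2^16 columns. It uses the {0, 1} MIDORI circulant circ(0, 1, 1, 1) named on the slide, and circ(0, ρ, ρ², ρ), the involutory member of the family that QARMA-64 uses as Q (this choice is taken from the QARMA paper; the slide names only the family). Because the matrix acts on the four columns of the 64-bit state independently, the fixed points of the whole linear layer are the fourth power of the per-column count: 2^48 = 2^{3n/4} for the MIDORI circulant and 2^32 = 2^{n/2} for Q. The same pass reports the differential branch number (4, i.e. almost MDS; an MDS matrix on four cells would reach 5) and checks involutivity.

```python
CELL = 4        # bits per cell: QARMA-64 has 16 nibbles arranged as a 4x4 state
N_CELLS = 4     # the circulant acts on one column of 4 cells
COLUMNS = 4     # a 64-bit state has 4 such columns, transformed independently
CELL_MASK = (1 << CELL) - 1


def rho(cell: int, e: int) -> int:
    """Multiply a cell by rho^e in F_2[rho] = F_2[X]/(X^CELL + 1): rotate its bits left by e."""
    e %= CELL
    return ((cell << e) | (cell >> (CELL - e))) & CELL_MASK


def apply_circulant(first_row, col):
    """Apply circ(first_row) to a column of cells.

    Entries are exponents e (meaning rho^e) or None for the zero entry. Row i of a
    circulant is the first row rotated i places, so entry (i, j) = first_row[(j - i) mod 4].
    """
    out = []
    for i in range(N_CELLS):
        acc = 0
        for j in range(N_CELLS):
            e = first_row[(j - i) % N_CELLS]
            if e is not None:
                acc ^= rho(col[j], e)
        out.append(acc)
    return out


def column_stats(first_row) -> dict:
    """Evaluate the matrix on all 2^16 columns: fixed points, branch number, involutivity."""
    fixed = 0
    branch = N_CELLS + 1          # the MDS bound; almost MDS means N_CELLS
    involutory = True
    for v in range(1 << (CELL * N_CELLS)):
        col = [(v >> (CELL * j)) & CELL_MASK for j in range(N_CELLS)]
        out = apply_circulant(first_row, col)
        if out == col:
            fixed += 1
        if v:
            weight = sum(c != 0 for c in col) + sum(c != 0 for c in out)
            branch = min(branch, weight)
        if involutory and apply_circulant(first_row, out) != col:
            involutory = False
    return {"fixed_points": fixed, "branch_number": branch, "involutory": involutory}


def state_fixed_point_exponent(per_column_fixed: int) -> int:
    """log2 of the fixed points of the whole linear layer: the matrix acts on each column
    independently, so the per-column count (a power of two, as the map is linear) is raised
    to the number of columns."""
    assert per_column_fixed & (per_column_fixed - 1) == 0
    return COLUMNS * (per_column_fixed.bit_length() - 1)


# The {0,1} MIDORI circulant circ(0, 1, 1, 1), named on the slide.
MIDORI = (None, 0, 0, 0)
# circ(0, rho, rho^2, rho): the involutory member used by QARMA-64 as Q
# (from the QARMA paper; the slide itself names only the family).
QARMA_Q = (None, 1, 2, 1)


def summarize() -> dict:
    n = CELL * N_CELLS * COLUMNS   # 64-bit state
    result = {}
    for name, row in (("MIDORI", MIDORI), ("QARMA_Q", QARMA_Q)):
        stats = column_stats(row)
        stats["log2_state_fixed_points"] = state_fixed_point_exponent(stats["fixed_points"])
        stats["n"] = n
        result[name] = stats
    return result


if __name__ == "__main__":
    for name, stats in summarize().items():
        print(name, stats)
```

The MIDORI circulant is an involution whose M ⊕ I has rank 1 per bit position, so a quarter of the column is fixed per bit and three quarters of the state overall; any linear involution has at least 2^{n/2} fixed points (because (Q ⊕ I)² = 0 bounds the rank of Q ⊕ I by n/2), and Q meets that bound exactly.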
QARMA
Implementation
We consider here gate depth (and to a lesser extent, area). σ0, σ2 = different S-Boxes. Values are estimates. Details in the tech report: http://ia.cr/2016/444

Cipher                   Depth (GE)   Area (GE)
QARMA-64 5-σ0               100          8971
QARMA-64 6-σ0               117         10451
QARMA-64 7-σ0               134         11929
QARMA-64 5-σ2               107          9484
QARMA-64 6-σ2               125         11048
QARMA-64 7-σ2               143         12616
MANTIS 5                    100          8703
MANTIS 6                    117         10155
MANTIS 7                    134         11605
PRINCE                      114          7424

Cipher                   Depth (GE)   Area (GE)
QARMA-128 8-σ0              152         26592
QARMA-128 9-σ0              168         29521
QARMA-128 10-σ0             185         32450
QARMA-128 11-σ0             201         35379
QARMA-128 8-σ2              164         28127
QARMA-128 9-σ2              183         31228
QARMA-128 10-σ2             201         34328
QARMA-128 11-σ2             219         37429
AES-128                     554         63234
  (Encryption only)         294        143888