The QARMA Block Cipher Family
Roberto Avanzi, Qualcomm Product Security Germany (Qualcomm Technologies, Inc.)
Tokyo, March 7, 2017
Outline: Use cases · The road to QARMA · Analysis · Implementation · Conclusion
Roberto Avanzi : The QARMA Block Cipher Family 1/ 33
For industry, developing a new cipher is expensive∗. Deploying it is risky: With great power comes great responsibility.
Hence, motivation must come from very strong use cases, ...
∗ Because qualified human resources are expensive. And, by the way, QPSI is hiring...
(... use cases) where “transparent” performance is the difference between possible customer acceptance and outright feature rejection:
Memory Encryption
Software Security
Tweakable Block Ciphers and applications
[Figure: a tweakable block cipher (labelled Q) with plaintext P, key K and tweak T as inputs and ciphertext C as output.]
◮ Memory encryption: Just directly use address/nonce as tweak; no expensive XEX-like whitening value derivation: Reduced initial latency – direct impact on performance!
◮ Software security: SW exploits that manipulate pointers. Mitigations: Encrypt or hash these pointers... But: Decipher before use and/or increased memory traffic...
Note: ARMv8 has 64-bit pointers and 52-bit address space.
Idea: Use a TBC to compute tag, truncated to just a few bits, key set by higher execution environment, tweak = pointer’s context, then insert the tag in unused bits of the pointer!
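The pointer-tagging idea on this slide, as an added example that is not part of the talk: a keyed BLAKE2b (a hypothetical stand-in for a 64-bit TBC, with the pointer's context as tweak) produces a tag that is truncated to the 12 unused bits above a 52-bit address, inserted into the pointer, and recomputed before the pointer is used. Key, context and pointer values are constructed.

```python
import hashlib

ADDR_BITS = 52                      # address space used on the slide (ARMv8)
TAG_BITS = 64 - ADDR_BITS           # unused high pointer bits that carry the tag
ADDR_MASK = (1 << ADDR_BITS) - 1
TAG_MASK = (1 << TAG_BITS) - 1

def tbc_stand_in(key: bytes, tweak: bytes, block: int) -> int:
    """Placeholder for a 64-bit tweakable block cipher E_K^T(block).

    A keyed BLAKE2b with the tweak as personalization string stands in for
    QARMA here; the only property used is a key- and tweak-dependent PRF.
    """
    h = hashlib.blake2b(block.to_bytes(8, "little"), key=key,
                        person=tweak[:16], digest_size=8)
    return int.from_bytes(h.digest(), "little")

def pointer_tag(key: bytes, context: bytes, ptr: int) -> int:
    """Tag = TBC(K, T = context, P = pointer), truncated to the unused bits."""
    return tbc_stand_in(key, context, ptr & ADDR_MASK) & TAG_MASK

def sign_pointer(key: bytes, context: bytes, ptr: int) -> int:
    """Insert the truncated tag into the high bits of a 52-bit pointer."""
    if ptr >> ADDR_BITS:
        raise ValueError("pointer already carries high bits")
    return ptr | (pointer_tag(key, context, ptr) << ADDR_BITS)

def authenticate_pointer(key: bytes, context: bytes, signed: int):
    """Recompute the tag over the address part; return the plain pointer
    if it matches and None if the address or its tag was altered."""
    ptr = signed & ADDR_MASK
    stored = (signed >> ADDR_BITS) & TAG_MASK
    if stored != pointer_tag(key, context, ptr):
        return None
    return ptr

if __name__ == "__main__":
    # Constructed sample values: a key held by a higher execution environment
    # and a tweak derived from the pointer's storage context.
    key = bytes(range(16))
    ctx = b"stack-frame-0042"
    ptr = 0x00007F3A12345670
    signed = sign_pointer(key, ctx, ptr)
    print(hex(signed), authenticate_pointer(key, ctx, signed) == ptr)
    # A redirected address or a different context fails the check, except
    # with probability 2^-12: the price of a 12-bit tag.
    print(authenticate_pointer(key, ctx, signed ^ 0x10))
    print(authenticate_pointer(key, b"heap-object-0007", signed))
```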
We had a look at all generic constructions and available primitives, but...
... they were all too large or too slow.
Timing requirements point to a “real TBC” with low latency but no critical restrictions on total area. We want a cipher that goes well fully unrolled, pipelined.
... a “TWEAKED-PRINCE,” a bit fatter, but not much taller, than PRINCE.
I took the train from Munich to Bochum ... and MANTIS was born
[Figure: MANTIS structure. Forward rounds S, τ, M with round constants c0 ... c5, key k0 and whitening key w0, the tweak T passed through the cell shuffle h between rounds; a central part around M; backward rounds with k0 ⊕ α, constants c0 ... c5 and whitening key w1.]
Maria Eichlseder described it so well I could only do worse...
Texts / tweak / state = vectors of sixteen 4-bit cells / 4 × 4 matrices
τ, h = Cell Shuffles, M = Involutory Almost MDS 4 × 4 matrix, S = S-Box layer
τ ◦ M ◦ S related to MIDORI round function – lighter than PRINCE’s to offset the additional rounds.
Beyond MANTIS
I had second thoughts about the 4-round SuperBox in the middle, some partners about the (re)use of MIDORI components. So I had to go back to the drawing board.
Boring: spice it with mathematics.
1. New structure
2. Better diffusion matrices
3. Better S-Boxes (and new heuristics to find them)
4. Provide a 128-bit variant with 256-bit key
Shortly after that, security margins of MANTIS eroded a bit.
Outcome: MANTIS has a new cousin ...
... a cipher partly designed on the slopes of the Mt. Carmel ...
QARMA = Qualcomm + ARM + Authenticator, with the letters R, M, A also standing for Roberto M. Avanzi
(and it might badly affect my karma)
1. New structure
QARMA has a new Structure
[Figure: plaintext P to ciphertext C through forward rounds F, a central construction and backward rounds; whitening keys w0 and w1 = o(w0) at the two ends; round keys k0 and k0 + α; central key k1; tweak T fed to both halves.]
Whitening key derivation is s.t. w0 ↦ w1 and w0 ↦ w0 + w1 both 1-1 (orthomorphism)
It is a 3-round, 2-key, alternating-key (non ideal) Even-Mansour scheme (TD tradeoff may increase from TD ≲ 2^(n − ε) to TD ≲ 2^(3n/2 − ε))
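An added check, not from the talk, of the orthomorphism property this slide requires of the whitening keys: both w0 ↦ o(w0) and w0 ↦ w0 ⊕ o(w0) must be bijective. The rotate-right-by-one-and-fold-the-top-bit form of o is my assumption of QARMA's derivation; the check is exhaustive over small word sizes and also shows why a plain rotation or the identity does not qualify.

```python
def rotr(w: int, n: int, r: int = 1) -> int:
    """Rotate an n-bit word right by r positions."""
    mask = (1 << n) - 1
    return ((w >> r) | (w << (n - r))) & mask

def qarma_o(w: int, n: int) -> int:
    """w1 = o(w0): rotate right by one and XOR the old top bit into the new
    bottom bit (assumed form of QARMA's whitening-key derivation)."""
    return rotr(w, n) ^ (w >> (n - 1))

def is_permutation(f, n: int) -> bool:
    """Exhaustively check that w -> f(w) is a bijection on n-bit words."""
    return len({f(w) for w in range(1 << n)}) == 1 << n

def is_orthomorphism(f, n: int) -> bool:
    """o is an orthomorphism when both w -> o(w) and w -> w XOR o(w) are
    bijective, i.e. w0 -> w1 and w0 -> w0 + w1 are both 1-1 on the slide."""
    return is_permutation(f, n) and is_permutation(lambda w: w ^ f(w), n)

def derive_whitening_keys(w0: int, n: int = 64):
    """Return (w0, w1) for an n-bit whitening key w0."""
    return w0, qarma_o(w0, n)

if __name__ == "__main__":
    # Word sizes small enough to enumerate; the linear argument is the same
    # for 64 bits (the kernel of w -> w XOR o(w) is trivial).
    for n in (8, 12, 16):
        print(n, "o(w):", is_orthomorphism(lambda w: qarma_o(w, n), n),
              "plain rotation:", is_orthomorphism(lambda w: rotr(w, n), n),
              "identity:", is_orthomorphism(lambda w: w, n))
    print(hex(derive_whitening_keys(0x0123456789ABCDEF)[1]))
```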
QARMA Encryption
[Figure: forward rounds (S, τ, M) with round constants c0 ... c_{r−1}, key k0 and whitening key w0; the tweak T passes through the cell shuffle h and the LFSR ω between rounds; central part τ, M with key k1; backward rounds with k0 ⊕ α, constants c0 ... c_{r−1} and whitening key w1.]
Texts / tweak / state = vectors of sixteen 4-bit cells / 4 × 4 matrices
τ, h = Cell Shuffles; M = involutory Almost MDS 4 × 4 matrix; S = S-Box layer; ω = LFSR on 7/16 cells
QARMA Decryption
[Figure: the same structure as encryption, with the key material changed as listed below.]
Texts / tweak / state = vectors of sixteen 4-bit cells / 4 × 4 matrices
τ, h = Cell Shuffles; M = involutory Almost MDS 4 × 4 matrix; S = S-Box layer; ω = LFSR on 7/16 cells
Decrypt with: k0 ↦ k0 ⊕ α, swap w0 and w1, replace k1 ↦ M · k1