Meet-in-the-Middle Attacks on Reduced-Round QARMA-64/128

Abstract

QARMA is a new family of lightweight tweakable block ciphers which is used in the Pointer Authentication of ARMv8.3-A. In this paper, we apply the meet-in-the-middle attack to QARMA-64 and QARMA-128 including the outer whitening keys. First, we observe that a linear relation exists between four cells out of the eight input/output cells in the MixColumns operation. Then, the idea of canceling the state difference with the tweak difference is used to make one blank round. Finally, we construct meet-in-the-middle distinguishers on 5-round QARMA-128 and QARMA-64, respectively. Therefore, the attack on QARMA_4-128 is obtained by appending three rounds on the top of the distinguisher and two rounds on the bottom. Similarly, the attack on QARMA_3-64 is obtained. Besides, this attack can be extended to an attack on 9-round QARMA-64 without increasing the overall complexity. To the best of our knowledge, these are the first attacks on the QARMA block ciphers including the outer whitening keys.

1. INTRODUCTION

ARMv8.3-A [1, 2], the 2016 additions to the ARMv8-A architecture, was announced by ARM in 2016. Among these additions, the Pointer Authentication scheme is a software security primitive for enhanced security associated with pointer authentication. It can prevent an attacker from modifying protected pointers in memory without being detected. A new block cipher, QARMA [3], is used in the Pointer Authentication scheme as a critical part. QARMA is a new family of tweakable block ciphers (TBC) designed by Avanzi in 2016. Tweakable means that a user-selectable tweak T and a secret key K together determine the permutation computed by the cipher. Besides Pointer Authentication, QARMA can also be used in memory encryption, disk encryption and the construction of keyed hash functions.
QARMA is a bricklayer SPN and borrows some concepts from PRINCE [4], MIDORI [5] and MANTIS [6], but has important differences in structure and choice of components. In [3], the designer provides a thorough security analysis of QARMA against various attacks, such as linear and differential cryptanalysis, slide attacks, algebraic attacks, invariant subspace cryptanalysis, etc.

The meet-in-the-middle attack was first introduced into the cryptanalysis of AES in 2008 by Demirci and Selçuk [7]. Then, Dunkelman et al. [8] improved the attack with the multiset technique and the differential enumeration technique. In 2013, Derbez et al. [9, 10] further improved the attack using rebound-like arguments and many trade-off techniques. Recently, the meet-in-the-middle attack has been used in the cryptanalysis of many other ciphers, e.g., PRINCE [11], TWINE [12], CLEFIA [13] and so on. As for tweakable block ciphers, Dobraunig et al. [14] first introduced the idea that one can use the freedom of the tweak to cancel the state difference and thus create longer distinguishers in the square attack on Kiasu-BC, since the tweak can be fully controlled by users. This idea was then used in the impossible differential attack [15] and the meet-in-the-middle attack [16]. It is also used in this paper to extend the length of the meet-in-the-middle distinguishers.

Our contributions. In this paper, we apply the meet-in-the-middle attack to the cryptanalysis of the QARMA block ciphers. First, we find a linear relation between four cells out of the eight input/output cells in the MixColumns operation of QARMA. Then, we utilize the tweak difference to cancel the state difference and thus make one blank round. Combining these two methods, five-round meet-in-the-middle distinguishers on QARMA-64/128 are proposed. Based on these distinguishers, we mount attacks on QARMA_4-128 and QARMA_3-64, respectively.
Moreover, the attack on QARMA_3-64 can be extended to an attack on nine-round QARMA-64 without increasing the complexity. All our attacks focus on the QARMA block ciphers including the outer whitening keys. Table 1 summarizes our results along with the previous attack results on QARMA.

The rest of this paper is organized as follows. In Section 2, we briefly describe the QARMA block ciphers and related properties. Then, in Sections 3 and 4, we present the attacks on QARMA-128 and QARMA-64, respectively. Finally, we conclude this paper in Section 5.

Table 1. Cryptanalytic results on QARMA in the single-key setting.

Cipher     | Outer whitening | Symmetry | Rounds | Time(a) | Data  | Memory | Reference
QARMA-64   | Yes             | Yes      | 8      | 2^90    | 2^16  | 2^90   | This paper
QARMA-64   | Yes             | No       | 9      | 2^89    | 2^16  | 2^89   | This paper
QARMA-64   | No              | No       | 10     | 2^116   | 2^53  | 2^116  | [17]
QARMA-128  | No              | No       | 10     | 2^232   | 2^105 | 2^232  | [17]
QARMA-128  | Yes             | Yes      | 10     | 2^156   | 2^88  | 2^145  | This paper

(a) Time complexity measures both the online time and the offline time.

2. PRELIMINARIES
2.1. Notations

We use the following notations throughout the paper:

x[i]: the cell in position i of state x;
x[i]|k: bit k of cell x[i]; each cell has m bits numbered m−1, …, 0 from left to right;
x ⋘ k: left circular shift of x by k bits;
x ⋙ k: right circular shift of x by k bits;
x ≫ k: right non-circular shift of x by k bits;
f∘g(x): the composite function f(g(x));
f̄: the inverse of function f;
||: concatenation of two bit strings;
⊕: bit-wise XOR.

2.2. Description of the QARMA block ciphers

QARMA is a family of two tweakable block ciphers: QARMA-64 and QARMA-128. We denote by n the block size, with n = 64 for QARMA-64 and n = 128 for QARMA-128.
In both versions, the n-bit internal state is represented as a 4×4 matrix of m-bit cells, where m = 4 for QARMA-64 and m = 8 for QARMA-128. The 16 cells of the square matrix are numbered as follows:

 0  1  2  3
 4  5  6  7
 8  9 10 11
12 13 14 15

The overall scheme of QARMA is depicted in Fig. 1. It is a three-round Even-Mansour construction where the first and third permutations are functionally the inverse of each other and the central permutation is designed to be easily inverted. The keys k_0, k_1, w_0 and w_1 are derived from a master key K as follows: the 2n-bit master key K is first partitioned as w_0 || k_0, where w_0 and k_0 are n bits each, and then extended to 4n bits by the mapping

$$(w_0 \,\|\, k_0) \rightarrow (w_0 \,\|\, w_1 \,\|\, k_0 \,\|\, k_1) := \bigl(w_0 \,\|\, (w_0 \ggg 1) \oplus (w_0 \gg (16m-1)) \,\|\, k_0 \,\|\, k_0\bigr).$$

[Figure 1. The overall scheme of QARMA.]

We denote by QARMA_r the (2r+2)-round QARMA which keeps the symmetry of the cipher, that is to say, there are r rounds before the central permutation and r rounds after it. QARMA_r is composed of r Forward Round Functions, r Backward Round Functions and two Central Rounds. Moreover, the whitening key w_0 is XORed with the plaintext before the first round and w_1 is XORed to the internal state after the last round to get the ciphertext.

The Forward Round Function R(IS; tk) consists of the following four operations:

AddRoundTweakey: The round tweakey tk is XORed to the internal state IS. tk denotes the XOR sum of the round key, the tweak and the round constant.
ShuffleCells: This operation is the same as the cell permutation of the MIDORI block cipher, i.e. τ = [0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2].
MixColumns: Each column of the internal state matrix is multiplied by the matrix M, i.e. IS ← M · IS.
SubCells: For the chosen S-box σ, the S layer acts on the state as IS[i] ← σ(IS[i]) for 0 ≤ i ≤ 15.
In the first round, a short version of the Forward Round Function is used, which omits the ShuffleCells and MixColumns operations. Besides, the tweak T is updated by a tweak update function after AddRoundTweakey. In the tweak update function, the cells of the tweak are first permuted as h(T) = T[h(0)] || T[h(1)] || ⋯ || T[h(15)], where h is defined by h = [6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]. Then, an LFSR ω updates the tweak cells with indexes 0, 1, 3, 4, 8, 11 and 13. For m = 4, ω is a maximal period LFSR that maps cell (b_3, b_2, b_1, b_0) to (b_0 + b_1, b_3, b_2, b_1). For m = 8, it maps cell (b_7, b_6, …, b_0) to (b_0 + b_2, b_7, b_6, …, b_1).

The Backward Round Function R̄(IS; tk) is the inverse of the forward round function. The tweak update using the inverse LFSR ω̄ and the inverse permutation h̄ must be applied before AddRoundTweakey. Besides, an additional constant α is always XORed to the tweakey tk.

The Central Construction is defined as follows:

1. A forward round R.
2. The pseudo-reflector (IS; tk), i.e. ShuffleCells, multiplication of the state by the involutory matrix Q (which equals M), AddRoundTweakey (the round tweakey tk is XORed to the state) and inverse ShuffleCells.
3. A backward round R̄.

For the first r+1 rounds of QARMA_r, we respectively denote the internal state after the AddRoundTweakey, ShuffleCells, MixColumns and SubCells operations in round i by x_i, y_i, z_i and v_i, while for the last r+1 rounds, we denote the corresponding states by x′_i, y′_i, z′_i and v′_i, as shown in Fig. 2. Sometimes, we perform the key addition after the MixColumns operation. In such a case, we use the equivalent key u_0, which equals M · τ(k_0), and the resulting state is denoted by s_i.

[Figure 2. Meet-in-the-middle attack on QARMA_4-128. Black (gray) bytes are required in the online (offline) phase to propagate the difference. Differences in dotted bytes can be deduced in the online or offline phase. There is no difference in the white bytes. Hatched nibbles play no role.]
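As an added worked example (my own code, not the paper's), the tweak update h followed by ω from Section 2.2 for both cell sizes, with checks that the update is linear (so a tweak difference propagates through it without guessing anything) and invertible; all function names are my own choice.

```python
# Added example (not from the paper): the QARMA tweak update described above,
# implemented for m = 4 and m = 8 so that its linearity, which the later
# distinguishers rely on to propagate a tweak difference, can be checked.
import random

# Cell permutation h: new cell i takes the old cell h[i]; the inverse is derived from it.
H = [6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]
H_INV = [H.index(i) for i in range(16)]
# Cells that are additionally updated by the LFSR omega after the permutation.
LFSR_CELLS = (0, 1, 3, 4, 8, 11, 13)


def omega(cell: int, m: int) -> int:
    """One LFSR step on an m-bit cell (b_{m-1}, ..., b_0).

    m = 4: (b3, b2, b1, b0) -> (b0 + b1, b3, b2, b1)
    m = 8: (b7, ..., b0)    -> (b0 + b2, b7, ..., b1)
    """
    tap = 1 if m == 4 else 2
    feedback = (cell & 1) ^ ((cell >> tap) & 1)
    return (cell >> 1) | (feedback << (m - 1))


def omega_inv(cell: int, m: int) -> int:
    """Inverse LFSR step: the old tap bit now sits at position tap-1."""
    tap = 1 if m == 4 else 2
    top = (cell >> (m - 1)) & 1
    old_b0 = top ^ ((cell >> (tap - 1)) & 1)
    return ((cell << 1) & ((1 << m) - 1)) | old_b0


def tweak_update(t: list, m: int) -> list:
    """Forward update: permute the cells by h, then apply omega to the LFSR cells."""
    u = [t[H[i]] for i in range(16)]
    for i in LFSR_CELLS:
        u[i] = omega(u[i], m)
    return u


def tweak_update_inv(t: list, m: int) -> list:
    """Backward update (applied before AddRoundTweakey in a backward round): omega^-1, then h^-1."""
    u = list(t)
    for i in LFSR_CELLS:
        u[i] = omega_inv(u[i], m)
    return [u[H_INV[i]] for i in range(16)]


def lfsr_period(start: int, m: int) -> int:
    """Number of omega steps needed to bring a non-zero cell back to itself."""
    cell, steps = omega(start, m), 1
    while cell != start:
        cell, steps = omega(cell, m), steps + 1
    return steps


def is_linear(m: int, trials: int = 200, seed: int = 1) -> bool:
    """tweak_update(a xor b) == tweak_update(a) xor tweak_update(b), cell by cell."""
    rng = random.Random(seed)
    mask = (1 << m) - 1
    for _ in range(trials):
        a = [rng.randint(0, mask) for _ in range(16)]
        b = [rng.randint(0, mask) for _ in range(16)]
        lhs = tweak_update([x ^ y for x, y in zip(a, b)], m)
        rhs = [x ^ y for x, y in zip(tweak_update(a, m), tweak_update(b, m))]
        if lhs != rhs:
            return False
    return True


def round_trip_ok(m: int, seed: int = 2) -> bool:
    """Forward then backward update restores the original tweak."""
    rng = random.Random(seed)
    t = [rng.randint(0, (1 << m) - 1) for _ in range(16)]
    return tweak_update_inv(tweak_update(t, m), m) == t


def difference_after_update(cell: int, d: int, m: int) -> list:
    """Where a difference d in one tweak cell lands after one update (valid because
    the update is linear). A difference in cell 1 moves to cell 5 untouched (cell 5
    is not an LFSR cell); a difference in cell 4 moves to cell 11 and is LFSR'd."""
    delta = [0] * 16
    delta[cell] = d
    return tweak_update(delta, m)
```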
Note that M and Q are the same involutory matrix.

For QARMA_r-64, the designer chooses r = 7, i.e. 16 rounds, and for QARMA_r-128 he chooses r = 11, i.e. 24 rounds. For more details about QARMA, one can refer to [3].

2.3. Some definitions and properties

The following definitions and properties are used in our attacks.

Definition 1 (δ-set and ordered δ-set [11]). Let a δ-set be a set of 2^m QARMA states that are all different in one state cell (the active cell) and all fixed in the other state cells (the inactive cells). An ordered δ-set is a δ-set {x_0, x_1, …, x_{2^m−1}} such that the difference in the active cell between x_0 and x_i is equal to i for 0 ≤ i ≤ 2^m−1.

The matrix M used in the MixColumns operation is an Almost MDS matrix over the quotient ring R_m = F_2[X]/(X^m + 1). The image ρ of X satisfies ρ^m = 1, and {1, ρ, ρ^2, …, ρ^{m−1}} is a basis for R_m as an F_2-algebra. Thus multiplication by ρ^i in the ring R_m is just a simple circular left rotation by i bits, i.e., ρ^i · x = x ⋘ i. More specifically, M_1 is used for QARMA-64 and M_2 is used for QARMA-128:

$$M_1 = \begin{pmatrix} 0 & \rho^1 & \rho^2 & \rho^1 \\ \rho^1 & 0 & \rho^1 & \rho^2 \\ \rho^2 & \rho^1 & 0 & \rho^1 \\ \rho^1 & \rho^2 & \rho^1 & 0 \end{pmatrix}, \qquad M_2 = \begin{pmatrix} 0 & \rho^1 & \rho^4 & \rho^5 \\ \rho^5 & 0 & \rho^1 & \rho^4 \\ \rho^4 & \rho^5 & 0 & \rho^1 \\ \rho^1 & \rho^4 & \rho^5 & 0 \end{pmatrix}.$$

For the Almost MDS matrix M_1 used in QARMA-64, we have the following property.

Property 1. Consider a pair (a, b) of 4-nibble vectors such that b = M_1 · a. If a = (a[0], a[1], a[2], a[3]) and b = (b[0], b[1], b[2], b[3]), then b[i] ⊕ b[i+2] = ρ^2 · a[i] ⊕ ρ^2 · a[i+2] for i = 0, 1.

Proof. Since b[0] = ρ^1 · a[1] ⊕ ρ^2 · a[2] ⊕ ρ^1 · a[3] and b[2] = ρ^2 · a[0] ⊕ ρ^1 · a[1] ⊕ ρ^1 · a[3], we have b[0] ⊕ b[2] = ρ^2 · a[0] ⊕ ρ^2 · a[2].
Similarly, we have b[1] ⊕ b[3] = ρ^2 · a[1] ⊕ ρ^2 · a[3]. □

For the Almost MDS matrix M_2 used in QARMA-128, we have a similar property.

Property 2. Consider a pair (a, b) of 4-byte vectors such that b = M_2 · a. If a = (a[0], a[1], a[2], a[3]) and b = (b[0], b[1], b[2], b[3]), then ρ^4 · b[i] ⊕ b[i+2] = ρ^4 · a[i] ⊕ a[i+2] for i = 0, 1.

Note that since both matrices are involutory, the above two properties can also be applied to the corresponding inverse matrices M̄_1 and M̄_2.

2.4. Related work

In [3], the designer claims the security of QARMA in the following security model:

"We shall assume the attacker does not have control on the key, but she may have full control on the tweak. A TBC is understood to offer n bits of (time-data tradeoff) security if no better attacks are possible than time 2^{n−d−ε} with 2^d chosen or known {plaintext, ciphertext, tweak} triples, for a small ε (e.g. 2)."

From the above statement, we know that for a valid attack on QARMA-n with a data complexity of 2^D, the time complexity should be less than 2^{2n−D−ε}.

Zong and Dong [17] propose meet-in-the-middle attacks on 10-round QARMA with the outer whitening removed. However, neither of their attacks keeps the symmetry of QARMA; more specifically, they attack 10-round QARMA with four Forward Rounds and six Backward Rounds. More importantly, the offline complexity of their attacks is very high. For QARMA-64, their data complexity is 2^53 while the offline time complexity is about 2^116, which exceeds 2^{128−53} = 2^75. For QARMA-128, their data complexity is 2^105 while the offline time complexity is about 2^232, which exceeds 2^{256−105} = 2^151.

3. MEET-IN-THE-MIDDLE ATTACK ON QARMA_4-128

In the meet-in-the-middle attack, a block cipher is first divided into three parts: E_k = E^2_{k_2} ∘ E_d ∘ E^1_{k_1}, where we need to construct a meet-in-the-middle distinguisher in the middle rounds E_d. The attack consists of two phases: an offline phase and an online phase. In the offline phase, the distinguisher is constructed and all possible values of a sequence are stored in a hash table.
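As an added worked example (my own code, not the paper's) for Properties 1 and 2 of Section 2.3: multiplication by M_1 and M_2 over R_m with ρ^k realised as a k-bit left rotation, an exhaustive check of Property 1, a sampled check of Property 2, and a check that both matrices are involutory, which is what lets the properties carry over to M̄_1 and M̄_2; the function names are my own.

```python
# Added example (not from the paper): the QARMA MixColumns matrices over
# R_m = F_2[X]/(X^m + 1), where rho^k acts as a left rotation by k bits.
import random
from itertools import product

# Matrices as exponent tables: None is the zero entry, k stands for rho^k.
M1 = [[None, 1, 2, 1],
      [1, None, 1, 2],
      [2, 1, None, 1],
      [1, 2, 1, None]]
M2 = [[None, 1, 4, 5],
      [5, None, 1, 4],
      [4, 5, None, 1],
      [1, 4, 5, None]]


def rho(x: int, k: int, m: int) -> int:
    """rho^k * x in R_m: left circular rotation of the m-bit cell x by k bits."""
    k %= m
    mask = (1 << m) - 1
    return ((x << k) | (x >> (m - k))) & mask if k else x


def mix_column(a: list, mat: list, m: int) -> list:
    """b = mat * a over R_m for one 4-cell column; XOR is the ring addition."""
    b = []
    for row in mat:
        acc = 0
        for exp, cell in zip(row, a):
            if exp is not None:
                acc ^= rho(cell, exp, m)
        b.append(acc)
    return b


def property1_holds(a: list) -> bool:
    """Property 1 (QARMA-64): b[i] ^ b[i+2] == rho^2 a[i] ^ rho^2 a[i+2] for i = 0, 1."""
    b = mix_column(a, M1, 4)
    return all(b[i] ^ b[i + 2] == rho(a[i], 2, 4) ^ rho(a[i + 2], 2, 4) for i in (0, 1))


def property2_holds(a: list) -> bool:
    """Property 2 (QARMA-128): rho^4 b[i] ^ b[i+2] == rho^4 a[i] ^ a[i+2] for i = 0, 1."""
    b = mix_column(a, M2, 8)
    return all(rho(b[i], 4, 8) ^ b[i + 2] == rho(a[i], 4, 8) ^ a[i + 2] for i in (0, 1))


def check_property1_exhaustive() -> bool:
    """All 16^4 nibble columns (cheap enough to enumerate completely)."""
    return all(property1_holds(list(a)) for a in product(range(16), repeat=4))


def check_property2_sampled(trials: int = 20000, seed: int = 7) -> bool:
    """Random byte columns; 256^4 is too many to enumerate here."""
    rng = random.Random(seed)
    return all(property2_holds([rng.randrange(256) for _ in range(4)]) for _ in range(trials))


def is_involutory(mat: list, m: int, trials: int = 5000, seed: int = 11) -> bool:
    """M * (M * a) == a on random columns, so M^-1 = M and the properties transfer."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randrange(1 << m) for _ in range(4)]
        if mix_column(mix_column(a, mat, m), mat, m) != a:
            return False
    return True
```

Because the relations are linear, they hold for differences as well as values, which is how the paper moves from z′ to y′ cells in the distinguishers.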
In the online phase, some key bits of k_1 and k_2 are guessed and only the right one will be kept. In this section, the meet-in-the-middle attack is applied to QARMA_4-128 including the outer whitening, as shown in Fig. 2. First, we propose a five-round meet-in-the-middle distinguisher on QARMA-128 by using the freedom of the tweak and the property of the MixColumns operation. Then, we mount an attack on QARMA_4-128 by extending three rounds on the top and two rounds on the bottom.

3.1. Distinguisher on five-round QARMA-128

The following Theorem 3.1 describes the five-round meet-in-the-middle distinguisher we construct, where e represents ρ^4 · z′_2[5] ⊕ z′_2[13], which equals ρ^4 · y′_2[5] ⊕ y′_2[13] according to Property 2.

Theorem 3.1. Let {v_2^0, v_2^1, …, v_2^255} and {t_3^0, t_3^1, …, t_3^255} be two ordered δ-sets with v_2^d[1] ⊕ v_2^0[1] = t_3^d[1] ⊕ t_3^0[1] = d for 0 ≤ d ≤ 255. Consider the encryption of v_2^a (0 ≤ a ≤ 31) under tweak t_3^a through 5-round QARMA-128; then the corresponding 248-bit ordered sequence (e^1 ⊕ e^0, e^2 ⊕ e^0, …, e^31 ⊕ e^0) only takes about 2^144 values (out of the 2^248 theoretically possible values).

Proof. To prove this, we show that the sequence (e^1 ⊕ e^0, e^2 ⊕ e^0, …, e^31 ⊕ e^0) is determined by 18 bytes, namely
z_4^0[0,4,12] || v′_4^0[1,3,5,6,9,10,11,14,15] || v′_3^0[4,7,11,12] || v′_2^0[5,13].
In the following proof, we denote by ΔX^a the difference between X^a and X^0. Since the tweak update function is linear, we can deduce Δt_4^a from Δt_3^a. As Δv_2^a[1] = Δt_3^a[1], we have Δx_3^a = 0. Therefore, we can propagate Δt_4^a through the linear operations to obtain Δz_4^a[0,4,12]. Then, we can bypass the S-box operation to get Δv_4^a[0,4,12] with the knowledge of z_4^0[0,4,12]. Similarly, we can deduce the difference Δz′_4^a[1,3,5,6,9,10,11,14,15] with the value v′_4^0[1,3,5,6,9,10,11,14,15]. Furthermore, we can deduce the difference Δz′_3^a[4,7,11,12] with the value v′_3^0[4,7,11,12]. Since Δz′_3^a[0,15] = 0, we can deduce Δy′_3^a[3,8]. Finally, with the value v′_2^0[5,13], we can get the difference Δy′_2^a[5,13], which can be used to deduce e^a ⊕ e^0.
So, the sequence (e^1 ⊕ e^0, e^2 ⊕ e^0, …, e^31 ⊕ e^0) takes about 2^144 values. □

3.2. Attack on QARMA_4-128

Based on the above five-round distinguisher, we mount an attack on QARMA_4-128. First, in the offline phase we precompute all the 2^144 sequences according to the proof of Theorem 3.1 and store them in a hash table H. Secondly, in the online phase we need to guess some key bits, identify a δ-set and compute the corresponding sequence. Then, we check whether the sequence exists in H. In the online phase, we fully use the relations between the round keys to reduce the time complexity. The following steps give the attack procedure of the online phase.

1. Choose a set of 2^80 plaintexts where P[0,1,3,4,5,6,11,12,14,15] take all possible values while the other six bytes are constants. Ask for the encryption of each plaintext in the set under 2^8 tweaks where T[5] takes all 2^8 possible values while the other 15 bytes are constants. In total, we require the ciphertexts of 2^88 plaintext-tweak combinations.

2. Pick one of the plaintext-tweak combinations, and denote the plaintext by P^0, the tweak by T^0 and the corresponding ciphertext by C^0. Deduce the values t_1^0, t_2^0, t_3^0 from T^0.

3. Guess (w_0 ⊕ k_0)[0,1,3,4,5,6,11,12,14,15], and partially encrypt P^0 under tweak T^0 to get v_0^0[0,1,3,4,5,6,11,12,14,15]. Then guess u_0[1,4,5,14] to get the values v_1^0[1,4,5,14] and v_2^0[1].

4. Guess u_0[0,8,9,12,13] and then deduce k_0[0,1,4,5,10,11,14,15]. By XORing the corresponding bytes of k_0 with w_0 ⊕ k_0, we get w_0[0,1,4,5,14,15]. Since w_1 = (w_0 ⋙ 1) ⊕ (w_0 ≫ 127), w_1[0,1,4,5,14,15] can be deduced by guessing w_0[3]|0 and w_0[13]|0. Then, we obtain (w_1 ⊕ k_0)[0,1,4,5,14,15]. Therefore, we can partially decrypt the ciphertext C^0 under T^0 to get x′_0[0,1,4,5,14,15] and s′_1[1,4].
5. For each of the 2^154 guessed keys and their corresponding values of v_0^0[0,1,3,4,5,6,11,12,14,15], v_1^0[1,4,5,14], v_2^0[1], x′_0[0,1,4,5,14,15] and s′_1[1,4], do the following substeps:

   (a) Denote the ordered δ-set containing v_2^0 by {v_2^0, v_2^1, …, v_2^255} and the ordered δ-set containing t_3^0 by {t_3^0, t_3^1, …, t_3^255}, where the active bytes of the two δ-sets are placed in the same position, i.e., byte 1 of the corresponding state.

   (b) For (v_2^i ⊕ v_2^0, t_3^i ⊕ t_3^0) (1 ≤ i ≤ 31), we can propagate the difference from the state v_2 to the plaintext. Thus we get the corresponding ciphertext difference C^i ⊕ C^0 and then propagate the difference from the ciphertext to the state y′_2. Therefore, we obtain the sequence (e^1 ⊕ e^0, e^2 ⊕ e^0, …, e^31 ⊕ e^0).

   (c) Check whether the sequence exists in the hash table H. If not, discard the corresponding subkey. Thus a wrong subkey passes this test with probability 2^144 × 2^−248 = 2^−104.

In the end, there are about 1 + 2^154 × 2^−104 ≈ 2^50 candidates for the key bytes u_0[0,1,4,5,8,9,12,13,14], (w_0 ⊕ k_0)[0,1,3,4,5,6,11,12,14,15] left. Then we can retrieve the master key by exhaustive search without increasing the overall complexity.

Complexity analysis. The data complexity of the attack is 2^88 plaintext-tweak combinations and the memory complexity is about 2^144 × 2 = 2^145 128-bit blocks. The time complexity of the offline phase is about 2^144 × 2^5 × 2^−3 = 2^146 QARMA_4-128 encryptions, while the time complexity of the online phase is about 2^154 × 2^5 × 2^−3 = 2^156 QARMA_4-128 encryptions, since we assume that each value of the ordered δ-set roughly needs about 2^−3 QARMA_4-128 encryptions. In total, the time complexity of the attack is 2^156, which is much less than 2^{256−88} = 2^168.

4. MEET-IN-THE-MIDDLE ATTACK ON QARMA_3-64

In this section, we apply the meet-in-the-middle attack to QARMA_3-64 including the outer whitening, as shown in Fig. 3. First, we propose a five-round meet-in-the-middle distinguisher on QARMA-64. Then, we mount an attack on QARMA_3-64 based on this distinguisher.
Finally, we show that this attack can be extended to an attack on nine-round QARMA-64 without affecting the attack complexity.

[Figure 3. Meet-in-the-middle attack on QARMA_3-64. Black (gray) nibbles are required in the online (offline) phase to propagate the difference. Differences in dotted bytes can be deduced in the online or offline phase. There is no difference in the white bytes. Hatched nibbles play no role.]

4.1. Distinguisher on five-round QARMA-64

The meet-in-the-middle distinguisher on QARMA-64 presented in Theorem 4.1 is quite similar to the distinguisher on QARMA-128, except that the active nibble of the ordered δ-set takes a different position in order to decrease the number of guessed key bits in the online phase. Besides, we choose four nibbles to construct the sequence in order to give a sufficiently small probability to filter the wrong keys. Hereinafter e represents (ρ^2 · z′_1[1] ⊕ ρ^2 · z′_1[9]) || (ρ^2 · z′_1[3] ⊕ ρ^2 · z′_1[11]), which equals (y′_1[1] ⊕ y′_1[9]) || (y′_1[3] ⊕ y′_1[11]) according to Property 1.

Theorem 4.1. Let {v_1^0, v_1^1, …, v_1^15} and {t_2^0, t_2^1, …, t_2^15} be two ordered δ-sets with v_1^d[4] ⊕ v_1^0[4] = t_2^d[4] ⊕ t_2^0[4] = d for 0 ≤ d ≤ 15. Consider the encryption of v_1^d under tweak t_2^d through five-round QARMA-64; then the corresponding 120-bit ordered sequence (e^1 ⊕ e^0, e^2 ⊕ e^0, …, e^15 ⊕ e^0) only takes about 2^88 values (out of the 2^120 theoretically possible values).

Proof. As in the proof of Theorem 3.1, we conclude that this 120-bit sequence is determined by the following nibbles:
z_3^0[5,9,13] || v′_3^0[0,2,3,6,7,8,10,12,15] || v′_2^0[2,5,6,9,10,13] || v′_1^0[1,3,9,11]. □
4.2. Attack on QARMA_3-64

By appending two rounds on the top of the distinguisher and one round on the bottom, the attack on QARMA_3-64 is obtained. In the offline phase, we precompute the 2^88 values of the sequence described in Theorem 4.1 and store them in a hash table H. The procedure of the online phase is as follows.

1. Choose a set of 2^16 plaintexts where P[0,5,6,15] take all possible values while the other 12 cells are constants. Ask for the encryption of each plaintext in the set under a tweak T satisfying T[6] = P[6] while the other 15 cells are constants. In total, we require the ciphertexts of 2^16 plaintext-tweak combinations.

2. Pick one of the plaintext-tweak combinations, and denote the plaintext by P^0, the tweak by T^0 and the corresponding ciphertext by C^0. Deduce the values t_1^0, t_2^0 from T^0.

3. Guess (w_0 ⊕ k_0)[0,5,15], and partially encrypt P^0 under tweak T^0 to get v_0^0[0,5,15]. Then guess u_0[4] to get the value v_1^0[4].

4. Guess (w_1 ⊕ k_0)[8,11,13,14] and then partially decrypt the ciphertext C^0 under T^0 to get x′_0[8,11,13,14].

5. For each of the 2^32 guessed keys and their corresponding values of v_0^0[0,5,15], v_1^0[4], x′_0[8,11,13,14], do the following substeps:

   (a) Denote the ordered δ-set containing v_1^0 by {v_1^0, v_1^1, …, v_1^15} and the ordered δ-set containing t_2^0 by {t_2^0, t_2^1, …, t_2^15}, where the active nibbles of the two δ-sets are both placed in nibble 4.

   (b) For (v_1^i ⊕ v_1^0, t_2^i ⊕ t_2^0) (1 ≤ i ≤ 15), we can propagate the difference from the state v_1 to the plaintext. Thus we get the corresponding ciphertext difference C^i ⊕ C^0 and then propagate the difference from the ciphertext to the state y′_1. Therefore, we obtain the sequence (e^1 ⊕ e^0, e^2 ⊕ e^0, …, e^15 ⊕ e^0).

   (c) Check whether the sequence exists in the hash table H. If not, discard the corresponding subkey. Thus a wrong subkey passes this test with probability 2^88 × 2^−120 = 2^−32.

In the end, there are about 1 + 2^32 × 2^−32 ≈ 2 values of the key nibbles (w_0 ⊕ k_0)[0,5,15], (w_1 ⊕ k_0)[8,11,13,14], u_0[4] left.

Complexity analysis.
The data complexity of the attack is 2^16 plaintext-tweak combinations and the memory complexity is 2^88 × 2 = 2^89 64-bit blocks. The time complexity of the offline phase is about 2^88 × 2^4 × 2^−3 = 2^89 QARMA_3-64 encryptions, while the time complexity of the online phase is about 2^32 × 2^4 × 2^−3 = 2^33 QARMA_3-64 encryptions, since we assume each value of the ordered δ-set needs about 2^−3 QARMA_3-64 encryptions. In total, the time complexity of the attack is 2^89, which is much less than 2^{128−16} = 2^112.

Recovering the master key. In the above attack, only eight key nibbles are recovered. If we perform an exhaustive search to find the missing key nibbles, the complexity of the whole attack will drastically increase. Instead, we choose to replay the above attack with a different distinguisher to recover other key nibbles. In the offline phase we first keep the active nibbles of the two ordered δ-sets unchanged and let e represent (ρ^2 · z′_1[4] ⊕ ρ^2 · z′_1[12]) || (ρ^2 · z′_1[6] ⊕ ρ^2 · z′_1[14]), which equals (y′_1[4] ⊕ y′_1[12]) || (y′_1[6] ⊕ y′_1[14]) according to Property 1, and then construct the corresponding sequence. Thus the values of the key nibbles (w_1 ⊕ k_0)[9,10,12,15] can be recovered in the online phase. Now, we have recovered the values of the key nibbles (w_0 ⊕ k_0)[0,5,15], (w_1 ⊕ k_0)[8,9,10,11,12,13,14,15], u_0[4]. Then an exhaustive search can be performed to recover the master key without increasing the overall complexity. The data complexity of this attack is still 2^16, while the time complexity and memory complexity increase by a factor of 2 and become 2^90 QARMA_3-64 encryptions and 2^90 64-bit blocks, respectively.

4.3. Attack on nine-round QARMA-64

The above basic attack on QARMA_3-64, which recovers the key nibbles (w_0 ⊕ k_0)[0,5,15], (w_1 ⊕ k_0)[8,11,13,14], u_0[4], can easily be turned into an attack on nine-round QARMA-64 with four Forward Rounds and five Backward Rounds by adding one round at the end.
In order to perform this attack, we have to guess 12 more key nibbles, and thus the time complexity of the online phase increases by a factor of 2^48. Finally, the master key can be recovered by an exhaustive search. Since the time complexity of the whole attack is still dominated by that of the offline phase, the complexity of this attack remains unchanged, i.e., the time complexity is 2^89 encryptions, the memory complexity is 2^88 × 2 = 2^89 64-bit blocks and the data complexity is 2^16 plaintext-tweak combinations.

5. CONCLUSION

This paper studies meet-in-the-middle attacks on reduced-round QARMA-64 and QARMA-128. By fully using the properties of the MixColumns operation and the freedom of the tweak, meet-in-the-middle distinguishers on 5-round QARMA-64 and QARMA-128 are proposed. Then, meet-in-the-middle attacks on QARMA_4-128 and QARMA_3-64 are constructed based on the corresponding distinguishers. Besides, the attack on QARMA_3-64 can be extended to an attack on 9-round QARMA-64. As far as we know, these are the first attacks on the QARMA block ciphers including the outer whitening keys.

FUNDING

This work was supported by the National Natural Science Foundation of China [grant numbers 61772547, 61402523 and 61272488].

ACKNOWLEDGEMENTS

We thank the anonymous reviewers for their insightful comments and suggestions.

REFERENCES

[1] ARM Connected Blog. ARMv8-A architecture: 2016 additions. https://www.community.arm.com/processors/b/blog/posts/armv8-a-architecture-2016-additions (accessed November 30, 2017).
[2] Qualcomm Product Security. Pointer Authentication on ARMv8.3: design and analysis of the new software security instructions. https://www.qualcomm.com/documents/whitepaper-pointer-authentication-armv83 (accessed November 30, 2017).
[3] Avanzi, R. (2017) The QARMA block cipher family. Almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes.
IACR Trans. Symmetric Cryptol., 2017, 4–44.
[4] Borghoff, J. et al. (2012) PRINCE—A low-latency block cipher for pervasive computing applications. In Proc. ASIACRYPT 2012, Beijing, China, December 2–6, pp. 208–225. Springer, Berlin.
[5] Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T. and Regazzoni, F. (2015) Midori: A block cipher for low energy. In Proc. ASIACRYPT 2015 Part II, New Zealand, November 29–December 3, pp. 411–436. Springer, Berlin.
[6] Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P. and Sim, S.M. (2016) The SKINNY family of block ciphers and its low-latency variant MANTIS. In Proc. CRYPTO 2016 Part II, Santa Barbara, CA, USA, August 14–18, pp. 123–153. Springer, Berlin.
[7] Demirci, H. and Selçuk, A.A. (2008) A meet-in-the-middle attack on 8-round AES. In Proc. Fast Software Encryption 2008, Lausanne, Switzerland, February 10–13, pp. 116–126. Springer, Berlin.
[8] Dunkelman, O., Keller, N. and Shamir, A. (2010) Improved single-key attacks on 8-round AES-192 and AES-256. In Proc. ASIACRYPT 2010, Singapore, December 5–9, pp. 158–176. Springer, Berlin.
[9] Derbez, P., Fouque, P. and Jean, J. (2013) Improved key recovery attacks on reduced-round AES in the single-key setting. In Proc. EUROCRYPT 2013, Athens, Greece, May 26–30, pp. 371–387. Springer, Berlin.
[10] Derbez, P. and Fouque, P. (2013) Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In Proc. Fast Software Encryption 2013, Singapore, March 11–13, pp. 541–560. Springer, Berlin.
[11] Derbez, P. and Perrin, L. (2015) Meet-in-the-middle attacks and structural analysis of round-reduced PRINCE. In Proc. Fast Software Encryption 2015, Istanbul, Turkey, March 8–11, pp. 190–216. Springer, Berlin.
[12] Biryukov, A., Derbez, P. and Perrin, L. (2015) Differential analysis and meet-in-the-middle attack against round-reduced TWINE. In Proc.
Fast Software Encryption 2015, Istanbul, Turkey, March 8–11, pp. 3–27. Springer, Berlin.
[13] Lin, L., Wu, W. and Zheng, Y. (2015) Improved meet-in-the-middle distinguisher on Feistel schemes. In Proc. Selected Areas in Cryptography 2015, Sackville, NB, Canada, August 12–14, pp. 122–142. Springer, Berlin.
[14] Dobraunig, C., Eichlseder, M. and Mendel, F. (2016) Square attack on 7-round Kiasu-BC. In Proc. Applied Cryptography and Network Security 2016, Guildford, UK, June 19–22, pp. 500–517. Springer, Berlin.
[15] Dobraunig, C. and List, E. (2017) Impossible-differential and boomerang cryptanalysis of round-reduced Kiasu-BC. In Proc. CT-RSA 2017, San Francisco, CA, USA, February 14–17, pp. 207–222. Springer, Berlin.
[16] Tolba, M., Abdelkhalek, A. and Youssef, A.M. (2016) A meet-in-the-middle attack on reduced round Kiasu-BC. IEICE Trans. Fundam. Electron. Commun. Comput. Sci., E99-A, 1888–1890.
[17] Zong, R. and Dong, X. Meet-in-the-middle attack on QARMA block cipher. Cryptology ePrint Archive, Report 2016/1160, http://eprint.iacr.org/2016/1160 (accessed November 30, 2017).

Handling editor: Keith Martin

© The British Computer Society 2018. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com. This article is published and distributed under the terms of the Oxford University Press Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices).

The Computer Journal, Oxford University Press.

Meet-in-the-Middle Attacks on Reduced-Round QARMA-64/128

Publisher
Oxford University Press
Copyright
© The British Computer Society 2018. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com
ISSN
0010-4620
eISSN
1460-2067
D.O.I.
10.1093/comjnl/bxy045

Moreover, the attack on QARMA3-64 can be extended to an attack on nine-round QARMA-64 without increasing the complexity. All our attacks target the QARMA block ciphers including the outer whitening keys.
Table 1 summarizes our results along with the previous attack results on QARMA. The rest of this paper is organized as follows. In Section 2, we briefly describe the QARMA block ciphers and related properties. In Sections 3 and 4, we present the attacks on QARMA-128 and QARMA-64, respectively. Finally, we conclude the paper in Section 5.

Table 1. Cryptanalytic results on QARMA in the single-key setting.

Cipher     Outer whitening  Symmetry  Rounds  Time(a)  Data    Memory  Reference
QARMA-64   Yes              Yes       8       2^90     2^16    2^90    This paper
QARMA-64   Yes              No        9       2^89     2^16    2^89    This paper
QARMA-64   No               No        10      2^116    2^53    2^116   [17]
QARMA-128  No               No        10      2^232    2^105   2^232   [17]
QARMA-128  Yes              Yes       10      2^156    2^88    2^145   This paper

(a) Time complexity measures both the online time and the offline time.

2. PRELIMINARIES

2.1. Notations

We use the following notations throughout the paper:

x[i]: the cell in position i of state x;
x[i]|k: bit k of cell x[i], where each cell has m bits numbered m−1, …, 0 from left to right;
x⋘k: left circular shift of x by k bits;
x⋙k: right circular shift of x by k bits;
x≫k: right non-circular shift of x by k bits;
f∘g(x): the composite function f(g(x));
f̄: the inverse of the function f;
||: concatenation of two bit strings;
⊕: bit-wise XOR.

2.2. Description of QARMA block ciphers

QARMA is a family of two tweakable block ciphers: QARMA-64 and QARMA-128. We denote by n the block size, with n=64 for QARMA-64 and n=128 for QARMA-128.
In both versions, the n-bit internal state is represented as a 4×4 matrix of m-bit cells, where m=4 for QARMA-64 and m=8 for QARMA-128. The 16 cells of the matrix are numbered as follows:

 0  1  2  3
 4  5  6  7
 8  9 10 11
12 13 14 15

The overall scheme of QARMA is depicted in Fig. 1: it is a three-round Even-Mansour construction in which the first and third permutations are functionally the inverse of each other and the central permutation is designed to be easily inverted. The keys k0, k1, w0 and w1 are derived from the master key K as follows: the 2n-bit master key K is first partitioned as w0||k0, where w0 and k0 are n bits each, and then extended to 4n bits by the mapping

(w0||k0) → (w0||w1||k0||k1) := (w0 || (w0⋙1)⊕(w0≫(16m−1)) || k0 || k0).

Figure 1. The overall scheme of QARMA.

We denote by QARMAr the (2r+2)-round QARMA that keeps the symmetry of the cipher, that is, there are r rounds before the central permutation and r rounds after it. QARMAr is composed of r Forward Round Functions, r Backward Round Functions and two Central Rounds. Moreover, the whitening key w0 is XORed with the plaintext before the first round and w1 is XORed to the internal state after the last round to produce the ciphertext. The Forward Round Function R(IS; tk) consists of the following four operations:

AddRoundTweakey: the round tweakey tk is XORed to the internal state IS, where tk denotes the XOR sum of the round key, the tweak and the round constant.
ShuffleCells: the same cell permutation as in the MIDORI block cipher, i.e. τ = [0,11,6,13,10,1,12,7,5,14,3,8,15,4,9,2].
MixColumns: each column of the internal state matrix is multiplied by the matrix M, i.e. IS ← M·IS.
SubCells: for the chosen S-box σ, the S layer acts on the state cell-wise, IS[i] ← σ(IS[i]) for 0≤i≤15.
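As an added worked example (this code is not from the paper or from the QARMA designer), the following Python implements the ring arithmetic behind MixColumns and the key-extension map above, and checks three things a reader may want to verify for themselves: that the two MixColumns matrices of QARMA-64 and QARMA-128 (M1 and M2 of Section 2.3) are involutory, that the linear relations between four of the eight input/output cells of a column (Properties 1 and 2 of Section 2.3) hold, and that six known cells of w0 plus the two single bits w0[3]|0 and w0[13]|0 determine the six cells w1[0,1,4,5,14,15], the key-schedule relation used in the online phase of Section 3.2. Conventions assumed here: a column is the tuple (a[0], a[1], a[2], a[3]) of m-bit cells, cell 0 of an n-bit key is its leftmost (most significant) cell, and bit 0 of a cell is its least significant bit, matching the notation x[i]|k.

```python
"""Added example, not the paper's code: QARMA MixColumns over R_m = F2[X]/(X^m + 1)
and the key-extension map w0 -> w1.  Assumed conventions: a column is a tuple of four
m-bit cells, cell 0 of an n-bit key is the leftmost (most significant) cell, and bit 0
of a cell is its least significant bit (the paper's x[i]|k with bit 0 rightmost)."""
import random


def rho(x, i, m):
    """Multiply the m-bit cell x by rho^i in R_m, i.e. rotate x left by i bits."""
    i %= m
    if i == 0:
        return x
    mask = (1 << m) - 1
    return ((x << i) | (x >> (m - i))) & mask


# Exponents of rho in the MixColumns matrices; None marks a zero entry.
M1 = [[None, 1, 2, 1], [1, None, 1, 2], [2, 1, None, 1], [1, 2, 1, None]]  # QARMA-64,  m = 4
M2 = [[None, 1, 4, 5], [5, None, 1, 4], [4, 5, None, 1], [1, 4, 5, None]]  # QARMA-128, m = 8


def mix_column(a, M, m):
    """b = M . a over R_m, i.e. b[i] = XOR over j of rho^M[i][j] . a[j]."""
    b = []
    for row in M:
        acc = 0
        for e, aj in zip(row, a):
            if e is not None:
                acc ^= rho(aj, e, m)
        b.append(acc)
    return tuple(b)


def is_involution(M, m, trials=2000, seed=1):
    """M . (M . a) == a on random columns (both QARMA matrices are involutory)."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = tuple(rng.randrange(1 << m) for _ in range(4))
        if mix_column(mix_column(a, M, m), M, m) != a:
            return False
    return True


def property1_holds():
    """Property 1 on every 4-nibble column: b[i] ^ b[i+2] == rho^2 a[i] ^ rho^2 a[i+2]."""
    for v in range(1 << 16):
        a = tuple((v >> (4 * k)) & 0xF for k in range(4))
        b = mix_column(a, M1, 4)
        for i in (0, 1):
            if b[i] ^ b[i + 2] != rho(a[i], 2, 4) ^ rho(a[i + 2], 2, 4):
                return False
    return True


def property2_holds(trials=20000, seed=2):
    """Property 2 on random byte columns: rho^4 b[i] ^ b[i+2] == rho^4 a[i] ^ a[i+2]."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = tuple(rng.randrange(256) for _ in range(4))
        b = mix_column(a, M2, 8)
        for i in (0, 1):
            if rho(b[i], 4, 8) ^ b[i + 2] != rho(a[i], 4, 8) ^ a[i + 2]:
                return False
    return True


def extend_w0(w0, m):
    """w1 = (w0 >>> 1) ^ (w0 >> (16m - 1)) on the n = 16m bit whitening key."""
    n = 16 * m
    mask = (1 << n) - 1
    rotr1 = ((w0 >> 1) | (w0 << (n - 1))) & mask
    return rotr1 ^ (w0 >> (n - 1))


def w0_bits_feeding(w1_cells, m):
    """(cell, bit) positions of w0 that influence any of the given w1 cells, found by
    probing the (linear) extension map with unit vectors rather than by hand."""
    n, cmask = 16 * m, (1 << m) - 1
    needed = set()
    for cell in range(16):
        for bit in range(m):
            w1 = extend_w0(1 << (n - m * (cell + 1) + bit), m)
            if any((w1 >> (n - m * (tc + 1))) & cmask for tc in w1_cells):
                needed.add((cell, bit))
    return needed


def extra_w0_bits_to_guess(known_w0_cells, target_w1_cells, m):
    """Bits of w0 outside the known cells that are still needed for the target w1 cells."""
    return {(c, b) for (c, b) in w0_bits_feeding(target_w1_cells, m)
            if c not in known_w0_cells}


if __name__ == "__main__":
    print("M1 involutory:", is_involution(M1, 4), " M2 involutory:", is_involution(M2, 8))
    print("Property 1:", property1_holds(), " Property 2:", property2_holds())
    cells = {0, 1, 4, 5, 14, 15}
    print("extra w0 bits (cell, bit) needed for w1 cells", sorted(cells), ":",
          sorted(extra_w0_bits_to_guess(cells, cells, 8)))
```

Property 1 is checked exhaustively (all 2^16 nibble columns); Property 2 and the involution checks use seeded random columns, which is enough to catch a wrong exponent in either matrix. The key-schedule probe is deliberately generic: it derives which bits of w0 reach a given w1 cell from the map itself, so the same function answers the analogous question for any other choice of guessed cells.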
In the first round, a short version of the Forward Round Function is used, which omits the ShuffleCells and MixColumns operations. Besides, the tweak T is updated by a tweak update function after AddRoundTweakey. In the tweak update function, the cells of the tweak are first permuted as h(T) = T[h(0)] || T[h(1)] || ⋯ || T[h(15)], where h is defined by h = [6,5,14,15,0,1,2,3,7,12,13,4,8,9,10,11]. Then an LFSR ω updates the tweak cells with indexes 0, 1, 3, 4, 8, 11 and 13. For m=4, ω is a maximal-period LFSR that maps the cell (b3,b2,b1,b0) to (b0+b1, b3, b2, b1). For m=8, it maps the cell (b7,b6,…,b0) to (b0+b2, b7, b6, …, b1). The Backward Round Function R̄(IS; tk) is the inverse of the forward round function; the tweak update using the inverse LFSR ω̄ and the inverse permutation h̄ must be applied before AddRoundTweakey. Besides, an additional constant α is always XORed to the tweakey tk. The Central Construction is defined as follows:

A forward round R.
The pseudo-reflector (IS; tk), i.e. ShuffleCells, multiplication of the state by the involutory matrix Q (which equals M), AddRoundTweakey (the round tweakey tk is XORed to the state) and inverse ShuffleCells.
A backward round R̄.

For the first r+1 rounds of QARMAr, we denote the internal state after the AddRoundTweakey, ShuffleCells, MixColumns and SubCells operations of round i by xi, yi, zi and vi, respectively, while for the last r+1 rounds we denote the corresponding states by xi′, yi′, zi′ and vi′, as shown in Fig. 2. Sometimes we perform the key addition after the MixColumns operation; in that case we use the equivalent key u0 = M·τ(k0) and denote the resulting state by si.
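The tweak update just described, combined with the tweak-difference cancellation idea the paper borrows from [14], is what gives the distinguishers of Theorems 3.1 and 4.1 their blank round. The Python below is an added example, not code from the paper: it implements h and ω, checks that ω has maximal period 15 for m=4, and traces at cell level how a single-cell difference injected through the tweak cancels an equal state difference at one AddRoundTweakey, re-enters one round later through the updated tweak, and is then spread by ShuffleCells and MixColumns. MixColumns is tracked only as an activity pattern using the zero/non-zero structure of M (a single active cell times a non-zero power of ρ is always non-zero, so one active input cell yields exactly the three other cells of its column), which is enough to reproduce the active cells z4[0,4,12] of Theorem 3.1 and z3[5,9,13] of Theorem 4.1 without implementing the full cipher. Conventions assumed: h(T)[i] = T[h[i]] and τ(X)[i] = X[τ[i]] as written in the paper, bit 0 of a cell is its least significant bit, and column j of the state holds cells j, j+4, j+8 and j+12.

```python
"""Added example, not the paper's code: QARMA's tweak update (cell permutation h, then
the LFSR omega on cells 0,1,3,4,8,11,13) and a cell-level trace of the tweak-difference
cancellation that gives the distinguishers a blank round.  Assumed conventions:
h(T)[i] = T[h[i]], tau(X)[i] = X[tau[i]], bit 0 of a cell is its LSB, and column j of
the 4x4 state holds cells j, j+4, j+8, j+12."""

H = [6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]
TAU = [0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]
LFSR_CELLS = {0, 1, 3, 4, 8, 11, 13}
# Zero pattern shared by M1 and M2: every off-diagonal entry is a non-zero power of rho.
M_NONZERO = [[i != j for j in range(4)] for i in range(4)]


def omega(x, m):
    """The LFSR omega on one m-bit tweak cell (b_{m-1}, ..., b_0), b_{m-1} being the MSB."""
    if m == 4:
        fb = (x & 1) ^ ((x >> 1) & 1)       # b0 + b1
    elif m == 8:
        fb = (x & 1) ^ ((x >> 2) & 1)       # b0 + b2
    else:
        raise ValueError("m must be 4 or 8")
    return (fb << (m - 1)) | (x >> 1)


def tweak_update(t, m):
    """One tweak update: permute the 16 cells by h, then clock omega on LFSR_CELLS."""
    t = [t[H[i]] for i in range(16)]
    return [omega(c, m) if i in LFSR_CELLS else c for i, c in enumerate(t)]


def lfsr_period(m, start=1):
    """Number of omega steps needed to return to a non-zero start value."""
    x, steps = omega(start, m), 1
    while x != start:
        x, steps = omega(x, m), steps + 1
    return steps


def active_after_mixcolumns(active):
    """Truncated propagation through M: output cell (row i, col j) may be active iff some
    active input cell (row r, col j) has M[i][r] != 0."""
    out = set()
    for c in active:
        row, col = divmod(c, 4)
        out |= {4 * i + col for i in range(4) if M_NONZERO[i][row]}
    return out


def trace_blank_round(m, cell, diff=1):
    """Inject equal differences 'diff' into tweak cell and state cell 'cell' at the
    AddRoundTweakey of round r.  Returns (delta x_r, active tweak cells of round r+1,
    active cells after ShuffleCells of round r+1, active cells after its MixColumns)."""
    dt = [0] * 16
    dt[cell] = diff
    dv = list(dt)                               # matching state difference, same cell
    dx_r = [a ^ b for a, b in zip(dv, dt)]      # AddRoundTweakey: differences cancel
    assert not any(dx_r)                        # ... so round r is blank
    dt_next = tweak_update(dt, m)               # the update is linear: a difference updates like a value
    active_t = {i for i, c in enumerate(dt_next) if c}
    dy_next = [dt_next[TAU[i]] for i in range(16)]   # delta x_{r+1} = delta t_{r+1}; then ShuffleCells
    active_y = {i for i, c in enumerate(dy_next) if c}
    return dx_r, active_t, active_y, active_after_mixcolumns(active_y)


if __name__ == "__main__":
    print("period of omega for m=4:", lfsr_period(4))
    for m, cell in ((8, 1), (4, 4)):            # the delta-set positions of Theorems 3.1 and 4.1
        _, at, ay, az = trace_blank_round(m, cell)
        print(f"m={m}: tweak difference in cell {cell} -> next tweak {sorted(at)}, "
              f"after ShuffleCells {sorted(ay)}, after MixColumns {sorted(az)}")
```

For m=8 the difference in tweak cell 1 lands in cell 5 of the next tweak (cell 5 is not an LFSR cell, so its value is unchanged), ShuffleCells moves it to cell 8, and MixColumns activates the other three cells of column 0, namely 0, 4 and 12. For m=4 the difference in cell 4 lands in LFSR cell 11 (still active, since ω is a bijection on non-zero values), moves to cell 1, and activates cells 5, 9 and 13.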
Figure 2. Meet-in-the-middle attack on QARMA4-128. Black (gray) bytes are required in the online (offline) phase to propagate the difference. Differences in dotted bytes can be deduced in the online or offline phase. There is no difference in the white bytes. Hatched cells play no role. Note that M and Q are the same involutory matrix.

For QARMAr-64, the designer chooses r=7, i.e. 16 rounds, and for QARMAr-128 he chooses r=11, i.e. 24 rounds. For more details about QARMA, one can refer to [3].

2.3. Some definitions and properties

The following definitions and properties are used in our attacks.

Definition 1 (δ-set and ordered δ-set [11]). Let a δ-set be a set of 2^m QARMA states that are all different in one state cell (the active cell) and all equal in the other state cells (the inactive cells). An ordered δ-set is a δ-set {x^0, x^1, …, x^(2^m−1)} such that the difference in the active cell between x^0 and x^i is equal to i for 0≤i≤2^m−1.

The matrix M used in the MixColumns operation is an Almost MDS matrix over the quotient ring R_m = F2[X]/(X^m+1). The image ρ of X satisfies ρ^m = 1, and {1, ρ, ρ^2, …, ρ^(m−1)} is a basis of R_m as an F2-vector space. Thus, multiplication by ρ^i in the ring R_m is just a circular left rotation by i bits, i.e., ρ^i·x = x⋘i. More specifically, M1 is used for QARMA-64 and M2 is used for QARMA-128:

M1 = [ 0    ρ    ρ^2  ρ   ]        M2 = [ 0    ρ    ρ^4  ρ^5 ]
     [ ρ    0    ρ    ρ^2 ]             [ ρ^5  0    ρ    ρ^4 ]
     [ ρ^2  ρ    0    ρ   ]             [ ρ^4  ρ^5  0    ρ   ]
     [ ρ    ρ^2  ρ    0   ]             [ ρ    ρ^4  ρ^5  0   ]

For the Almost MDS matrix M1 used in QARMA-64, we have the following property.

Property 1. Consider a pair (a, b) of 4-nibble vectors such that b = M1·a. If a = (a[0], a[1], a[2], a[3]) and b = (b[0], b[1], b[2], b[3]), then b[i] ⊕ b[i+2] = ρ^2·a[i] ⊕ ρ^2·a[i+2] for i = 0, 1.

Proof. Since b[0] = ρ·a[1] ⊕ ρ^2·a[2] ⊕ ρ·a[3] and b[2] = ρ^2·a[0] ⊕ ρ·a[1] ⊕ ρ·a[3], we get b[0] ⊕ b[2] = ρ^2·a[0] ⊕ ρ^2·a[2]. Similarly, we have b[1] ⊕ b[3] = ρ^2·a[1] ⊕ ρ^2·a[3]. □

For the Almost MDS matrix M2 used in QARMA-128, we have a similar property.

Property 2. Consider a pair (a, b) of 4-byte vectors such that b = M2·a. If a = (a[0], a[1], a[2], a[3]) and b = (b[0], b[1], b[2], b[3]), then ρ^4·b[i] ⊕ b[i+2] = ρ^4·a[i] ⊕ a[i+2] for i = 0, 1.

Note that since both matrices are involutory, the two properties above also apply to the corresponding inverse matrices M̄1 and M̄2.

2.4. Related work

In [3], the designer claims the security of QARMA in the following security model:

“We shall assume the attacker does not have control on the key, but she may have full control on the tweak. A TBC is understood to offer n bits of (time-data tradeoff) security if no better attacks are possible than time 2^(n−d−ε) with 2^d chosen or known {plaintext, ciphertext, tweak} triples, for a small ε (e.g. 2).”

From the above statement, for a valid attack on QARMA-n with a data complexity of 2^D, the time complexity should be less than 2^(2n−D−ε). Zong and Dong [17] propose meet-in-the-middle attacks on 10-round QARMA with the outer whitening removed. However, neither of their attacks keeps the symmetry of QARMA; more specifically, they attack 10-round QARMA with four Forward Rounds and six Backward Rounds. More importantly, the offline complexity of their attacks is very high. For QARMA-64, their data complexity is 2^53 while the offline time complexity is about 2^116, which exceeds 2^(128−53) = 2^75. For QARMA-128, their data complexity is 2^105 while the offline time complexity is about 2^232, which exceeds 2^(256−105) = 2^151.

3. MEET-IN-THE-MIDDLE ATTACK ON QARMA4-128

In the meet-in-the-middle attack, a block cipher is first divided into three parts, E_K = E^2_{k2} ∘ E_d ∘ E^1_{k1}, where a meet-in-the-middle distinguisher is constructed on the middle rounds E_d. The attack consists of two phases: an offline phase and an online phase. In the offline phase, the distinguisher is constructed and all possible values of a sequence are stored in a hash table.
In the online phase, some key bits of k1 and k2 are guessed, and only the right guess will be kept. In this section, the meet-in-the-middle attack is applied to QARMA4-128 including the outer whitening, as in Fig. 2. First, we propose a five-round meet-in-the-middle distinguisher on QARMA-128 by using the freedom of the tweak and the property of the MixColumns operation. Then, we mount an attack on QARMA4-128 by extending the distinguisher by three rounds on the top and two rounds on the bottom.

3.1. Distinguisher on five-round QARMA-128

The following Theorem 3.1 describes the five-round meet-in-the-middle distinguisher we construct, where e represents ρ^4·z2′[5] ⊕ z2′[13], which equals ρ^4·y2′[5] ⊕ y2′[13] according to Property 2.

Theorem 3.1. Let {v2^0, v2^1, …, v2^255} and {t3^0, t3^1, …, t3^255} be two ordered δ-sets with v2^d[1] ⊕ v2^0[1] = t3^d[1] ⊕ t3^0[1] = d for 0≤d≤255. Consider the encryption of v2^a (0≤a≤31) under tweak t3^a through 5-round QARMA-128. Then the corresponding 248-bit ordered sequence (e^1⊕e^0, e^2⊕e^0, …, e^31⊕e^0) takes only about 2^144 values (out of the 2^248 theoretically possible values).

Proof. To prove this, we show that the sequence (e^1⊕e^0, e^2⊕e^0, …, e^31⊕e^0) is determined by 18 bytes, namely

z4^0[0,4,12] || v4′^0[1,3,5,6,9,10,11,14,15] || v3′^0[4,7,11,12] || v2′^0[5,13].

In the following proof, we denote by ΔX^a the difference between X^a and X^0. Since the tweak update function is linear, we can deduce Δt4^a from Δt3^a. As Δv2^a[1] = Δt3^a[1], we have Δx3^a = 0. Therefore, we can propagate Δt4^a through the linear operations to obtain Δz4^a[0,4,12]. Then, we can pass through the S-box layer to get Δv4^a[0,4,12] with the knowledge of z4^0[0,4,12]. Similarly, we can deduce the difference Δz4′^a[1,3,5,6,9,10,11,14,15] with the value v4′^0[1,3,5,6,9,10,11,14,15]. Furthermore, we can deduce the difference Δz3′^a[4,7,11,12] with the value v3′^0[4,7,11,12]. Since Δz3′^a[0,15] = 0, we can deduce Δy3′^a[3,8]. Finally, with the value v2′^0[5,13], we can get the difference Δy2′^a[5,13], which is used to deduce e^a ⊕ e^0. So, the sequence (e^1⊕e^0, e^2⊕e^0, …, e^31⊕e^0) takes about 2^144 values. □

3.2. Attack on QARMA4-128

Based on the above five-round distinguisher, we mount an attack on QARMA4-128. First, in the offline phase we precompute all the 2^144 sequences according to the proof of Theorem 3.1 and store them in a hash table H. Second, in the online phase we guess some key bits, identify a δ-set and compute the corresponding sequence. Then we check whether the sequence exists in H. In the online phase, we fully use the relations between the round keys to reduce the time complexity. The online phase proceeds as follows.

1. Choose a set of 2^80 plaintexts where P[0,1,3,4,5,6,11,12,14,15] take all possible values while the other six bytes are constants. Ask for the encryption of each plaintext in the set under 2^8 tweaks where T[5] takes all 2^8 possible values while the other 15 bytes are constants. In total, we require the ciphertexts of 2^88 plaintext-tweak combinations.
2. Pick one of the plaintext-tweak combinations; denote the plaintext by P^0, the tweak by T^0 and the corresponding ciphertext by C^0. Deduce the values t1^0, t2^0, t3^0 from T^0.
3. Guess (w0⊕k0)[0,1,3,4,5,6,11,12,14,15] and partially encrypt P^0 under tweak T^0 to get v0^0[0,1,3,4,5,6,11,12,14,15]. Then guess u0[1,4,5,14] to get the values v1^0[1,4,5,14] and v2^0[1].
4. Guess u0[0,8,9,12,13] and then deduce k0[0,1,4,5,10,11,14,15]. By XORing the corresponding bytes of k0 with w0⊕k0, we get w0[0,1,4,5,14,15]. Since w1 = (w0⋙1) ⊕ (w0≫127), w1[0,1,4,5,14,15] can be deduced by additionally guessing the two bits w0[3]|0 and w0[13]|0. Then we obtain (w1⊕k0)[0,1,4,5,14,15]. Therefore, we can partially decrypt the ciphertext C^0 under T^0 to get x0′[0,1,4,5,14,15] and s1′[1,4].
5. For each of the 2^154 guessed keys and their corresponding values v0^0[0,1,3,4,5,6,11,12,14,15], v1^0[1,4,5,14], v2^0[1], x0′[0,1,4,5,14,15] and s1′[1,4], do the following substeps:
   (a) Denote the ordered δ-set containing v2^0 by {v2^0, v2^1, …, v2^255} and the ordered δ-set containing t3^0 by {t3^0, t3^1, …, t3^255}, where the active bytes of the two δ-sets are placed in the same position, i.e. byte 1 of the corresponding state.
   (b) For (v2^i ⊕ v2^0, t3^i ⊕ t3^0) (1≤i≤31), propagate the difference from the state v2 to the plaintext. Thus we obtain the corresponding ciphertext difference C^i ⊕ C^0 and then propagate the difference from the ciphertext to the state y2′. Therefore, we obtain the sequence (e^1⊕e^0, e^2⊕e^0, …, e^31⊕e^0).
   (c) Check whether the sequence exists in the hash table H. If not, discard the corresponding subkey. Thus a wrong subkey passes this test with probability 2^144 × 2^−248 = 2^−104.

In the end, about 1 + 2^154 × 2^−104 ≈ 2^50 candidates for u0[0,1,4,5,8,9,12,13,14], (w0⊕k0)[0,1,3,4,5,6,11,12,14,15] are left. Then we can retrieve the master key by exhaustive search without increasing the overall complexity.

Complexity analysis. The data complexity of the attack is 2^88 plaintext-tweak combinations and the memory complexity is about 2^144 × 2 = 2^145 128-bit blocks. The time complexity of the offline phase is about 2^144 × 2^5 × 2^−3 = 2^146 QARMA4-128 encryptions, while the time complexity of the online phase is about 2^154 × 2^5 × 2^−3 = 2^156 QARMA4-128 encryptions, since we assume that processing each value of the ordered δ-set costs about 2^−3 of a QARMA4-128 encryption. In total, the time complexity of the attack is 2^156, which is much less than 2^(256−88) = 2^168.

4. MEET-IN-THE-MIDDLE ATTACK ON QARMA3-64

In this section, we apply the meet-in-the-middle attack to QARMA3-64 including the outer whitening, as in Fig. 3. First, we propose a five-round meet-in-the-middle distinguisher on QARMA-64. Then, we mount an attack on QARMA3-64 based on this distinguisher.
Finally, we show that this attack can be extended to an attack on nine-round QARMA-64 without affecting the attack complexity.

Figure 3. Meet-in-the-middle attack on QARMA3-64. Black (gray) nibbles are required in the online (offline) phase to propagate the difference. Differences in dotted nibbles can be deduced in the online or offline phase. There is no difference in the white nibbles. Hatched nibbles play no role.

4.1. Distinguisher on five-round QARMA-64

The meet-in-the-middle distinguisher on QARMA-64 presented in Theorem 4.1 is quite similar to the distinguisher on QARMA-128, except that the active nibble of the ordered δ-set takes a different position in order to decrease the number of guessed key bits in the online phase. Besides, we choose four nibbles to construct the sequence in order to obtain a sufficiently small probability for filtering the wrong keys. Hereinafter e represents (ρ^2·z1′[1] ⊕ ρ^2·z1′[9]) || (ρ^2·z1′[3] ⊕ ρ^2·z1′[11]), which equals (y1′[1] ⊕ y1′[9]) || (y1′[3] ⊕ y1′[11]) according to Property 1.

Theorem 4.1. Let {v1^0, v1^1, …, v1^15} and {t2^0, t2^1, …, t2^15} be two ordered δ-sets with v1^d[4] ⊕ v1^0[4] = t2^d[4] ⊕ t2^0[4] = d for 0≤d≤15. Consider the encryption of v1^d under tweak t2^d through five-round QARMA-64. Then the corresponding 120-bit ordered sequence (e^1⊕e^0, e^2⊕e^0, …, e^15⊕e^0) takes only about 2^88 values (out of the 2^120 theoretically possible values).

Proof. As in the proof of Theorem 3.1, this 120-bit sequence is determined by the following 22 nibbles:

z3^0[5,9,13] || v3′^0[0,2,3,6,7,8,10,12,15] || v2′^0[2,5,6,9,10,13] || v1′^0[1,3,9,11]. □

4.2. Attack on QARMA3-64

By appending two rounds on the top of the distinguisher and one round on the bottom, the attack on QARMA3-64 is obtained. In the offline phase, we precompute the 2^88 values of the sequence described in Theorem 4.1 and store them in a hash table H. The online phase proceeds as follows.

1. Choose a set of 2^16 plaintexts where P[0,5,6,15] take all possible values while the other 12 nibbles are constants. Ask for the encryption of each plaintext in the set under a tweak T satisfying T[6] = P[6], while the other 15 nibbles of T are constants. In total, we require the ciphertexts of 2^16 plaintext-tweak combinations.
2. Pick one of the plaintext-tweak combinations; denote the plaintext by P^0, the tweak by T^0 and the corresponding ciphertext by C^0. Deduce the values t1^0, t2^0 from T^0.
3. Guess (w0⊕k0)[0,5,15] and partially encrypt P^0 under tweak T^0 to get v0^0[0,5,15]. Then guess u0[4] to get the value v1^0[4].
4. Guess (w1⊕k0)[8,11,13,14] and then partially decrypt the ciphertext C^0 under T^0 to get x0′[8,11,13,14].
5. For each of the 2^32 guessed keys and their corresponding values v0^0[0,5,15], v1^0[4], x0′[8,11,13,14], do the following substeps:
   (a) Denote the ordered δ-set containing v1^0 by {v1^0, v1^1, …, v1^15} and the ordered δ-set containing t2^0 by {t2^0, t2^1, …, t2^15}, where the active nibbles of the two δ-sets are both placed in nibble 4.
   (b) For (v1^i ⊕ v1^0, t2^i ⊕ t2^0) (1≤i≤15), propagate the difference from the state v1 to the plaintext. Thus we obtain the corresponding ciphertext difference C^i ⊕ C^0 and then propagate the difference from the ciphertext to the state y1′. Therefore, we obtain the sequence (e^1⊕e^0, e^2⊕e^0, …, e^15⊕e^0).
   (c) Check whether the sequence exists in the hash table H. If not, discard the corresponding subkey. Thus a wrong subkey passes this test with probability 2^88 × 2^−120 = 2^−32.

In the end, about 1 + 2^32 × 2^−32 ≈ 2 values of the key nibbles (w0⊕k0)[0,5,15], (w1⊕k0)[8,11,13,14], u0[4] are left.

Complexity analysis. The data complexity of the attack is 2^16 plaintext-tweak combinations and the memory complexity is 2^88 × 2 = 2^89 64-bit blocks. The time complexity of the offline phase is about 2^88 × 2^4 × 2^−3 = 2^89 QARMA3-64 encryptions, while the time complexity of the online phase is about 2^32 × 2^4 × 2^−3 = 2^33 QARMA3-64 encryptions, since we assume that processing each value of the ordered δ-set costs about 2^−3 of a QARMA3-64 encryption. In total, the time complexity of the attack is 2^89, which is much less than 2^(128−16) = 2^112.

Recovering the master key. In the above attack, only eight key nibbles are recovered. If we performed an exhaustive search to find the missing key nibbles, the complexity of the whole attack would increase drastically. Instead, we replay the above attack with a different distinguisher to recover further key nibbles. In the offline phase we keep the active nibbles of the two ordered δ-sets unchanged and let e represent (ρ^2·z1′[4] ⊕ ρ^2·z1′[12]) || (ρ^2·z1′[6] ⊕ ρ^2·z1′[14]), which equals (y1′[4] ⊕ y1′[12]) || (y1′[6] ⊕ y1′[14]) according to Property 1, and construct the corresponding sequence. Thus the key nibbles (w1⊕k0)[9,10,12,15] can be recovered in the online phase. Now we have recovered the key nibbles (w0⊕k0)[0,5,15], (w1⊕k0)[8,9,10,11,12,13,14,15] and u0[4]. Then an exhaustive search can be performed to recover the master key without increasing the overall complexity. The data complexity of this attack is still 2^16, while the time complexity and the memory complexity increase by a factor of 2 and become 2^90 QARMA3-64 encryptions and 2^90 64-bit blocks, respectively.

4.3. Attack on nine-round QARMA-64

The above basic attack on QARMA3-64, which recovers the key nibbles (w0⊕k0)[0,5,15], (w1⊕k0)[8,11,13,14] and u0[4], can easily be turned into an attack on nine-round QARMA-64 with four Forward Rounds and five Backward Rounds by adding one round at the end.
In order to perform this attack, we have to guess 12 more key nibbles, so the time complexity of the online phase increases by a factor of 2^48. Finally, the master key can be recovered by an exhaustive search. Since the time complexity of the whole attack is still dominated by that of the offline phase, the complexity of this attack remains unchanged: the time complexity is 2^89 encryptions, the memory complexity is 2^88 × 2 = 2^89 64-bit blocks and the data complexity is 2^16 plaintext-tweak combinations.

5. CONCLUSION

This paper studies meet-in-the-middle attacks on reduced-round QARMA-64 and QARMA-128. By fully using the properties of the MixColumns operation and the freedom of the tweak, meet-in-the-middle distinguishers on 5-round QARMA-64 and QARMA-128 are proposed. Then, meet-in-the-middle attacks on QARMA4-128 and QARMA3-64 are constructed based on the corresponding distinguishers. Besides, the attack on QARMA3-64 can be extended to an attack on 9-round QARMA-64. As far as we know, these are the first attacks on the QARMA block ciphers including the outer whitening keys.

FUNDING

This work was supported by the National Natural Science Foundation of China [grant numbers 61772547, 61402523 and 61272488].

ACKNOWLEDGEMENTS

We thank the anonymous reviewers for their insightful comments and suggestions.

REFERENCES

1. ARM Connected Blog. ARMv8-A architecture: 2016 additions. https://www.community.arm.com/processors/b/blog/posts/armv8-a-architecture-2016-additions (accessed November 30, 2017).
2. Qualcomm Product Security. Pointer Authentication on ARMv8.3: design and analysis of the new software security instructions. https://www.qualcomm.com/documents/whitepaper-pointer-authentication-armv83 (accessed November 30, 2017).
3. Avanzi, R. (2017) The QARMA block cipher family. Almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes. IACR Trans. Symmetric Cryptol., 2017, 4–44.
4. Borghoff, J. et al. (2012) PRINCE: a low-latency block cipher for pervasive computing applications. In Proc. ASIACRYPT 2012, Beijing, China, December 2–6, pp. 208–225. Springer, Berlin.
5. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T. and Regazzoni, F. (2015) Midori: a block cipher for low energy. In Proc. ASIACRYPT 2015 Part II, New Zealand, November 29–December 3, pp. 411–436. Springer, Berlin.
6. Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P. and Sim, S.M. (2016) The SKINNY family of block ciphers and its low-latency variant MANTIS. In Proc. CRYPTO 2016 Part II, Santa Barbara, CA, USA, August 14–18, pp. 123–153. Springer, Berlin.
7. Demirci, H. and Selçuk, A.A. (2008) A meet-in-the-middle attack on 8-round AES. In Proc. Fast Software Encryption 2008, Lausanne, Switzerland, February 10–13, pp. 116–126. Springer, Berlin.
8. Dunkelman, O., Keller, N. and Shamir, A. (2010) Improved single-key attacks on 8-round AES-192 and AES-256. In Proc. ASIACRYPT 2010, Singapore, December 5–9, pp. 158–176. Springer, Berlin.
9. Derbez, P., Fouque, P. and Jean, J. (2013) Improved key recovery attacks on reduced-round AES in the single-key setting. In Proc. EUROCRYPT 2013, Athens, Greece, May 26–30, pp. 371–387. Springer, Berlin.
10. Derbez, P. and Fouque, P. (2013) Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In Proc. Fast Software Encryption 2013, Singapore, March 11–13, pp. 541–560. Springer, Berlin.
11. Derbez, P. and Perrin, L. (2015) Meet-in-the-middle attacks and structural analysis of round-reduced PRINCE. In Proc. Fast Software Encryption 2015, Istanbul, Turkey, March 8–11, pp. 190–216. Springer, Berlin.
12. Biryukov, A., Derbez, P. and Perrin, L. (2015) Differential analysis and meet-in-the-middle attack against round-reduced TWINE. In Proc. Fast Software Encryption 2015, Istanbul, Turkey, March 8–11, pp. 3–27. Springer, Berlin.
13. Lin, L., Wu, W. and Zheng, Y. (2015) Improved meet-in-the-middle distinguisher on Feistel schemes. In Proc. Selected Areas in Cryptography 2015, Sackville, NB, Canada, August 12–14, pp. 122–142. Springer, Berlin.
14. Dobraunig, C., Eichlseder, M. and Mendel, F. (2016) Square attack on 7-round Kiasu-BC. In Proc. Applied Cryptography and Network Security 2016, Guildford, UK, June 19–22, pp. 500–517. Springer, Berlin.
15. Dobraunig, C. and List, E. (2017) Impossible-differential and boomerang cryptanalysis of round-reduced Kiasu-BC. In Proc. CT-RSA 2017, San Francisco, CA, USA, February 14–17, pp. 207–222. Springer, Berlin.
16. Tolba, M., Abdelkhalek, A. and Youssef, A.M. (2016) A meet-in-the-middle attack on reduced round Kiasu-BC. IEICE Trans. Fundam. Electron. Commun. Comput. Sci., E99-A, 1888–1890.
17. Zong, R. and Dong, X. Meet-in-the-middle attack on QARMA block cipher. Cryptology ePrint Archive, Report 2016/1160, http://eprint.iacr.org/2016/1160 (accessed November 30, 2017).

Handling editor: Keith Martin

Journal

The Computer Journal, Oxford University Press

Published: May 4, 2018

