Paper 2023/1833

Cryptanalysis of QARMAv2

Hosein Hadipour, Graz University of Technology, Austria
Yosuke Todo, NTT, Japan
Abstract

QARMAv2 is a general-purpose and hardware-oriented family of lightweight tweakable block ciphers (TBCs) introduced in ToSC 2023. QARMAv2, as a redesign of QARMAv1 with a longer tweak and tighter security margins, is also designed to be suitable for cryptographic memory protection and control flow integrity. The designers of QARMAv2 provided a relatively comprehensive security analysis in the design specification, e.g., some bounds on the number of attacked rounds in differential and boomerang analysis, together with some concrete impossible differential, zero-correlation, and integral distinguishers. In one of the first third-party cryptanalyses of QARMAv2, Hadipour et al. significantly improved the integral distinguishers of QARMAv2 and provided the longest concrete distinguishers of QARMAv2 to date. However, they provided no key recovery attack based on their distinguishers. This paper delves into the cryptanalysis of QARMAv2 to enhance our understanding of its security. Given that the integral distinguishers of QARMAv2 are the longest concrete distinguishers for this cipher so far, we focus on integral attacks. To this end, we first further improve the automatic tool introduced by Hadipour et al. for finding integral distinguishers of TBCs following the TWEAKEY framework. This new tool exploits the MixColumns property of QARMAv2 to find integral distinguishers more suitable for key recovery attacks. Then, we combine several techniques for integral key recovery attacks, e.g., the meet-in-the-middle and partial-sum techniques, to build a fine-grained integral key recovery attack on QARMAv2. Notably, we demonstrate how to leverage the low data complexity of the integral distinguishers of QARMAv2 to reduce the memory complexity of the meet-in-the-middle technique. As a result, we successfully present the first concrete key recovery attacks on reduced-round versions of QARMAv2. This includes attacking 13 rounds of QARMAv2-64-128 with a single tweak block ($\mathscr{T} = 1$), 14 rounds of QARMAv2-64-128 with two independent tweak blocks ($\mathscr{T} = 2$), and 16 rounds of QARMAv2-128-256 with two independent tweak blocks ($\mathscr{T} = 2$), all in an unbalanced setting. Our attacks do not compromise the claimed security of QARMAv2, but they shed more light on the cryptanalysis of this cipher.

Note: We have slightly updated our attack on QARMAv2-64-128 ($\mathscr{T} = 1$), and the source code of our tool is available at: https://github.com/hadipourh/QARMAnalysis

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
A minor revision of an IACR publication in TOSC 2024
DOI
10.46586/tosc.v2024.i1.188-213
Keywords
Cryptanalysis; Integral attacks; Partial-sum technique; Constraint programming (CP); QARMAv2; QARMA
Contact author(s)
hsn hadipour @ gmail com
todo yosuke @ gmail com
History
2024-06-16: last of 6 revisions
2023-11-29: received
Short URL
https://ia.cr/2023/1833
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1833,
      author = {Hosein Hadipour and Yosuke Todo},
      title = {Cryptanalysis of {QARMAv2}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1833},
      year = {2023},
      doi = {10.46586/tosc.v2024.i1.188-213},
      url = {https://eprint.iacr.org/2023/1833}
}