Differential Cryptanalysis of the Reduced Pointer Authentication Code Function used in Arm’s FEAT_PACQARMA3 Feature

Roberto Avanzi; Orr Dunkelman; Shibam Ghosh

Paper 2025/321

Differential Cryptanalysis of the Reduced Pointer Authentication Code Function used in Arm’s FEAT_PACQARMA3 Feature

Roberto Avanzi, University of Haifa, Haifa, Israel

Orr Dunkelman, University of Haifa, Haifa, Israel, TU Berlin, Germany

Shibam Ghosh, University of Haifa, Haifa, Israel, Inria, Paris, France

Abstract

The Pointer Authentication Code ( $PAC$ ) feature in the Arm architecture is used to enforce the Code Flow Integrity ( $CFI$ ) of running programs. It does so by generating a short $MAC$ - called the $PAC$ - of the return address and some additional context information upon function entry, and checking it upon exit. An attacker that wants to overwrite the stack with manipulated addresses now faces an additional hurdle, as they now have to guess, forge, or reuse values. is deployed on billions of devices as a first line of defense to harden system software and complex programs against software exploitation. The original version of the feature uses a 12-round version the block cipher. The output is then truncated to between 3 and 32 bits, in order to be inserted into unused bits of 64-bit pointers. A later revision of the specification allows the use of an 8-round version of . This reduction may introduce vulnerabilities such as high-probability distinguishers, potentially enabling key recovery attacks. The present paper explores this avenue. A cryptanalysis of the computation function entails restricting the inputs to valid virtual addresses, meaning that certain most significant bits are fixed to zero, and considering only the truncated output. Within these constraints, we present practical attacks on various configurations. These attacks, while not presenting immediate threat to the mechanism, show that some versions of the feature do miss the security targets made for the original function. This offers new insights into the practical security of constructing from truncated block ciphers, expanding on the mostly theoretical understanding of creating PRFs from truncated PRPs. We note that the results do not affect the security of when used with the recommended number of rounds for general purpose applications.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Published by the IACR in TOSC 2025
Keywords: Tweakable Block Ciphers Lightweight Cryptography Pseudo-Random Functions Pseudo-Random Permutations
Contact author(s): roberto avanzi @ icloud com
orrd @ cs haifa ac il
shibam ghosh @ inria fr
History: 2025-02-26: revised; 2025-02-21: received; See all versions
Short URL: https://ia.cr/2025/321
License: CC BY

BibTeX

@misc{cryptoeprint:2025/321,
      author = {Roberto Avanzi and Orr Dunkelman and Shibam Ghosh},
      title = {Differential Cryptanalysis of the Reduced Pointer Authentication Code Function used in Arm’s {FEAT_PACQARMA3} Feature},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/321},
      year = {2025},
      url = {https://eprint.iacr.org/2025/321}
}