Cryptanalysis of QARMAv2

Hosein Hadipour, Yosuke Todo
DOI: 10.46586/tosc.v2024.i1.188-213
Journal (as recorded in the index): IACR Cryptol. ePrint Arch., vol. 24 10, p. 1833
Publication date: 2024-03-01
Citations: 0

Abstract

QARMAv2 is a general-purpose and hardware-oriented family of lightweight tweakable block ciphers (TBCs) introduced in ToSC 2023. QARMAv2, a redesign of QARMAv1 with a longer tweak and tighter security margins, is also designed to be suitable for cryptographic memory protection and control-flow integrity. The designers of QARMAv2 provided a relatively comprehensive security analysis in the design specification, e.g., bounds on the number of attacked rounds in differential and boomerang analysis, together with some concrete impossible-differential, zero-correlation, and integral distinguishers. In one of the first third-party cryptanalyses of QARMAv2, Hadipour et al. [HGSE24] significantly improved the integral distinguishers of QARMAv2 and provided the longest concrete distinguishers of QARMAv2 to date. However, they provided no key recovery attack based on their distinguishers. This paper delves into the cryptanalysis of QARMAv2 to enhance our understanding of its security. Given that the integral distinguishers of QARMAv2 are the longest concrete distinguishers for this cipher so far, we focus on integral attacks. To this end, we first further improve the automatic tool introduced by Hadipour et al. [HSE23, HGSE24] for finding integral distinguishers of TBCs following the TWEAKEY framework. This new tool exploits the MixColumns property of QARMAv2 to find integral distinguishers better suited to key recovery attacks. Then, we combine several techniques for integral key recovery attacks, e.g., the meet-in-the-middle and partial-sum techniques, to build a fine-grained integral key recovery attack on QARMAv2. Notably, we demonstrate how to leverage the low data complexity of the integral distinguishers of QARMAv2 to reduce the memory complexity of the meet-in-the-middle technique. As a result, we present the first concrete key recovery attacks on reduced-round versions of QARMAv2. These include attacks on 13 rounds of QARMAv2-64-128 with a single tweak block (T = 1), 14 rounds of QARMAv2-64-128 with two independent tweak blocks (T = 2), and 16 rounds of QARMAv2-128-256 with two independent tweak blocks (T = 2), all in an unbalanced setting. Our attacks do not compromise the claimed security of QARMAv2, but they shed more light on the cryptanalysis of this cipher.