QARMA

QARMA (from Qualcomm ARM Authenticator¹) is a lightweight tweakable block cipher primarily known for its use in the ARMv8 architecture for protection of software as a cryptographic hash for the Pointer Authentication Code.² The cipher was proposed by Roberto Avanzi in 2016.²³ Two versions of QARMA are defined: QARMA-64 (64-bit block size with a 128-bit encryption key) and QARMA-128 (128-bit block size with a 256-bit key). The design of the QARMA was influenced by PRINCE and MANTIS.³ The cipher is intended for fully-unrolled hardware implementations with low latency (like memory encryption). Unlike the XTS mode, the address can be directly used as a tweak and does not need to be whitened with the block encryption first.

QARMA is an Even–Mansour cipher using three stages, with whitening keys w⁰ and w¹ XORed in between:

1. permutation F is using core key k⁰ and parameterized by a tweak T. It has r rounds inside (r = 7 for QARMA-64, r = 11 for QARMA-128);
2. "central" permutation C is using key k¹ and is designed to be reversible via a simple key transformation (contains two central rounds);
3. the third permutation is an inverse of the first (r more rounds).

All keys are derived from the master encryption key K using specialisation:

• K is partitioned into halves as w⁰ Concatenation k⁰, each will have halfsize bits;
• for encryption w¹ = (w⁰ >>> 1) + (w⁰ >> (halfsize-1));
• for encryption k¹ = k⁰;
• for decryption, the same design can be used as long as k⁰+α is used as a core key, k¹ = Q•k⁰, w¹ and w⁰ are swapped. α here is a special constant and Q a special involutary matrix. This construct is similar to the alpha reflection in PRINCE.

The data is split into 16 cells (4-bit nibbles for QARMA-64, 8-bit bytes for QARMA-128). Internal state also contains 16 cells, arranged in a 4x4 matrix, and is initialized by plaintext (XORed with w⁰). In each round of ${\displaystyle \digamma }$, the state is transformed via operations ${\displaystyle \tau ,M,S}$:

• ${\displaystyle \tau }$ is ShuffleCells, a MIDORI permutation of cells ([ 0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]);
• ${\displaystyle M}$ is MixColumns: each column is multiplied by a fixed matrix M;
• ${\displaystyle S}$ is SubCells: each cell is transformed using an S-box.

The tweak for each round is updated using ${\displaystyle h,\omega }$:

• ${\displaystyle h}$ is a cell permutation from MANTIS ([ 6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]);
• ${\displaystyle \omega }$ is an LFSR applied to each of the cells with numbers [0, 1, 3, 4, 8, 11, 13]. For QARMA-64, the LFSR is (b3, b2, b1, b0) ⇒ (b0 + b1, b3, b2, b1), for QARMA-128, (b7, b6, ..., b0) ⇒ (b0 + b2, b7, b6, ..., b1),

The rounds of ${\displaystyle {\overline {\digamma }}}$ consist of inverse operations ${\displaystyle {\overline {\tau }},{\overline {M}},{\overline {S}},{\overline {h}},{\overline {\omega }}}$. Central rounds, in addition to two rounds (${\displaystyle \tau ,M,S}$ and ${\displaystyle {\overline {\tau }},{\overline {M}},{\overline {S}}}$), include multiplication of the state by an involutary matrix Q.