DOCSLIB.ORG

Cryptography in Context

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptography in Context Cryptography in Context Cryptography in Context Gerard Tel iv Contents Contents v Preface ix 1 On the Secure Hash Algorithm family (Wouter Penard and Tim van Werkhoven) 1 1.1 Introduction . 1 1.2 Description of the SHA Algorithms . 4 1.3 Generic Attacks . 8 1.4 Specialized Attacks . 13 1.5 Implications of Attacks . 17 1.6 Conclusion . 17 2 Security and privacy of RFID tags (Jeroen van Wolffelaar) 19 2.1 RFID tags . 19 2.2 Case: Baja Beach Club . 20 2.3 Case: Biometric passports . 22 2.4 Case: OV-chipkaart . 24 2.5 Conclusions . 27 3 Xbox Securtity (Miloslav Valco) 29 3.1 Microsoft's Financial Gambles . 29 3.2 Andrew "bunnie" Huang . 31 3.3 RC4 . 33 3.4 Tiny Encryption Algorithm . 35 3.5 The Visor Hack . 36 3.6 Xbox Linux Project . 36 3.7 Discussion and conclusion . 37 4 Multiple Encryption (Ronald Chu & Mark Jeronimus) 39 4.1 Introduction . 39 4.2 definitions . 40 4.3 Known attacks . 40 4.4 Applications . 45 4.5 Summary and conclusions . 47 v vi Contents 5 Phishing (Marnix Kammer and Barbara Pieters) 49 5.1 Phishing and cryptography . 49 5.2 Forms of phishing . 50 5.3 Changes in human-computer interaction to prevent phishing . 53 5.4 Technical solutions to prevent phishing . 56 5.5 Summary and conclusions . 64 6 Electronic Voting 2.0 (Jeiel Schalkwijk) 67 6.1 The current state of voting machines . 67 6.2 Cryptographic systems . 70 6.3 ThreeBallot . 71 6.4 Moran and Naor's protocol . 72 6.5 Conclusion . 75 7 Coupon Systems (Eric van Dalen) 77 7.1 Coupon Security Requirements . 78 7.2 Multi-coupons . 80 7.3 Conclusion . 84 8 Broadcast Encryption (Henri Kas and Jeroen Weijers) 85 8.1 Introduction . 85 8.2 Algorithms . 87 8.3 Subset-Cover algorithms . 90 8.4 Free riders . 93 9 Software Implementation of Cryptographic Algorithms (Marco Devesas Campos, Jose Fernandes) 95 9.1 Introduction . 95 9.2 Anatomy of a modern processor . 97 9.3 Techniques for Efficient Implementations . 99 9.4 Side-channels . 102 9.5 Summary and Conclusions . 107 10 Reputation-Based Trust (Wesley van Beelen) 109 10.1 Reputation system attacks . 110 10.2 Automated Distributed Computation Environment . 110 10.3 Summary and Conclusions . 114 11 Advanced Encryption Standard (William van Hemert) 117 11.1 History about AES . 117 11.2 General properties of AES . 118 11.3 Different components of AES . 119 11.4 The encryption and decryption process . 125 11.5 Research about AES . 126 11.6 Known vulnerabilities . 127 11.7 Summary and conclusions . 129 11.8 Used resources . 130 Cryptography in Context vii 12 Certificates and Root Keys (Bas van Schaik and Steven Woudenberg) 131 12.1 Introduction . 131 12.2 Certificates and Certificate Authorities . 132 12.3 Possible attacks . 137 12.4 Certificate revocation . 138 12.5 Applications . 140 12.6 Other solutions . 142 12.7 Summary . 143 13 Quantum Factorisation (Bas den Heijer and Christiaan Ypma) 145 13.1 The Quantum World . 145 13.2 Integer Factorization . 147 13.3 Quantum Computer Implementations . 150 14 Steganography and Steganalysis (J.S. de Wit) 153 14.1 Hiding Information . 153 14.2 Steganography Detection . 155 14.3 Conclusion . 158 15 Multivariate Cryptography (Merel Rietbergen) 159 15.1 Preliminaries . 159 15.2 Multivariate Quadratic Cryptography . 162 15.3 Attack on HFE: Gr¨obnerBases . 165 15.4 Conclusion . 169 16 Montgomery Multiplications (Tessa van der Hoorn & Hugo Duivesteijn) 171 16.1 Montgomery . 171 16.2 Description of the algorithm . 172 16.3 Example . 174 16.4 Montgomery Multiplications with binary numbers . 177 16.5 Computation time . 177 16.6 Concluding remarks . 178 Bibliography 179 Index 187 viii Contents Preface This reader contains 16 papers, written by students of Utrecht University as part of the Cryptography course of Fall 2007. The course treats the theory of Cryptography, underlying many solutions in computer and IT security. The challenge for the students is, to connect this theory to actual security products in their project study. The papers were presented during a symposium on January 31, 2008. Photo's of this event can be found on gerardtel.nl (select the year 2008 and the series 5. Cryptography in Context). For the purpose of the symposium, the presentations were divided into four themes, namely Broken Dreams (Chapters 1 through 4), about systems of which the security was broken, Safe Digital Society (Chapters 5 through 8), about security used in a nation-wide scale to support the economical or democratic infrastructure, Deployed Systems (Chapters 9 through 12), about security products used in a smaller scale, and How to Compute (Chapters 13 through 16), about cryptographic algorithms. The session chairs during the symposium were Thomas van Dijk, Johan Kwisthout, Eelko Penninkx, and Marinus Veldhorst. I hope the reader will be a nice souvenir for the speakers and writers, and that it will provide for all others an interesting overview of some computer security topics. Two of the papers are especially recommended: the ones by Wouter Penard and Tim van Werkhoven, and by Merel Rietbergen received the highest grade possible: a 10 mark. Gerard Tel (course teacher), Utrecht, February 2008. ix Chapter 1 On the Secure Hash Algorithm family Written by Wouter Penard and Tim van Werkhoven. 1.1 Introduction This chapter is on the Secure Hash Algorithm family, better known as the SHA hash functions. We will first introduce secure hash algorithms as part of digital signature schemes and derive properties a hash function is required to have from this context. SHA was originally designed for this purpose. Next we give a short overview of the history of the SHA family, showing when new members of the family were introduced and note a couple important milestones in the academic analysis of the functions. In the second section we will review how the SHA algorithms work, focusing espe- cially on the SHA-1 hash function. After dissecting the SHA-1 hash function itself, we will relate and compare it to the other hash functions in the SHA family, SHA-0 and SHA-2. Besides analyzing the specific SHA functions, we will also treat the generic structure of hash functions, as these are relevant for the security of a hash function. We will cover the different aspects in some detail and illustrate how naive implementation of hash functions can be hazardous, some attacks can be mounted against any hash function if they are not implemented correctly. The main part of this chapter will focus on the weaknesses found in the SHA-0 hash function by different researchers. We will explain in more detail how the SHA-0 function was initially broken by treating the so-called differential collision search against this function. And in this way aim to provide the reader with some insight how attacks against the SHA functions are build up. After explaining how the idea works, we will 1 2 On the Secure Hash Algorithm family explain why this attack is less successful against the SHA-0 successor, SHA-1. Finally we will look at SHA-2 and summarize the cryptanalysis results for the SHA family. The last part will deal with the implications of broken hash functions, and how and in which scenarios these are especially dangerous. Although the weaknesses found may not seem all too severe, these attacks can indeed have serious consequences, as we will see in the final section. 1.1.1 Purpose of Cryptographic Hash Algorithms A hash function is a function which takes an arbitrary length input and produces a fixed length ‘fingerprint' string. Common usage of such a function is as index into a hashtable. Cryptographic hash functions have several additional properties which makes them suitable to use as a means to check the integrity of a message and as part of digital signature schemes. Such a scheme consists of a secret key ks, a public key kp and two functions Sign(M; ks), which produces signature S, and Verify(M; S; kp), which returns a boolean indicating if the given S is a valid signature for message M. Such a signature should prove the authenticity and integrity of the message; Such that we can be sure it really was the sender of the message who sent it, and that it really was this message he sent. Finally we can use the signature to prove that the sender sent it and no one else could have done so: non-repudiation A function requirement is that Verify(M; Sign(M; ks); kp) = true for a key pair (ks; kp). On the other hand it should be impossible to create a forged signature. It is possible to distinguish between two types of forgeries, Existential and Universal forg- eries. In the first case.
Load more

Recommended publications
  • Cryptography
    56 Protecting Information With Cryptography Chapter by Peter Reiher (UCLA) 56.1 Introduction In previous chapters, we’ve discussed clarifying your security goals, determining your security policies, using authentication mechanisms to identify principals, and using access control mechanisms to enforce poli- cies concerning which principals can access which computer resources in which ways. While we identified a number of shortcomings and prob- lems inherent in all of these elements of securing your system, if we re- gard those topics as covered, what’s left for the operating system to worry about, from a security perspective? Why isn’t that everything? There are a number of reasons why we need more. Of particular im- portance: not everything is controlled by the operating system. But per- haps you respond, you told me the operating system is all-powerful! Not really. It has substantial control over a limited domain – the hardware on which it runs, using the interfaces of which it is given control. It has no real control over what happens on other machines, nor what happens if one of its pieces of hardware is accessed via some mechanism outside the operating system’s control. But how can we expect the operating system to protect something when the system does not itself control access to that resource? The an- swer is to prepare the resource for trouble in advance. In essence, we assume that we are going to lose the data, or that an opponent will try to alter it improperly. And we take steps to ensure that such actions don’t cause us problems.
    [Show full text]
  • Hash Functions from Sigma Protocols and Improvements to VSH
    Hash Functions from Sigma Protocols and Improvements to VSH Mihir Bellare and Todor Ristov Department of Computer Science and Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, CA 92093-0404, USA. URL: www-cse.ucsd.edu/users/mihir, www-cse.ucsd.edu/users/tristov Abstract. We present a general way to get a provably collision-resistant hash function from any (suitable) Σ-protocol. This enables us to both get new designs and to unify and improve previous work. In the first category, we obtain, via a modified version of the Fiat-Shamir proto- col, the fastest known hash function that is provably collision-resistant based on the standard factoring assumption. In the second category, we provide a modified version VSH* of VSH which is faster when hash- ing short messages. (Most Internet packets are short.) We also show that Σ-hash functions are chameleon, thereby obtaining several new and efficient chameleon hash functions with applications to on-line/off-line signing, chameleon signatures and designated-verifier signatures. 1 Introduction The failure of popular hash functions MD5 and SHA-1 [42, 43] lends an impetus to the search for new ones. The contention of our paper is that there will be a \niche" market for proven-secure even if not-so-fast hash functions. Towards this we provide a general paradigm that yields hash functions provably secure under number-theoretic assumptions, and also unifies, clarifies and improves previous constructs. Our hash functions have extra features such as being chameleon [25]. Let us now look at all this in more detail.
    [Show full text]
  • Algebraic Cryptanalysis.Pdf
    EEAlgebraic E Cryptanalysis Gregory V. Bard Algebraic Cryptanalysis Gregory V. Bard Department of Mathematics Fordham University Bronx, NY 10458 USA [email protected] ISBN 978-0-387-88756-2 e-ISBN 978-0-387-88757-9 DOI 10.1007/978-0-387-88757-9 Springer Dordrecht Heidelberg London New York Library of Congress Control Number: 2009929845 © Springer Science+ Business Media, LLC 2009 All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. Printed on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com) Preface Algebraic Cryptanalysis is the process of breaking codes by solving polynomial systems of equations. In some ways this book began when the author began to ex- plore cryptanalysis as a beginning graduate student, and realized with frustration that no book whatsoever existed on the topic. Since that time, some books have been written about Linear Cryptanalysis or Differential Cryptanalysis (e.g. [211] and [214] cover both), but none on Algebraic Cryptanalysis, which is a rich and growing field.
    [Show full text]
  • Hello, and Welcome to This Presentation of the STM32MP1 Hash Processor
    Hello, and welcome to this presentation of the STM32MP1 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 HASH1 is a secure peripheral (under ETZPC control through ETZPC_DECPROT0 bit 8) while HASH2 is a non secure peripheral. HASH1 instance can be allocated to: • The Arm® Cortex®-A7 secure core to be controlled in OP-TEE by the HASH OP-TEE driver or • The Arm® Cortex® -A7 non-secure core for using in Linux® with Linux Crypto framework HASH2 instance can be allocated to the Arm® Cortex®-M4 core to be controlled in the STM32Cube MPU Package using the STM32Cube HASH driver. HASH1 instance is used as boot device to support binary authentication. 3 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding.
    [Show full text]
  • Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS
    Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols
    [Show full text]
  • PCI Assessment Evidence of PCI Policy Compliance
    PCI Assessment Evidence of PCI Policy Compliance CONFIDENTIALITY NOTE: The information contained in this report document is for the Prepared for: exclusive use of the client specified above and may contain confidential, privileged and non-disclosable information. If the recipient of this report is not the client or Prospect or Customer addressee, such recipient is strictly prohibited from reading, photocopying, distributing or otherwise using this report or its contents in any way. Prepared by: Your Company Name Evidence of PCI Policy Compliance PCI ASSESSMENT Table of Contents 1 - Overview 1.1 - Security Officer 1.2 - Overall Risk 2 - PCI DSS Evidence of Compliance 2.1 - Install and maintain firewall to protect cardholder data 2.1.1.1 - Requirements for firewall at each Internet connections and between DMZ and internal network zone 2.1.1.2 - Business justification for use of all services, protocols and ports allowed 2.1.2 - Build firewall and router configurations that restrict connections between untrusted networks and the cardholder data environment 2.1.2.1 - Restrict inbound and outbound to that which is necessary for the cardholder data environment 2.1.2.3 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet 2.1.2.4 - Implement stateful inspection (also known as dynamic packet filtering) 2.1.2.5 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet 2.2 - Prohibition of vendor-supplied default password for systems and security parameters 2.2.1
    [Show full text]
  • Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives
    Self-encrypting deception: weaknesses in the encryption of solid state drives Carlo Meijer Bernard van Gastel Institute for Computing and Information Sciences School of Computer Science Radboud University Nijmegen Open University of the Netherlands [email protected] and Institute for Computing and Information Sciences Radboud University Nijmegen Bernard.vanGastel@{ou.nl,ru.nl} Abstract—We have analyzed the hardware full-disk encryption full-disk encryption. Full-disk encryption software, especially of several solid state drives (SSDs) by reverse engineering their those integrated in modern operating systems, may decide to firmware. These drives were produced by three manufacturers rely solely on hardware encryption in case it detects support between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in a M.2 or 2.5" traditional form by the storage device. In case the decision is made to rely on factor) and external models using the USB interface. hardware encryption, typically software encryption is disabled. In theory, the security guarantees offered by hardware encryp- As a primary example, BitLocker, the full-disk encryption tion are similar to or better than software implementations. In software built into Microsoft Windows, switches off software reality, we found that many models using hardware encryption encryption and completely relies on hardware encryption by have critical security weaknesses due to specification, design, and implementation issues. For many models, these security default if the drive advertises support. weaknesses allow for complete recovery of the data without Contribution. This paper evaluates both internal and external knowledge of any secret (such as the password).
    [Show full text]
  • TS 102 176-1 V2.1.1 (2011-07) Technical Specification
    ETSI TS 102 176-1 V2.1.1 (2011-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms 2 ETSI TS 102 176-1 V2.1.1 (2011-07) Reference RTS/ESI-000080-1 Keywords e-commerce, electronic signature, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • Cryptographic Control Standard, Version
    Nuclear Regulatory Commission Office of the Chief Information Officer Computer Security Standard Office Instruction: OCIO-CS-STD-2009 Office Instruction Title: Cryptographic Control Standard Revision Number: 2.0 Issuance: Date of last signature below Effective Date: October 1, 2017 Primary Contacts: Kathy Lyons-Burke, Senior Level Advisor for Information Security Responsible Organization: OCIO Summary of Changes: OCIO-CS-STD-2009, “Cryptographic Control Standard,” provides the minimum security requirements that must be applied to the Nuclear Regulatory Commission (NRC) systems which utilize cryptographic algorithms, protocols, and cryptographic modules to provide secure communication services. This update is based on the latest versions of the National Institute of Standards and Technology (NIST) Guidance and Federal Information Processing Standards (FIPS) publications, Committee on National Security System (CNSS) issuances, and National Security Agency (NSA) requirements. Training: Upon request ADAMS Accession No.: ML17024A095 Approvals Primary Office Owner Office of the Chief Information Officer Signature Date Enterprise Security Kathy Lyons-Burke 09/26/17 Architecture Working Group Chair CIO David Nelson /RA/ 09/26/17 CISO Jonathan Feibus 09/26/17 OCIO-CS-STD-2009 Page i TABLE OF CONTENTS 1 PURPOSE ............................................................................................................................. 1 2 INTRODUCTION ..................................................................................................................
    [Show full text]
  • The Substitution Cipher Chaining Mode
    THE SUBSTITUTION CIPHER CHAINING MODE Mohamed Abo El-Fotouh and Klaus Diepold Institute for Data Processing (LDV), Technische Universitat¨ Munchen¨ (TUM), 80333 Munich, Germany Keywords: Modes of operation, SCC, disk encryption, AES. Abstract: In this paper, we present a new tweakable narrow-block mode of operation, the Substitution Cipher Chaining mode (SCC), that can be efficiently deployed in disk encryption applications. SCC is characterized by its high throughout compared to the current solutions and it can be parallelized. We used this mode to modify Windows Vista’s disk encryption algorithm, to offer some parallelism in its original implementation and to improve its diffusion properties. 1 INTRODUCTION 2001). Bear, Lion and Beast are considered to be slow, as they process the data through multiple passes. And Mercy was broken in (Fluhrer, 2002). The other In todays computing environment, there are many method is to let a block cipher like the Advanced en- threats to the confidentiality of information stored on cryption standard AES (Daemen and Rijmen, 1998) end user devices, such as personal computers, con- (with 16-bytes as a block size) to process the data sumer devices (e.g. PDA), and removable storage me- within a mode of operation. These modes of operation dia like (e.g., USB or external hard drive). A common can be divided into two main classes the narrow-block threat against end user devices is device loss or theft, and wide-block modes. The narrow-block modes op- that can lead to identity theft and other frauds. Some- erate on relatively small portions of data (typically one with physical access to a device has many op- 16-bytes when AES is used), while the wide-block tions for attempting to view or copy the information modes encrypt or decrypt a whole sector (typically stored on that device.
    [Show full text]
  • Recommendation for Applications Using Approved Hash Algorithms
    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-107 Title: Recommendation for Applications Using Approved Hash Algorithms Publication Date(s): February 2009 Withdrawal Date: August 2012 Withdrawal Note: SP 800-107 is superseded in its entirety by the publication of SP 800-107 Revision 1 (August 2012). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-107 Revision 1 Title: Recommendation for Applications Using Approved Hash Algorithms Author(s): Quynh Dang Publication Date(s): August 2012 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.107r1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-107 Rev. 1 (as of August 12, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal N/A announcement (link): Date updated: ƵŐƵƐƚϭϮ, 2015 NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department of Commerce Otto J. Wolff, Acting Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NIST SP 800-107 Abstract Cryptographic hash functions that compute a fixed- length message digest from arbitrary length messages are widely used for many purposes in information security. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3.
    [Show full text]
  • The QARMA Block Cipher Family
    The QARMA Block Cipher Family Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes Roberto Avanzi Qualcomm Product Security, Munich, Germany [email protected], [email protected] Abstract. This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the con- struction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of a FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated to {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints de- termined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the art manufacturing process are reported.
    [Show full text]