qarma
play

QARMA Roberto Avanzi Qualcomm QARMA Memory Encryption: PRINCE , - PowerPoint PPT Presentation

Apr 01, 2024 •777 likes •950 views

Rump Session 2016 QARMA Roberto Avanzi Qualcomm QARMA Memory Encryption: PRINCE , son of ENIGMA Yet another example of german technology inspired by austrian leadership! k 1 RC 0 k 1 RC 1 k 1 RC 2 k 1 RC 3 k 1 RC 4 k 1

  1. Rump Session 2016 QARMA Roberto Avanzi Qualcomm

  2. QARMA Memory Encryption: PRINCE , son of ENIGMA Yet another example of german technology inspired by austrian leadership! k 1 ⊕ RC 0 k 1 ⊕ RC 1 k 1 ⊕ RC 2 k 1 ⊕ RC 3 k 1 ⊕ RC 4 k 1 ⊕ RC 5 in S M S M S M S M S M S M ′ out S M S M S M S M S M S k 1 ⊕ RC 0 ⊕ α k 1 ⊕ RC 1 ⊕ α k 1 ⊕ RC 2 ⊕ α k 1 ⊕ RC 3 ⊕ α k 1 ⊕ RC 4 ⊕ α k 1 ⊕ RC 5 ⊕ α Because it’s a Mozartkugel! A (involutory) core surrounded by several symmetric layers, wrapped in a thin but opaque skin (the brownwhitening) (Bar over function denotes inverse) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 1/ 6

  3. QARMA Memory Encryption: PRINCE , son of ENIGMA Yet another example of german technology inspired by austrian leadership! k 1 ⊕ RC 0 k 1 ⊕ RC 1 k 1 ⊕ RC 2 k 1 ⊕ RC 3 k 1 ⊕ RC 4 k 1 ⊕ RC 5 in S M S M S M S M S M S M ′ out S M S M S M S M S M S k 1 ⊕ RC 0 ⊕ α k 1 ⊕ RC 1 ⊕ α k 1 ⊕ RC 2 ⊕ α k 1 ⊕ RC 3 ⊕ α k 1 ⊕ RC 4 ⊕ α k 1 ⊕ RC 5 ⊕ α Because it’s a Mozartkugel! A (involutory) core surrounded by several symmetric layers, wrapped in a thin but opaque skin (the brownwhitening) (Bar over function denotes inverse) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 1/ 6

  4. QARMA Problem Context: Memory encryption with no memory overhead ◮ ECB mode: Sadly, traces of Herr Drumpf left... ◮ XEX mode: encrypted block = W ⊕ PRINCE k ( clear block ⊕ W ) with W securely derived from address ⇒ more latency Idea: ◮ Use a tweakable cipher encrypted block = TWEAKABLE-PRINCE K , T = addr ( clear block ) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 2/ 6

  5. QARMA Problem Context: Memory encryption with no memory overhead ◮ ECB mode: Sadly, traces of Herr Drumpf left... ◮ XEX mode: encrypted block = W ⊕ PRINCE k ( clear block ⊕ W ) with W securely derived from address ⇒ more latency Idea: ◮ Use a tweakable cipher encrypted block = TWEAKABLE-PRINCE K , T = addr ( clear block ) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 2/ 6

  6. QARMA Problem Context: Memory encryption with no memory overhead ◮ ECB mode: Sadly, traces of Herr Drumpf left... ◮ XEX mode: encrypted block = W ⊕ PRINCE k ( clear block ⊕ W ) with W securely derived from address ⇒ more latency Idea: ◮ Use a tweakable cipher encrypted block = TWEAKABLE-PRINCE K , T = addr ( clear block ) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 2/ 6

  7. QARMA Problem Context: Memory encryption with no memory overhead ◮ ECB mode: Sadly, traces of Herr Drumpf left... ◮ XEX mode: encrypted block = W ⊕ PRINCE k ( clear block ⊕ W ) with W securely derived from address ⇒ more latency Idea: ◮ Use a tweakable cipher encrypted block = TWEAKABLE-PRINCE K , T = addr ( clear block ) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 2/ 6

  8. QARMA QARMA: Beyond the Mozart Ball w 0 w 0 w 1 = o ( w 0 ) w 1 P C F C F k 0 + α k 0 T T k 1 3-Round Even-Mansour with outer perms keyed & tweaked, middle perm C keyed, not involutory Whitening key derivation w 0 �→ w 1 = o ( w 0 ) with o ( · ) orthomorphism (taken from PRINCE ) Crucial difgerence w.r.t. PRINCE : we use upper indexes ( k 0 ) instead of lower indexes ( k 0 ) ! Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 3/ 6

  9. QARMA QARMA: Just Another Bricklayer in the Crypto Wall? T h h h h h ω ω ω · · · ω ω k 0 k 0 k 0 k 0 k 0 w 0 w 1 c 0 c 1 c 2 c 3 c r − 1 P S τ M S τ M S τ M S τ M S τ M S · · · τ Q k 1 C S τ M S τ M S · · · τ M S τ M S τ M S τ k 0 k 0 k 0 k 0 k 0 w 1 w 0 α α α α α c 0 c 1 c 2 c 3 c r − 1 h h h · · · h h ω ω ω ω ω τ , h = Shufgles of the cells, M , Q = Almost MDS matrices, Q involutory, S = S-Box layer, ω = LSFR Reuses tweak shufgle from MANTIS (a PRINCE -like FX construction with MIDORI round function) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 4/ 6

  10. QARMA QARMA: Just Another Bricklayer in the Crypto Wall? T h h h h h ω ω ω · · · ω ω k 0 k 0 k 0 k 0 k 0 w 0 w 1 c 0 c 1 c 2 c 3 c r − 1 P S τ M S τ M S τ M S τ M S τ M S · · · τ Q k 1 C S τ M S τ M S · · · τ M S τ M S τ M S τ k 0 k 0 k 0 k 0 k 0 w 1 w 0 α α α α α c 0 c 1 c 2 c 3 c r − 1 h h h · · · h h ω ω ω ω ω τ , h = Shufgles of the cells, M , Q = Almost MDS matrices, Q involutory, S = S-Box layer, ω = LSFR Reuses tweak shufgle from MANTIS (a PRINCE -like FX construction with MIDORI round function) Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 4/ 6

  11. QARMA New Central Construction Properties of central rounds: T ◮ Use whitening key(s) instead of core key w 1 ◮ Thwarts refmection attacks M S τ τ · · · ◮ Non involutory Pseudo-Refmector ◮ Add key k 1 , not tweak Q ◮ Easy to invert ◮ Also makes refmection attacks more difgicult k 1 ◮ Chosen Q , M ’s have � 2 n / 2 fjxed points ◮ The { 0 , 1 } MIDORI circulant has 2 3 n / 4 ! M S · · · τ τ ◮ New almost MDS family over F 2 [ ρ ] = = F 2 [ X ] / ( X m + 1 ) with optimal critical path w 0 (circulants, classifjcation) ◮ Also makes attacks more difgicult T Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 5/ 6

  12. QARMA New Central Construction Properties of central rounds: T ◮ Use whitening key(s) instead of core key w 0 ◮ Thwarts refmection attacks M S τ τ · · · ◮ Non involutory Pseudo-Refmector ◮ Add key k 1 , not tweak Q · k 1 ◮ Easy to invert ◮ Also makes refmection attacks more difgicult Q ◮ Chosen Q , M ’s have � 2 n / 2 fjxed points ◮ The { 0 , 1 } MIDORI circulant has 2 3 n / 4 ! M S · · · τ τ ◮ New almost MDS family over F 2 [ ρ ] = = F 2 [ X ] / ( X m + 1 ) with optimal critical path w 1 (circulants, classifjcation) ◮ Also makes attacks more difgicult T Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 5/ 6

  13. http:/ /ia.cr/2016/444 PRINCE QARMA Implementation Depth Area Cipher We consider here gate depth (GE) (GE) QARMA -64 5 - σ 0 100 8971 (and to a lesser extent, area) QARMA -64 6 - σ 0 117 10451 QARMA -64 7 - σ 0 134 11929 σ 0 , σ 2 difgerent S-Boxes QARMA -64 5 - σ 2 107 9484 QARMA -64 6 - σ 2 125 11048 Values are estimates QARMA -64 7 - σ 2 143 12616 100 8703 MANTIS 5 Details in tech report 117 10155 MANTIS 6 134 11605 MANTIS 7 114 7424 Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 6/ 6

  14. /ia.cr/2016/444 http:/ QARMA Implementation Depth Area Cipher We consider here gate depth (GE) (GE) QARMA -128 8 - σ 0 152 26592 (and to a lesser extent, area) QARMA -128 9 - σ 0 168 29521 QARMA -128 10 - σ 0 185 32450 σ 0 , σ 2 difgerent S-Boxes QARMA -128 11 - σ 0 201 35379 QARMA -128 8 - σ 2 164 28127 Values are estimates QARMA -128 9 - σ 2 183 31228 QARMA -128 10 - σ 2 201 34328 Details in tech report QARMA -128 11 - σ 2 219 37429 AES -128 554 63234 (Encryption only) 294 143888 Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 6/ 6

  15. /ia.cr/2016/444 http:/ QARMA Implementation Depth Area Cipher We consider here gate depth (GE) (GE) QARMA -128 8 - σ 0 152 26592 (and to a lesser extent, area) QARMA -128 9 - σ 0 168 29521 QARMA -128 10 - σ 0 185 32450 σ 0 , σ 2 difgerent S-Boxes QARMA -128 11 - σ 0 201 35379 QARMA -128 8 - σ 2 164 28127 Values are estimates QARMA -128 9 - σ 2 183 31228 QARMA -128 10 - σ 2 201 34328 Details in tech report QARMA -128 11 - σ 2 219 37429 AES -128 554 63234 (Encryption only) 294 143888 Roberto Avanzi : QARMA, a Lightweight Tweakable Block cipher 6/ 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7,

The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7,

Qualcomm QARMA T E C H N O L O G I E S , I N C PRODUCT SECURITY Use cases The road to QARMA Analysis Implementation Conclusion The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7, 2017 Roberto

537 views • 52 slides
Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA Muzhou Li Key Lab

Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA Muzhou Li Key Lab

Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA Muzhou Li Key Lab of Cryptologic Technology and Information Security Ministry of Education, Shandong University, China Joint work with Kai Hu, Meiqin Wang March 27,

625 views • 30 slides
Quantum Machine Learning Giuseppe Di Molfetta & Hachem Kadri CANA & QARMA , Lab.

Quantum Machine Learning Giuseppe Di Molfetta & Hachem Kadri CANA & QARMA , Lab.

Quantum Machine Learning Giuseppe Di Molfetta & Hachem Kadri CANA & QARMA , Lab. dInformatique Fondamentale de Marseille Aix-Marseille Universit e, France Outline I Machine Learning I Quantum Computing I Quantum Machine Learning

1.47k views • 66 slides
Scikit Spectral Learning (SpLearn): a toolbox for the spectral learning of weighted automata Denis

Scikit Spectral Learning (SpLearn): a toolbox for the spectral learning of weighted automata Denis

Scikit Spectral Learning (SpLearn): a toolbox for the spectral learning of weighted automata Denis Arrivault 1 Dominique Benielli 1 cois Denis 2 Fran emi Eyraud 2 R 1 LabEx Archim` ede, Aix-Marseille University, France 2 QARMA team,

363 views • 25 slides
GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens

GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens

GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens equation Lensing potential From last lecture DEFLECTION OF LIGHT IN GENERAL RELATIVITY How to define the effective diffraction index? DEFLECTION

807 views • 28 slides
Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph

Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph

Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph jason@thinkrelevance.com Published under the Creative Commons Attribution Noncommercial Share Alike License Version 2.5. (Please see

758 views • 59 slides
Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella Ruhr-Universitt Bochum, Germany Inria Paris, France BFA 2017, July 2017 Outline A new condition

442 views • 27 slides
d 1 g g = . d d 2 x d d AND Use indices , , etc.,

d 1 g g = . d d 2 x d d AND Use indices , , etc.,

Alan Guth, Black-Body Radiation and the Early History of the Universe, 8.286 Lecture 15, October 31, 2013, p. 1. Summary of Leture 14: 8.286 Leture 15 THE SPACETIME GEODESIC EQUATION Otober 31, 2013 d x d x BLACK-BODY

262 views • 3 slides
Towards Refinement and Generalization of Reliability Models Based on Component States Natasha

Towards Refinement and Generalization of Reliability Models Based on Component States Natasha

Towards Refinement and Generalization of Reliability Models Based on Component States Natasha Jarus, Sahra Sedigh Sarvestani, and Ali Hurson Department of Electrical and Computer Engineering Missouri University of Science and Technology Rolla,

579 views • 26 slides
Lecture 6 Biaxial Bending of Short Colum ns Dr. Hazim Dwairi Dr Hazim Dwairi Dr. Hazim

Lecture 6 Biaxial Bending of Short Colum ns Dr. Hazim Dwairi Dr Hazim Dwairi Dr. Hazim

Reinforced Concrete II Hashemite University The Hashem ite University Departm ent of Civil Engineering Lecture 6 Biaxial Bending of Short Colum ns Dr. Hazim Dwairi Dr Hazim Dwairi Dr. Hazim Dwairi The Hashemite University Reinforced

330 views • 15 slides
ComputationalModeling February 11, 2020 1 Lecture 14: Computational Modeling CBIO (CSCI)

ComputationalModeling February 11, 2020 1 Lecture 14: Computational Modeling CBIO (CSCI)

ComputationalModeling February 11, 2020 1 Lecture 14: Computational Modeling CBIO (CSCI) 4835/6835: Introduction to Computational Biology 1.1 Overview and Objectives So far, weve discussed Hidden Markov Models as way to encapsulate and

613 views • 15 slides
A Dataspace Odyssey: The iMeMex Personal DataSpace Management System Lukas Blunschi, Jens

A Dataspace Odyssey: The iMeMex Personal DataSpace Management System Lukas Blunschi, Jens

A Dataspace Odyssey: The iMeMex Personal DataSpace Management System Lukas Blunschi, Jens Dittrich, Olivier Girard, Shant Karakashian, Marcos Salles ETH Zurich, iMeMex.org What is a DataSpace Management System? Vision paper by Mike Franklin,

556 views • 20 slides
Proofs and computations Helmut Schwichtenberg (j.w.w. Kenji Miyamoto) Mathematisches Institut,

Proofs and computations Helmut Schwichtenberg (j.w.w. Kenji Miyamoto) Mathematisches Institut,

Proofs and computations Helmut Schwichtenberg (j.w.w. Kenji Miyamoto) Mathematisches Institut, LMU, M unchen Leeds University, 7. March 2012 Helmut Schwichtenberg Proofs and computations Formalization and extraction One can extract from a

267 views • 26 slides
TITANS OF THE EARLY UNIVERSE The origin of the first supermassive black holes Tyrone E. Woods

TITANS OF THE EARLY UNIVERSE The origin of the first supermassive black holes Tyrone E. Woods

TITANS OF THE EARLY UNIVERSE The origin of the first supermassive black holes Tyrone E. Woods Monash Centre for Astrophysics July 18, 2018 With Alex Heger, Ralf Klessen, Lionel Haemmerle, and Daniel J. Whalen Tyrone E. Woods July 18, 2018 1

596 views • 31 slides
Accurate Performance Estimation for Stochastic Marked Graphs by Bottleneck Regrowing Ricardo J.

Accurate Performance Estimation for Stochastic Marked Graphs by Bottleneck Regrowing Ricardo J.

Accurate Performance Estimation for Stochastic Marked Graphs by Bottleneck Regrowing Ricardo J. Rodr guez and Jorge J ulvez { rjrodriguez, julvez } @unizar.es Universidad de Zaragoza Zaragoza, Spain September 24 th , 2010 EPEW10: 7 th

707 views • 54 slides
Preparing a Sust ainable Tourism St rat egy Why do we need a st rat egy? What would be t

Preparing a Sust ainable Tourism St rat egy Why do we need a st rat egy? What would be t

Preparing a Sust ainable Tourism St rat egy Why do we need a st rat egy? What would be t he aims of t he st rat egy? What do we mean by "sust ainable" (& "t ourism")? Who should produce/ lead t he st

802 views • 53 slides
R e p o r t o n F Y 2 0 0 1 E v a l u a t i o n o f S y m m e t r

R e p o r t o n F Y 2 0 0 1 E v a l u a t i o n o f S y m m e t r

R e p o r t o n F Y 2 0 0 1 E v a l u a t i o n o f S y m m e t r i c - K e y C r y p t o g r a p h i c T e c h n i q u e s April 16, 2002 Toshinobu Kaneko Chair, Symmetric-Key

608 views • 35 slides
Introduction to Risk Parity and Budgeting Chapter 2 Risk Budgeting Approach Thierry

Introduction to Risk Parity and Budgeting Chapter 2 Risk Budgeting Approach Thierry

Introduction to Risk Parity and Budgeting Chapter 2 Risk Budgeting Approach Thierry Roncalli & CRC Press c Evry University & Lyxor Asset Management, France Instructors may find the description of the book at the following

826 views • 36 slides
William Sandqvist william@kth.se Comparator an 1 bit AD-converter A comparator is a sensitive

William Sandqvist william@kth.se Comparator an 1 bit AD-converter A comparator is a sensitive

William Sandqvist william@kth.se Comparator an 1 bit AD-converter A comparator is a sensitive amplifier for the difference between input voltages. The slightest positive difference means that the output get (1) or negative difference get (0).

786 views • 34 slides
where validation means correct modeling Gergely Mezei, Zoltn Theisz, Dniel Urbn, Sndor

where validation means correct modeling Gergely Mezei, Zoltn Theisz, Dniel Urbn, Sndor

The bicycle challenge in DMLA, where validation means correct modeling Gergely Mezei, Zoltn Theisz, Dniel Urbn, Sndor Bcsi Budapest University of Technology and Economics Department of Automation and Applied Informatics Multi 2018

473 views • 15 slides
Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI

Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI

Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI Technical Services Manager Acquia India www.tanay.co.in @saitanay JAYAKRISHNAN JAYABAL Technical Architect Acquia India @jayakrishnanjay

585 views • 32 slides
Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob

Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob

Hybrid Heterogeneous Electric Vehicle Routing Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob Puchinger 1 , Richard Hartl 3 1 AIT Austrian Institute of Technology 2 PUC-Rio Pontifical Catholic

701 views • 44 slides
Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology R&D Center Mitsubishi Electric Corporation February 23 2009, FSE 2009 In this presentation we talk about A colliding key pair of RC4

359 views • 15 slides
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian

749 views • 30 slides

More recommend