= QARMA =

QARMA (from Qualcomm ARM Authenticator) is a lightweight tweakable block cipher, primarily known for its use in the ARMv8 architecture, where it serves as the cryptographic function that computes the Pointer Authentication Code (PAC) used to protect software. The cipher was proposed by Roberto Avanzi in 2016. Two versions of QARMA are defined: QARMA-64 (64-bit block size with a 128-bit encryption key) and QARMA-128 (128-bit block size with a 256-bit key). The design of QARMA was influenced by PRINCE and MANTIS. The cipher is intended for fully unrolled hardware implementations that require low latency (such as memory encryption). Unlike XTS mode, the address can be used directly as the tweak and does not need to be whitened by a block encryption first.

== Architecture ==

QARMA is an Even–Mansour cipher using three stages, with whitening keys w^{0} and w^{1} XORed in between:
1. the permutation $\digamma$ uses the core key k^{0} and is parameterized by a tweak T; it consists of r rounds (r = 7 for QARMA-64, r = 11 for QARMA-128);
2. the "central" permutation C uses the key k^{1} and is designed to be reversible via a simple key transformation (it contains two central rounds);
3. the third permutation is the inverse of the first (r more rounds).
All keys are derived from the master encryption key K by specialisation:
- K is partitioned into two halves, K = w^{0} || k^{0}, each of halfsize bits;
- for encryption, w^{1} = (w^{0} >>> 1) + (w^{0} >> (halfsize-1)), where >>> is a rotation, >> a shift and + denotes XOR;
- for encryption, k^{1} = k^{0};
- for decryption, the same construction can be used provided that k^{0} + α is used as the core key, k^{1} = Q•k^{0}, and w^{1} and w^{0} are swapped. Here α is a special constant and Q is a special involutory matrix. This construction is similar to the α-reflection in PRINCE.

The data is split into 16 cells (4-bit nibbles for QARMA-64, 8-bit bytes for QARMA-128). The internal state likewise consists of 16 cells, arranged in a 4x4 matrix, and is initialized with the plaintext (XORed with w^{0}). In each round of $\digamma$, the state is transformed by the operations $\tau, M, S$:
- $\tau$ is ShuffleCells, a MIDORI permutation of cells ([ 0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]);
- $M$ is MixColumns: each column is multiplied by a fixed matrix M;
- $S$ is SubCells: each cell is transformed using an S-box.
The tweak for each round is updated using $h, \omega$:
- $h$ is a cell permutation from MANTIS ([ 6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]);
- $\omega$ is an LFSR applied to each of the cells with indices [0, 1, 3, 4, 8, 11, 13]. For QARMA-64, the LFSR is (b3, b2, b1, b0) ⇒ (b0 + b1, b3, b2, b1); for QARMA-128, it is (b7, b6, ..., b0) ⇒ (b0 + b2, b7, b6, ..., b1), where + denotes XOR.
The rounds of $\overline \digamma$ consist of inverse operations $\overline \tau, \overline M, \overline S, \overline h, \overline \omega$.
The central rounds consist of two rounds ($\tau, M, S$ and $\overline \tau, \overline M, \overline S$) plus a multiplication of the state by the involutory matrix Q.
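The cell permutations $\tau$ and $h$, the tweak LFSR $\omega$ (with its inverse $\overline \omega$) and the derivation of w^{1} described above, as an added Python example for QARMA-64 (not code from the QARMA paper or any reference implementation). It assumes that cell 0 is the most significant nibble of the 64-bit word and that a permutation P is applied as new cell i = old cell P[i].

```python
# Added example, not code from the QARMA paper or any reference implementation.
# Assumed conventions: 16 nibble cells with cell 0 the most significant nibble of
# the 64-bit word, and a permutation P is applied as new[i] = old[P[i]].

TAU = [0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]  # ShuffleCells (MIDORI)
H = [6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]    # tweak permutation (MANTIS)
LFSR_CELLS = [0, 1, 3, 4, 8, 11, 13]                          # tweak cells clocked by omega

def to_cells(x):
    """Split a 64-bit word into 16 nibbles (cell 0 = most significant)."""
    return [(x >> (4 * (15 - i))) & 0xF for i in range(16)]

def from_cells(cells):
    """Inverse of to_cells."""
    x = 0
    for c in cells:
        x = (x << 4) | (c & 0xF)
    return x

def permute(cells, p):
    """Apply a cell permutation (tau or h): new[i] = old[p[i]]."""
    return [cells[p[i]] for i in range(16)]

def inverse_perm(p):
    """Inverse permutation, i.e. tau-bar / h-bar for the backward rounds."""
    return [p.index(i) for i in range(16)]

def omega64(c):
    """QARMA-64 tweak LFSR: (b3, b2, b1, b0) -> (b0 + b1, b3, b2, b1), + being XOR."""
    b0, b1 = c & 1, (c >> 1) & 1
    return ((b0 ^ b1) << 3) | (c >> 1)

def inv_omega64(c):
    """omega-bar: b0 = n3 ^ n0, since n3 = b0 ^ b1 and n0 = b1; the rest shifts back up."""
    return ((c << 1) & 0xF) | ((c >> 3) ^ (c & 1))

def update_tweak64(tweak):
    """One round's tweak update: permute the cells with h, then clock omega on LFSR_CELLS."""
    cells = permute(to_cells(tweak), H)
    for i in LFSR_CELLS:
        cells[i] = omega64(cells[i])
    return from_cells(cells)

def specialise_w1(w0, halfsize=64):
    """Encryption whitening key: w1 = (w0 >>> 1) + (w0 >> (halfsize - 1)), + being XOR."""
    mask = (1 << halfsize) - 1
    rotr1 = ((w0 >> 1) | (w0 << (halfsize - 1))) & mask
    return rotr1 ^ (w0 >> (halfsize - 1))
```

With this LFSR every nonzero nibble cycles with period 15, so the tweak schedule does not repeat before the round count is exhausted; applying update_tweak64 once per round yields the successive round tweaks.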

