
Related-Tweakey Impossible Differential Attack On QARMA

Posted on: 2020-09-03 | Degree: Master | Type: Thesis
Country: China | Candidate: J Du | Full Text: PDF
GTID: 2428330572489121 | Subject: Information security
Abstract/Summary:
QARMA is a family of lightweight tweakable block ciphers presented at ToSC 2017. It has two versions, supporting block sizes of 64 and 128 bits, denoted QARMA-64 and QARMA-128 respectively. Writing n (n = 64 or 128) for the block size, the tweak size of both versions is n bits and the key size is 2n bits. The designers claim a 2n-bit security level, so an attack is only considered valid when the product of its data and time complexities, D·T, stays below 2^2n.

Several results on QARMA have been published. Zong et al. gave meet-in-the-middle attacks on reduced-round QARMA in 2016. Yang et al. proposed an impossible differential attack, but their results are invalid under the designers' security claim. So far, the best result on QARMA-64 is the 10-round related-tweak statistical saturation cryptanalysis of Li et al. (2019), with time complexity 2^59 10-round encryptions and data complexity 2^59 chosen plaintexts. The best result on QARMA-128 is the 11-round tweak difference invariant bias attack of Li et al., with time complexity 2^126.1 11-round encryptions and data complexity 2^126.1 chosen plaintexts, i.e. D·T = 2^252.2 < 2^256, so the attack is valid.

Zong et al. proposed an interesting method for deriving related-key impossible differentials from single-key impossible differentials. Inspired by their idea, we also begin with an automatic search. However, in order to reduce the data complexity, more active cells at the beginning of the distinguisher are preferred, so that plaintext structures can be constructed. We therefore revise the result of the automatic search by combining our differential properties of the diffusion matrix M with the transition properties given by the designers, and obtain two families of 6-round related-tweakey impossible differential distinguishers for QARMA, placed between Round 7 and Round 12.

In more detail, we first investigate the properties of the diffusion matrix M and find that, when certain constraints on the input difference are satisfied, the activeness of each byte of the output difference can be predicted. Combining these properties of M with the transition properties proposed by the designers yields the two families of 6-round related-tweakey impossible differential distinguishers. We then study the ability of QARMA to resist related-tweakey impossible differential attacks. Based on two parallel distinguishers, a key-recovery attack on 10-round QARMA-128 is derived by applying the equivalent key; it has D·T = 2^224.96 (Data × Time), which is below 2^256, so the attack is valid. Both its time and memory complexities are significantly lower than those of previous work. We also give a key-recovery attack on 10-round QARMA-64. Finally, based on the 6-round distinguisher, we mount 11-round key-recovery attacks on both versions of QARMA with the outer whitening keys omitted, and the effectiveness of these attacks is easy to verify.
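The abstract relies on predicting, from constraints on the input difference, which output cells of the diffusion matrix M are active. The following Python is an added illustration of that kind of analysis, not code from the thesis or from the QARMA designers. It assumes the QARMA-64 MixColumns matrix M = circ(0, ρ^1, ρ^2, ρ^1) acting on a column of four 4-bit cells, with ρ^k the left rotation of a cell by k bits, as given in the QARMA specification (check the exponents against the spec before relying on them); the function names and the activity patterns tried are my own choices. It goes slightly beyond the abstract by exhaustively enumerating difference values, so it reports which output cells are always, never, or only conditionally active for a given input activity pattern, together with an example input for every reachable output pattern.

```python
from itertools import product

CELL_BITS = 4                      # QARMA-64 works on 4-bit cells (assumption: QARMA-64 parameters)
CELL_MASK = (1 << CELL_BITS) - 1
# First row of M = circ(0, rho^1, rho^2, rho^1): rotation exponents, with the
# zero entry on the diagonal encoded as None (no contribution to the XOR).
CIRC = (None, 1, 2, 1)


def rot(x, k):
    """Left-rotate the CELL_BITS-bit value x by k positions (the map rho^k)."""
    k %= CELL_BITS
    return ((x << k) | (x >> (CELL_BITS - k))) & CELL_MASK


def mix_column(col):
    """Multiply one column (tuple of four cells) by M.

    Row i of a circulant matrix is the first row shifted right by i, so
    entry (i, j) is CIRC[(j - i) % 4]; the matrix acts by XORing rotated cells.
    """
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            e = CIRC[(j - i) % 4]
            if e is not None:
                acc ^= rot(col[j], e)
        out.append(acc)
    return tuple(out)


def is_involution():
    """Sanity check on the transcription of M: the QARMA matrices are
    involutory, so M(M(c)) == c must hold for every column c."""
    return all(mix_column(mix_column(c)) == c
               for c in product(range(1 << CELL_BITS), repeat=4))


def _columns_with_pattern(pattern):
    """Yield every column whose activity pattern (tuple of 4 bools) is the
    given one: active cells take every nonzero value, inactive cells are 0."""
    active = [i for i, a in enumerate(pattern) if a]
    for vals in product(range(1, 1 << CELL_BITS), repeat=len(active)):
        col = [0] * 4
        for i, v in zip(active, vals):
            col[i] = v
        yield tuple(col)


def activeness_profile(pattern):
    """For an input activity pattern, classify each output cell as 'active'
    (nonzero for every choice of difference values), 'inactive' (always zero)
    or 'undetermined' (depends on the actual difference values)."""
    seen = [set() for _ in range(4)]
    for col in _columns_with_pattern(pattern):
        for k, v in enumerate(mix_column(col)):
            seen[k].add(v != 0)
    labels = {frozenset({True}): 'active', frozenset({False}): 'inactive'}
    return tuple(labels.get(frozenset(s), 'undetermined') for s in seen)


def reachable_patterns(pattern):
    """Map each output activity pattern reachable from the input pattern to one
    input column producing it. The example columns exhibit the value
    constraints (e.g. equal differences in two cells) that pin down the
    output activeness where the profile alone says 'undetermined'."""
    found = {}
    for col in _columns_with_pattern(pattern):
        out_pat = tuple(v != 0 for v in mix_column(col))
        found.setdefault(out_pat, col)
    return found


if __name__ == '__main__':
    assert is_involution()
    # Constructed input activity patterns: one active cell, cells at distance 2, adjacent cells.
    for pat in [(True, False, False, False),
                (True, False, True, False),
                (True, True, False, False)]:
        print(pat, '->', activeness_profile(pat))
        for out_pat, col in sorted(reachable_patterns(pat).items()):
            print('   ', out_pat, 'e.g. input column', col)
```

With this matrix a single active input cell always yields exactly the other three output cells active (the diagonal is zero), whereas two active cells at distance two give output cells 1 and 3 that are active if and only if the two input differences differ, so the constraint "equal differences in cells 0 and 2" forces the output pattern (active, inactive, active, inactive). That value-dependent behaviour is what a constraint on the input difference buys when building distinguishers; the example only models M, not the S-box or the cell permutation that surround it in a QARMA round.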
Keywords/Search Tags:Tweakable Block Cipher, QARMA, Impossible Differential, Related Tweakey