International Association for Cryptologic Research

International Association
for Cryptologic Research

Transactions on Symmetric Cryptology, Volume 2025

Differential Cryptanalysis of the Reduced Pointer Authentication Code Function used in Arm’s FEAT_PACQARMA3 Feature


Shibam Ghosh
Inria, Paris, France; University of Haifa, Haifa, Israel

Orr Dunkelman
University of Haifa, Haifa, Israel; TU Berlin, Germany

Roberto Avanzi
University of Haifa, Haifa, Israel


Keywords: Tweakable Block Ciphers, Lightweight Cryptography, Pseudo-Random Functions, Pseudo-Random Permutations


Abstract

The Pointer Authentication Code (PAC) feature in the Arm architecture is used to enforce the Code Flow Integrity (CFI) of running programs. It does so by generating a short MAC — called the PAC — of the return address and some additional context information upon function entry, and checking it upon exit. An attacker that wants to overwrite the stack with manipulated addresses now faces an additional hurdle, as they now have to guess, forge, or reuse PAC values. PAC is deployed on billions of devices as a first line of defense to harden system software and complex programs against software exploitation. The original version of the feature uses a 12-round version the QARMA-64 block cipher. The output is then truncated to between 3 and 32 bits, in order to be inserted into unused bits of 64-bit pointers. A later revision of the specification allows the use of an 8-round version of QARMA-64. This reduction may introduce vulnerabilities such as high-probability distinguishers, potentially enabling key recovery attacks. The present paper explores this avenue. A cryptanalysis of the PAC computation function entails restricting the inputs to valid virtual addresses, meaning that certain most significant bits are fixed to zero, and considering only the truncated output. Within these constraints, we present practical attacks on various PAC configurations. These attacks, while not presenting immediate threat to the PAC mechanism, show that some versions of the feature do miss the security targets made for the original function. This offers new insights into the practical security of constructing MAC from truncated block ciphers, expanding on the mostly theoretical understanding of creating PRFs from truncated PRPs. We note that the results do not affect the security of QARMA-64 when used with the recommended number of rounds for general purpose applications.

Publication

Transactions on Symmetric Cryptology, Volume 2025, Issue 1

Paper

Artifact

Artifact number
fse/2025/a10

Artifact published
September 18, 2025

Badge
IACR FSE Artifacts Available

README

ZIP (3295188 Bytes)  

View on Github

License
This work is licensed under the 2-Clause BSD License.

Note that license information is supplied by the authors and has not been confirmed by the IACR.


BibTeX How to cite

Avanzi, R., Dunkelman, O., & Ghosh, S. (2025). Differential Cryptanalysis of the Reduced Pointer Authentication Code Function Used in Arm’s FEAT_PACQARMA3 Feature. IACR Transactions on Symmetric Cryptology, 2025(1), 380-419. https://doi.org/10.46586/tosc.v2025.i1.380-419. Artifact available at https://artifacts.iacr.org/fse/2025/a10