International Association for Cryptologic Research


IACR News item: 06 May 2016

Roberto Avanzi
ePrint Report
We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated with $\{0,1\}$-matrices. We also describe new S-Box search heuristics aimed at minimising the critical path.
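To make the first claim concrete, here is an added worked example (my own code, not from the paper). The ring is $\mathbb{F}_2[\rho]/(\rho^4 - 1)$, where $\rho$ rotates a 4-bit nibble by one position; it has zero divisors because $\rho^4 - 1 = (\rho+1)^4$ over $\mathbb{F}_2$. A matrix whose entries are $0$ or powers of $\rho$ is applied by XOR-ing rotated nibbles, so every output bit is still the XOR of a fixed small number of input bits, exactly as for a $\{0,1\}$-matrix, and the rotations cost nothing in hardware (they are wiring). The specific matrix below, the circulant $\mathrm{circ}(0, \rho, \rho^2, \rho)$, is my recollection of the 64-bit QARMA diffusion matrix and should be treated as an assumption; the checks (involution, branch number 4, fan-in 3 per output bit) are computed exhaustively over all $2^{16}$ states and do not depend on that recollection being right.

```python
# Added example, not code from the QARMA paper.
# An Almost-MDS circulant matrix over the ring of nibble rotations, with
# exhaustive checks of the properties the abstract talks about.

from itertools import product

NIBBLE_BITS = 4
MASK = (1 << NIBBLE_BITS) - 1
N = 4  # 4 nibbles = one 16-bit column of a 64-bit state


def rot(x: int, r: int) -> int:
    """rho^r: rotate a 4-bit nibble left by r positions (free wiring in silicon)."""
    r %= NIBBLE_BITS
    return ((x << r) | (x >> (NIBBLE_BITS - r))) & MASK


# Matrix entries are None (the zero of the ring) or an exponent e meaning rho^e.
# circ(0, rho, rho^2, rho) is assumed here to be QARMA-64's M (labelled assumption).
FIRST_ROW = [None, 1, 2, 1]


def circulant(first_row):
    """Build the circulant matrix whose row i is the first row rotated right by i."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]


M = circulant(FIRST_ROW)


def apply(mat, state):
    """Multiply the column vector of nibbles by mat: XOR of rotated nibbles."""
    out = []
    for row in mat:
        acc = 0
        for e, x in zip(row, state):
            if e is not None:
                acc ^= rot(x, e)
        out.append(acc)
    return out


def is_involution(mat, n=N):
    """Check M(M(x)) == x for every 16-bit state (exhaustive, 65536 states)."""
    for state in product(range(16), repeat=n):
        s = list(state)
        if apply(mat, apply(mat, s)) != s:
            return False
    return True


def nibble_weight(state):
    return sum(1 for x in state if x)


def differential_branch_number(mat, n=N):
    """min over nonzero x of wt(x) + wt(Mx), in nibbles. MDS would give n+1 = 5;
    Almost MDS gives n = 4."""
    best = None
    for state in product(range(16), repeat=n):
        if not any(state):
            continue
        w = nibble_weight(state) + nibble_weight(apply(mat, list(state)))
        if best is None or w < best:
            best = w
    return best


def max_fanin_per_output_bit(mat, n=N):
    """Largest number of input bits feeding any single output bit.
    The map is F2-linear, so the input bits feeding output bit k are exactly
    the unit vectors whose image has bit k set. This is the depth-relevant
    quantity: a fan-in of 3 means one 3-input XOR per output bit."""
    total_bits = n * NIBBLE_BITS
    fanin = [0] * total_bits
    for b in range(total_bits):
        s = [0] * n
        s[b // NIBBLE_BITS] = 1 << (b % NIBBLE_BITS)
        out = apply(mat, s)
        for k in range(total_bits):
            if (out[k // NIBBLE_BITS] >> (k % NIBBLE_BITS)) & 1:
                fanin[k] += 1
    return max(fanin)


if __name__ == "__main__":
    print("involution:", is_involution(M))
    print("differential branch number:", differential_branch_number(M))
    print("max fan-in per output bit:", max_fanin_per_output_bit(M))
    # A constructed weight-3 input that maps to a weight-1 output (total 4):
    print("M * [0xA, 0x5, 0xA, 0x0] =", apply(M, [0xA, 0x5, 0xA, 0x0]))
```

The trade-off the abstract alludes to is visible in the numbers: a true MDS matrix over $\mathrm{GF}(2^4)$ would reach branch number 5, but its field multiplications add gate depth, whereas this matrix stays at the depth of a single 3-input XOR per output bit and gives branch number 4. The involution check matters for reflector-style designs because the same circuit can serve encryption and decryption.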

These techniques are used to define some components of QARMA, a new family of lightweight tweakable block ciphers. QARMA is targeted to a very specific set of use cases, such as memory encryption, generation of very short tags by truncation, and the construction of keyed hash functions, in fully unrolled hardware implementations.

The structure of the cipher is inspired by PRINCE. However, it differs from reflector constructions in that it is a three-round Even-Mansour scheme with a non-involutory keyed middle permutation designed to thwart various classes of attacks. QARMA aims at providing conservative security margins while still achieving best-in-class latency.

QARMA exists in 64- and 128-bit block sizes, with 128- and 256-bit keys, respectively. Implementors are also offered a reduced set of S-Boxes to choose from.
