Meet-in-the-Middle Attack on QARMA Block Cipher

QARMA is a recently published lightweight tweakable block cipher, which has been used by the ARMv8 architecture to support a software protection feature. In this paper, using the method of MITM, we give the first distinguisher of QARMA block cipher. It is made up of the Pseudo-Reflector construction with two forward rounds and three backward rounds. By adding two rounds on the top and three rounds on the bottom of the distinguisher, together with the idea of the differential enumeration technique and the key-dependent sieve skill, we achieve a 10-round (of 16-round) key recovery attack with memory complexity of 2 192-bit space, data complexity of 2 chosen plaintexts and time complexity of 2 encryption units. Furthermore, we use the same distinguisher to attack QARMA-128 which also includes 10 (of 24) round functions and the Pseudo-Refector construction. The memory complexity is 2 384-bit space, the data complexity is 2 chosen plaintexts and the time complexity is 2 encryption units. These are the first attacks on QARMA and do not threaten the security of full round QARMA.