International Association
for Cryptologic Research

The Pointer Authentication Code (PAC) feature in the Arm architecture is used to enforce the Code Flow Integrity (CFI) of running programs. It does so by generating a short MAC — called the PAC — of the return address and some additional context information upon function entry, and checking it upon exit. An attacker that wants to overwrite the stack with manipulated addresses now faces an additional hurdle, as they now have to guess, forge, or reuse PAC values. PAC is deployed on billions of devices as a first line of defense to harden system software and complex programs against software exploitation.The original version of the feature uses a 12-round version the QARMA-64 block cipher. The output is then truncated to between 3 and 32 bits, in order to be inserted into unused bits of 64-bit pointers. A later revision of the specification allows the use of an 8-round version of QARMA-64. This reduction may introduce vulnerabilities such as high-probability distinguishers, potentially enabling key recovery attacks. The present paper explores this avenue.A cryptanalysis of the PAC computation function entails restricting the inputs to valid virtual addresses, meaning that certain most significant bits are fixed to zero, and considering only the truncated output. Within these constraints, we present practical attacks on various PAC configurations. These attacks, while not presenting immediate threat to the PAC mechanism, show that some versions of the feature do miss the security targets made for the original function. This offers new insights into the practical security of constructing MAC from truncated block ciphers, expanding on the mostly theoretical understanding of creating PRFs from truncated PRPs.We note that the results do not affect the security of QARMA-64 when used with the recommended number of rounds for general purpose applications.

We introduce the QARMAv2 family of tweakable block ciphers. It is a redesign of QARMA (from FSE 2017) to improve its security bounds and allow for longer tweaks, while keeping similar latency and area. The wider tweak input caters to both specific use cases and the design of modes of operation with higher security bounds. This is achieved through new key and tweak schedules, revised S-Box and linear layer choices, and a more comprehensive security analysis. QARMAv2 offers competitive latency and area in fully unrolled hardware implementations.Some of our results may be of independent interest. These include: new MILP models of certain classes of diffusion matrices; the comparative analysis of a full reflection cipher against an iterative half-cipher; our boomerang attack framework; and an improved approach to doubling the width of a block cipher.