Differential Cryptanalysis of the Reduced Pointer Authentication Code Function Used in Arm’s FEAT_PACQARMA3 Feature

Bibliographic Details
Main Authors: Roberto Avanzi, Orr Dunkelman, Shibam Ghosh
Format: Article
Language: English
Published: Ruhr-Universität Bochum 2025-03-01
Series: IACR Transactions on Symmetric Cryptology
Subjects: Tweakable Block Ciphers; Lightweight Cryptography; Pseudo-Random Functions; Pseudo-Random Permutations
Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/12082
Collection: DOAJ
Description:
The Pointer Authentication Code (PAC) feature in the Arm architecture is used to enforce the Code Flow Integrity (CFI) of running programs. It does so by generating a short MAC — called the PAC — of the return address and some additional context information upon function entry, and checking it upon exit. An attacker that wants to overwrite the stack with manipulated addresses now faces an additional hurdle, as they now have to guess, forge, or reuse PAC values. PAC is deployed on billions of devices as a first line of defense to harden system software and complex programs against software exploitation. The original version of the feature uses a 12-round version of the QARMA-64 block cipher. The output is then truncated to between 3 and 32 bits, in order to be inserted into unused bits of 64-bit pointers. A later revision of the specification allows the use of an 8-round version of QARMA-64. This reduction may introduce vulnerabilities such as high-probability distinguishers, potentially enabling key recovery attacks. The present paper explores this avenue. A cryptanalysis of the PAC computation function entails restricting the inputs to valid virtual addresses, meaning that certain most significant bits are fixed to zero, and considering only the truncated output. Within these constraints, we present practical attacks on various PAC configurations. These attacks, while not presenting an immediate threat to the PAC mechanism, show that some versions of the feature do miss the security targets set for the original function. This offers new insights into the practical security of constructing MACs from truncated block ciphers, expanding on the mostly theoretical understanding of creating PRFs from truncated PRPs. We note that the results do not affect the security of QARMA-64 when used with the recommended number of rounds for general purpose applications.
Author Affiliations:
Roberto Avanzi: Caesarea Rothschild Institute, University of Haifa, Haifa, Israel
Orr Dunkelman: Computer Science Department, University of Haifa, Haifa, Israel; Faculty of Electrical Engineering and Computer Science, TU Berlin, Berlin, Germany
Shibam Ghosh: Computer Science Department, University of Haifa, Haifa, Israel; Inria, Paris, France
ISSN: 2519-173X
DOI: 10.46586/tosc.v2025.i1.380-419