Qameleon
A new Authenticated Encyption with Associated Data (AEAD) cipher based on well-understood technologies
Aim and Scope:
Welcome to the web site of Qameleon, a new Authenticated Encyption with Associated Data (AEAD) cipher based on well-understood technologies submitted to the NIST lightweight cryptography project.
Here you can find the full specification of the Qameleon, as well as reference implementations and related documentation.
Qameleon targets low-latency scenarios, such as memory encryption. To this purpose the scheme is ``perfectly'' parallelisable, i.e., as parallelisable as possible on a single task. The main use case is memory encryption, so we target scenarios in which the nonces are not repeated.
Qameleon is a clean design composed of a mode of operation called PANORAmA, which can be used together with any compatible Tweakable Block Cipher (TBC) and the TBC QARMA. PANORAmA is (roughly) a subset of the tweaked OCB mode ΘCB. Some simplifications, such as prefix-free encoding (padding) and the direct encryption of all blocks, make implementations less error-prone.
This choice of design has essentially no set-up time, is highly parallelisable, and can be effectively pipelined, in order to keep up also with extreme bandwidth requirements. The block cipher QARMA that is used with this mode of operation has been actually designed for such uses.
Different parameter sets and variants are suggested for various use cases: For RAM encryption a pure AE mode would suffice, but since we encompass also export of pages or areas of memory from secure process domains (a.k.a. ``enclaves,'' ``realms,'' or ``Secure Partitions'') to insecure mass storage, we provide also a general-purpose mode with variable message length and associated data. The AEAD variants of Qameleon provides full 128-bit or 256-bit security for plaintext confidentiality, whereas integrity and authenticity are limited by the tag size, which can be of 64 or 128 bits.
Qameleon performs very well in hardware, being significantly faster, smaller, and requiring far less energy than the most important alternatives with similar requisites.