Paper 2016/436
Cryptanalysis of Reduced NORX
Nasour Bagheri, Tao Huang, Keting Jia, Florian Mendel, and Yu Sasaki
Abstract
NORX is a second-round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce-based authenticated encryption scheme based on the sponge construction. Its two variants, denoted NORX32 and NORX64, provide security levels of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 (out of 4) rounds. The time complexity of the attack for NORX32 and NORX64 is $2^{119}$ and $2^{234}$, respectively, while the data complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack are $2^{7.3}$, $2^{124.3}$ and $2^{115}$, respectively, for NORX32, and $2^{6.2}$, $2^{232.8}$ and $2^{225}$, respectively, for NORX64. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in the nonce-respecting setting.
Metadata
- Publication info
- Published by the IACR in FSE 2016
- Keywords
- Authenticated encryption, CAESAR, NORX, Guess and determine, Internal differential attack, State recovery, Nonce respect
- Contact author(s)
- sasaki yu @ lab ntt co jp
- History
- 2016-05-04: revised
- 2016-05-04: received
- Short URL
- https://ia.cr/2016/436
- License
- CC BY
BibTeX
@misc{cryptoeprint:2016/436,
  author = {Nasour Bagheri and Tao Huang and Keting Jia and Florian Mendel and Yu Sasaki},
  title = {Cryptanalysis of Reduced {NORX}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2016/436},
  year = {2016},
  url = {https://eprint.iacr.org/2016/436}
}