Paper 2015/186

Higher Order Differential Analysis of NORX

Sourav Das, Subhamoy Maitra, and Willi Meier


In this paper, we analyse the higher order differential properties of NORX, an AEAD scheme submitted to CAESAR competition. NORX is a sponge based construction. Previous efforts, by the designers themselves, have focused on the first order differentials and rotational properties for a small number of steps of the NORX core permutation, which turn out to have quite low biases when extended to the full permutation. In our work, the higher order differential properties are identified that allow to come up with practical distinguishers of the 4-round full permutation for NORX64 and half round less than the full permutation (i.e., 3.5-round) for NORX32. These distinguishers are similar to zero-sum distinguishers but are probabilistic in nature rather than deterministic, and are of order as low as four. The distinguishers have very low complexities, and are significantly more efficient than the generic generalized birthday attack for the same configurations of zero-sums. While these distinguishers identify sharper non-randomness than what the designers identified, our results do not lend themselves for cryptanalysis of full-round NORX encryption or authentication.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
NORXAuthenticated EncryptionCAESARARXHigher-order DifferentialBias.
Contact author(s)
sourav10101976 @ gmail com
2015-03-04: received
Short URL
Creative Commons Attribution


      author = {Sourav Das and Subhamoy Maitra and Willi Meier},
      title = {Higher Order Differential Analysis of NORX},
      howpublished = {Cryptology ePrint Archive, Paper 2015/186},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.