Paper 2016/436

Cryptanalysis of Reduced NORX

Nasour Bagheri, Tao Huang, Keting Jia, Florian Mendel, and Yu Sasaki


NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 (out of 4) rounds. The time complexity of the attack for NORX32 and NORX64 is $2^{119}$ and $2^{234}$ respectively, while the data complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack for NORX32 are $2^{7.3}$, $2^{124.3}$ and $2^{115}$ respectively and for NORX64 are $2^{6.2}$, $2^{232.8}$ and $2^{225}$ respectively. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in nonce respecting manner.

Available format(s)
Publication info
Published by the IACR in FSE 2016
Authenticated encryptionCAESARNORXGuess and determineInternal differential attackState recoveryNonce respect
Contact author(s)
sasaki yu @ lab ntt co jp
2016-05-04: revised
2016-05-04: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nasour Bagheri and Tao Huang and Keting Jia and Florian Mendel and Yu Sasaki},
      title = {Cryptanalysis of Reduced NORX},
      howpublished = {Cryptology ePrint Archive, Paper 2016/436},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.