## Cryptology ePrint Archive: Report 2016/436

Cryptanalysis of Reduced NORX

Nasour Bagheri and Tao Huang and Keting Jia and Florian Mendel and Yu Sasaki

Abstract: NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 (out of 4) rounds. The time complexity of the attack for NORX32 and NORX64 is $2^{119}$ and $2^{234}$ respectively, while the data complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack for NORX32 are $2^{7.3}$, $2^{124.3}$ and $2^{115}$ respectively and for NORX64 are $2^{6.2}$, $2^{232.8}$ and $2^{225}$ respectively. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in nonce respecting manner.

Category / Keywords: Authenticated encryption, CAESAR, NORX, Guess and determine, Internal differential attack, State recovery, Nonce respect

Original Publication (in the same form): IACR-FSE-2016

Date: received 3 May 2016, last revised 4 May 2016

Contact author: sasaki yu at lab ntt co jp

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2016/436

[ Cryptology ePrint archive ]