Authenticated encryption schemes, cryptographic functions that aim to simultaneously provide data privacy and integrity, have gained renewed attention in light of the CAESAR competition [25]. A common approach to building such schemes is to design a block cipher mode of operation, as in CCM [95], OCB1-3 [55, 78, 79], EAX [14], GCM [57], COPA [5], OTR [63], AEZ [48], and SCT [72]. Nevertheless a significant fraction of the CAESAR competition submissions use modes of operation for permutations.

Most of the permutation-based modes follow the basic Sponge design [16]: a state is maintained and regularly updated using a permutation. The state is divided into an outer part of r bits, through which the user enters or extracts data, and an inner part of c bits, which is out of the user’s control. The rate r determines how much plaintext can be processed per permutation call, which gives an estimate of the algorithm’s performance. Keccak, the eventual winner of the competition and now standardized as SHA-3 [35], internally uses the Sponge construction. The Sponge design also found adoption in the field of lightweight hash functions [24, 45].

Security of the Sponge construction as a hash function follows from the fact that the user can only affect the outer state, hence adversaries only succeed with significant probability if they make on the order of \(2^{c/2}\) permutation queries, as this many are needed to produce an inner state collision [16]. Bertoni et al. [17] proved tightness of this bound in the indifferentiability framework of Maurer et al. [56]. Keyed versions of the Sponge construction, such as KeyedSponge [20] and SpongeWrap [19], are proven up to a similar bound of \(2^{c-a}\) (pseudorandom function security for the former and privacy and authenticity for the latter), assuming a limit of \(2^a\) on online complexity, but are additionally restricted by the key size \(\kappa \) to \(2^\kappa \). The permutation-based CAESAR candidates are no exception and recommend parameters based on either the \(2^{c/2}\) or \(2^{c-a}\) bound, as shown in Table 1.

Beyond Conventional Security

Contrary to intuition, a wide range of permutation-based authenticated encryption schemes actually achieve significantly higher mode security: the privacy and authenticity bound on the total complexity can be improved from \(\min \{2^{c/2},2^\kappa \}\) to \(\min \{2^{(r+c)/2},2^c,2^\kappa \}\). Intuitively, the improvement demonstrates that, in the nonce-respecting setting, inner collisions are not relevant to the adversary; only full state collisions are. We remark that in the nonce-reuse scenario [37, 80] the privacy of the scheme can be broken [19], and for authenticity the old bounds hold at best.

The main proof in this work concerns NORX mode v1 and v2 [7, 8], but we demonstrate its applicability to the CAESAR submissions Ascon v1 and v1.1 [33, 34], CBEAM  v1 [83, 84],Footnote 1 ICEPOLE v1 and v2 [65, 66], Keyak v1 [22],Footnote 2 two out of three PRIMATEs v1 and v1.02 [2, 3], and STRIBOB v1 and v2 [81, 85, 86].Footnote 3 Additionally, we note that it directly applies to SpongeWrap [19] and DuplexWrap [22], upon which Keyak v1 is built.

Our results imply that the initial submissions of these CAESAR candidates were overly conservative in choosing their parameters, since reducing c would have lead to the same bound. For instance, Ascon-128 could take \((c,r)=(128,192)\) instead of (256, 64), NORX64 (the proposed mode with 256-bit security) could increase its rate by 128 bits, and GIBBON-120 and HANUMAN-120 could increase their rate by a factor of 4, without affecting their mode security levels.

These observations only concern the mode security, where characteristics of the underlying permutation are set aside. Specifically, the concrete security of the underlying permutations plays a fundamental role in the choice of parameters. For instance, the authors of Ascon [33, 34], NORX [7, 8], and PRIMATEs  [2, 3] acknowledge that non-random properties of some of the underlying primitives exist. Furthermore, the authenticity bound degrades as a function of the number of forgery attempts f: \(\min \{2^{(r+c)/2},2^c/f,2^\kappa \}\). In practical applications, the amount of forgery attempts may be limited, but if this is not possible, caution must be taken. We refer to [75] for a discussion.

Table 1 Parameters and the achieved mode security levels of seven CAESAR submissions

Tightness of the Result

The earlier version of this article by Jovanovic et al. [53] had a security bound of the form \(\min \{2^{(r+c)/2},2^c/r,2^\kappa \}\), showing a security loss logarithmic relative to the rate. This loss was, however, not justified by any existing attack; it arose as an artifact of naively bounding the probability of a multi-collision occurring in the outer state, where multiple evaluations of the underlying primitive map to the same outer value.

In this article, we thoroughly analyze multi-collisions and derive bounds on the size of multi-collisions for various possible choices of r and c. Most importantly, we can conclude that if \(r\ll c\) or \(r\gg c\), multi-collisions have no effect on the security. If \(r\approx c\), the security loss approaches \(\frac{1.4c}{\log _2 c - 2}\), as opposed to the factor r loss from [53]. We refer to Table 2 for a comprehensive description of the bound. Note that for all schemes in Table 1, \(r\ll c\) or \(r\gg c\).

The rigorous analysis of multi-collisions relies on an application of Stirling’s approximation and the Lambert W function. It is not only applicable to Sponge-based modes. For example, there are quite a few cryptographic schemes that have been attacked using multi-collisions, such as block-cipher-based hashing schemes [73], identification schemes [41], JH hash function [58], MDC-2 hash function [54], HMAC and ChopMD MAC [68], the LED block cipher [70], iterated Even-Mansour [32], and strengthened HMAC [88]. Multi-collisions have also influenced various security upper bounds. Typical examples are the indifferentiability proof for the ChopMD construction [27], the collision resistance proof for the Lesamnta-LW hash function [46], and the indistinguishability proof for RMAC [52], where the bound is \(\mathcal {O}(2^n/n)\) due to the existence of n-collisions. The compression function proposed by Hirose et al. [47] has a similar type of bound. Finally, the recent line of research on the keyed Sponge and Duplex constructions [6, 18, 20, 26, 31, 38, 60, 69] strongly relies on “multiplicities.” Some of these security analyses can be improved using our rigorous analysis of multi-collisions.

For \(r<c\), the old bound of [53] is dominated by \(2^{(r+c)/2}\) and is in fact tight. The new bound improves over the one of [53] for \(r\ge c\), and in this work we additionally show that the new bound is tight for all possible choices of (rc). To this end, we present a multi-collision-based adversary that meets the bound proven in our analysis. The attack is described for a generalized Sponge construction that covers CBEAM, ICEPOLE, Keyak v1, NORX, and STRIBOB. Even for variants with the additional XOR of the secret key at the end, (Ascon, GIBBON, and HANUMAN, see Fig. 4), a similar adversary with slightly higher complexity can meet the bound. A comparison of the earlier bound of [53], the new bound, and the attack complexity for the case of \(c=256\) and \(r\ge c\) is given in Fig. 1.

Fig. 1
figure 1

Comparison of the bound by Jovanovic et al. [53], our improved bound, and the matching attack complexity for the case of \(c=256\) and \(r>c\)


One of the interesting questions triggered by the publication of [53] was regarding APE, the third of the PRIMATEs. In more detail, the schemes listed in Table 1 are proven to achieve a beyond \(2^{c/2}\) security level against nonce-respecting adversaries, but the schemes are insecure against nonce-misusing adversaries. In contrast, APE  is proven to achieve \(2^{c/2}\) security in the nonce-reuse scenario [4], and it is of interest to investigate what security guarantees APE  offers against nonce-respecting adversaries. In this work, we include an analysis of APE  in this setting and show that there exists a nonce-respecting blockwise adaptive adversary that can break the privacy with a total complexity of about \(2^{c/2}\). In other words, while APE  is more robust against nonce-misusing adversaries up to common prefix, in the nonce-respecting setting the schemes listed in Table 1 achieve higher security. (We remark that the analysis in this work can be easily extended to the case of blockwise adaptive adversaries.)

Publication History and Subsequent Work

An extended abstract of this article has appeared in the proceedings of ASIACRYPT 2014 [53]. This article is the full version of [53], and additionally includes the proofs that were absent in the proceedings version. New with respect to the full version of [53] are

  1. (i)

    a more rigorous analysis of multi-collisions and the therewith induced improved security bound (Sect. 3),

  2. (ii)

    the generic attack on Sponge-based authenticated encryption schemes demonstrating tightness of the bound (Sect. 5),

  3. (iii)

    a proof that, unlike the schemes of Table 1, APE does not achieve beyond \(2^{c/2}\) security in the nonce-respecting setting (Sect. 7).

Parts (i) and (ii) are due to Sasaki and Yasuda [90], with whom we have collaborated to combine their ideas for a complete analysis of the Sponge-based modes.

In response to the observations made in [53], the designers of Ascon and NORX have reconsidered their parameter choices. The new parameter choices are also listed in Table 1 and testify of a significant security gain for Ascon v1.1 [34] without sacrificing efficiency, and a significant efficiency gain for NORX v2 [8] without sacrificing security. The adjustments will make the schemes faster and more competitive. Mihajloska et al. [61] recently generalized the analysis of [53] to CAESAR submission \(\pi \)-Cipher [42, 43], which is structurally different from NORX in the way it maintains state: a so-called “common internal state” is used throughout the evaluation.

From a more general perspective, the work has triggered analysis in the direction of high-efficiency full-state keyed Duplexes [31, 60, 89]. The result of Mennink et al. [60] on the full-state keyed Duplex has triggered the designers of Keyak to perform a major revision to their scheme. In more detail, Keyak v2 [23] is built on top of the “Motorist” mode, an alternative to the full-state keyed Duplex that was analyzed by Daemen et al. [31]. We remark that the results on the full-state keyed Sponges and Duplexes are more general than the target design in this work. The most important difference between [31, 60] and our work is that we explicitly target nonce-based designs, and this allows for beyond \(2^{c/2}\) security. The work has, to certain extent, furthermore triggered the use of permutations for nonce-reuse secure authenticated encryption schemes [29, 44, 59] beyond APE.

Parallel to the research on keyed Duplexes is the research on the keyed Sponges, i.e., keyed versions of the Sponge that only aim for authenticity. Bertoni et al. [18] introduced the original keyed Sponge. Chang et al. [26] suggested to put the key in the inner part of the Sponge. Andreeva et al. [6] formalized and improved the analysis of the outer- and inner-keyed sponges. The analysis was generalized to the full-state Sponge in [31, 38, 60, 69], following upon ideas that date back to the donkeySponge [21]. Beyond authentication (and encryption), keyed versions of the Sponge have found applications in reseedable pseudorandom sequence generation [18, 39].


We present our security model in Sect. 2. In Sect. 3, we perform an in-depth analysis of multi-collisions with respect to Sponges. A security proof for NORX is derived in Sect. 4. Tightness of the bound is proven in Sect. 5. In Sect. 6, we show that the proof of NORX generalizes to other CAESAR submissions, as well as to SpongeWrap and DuplexWrap. We consider the security of APE against nonce-respecting adversaries in Sect. 7. The work is concluded in Sect. 8, where we also discuss possible generalizations to Artemia [1].

Security Model

For \(n\in \mathbb {N}\), let \(\mathsf {Perm}(n)\) denote the set of all permutations on n bits. When writing \(x\xleftarrow {{\scriptscriptstyle \$}}\mathcal {X}\) for some finite set \(\mathcal {X}\), we mean that x gets sampled uniformly at random from \(\mathcal {X}\). For \(x\in \{0,1\}^{n}\), and \(a,b\le n\), we denote by \([x]^a\) and \([x]_b\) the a leftmost and b rightmost bits of x, respectively. For tuples \((j,k),(j',k')\) we use lexicographical order: \((j,k)>(j',k')\) means that \(j>j'\), or \(j=j'\) and \(k>k'\).

Let \(\varPi \) be an authenticated encryption scheme, with an encryption function \(\mathcal {E}\) and a decryption function \(\mathcal {D}\), where

$$\begin{aligned} (C,A) \longleftarrow \mathcal {E}_K(N;H,M,T) \qquad \text {and}\qquad M/\bot \longleftarrow \mathcal {D}_K(N;H,C,T;A). \end{aligned}$$

Here, N denotes a nonce value, H a header, M a message, C a ciphertext, T a trailer, and A an authentication tag. The values (HT) will be referred to as associated data. If verification is successful, then the decryption function \(\mathcal {D}_K\) outputs M, and \(\bot \) otherwise. The scheme \(\varPi \) is also determined by a set of parameters such as the key size, state size, and block size, but these are left implicit. In addition, we define $ to be an ideal version of \(\mathcal {E}_K\), where $ returns \((C,A)\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{|M|+\tau }\) for every query (NHMT).

We follow the convention in analyzing modes of operation for permutations by modeling the underlying permutations as being drawn uniformly at random from \(\mathsf {Perm}(b)\), where b is a parameter determined by the scheme.

An adversary \(\mathcal {A}\) is a probabilistic algorithm that has access to one or more oracles \(\mathcal {O}\), denoted \(\mathcal {A}^{\mathcal {O}}\). By \(\mathcal {A}^\mathcal {O}=1\) we denote the event that \(\mathcal {A}\), after interacting with \(\mathcal {O}\), outputs 1. We consider adversaries \(\mathcal {A}\) that have unbounded computational power and whose complexity is solely measured by the number of queries made to their oracles. These adversaries have query access to (i) the underlying idealized permutations, (ii) \(\mathcal {E}_K\) or its counterpart $, and possibly (iii) \(\mathcal {D}_K\). The key K is randomly drawn from \(\{0,1\}^{\kappa }\) at the beginning of the security experiment. The security definitions below follow [11, 37, 51, 77, 80].


Let \(\mathbf{p}\) denote a list of idealized permutations, which \(\varPi \) may depend on. We define the advantage of an adversary \(\mathcal {A}\) in breaking the privacy of \(\varPi \) as follows:

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {priv}}(\mathcal {A}) = \left| \mathbf {Pr}_{\mathbf{p},K}\left( \mathcal {A}^{\mathbf{p}^\pm ,\mathcal {E}_K} = 1 \right) - \mathbf {Pr}_{\mathbf{p},\$}\left( \mathcal {A}^{\mathbf{p}^\pm ,\$} = 1 \right) \right| , \end{aligned}$$

where the probabilities are taken over the random choices of \(\mathbf{p},\$,K\), and \(\mathcal {A}\), if any. The fact that the adversary has access to both the forward and inverse permutations in \(\mathbf{p}\) is denoted by \(\mathbf{p}^{\pm }\). We assume that adversary \(\mathcal {A}\) is nonce-respecting, which means that it never makes two queries to \(\mathcal {E}_K\) or $ with the same nonce. By \(\mathbf {Adv}_{\varPi }^{\mathrm {priv}}(q_p,q_\mathcal {E},\lambda _\mathcal {E})\) we denote the maximum advantage taken over all adversaries that query \(\mathbf{p}^\pm \) at most \(q_p\) times, and that make at most \(q_\mathcal {E}\) queries of total length (over all queries) at most \(\lambda _\mathcal {E}\) blocks to \(\mathcal {E}_K\) or $. We remark that this privacy notion is also known as the indistinguishability under chosen plaintext attack (IND-CPA) security of an (authenticated) encryption scheme.


As above, let \(\mathbf{p}\) denote the list of underlying idealized permutations of \(\varPi \). We define the advantage of an adversary \(\mathcal {A}\) in breaking the integrity of \(\varPi \) as follows:

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {auth}}(\mathcal {A}) = \mathbf {Pr}_{\mathbf{p},K}\left( \mathcal {A}^{\mathbf{p}^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { forges} \right) , \end{aligned}$$

where the probability is taken over the random choices of \(\mathbf{p},K\), and \(\mathcal {A}\), if any. We say that “\(\mathcal {A}\) forges” if \(\mathcal {D}_K\) ever returns a message other than \(\bot \) on input of (NHCTA) where (CA) has never been output by \(\mathcal {E}_K\) on input of a query (NHMT) for some M. We assume that adversary \(\mathcal {A}\) is nonce-respecting, which means that it never makes two queries to \(\mathcal {E}_K\) with the same nonce. Nevertheless, \(\mathcal {A}\) is allowed to repeat nonces in decryption queries. By \(\mathbf {Adv}_{\varPi }^{\mathrm {auth}}(q_p,q_\mathcal {E},\lambda _\mathcal {E},q_\mathcal {D},\lambda _\mathcal {D})\) we denote the maximum advantage taken over all adversaries that query \(\mathbf{p}^\pm \) at most \(q_p\) times, make at most \(q_\mathcal {E}\) queries of total length (over all queries) at most \(\lambda _\mathcal {E}\) blocks to \(\mathcal {E}_K\), and at most \(q_\mathcal {D}\) queries of total length at most \(\lambda _\mathcal {D}\) blocks to \(\mathcal {D}_K\).


Consider the following game of balls and bins. Let \(R\ge 1\) be the number of bins and \(\sigma \) the number of balls. The \(\sigma \) balls are thrown uniformly at random into the R bins. By \(\mathsf {multcol}(R,\sigma ,\rho )\) we denote a \(\rho \)-collision, namely the event that there exists a bin that contains \(\rho \) or more balls after all \(\sigma \) balls are thrown.

A folklore result [67, Theorem 3.1], [64, Lemma 5.1] states the following upper bound on the probability of a \(\rho \)-collision for \(\rho \ge 2\):

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \le \frac{1}{R^{\rho -1}} \left( {\begin{array}{c}\sigma \\ \rho \end{array}}\right) \,, \end{aligned}$$

where \(R\ge 1\) and \(\sigma \ge \rho \). Note that \(\sigma \) can be smaller or larger than R.

The bound of (1) involves a binomial coefficient and hence factorials. To evaluate these factorials we rely on Stirling’s approximation. Formally, Stirling’s approximation can be written as an inequality as [71]

$$\begin{aligned} x!\ge \sqrt{2\pi x}\left( \frac{x}{e}\right) ^x\ge \sqrt{x}\left( \frac{x}{e}\right) ^x\,, \end{aligned}$$

where \(\pi =3.14\ldots \) and \(e=2.71\ldots \), which holds for all \(x\ge 1\).

For the purpose of the paper we combine inequalities (1) and (2) in the following way. Let S be some positive number limiting the maximum value of \(\sigma \), i.e., \(\sigma \le S\). From (1) and (2), we get

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right)&\le \frac{1}{R^{\rho -1}}\frac{\sigma ^\rho }{\rho !} \le \left( \frac{S}{R}\right) ^{\rho -1} \frac{\sigma }{\rho !} \end{aligned}$$
$$\begin{aligned}&\le \left( \frac{S}{R}\right) ^{\rho -1} \frac{\sigma }{\sqrt{\rho }\,(\rho /e)^\rho } =\left( \frac{eS}{\rho R}\right) ^{\rho } \frac{R}{\sqrt{\rho }}\frac{\sigma }{S}. \end{aligned}$$

This derivation is identical to that in [67, Theorem 3.1], [64, Lemma 5.1], be it with a slightly more accurate bound for x!. In the remainder of the section, we will introduce the Lambert W function in Sect. 3.1, and derive simplified bounds on \(\mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \) in Sect. 3.2.

Remark 1

The probability that \(\mathsf {multcol}(R,\sigma ,\rho )\) occurs can also be bounded using the Chernoff bound [28]. Consider any fixed bin, and for \(i=1,\ldots ,\sigma \), denote

$$\begin{aligned} X_i ={\left\{ \begin{array}{ll} 1 \text { with probability } 1/R\,,\\ 0 \text { with probability } 1-1/R. \end{array}\right. } \end{aligned}$$

Defining \(X=\sum _{i=1}^\sigma X_i\) as the number of balls in that specific bin, the Chernoff bound states that for any \(t>0\) [64, Section 4.2],

$$\begin{aligned} \mathbf {Pr}\left( X\ge \rho \right) \le \mathbf {Pr}\left( e^{tX}\ge e^{t\rho }\right) \le \frac{\mathbf {Ex}\left( e^{tX}\right) }{e^{t\rho }}. \end{aligned}$$

As in our case the events \(X_i\) are mutually independent,

$$\begin{aligned} \mathbf {Ex}\left( e^{tX}\right) = \prod _{i=1}^\sigma \mathbf {Ex}\left( e^{tX_i}\right) = \left( 1 + \frac{e^t-1}{R}\right) ^\sigma . \end{aligned}$$

One therefore finds, for any \(t>0\),

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \le R\cdot \frac{\left( 1 + \frac{e^t-1}{R}\right) ^\sigma }{e^{t\rho }}. \end{aligned}$$

Looking ahead, in our applications we will need an upper bound of this term of the form \(\sigma /S\), where \(\rho \) is a function of R and S. The bound of (4) is more suited for that.

Likewise, specific variants of (5) such as

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,(1+\delta )\sigma /R)\right) \le R\cdot \left( \frac{e^{\delta }}{(1+\delta )^{1+\delta }} \right) ^{\sigma /R}, \end{aligned}$$

obtained from (5) by setting \(\rho =(1+\delta )\sigma /R\) and \(t=\ln (1+\delta )\) [67, Theorem 4.1], [64, Theorem 4.4], do not directly seem to give an improved result for our specific parameter setting.

An alternative approach to bound the probability that \(\mathsf {multcol}(R,\sigma ,\rho )\) occurs, is via the first and second moments, as done by Raab and Steger [74]. In detail, Raab and Steger demonstrate that \(\mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho (R,\sigma ))\right) =o(1)\) for various parameter settings and choices of \(\rho \) as a function of R and \(\sigma \) [74, Theorem 1]. This approach, as well as the related approaches in the field of cryptography [10, 49], again does not fit our targeted upper bound.

Lambert W Function

Stirling’s approximation contains a “self-exponential” function \(x^x\), and we will need to solve equations of the form

$$\begin{aligned} \xi ^\xi =d \end{aligned}$$

for variable \(\xi \). For this purpose we utilize the Lambert W function [71]. Consider the function \(f(w)=we^w\) defined for complex numbers w. Then, the Lambert W function is the inverse relation of f. More precisely, \(Z=W(Z)e^{W(Z)}\) is the defining equation for W, and Eq. (6) can be solved, using W, as

$$\begin{aligned} \xi =e^{W(D)}\,, \end{aligned}$$

where \(D:=\ln d\) [30].

In this work, we can restrict the domain of W to real numbers \(X\ge -1/e\) and the range to real numbers \(W(X)\ge -1\), and we focus on the principal branch \({W_{\mathrm {p}}}\), which is a single-valued function. Hoornar and Hassani [50] derived the following inequality on \({W_{\mathrm {p}}}(X)\) for any \(X\ge e\):

$$\begin{aligned} {W_{\mathrm {p}}}(X)\le \ln X-\ln \ln X + \ln (1+e^{-1}). \end{aligned}$$

Back to (6), when \(\xi \) is restricted to real numbers, the solution (7) becomes

$$\begin{aligned} \xi =e^{{W_{\mathrm {p}}}(D)} \le e^{\ln D-\ln \ln D+\ln (1+e^{-1})}=\frac{(1+e^{-1})D}{\ln D}. \end{aligned}$$

It should be emphasized that this bound is valid only under the condition \(D\ge e\), or equivalently, \(d\ge e^e\).

Bounding Multi-Collision Probability

We will derive Sponge-oriented bounds for \(\rho \). In more detail, consider parameters brc such that \(b=r+c\), write \(R=2^r\), and \(S=\min \{2^{b/2},2^c\}\). We will derive choices for \(\rho \) (depending on r and c), such that the probability of a multi-collision of (1) is bounded by \(\sigma /S\).

Lemma 1

Write \(b=r+c\), \(R=2^r\), and \(S=\min \{2^{b/2},2^c\}\). Assume that \(c\ge 13\). Then,

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho (r,c))\right) \le \frac{\sigma }{S}, \end{aligned}$$


$$\begin{aligned}&\rho (r,c)\\&\quad :={\left\{ \begin{array}{ll} \left\lceil e2^{(c-r)/2} \right\rceil &{}\text {if }\, r \le c/5 \text { (case (i))}\,,\\ \left\lceil 3.4\cdot 2^{(c-r)/2} \right\rceil &{}\text {if }\, c/5< r \le c-2\log _2c \text { (case (ii))}\,,\\ \left\lceil 8.0\cdot 2^{(c-r)/2} \right\rceil &{}\text {if }\, c-2\log _2c< r \le c-2\log _2c+7.2 \text { (case (iii))}\,,\\ \left\lceil \dfrac{0.7(5r-c)}{2\log _2(5r-c) + r-c-8} \right\rceil &{}\text {if }\, c-2\log _2c+7.2< r< c \text { (case (iv))}\,,\\ \left\lceil \dfrac{1.4r}{\log _2r+r-c-2} \right\rceil &{}\text {if }\, c \le r \le c + e\log _2c - e\beta \text { (case (v))}\,,\\ \left\lceil \dfrac{r}{r-c} \right\rceil &{}\text {if }\, c + e\log _2c - e\beta< r < 2c \text { (case (vi))}\,,\\ 2 &{}\text {if }\, 2c \le r \text { (case (vii))}, \end{array}\right. } \end{aligned}$$

where \(\beta :=\log _2e+\log _2\log _2e\).

The proof of Lemma 1 is constructive, and the bounds for \(\rho \) are derived constructively rather than simply proven to hold. However, the reasoning is structurally different for the cases where \(r<c\) (cases (i-iv)) and for the cases where \(r\ge c\) (cases (v-vii)).

Proof of Lemma 1(i-iv)

For the case \(r<c\), our basic strategy is to bound \(\mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \) by \(\sigma /S\), where \(S=2^{b/2}\), by means of setting

$$\begin{aligned} \rho :=\bigl \lceil \theta 2^{(c-r)/2}\bigr \rceil \end{aligned}$$

for sufficiently large parameter \(\theta \). Note that, by the generalized pigeonhole principle, \(2^{(c-r)/2}\) is the minimum value of \(\rho \) when \(\sigma \) reaches \(S=2^{b/2}\).

Assume that \(\rho \ge eS/R=e2^{b/2}/2^r=e2^{(c-r)/2}\), i.e., \(\theta \ge e\). Then, (4) becomes

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \le \left( \frac{eS}{\rho R}\right) ^\rho \frac{R}{\sqrt{\rho }}\frac{\sigma }{S}&\le \left( \frac{e2^{b/2}}{\theta 2^{(c-r)/2}2^r}\right) ^{\theta 2^{(c-r)/2}}\frac{2^r}{\sqrt{\theta 2^{(c-r)/2}}}\frac{\sigma }{S}\nonumber \\&=\left( \frac{e}{\theta }\right) ^{\theta 2^{(c-r)/2}}\frac{2^{(5r-c)/4}}{\sqrt{\theta }} \frac{\sigma }{S}\,, \end{aligned}$$

and we start from this equation for the cases (i-iv).

Case (i)::

\({{\varvec{r}}} \le {{\varvec{c}}}/\mathbf{5}\). Since \(r\le c/5\), we have \(2^{(5r-c)/4}\le 1\). Therefore, the bound of (9) satisfies

$$\begin{aligned} \left( \frac{e}{\theta }\right) ^{\theta 2^{(c-r)/2}}\frac{2^{(5r-c)/4}}{\sqrt{\theta }}\frac{\sigma }{S} \le \left( \frac{e}{\theta }\right) ^{\theta 2^{(c-r)/2}}\frac{1}{\sqrt{e}}\frac{\sigma }{S}\le \left( \frac{e}{\theta }\right) ^{\theta 2^{(c-r)/2}}\frac{\sigma }{S}. \end{aligned}$$

We can choose the minimum \(\theta :=e=2.71\ldots \) so that \((e/\theta )^{\theta 2^{(c-r)/2}}=1\), which implies that (10) is upper bounded by \(\sigma /S\), as desired. The size of a multi-collision is bounded by

$$\begin{aligned} \rho =\left\lceil e2^{(c-r)/2} \right\rceil . \end{aligned}$$
Case (ii): :

\({{\varvec{c}}}/\mathbf{5} < {{\varvec{r}}} \le {{\varvec{c}}}-\mathbf{2}{} \mathbf{log}_{\mathbf{2}}{{\varvec{c}}}\). If \(r>c/5\), then the factor \(2^{(5r-c)/4}\) in the bound (9) becomes larger than 1, and we need to somehow cancel this factor by increasing the value of \(\theta \). The factor \(\sqrt{\theta }\) is too small for this purpose, and hence we aim at the factor \((e/\theta )^{\theta 2^{(c-r)/2}}\). The following observation suggests that we need to increase the value of \(\theta \) by only a small amount, as long as \(r\le c-2\log _2c\):

\(\square \)


If \(r\le c-2\log _2c\), then we have \(2^{(c-r)/2}\ge (5r-c)/4\).

Proof of claim

Direct computation yields \(2^{(c-r)/2}\ge 2^{\log _2c}=c\ge (5r-c)/4\). \(\square \)

Hence, it remains to ensure that \((e/\theta )^\theta \le 1/2\). For this we set \(\theta :=3.4\), so that \((\mathrm {e}/\theta )^\theta =(2.71\ldots /3.4)^{3.4}=0.46\ldots \le 1/2\). Then, the bound of (9) satisfies

$$\begin{aligned} \left( \frac{e}{\theta }\right) ^{\theta 2^{(c-r)/2}} \frac{2^{(5r-c)/4}}{\sqrt{\theta }}\frac{\sigma }{S} \le \left( \frac{1}{2}\right) ^{2^{(c-r)/2}}\frac{2^{(5r-c)/4}}{\sqrt{3.4}}\frac{\sigma }{S}\le \frac{\sigma }{S} \end{aligned}$$

by the above claim. The size of a multi-collision is bounded by

$$\begin{aligned} \rho =\left\lceil 3.4\cdot 2^{(c-r)/2} \right\rceil . \end{aligned}$$
Case (iii): :

\({{\varvec{c}}}-\mathbf{2log}_{\mathbf{2}}{{\varvec{c}}} < {{\varvec{r}}} \le {{\varvec{c}}}-\mathbf{2log}_{\mathbf{2}}{{\varvec{c}}}+\mathbf{7.2}\). This is a technical case to bridge a gap between case (ii) and case (iv). The reason behind the constant 7.2 will become clear in the analysis of case (iv).

Set \(\delta :=r-c+2\log _2c\), so that \(\delta \in (0,\,7.2]\). Then we have \(2^{(c-r)/2}=2^{\log _2c-\delta /2}=2^{-\delta /2}c\ge 2^{-\delta /2}(5r-c)/4\). Hence, the bound of (9) satisfies

$$\begin{aligned} \left( \frac{e}{\theta }\right) ^{\theta 2^{(c-r)/2}}\frac{2^{(5r-c)/4}}{\sqrt{\theta }}\frac{\sigma }{S} \le&\left( \frac{e}{\theta }\right) ^{\theta 2^{-\delta /2}(5r-c)/4}\frac{2^{(5r-c)/4}}{\sqrt{\theta }}\frac{\sigma }{S} \\ =&\left( 2\left( \frac{e}{\theta }\right) ^{\theta 2^{-\delta /2}}\right) ^{(5r-c)/4} \frac{1}{\sqrt{\theta }}\frac{\sigma }{S}, \end{aligned}$$

and we want to ensure that \((e/\theta )^{\theta 2^{-\delta /2}}\le 1/2\). Given the previous constant 3.4 and the new factor \(2^{-\delta /2}\), let us put \(\theta :=3.4\cdot 2^{0.17\delta }\) and define \(\varphi (\zeta ):=\bigl (e/(3.4\cdot 2^{0.17\zeta })\bigr )^{3.4\cdot 2^{0.17\zeta }2^{-\zeta /2}}=\bigl (e/(3.4\cdot 2^{0.17\zeta })\bigr )^{3.4\cdot 2^{-0.33\zeta }}\) that is defined for real numbers \(\zeta \in [0,\,7.2]\). It remains to show the following:


We have \(\varphi (\zeta )\le 0.495\le 1/2\).

Proof of claim

The derivative of \(\varphi \) is computed as

$$\begin{aligned} \varphi '(\zeta )=3.4\cdot 2^{-0.33\zeta }\ln 2\left( \frac{e}{3.4\cdot 2^{0.17\zeta }}\right) ^{3.4\cdot 2^{-0.33\zeta }}\left( 0.33\ln (3.4\cdot 2^{0.17\zeta })-0.5\right) , \end{aligned}$$

and equation \(\varphi '(\zeta )=0\) has a unique solution \(\zeta _0:=\log _2(e^{0.5/0.33}/3.4)/0.17=2.47\ldots \). Direct computation shows that the second-order derivative \(\varphi ''(\zeta )\) is positive for \(\zeta \in [0,\,7.2]\), implying that \(\varphi (\zeta )\) is minimum at \(\zeta _0\). We already know that \(\varphi (0)=(e/3.4)^{3.4}=0.46\cdots \le 1/2\), and so we end the proof by computing \(\varphi (7.2)=\bigl (e/(3.4\cdot 2^{0.17\cdot 7.2})\bigr )^{3.4\cdot 2^{-0.33\cdot 7.2}}=0.495\ \ldots \le 1/2\). \(\square \)

The value of \(\theta \) grows as \(\delta \) increases, from 3.4 to \(3.4\cdot 2^{0.17\cdot 7.2}=7.94\ldots \le 8.0\).

Case (iv): :

\({{\varvec{c}}}-\mathbf{2log}_{\mathbf{2}}{{\varvec{c}}}+\mathbf{7.2}< {{\varvec{r}}} < {{\varvec{c}}}\). The value of \(\theta \) needs to increase as r approaches to c, and in general \(\theta \) cannot be bounded by a constant but is rather a function of r and c. The Lambert W function can handle such a case, yielding a fairly sharp bound.

Put \(\varphi (\zeta ):=(e/\zeta )^{\zeta 2^{(c-r)/2}}2^{(5r-c)/4}\), defined for real numbers \(\zeta \ge e\). Then \(\varphi (\zeta )\) is strictly decreasing. This leads us to solve equation \(\varphi (\zeta )=1\) to determine the value of \(\theta \), as a function of r and c. Let \(\zeta _0\) be a solution of this equation. Then the equality \(\varphi (\zeta _0)=1\) becomes \((\zeta _0/e)^{\zeta _02^{(c-r)/2}}=2^{(5r-c)/4}\), which is equivalent to

$$\begin{aligned} \left( \frac{\zeta _0}{e}\right) ^{\zeta _0/e}=2^{(5r-c)/ \big (4e2^{(c-r)/2}\big )}. \end{aligned}$$

We can solve Eq. (11) for \(\zeta _0\) using formula (7) by the Lambert W function, via setting \(\xi =\zeta _0/e\) and \(d=2^{(5r-c)/4e2^{(c-r)/2}}\), as

$$\begin{aligned} \frac{\zeta _0}{e}=e^{{W}(E)}\,, \end{aligned}$$

where \(E:=\ln 2^{(5r-c)/4e2^{(c-r)/2}}=(5r-c)/\big (4e2^{(c-r)/2} \log _2e\big )\). Now we want to use inequality (8) for the function \(W_{\mathrm {p}}\) to upper bound \(\zeta _0\), but for that purpose we need to make sure that \(E\ge e\). It is exactly for this reason that we have chosen the constant 7.2, as shown by the following claim.


Let \(c\ge 13\). The inequality

$$\begin{aligned} E\ge 2.75 \ge e \end{aligned}$$

holds for all \(r\in [c-2\log _2c+7.2,\,c\,]\). (The condition \(c\ge 13\) is to make the range of r non-empty.)

Proof of claim

We have

$$\begin{aligned} E=\frac{5r-c}{4e2^{(c-r)/2}\log _2e}\ge \frac{5(c-2\log _2c+7.2)-c}{4e2^{\log _2c-3.6}\log _2e} =\frac{2^{2.6}(2c-5\log _2c+18)}{ec\log _2e}, \end{aligned}$$

which leads us to study the function \(\psi (\omega ):=2^{2.6}(2\omega -5\log _2\omega +18)/e\omega \log _2e\) defined for real numbers \(\omega \ge 13\). We compute the derivative of \(\psi (\omega )\) as \(\psi '(\omega )=2^{2.6}(5\log _2 \omega +18-5\log _2e)/e\omega ^2\log _2e\), and equation \(\psi '(\omega )=0\) has a unique solution \(\omega _0=2^{18/5}e=32.9\ldots \), at which \(\psi (\omega _0)=2.75\ldots \). Since the second-order derivative \(\psi ''(\omega )=2^{2.6}(-10\log _2\omega +36+15\log _2e)/e\omega ^3\log _2e\) is positive for \(13\le \omega <2^{18/5}e^{3/2}=54.3\ldots \), we conclude that \(\psi (\omega )\ge 2.75\) for all \(\omega \ge 13\), and hence \(E\ge 2.75\ge e\) for all \(c\ge 13\) and \(r\in [c-\log _2c+7.2,\,c\,]\), as desired. \(\square \)

Now we can apply inequality (8) to our case (12) to get

$$\begin{aligned} \frac{\zeta _0}{e}\le \frac{(1+e^{-1})E}{\ln E} =\frac{(1+e^{-1})(5r-c)/\big (2e2^{(c-r)/2}\big )}{2\log _2(5r-c)+r-c-4-2\beta }. \end{aligned}$$

We compute \((1+e^{-1})/2=0.68\ldots \) and \(-4-2\beta =-7.94\ldots \). Set

$$\begin{aligned} \theta :=0.7(5r-c)/2^{(c-r)/2}/\bigl (2\log _2(5r-c)+r-c-8\bigr ) \end{aligned}$$

so that \(\theta \ge \zeta _0\) and \(\varphi (\theta )\le 1\) (recall that \(\varphi (\zeta )\) is strictly decreasing). In addition, since \(E\ge e\) from condition (13), we have \(\theta /e\ge \zeta _0/e=e^{{W_{\mathrm {p}}}(E)}\ge e\), meaning \(\theta \ge e^2=7.38\ldots \). Therefore, the bound of (9) satisfies

$$\begin{aligned} \left( \frac{e}{\theta }\right) ^{\theta 2^{(c-r)/2}}\frac{2^{(5r-c)/4}}{\sqrt{\theta }}\frac{\sigma }{S} =\frac{\varphi (\theta )}{\sqrt{\theta }}\frac{\sigma }{S}\le \frac{1}{\sqrt{e^2}}\frac{\sigma }{S}\le \frac{\sigma }{S}. \end{aligned}$$

We thus obtain

$$\begin{aligned} \rho = \bigl \lceil \theta 2^{(c-r)/2}\,\bigr \rceil = \left\lceil \frac{0.7(5r-c)}{2\log _2(5r-c)+r-c-8}\right\rceil . \end{aligned}$$

\(\square \)

Proof of Lemma 1(v-vii)

The analysis is different from the cases (i-iv) in the sense that we do not need to rely on the factor \(\sqrt{\rho }\) in Stirling’s approximation, and the Lambert W function is more easily applicable.

Case (v): :

\({{\varvec{c}}} \le {{\varvec{r}}} \le {{\varvec{c}}} + {{\varvec{e}}}{} \mathbf{log}_{\mathbf{2}}{{\varvec{c}}} - {{\varvec{e}}}{\varvec{\beta }}\). Consider bound (4). We have \(R=2^r\) and \(S=2^c\), and hence,

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \le \left( \frac{eS}{\rho R}\right) ^\rho \frac{R}{\sqrt{\rho }}\frac{\sigma }{S} =\left( \frac{e2^c}{\rho 2^r}\right) ^\rho \frac{2^r}{ \sqrt{\rho }}\frac{\sigma }{S} =\left( \frac{e}{\rho 2^{r-c}}\right) ^\rho \frac{2^r}{\sqrt{\rho }}\frac{\sigma }{S}. \end{aligned}$$

Put \(\varphi (\zeta ):=(e/\zeta 2^{r-c})^\zeta 2^r\) that is defined for real numbers \(\zeta \ge 2\). We see that \(\varphi (\zeta )\) is strictly decreasing, and at \(\zeta =2\) we have \(\varphi (2)=(e/2)^22^{2c-r}\) which is greater than 1 because \(2c\ge r\). So we would like to solve equation \(\varphi (\zeta )=1\). Let \(\zeta _0\) be a solution of this equation. This means that \((\zeta _02^{r-c}/e)^{\zeta _0}=2^r\), which is equivalent to

$$\begin{aligned} \left( \frac{\zeta _02^{r-c}}{e}\right) ^{\zeta _02^{r-c}/e} =2^{r2^{r-c}/e}. \end{aligned}$$

To apply (7) to solve (14), set \(\xi =\zeta _02^{r-c}/e\) and \(d=2^{r2^{r-c}/e}\). We obtain

$$\begin{aligned} \frac{\zeta _0 2^{r-c}}{e}=e^{W(G)}, \end{aligned}$$

where \(G:=\ln 2^{r2^{r-c}/e}=r2^{r-c}(\ln 2)/e\). As \(r\ge c\ge 13\ge 11\), we have \(G\ge 11\cdot (\ln 2)/e=2.80\ldots \ge e\). Using (8),

$$\begin{aligned} \frac{\zeta _02^{r-c}}{e}=e^{W_{\mathrm {p}}(G)}\le \frac{(1+e^{-1})G}{\ln G}=\frac{(1+e^{-1})r2^{r-c}/e}{\log _2r+r-c-\beta }, \end{aligned}$$

where \(\beta =\log _2e+\log _2\log _2e=1.97\ldots \). Since \((1+e^{-1})=1.36\ldots \), we can set

$$\begin{aligned} \zeta _0\le \rho :=\left\lceil \frac{1.4r}{\log _2r+r-c-2}\right\rceil . \end{aligned}$$
Case (vi): :

\({{\varvec{c}}} + {{\varvec{e}}}{} \mathbf{log}_{\mathbf{2}}{{\varvec{c}}} - {{\varvec{e}}}{\varvec{\beta }}< {{\varvec{r}}} < \mathbf{2}{{\varvec{c}}}\). Technically, the bound of case (v) is valid only for \(r\le 2c\). To obtain bounds for \(r\ge 2c\) we perform a different kind of analysis. We do not start with (4) but go back further to (3), and consider a simplified bound

$$\begin{aligned} \rho :=\left\lceil \frac{r}{r-c}\right\rceil . \end{aligned}$$

The intuition behind (16) is as follows. The “folklore” approach to obtaining a \(\rho \)-collision on r-bit values takes about \(2^{(\rho -1)r/\rho }\) trials. Suzuki et al. showed that even under this amount of trials, the probability of finding a \(\rho \)-collision is actually quite low, about \(1/\rho !\) [91, 92]. Inspired by this, we consider equation \(2^c=2^{(\rho -1)r/\rho }\). Solving this equation for variable \(\rho \) yields \(\rho =r/(r-c)\), as desired.

As we will show, the bound (16) “works” not only for \(r\ge 2c\) but for all \(r> c\). Moreover, it turns out that (16) is actually better than (15) for a large part of \(r\in (c,\,2c\,]\), except where \(r\approx c\). \(\square \)


Let \(r>c\). For \(\rho \) of (16), we have \(\mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \le \sigma /S\).

Proof of claim

We go back to (3). Set \(R=2^r\) and \(S=2^c\). We have

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multcol}(R,\sigma ,\rho )\right) \le \left( \frac{S}{R} \right) ^{\rho -1}\frac{\sigma }{\rho !}&=\left( \frac{2^c}{2^r}\right) ^{\left\lceil r/(r-c)\right\rceil -1}\frac{\sigma }{\rho !}\\&\le \left( \frac{1}{2^{r-c}}\right) ^{r/(r-c)-1}\frac{\sigma }{\rho !}\\&=\left( \frac{1}{2^{r-c}}\right) ^{c/(r-c)} \frac{\sigma }{\rho !}=\left( \frac{1}{2^c}\right) \frac{\sigma }{\rho !}=\frac{1}{\rho !} \,\frac{\sigma }{S}\le \frac{\sigma }{S}, \end{aligned}$$

as desired. \(\square \)


Let \(r>c\ge 11\). Then, (16) is better (smaller) than (15) if \(r>c+e\log _2r-e\beta \).

Proof of claim

Define the function

$$\begin{aligned} \varDelta _c(u):=\frac{(1+e^{-1})u}{u-c+\log _2u-\beta }-\frac{u}{u-c} \end{aligned}$$

whose domain is the real numbers \(u\in (c,\,2c\,]\) with \(c\ge 11\) and \(\beta =\log _2e+\log _2\log _2e=1.97\ldots \). Then equation \(\varDelta _c(u)=0\) becomes \(u=c+e\log _2u-e\beta \), whose solution we denote by \(u_0\). We differentiate \(\varDelta _c\) with respect to u as

$$\begin{aligned} \frac{\partial \varDelta _c}{\partial u}=\frac{(1+e^{-1})(-c+\log _2u-\beta -\log _2e)}{(u-c+\log _2u-\beta )^2}+\frac{c}{(u-c)^2}, \end{aligned}$$

and at \(u=u_0\) we have

$$\begin{aligned} \left. \frac{\partial \varDelta _c}{\partial u}\right| _{u=u_0}=\frac{u_0-e\log _2e}{(1+e)(u_0-c)^2} \end{aligned}$$

using \(u_0=c+e\log _2u_0-e\beta \). We see that \(u_0\ge e\log _2e=3.92\ldots \) because \(r>c\ge 11\). \(\square \)

Note that \(c+e\log _2r-e\beta >c+e\log _2c-e\beta \), making the distinction between this case (vi) and the previous case (v) clear.

Case (vii): :

\(\mathbf{2}{{\varvec{c}}} \le {{\varvec{r}}}\). In this case, we can use the reasoning of case (vi), with \(\rho =2\) by (16). \(\square \)


We introduce NORX  at a level required for the understanding of the security proof and refer to Aumasson et al. [7, 8] for the formal specification. Let p be a permutation on b bits. All b-bit state values are split into an outer part of r bits and an inner part of c bits. We denote the key size of NORX  by \(\kappa \) bits, the nonce size by \(\nu \) bits, and the tag size by \(\tau \) bits. The header, message, and trailer can be of arbitrary length and are padded using \(10^*1\)-padding to a length of a multiple of r bits. Throughout, we denote the r-bit header blocks by \(H_1,\ldots ,H_u\), message blocks by \(M_1,\ldots ,M_v\), ciphertext blocks by \(C_1,\ldots ,C_v\), and trailer blocks by \(T_1,\ldots ,T_w\).

Unlike other permutation-based schemes, NORX  allows for parallelism in the encryption part, which is described using a parameter \(D\in \{0,\ldots ,255\}\) corresponding to the number of parallel chains. Specifically, if \(D\in \{1,\ldots ,255\}\) NORX  has D parallel chains, and if \(D=0\) it has v parallel chains, where v is the block length of M or C.

NORX  consists of five proposed parameter configurations: NORX W-R-D for \((W,R,D)\in \{(64,4,1),(32,4,1),(64,6,1),(32,6,1),(64,4,4)\}\). The parameter R denotes the number of rounds of the underlying permutation p, and W denotes the word size which we use to set \(r=10W\) and \(c=6W\). The default key and tag size are \(\kappa =\nu =4W\). The corresponding parameters for the two different choices of W, 64 and 32, are given in Table 1.

Although NORX  starts with an initialization function \(\mathsf {init}\) which requires the parameters \((D, R, \tau )\) as input, as soon as our security experiment starts, we consider \((D,R,\tau )\) fixed and constant. Hence, we can view \(\mathsf {init}\) as a function that maps (KN) to \((K\Vert N\Vert 0^{b-\kappa -\nu })\oplus \mathsf {const}\), where \(\mathsf {const}\) is irrelevant to the mode security analysis of NORX, and will be ignored in the remaining analysis.

After \(\mathsf {init}\) is called, the header H is compressed into the rate, then the state is branched into D states (if necessary), the message blocks are encrypted in a streaming way, the D states are merged into one state (if necessary), the trailer is compressed, and finally the tag A is computed. All rounds are preceded with a domain separation constant XORed into the capacity: \(\mathtt {01}\) for header compression, \(\mathtt {02}\) for message encryption, \(\mathtt {04}\) for trailer compression, and \(\mathtt {08}\) for tag generation. If \(D\ne 1\), domain separators \(\mathtt {10}\) and \(\mathtt {20}\) are used for branching and merging, along with pairwise distinct lane indices \(id_k\) for \(k=1,\ldots ,D\) (if \(D=1\) we write \(id_1=\mathtt {0}\)). In Fig. 2 we depict NORX for \(D=1\) and \(D=2\).

Fig. 2
figure 2

NORX with \(D=1\) (top) and \(D=2\) (bottom)

The privacy of NORX is proven in Sect. 4.1 and the integrity in Sect. 4.2. In both proofs we consider an adversary that makes \(q_p\) permutation queries and \(q_\mathcal {E}\) encryption queries of total length \(\lambda _\mathcal {E}\). In the proof of integrity, the adversary can additionally make \(q_\mathcal {D}\) decryption queries of total length \(\lambda _\mathcal {D}\). To aid the analysis, we compute the number of permutation calls made via the \(q_\mathcal {E}\) encryption queries. The exact same computation holds for decryption queries with the parameters defined analogously.

Consider a query to \(\mathcal {E}_K\), consisting of u header blocks, v message blocks, and w trailer blocks. We denote its corresponding state values by

$$\begin{aligned} \left( s^{\text {init}};\; s_0^H,\ldots ,s_u^H ; \left[ \begin{array}{c} s_{1,0}^M,\ldots ,s_{1,v_1}^M\\ \vdots \qquad \;\;\;\quad \vdots \\ s_{D,0}^M,\ldots ,s_{D,v_D}^M\\ \end{array}\right] ;\; s_0^T,\ldots ,s_w^T;\;s^\text {tag} \right) , \end{aligned}$$

as outlined in Fig. 2. Here, \(\sum _{k=1}^D v_k = v\). If there are no branching and merging phases, i.e., \(D=1\), then the state values corresponding to the branching and merging, \(\{s_{1,0}^M,\ldots ,s_{D,0}^M\}\) and \(s_0^T\), are left out of the tuple. Note that the length of this tuple equals the number of primitive calls made in this encryption query, as every state value corresponds to the input of exactly one primitive call. A simple calculation shows that if the \(j\hbox {th} \mathcal {E}_K\) query is of length \(u+v+w\) blocks, it results in \(u+v+w+3\) state values if \(D=1\), in \(u+v+w+D+4\) state values if \(D>1\), and in \(u+2v+w+4\) state values if \(D=0\).Footnote 4 We denote the number of state values by \(\sigma _{\mathcal {E},j}\), where the dependence on D is suppressed as D does not change during the security game. In other words, \(\sigma _{\mathcal {E},j}\) denotes the number of primitive calls in the \(j\hbox {th}\) query to \(\mathcal {E}_K\). Furthermore, we define \(\sigma _\mathcal {E}\) to be the total number of primitive evaluations via the encryption queries, and find that

$$\begin{aligned} \sigma _\mathcal {E}:= \sum _{j=1}^{q_\mathcal {E}} \sigma _{\mathcal {E},j} \le {\left\{ \begin{array}{ll} 2\lambda _\mathcal {E}+ 4q_\mathcal {E}\text {, if } D=0\,,\\ \lambda _\mathcal {E}+ 3q_\mathcal {E}\text {, if } D=1\,,\\ \lambda _\mathcal {E}+ (D+4)q_\mathcal {E}\text {, if }D>1. \end{array}\right. } \end{aligned}$$

This bound is rather tight. Particularly, for \(D=0\) an adversary can meet this bound by only making queries without header and trailer. For queries to \(\mathcal {D}_K\) we define \(\sigma _{\mathcal {D},j}\) and \(\sigma _\mathcal {D}\) analogously.

Privacy of NORX

Theorem 1

Let \(\varPi =(\mathcal {E},\mathcal {D})\) be NORX based on an ideal underlying primitive p. Then,

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {priv}}(q_p,q_\mathcal {E},\lambda _\mathcal {E}) \le \dfrac{3(q_p+\sigma _\mathcal {E})^2}{2^{b+1}} + \dfrac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}} + \dfrac{2\rho q_p}{2^c} + \dfrac{q_p+\sigma _\mathcal {E}}{2^\kappa }, \end{aligned}$$

where \(\sigma _\mathcal {E}\) is defined in (18), and where \(\rho =\rho (r,c)\) is the function defined in Lemma 1.

Theorem 1 can be interpreted as implying that NORX  provides privacy security as long as the total complexity \(q_p+\sigma _\mathcal {E}\) does not exceed \(\min \{2^{b/2},2^\kappa \}\) and the total number of primitive queries \(q_p\), also known as the offline complexity, does not exceed \(2^c/\rho \). The presence of the term \(\rho \) makes the bound a bit unclear; in Table 2 we give the main implication of this bound for the various possible values of r and c as outlined in Lemma 1. See Table 1 for the security level of the various parameter choices of NORX: for NORX v1 [7], we are concerned with case (vi), where \(\rho =\lceil 2.5\rceil =3\) for both \(b\in \{512,1024\}\); for NORX v2 [8], we are in case (vii), where \(\rho =2\).

Table 2 High-level security bounds of Theorem 1

The proof is based on the observation that NORX  is indistinguishable from a random scheme as long as there are no collisions among the (direct and indirect) evaluations of p. Due to uniqueness of the nonce, state values from evaluations of \(\mathcal {E}_K\) collide with probability approximately \(1/2^b\). Regarding collisions between direct calls to p and calls via \(\mathcal {E}_K\): while these may happen with probability about \(1/2^c\), they turn out not to significantly influence the bound. The latter is demonstrated in part using the principle of multiplicities [18]: roughly stated, the maximum number of state values with the same outer part. We use Lemma 1 to bound multiplicities. The formal security proof is more detailed. Furthermore, we remark that, at the cost of readability and simplicity of the proof, the bound could be improved by a constant factor.


Consider any adversary \(\mathcal {A}\) with access to either \((p^\pm ,\mathcal {E}_K)\) or \((p^\pm ,\$)\) and whose goal is to distinguish these two worlds. For brevity, we write

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {priv}}(\mathcal {A}) = \varDelta _\mathcal {A}(p^\pm ,\mathcal {E}_K;p^\pm ,\$). \end{aligned}$$

We start by replacing \(p^\pm \) by a random function to simplify analysis. This is done with a “URP-URF” switch [13], in which we make a transition from \(p^\pm \) to a primitive \(f^\pm \) defined as follows (as done by Andreeva et al. [4]).

The primitive \(f^\pm \) maintains an initially empty list \(\mathcal {F}\) of query/response tuples (xy) where the set of domain and range values are denoted by \(\mathrm {dom}(\mathcal {F})\) and \(\mathrm {rng}(\mathcal {F})\), respectively. For a forward query f(x) with \(x\in \mathrm {dom}(\mathcal {F})\), the value in \(\{y \mid (x,y)\in \mathcal {F}\}\) which occurs lexicographically first is returned. For a new forward query f(x), the response y is randomly drawn from \(\{0,1\}^{b}\), then the tuple (xy) is added to \(\mathcal {F}\). The description for \(f^{-1}\) is similar. We let \(\mathsf {abort}\) denote the event that a new query f(x) results in a value y where y is already in \(\mathrm {rng}(\mathcal {F})\), or a new query \(f^{-1}(y)\) results in a value x where x is already in \(\mathrm {dom}(\mathcal {F})\).

By applying the triangle inequality, we have

$$\begin{aligned} \varDelta _\mathcal {A}(p^\pm ,\mathcal {E}_K;p^\pm ,\$)\le & {} \varDelta _\mathcal {A}(f^\pm ,\mathcal {E}_K;f^\pm ,\$) + \varDelta _\mathcal {A}(p^\pm ,\mathcal {E}_K;f^\pm ,\mathcal {E}_K) \nonumber \\&+ \varDelta _\mathcal {A}(p^\pm ,\$;f^\pm ,\$). \end{aligned}$$

The two rightmost terms are bounded above by the maximum advantage of any adversary distinguishing \(p^{\pm }\) and \(f^{\pm }\) in at most \(q_p+\sigma _\mathcal {E}\) queries. Since \(p^\pm \) and \(f^\pm \) are identical until \(\mathsf {abort}\), by the Fundamental Lemma of Game Playing [12, 13] we have that the two rightmost terms are in turn bounded by \({q_p+\sigma _\mathcal {E}\atopwithdelims ()2}/2^b \le (q_p+\sigma _\mathcal {E})^2/2^{b+1}\), hence

$$\begin{aligned} \varDelta _\mathcal {A}(p^\pm ,\mathcal {E}_K;p^\pm ,\$) \le \varDelta _\mathcal {A}(f^\pm ,\mathcal {E}_K;f^\pm ,\$) + \frac{(q_p+\sigma _\mathcal {E})^2}{2^b}. \end{aligned}$$

We restrict our attention to \(\mathcal {A}\) with oracle access to \((f^\pm ,F)\), where \(F\in \{\mathcal {E}_K,\$\}\). Without loss of generality, we can assume that the adversary only queries full blocks and that no padding rules are involved since the padding rules are injective, allowing the proof to carry over to the case of fractional blocks with \(10^*1\)-padding.

We introduce some terminology. Queries to \(f^\pm \) are denoted \((x_i,y_i)\) for \(i=1,\ldots ,q_p\), while queries to F are written as elements \((N_j;H_j,M_j,T_j;C_j,A_j)\) for \(j=1,\ldots ,q_\mathcal {E}\). If \(F=\mathcal {E}_K\), the state values are denoted as in (17), subscripted with a j:

$$\begin{aligned} \left( s_j^{\text {init}};\; s_{j,0}^H,\ldots ,s_{j,u}^H ; \left[ \begin{array}{c} s_{j,1,0}^M,\ldots ,s_{j,1,v_1}^M\\ \vdots \qquad \;\;\;\quad \vdots \\ s_{j,D,0}^M,\ldots ,s_{j,D,v_D}^M\\ \end{array}\right] ;\; s_{j,0}^T,\ldots ,s_{j,w}^T;\;s_j^\text {tag} \right) . \end{aligned}$$

If the structure of (22) is irrelevant we refer to the tuple as \((s_{j,1},\ldots ,s_{j,\sigma _{\mathcal {E},j}})\), where we use the convention to list the elements of the matrix column-wise. In this case, we write \(\mathrm {parent}(s_{j,k})\) to denote the state value that lead to \(s_{j,k}\), with \(\mathrm {parent}(s_{j,1}):=\varnothing \) and \(\mathrm {parent}(s_{j,0}^T):=(s_{j,1,v_1}^M,\ldots , s_{j,D,v_D}^M)\). We remark that the characteristic structure of NORX, with the D parallel states, only becomes relevant in the two technical lemmas that will be used at the end of the proof. We point out that \(s_{j,1}\) corresponds to the initial state value of the evaluation, which requires special attention throughout the remainder of the proof.

We define two collision events, \(\mathsf {guess}\) and \(\mathsf {hit}\). Let \(i\in \{1,\ldots ,q_p\}\), \(j,j'\in \{1,\ldots ,q_\mathcal {E}\}\), \(k\in \{1,\ldots ,\sigma _{\mathcal {E},j}\}\), and \(k'\in \{1,\ldots ,\sigma _{\mathcal {E},j'}\}\):

$$\begin{aligned} \mathsf {guess}(i;j,k)&\quad \equiv \quad x_i=s_{j,k}\,,\\ \mathsf {hit}(j,k;j',k')&\quad \equiv \quad \mathrm {parent}(s_{j,k}) \ne \mathrm {parent}(s_{j',k'})\ \wedge \ s_{j,k}=s_{j',k'}. \end{aligned}$$

Event \(\mathsf {guess}(i;j,k)\) corresponds to a primitive call in an encryption query hitting a direct primitive query, or vice versa, while \(\mathsf {hit}(j,k;j',k')\) corresponds to non-trivial primitive calls colliding in encryption queries. We write \(\mathsf {guess}= \vee _{i;j,k}\,\mathsf {guess}(i;j,k)\), \(\mathsf {hit}= \vee _{j,k;j',k'}\,\mathsf {hit}(j,k;j',k')\), and set \(\mathsf {event}=\mathsf {guess}\vee \mathsf {hit}\).

The remainder of the proof is divided as follows. In Lemma 2 we prove that \((f^\pm ,\mathcal {E}_K)\) and \((f^\pm ,\$)\) are identical until \(\mathsf {event}\) occurs. In other words, by applying the Fundamental Lemma of Game Playing [12, 13],

$$\begin{aligned} \varDelta _\mathcal {A}(f^\pm ,\mathcal {E}_K;f^\pm ,\$) \le \mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K} \text { sets } \mathsf {event}\right) . \end{aligned}$$

Then, in Lemma 3 we bound this term by

$$\begin{aligned} \frac{q_p\sigma _\mathcal {E}+ \sigma _\mathcal {E}^2/2}{2^b} + \frac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}} + \frac{2\rho q_p}{2^c} + \frac{q_p+\sigma _\mathcal {E}}{2^\kappa }, \end{aligned}$$

where \(\rho =\rho (r,c)\) is the function defined in Lemma 1. Noting that \(\dfrac{q_p\sigma _\mathcal {E}+ \sigma _\mathcal {E}^2/2}{2^b}\le \dfrac{(q_p+\sigma _\mathcal {E})^2}{2^{b+1}}\), this completes the proof via equations (19, 21, 23). \(\square \)

Lemma 2

The outputs of \((f^\pm ,\mathcal {E}_K)\) and \((f^\pm ,\$)\) are identically distributed until \(\mathsf {event}\) occurs.


The outputs of \(f^\pm \) are sampled independently and uniformly at random in \((f^\pm , \$)\). This holds in the real world as well, unless a query to \(f^\pm \) collides with an \(f^\pm \) query made via \(\mathcal {E}_K\). Therefore, until \(\mathsf {guess}\) occurs, the outputs of \(f^\pm \) are distributed identically in both worlds. Furthermore, \(f^\pm \)’s outputs are independent of the distinguisher’s query history, hence, assuming all past queries were identically distributed across worlds, a query to \(f^\pm \) will not change the fact that both worlds are identically distributed, until \(\mathsf {guess}\) occurs.

Let \(N_j\) be a new nonce used in the F-query \((N_j;H_j,M_j,T_j)\), with corresponding ciphertext and authentication tag \((C_j, A_j)\). Denote the query’s state values as in (22). Let u, v, and w denote the number of padded header blocks, padded message blocks, and padded trailer blocks, respectively.

Consider the \(j\hbox {th}\) query. By the definition of $, in the ideal world we have \((C_j,A_j)\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{|M_j|+\tau }\). We will prove that \((C_j,A_j)\) is identically distributed in the real world, under the assumption that \(\mathsf {guess}\vee \mathsf {hit}\) has not yet occurred. Denote the message blocks of \(M_j\) by \(M_{j,k,\ell }\) for \(k=1,\ldots ,D\) and \(\ell =1,\ldots ,v_k\).

We know that \(s_{j,u}^H\) is new and that \(f(s_{j,u}^H)\) does not collide with any other f-query because otherwise \(\mathsf {event}\) would have occurred. Since \(s_{j,k,0}^M = f(s_{j,u}^H)\oplus id_k\) we conclude that \(s_{j,k,0}^M\) is new for \(k=1,\ldots ,D\), as, again, \(\mathsf {event}\) would be set otherwise. Similarly, \(s_{j,k,\ell }^M\) is new for all \(\ell > 0\). The ciphertext blocks \(C_{j,k,\ell }\) are computed as

$$\begin{aligned} C_{j,k,\ell } = M_{j,k,\ell } \oplus [f(s_{j,k,\ell -1}^M)]^r. \end{aligned}$$

As the state value \(s_{j,k,\ell -1}^M\) has not been evaluated by f before (neither directly nor indirectly via an encryption query), \(f(s_{j,k,\ell -1}^M)\) outputs a uniformly random value from \(\{0,1\}^{b}\), hence \(C_{j,k,\ell }\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{r}\). We remark that similar reasoning shows that a ciphertext block corresponding to a truncated message block is uniformly randomly drawn as well, yet from a smaller set. The fact that \(A_j\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\tau }\) follows the same reasoning, using that \(s_j^\text {tag}\) is a new input to f. Thus, \(A_j=[f(s_j^\text {tag})]^\tau \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\tau }\). \(\square \)

Looking at the reasoning of the proof of Lemma 2 above, we notice that if \(\mathsf {event}\) has not yet occurred, then each state value in an F-query is sampled independently and uniformly at random. In particular, once the adversary fixes the inputs to an F-query, each state value in that F-query is independent of the adversary’s input, and independent of each other. Furthermore, the inner part of those state values are never released to the adversary, hence the adversary’s future queries are independent of the inner parts of the state values. Hence, we have the following result:

Corollary 1

Until \(\mathsf {event}\) occurs, the state values in an \(\mathcal {E}_K\) query are distributed independently and uniformly from each other and from the adversary’s input to that \(\mathcal {E}_K\) query. Furthermore, the inner parts of the state values in all \(\mathcal {E}_K\) queries are distributed independently and uniformly from each other and from all of the adversary’s oracle-inputs, until \(\mathsf {event}\) occurs.

Lemma 3

\(\mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K} \text { sets } \mathsf {event}\right) \le \dfrac{q_p\sigma _\mathcal {E}+ \sigma _\mathcal {E}^2/2}{2^b} + \dfrac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}} + \dfrac{2\rho q_p}{2^c} + \dfrac{q_p+\sigma _\mathcal {E}}{2^\kappa }\), where \(\rho =\rho (r,c)\) is the function defined in Lemma 1.


Consider the adversary interacting with \((f^\pm ,\mathcal {E}_K)\), and let \(\mathbf {Pr}\left( \mathsf {guess}\vee \mathsf {hit}\right) \) denote the probability we aim to bound. For \(i\in \{1,\ldots ,q_p\}\), define

$$\begin{aligned} \mathsf {key}(i)&\quad \equiv \quad [x_i]^\kappa =K, \end{aligned}$$

and \(\mathsf {key}= \vee _i\,\mathsf {key}(i)\), which corresponds to a primitive query hitting the key. Let \(j\in \{1,\ldots ,q_\mathcal {E}\}\) and \(k\in \{1,\ldots ,\sigma _{\mathcal {E},j}\}\), and consider any threshold \(\rho \ge 1\), then define

$$\begin{aligned}&\mathsf {multi}(j,k) \quad \equiv \quad \Big [{\max }_{\alpha \in \{0,1\}^{r}} \; \left| \big \{j'\le j, 1 < k'\le k \;:\;\right. \\&\left. \quad \alpha \in \{[s_{j',k'}]^r,[f(s_{j',k'})]^r\} \big \}\right| \Big ] > \rho . \end{aligned}$$

Event \(\mathsf {multi}(j,k)\) is used to bound the number of states that collide in the outer part. Note that state values \(s_{j',1}\) are not considered here as they will be covered by \(\mathsf {key}\). We define \(\mathsf {multi}=\mathsf {multi}(q_\mathcal {E},\sigma _{\mathcal {E},q_\mathcal {E}})\), which is a monotone event. By basic probability theory,

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {guess}\vee \mathsf {hit}\right) \le \mathbf {Pr}\left( \mathsf {guess}\vee \mathsf {hit}\mid \lnot (\mathsf {key}\vee \mathsf {multi})\right) + \mathbf {Pr}\left( \mathsf {key}\vee \mathsf {multi}\right) . \end{aligned}$$

In the remainder of the proof, we bound these probabilities as follows (a formal explanation of the proof technique is given in “Appendix”): we consider the \(i\hbox {th}\) forward or inverse primitive query (for \(i\in \{1,\ldots ,q_p\}\)) or the kth state of the \(j\hbox {th}\) construction query (for \(j\in \{1,\ldots ,q_\mathcal {E}\}\) and \(k\in \{1,\ldots ,\sigma _{\mathcal {E},j}\}\)), and bound the probability that this evaluation makes \(\mathsf {guess}\vee \mathsf {hit}\) satisfied, under the assumption that this query does not set \(\mathsf {key}\vee \mathsf {multi}\) and also that \(\mathsf {guess}\vee \mathsf {hit}\vee \mathsf {key}\vee \mathsf {multi}\) has not been set before. For the analysis of \(\mathbf {Pr}\left( \mathsf {key}\vee \mathsf {multi}\right) \) a similar technique is employed.

Event\({\varvec{\mathsf {guess}}}\). This event can be set in the \(i\hbox {th}\) primitive query (for \(i=1,\ldots ,q_p\)) or in any state evaluation of the \(j\hbox {th}\) construction query (for \(j=1,\ldots ,q_\mathcal {E}\)). Denote the state values of the \(j\hbox {th}\) construction query as in (22). Consider any evaluation, assume this query does not set \(\mathsf {key}\vee \mathsf {multi}\) and assume that \(\mathsf {guess}\vee \mathsf {hit}\vee \mathsf {key}\vee \mathsf {multi}\) has not been set before. Firstly, note that \(x_i=s_j^{\text {init}}\) for some ij would imply \(\mathsf {key}(i)\) and hence invalidate our assumption. Therefore, we can exclude \(s_j^{\text {init}}\) from further analysis on \(\mathsf {guess}\). For \(i=1,\ldots ,q_p\), let \(j_i\in \{1,\ldots ,q_\mathcal {E}\}\) be the number of encryption queries made before the \(i\hbox {th}\) primitive query. Similarly, for \(j=1,\ldots ,q_\mathcal {E}\), denote by \(i_j\in \{1,\ldots ,q_p\}\) the number of primitive queries made before the \(j\hbox {th}\) encryption query.

  • Consider a primitive query \((x_i,y_i)\) for \(i\in \{1,\ldots ,q_p\}\), which may be a forward or an inverse query, and assume it has not been queried to \(f^\pm \) before. If it is a forward query \(x_i\), by \(\lnot \mathsf {multi}\) there are at most \(\rho \) state values s with \([x_i]^r=[s]^r\), and thus \(x_i=s\) with probability at most \(\rho /2^c\). Here, we remark that the inner part of s is unknown to the adversary and it guesses it with probability at most \(1/2^c\), as established by Corollary 1. A slightly more complicated reasoning applies for inverse queries. Denote the query by \(y_i\). By \(\lnot \mathsf {multi}\) there are at most \(\rho \) state values s with \([y_i]^r=[f(s)]^r\), hence, using Corollary 1 again, \(y_i = f(s)\) with probability at most \(\rho /2^c\). If \(y_i\) equals f(s) for any of these states, then \(x_i = s\), otherwise \(x_i = s\) with probability at most \(\sum _{j=1}^{j_i}\sigma _{\mathcal {E},j}/2^b\). Therefore, the probability that \(\mathsf {guess}\) is set via a direct query is at most \(\frac{q_p\rho }{2^c} + \sum _{i=1}^{q_p}\sum _{j=1}^{j_i}\frac{\sigma _{\mathcal {E},j}}{2^b}\);

  • Next, consider the probability that the \(j\hbox {th}\) construction query sets \(\mathsf {guess}\), for \(j\in \{1,\ldots ,q_\mathcal {E}\}\). For simplicity, first consider \(D=1\), hence the message is processed in one lane and we can use state labeling \((s_{j,1},\ldots ,s_{j,\sigma _{\mathcal {E},j}})\). We range from \(s_{j,2}\) to \(s_{j,\sigma _{\mathcal {E},j}}\) (recall that \(s_{j,1}=s_j^{\text {init}}\) can be excluded) and consider the probability that this state sets \(\mathsf {guess}\) assuming it has not been set before. Let \(k\in \{2,\ldots ,\sigma _{\mathcal {E},j}\}\). The state value \(s_{j,k}\) equals \(f(s_{j,k-1})\oplus v\), where v is some value determined by the adversarial input prior to the evaluation of \(f(s_{j,k-1})\), including input from \((H_j,M_j,T_j)\) and constants serving as domain separators. By assumption, \(\mathsf {guess}\vee \mathsf {hit}\) has not been set before, and \(f(s_{j,k-1})\) is thus randomly drawn from \(\{0,1\}^{b}\). It hits any \(x_i\) (\(i\in \{1,\ldots ,i_j\}\)) with probability at most \(i_j/2^b\). Next, consider the general case \(D>1\). We return to the labeling of (22). A complication occurs for the branching states \(s_{j,1,0}^M,\ldots ,s_{j,D,0}^M\) and the merging state \(s_{j,0}^T\). Starting with the branching states, these are computed from \(s_{j,u}^H\) as

    $$\begin{aligned} \left( \begin{array}{c} s_{j,1,0}^M \\ \vdots \\ s_{j,D,0}^M \end{array}\right) = f(s_{j,u}^H) \oplus \left( \begin{array}{c} v_1 \\ \vdots \\ v_D \end{array}\right) , \end{aligned}$$

    where \(v_1,\ldots ,v_D\) are some distinct values determined by the adversarial input prior to the evaluation of the \(j\hbox {th}\) construction query. These are distinct by the XOR of the lane numbers \(id_1,\ldots ,id_D\). Any of these nodes equals \(x_i\) for \(i\in \{1,\ldots ,q_p\}\) with probability at most \(i_jD/2^b\). Finally, for the merging node \(s_{j,0}^T\) we can apply the same analysis, noting that it is derived from a sum of D new f-evaluations. Concluding, the \(j\hbox {th}\) construction query sets \(\mathsf {guess}\) with probability at most \(i_j\sigma _{\mathcal {E},j}/2^b\) (we always have in total at most \(\sigma _{\mathcal {E},j}\) new state values). Summing over all \(q_\mathcal {E}\) construction queries, we get \(\sum _{j=1}^{q_\mathcal {E}}i_j\sigma _{\mathcal {E},j}/2^b\).


$$\begin{aligned} \mathbf {Pr}\left( \mathsf {guess}\mid \lnot (\mathsf {key}\vee \mathsf {multi})\right) \le \frac{q_p\rho }{2^c} + \sum _{i=1}^{q_p}\sum _{j=1}^{j_i}\frac{\sigma _{\mathcal {E},j}}{2^b} + \sum _{j=1}^{q_\mathcal {E}}\frac{i_j\sigma _{\mathcal {E},j}}{2^b} = \frac{q_p\rho }{2^c} + \frac{q_p\sigma _\mathcal {E}}{2^b}. \end{aligned}$$

Here we use that \(\sum _{i=1}^{q_p}\sum _{j=1}^{j_i}\sigma _{\mathcal {E},j} + \sum _{j=1}^{q_\mathcal {E}}\sum _{k=1}^{\sigma _{\mathcal {E},j}}i_j\sigma _{\mathcal {E},j}=q_p\sigma _\mathcal {E}\), which follows from a simple counting argument.

Event\({\varvec{\mathsf {hit}}}\). We again employ ideas of \(\mathsf {guess}\), and particularly that as long as \(\mathsf {guess}\vee \mathsf {hit}\) is not set, we can consider all new state values (except for the initial states) to be randomly drawn from a set of size \(2^b\). Particularly, we can refrain from explicitly discussing the branching and merging nodes (the detailed analysis of \(\mathsf {guess}\) applies) and label the states as \((s_{j,1},\ldots ,s_{j,\sigma _{\mathcal {E},j}})\). Clearly, \(s_{j,1}\ne s_{j',1}\) for all \(j,j'\) by uniqueness of the nonce. Any state value \(s_{j,k}\) for \(k>1\) (at most \(\sigma _\mathcal {E}-q_\mathcal {E}\) in total) hits an initial state value \(s_{j',1}\) only if \([s_{j,k}]^\kappa =K\), which happens with probability at most \(\sigma _\mathcal {E}/2^\kappa \), assuming \(s_{j,k}\) is generated randomly. Finally, any two other states \(s_{j,k},s_{j',k'}\) for \(k,k'>1\) collide with probability at most \({\sigma _\mathcal {E}-q_\mathcal {E}\atopwithdelims ()2}/2^b\). Concluding, \(\mathbf {Pr}\left( \mathsf {hit}\mid \lnot (\mathsf {key}\vee \mathsf {multi})\right) \le {\sigma _\mathcal {E}\atopwithdelims ()2}/2^b + \sigma _\mathcal {E}/2^\kappa \).

Event\({\varvec{\mathsf {key}}}\). For \(i\in \{1,\ldots ,q_p\}\), the query sets \(\mathsf {key}(i)\) if \([x_i]^\kappa =K\), which happens with probability \(1/2^\kappa \) (assuming it did not happen in queries \(1,\ldots ,i-1\)). The adversary makes \(q_p\) attempts, and hence \(\mathbf {Pr}\left( \mathsf {key}\right) \le q_p/2^\kappa \).

Event\({\varvec{\mathsf {multi}}}\). Event \(\mathsf {multi}\) can be related to \(\mathsf {multcol}\) of Sect. 3, in the following way. Consider any new state value \(s_{j,k-1}\); then it contributes to the bin \(\alpha \) if \([f(s_{j,k-1})]^r=\alpha \) or \([s_{j,k}]^r=[f(s_{j,k-1})\oplus v]^r=\alpha \). If a threshold \(\rho \) needs to be exceeded for some \(\alpha \), at least \(\rho /2\) of them are either of the first kind or of the second kind. The event \(\mathsf {multi}\) can henceforth be seen as a balls and bins game with \(2^r\) bins, \(\sigma _\mathcal {E}\) balls, and threshold \(\rho '=\rho /2\):

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {multi}\right) \le \mathbf {Pr}\left( \mathsf {multcol}(2^r,\sigma _\mathcal {E},\rho ')\right) . \end{aligned}$$

By Lemma 1, we know that \(\mathbf {Pr}\left( \mathsf {multcol}(2^r,\sigma _\mathcal {E},\rho ')\right) \le \frac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}}\), where \(\rho '\) is the function described in Lemma 1 (parameters rc are implicit). Note that we put \(\rho =2\rho '\).

Addition of the four bounds via (25) gives

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {guess}\vee \mathsf {hit}\right) \le \frac{q_p\sigma _\mathcal {E}+ \sigma _\mathcal {E}^2/2}{2^b} + \frac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}} + \frac{2\rho 'q_p}{2^c} + \frac{q_p+\sigma _\mathcal {E}}{2^\kappa }. \end{aligned}$$

where \(\rho '=\rho (r,c)\) is the function defined in Lemma 1. \(\square \)

Authenticity of NORX

Theorem 2

Let \(\varPi =(\mathcal {E},\mathcal {D})\) be NORX  based on an ideal underlying primitive p. Then,

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {auth}}(q_p,q_\mathcal {E},\lambda _\mathcal {E},q_\mathcal {D},\lambda _\mathcal {D}) \le&\;\dfrac{(q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D})^2}{2^b} + \dfrac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}} + \dfrac{2\rho q_p}{2^c}\\&+\dfrac{q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D}}{2^\kappa } + \dfrac{(q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D})\sigma _\mathcal {D}}{2^c} + \dfrac{q_\mathcal {D}}{2^\tau }, \end{aligned}$$

where \(\sigma _\mathcal {E},\sigma _\mathcal {D}\) are defined in (18), and where \(\rho =\rho (r,c)\) is the function defined in Lemma 1.

The bound is more complex than the one of Theorem 1, but intuitively implies that NORX  offers integrity as long as it offers privacy and the number of forgery attempts \(\sigma _\mathcal {D}\) is limited, where the total complexity \(q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D}\) should not exceed \(2^c/\sigma _\mathcal {D}\). See Table 1 for the security level for the various parameter choices of NORX. Needless to say, the exact bound is more fine-grained.


We consider any adversary \(\mathcal {A}\) that has access to \((p^\pm ,\mathcal {E}_K,\mathcal {D}_K)\) and attempts to make \(\mathcal {D}_K\) output a non-\(\bot \) value. As in the proof of Theorem 1, we apply a URP-URF switch to find

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {auth}}(\mathcal {A})&= \mathbf {Pr}\left( \mathcal {A}^{p^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { forges}\right) \le \mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { forges}\right) \nonumber \\&\quad +\frac{(q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D})^2}{2^{b+1}}. \end{aligned}$$

Then we focus on \(\mathcal {A}\) having oracle access to \((f^\pm ,\mathcal {E}_K,\mathcal {D}_K)\). As before, we assume without loss of generality that the adversary only makes full-block queries.

We inherit terminology from Theorem 1. The state values corresponding to encryption and decryption queries will both be labeled (jk), where j indicates the query and k the state value within the \(j\hbox {th}\) query. If needed we will add another parameter \(\delta \in \{\mathcal {D},\mathcal {E}\}\) to indicate that a state value \(s_{\delta ,j,k}\) is in the \(j\hbox {th}\) query to oracle \(\delta \), for \(\delta \in \{\mathcal {D},\mathcal {E}\}\) and \(j\in \{1,\ldots ,q_\delta \}\). Particularly, this means we will either label the state values as in (22) with a \(\delta \) appended to the subscript, or simply as \((s_{\delta ,j,1},\ldots ,s_{\delta ,j, \sigma _{\delta ,j}})\).

As before, we employ the collision events \(\mathsf {guess}\) and \(\mathsf {hit}\), but expanded to the new notation with \(\delta =\mathcal {E}\). Next, we define two \(\mathcal {D}\)-related collision events \(\mathcal {D}\mathsf {guess}\) and \(\mathcal {D}\mathsf {hit}\). Let \(i\in \{1,\ldots ,q_p\}\), \((\mathcal {D},j,k)\) be a decryption query index, and \((\delta ',j',k')\) be an encryption or decryption query index:

$$\begin{aligned} \mathcal {D}\mathsf {guess}(i;j,k)&\quad \equiv \quad x_i=s_{\mathcal {D},j,k},\\ \mathcal {D}\mathsf {hit}(j,k;\delta ',j',k')&\quad \equiv \quad \mathrm {parent}(s_{\mathcal {D},j,k})\ne \mathrm {parent}(s_{\delta ',j',k'}) \wedge s_{\mathcal {D},j,k}=s_{\delta ',j',k'}, \end{aligned}$$

We write \(\mathcal {D}\mathsf {guess}= \vee _{i;j,k}\,\mathcal {D}\mathsf {guess}(i;j,k)\) and \(\mathcal {D}\mathsf {hit}= \vee _{j,k;\delta ',j',k'}\,\mathcal {D}\mathsf {hit}(j,k;\delta ',j',k')\), and define \(\mathsf {event}=\mathsf {guess}\vee \mathsf {hit}\vee \mathcal {D}\mathsf {guess}\vee \mathcal {D}\mathsf {hit}\).

Observe that from (26) we get

$$\begin{aligned} \mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { forges}\right)&\le \mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { forges} \mid \lnot \mathsf {event}\right) \nonumber \\&\quad + \mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { sets } \mathsf {event}\right) . \end{aligned}$$

A bound on the probability that \(\mathcal {A}\) sets \(\mathsf {event}\) is derived in Lemma 4.

The remainder of this proof centers on the probability that \(\mathcal {A}\) forges given that \(\mathsf {event}\) does not happen. Such a forgery requires that \([f(s_{\mathcal {D},j}^\text {tag})]^\tau =A_j\) for some decryption query j. By \(\lnot \mathsf {event}\), we know that \(s_{\mathcal {D},j}^\text {tag}\) is a new state value for all \(j\in \{1, \ldots , q_\mathcal {D}\}\), hence f’s output under \(s_{\mathcal {D},j}^\text {tag}\) is independent of all other values and uniformly distributed for all j. As a result, we know that the \(j\hbox {th}\) forgery attempt is successful with probability at most \(1/2^\tau \). Summing over all \(q_\mathcal {D}\) queries, we get

$$\begin{aligned} \mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { forges} \mid \lnot \mathsf {event}\right) \le \frac{q_\mathcal {D}}{2^\tau }, \end{aligned}$$

and the proof is completed via (26, 27) and the bound of Lemma 4, where we again use that \(\dfrac{q_p\sigma _\mathcal {E}+ \sigma _\mathcal {E}^2/2}{2^b}\le \dfrac{(q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D})^2}{2^{b+1}}\). \(\square \)

Lemma 4

\(\mathbf {Pr}\left( \mathcal {A}^{f^\pm ,\mathcal {E}_K,\mathcal {D}_K} \text { sets } \mathsf {event}\right) \le \dfrac{q_p\sigma _\mathcal {E}+ \sigma _\mathcal {E}^2/2}{2^b} + \dfrac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}} + \dfrac{2\rho q_p}{2^c} + \dfrac{q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D}}{2^\kappa } + \dfrac{(q_p+\sigma _\mathcal {E})\sigma _\mathcal {D}+ \sigma _\mathcal {D}^2/2}{2^c}\), where \(\rho =\rho (r,c)\) is the function defined in Lemma 1.


Recall that \(\mathsf {event}=\mathsf {guess}\vee \mathsf {hit}\vee \mathcal {D}\mathsf {guess}\vee \mathcal {D}\mathsf {hit}\). Employing events \(\mathsf {key}\) and \(\mathsf {multi}\) from Lemma 3, we find:

$$\begin{aligned}&\mathbf {Pr}\left( \mathsf {guess}\vee \mathsf {hit}\vee \mathcal {D}\mathsf {guess}\vee \mathcal {D}\mathsf {hit}\right) \nonumber \\&\quad \le \mathbf {Pr}\left( \mathsf {guess}\vee \mathsf {hit}\vee \mathcal {D}\mathsf {guess}\vee \mathcal {D}\mathsf {hit}\mid \lnot (\mathsf {key}\vee \mathsf {multi})\right) \nonumber \\&\qquad + \mathbf {Pr}\left( \mathsf {key}\vee \mathsf {multi}\right) . \end{aligned}$$

The proof builds upon Lemma 3, and in particular we will use the same proof technique of running over all queries and computing the probability that a query sets \(\mathsf {event}\), assuming \(\mathsf {event}\) has not been set before. The bounds on \(\mathbf {Pr}\left( \mathsf {guess}\vee \mathsf {hit}\mid \lnot (\mathsf {key}\vee \mathsf {multi})\right) \) and \(\mathbf {Pr}\left( \mathsf {key}\vee \mathsf {multi}\right) \) carry over from Lemma 3 verbatim, where we additionally note that for a given query, the previous decryption queries are of no influence as by hypothesis \(\mathcal {D}\mathsf {guess}\vee \mathcal {D}\mathsf {hit}\) was not set before the query in question. We continue with the analysis of \(\mathcal {D}\mathsf {guess}\) and \(\mathcal {D}\mathsf {hit}\).

Event\({\varvec{\mathcal {D}\mathsf {guess}}}\). Note that the adversary may freely choose the outer part in decryption queries and primitive queries. Indeed, the ciphertext values that \(\mathcal {A}\) chooses in decryption queries define the outer parts of the state values. Consequently, \(\mathcal {D}\mathsf {guess}\) gets set as soon as there is a primitive state and a decryption state whose capacities are equal. This happens with probability at most \(\mathbf {Pr}\left( \mathcal {D}\mathsf {guess}\mid \lnot (\mathsf {key}\vee \mathsf {multi})\right) \le q_p\sigma _\mathcal {D}/2^c\).

Event\({\varvec{\mathcal {D}\mathsf {hit}}}\). A technicality occurs in that the adversary can reuse nonces in decryption. To increase readability, we first state that any decryption state s satisfies \([s]^\kappa =K\) only with probability at most \(\sigma _\mathcal {D}/2^\kappa \), and in the remainder we can exclude this case. Next, we define an event \(\mathsf {innerhit}\). Let \((\delta ,j,k)\) and \((\delta ',j',k')\) be two decryption query indices, and let \(\textsf {const}\in \{\mathtt {0}, \mathtt {01}\oplus \mathtt {02}, \mathtt {01}\oplus \mathtt {04}, \mathtt {01}\oplus \mathtt {08}, \mathtt {01}\oplus \mathtt {10}, \mathtt {02}\oplus \mathtt {04}, \mathtt {02}\oplus \mathtt {08}, \mathtt {02}\oplus \mathtt {20}, \mathtt {02}\oplus \mathtt {20}\oplus id_i, \mathtt {04}\oplus \mathtt {08}\}\):

$$\begin{aligned} \begin{array}{lll} \mathsf {innerhit}(\delta ,j,k;\delta ',j',k';\mathsf {const}) &{}\equiv &{} \mathrm {parent}(s_{\delta ,j,k})\ne \mathrm {parent}(s_{\delta ',j',k'}) \,\wedge \\ &{} &{} [s_{\delta ,j,k}]_c=[s_{\delta ',j',k'}]_c\oplus \textsf {const}. \end{array} \end{aligned}$$

Note that for any choice of indices and \(\mathsf {const}\), we have \({\mathbf {Pr}}({\mathsf {innerhit}} (\delta ,j,k;\delta ',j',k'; {\mathsf {const}))}\le 1/2^c\).

We consider the general case \(D\ne 1\). Consider the \(\bar{j}\)th decryption query (NHCTA). Say it consists of u header blocks \(H_1\ldots H_u\), v ciphertext blocks \(C_1\ldots C_v\), and w trailer blocks \(T_1\ldots T_w\), and write its state values as in (17). Let \((N_{\delta ,j};H_{\delta ,j},C_{\delta ,j},T_{\delta ,j};A_{\delta ,j})\) be an older ciphertext tuple that shares the longest common blockwise prefix with (NHCTA). Note that this tuple may not be unique (for instance if N is new), and that it may come from an encryption or decryption query. Say that this query consists of \(u_{\delta ,j}\) header blocks, \(v_{\delta ,j}\) ciphertext blocks, and \(w_{\delta ,j}\) trailer blocks, and write its state values as in (22). We proceed with a case distinction.

  1. (1)

    \(({{\varvec{N}}};{{\varvec{H}}},{{\varvec{C}}},{{\varvec{T}}}) =({{\varvec{N}}}_{{\varvec{\delta }},{{\varvec{j}}}}; {{\varvec{H}}}_{{\varvec{\delta }},{{\varvec{j}}}}, {{\varvec{C}}}_{{\varvec{\delta }},{{\varvec{j}}}}, {{\varvec{T}}}_{{\varvec{\delta }},{{\varvec{j}}}})\)but  \({{\varvec{A}}}\ne {{\varvec{A}}}_{{\varvec{\delta }}, {{\varvec{j}}}}\). In this case the query renders no new states and \(\mathcal {D}\mathsf {hit}\) cannot be set by definition;

  2. (2)

    \(({{\varvec{N}}};{{\varvec{H}}},{{\varvec{C}}}) =({{\varvec{N}}}_{{\varvec{\delta }},{{\varvec{j}}}}; {{\varvec{H}}}_{{\varvec{\delta }},{{\varvec{j}}}}, {{\varvec{C}}}_{{\varvec{\delta }},{{\varvec{j}}}})\)but  \({{\varvec{T}}}\ne {{\varvec{T}}}_{{\varvec{\delta }},{{\varvec{j}}}}\). Let \(\ell \in \{1,\ldots ,\min \{w,w_{\delta ,j}\},\infty \}\) be minimal such that \(T_\ell \ne T_{\delta ,j,\ell }\), where \(\ell =\infty \) means that T is a substring of \(T_{\delta ,j}\) (if \(w<w_{\delta ,j}\)) or vice versa (if \(w>w_{\delta ,j}\)). We make a further distinction between \(\ell =\infty \) and \(\ell <\infty \).

    1. (a)

      \({\varvec{\ell }}={\varvec{\infty }}\). Note that \(s_{\min \{w,w_{\delta ,j}\}}^T=s_{\delta ,j,\min \{w,w_{\delta ,j}\}}^T\oplus \mathtt {04}\oplus \mathtt {08}\). If this input to f is old, it implies \(\mathsf {innerhit}(\delta ,j, \min \{w,w_{\delta ,j}\};\delta ',j',k';\mathtt {04}\oplus \mathtt {08})\) for some \((\delta ',j',k')\) older than the current query \((\mathcal {D},\bar{j},\min \{w,w_{\delta ,j}\})\), which is the case with probability at most \(1/2^c\) (for all possible index tuples). Otherwise, f generates a new value and new state value s (\(s_{w+1}^T\) if \(w>w_{\delta ,j}\) or \(s^\text {tag}\) if \(w<w_{\delta ,j}\)), which sets \(\mathcal {D}\mathsf {hit}\) if it sets \(\mathsf {innerhit}\) with an older state \(s_{\delta ',j',k'}\) under \(\mathsf {const}=0\). This also happens with probability at most \(1/2^c\) for any \((\delta ',j',k')\). This procedure propagates to \(s^\text {tag}\). In total, the \(\bar{j}\)th decryption query sets \(\mathcal {D}\mathsf {hit}\) with probability at most \(\sum _{k=1}^{\sigma _{\mathcal {D},\bar{j}}}\frac{\sigma _\mathcal {E}+\sigma _{\mathcal {D},1} +\cdots +\sigma _{\mathcal {D},\bar{j}-1} + (k-1)}{2^c}\);

    2. (b)

      \({\varvec{\ell }}<{\varvec{\infty }}\). In this case \(s_{\ell -1}^T=s_{\delta ,j,\ell -1}^T\) and \(s_\ell ^T =s_{\delta ,j,\ell }^T\oplus (T_\ell \Vert 0^c)\oplus (T_{\delta ,j,\ell } \Vert 0^c)\ne s_{\delta ,j,\ell }^T\).Footnote 5 As before, \(s_\ell ^T\) is a new input to f, except if \(\mathsf {innerhit}(\delta ,j,\ell ;\delta ',j',k'; \mathtt {0})\) for some \((\delta ',j',k')\) older than the current query \((\mathcal {D},\bar{j},\ell )\). This is the case with probability at most \(1/2^c\) for all possible older queries. The procedure propagates to \(s^\text {tag}\) as before, and the same bound holds;

  3. (3)

    \(({{\varvec{N}}};{{\varvec{H}}}) =({{\varvec{N}}}_{{\varvec{\delta }}, {{\varvec{j}}}};{{\varvec{H}}}_{{\varvec{\delta }}, {{\varvec{j}}}})\)but  \({{\varvec{C}}}\ne {{\varvec{C}}}_{{\varvec{\delta }},{{\varvec{j}}}}\). The analysis is similar but a special treatment is required to deal with the merging phase. Consider the ciphertext C to be divided into blocks \(C_{k,\ell }\) for \(k=1,\ldots ,D\) and \(\ell =1,\ldots ,v_k\). Similarly for \(C_{\delta ,j}\). For \(k=1,\ldots ,D\), let \(\ell _k\in \{1,\ldots ,\min \{v_k,v_{\delta ,j,k}\},\infty \}\) be minimal such that \(C_{k,\ell _k}\ne C_{\delta ,j,k,\ell _k}\). Again, \(\ell _k=\infty \) means that \(C_k\) is a substring of \(C_{\delta ,j,k}\) (if \(v_k\le v_{\delta ,j,k}\)) or vice versa (if \(v_k\ge v_{\delta ,j,k}\)). We make a further distinction between whether or not \((\ell _1,\ldots ,\ell _D)=(\infty ,\ldots ,\infty )\).

    1. (a)

      \(({\varvec{\ell }}_{\mathbf{1}},\ldots , {\varvec{\ell }}_{{\varvec{D}}})=({\varvec{\infty }}, \ldots ,{\varvec{\infty }})\). As \(C\ne C_{\delta ,j}\), there must be a k such that \(v_k\ne v_{\delta ,j,k}\) and thus that \(C_k\) is a strictly smaller substring of \(C_{\delta ,j,k}\) or vice versa. Consequently, \(s_{k,v_k}^C = s_{\delta ,j,k,v_k}^C\oplus \mathtt {02}\oplus \mathtt {20}\oplus id_k[\min \{v_k,v_{\delta ,j,k}\}=1]\) (or \(\oplus \;\mathtt {02}\oplus \mathtt {04}\) if \(D=1\) and there is no merging phase, or \(\oplus \;\mathtt {02}\oplus \mathtt {08}\) if there is furthermore no trailer). Then, this state is new to f except if \(\mathsf {innerhit}(\delta ,j,k,v_k;\delta ',j',k';\mathsf {const})\) is set for the \(\mathsf {const}\) described above. (We slightly misuse notation here in that \(v_k\) is input to \(\mathsf {innerhit}\).) This means that also \(s_0^T\) will be new except if it hits a certain older state, which happens with probability \(1/2^c\). The reasoning propagates up to \(s^\text {tag}\) as before, and the same bound holds;

    2. (b)

      \(({\varvec{\ell }}_{\mathbf{1}},\ldots , {\varvec{\ell }}_{{\varvec{D}}})<({\varvec{\infty }}, \ldots ,{\varvec{\infty }})\). Let k be such that \(\ell _k<\infty \). Then, \(s_{k,\ell _k-1}^C=s_{\delta ,j,k,\ell _k-1}^C\) and \(s_{k,\ell _k}^C=C_{k,\ell _k}\Vert [s_{\delta ,j,k,\ell _k}^C]_c\ne s_{\delta ,j,k,\ell _k}^C\). The reasoning of case (2b) carries over for all future state values;

  4. (4)

    \({{\varvec{N}}}={{\varvec{N}}}_{{\varvec{\delta }}, {{\varvec{j}}}}\)but  \({{\varvec{H}}}\ne {{\varvec{H}}}_{{\varvec{\delta }},{{\varvec{j}}}}\). The analysis follows fairly the same principles, albeit using \(\mathsf {const}\in \{\mathtt {0},\mathtt {01}\oplus \mathtt {02}, \mathtt {01}\oplus \mathtt {04}, \mathtt {01}\oplus \mathtt {08}, \mathtt {01}\oplus \mathtt {10}\}\);

  5. (5)

    \({{\varvec{N}}}\ne {{\varvec{N}}}_{{\varvec{\delta }}, {{\varvec{j}}}}\). The nonce N is new (hence the query shares no prefix with any older query). There has not been an earlier state s that satisfies \([s]^\kappa =K\) (by virtue of the analysis in \(\mathsf {hit}\) and \(\mathsf {key}\), and the first step of this event \(\mathcal {D}\mathsf {hit}\)). Therefore, \(s^{\text {init}}\) is new by construction and a simplification of above analysis applies.

Summing over all queries:

$$\begin{aligned} \mathbf {Pr}\left( \mathcal {D}\mathsf {hit}\mid \lnot (\mathsf {key}\vee \mathsf {multi})\right)&\le \sum _{\bar{j}=1}^{q_\mathcal {D}} \sum _{k=1}^{\sigma _{\mathcal {D},\bar{j}}}\frac{\sigma _\mathcal {E}+\sigma _{\mathcal {D},1}+\cdots +\sigma _{\mathcal {D},\bar{j}-1} + (k-1)}{2^c} + \frac{\sigma _\mathcal {D}}{2^\kappa }\\&\le \frac{\sigma _\mathcal {E}\sigma _\mathcal {D}+ {\sigma _\mathcal {D}\atopwithdelims ()2}}{2^c} + \frac{\sigma _\mathcal {D}}{2^\kappa }, \end{aligned}$$

where the last term comes from the exclusion of the event that any decryption state satisfies \([s]^\kappa =K\).

Together with the bound of Lemma 3 we find via (28),

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {event}\right) \le&\frac{q_p\sigma _\mathcal {E}+ \sigma _\mathcal {E}^2/2}{2^b} + \frac{\sigma _\mathcal {E}}{\min \{2^{b/2},2^c\}} + \frac{2\rho 'q_p}{2^c} + \frac{q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D}}{2^\kappa } \\&+ \frac{(q_p+\sigma _\mathcal {E})\sigma _\mathcal {D}+ \sigma _\mathcal {D}^2/2}{2^c}, \end{aligned}$$

where \(\rho '=\rho (r,c)\) is the function defined in Lemma 1. \(\square \)

Tightness of the Bound

We derive a generic attack on Sponge-based authenticated encryption schemes. The attack exploits multi-collisions on the outer part of the internal state. Using the multi-collision bounds of Suzuki et al. [91, 92], we demonstrate that the attack actually matches the proven security bound, meaning that the bounds of Sect. 4 are tight. Therefore, we first describe our simplified target structure in Sect. 5.1. The attack is described in Sect. 5.2 and evaluated in Sect. 5.3.

Target Structure

We consider the simplified structure of Fig. 3. Without loss of generality, we consider a key \(K\in \{0,1\}^{\kappa }\), nonce \(N\in \{0,1\}^{b-\kappa }\) (hence \(\nu =b-\kappa \)), and we assume that \(\mathsf {init}\) initializes the state as \((K,N)\mapsto K\Vert N\). (The attack can be generalized to the setting where the key is absorbed in multiple evaluations of p, or where the key is XORed into the state before outputting A. See also Sect. 5.4.) We consider no associated data, or in terminology of Sect. 2, we put \(H,T\leftarrow \mathtt{Null}\). The message size must be at least one complete block. Note that, in many schemes, the message of one complete block will expand to two blocks by a padding procedure. We consider a general setting where the \(\tau \)-bit authentication tag A may be generated in multiple extraction rounds (two in Fig. 3), and we assume that \(\tau \ge c\). We ignore minor issues irrelevant to our attack, such as padding, frame bits, domain separation for message processing and tag generation parts, and truncation of the tag.

Fig. 3
figure 3

Target structure in key recovery attack

As shown in Fig. 3, the b-bit state after the first permutation call is denoted \(s_1\). Its outer and inner part are denoted \([s_1]^r\) and \([s_1]_c\), respectively. Then, an r-bit message block \(M_1\) is XORed into \([s_1]^r\) and the first ciphertext block \(C_1 = [s_1]^r\oplus M_1\) is output. The state is evaluated using the permutation, and the resulting state is \(s_2\). Note that the values \(M_i\) and \(C_i\) reveal the outer part of state \(s_i\) as \([s_i]^r=M_i\oplus C_i\).

Distinguishing Attacks via Key Recovery

Let \(\rho \ge 2\). If \(2^\kappa \le 2^c/\rho \) a naive key recovery attack can be performed in complexity \(2^\kappa \), and we assume that \(2^\kappa >2^c/\rho \).

We first give an overview of the attack. Once a b-bit state in the structure of Fig. 3 is recovered, the secret key K can be recovered immediately by computing the inverse of the permutation. Our attack aims to recover the internal state \(s_1\) after the first permutation call. It consists of an online phase followed by an offline phase.

In the online phase, the adversary searches for a \(\rho \)-collision on the r-bit value \(C_1\). It makes a certain amount of encryption oracle queries for different N and possibly different \(M_1\). Let q denote the total number of encryption queries needed. The online phase results in \(\rho \) pairs of \((N,M_1)\) which produce the same \(C_1\) but different \([s_1]_c\). The adversary also stores the tag A for each pair.

In the offline phase, the adversary recovers an inner part \([s_1]_c\). Using the value \(C_1\), the same for all tuples, the value \([s_1]_c\) is exhaustively guessed. In a bit more detail, the adversary computes the authentication tag A from \(C_1\Vert [s_1]_c\) offline, and checks if there is a match with any stored tag. Because \(\rho \) tags are stored, the attack cost is about \(2^c/\rho \). Once \([s_1]_c\) is recovered, the adversary can compute \(p^{-1}((M_1 \oplus C_1)\Vert [s_1]_c)\) and recover K.

The formal description of the attack is given below. Here, we denote the data D for the kth block in the \(j\hbox {th}\) query by \(D_{j,k}\). We omit the second subscript for the data where the block length is always 1, e.g., nonce \(N_j\).

Online Phase

  1. 1.

    Choose q different pairs \((N_{q},M_{q,1})\) for \(i=1,2,\ldots ,q\);

  2. 2.

    Query \((N_{i},M_{i,1})\) for \(i=1,2,\ldots ,q\) and receive \((C_{i,1},A_{i,1}\Vert A_{i,2}\Vert \ldots )\);

  3. 3.

    Find a \(\rho \)-collision on \(C_{\cdot ,1}\);

  4. 4.

    Store \(\rho \) triplets of \((N_i,M_{i,1},A_{i,1}\Vert A_{i,2}\Vert \ldots )\) contributing to the \(\rho \)-collision. We denote the colliding value of \(C_{\cdot ,1}\) by \(\overline{C}\), which is also stored.

Offline Phase

  1. 1.

    Re-define the outer part of the state after the computation of \([s_{\cdot ,1}]^r \oplus M_{\cdot ,1}\) by \(\overline{C}\);

  2. 2.

    Make \(2^c/\rho \) guesses for \([s_{\cdot ,1}]_c\), denoted by \([s_{j,1}]_c\) for \(j=1,2,\ldots ,2^c/\rho \);

  3. 3.

    For each j, generate the tag \(A_{j,1}\Vert A_{j,2}\Vert \ldots \) with the state \(\overline{C}\Vert [s_{j,1}]_c\);

  4. 4.

    Check if \(A_{j,1}\Vert A_{j,2}\Vert \ldots \) matches one of the \(\rho \) values \(A_{i,1}\Vert A_{i,2}\Vert \ldots \) stored in the online phase. If so, assume that \([s_{j,1}]_c\) is the right value. Let \(i'\) and \(j'\) be matching indices;

  5. 5.

    Compute \(p^{-1}\bigl ( (M_{i',1} \oplus \overline{C}) \Vert [s_{j',1}]_c \bigr )\). If the resulting value matches nonce \(N_{i'}\), output the first \(\kappa \) bits of the state as the recovered key K.

Attack Evaluation

In the online phase, the adversary does not strictly need to choose N and \(M_1\), a given list of q different tuples suffices. Thus, the attack is a known plaintext attack. The data complexity is q one-block messages and the memory to store q triples \((N_i,M_{i,1},A_{i,1}\Vert A_{i,2}\Vert \ldots )\) for \(i=1,\ldots ,q\) is required. The time complexity of at least q memory access is also required. Intuitively, all the complexities in the online phase are q.

In the offline phase, because \(\rho \) candidates are stored in the online phase and \(2^c/\rho \) guesses are examined, one match is expected. If the internal state values match, the corresponding tag values also match. Thus, the right guess is identified. Due to the assumption that the tag size is at least c bits, the match likely only suggests the right guess. In addition, we can further filter out the false positive by r bits with the match of N in the last step. Thus, with a very high probability the key is successfully recovered. For the complexity, the only important factor is the time complexity of \(2^c/\rho \) tag generation functions.

What remains is to appropriately choose parameters for q and \(\rho \) so that the total complexity \(\max \{ q, 2^c/\rho \}\) is minimized. Suzuki et al. [91, 92] showed that, when \(c \le r\), the complexity q to find a \(\rho \)-collision with probability about 0.5 is given by

$$\begin{aligned} q = (\rho !)^{\frac{1}{\rho }} \cdot 2^{\frac{\rho -1}{\rho }r} + \rho -1. \end{aligned}$$

\({{\varvec{c}}}={{\varvec{r}}}\). We demonstrate tightness of the bound for the cases \(c=r=128\), \(c=r=256\), and \(c=r=512\). Note that, provided \(\kappa \) is large enough, the bound of Theorem 1 is dominated by \(2^c/\alpha \) with \(\alpha =\frac{1.4r}{\log _2r+r-c-2}\) (cf., Table 2). In Table 3 we evaluate the attack complexity so that \(\max \{ q, 2^r/\rho \}\) is minimized. This complexity is always bigger but very close to the proven bound, which shows tightness of security bound.

Table 3 Comparison of attack complexity and security bound

\({{\varvec{c}}}<{{\varvec{r}}}\). It is common practice to enlarge the rate of Sponge-based authenticated encryption so that more data can be processed per permutation call. We demonstrate tightness of our attack for the case of \(c=256\) and \(r\in [257,768]\). Figure 1 depicts the evaluated attack complexity and our security bound for \(c=256\). For the sake of completeness, it also includes the \(2^c/r\) bound of the original ASIACRYPT 2014 article [53], which decreases by approximately a logarithmic factor \(\log _2 r\).

Note that the adversary needs to find a multi-collision on r bits with only \(2^c\) trials. When the rate increases, and particularly when \(r>2c\), the adversary cannot even find an ordinary collision within \(2^c\) trials. In this case, the multi-collision-based attack will not be influential. Due to this, our bound is getting close to \(2^c\) when r becomes large. The advantage of the attack comes from the number of generated multi-collisions. Considering that the number of multi-collisions can only take discrete values while our bound can take sequential values, our bound is strictly tight.

\({{\varvec{c}}}>{{\varvec{r}}}\). Note that, for \(c>r\), the security bound of Theorem 1 is not dominated by \(2^c/\alpha \) but rather by \(2^{b/2}\), omitting constants (cf., Table 2). Tightness of the bound follows by a naive attack that aims to find collisions on the b-bit state.

Distinguishing Attacks Without Key Recovery

As later explained in Fig. 4, several practical designs use key K for the initialization as well as for the tag generation. Those schemes cannot be distinguished with a straightforward application of the above generic procedure, yet it is still possible to distinguish them by increasing the attack complexity only by 1 bit or so.

We focus on Ascon, GIBBON and HANUMAN, in which K in the tag computation prevents the adversary from computing tag A offline. This can be solved by extending the number of message blocks in each query. Instead of the tag \(A_{i,1}\Vert A_{i,2}\Vert \ldots \), outer parts of the subsequent blocks \([s_{i,2}]^r\Vert [s_{i,3}]^r\Vert \ldots \) take a role of filter to identify the correct guess. If the number of filtered bits is much bigger than c, a match suggests the correct guess with very high probability. Owing to the additional message blocks, the attack complexity increases by 1 bit or so, depending how many message blocks are added.

In HANUMAN, K can be recovered from the internal state by inverting the permutation to the initial value. Meanwhile in Ascon and GIBBON, K cannot be recovered and the adversary only can mount distinguishing attacks.

Other CAESAR Submissions

In this section we discuss how the mode security proof of NORX  generalizes to the CAESAR submissions Ascon, the BLNK mode underlying CBEAM/STRIBOB, ICEPOLE, Keyak (v1 only), and two out of the three PRIMATEs. Before doing so, we make a number of observations and note how the proof can accommodate small design differences.

  • NORX  uses domain separation constants at all rounds, but this is not strictly necessary and other solutions exist. In the privacy and integrity proofs of NORX, and more specifically at the analysis of state collisions caused by a decryption query in Lemma 4, the domain separations are only needed at the transitions between variable-length inputs, such as header to message data or message to trailer data. This means that the proofs would equally hold if there were simpler transitions at these positions, such as in Ascon. Alternatively, the domain separation can be done by using a different primitive, as in GIBBON  and HANUMAN, or a slightly more elaborated padding, as in BLNK, ICEPOLE, and Keyak;

  • The extra permutation evaluations at the initialization and finalization of NORX  are not strictly necessary: in the proof we consider the monotone event that no state collides assuming no earlier state collision occurred. For instance, in the analysis of \(\mathcal {D}\mathsf {hit}\) in the proof of Lemma 4, we necessarily have a new input to p at some point, and consequently all next inputs to p are new (except with some probability);

  • NORX  starts by initializing the state with \(\mathsf {init}(K,N)=(K\Vert N\Vert 0^{b-\kappa -\nu })\oplus \mathsf {const}\) for some constant \(\mathsf {const}\) and then permuting this value. Placing the key and nonce at different positions of the state does not influence the security analysis. The proof would also work if, for instance, the header is preceded with \(K\Vert N\) or a properly padded version thereof and the starting state is \(0^b\);

  • In a similar fashion, there is no problem in defining the tag to be a different \(\tau \) bits of the final state; for instance, the rightmost \(\tau \) bits;

  • Key additions into the inner part after the first permutation are harmless for the mode security proof. Particularly, as long as these are done at fixed positions, these have the same effect as XORing a domain separation constant.

These five modifications allow one to generalize the proof of NORX  to Ascon, CBEAM and STRIBOB, ICEPOLE, Keyak, and two PRIMATEs, GIBBON  and HANUMAN. The only major difference lies in the fact none of these designs accommodates a trailer, hence all are functions of the form

$$\begin{aligned} (C,A) \longleftarrow \mathcal {E}_K(N;H,M) \qquad \text {and}\qquad M/\bot \longleftarrow \mathcal {D}_K(N;H,C;A), \end{aligned}$$

except for one instance of ICEPOLE which accommodates a secret message number. Additionally, these designs have \(\sigma _\delta \le \lambda _\delta +q_\delta \) for \(\delta \in \{\mathcal {D},\mathcal {E}\}\) (or \(\sigma _\delta \le \lambda _\delta +2q_\delta \) for CBEAM/STRIBOB). We always write \(H=(H_1,\ldots ,H_u)\) and \(M=(M_1,\ldots ,M_v)\) whenever notation permits. In below sections we elaborate on these designs separately, where we slightly deviate from the alphabetical order to suit the presentation. Diagrams of all modes are given in Fig. 4. The parameters and achieved provable security levels of the schemes are given in Table 1.

Fig. 4
figure 4

CAESAR submission modes discussed in Sect. 6, a Ascon, b BLNK (used in CBEAM and STRIBOB), c ICEPOLE, d Keyak v1, e GIBBON  (PRIMATEs) and f HANUMAN  (PRIMATEs)

We remark that the attack of Sect. 5 carries over to CBEAM and STRIBOB, ICEPOLE and a simplified version of Keyak v1 (with only one round of key absorption). It does not apply to Ascon, GIBBON, and HANUMAN  due to the additional XOR of the secret key at the end.


Ascon is a submission by Dobraunig et al. [33, 34] and is depicted in Fig. 4a. It is originally defined based on two permutations \(p_1,p_2\) that differ in the number of underlying rounds. We discard this difference, considering Ascon with one permutation p.

Ascon initializes its state using \(\mathsf {init}\) that maps (KN) to \((0^{b-\kappa -\nu }\Vert K\Vert N)\oplus \mathsf {const}\), where \(\mathsf {const}\) is determined by some design-specific parameters set prior to the security experiment. The header and message can be of arbitrary length and are padded to length a multiple of r bits using \(10^*\)-padding. An XOR with 1 separates header processing from message processing. From the above observations, it is clear that the proofs of NORX  directly carry over to Ascon.


ICEPOLE is a submission by Morawiecki et al. [65, 66] and is depicted in Fig. 4c. It is originally defined based on two permutations, \(p_1\) and \(p_2\), that differ in the number of underlying rounds. We discard this difference, considering ICEPOLE with one permutation p.

ICEPOLE initializes its state as NORX  does, be it with a different constant. The header and message can be of arbitrary length and are padded as follows. Every block is first appended with a frame bit: \(\mathtt {0}\) for header blocks \(H_1,\ldots ,H_{u-1}\) and message block \(M_v\), and \(\mathtt {1}\) for header block \(H_u\) and message blocks \(M_1,\ldots ,M_{v-1}\). Then, the blocks are padded to length a multiple of r bits using \(10^*\)-padding. In other words, every padded block of r bits contains at most \(r-2\) data bits. This form of domain separation using frame bits suffices for the proof to go through. One variant of ICEPOLE also allows for a secret message number \(M_\text {secret}\), which consists of one block and is encrypted prior to the processing of the header, similar to the message. As this secret message number is of fixed length, no domain separation is required and the proof can easily be adapted. From above observations, it is clear that the proofs of NORX  directly carry over to ICEPOLE. Without going into detail, we note that the same analysis can be generalized to the parallelized mode of ICEPOLE [65, 66].


Keyak v1 is a submission by Bertoni et al. [22]. The basic mode for the serial case is depicted in Fig. 4d, yet due to its hybrid character it is slightly more general in nature. It is built on top of SpongeWrap [19]. We remark that the discussion does not apply to Keyak v2, which is built on top of the full-state keyed Duplex [31, 60].

Keyak initializes its state by \(0^b\), and concatenates K, N, and H using a special padding rule:

$$\begin{aligned} \mathsf{H}_{\text {pad}}(K,N,H) = \mathsf {keypack}(K,240)\parallel \mathsf {enc}_8(1)\parallel \mathsf {enc}_8(0)\parallel N\parallel H, \end{aligned}$$

where \(\mathsf {enc}_8(x)\) is an encoding of x as a byte and \(\mathsf {keypack}(K,\ell ) = \mathsf {enc}_8(\ell /8)\Vert K\Vert 10^{-\kappa -1\bmod (\ell -8)}\). The key-nonce-header combination \(\mathsf{H}_{\text {pad}}(K,N,H)\) and message M can be of arbitrary length, and are padded as follows: first, every block is appended with two frame bits, being \(\mathtt {00}\) for header blocks \((\mathsf{H}_{\text {pad}}(K,N,H))_1,\ldots ,(\mathsf{H}_{\text {pad}}(K,N,H))_{u-1}\) and \(\mathtt {01}\) for \((\mathsf{H}_{\text {pad}}(K,N,H))_u\), and \(\mathtt {11}\) for message blocks \(M_1,\ldots ,M_{v-1}\) and \(\mathtt {10}\) for \(M_v\). Then, the blocks are padded to length a multiple of r bits using \(10^*1\)-padding. In other words, every padded block of r bits contains at most \(r-2\) data bits. This form of domain separation using frame bits suffices for the proof to go through. Due to above observations, our proof readily generalizes to SpongeWrap [19] and DuplexWrap [22], and thus to Keyak. Without going into detail, we note that the same analysis can be generalized to the parallelized mode of Keyak [22]. Additionally, Keyak also supports sessions, where the state is re-used for a next evaluation. Our proof generalizes to this case, simply with a more extended description of (17).


CBEAM and STRIBOB  are submissions by Saarinen [81, 83,84,85,86]. Minaud identified an attack on CBEAM [62], but we focus on the modes of operation. Both modes are based on the BLNK Sponge mode [82], which is depicted in Fig. 4b.

The BLNK mode initializes its state by \(0^b\), compresses K into the state (using one or two permutation calls, depending on \(\kappa \)), and does the same with N. Then, the mode is similar to SpongeWrap [19], though using a slightly more involved domain separation system similar to the one of NORX. Due to above observations, our proof readily generalizes to BLNK [82], and thus to CBEAM and STRIBOB.


PRIMATEs  is a submission by Andreeva et al. [2, 3], and consists of three algorithms: APE, GIBBON, and HANUMAN. The APE  mode is the more robust one, and significantly differs from the other two, and from the other CAESAR submissions discussed in this work, in the way that ciphertexts are derived and because the mode is secure against nonce-misusing adversaries up to common prefix [4]. (See Sect. 7 for a discussion on APE.) We now focus on GIBBON  and HANUMAN, which are depicted in Fig. 4e, f. GIBBON  is based on three related permutations \(\mathbf{p}=(p_1,p_2,p_3)\), where the difference in \(p_2,p_3\) is used as domain separation of the header compression and message encryption phases (the difference of \(p_1\) from \((p_2,p_3)\) is irrelevant for the mode security analysis). Similarly, HANUMAN  uses two related permutations \(\mathbf{p}=(p_1,p_2)\) for domain separation.Footnote 6

GIBBON  and HANUMAN  initialize their state using \(\mathsf {init}\) that maps (KN) to \(0^{b-\kappa -\nu }\Vert K\Vert N\). The header and message can be of arbitrary length, and are padded to length a multiple of r bits using \(10^*\)-padding. In case the true header (or message) happens to be a multiple of r bits long, the \(10^*\)-padding is considered to spill over into the capacity. From above observations, it is clear that the proofs of NORX  directly carry over to GIBBON  and HANUMAN. A small difference appears due to the usage of two different permutations: we need to make two RP-RF switches for each world. Concretely this means that the first term in Theorem 1 becomes \(\frac{5(q_p+\sigma _\mathcal {E})^2}{2^{b+1}}\) and the first term in Theorem 2 becomes \(\frac{3(q_p+\sigma _\mathcal {E}+\sigma _\mathcal {D})^2}{2^{b+1}}\).


Unlike GIBBON  and HANUMAN, the APE  authenticated encryption scheme follows a different design strategy. It is depicted in Fig. 5. APE  is based on one permutation p, and characteristic to the design is the way the ciphertexts are derived and verified.

Fig. 5
figure 5

APE  (PRIMATEs) discussed in Sect. 7

APE  uses a key of size c bits, and the initialization \(\mathsf {init}\) places K into the inner part of the state. In case of a present nonce N, in APE  it is prepended to the header H, denoted \(N\Vert H\). The nonce is of fixed length, and of suggested size 2r bits [2, 3]. The header and message can be of arbitrary length and are padded to length a multiple of r bits using \(10^*\)-padding. In case the true header (or message) happens to be a multiple of r bits long, the \(10^*\)-padding is considered to spill over into the capacity. In case the message is not a multiple of r bits long, the last ciphertext is derived slightly differently, and we refer to [2, 3].

The scheme is designed and proven to be \(2^{c/2}\) secure against nonce-misusing adversaries up to common prefix [4]. We now consider the security of APE  in the nonce-respecting setting, and present an adversary that breaks the privacy with a complexity of about \(2^{c/2}\). We assume that the adversary can make blockwise queries to the scheme. In more detail, upon an authenticated encryption of \(M_1,\ldots ,M_v\), it only needs to input the \(j\hbox {th}\) message block after it receives the \(j-1\) ciphertext block, for \(j=2,\ldots ,v\).

Proposition 1

Let \(\varPi =(\mathcal {E},\mathcal {D})\) be APE  based on an ideal underlying primitive p. Then,

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {priv}}(0,q_\mathcal {E},\lambda _\mathcal {E}) \ge 1-2/2^r\,, \end{aligned}$$

where all \(q_\mathcal {E}\) queries are of length \((2^{(c+1)/2}+1)/q_\mathcal {E}+\rho +1\).


We first consider a simplified setting, where \(q_\mathcal {E}=1\) and \(\lambda _\mathcal {E}\approx 2^{c/2}\), and will generalize the attack to arbitrary \(q_\mathcal {E}\) afterward. Denote \(\rho =\lceil c/r\rceil \). The adversary makes one query of length \(\lambda _\mathcal {E}=2^{(c+1)/2}+\rho +2\) as follows. Let N be some nonce, the header H is absent. \(\mathcal {A}\) puts \(M_1=0\), and \(M_i=C_{i-1}\) for \(k\in \{2,\ldots ,\lambda _\mathcal {E}\}\). If there exist distinct \(k,k'\in \{2,\ldots ,\lambda _\mathcal {E}-\rho \}\) such that

$$\begin{aligned} (C_k,\ldots ,C_{k+\rho }) = (C_{k'},\ldots ,C_{k'+\rho })\,, \end{aligned}$$

then it outputs 1; otherwise it outputs 0. Note that if \(\mathcal {A}\) converses with \(\mathcal {E}_K\), then (31) holds if the permutation calls for \(M_k\) and \(M_{k'}\) are the same. As the outer parts are 0 for both, this holds with probability at least \(1/2^c\). Therefore, any such \(k\ne k'\) exist with probability at least \({\lambda _\mathcal {E}-\rho -1\atopwithdelims ()2}/2^c\). On the other hand, if \(\mathcal {A}\) converses with $, then this would only hold with probability \({\lambda _\mathcal {E}-\rho -1\atopwithdelims ()2}/2^{(\rho +1)r}\). Thus,

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {priv}}(0,1,\lambda _\mathcal {E}) \ge {\lambda _\mathcal {E}-\rho -1\atopwithdelims ()2}/2^c - {\lambda _\mathcal {E}-\rho -1\atopwithdelims ()2}/2^{(\rho +1)r}. \end{aligned}$$

Putting \(\lambda _\mathcal {E}=2^{(c+1)/2}+\rho +2\) gives \(2^c\le {\lambda _\mathcal {E}-\rho -1\atopwithdelims ()2}\le 2^{c+1}\), and subsequently \(\mathbf {Adv}_{\varPi }^{\mathrm {priv}}(0,1,2^{(c+1)/2}+\rho +2) \ge 1-2/2^r\).

The analysis straightforwardly generalizes to \(q_\mathcal {E}\) queries of total length \(\lambda _\mathcal {E}\). Denote \(\mu _\mathcal {E}=\lambda _\mathcal {E}/q_\mathcal {E}\), without loss of generality assuming that \(\lambda _\mathcal {E}\) is a multiple of \(q_\mathcal {E}\). For the \(j\hbox {th}\) query for \(j\in \{1,\ldots ,q_\mathcal {E}\}\), the adversary proceeds as follows. Let \(N_j\) be the unique nonce, the adversary does not query a header, as before. It takes \(M_{j,1}=0\), and sets \(M_{j,k}=C_{j,k-1}\) for \(k\in \{2,\ldots ,\mu _\mathcal {E}\}\). If there exist \(j,j'\in \{1,\ldots ,q_\mathcal {E}\}\) and \(k,k'\in \{2,\ldots ,\mu _\mathcal {E}-\rho \}\) with \((j,k)\ne (j',k')\) such that

$$\begin{aligned} (C_{j,k},\ldots ,C_{j,k+\rho }) = (C_{j',k'},\ldots ,C_{j',k'+\rho })\,, \end{aligned}$$

then it outputs 1; otherwise it outputs 0. The same analysis as before gives

$$\begin{aligned} \mathbf {Adv}_{\varPi }^{\mathrm {priv}}(0,q_\mathcal {E},q_\mathcal {E}\mu _\mathcal {E}) \ge {q_\mathcal {E}(\mu _\mathcal {E}-\rho -1)\atopwithdelims ()2}/2^c - {q_\mathcal {E}(\mu _\mathcal {E}-\rho -1)\atopwithdelims ()2}/2^{(\rho +1)r}. \end{aligned}$$

Consequently, for \(q_\mathcal {E}\mu _\mathcal {E}=2^{(c+1)/2}+(\rho +1)q_\mathcal {E}+1\), we have \(\mathbf {Adv}_{\varPi }^{\mathrm {priv}}(0,q_\mathcal {E},2^{(c+1)/2}+(\rho +1)q_\mathcal {E}+1) \ge 1-2/2^r\). Each of the \(q_\mathcal {E}\) queries is of length approximately \((2^{(c+1)/2}+1)/q_\mathcal {E}+\rho +1\). \(\square \)


In this work we analyzed one of the Sponge-based authenticated encryption designs in detail, NORX, and proved that it achieves security of approximately \(\min \{2^{b/2},2^c,2^\kappa \}\), significantly improving upon the traditional bound of \(\min \{2^{c/2},2^\kappa \}\). Additionally, we showed that this proof straightforwardly generalizes to five other CAESAR modes, Ascon, BLNK (of CBEAM/STRIBOB), ICEPOLE, Keyak v1, and PRIMATEs. Our findings indicate an overly conservative parameter choice made by the designers, implying that some designs can improve speed by a factor of 4 at barely any security loss. It is expected that the security proofs also generalize to the modes of Artemia [1]. However, this mode is based on the JH hash function [96] and XORs data blocks in both the rate and inner part. It does not use domain separations, rather it encodes the lengths of the inputs into the padding at the end [9]. Therefore, a generalization of the proof of NORX  to Artemia is not entirely straightforward.

The results in this work are derived in the ideal permutation model, where the underlying primitive is assumed to be ideal. We acknowledge that this model does not perfectly reflect the properties of the primitives. For instance, it is stated by the designers of Ascon, NORX, and PRIMATEs  that non-random (but harmless) properties of the underlying permutation exist. Furthermore, it is important to realize that the proofs of security for the modes of operation in the ideal model do not have a direct connection with security analysis performed on the permutations, as is the case with block ciphers modes of operation. Nevertheless, we can use these proofs as heuristics to guide cryptanalysts to focus on the underlying permutations, rather than the modes themselves.