Analysis of NORX: Investigating Differential and Rotational Properties

  • Jean-Philippe Aumasson
  • Philipp Jovanovic
  • Samuel Neves
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8895)


This paper presents a thorough analysis of the AEAD scheme NORX, focussing on differential and rotational properties. We first introduce mathematical models that describe differential propagation with respect to the non-linear operation of NORX. Afterwards, we adapt a framework previously proposed for ARX designs allowing us to automatise the search for differentials and characteristics. We give upper bounds on the differential probability for a small number of steps of the NORX core permutation. For example, in a scenario where an attacker can only modify the nonce during initialisation, we show that characteristics have probabilities of less than \(2^{-60}\) (\(32\)-bit) and \(2^{-53}\) (\(64\)-bit) after only one round. Furthermore, we describe how we found the best characteristics for four rounds, which have probabilities of \(2^{-584}\) (\(32\)-bit) and \(2^{-836}\) (\(64\)-bit), respectively. Finally, we discuss some rotational properties of the core permutation which yield some first, rough bounds and can be used as a basis for future studies.


NORX AEAD LRX Differential cryptanalysis Rotational cryptanalysis 



The authors would like to thank the anonymous reviewers for their comprehensive commentaries which helped to improve the quality of this paper.

Supplementary material


  1. 1.
    CAESAR – Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014).
  2. 2.
    NODE – The NORX Differential Search Engine (2014).
  3. 3.
    Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 470–488. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  4. 4.
    Aumasson, J.-P., Jovanovic, P., Neves, S.: NORX: Parallel and Scalable AEAD. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014, Part II. LNCS, vol. 8713, pp. 19–36. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  5. 5.
    Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: Simpler, Smaller, Fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  6. 6.
    Bernstein, D.J.: ChaCha, a Variant of Salsa20. In: Workshop Record of SASC 2008: The State of the Art of Stream Ciphers (2008).
  7. 7.
    Bernstein, D.J.: The Salsa20 Family of Stream Ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: On Alignment in Keccak. In: ECRYPT II Hash Workshop, May 2011Google Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M.,Assche, G.V.: Permutation-based Encryption, Authentication and Authenticated Encryption, presented at DIAC, Stockholm, Sweden, 05–06 July 2012Google Scholar
  10. 10.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Cryptographic Sponge Functions, January 2011.
  11. 11.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the Sponge: Single-pass Authenticated Encryption and Other Applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  12. 12.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak Reference, January 2011.
  13. 13.
    Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. J. Cryptol. 4(1), 3–72 (1991)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Brummayer, R., Biere, A.: Boolector: An Efficient SMT Solver for Bit-vectors and Arrays. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 174–177. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  15. 15.
    Daemen, J., Peeters, M., Assche, G.V., Rijmen, V.: Nessie Proposal: the Block Cipher Noekeon. Nessie submission (2000).
  16. 16.
    Daemen, J., Rijmen, V.: The Wide Trail Design Strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  17. 17.
    Daemen, J., Van Assche, G.: Differential Propagation Analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  18. 18.
    Ganesh, V., Govostes, R., Phang, K.Y., Soos, M., Schwartz, E.: STP – A Simple Theorem Prover (2006–2013).
  19. 19.
    Guo, J., Karpman, P., Nikolić, I., Wang, L., Wu, S.: Analysis of BLAKE2. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 402–423. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  20. 20.
    Khovratovich, D., Nikolić, I.: Rotational Cryptanalysis of ARX. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 333–346. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  21. 21.
    Knuth, D.E.: The Art of Computer Programming, Volume 4A: Combinatorial Algorithms, Part 1, vol. 4A. Addison-Wesley, Upper Saddle River (2011).
  22. 22.
    Lipmaa, H., Moriai, S.: Efficient Algorithms for Computing Differential Properties of Addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  23. 23.
    Mate Soos: CryptoMinisat (2009–2014).
  24. 24.
    Mouha, N., Preneel, B.: Towards Finding Optimal Differential Characteristics for ARX: Application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013)Google Scholar
  25. 25.
    Shi, Z., Zhang, B., Feng, D., Wu, W.: Improved Key Recovery Attacks on Reduced-round Salsa20 and ChaCha. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 337–351. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  26. 26.
    Shoup, V.: Computational Introduction to Number Theory and Algebra, 2nd edn. Cambridge University Press, Cambridge (2009). zbMATHGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Jean-Philippe Aumasson
    • 1
  • Philipp Jovanovic
    • 2
  • Samuel Neves
    • 3
  1. 1.Kudelski SecurityLausanneSwitzerland
  2. 2.University of PassauPassauGermany
  3. 3.University of CoimbraCoimbraPortugal

Personalised recommendations