Cryptanalysis of Reduced NORX

  • Nasour Bagheri
  • Tao Huang
  • Keting Jia
  • Florian Mendel
  • Yu Sasaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9783)


NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 (out of 4) rounds. The time and data complexities of the attack for NORX32 are \(2^{119}\) and \( 2^{66} \) respectively, and for NORX64 are \( 2^{234} \) and \( 2^{132} \) respectively, while the memory complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack for NORX32 are \(2^{7.3}\), \(2^{124.3}\) and \(2^{115}\) respectively and for NORX64 are \(2^{6.2}\), \(2^{232.8}\) and \(2^{225}\) respectively. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in nonce respecting manner.


Authenticated encryption CAESAR NORX Guess and determine Internal differential attack State recovery Nonce respect 



The authors would like to thank the organizers of ASK 2015 that initiated this work. Keting Jia is supported by the National Natural Science Foundation of China (Nos. 61133013 and 61402256) and 973 Program (No. 2013CB834205). Part of this work was done while Florian Mendel was visiting NTU and has been supported in part by the Austrian Science Fund (project P26494-N15).


  1. 1.
    CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness (2013).
  2. 2.
    Aumasson, J.-P., Jovanovic, P., Neves, S.: NORX: parallel and scalable AEAD. In: Kutyłowski, M., Vaidya, J. (eds.) ICAIS 2014, Part II. LNCS, vol. 8713, pp. 19–36. Springer, Heidelberg (2014)Google Scholar
  3. 3.
    Aumasson, J., Jovanovic, P., Neves, S.: NORX V1 (2014).
  4. 4.
    Aumasson, J.-P., Jovanovic, P., Neves, S.: Analysis of NORX: investigating differential and rotational properties. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 306–323. Springer, Heidelberg (2015)Google Scholar
  5. 5.
    Aumasson, J., Jovanovic, P., Neves, S.: NORX V2.0 (2015).
  6. 6.
    Aumasson, J., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. NIST mailing list (2009).
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: CAESAR submission: Keyak v2 (2015).
  9. 9.
    Biham, E., Shamir, A.: Differential cryptanalysis of the full 16-round DES. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 487–496. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  10. 10.
    Bilgin, B., Bogdanov, A., Knežević, M., Mendel, F., Wang, Q.: Fides: lightweight authenticated cipher with side-channel resistance for constrained hardware. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 142–158. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Das, S., Maitra, S., Meier, W.: Higher order differential analysis of NORX. IACR Cryptol. ePrint Arch. 2015, 186 (2015). Google Scholar
  12. 12.
    Dinur, I., Jean, J.: Cryptanalysis of FIDES. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 224–240. Springer, Heidelberg (2015)Google Scholar
  13. 13.
    Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.1 Submission to the CAESAR Competition (2014).
  14. 14.
    Jean, J., Sasaki, Y., Wang, L.: Analysis of the CAESAR candidate silver. In: Dunkelman, O., et al. (eds.) SAC 2015. LNCS, vol. 9566, pp. 493–509. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-31301-6_28 CrossRefGoogle Scholar
  15. 15.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  16. 16.
    Nikolic, I.: CAESAR candidates speed comparison (2014). syllab/speed/
  17. 17.
    Penazzi, D., Montes, M.: Silver v.1. Submitted to the CAESAR competition (2014)Google Scholar
  18. 18.
    Peyrin, T.: Improved differential attacks for ECHO and Grøstl. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 370–392. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Nasour Bagheri
    • 1
  • Tao Huang
    • 2
  • Keting Jia
    • 3
    • 4
  • Florian Mendel
    • 5
  • Yu Sasaki
    • 2
    • 6
  1. 1.SRTTU and IPMTehranIran
  2. 2.Nanyang Technological UniversitySingaporeSingapore
  3. 3.Department of Computer Science and TechnologyTsinghua UniversityBeijingChina
  4. 4.State Key Laboratory of CryptologyBeijingChina
  5. 5.Graz University of TechnologyGrazAustria
  6. 6.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations