Cryptanalysis of NORX v2.0



Publisher: Springer Journals
Copyright: Copyright © 2018 by International Association for Cryptologic Research
Subject: Computer Science; Coding and Information Theory; Computational Mathematics and Numerical Analysis; Combinatorics; Probability Theory and Stochastic Processes; Communications Engineering, Networks
ISSN: 0933-2790
eISSN: 1432-1378
DOI: 10.1007/s00145-018-9297-9

Abstract

NORX is an authenticated encryption scheme with associated data that was selected, along with 14 other primitives, for the third phase of the ongoing CAESAR competition. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired by the permutations used in BLAKE and ChaCha, has evolved through three main versions (v1.0, v2.0 and v3.0). The main result of this paper is a cryptanalysis of the full NORX v2.0, which successfully passed the second round of the CAESAR competition in 2016. We exhibit a strong symmetry preservation property of the underlying sponge permutation and show that this property can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity $2^{66}$ (resp. $2^{130}$) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers' claim of 128-bit (resp. 256-bit) security. We further show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX v2.0. We also investigate the security of NORX v3.0, a tweaked version of NORX v2.0 introduced at the beginning of the third round of the CAESAR competition. The introduction in NORX v3.0 of an extra initial and final key addition thwarts the former forgery and key-recovery attacks. We exhibit, however, a long-message forgery attack on both NORX v2.0 and NORX v3.0 that, given the ciphertext of a $2^m$-block message, allows forging another $2^m$-block ciphertext with a success probability of about $2^{m-128}$ (resp. $2^{m-256}$) instead of $2^{-128}$ (resp. $2^{-256}$) as one would ideally expect. We further show that since the symmetry preservation of the NORX v2.0 permutation persists in NORX v3.0, the former long-message forgery attack can be extended in both versions to a state-recovery attack. This high-complexity attack does not threaten the practical security of NORX v3.0, but shows that the security loss once a successful forgery has been issued is larger than one would expect.

Journal: Journal of Cryptology, Springer Journals

Published: Jun 6, 2018
