NORX is an authenticated encryption scheme with associated data that was selected, along with 14 other primitives, for the third phase of the ongoing CAESAR competition. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired by the permutations used in BLAKE and ChaCha, has evolved through three main versions (v1.0, v2.0 and v3.0). The main result of this paper is a cryptanalysis of the full NORX v2.0, which successfully passed the second round of the CAESAR competition in 2016. We exhibit a strong symmetry preservation property of the underlying sponge permutation and show that this property can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity $$2^{66}$$ (resp. $$2^{130}$$) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers' claim of 128-bit (resp. 256-bit) security. We further show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX v2.0. We also investigate the security of NORX v3.0, a tweaked version of NORX v2.0 introduced at the beginning of the third round of the CAESAR competition. The introduction in NORX v3.0 of an extra initial and final key addition thwarts the former forgery and key-recovery attacks. We exhibit, however, a long-message forgery attack on both NORX v2.0 and NORX v3.0 that, given the ciphertext of a $$2^m$$-block message, allows forging another $$2^m$$-block ciphertext with a success probability of about $$2^{m-128}$$ (resp. $$2^{m-256}$$) instead of $$2^{-128}$$ (resp. $$2^{-256}$$) as one would ideally expect. We further show that, since the symmetry preservation of the NORX v2.0 permutation persists in NORX v3.0, the former long-message forgery attack can be extended in both versions to a state-recovery attack. This high-complexity attack does not threaten the practical security of NORX v3.0, but it shows that the security loss once a successful forgery has been issued is larger than one would expect.
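As an added illustration (not code from the paper or from the NORX project), the block below reimplements the NORX32 round function from the public NORX specification and checks the symmetry the abstract alludes to, which is assumed here to be equality of columns c and c+2 in every row of the 4x4 word state; the sample states are constructed, and the check shows the round keeps that symmetry with probability one while a state that is symmetric only in its rate part loses it after one round.

```python
# Added illustration: NORX32 round F (reimplemented from the public spec) and a
# check of the column-pair symmetry (column c == column c+2 in every row).
# Rotation distances 8, 11, 16, 31 are NORX32's; NORX64 uses 8, 19, 40, 63.
W = 32
MASK = (1 << W) - 1
ROT = (8, 11, 16, 31)

def rotr(x, r):
    return ((x >> r) | (x << (W - r))) & MASK

def H(x, y):
    # NORX's non-linear operation, used in place of modular addition.
    return (x ^ y) ^ (((x & y) << 1) & MASK)

def G(a, b, c, d):
    a = H(a, b); d = rotr(a ^ d, ROT[0])
    c = H(c, d); b = rotr(b ^ c, ROT[1])
    a = H(a, b); d = rotr(a ^ d, ROT[2])
    c = H(c, d); b = rotr(b ^ c, ROT[3])
    return a, b, c, d

# The 4x4 state is stored row-major: word (row r, column c) is s[4*r + c].
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def F(s):
    """One NORX round: G on the four columns, then G on the four diagonals."""
    s = list(s)
    for i, j, k, l in COLUMNS + DIAGONALS:
        s[i], s[j], s[k], s[l] = G(s[i], s[j], s[k], s[l])
    return s

def is_symmetric(s):
    """True when column c equals column c+2 in every row."""
    return all(s[4 * r + c] == s[4 * r + c + 2] for r in range(4) for c in range(2))

def symmetric_state(words8):
    """Replicate 8 words (two columns, four rows) into a symmetric 16-word state."""
    s = []
    for r in range(4):
        a, b = words8[2 * r], words8[2 * r + 1]
        s += [a, b, a, b]
    return s

def symmetry_after(s, rounds):
    """Apply `rounds` rounds of F and report whether the symmetry survived."""
    for _ in range(rounds):
        s = F(s)
    return is_symmetric(s)
```

Because columns c and c+2 (and, under the symmetry, diagonals j and j+2) feed identical inputs to the deterministic G, the symmetry can only be broken by an asymmetric capacity or by key and nonce material injected into the state.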
Journal of Cryptology – Springer Journals
Published: Jun 6, 2018