Cryptanalysis of NORX v2.0

NORX is an authenticated encryption scheme with associated data being publicly scrutinized as part of the ongoing CAESAR competition, where 14 other primitives are also competing. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementa...

Bibliographic Details
Main Authors: Colin Chaigneau, Thomas Fuhr, Henri Gilbert, Jérémy Jean, Jean-René Reinhard
Format: Article
Language: English
Published: Ruhr-Universität Bochum 2017-03-01
Series: IACR Transactions on Symmetric Cryptology
Subjects: CAESAR Competition, NORX, Cryptanalysis, Forgery Attack, Symmetry
Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/589
id doaj-288ebd2402074ee78854ddef5102f471
record_format Article
spelling doaj-288ebd2402074ee78854ddef5102f471 | 2021-03-02T05:00:29Z | eng | Ruhr-Universität Bochum | IACR Transactions on Symmetric Cryptology | 2519-173X | 2017-03-01 | 1 | 156 | 174 | 10.13154/tosc.v2017.i1.156-174 | 589 | Cryptanalysis of NORX v2.0
 Colin Chaigneau (0), Thomas Fuhr (1), Henri Gilbert (2), Jérémy Jean (3), Jean-René Reinhard (4)
 0: UVSQ, Versailles
 1: ANSSI Crypto Lab 51, boulevard de La Tour-Maubourg 75700 Paris 07 SP
 2: ANSSI Crypto Lab, Paris
 3: ANSSI Crypto Lab, Paris
 4: ANSSI Crypto Lab 51, boulevard de La Tour-Maubourg 75700 Paris 07 SP
collection DOAJ
language English
format Article
sources DOAJ
author Colin Chaigneau
Thomas Fuhr
Henri Gilbert
Jérémy Jean
Jean-René Reinhard
title Cryptanalysis of NORX v2.0
publisher Ruhr-Universität Bochum
series IACR Transactions on Symmetric Cryptology
issn 2519-173X
publishDate 2017-03-01
description NORX is an authenticated encryption scheme with associated data being publicly scrutinized as part of the ongoing CAESAR competition, where 14 other primitives are also competing. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired from the permutations used in BLAKE and ChaCha, has evolved throughout three main versions (v1.0, v2.0 and v3.0). In this paper, we investigate the security of the full NORX v2.0 primitive that has been accepted as third-round candidate in the CAESAR competition. We show that some non-conservative design decisions probably motivated by implementation efficiency considerations result in at least one strong structural distinguisher of the underlying sponge permutation that can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity 2^66 (resp. 2^130) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers’ claim of a 128-bit, resp. 256-bit security. Furthermore, we show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX. We emphasize that the scheme has recently been tweaked to NORX v3.0 at the beginning of the third round of the CAESAR competition: the main change introduces some key-dependent internal operations, which make NORX v3.0 immune to our attacks. However, the structural distinguisher of the permutation persists.
topic CAESAR Competition
NORX
Cryptanalysis
Forgery Attack
Symmetry
url https://tosc.iacr.org/index.php/ToSC/article/view/589