Cryptanalysis of Reduced NORX

Abstract

NORX is a second-round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce-based authenticated encryption scheme based on the sponge construction. Its two variants, denoted by NORX32 and NORX64, provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 (out of 4) rounds. The time and data complexities of the attack for NORX32 are $2^{119}$ and $2^{66}$ respectively, and for NORX64 are $2^{234}$ and $2^{132}$ respectively, while the memory complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack for NORX32 are $2^{7.3}$, $2^{124.3}$ and $2^{115}$ respectively, and for NORX64 are $2^{6.2}$, $2^{232.8}$ and $2^{225}$ respectively. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in a nonce-respecting manner.