Title: Cryptanalysis of NORX v2.0
Abstract: NORX is a family of authenticated encryption (AE) algorithms submitted in 2014 to the CAESAR competition. Its NORX v2.0 version is one of the 15 candidates selected in August 2016 for the third round of the competition. A tweaked version, NORX v3.0, was published shortly afterwards and will be the basis for the third-round evaluation. We present:

- a non-random property of the NORX state permutation that has some connection with a weak-states property highlighted in an earlier paper by the NORX designers;
- a resulting ciphertext-only forgery with time and data complexity about 2^66 for the NORX v2.0 instance that uses 128-bit keys (about 2^72 if the algorithm exclusively operates on byte strings). This forgery attack can be extended to a key-recovery attack with the same time and data complexity. While the leveraged properties of NORX v2.0 still hold for NORX v3.0, the introduction of key-dependent internal operations in NORX v3.0 appears to render it immune to these attacks;
- a few extra security analysis results related to the various variants and instances of the NORX family of AE algorithms.

This is joint work with Colin Chaigneau (U. of Versailles) and Thomas Fuhr, Jérémy Jean, Jean-René Reinhard (ANSSI).