Cryptanalysis of NORX v2.0


Ontology type: schema:ScholarlyArticle      Open Access: True


Article Info

DATE

2018-06-06

AUTHORS

Colin Chaigneau, Thomas Fuhr, Henri Gilbert, Jérémy Jean, Jean-René Reinhard

ABSTRACT

NORX is an authenticated encryption scheme with associated data that was selected, along with 14 other primitives, for the third phase of the ongoing CAESAR competition. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired by the permutations used in BLAKE and ChaCha, has evolved through three main versions (v1.0, v2.0 and v3.0). The main result of this paper is a cryptanalysis of the full NORX v2.0, which successfully passed the second round of the CAESAR competition in 2016. We exhibit a strong symmetry preservation property of the underlying sponge permutation and show that this property can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity $2^{66}$ (resp. $2^{130}$) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers’ claim of 128-bit (resp. 256-bit) security. We further show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX v2.0. We also investigate the security of NORX v3.0, a tweaked version of NORX v2.0 introduced at the beginning of the third round of the CAESAR competition.
The introduction in NORX v3.0 of an extra initial and final key addition thwarts the former forgery and key-recovery attacks. We exhibit, however, a long-message forgery attack on both NORX v2.0 and NORX v3.0 that, given the ciphertext of a $2^m$-block message, allows one to forge another $2^m$-block ciphertext with a success probability of about $2^{m-128}$ (resp. $2^{m-256}$) instead of the $2^{-128}$ (resp. $2^{-256}$) one would ideally expect.
We further show that, since the symmetry preservation of the NORX v2.0 permutation persists in NORX v3.0, the former long-message forgery attack can be extended in both versions to a state-recovery attack. This high-complexity attack does not threaten the practical security of NORX v3.0, but it shows that the security loss once a successful forgery has been issued is larger than one would expect.

PAGES

1423-1447

References to SciGraph publications

  • 2014. How to Securely Release Unverified Plaintext in Authenticated Encryption in ADVANCES IN CRYPTOLOGY – ASIACRYPT 2014
  • 2016-07-20. Cryptanalysis of Reduced NORX in FAST SOFTWARE ENCRYPTION
  • 2014. Beyond 2c/2 Security in Sponge-Based Authenticated Encryption Modes in ADVANCES IN CRYPTOLOGY – ASIACRYPT 2014
  • 1997. Cryptanalysis of Alleged A5 Stream Cipher in ADVANCES IN CRYPTOLOGY – EUROCRYPT ’97
  • 2016-10-28. Sandwich Construction for Keyed Sponges: Independence Between Capacity and Online Queries in CRYPTOLOGY AND NETWORK SECURITY
  • 2013. BLAKE2: Simpler, Smaller, Fast as MD5 in APPLIED CRYPTOGRAPHY AND NETWORK SECURITY
  • 2012. Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications in SELECTED AREAS IN CRYPTOGRAPHY
  • 2015-03-29. Analysis of NORX: Investigating Differential and Rotational Properties in PROGRESS IN CRYPTOLOGY – LATINCRYPT 2014
  • 2010. Rotational Cryptanalysis of ARX in FAST SOFTWARE ENCRYPTION
  • 1995. MDx-MAC and Building Fast MACs from Hash Functions in ADVANCES IN CRYPTOLOGY – CRYPTO ’95
  • 2015-04-14. A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro in ADVANCES IN CRYPTOLOGY – EUROCRYPT 2015

Identifiers

    URI

    http://scigraph.springernature.com/pub.10.1007/s00145-018-9297-9

    DOI

    http://dx.doi.org/10.1007/s00145-018-9297-9

    DIMENSIONS

    https://app.dimensions.ai/details/publication/pub.1104422652



    JSON-LD is the canonical representation for SciGraph data.


    [
      {
        "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
        "about": [
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Information and Computing Sciences", 
            "type": "DefinedTerm"
          }, 
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0804", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Data Format", 
            "type": "DefinedTerm"
          }
        ], 
        "author": [
          {
            "affiliation": {
              "alternateName": "UVSQ, Versailles, France", 
              "id": "http://www.grid.ac/institutes/grid.12832.3a", 
              "name": [
                "UVSQ, Versailles, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Chaigneau", 
            "givenName": "Colin", 
            "id": "sg:person.010046040634.26", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010046040634.26"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "ANSSI Crypto Lab, Paris 07 SP, France", 
              "id": "http://www.grid.ac/institutes/None", 
              "name": [
                "ANSSI Crypto Lab, Paris 07 SP, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Fuhr", 
            "givenName": "Thomas", 
            "id": "sg:person.010445664364.38", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010445664364.38"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "ANSSI Crypto Lab, Paris 07 SP, France", 
              "id": "http://www.grid.ac/institutes/None", 
              "name": [
                "UVSQ, Versailles, France", 
                "ANSSI Crypto Lab, Paris 07 SP, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Gilbert", 
            "givenName": "Henri", 
            "id": "sg:person.012771236207.08", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012771236207.08"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "ANSSI Crypto Lab, Paris 07 SP, France", 
              "id": "http://www.grid.ac/institutes/None", 
              "name": [
                "ANSSI Crypto Lab, Paris 07 SP, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Jean", 
            "givenName": "J\u00e9r\u00e9my", 
            "id": "sg:person.014232271321.52", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014232271321.52"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "ANSSI Crypto Lab, Paris 07 SP, France", 
              "id": "http://www.grid.ac/institutes/None", 
              "name": [
                "ANSSI Crypto Lab, Paris 07 SP, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Reinhard", 
            "givenName": "Jean-Ren\u00e9", 
            "id": "sg:person.011071447265.99", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011071447265.99"
            ], 
            "type": "Person"
          }
        ], 
        "citation": [
          {
            "id": "sg:pub.10.1007/978-3-642-13858-4_19", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1022745956", 
              "https://doi.org/10.1007/978-3-642-13858-4_19"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-319-16295-9_17", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1016618707", 
              "https://doi.org/10.1007/978-3-319-16295-9_17"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-642-28496-0_19", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1026500802", 
              "https://doi.org/10.1007/978-3-642-28496-0_19"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/3-540-44750-4_1", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1026318663", 
              "https://doi.org/10.1007/3-540-44750-4_1"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-662-45611-8_5", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1041827519", 
              "https://doi.org/10.1007/978-3-662-45611-8_5"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-662-45611-8_6", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1041289906", 
              "https://doi.org/10.1007/978-3-662-45611-8_6"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-642-38980-1_8", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1034905699", 
              "https://doi.org/10.1007/978-3-642-38980-1_8"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-319-48965-0_15", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1084919229", 
              "https://doi.org/10.1007/978-3-319-48965-0_15"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/3-540-69053-0_17", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1028362929", 
              "https://doi.org/10.1007/3-540-69053-0_17"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-662-52993-5_28", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1031728354", 
              "https://doi.org/10.1007/978-3-662-52993-5_28"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-662-46800-5_11", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1045543954", 
              "https://doi.org/10.1007/978-3-662-46800-5_11"
            ], 
            "type": "CreativeWork"
          }
        ], 
        "datePublished": "2018-06-06", 
        "datePublishedReg": "2018-06-06", 
        "description": "NORX is an authenticated encryption scheme with associated data that was selected, along with 14 other primitives, for the third phase of the ongoing CAESAR competition. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired from the permutations used in BLAKE and ChaCha, has evolved throughout three main versions (v1.0, v2.0 and v3.0). The main result of this paper is a cryptanalysis of the full NORX v2.0 that successfully passed, in 2016, the second round of the CAESAR competition. We exhibit a strong symmetry preservation property of the underlying sponge permutation and show that this property can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity $2^{66}$ (resp. $2^{130}$) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers\u2019 claim of a 128-bit (resp. 256-bit) security. We further show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX v2.0. We also investigate the security of the NORX v3.0, a tweaked version of NORX v2.0 introduced at the beginning of the third round of the CAESAR competition. The introduction in NORX v3.0 of an extra initial and final key addition thwarts the former forgery and key-recovery attacks. We exhibit, however, a long-message forgery attack on both NORX v2.0 and NORX v3.0 that, given the ciphertext of a $2^m$-block message, allows to forge another $2^m$-block ciphertext with a success probability of about $2^{m-128}$ (resp. $2^{m-256}$) instead of $2^{-128}$ (resp. $2^{-256}$) as one would ideally expect. We further show that since the symmetry preservation of the NORX v2.0 permutation persists in NORX v3.0, the former long-message forgery attack can be extended in both versions to a state-recovery attack. This high-complexity attack does not threaten the practical security of NORX v3.0, but show that the security loss once a successful forgery has been issued is larger than one would expect.", 
        "genre": "article", 
        "id": "sg:pub.10.1007/s00145-018-9297-9", 
        "isAccessibleForFree": true, 
        "isFundedItemOf": [
          {
            "id": "sg:grant.4519774", 
            "type": "MonetaryGrant"
          }
        ], 
        "isPartOf": [
          {
            "id": "sg:journal.1136278", 
            "issn": [
              "0933-2790", 
              "1432-1378"
            ], 
            "name": "Journal of Cryptology", 
            "publisher": "Springer Nature", 
            "type": "Periodical"
          }, 
          {
            "issueNumber": "4", 
            "type": "PublicationIssue"
          }, 
          {
            "type": "PublicationVolume", 
            "volumeNumber": "32"
          }
        ], 
        "keywords": [
          "forgery attack", 
          "CAESAR competition", 
          "data complexity", 
          "key recovery attack", 
          "sponge construction", 
          "ongoing CAESAR competition", 
          "encryption scheme", 
          "practical security", 
          "successful forgery", 
          "security loss", 
          "forgery", 
          "security", 
          "block message", 
          "ciphertext", 
          "state recovery attack", 
          "primitives", 
          "attacks", 
          "cryptanalysis", 
          "versatile implementation", 
          "success probability", 
          "key addition", 
          "v2.0", 
          "complexity", 
          "toy version", 
          "NORX", 
          "permutations", 
          "preservation properties", 
          "version", 
          "same time", 
          "correctness", 
          "v3.0", 
          "simple permutations", 
          "ChaCha", 
          "designers", 
          "messages", 
          "implementation", 
          "scheme", 
          "third phase", 
          "key", 
          "construction", 
          "thanks", 
          "main versions", 
          "rounds", 
          "design", 
          "time", 
          "data", 
          "competition", 
          "probability", 
          "main results", 
          "results", 
          "variants", 
          "second round", 
          "introduction", 
          "preservation", 
          "third round", 
          "addition", 
          "phase", 
          "properties", 
          "claims", 
          "Blake", 
          "loss", 
          "symmetry preservation", 
          "beginning", 
          "paper"
        ], 
        "name": "Cryptanalysis of NORX v2.0", 
        "pagination": "1423-1447", 
        "productId": [
          {
            "name": "dimensions_id", 
            "type": "PropertyValue", 
            "value": [
              "pub.1104422652"
            ]
          }, 
          {
            "name": "doi", 
            "type": "PropertyValue", 
            "value": [
              "10.1007/s00145-018-9297-9"
            ]
          }
        ], 
        "sameAs": [
          "https://doi.org/10.1007/s00145-018-9297-9", 
          "https://app.dimensions.ai/details/publication/pub.1104422652"
        ], 
        "sdDataset": "articles", 
        "sdDatePublished": "2022-11-24T21:01", 
        "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
        "sdPublisher": {
          "name": "Springer Nature - SN SciGraph project", 
          "type": "Organization"
        }, 
        "sdSource": "s3://com-springernature-scigraph/baseset/20221124/entities/gbq_results/article/article_764.jsonl", 
        "type": "ScholarlyArticle", 
        "url": "https://doi.org/10.1007/s00145-018-9297-9"
      }
    ]


    HOW TO GET THIS DATA PROGRAMMATICALLY:

    JSON-LD is a popular format for linked data which is fully compatible with JSON.

    curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/s00145-018-9297-9'

    N-Triples is a line-based linked data format ideal for batch operations.

    curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/s00145-018-9297-9'

    Turtle is a human-readable linked data format.

    curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/s00145-018-9297-9'

    RDF/XML is a standard XML format for linked data.

    curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/s00145-018-9297-9'



    This table displays all metadata directly associated to this object as RDF triples.

    199 TRIPLES      21 PREDICATES      99 URIs      80 LITERALS      6 BLANK NODES

    Subject Predicate Object
    1 sg:pub.10.1007/s00145-018-9297-9 schema:about anzsrc-for:08
    2 anzsrc-for:0804
    3 schema:author N405cbedb8d7943c2b743fa330609f23b
    4 schema:citation sg:pub.10.1007/3-540-44750-4_1
    5 sg:pub.10.1007/3-540-69053-0_17
    6 sg:pub.10.1007/978-3-319-16295-9_17
    7 sg:pub.10.1007/978-3-319-48965-0_15
    8 sg:pub.10.1007/978-3-642-13858-4_19
    9 sg:pub.10.1007/978-3-642-28496-0_19
    10 sg:pub.10.1007/978-3-642-38980-1_8
    11 sg:pub.10.1007/978-3-662-45611-8_5
    12 sg:pub.10.1007/978-3-662-45611-8_6
    13 sg:pub.10.1007/978-3-662-46800-5_11
    14 sg:pub.10.1007/978-3-662-52993-5_28
    15 schema:datePublished 2018-06-06
    16 schema:datePublishedReg 2018-06-06
    17 schema:description NORX is an authenticated encryption scheme with associated data that was selected, along with 14 other primitives, for the third phase of the ongoing CAESAR competition. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired from the permutations used in BLAKE and ChaCha, has evolved throughout three main versions (v1.0, v2.0 and v3.0). The main result of this paper is a cryptanalysis of the full NORX v2.0 that successfully passed, in 2016, the second round of the CAESAR competition. We exhibit a strong symmetry preservation property of the underlying sponge permutation and show that this property can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity $2^{66}$ (resp. $2^{130}$) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers’ claim of a 128-bit (resp. 256-bit) security. We further show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX v2.0. We also investigate the security of the NORX v3.0, a tweaked version of NORX v2.0 introduced at the beginning of the third round of the CAESAR competition. The introduction in NORX v3.0 of an extra initial and final key addition thwarts the former forgery and key-recovery attacks. We exhibit, however, a long-message forgery attack on both NORX v2.0 and NORX v3.0 that, given the ciphertext of a $2^m$-block message, allows to forge another $2^m$-block ciphertext with a success probability of about $2^{m-128}$ (resp. $2^{m-256}$) instead of $2^{-128}$ (resp. $2^{-256}$) as one would ideally expect. We further show that since the symmetry preservation of the NORX v2.0 permutation persists in NORX v3.0, the former long-message forgery attack can be extended in both versions to a state-recovery attack. This high-complexity attack does not threaten the practical security of NORX v3.0, but show that the security loss once a successful forgery has been issued is larger than one would expect.
    18 schema:genre article
    19 schema:isAccessibleForFree true
    20 schema:isPartOf N5cb88c5497444fbbbb718903f60253d1
    21 Ndca3ebc2a3114cb6b9facff446800415
    22 sg:journal.1136278
    23 schema:keywords Blake
    24 CAESAR competition
    25 ChaCha
    26 NORX
    27 addition
    28 attacks
    29 beginning
    30 block message
    31 ciphertext
    32 claims
    33 competition
    34 complexity
    35 construction
    36 correctness
    37 cryptanalysis
    38 data
    39 data complexity
    40 design
    41 designers
    42 encryption scheme
    43 forgery
    44 forgery attack
    45 implementation
    46 introduction
    47 key
    48 key addition
    49 key recovery attack
    50 loss
    51 main results
    52 main versions
    53 messages
    54 ongoing CAESAR competition
    55 paper
    56 permutations
    57 phase
    58 practical security
    59 preservation
    60 preservation properties
    61 primitives
    62 probability
    63 properties
    64 results
    65 rounds
    66 same time
    67 scheme
    68 second round
    69 security
    70 security loss
    71 simple permutations
    72 sponge construction
    73 state recovery attack
    74 success probability
    75 successful forgery
    76 symmetry preservation
    77 thanks
    78 third phase
    79 third round
    80 time
    81 toy version
    82 v2.0
    83 v3.0
    84 variants
    85 versatile implementation
    86 version
schema:name Cryptanalysis of NORX v2.0
schema:pagination 1423-1447
schema:productId N0d20ced1df47446b889b63585faecff8
N4496fbd5157a4e9894749fac1d1a5440
schema:sameAs https://app.dimensions.ai/details/publication/pub.1104422652
https://doi.org/10.1007/s00145-018-9297-9
schema:sdDatePublished 2022-11-24T21:01
schema:sdLicense https://scigraph.springernature.com/explorer/license/
schema:sdPublisher N8c23a0ac50db40d0922f2e570d8aa466
schema:url https://doi.org/10.1007/s00145-018-9297-9
sgo:license sg:explorer/license/
sgo:sdDataset articles
rdf:type schema:ScholarlyArticle
N0d20ced1df47446b889b63585faecff8 schema:name doi
schema:value 10.1007/s00145-018-9297-9
rdf:type schema:PropertyValue
N11e5351d1f654fd3bc2b413ea6ff9cfc rdf:first sg:person.012771236207.08
rdf:rest N11f0c335141f4f7c91499aaed17bb313
N11f0c335141f4f7c91499aaed17bb313 rdf:first sg:person.014232271321.52
rdf:rest N979a152b1c304878ad34225b3738a86f
N405cbedb8d7943c2b743fa330609f23b rdf:first sg:person.010046040634.26
rdf:rest Nca45b69794634e32916f801738114f25
N4496fbd5157a4e9894749fac1d1a5440 schema:name dimensions_id
schema:value pub.1104422652
rdf:type schema:PropertyValue
N5cb88c5497444fbbbb718903f60253d1 schema:issueNumber 4
rdf:type schema:PublicationIssue
N8c23a0ac50db40d0922f2e570d8aa466 schema:name Springer Nature - SN SciGraph project
rdf:type schema:Organization
N979a152b1c304878ad34225b3738a86f rdf:first sg:person.011071447265.99
rdf:rest rdf:nil
Nca45b69794634e32916f801738114f25 rdf:first sg:person.010445664364.38
rdf:rest N11e5351d1f654fd3bc2b413ea6ff9cfc
Ndca3ebc2a3114cb6b9facff446800415 schema:volumeNumber 32
rdf:type schema:PublicationVolume
anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
schema:name Information and Computing Sciences
rdf:type schema:DefinedTerm
anzsrc-for:0804 schema:inDefinedTermSet anzsrc-for:
schema:name Data Format
rdf:type schema:DefinedTerm
sg:grant.4519774 http://pending.schema.org/fundedItem sg:pub.10.1007/s00145-018-9297-9
rdf:type schema:MonetaryGrant
sg:journal.1136278 schema:issn 0933-2790
1432-1378
schema:name Journal of Cryptology
schema:publisher Springer Nature
rdf:type schema:Periodical
sg:person.010046040634.26 schema:affiliation grid-institutes:grid.12832.3a
schema:familyName Chaigneau
schema:givenName Colin
schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010046040634.26
rdf:type schema:Person
sg:person.010445664364.38 schema:affiliation grid-institutes:None
schema:familyName Fuhr
schema:givenName Thomas
schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010445664364.38
rdf:type schema:Person
sg:person.011071447265.99 schema:affiliation grid-institutes:None
schema:familyName Reinhard
schema:givenName Jean-René
schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011071447265.99
rdf:type schema:Person
sg:person.012771236207.08 schema:affiliation grid-institutes:None
schema:familyName Gilbert
schema:givenName Henri
schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012771236207.08
rdf:type schema:Person
sg:person.014232271321.52 schema:affiliation grid-institutes:None
schema:familyName Jean
schema:givenName Jérémy
schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014232271321.52
rdf:type schema:Person
sg:pub.10.1007/3-540-44750-4_1 schema:sameAs https://app.dimensions.ai/details/publication/pub.1026318663
https://doi.org/10.1007/3-540-44750-4_1
rdf:type schema:CreativeWork
sg:pub.10.1007/3-540-69053-0_17 schema:sameAs https://app.dimensions.ai/details/publication/pub.1028362929
https://doi.org/10.1007/3-540-69053-0_17
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-319-16295-9_17 schema:sameAs https://app.dimensions.ai/details/publication/pub.1016618707
https://doi.org/10.1007/978-3-319-16295-9_17
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-319-48965-0_15 schema:sameAs https://app.dimensions.ai/details/publication/pub.1084919229
https://doi.org/10.1007/978-3-319-48965-0_15
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-642-13858-4_19 schema:sameAs https://app.dimensions.ai/details/publication/pub.1022745956
https://doi.org/10.1007/978-3-642-13858-4_19
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-642-28496-0_19 schema:sameAs https://app.dimensions.ai/details/publication/pub.1026500802
https://doi.org/10.1007/978-3-642-28496-0_19
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-642-38980-1_8 schema:sameAs https://app.dimensions.ai/details/publication/pub.1034905699
https://doi.org/10.1007/978-3-642-38980-1_8
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-662-45611-8_5 schema:sameAs https://app.dimensions.ai/details/publication/pub.1041827519
https://doi.org/10.1007/978-3-662-45611-8_5
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-662-45611-8_6 schema:sameAs https://app.dimensions.ai/details/publication/pub.1041289906
https://doi.org/10.1007/978-3-662-45611-8_6
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-662-46800-5_11 schema:sameAs https://app.dimensions.ai/details/publication/pub.1045543954
https://doi.org/10.1007/978-3-662-46800-5_11
rdf:type schema:CreativeWork
sg:pub.10.1007/978-3-662-52993-5_28 schema:sameAs https://app.dimensions.ai/details/publication/pub.1031728354
https://doi.org/10.1007/978-3-662-52993-5_28
rdf:type schema:CreativeWork
grid-institutes:None schema:alternateName ANSSI Crypto Lab, Paris 07 SP, France
schema:name ANSSI Crypto Lab, Paris 07 SP, France
UVSQ, Versailles, France
rdf:type schema:Organization
grid-institutes:grid.12832.3a schema:alternateName UVSQ, Versailles, France
schema:name UVSQ, Versailles, France
rdf:type schema:Organization