Analysis of NORX: Investigating differential and rotational properties

Abstract

This paper presents a thorough analysis of the AEAD scheme NORX, focussing on differential and rotational properties. We first introduce mathematical models that describe differential propagation with respect to the non-linear operation of NORX. Afterwards, we adapt a framework previously proposed for ARX designs allowing us to automatise the search for differentials and characteristics. We give upper bounds on the differential probability for a small number of steps of the NORX core permutation. For example, in a scenario where an attacker can only modify the nonce during initialisation, we show that characteristics have probabilities of less than 2−60 (32-bit) and 2−53 (64-bit) after only one round. Furthermore, we describe how we found the best characteristics for four rounds, which have probabilities of 2−584 (32-bit) and 2−836 (64-bit), respectively. Finally, we discuss some rotational properties of the core permutation which yield some first, rough bounds and can be used as a basis for future studies.