Beruflich Dokumente
Kultur Dokumente
r t
r 0 \ \ T
c Fl Fl Fl Fl Fl Fl Fl Fl Fl
c 0 \
01 01 02 02 04 04 08
NORX is viewed as a concatenation of 16 words, i.e. goals are achieved as in the case of NORX32 and
S = s0 k · · · k s15 , which are conceptually arranged in NORX64 [1], [8]. In particular, full diffusion is provided
a 4 × 4 matrix. The so-called rate words are used for after F2 in both cases.
data block injection which are s0 , . . . , s4 for NORX8
and s0 , . . . , s7 for NORX16. The capacity words on the D. Encryption and Tag Generation
other hand are unchanged during data processing and NORX encryption can be divided into three main
ensure the security of the scheme. These are s5 , . . . , s15 phases: initialisation, message processing, and tag gen-
and s8 , . . . , s15 for NORX8 and NORX16, respectively. eration. Processing of a datagram A k M k Z is done in
Proposals for concrete parameters are given in Table I. up to three steps: header processing, payload processing,
We consider NORX8 and NORX16 with l = 4 to be the and trailer processing. The number of steps depends on
default instances. whether A, M , or Z are empty or not. NORX skips
processing phases of empty message parts. For example,
TABLE I
P ROPOSED PARAMETER COMBINATIONS OF THE LIGHTWEIGHT in the simplest case when |A| = |Z| = 0, |M | > 0,
NORX VARIANTS . message processing is done in one step, since only the
payload M needs to be encrypted and authenticated.
w l b r c k n t Below, we first describe the padding and domain
8 4 or 6 128 40 88 80 32 80 separation rules, then each of the aforementioned phases.
16 4 or 6 256 128 128 96 32 96
1) Padding: NORX uses the multi-rate padding [6],
defined by padr : X 7−→ X k 10q 1 with bitstrings X
C. The Round Function F and 10q 1, and q = (−|X| − 2) mod r. This extends X
to a multiple of the rate r and guarantees that the last
F processes a state S by first transforming its four
block of padr (X) differs from the all-zero block 0r .
columns with
2) Domain Separation: NORX performs domain sep-
G(s0 , s4 , s8 , s12 ) G(s1 , s5 , s9 , s13 ) aration by XORing a domain separation constant to the
G(s2 , s6 , s10 , s14 ) G(s3 , s7 , s11 , s15 ) least significant byte of s15 each time before the state is
and then transforming its four diagonals with transformed by the permutation Fl . Distinct constants are
used for the different phases of message processing and
G(s0 , s5 , s10 , s15 ) G(s1 , s6 , s11 , s12 ) tag generation. Table II gives the specification of those
G(s2 , s7 , s8 , s13 ) G(s3 , s4 , s9 , s14 ) constants and Figure 1 illustrates their integration into
Those two operations are called column step and di- the state of NORX.
agonal step, as in BLAKE2 [7] and NORX [1], [8]. TABLE II
The permutation G transforms four words a, b, c, d by D OMAIN SEPARATION CONSTANTS .
computing (top-down, left-to-right):
header payload trailer tag
01 02 04 08
1. a ←− (a ⊕ b) ⊕ (a ∧ b) 1 5. a ←− (a ⊕ b) ⊕ (a ∧ b) 1
2. d ←− (a ⊕ d) ≫ r0 6. d ←− (a ⊕ d) ≫ r2
3) Initialisation: This phase processes a secret key K ,
3. c ←− (c ⊕ d) ⊕ (c ∧ d) 1 7. c ←− (c ⊕ d) ⊕ (c ∧ d) 1
4. b ←− (b ⊕ c) ≫ r1 8. b ←− (b ⊕ c) ≫ r3
a nonce N and the parameters w, l, p, and t. For w = 8,
The rotation offsets (r0 , r1 , r2 , r3 ) are (1, 3, 5, 7) for we have K = k0 k · · · k k9 and N = n0 k · · · k n3 of
NORX8, and (8, 11, 12, 15) for NORX16. They were sizes 80 and 32 bits, respectively. For w = 16, we have
chosen such that similar performance and security K = k0 k · · · k k5 and N = n0 k n1 of sizes 96 and 32
bits, respectively. First, the state S = s0 k · · · k s15 is c) Trailer Processing: Trailer data Z is processed
initialised. For NORX8 this is done by in a similar way as header data. The only difference is
that the domain separation constant 04 is used instead
s0 s1 s2 s3
n0 n1 n2 n3
of 02, see Table II.
s4 s5 s6 s7 k0 k1 k2 k3
s ←− 5) Tag Generation: Computation of the authentica-
8 s9 s10 s11 k4 k5 k6 k7
s12 s13 s14 s15 k8 u13 u14 k9 tion tag T is handled slightly different for NORX8 and
NORX16. Both variants first execute the following steps:
For NORX16 state initialisation is
s0 s1 s2 s3
k0 n0 n1 k1
s15 ←− s15 ⊕ 08
s4 s5 s6 s7 k2 k3 k4 k5
s s9 s10 s11
←−
u8 u9 u10 u11
S ←− Fl (S)
8
s12 s13 s14 s15 u12 u13 u14 u15 S ←− Fl (S)
The constants can be computed in both cases through T ←− T k s0 k · · · k sr/l−1
(u0 , . . . , u15 ) ←− F2 (0, . . . , 15) While the tag can be extracted at once for NORX16,
this is not possible for NORX8 in most cases as the rate
using the respective variants of F2 . Note, however that only has a size of 40 bits. Thus, NORX8 performs the
only a particular subset of the generated constants is following operations for each block required after the
used: u13 and u14 for NORX8 and u8 , . . . , u15 for first:
NORX16. Afterwards, the parameters w, l, p, and t are
integrated into the state S by XORing them to s12 , s13 ,
s15 ←− s15 ⊕ 08
s14 , and s15 , respectively. Finally, S is updated with Fl .
4) Message Processing: Message processing is the S ←− Fl (S)
main phase of NORX encryption or decryption. T ←− T k s0 k · · · k sr/l−1
a) Header Processing: If |A| = 0, this step is
skipped, otherwise let padr (A) = A0 k · · · k Aa−1 In summary, 3l rounds are necessary to extract an 80-bit
denote the padded header data, with r-bit sized header tag for NORX8.
blocks Ai = ai,0 k · · · k ai,r/l−1 and 0 ≤ i ≤ a − 1.
Then Ai is processed by: E. Decryption and Tag Verification
s15 ←− s15 ⊕ 01 NORX decryption mode is similar to the encryption
S ←− Fl (S) mode. The only two differences are described below.
sj ←− sj ⊕ ai,j , for 0 ≤ j ≤ r/l − 1 1) Message Processing: Processing header A and
trailer Z of A k C k Z is done in the same way as
b) Payload Processing: If |M | = 0, this step is for encryption. Decryption of the encrypted payload C
skipped. Otherwise, payload data is padded using the is achieved as follows:
multi-rate padding and then encrypted. Let padr (M ) =
M0 k · · · k Mm−1 . To encrypt Mi = mi,0 k · · · k s15 ←− s15 ⊕ 02
mi,r/l−1 and get a new ciphertext block Ci = ci,0 k
S ←− Fl (S)
· · · k ci,r/l−1 the following steps are executed
mi,j ←− sj ⊕ ci,j , for 0 ≤ j ≤ r/l − 1
s15 ←− s15 ⊕ 02 sj ←− ci,j
l
S ←− F (S)
sj ←− sj ⊕ mi,j , for 0 ≤ j ≤ r/l − 1 Like in encryption, as many bits are extracted and written
to M as unpadded encrypted payload bits.
ci,j ←− sj
2) Tag Verification: This step is executed after tag
for 0 ≤ i < m − 1. For i = m − 1, the procedure is generation. Let T and T 0 denote the received and the
almost the same, but only a truncated ciphertext block is generated tag. If T = T 0 , tag verification succeeds;
created such that C has the same length as (unpadded) otherwise it fails, the decrypted payload is discarded and
M . In other words, padding bits are never written to C . an error is returned.
III. H ARDWARE R EQUIREMENTS for the trivial one G(0, 0, 0, 0) = (0, 0, 0, 0). As a
In this section, we present preliminary estimates of the consequence, Fl also has no fixed points except for the
required gate-equivalents (GE) when realising NORX8 all-zero point. Our SMT/SAT-solver-based differential
and NORX16 in hardware. We assume that the ciphers cryptanalysis of F2 showed that the probabilities of
are implemented for a technology that needs 7 GE per D- differential characteristics are upper-bounded by 2−29
flip-flop, 3 GE per XOR and 2 GE per AND. To store the (w = 8) and 2−37 (w = 16). Moreover, the differen-
states of NORX8 and NORX16 a total of 128 and 256 D- tial probabilities for F during initialisation are upper-
flip-flops are necessary amounting to 7 · 128 = 896 GE bounded by 2−31 (w = 8) and 2−53 (w = 16) for the
and 7 · 256 = 1792 GE, respectively. Implementing G case where only the nonce words can be modified. In
requires 12 XORs, 4 ANDs, and some bit shifts for 1 this scenario, 7 rounds of initialisation can be roughly
and cyclic rotations ≫ r. Bit shifts can be ignored upper-bounded by 2−31+3·(−29) = 2−118 (NORX8) and
for GE estimations since they are realised through re- 2−53+3·(−37) = 2−164 (NORX16), respectively.
wiring. The 8- and 16-bit G functions therefore need VI. C ONCLUSION
(3 · 12 + 2 · 4) · 8 = 44 · 8 = 352 GE and 44 · 16 = 704 GE,
In this work, we presented NORX8 and NORX16, the
respectively. The difference between the column and
two latest members of the NORX family of authenticated
diagonal steps is also just a re-wiring of state elements
encryption schemes targeted at low-end systems. The
and therefore requires no additional GE. Absorption of
reference source code for both new variants of NORX
r-bit data blocks is realised through bitwise XOR. Thus,
will be released on the official NORX website [10]. The
an additional number of 3 · 40 = 120 GE (NORX8) and
NORX family of authenticated encryption algorithms
3 · 128 = 384 GE (NORX16) are necessary. In summary,
is free for everyone to use and we have neither filed
the lower bounds for hardware implementations can be
nor have we planned to file a patent application for the
estimated by 896 + 352 + 120 = 1368 GE for NORX8
algorithm.
and 1792 + 704 + 384 = 2880 GE for NORX16.
R EFERENCES
IV. S ECURITY G OALS
[1] J.-P. Aumasson, P. Jovanovic, and S. Neves, “NORX,” in
NORX8 and NORX16 follow the same security CAESAR Proposal, 2014.
paradigms like their bigger siblings NORX32 and [2] “CAESAR — Competition for Authenticated Encryption: Secu-
rity, Applicability, and Robustness,” 2014, http://competitions.
NORX64, i.e. it is assumed that adversaries are nonce-
cr.yp.to/caesar.html.
respecting and that nothing but an error is returned on [3] J.-P. Aumasson, P. Jovanovic, and S. Neves, “Analysis of
a tag verification failure. The security of the schemes is NORX,” in LATINCRYPT 2014, 2014, to appear.
limited by key and tag sizes of k = t = 80 bits (NORX8) [4] P. Jovanovic, A. Luykx, and B. Mennink, “Beyond 2c/2 Se-
curity in Sponge-Based Authenticated Encryption Modes,” in
and of k = t = 96 bits (NORX16) for our proposed Advances in Cryptology — ASIACRYPT 2014, ser. Lecture
instances, see Table I. We set the usage exponent e to 24 Notes in Computer Science, T. Iwata and P. Sarkar, Eds., vol.
(NORX8) and 32 (NORX16) which limits the number of 8873. Springer, 2014, pp. 85–104.
initialisations to 2e before a given key has to be changed. [5] G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche,
“Permutation-based Encryption, Authentication and Authenti-
According to the results for keyed sponge constructions cated Encryption,” presented at DIAC 2012, 05–06 July 2012,
presented in [9], NORX8 and NORX16 are expected to Stockholm, Sweden.
indeed achieve the generic security bounds of 80 and 96 [6] ——, “Duplexing the Sponge: Single-Pass Authenticated En-
cryption and Other Applications,” in SAC 2011, ser. LNCS,
bits, respectively. A. Miri and S. Vaudenay, Eds., vol. 7118. Springer, 2011, pp.
320–337.
V. P RELIMINARY C RYPTANALYSIS [7] J.-P. Aumasson, S. Neves, Z. Wilcox-O’Hearn, and C. Win-
We conducted a preliminary analysis of certain prop- nerlein, “BLAKE2: Simpler, Smaller, Fast as MD5,” in ACNS
erties of NORX with w ∈ {8, 16}, and used similar 2013, ser. LNCS, M. Jacobson, M. Locasto, P. Mohassel, and
R. Safavi-Naini, Eds., vol. 7954. Springer, 2013, pp. 119–135.
techniques as presented in [3] for w ∈ {32, 64}. The [8] J.-P. Aumasson, P. Jovanovic, and S. Neves, “NORX: Parallel
rotation offsets (1, 3, 5, 7), for w = 8, and (8, 11, 12, 15), and Scalable AEAD,” in ESORICS 2014, ser. LNCS, M. Kuty-
for w = 16, of the round function were chosen such lowski and J. Vaidya, Eds., vol. 8713. Springer, 2014, pp.
19–36.
that F2 provides full diffusion, as already mentioned [9] E. Andreeva, J. Daemen, B. Mennink, and G. V. Assche,
in Section II-C. Additionally, the above rotation offsets “Security of Keyed Sponge Constructions Using a Modular
ensure that the function G has no fixed points, which Proof Approach,” in FSE 2015, to appear.
are values that satisfy G(a, b, c, d) = (a, b, c, d), except [10] “Official website of NORX,” 2014, https://www.norx.io.