Status Quo of NORX

The Competition for Authenticated Encryption: Security, Applicability, and Robustness, alias CAESAR, officially started on March 15, 2014. Today, on June 15, it has been three months since the submission deadline, and I want to take this as an opportunity to present a small status report of NORX, the CAESAR candidate of Jean-Philippe Aumasson, Samuel Neves and yours truly.

First of all: The starting hurdles are taken and, more importantly, NORX is still in the race! Of course, after such a short period this doesn't have to mean anything at all. It usually takes years before enough analysis of a new cryptographic primitive is available and a certain level of confidence in its security has been built up. Obviously, this is also one of the main motivations behind running a crypto competition after all. Anyway, quite a lot has already happened in the first three months of CAESAR. Those of you who are interested in the latest developments should have a look at the crypto competitions mailing list. For a general overview of all the submissions, I can recommend the Authenticated Encryption Zoo, maintained by the crypto groups of DTU Compute, Denmark, and IAIK - TU Graz, Austria. Next to providing all the specifications for download, they list information about the basic building blocks of the candidates, present some of their core features, and show the status of the algorithms with respect to cryptanalysis. So go and check it out, if you haven't done it already.

Some of you might have read my last blog post where I presented benchmarking results for BLAKE2 and NORX on the Apple A7 chip. However, this was not the only thing that we've been working on over the last couple of months. The following list summarises the latest results concerning NORX:

  • Only two days ago we received confirmation that NORX has been accepted for presentation at the 19th European Symposium on Research in Computer Security (ESORICS). We are very happy about that, and look forward to presenting and discussing our cipher at the conference.
  • The specification of NORX received an update to version 1.1. We've included a changelog (see chapter 10) detailing all the modifications compared to version 1.0. The most significant change is the way plaintext messages are padded for the parallel modes. It turned out that we performed quite a few unnecessary message extensions in these cases and that they can be removed without reducing the security of the scheme.
  • All of you following our updates on Twitter (@daeinar, @sevenps, @veorq) probably already know, so this is more of a pointer for new readers: Reference and optimised versions of the NORX source code are available on GitHub, licensed under CC0 1.0 Universal. Go check it out!
  • Report 2014/317 of the IACR Cryptology ePrint Archive shows our thorough analysis concerning differential and rotational properties of the core permutation. Through this we were able to derive first security bounds for NORX with respect to differential and rotational cryptanalysis. Additionally, we hope that the introduced theoretical tools are useful for future analysis of NORX and other LRX-schemes.
  • The (NO)RX (D)ifferential Search (E)ngine, alias NODE, is a Python framework for differential cryptanalysis of the core permutation and was developed alongside the research described in the paper above. The search for differentials is conducted with the help of SMT and/or SAT solvers like Boolector, STP or CryptoMiniSat. The NODE source code is also available on GitHub.
  • Report 2014/373 of the IACR Cryptology ePrint Archive discusses security proofs for the NORX mode of operation. It shows that sequential and parallel versions of the mode satisfy certain good security bounds, under the assumptions that the underlying permutation is ideal and nonce-freshness is guaranteed. The derived security bounds would even allow increasing the rate for all of the NORX variants by two words, i.e. by 2 × 64 bits in the case of NORX64 and by 2 × 32 bits in the case of NORX32. This would obviously increase the speed of the algorithms quite a bit. Another nice result is that the proofs can be easily adapted to five other Sponge-based modes, namely to those of Ascon, CBEAM (now withdrawn)/STRIBOB, ICEPOLE, Keyak, and HANUMAN/GIBBON (from PRIMATES). Security-Proof-Stickers for everyone!
  • There are already two 3rd-party implementations of NORX written in Python (by @mik325) and C++ (by @EsGeh). Thanks to the contributors at this point! Moreover, I also got my hands dirty and implemented a version in Go.
  • Finally, according to this SUPERCOP benchmark (architecture: AMD64, date: 05-30-14) our reference implementation of NORX is not only the fastest Sponge-based scheme but the 3rd fastest cipher among all submissions (!), with only MORUS and HS1-SIV being faster. This was quite a nice and unexpected surprise. I extracted and sorted the relevant data from the page above and uploaded it here. By dividing those values by the constant factor 4 × 1536 = 6144 one gets an approximation in cycles per byte. At the time of writing this blog post not all submissions had optimised versions available and thus it doesn't make too much sense to compare these already. However, one can expect that all the AES modes will receive big performance improvements due to the AES New Instructions (a.k.a. cheating mode ;) and it can be taken for granted that the final list will look very different.

So you see, the first three months of CAESAR have been quite busy, but we still have some stuff in the pipeline, which we hope to release in the coming months.

Before finishing this post, always remember that NORX is still an ongoing research project and not ready to be used in a production environment! So please don't use it in your applications yet. You have been warned!

However, we are always happy to hear about your experiments with NORX. Let us know if you have a new implementation or find out something else of potential interest.

Update (15.06.14): Thanks to Martin Lauridsen (@mmlauridsen) for pointing out that IAIK - TU Graz is not involved in the AEZoo. I got that wrong from the page.

Update (29.06.14): CronorX is a 180nm ASIC implementing NORX in about 59kGE. It achieves a throughput of about 10Gbps at a frequency of 125MHz. The chip was designed, under the supervision of Frank K. Gürkaynak and Christoph Keller, by Mauro Salomon and Tibor Keresztfalvi, two students from ETH Zürich. More information can be found on their project page.