Cryptanalysis of Reduced NORX

NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 out of 4 rounds. The time and data complexities of the attack for NORX32 are $$2^{119}$$ and $$ 2^{66} $$ respectively, and for NORX64 are $$ 2^{234} $$ and $$ 2^{132} $$ respectively, while the memory complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack for NORX32 are $$2^{7.3}$$, $$2^{124.3}$$ and $$2^{115}$$ respectively and for NORX64 are $$2^{6.2}$$, $$2^{232.8}$$ and $$2^{225}$$ respectively. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in nonce respecting manner.