International Association
for Cryptologic Research

This paper presents a thorough security analysis of the AEAD scheme NORX,

focussing on differential and rotational properties of the core permutation.

To examine its differential properties, we first introduce mathematical models

that describe differential propagation with respect to the non-linear operation

of NORX. Then we adapt the framework previously proposed for ARX designs,

which allows us to automatise the search for differentials and differential

characteristics. We give upper bounds on the differential probability of a

small number of steps of the NORX core permutation, and show how we found the

best characteristics for four rounds, which have probabilities of $2^{-584}$

($32$-bit) and $2^{-836}$ ($64$-bit), respectively. Finally, we discuss some

rotational properties of the core permutation which can be used as a basis for

future studies.