In general terms, NORX works by combining a cryptographic hash function and a stream cipher. At the end of an encryption operation you end up with a ciphered message plus its authenticated hash. If you call AEADEnc() with a zero-length secret and postfix message, you basically get a hash function for each $(key, nonce)$ pair.

My question is, given a fixed and public $(key, nonce)$ pair, can NORX AEADEnc() work as a secure cryptographic hash function?

user3368561

4

What security goals are you hoping for?

If NORX is a secure nonce-based AEAD as advertised (which it may or may not be—CAESAR dropped it and it's not widely deployed, so there's little incentive to study it), then what it will guarantee, as a nonce-based MAC, is antiforgery. Specifically, no cost-limited adversary who can query an oracle ‘NORX-MAC’ for a single message under a single nonce can forge an authenticator for another message under that nonce.

But, for this security goal, there are much faster choices like Poly1305-AES. If you want a stronger security goal, like a nonceless MAC or a PRF such as HMAC-SHA256 or keyed BLAKE2s or KMAC256 are conjectured to be, NORX may or may not provide that: it's not advertised as a security goal of NORX. If you're looking for collision resistance, it's unlikely that you'll find it in NORX as is.

Squeamish Ossifrage
  • The nice thing about NORX vs AES/ChaCha20-Poly1305 is that its unoptimized reference C implementation is very fast (3 CPB on my machine). Sure, an optimized implementation of AES/ChaCha20-Poly1305 outperforms an optimized implementation of NORX (with p=1), but not all platforms have the luxury of having one. Moreover, AES/ChaCha20-Poly1305 plus a hash are three algorithms. This means a greater attack surface, greater opportunities to introduce bugs, and three times more effort to deploy it on new platforms. – user3368561 Jul 05 '18 at 08:30
  • My security goal is at least 128 bits of security. – user3368561 Jul 05 '18 at 08:32
  • @user3368561 ‘128-bit security’ is not a security goal. Examples of security goals: pseudorandom function family, or PRF security meaning adversary can't distinguish the family under uniform random key from a uniform random function; message authentication code, or EUF-CMA (existential unforgeability under chosen message attack) meaning adversary mounting chosen-message attack can't find any message and authenticator pair; collision resistance, meaning adversary given random key can't find collision with nonnegligible probability; ((enhanced) target) preimage resistance; etc. – Squeamish Ossifrage Jul 05 '18 at 22:26
  • @user3368561 Can a fork function as a spoon? Well, yes, you can get a few drops of soup on a fork, so with a lot more forkfuls of soup you can eat it as if you had a spoon. I'm not asking how big a utensil you're looking for—I'm asking what kind of utensil you're looking for. – Squeamish Ossifrage Jul 05 '18 at 22:27
  • A security goal similar to Blake2s will do. Can NORX or a NORX variant using same permutation function achieve it? – user3368561 Jul 05 '18 at 23:25
  • @user3368561 Almost certainly not NORX as is—it is unlikely to be collision-resistant. But I have to backtrack here before saying any more about NORX. What is ‘AES/ChaCha20-Poly1305 plus a hash’? You have a block cipher, a stream cipher, a one-time authenticator, and a ‘hash’ of unspecified nature in one sentence. What are you trying to accomplish with that juxtaposition? Forget performance for a moment. Please ask questions on this site about security goals so you can understand what cryptography is actually doing for you. – Squeamish Ossifrage Jul 05 '18 at 23:35
  • "AES/ChaCha20-Poly1305 plus a hash" is basically libsodium. A library small enough to fit in embedded devices but only fast on x86 computers. Implementing the fast paths for new architectures requires implementing many completely unrelated algorithms. Having a shared primitive would help immensely. Something similar to libhydrogen but without the intrinsic slowness of the Gimli permutation. – user3368561 Jul 05 '18 at 23:53
  • @user3368561 This is a complex multidimensional question. libsodium provides many security goals using different constructions. If you mean crypto_aead_chacha20poly1305 or crypto_aead_aes256gcm, those are secret-key authenticated ciphers. If you mean crypto_auth_hmacsha512256, that's a message authentication code. If you mean crypto_generichash_blake2b, then I imagine (although the libsodium documentation is apparently deficient in the ‘identifying security goals’ department, which is disappointing) it's supposed to provide collision resistance. – Squeamish Ossifrage Jul 06 '18 at 00:23
  • @user3368561 libhydrogen is cute because it is conceptually simple using the versatile tool of sponge constructions, and admits a small implementation. But small implementation doesn't mean efficient implementation, and things like collision resistance cost much more than things like low collision probability. Gimli is still a new design; NORX is not as new, but it's not likely to receive any new scrutiny. Can you get high performance for standard security levels in a variety of security goals on a variety of architectures using a single primitive? Crypto.SE can't really tell you. – Squeamish Ossifrage Jul 06 '18 at 00:28
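The answer's point that the security goal, not a bit count, decides what a construction gives you, as an added example that is not part of the original thread and contains no NORX code. It is a Python implementation of Poly1305, the one-time authenticator behind the Poly1305-AES and ChaCha20-Poly1305 the answer mentions, checked against the RFC 8439 test vector; the ChaCha20-Poly1305 tag layout for an empty plaintext, which is what an AEAD call with a zero-length message reduces to, with the assumption that the 32-byte one-time key is passed in directly rather than derived by ChaCha20 from the (key, nonce) pair as the real AEAD does; and the nonceless alternatives the answer names, keyed BLAKE2s and HMAC-SHA256, from the standard library. The Poly1305 key, message and tag come from RFC 8439; every other key and input is constructed for the demo.

```python
import hashlib
import hmac

P1305 = (1 << 130) - 5
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF

# Test vector from RFC 8439, section 2.5.2 (key = r || s, 32 bytes).
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """One-time authenticator (RFC 8439 2.5.1). The key must never be reused:
    the tag is a linear function of the message once r and s are known, which
    is why a fixed, public key turns this into plain arithmetic, not a hash."""
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block gets a 0x01 byte appended so that trailing zeros matter.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _pad16(data: bytes) -> bytes:
    return b"\x00" * (-len(data) % 16)


def aead_tag_for_empty_message(one_time_key: bytes, aad: bytes) -> bytes:
    """Tag a ChaCha20-Poly1305 AEAD (RFC 8439 2.8) produces when the plaintext
    is empty. Assumption: the caller supplies the 32-byte one-time Poly1305
    key; the real AEAD derives it from (key, nonce) with ChaCha20, which is the
    step that makes reusing a nonce fatal. With no ciphertext the MAC input is
    just aad || pad16(aad) || len(aad) || len(ct)=0, i.e. a nonce-based MAC
    of the associated data, nothing more."""
    ct = b""
    mac_data = (aad + _pad16(aad) + ct + _pad16(ct)
                + len(aad).to_bytes(8, "little")
                + len(ct).to_bytes(8, "little"))
    return poly1305_mac(mac_data, one_time_key)


def keyed_blake2s_mac(key: bytes, msg: bytes) -> bytes:
    """Nonceless PRF/MAC with a reusable key: keyed BLAKE2s (key <= 32 bytes)."""
    return hashlib.blake2s(msg, key=key, digest_size=32).digest()


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Nonceless PRF/MAC with a reusable key: HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_tag(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison; a plain == stops at the first mismatching byte."""
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    # Constructed sample inputs; not taken from any real protocol or the thread.
    key = bytes(range(32))
    aad = b"header-v1"
    return {
        "poly1305_rfc_ok": verify_tag(RFC_TAG, poly1305_mac(RFC_MSG, RFC_KEY)),
        "aead_empty_tag": aead_tag_for_empty_message(key, aad).hex(),
        "blake2s_mac": keyed_blake2s_mac(key, aad).hex(),
        "hmac_sha256": hmac_sha256(key, aad).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three tag functions look alike from the outside, all returning a short byte string, which is exactly why the answer keeps asking for the goal: `poly1305_mac` is only safe with a key used once, `aead_tag_for_empty_message` inherits that restriction through the nonce, and only the keyed BLAKE2s and HMAC variants are designed to be called many times under the same key.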