The NORX Bug Bounty Program

This post is on behalf of the team that designed the cipher NORX, namely Philipp Jovanovic (EPFL), Samuel Neves (Uni Coimbra), and JP Aumasson (Kudelski Security).

Are you a cryptanalysis-ninja with differentials, boomerangs, and bicliques being your weapons of choice? Do you know what IND-CPA, IND-CCA{1,2}, and INT-{P,C}TXT actually mean and that querying random oracles has nothing to do with randomly visiting astrologers? Or do your hacker-friends celebrate you as the personified american fuzzy lop?

Well, if you answered yes to any of these questions and are up for a challenge, then head over to and find some bugs in one (or all) of the following categories:

  • Bugs in the NORX algorithm (a.k.a. cryptanalysis)
  • Bugs in the NORX security proofs (evidence of a wrong proof and/or a wrong result)
  • Bugs in the NORX source code (software bugs or inconsistencies with the specs)

If you answered no but are nevertheless up for a challenge, then head over to the NORX website too and give it a try, as in each category you can win a bounty of $250! In order to get a reward, your submission has to be the winning entry in one of the above categories.

The deadline for submissions is May 31, 2016 at 23:59 (UTC+01:00). Send your findings to [email protected] and we will tell you if your results are eligible. The winners of the bug bounty program will be announced in the first week of June, 2016.

Happy hunting!

The NORX team

Acknowledgements: The NORX bug bounty program would not have been possible without our generous sponsors. We thank Bryan Ford, head of EPFL’s Decentralized and Distributed Systems Lab, and Kudelski Security, for providing financial support.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s