Is it possible to convert NORX into a hash algorithm?

[DonaldTsang]

Since SHA3 is a hash algorithm of the keccak permutation (also used in LibDisco/Strobe as AEAD),
is it possible to turn NORX into a hash function, and if so, how fast is it (in C, Go and Python3)?

[Daeinar]

You could do that but we know little about the security of such a NORX-based hash function. My intuition is that you would need to have many more rounds of the NORX permutation to turn it into a secure hash function which would obviously impact performance.

Why are you interested in that if I may ask?

[DonaldTsang]

@Daeinar because I am interested in sponge functions that are two-dimensional based on BLAKE/BLAKE2/Salsa/ChaCha, and not three-dimensional (see Keccak/SHA3/KangarooTwelve) and since they are easier to implement and conceptualize, why not turn this into a full fledged hash algorithm?

Side note: I have challenged myself to create "the most easy to explain (ELI5 but for middle/high school) sponge construction that is 128 or 256 bit secure" and I think NORX is a better candidate than Keccak (SHA3/KangarooTwelve) or Skein (which skein denies to be a sponge function). Cubehash and JH are both unsecure by nature, so I would not like to use them.

Reference to Skein-as-a-Sponge (SkaaSp): https://eprint.iacr.org/2010/432.pdf

Another thing is that I do not consider Ascon (https://ascon.iaik.tugraz.at/specification.html) to be a good hash candidate from the CAESAR competition, as it has a 320-bit state, which is expected to be a "light" sponge function.

[DonaldTsang]

Here is a list of other hashes to be considered to turn into a sponge function:

• Grøstl (hard to convert into a sponge function as it is contains a scrambling function Q and a Miyaguchi–Preneel like compression P)
  • http://www.groestl.info/Groestl.pdf (diagram at page 6)
• Blue Midnight Wish (hard to convert into a sponge function as it has complex pipes throughout the hash functions)
  • http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf
  • Image reference https://www.researchgate.net/figure/A-graphic-representation-of-the-fully-decomposed-Blue-Midnight-Wish-hash-algorithm_fig1_264884738
• ECHO (smaller input message, larger chaining value and xoring would be added in order to turn this into a AES-based sponge)
  • https://crypto.orange-labs.fr/echo/doc/echo_description_2-0.pdf
• Fugue
  • https://researcher.watson.ibm.com/researcher/files/us-csjutla/fugue_Oct09.pdf
• Hamsi (hard to convert into a sponge function as it is a pure compression function)
  • https://www.esat.kuleuven.be/cosic/publications/article-1203.pdf (diagram at page 8)
• Luffa (is based on a sponge function, MI can be modified to be more Sponge-friendly)
  • http://www.hitachi.com/rd/yrl/crypto/luffa/Luffa_v2_Specification_20091002.pdf (diagram at page 10)
• Shabal (can be converted into a simple sponge if the message is only used in the permutation and the counter is removed)
  • https://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf (diagram at page 22)
• SHAvite-3 (round expansions has to be removed in order to turn this into a AES-based sponge)
  • http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf
• SIMD (hard to modify as it uses a modded Davies-Meyer construction with key expansion)
  • https://who.rocq.inria.fr/Gaetan.Leurent/files/SIMD.pdf