[Resource Topic] 2020/1463: Observations on the Tightness of the Security Bounds of GIFT-COFB and HyENA

Resource Secret-key cryptography
#1

Welcome to the resource topic for 2020/1463

Title:
Observations on the Tightness of the Security Bounds of GIFT-COFB and HyENA

Authors: Mustafa Khairallah

Abstract:

In this article, we analyze and investigate two authenticated encryption algorithms: GIFT-COFB and HyENA. The two modes differ in some low levels details in both the design and security proofs. However, they share a lot of similarities. We take a look at the best-known attacks and security proofs of these designs. We show that the best-known attack is not a matching attack to the security bounds provided by the designers in the security proof. Second, we give a new attack that we characterize as an {\it “almost matching”} attack. It is significantly closer to the provable security bounds. The new attack requires O(2^{n/4}) encryptions and O(2^{n/2}) decryptions, as opposed to O(2^{n/2}) encryptions and O(2^{n/2}) decryptions shown previously. However, there is still a substantial logarithmic gap between this attack and the corresponding security bound. Next, we analyze why this gap still exists and why it is unlikely to find matching attacks. We give two arguments. The first argument is by analyzing the security proof and showing how it masks a term with non-negligible encryption complexity. The second argument looks at the attacker’s point of view. A successful attack requires satisfying a non-trivial linear equation over secret random variables. Satisfying such an equation requires more decryption queries than what is bounded by the security proof. It is worth emphasizing that the analysis and attacks presented in this paper {\it do not} threaten the security claims made by the designers or the security of these designs within the parameters required by the NIST lightweight cryptography project. The results increase confidence in the security claims of GIFT-COFB and HyENA while showing their limitations by relying mostly on bounding the number of unsuccessful forgeries.

ePrint: https://eprint.iacr.org/2020/1463

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .