[Resource Topic] 2022/001: Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle

Welcome to the resource topic for 2022/001

Title:
Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle

Authors: Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu

Abstract:

We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict their claimed bounds in their final round specification documents. For GIFT-COFB, we show an attack using q_e encryption queries and no decryption query to break privacy (IND-CPA). The success probability is O(q_e/2^{n/2}) for n-bit block while the claimed bound contains O(q^2_e/2^{n}). This positively solves an open question posed in~[Khairallah, ePrint~2021/648 (also accepted at FSE~2022)]. For Photon-Beetle, we show an attack using q_e encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is O(q^2_e/2^{b}) for a b-bit block permutation, and it is significantly larger than what the claimed bound tells, which is independent of the number of encryption queries. We also show a simple tag guessing attack that violates the INT-CTXT bound when the rate r=32. Then, we analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers~[Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint~2019/1475]. As a side result of our security analysis of Photon-Beetle, we point out that a simple and efficient forgery attack is possible in the related-key setting. We emphasize that our results do not contradict the claimed ``bit security’’ in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is (n/2 - \log n)-bit secure for n=128, and Photon-Beetle is (b/2 - \log b/2)-bit secure for b=256 and r=128, where r is a rate. We also note that the security against related-key attacks is not included in the security requirements of NIST LwC, and is not claimed by the designers.

ePrint: https://eprint.iacr.org/2022/001

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .