Abstract
We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict the bounds claimed in their final-round specification documents. For GIFT-COFB, we show an attack using \(q_e\) encryption queries and no decryption query to break privacy (IND-CPA). The success probability is \(O(q_e/2^{n/2})\) for an n-bit block, while the claimed bound contains \(O(q_e^2/2^{n})\). This positively solves an open question posed in [Khairallah, ePrint 2021/648 (also accepted at FSE 2022)]. For Photon-Beetle, we show an attack using \(q_e\) encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is \(O(q_e^2/2^{b})\) for a b-bit block permutation, which is significantly larger than what the claimed bound indicates, since that bound is independent of the number of encryption queries. We also show a simple tag-guessing attack that violates the INT-CTXT bound when the rate \(r=32\). Then, we analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers [Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint 2019/1475]. As a side result of our security analysis of Photon-Beetle, we point out that a simple and efficient forgery attack is possible in the related-key setting.
We emphasize that our results do not contradict the claimed “bit security” in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is \((n/2 - \log n)\)-bit secure for \(n=128\), and Photon-Beetle is \((b/2 - \log b/2)\)-bit secure for \(b=256\) and \(r=128\), where r is the rate. We also note that security against related-key attacks is not included in the security requirements of NIST LwC, and is not claimed by the designers.
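The following worked comparison is added here and is not part of the paper's abstract; it only uses the quantities stated above (constants hidden by the \(O(\cdot)\) notation are ignored) to show why an attack can exceed a claimed bound without contradicting the claimed bit security. For an n-bit block and \(q_e < 2^{n/2}\), write \(x = q_e/2^{n/2} \in (0,1)\). Then

\[
\frac{q_e^2}{2^{n}} = \left(\frac{q_e}{2^{n/2}}\right)^{2} = x^{2} < x = \frac{q_e}{2^{n/2}},
\]

so the GIFT-COFB attack's success probability \(O(q_e/2^{n/2})\) is larger than the claimed term \(O(q_e^2/2^{n})\) for every \(q_e\) below the birthday bound. For instance, with \(n=128\) and \(q_e = 2^{32}\) the attack term is \(2^{32}/2^{64} = 2^{-32}\) whereas the claimed term is \(2^{64}/2^{128} = 2^{-64}\). The attack nevertheless needs \(q_e = \Theta(2^{n/2})\) queries to reach a constant success probability, which does not fall below the \((n/2 - \log n)\)-bit level claimed for \(n=128\). Likewise, for Photon-Beetle with \(b=256\) the attack term \(O(q_e^2/2^{b})\) becomes constant only around \(q_e \approx 2^{b/2} = 2^{128}\), consistent with the \((b/2 - \log b/2)\)-bit claim, while a bound that does not depend on \(q_e\) cannot account for a term that grows with \(q_e\).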
Notes
- 1.
- 2. Following the literature (e.g., [28]), we conventionally refer to it as privacy, but in practice, it may be more intuitive to call it confidentiality.
- 3. We do not know the difference between \(\sigma\) and \(\sigma_e\).
References
Information technology - Security techniques - Lightweight cryptography - Part 5: Hash-functions. ISO/IEC 29192-5:2016 (2016)
Banik, S., et al.: GIFT-COFB. Cryptology ePrint Archive, Report 2020/738 (2020). https://ia.cr/2020/738
Banik, S., et al.: GIFT-COFB v1.1. A submission to the NIST lightweight cryptography standardization process (2021). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/gift-cofb-spec-final.pdf
Banik, S., Maitra, S., Sarkar, S., Meltem Sönmez, T.: A chosen IV related key attack on grain-128a. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 13–26. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39059-3_2
Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16
Bao, Z., et al.: PHOTON-beetle authenticated encryption and hash family. A submission to the NIST lightweight cryptography standardization process (2021). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/photon-beetle-spec-final.pdf
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_31
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41
Biham, E.: New types of cryptanalytic attacks using related keys. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 398–409. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_34
Biryukov, C.B.A., et al.: SPARKLE (SCHWAEMM and ESCH). A submission to the NIST lightweight cryptography standardization process (2021). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/sparkle-spec-final.pdf
Chakraborti, A., Datta, N., Nandi, M., Yasuda, K.: Beetle family of lightweight and secure authenticated encryption ciphers. IACR TCHES 2018(2), 218–241 (2018). https://doi.org/10.13154/tches.v2018.i2.218-241, https://tches.iacr.org/index.php/TCHES/article/view/881
Chakraborti, A., Datta, N., Nandi, M., Yasuda, K.: Beetle family of lightweight and secure authenticated encryption ciphers. Cryptology ePrint Archive, Report 2018/805 (2018). https://eprint.iacr.org/2018/805
Chakraborti, A., Iwata, T., Minematsu, K., Nandi, M.: Blockcipher-based authenticated encryption: how small can we go? In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 277–298. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_14
Chakraborti, A., Iwata, T., Minematsu, K., Nandi, M.: Blockcipher-based authenticated encryption: how small can we go? J. Cryptol. 33(3), 703–741 (2019). https://doi.org/10.1007/s00145-019-09325-z
Chakraborty, B., Jha, A., Nandi, M.: On the security of sponge-type authenticated encryption modes. Cryptology ePrint Archive, Report 2019/1475 (2019). https://eprint.iacr.org/2019/1475
Chakraborty, B., Jha, A., Nandi, M.: On the security of sponge-type authenticated encryption modes. IACR Trans. Symmetric Cryptol. 2020(2), 93–119 (2020). https://doi.org/10.13154/tosc.v2020.i2.93-119
Dobraunig, C., Eichlseder, M., Mendel, F.: Related-key forgeries for Prøst-OTR. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 282–296. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_14
Dobraunig, C., Mennink, B.: Key recovery attack on PHOTON-Beetle. OFFICIAL COMMENT: PHOTON-Beetle (2020). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/official-comments/photon-beetle-round2-official-comment.pdf
Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_13
Inoue, A., Minematsu, K.: GIFT-COFB is tightly birthday secure with encryption queries. Cryptology ePrint Archive, Report 2021/737 (2021). https://ia.cr/2021/737
Khairallah, M.: Weak keys in the rekeying paradigm: Application to COMET and mixFeed. IACR Trans. Symmetric Cryptol. 2019(4), 272–289 (2019). https://doi.org/10.13154/tosc.v2019.i4.272-289
Khairallah, M.: Observations on the tightness of the security bounds of GIFT-COFB and HyENA. Cryptology ePrint Archive, Report 2020/1463 (2020). https://eprint.iacr.org/2020/1463
Khairallah, M.: Security of COFB against chosen ciphertext attacks. Cryptology ePrint Archive, Report 2021/648 (2021). https://eprint.iacr.org/2021/648 (also accepted at FSE 2022)
Lee, Y., Jeong, K., Sung, J., Hong, S.: Related-key chosen IV attacks on Grain-v1 and Grain-128. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 321–335. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_24
Lu, X., Li, B., Jia, D.: KDM-CCA security from RKA secure authenticated encryption. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 559–583. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_22
Lucks, S.: Ciphers secure against related-key attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 359–370. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_23
Mège, A.: OFFICIAL COMMENT: PHOTON-Beetle (2021). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/official-comments/photon-beetle-round2-official-comment.pdf
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23
A Specifications of \(\textsf {GIFT\text {-}COFB}\) and \(\textsf {Photon\text {-}Beetle}\)
© 2022 Springer Nature Switzerland AG
Cite this paper
Inoue, A., Iwata, T., Minematsu, K. (2022). Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle. In: Ateniese, G., Venturi, D. (eds) Applied Cryptography and Network Security. ACNS 2022. Lecture Notes in Computer Science, vol 13269. Springer, Cham. https://doi.org/10.1007/978-3-031-09234-3_4
DOI: https://doi.org/10.1007/978-3-031-09234-3_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09233-6
Online ISBN: 978-3-031-09234-3
eBook Packages: Computer Science (R0)