Cryptology ePrint Archive: Report 2020/1463

Observations on the Tightness of the Security Bounds of GIFT-COFB and HyENA

Mustafa Khairallah

Abstract: In this article, we analyze and investigate two authenticated encryption algorithms: GIFT-COFB and HyENA. The two modes differ in some low-level details of both the design and the security proofs. However, they share a lot of similarities. We take a look at the best-known attacks and security proofs of these designs. First, we show that the best-known attack does not match the security bounds provided by the designers in the security proof. Second, we give a new attack that we characterize as an "almost matching" attack. It is significantly closer to the provable security bounds. The new attack requires $O(2^{n/4})$ encryptions and $O(2^{n/2})$ decryptions, as opposed to the $O(2^{n/2})$ encryptions and $O(2^{n/2})$ decryptions shown previously. However, there is still a substantial logarithmic gap between this attack and the corresponding security bound. Next, we analyze why this gap still exists and why matching attacks are unlikely to be found. We give two arguments. The first argument analyzes the security proof and shows how it masks a term with non-negligible encryption complexity. The second argument takes the attacker's point of view. A successful attack requires satisfying a non-trivial linear equation over secret random variables. Satisfying such an equation requires more decryption queries than the security proof allows. It is worth emphasizing that the analysis and attacks presented in this paper do not threaten the security claims made by the designers or the security of these designs within the parameters required by the NIST lightweight cryptography project. The results increase confidence in the security claims of GIFT-COFB and HyENA while showing their limitations by relying mostly on bounding the number of unsuccessful forgeries.

Category / Keywords: secret-key cryptography / authenticated encryption and cofb and hyena and nist and forgery and AEAD and multi-collisions

Date: received 19 Nov 2020, last revised 19 Nov 2020

Contact author: mustafam001 at e ntu edu sg


Version: 20201124:112746

Short URL: ia.cr/2020/1463

