Paper 2020/698
Forgery attack on the authentication encryption GIFT-COFB
Zhe CEN, Xiutao FENG, Zhangyi Wang, and Chunping CAO
Abstract
GIFT-COFB is one of the round 2 candidate algorithms of NIST lightweight cryptography. In this paper we present a forgery attack on GIFT-COFB. In our attack, the block cipher GIFT is viewed as a black box, and for an arbitrary ciphertext $(C, T)$ whose length is at least twice the block length of GIFT-COFB, if an attacker knows any two successive blocks of the message $M$ corresponding to $C$, he/she can forge infinitely many new valid ciphertexts $(C', T')$ such that for each $(C', T')$, there exists a plaintext $M'$ satisfying $(C', T')$ = GIFT-COFB($M'$). The above result shows that GIFT-COFB cannot resist the forgery attack.
Note: In our attack the value of the variable $L$ is assumed to be known, but it is in fact unknown, since the block length of the associated data AD after padding is at least one. We only know $Y[1]$, not $Y[0]$, under known-plaintext attacks when the associated data is empty. Though we can guess the value of $L$ directly with complexity $2^{64}$, it does not downgrade the security of GIFT-COFB in the sense of IND-CPA. So our forgery attack is invalid for GIFT-COFB.
Metadata
- Available format(s)
- -- withdrawn --
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- Lightweight cryptography, GIFT-COFB, forgery attack
- Contact author(s)
- fengxt @ amss ac cn
- History
- 2020-06-16: withdrawn
- 2020-06-10: received
- Short URL
- https://ia.cr/2020/698
- License
- CC BY