Paper 2020/698

Forgery attack on the authentication encryption GIFT-COFB

Zhe CEN, Xiutao FENG, Zhangyi Wang, and Chunping CAO

Abstract

GIFT-COFB is one of the round 2 candidate algorithms of NIST lightweight cryptography. In this paper we present a forgery attack on GIFT-COFB. In our attack, the block cipher GIFT is viewed as a block box, and for an arbitrary ciphertext $(C,T)$ with at least twice the block length of GIFT-COFB, if an attacker knows arbitrary two successive blocks of message $M$ corresponding to $C$, he/she can forge infinite new valid ciphertexts $(C^{\prime },T^{\prime })$ such that for each $(C^{\prime },T^{\prime })$, there exists a plaintext $M^{\prime }$ satisfying $(C^{\prime },T^{\prime })$=GIFT-COFB($M^{\prime }$). The above result shows that GIFT-COFB can not resist against the forgery attack.

Note: In our attack the value of the variable $$ is viewed to be known, but it is unknown indeed since the block length of the associated data AD after padding is at least one. We only know $$ not $$ under known plaintext attacks when the associate data is empty. Though we can guess the value of $$ directly with complexity $$, it does not downgrade the security of GIFT-COFB in the sense of IND-CPA. So our forgery attack is invalid for GIFT-COFB.