## Cryptology ePrint Archive: Report 2020/698

Forgery attack on the authentication encryption GIFT-COFB

Zhe CEN and Xiutao FENG and Zhangyi Wang and Chunping CAO

Abstract: GIFT-COFB is one of the round 2 candidate algorithms of NIST lightweight cryptography. In this paper we present a forgery attack on GIFT-COFB. In our attack, the block cipher GIFT is viewed as a block box, and for an arbitrary ciphertext $(C, T)$ with at least twice the block length of GIFT-COFB, if an attacker knows arbitrary two successive blocks of message $M$ corresponding to $C$, he/she can forge infinite new valid ciphertexts $(C', T')$ such that for each $(C', T')$, there exists a plaintext $M'$ satisfying $(C', T')$=GIFT-COFB($M'$). The above result shows that GIFT-COFB can not resist against the forgery attack.

Category / Keywords: secret-key cryptography / Lightweight cryptography, GIFT-COFB, forgery attack

Date: received 10 Jun 2020, withdrawn 15 Jun 2020

Contact author: fengxt at amss ac cn

Available format(s): (-- withdrawn --)

Note: In our attack the value of the variable $L$ is viewed to be known, but it is unknown indeed since the block length of the associated data AD after padding is at least one. We only know $Y[1]$ not $Y[0]$ under known plaintext attacks when the associate data is empty. Though we can guess the value of $L$ directly with complexity $2^64$, it does not downgrade the security of GIFT-COFB in the sense of IND-CPA. So our forgery attack is invalid for GIFT-COFB.

Short URL: ia.cr/2020/698

[ Cryptology ePrint archive ]