**Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle**

*Akiko Inoue and Tetsu Iwata and Kazuhiko Minematsu*

**Abstract: **We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict their claimed bounds in their final round specification documents.
For GIFT-COFB, we show an attack using $q_e$ encryption queries and no decryption query to break privacy (IND-CPA). The success probability is $O(q_e/2^{n/2})$ for $n$-bit block while the claimed bound contains $O(q^2_e/2^{n})$. This positively solves an open question posed in~[Khairallah, ePrint~2021/648 (also accepted at FSE~2022)].
For Photon-Beetle, we show an attack using $q_e$ encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is $O(q^2_e/2^{b})$ for a $b$-bit block permutation, and it is significantly larger than what the claimed bound tells,
which is independent of the number of encryption queries.
We also show a simple tag guessing attack that violates the INT-CTXT bound when the rate $r=32$.
Then, we analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers~[Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint~2019/1475].
As a side result of our security analysis of Photon-Beetle,
we point out that a simple and efficient forgery attack is possible in the related-key setting.

We emphasize that our results do not contradict the claimed ``bit security'' in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is $(n/2 - \log n)$-bit secure for $n=128$, and Photon-Beetle is $(b/2 - \log b/2)$-bit secure for $b=256$ and $r=128$, where $r$ is a rate. We also note that the security against related-key attacks is not included in the security requirements of NIST LwC, and is not claimed by the designers.

**Category / Keywords: **secret-key cryptography / Authenticated encryption, NIST Lightweight Cryptography, GIFT-COFB, Photon-Beetle

**Original Publication**** (in the same form): **ACNS 2022

**Date: **received 31 Dec 2021, last revised 30 Mar 2022

**Contact author: **a_inoue at nec com, tetsu iwata at nagoya-u jp, k-minematsu at nec com

**Available format(s): **PDF | BibTeX Citation

**Version: **20220330:074756 (All versions of this report)

**Short URL: **ia.cr/2022/001

[ Cryptology ePrint archive ]