**Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle**

*Akiko Inoue and Tetsu Iwata and Kazuhiko Minematsu*

**Abstract:** We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict their claimed bounds in their final round specification documents.
For GIFT-COFB, we show an attack using $q_e$ encryption queries and no decryption query to break privacy (IND-CPA). The success probability is $O(q_e/2^{n/2})$ for an $n$-bit block, while the claimed bound contains $O(q^2_e/2^{n})$. This positively solves an open question posed in [Khairallah, ePrint 2021/648]. For Photon-Beetle, we show attacks using $q_e$ encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is $O(q^2_e/2^{b})$ for a $b$-bit block permutation, which is significantly larger than what the claimed bound indicates. We also analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers [Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint 2019/1475].

We emphasize that our results do not contradict the claimed "bit security" in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is $(n/2 - \log n)$-bit secure for $n=128$, and Photon-Beetle is $(b/2 - \log b/2)$-bit secure for $b=256$ and $r=128$, where $r$ is the rate.

**Category / Keywords:** secret-key cryptography / Authenticated encryption, NIST Lightweight Cryptography, GIFT-COFB, Photon-Beetle

**Date:** received 31 Dec 2021, last revised 31 Dec 2021

**Contact author:** a_inoue at nec com, tetsu iwata at nagoya-u jp, k-minematsu at nec com

**Version:** 20220101:210438

**Short URL:** ia.cr/2022/001

[ Cryptology ePrint archive ]