## Cryptology ePrint Archive: Report 2022/001

Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle

Akiko Inoue and Tetsu Iwata and Kazuhiko Minematsu

Abstract: We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict their claimed bounds in their final round specification documents. For GIFT-COFB, we show an attack using $q_e$ encryption queries and no decryption query to break privacy (IND-CPA). The success probability is $O(q_e/2^{n/2})$ for an $n$-bit block, while the claimed bound contains $O(q^2_e/2^{n})$. This positively solves an open question posed in~[Khairallah, ePrint~2021/648]. For Photon-Beetle, we show attacks using $q_e$ encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is $O(q^2_e/2^{b})$ for a $b$-bit block permutation, and it is significantly larger than what the claimed bound indicates. We also analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers~[Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint~2019/1475].

We emphasize that our results do not contradict the claimed "bit security" in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is $(n/2 - \log n)$-bit secure for $n=128$, and Photon-Beetle is $(b/2 - \log b/2)$-bit secure for $b=256$ and $r=128$, where $r$ is the rate.

Category / Keywords: secret-key cryptography / Authenticated encryption, NIST Lightweight Cryptography, GIFT-COFB, Photon-Beetle

Date: received 31 Dec 2021, last revised 31 Dec 2021

Contact author: a_inoue at nec com, tetsu iwata at nagoya-u jp, k-minematsu at nec com

Short URL: ia.cr/2022/001