Abstract

In ToSC 2021(2), Sun et al. implemented an automatic search with the Boolean satisfiability problem (SAT) method on GIFT-128 and identified a 19-round linear approximation with an expected linear potential of $2^{-117.43}$, which is utilised to launch a 24-round attack on the cipher. In this addendum, we discover a new 19-round linear approximation with a lower expected linear potential. However, in the attack, one more round can be appended after the distinguisher. As a result, we improve the previous optimal linear attack by one round and put forward a 25-round linear attack. Given that the optimal differential attack on GIFT-128, for now, covers 27 rounds, the resistances of the cipher against differential and linear attacks still have a 2-round gap.

Highlights

  • In [SWW21], Sun et al. conducted linear cryptanalyses on three Authenticated Encryptions with Associated Data (AEADs) with GIFT-128 [BPP+17] as the underlying primitive, and on the block cipher itself

  • The dominating trail in the 19-round linear approximation is an optimal trail with the maximum correlation $2^{-59}$

  • We notice that the dominating trails utilised in the attacks on the three AEADs do not possess the maximum correlation, and the authors mentioned that the optimal 10-round trails could not lead to good performance in the key-recovery attacks

Summary

Introduction

In [SWW21], Sun et al. conducted linear cryptanalyses on three Authenticated Encryptions with Associated Data (AEADs) with GIFT-128 [BPP+17] as the underlying primitive, and on the block cipher itself. The time complexity of this step is equal to N 25-round encryptions. The dominant time complexity is N memory accesses to a table with $2^{96}$ elements. For the case in S1, the dominant time complexity of this step is $2^{96} \cdot 2^{19} = 2^{115}$ memory accesses to a table with $2^{65}$ elements. The dominant time complexity of this step is $2^{65} \cdot 2^{19} \cdot 2^{24} = 2^{108}$ memory accesses to a table with $2^{33}$ elements. Complexity Analysis. We set the advantage of the attack as a = 2.2 and the number of plaintext-ciphertext pairs N as $2^{124.75}$. Following the idea in [SN14], we regard one memory access to the largest counter C1[z1] as one 25-round encryption. The time complexity of the attack is about $2^{126.77}$ 25-round encryptions. The success probability is 75%, the data requirement is $2^{125.75}$, the time complexity is $2^{127.77}$, and the memory complexity is still $2^{96}$.
