Abstract

COFB is a lightweight Authenticated Encryption with Associated Data (AEAD) mode based on block ciphers. It was proposed in CHES 2017 and is the basis for GIFT-COFB, a finalist in the NIST lightweight standardization project. It comes with provable security results that guarantee its security up to the birthday bound in the nonce-respecting model. However, the designers offer multiple versions of the analysis with different details, and the implications of attacks against the scheme are not discussed deeply. In this article, we look at a group of possible forgery and privacy attacks against COFB. We show that the security for both forgery and privacy is bounded by the number of forgery attempts. We show the existence of forgery and privacy attacks with success probability $q_d/2^{n/2}$, given $q_d$ forgery attempts. In particular, we show an attack with $2^{n/2}$ attempts using only a single known-plaintext encryption query against COFB. While these attacks do not contradict the claims made by the designers of GIFT-COFB, they show its limitations in terms of the number of forgery attempts. They also show that, while COFB generates a 128-bit tag, it behaves in a very similar manner to an AEAD scheme with a 64-bit tag. As a result of independent interest, our analysis provides a contradiction to the main theorem of Journal of Cryptology volume 33, pages 703–741 (2020), which includes an improved security proof of COFB compared to the CHES 2017 version. Finally, we discuss the term $n q_d/2^{n/2}$ that appears in the security proof of GIFT-COFB and CHES 2017, showing why there is a security gap between the provable results and the attacks. We emphasize that the results in this article do not threaten the security of GIFT-COFB in the scope of the NIST lightweight cryptography requirements or the claims made by the designers in the specification document of the design.

Highlights

  • Lightweight cryptography is the field of cryptology that deals with designing algorithms with a small footprint or low computational complexity targeted towards constrained devices, e.g., micro-controllers and low area/power integrated circuits.

  • The attacks presented in this article show that the attack complexity against COmbined FeedBack (COFB) is mainly dominated by the mask size, i.e., an instance of COFB with mask size $\zeta$ can be attacked for both privacy and integrity with advantage of the form $q_d/2^{\zeta}$. Besides, the existence of attacks that are bounded by the birthday bound for the number of encryption queries is well-established: for privacy through attacks on the Pseudo-Random Permutation (PRP)-Pseudo-Random Function (PRF) switching, and for integrity through the work of Inoue and Minematsu [IM21], which shows forgery attacks with advantage $\sigma_e^2/2^n$. With the accumulation of these results, we find it reasonable to set the tag size $\tau = \zeta$.

  • We have analyzed the COFB algorithm, showing that it is secure against IND$-CCA (indistinguishability from random under chosen-ciphertext attack) adversaries for at most up to $2^{n/2}$ forgery attempts.

Summary

Introduction

Lightweight cryptography is the field of cryptology that deals with designing algorithms with a small footprint or low computational complexity targeted towards constrained devices, e.g., micro-controllers and low area/power integrated circuits. Over the past few years, the National Institute of Standards and Technology (NIST), USA, has been running a lightweight cryptography standardization project. One of the categories of the project called for Authenticated Encryption with Associated Data (AEAD) algorithms where the amount of data that can be processed under one key is at least $2^{50} - 1$ bytes and the cryptanalytic attacks against the algorithms are of at least $2^{112}$ computational complexity [nis18]. In March 2021, 10 proposals were announced as finalists. Among these candidates, GIFT-COFB [BCI+20] is a block cipher-based proposal and will be the focus of this article.
