Security of COFB against chosen ciphertext attacks

COFB is a lightweight Authenticated Encryption with Associated Data (AEAD) mode based on block ciphers. It was proposed in CHES 2017 and is the basis for GIFT-COFB, a finalist in the NIST lightweight standardization project. It comes with provable security results that guarantee its security up to the birthday bound in the nonce-respecting model. However, the designers offer multiple versions of the analysis with different details, and the implications of attacks against the scheme are not discussed deeply. In this article, we look at a group of possible forgery and privacy attacks against COFB. We show that the security for both forgery and privacy is bounded by the number of forgery attempts. We show the existence of forgery and privacy attacks with success probability $q_d/2^{n/2}$, given $q_d$ forgery attempts. In particular, we show an attack with $2^{n/2}$ attempts using only a single known-plaintext encryption query against COFB. While these attacks do not contradict the claims made by the designers of GIFT-COFB, they show its limitations in terms of the number of forgery attempts. They also show that, while COFB generates a 128-bit tag, it behaves in a very similar manner to an AEAD scheme with a 64-bit tag. As a result of independent interest, our analysis provides a contradiction to the main theorem of Journal of Cryptology volume 33, pages 703–741 (2020), which includes an improved security proof of COFB compared to the CHES 2017 version. Finally, we discuss the term $n q_d/2^{n/2}$ that appears in the security proof of GIFT-COFB and CHES 2017, showing why there is a security gap between the provable results and the attacks. We emphasize that the results in this article do not threaten the security of GIFT-COFB in the scope of the NIST lightweight cryptography requirements or the claims made by the designers in the specification document of the design.

Bibliographic Details
Main Author: Khairallah, Mustafa
Other Authors: School of Physical and Mathematical Sciences
Format: Article
Language: English
Published: 2022
Subjects: Science::Mathematics; Block Cipher; Authenticated Encryption
Online Access:https://hdl.handle.net/10356/160509
Institution: Nanyang Technological University
Citation: Khairallah, M. (2022). Security of COFB against chosen ciphertext attacks. IACR Transactions on Symmetric Cryptology, 2022(1), 138-157. https://dx.doi.org/10.46586/TOSC.V2022.I1.138-157
DOI: 10.46586/TOSC.V2022.I1.138-157
ISSN: 2519-173X
Scopus ID: 2-s2.0-85129833707
Version: Published version
Date available: 2022-07-26
Funding: This work was funded under the MALEC project, Temasek Laboratories NTU grant DSOCL17101.
Rights: © 2022 Mustafa Khairallah. This work is licensed under a Creative Commons Attribution 4.0 International License.
File format: application/pdf
Collection: DR-NTU, NTU Library