Please use this identifier to cite or link to this item:
Title: Security of COFB against chosen ciphertext attacks
Authors: Khairallah, Mustafa
Keywords: Science::Mathematics
Issue Date: 2022
Source: Khairallah, M. (2022). Security of COFB against chosen ciphertext attacks. IACR Transactions On Symmetric Cryptology, 2022(1), 138-157.
Project: DSOCL17101
Journal: IACR Transactions on Symmetric Cryptology
Abstract: COFB is a lightweight Authenticated Encryption with Associated Data (AEAD) mode based on block ciphers. It was proposed in CHES 2017 and is the basis for GIFT-COFB, a finalist in the NIST lightweight standardization project. It comes with provable security results that guarantee its security up to the birthday bound in the nonce-respecting model. However, the designers offer multiple versions of the analysis with different details and the implications of attacks against the scheme are not discussed deeply. In this article, we look at a group of possible forgery and privacy attacks against COFB. We show that the security for both forgery and privacy is bounded by the number of forgery attempts. We show the existence of forgery and privacy attacks with success probability qd/2n/2, given qd forgery attempts. In particular, we show an attack with 2n/2 attempts using only a single known-plaintext encryption query against COFB. While these attacks do not contradict the claims made by the designers of GIFT-COFB, they show its limitations in terms of the number of forgery attempts. They also show that, while COFB generates a 128-bit tag, it behaves in a very similar manner to an AEAD scheme with 64-bit tag. As a result of independent interest, our analysis provides a contradiction to the main theorem of Journal of Cryptology volume 33, pages 703–741 (2020), which includes an improved security proof of COFB compared to the CHES 2017 version. Finally, we discuss the term nqd/2n/2 that appears in the security proof of GIFT-COFB and CHES 2017, showing why there is a security gap between the provable results and the attacks. We emphasize that the results in this article do not threaten the security of GIFT-COFB in the scope of the NIST lightweight cryptography requirements or the claims made by the designers in the specification document of the design.
ISSN: 2519-173X
DOI: 10.46586/TOSC.V2022.I1.138-157
Schools: School of Physical and Mathematical Sciences 
Rights: © 2022 Mustafa Khairallah. This work is licensed under a Creative Commons Attribution 4.0 International License.
Fulltext Permission: open
Fulltext Availability: With Fulltext
Appears in Collections:SPMS Journal Articles

Files in This Item:
File Description SizeFormat 
ToSC2022_1_06.pdf581.46 kBAdobe PDFThumbnail

Citations 50

Updated on Sep 22, 2023

Web of ScienceTM
Citations 50

Updated on Sep 20, 2023

Page view(s)

Updated on Sep 23, 2023


Updated on Sep 23, 2023

Google ScholarTM




Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.