Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle

May 11, 2022


Tetsu Iwata - Nagoya University


We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict their claimed bounds in their final round specification documents. For GIFT-COFB, we show an attack using $q_e$ encryption queries and no decryption query to break privacy (IND-CPA). The success probability is $O(q_e/2^{n/2})$ for $n$-bit block while the claimed bound contains $O(q_e^2/2^n)$. This positively solves an open question posed in [Khairallah, ePrint 2021/648 (also accepted at FSE 2022)]. For Photon-Beetle, we show an attack using $q_e$ encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is $O(q_e^2/2^b)$ for a $b$-bit block permutation, and it is significantly larger than what the claimed bound tells, which is independent of the number of encryption queries. We also show a simple tag guessing attack that violates the INT-CTXT bound when the rate $r = 32$. Then, we analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers [Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint 2019/1475]. As a side result of our security analysis of Photon-Beetle, we point out that a simple and efficient forgery attack is possible in the related-key setting. We emphasize that our results do not contradict the claimed “bit security” in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is $(n/2 - \log n)$-bit secure for $n = 128$, and Photon-Beetle is $(b/2 - \log b/2)$-bit secure for $b = 256$ and $r = 128$, where $r$ is a rate. We also note that the security against related-key attacks is not included in the security requirements of NIST LwC, and is not claimed by the designers.

Presented at

LWC Workshop 2022

Related Topics

Security and Privacy: cryptography

Created May 05, 2022, Updated May 12, 2022