GIFT-COFB Authenticated Encryption

GIFT-COFB instantiates the COFB (COmbined FeedBack) block cipher based AEAD mode with the GIFT block cipher.GIFT-COFB primarily focuses on the hardware implementation size. Here, we consider the overhead in size, thus the state memory size beyond the underlying block cipher itself (including the key schedule) is the criteria we want to minimize, which is particularly relevant for hardware implementation. An initial version of GIFT-COFB was presented in [1][2] and this latest version of GIFT-COFB is a minor modification over the original COFB mode.


Features

1. Block cipher based AE mode with high rate but with small memory: GIFT-COFB can be implemented with a very low state size of only 1.5n+k (n be the block cipher state size and k be the key length) as well as it achieves the optimal rate of 1.

2. High Security Bound: Use of combined feedback uplifts the security level. The bound increased to almost birthday bound.

3. Highly Flexible Mode: GIFT-COFB achieves high Flexibility. It is easy to fit any block cipher into this structure. This depicts that, when used with lighter block ciphers, it consumes lower hardware footprints.

4. Inverse-Free: GIFT-COFB is an inverse-free authenticated encryption algorithm. Both encryption and decryption algorithms do not require any decryption call to the underlying block cipher. This significantly reduces the overall hardware footprint in combined encryption-decryption implementations.

5. Low Overhead: Apart from the block cipher call it requires just 5n/2-bit XOR per block of data + 1-bit right rotation of an n/4-bit state , which seems to be a very small overhead.

6. Low number of block cipher calls: GIFT-COFB requires only a+m+1 many primitive invocations to process an a block associateddata and an m block message.

7. Short message Efficiency :  The optimality on the number of calls and low overhead help it to get very high performance for short messages.

GIFT-COFB Specification

GIFT-COFB is a block cipher based AEAD design that uses GIFT-128 as the underlying blockcipher. GIFT-COFB receives an (1) 128-bit encryption key K, (2) an 128-bit nonce N, (3) an associated data A of arbitrary length, (4) and a message M of arbitrary length as inputs, and returns a (5) ciphertext C of same length as that of the message, and (6) an 128-bit tag T. Below is the figure for the GIFT-COFB mode.

GIFT-COFB for a associated data blocks and m message blocks

GIFT Block Cipher

In this design, we use the 128-bit block cipher version of GIFT and the details are given in[3].


Recommended Instantiations

We propose a construction GIFT-COFB with the underlying block cipher as the only parameter. The block cipher can be chosen by the following recommendation.

  • n: Length of the block cipher state in bits. The recommended choice is n = 128.
  • τ : Length of the tag in bits. The recommended choice is τ = 128.
  • Block cipher E: The recommended choice of E is the block cipher GIFT-128.
  • Updates

    The versions can be obtained from [14], [15], and [16]
  • First draft: GIFT-COFB v1.0 [pdf] (Submission for the first round)
  • Second Draft: GIFT-COFB v1.0 [pdf] (Submission for the second round, No Change in the specification)
  • Third Draft: GIFT-COFB v1.1 [pdf] (Submission for the final round). No change in GIFT-COFB AE specification. However, the following updates have been added.
        - Performance results and analysis results have been added.
        - A hash function proposal has been been added.
  • Latest Draft: GIFT-COFB v1.2 is available here (v1.2 can be downloaded from this link). Note that, no specification has been changed. Only performance results and third party analyses results have been added, and the security proof has been updated. Akiko Inoue (NEC) joined our team.
  • Rationale

    1. Choice of the Mode: GIFT-COFB is a block cipher based authenticated encryption scheme that uses GIFT-128 as the underlying block cipher and GIFT-COFB can be viewed as an efficient integration of the COFB mode and GIFT-128 block cipher. GIFT-128 maintains an 128-bit state and 128-bit key. To be precise, GIFT is a family of block ciphers parametrized by the state size and the key size and all the members of this family are lightweight and can be efficiently deployed on lightweight applications. COFB mode on the other hand, computes of "COmbined FeedBack" (of block cipher output and data block) to uplift the security level. This actually helps us to design a scheme with low state size and eventually to have a low state implementation. This technique actually resist the attacker to control the input block and next block cipher input simultaneously. Overall, a combination of GIFT and COFB can be considered to be one of the most efficient lightweight, low state block cipher based AEAD construction.

    2. Choice of the block cipher: GIFT is considered to be one of the lightest design existing in the literature. It is denoted as "Small PRESENT" as the design rationale of GIFT follows that of PRESENT[4] . However, GIFT has got rid of several well known weaknesses existing in PRESENT with regards to linear cryptanalysis. Overall GIFT promises much increased efficiency (both lighter and faster) over PRESENT. GIFT is a very simple design that outperforms even SIMON and SKINNY for round based implementations. It consists of very simple operations such that the total hardware footprint is almost consumed by the underlying and the cipher storage. The design is somewhat "optimal" as a weaker S-box (than GIFT S-box) would lead to a weaker design. The linear layer is completely free for a round-based implementation in hardware (consisting of simply bit-wiring) and the constants are generated thanks to a very lightweight LFSR. The key schedule is also very 21 light, simply consisting of shifts.

    Security of GIFT-COFB

    Security claims for GIFT-COFB are summarized in the table below.
    Construction State Size (bits) IND-CPA (bits) INT-CTXT (bits)
    GIFT-COFB 192 (excluding key state) 64 58

    We provide a brief provable security argument for GIFT-COFB namely the security of GIFT-COFB against generic attacks (assuming the underlying block cipher is ideal, i.e. random permutation). The possible attack strategies along with a rough lower bound estimate on the data and time complexity of each strategy is given. In the following discussion:

  • D denotes the total (both encryption and decryption) data complexity. This parameter quantifies the online resource requirements, and includes the total number of blocks (among all messages and associated data) processed through the underlying block cipher for a fixed master key. We use De and Dv to account for the data complexity of encryption and decryption/verification queries.
  • T denotes the time complexity. This parameter quantifies the offline resource requirements, and includes the total time required to process the offline evaluations of the underlying block cipher. Since one call of the block cipher can be assumed to take a constant amount of time, we generally take T as the total number of offline calls to the block cipher.
    • Privacy of GIFT-COFB:
    In privacy attacks the adversary is concerned with distinguishing the GIFT-COFB mode with an ideal authenticated encryption scheme, by exploiting access to the encryption algorithm. In other words, we are interested in the usual IND-CPA security notion. The adversary can distinguish the mode from ideal if there is no randomness in some ciphertext (or tag) blocks. We follow the approach to match two block cipher inputs in the same encryption query or between two different encryption queries (with different nonces). For a pair of distinct encryption query blocks, the internal states matches. Then, the block that appears later will definitely have non-random behavior, though the adversary may not be able to detect it. In any case it is sufficient to bound the occurrence of this event. This is possible in the following ways:

  • Block matching in the Same Encryption Query- If the two blocks belong to the same query, then they must have different indices and hence we can again bound the probability of full state collision by at most De2/2n (for the upper part of the internal state, we have n/2-bit entropy from the second ciphertext block and for the lower part we have n/2-bit entropy from Δ and overall we have De2 internal blocks).
  • Block matching in the Two Different Encryption Queries- In this case, the two blocks belong to different query, in which case the nonce is different, and we can bound the probability of full state collisions, which is roughly De2/2n.
    • Integrity Security of GIFT-COFB:
    Here the adversary has to generate fresh ciphertext-tag pair (not obtained through encryption queries). To obtain a valid forgery, the adversary can take any of the following approaches.

  • Guessing a valid Tag- : The adversary can simply guess the tag in each of the decryption queries. The probability of correct guess is roughly Dv/2n/2.
  • Block matching between an Encryption Query and a Decryption Query- Some decryption query block might match some encryption query block. Now depending upon the type of encryption query block the adversary can have two approaches. In one approach, a decryption block mathches with a nonce queried during encryption queries. More formally, the decryption block matches with the initial internal state for an encryption query. For this case, the probability for this match is bounded by Dv/2n/2. In the other approach the adversary can match a decryption block with a non-initial internal state for an encryption query. The probablity for this match is bounded by n/2Dv/2n/2. The factor n comes from the possibility of n-multicollision in the lower part of the internal state during the encryption queries.
  • Guessing Internal State- : The adversary can simply guess the internal secret mask and tries to forge for each of the guesses. The correct guess will led to a valid forgery. This attack only one encryption query and 2n/2 forging attempts. he probability the probability for a valid forgery is roughly Dv/2n.
  • Detecting Collision in the Secret Mask-: The adversary can detect a collision in the mask between two encryption queries. As the mask size is n/2-bits, we can expect with O(2n/4) encryption queries, the adversary gets two messages encrypted with the same mask. However, the adversary needs to detect this collision by guessing through 2n/2 forgeries (as the probability of the event that the guess for the colliding pair is correct is 2-n/2). simply guess the internal secret mask and tries to forge for each of the guesses. The correct guess will led to a valid forgery. This attack needs 2n/4 encryption queries and 2n/2 forging attempts.
  • Below in Table, we provide the provable security bounds for the GIFT-COFB mode with n = 128 and assuming the adversary is nonce respecting (i.e, the adversary does not repeat nonce during encryption queries under the same key) and the underlying block cipher is a PRP. We remark that the security may even hold when the public nonce value is sampled uniformly at random from the nonce space for each encryption query. The table below summerizes the security claims for GIFT-COFB. The data and time limits indicate the amount of data and time required to make the attack advantage close to 1.

    The security analyses details of GIFT-128 are provided in Section 4 of [6]. Here we highlight several other previous third party cryptanalyses.

    Previous Third Party Security Analyses of GIFT:

  • Differential cryptanalysis: Zhu et al. applied the mixed-integer-linear-programming based differential characteristic search method for GIFT-128 and found an 18-round differential characteristic with probability 2-109 [8] , which was further extended to a 23-round key recovery attack with complexity (Data, T ime, Memory) = (2120, 2120, 280). We expect that full (40) rounds are secure against differential cryptanalysis.
  • Linear cryptanalysis: GIFT-128 has a 9-round linear hull effect of 2-45.99, which means that we would need around 27 rounds to achieve correlation potentially lower than 2-128. Therefore, we expect that 40-round GIFT-128 is enough to resist against linear cryptanalysis.
  • Integral attacks: The lightweight 4-bit S-box in GIFT may allow efficient integral attacks. The bit-based division property is evaluated against GIFT128 by the designers, which detected a 11-round integral distinguisher.
  • Meet-in-the-middle attacks: Meet-in-the-middle attack exploits the property that a part of key does not appear during a certain number of rounds. The designers and the follow-up work by Sasaki[7] showed the attack against 15-rounds of GIFT-64 and mentioned the difficulty of applying it to GIFT-128 because of the larger ratio of the number of subkey bits to the entire key bits per round; each round uses 32 bits and 64 bits of keys per round in GIFT-64 and GIFT-128, respectively, while the entire key size is 128 bits for both.
  • Latest Third Party Security Analyses of GIFT: Regarding GIFT-128 block cipher, several third-party security evaluations have continued to be published. With respect to linear attacks, the number of attacked rounds has increased significantly, but this does not change the fact that differential cryptanalysis remains more effective against GIFT-128. These attacks were discovered using automated evaluation tools and research on more efficient tools for the GIFT network have also been presented[17]. No progress has been made on differential cryptanalysis, and no new (unknown) cryptanalysis method has been discovered. This is a strong evidence of the reliability of GIFT-128. We give below some comments on a few references.

  • Sun et al.[19] and its addendum [18] detected a 25-round linear cryptanalysis against GIFT-128. An attack taking into account the AEAD restrictions was also proposed, which recovers the key of GIFT-COFB if the primitive is reduced to 16 rounds. Note that differential cryptanalysis still works better on GIFT for the moment.
  • Cui et al. proposed a 20-round linear cryptanalysis against GIFT-128 [20], which only works for a smaller number of rounds than previous results.
  • The work by Khalesi and Ahmadian searches for minimum data complexity of the integral distinguisher[21]. Regarding GIFT-128, it confirms that the previously known result is actually the best.
  • The paper by Hu et al.[22] proves the non-existence of impossible differential with one active superbox in both ends for 8-round reduced GIFT-128.
  • The paper by Anubhab Baksi [23] presents the optimal linear bounds for 11 and 12 rounds of GIFT-128, extending from the best-known result on 10- rounds.
  • Zong et al. [33] applied their linear cryptanalysis to mount the key-recovery attack on the reduced-round variant of GIFT-COFB, in which the number of rounds of GIFT is reduced to 15 rounds. The attack complexity is (T ime, Data, Memory) = (290.7, 262, 296). Note that the number of attacked rounds is significantly smaller than that of GIFT, because of the limited degrees of freedom for the attacker to set the active bit positions. Also note that Zong et al. [33] show that the similar attack can be mounted on SUNDAE-GIFT up to 16 rounds, 1 round longer than GIFT-COFB because of the difference of the bit-positions to extract the key stream. This illustrates the validity of GIFT-COFB on the bit-positions of extracting the key stream.
  • We recall that GIFT-128 has 40 rounds, while the best known attack can only reach 27 rounds (which does not apply to GIFT-COFB due to the data limitation, etc.). This leaves a very ample security margin.

    Below, we summerize all the existing attacks against GIFT.In the Table below, Rounds with asterisk (*) are optimal results. SK – single-key, RK – related-key, LC – linear cryptanalysis, DC – differential cryptanalysis. All the other references of the attacks are available in Table 1 of [5].

    Setting

    Rounds

    Approach

    Prob.

    Time

    Data

    Mem.
    Distinguisher
    SK 11 Integral 1 - 2127 -
    SK 11* Integral 1 - 2127 -
    SK 9* LC 2-44
    - - -
    SK 10* LC 2-52 - - -
    SK 15 LC 2-109 - - -
    SK 16 LC 2-122 - - -
    SK
    19 LC 2-117.43 - - -
    SK 19 LC 2-123.11 - - -
    SK 9* DC 2-45.4 - - -
    SK 10* DC 2-49.4 - - -
    SK 11* DC 2-54.4 - - -
    SK 12* DC 2-60.4 - - -
    SK 13* DC 2-67.8 - - -
    SK 14* DC 2-79 - - -
    SK 15* DC 2-85.415 - - -
    SK 16* DC 2-90.415 - - -
    SK 17* DC 2-96.415 - - -
    SK 18 DC 2-109 - - -
    SK 18* DC 2-103.415 - - -
    SK 19 DC 2-110.83 - - -
    SK 20 DC 2-121.415 - - -
    SK 20 DC 2-120.245 - - -
    SK 20 DC 2-121.813 - - -
    SK 21 DC 2-126.4 - - -
    RK 7 DC 2-15.83 - - -
    RK 10 DC 2-72.66 - - -
    RK 19 Boomerang 2-121.2 - - -
    RK 19 Boomerang 2-109.626 - - -
    Key Recovery
    SK 20 LC - 2112.28 2126 265
    SK 22 LC - 2117 2117 278
    SK 24 LC - 2124.45 2122.55 2105
    SK 25 LC - 2124.75 2126.77 296
    SK 22 DC - 2114 2114 253
    SK 26 DC - 2124.415 2109 2109
    SK 26 DC - 2123.245 2123.245 2109
    SK 27 DC - 2124.83 2123.53 280
    RK 21 Boomerang - 2126.6 2126.6 2126.6
    RK 22 Boomerang - 2112.63 2112.63 2112.63
    RK 23 Rectangle - 2126.89 2112.31 2121.31
    Third Party and Internal Provable Security Analyses of GIFT-COFB:

    The provable security aspects of GIFT-COFB and its variants have been studied and updated since the last revision of our specification document. We list the relevant works below.

  • Khairallah in 2019 [34] a forgery attack against GIFT-COFB that makes O(2n/2) encryption queries and O(2n/2) decryption queries in a single key setting is presented. An analysis in the multi-key setting is also presented. This work was later improved in [35] to a forgery attack that makes O(2n/4) encryption queries and O(2n/2) decryption queries.
  • There was a paper [36] posted on Cryptology ePrint Archive 2020/698 claiming forgery attack on GIFT-COFB, but we have contacted and clarified with the authors that the attack is invalid due to an oversight of the GIFT-COFB specification and the authors have since been withdrawn their paper.
  • Khairallah [24] (ToSC 2022) presented an attack against a version of COFB mode shown in Journal of Cryptology [2] . Due to the difference in the modes, the presented attack is not applicable to GIFT-COFB.
  • As an internal security evaluation of GIFT-COFB, Inoue, Iwata and Minematsu (IIM22, ACNS 2022 and NIST LWC workshop 2022) [25] [26] showed an attack that has a higher success probability than claimed. Their attack does not break the claimed bit security. A revised version of the proof (and the bound) maintaining the original bit security was presented in[27].
  • Liu et al. [28] presented fault/side-channel attacks against unprotected implementation of GIFT-COFB.
  • Reshma et al. [29] showed neural network-based distinguishers on reduced GIFT-COFB. The attack is very weak, as it only distinguishes between 2 and 6 rounds of GIFT-COFB’s ciphertext from random data.
  • Third Party Analyses of GIFT-COFB from Various Viewpoints:

    In addition to conventional cryptanalyses, GIFT-COFB receives third-party evaluation from different viewpoints.

  • Hou et al. [37] investigated physical security of GIFT-COFB, in particular differential ciphertext side-channel attacks.
  • Jang et al. [38] and Bijwe et al. [39] evaluated the post-quantum security of GIFT, in particular, amount of quantum resource to implement the Grover search on GIFT.
  • Hardware Implementations

    The GIFT-COFB mode was designed with rate 1, that is every message block is processed only once. Such designs are not only beneficial for throughput, but also energy consumption. However the design does need to maintain an additional 64 bit state, which requires a 64-bit register to additionally included in any hardware circuit that implements it. Although this might not be energy efficient for short messages, in the long run GIFT-COFB performs excellently with respect to energy consumption. The GIFT block cipher was designed with a motivation for good performance on lightweight platforms. The roundkey additon for the cipher is over only half the state and the keyschedule being only a bit permutation does not require logic gates. These characteristics make the GIFT well suited for lightweight applications. In fact as reported in [3], among the block ciphers defined for 128-bit block size GIFT-128 has the lowest hardware footprint and very low energy consumption. Thus GIFT-COFB combines the best of both the advantages of the design ideologies. Below, we provide the existing implementation results both on ASIC and FPGA.

      ASIC Results
    We first provide our first ASIC implementation for GIFT-COFB. The figure below describes the component wise break up of different hardware components.
    Implementation results for GIFT-COFB is given below.
    Block Cipher Area (GE) Power (μ W) Energy (nJ)
    A M A M A M
    0 BYTE 16 BYTE 0 BYTE 16 BYTE 0 BYTE 16 BYTE
    GIFT-128 3927 156.3 1.31 2.00 2.69
    We also provide a recent hardware optimized ASIC implementation results of GIFT-COFB. The recent work [6] addresses the issue regarding efficient field arithmetic in bit- serial circuits has been addressed. As a result lightweight circuit for GIFT-COFB is proposed, that occupies less than 1500 GE, making it the to-date most area-efficient implementation of this construction. We compare these results with some of the other NIST LWC candidates. The results are given below. Note that, these are the synthesis results overview for lightweight block cipher based NIST LWC competitors using the STM 90 nm cell library at a clock frequency of 10 MHz. Latency and energy correspond to the encryption of 128 bits of AD and 1024 message bits. Among these implemented candidates GIFT-COFB and Romulus are also NIST LWC finalists. We can observe that, GIFT-COFB also provides a highly competitive power and energy values.
    Datapath Area Latency Power Energy
    Reference
    Bits GE Cycles µW nJ
    SUNDAE-GIFT 1 1201 92544 55.48 513.4 [30]
    SAEAES 1 1350 24448 84.47 206.5 [30]
    ROMULUS 1 1778 55431 82.28 456.1 [30]
    SKINNY-AEAD 1 3589 72960 143.7 1048 [30]
    GIFT-COFB-SER-S 1 1443 54784 50.11 275.8 [31]
    GIFT-COFB-SER-F 1 1485 51328 62.15 319.8 [31]
    GIFT-COFB-SER-TI 1 3384 51328 158.1 813.5 [31]
      FPGA Results
    Below, we show the existing FPGA implementation results implemented by the researchers from George Mason University (GMU) and Virginia-Tech (VT). The VT research group presents only basic iterative implementations, whereas the GMU research group (CERG) presents both basic iterative and various loop-unrolled implementations. Below, we provide those results on Xilinx Artix-7. The results depict that, COFB-GIFT exhibits very competitive results on FPGA.

    Variants
    Implementation
    Features

    # LUTs

    #FFs

    # Slices

    MHz

    Encryption AD+PT Throughput for Long Messages
    (Mbps)

    Reference
    GIFT-COFB-VT-v1 Basic Iterative 1041 604 321 675 733.3





    [32]
    GIFT-COFB-GMU-v1 Basic Iterative 1223 887 379 263 821.1
    GIFT-COFB-GMU-v2 2 × Unrolled 1,380 880 417 261 1590.9
    GIFT-COFB-GMU-v3 4 × Unrolled 1,641 882 499 249 2897.5
    GIFT-COFB-GMU-v4 5 × Unrolled 1,730 873 539 213 3029.3
    GIFT-COFB-GMU-v5 8 × Unrolled 2,051 873 655 137 2922.7
    GIFT-COFB-GMU-v6 10 × Unrolled 2363 872 696 110 2816.0

    Software Implementations

    The paper[9] adopts the fix-slicing strategy (will be presented at CHES 2020, software implementation codes can be found in[12]) to make a new representation of the GIFT-64 and GIFT-128 bit permutations that makes it efficient and simple to implement in software. This strategy indeed leads to very efficient one-block constant-time GIFT-128 implementations on 32-bit architectures such as ARM Cortex-M family of processors (79 cycles/ byte on ARM Cortex-M3), making GIFT-COFB one of the most efficient candidate according to microcontroller benchmarks[9] [11]. Using smaller architecture will not be an issue as we will actually save more operations comparatively, since part of the bit permutation can be done by proper unrolling and register scheduling. This is confirmed with 8-bit AVR benchmarks [10] [11] described below. Here GIFT-COFB is again ranked among the top candidates. Note that using exactly this implementation will also provide decent performance on recent high-end processors (and excellent performances if parallel computations of GIFT-COFB instances are considered and vector instructions are used).

    Latest software implementation results will be given later.

    References

    1. ^ Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, and Mridul Nandi. Blockcipher-based authenticated encryption: How small can we go? In Cryptographic Hardware and Embedded Systems - CHES 2017 - 19th International Conference, Taipei, Taiwan, September 25-28, 2017, Proceedings, pages 277-298, 2017
    2. ^ Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, and Mridul Nandi. Blockcipher-based authenticated encryption: How small can we go? Journal of Cryptology 2020 (vol 33(3), page 703-741), 2020.
    3. ^ Subhadeep Banik, Sumit Kumar Pandey, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT: A small present - towards reaching the limit of lightweight encryption. In Cryptographic Hardware and Embedded Systems - CHES 2017 - 19th International Conference, Taipei, Taiwan, September 25-28, 2017, Proceedings, pages 321–345, 2017.
    4. ^ Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. PRESENT: An Ultra-Lightweight Block Cipher. In CHES 2007, pages 450-466, 2007.
    5. ^ Subhadeep Banik, Avik Chakraborti, Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, Mridul Nandi, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT-COFB Final Round Updates. NIST LWC, Final Round Status Update, 2022. https://csrc.nist.gov/csrc/media/Projects/lightweight-cryptography/documents/finalist-round/status-updates/gift-cofb-update.pdf.
    6. ^ Subhadeep Banik, Sumit Kumar Pandey, Thomas Peyrin, Siang Meng Sim, Yosuke Todo, and Yu Sasaki. Gift: A small present. Cryptology ePrint Archive, Report 2017/622, 2017. https://eprint.iacr.org/2017/622.
    7. ^ Yu Sasaki. Integer linear programming for three-subset meet-in-the-middle attacks: Application to gift. In Atsuo Inomata and Kan Yasuda, editors, Advances in Information and Computer Security, pages 227-243, Cham, 2018. Springer International Publishing.
    8. ^ Baoyu Zhu, Xiaoyang Dong, and Hongbo Yu. Milp-based differential attack on round-reduced gift. Cryptology ePrint Archive, Report 2018/390, 2018. https://eprint.iacr.org/2018/390.
    9. ^ Alexandre Adomnicai, Zakaria Najm, and Thomas Peyrin. Fixslicing: A new GIFT representation. IACR Cryptol. ePrint Arch., 2020:412, 2020.
    10. ^ Sebastian Renner, Enrico Pozzobon, and Jürgen Mottok. NIST LWC Software Performance Benchmarks on Microcontrollers, 2020.
    11. ^ Rhys Weatherley. Lightweight Cryptography Primitives, 2020.
    12. ^ https://github.com/aadomn/gift
    13. ^ https://github.com/rweather/lightweight-crypto
    14. ^ Subhadeep Banik, Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, Mridul Nandi, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT-COFB v1.0 Specification (NIST LWC First Round Submission). https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/GIFT-COFB-spec.pdf.
    15. ^ Subhadeep Banik, Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, Mridul Nandi, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT-COFB v1.0 Specification (NIST LWC Second Round Submission). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/gift-cofb-spec-round2.pdf.
    16. ^ Subhadeep Banik, Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, Mridul Nandi, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT-COFB v1.1 Specification (NIST LWC Final Round Submission). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/gift-cofb-spec-final.pdf.
    17. ^ Seonggyeom Kim, Deukjo Hong, Jaechul Sung, and Seokhie Hong. Accelerating the Best Trail Search on AES-Like Ciphers. IACR ToSC 2022 (Vol 2, page 201-252). https://tosc.iacr.org/index.php/ToSC/article/view/9719/9247.
    18. ^ Ling Sun, Wei Wang, and Meiqin Wang. Addendum to Linear Cryptanalyses of Three AEADs with GIFT-128 as Underlying Primitives. IACR Cryptol. ePrint Arch., 2022:151, 2022.
    19. ^ Ling Sun, Wei Wang, and Meiqin Wang. Linear Cryptanalyses of Three AEADs withGIFT-128 as Underlying Primitives. IACR ToSC 2021 (Vol 2, page 199-221). https://tosc.iacr.org/index.php/ToSC/article/view/9719/9247.
    20. ^ CUI Yaxin, XU Hong, and QI Wenfeng. MILP-Based Linear Attacks on Round-Reduced GIFT. Chinese Journal of Electronics 2022 (Vol 31(1), page 89-98). https://tosc.iacr.org/index.php/ToSC/article/view/9719/9247.
    21. ^ Akram Khalesi and Zahra Ahmadian. Provably Minimum Data Complexity Integral Distinguisher Based on Conventional Division Property. IACR Cryptol. ePrint Arch., 2022:752, 2022.
    22. ^ Kai Hu, Thomas Peyrin, and Meiqin Wang. Finding All Impossible Differentials When Considering the DDT. IACR Cryptol. ePrint Arch., 2022:1034, 2022.
    23. ^ Anubhab Bakshi. Finding All Impossible Differentials When Considering the DDT. SECITC, 2020(page 41-54), 2020.
    24. ^ Mustafa Khairallah. Security of COFB against Chosen Ciphertext Attacks. IACR ToSC 2022 (Vol 1, page 138-157). https://tosc.iacr.org/index.php/ToSC/article/view/9719/9247.
    25. ^ Akiko Inoue, Kazuhiko Minematsu, and Tetsu Iwata. Analyzing the provable security bounds of GIFT-COFB and photon-beetle. Fifth NIST Lightweight Cryptography Workshop 2022 (2022).
    26. ^ Akiko Inoue, Kazuhiko Minematsu, and Tetsu Iwata. Analyzing the provable security bounds of GIFT-COFB and photon-beetle. ACNS 2022 (vol 13269, page 67-84), 2022. https://tosc.iacr.org/index.php/ToSC/article/view/9719/9247.
    27. ^ Subhadeep Banik, Avik Chakraborti, Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, Mridul Nandi, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT-COFB. IACR Cryptol. ePrint Arch., 2020:738, 2020.
    28. ^ Shuai Liu, Jie Guan, and Bin Hu. Fault attacks on authenticated encryption modes for GIFT. IET Inf. Secur. (Vol 16(1), page 51–63), 2022
    29. ^ Reshma Rajan, Rupam Kumar Roy, Diptakshi Sen, and Girish Mishra. Deep Learning based Differential Distinguisher for Lightweight Cipher gift-cofb. Machine Intelligence and Smart Systems 2022 (page 397-406). Springer Nature Singapore, Singapore 2022
    30. ^ Fatih Balli, Andrea Caforio, and Subhadeep Banik. The Area-Latency Symbiosis: Towards Improved Serial Encryption Circuits. IACR TCHES 2021 (Vol 1, page 239-278).
    31. ^ Andrea Caforio, Daniel Collins, Subhadeep Banik, and Francesco Regazzoni. A Small GIFT-COFB: Lightweight Bit-Serial Architectures. IACR Cryptol. ePrint Arch., 2022:955, 2022.
    32. ^ Jens-Peter Kaps, William Diehl, Michael Tempelmeier, Farnoud Farahmand, Ekawat Homsirikamol, and Kris Gaj. A Comprehensive Framework for Fair and Efficient Benchmarking of Hardware Implementations of Lightweight Cryptography. IACR Cryptol. ePrint Arch., 2019:1273, 2019.
    33. ^ Rui Zong, Xiaoyang Dong, Huaifeng Chen, Yiyuan Luo, Si Wang, and Zheng Li. Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128. IACR ToSC 2021 (Vol 1, page 156-184). https://tosc.iacr.org/index.php/ToSC/article/view/8836/8439.
    34. ^ Mustafa Khairallah. Weak Keys in the Rekeying Paradigm: Application to COMET 841 and mixFeed. IACR ToSC 2019 (Vol 4, page 272-289). https://tosc.iacr.org/index.php/ToSC/article/view/8465/8031
    35. ^ Mustafa Khairallah. Observations on the Tightness of the Security Bounds of GIFT-COFB and HyENA. IACR Cryptol. ePrint Arch., 2020:1463, 2020.
    36. ^ Zhe CEN, Xiutao FENG, Zhangyi Wang, and Chunping CAO. (–Withdrawn–) Forgery attack on the authentication encryption GIFT-COFB. IACR Cryptol. ePrint Arch., 2020:698, 2020.
    37. ^ Xiaolu Hou, Jakub Breier, and Shivam Bhasin. DNFA: Differential No-Fault Analysis 824 of Bit Permutation Based Ciphers Assisted by Side-Channel. IACR Cryptol. ePrint Arch., 2020:1554, 2020.
    38. ^ Kyoungbae Jang, Hyunjun Kim, Siwoo Eum, and Hwajeong Seo. Grover on GIFT. IACR Cryptol. ePrint Arch., 2020:1405, 2020.
    39. ^ Subodh Bijwe, Amit Kumar Chauhan, and Somitra Kumar Sanadhya. Quantum Search for Lightweight Block Ciphers: GIFT, SKINNY, SATURNIN. IACR Cryptol. ePrint Arch., 2020:1485, 2020.