Authors
Zheng Xu,Yongqiang Li,Mingsheng Wang
Identifier
DOI:10.1093/comjnl/bxab061
Abstract
This paper investigates the security of counter mode encryption with authentication tag (COMET), one of the 32 second-round candidates in the National Institute of Standards and Technology's lightweight cryptography standardization process, against differential cryptanalysis. CHAM-64/128 is a block cipher chosen as one of the underlying block ciphers in COMET for hardware-oriented applications, and a differential characteristic with a high probability for CHAM-64/128 is useful for forgery attacks on COMET. However, we find that the optimal 39-round differential characteristic for CHAM-64/128 proposed by Roh et al., which is the longest differential characteristic of CHAM-64/128, is invalid. Then, we propose a new method of distinguishing an $m$-bit block cipher from an $m$-bit random permutation using a differential characteristic with a probability not higher than $2^{-m}$. Using our method, we use each of two 39-round differential characteristics with a probability of $2^{-64}$ for CHAM-64/128 to distinguish 39-round-reduced CHAM-64/128 from a 64-bit random permutation. Furthermore, we refine the probabilities of the two differentials that have the same input and output differential masks as these two 39-round differential characteristics, respectively. Finally, we present the first forgery attacks on COMET with the two differentials without using weak keys. Our forgery attacks follow the nonce-misuse scenario. It should be noted that this attack does not invalidate the security claims of the designers.
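To make concrete why a characteristic with probability at most $2^{-m}$ gives no advantage to a classical differential distinguisher, here is the standard counting argument, added as an explanatory note; it is not the paper's new method, which the abstract does not describe.

For a random $m$-bit permutation and a fixed nonzero input difference $\Delta_{in}$, the output difference of a pair is (essentially) uniform over the $2^m - 1$ nonzero values, so for any fixed $\Delta_{out}$

$$p_{rand} = \Pr[\Delta_{out} \mid \Delta_{in}] = \frac{1}{2^m - 1} > 2^{-m}.$$

With $N$ chosen-plaintext pairs following $\Delta_{in}$, the expected number of pairs showing $\Delta_{out}$ is $N \cdot p$ for the cipher (with $p$ the probability of the differential) and $N \cdot p_{rand}$ for the random permutation. A classical distinguisher needs $p \gg p_{rand}$ and about $N \approx c/p$ pairs for a small constant $c$, which for an $m$-bit block forces $p \gg 2^{-m}$. For CHAM-64/128 with $m = 64$ and a characteristic of probability $p = 2^{-64}$,

$$p = 2^{-64} < \frac{1}{2^{64} - 1} = p_{rand},$$

so the two expected counts coincide to within a factor $(1 - 2^{-64})$ and the characteristic alone yields no distinguishing advantage; this is the gap the paper's new distinguishing method and its refined differential probabilities are meant to close.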