A Practical Forgery Attack on Lilliput-AE

Orr Dunkelman, Nathan Keller, Eran Lambooij, Yu Sasaki

Research output: Contribution to journal / Article / peer-reviewed

3 Scopus citations

Abstract

Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note, we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about 2^36 bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related-tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.
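The abstract names the class of weakness (tweak material re-injected unchanged every round, so a tweak difference that cancels in the first round subkey cancels in every round subkey) but does not reproduce the cipher. The following is an added toy illustration of that class, written for this page; it is not Lilliput-AE, not the authors' code, and the 16-bit cipher, the two-lane tweak layout (nonce lane, block-counter lane), the LFSR lane updates and the XOR-of-blocks toy tag are all assumptions made for the illustration. It shows (a) a related-tweak differential with probability 1 and zero state difference under a schedule that only adds round constants, (b) that the same difference stops cancelling once each lane is updated by its own linear map, and (c) how the probability-1 differential turns into a tag forgery that, like the attack in the abstract, needs a message with enough blocks for the counter lane to absorb the difference.

```python
"""Toy related-tweak differential with probability 1 from a weak tweakey schedule.

Constructed example for illustration only: the cipher, tweak layout and tag
construction below are assumptions and do not reproduce Lilliput-AE.
"""

# PRESENT S-box (a bijection on 4-bit values), used as the toy non-linear layer.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
ROUNDS = 12
MASK = 0xFFFF
# Distinct round constants: they stop slide attacks but, as shown below, do
# nothing against a tweak difference that cancels inside every round subkey.
RC = [(0x9E37 * (r + 1)) & MASK for r in range(ROUNDS)]


def sbox_layer(x):
    return sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def round_function(state, subkey):
    # AddTweakey -> S-box layer -> bit rotation (toy diffusion layer)
    return rotl16(sbox_layer(state ^ subkey), 5)


def weak_schedule(key, lane1, lane2):
    # Weak: both tweak lanes enter every round subkey unchanged; only RC[r] varies.
    # A difference d injected into BOTH lanes cancels in every subkey.
    return [key ^ lane1 ^ lane2 ^ RC[r] for r in range(ROUNDS)]


def lfsr_step(x, taps):
    # One step of a 16-bit Fibonacci LFSR (a GF(2)-linear map) with the given taps.
    fb = 0
    for t in taps:
        fb ^= (x >> t) & 1
    return ((x << 1) | fb) & MASK


def strong_schedule(key, lane1, lane2):
    # Stronger: each lane is updated by a different linear map between rounds, so a
    # difference that cancels in round 0 reappears in the subkey of round 1 onwards.
    ks = []
    for r in range(ROUNDS):
        ks.append(key ^ lane1 ^ lane2 ^ RC[r])
        lane1 = lfsr_step(lane1, (15, 13, 12, 10))
        lane2 = lfsr_step(lane2, (15, 14, 12, 3))
    return ks


def encrypt(pt, key, tweak, schedule=weak_schedule):
    # 32-bit tweak = (lane1 << 16) | lane2; in the toy MAC lane1 is the nonce,
    # lane2 the block counter.
    lane1, lane2 = (tweak >> 16) & MASK, tweak & MASK
    state = pt
    for sk in schedule(key, lane1, lane2):
        state = round_function(state, sk)
    return state


def toy_tag(key, nonce, blocks, schedule=weak_schedule):
    # Toy parallel MAC: tag = XOR over i of E_K^{(nonce, i)}(M_i). Constructed
    # for illustration; not Lilliput-AE's authentication mode.
    tag = 0
    for i, m in enumerate(blocks):
        tag ^= encrypt(m, key, (nonce << 16) | i, schedule)
    return tag


def forge(nonce, blocks, delta):
    """Given a valid (nonce, blocks), return a different (nonce', blocks') with the
    same toy tag under the weak schedule, without knowing the key.

    Under weak_schedule the subkeys depend only on nonce ^ counter, so block M_i
    processed at counter i ^ delta under nonce ^ delta yields the same value.
    The message must have at least delta + 1 blocks (a power of two here, so
    i ^ delta stays in range for every i): a long message is the price of the
    forgery, as with the 2^36-byte message in the abstract.
    """
    n = len(blocks)
    assert n & (n - 1) == 0 and 0 < delta < n, "need a power-of-two block count > delta"
    forged = [None] * n
    for i, m in enumerate(blocks):
        forged[i ^ delta] = m
    return nonce ^ delta, forged


if __name__ == "__main__":
    key, nonce, delta = 0x1234, 0x00A5, 3
    blocks = [0x0000, 0x1111, 0x2222, 0x3333, 0x4444, 0x5555, 0x6666, 0x7777]  # constructed
    nonce2, blocks2 = forge(nonce, blocks, delta)
    print("weak schedule, tags equal:", toy_tag(key, nonce, blocks) == toy_tag(key, nonce2, blocks2))
    print("strong schedule, tags equal:",
          toy_tag(key, nonce, blocks, strong_schedule) == toy_tag(key, nonce2, blocks2, strong_schedule))
```

The check worth keeping in mind for a real schedule is the one `forge` relies on: enumerate the linear maps applied to each tweak lane per round and ask whether any nonzero difference vector across the lanes maps to a zero subkey difference in every round. Round constants never enter that computation, which is why they cannot help.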

Original language: English
Pages (from-to): 910-916
Number of pages: 7
Journal: Journal of Cryptology
Volume: 33
Issue number: 3
DOIs
State: Published - 1 Jul 2020

Bibliographical note

Publisher Copyright:
© 2019, International Association for Cryptologic Research.

Acknowledgements

We are grateful to the Lilliput-AE team for confirming our findings and for allowing us to use the figures from the specification document in this note.


Keywords

• Authenticated encryption
• Cryptanalysis
• Differential cryptanalysis
• Lilliput
