Abstract
Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note, we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about 2 36 bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related-tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.
Original language | English |
---|---|
Pages (from-to) | 910-916 |
Number of pages | 7 |
Journal | Journal of Cryptology |
Volume | 33 |
Issue number | 3 |
DOIs | |
State | Published - 1 Jul 2020 |
Bibliographical note
Publisher Copyright:© 2019, International Association for Cryptologic Research.
Funding
We are grateful to the Lilliput-AE team for confirming our findings and for allowing us to use the figures from the specification document in this note.
Funders | Funder number |
---|---|
Lilliput-AE team |
Keywords
- Authenticated encryption
- Cryptanalysis
- Differential cryptanalysis
- Lilliput