
A Practical Forgery Attack on Lilliput-AE

Journal of Cryptology

Abstract

Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note, we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about \(2^{36}\) bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related-tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.



Acknowledgements

We are grateful to the Lilliput-AE team for confirming our findings and for allowing us to use the figures from the specification document in this note.

Corresponding author

Correspondence to Orr Dunkelman.

Additional information

Communicated by Vincent Rijmen.

Orr Dunkelman and Eran Lambooij were supported in part by the Israel Ministry of Science and Technology, the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through Grant No. 880/18. Nathan Keller was supported by the European Research Council under the ERC starting Grant Agreement No. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.

Cite this article

Dunkelman, O., Keller, N., Lambooij, E. et al. A Practical Forgery Attack on Lilliput-AE. J Cryptol 33, 910–916 (2020). https://doi.org/10.1007/s00145-019-09333-z
