Paper 2019/867

A Practical Forgery Attack on Lilliput-AE

Orr Dunkelman, Nathan Keller, Eran Lambooij, and Yu Sasaki

Abstract

Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about 2^36 bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is re-used in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. Minor revision.
Keywords
Lilliput-AElightweightcryptanalysis
Contact author(s)
orrd @ cs haifa ac il
nkeller @ math biu ac il
yu sasaki sk @ hco ntt co jp
History
2019-07-25: received
Short URL
https://ia.cr/2019/867
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/867,
      author = {Orr Dunkelman and Nathan Keller and Eran Lambooij and Yu Sasaki},
      title = {A Practical Forgery Attack on Lilliput-AE},
      howpublished = {Cryptology ePrint Archive, Paper 2019/867},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/867}},
      url = {https://eprint.iacr.org/2019/867}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.