Cryptology ePrint Archive: Report 2019/867

A Practical Forgery Attack on Lilliput-AE

Orr Dunkelman and Nathan Keller and Eran Lambooij and Yu Sasaki

Abstract: Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin.

In this note we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about 2^36 bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is re-used in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.

Category / Keywords: secret-key cryptography / Lilliput-AE, lightweight, cryptanalysis

Date: received 25 Jul 2019

Contact author: orrd at cs haifa ac il, nkeller at math biu ac il, yu sasaki sk at hco ntt co jp

Available format(s): PDF | BibTeX Citation

Version: 20190725:114840 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]