## CryptoDB

### Paper: A Practical Forgery Attack on Lilliput-AE

Authors: Orr Dunkelman Nathan Keller Eran Lambooij Yu Sasaki DOI: 10.1007/s00145-019-09333-z Search ePrint Search Google Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note, we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about $2^{36}$ 2 36 bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related-tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.
##### BibTeX
@article{jofc-2019-30127,
title={A Practical Forgery Attack on Lilliput-AE},
journal={Journal of Cryptology},
publisher={Springer},
doi={10.1007/s00145-019-09333-z},
author={Orr Dunkelman and Nathan Keller and Eran Lambooij and Yu Sasaki},
year=2019
}