A Practical Forgery Attack on Lilliput-AE
Journal of Cryptology (IF 3), Pub Date: 2019-09-16, DOI: 10.1007/s00145-019-09333-z
Orr Dunkelman, Nathan Keller, Eran Lambooij, Yu Sasaki

Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note, we present an extremely efficient forgery attack on Lilliput-AE: given a single arbitrary message of length about $$2^{36}$$ bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related-tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.

Updated: 2019-09-16