Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

From Precise to Random: A Systematic Differential Fault Analysis of the Lightweight Block Cipher Lilliput

Peipei Xie, Siwei Chen, Zejun Xiang, Shasha Zhang, Xiangyong Zeng

Abstract

At SAC 2013, Berger et al. first proposed the Extended Generalized Feistel Networks (EGFN) structure for the design of block ciphers with efficient diffusion. Later, based on the Type-2 EGFN, they instantiated a new lightweight block cipher named Lilliput (published in IEEE Transactions on Computers, Vol. 65, Issue 7, 2016). According to published cryptanalysis results, Lilliput is sufficiently secure against theoretical attacks such as differential, linear, boomerang, and integral attacks, which rely on the statistical properties of plaintext and ciphertext. However, there is a lack of analysis regarding its resistance to physical attacks in real-world scenarios, such as fault attacks. In this paper, we present the first systematic differential fault analysis (DFA) of Lilliput under three nibble-oriented fault models with progressively relaxed adversarial assumptions to comprehensively assess its fault resilience. In Model I (multi-round fixed-location), precise fault injections at specific rounds recover the master key with a 98% success rate using only 8 faults. Model II (single-round fixed-location) relaxes the multi-round requirement, demonstrating that 8 faults confined to a single round are still sufficient to achieve a 99% success rate by exploiting Lilliput's diffusion properties and DDT-based constraints. Model III (single-round random-location) further weakens the assumption by allowing faults to occur randomly among the eight rightmost branches of round 27. By uniquely identifying the fault location from ciphertext differences with high probability, the attack remains highly feasible, achieving over 99% success with 33 faults and exceeding 99.5% with 36 faults. Our findings reveal a significant vulnerability of Lilliput to practical fault attacks across different adversary capabilities in real-world scenarios, providing crucial insights for its secure implementation.

From Precise to Random: A Systematic Differential Fault Analysis of the Lightweight Block Cipher Lilliput

Abstract

At SAC 2013, Berger et al. first proposed the Extended Generalized Feistel Networks (EGFN) structure for the design of block ciphers with efficient diffusion. Later, based on the Type-2 EGFN, they instantiated a new lightweight block cipher named Lilliput (published in IEEE Transactions on Computers, Vol. 65, Issue 7, 2016). According to published cryptanalysis results, Lilliput is sufficiently secure against theoretical attacks such as differential, linear, boomerang, and integral attacks, which rely on the statistical properties of plaintext and ciphertext. However, there is a lack of analysis regarding its resistance to physical attacks in real-world scenarios, such as fault attacks. In this paper, we present the first systematic differential fault analysis (DFA) of Lilliput under three nibble-oriented fault models with progressively relaxed adversarial assumptions to comprehensively assess its fault resilience. In Model I (multi-round fixed-location), precise fault injections at specific rounds recover the master key with a 98% success rate using only 8 faults. Model II (single-round fixed-location) relaxes the multi-round requirement, demonstrating that 8 faults confined to a single round are still sufficient to achieve a 99% success rate by exploiting Lilliput's diffusion properties and DDT-based constraints. Model III (single-round random-location) further weakens the assumption by allowing faults to occur randomly among the eight rightmost branches of round 27. By uniquely identifying the fault location from ciphertext differences with high probability, the attack remains highly feasible, achieving over 99% success with 33 faults and exceeding 99.5% with 36 faults. Our findings reveal a significant vulnerability of Lilliput to practical fault attacks across different adversary capabilities in real-world scenarios, providing crucial insights for its secure implementation.
Paper Structure (25 sections, 2 theorems, 44 equations, 19 figures, 9 tables)

This paper contains 25 sections, 2 theorems, 44 equations, 19 figures, 9 tables.

Table of Contents

  1. Introduction
  2. Our Contributions
  3. Paper Organization
  4. Preliminaries
  5. Lilliput Block Cipher
  6. Encryption Process
  7. Key Schedule
  8. Differential Fault Attack
  9. Overview of Three Fault Injection Models for Lilliput's Security Assessment
  10. DFA under Multi-Round Fixed-Location Faults
  11. Selecting Fault Injection Rounds and Locations
  12. Direct Fault Recovery from Ciphertext Differences
  13. Experimental Evaluation of Fault Complexity and Success Rate
  14. Simultaneous Key Recovery under Single-Round Fixed-Location Faults
  15. Optimal Fault Localization for Maximum Information Leakage
  16. ...and 10 more sections

Key Result

Proposition 1

If the fault is randomly injected at $X^{27}_i$ for any $0\le i\le 6$, then the exact injection location can be uniquely determined.

Figures (19)

  • Figure 1: Overview of Lilliput's encryption process.
  • Figure 2: The $r$-th round encryption of Lilliput.
  • Figure 3: The overview of Lilliput's key schedule.
  • Figure 4: The update function of LFSM.
  • Figure 5: Fault propagation after fault injection at $X^{28}_7$. For clarity, in the fault propagation diagram, the eight S-boxes in each round are labeled from top to bottom as $S_0$--$S_7$, with the first S-box denoted by $S_0$ and the others numbered consecutively.
  • ...and 14 more figures

Theorems & Definitions (4)

  • Proposition 1
  • proof
  • Proposition 2
  • proof