Abstract

This paper provides security analysis of a lightweight block cipher called Lilliput, which was proposed in IEEE Transactions on Computers in 2015. Lilliput adopts an extended generalized Feistel network (EGFN). EGFN consists of non-linear, linear, and permutation layers, and the linear layer updates a part of the state only linearly, which causes several security concerns. Our first discovery is that the lower bounds of the number of differentially active S-boxes provided by the designers are incorrect. Thus the new bounds are derived by using mixed integer linear programming (MILP). We apply a two-stage search procedure introduced by Sun et al. that leads to tight bounds even for a large number of rounds. The search tool is then converted for linear cryptanalysis. With those updates, the challenging problem of evaluating Lilliput's security against differential and linear cryptanalysis is closed. Another contribution is the best third-party cryptanalysis. The designers expected EGFN to efficiently enhance security against integral cryptanalysis. However, security is not as enhanced as the designers expected. In fact, division property finds a 13-round distinguisher that improves on the previous distinguisher by 4 rounds. The distinguisher is further extended to a 17-round key recovery that improves on the previous best attack by 3 rounds.
