At SAC 2013, Berger et al. first proposed the Extended Generalized Feistel Networks (EGFN) structure for the design of block ciphers with efficient diffusion. Later, based on the Type-2 EGFN, they instantiated a new lightweight block cipher named Lilliput (published in IEEE Transactions on Computers, Vol. 65, Issue 7, 2016). According to published cryptanalysis results, Lilliput is sufficiently secure against theoretical attacks such as differential, linear, boomerang, and integral attacks, which rely on the statistical properties of plaintext and ciphertext. However, there is a lack of analysis regarding its resistance to physical attacks in real-world scenarios, such as fault attacks. In this paper, we present the first systematic differential fault analysis (DFA) of Lilliput under three nibble-oriented fault models with progressively relaxed adversarial assumptions to comprehensively assess its fault resilience. In Model I (multi-round fixed-location), precise fault injections at specific rounds recover the master key with a 98% success rate using only 8 faults. Model II (single-round fixed-location) relaxes the multi-round requirement, demonstrating that 8 faults confined to a single round are still sufficient to achieve a 99% success rate by exploiting Lilliput's diffusion properties and DDT-based constraints. Model III (single-round random-location) further weakens the assumption by allowing faults to occur randomly among the eight rightmost branches of round 27. By uniquely identifying the fault location from ciphertext differences with high probability, the attack remains highly feasible, achieving over 99% success with 33 faults and exceeding 99.5% with 36 faults. Our findings reveal a significant vulnerability of Lilliput to practical fault attacks across different adversary capabilities in real-world scenarios, providing crucial insights for its secure implementation.

翻译：在2013年SAC会议上，Berger等人首次提出扩展广义Feistel网络（EGFN）结构用于设计具有高效扩散性的分组密码。随后基于Type-2 EGFN，他们实例化了一种名为Lilliput的新型轻量级分组密码（发表于《IEEE Transactions on Computers》第65卷第7期，2016年）。根据已发表的密码分析结果，Lilliput对依赖明文与密文统计特性的理论攻击（如差分分析、线性分析、反弹球攻击和积分攻击）具有足够安全性。然而，关于其在真实场景下对物理攻击（如故障攻击）的抵抗性尚缺乏分析。本文首次在三种逐步放宽敌手假设的面向半字节故障模型下，对Lilliput进行系统性差分故障分析（DFA），以全面评估其故障鲁棒性。模型I（多轮固定位置）中，在特定轮次进行精确故障注入，仅需8个故障即可实现98%的主密钥恢复成功率。模型II（单轮固定位置）放宽了多轮要求，通过利用Lilliput的扩散特性与基于差分分布表（DDT）的约束条件，表明仅需8个局限于单轮的故障即可达到99%的成功率。模型III（单轮随机位置）进一步弱化假设，允许故障随机出现在第27轮最右侧的八个分支中。通过从密文差异中以高概率唯一识别故障位置，此攻击仍保持高度可行性：33个故障即可实现超过99%的成功率，36个故障时成功率超过99.5%。我们的研究揭示了Lilliput在真实场景中面对不同敌手能力时存在显著的实际故障攻击脆弱性，为其安全实现提供了关键见解。