International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Exploiting Weak Diffusion of Gimli: Improved Distinguishers and Preimage Attacks

Authors:
Fukang Liu , Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai, China; University of Hyogo, Hyogo, Japan
Takanori Isobe , University of Hyogo, Hyogo, Japan; National Institute of Information and Communications Technology, Tokyo, Japan; PRESTO, Japan Science and Technology Agency, Tokyo, Japan
Willi Meier , University of Applied Sciences and Arts Northwestern Switzerland, Windisch, Switzerland
Download:
DOI: 10.46586/tosc.v2021.i1.185-216
URL: https://tosc.iacr.org/index.php/ToSC/article/view/8837
Search ePrint
Search Google
Abstract: The Gimli permutation proposed in CHES 2017 was designed for cross-platform performance. One main strategy to achieve such a goal is to utilize a sparse linear layer (Small-Swap and Big-Swap), which occurs every two rounds. In addition, the round constant addition occurs every four rounds and only one 32-bit word is affected by it. The above two facts have been recently exploited to construct a distinguisher for the full Gimli permutation with time complexity 264. By utilizing a new property of the SP-box, we demonstrate that the time complexity of the full-round distinguisher can be further reduced to 252 while a significant bias still remains. Moreover, for the 18-round Gimli permutation, we could construct a distinguisher even with only 2 queries. Apart from the permutation itself, the weak diffusion can also be utilized to accelerate the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 with a divide-and-conquer method. As a consequence, the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 can reach up to 5 rounds and 9 rounds, respectively. Since Gimli is included in the second round candidates in NIST’s Lightweight Cryptography Standardization process, we expect that our analysis can further advance the understanding of Gimli. To the best of our knowledge, the distinguishing attacks and preimage attacks are the best so far.
BibTeX
@article{tosc-2021-30949,
  title={Exploiting Weak Diffusion of Gimli: Improved Distinguishers and Preimage Attacks},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2021, Issue 1},
  pages={185-216},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/8837},
  doi={10.46586/tosc.v2021.i1.185-216},
  author={Fukang Liu and Takanori Isobe and Willi Meier},
  year=2021
}