## Cryptology ePrint Archive: Report 2020/561

Exploiting Weak Diffusion of Gimli: Improved Distinguishers and Preimage Attacks

Fukang Liu and Takanori Isobe and Willi Meier

Abstract: The Gimli permutation proposed in CHES 2017 was designed for cross-platform performance. One main strategy to achieve such a goal is to utilize a sparse linear layer (Small-Swap and Big-Swap), which occurs every two rounds. In addition, the round constant addition occurs every four rounds and only one 32-bit word is affected by it. The above two facts have been recently exploited to construct a distinguisher for the full Gimli permutation with time complexity $2^{64}$. By utilizing a new property of the SP-box, we demonstrate that the time complexity of the full-round distinguisher can be further reduced to $2^{52}$ while a significant bias still remains. Moreover, for the 18-round Gimli permutation, we could construct a distinguisher even with only 2 queries. Apart from the permutation itself, combined with some new properties of the SP-box, the weak diffusion can also be utilized to accelerate the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 with a divide-and-conquer method. As a consequence, the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 can reach up to 5 rounds and 9 rounds, respectively. Since Gimli is included in the second round candidates in NIST's Lightweight Cryptography Standardization process, we expect that our analysis can further advance the understanding of Gimli. To the best of our knowledge, the distinguishing attacks and preimage attacks are the best so far.

Category / Keywords: secret-key cryptography / hash function, Gimli, Gimli-Hash, Gimli-XOF, preimage attack, distinguisher

Date: received 13 May 2020, last revised 26 Aug 2020

Contact author: liufukangs at 163 com,takanori isobe@ai u-hyogo ac jp,willimeier48@gmail com

Available format(s): PDF | BibTeX Citation

Note: This is a major revision. We removed the 21-round and 24-round distinguisher and will focus on the 18-round distinguisher as well as the improved full-round distinguisher based on a new property of the SP-box.

Short URL: ia.cr/2020/561

[ Cryptology ePrint archive ]