Cryptology ePrint Archive: Report 2020/744

New results on Gimli: full-permutation distinguishers and improved collisions

Antonio Flórez Gutiérrez and Gaëtan Leurent and María Naya-Plasencia and Léo Perrin and André Schrottenloher and Ferdinand Sibleyras

Abstract: Gimli is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate Gimli is based on the permutation Gimli, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in Gimli and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity 2^64 . We also provide a practical distinguisher on 23 out of the full 24 rounds of Gimli that has been implemented.

Next, we give (full state) collision and semi-free-start collision attacks on Gimli-Hash, reaching respectively up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round Gimli-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in the permutation, and we propose differential-linear cryptanalysis that reach up to 17 rounds of Gimli.

Category / Keywords: secret-key cryptography / Gimli, symmetries, symmetric cryptanalysis, full-round distinguisher, collision attacks, linear approximations

Date: received 18 Jun 2020, last revised 18 Jun 2020

Contact author: antonio florez-gutierrez at inria fr, gaetan leurent@inria fr, maria naya_plasencia@inria fr, leo perrin@inria fr, andre schrottenloher@inria fr, ferdinand sibleyras@inria fr

Available format(s): PDF | BibTeX Citation

Version: 20200621:172956 (All versions of this report)

Short URL: ia.cr/2020/744


[ Cryptology ePrint archive ]