Internal Symmetries and Linear Properties: Full-permutation Distinguishers and Improved Collisions on Gimli
Published in | Journal of cryptology Vol. 34; no. 4 |
---|---|
Main Authors | , , , , , |
Format | Journal Article |
Language | English |
Published | New York, Springer US, 01.10.2021, Springer Nature B.V, Springer Verlag |
Summary: | Gimli is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate Gimli is based on the permutation Gimli, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in Gimli and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity $2^{64}$. We also provide a practical distinguisher on 23 out of the full 24 rounds of Gimli that has been implemented. Next, we give (full state) collision and semi-free start collision attacks on Gimli-Hash, reaching, respectively, up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round Gimli-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in Gimli, and we find a linear distinguisher on the full permutation. |
---|---|
ISSN: | 0933-2790 1432-1378 |
DOI: | 10.1007/s00145-021-09413-z |