Skip to main content

Internal Symmetries and Linear Properties: Full-permutation Distinguishers and Improved Collisions on Gimli

Journal of Cryptology volume 34, Article number: 45 (2021) Cite this article

Abstract

\(\mathsf {Gimli}\) is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate \(\mathsf {Gimli}\) is based on the permutation \(\mathsf {Gimli}\), which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in \(\mathsf {Gimli}\) and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity \(2^{64}\). We also provide a practical distinguisher on 23 out of the full 24 rounds of \(\mathsf {Gimli}\) that has been implemented. Next, we give (full state) collision and semi-free start collision attacks on \(\mathsf {Gimli}\)-Hash, reaching, respectively, up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round \(\mathsf {Gimli}\)-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in \(\mathsf {Gimli}\), and we find a linear distinguisher on the full permutation.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price includes VAT (USA)
Tax calculation will be finalised during checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

Notes

  1. This behavior appears because the linear layer of \(\mathsf {Gimli}\) is round dependent.

  2. https://project.inria.fr/quasymodo/files/2020/05/gimli_cryptanalysis_eprint.tar.gz.

  3. Note that the formulas given page 15 of the specification of \(\mathsf {Gimli}\) are erroneous. In the line \(z_n' \leftarrow z_n + y_n + (x_{n-3} \wedge z_{n-3})\), \(z_{n-3}\) should be replaced by \(y_{n-3}\) and \(x_j \wedge z_j\) must be replaced by \(x_j \wedge y_j\) in the subsequent formulas.

References

  1. A. Abdelkhalek, Y. Sasaki, Y. Todo, M. Tolba, A.M. Youssef, MILP modeling for (large) s-boxes to optimize probability of differential characteristics. IACR Trans. Symm. Cryptol. 2017(4), 99–129 (2017)

    Article  Google Scholar 

  2. D. Bellizia, F. Berti, O. Bronchain, G. Cassiers, S. Duval, C. Guo, G. Leander, G. Leurent, I. Levi, C. Momin, O. Pereira, T. Peters, F.X. Standaert, B. Udvarhelyi, F. Wiemer, Spook: Sponge-based leakage-resistant authenticated encryption with a masked tweakable block cipher. IACR Trans. Symm. Cryptol. 2020(S1), 295–349 (2020)

    Article  Google Scholar 

  3. C.H. Bennett, Time/space trade-offs for reversible computation. SIAM J. Comput. 18(4), 766–776 (1989)

    MathSciNet  Article  Google Scholar 

  4. D.J. Bernstein, S. Kölbl, S. Lucks, P.M.C. Massolino, F. Mendel, K. Nawaz, T. Schneider, P. Schwabe, F.X. Standaert, Y. Todo, B. Viguier, Gimli : A cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Heidelberg (Sep 2017)

  5. D.J. Bernstein, S. Kölbl, S. Lucks, P.M.C. Massolino, F. Mendel, K. Nawaz, T. Schneider, P. Schwabe, F.X. Standaert, Y. Todo, B. Viguier, Gimli. Submission to the NIST Lightweight Cryptography project. Available online https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/gimli-spec.pdf. (2019)

  6. D.J. Bernstein, S. Kölbl, S. Lucks, P.M.C. Massolino, F. Mendel, K. Nawaz, T. Schneider, P. Schwabe, F.X. Standaert, Y. Todo, B. Viguier, Gimli: NIST LWC second-round candidate status update. Available online https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/gimli_update.pdf. (2020)

  7. G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge functions. In: ECRYPT hash workshop (2007)

  8. G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (Apr 2008)

  9. G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (Aug 2010)

  10. G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Duplexing the sponge: Single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (Aug 2012)

  11. E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)

    MathSciNet  Article  Google Scholar 

  12. A. Biryukov, C. De Cannière, M. Quisquater, On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (Aug 2004)

  13. G. Brassard, P. Hoyer, M. Mosca, A. Tapp, Quantum amplitude amplification and estimation. Contemporary Mathematics 305, 53–74 (2002)

    MathSciNet  MATH  Google Scholar 

  14. G. Brassard, P. Høyer, A. Tapp, Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (Apr 1998)

  15. J. Cai, Z. Wei, Y. Zhang, S. Sun, L. Hu, Zero-sum distinguishers for round-reduced Gimli permutation. In: Mori, P., Furnell, S., Camp, O. (eds.) Proceedings of the 5th International Conference on Information Systems Security and Privacy, ICISSP 2019, Prague, Czech Republic, February 23-25, 2019. pp. 38–43. SciTePress (2019)

  16. P. Derbez, P. Huynh, V. Lallemand, M. Naya-Plasencia, L. Perrin, A. Schrottenloher, Cryptanalysis results on Spook - bringing full-round Shadow-512 to the light. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 359–388. Springer, Heidelberg (Aug 2020)

  17. D. Dinu, L. Perrin, A. Udovenko, V. Velichkov, J. Großschädl, A. Biryukov, Design strategies for ARX with provable bounds: Sparx and LAX. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 484–513. Springer, Heidelberg (Dec 2016)

  18. A. Flórez-Gutiérrez, G. Leurent, M. Naya-Plasencia, L. Perrin, A. Schrottenloher, F. Sibleyras, New results on Gimli: full-permutation distinguishers and improved collisions. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I. LNCS, vol. 12491, pp. 33–63. Springer, Heidelberg (Dec 2020)

  19. H. Gilbert, A simplified representation of AES. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 200–222. Springer, Heidelberg (Dec 2014)

  20. H. Gilbert, T. Peyrin, Super-sbox cryptanalysis: Improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (Feb 2010)

  21. A. Gleixner, M. Bastubbe, L. Eifler, T. Gally, G. Gamrath, R.L. Gottwald, G. Hendel, C. Hojny, T. Koch, M.E. Lübbecke, S.J. Maher, M. Miltenberger, B. Müller, M.E. Pfetsch, C. Puchert, D. Rehfeldt, F. Schlösser, C. Schubert, F. Serrano, Y. Shinano, J.M. Viernickel, M. Walter, F. Wegscheider, J.T. Witt, J. Witzig, The SCIP Optimization Suite 6.0. Technical report, Optimization Online (July 2018), http://www.optimization-online.org/DB_HTML/2018/07/6692.html

  22. A. Gleixner, M. Bastubbe, L. Eifler, T. Gally, G. Gamrath, R.L. Gottwald, G. Hendel, C. Hojny, T. Koch, M.E. Lübbecke, S.J. Maher, M. Miltenberger, B. Müller, M.E. Pfetsch, C. Puchert, D. Rehfeldt, F. Schlösser, C. Schubert, F. Serrano, Y. Shinano, J.M. Viernickel, M. Walter, F. Wegscheider, J.T. Witt, J. Witzig, The SCIP Optimization Suite 6.0. ZIB-Report 18-26, Zuse Institute Berlin (July 2018), http://nbn-resolving.de/urn:nbn:de:0297-zib-69361

  23. L.K. Grover, A fast quantum mechanical algorithm for database search. In: 28th ACM STOC. pp. 212–219. ACM Press (May 1996)

  24. M. Hamburg, Cryptanalysis of 22 1/2 rounds of Gimli. Cryptology ePrint Archive, Report 2017/743 (2017), https://eprint.iacr.org/2017/743

  25. A. Hosoyamada, Y. Sasaki, Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 249–279. Springer, Heidelberg (May 2020)

  26. M. Iwamoto, T. Peyrin, Y. Sasaki, Limited-birthday distinguishers for hash functions - collisions beyond the birthday bound can be meaningful. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 504–523. Springer, Heidelberg (Dec 2013)

    Google Scholar 

  27. S. Jaques, M. Naehrig, M. Roetteler, F. Virdia, Implementing grover oracles for quantum key search on AES and LowMC. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 280–310. Springer, Heidelberg (May 2020)

    Chapter  Google Scholar 

  28. E. Knill, An analysis of Bennett’s pebble game. CoRR arXiv:abs/math/9508218 (1995)

  29. M. Lamberger, F. Mendel, M. Schläffer, C. Rechberger, V. Rijmen, The rebound attack and subspace distinguishers: Application to Whirlpool. Journal of Cryptology 28(2), 257–296 (2015)

    MathSciNet  Article  Google Scholar 

  30. G. Leurent, Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 344–371. Springer, Heidelberg (May 2016)

    Chapter  Google Scholar 

  31. R.Y. Levin, A.T. Sherman, A note on Bennett’s time-space tradeoff for reversible computation. SIAM J. Comput. 19(4), 673–677 (1990)

  32. F. Liu, T. Isobe, W. Meier, Preimages and collisions for up to 5-round Gimli-Hash using divide-and-conquer methods. Cryptology ePrint Archive, Report 2019/1080 (2019), https://eprint.iacr.org/2019/1080

  33. F. Liu, T. Isobe, W. Meier, Automatic verification of differential characteristics: Application to reduced Gimli. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 219–248. Springer, Heidelberg (Aug 2020)

    Google Scholar 

  34. F. Liu, T. Isobe, W. Meier, Exploiting weak diffusion of Gimli: A full-round distinguisher and reduced-round preimage attacks. Cryptology ePrint Archive, Report 2020/561 (2020), https://eprint.iacr.org/2020/561

  35. M. Matsui, Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT’93. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (May 1994)

    Google Scholar 

  36. M.A. Nielsen, I.L. Chuang, Quantum information and quantum computation. Cambridge: Cambridge University Press 2(8),  23 (2000)

  37. K. Nyberg, Linear approximation of block ciphers (rump session). In: Santis, A.D. (ed.) EUROCRYPT’94. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (May 1995)

    Google Scholar 

  38. M. Soos, K. Nohl, C. Castelluccia, Extending SAT solvers to cryptographic problems. In: Kullmann, O. (ed.) Theory and Applications of Satisfiability Testing - SAT 2009, 12th International Conference, SAT 2009, Swansea, UK, June 30 - July 3, 2009. Proceedings. Lecture Notes in Computer Science, vol. 5584, pp. 244–257. Springer (2009)

  39. R. Zong, X. Dong, X. Wang, Collision attacks on round-reduced Gimli-Hash/Ascon-Xof/Ascon-Hash. Cryptology ePrint Archive, Report 2019/1115 (2019), https://eprint.iacr.org/2019/1115

Download references

Acknowledgements

The authors would like to thank all the members of the cryptanalysis party meetings, for many useful comments and discussions, in particular many thanks to Anne Canteaut, Virginie Lallemand and Thomas Fuhr for many interesting discussions over previous versions of this work. Thanks to Donghoon Chang for finding some mistakes and inaccuracies, including an error in a 32-round version of our distinguisher. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 714294 - acronym QUASYModo).

Author information

Authors and Affiliations

  1. Inria, Paris, France

    Antonio Flórez-Gutiérrez, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin & Ferdinand Sibleyras

  2. Cryptology Group, CWI, Amsterdam, The Netherlands

    André Schrottenloher

Authors
  1. Antonio Flórez-Gutiérrez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gaëtan Leurent
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. María Naya-Plasencia
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Léo Perrin
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. André Schrottenloher
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Ferdinand Sibleyras
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to André Schrottenloher.

Additional information

Communicated by Tetsu Iwata

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is an extended version of the paper “New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions” which appeared in the proceedings of ASIACRYPT 2020 [18].

This work was carried out while André Schrottenloher was at Inria.

Appendix

Appendix

SP-Box Inverse

The SP-Box is a bijective operation, but its inverse is difficult to write (and it is never used).

  1. 1.

    Swap x and z

  2. 2.

    Perform:Footnote 3

    $$\begin{aligned} x_0&\leftarrow x_0' \\ y_0&\leftarrow y_0' + x_0' \\ z_0&\leftarrow z_0' + x_0' + y_0' \\ x_1&\leftarrow x_1' + z_0 \\ y_1&\leftarrow y_1' + x_1' + z_0 + (x_0 \vee z_0) \\ z_1&\leftarrow z_1' + y_1' + x_1' + z_0 + (x_0 \vee z_0) \\ x_2&\leftarrow x_2' + z_1 + (y_0 \wedge z_0) \\ y_2&\leftarrow y_2' + x_2' + z_1 + (y_0 \wedge z_0) + (x_1 \vee z_1) \\ z_2&\leftarrow z_2' + y_2' + x_2' + z_1 + (y_0 \wedge z_0) + (x_1 \vee z_1) \\ \forall 3 \le i \le 32, x_i&\leftarrow x_i' + z_{i-1} + (y_{i-2} \wedge z_{i-2}) \\ y_i&\leftarrow y_i' + x_i + (x_{i-1} \vee z_{i-1}) \\ z_i&\leftarrow z_i' + y_i + (x_{i-3} \wedge y_{i-3}) \end{aligned}$$
  3. 3.

    Rotate x and y: \(x_i = x_{i+24 \mod 32}\) and \(y_i = y_{i+9 \mod 32}\)

Gimli-Hash

figure e

Representation of Full Gimli

See Fig 10.

Fig. 10
figure 10

A representation of full Gimli

Full size image

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Flórez-Gutiérrez, A., Leurent, G., Naya-Plasencia, M. et al. Internal Symmetries and Linear Properties: Full-permutation Distinguishers and Improved Collisions on Gimli. J Cryptol 34, 45 (2021). https://doi.org/10.1007/s00145-021-09413-z

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s00145-021-09413-z

Keywords

  • \(\mathsf {Gimli}\)
  • Symmetries
  • Symmetric cryptanalysis
  • Full-round distinguisher
  • Collision attacks
  • Linear approximations