Exploiting Weak Diffusion of Gimli: Improved Distinguishers and Preimage Attacks

• Main Authors: Fukang Liu, Takanori Isobe, Willi Meier
• Format: Article
• Language: English
• Published: Ruhr-Universität Bochum 2021-03-01
• Series: IACR Transactions on Symmetric Cryptology
• Subjects: hash function; Gimli; Gimli-Hash; Gimli-XOF; preimage attack; distinguisher
• Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/8837

The Gimli permutation proposed in CHES 2017 was designed for cross-platform performance. One main strategy to achieve such a goal is to utilize a sparse linear layer (Small-Swap and Big-Swap), which occurs every two rounds. In addition, the round constant addition occurs every four rounds and only one 32-bit word is affected by it. The above two facts have been recently exploited to construct a distinguisher for the full Gimli permutation with time complexity 264. By utilizing a new property of the SP-box, we demonstrate that the time complexity of the full-round distinguisher can be further reduced to 252 while a significant bias still remains. Moreover, for the 18-round Gimli permutation, we could construct a distinguisher even with only 2 queries. Apart from the permutation itself, the weak diffusion can also be utilized to accelerate the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 with a divide-and-conquer method. As a consequence, the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 can reach up to 5 rounds and 9 rounds, respectively. Since Gimli is included in the second round candidates in NIST’s Lightweight Cryptography Standardization process, we expect that our analysis can further advance the understanding of Gimli. To the best of our knowledge, the distinguishing attacks and preimage attacks are the best so far.