Book chapter Open access Peer-reviewed

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

2020; Springer Science+Business Media; Language: English

10.1007/978-3-030-64837-4_2

ISSN

1611-3349

Authors

Antonio Flórez Gutiérrez, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin, André Schrottenloher, Ferdinand Sibleyras

Topic(s)

Quantum-Dot Cellular Automata

Abstract

$$\mathsf {Gimli}$$ is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate $$\mathsf {Gimli}$$ is based on the permutation $$\mathsf {Gimli}$$, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in $$\mathsf {Gimli}$$ and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity $$2^{64}$$. We also provide a practical distinguisher on 23 out of the full 24 rounds of $$\mathsf {Gimli}$$ that has been implemented. Next, we give (full state) collision and semi-free-start collision attacks on $$\mathsf {Gimli}$$-Hash, reaching respectively up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round $$\mathsf {Gimli}$$-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in the permutation, and we propose differential-linear cryptanalysis that reaches up to 17 rounds of $$\mathsf {Gimli}$$.
