2020
DOI: 10.1007/978-3-030-64837-4_2

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

Abstract: Gimli is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate Gimli is based on the permutation Gimli, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in Gimli and its internal symmetries to build, for the first time, a distinguisher on the fu…

Cited by 10 publications (10 citation statements)
References 21 publications (43 reference statements)
“…Though our results do not pose a direct threat to the Gimli NIST candidate, low-complexity full-round distinguishers on the permutation or reduced-round attacks for a high proportion of the rounds (specially when not predicted by the designers) have been considered in some cases as an issue worth countering by proposing a tweak, as can be seen, for instance, in the modification proposed by the Spook team [2] to protect against the cryptanalysis results from [16]. In September 2020, after the results of [18] were made public, the NIST offered the submitters of second-round algorithms to propose status updates. In their document [6], the designers of Gimli acknowledged the collision attacks of Sect.…”
Section: Discussion (mentioning)
confidence: 99%
“…2 Differences with [18]. This article is an extended version of the paper "New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions" which appeared in the proceedings of ASIACRYPT 2020 [18]. Our new contributions are the state-recovery attacks explored in Sect.…”
Section: Introduction (mentioning)
confidence: 99%
“…Security Analysis. Since the Gimli permutation was first introduced in 2017 [129], several in-depth analyses [89, 130–135] have been conducted. For each scheme, the best-known attacks are shown in Table 7.…”
Section: Nistir Second Round Status Report (mentioning)
confidence: 99%
“…In Asiacrypt 2020, Flórez-Gutiérrez et al. [5] performed 24-round and 28-round distinguishing attacks against round-shifted GIMLI with time complexities of $2^{32}$ and $2^{64}$, respectively. Although many rounds of round-shifted GIMLI were analysed by the distinguishing attacks, there is no relation to the security of GIMLI-CIPHER or GIMLI-HASH.…”
Section: Introduction (mentioning)
confidence: 99%