The Gimli permutation was proposed at CHES 2017 and is distinguished from other well-known permutation-based primitives by its cross-platform performance. One main strategy used to achieve this goal is a sparse linear layer (Small-Swap and Big-Swap), which is applied only every two rounds. In addition, the round constant addition occurs only every four rounds and affects only one 32-bit word. By exploiting these two facts, we demonstrate that it is feasible to construct a distinguisher for the full Gimli permutation with time complexity 2. The corresponding technique is named hybrid zero internal differential, since the internal difference and the XOR difference are traced simultaneously. Our distinguisher can be interpreted as a variant of the common differential distinguisher and the zero-sum distinguisher. Apart from the permutation itself, the weak diffusion, combined with some new properties of the SP-box, can also be used to accelerate preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 with a divide-and-conquer method. As a consequence, the preimage attack on 2-round Gimli-Hash is practical, and the attack can reach up to 5 rounds. For Gimli-XOF-128, our preimage attack can reach up to 9 rounds. To the best of our knowledge, this is the first attack on the full Gimli permutation, and our preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 are the best so far. Since Gimli is included in the second-round candidates of NIST's Lightweight Cryptography Standardization process, we expect that our analysis can advance the understanding of Gimli. It should be emphasized that this work cannot threaten the security of the hash scheme or the authenticated encryption scheme built on Gimli.
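As an added illustration (this code is not from the paper or the Gimli project), the following C implementation of the Gimli permutation, written from the CHES 2017 specification, makes the two structural features mentioned above visible in code: the swaps touch only the top row and only every second round, and the round constant is XORed into a single word every fourth round. The probe function injects a one-bit difference into one column of a constructed sample state and reports which columns differ after a given number of rounds; the word layout `state[4*row + column]` follows the reference description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Apply rounds 24 down to 24-nrounds+1 of Gimli; nrounds = 24 is the full permutation. */
void gimli_rounds(uint32_t state[12], int nrounds)
{
    for (int round = 24; round > 24 - nrounds; --round) {
        /* Nonlinear SP-box, applied to each of the four columns independently. */
        for (int col = 0; col < 4; ++col) {
            uint32_t x = rotl32(state[col], 24);
            uint32_t y = rotl32(state[4 + col], 9);
            uint32_t z = state[8 + col];
            state[8 + col] = x ^ (z << 1) ^ ((y & z) << 2);
            state[4 + col] = y ^ x ^ ((x | z) << 1);
            state[col]     = z ^ y ^ ((x & y) << 3);
        }
        /* Sparse linear layer: only the top row moves, and only in every second round. */
        if ((round & 3) == 0) {   /* Small-Swap: columns 0<->1 and 2<->3 */
            uint32_t t = state[0]; state[0] = state[1]; state[1] = t;
            t = state[2]; state[2] = state[3]; state[3] = t;
        }
        if ((round & 3) == 2) {   /* Big-Swap: columns 0<->2 and 1<->3 */
            uint32_t t = state[0]; state[0] = state[2]; state[2] = t;
            t = state[1]; state[1] = state[3]; state[3] = t;
        }
        /* Round constant: every fourth round, and only word 0 is affected. */
        if ((round & 3) == 0)
            state[0] ^= 0x9e377900u | (uint32_t)round;
    }
}

/* Bit mask of the columns (0..3) in which two states differ. */
unsigned gimli_column_diff_mask(const uint32_t a[12], const uint32_t b[12])
{
    unsigned mask = 0;
    for (int col = 0; col < 4; ++col)
        for (int row = 0; row < 3; ++row)
            if (a[4 * row + col] != b[4 * row + col]) mask |= 1u << col;
    return mask;
}

/* Diffusion probe: one-bit difference in column 2 (row 0) of a constructed state. */
unsigned gimli_probe_columns(int nrounds)
{
    uint32_t a[12], b[12];
    for (int i = 0; i < 12; ++i)   /* constructed sample input, not a test vector */
        a[i] = (uint32_t)(i * i * i) + (uint32_t)i * 0x9e3779b9u;
    memcpy(b, a, sizeof a);
    b[2] ^= 1u;
    gimli_rounds(a, nrounds);
    gimli_rounds(b, nrounds);
    return gimli_column_diff_mask(a, b);
}
```

Because the SP-box works column-wise and round 23 has no swap, the difference cannot reach columns 0 and 1 before the Big-Swap of round 22, which is exactly the slow diffusion the abstract refers to.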