First of all, this is purely a thought experiment. The width of Gimli isn't even a power of two (384 bits), and at secondary storage bus speeds it isn't even worth using a high-performance permutation like Gimli. So from a practical perspective, this is totally pointless.

But it's nonetheless an interesting one. And from it, I have three concrete questions that can be considered:

  1. Can we build a tweakable bijective keyed permutation from just a pseudo-random forward permutation?

  2. Is there a practical disk encryption system using only a forward permutation?

  3. How do we interpret the "new conventional wisdom" that "a permutation is a better unified primitive than a block cipher"?

The Gimli paper can be found here.

1 Answer

Disclaimer: I'm one of the authors of the said permutation.

  1. Gimli does not aim to be used as a block cipher (in the traditional sense of it: $x \to (\sigma \circ K_{\mathit{add}})^{\mathit{nb}_{\mathit{rounds}}}$ with a block size of 384 bits or similar constructions); it is better to use it with a sponge construction such as Monkey-Duplex/Monkey-Wrap or Farfalle.
    An example of such a construction would be the design of Ketje Sr.

  2. No Idea.

  3. Imagine there's no block ciphers, it's easy if you try :-)


    Joan Daemen at FSE 2017 [abstract] [slides]

    (I really advise you to have a look at the slides.)

    The idea here is to have a unique permutation (Gimli? :D) from which you can derive the rest (hash functions, CPRNG, etc.). Sure, you can use a Davies–Meyer or Even–Mansour with a Merkle–Damgård construction to build a hash function from a block cipher. But using a sponge construction is more elegant and efficient: you only have one piece of code for the permutation and the design is easier to read (thus understand and verify).

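The "one permutation, many primitives" idea from the answer above, as an added example that is not part of the question, the answer or the Gimli project's own code: a plain sponge in Python over the Gimli permutation, from which both an unkeyed hash and a keyed keystream/PRNG fall out of the same code. Assumptions: the `gimli` function is my transcription of the published reference round and is not checked here against the paper's test vectors; the 16-byte rate and the 0x01/0x01 padding follow what I recall of Gimli-Hash.

```python
import struct

MASK = 0xFFFFFFFF
RATE = 16      # 128-bit rate leaves a 256-bit capacity in the 384-bit state

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def gimli(s):
    # 12 words: s[0..3] row x, s[4..7] row y, s[8..11] row z; column c = (s[c], s[4+c], s[8+c]).
    # Assumption: my transcription of the Gimli reference round, not checked against the paper's test vector.
    s = list(s)
    for r in range(24, 0, -1):
        for c in range(4):                              # non-linear SP-box on every column
            x, y, z = rotl(s[c], 24), rotl(s[4 + c], 9), s[8 + c]
            s[8 + c] = (x ^ (z << 1) ^ ((y & z) << 2)) & MASK
            s[4 + c] = (y ^ x ^ ((x | z) << 1)) & MASK
            s[c] = (z ^ y ^ ((x & y) << 3)) & MASK
        if r % 4 == 0:                                  # small swap, then round constant
            s[0], s[1], s[2], s[3] = s[1], s[0], s[3], s[2]
            s[0] ^= 0x9E377900 ^ r
        elif r % 4 == 2:                                # big swap
            s[0], s[1], s[2], s[3] = s[2], s[3], s[0], s[1]
    return s

def permute(state):
    # apply the permutation to a 48-byte state, little-endian words as in the reference code
    return bytearray(struct.pack('<12I', *gimli(struct.unpack('<12I', state))))

def sponge(data, out_len):
    # Plain sponge: absorb into the rate, permute, pad, then squeeze out_len bytes.
    state = bytearray(48)
    full = len(data) - len(data) % RATE
    for start in range(0, full, RATE):
        for i in range(RATE): state[i] ^= data[start + i]
        state = permute(state)
    tail = data[full:]
    for i, b in enumerate(tail): state[i] ^= b
    state[len(tail)] ^= 0x01      # simple domain-separating pad (assumed, as in Gimli-Hash)
    state[47] ^= 0x01
    state = permute(state)
    out = bytearray()
    while True:
        out += state[:RATE]
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = permute(state)

def gimli_hash(msg): return sponge(msg, 32)                  # unkeyed use: a 256-bit hash
def keystream(key, nonce, n): return sponge(key + nonce, n)  # keyed use of the same code
```

Because the capacity is never output, squeezing more bytes from a secret input gives a keystream with no Merkle–Damgård-style length-extension structure to worry about.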