
NORX replaces all the additions of the ChaCha20 quarter-round function with the non-linear $x \oplus y \oplus ((x \land y) \ll 1)$ operation. Gimli supposedly improves on it with $x \oplus y \oplus ((z \land y) \ll 1)$, adding a third input $z$ because, as they claim, it removes the need for the additional xor that NORX has. In addition the Gimli paper says "Gimli varies the 1-bit shift distance, improving diffusion compared to NORX and possibly even compared to ARX". So we end up with

$$\begin{aligned} a &\gets z \oplus y \oplus ((x \land y) \ll 3) \\ b &\gets y \oplus x \oplus ((x \lor z) \ll 1) \\ c &\gets x \oplus (z \ll 1) \oplus ((y \land z) \ll 2) \end{aligned}$$

My issue with this is that nowhere in the Gimli specification (as far as I could tell anyway) does it explain why they did $z \ll 1$ or why they used bitwise or in $x \lor z$, nor does it explain the exact parameter choices for the non-linear operation (why $a \gets z \oplus y \oplus ((x \land y) \ll 3)$ rather than $a \gets z \oplus x \oplus ((z \land y) \ll 3)$, for example).

Is there any justification for these changes that I might have missed?

Bob Semple

1 Answer


A bit late; if I had been pinged on this, I could have answered earlier.

  • $x \vee z$ was chosen for the following reason:

    • $a \wedge b$ is biased towards 0. As a result, if we only used $\wedge$, the linear weight of the equation would have a strong bias towards 0.
    • As $a \vee b$ is biased towards 1, this aims to compensate.
  • The $z \ll 1$ instead of just $z$ in the equation is necessary to ensure that this is a permutation; otherwise the equations do not have an inverse, and we really wanted a permutation and not a transformation.

  • As for why $z \oplus y \oplus ((x \land y) \ll 3)$, if you remove the $x \leftrightarrow z$ swap, you realize that the shape of the expression is:
    $x \leftarrow x \oplus z' \oplus EXPR$
    $y \leftarrow y \oplus x \oplus EXPR$
    $z \leftarrow z \oplus y \oplus EXPR$
    We already discussed why $z'$ is $z \ll 1$. Now if you look at $EXPR$ you notice that in all cases the destination is not included in the non-linear binary expression; as a result, this increases the complexity of linear trails, as you have to track more variables.

Biv
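An added example (my own code, not from the question, the answer or the Gimli authors) that makes the two points in the answer checkable: the SP-box from the question on w-bit words, a bit-serial inverse that exists precisely because every non-linear term is left-shifted, an exhaustive count on 4-bit words showing that dropping the $z \ll 1$ breaks bijectivity, and the 1/4 vs 3/4 bias of AND and OR. The word size parameter and the small-word exhaustive check are my own choices for illustration.

```python
def spbox(x, y, z, w=32, shift_z=True):
    """One Gimli-style non-linear step on w-bit words (formula from the question).
    shift_z=False is the hypothetical variant with plain z in the c equation."""
    m = (1 << w) - 1
    zz = (z << 1) & m if shift_z else z
    a = z ^ y ^ (((x & y) << 3) & m)
    b = y ^ x ^ (((x | z) << 1) & m)
    c = x ^ zz ^ (((y & z) << 2) & m)
    return a, b, c


def spbox_inverse(a, b, c, w=32):
    """Recover (x, y, z) from the LSB upwards. Every shifted term at output bit i
    only involves input bits below i, so bit i is a triangular linear system in
    x_i, y_i, z_i once the lower bits are known."""
    def bit(v, k):
        return (v >> k) & 1 if k >= 0 else 0  # bits shifted in from below are 0

    x = y = z = 0
    for i in range(w):
        t_a = bit(x, i - 3) & bit(y, i - 3)             # ((x & y) << 3) at bit i
        t_b = bit(x, i - 1) | bit(z, i - 1)             # ((x | z) << 1) at bit i
        t_c = bit(z, i - 1) ^ (bit(y, i - 2) & bit(z, i - 2))  # (z << 1) ^ ((y & z) << 2)
        xi = bit(c, i) ^ t_c
        yi = bit(b, i) ^ xi ^ t_b
        zi = bit(a, i) ^ yi ^ t_a
        x |= xi << i
        y |= yi << i
        z |= zi << i
    return x, y, z


def count_distinct_outputs(w, shift_z):
    """Number of distinct outputs over all 2^(3w) inputs; equals 2^(3w) iff bijective.
    Without the shift, a_0 ^ b_0 ^ c_0 == 0 always, so at most half the outputs occur."""
    seen = set()
    for x in range(1 << w):
        for y in range(1 << w):
            for z in range(1 << w):
                seen.add(spbox(x, y, z, w, shift_z))
    return len(seen)


def and_or_bias(w=8):
    """Fraction of set output bits of AND and OR over all pairs of w-bit words."""
    pairs = [(x, y) for x in range(1 << w) for y in range(1 << w)]
    total = len(pairs) * w
    ones_and = sum(bin(x & y).count("1") for x, y in pairs)
    ones_or = sum(bin(x | y).count("1") for x, y in pairs)
    return ones_and / total, ones_or / total
```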