Questions tagged [gimli]

Questions related to Gimli: usage, security, cryptanalysis.

The IACR Paper (also published at CHES 2017) can be found here.

Gimli is a 384-bit permutation designed to be fast on most platforms (but not necessarily the fastest on each of them).

It aims to be used in constrained environments such as ARM Cortex-M3/M4, but it can also be easily vectorized (AVX and SSE) to reach high performance on CPUs that support those instruction sets.

Gimli is intended to be used mostly as the permutation in sponge constructions. Its 384-bit width allows a rate of r = 128 bits and a capacity of c = 256 bits, which provides a 128-bit security level without sacrificing much rate. Such security cannot be attained with a smaller permutation (e.g. one of width 256 bits).

Note: Biv is one of the authors.

12 questions
15 votes · 1 answer

Doubt about published test vectors for gimli hash

In https://eprint.iacr.org/2017/630.pdf and https://gimli.cr.yp.to/gimli-20170627.pdf there are test vectors for the Gimli hash function. I have compiled the reference C code test_hash.c from https://gimli.cr.yp.to/gimli-20170627.tar.gz on two…
gammatester · 1,005 · 1 · 8 · 12
6 votes · 1 answer

Can ChaCha20 be repurposed as a general purpose permutation function like Gimli?

I like the idea behind Gimli and libhydrogen, but in my benchmarks the Gimli permutation function is considerably slower than the ChaCha20 one. By considerably I mean four times slower using SIMD builtins. This is a big difference. Moreover, ChaCha20 is more…
user3368561 · 623 · 5 · 13
5 votes · 1 answer

How to fix the issue with Gimli full permutation distinguisher?

A new paper, "New results on Gimli: full-permutation distinguishers and improved collisions", has been published stating a full 24-round permutation distinguisher with a cost of $2^{64}$ and a 23-round one with a cost of $2^{32}$, and has been…
hardyrama · 2,288 · 1 · 17 · 41
5 votes · 1 answer

How to build disk encryption system using forward permutations like Gimli?

First of all, this is purely a thought experiment. The width of Gimli isn't even a power of two (384 bits), and secondary storage bus speeds aren't even worth using a high-performance permutation like Gimli for. So from a practical perspective, this is…
DannyNiu · 10,640 · 2 · 27 · 64
4 votes · 1 answer

Are libhydrogen's Gimli permutations production ready?

I've recently had a situation in which a recommendation for an easy-to-use, hard-to-misuse cryptographic library for Java was required. The first choice was Google's Tink, since it was designed specifically for that purpose. Given its association…
MechMK1 · 445 · 5 · 18
4 votes · 1 answer

How strong is XooDoo vs AES?

What is Gimli, and how does XooDoo compare to symmetric ciphers such as AES or ChaCha? I am looking at this library, called charm. Interesting paper here. I also note the paper on XooDoo here. There were no questions on XooDoo on this site, so I'm…
Woodstock · 1,454 · 1 · 15 · 26
4 votes · 1 answer

How to construct a "toy" version of Gimli permutation for three (instead of twelve) 32-bit words?

I am interested in seeing a "toy" version of the Gimli permutation for three (instead of twelve) 32-bit words. I see that the "core" sub-permutation of Gimli operates on three 32-bit words, but I don't know how to use it for constructing a 96-bit…
lyrically wicked · 1,379 · 7 · 11
3 votes · 0 answers

Does the security proof of HMAC somehow change if it's instantiated with sponge-based hash functions with small rate and large capacity?

HMAC was introduced in [1], as a MAC whose security proof is based on the properties of the underlying hash function. The hash functions considered in that paper were ones based on the Merkle–Damgård paradigm, where in most cases block sizes…
DannyNiu · 10,640 · 2 · 27 · 64
3 votes · 0 answers

Provably secure way of expanding permutations

Gimli is a 384-bit permutation that makes use of an internal 96-bit permutation which works on columns. Every 4 rounds starting from the 1st, a "small swap" is performed, and every 4 rounds starting from the 3rd round a "big swap" is performed; these…
1 vote · 0 answers

CSPRNG for Contract Bridge (RAND_MAX = 0xAD55E315634DDA658BF49200)

Some background information: In contract bridge, there are 0xAD55E315634DDA658BF49200 (just under 2^96) possible bridge deals. Since the 1990s, bridge deals for major tournaments were generated on PCs and dealt using dealing machines. Initially, the…
1 vote · 1 answer

The Gimli non-linear operator

NORX replaces all the additions of the ChaCha20 quarter-round function with the non-linear $x \oplus y \oplus ((x \land y) \ll 1)$ operation. Gimli supposedly improves on it with $x \oplus y \oplus ((z \land y) \ll 1)$, adding a third input $z$…
Bob Semple · 143 · 4
0 votes · 1 answer

What is the inverse of this variant of the Gimli SP-box?

Consider a slightly modified variant of the Gimli SP-box: `function spbox(s) { x = s[0]; y = s[1]; z = s[2]; X = x ^ (z << 1) ^ ((x ^ (y | ~z)) << 1); Y = y ^ x ^ ((y ^ (x | z)) << 1); Z = z ^ y ^ ((z ^ (x & y)) << 1); …`
lyrically wicked · 1,379 · 7 · 11