General | |
---|---|
Designers | Daniel J. Bernstein, Stefan Kölbl, Stefan Lucks, Pedro Maat Costa Massolino, Florian Mendel, Kashif Nawaz, Tobias Schneider, Peter Schwabe, François-Xavier Standaert, Yosuke Todo, Benoît Viguier |
First published | 27 June 2017 (7 years ago) (2017-06-27) |
Detail | |
Rounds | 24 |
Best public cryptanalysis | |
Distinguisher against full-round Gimli with 2 work |
Gimli is a 384-bit cryptographically secure pseudorandom permutation that can be used to construct a hash function or stream cipher by using it in a sponge construction.
One stated design goal is the ability to deliver high speeds on many different platforms from 8-bit AVR CPUs to 64-bit desktop CPUs while still maintaining high security.
It has been submitted to the second round of the NIST Lightweight Cryptography Standardization Process.
Algorithm
Gimli has a 384-bit state represented by a 3×4 matrix of 32-bit words. A column is represented by 3×32 = 96 bits while a row is represented by 4×32 = 128 bits.
Each round, each of the 4 columns is separately split into 3 32-bit words x, y and z.
Those are then transformed according to the following 3 steps in parallel.
Step 1:
Step 2:
Step 3:
After every fourth round starting from the first round, the first and second word and the third and fourth word are swapped. This is called "Small-Swap".
After every fourth round starting from the third round, the first and third word and the second and fourth word are swapped. This is called "Big-Swap".
The round number decrements starting from 24 and when it reaches 24, 20, 16, 12, 8 or 4, the round number or 0x9e377900 is xored into the first word of the state.
The magic constant 0x9e377900 is chosen to be the upper 3 bytes of ⌊2⁄𝜙⌋, which would be 0x9e3779b9, where 𝜙 is the golden ratio (as a nothing-up-my-sleeve number)
An implementation of the core permutation in C/C++ appears below.
#include <stdint.h> #define ROTL(x, b) (b == 0 ? x : ((x << b) | (x >> (32 - b)))) void gimli(uint32_t *state) { uint32_t x, y, z; for (int round = 24; round > 0; --round) { for (int column = 0; column < 4; ++column) { x = ROTL(state, 24); y = ROTL(state, 9); z = state; state = x ^ (z << 1) ^ ((y & z) << 2); state = y ^ x ^ ((x | z) << 1); state = z ^ y ^ ((x & y) << 3); } if ((round & 3) == 0) { x = state; state = state; state = x; x = state; state = state; state = x; } if ((round & 3) == 2) { x = state; state = state; state = x; x = state; state = state; state = x; } if ((round & 3) == 0) { state ^= (round | 0x9e377900); } } }
Implementation and usage
- The reference implementation provided with the specification
- libhydrogen: a cryptographic library that constructs all primitives using Gimli and Curve25519
- liblithium: like libhydrogen and maintained by Tesla
See also
- Keccak: another permutation.
References
- "New results on Gimli: full-permutation distinguishers and improved collisions". Retrieved 2024-11-24.
- "Gimli: a cross-platform permutation" (PDF). Retrieved 2024-11-24.
- "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process" (PDF). Retrieved 2024-11-24.
- "Gimli: Spec". Gimli. Retrieved 2024-11-24.
| |||||||||||||||||||||
|
This cryptography-related article is a stub. You can help Misplaced Pages by expanding it. |