A Preimage Attack on Reduced Gimli-Hash

Yongseong Lee; Jinkeon Kang; Donghoon Chang; Seokhie Hong

doi:10.1007/978-3-031-08896-4_11

A Preimage Attack on Reduced Gimli-Hash

Yongseong Lee, Jinkeon Kang, Donghoon Chang, Seokhie Hong

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In CHES 2017, Bernstein et al. proposed Gimli, a 384-bit permutation with 24 rounds, which aims to provide high performance on various platforms. In 2019, the full-round (24 rounds) Gimli permutation was used as an underlying primitive for building AEAD Gimli-Cipher and hash function Gimli-Hash. They were submitted to the NIST Lightweight Cryptography Standardization process and selected as one of the second-round candidates. In ToSC 2021, Liu et al. presented a preimage attack with a divide-and-conquer method on round-reduced Gimli-Hash, which uses 5-round Gimli. In this paper, we present preimage attacks on a round-reduced variant of Gimli-Hash, in which the message absorbing phase uses 5-round Gimli and the squeezing phase uses 9-round Gimli. We call this variant as 5-9-round Gimli-Hash. Our first preimage attack on 5-9-round Gimli-Hash requires 2 ^96.44 time complexity and 2 ⁹⁷ memory complexity. This attack requires the memory for storing several precomputation tables in Gimli SP-box operations. In our second preimage attack, we take a time-memory trade-off approach, reducing memory requirements for precomputation tables but increasing computing time for solving SP-box equations by SAT solver. This attack requires 2 ^66.17 memory complexity and 2 ⁹⁶⁺^ϵ time complexity, where ϵ is a time complexity for solving SP-box equations. Our experiments using CryptoMiniSat SAT solver show that the maximum time complexity for ϵ is about 2 ^20.57 9-round Gimli.

Original language	English
Title of host publication	Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers
Editors	Jong Hwan Park, Seung-Hyun Seo
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	217-237
Number of pages	21
ISBN (Print)	9783031088957
DOIs	https://doi.org/10.1007/978-3-031-08896-4_11
Publication status	Published - 2022
Event	24th International Conference on Information Security and Cryptology, ICISC 2021 - Seoul, Korea, Republic of Duration: 2021 Dec 1 → 2021 Dec 3

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13218 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	24th International Conference on Information Security and Cryptology, ICISC 2021
Country/Territory	Korea, Republic of
City	Seoul
Period	21/12/1 → 21/12/3

Keywords

Gimli
Gimli-Hash
Hash function
Preimage attack

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-031-08896-4_11

Cite this

Lee, Y., Kang, J., Chang, D., & Hong, S. (2022). A Preimage Attack on Reduced Gimli-Hash. In J. H. Park, & S-H. Seo (Eds.), Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers (pp. 217-237). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13218 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-08896-4_11

A Preimage Attack on Reduced Gimli-Hash. / Lee, Yongseong; Kang, Jinkeon; Chang, Donghoon et al.

Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers. ed. / Jong Hwan Park; Seung-Hyun Seo. Springer Science and Business Media Deutschland GmbH, 2022. p. 217-237 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13218 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Lee, Y, Kang, J, Chang, D & Hong, S 2022, A Preimage Attack on Reduced Gimli-Hash. in JH Park & S-H Seo (eds), Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13218 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 217-237, 24th International Conference on Information Security and Cryptology, ICISC 2021, Seoul, Korea, Republic of, 21/12/1. https://doi.org/10.1007/978-3-031-08896-4_11

Lee Y, Kang J, Chang D, Hong S. A Preimage Attack on Reduced Gimli-Hash. In Park JH, Seo S-H, editors, Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers. Springer Science and Business Media Deutschland GmbH. 2022. p. 217-237. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-08896-4_11

Lee, Yongseong ; Kang, Jinkeon ; Chang, Donghoon et al. / A Preimage Attack on Reduced Gimli-Hash. Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers. editor / Jong Hwan Park ; Seung-Hyun Seo. Springer Science and Business Media Deutschland GmbH, 2022. pp. 217-237 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{8a991ae4cd05432aa8b50c9bac0999f0,

title = "A Preimage Attack on Reduced Gimli-Hash",

abstract = "In CHES 2017, Bernstein et al. proposed Gimli, a 384-bit permutation with 24 rounds, which aims to provide high performance on various platforms. In 2019, the full-round (24 rounds) Gimli permutation was used as an underlying primitive for building AEAD Gimli-Cipher and hash function Gimli-Hash. They were submitted to the NIST Lightweight Cryptography Standardization process and selected as one of the second-round candidates. In ToSC 2021, Liu et al. presented a preimage attack with a divide-and-conquer method on round-reduced Gimli-Hash, which uses 5-round Gimli. In this paper, we present preimage attacks on a round-reduced variant of Gimli-Hash, in which the message absorbing phase uses 5-round Gimli and the squeezing phase uses 9-round Gimli. We call this variant as 5-9-round Gimli-Hash. Our first preimage attack on 5-9-round Gimli-Hash requires 2 96.44 time complexity and 2 97 memory complexity. This attack requires the memory for storing several precomputation tables in Gimli SP-box operations. In our second preimage attack, we take a time-memory trade-off approach, reducing memory requirements for precomputation tables but increasing computing time for solving SP-box equations by SAT solver. This attack requires 2 66.17 memory complexity and 2 96+ϵ time complexity, where ϵ is a time complexity for solving SP-box equations. Our experiments using CryptoMiniSat SAT solver show that the maximum time complexity for ϵ is about 2 20.57 9-round Gimli.",

keywords = "Gimli, Gimli-Hash, Hash function, Preimage attack",

author = "Yongseong Lee and Jinkeon Kang and Donghoon Chang and Seokhie Hong",

note = "Funding Information: This work was supported as part of Military Crypto Research Center(UD210027 XD) funded by Defense Acquisition Program Administra-tion(DAPA) and Agency for Defense Development(ADD). Funding Information: Acknowledgments. This work was supported as part of Military Crypto Research Center(UD210027 XD) funded by Defense Acquisition Program Administration(DAPA) and Agency for Defense Development(ADD). Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 24th International Conference on Information Security and Cryptology, ICISC 2021 ; Conference date: 01-12-2021 Through 03-12-2021",

year = "2022",

doi = "10.1007/978-3-031-08896-4_11",

language = "English",

isbn = "9783031088957",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "217--237",

editor = "Park, {Jong Hwan} and Seung-Hyun Seo",

booktitle = "Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers",

address = "Germany",

}

TY - GEN

T1 - A Preimage Attack on Reduced Gimli-Hash

AU - Lee, Yongseong

AU - Kang, Jinkeon

AU - Chang, Donghoon

AU - Hong, Seokhie

N1 - Funding Information: This work was supported as part of Military Crypto Research Center(UD210027 XD) funded by Defense Acquisition Program Administra-tion(DAPA) and Agency for Defense Development(ADD). Funding Information: Acknowledgments. This work was supported as part of Military Crypto Research Center(UD210027 XD) funded by Defense Acquisition Program Administration(DAPA) and Agency for Defense Development(ADD). Publisher Copyright: © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.

PY - 2022

Y1 - 2022

N2 - In CHES 2017, Bernstein et al. proposed Gimli, a 384-bit permutation with 24 rounds, which aims to provide high performance on various platforms. In 2019, the full-round (24 rounds) Gimli permutation was used as an underlying primitive for building AEAD Gimli-Cipher and hash function Gimli-Hash. They were submitted to the NIST Lightweight Cryptography Standardization process and selected as one of the second-round candidates. In ToSC 2021, Liu et al. presented a preimage attack with a divide-and-conquer method on round-reduced Gimli-Hash, which uses 5-round Gimli. In this paper, we present preimage attacks on a round-reduced variant of Gimli-Hash, in which the message absorbing phase uses 5-round Gimli and the squeezing phase uses 9-round Gimli. We call this variant as 5-9-round Gimli-Hash. Our first preimage attack on 5-9-round Gimli-Hash requires 2 96.44 time complexity and 2 97 memory complexity. This attack requires the memory for storing several precomputation tables in Gimli SP-box operations. In our second preimage attack, we take a time-memory trade-off approach, reducing memory requirements for precomputation tables but increasing computing time for solving SP-box equations by SAT solver. This attack requires 2 66.17 memory complexity and 2 96+ϵ time complexity, where ϵ is a time complexity for solving SP-box equations. Our experiments using CryptoMiniSat SAT solver show that the maximum time complexity for ϵ is about 2 20.57 9-round Gimli.

AB - In CHES 2017, Bernstein et al. proposed Gimli, a 384-bit permutation with 24 rounds, which aims to provide high performance on various platforms. In 2019, the full-round (24 rounds) Gimli permutation was used as an underlying primitive for building AEAD Gimli-Cipher and hash function Gimli-Hash. They were submitted to the NIST Lightweight Cryptography Standardization process and selected as one of the second-round candidates. In ToSC 2021, Liu et al. presented a preimage attack with a divide-and-conquer method on round-reduced Gimli-Hash, which uses 5-round Gimli. In this paper, we present preimage attacks on a round-reduced variant of Gimli-Hash, in which the message absorbing phase uses 5-round Gimli and the squeezing phase uses 9-round Gimli. We call this variant as 5-9-round Gimli-Hash. Our first preimage attack on 5-9-round Gimli-Hash requires 2 96.44 time complexity and 2 97 memory complexity. This attack requires the memory for storing several precomputation tables in Gimli SP-box operations. In our second preimage attack, we take a time-memory trade-off approach, reducing memory requirements for precomputation tables but increasing computing time for solving SP-box equations by SAT solver. This attack requires 2 66.17 memory complexity and 2 96+ϵ time complexity, where ϵ is a time complexity for solving SP-box equations. Our experiments using CryptoMiniSat SAT solver show that the maximum time complexity for ϵ is about 2 20.57 9-round Gimli.

KW - Gimli

KW - Gimli-Hash

KW - Hash function

KW - Preimage attack

UR - http://www.scopus.com/inward/record.url?scp=85135174105&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-08896-4_11

DO - 10.1007/978-3-031-08896-4_11

M3 - Conference contribution

AN - SCOPUS:85135174105

SN - 9783031088957

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 217

EP - 237

BT - Information Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers

A2 - Park, Jong Hwan

A2 - Seo, Seung-Hyun

PB - Springer Science and Business Media Deutschland GmbH

T2 - 24th International Conference on Information Security and Cryptology, ICISC 2021

Y2 - 1 December 2021 through 3 December 2021

ER -