A Preimage Attack on Reduced Gimli-Hash

Yongseong Lee, Jinkeon Kang, Donghoon Chang, Seokhie Hong

Research output: Chapter in Book/Report/Conference proceedingConference contribution


In CHES 2017, Bernstein et al. proposed Gimli, a 384-bit permutation with 24 rounds, which aims to provide high performance on various platforms. In 2019, the full-round (24 rounds) Gimli permutation was used as an underlying primitive for building AEAD Gimli-Cipher and hash function Gimli-Hash. They were submitted to the NIST Lightweight Cryptography Standardization process and selected as one of the second-round candidates. In ToSC 2021, Liu et al. presented a preimage attack with a divide-and-conquer method on round-reduced Gimli-Hash, which uses 5-round Gimli. In this paper, we present preimage attacks on a round-reduced variant of Gimli-Hash, in which the message absorbing phase uses 5-round Gimli and the squeezing phase uses 9-round Gimli. We call this variant as 5-9-round Gimli-Hash. Our first preimage attack on 5-9-round Gimli-Hash requires 2 96.44 time complexity and 2 97 memory complexity. This attack requires the memory for storing several precomputation tables in Gimli SP-box operations. In our second preimage attack, we take a time-memory trade-off approach, reducing memory requirements for precomputation tables but increasing computing time for solving SP-box equations by SAT solver. This attack requires 2 66.17 memory complexity and 2 96+ϵ time complexity, where ϵ is a time complexity for solving SP-box equations. Our experiments using CryptoMiniSat SAT solver show that the maximum time complexity for ϵ is about 2 20.57 9-round Gimli.

Original languageEnglish
Title of host publicationInformation Security and Cryptology – ICISC 2021 - 24th International Conference, Revised Selected Papers
EditorsJong Hwan Park, Seung-Hyun Seo
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages21
ISBN (Print)9783031088957
Publication statusPublished - 2022
Event24th International Conference on Information Security and Cryptology, ICISC 2021 - Seoul, Korea, Republic of
Duration: 2021 Dec 12021 Dec 3

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13218 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference24th International Conference on Information Security and Cryptology, ICISC 2021
Country/TerritoryKorea, Republic of


  • Gimli
  • Gimli-Hash
  • Hash function
  • Preimage attack

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'A Preimage Attack on Reduced Gimli-Hash'. Together they form a unique fingerprint.

Cite this