Questions tagged [gimli]
Question related to Gimli : usage, security, cryptanalysis.
13 questions
5
votes
1
answer
300
views
What is the security model of a public random permutation?
Security proofs of schemes like the sponge construction assumes that a permutation $P$ is chosen uniformly at random and the attacker is given access to oracles for $P$ and $P^{-1}$. When the sponge ...
- 133
0
votes
1
answer
204
views
What is the inverse of this variant of the Gimli SP-box?
Consider a slightly modified variant of the Gimli SP-box:
...
- 1,478
4
votes
1
answer
695
views
Are libhydrogen's Gimli permutations production ready?
I've recently had a situation in which a recommendation for an easy-to-use, hard-to-misuse cryptographic library for Java was required. The first choice was Google's Tink, since it was designed ...
- 445
3
votes
0
answers
229
views
Does the security proof of HMAC somehow change if it's instantiated with sponge-based hash functions with small rate and large capacity?
HMAC was introduced in [1], as a MAC that has its security proof based on the properties on the underlaying hash function.
The hash functions considered in that paper were ones based on the Merkle-...
- 11.7k
5
votes
1
answer
217
views
How to fix the issue with Gimli full permutation distinguisher?
A new paper "New results on Gimli: full-permutation distinguishers and improved collisions" has been published stating a full 24-round permutation distinguisher with a cost of $2^{64}$ and ...
- 2,318
1
vote
0
answers
96
views
CSPRNG for Contract Bridge (RAND_MAX = 0xAD55E315634DDA658BF49200)
Some background information:
In contract bridge, there are 0xAD55E315634DDA658BF49200 (just under 2^96) possible bridge deals. Since the 1990s, bridge deals for major tournaments were generated on ...
- 11
1
vote
1
answer
195
views
The Gimli non-linear operator
NORX replaces all the additions of the Chacha20 quarter-round function with the non-linear $x \oplus y \oplus ((x \land y) \ll 1)$ operation. Gimli supposedly improves on it with $x \oplus y \oplus ((...
- 143
3
votes
0
answers
128
views
Provably secure way of expanding permutations
Gimli is a 384-bit permutation that makes use of an internal 96-bit permutation which works on columns. Every 4 rounds starting from the 1st a "small swap" is performed and every 4 rounds ...
- 143
4
votes
1
answer
1k
views
How strong is XooDoo vs AES?
What is Gimli, and how does XooDoo compare to symmetric ciphers such as AES or ChaCha?
I am looking at this library, called charm.
Interesting paper here.
I also ...
- 1,464
4
votes
1
answer
253
views
How to construct a "toy" version of Gimli permutation for three (instead of twelve) 32-bit words?
I am interested to see a "toy" version of the Gimli permutation for three (instead of twelve) 32-bit words. I see that the "core" sub-permutation of Gimli operates on three 32-bit words, but I don't ...
- 1,478
6
votes
1
answer
951
views
Can ChaCha20 be repurposed as a general purpose permutation function like Gimli?
I like the idea behind Gimli and libhydrogen but in my benchmarks Gimli permutation function is considerably slower than ChaCha20 one. By considerably I mean four times slower using SIMD builtins. ...
- 643
15
votes
1
answer
1k
views
Doubt about published test vectors for gimli hash
In https://eprint.iacr.org/2017/630.pdf and https://gimli.cr.yp.to/gimli-20170627.pdf there are test vectors for the gimli hash function. I have compile the reference C code test_hash.c from https://...
- 1,015
5
votes
1
answer
976
views
How to build disk encryption system using forward permutations like Gimli?
First of all, this is purely a thought experiment. The width of Gimli isn't even a power of two (384 bits), and secondary storage bus speeds aren't even worth using a high performance permutation like ...
- 11.7k