Gimli认证加密方案的不可能差分分析

doi:10.19665/j.issn1001-2400.2022.05.024

Abstract

Abstract:

Gimli is a candidate for the second round of lightweight encryption algorithm standards initiated by the National Institute of Standards and Technology of the United States.The current security analysis of Gimli focuses mainly on the Gimli permutation,Gimli hash function,and Gimli authenticated encryption with associated data.The Gimli authenticated encryption scheme generally adopts a sponge structure,which is suitable for data encryption scenarios in restricted environments.At present,the best result of the state recovery attack on the Gimli authenticated encryption scheme is 9 rounds,with a time complexity of 2¹⁹⁰ and a data complexity of 2¹⁹².This paper designs a differential propagation system based on Gimli permutation,and finds a 7-round impossible differential suitable for analyzing the sponge structure authenticated encryption scheme.This impossible differential only limits the value of the 1-bit output difference,which significantly reduces the time complexity and data complexity of the state recovery phase.In this paper,7 rounds of the impossible differential are extended forward for 4 rounds,and the state recovery attack on 11 rounds of the Gimli authenticated encryption scheme is successfully realized.In the state recovery phase,based on the weak diffusion of the first two rounds of Gimli replacement,the 2¹²⁸ key guesses are reduced to two 2⁶⁴ key guesses.The time complexity of this state recovery attack is about 2¹¹⁰ times encryption,and the data complexity is about 2^52.5,which is better than the state restoration attack result of the Gimli authenticated encryption scheme in the existing public literature.

Key words: gimli, lightweight cipher, authenticated encryption scheme, difference propagation system, impossible differential

CLC Number:

TN918

TAN Hao,SHEN Bing,MIAO Xudong,ZHANG Wenzheng. Impossible differential cryptanalysis of the Gimli authenticated encryption scheme[J].Journal of Xidian University, 2022, 49(5): 213-220.

Figures/Tables 10

符号	说明	符号	说明
N	128 bit nonce	Δ $g i k$	经过k轮加密的状态中第i个比特的差分
T	128 bit标签	⊕	按位异或运算符
K	256 bit密钥	∧	按位逻辑与运算符
M	待加密消息	∨	按位逻辑或运算符
A	关联数据AD(Associated Data)	<<<	循环左移运算符
s_i_,_j	状态中第i行第j列的字	<<	左移运算符
$s i, j k$	经过k轮加密的状态中第i行第j列的字	‖	级联运算符
Δ $s i, j k$	经过k轮加密的状态中第i行第j列字的差分	tounit32()	将4 B转换成32 bit无符号整数
$g i k$	经过k轮加密的状态中第i个比特	tobytes()	将32 bit无符号整数转换成4 B

References 12

[1]	BERNSTEIN D J, KOELBL S, LUCKS S, et al. Gimli: A Cross-Platform Permutation[C]//Lecture Notes in Computer Science:10529. Heidelberg: Springer Verlag, 2017:299-320.
[2]	BERNSTEIN D J, KOELBL S, LUCKS S, et al. Gimli[R/OL].[2021-09-20]. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/submissions-rnd2/gimli.zip .
[3]	HAMBURG M. Cryptanalysis of 22 1/2 Rounds of Gimli[R/OL].[2021-09-20]. http://eprint.iacr.org/2017/743 .
[4]	LIU F, ISOBE T, MEIER W. Automatic Verification of Differential Characteristics: Application to Reduced Gimli[C]//Lecture Notes in Computer Science:12172. Heidelberg: Springer Verlag, 2020:219-248.
[5]	LIU F, ISOBE T, MEIER W. Exploiting Weak Diffusion of Gimli:Improved Distinguishers and Preimage Attacks[J]. IACR Transactions on Symmetric Cryptology, 2021(1):185-216.
[6]	GUTIERREZ A F, LEURENT G, NAYA-PLASENCIA M, et al. New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions[C] //Lecture Notes in Computer Science:12491. Heidelberg: Springer Verlag, 2020:33-63.
[7]	BIHAM E, BIRYUKOV A, SHAMIR A. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials[C]//Lecture Notes in Computer Science:1592. Heidelberg: Springer Verlag, 1999:12-23.
[8]	魏悦川, 潘晓中, 戎宜生, 等. 对PRINCE分组密码的不可能差分攻击[J]. 西安电子科技大学学报, 2017, 44(1):119-124.
	WEI Yuechuan, PAN Xiaozhong, RONG Yisheng, et al. Impossible Differential Cryptanalysis on the PRINCE[J]. Journal of Xidian University, 2017, 44(1):119-124.
[9]	KIM J, HONG S, Lee S, et al. Impossible Differential Cryptanalysis for Block Cipher Structures[C]//Lecture Notes in Computer Science:2904. Heidelberg: Springer Verlag, 2003:82-96.
[10]	WU S, WANG M. Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers[C]//Lecture Notes in Computer Science:7668. Heidelberg: Springer Verlag, 2012:283-302.
[11]	CUI T, CHEN S, FU K, et al. New Automatic Tool for Finding Impossible Differentials and Zero-Correlation Linear Approximations[J/OL].[2021-02-01].DOI:10.1007/s11432-018-1506-4. doi: 10.1007/s11432-018-1506-4
[12]	SUN S, HU L, WANG P, et al. Automatic Security Evaluation and(Related-key) Differential Characteristic Search:Application to SIMON,PRESENT,LBlock,DES(L) and Other Bit-Oriented Block Ciphers[C]//Lecture Notes in Computer Science:8873. Heidelberg: Springer Verlag, 2014:158-178.

方案	攻击类型	轮数	数据复杂度	时间复杂度	文献
Gimli AE方案	状态恢复	9	2¹⁹²	2¹⁹⁰	[4]
Gimli AE方案	状态恢复	11	2^52.5	2¹¹⁰	文中
Gimli置换	区分器	24	可忽略	2⁶⁴	[6]
Gimli置换	区分器	24	可忽略	2⁵²	[5]
Gimli杂凑函数	碰撞	6	2⁶⁴	2⁶⁴	[4]
Gimli杂凑函数	碰撞	12^a	可忽略	2⁹⁶	[6]

Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂	Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂
		0	0	0	0	0			0	0	0	0	1
0	0	0	1	1	0	0	0	1	0	0	0	1	0
		0	0	0	1	1			1	1	1	0	1
		0	1	1	1	1			1	1	1	1	0
		1	0	1	1	1			0	0	1	1	0
1	0	0	0	1	0	0	1	1	1	0	1	0	1
		0	1	0	0	0			1	1	0	1	0
		1	1	0	1	1			0	1	0	0	1

Impossible differential cryptanalysis of the Gimli authenticated encryption scheme

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 12

Related Articles 3

Metrics

Comments

Recommended 0

Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂	Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂
		0	0	0	0	0			0	0	0	0	1
0	0	0	1	1	0	0	0	1	0	0	0	1	0
		0	0	0	1	1			1	1	1	0	1
		0	1	1	1	1			1	1	1	1	0
		1	0	1	1	1			0	0	1	1	0
1	0	0	0	1	0	0	1	1	1	0	1	0	1
		0	1	0	0	0			1	1	0	1	0
		1	1	0	1	1			0	1	0	0	1

[1]	LIU Ya,GONG Jiaxin,ZHAO Fengyu. Impossible differential attack on the encryption algorithm Simpira v2 [J]. Journal of Xidian University, 2022, 49(5): 201-212.
[2]	CHEN Jie;HU Yu-pu;ZHANG Yue-yu. Impossible differential attack on the 17-round block cipher SMS4 [J]. J4, 2008, 35(3): 455-458.
[3]	CHEN Jie;ZHANG Yue-yu;HU Yu-pu. A new method for impossible differential cryptanalysis of the 6-round advanced encryption standard [J]. J4, 2006, 33(4): 598-601.

Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂	Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂
		0	0	0	0	0			0	0	0	0	1
0	0	0	1	1	0	0	0	1	0	0	0	1	0
		0	0	0	1	1			1	1	1	0	1
		0	1	1	1	1			1	1	1	1	0
		1	0	1	1	1			0	0	1	1	0
1	0	0	0	1	0	0	1	1	1	0	1	0	1
		0	1	0	0	0			1	1	0	1	0
		1	1	0	1	1			0	1	0	0	1

Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂	Δa	Δb	η(Δa,Δb,∧)	a₁	a₂	b₁	b₂
		0	0	0	0	0			0	0	0	0	1
0	0	0	1	1	0	0	0	1	0	0	0	1	0
		0	0	0	1	1			1	1	1	0	1
		0	1	1	1	1			1	1	1	1	0
		1	0	1	1	1			0	0	1	1	0
1	0	0	0	1	0	0	1	1	1	0	1	0	1
		0	1	0	0	0			1	1	0	1	0
		1	1	0	1	1			0	1	0	0	1