I am interested in seeing a "toy" version of the Gimli permutation for three (instead of twelve) 32-bit words. I see that the "core" sub-permutation of Gimli operates on three 32-bit words, but I don't know how to use it for constructing a 96-bit unkeyed permutation. Is it possible to modify the Gimli algorithm to devise such a function? If yes, how?
1 Answer
According to the spec, the Gimli state consists of four columns of three rows of 32-bit words, for a total of 4 × 3 × 32 = 4 × 96 = 384 bits. Each Gimli round consists of:
- a non-linear SP-box applied to each 96-bit column individually,
- on every second round, a linear mixing step that just swaps the first words of pairs of columns, and
- on every fourth round, a constant addition step that XORs the first word of the first column with a 32-bit round constant.
Probably the simplest way to reduce the Gimli permutation to 96 bits would therefore be to simply drop all but the first 96-bit column and omit the linear mixing step entirely, as it's the only part of Gimli that actually mixes the columns together. This will naturally give a 96-bit permutation that should resemble the full Gimli permutation in most respects, other than having a smaller state size.
Ilmari Karonen
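The reduction the answer describes, written out as an added example (this is not code from the question, the answer, or the Gimli project). The SP-box, the two swap steps and the round constants `0x9e377900 | r` follow the public Gimli reference design; the function names `sp_box`, `sp_box_inverse`, `gimli96`, `gimli96_inverse` and `gimli` are my own. The full 384-bit permutation is included only so the reader can check that a toy round is exactly the per-column piece of a full round on the rounds that have no swap and no constant, and a bit-serial inverse of the SP-box is included to show that the reduced construction really is a permutation (i.e. invertible), which is what makes it usable as an unkeyed permutation at all.

```python
"""Toy 96-bit Gimli: one column of the 384-bit state, swaps dropped.

Added example, not the Gimli project's own code. SP-box and round
constants follow the public Gimli reference design; names are my own.
"""

MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def sp_box(x: int, y: int, z: int) -> tuple:
    """Gimli's non-linear SP-box on one 96-bit column (three 32-bit words)."""
    x = rotl32(x, 24)
    y = rotl32(y, 9)
    new_z = x ^ ((z << 1) & MASK32) ^ (((y & z) << 2) & MASK32)
    new_y = y ^ x ^ (((x | z) << 1) & MASK32)
    new_x = z ^ y ^ (((x & y) << 3) & MASK32)
    return new_x, new_y, new_z


def sp_box_inverse(X: int, Y: int, Z: int) -> tuple:
    """Invert sp_box bit by bit from the LSB up, then undo the rotations.

    Bit i of each output depends only on bit i of one input and on
    *lower* bits of the others (the shifts move information upward),
    so the inputs can be recovered LSB-first.
    """
    def bit(w: int, k: int) -> int:
        return (w >> k) & 1 if k >= 0 else 0

    x = y = z = 0
    for i in range(32):
        xi = bit(Z, i) ^ bit(z, i - 1) ^ (bit(y, i - 2) & bit(z, i - 2))
        yi = bit(Y, i) ^ xi ^ (bit(x, i - 1) | bit(z, i - 1))
        zi = bit(X, i) ^ yi ^ (bit(x, i - 3) & bit(y, i - 3))
        x |= xi << i
        y |= yi << i
        z |= zi << i
    # sp_box rotated x left by 24 and y left by 9; rotate back.
    return rotl32(x, 8), rotl32(y, 23), z


def round_constant(r: int) -> int:
    """Gimli's per-round constant, added on rounds 24, 20, ..., 4."""
    return 0x9E377900 | r


def gimli96_round(col: tuple, r: int) -> tuple:
    """One toy round: SP-box on the column, constant every fourth round."""
    x, y, z = sp_box(*col)
    if r & 3 == 0:
        x ^= round_constant(r)
    return x, y, z


def gimli96(col, rounds: int = 24) -> tuple:
    """The reduced 96-bit permutation: 24 rounds, no swap steps."""
    if len(col) != 3:
        raise ValueError("gimli96 expects exactly three 32-bit words")
    col = tuple(w & MASK32 for w in col)
    for r in range(rounds, 0, -1):
        col = gimli96_round(col, r)
    return col


def gimli96_inverse(col, rounds: int = 24) -> tuple:
    """Undo gimli96: rounds in reverse order, constant undone before the SP-box."""
    x, y, z = (w & MASK32 for w in col)
    for r in range(1, rounds + 1):
        if r & 3 == 0:
            x ^= round_constant(r)
        x, y, z = sp_box_inverse(x, y, z)
    return x, y, z


def gimli(state, rounds: int = 24) -> list:
    """Full 384-bit Gimli for comparison. Column c is state[c], state[4+c], state[8+c]."""
    s = [w & MASK32 for w in state]
    for r in range(rounds, 0, -1):
        for c in range(4):
            s[c], s[4 + c], s[8 + c] = sp_box(s[c], s[4 + c], s[8 + c])
        if r & 3 == 0:  # small swap: first words of columns (0,1) and (2,3)
            s[0], s[1] = s[1], s[0]
            s[2], s[3] = s[3], s[2]
        if r & 3 == 2:  # big swap: first words of columns (0,2) and (1,3)
            s[0], s[2] = s[2], s[0]
            s[1], s[3] = s[3], s[1]
        if r & 3 == 0:
            s[0] ^= round_constant(r)
    return s


if __name__ == "__main__":
    # Constructed sample column, not a spec test vector.
    sample = (0x12345678, 0x9ABCDEF0, 0x0F1E2D3C)
    out = gimli96(sample)
    print([f"{w:08x}" for w in out])
    print(gimli96_inverse(out) == sample)
```

Two things worth noticing: on rounds where the full permutation has neither a swap nor a constant (those with `r & 3` in {1, 3}), `gimli(state, 1)` applied column by column agrees exactly with `gimli96(column, 1)`, which is the sense in which the toy version is "one column of Gimli"; and because every step (SP-box, constant XOR) is invertible, dropping the swaps cannot break bijectivity, so `gimli96_inverse` round-trips any input. What the reduction does lose is the cross-column diffusion that the swaps provide, so security margins of the full permutation do not carry over to the toy one.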