Hello everyone, the title of this talk is Exploiting Weak Diffusion of Gimli: Improved Distinguishers and Preimage Attacks. This is a joint work with Takanori Isobe and Willi Meier. This is the overview of this talk: I will first describe Gimli and then describe our attacks. Finally, this talk will be summarized.

Gimli is a cross-platform permutation designed by Bernstein et al. at CHES 2017. It was one of the second-round candidates in the NIST lightweight cryptography competition. Two notable features of the Gimli permutation are low diffusion and high symmetry. This is the Gimli state. It can be viewed as a 3 x 4 two-dimensional array, and each element in the array is a 32-bit state word. The total number of rounds of the Gimli permutation is 24, and the sequence of operations for the Gimli permutation is specified here. So at the first round, the SP operation, the small-swap operation and the add-round-constant operation will be applied. At the second round, only the SP operation will be applied. At the third round, the SP and the big-swap operation will be applied. At the fourth round, again only the SP operation will be applied. After repeating such operations 6 times, we obtain the 24-round permutation.

This is the summary of related attacks on Gimli in the classical setting. As you can see from this table, we can construct a distinguisher on 18-round Gimli with time complexity 2. In addition, we can improve the best full-round distinguisher by a factor of 2 to the 12. In addition, the preimage attacks on Gimli-Hash and Gimli-XOF-128 can reach up to 5 and 9 rounds respectively. So all the results are the best as far as we know.

First I will describe the 18-round distinguisher. Let us consider the state A9, which is the state after 9-round Gimli. So we consider a state A9 such that the second column and the fourth column are the same, while the first column and the third column only differ at the first row, and they satisfy the condition that the XOR is exactly the used round constant. Then at the state A8, we can find that the third column will be equal to the first column, and the fourth column will be equal to the second column. Such symmetry will not be destroyed by the inverse of SP and the big-swap operation. So at the state A5, we still have such symmetry. However, due to the round constant addition and the small-swap operation, at the state A4, we can only have that the first column is equal to the third column. Again, such a property will not be destroyed by the inverse of SP and the big-swap operation. So at the state A1, we still have that the first column will be equal to the third column. Again at the state A5, we can have that the last two rows of the first column and the third column are still equal. However, for the input A0, we no longer have such a strong symmetry. However, by studying some property of the SP-box, we can find that there are still some identical bits in the first column and the third column. So later I will give the details.

Then we trace the symmetry forward from A9 for four rounds. At the state A10, we can only have that the second column is equal to the fourth column. However, the third column and the first column will not be equal anymore. Then at the state A12, we still have that the second column is equal to the fourth column, while there is no such beautiful symmetric property between the third column and the first column. Then at the state A13, we can only have that the last two rows of the second column and the fourth column are identical. So if we further study A14, we can find that we completely lose such beautiful symmetric properties. So how to find a way to make such a symmetric property hold for as many rounds as possible? Let us consider a state B9, which is obtained by swapping the words at the first and third columns of the first row of A9.
In this way, we can find that at the state B13, the second column of B13 will be equal to the fourth column of A13, and the fourth column of B13 will be equal to the second column of A13. Then we are interested in the evolution of the symmetry between A13 and B13 for more rounds. We can find that at the states B14, A14, A15, B15, A16 and B16 such a symmetry will be preserved. Then at the states A17 and B17, for the last two rows of the second column and the fourth column, such a property will still be preserved. So our aim is to study whether there are still some symmetric bits in A18 and B18. We find that there is still some deterministic symmetry between A18 and B18. So we have some deterministic symmetry in A0 and B0 respectively. So we immediately obtain a distinguisher for the 18-round Gimli permutation with time complexity 2. This is the illustration of the comparison between our distinguisher and other distinguishers. In a word, in our distinguisher, we not only study the evolution of the symmetry for one state, but also study the evolution of the symmetry between different states.

Then we describe our improved full-round distinguisher. At ASIACRYPT 2020, a full-round distinguisher on the Gimli permutation with time complexity 2 to the 64 was proposed. Constructing such a distinguisher consists of two steps. At the first step, we need to search for a solution for A, B, C, D, E, F, such that the second column and the fourth column of A24 are the same. The time complexity of this phase is 2 to the 32. Then at the second step, we need to ensure the first column and the third column of A0 are the same. This is equivalent to the condition AX equals AY, which holds with probability 2 to the minus 32. So the time complexity to construct such a full-round distinguisher is 2 to the 32 plus 32, which equals 2 to the 64. Our idea to improve the full-round distinguisher is to relax the constraints on the symmetry in A0.
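To make the symmetry trace of the 18-round distinguisher concrete, here is an added example (not code from the talk or the paper) that implements the Gimli round function from the public specification, builds a random fully symmetric A8, and checks the claimed relations for A9, A13 and A14 and for the twin states B9/B13 and A17/B17. The state layout `s[col + 4*row]`, the mapping of the talk's round i to spec round 25 - i, and the random seed are my assumptions.

```python
import random

MASK = 0xFFFFFFFF
rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def gimli_round(s, r):
    """One Gimli round, r = spec round counter (24..1); word (row, col) is s[col + 4*row]."""
    for c in range(4):                                   # SP-box on every column
        x, y, z = rotl(s[c], 24), rotl(s[c + 4], 9), s[c + 8]
        s[c + 8] = (x ^ (z << 1) ^ ((y & z) << 2)) & MASK
        s[c + 4] = (y ^ x ^ ((x | z) << 1)) & MASK
        s[c] = (z ^ y ^ ((x & y) << 3)) & MASK
    if r % 4 == 0:                                       # small swap, then add round constant
        s[0], s[1], s[2], s[3] = s[1], s[0], s[3], s[2]
        s[0] ^= 0x9E377900 ^ r
    elif r % 4 == 2:                                     # big swap
        s[0], s[1], s[2], s[3] = s[2], s[3], s[0], s[1]
    return s

def rounds(state, first, last):                          # talk-round i is spec round 25 - i; input copied
    s = list(state)
    for i in range(first, last + 1):
        gimli_round(s, 25 - i)
    return s

col = lambda s, c: (s[c], s[c + 4], s[c + 8])           # one column as a (row0, row1, row2) tuple
tail = lambda u, v: u[1:] == v[1:]                       # rows 1 and 2 of two columns agree

def symmetric_a8(seed):
    """Constructed A8 with col0 == col2 and col1 == col3 (random words, not a value from the paper)."""
    w = random.Random(seed)
    c = [[w.getrandbits(32) for _ in range(3)] for _ in range(2)]
    return [c[i % 2][i // 4] for i in range(12)]

def trace_symmetry(seed=1):
    """Check the talk's symmetry claims on A9..A17 and the twin states B9..B17; every value should be True."""
    a9 = rounds(symmetric_a8(seed), 9, 9)
    b9 = list(a9)
    b9[0], b9[2] = b9[2], b9[0]                          # B9: swap the row-0 words of col0 and col2
    a13, b13, a14 = rounds(a9, 10, 13), rounds(b9, 10, 13), rounds(a9, 10, 14)
    a17, b17 = rounds(a13, 14, 17), rounds(b13, 14, 17)
    k9 = 0x9E377900 ^ 16                                 # constant added in talk-round 9 (spec round 16)
    return {
        "A9: col1 == col3; col0 and col2 differ only in row 0, by k9":
            col(a9, 1) == col(a9, 3) and a9[0] ^ a9[2] == k9 and tail(col(a9, 0), col(a9, 2)),
        "A13: only rows 1-2 of col1 and col3 agree": col(a13, 1) != col(a13, 3) and tail(col(a13, 1), col(a13, 3)),
        "A14: even that is gone": not tail(col(a14, 1), col(a14, 3)),
        "A13/B13: col1 of one == col3 of the other": col(b13, 1) == col(a13, 3) and col(b13, 3) == col(a13, 1),
        "A17/B17: cross-equality survives in rows 1-2": tail(col(b17, 1), col(a17, 3)) and tail(col(b17, 3), col(a17, 1)),
    }
```

Running `trace_symmetry()` with any seed returns all-True values, which is exactly the deterministic behaviour the distinguisher relies on; the bit-level residue in A0/A18 from the SP-box property is not reproduced here.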
In other words, we will keep step 1 the same while changing step 2. Our critical observation is that when there are W consecutive identical bits between AX and AY, which holds with probability 2 to the minus W, there will be 3 times W plus 2 symmetric relations between the third column and the first column of A0. In this way, we can find such an input-output pair with time complexity 2 to the 32 plus W, while for a random permutation finding such an input-output pair will require time complexity 2 to the 3W plus 2. So by choosing W as 20, we construct a valid distinguisher with time complexity 2 to the 52.

Now I will describe the preimage attacks on Gimli-Hash. The general procedure can be divided into 3 phases. At the first phase, we need to find a valid inner part of S0 such that it can match the outer part of S1. At the second phase, our aim is to utilize the degrees of freedom provided by the message words. Specifically, we will randomly choose a value for M3 and M4 to obtain a value for the inner part of S2. Then at the third phase, our aim is to match a valid inner part with two blocks. Specifically, our aim is to find a valid value for M0 and M1 such that the inner part of S2 can be matched. For the first phase of the preimage attack on five-round Gimli-Hash, our aim is to find a valid inner part of S0 such that it can match the outer part of S5. Specifically, this can be divided into 3 steps. At step 1, we randomly choose 2 to the 64 values for these 4 state words. Then we can compute these state words, these state words, these state words, these state words and these state words. Then at step 2, we randomly choose 2 to the 64 values for these 4 state words. And for each guess, we can compute these state words, these state words and these state words. Then we try to do some matching. We try to do some matching on these 128 bits. And we can expect one match, because we have computed 2 to the 64 possible values for this part in this direction.
And we also computed 2 to the 64 possible values for these 4 state words in the backward direction. After step 1 and step 2, these values are fixed, these values are fixed, these are fixed, these are fixed, these are fixed, these are fixed, these are also fixed, these are also fixed, these are also fixed. Our aim is to find a valid solution for these 4 state words. And they can be found in a very similar way with time complexity 2 to the 64. Then for the third phase of the 5-round preimage attack, the aim is to find a solution for the first 2 message blocks M0 and M1. The general idea is very similar to that of the first phase. So we mainly exploit the low diffusion of the round function. Specifically, by guessing only a few state words, we can compute some state words after many rounds. This is the critical observation. So you can see the details in our paper. So in this way, after evaluating the time complexity for the 2 phases, we can find that the total time complexity of the 5-round preimage attack is 2 to the 96, and the total memory complexity of the preimage attack is 2 to the 65. By using the general attack procedure to find the preimage and a useful property of the 2-round SP-boxes, we could mount a practical 2-round preimage attack on Gimli-Hash. And this is a message which can lead to an all-zero state for 2-round Gimli-Hash, to support the correctness of our attack.

Finally, I will describe the 9-round preimage attack on Gimli-XOF, specifically Gimli-XOF-128. The only difference is that we need to set some conditions on the second row of S0 to control the diffusion. In other words, we need these conditions to allow us to compute some state words by only guessing a few state words of S0. The general idea is indeed very similar to the preimage attack on Gimli-Hash. Specifically, by guessing only a few state words, we compute some state words after several rounds. So I will not explain the details.
The total time complexity of our 9-round preimage attack on Gimli-XOF-128 is 2 to the 104, and the total memory complexity is 2 to the 70.

In summary, the symmetry and low diffusion are the weaknesses of the Gimli permutation, and they can be exploited to construct powerful distinguishers. Second, the low diffusion also makes the divide-and-conquer method feasible for the preimage and distinguishing attacks on Gimli. Third, we constructed an almost practical full-round distinguisher with time complexity 2 to the 52. At last, our preimage attacks on Gimli-Hash and Gimli-XOF-128 could reach up to 5 and 9 rounds respectively, which are the best attacks as far as we know. That's all. Thank you.