Gimli: NIST LWC Second-round Candidate Status Update

semanticscholar(2020)

Abstract
This is a short update on Gimli. Gimli is the simplest submission to the NIST Lightweight Cryptography Standardization Process. It naturally fits into very little code and very little hardware area, handles both hashing and AEAD with healthy security margins, and provides good speeds across a wide range of platforms. Applications that communicate across different platforms are particularly favorable to Gimli, but Gimli is designed to do reasonably well in all applications. Gimli has already been demonstrated to outperform existing NIST standards on a variety of platforms. For example, the permutation takes 67 ns on a Xilinx Spartan 6 LX75 FPGA using just 221 slices (815 LUTs and 392 flip-flops), 20000 cycles on an AVR ATmega using just 778 bytes of code, and 419 cycles on an ARM Cortex-A8 using just 480 bytes of code, with many tradeoffs being possible. A recent Intel paper “Gimli encryption in 715.9 psec” [2] concludes that “Gimli stands out as a much faster encryption technique, when compared to other known algorithms including AES and PRINCE.” We do not plan to propose tweaks. Implementations have not encountered any performance problems. Third-party cryptanalysis (see Section 2) confirms the large security margin of both Gimli-Hash and Gimli-AEAD. A third-party library (libhydrogen.org) shows how easily Gimli can be integrated into software applications, and the Intel results show Gimli’s suitability for integration into low-latency hardware applications.