Improved Cryptanalysis on SipHash

Abstract

SipHash is an ARX-based pseudorandom function designed by Aumasson and Bernstein for short message inputs. Recently, Ashur et al. proposed an efficient analysis method against ARX algorithm—“Rotational-XOR cryptanalysis”. Inspired by their work, we mount differential and Rotational-XOR cryptanalysis on two instances of SipHash-1-x and SipHash-2-x in this paper, where SipHash-1-x (or SipHash-2-x) represents the Siphash instance with one (or two) compression round and x finalization rounds.

Firstly, we construct the search model for colliding characteristic and RX-colliding characteristic on SipHash. Based on the model, we find the colliding characteristics and RX-colliding characteristics of SipHash by the SMT-based automatic search tool. Moreover, we give a formula for the selection of initial constants to improve the resistance of Siphash against Rotational-XOR cryptanalysis to make the algorithm safer. In addition, we find an RX-colliding characteristic with probability \(2^{-93.6}\) for a revised version of SipHash-1-x with one message block, and an RX-colliding characteristic with probability \(2^{-160}\) for a revised version of SipHash-1-x with two message blocks. With the SMT-based technique, which outputs one message pair of the RX-collision if the given characteristic has a nonzero probability. Finally, with the RX-colliding characteristic we found earlier, we give the RX-collision with message pair and key of a revised version of SipHash-1-x with one message block.

This work was supported by the Natural Science Foundation of China (NSFC) under Grant 61772545, Grant 61672530, and Grant 61902414.

A Proofs

Lemma 2. Suppose that there exists an RX-characteristic \((\overleftarrow{\varDelta } {a_1},\overleftarrow{\varDelta } {b_1},\overleftarrow{\varDelta } {c_1},\overleftarrow{\varDelta } {d_1}) \rightarrow (\overleftarrow{\varDelta } {a_2},\overleftarrow{\varDelta } {b_2},\overleftarrow{\varDelta } {c_2},\overleftarrow{\varDelta } {d_2})\) which produces an internal RX-collision for SipHash-1-x with one message block. Then, it has the following active pattern,

$$ (C_1,C_0,C_2,C_3\oplus {\varDelta })\rightarrow (0,\varDelta ,C_4,0), $$

where \(C_0=V_0\oplus \overleftarrow{V_0},C_1=V_1\oplus \overleftarrow{V_1},C_2=V_2\oplus \overleftarrow{V_2},C_3=V_3\oplus \overleftarrow{V_3},C_4=\texttt {0xff}\oplus \overleftarrow{\texttt {0xff}}\).

Proof

For a pair of messages \(m_0,m_0^{\prime }\), RX-difference \(\varDelta =m_0\oplus \overleftarrow{m_0^{\prime }}\). \(a_1,b_1,c_1,d_1\) and \(a_1^{\prime },b_1^{\prime },c_1^{\prime },d_1^{\prime }\) are the inputs of the first round to the compression phase

$$\begin{aligned} \begin{aligned} a_1&=V_0\oplus k_0,&a_1^{\prime }=V_0\oplus \overleftarrow{k_0},\\ b_1&=V_1\oplus k_1,&b_1^{\prime }=V_1\oplus \overleftarrow{k_1},\\ c_1&=V_2\oplus k_0,&c_1^{\prime }=V_2\oplus \overleftarrow{k_0},\\ d_1&=V_3\oplus k_1\oplus m_0.&d_1^{\prime } =V_3\oplus \overleftarrow{k_1}\oplus m_0^{\prime }. \end{aligned} \end{aligned}$$

where \(V_0,V_1,V_2,V_3\) and \(k_0,k_1\) denote the initial constants states and two 64-bit keys, respectively. The message \(m_0^{\prime }\) is processed by the keys \(\overleftarrow{k_0},\overleftarrow{k_1}\).

Then, the RX-differences \(\overleftarrow{\varDelta } {a_1},\overleftarrow{\varDelta } {b_1},\overleftarrow{\varDelta } {c_1},\overleftarrow{\varDelta } {d_1}\) between \(a_1,b_1,c_1,d_1\) and \(a_1^{\prime },b_1^{\prime }, c_1^{\prime },d_1^{\prime }\) equal to \((C_1,C_0,C_2,C_3\oplus \varDelta )\). Similarly, we have \((b_2,a_2,c_2,d_2)\) equal to \((0,\varDelta ,C_4,0)\)   \(\square \)

Fig. 3.

The propagation of the intermediate differences in SipHahs-1-x processing one message block.

Theorem 1. Given any non-zero value \(\varDelta \in \mathbb {F}_2^{64}\), \((0,0,0,\varDelta )\rightarrow (0,\varDelta ,0,0)\) is an impossible differential characteristic of SipHash-1-x with one message block.

Proof

Suppose that there exists a non-zero \(\varDelta \in \mathbb {F}_2^{64} \), such that \((0,0,0,\varDelta )\rightarrow (0,\varDelta ,0,0) \) is a possible differential characteristic. Then the differential propagation at the four modular addition in Fig. 3 should satisfy the differential propagation rules given by Lemma 1. We have

$$\begin{aligned} \begin{aligned} (0,0)&\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, 0,\quad \quad \qquad (0,\varDelta ){\mathop {\longrightarrow }\limits ^{\boxplus }}\alpha ,\\ (0,\alpha )&\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, 0,\,\quad (0,\varDelta \ggg 21){\mathop {\longrightarrow }\limits ^{\boxplus }}\varDelta .\\ \end{aligned} \end{aligned}$$

(10)

In each equation, the characteristic function defined in Lemma 1 is derived from the input and output differences, and evaluates to 1. Particular, when \((0,\alpha )\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, 0\) is a possible differential characteristic, we have

$$\begin{aligned} ((0\oplus \alpha \oplus 0)\oplus (0\oplus \alpha \oplus 0)_{<<1}) \preceq ((0\oplus 0)|(\alpha \oplus 0)). \end{aligned}$$

which is equivalent to \((\alpha \oplus \alpha _{\ll 1}) \preceq \alpha _{\ll 1}.\) Therefore, we have

$$\begin{aligned} ((\alpha _{63},\cdots , \alpha _{0})\oplus (\alpha _{62}, \cdots \alpha _0,0)) \preceq (\alpha _{62},\cdots ,\alpha _0,0). \end{aligned}$$

(11)

Then \(\alpha _0=0, \cdots , \alpha _{63}=0\), namely, \(\alpha =0\). Analogously, we have \(\varDelta =0\).

Hence, the characteristic \((0,0,0,\varDelta )\rightarrow (0,\varDelta ,0,0) \) is trivial with \(\varDelta =0\). So, we can’t get right message pair that could lead to an internal collision when only one a message block is injected into SipHash-1-x.   \(\square \)

Fig. 4.

Notations on RX-differences of SipHash-1-x with one message block

Theorem 2. For any non-zero \(\varDelta \in \mathbb {F}_2^{64}\), \((C_1,C_0,C_2,C_3\oplus \varDelta )\rightarrow (0,\varDelta ,C_4,0)\) is an impossible RX-characteristic of SipHash-1-x with one message block.

Proof

Figure 4 shows the notations for RX-differences in SipHash-1-x with one message block, \(\overleftarrow{\varDelta } {m_0}=\varDelta \) is injected before and after one round of SipHash. For the characteristic \((C_1,C_0,C_2,C_3\oplus \varDelta )\rightarrow (0,\varDelta ,C_4,0)\), the RX-difference propagation at the modular additions in Fig. 4 should satisfy the propagation rule given by Proposition 1.

$$\begin{aligned} \begin{aligned} (C_1,C_0)&\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, \alpha ,\\ (C_2,C_3\oplus \varDelta )&\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, \beta ,\\ ((C_4\ggg 49),\beta )&{\mathop {\longrightarrow }\limits ^{\boxplus }}(C_4\ggg 32),\\ ((\alpha \lll 32),(\varDelta \ggg 21))&\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, \varDelta . \end{aligned} \end{aligned}$$

(12)

where \(C_1=V_1\oplus \overleftarrow{V_1}=\texttt {0xacb196a3b2acb1b7}, C_2=V_2\oplus \overleftarrow{V_2}=\texttt {0x95b1b7af9095af9f}\), \(C_4=\texttt {0xff}\oplus \overleftarrow{\texttt {0xff}}\), \(V_1,V_2\) are the initial constants state given by SipHash design document.

By the relation between \(C_1,C_4,\alpha \) from Fig. 4, one gets \(\alpha = (C_1\lll 13)\oplus ((C_{4}\ggg 32)\ggg 17)=\texttt {0x32d4765596b67596}\). However, a necessary condition for the transition \((C_1,C_0)\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, \alpha \) is \(1_{(I\oplus SHL)(C_0 \oplus C_1 \oplus \alpha )\preceq SHL((C_0\oplus \alpha )|(C_1\oplus \alpha ))}\) or \(1_{(I\oplus SHL)(C_0 \oplus C_1 \oplus \alpha )\oplus 1\preceq SHL((C_0\oplus \alpha )|(C_1\oplus \alpha ))}\), which leads to a contradiction. Therefore, the characteristic \((C_1,C_0,C_2,C_3\oplus \varDelta )\rightarrow (0,\varDelta ,C_4,0)\) is impossible.   \(\square \)