Abstract
SipHash is an ARX-based pseudorandom function designed by Aumasson and Bernstein for short message inputs. Recently, Ashur and Liu proposed an efficient analysis method for ARX algorithms, Rotational-XOR cryptanalysis. Inspired by their work, we mount differential and Rotational-XOR cryptanalysis on two instances, SipHash-1-x and SipHash-2-x, in this paper, where SipHash-1-x (or SipHash-2-x) denotes the SipHash instance with one (or two) compression round(s) and x finalization rounds.
Firstly, we construct the search model for colliding characteristics and RX-colliding characteristics on SipHash. Based on the model, we find colliding characteristics and RX-colliding characteristics of SipHash with an SMT-based automatic search tool. Moreover, we give a formula for the selection of initial constants that improves the resistance of SipHash against Rotational-XOR cryptanalysis. In addition, we find an RX-colliding characteristic with probability \(2^{-93.6}\) for a revised version of SipHash-1-x with one message block, and an RX-colliding characteristic with probability \(2^{-160}\) for a revised version of SipHash-1-x with two message blocks. The SMT-based technique also outputs one message pair of the RX-collision whenever the given characteristic has nonzero probability. Finally, using the RX-colliding characteristic found earlier, we give an RX-collision, i.e. a message pair and a key, for a revised version of SipHash-1-x with one message block.
This work was supported by the Natural Science Foundation of China (NSFC) under Grant 61772545, Grant 61672530, and Grant 61902414.
References
Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_27
Ankele, R., List, E.: Differential cryptanalysis of round-reduced Sparx-64/128. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 459–475. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_24
Aumasson, J.-P., Bernstein, D.J.: SipHash: a fast short-input PRF. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 489–508. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_28
Ashur, T., Liu, Y.: Rotational cryptanalysis in the presence of constants. IACR Trans. Symmetric Cryptol. 2016(1), 57–70 (2016)
Biryukov, A., Velichkov, V., Le Corre, Y.: Automatic search for the best trails in ARX: application to block cipher Speck. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 289–310. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_15
Dinur, I.: Improved differential cryptanalysis of round-reduced speck. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 147–164. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_9
Dobraunig, C., Mendel, F., Schläffer, M.: Differential cryptanalysis of SipHash. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 165–182. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_10
Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-based automatic search algorithms for differential and linear trails for speck. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 268–288. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_14
Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_15
Leurent, G.: Construction of differential characteristics in ARX designs application to Skein. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 241–258. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_14
Liu, Y., De Witte, G., Ranea, A., Ashur, T.: Rotational-XOR cryptanalysis of reduced-round SPECK. IACR Trans. Symmetric Cryptol. 2017(1), 24–36 (2017)
Mouha, N., Velichkov, V., De Cannière, C., Preneel, B.: The differential analysis of S-functions. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 36–56. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_3
Nyberg, K., Wallén, J.: Improved linear distinguishers for SNOW 2.0. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 144–162. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_10
Schulte-Geers, E.: On CCA-equivalence of addition mod \(2^n\). Des. Codes Cryptogr. 66, 111–127 (2013)
Siddappa, S.K., Kaminsky, A.: SAT based attacks on SipHash. Rochester Institute of Technology (2014)
Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 379–394. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_24
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
A Proofs
Lemma 2. Suppose that there exists an RX-characteristic \((\overleftarrow{\varDelta } {a_1},\overleftarrow{\varDelta } {b_1},\overleftarrow{\varDelta } {c_1},\overleftarrow{\varDelta } {d_1}) \rightarrow (\overleftarrow{\varDelta } {a_2},\overleftarrow{\varDelta } {b_2},\overleftarrow{\varDelta } {c_2},\overleftarrow{\varDelta } {d_2})\) which produces an internal RX-collision for SipHash-1-x with one message block. Then it has the following active pattern:
\((C_1,C_0,C_2,C_3\oplus \varDelta )\rightarrow (0,\varDelta ,C_4,0),\)
where \(C_0=V_0\oplus \overleftarrow{V_0},C_1=V_1\oplus \overleftarrow{V_1},C_2=V_2\oplus \overleftarrow{V_2},C_3=V_3\oplus \overleftarrow{V_3},C_4=\texttt {0xff}\oplus \overleftarrow{\texttt {0xff}}\).
Proof
For a pair of messages \(m_0,m_0^{\prime }\), the RX-difference is \(\varDelta =m_0\oplus \overleftarrow{m_0^{\prime }}\). Let \(a_1,b_1,c_1,d_1\) and \(a_1^{\prime },b_1^{\prime },c_1^{\prime },d_1^{\prime }\) be the inputs of the first round of the compression phase,
where \(V_0,V_1,V_2,V_3\) and \(k_0,k_1\) denote the initial constant states and the two 64-bit key words, respectively. The message \(m_0^{\prime }\) is processed under the keys \(\overleftarrow{k_0},\overleftarrow{k_1}\).
Then the RX-differences \(\overleftarrow{\varDelta } {a_1},\overleftarrow{\varDelta } {b_1},\overleftarrow{\varDelta } {c_1},\overleftarrow{\varDelta } {d_1}\) between \(a_1,b_1,c_1,d_1\) and \(a_1^{\prime },b_1^{\prime }, c_1^{\prime },d_1^{\prime }\) are equal to \((C_1,C_0,C_2,C_3\oplus \varDelta )\). Similarly, the RX-differences of \((a_2,b_2,c_2,d_2)\) are equal to \((0,\varDelta ,C_4,0)\). \(\square \)
Theorem 1. Given any non-zero value \(\varDelta \in \mathbb {F}_2^{64}\), \((0,0,0,\varDelta )\rightarrow (0,\varDelta ,0,0)\) is an impossible differential characteristic of SipHash-1-x with one message block.
Proof
Suppose that there exists a non-zero \(\varDelta \in \mathbb {F}_2^{64} \) such that \((0,0,0,\varDelta )\rightarrow (0,\varDelta ,0,0) \) is a possible differential characteristic. Then the differential propagation at the four modular additions in Fig. 3 must satisfy the propagation rules given by Lemma 1. We have
In each equation, the characteristic function defined in Lemma 1 is derived from the input and output differences and evaluates to 1. In particular, when \((0,\alpha )\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, 0\) is a possible differential characteristic, we have
which is equivalent to \((\alpha \oplus \alpha _{\ll 1}) \preceq \alpha _{\ll 1}.\) Therefore, we have
Then \(\alpha _0=0, \cdots , \alpha _{63}=0\), namely \(\alpha =0\). Analogously, we have \(\varDelta =0\).
Hence the characteristic \((0,0,0,\varDelta )\rightarrow (0,\varDelta ,0,0) \) is trivial, with \(\varDelta =0\). So there is no message pair that leads to an internal collision when only one message block is injected into SipHash-1-x. \(\square \)
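The step from \((\alpha \oplus \alpha _{\ll 1}) \preceq \alpha _{\ll 1}\) to \(\alpha =0\), written out bit by bit as an added derivation (it is not part of the original proof text and uses only the \(\preceq\) condition stated above). Write \(\alpha _i\) for bit \(i\) of \(\alpha \), bit 0 being the least significant, so that bit \(i\) of \(\alpha _{\ll 1}\) is \(\alpha _{i-1}\) with the convention \(\alpha _{-1}=0\). The condition \((\alpha \oplus \alpha _{\ll 1}) \preceq \alpha _{\ll 1}\) says that every set bit of \(\alpha \oplus \alpha _{\ll 1}\) is also set in \(\alpha _{\ll 1}\), i.e. for every \(0\le i\le 63\),
\[ (\alpha _i\oplus \alpha _{i-1})\wedge \overline{\alpha _{i-1}}=0 . \]
When \(\alpha _{i-1}=1\) this holds trivially; when \(\alpha _{i-1}=0\) it reads \(\alpha _i\wedge 1=0\), forcing \(\alpha _i=0\). In both cases \(\alpha _i\le \alpha _{i-1}\), hence
\[ \alpha _{63}\le \alpha _{62}\le \cdots \le \alpha _1\le \alpha _0\le \alpha _{-1}=0 , \]
so every bit of \(\alpha \) is zero and \(\alpha =0\). The same chain with \(\varDelta \) in place of \(\alpha \) is the step the proof calls "analogously".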
Theorem 2. For any non-zero \(\varDelta \in \mathbb {F}_2^{64}\), \((C_1,C_0,C_2,C_3\oplus \varDelta )\rightarrow (0,\varDelta ,C_4,0)\) is an impossible RX-characteristic of SipHash-1-x with one message block.
Proof
Figure 4 shows the notation for RX-differences in SipHash-1-x with one message block; the message RX-difference \(\overleftarrow{\varDelta } {m_0}=\varDelta \) is injected before and after the single SipHash round. For the characteristic \((C_1,C_0,C_2,C_3\oplus \varDelta )\rightarrow (0,\varDelta ,C_4,0)\), the RX-difference propagation at the modular additions in Fig. 4 must satisfy the propagation rule given by Proposition 1.
where \(C_1=V_1\oplus \overleftarrow{V_1}=\texttt {0xacb196a3b2acb1b7}\), \(C_0=V_0\oplus \overleftarrow{V_0}=\texttt {0x95b1b7af9095af9f}\), \(C_4=\texttt {0xff}\oplus \overleftarrow{\texttt {0xff}}=\texttt {0x101}\), and \(V_0,V_1\) are the initial constant states given in the SipHash design document.
By the relation between \(C_1,C_4,\alpha \) from Fig. 4, one gets \(\alpha = (C_1\lll 13)\oplus ((C_{4}\ggg 32)\ggg 17)=\texttt {0x32d4765596b67596}\). However, a necessary condition for the transition \((C_1,C_0)\,{\mathop {\longrightarrow }\limits ^{\boxplus }}\, \alpha \) is \(1_{(I\oplus SHL)(C_0 \oplus C_1 \oplus \alpha )\preceq SHL((C_0\oplus \alpha )|(C_1\oplus \alpha ))}\) or \(1_{(I\oplus SHL)(C_0 \oplus C_1 \oplus \alpha )\oplus 1\preceq SHL((C_0\oplus \alpha )|(C_1\oplus \alpha ))}\); substituting the values of \(C_0,C_1,\alpha \) above, neither indicator holds, which is a contradiction. Therefore, the characteristic \((C_1,C_0,C_2,C_3\oplus \varDelta )\rightarrow (0,\varDelta ,C_4,0)\) is impossible. \(\square \)
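The constants \(C_0,C_1,C_4\) of Lemma 2, the value of \(\alpha \) from the Fig. 4 relation, and the two indicator conditions used in the proof of Theorem 2 can all be checked mechanically. The script below is an added example, not code from the paper. It assumes the standard SipHash constants, a rotation amount of 1 for the RX-difference, and implements only the indicator (necessary-condition) part of Ashur and Liu's addition rule, since Proposition 1 itself is not reproduced on this page; it also uses the Lipmaa–Moriai validity test for ordinary XOR differentials in place of Lemma 1 (also not on the page) to check the Theorem 1 claim that \((0,\alpha )\rightarrow 0\) is possible only for \(\alpha =0\), exhaustively at small word sizes. Function names and the small-word exhaustive check are the example's own choices.

```python
"""Bit-level checks behind Lemma 2 and Theorems 1-2 (added example, not the paper's code).

Conventions follow the page: 64-bit words, RX-difference with a left rotation
by 1, C_i = V_i XOR rotl(V_i, 1) for the SipHash constants, and "x preceq y"
meaning every set bit of x is also set in y.
"""

N = 64


def rotl(x, r, n=N):
    """Rotate an n-bit word left by r bits."""
    r %= n
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def rotr(x, r, n=N):
    """Rotate an n-bit word right by r bits."""
    return rotl(x, n - (r % n), n)


def shl(x, n=N):
    """SHL: non-cyclic left shift by one bit, as in Ashur-Liu."""
    return (x << 1) & ((1 << n) - 1)


def preceq(x, y):
    """x preceq y: x has no set bit outside the support of y."""
    return x & ~y == 0


def rx_diff_of_constant(c, n=N):
    """RX-difference of a constant present in both executions: c XOR rotl(c, 1)."""
    return c ^ rotl(c, 1, n)


# SipHash initialisation constants ("somepseudorandomlygeneratedbytes"),
# as given in the SipHash design document.
V0, V1, V2, V3 = 0x736f6d6570736575, 0x646f72616e646f6d, 0x6c7967656e657261, 0x7465646279746573
C0, C1, C2, C3 = (rx_diff_of_constant(v) for v in (V0, V1, V2, V3))
C4 = rx_diff_of_constant(0xFF)  # finalisation constant XORed into v2


def xdp_add_valid(a, b, c, n=N):
    """Lipmaa-Moriai test (stand-in for Lemma 1): is the XOR differential
    (a, b) -> c through n-bit modular addition possible (probability > 0)?"""
    mask = (1 << n) - 1
    sa, sb, sc = shl(a, n), shl(b, n), shl(c, n)
    eq = ~(sa ^ sb) & ~(sa ^ sc) & mask  # bit positions where sa == sb == sc
    return (eq & (a ^ b ^ c ^ sb)) == 0


def rx_add_necessary(d1, d2, d3, n=N):
    """Necessary condition for the RX-differential (d1, d2) -> d3 through
    modular addition (the indicator part of Ashur-Liu's rule, as the page
    invokes it): at least one of the two indicators must be 1."""
    s = d1 ^ d2 ^ d3
    lhs = s ^ shl(s, n)                      # (I xor SHL)(d1 xor d2 xor d3)
    rhs = shl((d1 ^ d3) | (d2 ^ d3), n)      # SHL((d1 xor d3) | (d2 xor d3))
    return preceq(lhs, rhs) or preceq(lhs ^ 1, rhs)


def theorem1_holds(n=8):
    """Exhaustive check at word size n: (0, a) -> 0 is possible only for a = 0."""
    return all(not xdp_add_valid(0, a, 0, n) for a in range(1, 1 << n))


def alpha_from_fig4():
    """alpha = (C1 <<< 13) xor ((C4 >>> 32) >>> 17): the output RX-difference of
    v0 + v1 forced by a zero output difference on v1 and C4 on v2."""
    return rotl(C1, 13) ^ rotr(rotr(C4, 32), 17)


def theorem2_transition_possible():
    """Does (C1, C0) -> alpha pass the necessary condition at the first addition?"""
    return rx_add_necessary(C1, C0, alpha_from_fig4())


if __name__ == "__main__":
    print(f"C0 = {C0:#018x}  C1 = {C1:#018x}  C4 = {C4:#x}")
    print(f"alpha = {alpha_from_fig4():#018x}")
    print("Theorem 1 (8-bit exhaustive):", theorem1_holds())
    print("(C1, C0) -> alpha passes necessary condition:", theorem2_transition_possible())
```

Running it reproduces the page's values \(C_1\), \(C_0\) and \(\alpha \) from the constants alone and reports that neither indicator holds for \((C_1,C_0)\rightarrow \alpha \); the failing bit positions sit in the second byte from the top, so the contradiction does not depend on the low-order carry handled by the \(\oplus 1\) variant.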
© 2019 Springer Nature Switzerland AG
Cite this paper
Xin, W., Liu, Y., Sun, B., Li, C. (2019). Improved Cryptanalysis on SipHash. In: Mu, Y., Deng, R., Huang, X. (eds) Cryptology and Network Security. CANS 2019. Lecture Notes in Computer Science(), vol 11829. Springer, Cham. https://doi.org/10.1007/978-3-030-31578-8_4
DOI: https://doi.org/10.1007/978-3-030-31578-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31577-1
Online ISBN: 978-3-030-31578-8
eBook Packages: Computer Science (R0)