Differential cryptanalysis of SipHash. (English) Zbl 1382.94097

Joux, Antoine (ed.) et al., Selected areas in cryptography – SAC 2014. 21st international conference, Montreal, QC, Canada, August 14–15, 2014. Revised selected papers. Cham: Springer (ISBN 978-3-319-13050-7/pbk; 978-3-319-13051-4/ebook). Lecture Notes in Computer Science 8781, 165-182 (2014).
Summary: SipHash is an ARX-based message authentication code developed by J.-P. Aumasson and D. J. Bernstein [Indocrypt 2012, Lect. Notes Comput. Sci. 7668, 489–508 (2012; Zbl 1295.94009)]. SipHash was designed to be fast on short messages. Already, a lot of implementations and applications for SipHash exist, whereas the cryptanalysis of SipHash lags behind. In this paper, we provide the first published third-party cryptanalysis of SipHash regarding differential cryptanalysis. We use existing automatic tools to find differential characteristics for SipHash. To improve the quality of the results, we propose several extensions for these tools to find differential characteristics. For instance, to get a good probability estimation for differential characteristics in SipHash, we generalize the concepts presented by N. Mouha et al. [SAC 2010, Lect. Notes Comput. Sci. 6544, 36–56 (2011; Zbl 1290.94112)] and V. Velichkov et al. [FSE 2011, Lect. Notes Comput. Sci. 6733, 342–358 (2011; Zbl 1307.94105)] to calculate the probability of ARX functions. Our results are a characteristic for SipHash-2-4 with a probability of \(2^{-236.3}\) and a distinguisher for the finalization of SipHash-2-4 with practical complexity. Even though our results do not pose any threat to the security of SipHash-2-4, they significantly improve the results of the designers and give new insights into the security of SipHash-2-4.
For the entire collection see [Zbl 1332.94006].

MSC:

94A60 Cryptography
94A62 Authentication, digital signatures and secret sharing