Re: [CFRG] SipHash recommendation?

Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Wed, 16 December 2020 16:05 UTC

References: <20201216000229.GG64351@kduck.mit.edu> <CAGiyFdcaqyEhxhJTys0sZ6YvyRAZ9MM7=Kh1z2TqWVFckUrNrg@mail.gmail.com> <db703fe0-073d-07d0-3c81-c820e9497970@gmail.com>
In-Reply-To: <db703fe0-073d-07d0-3c81-c820e9497970@gmail.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Wed, 16 Dec 2020 17:05:11 +0100
Message-ID: <CAGiyFdfd99MUQm1paypoGR8v1uV9f4tfKbnG51CCnMhu7VLDVA@mail.gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, cfrg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/--uMicutloR1G1syRhldemVnPEM>

The most recent results are these 2019 works:

https://eprint.iacr.org/2019/865.pdf
and
https://askworkshop.github.io/ask2019/assets/slides/ask2019talk_yunwenliu.pdf

Summary tables below, where distinguishers are the type of attacks related
to indistinguishability:

[two summary tables attached as images (image.png), not reproduced in the archive]

On Wed, Dec 16, 2020 at 4:59 PM Rene Struik <rstruik.ext@gmail.com> wrote:

> Hi Jean-Philippe:
>
> Section 3 of the SipHash paper [1] writes "We define SipHash-c-d for
> smaller c and d to provide targets for cryptanalysis. Cryptanalysts are
> thus invited to break", while Section 1 writes "Our concrete proposal
> SipHash-2-4 was designed and evaluated to be a cryptographically strong PRF
> (pseudorandom function), i.e., indistinguishable from a uniform random
> function.
> This implies its strength as a MAC."
>
> I am curious about the cryptanalysis that went into supporting the
> indistinguishability claim. From a cursory look at [1] and [2] I could not
> immediately find this.
>
> Is indistinguishability the (or one of the) "security goals" alluded to,
> but not mentioned, on the last slide of the presentation [2]?
>
> Best regards, Rene
>
> Ref:
> [1] Hash Functions - SipHash, A Fast Short-Input PRF (Jean-Philippe
> Aumasson, Daniel Bernstein, DIAC 2012)
> [2] https://cr.yp.to/talks/2012.12.12/slides.pdf
>
> On 2020-12-16 9:58 a.m., Jean-Philippe Aumasson wrote:
>
> SipHash co-author here, that draft uses the 2-4 versions (like the Linux
> kernel,
> https://www.kernel.org/doc/html/latest/security/siphash.html), which have
> a lower security margin than 4-8, but I’m not aware of any cryptanalysis
> result that would affect any of these in the context of this proposed
> application.
>
>
>
> On Wed 16 Dec 2020 at 01:03, Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> Hi all,
>>
>> We have a document (draft-ietf-dnsop-server-cookies) in front of the IESG
>> that proposes to use the SipHash-2-4 algorithm
>> (https://www.aumasson.jp/siphash/,
>> https://www.aumasson.jp/siphash/siphash.pdf) as a MAC over what is in
>> some
>> sense a return-routability and freshness token, the "DNS cookie"
>> originally
>> specified in RFC 7873.
>>
>> Unfortunately, the authors of this draft have not yet written down a clear
>> description of what properties they believe are needed from this MAC for
>> this usage, which makes it slightly hard to confirm that SipHash is a
>> suitable algorithm for this purpose, though that is certainly a question
>> that I am interested in.
>>
>> Regardless of that, I would also like to get the CFRG's input on whether
>> SipHash is a suitable algorithm for its stated goals (paraphrasing
>> slightly): a performant keyed (family of) PRF suitable for use as a MAC,
>> with the security goal for a MAC being considered to be that an attacker,
>> even after seeing tags for many messages (perhaps selected by the
>> attacker), is unable to guess tags for any other messages.
>>
>> In short: is SipHash fit for this purpose?
>>
>> There does seem to be a decent amount of literature analyzing SipHash, but
>> I have not attempted to review it to any significant degree.
>>
>> Thanks,
>>
>> Ben
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>
>
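Added example, not code from any message in this thread nor from the SipHash reference implementation: a compact SipHash-c-d in Python, parameterised by the compression round count c and finalization round count d that the thread discusses (2-4 as in the DNS cookie draft and the Linux kernel, 4-8 as the more conservative variant), checked against the published SipHash-2-4 test vectors (key 00..0f; empty message and the 15-byte message from Appendix A of the paper), and wrapped as a MAC with constant-time tag verification in the sense of Ben's stated goal. The demo key and the cookie-like message are constructed values; the draft's actual cookie layout is not modelled.

```python
"""SipHash-c-d as a keyed PRF / MAC (added example, not the thread's code)."""
import hmac

MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    """Rotate a 64-bit word left by b bits."""
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    """One SipRound: an ARX network over the four 64-bit state words."""
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash(key: bytes, msg: bytes, c: int = 2, d: int = 4) -> int:
    """SipHash-c-d with a 128-bit key; returns the 64-bit output as an int."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    # Initial state: key words XORed into the "somepseudorandomlygeneratedbytes" constants.
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    n = len(msg)
    full = n - n % 8
    # Compression: absorb each 8-byte little-endian word with c SipRounds.
    for i in range(0, full, 8):
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(c):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final word: the remaining 0..7 bytes, with (length mod 256) in the top byte.
    last = ((n & 0xFF) << 56) | int.from_bytes(msg[full:], "little")
    v3 ^= last
    for _ in range(c):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= last
    # Finalization: XOR 0xff into v2, then d SipRounds, then fold the state.
    v2 ^= 0xFF
    for _ in range(d):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def tag(key: bytes, msg: bytes, c: int = 2, d: int = 4) -> bytes:
    """8-byte little-endian MAC tag, the byte order the reference code emits."""
    return siphash(key, msg, c, d).to_bytes(8, "little")


def verify(key: bytes, msg: bytes, received: bytes, c: int = 2, d: int = 4) -> bool:
    """Recompute the tag and compare in constant time.

    Unforgeability rests on the key staying secret and on SipHash being a PRF;
    tags themselves may be public, which is what a cookie needs.
    """
    return hmac.compare_digest(tag(key, msg, c, d), received)


# Published test vectors (SipHash paper / reference implementation), key = 00..0f.
TEST_KEY = bytes(range(16))
EXPECTED_15 = 0xA129CA6149BE45E5     # 15-byte message 00..0e (paper, Appendix A)
EXPECTED_EMPTY = 0x726FDB47DD0E0E31  # empty message (first reference vector)

# Constructed demo values; a real server key comes from a CSPRNG (e.g. os.urandom(16)).
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_MSG = b"client=192.0.2.1|nonce=0001"  # constructed cookie-like input


def demo() -> dict:
    """Check 2-4 against the vectors, exercise MAC verification, show 4-8 differs."""
    t = tag(DEMO_KEY, DEMO_MSG)
    return {
        "vec_15": siphash(TEST_KEY, bytes(range(15))) == EXPECTED_15,
        "vec_empty": siphash(TEST_KEY, b"") == EXPECTED_EMPTY,
        "tag_ok": verify(DEMO_KEY, DEMO_MSG, t),
        "tag_tampered": verify(DEMO_KEY, DEMO_MSG + b"x", t),  # expected False
        "24_vs_48_differ": siphash(DEMO_KEY, DEMO_MSG, 2, 4) != siphash(DEMO_KEY, DEMO_MSG, 4, 8),
    }


if __name__ == "__main__":
    print(demo())
```

The round counts are the only thing that changes between SipHash-2-4 and SipHash-4-8, which is why the cryptanalysis cited above is organised by how many rounds a distinguisher reaches; the per-message cost grows with c, the per-call fixed cost with d.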