IETF Logo Mail Archive

Re: [CFRG] SipHash recommendation?

Rene Struik <rstruik.ext@gmail.com> Wed, 16 December 2020 16:17 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A343A108E for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2020 08:17:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id juBDX11L9hcP for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2020 08:17:25 -0800 (PST)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33B8F3A1086 for <cfrg@ietf.org>; Wed, 16 Dec 2020 08:17:25 -0800 (PST)
Received: by mail-qk1-x731.google.com with SMTP id w79so22990937qkb.5 for <cfrg@ietf.org>; Wed, 16 Dec 2020 08:17:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:subject:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=qlUWDIQ3Np3RZsWl4YZxDzMEF8iewFdd1cg7aaDVIu4=; b=Ej68yxq3NJdOL+gl79zSGa9f47JEbRbUvWMVEEnu+B5Omp84ukyg8oPLCaYtChPK13 5OSPWN0fV2gwedIDU2v4MDHGpuLH+lbVtkPGTEfHRNoOxYEnOBSnDE+bhDljaDwo2ey2 MWVkWQen1FT2XkvqRQmbT062aDtFQqRlF9tE3dL8RIVYEeNYpvXevOL6tKK3W+OsXRJi +0eRlVmB21JsZDWh0yAMFcGAomZI0oDQ9HD0XylESBmdBpL5Y0Zy6q+Au7m3J5oP6LVi EpwYs1tiaOXrjC9UyJVlbqhFiX5SRwG2HfFv3kxOZdmy6XFyn3c9jh6Cf8BswKNR+N+t qwfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:cc:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=qlUWDIQ3Np3RZsWl4YZxDzMEF8iewFdd1cg7aaDVIu4=; b=XQE4cpJVt5L8OamTyQiYMzsjQaxAKw0p5fPF+yQJP+u+arWU3rZ091dgN67Ju/O2bV HNLm9CnTjQrsE2IVVYSSsDjzMZJSaNYrrUu8m+58sv6VEbHte7+4LrJmv+zqPQcTEGtX 3KclsOZE5QEZppJOxV+P6+dLaAp+pFr/DCchy+RudToghIam6Z9+kPf9JmtOuV8VNa5k 4X5e+DW+UyEB77pjjC72kgpdFdwJqei+Gwwrheg3qVVZSixsFV+yuS6SmTfpGfq6pDzL Rq235CDU7SiY2wke87OhY7/aCu2rZ5s60NdURzoiQwQ32rAG4OSMz2y/uQKWHynqPS80 x1sw==
X-Gm-Message-State: AOAM531YKBW02VITZIopse4LrAr2TS7+6wljzHObGidDW9x0lPxe0Z0o 4+gPyQqZdGchSKwFXp3CfDmmuW7+h8M=
X-Google-Smtp-Source: ABdhPJzi8e+c1bnFSslwcNJk92bNDF7AYyzTSkQIwap8tx6Z+uDTLQFrNFegDk1KsMxKYNFO9E9Juw==
X-Received: by 2002:a37:7402:: with SMTP id p2mr44918724qkc.412.1608135443774; Wed, 16 Dec 2020 08:17:23 -0800 (PST)
Received: from ?IPv6:2607:fea8:8a0:1397:41ad:2c35:b491:93a2? ([2607:fea8:8a0:1397:41ad:2c35:b491:93a2]) by smtp.gmail.com with ESMTPSA id v5sm1362682qkv.64.2020.12.16.08.17.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 16 Dec 2020 08:17:22 -0800 (PST)
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, cfrg@ietf.org
References: <20201216000229.GG64351@kduck.mit.edu> <CAGiyFdcaqyEhxhJTys0sZ6YvyRAZ9MM7=Kh1z2TqWVFckUrNrg@mail.gmail.com> <db703fe0-073d-07d0-3c81-c820e9497970@gmail.com> <CAGiyFdfd99MUQm1paypoGR8v1uV9f4tfKbnG51CCnMhu7VLDVA@mail.gmail.com>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <1cdfad53-eed6-e619-8ed8-a3ec5b8d5d9b@gmail.com>
Date: Wed, 16 Dec 2020 11:17:19 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
In-Reply-To: <CAGiyFdfd99MUQm1paypoGR8v1uV9f4tfKbnG51CCnMhu7VLDVA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------14BFF278FDCD7610AB5923D2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HM9oTnY5pcA7RV2gjWS8ug-Dfw0>
X-Mailman-Approved-At: Mon, 21 Dec 2020 08:58:30 -0800
Subject: Re: [CFRG] SipHash recommendation?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 16:17:28 -0000

Hi Jean-Philippe:

So, it seems your 2012 paper does not provide any evidence of the 
indistinguishability claim in the introduction hereof, but there has 
been some subsequent work in this direction (your 2019 pointers). Isn't 
an indistinguishability claim different from an attack actually building 
a distinguisher with high complexity?

Best regards, Rene

On 2020-12-16 11:05 a.m., Jean-Philippe Aumasson wrote:
> The most recent results are these 2019 works:
>
> https://eprint.iacr.org/2019/865.pdf 
> <https://eprint.iacr.org/2019/865.pdf>
> and
> https://askworkshop.github.io/ask2019/assets/slides/ask2019talk_yunwenliu.pdf 
> <https://askworkshop.github.io/ask2019/assets/slides/ask2019talk_yunwenliu.pdf>
>
> Summary tables below, where distinguishers are the type of attacks 
> related to indistinguishabilty:
>
> image.png
> image.png
>
> On Wed, Dec 16, 2020 at 4:59 PM Rene Struik <rstruik.ext@gmail.com 
> <mailto:rstruik.ext@gmail.com>> wrote:
>
>     Hi Jean-Philippe:
>
>     Section 3 of the SipHash paper [1] writes "We define SipHash-c-d
>     for smaller c and d to provide targets for cryptanalysis.
>     Cryptanalysts are thus invited to break", while Section 1 writes
>     "Our concrete proposal SipHash-2-4 was designed and evaluated to
>     be a cryptographically strong PRF (pseudorandom function), i.e.,
>     indistinguishable from a uniform random function.
>     This implies its strength as a MAC."
>
>     I am curious about the cryptanalysis that went into supporting the
>     indistinguishability claim. From a cursory look at [1] and [2] I
>     could not immediately find this.
>
>     Is indistinguishability the (or one of the) "security goals"
>     alluded to, but not mentioned, on the last slide of the
>     presentation [2]?
>
>     Best regards, Rene
>
>     Ref:
>     [1] Hash Functions - SipHash, A Fast Short-Input PRF
>     (Jean-Philippe Aumasson, Daniel Bernstein, DIAC 2012)
>     [2] https://cr.yp.to/talks/2012.12.12/slides.pdf
>     <https://cr.yp.to/talks/2012.12.12/slides.pdf>
>
>     On 2020-12-16 9:58 a.m., Jean-Philippe Aumasson wrote:
>>     SipHash co-author here, that draft uses the 2-4 versions (like
>>     the Linux kernel,
>>     https://www.kernel.org/doc/html/latest/security/siphash.html
>>     <https://www.kernel.org/doc/html/latest/security/siphash.html>),
>>     which has lower security margin than 4-8, but I’m not aware of
>>     any cryptanalysis result that would affect any of these in the
>>     context of this proposed application.
>>
>>
>>
>>     On Wed 16 Dec 2020 at 01:03, Benjamin Kaduk <kaduk@mit.edu
>>     <mailto:kaduk@mit.edu>> wrote:
>>
>>         Hi all,
>>
>>         We have a document (draft-ietf-dnsop-server-cookies) in front
>>         of the IESG
>>         that proposes to use the SipHash-2-4 algorithm
>>         (https://www.aumasson.jp/siphash/
>>         <https://www.aumasson.jp/siphash/>,
>>         https://www.aumasson.jp/siphash/siphash.pdf
>>         <https://www.aumasson.jp/siphash/siphash.pdf>) as a MAC over
>>         what is in some
>>         sense a return-routability and freshness token, the "DNS
>>         cookie" originally
>>         specified in RFC 7873.
>>
>>         Unfortunately, the authors of this draft have not yet written
>>         down a clear
>>         description of what properties they believe are needed from
>>         this MAC for
>>         this usage, which makes it slightly hard to confirm that
>>         SipHash is a
>>         suitable algorithm for this purpose, though that is certainly
>>         a question
>>         that I am interested in.
>>
>>         Regardless of that, I would also like to get the CFRG's input
>>         on whether
>>         SipHash is a suitable algorithm for its stated goals
>>         (paraphrasing
>>         slightly): a performant keyed (family of) PRF suitable for
>>         use as a MAC,
>>         with the security goal for a MAC being considered to be that
>>         an attacker,

>>         even after seeing tags for many messages (perhaps selected by the
>>         attacker), is unable to guess tags for any other messages.
>>
>>         In short: is SipHash fit for this purpose?
>>
>>         There does seem to be a decent amount of literature analyzing
>>         SipHash, but
>>         I have not attempted to review it to any significant degree.
>>
>>         Thanks,
>>
>>         Ben
>>
>>         _______________________________________________
>>         CFRG mailing list
>>         CFRG@irtf.org <mailto:CFRG@irtf.org>
>>         https://www.irtf.org/mailman/listinfo/cfrg
>>         <https://www.irtf.org/mailman/listinfo/cfrg>
>>
>>
>>     _______________________________________________
>>     CFRG mailing list
>>     CFRG@irtf.org  <mailto:CFRG@irtf.org>
>>     https://www.irtf.org/mailman/listinfo/cfrg  <https://www.irtf.org/mailman/listinfo/cfrg>
>
>
>     -- 
>     email:rstruik.ext@gmail.com  <mailto:rstruik.ext@gmail.com>  | Skype: rstruik
>     cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>

-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email