IETF Logo Mail Archive

Re: [CFRG] SipHash recommendation?

Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Wed, 16 December 2020 16:43 UTC

Return-Path: <jeanphilippe.aumasson@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 536FF3A10E8 for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2020 08:43:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.097
X-Spam-Level:
X-Spam-Status: No, score=-1.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dF-SZgh6uI1a for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2020 08:43:28 -0800 (PST)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 145183A10E6 for <cfrg@ietf.org>; Wed, 16 Dec 2020 08:43:26 -0800 (PST)
Received: by mail-lf1-x131.google.com with SMTP id m25so49926610lfc.11 for <cfrg@ietf.org>; Wed, 16 Dec 2020 08:43:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tx9tAOw6gpP4tNiMY863QtbAgbyptrUvXeGXOV93t50=; b=DT2Ay7PdTjUoVohtsr8/OZYvOxUzGI6T7nfULaNHWsQTe7YtWr+2Aulbl/dq5tmiB5 2JIYBBxtGdxuNmFyoDK6/cLJAhGe/6WhDDLrh936aLEWBqD69tfHRyorCMnIVtloPdBt YLboVL4obkqwjBINrCRe5jrrL6BgBEEgBwhEvslnXGS9sOFmJGyz4aPis+Wmj9wHYTpX bYfBZBV4YNzifHaBnqDqHo14nqwF5AfcgKIN57ALLFDwgUgHLtEiUtvVrvu1tDsT5IK/ 64w31HIlcGxAWhY3x7siaeXsj0RPOfHZPyiJor+oM3jitfbP/cSWf71jPmiJ7L/1cX++ kOOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tx9tAOw6gpP4tNiMY863QtbAgbyptrUvXeGXOV93t50=; b=TnAuAyhWDa+C3nvxQx8HYKZmHBGBkEW5qU5zwTz/BXGzPg+fBCmZWoO8uikT+H5OP0 OnaJottG55sTyTcNlJvV/RNGtlJFJXJQ9TZLtyCM6K7/BCryJXxHZ6x3xsPRDMem1It2 UtIQisSIBUCS1yN25oOMg7gIUz6Ap+FrI8NjitfL2SY8Me2tkla6kkSoK0uqA7hJRWkr NLlHBu82jX6/tFzEybpJzZFd/fv79qEiTBaZg3HWD4LkCao+8Dq06faUcPa7OO18fH1g eRjXjeQocbsWvqcZZfgX+H+pWXp2Gbrt3XqF1/J/4f76alEDmK/MsbZcbDzo75BGTKj7 sI3g==
X-Gm-Message-State: AOAM5318mLTN+6Wzm4iyZ/8NOFP/K0oGepqoFv6eQ5/6MnMwic3brfq7 Zxo8N7wTIOYOjJhpJZeogI+ViQF7FhjV9iQbKCI=
X-Google-Smtp-Source: ABdhPJy2Q3mEwBaRGZpFpCxEgPnS2rsco1JyNJ5GoCyZj4VP7DDIAT6tI4Pp/ucHRd6uY7vDoVxe9gKg6sGMQUbKr98=
X-Received: by 2002:a19:c6c1:: with SMTP id w184mr14008220lff.553.1608137004370; Wed, 16 Dec 2020 08:43:24 -0800 (PST)
MIME-Version: 1.0
References: <20201216000229.GG64351@kduck.mit.edu> <CAGiyFdcaqyEhxhJTys0sZ6YvyRAZ9MM7=Kh1z2TqWVFckUrNrg@mail.gmail.com> <db703fe0-073d-07d0-3c81-c820e9497970@gmail.com> <CAGiyFdfd99MUQm1paypoGR8v1uV9f4tfKbnG51CCnMhu7VLDVA@mail.gmail.com> <1cdfad53-eed6-e619-8ed8-a3ec5b8d5d9b@gmail.com> <CAGiyFdeiZ3OYj4OD=gXwuCv=JDW=A_+3QB8noa7yTxuYM50WRA@mail.gmail.com> <ee16188b-4ae3-a74b-a1ff-31b55c19433d@gmail.com>
In-Reply-To: <ee16188b-4ae3-a74b-a1ff-31b55c19433d@gmail.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Wed, 16 Dec 2020 17:43:13 +0100
Message-ID: <CAGiyFdem3gmXueO5Z7hGrbMLVr9EhhnBzs4fCpOj-t20ymEsGA@mail.gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, cfrg@ietf.org
Content-Type: multipart/related; boundary="000000000000e5f51705b697927a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/hRNyj__0Fy1Xb2FmJA2BXLn-_9s>
X-Mailman-Approved-At: Mon, 21 Dec 2020 08:58:31 -0800
Subject: Re: [CFRG] SipHash recommendation?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 16:43:30 -0000

This kind of claim without absolute evidence is usually how new symmetric
cryptography designs do. Unless you have a formal security proof with
reduction (rare in symkey), the best you can do is make security claims and
offer supporting arguments based on preliminary analysis and differential
cryptanalysis observations (as we have in the SipHash paper).

"I've not checked but believe": at the moment I only had time to do cursory
review and am not 100% sure of my claim's correctness, thus this
disclaimer. Sorry at the moment I don't have time to make an in-depth
review of these works.

There's been extensive discussions in the context of the Linux integration,
you may find them if you search in LKML archives.

SipHash was published in 2012 and we have evidence that some of the best
cryptanalysts in the world attempted to break it, so in my experience a
major cryptanalysis breakthrough is unlikely.







On Wed, Dec 16, 2020 at 5:34 PM Rene Struik <rstruik.ext@gmail.com> wrote:

> My point was that one should not make all kind of claims and then not
> provide any supporting evidence. (It has, sadly, been a common refrain in
> some crypto papers, where it is hard for the reader to distinguish promise
> from overpromise/hype.)
>
> In the same vain, why reference subsequent papers as purported evidence if
> one adds disclaimer language "I've not checked but believe" in.
>
> For clarity: this does not mean SipHash is necessarily suspect, but
> perhaps there are some loose ends that, by uncareful language, may or may
> not have been brushed under the carpet.
>
> Rene
>
>
> On 2020-12-16 11:22 a.m., Jean-Philippe Aumasson wrote:
>
> The security goal of a PRF is to be indistinguishable from a random
> function, according to some formal and precise definition. I've not checked
> but I believe that these papers' distinguishers fall in this category (as
> opposed, for example, to "known-key distinguishers").
>
> AFAIU, these results don't seem to violate the claim of
> indistinguishability on Siphash-2-4 or 4-8.
>
> One limitation of SipHash is its tag size (64 bits). We've a 128-bit
> version in the github repo, but it's not in the paper, and arguably less
> analyzed than the original. Linux also has this "halfsiphash".
>
> What's important to keep in mind is that SipHash is a PRF/MAC, not a hash
> function (probably bad name choice), and should thus not be used as an
> unkeyed hash (unless you dont worry about collision resistance).
>
>
>
> On Wed, Dec 16, 2020 at 5:17 PM Rene Struik <rstruik.ext@gmail.com> wrote:
>
>> Hi Jean-Philippe:
>>
>> So, it seems your 2012 paper does not provide any evidence of the
>> indistinguishability claim in the introduction hereof, but there has been
>> some subsequent work in this direction (your 2019 pointers). Isn't an
>> indistinguishability claim different from an attack actually building a
>> distinguisher with high complexity?
>>
>> Best regards, Rene
>>
>> On 2020-12-16 11:05 a.m., Jean-Philippe Aumasson wrote:
>>
>> The most recent results are these 2019 works:
>>
>> https://eprint.iacr.org/2019/865.pdf
>> and
>>
>> https://askworkshop.github.io/ask2019/assets/slides/ask2019talk_yunwenliu.pdf
>>
>> Summary tables below, where distinguishers are the type of attacks
>> related to indistinguishabilty:
>>
>> [image: image.png]
>> [image: image.png]
>>
>> On Wed, Dec 16, 2020 at 4:59 PM Rene Struik <rstruik.ext@gmail.com>
>> wrote:
>>
>>> Hi Jean-Philippe:
>>>
>>> Section 3 of the SipHash paper [1] writes "We de fine SipHash-c-d for
>>> smaller c and d to provide targets for cryptanalysis. Cryptanalysts are
>>> thus invited to break", while Section 1 writes "Our concrete proposal
>>> SipHash-2-4 was designed and evaluated to be a cryptographically strong PRF
>>> (pseudorandom function), i.e., indistinguishable from a uniform random
>>> function.
>>> This implies its strength as a MAC."
>>>
>>> I am curious about the cryptanalysis that went into supporting the
>>> indistinguishability claim. From a cursory look at [1] and [2] I could not
>>> immediately find this.
>>>
>>> Is indistinguishability the (or one of the) "security goals" alluded to,
>>> but not mentioned, on the last slide of the presentation [2]?
>>>
>>> Best regards, Rene
>>>
>>> Ref:
>>> [1] Hash Functions - SipHash, A Fast Short-Input PRF (Jean-Philippe
>>> Aumasson, Daniel Bernstein, DIAC 2012)
>>> [2] https://cr.yp.to/talks/2012.12.12/slides.pdf
>>>
>>> On 2020-12-16 9:58 a.m., Jean-Philippe Aumasson wrote:
>>>
>>> SipHash co-author here, that draft uses the 2-4 versions (like the Linux
>>> kernel,
>>> https://www.kernel.org/doc/html/latest/security/siphash.html), which
>>> has lower security margin than 4-8, but I’m not aware of any cryptanalysis
>>> result that would affect any of these in the context of this proposed
>>> application.
>>>
>>>
>>>
>>> On Wed 16 Dec 2020 at 01:03, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>
>>>> Hi all,
>>>>
>>>> We have a document (draft-ietf-dnsop-server-cookies) in front of the
>>>> IESG
>>>> that proposes to use the SipHash-2-4 algorithm
>>>> (https://www.aumasson.jp/siphash/,
>>>> https://www.aumasson.jp/siphash/siphash.pdf) as a MAC over what is in
>>>> some
>>>> sense a return-routability and freshness token, the "DNS cookie"
>>>> originally
>>>> specified in RFC 7873.
>>>>
>>>> Unfortunately, the authors of this draft have not yet written down a
>>>> clear
>>>> description of what properties they believe are needed from this MAC for
>>>> this usage, which makes it slightly hard to confirm that SipHash is a
>>>> suitable algorithm for this purpose, though that is certainly a question
>>>> that I am interested in.
>>>>
>>>> Regardless of that, I would also like to get the CFRG's input on whether
>>>> SipHash is a suitable algorithm for its stated goals (paraphrasing
>>>> slightly): a performant keyed (family of) PRF suitable for use as a MAC,
>>>> with the security goal for a MAC being considered to be that an
>>>> attacker,
>>>> even after seeing tags for many messages (perhaps selected by the
>>>> attacker), is unable to guess tags for any other messages.
>>>>
>>>> In short: is SipHash fit for this purpose?
>>>>
>>>> There does seem to be a decent amount of literature analyzing SipHash,
>>>> but
>>>> I have not attempted to review it to any significant degree.
>>>>
>>>> Thanks,
>>>>
>>>> Ben
>>>>
>>>> _______________________________________________
>>>> CFRG mailing list
>>>> CFRG@irtf.org
>>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>>
>>>
>>> _______________________________________________
>>> CFRG mailing listCFRG@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg
>>>
>>>
>>> --
>>> email: rstruik.ext@gmail.com | Skype: rstruik
>>> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>>>
>>>
>> --
>> email: rstruik.ext@gmail.com | Skype: rstruik
>> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>>
>>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>
>

v2.23.0 | Report a Bug | By Email