Re: [CFRG] SipHash recommendation?
Rene Struik <rstruik.ext@gmail.com> Wed, 16 December 2020 16:34 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79C2B3A10D7 for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2020 08:34:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id taTXdDJ08WE8 for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2020 08:34:21 -0800 (PST)
Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B23433A10DA for <cfrg@ietf.org>; Wed, 16 Dec 2020 08:34:20 -0800 (PST)
Received: by mail-qv1-xf35.google.com with SMTP id h16so7196539qvu.8 for <cfrg@ietf.org>; Wed, 16 Dec 2020 08:34:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:subject:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=vGqOHt/a5EgxNcu3g0NDK8yC3kIp4y3kmXHH8dE6xEA=; b=UwpjLYO7U6ECM+AoxIlWqL+khp6Hodm1fOZb/Cpva+61T+OGDbc0Pee32MeaW0fGoj ZakZKYAqgfPDnW8lT47RFd2bBtnbnLEOTpEluZ94MhKREMa4rwyK0qIea+c6u1aQvp1O w12bLfG5jeMv5Z2eBzAKULtnbWoLytp+OohI2PJhzf1/jjowk84jF48IXE4yCkmnP4eO jAk2yr3ljiGVynfzu5nkFdh1u5Nm13d5unFeB77rSnMhnlae+vsdz3Bej6p/5L88tULB 6MfWnxd8jc6YjJadBeo5rV49Shvwx6dZaaL8YcSl12YJ2oyR/V3kT3Cz2gpVfWnkKTWL oe9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:cc:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=vGqOHt/a5EgxNcu3g0NDK8yC3kIp4y3kmXHH8dE6xEA=; b=CvZ9DGSwP1LVRDgEz2DlDKWHwEb/2uR1cG+KRhRNdp9vLyfDcKDXHyjHQNmExnMNx3 OA8C2OBDB6Ttardckj0HPStUS4mWvRGMqD8oqnJVbkk3LJC94i2OMXLHBwxdWYPZIlIi g50py51NpvWbyyxd+h+oN0hU6fesLxUlUzogQr2CFaWSkU8NGwtp1lgXKo0GCkdSSJpT JfwK7QQ+7iik3hK8kkkh1YfLuLVzzEG0m6lkrC8L7Ex/QybhBo6QE6S0IXnfFYe5AAuc gn5w2IB04gkEpp8xkvpxrxjc1uNGRgw6x3KNT9C9owRvA71Ah4O3mT7iyoW0+8BI913A qOKg==
X-Gm-Message-State: AOAM533YGITDFLeUajG8p8CskOWMR7pzpM6DvKhz2KAQzdiEs+vJnCd2 DoE0eLgYU6PiFhPVUOlYp1biqXhRTxw=
X-Google-Smtp-Source: ABdhPJwhp/903TlGqgjvKawKQYkOqfUvsVg5PT8BmceN6qSnwOpHXFYReCRtn0JIqcLrHC1u3s1/KA==
X-Received: by 2002:a0c:8485:: with SMTP id m5mr42104927qva.39.1608136458453; Wed, 16 Dec 2020 08:34:18 -0800 (PST)
Received: from ?IPv6:2607:fea8:8a0:1397:41ad:2c35:b491:93a2? ([2607:fea8:8a0:1397:41ad:2c35:b491:93a2]) by smtp.gmail.com with ESMTPSA id a9sm1270593qtm.80.2020.12.16.08.34.17 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 16 Dec 2020 08:34:17 -0800 (PST)
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, cfrg@ietf.org
References: <20201216000229.GG64351@kduck.mit.edu> <CAGiyFdcaqyEhxhJTys0sZ6YvyRAZ9MM7=Kh1z2TqWVFckUrNrg@mail.gmail.com> <db703fe0-073d-07d0-3c81-c820e9497970@gmail.com> <CAGiyFdfd99MUQm1paypoGR8v1uV9f4tfKbnG51CCnMhu7VLDVA@mail.gmail.com> <1cdfad53-eed6-e619-8ed8-a3ec5b8d5d9b@gmail.com> <CAGiyFdeiZ3OYj4OD=gXwuCv=JDW=A_+3QB8noa7yTxuYM50WRA@mail.gmail.com>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <ee16188b-4ae3-a74b-a1ff-31b55c19433d@gmail.com>
Date: Wed, 16 Dec 2020 11:34:15 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
In-Reply-To: <CAGiyFdeiZ3OYj4OD=gXwuCv=JDW=A_+3QB8noa7yTxuYM50WRA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------9E190D4717DB8382E58C7096"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ncARxoMJm2POsGObPTLdKCkpYjs>
X-Mailman-Approved-At: Mon, 21 Dec 2020 08:58:30 -0800
Subject: Re: [CFRG] SipHash recommendation?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 16:34:24 -0000
My point was that one should not make all kind of claims and then not provide any supporting evidence. (It has, sadly, been a common refrain in some crypto papers, where it is hard for the reader to distinguish promise from overpromise/hype.) In the same vain, why reference subsequent papers as purported evidence if one adds disclaimer language "I've not checked but believe" in. For clarity: this does not mean SipHash is necessarily suspect, but perhaps there are some loose ends that, by uncareful language, may or may not have been brushed under the carpet. Rene On 2020-12-16 11:22 a.m., Jean-Philippe Aumasson wrote: > The security goal of a PRF is to be indistinguishable from a random > function, according to some formal and precise definition. I've not > checked but I believe that these papers' distinguishers fall in this > category (as opposed, for example, to "known-key distinguishers"). > > AFAIU, these results don't seem to violate the claim of > indistinguishability on Siphash-2-4 or 4-8. > > One limitation of SipHash is its tag size (64 bits). We've a 128-bit > version in the github repo, but it's not in the paper, and arguably > less analyzed than the original. Linux also has this "halfsiphash". > > What's important to keep in mind is that SipHash is a PRF/MAC, not a > hash function (probably bad name choice), and should thus not be used > as an unkeyed hash (unless you dont worry about collision resistance). > > > > On Wed, Dec 16, 2020 at 5:17 PM Rene Struik <rstruik.ext@gmail.com > <mailto:rstruik.ext@gmail.com>> wrote: > > Hi Jean-Philippe: > > So, it seems your 2012 paper does not provide any evidence of the > indistinguishability claim in the introduction hereof, but there > has been some subsequent work in this direction (your 2019 > pointers). Isn't an indistinguishability claim different from an > attack actually building a distinguisher with high complexity? > > Best regards, Rene > > On 2020-12-16 11:05 a.m., Jean-Philippe Aumasson wrote: >> The most recent results are these 2019 works: >> >> https://eprint.iacr.org/2019/865.pdf >> <https://eprint.iacr.org/2019/865.pdf> >> and >> https://askworkshop.github.io/ask2019/assets/slides/ask2019talk_yunwenliu.pdf >> <https://askworkshop.github.io/ask2019/assets/slides/ask2019talk_yunwenliu.pdf> >> >> Summary tables below, where distinguishers are the type of >> attacks related to indistinguishabilty: >> >> image.png >> image.png >> >> On Wed, Dec 16, 2020 at 4:59 PM Rene Struik >> <rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>> wrote: >> >> Hi Jean-Philippe: >> >> Section 3 of the SipHash paper [1] writes "We de fine >> SipHash-c-d for smaller c and d to provide targets for >> cryptanalysis. Cryptanalysts are thus invited to break", >> while Section 1 writes "Our concrete proposal SipHash-2-4 was >> designed and evaluated to be a cryptographically strong PRF >> (pseudorandom function), i.e., indistinguishable from a >> uniform random function. >> This implies its strength as a MAC." >> >> I am curious about the cryptanalysis that went into >> supporting the indistinguishability claim. From a cursory >> look at [1] and [2] I could not immediately find this. >> >> Is indistinguishability the (or one of the) "security goals" >> alluded to, but not mentioned, on the last slide of the >> presentation [2]? >> >> Best regards, Rene >> >> Ref: >> [1] Hash Functions - SipHash, A Fast Short-Input PRF >> (Jean-Philippe Aumasson, Daniel Bernstein, DIAC 2012) >> [2] https://cr.yp.to/talks/2012.12.12/slides.pdf >> <https://cr.yp.to/talks/2012.12.12/slides.pdf> >> >> On 2020-12-16 9:58 a.m., Jean-Philippe Aumasson wrote: >>> SipHash co-author here, that draft uses the 2-4 versions >>> (like the Linux kernel, >>> https://www.kernel.org/doc/html/latest/security/siphash.html >>> <https://www.kernel.org/doc/html/latest/security/siphash.html>), >>> which has lower security margin than 4-8, but I’m not aware >>> of any cryptanalysis result that would affect any of these >>> in the context of this proposed application. >>> >>> >>> >>> On Wed 16 Dec 2020 at 01:03, Benjamin Kaduk <kaduk@mit.edu >>> <mailto:kaduk@mit.edu>> wrote: >>> >>> Hi all, >>> >>> We have a document (draft-ietf-dnsop-server-cookies) in >>> front of the IESG >>> that proposes to use the SipHash-2-4 algorithm >>> (https://www.aumasson.jp/siphash/ >>> <https://www.aumasson.jp/siphash/>, >>> https://www.aumasson.jp/siphash/siphash.pdf >>> <https://www.aumasson.jp/siphash/siphash.pdf>) as a MAC >>> over what is in some >>> sense a return-routability and freshness token, the "DNS >>> cookie" originally >>> specified in RFC 7873. >>> >>> Unfortunately, the authors of this draft have not yet >>> written down a clear >>> description of what properties they believe are needed >>> from this MAC for >>> this usage, which makes it slightly hard to confirm that >>> SipHash is a >>> suitable algorithm for this purpose, though that is >>> certainly a question >>> that I am interested in. >>> >>> Regardless of that, I would also like to get the CFRG's >>> input on whether >>> SipHash is a suitable algorithm for its stated goals >>> (paraphrasing >>> slightly): a performant keyed (family of) PRF suitable >>> for use as a MAC, >>> with the security goal for a MAC being considered to be >>> that an attacker, >>> even after seeing tags for many messages (perhaps >>> selected by the >>> attacker), is unable to guess tags for any other messages. >>> >>> In short: is SipHash fit for this purpose? >>> >>> There does seem to be a decent amount of literature >>> analyzing SipHash, but >>> I have not attempted to review it to any significant degree. >>> >>> Thanks, >>> >>> Ben >>> >>> _______________________________________________ >>> CFRG mailing list >>> CFRG@irtf.org <mailto:CFRG@irtf.org> >>> https://www.irtf.org/mailman/listinfo/cfrg >>> <https://www.irtf.org/mailman/listinfo/cfrg> >>> >>> >>> _______________________________________________ >>> CFRG mailing list >>> CFRG@irtf.org <mailto:CFRG@irtf.org> >>> https://www.irtf.org/mailman/listinfo/cfrg <https://www.irtf.org/mailman/listinfo/cfrg> >> >> >> -- >> email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik >> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 >> > > -- > email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
- [CFRG] SipHash recommendation? Benjamin Kaduk
- Re: [CFRG] SipHash recommendation? Jean-Philippe Aumasson
- Re: [CFRG] SipHash recommendation? Rene Struik
- Re: [CFRG] SipHash recommendation? Jean-Philippe Aumasson
- Re: [CFRG] SipHash recommendation? Rene Struik
- Re: [CFRG] SipHash recommendation? Jean-Philippe Aumasson
- Re: [CFRG] SipHash recommendation? Rene Struik
- Re: [CFRG] SipHash recommendation? Jean-Philippe Aumasson