SipHash

SipHash is an Add-Rotate-Xor (ARX) based family of pseudorandom functions created by Jean-Philippe Aumasson and Daniel J. Bernstein in 2012,^[1] in response to a spate of "hash flooding" denial-of-service attacks in late 2011.^[2]

Although designed for use as a hash function in the computer science sense, SipHash is a fundamentally different from cryptographic hash functions like SHA in that it is only suitable as a message authentication code: a keyed hash function like HMAC. That is, SHA is designed so that it is difficult for an attacker to find two messages X and Y such that SHA(X) = SHA(Y), even though anyone may compute SHA(X). SipHash instead guarantees that, having seen X_i and SipHash(X_i, k), an attacker who does not know the key k cannot find (any information about) k or SipHash(Y, k) for any message Y ∉ {X_i} which they have not seen before.

Overview

SipHash computes 64-bit message authentication code from a variable-length message and 128-bit secret key. It was designed to be efficient even for short inputs, with performance comparable to non-cryptographic hash functions, such as CityHash,^[1] thus can be used to prevent denial-of-service attacks against hash tables ("hash flooding"),^[3] or to authenticate network packets.

An unkeyed hash function such as SHA is only collision-resistant if the entire output is used. If used to generate a small output, such as an index into a hash table of practical size, then no algorithm can prevent collisions; an attacker need only make as many attempts as there are possible outputs.

For example, suppose a network server is designed to be able to handle up to a million requests at once. It keeps track of incoming requests in a hash table with two million entries, using a hash function to map identifying information from each request to one of the two million possible table entries. An attacker who knows the hash function need only feed it arbitrary inputs; one out of two million will have a specific hash value. If the attacker now sends a few hundred requests all chosen to have the same hash value to the server, that will produce a large number of hash collisions, slowing (or possibly stopping) the server with an effect similar to a packet flood of many million requests.^[4]

By using a key unknown to the attacker, a keyed hash function like SipHash prevents this sort of attack. While it is possible to add a key to an unkeyed hash function (HMAC is a popular technique), SipHash is much more efficient.

Functions in SipHash family are specified as SipHash-c-d, where c is the number of rounds per message block and d is the number of finalization rounds. The recommended parameters are SipHash-2-4 for best performance, and SipHash-4-8 for conservative security.

The reference implementation was released as public domain software under the CC0.^[5]

Criticism

Reini Urban, who maintains an improved fork of SMHasher (which tests many hashes for speed and quality), has stated that "the usage of siphash for their hash table [...] is pure security theatre. siphash is not secure enough for security purposes and not fast enough for general usage."^[6] Urban goes on to conclude that the security claims for SipHash are overstated and that "attack avoidance cannot not be the problem of the hash function, but the hash table collision resolution scheme".

Specifically, the complaint is that an attacker can often detect collisions via a timing channel. Simply generating many keys and observing how long the hash table access takes allows one to find collisions in any hash function (even an ideal random oracle) with a practical number of queries.

Usage

SipHash is used in hash table implementations of various software:^[7]

• Perl (available as compile-time option)^[8]
• Python (starting in version 3.4)^[9]
• Ruby
• Rust ^[10]
• systemd ^[11]
• OpenDNS
• Haskell
• OpenBSD

Native Implementations

• C++
• Rust
• Crypto++
• C#
• Haskell
• JavaScript
• VHDL
• Go

See also

• Cryptographic hash function
• Hash function
• Message authentication code
• List of hash functions

References

1. Jean-Philippe Aumasson; Daniel J. Bernstein (2012-09-18). "SipHash: a fast short-input PRF" (PDF). {{cite web}}: Unknown parameter |lastauthoramp= ignored (|name-list-style= suggested) (help)
2. Lennon, Mike (28 December 2011). "Hash Table Vulnerability Enables Wide-Scale DDoS Attacks". SecurityWeek.
3. Aumasson, Jean-Philippe; Bernstein, Daniel J.; Boßlet, Martin (6–8 Nov 2012). Hash-flooding DoS reloaded: attacks and defenses (PDF). Application Security Forum - Western Switzerland 2012.
4. Crosby, Scott A.; Wallach, Dan S. (6 August 2003). Denial of Service via Algorithmic Complexity Attacks (PDF). Usenix Security Symposium. Washington, D.C.
5. siphash "Intellectual property: We aren't aware of any patents or patent applications relevant to SipHash, and we aren't planning to apply for any. The reference code of SipHash is released under CC0 license, a public domain-like license."
6. "SIPHash Security Theater".
7. Jean-Philippe Aumasson; Daniel J. Bernstein. "SipHash: a fast short-input PRF, Users".
8. "Perl security – Algorithmic Complexity Attacks".
9. Christian Heimes. "PEP 456 -- Secure and interchangeable hash algorithm". Retrieved 20 November 2013.
10. Graydon Hoare. "Add core::hash containing SipHash-2-4 implementation. Re: #1616 and #859". Retrieved 4 December 2014.
11. Lennart Poettering. "shared: switch our hash table implementation over to SipHash". Retrieved 4 December 2014.

External links

• Jean-Philippe Aumasson; Daniel J. Bernstein. "SipHash: a fast short-input PRF - Project Page".

• Jean-Philippe Aumasson; Daniel J. Bernstein (2012-09-18). "SipHash: a fast short-input PRF" (PDF). {{cite web}}: Unknown parameter |lastauthoramp= ignored (|name-list-style= suggested) (help)

• Jean-Philippe Aumasson; Daniel J. Bernstein (2012-08-15). "SipHash: a fast short-input PRF - Presentation slides" (PDF).

• Jean-Philippe Aumasson; Daniel J. Bernstein; Martin Boßlet (2012-12-29). "Hash-flooding DoS reloaded: attacks and defenses (video)".