1
$\begingroup$

I came across a 128 bit variant of the SipHash-1-3 function (as opposed to the original 64 bit output). I tried looking for any public cryptanalysis of this function but couldn't find any. Moreover, in this particular usage of sip128-1-3 the keys are constant (k0=0, k1=0)--which to my understanding reduces the randomness.

How much do these factors reduce the function's collision-resistance?

Could you direct me to some resources that have researched this function, in case I missed it?

I'm very new to crypto, and don't have much knowledge. Is it possible for me perform some basic cryptanalysis on this function? I ran some randomness tests and the function (marginally) passed.

Thank you

Improve this question
$\endgroup$
1
  • 1
    $\begingroup$ Are you referring to this library? That may just be an API/trait consistency thing. I don't know anything about Rust. The documentation doesn't recommend using those methods. See this answer for the 128-bit version. SipHash isn't meant to be collision resistant and probably shouldn't be used outside the context of hash tables. The 128-bit variant definitely shouldn't be used if it hasn't been documented properly/peer reviewed much. $\endgroup$ Commented Apr 13 at 20:32

1 Answer 1

Reset to default
1
$\begingroup$

Moreover, in this particular usage of sip128-1-3 the keys are constant (k0=0, k1=0)--which to my understanding reduces the randomness.

What randomness and compared to what kind of random function?

When you have a static key then there cannot be any domain separation. Having a secret key, i.e. a keyed hash / PRF would mean that it is hard for an adversary to find collisions under the same key, as the adversary doesn't know the key to create the output in the first place. With a random but public key this would be possible to create a (rainbow) table and to find collisions for that specific key.

With a specific key such as an all-zero key it would be possible to do this just as easily, but the result would be applicable to all messages that use that specific key. For that specific key the function would indeed have the same message space and constantly sized output parameter as a cryptographic hash such as SHA-256.

The problem here is that the output size is way too small to be taken seriously for a cryptographic hash. As such there is no need to test SipHash as a cryptographic hash. Nobody seems to have claimed that it has collisions resistance. A 128 bit output would indicate 64 bit collision resistance for generic brute force attacks that treat the algorithm as a black box. This is far below the minimum of 128 bits of security we normally aim for. As such there is simply no incentive to study the collision resistance.

As a MAC with a random, secret key the security in bits is only slightly smaller than the size of the authentication tag, so in that case SipHash-1-3 may have enough security at around 128 bits assuming that no efficient attack is found. I'd rather opt for a well studied HMAC, CMAC or an authenticated cipher though.

Improve this answer
$\endgroup$

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.