Siphash: a Fast Short-Input PRF
SipHash is a family of pseudorandom functions (a.k.a. keyed hash functions) optimized for speed on short messages. Target applications include network traffic authentication and defense against hash-flooding DoS attacks.

SipHash is secure, fast, and simple (for real):

- SipHash is simpler and faster than previous cryptographic algorithms (e.g. MACs based on universal hashing)
- SipHash is competitive in performance with insecure non-cryptographic algorithms (e.g. MurmurHash)

We propose that hash tables switch to SipHash as a hash function. Users of SipHash already include FreeBSD, OpenDNS, Perl 5, Ruby, and Rust.

The original SipHash returns 64-bit strings. A version returning 128-bit strings was later created, based on demand from users.

Intellectual property: We aren't aware of any patents or patent applications relevant to SipHash, and we aren't planning to apply for any. The reference code of SipHash is released under the CC0 license, a public-domain-like license.

SipHash was designed by

- Jean-Philippe Aumasson (Kudelski Security, Switzerland)
- Daniel J. Bernstein (University of Illinois at Chicago, USA)

Contact: [email protected] [email protected]

Downloads

- Research paper "SipHash: a fast short-input PRF" (accepted for presentation at the DIAC workshop and at INDOCRYPT 2012)
- Slides of the presentation of SipHash at INDOCRYPT 2012 (Bernstein)
- Slides of the presentation of SipHash at DIAC (Aumasson)
- Reference C implementation

Attacks

Jointly with Martin Boßlet, we demonstrated weaknesses in MurmurHash (used in Ruby, Java, etc.), CityHash (used at Google), and in Python's hash. Some of the technologies affected have switched to SipHash.

See this oCERT advisory, and the following resources:

- Slides of the presentation "Hash-flooding DoS reloaded: attacks and defenses" at the 29th Chaos Communication Congress (Aumasson, Bernstein, Boßlet)
- Slides of the presentation "Hash-flooding DoS reloaded: attacks and defenses" at Application Security Forum Western Switzerland 2012 (Aumasson, Boßlet)
- Proof-of-concept code for CRuby, JRuby, Rubinius, and Java
- C++ program to find universal (key-independent) multicollisions for CityHash64
- C++ program to find universal (key-independent) multicollisions for MurmurHash2
- C++ program to find universal (key-independent) multicollisions for MurmurHash3
- Python script to recover the secret seed of the hash randomization in Python 2.7.3 and 3.2.3

Users

Users of SipHash include:

- OpenSSL: libcrypto includes SipHash
- Sodium: SipHash-2-4 is the "shorthash" function in libsodium
- Rust: SipHash-2-4 is used in the hash tables implementation of this "safe, concurrent, practical language" developed by Mozilla (patch, sip.rs)
- Python: SipHash-2-4 is used as hash() "on all major platforms" (patch, PEP)
- WireGuard: SipHash-2-4 is used in hash tables of the WireGuard VPN
- Expat: libexpat uses SipHash in its XML parser
- Bloomberg: SipHash-2-4 is one of the hashes in Bloomberg's Basic Development Environment (documentation, code)
- OpenBSD: SipHash-2-4 and SipHash-4-8 have been committed under sys/crypto, and SipHash-2-4 is to be used in the in_pcb hashing and in other places
- Shardmap: SipHash-2-4 is the hash function of this directory indexing system, "the designated successor of HTree"
- SoundHound, which "makes heavy use" of SipHash
- FreeBSD: SipHash-2-4 is used to protect SYN cookies from forgeries (code, revision)
- Hashable: SipHash-2-4 is used to hash objects in this Haskell package, part of the Haskell Platform (blog)
- Rubinius: SipHash-2-4 is used in the hash tables implementation (commit)
- JRuby: SipHash-2-4 is the optional algorithm in the hash tables implementation (commit)
- Perl 5: SipHash-2-4 is optional in Perl builds (commit, code)
- Redis: SipHash-2-4 is used in the hash tables implementation of this advanced key-value data store (pull request)
- Ruby: SipHash-2-4 is used in the hash tables implementation (vulnerability report, changelog)
- OpenDNS: SipHash-2-4 is used in the dnscache instances of all OpenDNS resolvers (patch)

Cryptanalysis

- 2014 Sep 16: Christoph Dobraunig, Florian Mendel, Martin Schläffer. Differential Cryptanalysis of SipHash. IACR ePrint archive, report 2014/722.

Third-party implementations

- 2016 Aug 2: Pavel Werl. siphash. Main result: C# implementation
- 2016 Mar 21: Sedat Kapanoglu. HashDepot. Main result: C# implementation for .NET
- 2016 Mar 3: Frank Denis. siphash-avx2. Main result: C version of the C++ AVX2 implementation
- 2016 Mar 2: Jan Wassenberg and Jyrki Alakuijala. highwayhash. Main result: C++ implementation using AVX2, tree-based version
- 2016 Feb 23: Joel Holdsworth. siphashsum. Main result: command line utility
- 2015 Mar 6: InfraRuby Vision. siphash-ir. Main result: InfraRuby implementation
- 2015 Feb 13: Pedro Emílio Machado de Brito. siphash. Main result: VHDL implementation
- 2014 Sep 6: Damian Gryski. SipHash. Main result: Go interface to SipHash assembly
- 2014 Feb 8: Sylvain Laperche. SipHash. Main result: Ada implementation
- 2014 Jan 19: Twoje radio. siple. Main result: C++ implementation
- 2013 Aug 8: Evan Hanson. siphash. Main result: Scheme implementation
- 2013 Jul 6: Sebastian Gesemann. siphashxx. Main result: C++ implementation
- 2013 Jun 13: Matthew Ford. SipHash Java Library. Main result: streaming Java implementation
- 2013 Jun 10: Matthew Ford. SipHash Library for Arduino. Main result: streaming implementation for Arduino (C++, assembler)
- 2013 Apr 7: Joachim Strömbergson. siphash_6502. Main result: MOS6502 8-bit assembler implementation
- 2013 Feb 18: Dan Kogai. p5-digest-siphash. Main result: Perl implementation (C binding and pure Perl)
- 2013 Feb 6: Marek Majkowski. Bitsliced SipHash. Main result: bitsliced C implementation
- 2013 Feb 6: Marek Majkowski. csiphash. Main result: C implementation
- 2013 Feb 6: Marek Majkowski. pysiphash. Main result: Python implementation
- 2013 Feb 3: Philipp Jovanovic. siphash. Main result: Python implementation
- 2013 Jan 25: Ulrik Sverdrup. siphash. Main result: SipHash C module in the Comprehensive C Archive Network
- 2013 Jan 16: Joachim Strömbergson. siphash_core. Main result: Verilog 2001 implementation of SipHash
- 2012 Dec 19: Clifford Hammerschmidt. ch-siphash. Main result: C# implementation (package)
- 2012 Dec 16: Bo Zhu. siphash-python. Main result: Python implementation
- 2012 Dec 4: Masahiro Nakagawa. siphash-d. Main result: D implementation
- 2012 Nov 6: Hiroshi Nakamura. siphash-java-inline. Main result: Java implementation (inline rounds)
- 2012 Nov 6: William Ahern. siphash.h: SipHash-2-4. Main result: C implementation (static inline, macro based)
- 2012 Nov 6: Gregory Petrosyan. siphash. Main result: C implementation (simple, compact)
- 2012 Oct 4: Brian S. Julin. SipHash.pm6. Main result: Perl 6 implementation
- 2012 Oct 2: Bryan O'Sullivan. SipHash.hs. Main result: Haskell implementation
- 2012 Aug 8: Damian Gryski. siphash-rust. Main result: Rust implementation
- 2012 Jul 4: Samuel Neves. Main result: C implementations "little", "mmx", "sse2-1", "sse41" (available in SUPERCOP)
- 2012 Jun 29: David Lazar. siphash-cryptol. Main result: Cryptol implementation
- 2012 Jun 28: Frank Denis. siphash-erlang. Main result: Erlang NIF wrapper
- 2012 Jun 26: Brandon Haynes. siphash-chsarp. Main result: C# implementation (streaming and one-pass modes)
- 2012 Jun 24: Vincent Hanquez. hs-siphash. Main result: Haskell implementation
- 2012 Jun 24: Martin Boßlet. siphash-ruby. Main result: Ruby implementation
- 2012 Jun 24: Martin Boßlet. siphash-java. Main result: Java implementation
- 2012 Jun 23: Robert Brown. sip-hash. Main result: Lisp implementation
- 2012 Jun 23: Martin Boßlet. siphash-c. Main result: C implementation (streaming and one-pass modes)
- 2012 Jun 23: Frank Denis. siphash-js. Main result: JavaScript implementation
- 2012 Jun 23: Frank Denis. siphash-php. Main result: PHP extension (using Floodyberry's C)
- 2012 Jun 21: Floodyberry. siphash. Main result: C implementation (using SSE2 and SSSE3 extensions)
- 2012 Jun 20: Dmitry Chestnykh. siphash. Main result: Go implementation