Improved Cryptanalysis on SipHash

Abstract

SipHash is an ARX-based pseudorandom function designed by Aumasson and Bernstein for short message inputs. Recently, Ashur et al. proposed an efficient analysis method against ARX algorithm—“Rotational-XOR cryptanalysis”. Inspired by their work, we mount differential and Rotational-XOR cryptanalysis on two instances of SipHash-1-x and SipHash-2-x in this paper, where SipHash-1-x (or SipHash-2-x) represents the Siphash instance with one (or two) compression round and x finalization rounds. Firstly, we construct the search model for colliding characteristic and RX-colliding characteristic on SipHash. Based on the model, we find the colliding characteristics and RX-colliding characteristics of SipHash by the SMT-based automatic search tool. Moreover, we give a formula for the selection of initial constants to improve the resistance of Siphash against Rotational-XOR cryptanalysis to make the algorithm safer. In addition, we find an RX-colliding characteristic with probability 2-93.6 for a revised version of SipHash-1-x with one message block, and an RX-colliding characteristic with probability 2-160 for a revised version of SipHash-1-x with two message blocks. With the SMT-based technique, which outputs one message pair of the RX-collision if the given characteristic has a nonzero probability. Finally, with the RX-colliding characteristic we found earlier, we give the RX-collision with message pair and key of a revised version of SipHash-1-x with one message block.