siphash a fast short input prf
play

SipHash: a fast short-input PRF Jean-Philippe Aumasson, Daniel J. - PowerPoint PPT Presentation

May 11, 2023 •180 likes •620 views

SipHash: a fast short-input PRF Jean-Philippe Aumasson, Daniel J. Bernstein SipHash: a fast short-input MAC Jean-Philippe Aumasson, Daniel J. Bernstein UMAC (Black, Halevi, Krawczyk, Krovetz, Rogaway; 2000)

  1. SipHash: a fast short-input PRF Jean-Philippe Aumasson, Daniel J. Bernstein

  2. SipHash: a fast short-input MAC Jean-Philippe Aumasson, Daniel J. Bernstein

  3. UMAC (Black, Halevi, Krawczyk, Krovetz, Rogaway; 2000) http://fastcrypto.org/umac/update.pdf 1 cycle/byte on a Pentium III !

  4. UMAC(m) = H(k1, m) ⊕ AES(k2, n)

  5. UMAC’s universal hash Polynomial-evaluation using 64-bit multipliers with Horner’s rule

  6. UMAC fast C implementation 2000+ LoC (without AES) Not portable

  7. http://fastcrypto.org/umac/2004/src/umac.c

  8. UMAC uses a PRG to expand the key to 33280 bits

  9. RFC4418 replaces UMAC’s PRG with an AES-based KDF...

  10. … and uses AES and this KDF in a “Pad - Derivation Function”

  11. Not so simple

  12. SipHash Simple ARX round function Simple JH-like message injection No key expansion No external primitive No state between messages

  13. SipHash initialization 256-bit state v0 v1 v2 v3 128-bit key k0 k1 v0 = k0 ⊕ 736f6d6570736575 v1 = k1 ⊕ 646f72616e646f6d v2 = k0 ⊕ 6c7967656e657261 v3 = k1 ⊕ 7465646279746573

  14. SipHash initialization 256-bit state v0 v1 v2 v3 128-bit key k0 k1 v0 = k0 ⊕ “somepseu” v1 = k1 ⊕ “dorandom” v2 = k0 ⊕ “lygenera” v3 = k1 ⊕ “tedbytes”

  15. SipHash compression Message parsed as 64-bit words m0 , m1 , … v3 ⊕ = m0 c iterations of SipRound v0 ⊕ = m0

  16. SipHash compression Message parsed as 64-bit words m0 , m1 , … v3 ⊕ = m1 c iterations of SipRound v0 ⊕ = m1

  17. SipHash compression Message parsed as 64-bit words m0 , m1 , … v3 ⊕ = m2 c iterations of SipRound v0 ⊕ = m2

  18. SipHash compression Message parsed as 64-bit words m0 , m1 , … Etc .

  19. SipRound

  20. SipHash finalization v2 ⊕ = 255 d iterations of SipRound Return v0 ⊕ v1 ⊕ v2 ⊕ v3

  21. SipHash-2-4 hashing 15 bytes

  22. Family SipHash- c - d Fast proposal: SipHash- 2 - 4 Conservative proposal: SipHash- 4 - 8 Weaker versions for cryptanalysis: SipHash-1-0, SipHash-2-0, etc. SipHash-1-1, SipHash-2-1, etc. Etc.

  23. (Many) short inputs?

  25. Hash tables h = {} # empty table h[‘foo’] = ‘bar’ # insert ‘bar’ Print h[‘foo’] # lookup Non- crypto functions to produce ‘foo’: for (; nKeyLength > 0; nKeyLength -=1) { hash = ((hash << 5) + hash) + *arKey++; }

  26. Hash flooding attacks Multicollisions forcing worst-case complexity of Θ (n 2 ), instead of Θ (n) [when table implemented as linked lists]

  27. djbdns/cache.c, 1999

  28. USENIX 2003 Vulnerabilities in Perl, web proxy, IDS

  29. CCC 2011 Affected: PHP, ASP.net, Python, etc.

  31. How short? OpenDNS cache: 27 bytes on average Ruby on Rails web application: <20 bytes

  32. Why SipHash? Minimizes hash flooding → impact limited to sqrt(communication) Well-defined security goal (PRF) Competitive in speed with non-crypto hashes

  33. How fast? SipHash-2-4 on an AMD Athlon II Neo Byte length 8 16 32 64 Cycles 123 134 158 204 (per byte) (15.38) (8.38) (4.25) (3.19) Long data: 1.44 cycles/byte

  36. amd64; K10 45nm; 2010 AMD Phenom II X6 1090T

  37. x86; K10 45nm; 2010 AMD Phenom II X6 1090T

  38. Cryptanalysis

  39. Generic attacks ≈ 2 128 key recovery ≈ 2 192 state recovery ≈ 2 128 internal-collision forgeries ≈ 2 s forgery attack with success probability 2 s-64

  40. Characteristic verified with ARXtools http://www.di.ens.fr/~leurent/arxtools.html

  41. Proof of insecurity SipRound( 0 ) = 0 That is, SipRound is not ideal Therefore SipHash is insecure

  42. Proof of simplicity June 20 : paper published online June 28 : 18 third-party implementations C (Floodyberry, Boßlet, Neves); C# (Haynes) Cryptol (Lazar); Erlang , Javascript , PHP (Denis) Go (Chestnykh); Haskell (Hanquez); Java , Ruby (Boßlet); Lisp (Brown);

  43. More on SipHash: http://131002.net/siphash Thanks to all implementers!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SipHash: a fast short-input PRF D. J. Bernstein, University of Illinois at Chicago &amp;

SipHash: a fast short-input PRF D. J. Bernstein, University of Illinois at Chicago &amp;

SipHash: a fast short-input PRF D. J. Bernstein, University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Joint work with: Jean-Philippe Aumasson, Kudelski Security (NAGRA) https://131002.net/siphash/ Advertisement:

578 views • 28 slides
SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky

SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky

SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky Department of Computer Science Rochester Institute of Technology Agenda SipHash Boolean Satisfiability Problem SAT Solver Attack

621 views • 35 slides
Opportunities for Crystal Acceleration Research at FAST Vladimir SHILTSEV , with input from

Opportunities for Crystal Acceleration Research at FAST Vladimir SHILTSEV , with input from

Opportunities for Crystal Acceleration Research at FAST Vladimir SHILTSEV , with input from Sergey Striganov IOTA/FAST Collaboration Meeting and Workshop on High Intensity Beams in rings June 12, 2019 - Fermilab Motivation: Ultimate

490 views • 38 slides
The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J.

The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J.

The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J. Bernstein Each number in 1 2 represented in binary. Thanks to: University of Illinois at Chicago Output:

786 views • 67 slides
Evaluating short term tourism economic impacts: Factors to consider under an Input Output

Evaluating short term tourism economic impacts: Factors to consider under an Input Output

Presentation at the University of Las Palmas de Gran Canaria, Spain Evaluating short term tourism economic impacts: Factors to consider under an Input Output Model Dr. Ya Yen Sun Department of Kinesiology, Health and Leisure Studies,

564 views • 35 slides
Short-Maturity Asymptotics for Fast Mean-Reverting Stochastic Volatility Models Jean-Pierre

Short-Maturity Asymptotics for Fast Mean-Reverting Stochastic Volatility Models Jean-Pierre

Short-Maturity Asymptotics for Fast Mean-Reverting Stochastic Volatility Models Jean-Pierre Fouque University of California Santa Barbara Joint work with Jin Feng (Kansas Univ.) and Martin Forde (Dublin City Univ.) Conference on small time

704 views • 46 slides
Efficient Generation of Short and Fast Repeater Tree Topologies Christoph Bartoschek, Dieter

Efficient Generation of Short and Fast Repeater Tree Topologies Christoph Bartoschek, Dieter

Efficient Generation of Short and Fast Repeater Tree Topologies Christoph Bartoschek, Dieter Rautenbach, Jens Vygen, Stephan Held Research Institute for Discrete Mathematics University of Bonn Aussois, 2006 The Repeater Tree Problem source

659 views • 32 slides
Efficient Generation of Short and Fast Repeater Tree Topologies Christoph Bartoschek, Stephan

Efficient Generation of Short and Fast Repeater Tree Topologies Christoph Bartoschek, Stephan

Efficient Generation of Short and Fast Repeater Tree Topologies Christoph Bartoschek, Stephan Held, Dieter Rautenbach, Jens Vygen Research Institute for Discrete Mathematics University of Bonn 11. April 2006 Outline Repeater Tree Problem

1.05k views • 29 slides
Consulted key stakeholders Report: regulations Nov and Dec 2017 Understanding short-term

Consulted key stakeholders Report: regulations Nov and Dec 2017 Understanding short-term

Proposed Rules for Short-term Rentals Presentation - September 2017 Agenda 1. How we got here 2. Background on short-term rentals 3. Proposed regulations 4. How you can provide input How we got here Council directive Jan 2016 Staff

191 views • 6 slides
Short-output universal hash functions &amp; their use in fast and secure data authentication

Short-output universal hash functions &amp; their use in fast and secure data authentication

Short-output universal hash functions &amp; their use in fast and secure data authentication Long Nguyen and Bill Roscoe Oxford University Department of Computer Science -almost universal hash functions (UHF) Definition : given R is the set

515 views • 22 slides
DNA sequencing applica0ons: iden0fying gene0c varia0on Short sequencing

DNA sequencing applica0ons: iden0fying gene0c varia0on Short sequencing

DNA sequencing applica0ons: iden0fying gene0c varia0on Short sequencing reads from an individual Sequence from the reference genome Short read alignment problem INPUT: A few million

343 views • 13 slides
CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu,

CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu,

CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. FSE 2014 March 3, 2014, London, UK 1 Outline A new

668 views • 33 slides
The Endocrine System Nervous system short term/ fast Endocrine system long

The Endocrine System Nervous system short term/ fast Endocrine system long

HIHIM 409 Interrelationship between nervous and endocrine system The Endocrine System Nervous system short term/ fast Endocrine system long term/slow l / l http://www.youtube.com/watch?v=Ry5fTZfZHIs&amp;feature=related

362 views • 18 slides
Survey results slow/ fast/ easy/ difficult/ just short long right (-1) (+1) average (0)

Survey results slow/ fast/ easy/ difficult/ just short long right (-1) (+1) average (0)

too too Survey results slow/ fast/ easy/ difficult/ just short long right (-1) (+1) average (0) Pace of lectures 4 3 37 -0.01 Difficulty of material in class 1 8 33 0.17 Difficulty of in-class quizzes 2 3 37 0.03

524 views • 10 slides
The dream TDAQ Powerful intelligent algorithms Sophisticated algorithms

The dream TDAQ Powerful intelligent algorithms Sophisticated algorithms

Tools (e.g. for streaming DAQ, fast ML, automation/self running DAQ,) Mia Liu, Nhan Tran, Fermilab + input from many in Fast ML and broader community! DOE Basic Research Needs Study (Community meeting for TDAQ) In partnership with: December

468 views • 13 slides
Community Update MST T Fast st Facts cts MST T Fast st Facts cts MST T Fast st Facts

Community Update MST T Fast st Facts cts MST T Fast st Facts cts MST T Fast st Facts

Monter nterey-Sali Salinas nas Transit ansit Community Update MST T Fast st Facts cts MST T Fast st Facts cts MST T Fast st Facts cts MST T Fast ast Facts acts 231,706 miles between preventable accidents 89% on time

198 views • 19 slides
ASP.NET MVC / Ruby on Rails Death Match Saturday, October 6, 12 1 ASP .NET MVC / R

ASP.NET MVC / Ruby on Rails Death Match Saturday, October 6, 12 1 ASP .NET MVC / R

ASP.NET MVC / Ruby on Rails Death Match Saturday, October 6, 12 1 ASP .NET MVC / R UBY ON R AILS D EATH M ATCH James Kovacs Technical Evangelist, JetBrains @jameskovacs | jameskovacs.com james.kovacs@jetbrains.com Saturday,

470 views • 23 slides
On the Dynamics of Topic-Based Communites in Online Knowledge-Sharing Networks Anna Guimar

On the Dynamics of Topic-Based Communites in Online Knowledge-Sharing Networks Anna Guimar

On the Dynamics of Topic-Based Communites in Online Knowledge-Sharing Networks Anna Guimar aes, Ana Paula Couto da Silva, Jussara Almeida Department of Computer Science - UFMG (Brazil) September 21, 2015 Introduction Online

505 views • 34 slides
Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2

Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2

I went to a I went to a Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2 http://railsgirls.com/geneva 3 Our aim is to give tools and a community for women to understand technology and to build their ideas. We do

738 views • 14 slides
EECS 394 Software Development Chris Riesbeck Communicating 1 The Problem I never have a clue

EECS 394 Software Development Chris Riesbeck Communicating 1 The Problem I never have a clue

EECS 394 Software Development Chris Riesbeck Communicating 1 The Problem I never have a clue what the developers are talking about. When I ask what they're doing, they say they're When I ask where XMLing the CSS SQL they're at, they say

944 views • 27 slides
Ruby Conference 2011 THE SAFE INFORMATION CONTROL TOOL WHICH ACHIEVES THE HIGH COMPRESSION, HIGH

Ruby Conference 2011 THE SAFE INFORMATION CONTROL TOOL WHICH ACHIEVES THE HIGH COMPRESSION, HIGH

Ruby Conference 2011 THE SAFE INFORMATION CONTROL TOOL WHICH ACHIEVES THE HIGH COMPRESSION, HIGH SECURITY, AND LOW LOAD USING RUBY ON RAILS JUN ROKUI SHIMANE UNIVERSITY RESEARCH OUTLINE 3D Color Barcode We developed 3D Color Barcode in 2007.

412 views • 7 slides
API Ruby on Rails UI ES API Hedtek Wijiti API API Elasticsearch Depositing user Build

API Ruby on Rails UI ES API Hedtek Wijiti API API Elasticsearch Depositing user Build

Consuming user API Ruby on Rails UI ES API Hedtek Wijiti API API Elasticsearch Depositing user Build index Updates DSpace Solr Discovery Stats Depositing Consuming user user Ruby on Rails UI DSpace REST API Updates DSpace

172 views • 5 slides
Benefits and pitfalls of integrating Drupal into a decoupled, static site build process for VA.gov

Benefits and pitfalls of integrating Drupal into a decoupled, static site build process for VA.gov

Benefits and pitfalls of integrating Drupal into a decoupled, static site build process for VA.gov Presenters: Elijah Lynn, VA.gov CMS DevOps Lead @ Robbie Holmes, U.S. Digital Service Alumni &amp; VA.gov CMS Technical Product Owner @

316 views • 14 slides
The Good, The Bad &amp; The Ugly (Clojure &amp; JRuby) Allen Rohner @arohner @circleci

The Good, The Bad &amp; The Ugly (Clojure &amp; JRuby) Allen Rohner @arohner @circleci

The Good, The Bad &amp; The Ugly (Clojure &amp; JRuby) Allen Rohner @arohner @circleci Clojure/West 2012 Monday, March 19, 12 Who Am I Using Clojure in production since 2008 Author of Scriptjure, a DSL for writing javascript, two

712 views • 59 slides

More recommend