SipHash: a fast short-input PRF D. J. Bernstein, University of Illinois ...

RFis at Chicago &iteit Eindhovenasson,NAGRA)net/siphash/g sooniphers!Several motivations:1. Optimize secret-key cryptofor short messages.2. Build a PRF/MAC that’ssecure, efficient, simple.3. Application:authenticate Internet packets.4. Application:defend against hash flooding.5. Analyze security ofother hash-flooding defenses.Followup work with Martin Boßletpushes this much further.Today’s focus: hasJuly 1998 article“Designing and atport scan detectionby Solar DesignerPeslyak) in Phrack“In scanlogd, I’mtable to lookup souThis works very wetypical case : : : avtime is better thanbinary search. : : :

go &hovenash/Several motivations:1. Optimize secret-key cryptofor short messages.2. Build a PRF/MAC that’ssecure, efficient, simple.3. Application:authenticate Internet packets.4. Application:defend against hash flooding.5. Analyze security ofother hash-flooding defenses.Followup work with Martin Boßletpushes this much further.Today’s focus: hash floodingJuly 1998 article“Designing and attackingport scan detection tools”by Solar Designer (AlexandePeslyak) in Phrack Magazine“In scanlogd, I’m using a htable to lookup source addreThis works very well for thetypical case : : : average looktime is better than that of abinary search. : : :

Several motivations:1. Optimize secret-key cryptofor short messages.2. Build a PRF/MAC that’ssecure, efficient, simple.3. Application:authenticate Internet packets.4. Application:defend against hash flooding.5. Analyze security ofother hash-flooding defenses.Followup work with Martin Boßletpushes this much further.Today’s focus: hash floodingJuly 1998 article“Designing and attackingport scan detection tools”by Solar Designer (AlexanderPeslyak) in Phrack Magazine:“In scanlogd, I’m using a hashtable to lookup source addresses.This works very well for thetypical case : : : average lookuptime is better than that of abinary search. : : :

otivations:ize secret-key cryptomessages.a PRF/MAC that’sfficient, simple.cation:cate Internet packets.cation:gainst hash flooding.ze security ofsh-flooding defenses.work with Martin Boßlethis much further.Today’s focus: hash floodingJuly 1998 article“Designing and attackingport scan detection tools”by Solar Designer (AlexanderPeslyak) in Phrack Magazine:“In scanlogd, I’m using a hashtable to lookup source addresses.This works very well for thetypical case : : : average lookuptime is better than that of abinary search. : : :Howeverchoose hlikely spocollisionsthe hashlinear seamany enmake scanew packsolved ththe numdiscardinthe samelimit is r

s:-key crypto.AC that’smple.et packets.h flooding.ofg defenses.h Martin Boßleturther.Today’s focus: hash floodingJuly 1998 article“Designing and attackingport scan detection tools”by Solar Designer (AlexanderPeslyak) in Phrack Magazine:“In scanlogd, I’m using a hashtable to lookup source addresses.This works very well for thetypical case : : : average lookuptime is better than that of abinary search. : : :However, an attacchoose her addresslikely spoofed) to ccollisions, effectivethe hash table looklinear search. Depmany entries we kemake scanlogd notnew packets up insolved this problemthe number of hasdiscarding the oldethe same hash valulimit is reached.

os...oßletToday’s focus: hash floodingJuly 1998 article“Designing and attackingport scan detection tools”by Solar Designer (AlexanderPeslyak) in Phrack Magazine:“In scanlogd, I’m using a hashtable to lookup source addresses.This works very well for thetypical case : : : average lookuptime is better than that of abinary search. : : :However, an attacker canchoose her addresses (mostlikely spoofed) to cause hashcollisions, effectively replacinthe hash table lookup with alinear search. Depending onmany entries we keep, this mmake scanlogd not be able tnew packets up in time. : : :solved this problem by limitithe number of hash collisiondiscarding the oldest entry wthe same hash value when thlimit is reached.

L’organizzazione in Inghilterra8C Centri tidiRif Riferimentoi Prescrivibilità dei farmaciCentro Ipertensione PolmonareSapienza Università di Roma

ker canes (mostause hashly replacingup with aending on howep, this mightbe able to picktime. : : : I’veby limitingh collisions, andst entry withe when theThis is acceptable for port scans(remember, we can’t detectall scans anyway), but mightnot be acceptable for detectingother attacks. : : : It is probablyworth mentioning that similarissues also apply to things likeoperating system kernels. Forexample, hash tables are widelyused there for looking up activeconnections, listening ports, etc.There’re usually other limitswhich make these not reallydangerous though, butmore research might be needed.”December 1999, Bdnscache softwareif (++loop > 10/* to protecthash floodDiscarding cache etrivially maintainsif attacker floods hBut what about hageneral-purpose prlanguages and libraCan’t throw entrie

cceptable for port scanser, we can’t detectanyway), but mightcceptable for detectingacks. : : : It is probablyentioning that similaro apply to things likeg system kernels. Forhash tables are widelyre for looking up activeons, listening ports, etc.usually other limitsake these not reallys though, butearch might be needed.”December 1999, Bernstein,dnscache software:if (++loop > 100) return 0;/* to protect againsthash flooding */Discarding cache entriestrivially maintains performanceif attacker floods hash table.But what about hash tables ingeneral-purpose programminglanguages and libraries?Can’t throw entries away!2003 USSymposi“Denialalgorithm“We prelow-bandattacks :hashes tothe hashdegeneraAttack ePerl progSquid weNo attac

for port scans’t detectbut mightfor detectingIt is probablythat similarthings likeernels. Forles are widelying up activeing ports, etc.her limitsnot reallybutht be needed.”December 1999, Bernstein,dnscache software:if (++loop > 100) return 0;/* to protect againsthash flooding */Discarding cache entriestrivially maintains performanceif attacker floods hash table.But what about hash tables ingeneral-purpose programminglanguages and libraries?Can’t throw entries away!2003 USENIX SecSymposium, Crosb“Denial of servicealgorithmic comple“We present a newlow-bandwidth denattacks : : : if eachhashes to the samethe hash table willdegenerate to a linAttack examples:Perl programmingSquid web cache, eNo attack on dnsc

ansingblyrerelytiveetc.ed.”December 1999, Bernstein,dnscache software:if (++loop > 100) return 0;/* to protect againsthash flooding */Discarding cache entriestrivially maintains performanceif attacker floods hash table.But what about hash tables ingeneral-purpose programminglanguages and libraries?Can’t throw entries away!2003 USENIX SecuritySymposium, Crosby–Wallach“Denial of service viaalgorithmic complexity attac“We present a new class oflow-bandwidth denial of servattacks : : : if each elementhashes to the same bucket,the hash table will alsodegenerate to a linked list.”Attack examples:Perl programming language,Squid web cache, etc.No attack on dnscache.

December 1999, Bernstein,dnscache software:if (++loop > 100) return 0;/* to protect againsthash flooding */Discarding cache entriestrivially maintains performanceif attacker floods hash table.But what about hash tables ingeneral-purpose programminglanguages and libraries?Can’t throw entries away!2003 USENIX SecuritySymposium, Crosby–Wallach,“Denial of service viaalgorithmic complexity attacks”:“We present a new class oflow-bandwidth denial of serviceattacks : : : if each elementhashes to the same bucket,the hash table will alsodegenerate to a linked list.”Attack examples:Perl programming language,Squid web cache, etc.No attack on dnscache.

1999, Bernstein,e software:loop > 100) return 0;o protect againstash flooding */g cache entriesaintains performanceer floods hash table.t about hash tables inurpose programmings and libraries?row entries away!2003 USENIX SecuritySymposium, Crosby–Wallach,“Denial of service viaalgorithmic complexity attacks”:“We present a new class oflow-bandwidth denial of serviceattacks : : : if each elementhashes to the same bucket,the hash table will alsodegenerate to a linked list.”Attack examples:Perl programming language,Squid web cache, etc.No attack on dnscache.2011 (28“Efficienon web aoCERT aNo attacfixed Perbut stillPHP 4,3, RubinGeronimOracle GRack, V8

ernstein,:0) return 0;againsting */ntriesperformanceash table.sh tables inogrammingries?s away!2003 USENIX SecuritySymposium, Crosby–Wallach,“Denial of service viaalgorithmic complexity attacks”:“We present a new class oflow-bandwidth denial of serviceattacks : : : if each elementhashes to the same bucket,the hash table will alsodegenerate to a linked list.”Attack examples:Perl programming language,Squid web cache, etc.No attack on dnscache.2011 (28C3), Klink“Efficient denial ofon web applicationoCERT advisory 2No attack on dnscfixed Perl, fixed Sqbut still problems iPHP 4, PHP 5, Py3, Rubinius, Ruby,Geronimo, ApacheOracle Glassfish, JRack, V8 Javascrip

n 0;ceing2003 USENIX SecuritySymposium, Crosby–Wallach,“Denial of service viaalgorithmic complexity attacks”:“We present a new class oflow-bandwidth denial of serviceattacks : : : if each elementhashes to the same bucket,the hash table will alsodegenerate to a linked list.”Attack examples:Perl programming language,Squid web cache, etc.No attack on dnscache.2011 (28C3), Klink–Wälde,“Efficient denial of service aon web application platformsoCERT advisory 2011–003:No attack on dnscache,fixed Perl, fixed Squid;but still problems in Java, JRPHP 4, PHP 5, Python 2, P3, Rubinius, Ruby, ApacheGeronimo, Apache Tomcat,Oracle Glassfish, Jetty, PloneRack, V8 Javascript Engine.

2003 USENIX SecuritySymposium, Crosby–Wallach,“Denial of service viaalgorithmic complexity attacks”:“We present a new class oflow-bandwidth denial of serviceattacks : : : if each elementhashes to the same bucket,the hash table will alsodegenerate to a linked list.”Attack examples:Perl programming language,Squid web cache, etc.No attack on dnscache.2011 (28C3), Klink–Wälde,“Efficient denial of service attackson web application platforms”;oCERT advisory 2011–003:No attack on dnscache,fixed Perl, fixed Squid;but still problems in Java, JRuby,PHP 4, PHP 5, Python 2, Python3, Rubinius, Ruby, ApacheGeronimo, Apache Tomcat,Oracle Glassfish, Jetty, Plone,Rack, V8 Javascript Engine.

ENIX Securityum, Crosby–Wallach,of service viaic complexity attacks”:sent a new class ofwidth denial of service: : if each elementthe same bucket,table will alsote to a linked list.”xamples:ramming language,b cache, etc.k on dnscache.2011 (28C3), Klink–Wälde,“Efficient denial of service attackson web application platforms”;oCERT advisory 2011–003:No attack on dnscache,fixed Perl, fixed Squid;but still problems in Java, JRuby,PHP 4, PHP 5, Python 2, Python3, Rubinius, Ruby, ApacheGeronimo, Apache Tomcat,Oracle Glassfish, Jetty, Plone,Rack, V8 Javascript Engine.DefendinMy favorswitch frto crit-bGuaranteextra loo“find nex

urityy–Wallach,viaxity attacks”:class ofial of serviceelementbucket,alsoked list.”language,tc.ache.2011 (28C3), Klink–Wälde,“Efficient denial of service attackson web application platforms”;oCERT advisory 2011–003:No attack on dnscache,fixed Perl, fixed Squid;but still problems in Java, JRuby,PHP 4, PHP 5, Python 2, Python3, Rubinius, Ruby, ApacheGeronimo, Apache Tomcat,Oracle Glassfish, Jetty, Plone,Rack, V8 Javascript Engine.Defending againstMy favorite solutioswitch from hash tto crit-bit trees.Guaranteed high spextra lookup featu“find next entry af

,ks”:ice2011 (28C3), Klink–Wälde,“Efficient denial of service attackson web application platforms”;oCERT advisory 2011–003:No attack on dnscache,fixed Perl, fixed Squid;but still problems in Java, JRuby,PHP 4, PHP 5, Python 2, Python3, Rubinius, Ruby, ApacheGeronimo, Apache Tomcat,Oracle Glassfish, Jetty, Plone,Rack, V8 Javascript Engine.Defending against hash floodMy favorite solution:switch from hash tablesto crit-bit trees.Guaranteed high speed +extra lookup features such a“find next entry after x.”

2011 (28C3), Klink–Wälde,“Efficient denial of service attackson web application platforms”;oCERT advisory 2011–003:No attack on dnscache,fixed Perl, fixed Squid;but still problems in Java, JRuby,PHP 4, PHP 5, Python 2, Python3, Rubinius, Ruby, ApacheGeronimo, Apache Tomcat,Oracle Glassfish, Jetty, Plone,Rack, V8 Javascript Engine.Defending against hash floodingMy favorite solution:switch from hash tablesto crit-bit trees.Guaranteed high speed +extra lookup features such as“find next entry after x.”

2011 (28C3), Klink–Wälde,“Efficient denial of service attackson web application platforms”;oCERT advisory 2011–003:No attack on dnscache,fixed Perl, fixed Squid;but still problems in Java, JRuby,PHP 4, PHP 5, Python 2, Python3, Rubinius, Ruby, ApacheGeronimo, Apache Tomcat,Oracle Glassfish, Jetty, Plone,Rack, V8 Javascript Engine.Defending against hash floodingMy favorite solution:switch from hash tablesto crit-bit trees.Guaranteed high speed +extra lookup features such as“find next entry after x.”But hash tablesare perceived as beingsmaller, faster, simplerthan other data structures.Can we protect hash tables?

C3), Klink–Wälde,t denial of service attackspplication platforms”;dvisory 2011–003:k on dnscache,l, fixed Squid;problems in Java, JRuby,PHP 5, Python 2, Pythonius, Ruby, Apacheo, Apache Tomcat,lassfish, Jetty, Plone,Javascript Engine.Defending against hash floodingMy favorite solution:switch from hash tablesto crit-bit trees.Guaranteed high speed +extra lookup features such as“find next entry after x.”But hash tablesare perceived as beingsmaller, faster, simplerthan other data structures.Can we protect hash tables?Classic h` separatfor someStore strwhere i =With n eexpect in each lChoose `expect vso very f(What ifRehash:

–Wälde,service attacksplatforms”;011–003:ache,uid;n Java, JRuby,thon 2, PythonApacheTomcat,etty, Plone,t Engine.Defending against hash floodingMy favorite solution:switch from hash tablesto crit-bit trees.Guaranteed high speed +extra lookup features such as“find next entry after x.”But hash tablesare perceived as beingsmaller, faster, simplerthan other data structures.Can we protect hash tables?Classic hash table:` separate linked lifor some ` 2 f1; 2;Store string s in liswhere i = H(s) mWith n entries in texpect n=` entrin each linked list.Choose ` n:expect very short lso very fast list op(What if n becomRehash: replace `

ttacks”;uby,ython,Defending against hash floodingMy favorite solution:switch from hash tablesto crit-bit trees.Guaranteed high speed +extra lookup features such as“find next entry after x.”But hash tablesare perceived as beingsmaller, faster, simplerthan other data structures.Can we protect hash tables?Classic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : :Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked listsso very fast list operations.(What if n becomes too bigRehash: replace ` by 2`.)

Defending against hash floodingMy favorite solution:switch from hash tablesto crit-bit trees.Guaranteed high speed +extra lookup features such as“find next entry after x.”But hash tablesare perceived as beingsmaller, faster, simplerthan other data structures.Can we protect hash tables?Classic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : : :g.Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked lists,so very fast list operations.(What if n becomes too big?Rehash: replace ` by 2`.)

g against hash floodingite solution:om hash tablesit trees.ed high speed +kup features such ast entry after x.”tablesived as beingfaster, simplerer data structures.rotect hash tables?Classic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : : :g.Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked lists,so very fast list operations.(What if n becomes too big?Rehash: replace ` by 2`.)Basic haattackers 1 ; : : : ; s¡ ¡ ¡ = H(Then allin the saLinked li

hash floodingn:ableseed +res such aster x.”ingplerructures.sh tables?Classic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : : :g.Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked lists,so very fast list operations.(What if n becomes too big?Rehash: replace ` by 2`.)Basic hash floodinattacker provides ss 1 ; : : : ; sn with H(¡ ¡ ¡ = H(sn) mod `Then all strings arin the same linkedLinked list become

singClassic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : : :g.Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked lists,so very fast list operations.(What if n becomes too big?Rehash: replace ` by 2`.)Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod `¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow

Classic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : : :g.Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked lists,so very fast list operations.Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow.(What if n becomes too big?Rehash: replace ` by 2`.)

Classic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : : :g.Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked lists,so very fast list operations.Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow.Solution: Replace linked listby a safe tree structure,at least if list is big.(What if n becomes too big?Rehash: replace ` by 2`.)

Classic hash table:` separate linked listsfor some ` 2 f1; 2; 4; 8; 16; : : :g.Store string s in list #iwhere i = H(s) mod `.With n entries in table,expect n=` entriesin each linked list.Choose ` n:expect very short linked lists,so very fast list operations.(What if n becomes too big?Rehash: replace ` by 2`.)Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow.Solution: Replace linked listby a safe tree structure,at least if list is big.But implementors are unhappy:this solution throws away thesimplicity of hash tables.

ash table:e linked lists` 2 f1; 2; 4; 8; 16; : : :g.ing s in list #iH(s) mod `.ntries in table,n=` entriesinked list. n:ery short linked lists,ast list operations.n becomes too big?replace ` by 2`.)Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow.Solution: Replace linked listby a safe tree structure,at least if list is big.But implementors are unhappy:this solution throws away thesimplicity of hash tables.Non-soluUse SHASHA-3 is

sts4; 8; 16; : : :g.t #iod `.able,iesinked lists,erations.es too big?by 2`.)Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow.Solution: Replace linked listby a safe tree structure,at least if list is big.But implementors are unhappy:this solution throws away thesimplicity of hash tables.Non-solution:Use SHA-3 for H.SHA-3 is collision-

,?:g.Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow.Solution: Replace linked listby a safe tree structure,at least if list is big.But implementors are unhappy:this solution throws away thesimplicity of hash tables.Non-solution:Use SHA-3 for H.SHA-3 is collision-resistant!

Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Non-solution:Use SHA-3 for H.SHA-3 is collision-resistant!Then all strings are storedin the same linked list.Linked list becomes very slow.Solution: Replace linked listby a safe tree structure,at least if list is big.But implementors are unhappy:this solution throws away thesimplicity of hash tables.

Basic hash flooding:attacker provides stringss 1 ; : : : ; sn with H(s 1 ) mod ` =¡ ¡ ¡ = H(sn) mod `.Then all strings are storedin the same linked list.Linked list becomes very slow.Solution: Replace linked listby a safe tree structure,at least if list is big.Non-solution:Use SHA-3 for H.SHA-3 is collision-resistant!Why this is bad: H(s) mod `is not collision-resistant.` is small: e.g., ` = 2 20 .No matter how strong H is,attacker can easily computeH(s) mod 2 20 for many sto find multicollisions.But implementors are unhappy:this solution throws away thesimplicity of hash tables.

sh flooding:provides stringsn with H(s 1 ) mod ` =sn) mod `.strings are storedme linked list.st becomes very slow.: Replace linked listtree structure,f list is big.lementors are unhappy:tion throws away they of hash tables.Non-solution:Use SHA-3 for H.SHA-3 is collision-resistant!Why this is bad: H(s) mod `is not collision-resistant.` is small: e.g., ` = 2 20 .No matter how strong H is,attacker can easily computeH(s) mod 2 20 for many sto find multicollisions.1977, Caclasses opaper givaveragestorage aalgorithmof hash fclass of h2003 CroAbout 6H(m 1 ; mm 1 k 1 +k 1 ; k 2 ; : :This is “

g:tringss 1 ) mod ` =.e storedlist.s very slow.linked listture,.are unhappy:s away thetables.Non-solution:Use SHA-3 for H.SHA-3 is collision-resistant!Why this is bad: H(s) mod `is not collision-resistant.` is small: e.g., ` = 2 20 .No matter how strong H is,attacker can easily computeH(s) mod 2 20 for many sto find multicollisions.1977, Carter–Wegmclasses of hash funpaper gives an inpaverage linear timestorage and retrievalgorithm makes aof hash function frclass of hash funct2003 Crosby–WallaAbout 6 cycles/byH(m 1 ; m 2 ; : : : ; m 1m 1 k 1 + m 2 k 2 + ¡k 1 ; k 2 ; : : : ; k 12 : raThis is “provably s

=.py:eNon-solution:Use SHA-3 for H.SHA-3 is collision-resistant!Why this is bad: H(s) mod `is not collision-resistant.` is small: e.g., ` = 2 20 .No matter how strong H is,attacker can easily computeH(s) mod 2 20 for many sto find multicollisions.1977, Carter–Wegman, “Uniclasses of hash functions”: “paper gives an input indepenaverage linear time algorithmstorage and retrieval on keysalgorithm makes a random cof hash function from a suitaclass of hash functions.”2003 Crosby–Wallach:About 6 cycles/byte on P2 fH(m 1 ; m 2 ; : : : ; m 12 ) =m 1 k 1 + m 2 k 2 + ¡ ¡ ¡ + m 12 kk 1 ; k 2 ; : : : ; k 12 : random, 20-This is “provably secure”!

Non-solution:Use SHA-3 for H.SHA-3 is collision-resistant!Why this is bad: H(s) mod `is not collision-resistant.` is small: e.g., ` = 2 20 .No matter how strong H is,attacker can easily computeH(s) mod 2 20 for many sto find multicollisions.1977, Carter–Wegman, “Universalclasses of hash functions”: “Thispaper gives an input independentaverage linear time algorithm forstorage and retrieval on keys. Thealgorithm makes a random choiceof hash function from a suitableclass of hash functions.”2003 Crosby–Wallach:About 6 cycles/byte on P2 forH(m 1 ; m 2 ; : : : ; m 12 ) =m 1 k 1 + m 2 k 2 + ¡ ¡ ¡ + m 12 k 12 .k 1 ; k 2 ; : : : ; k 12 : random, 20-bit.This is “provably secure”!

tion:-3 for H.collision-resistant!is bad: H(s) mod `llision-resistant.l: e.g., ` = 2 20 .er how strong H is,can easily computed 2 20 for many sulticollisions.1977, Carter–Wegman, “Universalclasses of hash functions”: “Thispaper gives an input independentaverage linear time algorithm forstorage and retrieval on keys. Thealgorithm makes a random choiceof hash function from a suitableclass of hash functions.”2003 Crosby–Wallach:About 6 cycles/byte on P2 forH(m 1 ; m 2 ; : : : ; m 12 ) =m 1 k 1 + m 2 k 2 + ¡ ¡ ¡ + m 12 k 12 .k 1 ; k 2 ; : : : ; k 12 : random, 20-bit.This is “provably secure”!We don’The secuassumesis indepe

esistant!(s) mod `stant.2 20 .ong H is,computemany sns.1977, Carter–Wegman, “Universalclasses of hash functions”: “Thispaper gives an input independentaverage linear time algorithm forstorage and retrieval on keys. Thealgorithm makes a random choiceof hash function from a suitableclass of hash functions.”2003 Crosby–Wallach:About 6 cycles/byte on P2 forH(m 1 ; m 2 ; : : : ; m 12 ) =m 1 k 1 + m 2 k 2 + ¡ ¡ ¡ + m 12 k 12 .k 1 ; k 2 ; : : : ; k 12 : random, 20-bit.This is “provably secure”!We don’t recommeThe security guaraassumes that randis independent of i

`1977, Carter–Wegman, “Universalclasses of hash functions”: “Thispaper gives an input independentaverage linear time algorithm forstorage and retrieval on keys. Thealgorithm makes a random choiceof hash function from a suitableclass of hash functions.”2003 Crosby–Wallach:About 6 cycles/byte on P2 forH(m 1 ; m 2 ; : : : ; m 12 ) =m 1 k 1 + m 2 k 2 + ¡ ¡ ¡ + m 12 k 12 .k 1 ; k 2 ; : : : ; k 12 : random, 20-bit.This is “provably secure”!We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.

1977, Carter–Wegman, “Universalclasses of hash functions”: “Thispaper gives an input independentaverage linear time algorithm forWe don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.storage and retrieval on keys. Thealgorithm makes a random choiceof hash function from a suitableclass of hash functions.”2003 Crosby–Wallach:About 6 cycles/byte on P2 forH(m 1 ; m 2 ; : : : ; m 12 ) =m 1 k 1 + m 2 k 2 + ¡ ¡ ¡ + m 12 k 12 .k 1 ; k 2 ; : : : ; k 12 : random, 20-bit.This is “provably secure”!

1977, Carter–Wegman, “Universalclasses of hash functions”: “Thispaper gives an input independentaverage linear time algorithm forstorage and retrieval on keys. Thealgorithm makes a random choiceof hash function from a suitableclass of hash functions.”2003 Crosby–Wallach:About 6 cycles/byte on P2 forH(m 1 ; m 2 ; : : : ; m 12 ) =m 1 k 1 + m 2 k 2 + ¡ ¡ ¡ + m 12 k 12 .k 1 ; k 2 ; : : : ; k 12 : random, 20-bit.We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.Advanced hash flooding:use, e.g., server timingto detect hash collisions;figure out the hash key;choose inputs accordingly.2005 Crosby: Maybe trouble forany function with a short key,and for m 1 k 1 + m 2 k 2 + ¡ ¡ ¡.This is “provably secure”!

ter–Wegman, “Universalf hash functions”: “Thises an input independentlinear time algorithm fornd retrieval on keys. Themakes a random choiceunction from a suitableash functions.”sby–Wallach:cycles/byte on P2 for2; : : : ; m 12 ) =m 2 k 2 + ¡ ¡ ¡ + m 12 k 12 .: ; k 12 : random, 20-bit.provably secure”!We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.Advanced hash flooding:use, e.g., server timingto detect hash collisions;figure out the hash key;choose inputs accordingly.2005 Crosby: Maybe trouble forany function with a short key,and for m 1 k 1 + m 2 k 2 + ¡ ¡ ¡.Even wo(e.g., anprints taleak morSome apH(s) mo

an, “Universalctions”: “Thisut independentalgorithm foral on keys. Therandom choiceom a suitableions.”ch:te on P2 for2) =¡ ¡ + m 12 k 12 .ndom, 20-bit.ecure”!We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.Advanced hash flooding:use, e.g., server timingto detect hash collisions;figure out the hash key;choose inputs accordingly.2005 Crosby: Maybe trouble forany function with a short key,and for m 1 k 1 + m 2 k 2 + ¡ ¡ ¡.Even worse: Some(e.g., any applicatiprints table withouleak more informatSome applicationsH(s) mod `, or eve

versalThisdentfor. Thehoicebleor12.bit.We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.Advanced hash flooding:use, e.g., server timingto detect hash collisions;figure out the hash key;choose inputs accordingly.2005 Crosby: Maybe trouble forany function with a short key,and for m 1 k 1 + m 2 k 2 + ¡ ¡ ¡.Even worse: Some applicatio(e.g., any application thatprints table without sorting)leak more information aboutSome applications simply priH(s) mod `, or even H(s).

We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.Advanced hash flooding:use, e.g., server timingto detect hash collisions;figure out the hash key;choose inputs accordingly.Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).2005 Crosby: Maybe trouble forany function with a short key,and for m 1 k 1 + m 2 k 2 + ¡ ¡ ¡.

We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.Advanced hash flooding:use, e.g., server timingto detect hash collisions;figure out the hash key;choose inputs accordingly.2005 Crosby: Maybe trouble forany function with a short key,and for m 1 k 1 + m 2 k 2 + ¡ ¡ ¡.Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).We recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.

We don’t recommend this.The security guaranteeassumes that randomnessis independent of inputs.Advanced hash flooding:use, e.g., server timingto detect hash collisions;figure out the hash key;choose inputs accordingly.2005 Crosby: Maybe trouble forany function with a short key,and for m 1 k 1 + m 2 k 2 + ¡ ¡ ¡.Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).We recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.Finding n-collision in H(s) mod `requires trying n` n 2 p inputs.Damage is only communication.

t recommend this.rity guaranteethat randomnessndent of inputs.d hash flooding:, server timinghash collisions;t the hash key;puts accordingly.sby: Maybe trouble fortion with a short key,1k 1 + m 2 k 2 + ¡ ¡ ¡.Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).We recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.Finding n-collision in H(s) mod `requires trying n` n 2 p inputs.Damage is only communication.The impCrypto dWow, Monly aboLet’s use

nd this.nteeomnessnputs.oding:ingisions;key;rdingly.be trouble fora short key,2k 2 + ¡ ¡ ¡.Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).We recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.Finding n-collision in H(s) mod `requires trying n` n 2 p inputs.Damage is only communication.The importance ofCrypto design, 199Wow, MD5 is reallonly about 5 cycleLet’s use HMAC-M

Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a Py,forWe recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.Finding n-collision in H(s) mod `requires trying n` n 2 p inputs.Damage is only communication.

Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a PRF.We recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.Finding n-collision in H(s) mod `requires trying n` n 2 p inputs.Damage is only communication.

Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).We recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a PRF.Crypto design, 2000s:Multipliers are even faster;can reach 1 or 2 cycles/byte.Poly1305-AES, UMAC-AES, et al.Finding n-collision in H(s) mod `requires trying n` n 2 inputs.Damage is only p communication.

Even worse: Some applications(e.g., any application thatprints table without sorting)leak more information about H.Some applications simply printH(s) mod `, or even H(s).We recommend choosing Has a strong PRF. )Seeing many H valuesis of no use in predicting others.Finding n-collision in H(s) mod `requires trying n` n 2 p inputs.Damage is only communication.The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a PRF.Crypto design, 2000s:Multipliers are even faster;can reach 1 or 2 cycles/byte.Poly1305-AES, UMAC-AES, et al.The hash-table perspective:These speed advertisementsare only for long inputs,ignoring huge overheads!

se: Some applicationsy application thatble without sorting)e information about H.plications simply printd `, or even H(s).mend choosing Hng PRF. )any H valuesuse in predicting others.n-collision in H(s) mod `trying n` n 2 p inputs.is only communication.The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a PRF.Crypto design, 2000s:Multipliers are even faster;can reach 1 or 2 cycles/byte.Poly1305-AES, UMAC-AES, et al.The hash-table perspective:These speed advertisementsare only for long inputs,ignoring huge overheads!SipRounv 0+

applicationson thatt sorting)ion about H.simply printn H(s).oosing Hluesicting others.in H(s) mod `` n 2 inputs.communication.The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a PRF.Crypto design, 2000s:Multipliers are even faster;can reach 1 or 2 cycles/byte.Poly1305-AES, UMAC-AES, et al.The hash-table perspective:These speed advertisementsare only for long inputs,ignoring huge overheads!SipRound and SipHv 0 v 1 +

nsH.nters.od `puts.ation.The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a PRF.Crypto design, 2000s:Multipliers are even faster;can reach 1 or 2 cycles/byte.Poly1305-AES, UMAC-AES, et al.The hash-table perspective:These speed advertisementsare only for long inputs,ignoring huge overheads!SipRound and SipHashv 0 v 1v 2 v +

The importance of overheadCrypto design, 1990s:Wow, MD5 is really fast;only about 5 cycles/byte.Let’s use HMAC-MD5 as a PRF.Crypto design, 2000s:Multipliers are even faster;can reach 1 or 2 cycles/byte.Poly1305-AES, UMAC-AES, et al.The hash-table perspective:These speed advertisementsare only for long inputs,ignoring huge overheads!SipRound and SipHashv 0 v 1v 2 v 3 +

ortance of overheadSipRound and SipHashcesign, 1990s:D5 is really fast;ut 5 cycles/byte.HMAC-MD5 as a PRF.v 0 v 1v 2 v 3 +

overheadSipRound and SipHashc 0 c 10s:y fast;s/byte.D5 as a PRF.v 0 v 1v 2 v 3 +

RF.SipRound and SipHashv 0 v 1v 2 v 3 +

SipRound and SipHashv 0 v 1v 2 v 3 +

d and SipHashv 1v 2 v 3

ashv 2 v 3 +

31621c 0 c 1 c 2 c 3k 0 ¨ ¨ k 0k 1 ¨ ¨ k 1¨ m 0m 0 ¨ ¨ m 1m 1 ¨ ¨ ffMuch more in paper: Specification: padding etc Discussion of features. Statement of security goal Design rationale and credi Preliminary cryptanalysis. Benchmarks. e.g. Ivy Brid1:65 cycles/byte + 27 cyclPositive SipHash reception:third-party implementations;now used for hash tables inRedis, Rust, OpenDNS, Perl03:tes.¨

c 0 c 1 c 2 c 3k 0 ¨ ¨ k 0k 1 ¨ ¨ k 1¨ m 0Much more in paper: Specification: padding etc. Discussion of features. Statement of security goals. Design rationale and credits. Preliminary cryptanalysis.m 0 ¨ ¨ m 1 Benchmarks. e.g. Ivy Bridge:1:65 cycles/byte + 27 cycles.Positive SipHash reception: manym 1 ¨ ¨ ffthird-party implementations;now used for hash tables in Ruby,Redis, Rust, OpenDNS, Perl 5.¨