Paper 2019/865

Cryptanalysis of Reduced-Round SipHash

Le He and Hongbo Yu


SipHash is a family of ARX-based MAC algorithms optimized for short inputs. Already, a lot of implementations and applications for SipHash have been proposed, whereas the cryptanalysis of SipHash still lags behind. In this paper, we study the property of truncated differential in SipHash and find out the output bits with the most imbalanced differential biases. Making use of these results, we construct distinguishers with practical complexity $2^{10}$ for SipHash-2-1 and $2^{36}$ for SipHash-2-2. We further reveal the relations between the value of output bias and the difference after first modular addition step, which is directly determined by corresponding key bits. Based on these relations, we propose a key recovery method for SipHash-2-1 that can obtain a nonuniform distribution of the 128-bit key through several bias tests. It is found that the highest probability can reach $2^{-41}$ and the nonuniform distribution can lead to a $2^{29}$ gain of search cost in average.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
SipHashDistinguish attackKey recoveryTruncated differential cryptanalysis
Contact author(s)
he-l17 @ mails tsinghua edu cn
2019-12-24: revised
2019-07-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Le He and Hongbo Yu},
      title = {Cryptanalysis of Reduced-Round SipHash},
      howpublished = {Cryptology ePrint Archive, Paper 2019/865},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.