## Cryptology ePrint Archive: Report 2019/865

Cryptanalysis of Reduced-Round SipHash

Le He and Hongbo Yu

Abstract: SipHash is a family of ARX-based MAC algorithms optimized for short inputs. Already, a lot of implementations and applications for SipHash have been proposed, whereas the cryptanalysis of SipHash still lags behind. In this paper, we study the property of truncated differential in SipHash and find out the output bits with the most imbalanced differential biases. Making use of these results, we construct distinguishers with practical complexity $2^{10}$ for SipHash-2-1 and $2^{36}$ for SipHash-2-2. We further reveal the relations between the value of output bias and the difference after first modular addition step, which is directly determined by corresponding key bits. Based on these relations, we propose a key recovery method for SipHash-2-1 that can obtain a nonuniform distribution of the 128-bit key through several bias tests. It is found that the highest probability can reach $2^{-41}$ and the nonuniform distribution can lead to a $2^{29}$ gain of search cost in average.

Category / Keywords: secret-key cryptography / SipHash, Distinguish attack, Key recovery, Truncated differential cryptanalysis

Date: received 24 Jul 2019, last revised 24 Dec 2019

Contact author: he-l17 at mails tsinghua edu cn

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2019/865

[ Cryptology ePrint archive ]