In this paper, we evaluate the security of the message authentication code SipHash against forgery attacks. Existing evaluations focused on internal collisions for SipHash-1-x and SipHash-2-x, where the internal compression rounds are reduced to one and two rounds out of four, respectively, and the finalization rounds are set to an arbitrary number. We extend this analysis by expanding the search space to provide a more comprehensive evaluation of SipHash-1-x and SipHash-2-x, and we also evaluate internal collisions for SipHash-3-x and SipHash-4-x by using a method involving SAT solvers. In addition, we perform the first security evaluation of forgery attacks exploiting tag collisions during the finalization process. As a result, we update existing bounds on internal collisions of SipHash-1-x and SipHash-2-x and derive the first bounds for SipHash-3-x and SipHash-4-x. Moreover, we demonstrate that forgery attacks using tag collisions are feasible for SipHash-1-1, SipHash-1-0, and SipHash-2-0. These findings represent the first forgery attacks against SipHash with reduced rounds. Additionally, we conduct a clustering-based evaluation of collision attacks to provide a more attacker-oriented security analysis. Finally, we demonstrate that modifying rotation parameters in the round function achieves a substantial improvement in security.
Sasaki et al. (Thu,) studied this question.
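What the SipHash-c-d notation in the abstract means in code, as an added example that is not from the paper: c is the number of SipRounds applied per message block and d the number applied during finalization. The `rot` parameter and the `variant_tags` helper are hypothetical names introduced here; only the standard rotation constants are used, and the key and message are the input of the published SipHash-2-4 reference test vector.

```python
import struct

MASK = (1 << 64) - 1
STD_ROT = (13, 32, 16, 21, 17, 32)  # rotation constants of the standard SipRound

def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK

def sipround(v, rot=STD_ROT):
    """One ARX round over the four 64-bit state words."""
    v0, v1, v2, v3 = v
    r0, r1, r2, r3, r4, r5 = rot
    v0 = (v0 + v1) & MASK; v1 = rotl(v1, r0) ^ v0; v0 = rotl(v0, r1)
    v2 = (v2 + v3) & MASK; v3 = rotl(v3, r2) ^ v2
    v0 = (v0 + v3) & MASK; v3 = rotl(v3, r3) ^ v0
    v2 = (v2 + v1) & MASK; v1 = rotl(v1, r4) ^ v2; v2 = rotl(v2, r5)
    return [v0, v1, v2, v3]

def siphash(key, msg, c=2, d=4, rot=STD_ROT):
    """SipHash-c-d with a 64-bit tag; c=2, d=4 is the standard instance."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
         k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573]
    # Zero-pad so the final byte of the last 8-byte block is len(msg) mod 256.
    padded = msg + b"\x00" * (7 - len(msg) % 8) + bytes([len(msg) & 0xff])
    for (m,) in struct.iter_unpack("<Q", padded):
        v[3] ^= m
        for _ in range(c):          # compression: c rounds per block
            v = sipround(v, rot)
        v[0] ^= m
    v[2] ^= 0xff
    for _ in range(d):              # finalization: d rounds, d=0 skips it
        v = sipround(v, rot)
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def variant_tags(key, msg):
    """Tags for the standard instance and the reduced variants named above."""
    variants = [(2, 4), (1, 1), (1, 0), (2, 0)]
    return {f"SipHash-{c}-{d}": siphash(key, msg, c, d) for c, d in variants}

if __name__ == "__main__":
    key = bytes(range(16))          # reference test-vector key 00..0f
    msg = bytes(range(15))          # reference test-vector message 00..0e
    for name, tag in variant_tags(key, msg).items():
        print(f"{name}: {tag:016x}")
```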