Cryptanalysis of Reduced-Round SipHash

SipHash is a family of ARX-based MAC algorithms optimized for short inputs. So far, a lot of implementations and applications for SipHash have been proposed, whereas the cryptanalysis of SipHash still lags behind. In this paper, we study the property of truncated differential in reduced-round SipHash. By exhaustively testing all kinds of 1-bit input differences, we find out the greatest differential biases from corresponding output bits through 3 or 4 SipRounds. Making use of these results, we construct distinguishers for SipHash-2-1 and SipHash-2-2 with practical complexities of 2(12 )and 2(36), respectively. However, one limitation of the latter is that it begins with 1-bit input differences on the most significant message bit, which means it can only work when neglecting the padding rules of SipHash. Furthermore, we reveal the relations between the value of output bias and the difference after the first modular addition step, which is directly determined by corresponding key bits. Based on these relations, we propose a key recovery method for SipHash-2-1 that can obtain a significantly nonuniform distribution of the 128-bit secret key. It is summarized that about 97% of random keys can be fully recovered under this method within a complexity of 2(83).