It pretty much has to be true of any keyed hash if you think about it. If it didn't distribute the hashes differently each time it wouldn't be working, if it distributes the hashes differently, performance has to be key dependent. And with a hash size the same as the key, at least one of the possible combinations has to be the pathological case.

I can't currently see any possible vector for a flooding attack, well O.K., I certainly can if you use SipHash with random keys :) and even that would be hard to exploit, but otherwise no. If it's significantly faster using it with a pre-tested fixed key is probably fine, but it gives up the security characteristic you were after. My suspicion is also that simply compressing the string with XOR will work at least as well.


-----"openssl-dev" <> wrote: -----
From: "J. J. Farrell"
Sent by: "openssl-dev"
Date: 01/12/2017 10:05AM
Subject: Re: [openssl-dev] use SIPhash for OPENSSL_LH_strhash?

Are the issues you raise true of SipHash, given that a prime motivator for its design was generating hash tables for short inputs while being secure against hash flooding attacks? It achieves this with the performance of a portable C implementation the order of four times faster than MD5, and not much slower than other modern hash algorithms.

I'd have thought the main thing to consider is whether or not there is any practical way a hash flooding attack could be used against OpenSSL's hash tables, and it sounds like there isn't. In that case, the fastest algorithm for the usage patterns would be best.


On 11/01/2017 22:25, Peter Waltenberg wrote:
And the reason I said you certainly don't need a keyed hash ?

Behaviour of the hash function will change with key and in some cases performance would degenerate to that of a linked list. (Ouch). And since the obvious thing to do is use a random key, OpenSSL's performance would get *very* erratic.

Simpler functions than cryptographic hashes will almost certainly yield better results here. I note someone further up the thread someone else has pointed that out.


From:        "Salz, Rich" <>
To:        "" <>
Date:        11/01/2017 13:14
Subject:        Re: [openssl-dev] use SIPhash for OPENSSL_LH_strhash?
Sent by:        "openssl-dev" <>

The needs for OpenSSL's LHASH are exactly what SipHash was designed for: fast on short strings.
OpenSSL's hash currently *does not* call MD5 or SHA1; the MD5 code is commented out.
Yes, performance tests would greatly inform the decision.

J. J. Farrell
Not speaking for Oracle
openssl-dev mailing list
To unsubscribe:

openssl-dev mailing list
To unsubscribe:

Reply via email to