
SipHash-2-4: Wrong byte order?

Open lars-du opened this issue 1 year ago • 1 comments

Hi, I have some problems with the generation of MACs based on SipHash-2-4. In the end it turned out that Botan generates a MAC with an unexpected byte order.

Example: Take the test values defined in Appendix A of https://cr.yp.to/siphash/siphash-20120918.pdf:

Input: 000102030405060708090A0B0C0D0E
Key: 000102030405060708090A0B0C0D0E0F
MAC: a129ca6149be45e5

However, Botan returns the MAC e545be4961ca29a1. This is the same value as defined in the SipHash documentation - but in another byte order. So what value is the correct one?

lars-du avatar Feb 15 '24 13:02 lars-du

SipHash does everything in little-endian, and the value they are showing in the document is the value of the 64-bit word that is the result. When that word is converted to bytes, it is done little-endian, and so reversed.

You can see a similar byte swap being performed for example in OpenSSL at https://github.com/openssl/openssl/blob/master/crypto/siphash/siphash.c#L253

randombit avatar Feb 15 '24 22:02 randombit

You should be able to verify Botan produces the same SipHash values in practice using another library such as OpenSSL or Python, etc. If you have any issues in this regard please feel free to reopen.

randombit avatar Feb 20 '24 11:02 randombit
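
Added example, not part of the thread and not Botan's or OpenSSL's code: a plain-Python SipHash-2-4 that computes the Appendix A vector quoted in the issue and returns it both as the 64-bit word and as the little-endian byte string. The names `siphash24_word`, `siphash24_tag` and `classify` are hypothetical helpers chosen for this illustration.

```python
import struct

MASK = 0xFFFFFFFFFFFFFFFF

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK

def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK
    v1 = _rotl(v1, 13) ^ v0
    v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK
    v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK
    v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK
    v1 = _rotl(v1, 17) ^ v2
    v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24_word(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 result as the 64-bit word (how the paper prints it)."""
    k0, k1 = struct.unpack("<QQ", key)  # key halves are read little-endian
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    # Zero-pad to a multiple of 8 bytes; the final byte is len(msg) mod 256.
    padded = msg + b"\x00" * (7 - len(msg) % 8) + bytes([len(msg) & 0xFF])
    for (m,) in struct.iter_unpack("<Q", padded):
        v = _sipround(*_sipround(v[0], v[1], v[2], v[3] ^ m))
        v = (v[0] ^ m,) + v[1:]
    v = (v[0], v[1], v[2] ^ 0xFF, v[3])
    for _ in range(4):
        v = _sipround(*v)
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def siphash24_tag(key: bytes, msg: bytes) -> bytes:
    """The 8-byte MAC as a byte string: the word serialized little-endian."""
    return siphash24_word(key, msg).to_bytes(8, "little")

def classify(tag: bytes, expected_hex: str) -> str:
    """Say how an 8-byte tag relates to a hex string from a document or log."""
    expected = bytes.fromhex(expected_hex)
    if tag == expected:
        return "same bytes"
    if tag == expected[::-1]:
        return "same value, expected is the word printed as a number"
    return "mismatch"

KEY, MSG = bytes(range(16)), bytes(range(15))  # Appendix A vector from the issue
```

When comparing tags across libraries, compare the raw 8 bytes rather than hex strings copied from documentation, since a printed 64-bit number and a hex dump of the byte string differ only by this reversal.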