Home

Awesome

SPARK_SipHash

Introduction

This is an Ada 2012 / SPARK 2014 project that implements the SipHash keyed hash function. SipHash was designed by Jean-Philippe Aumasson and Daniel J. Bernstein, although this implementation is independent of them. SipHash is a hash function optimised for speed on short messages, but which uses modern cryptographic design concepts in order to be as close to a true PRF (Pseudo-Random Function) as possible.

This project is free software (ISC permissive licence) and is provided with no warranties, as set out in the file LICENSE. The original reference C code was released by the designers under the CC0 license, a public domain-like license. A copy is provided as src/tests/reference_siphash_24.c and is only used to check that the Ada library produces results which match the reference implementation.

Rationale - Hash-flooding DoS protection

A hash-flooding Denial of Service attack occurs when an attacker is able to inject values under chosen keys into a hash table, for example by making requests for resources which he knows will be tracked in a hash table using the requested resource name as the key. If the hash function is not secure, it may be possible to deliberately choose names/keys which will all hash to the same bucket. Searches of the hash table performed by the server software will only use this bucket and so will start to take O(n) time, rather than the constant O(1) time which hash tables usually achieve (on average). A server that might, in normal use, appear to be generously over-provisioned can be slowed to a crawl using only limited network resources.

There are several very fast hash functions that are perfectly adequate for hash table use in safe environments but which are unsafe if exposed to possible hash-flooding attacks. SipHash resists these attacks in two ways. Firstly, it is not a single hash function but a (very large) family of hash functions parametised by a key. Secondly, it is designed to make it as hard as possible to find collisions, even if the attacker can gather some information about the use of the hash. SipHash is also fast enough to be competitive for hash table use. SipHash is probably not suitable for most general purpose cryptographic uses due to the small output size.

This project is an implementation in SPARK 2014 which provides a verified implementation of SipHash. The verification does not address the cryptographic properties of the hash, but concentrates on proving the lack of classes of errors such as overflows. The result should be sufficiently trustworthy to function as a drop-in replacement for Ada.Strings.Hash in conjunction with Ada.Containers.

Overview of the packages

The packages provide both generic versions of SipHash and instantiations using typical parameters. Typical use will involve calling a routine in SipHash24.System_Entropy to set a random key using a system entropy source, and using one of the hash routines in SipHash24_String_Hashing for an instantiation of the hash containers in Ada.Containers.

Package SipHash

This is the main generic package that implements the algorithm as described in the original paper. The parameters c_rounds and d_rounds allow the specification of the parameters labelled c and d in the paper. The default key is also specified in k0 and k1.

The Set_Key procedures allow the key to be set either from a Storage_Array of length 16, or from two unsigned 64-bit modular types. The key is part of the package state, as for the intended uses of this project it is not necessary to be able to stipulate the key for each hash operation.

It is important to set the key to a value that cannot be predicted by an attacker. The easiest way of achieving this is to set a random key when the software starts up. Most systems have facilities for producing random numbers suitable for this purpose - see the SipHash.Entropy package.

The SipHash function is responsible for producing a hash of an input block of memory in the form of a Storage_Array. The output is a 64-bit modular value.

Packages SipHash.Discrete, SipHash.Wide_Discrete and SipHash.Wide_Wide_Discrete

These generic functions allow the calculation of SipHash over arrays of discrete types that fit into 1, 2 and 4 bytes respectively. They can therefore be instantiated for the various string types. The output hash type can also be chosen. This is necessary to ensure the instantiated function has the right output to be used with Ada.Containers. In most imaginable Ada runtimes, this will involve (internally) truncating the native 64-bit output of SipHash to fit.

Package SipHash.General

This generic package can hash any type by using Storage_IO to turn values into a Storage_Array. Once again, the output hash type can be chosen.

Package SipHash.Entropy

This package provides routines to indicate if a system entropy source is available, and to attempt to set the SipHash key using it. Three implementations of this package are currently included, one that assumes no system entropy source is available, one that uses /dev/urandom on Linux or other Unix-like systems and one that uses the getrandom system call on Linux. A suitable implementation should be compiled into the library to provide randomisation - if an attacker can predict the key used for SipHash, the benefit provided by using the package will be very limited.

Note that the facilities in Ada.Numerics.Discrete_Random may not be sufficient to set the key. The time-dependent reset function may lead to a different key on each execution, but if the approximate server start time can be guessed the number of possible keys will be limited. The implementation requirements in ARM A.5.2 and ARM G.2.5 relate to the statistical quality of the output, not the cryptographic quality.

Packages SipHash24, SipHash24.System_Entropy

These are instantiations of SipHash and SipHash.Entropy using the standard (c => 2, d => 4) parameters recommended in the SipHash paper.

Package SipHash24_String_Hashing

This package contains a range of routines for hashing String, Wide_String, Wide_Wide_String and UTF_8_String in both case-sensitive and case-insensitive variants.

Packages in src/general-provable

These packages are not compiled into the library in normal conditions, but exist to address an issue with the formal verification of SipHash.General described in a later section.

Project files and examples

A project file spark_siphash.gpr has been provided for use with GNAT and GNATprove. This takes two parameters. The mode parameter can be set to debug or optimize to produce the library itself with GNAT, or set to analyze (equivalently - analyse) to use settings suitable for use with GNATprove. The entropy parameter can be set to the desired implementation of SipHash.Entropy. Currently the choices are getrandom to use this system call on Linux, urandom to use /dev/urandom, or none to compile a null implementation that raises an exception.

The project file spark_siphash_external.gpr enables use of the library in external projects without prompting the builder to recompile it.

The project file spark_siphash_examples.gpr can be used to compile two example programs. test_siphash.adb ensures that the Ada routine produces the same output as the reference C implementation for the test vector described in the SipHash paper, a sample 'Lorem Ipsum' string, and a series of arbitrary memory blocks of each length from 1 to 2,000 bytes. example_hashed_maps.adb demonstrates the use of this project with the Ada standard library containers.

Using GNATprove for verification

A standard invocation of GNATprove on this project is:

gnatprove -P spark_siphash.gpr -Xmode=analyze -Xentropy=none

This uses standard settings that are equivalent to:

gnatprove -P spark_siphash.gpr -Xmode=analyze -Xentropy=none -j0 --timeout=5 --level=2 --proof=progressive --warnings=continue

The settings should be adjusted based on the speed of your system.

SPARK does not fully analyse generic packages. The proofs are therefore generated for the specific instantiations in the SipHash24 packages, which cover the common use cases of hasing strings and storage blocks.

SPARK and Ada.Storage_IO

SPARK is incompatible with Ada.Storage_IO, as the latter has no SPARK annotations and implementations of the package tend to use SPARK-unfriendly methods such as access values and unchecked conversions. It is therefore not possible to directly verify SipHash.General due to its reliance on Storage_IO.

The solution found was to make a copy of SipHash.General called SipHash.General_SPARK which uses a simplified version of Storage_IO with the appropriate annotations to allow GNATprove to understand the specification but to prevent GNATprove from analysing the body. An instantiation of this package is also proved to act as a target for GNATprove. Running a diff between SipHash.General and SipHash.General_SPARK shows how minimal the differences are, and so provides a justification for believing that the proof of the latter provides evidence of the correctness of the former.

These files are stored in src/general-provable and the project file is designed so they are only visible when -Xmode=analyze is passed to GNAT or GNATprove. They are not compiled into the library in the debug or optimize modes.