SipHash

---

title: "SipHash" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["hash-function-(non-cryptographic)", "public-domain-software-with-source-code", "creative-commons-licensed-works"] description: "Hash functions" topic_path: "general/hash-function-non-cryptographic" source: "https://en.wikipedia.org/wiki/SipHash" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0

::summary Hash functions ::

SipHash is an add–rotate–xor (ARX) based family of pseudorandom functions created by Jean-Philippe Aumasson and Daniel J. Bernstein in 2012,{{cite journal |url=https://eprint.iacr.org/2012/351 |title=SipHash: a fast short-input PRF |author1=Jean-Philippe Aumasson |author2=Daniel J. Bernstein |journal=Cryptology ePrint Archive |author-link2=Daniel J. Bernstein |name-list-style=amp |date=2012-09-18 |title=Hash Table Vulnerability Enables Wide-Scale DDoS Attacks |first=Mike |last=Lennon |date=2011-12-28 |journal=SecurityWeek |url=https://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale/

SipHash is designed as a secure pseudorandom function and can also be used as a secure message authentication code (MAC). SipHash, however, is not a general purpose key-less hash function such as Secure Hash Algorithms (SHA) and therefore must always be used with a secret key in order to be secure. That is, SHA is designed so that it is difficult for an attacker to find two messages X and Y such that SHA(X) = SHA(Y), even though anyone may compute SHA(X). SipHash instead guarantees that, having seen Xi and SipHash(Xi, k), an attacker who does not know the key k cannot find (any information about) k or SipHash(Y, k) for any message Y ∉ {Xi} which they have not seen before.

Overview

SipHash computes a 64-bit message authentication code from a variable-length message and 128-bit secret key. It was designed to be efficient even for short inputs, with performance comparable to non-cryptographic hash functions, such as CityHash; this can be used to prevent denial-of-service attacks against hash tables ("hash flooding"),{{Cite conference |title=Hash-flooding DoS reloaded: attacks and defenses |first1=Jean-Philippe |last1=Aumasson |first2=Daniel J. |last2=Bernstein |author-link2=Daniel J. Bernstein |first3=Martin |last3=Boßlet |url=https://131002.net/siphash/siphashdos_appsec12_slides.pdf |conference=Application Security Forum – Western Switzerland 2012 |conference-url=http://www.appsec-forum.ch/ |date=2012-11-08 |archive-url=https://web.archive.org/web/20130913185247/https://131002.net/siphash/siphashdos_appsec12_slides.pdf |archive-date=2013-09-13

An unkeyed hash function such as SHA is collision-resistant only if the entire output is used. If used to generate a small output, such as an index into a hash table of practical size, then no algorithm can prevent collisions; an attacker need only make as many attempts as there are possible outputs.

For example, suppose a network server is designed to be able to handle up to a million requests at once. It keeps track of incoming requests in a hash table with two million entries, using a hash function to map identifying information from each request to one of the two million possible table entries. An attacker who knows the hash function need only feed it arbitrary inputs; one out of two million will have a specific hash value. If the attacker now sends a few hundred requests all chosen to have the same hash value to the server, that will produce a large number of hash collisions, slowing (or possibly stopping) the server with an effect similar to a packet flood of many million requests.{{cite conference | title=Denial of Service via Algorithmic Complexity Attacks | first1=Scott A. |last1=Crosby | first2=Dan S. |last2=Wallach | conference=Usenix Security Symposium | location=Washington, D.C. | date=2003-08-06 | url=https://www.usenix.org/legacy/events/sec03/tech/crosby.html | conference-url=https://www.usenix.org/legacy/events/sec03/tech.html}}

By using a key unknown to the attacker, a keyed hash function like SipHash prevents this sort of attack. While it is possible to add a key to an unkeyed hash function (HMAC is a popular technique), SipHash is much more efficient.

Functions in SipHash family are specified as SipHash-c-d, where c is the number of rounds per message block and d is the number of finalization rounds. The recommended parameters are SipHash-2-4 for best performance, and SipHash-4-8 for conservative security. A few languages use SipHash-1-3 for performance at the risk of yet-unknown DoS attacks.

The reference implementation was released as public domain-like software under the CC0.{{cite web | url=https://131002.net/siphash/ | title=SipHash: a fast short-input PRF | quote=Intellectual property: We aren't aware of any patents or patent applications relevant to SipHash, and we aren't planning to apply for any. The reference code of SipHash is released under CC0 license, a public domain-like license. | date=2016-08-01 | access-date=2017-01-21 | archive-url=https://web.archive.org/web/20170202184819/https://131002.net/siphash/ | archive-date=2017-02-02

Usage

SipHash is used in hash table implementations of various software:{{cite web | url=https://131002.net/siphash/#us | title=SipHash: a fast short-input PRF, Users | last1=Aumasson |first1=Jean-Philippe | last2=Bernstein |first2=Daniel J. | date=2016-08-01 | access-date=2017-01-21 | archive-url=https://web.archive.org/web/20170202184819/https://131002.net/siphash/#us | archive-date=2017-02-02

• Programming languages

  • JavaScript
    • Node.js{{cite web | url = https://github.com/nodejs/node/pull/26367 | title = build: enable v8's SipHash for hash seed creation | last = Vagg | first = Rod | work = Node.js | via = GitHub | date = 2019-02-28 | access-date = 2021-10-21
      • V8 (JavaScript engine) (available as a compile-time option){{cite web | url=https://chromium-review.googlesource.com/c/v8/v8/+/1382463/ | title=Optionally use halfsiphash for integer hashing | last=Guo | first=Yang | work = V8 | date=2019-01-09 | access-date=2021-10-21}}
  • OCaml{{cite web | url=https://v2.ocaml.org/api/Hashtbl.html | title=OCaml Library: Hashtbl | access-date=2024-02-17}}
  • Perl 5 (available as a compile time option){{cite web | url = https://perldoc.perl.org/perlsec#Algorithmic-Complexity-Attacks | title = Perl security – Algorithmic Complexity Attacks | website = Perldoc Browser | date = 2016-05-16 | access-date = 2021-10-21}}
  • Python (starting in version 3.4,{{cite web | url=https://www.python.org/dev/peps/pep-0456/ | title=PEP 456 – Secure and interchangeable hash algorithm | last=Heimes |first=Christian | date=2013-09-27 | access-date=2017-01-21}} SipHash 1-3 since 3.11)
  • Raku{{cite web | url = https://github.com/MoarVM/MoarVM/commit/d9a3270aa290c8dd3b547d4deceb5e76dc8c8e47 | title = Implement SipHash, use as our hashing function w/ 64-bit hashvals | last = McVey | first = Samantha | work = MoarVM | via = GitHub | date = 2018-07-16 | access-date = 2018-07-16}}
  • Ruby (SipHash 1-3)
  • Swift
  • Rust

• Operating systems

  • Linux
    • systemd{{cite web | url=https://cgit.freedesktop.org/systemd/systemd/commit/?id=9bf3b53533cdc9b95c921b71da755401f223f765 | title=shared: switch our hash table implementation over to SipHash | last=Poettering | first=Lennart | author-link=Lennart Poettering | work = systemd | via = freedesktop.org | date=2013-12-22 | access-date=2017-01-21}}
  • OpenBSD
  • FreeBSD
  • OpenDNS
  • WireGuard

The following programs use SipHash in other ways:

• Bitcoin for short transaction IDs
• Bloomberg BDE as a C++ object hasher
• InterPlanetary File System (IPFS) for its seven Bloom filter hashes

Implementations

• C (reference implementation)
• C++ (Wassenberg & Alakuijala 2017, part of their "highwayhash" work)
• C#
• Common Lisp
• Crypto++
• Go
• Haskell
• JavaScript
• PicoLisp
• Rust
• Swift
• Verilog
• VHDL

References

References

1. (29 November 2014). "Selected Areas in Cryptography -- SAC 2014".
2. (2013). "Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM".
3. (Nov 12, 2015). "Comment on: change Siphash to use one of the faster variants of the algorithm (Siphash13, Highwayhash) · Issue #29754 · rust-lang/rust".
4. "Moving to SipHash-1-3 #73596".
5. "Feature #13017: Switch SipHash from SipHash24 to SipHash13 - Ruby master - Ruby Issue Tracking System".
6. "SRC/Sys/Crypto/Siphash.h at master · openbsd/SRC".
7. "[base] Index of /Head/Sys/Crypto/Siphash".
8. "Use siphash for hashtables · WireGuard/Wg-dynamic@360b9c8".
9. "Compact Block Relay".
10. [https://github.com/bloomberg/bde/blob/master/groups/bsl/bslh/bslh_siphashalgorithm.h bslh_siphashalgorithm.h]
11. "Bbloom/SipHash.go at 73e3f896a4f8bbed8589df6ff5c28ebfbd728e31 · ipfs/Bbloom".

::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::