Closed. zrlw closed this issue 4 years ago.
I thought about possible ways to break it and did not figure out anything but a brute-force attack. I believe a brute-force preimage attack requires 2^64. But in contrast to siphash, nobody has made a differential cryptanalysis of mum-hash. I am not going to do this. It is a big job. But anybody is welcome to do this. Also, mum-hash is fast for 64-bit machines. For 32-bit machines, it is much slower.
The Linux kernel now uses siphash_4u32 in net/ipv4/syncookies.c and net/ipv6/syncookies.c ( https://github.com/torvalds/linux/tree/master ):

```c
static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
		       u32 count, int c)
{
	net_get_random_once(syncookie_secret, sizeof(syncookie_secret));
	return siphash_4u32((__force u32)saddr, (__force u32)daddr,
			    (__force u32)sport << 16 | (__force u32)dport,
			    count, &syncookie_secret[c]);
}
```
siphash may be too heavy or slow for generating a TCP syncookie; just a message authentication code can do it. A syncookie does not need second-preimage resistance or collision resistance; preimage resistance may be enough. How can one prove that mum-hash can do it?
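To make the construction quoted above concrete, here is an added userspace mirror of it (example code, not from mum-hash or the kernel): a standard SipHash-2-4, the kernel's siphash_4u32() input packing, and a cookie_hash() keyed by a fixed constructed secret in place of net_get_random_once(). The point it shows is that the cookie is a keyed MAC over the 4-tuple and a counter: without the secret, the output cannot be reproduced, which is the only property the syncookie relies on.

```c
#include <stdint.h>
#include <stddef.h>

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
/* One SipRound of the add-rotate-xor network. */
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

typedef struct { uint64_t key[2]; } siphash_key_t;

/* Standard SipHash-2-4 (2 compression rounds, 4 finalization rounds) over a byte string. */
uint64_t siphash24(const uint8_t *in, size_t len, const siphash_key_t *key)
{
    uint64_t v0 = 0x736f6d6570736575ULL ^ key->key[0];
    uint64_t v1 = 0x646f72616e646f6dULL ^ key->key[1];
    uint64_t v2 = 0x6c7967656e657261ULL ^ key->key[0];
    uint64_t v3 = 0x7465646279746573ULL ^ key->key[1];
    uint64_t b = (uint64_t)len << 56;    /* last block carries the length byte */
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {       /* absorb full 8-byte little-endian words */
        uint64_t m = 0;
        for (int j = 7; j >= 0; j--) m = (m << 8) | in[i + j];
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                          /* finalization */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Same input packing as the kernel's siphash_4u32(): four u32s as 16 little-endian bytes. */
uint64_t siphash_4u32(uint32_t a, uint32_t b, uint32_t c, uint32_t d, const siphash_key_t *key)
{
    uint32_t w[4] = { a, b, c, d };
    uint8_t buf[16];
    for (int i = 0; i < 16; i++) buf[i] = (uint8_t)(w[i / 4] >> (8 * (i % 4)));
    return siphash24(buf, 16, key);
}

/* Constructed stand-in for the kernel's syncookie_secret[], which net_get_random_once() fills at boot. */
siphash_key_t syncookie_secret[2] = { { { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL } },
                                      { { 0x1111111111111111ULL, 0x2222222222222222ULL } } };

/* Userspace mirror of cookie_hash() from net/ipv4/syncookies.c: 4-tuple plus counter, keyed by secret c. */
uint32_t cookie_hash(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport, uint32_t count, int c)
{
    return (uint32_t)siphash_4u32(saddr, daddr, (uint32_t)sport << 16 | dport, count, &syncookie_secret[c]);
}
```

The secret index c selects which of the two rotating secrets signs the cookie; a peer that does not hold that secret cannot forge a cookie that verifies, independent of the primitive's collision resistance.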