
So I am curious about the security analysis of Marvin32, the randomized hash algorithm used in .NET (to prevent hash-table DoS). I found the source code here: marvin32.h, marvin32.c.

At first glance, the construction looks really similar to that of SipHash, but:

  • Marvin32: 1 round per block and 2 finalization rounds
    SipHash: 2 rounds per block and 4 finalization rounds
  • Marvin32: 64-bit key space (seed)
    SipHash: 128-bit key space

Nevertheless, the construction seems so similar that it looks like MS was trying to build something like a PRF. The 64-bit key space is certainly too small for a general-purpose PRF, but assuming that 64-bit is enough, is this a secure PRF? Do you see anything else wrong with the construction (key expansion, hash)?

To me it looks like the rounds are too short for this to be a crypto-grade PRF (again, ignoring the key-space for a moment), but maybe it's enough to thwart the hash-table DoS assuming the key is changed from time to time using a CSPRNG?

otus
Paya

2 Answers


It isn't a good cryptographical PRF (and, to be fair to the inventor, he never claimed it was).

Marvin32 starts with a secret state, processes the message and the state to give a new state, and at the end outputs the state. However, it outputs the entire state, and the state update process is invertible (if you know the message); hence if you know the message and the output, you can reconstruct the original state (and with that, compute the output for any other arbitrary message).

Even if we ignore the state recovery attack, there are also issues with propagating deltas from the final message bits into the output; if we take a message and flip a bit in the final byte, it wouldn't appear that that change gets propagated to all the bits of the output with probability anywhere close to 0.5 (this effect is stronger if the message length isn't a multiple of 4); this raises questions whether it's a good statistical PRF.

poncho
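To make the two observations in this answer concrete, here is an added Python reimplementation of Marvin32 (written for this page, not code taken from the .NET or SymCrypt sources; the rotation constants 20, 9, 27, 19, 7, 13, the 0x80 padding byte and the two finalization rounds follow the published .NET implementation, with the 64-bit seed as the initial state and the full 64-bit final state as output). `inverse_block` undoes one round, which is what makes the state recoverable from message plus output, and `final_byte_avalanche` measures how many output bits move when a single bit of the last byte is flipped.

```python
MASK = 0xFFFFFFFF

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK
def rotr(x, r):
    return rotl(x, 32 - r)

def block(p0, p1):
    """One Marvin32 round: six rotate/xor/add steps, constants 20, 9, 27, 19, 7, 13."""
    p1 ^= p0;              p0 = rotl(p0, 20)
    p0 = (p0 + p1) & MASK; p1 = rotl(p1, 9)
    p1 ^= p0;              p0 = rotl(p0, 27)
    p0 = (p0 + p1) & MASK; p1 = rotl(p1, 19)
    p1 ^= p0;              p0 = rotl(p0, 7)
    p0 = (p0 + p1) & MASK; p1 = rotl(p1, 13)
    return p0, p1

def inverse_block(p0, p1):
    """Undo one round: xor, modular add and rotation are each invertible, so the round is a bijection."""
    p1 = rotr(p1, 13); p0 = (p0 - p1) & MASK
    p0 = rotr(p0, 7);  p1 ^= p0
    p1 = rotr(p1, 19); p0 = (p0 - p1) & MASK
    p0 = rotr(p0, 27); p1 ^= p0
    p1 = rotr(p1, 9);  p0 = (p0 - p1) & MASK
    p0 = rotr(p0, 20); p1 ^= p0
    return p0, p1

def marvin32(seed, data):
    """64-bit seed = initial state (p0 low word, p1 high word); the full 64-bit final state is the output.
    Padding: one 0x80 byte right after the last data byte, then two finalization rounds."""
    p0, p1 = seed & MASK, (seed >> 32) & MASK
    n = len(data)
    for i in range(0, n - n % 4, 4):          # one round per 4-byte block
        p0 = (p0 + int.from_bytes(data[i:i + 4], "little")) & MASK
        p0, p1 = block(p0, p1)
    tail = data[n - n % 4:] + b"\x80"          # 1..4 bytes, always fits one word
    p0 = (p0 + int.from_bytes(tail, "little")) & MASK
    p0, p1 = block(*block(p0, p1))             # two finalization rounds
    return (p1 << 32) | p0

def final_byte_avalanche(seed, data):
    """Average number of output bits that change when one bit of the last byte is flipped;
    an ideal 64-bit PRF would give about 32. data must be non-empty."""
    base = marvin32(seed, data)
    total = 0
    for bit in range(8):
        flipped = bytearray(data); flipped[-1] ^= 1 << bit
        total += bin(base ^ marvin32(seed, bytes(flipped))).count("1")
    return total / 8
```

Running `final_byte_avalanche` over a few message lengths (especially lengths that are not a multiple of 4) is the quickest way to see the weak diffusion from the last bytes that the answer describes.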

Looks like Marvin32 is a part of a patent :-) And Microsoft really do believe it is resistant to Hash Flood attack.

http://www.google.com/patents/US20130262421

funny_falcon