[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Chicken-hackers] On Hash Collisions (28C3)

From: John Cowan
Subject: Re: [Chicken-hackers] On Hash Collisions (28C3)
Date: Sun, 1 Jan 2012 10:29:18 -0500
User-agent: Mutt/1.5.18 (2008-05-17)

Peter Bex scripsit:

> Yes, and doing it in *every* *freaking* program.  Including
> third-party libraries written long ago or by people assuming a sane
> srfi-69 implementation (or more likely, not having thought about it).

Not at all.  Only fixing programs that are exposed to potentially
malicious data, like HTTP request parameters.

> There is almost no cost; just one call to get a random number when
> creating the hash table and one extra xor when hashing a value.

Well, that would certainly be reassuring, except for this:

1) If the number is only pseudo-random a la SRFI 27, you have only
increased the resistance but not eliminated the problem.  The algorithm
is still published and predictable, just more complex.

2) If the number is truly random (from /dev/random or what not) it is
definitely not cheap.  A program that allocates lots of hash tables will
find itself running very slow indeed.

I marvel at the creature: so secret and         John Cowan
so sly as he is, to come sporting in the pool   address@hidden
before our very window.  Does he think that
Men sleep without watch all night?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]