I've long warned against the Rust "ahash" construction, which is the default in `hashbrown` (but fortunately not `std`), due to what I thought was a poor cryptographic design which misuses cryptographic primitives, including using the AES round function with insufficient rounds (i.e. 1 round!) to achieve required diffusion.

Turns out someone found a full key recovery attack against it:

https://github.com/tkaitchuck/aHash/issues/163

Critical vulnerability: complete key recovery of AES-based hash through side-channels · Issue #163 · tkaitchuck/aHash

The AES version of aHash only performs a single round of AES between inputs. This is not sufficient, a single-bit difference only gets amplified once in the SubBytes step, leading to one of 256 pos...

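The diffusion point made above (and in the issue's opening lines), as an added example that is not aHash's code or the issue author's: a plain software AES round in Rust, used to count how many output bytes a single flipped input bit reaches after one round versus two, and how many distinct output differences one S-box lookup can produce for a fixed input difference. The S-box is derived from field inversion plus the affine map rather than typed in as a table; the key and input values are constructed and arbitrary, since only the propagation of differences is measured, and the same key is reused every round, which real AES does not do.

```rust
// Added example, not aHash's code: a plain software AES round used to measure
// how far a single-bit input difference spreads after one round versus two.
// State layout is AES column-major: index = row + 4 * column.

/// Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        if b & 1 != 0 {
            p ^= a;
        }
        let carry = a & 0x80;
        a <<= 1;
        if carry != 0 {
            a ^= 0x1b;
        }
        b >>= 1;
    }
    p
}

/// Multiplicative inverse in GF(2^8) as a^254 (0 maps to 0, as AES requires).
fn gf_inv(a: u8) -> u8 {
    let (mut result, mut base, mut e) = (1u8, a, 254u32);
    while e > 0 {
        if e & 1 == 1 {
            result = gf_mul(result, base);
        }
        base = gf_mul(base, base);
        e >>= 1;
    }
    result
}

/// The AES S-box, derived from inversion plus the fixed affine map.
fn sbox() -> [u8; 256] {
    let mut s = [0u8; 256];
    for x in 0..256usize {
        let b = gf_inv(x as u8);
        s[x] = b ^ b.rotate_left(1) ^ b.rotate_left(2) ^ b.rotate_left(3) ^ b.rotate_left(4) ^ 0x63;
    }
    s
}

/// One full AES round: SubBytes, ShiftRows, MixColumns, AddRoundKey.
fn aes_round(state: &[u8; 16], round_key: &[u8; 16], s: &[u8; 256]) -> [u8; 16] {
    // SubBytes: byte-wise S-box lookup.
    let mut t = [0u8; 16];
    for i in 0..16 {
        t[i] = s[state[i] as usize];
    }
    // ShiftRows: row r is rotated left by r positions.
    let mut u = [0u8; 16];
    for r in 0..4 {
        for c in 0..4 {
            u[r + 4 * c] = t[r + 4 * ((c + r) % 4)];
        }
    }
    // MixColumns: multiply each column by the fixed MDS matrix.
    let mut out = [0u8; 16];
    for c in 0..4 {
        let a = &u[4 * c..4 * c + 4];
        out[4 * c] = gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3];
        out[4 * c + 1] = a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3];
        out[4 * c + 2] = a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3);
        out[4 * c + 3] = gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2);
    }
    // AddRoundKey.
    for i in 0..16 {
        out[i] ^= round_key[i];
    }
    out
}

/// Apply `rounds` AES rounds to a constructed input and to the same input
/// with one bit flipped; return how many of the 16 output bytes differ.
fn changed_bytes_after(rounds: usize, bit: usize) -> usize {
    let s = sbox();
    let key = [0x5au8; 16]; // constructed key; its value does not affect difference propagation
    let base = [0x42u8; 16]; // constructed input block
    let mut flipped = base;
    flipped[bit / 8] ^= 1 << (bit % 8);
    let (mut a, mut b) = (base, flipped);
    for _ in 0..rounds {
        a = aes_round(&a, &key, &s);
        b = aes_round(&b, &key, &s);
    }
    a.iter().zip(b.iter()).filter(|(x, y)| x != y).count()
}

/// Number of distinct output differences the S-box can produce for a fixed
/// nonzero input difference (one row of its difference distribution table).
fn distinct_sbox_output_diffs(input_diff: u8) -> usize {
    let s = sbox();
    let mut seen = [false; 256];
    for x in 0..256u16 {
        seen[(s[x as usize] ^ s[(x as u8 ^ input_diff) as usize]) as usize] = true;
    }
    seen.iter().filter(|&&v| v).count()
}

fn main() {
    for rounds in 1..=3 {
        println!(
            "{} round(s): flipping input bit 0 changes {} of 16 output bytes",
            rounds,
            changed_bytes_after(rounds, 0)
        );
    }
    println!(
        "S-box: input difference 0x01 can become only {} of 255 nonzero output differences",
        distinct_sbox_output_diffs(0x01)
    );
}
```

After one round a single-byte difference lands in exactly one column (four bytes, because MixColumns is an MDS map); only the second round carries it into all sixteen bytes. The S-box row count (127 reachable output differences, each with probability 2/256 or 4/256) is the single-step differential behaviour that a one-round construction exposes directly and that further rounds are supposed to blur.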
The "fix" is likely still insecure against the "hashDoS Reloaded" attack which leverages differential cryptanalysis.
This issue also looks pretty bad: https://github.com/tkaitchuck/aHash/issues/210
RandomState has too many collisions · Issue #210 · tkaitchuck/aHash

See my repro repository. I just happened to get a bad random seed the first time I ever used ahash, and the collision rate in my hash table was far higher than expected. When inserting entries into...

@bascule why do so many projects not set up vulnerability reporting?
@bascule Honestly, even though std doesn't use ahash, I am annoyed that ahash will inevitably be pulled in through an indirect dependency
@jaidenmercan @bascule Yay for LPMs and bad code that's "fine because it's Rust and Rust is mEmOrY-SaFe" 🙃
@jaidenmercan yeah, it shows up anywhere that pulls in `hashbrown` directly, annoying
@bascule In my experience, the Rust community does not seem to be particularly interested in DoS safety.

@ian the developers of rustc have cared quite a bit and the standard library uses SipHash, despite using hashbrown under the hood.

But people were mad SipHash is "too slow", and ahash provided an alternative that claimed to defeat hashDoS as well as being faster.

@bascule I thought Rust's std called hashbrown under the hood?
@nmott @bascule yeah but with a different hasher (sip hash), not ahash
@teivel @bascule got it. thanks for the reply!
@teivel @nmott fortunately the `std` developers switched out the YOLO crypto for something boring