I've long warned against the Rust "ahash" construction, which is the default in `hashbrown` (but fortunately not `std`), due to what I thought was a poor cryptographic design which misuses cryptographic primitives, including using the AES round function with insufficient rounds (i.e. 1 round!) to achieve required diffusion.

Turns out someone found a full key recovery attack against it:

https://github.com/tkaitchuck/aHash/issues/163

Critical vulnerability: complete key recovery of AES-based hash through side-channels · Issue #163 · tkaitchuck/aHash

The AES version of aHash only performs a single round of AES between inputs. This is not sufficient, a single-bit difference only gets amplified once in the SubBytes step, leading to one of 256 pos...

The "fix" is likely still insecure against the "hashDoS Reloaded" attack which leverages differential cryptanalysis.
This issue also looks pretty bad: https://github.com/tkaitchuck/aHash/issues/210

RandomState has too many collisions · Issue #210 · tkaitchuck/aHash

See my repro repository. I just happened to get a bad random seed the first time I ever used ahash, and the collision rate in my hash table was far higher than expected. When inserting entries into...
