I've long warned against the Rust "ahash" construction, which is the default in `hashbrown` (but fortunately not `std`), due to what I thought was a poor cryptographic design which misuses cryptographic primitives, including using the AES round function with insufficient rounds (i.e. 1 round!) to achieve required diffusion.

Turns out someone found a full key recovery attack against it:

https://github.com/tkaitchuck/aHash/issues/163

Critical vulnerability: complete key recovery of AES-based hash through side-channels · Issue #163 · tkaitchuck/aHash

The AES version of aHash only performs a single round of AES between inputs. This is not sufficient, a single-bit difference only gets amplified once in the SubBytes step, leading to one of 256 pos...

@bascule In my experience, the Rust community does not seem to be particularly interested in DoS safety.

@ian the developers of rustc have cared quite a bit and the standard library uses SipHash, despite using hashbrown under the hood.

But people were mad SipHash is "too slow", and ahash provided an alternative that claimed to defeat hashDoS as well as being faster.
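To make the diffusion point from the linked issue concrete, here is an added example (written for this thread, not code from aHash or from anyone in the discussion): a textbook AES round built from the standard GF(2^8) arithmetic, used only to count how many of the 16 state bytes a single-bit input difference reaches after one round versus two. The sample state and round key are constructed, arbitrary values; no real key schedule is involved, since key addition does not change differences anyway.

```python
"""Added example (not from the thread or the aHash project): a plain textbook
AES round, used to measure how far a single-bit input difference spreads after
one round versus two. Everything here is standard AES arithmetic."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) via a^254 (0 maps to 0, as in AES)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def _rotl8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


# The AES S-box computed from its definition: field inverse, then affine map.
SBOX = [
    (lambda v: v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63)(gf_inv(x))
    for x in range(256)
]


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    # State is column-major: s[r + 4*c]. Row r rotates left by r positions.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
        ]
    return out


def aes_round(state, round_key):
    """One full AES round: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    s = mix_columns(shift_rows(sub_bytes(state)))
    return [x ^ k for x, k in zip(s, round_key)]


def diff_bytes(a, b) -> int:
    return sum(1 for x, y in zip(a, b) if x != y)


def diffusion_after(rounds: int, state, flip_bit: int, key) -> int:
    """Number of the 16 state bytes that differ after `rounds` AES rounds when
    the two inputs differ only in bit `flip_bit` (0..127)."""
    other = list(state)
    other[flip_bit // 8] ^= 1 << (flip_bit % 8)
    a, b = list(state), other
    for _ in range(rounds):
        a, b = aes_round(a, key), aes_round(b, key)
    return diff_bytes(a, b)


# Constructed sample input and round key (arbitrary, not from any real system).
SAMPLE_STATE = list(range(16))
SAMPLE_KEY = [0xA5] * 16

if __name__ == "__main__":
    for bit in (0, 37, 127):
        one = diffusion_after(1, SAMPLE_STATE, bit, SAMPLE_KEY)
        two = diffusion_after(2, SAMPLE_STATE, bit, SAMPLE_KEY)
        print(f"flip bit {bit:3d}: after 1 round {one:2d} bytes differ, after 2 rounds {two:2d}")
```

After a single round the difference is still confined to one column (4 of 16 bytes) whatever bit was flipped, because SubBytes touches only the one byte that changed and MixColumns spreads it within its column only; a second round is what carries it across all 16 bytes. That is the structural reason a one-round mix between inputs leaves the output difference in a small, predictable set, which is what the issue describes.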