Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Hash has arbitrary seed-independent multicollisions, is not DoS resistant #83

Open
orlp opened this issue Jun 2, 2024 · 6 comments · May be fixed by #88
Open

Hash has arbitrary seed-independent multicollisions, is not DoS resistant #83

orlp opened this issue Jun 2, 2024 · 6 comments · May be fixed by #88
Assignees
@ogxd
Labels
security 🔒
Milestone
GxHash 4

Comments

@orlp
Copy link

orlp commented Jun 2, 2024
edited
Loading

There are probably other issues as well, but this line is particularly problematic:

gxhash/src/gxhash/platform/x86.rs

Line 86 in 8bee61e

let mut tmp1 = aes_encrypt(v0, v2);

This is trivial to invert and allows you to create arbitrary seed-independent multicollisions. I would suggest not advertising DoS resistance on this hash at all.

// Not an endorsement of aes_crypto, just the first crate
// I could find that allows cross-platform single-round encryption.
use aes_crypto::AesBlock;

fn main() {
    let zero_key = AesBlock::zero();

    let mut s0 = [0u8; 192];
    let mut s1 = [0u8; 192];

    s0[64] = 100;
    s1[64] = 42;
    
    let v0 = AesBlock::new(s0[64..64 + 16].try_into().unwrap());
    v0.enc(zero_key).store_to(&mut s0[64 + 32..]);

    let v0 = AesBlock::new(s1[64..64 + 16].try_into().unwrap());
    v0.enc(zero_key).store_to(&mut s1[64 + 32..]);

    // Different strings.
    assert!(s0 != s1);
    
    // Collide regardless of seed.
    assert!(gxhash::gxhash128(&s0, 0) == gxhash::gxhash128(&s1, 0));
    assert!(gxhash::gxhash128(&s0, 0xdeadbeef) == gxhash::gxhash128(&s1, 0xdeadbeef));
}
@ogxd
Copy link
Owner

ogxd commented Jun 2, 2024

Thanks a lot for this analysis @orlp! Let's see if we can improve DoS resistance without compromising performance. I don't know if it can be made 100% proof but I'm sure it can be improved (maybe using the seed in the main construction).

Btw DoS resistance is not advertised (unless I missed something?). See in readme:

This does not mean however that it is completely DOS resistant. This has to be analyzed further.

@orlp
Copy link
Author

orlp commented Jun 2, 2024
edited
Loading

Btw DoS resistance is not advertised

I disagree. The way it is worded it sounds like it has some DoS resistance when there is none at all. Similarly with multicollision resistance.

@ogxd
Copy link
Owner

ogxd commented Jun 3, 2024

Let's see first if we can address this 😄 Feel free to submit a PR if you want.
After that, depending on the results, we can reword the DoS resistance section more accurately.

@ogxd ogxd self-assigned this Jun 3, 2024
@ogxd ogxd linked a pull request Jun 12, 2024 that will close this issue
Improve DOS resistance #88
Draft
@ogxd
Copy link
Owner

ogxd commented Nov 5, 2024

Did not has much time to work on this, so in the meantime I've clarified the DOS resistance part in the readme https://github.com/ogxd/gxhash?tab=readme-ov-file#security

@ogxd ogxd mentioned this issue Nov 5, 2024
Closed
@ogxd ogxd added this to the GxHash 4 milestone Nov 11, 2024
@purplesyringa
Copy link

There's probably a lot more problems with DoS resistance here. The most obvious one, IMO, is

https://github.com/ogxd/gxhash/blob/main/src/hasher.rs#L113-L117

compress_all is completely independent from the seed, so a collision in compress_all affects all seeds.

@ogxd
Copy link
Owner

ogxd commented Dec 10, 2024

Mixing the seed at the start instead of the end should significantly improve DoS resistance. I'm currently (slowly) exploring this path.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@ogxd ogxd

Labels
security 🔒
Projects
None yet
Milestone
GxHash 4
Development

Successfully merging a pull request may close this issue.

Improve DOS resistance ogxd/gxhash
3 participants
@orlp @ogxd @purplesyringa