[Python-Dev] Hash collision security issue (now public)

Terry Reedy tjreedy at udel.edu
Thu Dec 29 23:19:58 CET 2011

The talk was a presentation yesterday by Alexander Klink and Julian 
Wälde at the Chaos Communication Congress in Germany hashDoS at alech.de
I read the non-technical summary at

and watched the video of the talk at

My summary: hash table creation with N keys changes from amortized O(N)
to O(N**2) time if the hash values of all the keys are the same. This 
should only happen for large N if done intentionally. This is easy to 
accomplish with a linear multiply and add hash function, such as used in 
PHP4 (but nowhere else that the authors found). A nonlinear multiply and 
xor hash function, used in one form or another by everything else, is 
much harder to break. It is *theoretically* vulnerable to brute-force 
search and this has been known for years. With a more cleaver 
meet-in-the-middle strategy, that builds a dict of suffixes and then 
searches for matching prefixes, 32-bit hashes are *practically* 
vulnerable. The attack depends on, for instance, 2**16 (64K) being 1/64K 
of 2**32. (I did not hear when this strategy was developed, but it is 
certainly more practical on a desktop now than even 8 years ago.)

[64-bit hashes are much, much less vulnerable to attack, at least for 
now. So it seems to me that anyone who hashes potential attack data can 
avoid the problem by using 64-bit Python with 64-bit hash values. If I 
understood Antoine, that should be all 64-bit builds.]

More summary: Perl added an #define option to start the hash calculation 
with non-zero value instead of 0 years ago to "avoid algorithmic 
complexity attacks". The patch is at 47:20 in the video. The authors 
believe all should do similarly.

[The change amounts to adding a char, unknown to attackers, to the 
beginning of every string before hashing. So it adds a small bit of 
time. The code patch shown did not show the source of the non-zero seed 
or the timing and scope of any randomization. As the discussion here has 
shown, this is an important issue to applications. So 'do the same' is 
inadequate and over-simplified advice. I believe Armin's patch is 
similar to the Perl patch.]

Since the authors sent out CERT alert about Nov 1, PHP has added to PHP5 
a new function to limit the number of vars hashed. Microsoft will do 
something similar now with hash randomization to follow (maybe?). JRuby 
is going to do something. Java does not think it needs to change Java 
itself, but will leave all to the frameworks.

[The discussion here suggests that this is an inadequate response for 
32-bit systems like Java since one person/group may not control all the 
pieces of a server system. However, a person or group can run all pieces 
on a system Python with an option turned on.]

Terry Jan Reedy

More information about the Python-Dev mailing list