[Python-Dev] Hash collision security issue (now public)

Terry Reedy tjreedy at udel.edu
Sat Dec 31 06:02:43 CET 2011

On 12/30/2011 8:04 PM, Jim Jewett wrote:

> I'll state it more strongly.  hash probably should not change (at
> least for this),

I agree, especially since the vulnerability can be avoided by using 64 
bit servers and will generally abate as more switch anyway.

 > but we may
> want to consider a different conflict resolution strategy when the
> first slot is already filled.
> Remember that there was a fair amount of thought and timing effort put
> into selecting the
> current strategy; it is deliberately sub-optimal for random input, in
> order to do better with
> typical input.<
> http://hg.python.org/cpython/file/7010fa9bd190/Objects/dictnotes.txt>

It would be good to have a set of attack strings to see how vulernerable 
Py dicts actually are (Python may not have been actually tested with 
data) and the affect of any change. I gave the project email of the 2 
presenters in my first post. They apparently want to work with language 
developers to improve defenses against attack.

Terry Jan Reedy

More information about the Python-Dev mailing list