[Python-Dev] Hash collision security issue (now public)

Antoine Pitrou solipsis at pitrou.net
Mon Jan 2 13:01:05 CET 2012

On Sun, 1 Jan 2012 21:55:52 -0800
Paul McMillan <paul at mcmillan.ws> wrote:
> This is similar to the change proposed by Christian Heimes.
> Most importantly, I moved the xor with r[x % len_r] down a line.
> Before, it wasn't being applied to the last character.

Shouldn't it be r[i % len(r)] instead?
(refer to yesterday's #python-dev discussion)

> I think Ruby uses FNV-1 with a salt, making it less vulnerable to
> this. FNV is otherwise similar to our existing hash function.

Again, we could re-use FNV-1's primes, since they claim they have
better dispersion properties than the average prime.



More information about the Python-Dev mailing list