lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 21 Feb 2007 11:54:06 +0300
From:	Evgeniy Polyakov <>
To:	"Michael K. Edwards" <>
Cc:	Eric Dumazet <>,
	David Miller <>,,,,
Subject: Re: Extensible hashing and RCU

On Tue, Feb 20, 2007 at 12:03:04PM -0800, Michael K. Edwards ( wrote:
> >I just shown a problem in jenkins hash - it is not how to find a
> >differnet input for the same output - it is a _law_ which allows to
> >break a hash. You will add some constant, and that law will be turned
> >into something different (getting into account what was written, it will
> >end up with the same law).
> Correct.  That's called a "weak hash", and Jenkins is known to be a
> thoroughly weak hash.  That's why you never, ever use it without a
> salt, and you don't let an attacker inspect the hash output either.

Again, where will be your salt?
I'm going to show you that having constant xor on fairly distributed
system will not change distribution as long as bad one.

> >Using jenkins hash is equal to the situation, when part of you hash
> >chains will be 5 times longer than median square value, with XOR one
> >there is no such distribution.
> Show us the numbers.  Salt properly this time to reduce the artifacts
> that come of applying a weak hash to a poor PRNG, and histogram your
> results.  If you don't get a Poisson distribution you probably don't
> know how to use gnuplot either.  :-)

I shown that numbers 4 times already, do you read mails and links?
Did you see an artifact Eric showed with his data?

> >Added somthing into permutations will not endup in different
> >distribution, since it is permutations which are broken, not its result
> >(which can be xored with something).
> I can't parse this.  Care to try again?

Whre are you going to add a salt into jenkins hash to fix its

In other words - jenkins hash is equal to simple shift - it is a hash
too, and it has bad distribution too, where will added salt ever help in
that scenario?

> Cheers,
> - Michael

	Evgeniy Polyakov
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists