Tony Arcieri on Nostr: I've long warned against the Rust "ahash" construction, which is the default in ...
I've long warned against the Rust "ahash" construction, which is the default in `hashbrown` (but fortunately not `std`), due to what I thought was a poor cryptographic design which misuses cryptographic primitives, including using the AES round function with insufficient rounds (i.e. 1 round!) to achieve required diffusion.
Turns out someone found a full key recovery attack against it:
https://github.com/tkaitchuck/aHash/issues/163

Published at 2024-02-29 15:31:32
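As an added illustration of the one-round diffusion point in the post (example code written for this page, not aHash's implementation): a textbook AES round in Python, showing that a single flipped input bit changes exactly 4 of the 16 output bytes after one round and all 16 only after two. The key and message are constructed sample values, and the same round key is reused for both rounds since diffusion does not depend on it.

```python
# Added example (not aHash's code): a textbook AES round, used to show how far
# a one-byte input difference spreads after 1 round versus 2 rounds.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _gf_inv(x):
    """Inverse as x^254; 0 maps to 0, matching the AES S-box."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def _affine(b):
    """The S-box affine step: b xor its four left rotations, xor 0x63."""
    r = b
    for i in range(1, 5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r ^ 0x63

SBOX = [_affine(_gf_inv(x)) for x in range(256)]  # SBOX[0] == 0x63, SBOX[1] == 0x7C

def aes_round(state, round_key):
    """One full AES round on 16 bytes in column-major order (byte i: row i % 4, column i // 4)."""
    s = [SBOX[b] for b in state]                          # SubBytes
    s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows: row r rotates left by r
    out = []
    for c in range(4):                                    # MixColumns
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return bytes(x ^ k for x, k in zip(out, round_key))   # AddRoundKey

def changed_bytes(rounds, msg, byte_index, key):
    """Flip one bit of msg and count output bytes that differ after `rounds` rounds
    (the same key is reused each round; the count does not depend on the key)."""
    alt = bytearray(msg)
    alt[byte_index] ^= 0x01
    a, b = bytes(msg), bytes(alt)
    for _ in range(rounds):
        a, b = aes_round(a, key), aes_round(b, key)
    return sum(x != y for x, y in zip(a, b))
```

With a constructed key such as `bytes(range(16))` and the 16-byte message `b"sixteen byte msg"`, `changed_bytes(1, msg, 0, key)` returns 4 (one MixColumns column) and `changed_bytes(2, msg, 0, key)` returns 16.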