
Author Vlado.Boza
Recipients Vlado.Boza
Date 2012-04-19.17:58:08
Fix of this is broken.

tl;dr: There are only 256 different hash functions (compare it to the size of the _Py_HashSecret prefix and suffix). And whether keys collide or not depends only on the last 8 bits of the prefix.

The problem with the current randomization of the hash function is the following:
The suffix does not influence whether two keys have the same hash or not (it is xor-ed after everything).
Everything except the last 8 bits of the prefix does not influence it either. Try adding 0x474200 to the prefix and see what happens (it will add 0x474200 to the resulting hash).

To make a DoS attack, attacker must do the following:
Generate sets of colliding keys for each of the 256 possible combinations of the last 8 bits. Try each one of these sets - one will have a significantly bigger response time, and then repeat this one.
Date | User | Action | Args
2012-04-19 17:58:09 | Vlado.Boza | set | recipients: + Vlado.Boza
2012-04-19 17:58:09 | Vlado.Boza | set | messageid: <>
2012-04-19 17:58:09 | Vlado.Boza | link | issue14621 messages
2012-04-19 17:58:08 | Vlado.Boza | create |
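
An added example, not part of the original message and not CPython's code: a Python model of the randomized byte-string hash, whose form (secret prefix as the initial state, multiplier 1000003, length and secret suffix XOR-ed in last, 64-bit state) and all function names are assumptions. For constructed keys of equal length and equal first byte, it checks that a prefix change leaving the low 8 bits alone shifts every pre-suffix state by one common amount, so the set of colliding keys stays the same and the suffix cannot alter it.

```python
import random

MASK = (1 << 64) - 1   # assumed 64-bit hash state
MULT = 1000003         # multiplier of the assumed hash loop


def pre_suffix(key: bytes, prefix: int) -> int:
    """Hash state just before the secret suffix is XOR-ed in (assumed algorithm)."""
    x = (prefix ^ (key[0] << 7)) & MASK
    for c in key:
        x = ((MULT * x) & MASK) ^ c
    return x ^ len(key)


def randomized_hash(key: bytes, prefix: int, suffix: int) -> int:
    # The suffix is a key-independent XOR mask, so it cannot create or
    # remove a collision between two keys.
    return pre_suffix(key, prefix) ^ suffix


def prefix_shift(key: bytes, p1: int, p2: int) -> int:
    """Additive change (mod 2**64) of the pre-suffix state when the prefix changes."""
    return (pre_suffix(key, p2) - pre_suffix(key, p1)) & MASK


def constructed_keys(n: int, length: int = 12, first: int = ord("k"), seed: int = 1):
    """Constructed sample input: n random keys sharing length and first byte."""
    rng = random.Random(seed)
    return [bytes([first]) + bytes(rng.randrange(256) for _ in range(length - 1))
            for _ in range(n)]


def distinct_shifts(p1: int, p2: int, keys) -> int:
    """Number of different shifts seen across keys; 1 means collisions are preserved."""
    return len({prefix_shift(k, p1, p2) for k in keys})


def demo():
    keys = constructed_keys(2000)
    prefix = 0x0123456789ABCDEF              # constructed secret, not a real value
    same_low8 = (prefix + 0x474200) & MASK   # offset from the report; low 8 bits unchanged
    other_low8 = (prefix + 1) & MASK         # low 8 bits changed
    return distinct_shifts(prefix, same_low8, keys), distinct_shifts(prefix, other_low8, keys)


if __name__ == "__main__":
    print(demo())
```

A result of 1 for the first value means every key moved by the same amount, so equal states stay equal; the second value is larger because changing the low 8 bits moves keys by different amounts.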