Newsgroups: php.internals
Subject: Re: [PHP-DEV] JSON HASHDOS
From: php@bof.de (Patrick Schaaf)
Date: Wed, 24 Dec 2014 11:11:06 +0100
To: Yasuo Ohgaki
Cc: Scott Arciszewski, Pierre Joye, internals, Andrea Faulds
References: <09B14273-C621-4AB9-9129-A149A9480A03@ajf.me>

Hi all,

On 24.12.2014 10:47, "Yasuo Ohgaki" wrote:
>
> On Wed, Dec 24, 2014 at 6:29 PM, Pierre Joye wrote:
>
> > I do not see how it solves the problem. It only reduces it, slightly.
> > Having a couple of medium instances generating crafted requests will
> > just have the same effect. So far the more realistic suggestions are
> > about having collision safe implementation, not implementation with
> > limited collisions.
> >
>
> It's ideal, but other languages are just switched to more secure hash and
> random seed. I'm not sure how feasible it would be.

See http://en.m.wikipedia.org/wiki/SipHash - in addition to e.g. Perl and Python listed there, I think the same hash is also used in redis. What could be the specific PHP issues that make it unfeasible, compared to other languages that adopted the approach?

Iteration instability was one of the issues I remember from discussions about introducing a per-run randomized hash in Perl, but the PHP ordered array / linked list thing already avoids that. Getting the random seed at RINIT time might be a bit problematic, doing it in MINIT would already help? Other issues?

best regards
  Patrick
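
The "more secure hash and random seed" approach discussed in this message, as an added example that is not code from the thread or from PHP: an unkeyed times-33 string hash (assumed here as the baseline, the thread does not name PHP's function) next to SipHash-2-4 keyed with a per-process seed. The names `times33`, `siphash24` and `bucket` and the seed constants are constructed for illustration; a runtime would draw the seed from the OS random source once at startup, which is the MINIT option raised above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unkeyed times-33 hash (assumed baseline): no secret input, so keys with
 * equal hashes can be worked out offline and hold for every process. */
uint32_t times33(const char *s, size_t len) {
    uint32_t h = 5381;
    for (size_t i = 0; i < len; i++) h = h * 33 + (uint8_t)s[i];
    return h;
}

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4; the 128-bit key (k0, k1) plays the role of the random seed. */
uint64_t siphash24(const void *data, size_t len, uint64_t k0, uint64_t k1) {
    const uint8_t *in = data;
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t m, last = (uint64_t)len << 56;   /* final block carries the length */
    size_t i, full = len & ~(size_t)7;
    for (i = 0; i < full; i += 8) {
        m = 0;
        for (int j = 7; j >= 0; j--) m = (m << 8) | in[i + j]; /* LE load */
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (i = full; i < len; i++) last |= (uint64_t)in[i] << (8 * (i - full));
    v3 ^= last; SIPROUND; SIPROUND; v0 ^= last;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Slot index in a table of 2^bits buckets under the given seed. */
uint32_t bucket(const char *key, uint64_t k0, uint64_t k1, unsigned bits) {
    return (uint32_t)(siphash24(key, strlen(key), k0, k1) & ((1u << bits) - 1));
}

int main(void) {
    printf("times33: Ez=%u FY=%u\n", times33("Ez", 2), times33("FY", 2));
    printf("seed A buckets: %u %u\n", bucket("Ez", 1, 2, 10), bucket("FY", 1, 2, 10));
    printf("seed B buckets: %u %u\n", bucket("Ez", 3, 4, 10), bucket("FY", 3, 4, 10));
    return 0;
}
```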