On Tue, Jan 3, 2012 at 1:57 PM, Javier Guerra Giraldez
<javier@guerrag.com> wrote:
these languages already used the naïve 'all characters' hash proposed
by Vladimir, and still were vulnerable. their solution was to add some
randomization to the hash. we were discussing here if that solution
still held with the current 'sparse' hash used by Lua. it's not so
easy, but i think a clever use of random sampling would do the trick.
All hash functions that only sample a subset of the characters are vulnerable to attack, regardless of the cleverness of the sampling. The longer the string gets, the larger the likelihood that an attacker can correctly guess 3-4 character positions that do not get sampled, and then can generate plenty of collisions.
--