Lua tables use a hashing function. That hashing function is fast, but not intended to be secure (and it has been shown that it is not immune to collisions, which occur easily in easily reproducible cases, causing severe degradation of performance, and possibly can be targeted by DoS (denial of service) attacks).
I do think that the default hashing function used by tables should be overridable (notably for tables indexing sensitive data, such as user accounts, or certificates if they are indexed by domain names instead of their own secure hashes, which should already be SHA1 at least, or SHA256 now for most PKI providers). And there should be a standard API for security algorithm providers, like in Java or .NET or other languages, and a default security provider implemented in the core, implementing some core algorithms (see those enabled by default in Linux kernels, for example; some of these algorithms may be optional but would be required in Russia and China; they are present in the Linux kernel config, and some are required in various web standards or common filesystems).
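The effect described above, and what an overridable hash would change, as an added example that is not part of the original post and is not Lua's code. It assumes a toy chained table (`ChainedTable`), a toy unkeyed hash that samples only every 8th byte (`sampled_hash`), and BLAKE2b in keyed mode as the replacement; all names and the sample keys are constructed for illustration.

```python
import hashlib
import os

def sampled_hash(key: bytes) -> int:
    """Toy unkeyed hash that reads only every 8th byte (illustrative assumption)."""
    h = len(key)
    for i in range(0, len(key), 8):
        h = (h * 31 + key[i]) & 0xFFFFFFFF
    return h

def make_keyed_hash(secret: bytes):
    """Build a hash keyed with a secret, using BLAKE2b's keyed mode."""
    def keyed_hash(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return keyed_hash

class ChainedTable:
    """Minimal chained hash table whose hash function is supplied by the caller."""

    def __init__(self, hash_fn, buckets: int = 256):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]

    def put(self, key: bytes, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def longest_chain(self) -> int:
        # Lookup cost in the worst bucket is linear in this length.
        return max(len(chain) for chain in self.buckets)

def compare(secret: bytes, n: int = 1000):
    """Return (longest chain with sampled hash, longest chain with keyed hash)."""
    # Constructed keys: 9 bytes each, identical at the sampled offsets 0 and 8.
    keys = [b"u" + b"%07d" % i + b"@" for i in range(n)]
    weak, keyed = ChainedTable(sampled_hash), ChainedTable(make_keyed_hash(secret))
    for k in keys:
        weak.put(k, True)
        keyed.put(k, True)
    return weak.longest_chain(), keyed.longest_chain()

if __name__ == "__main__":
    print(compare(os.urandom(16)))  # per-process random secret
```

With the unkeyed hash every key lands in one bucket, so each insert or lookup scans the whole chain; with the keyed hash the same keys spread across buckets, and the distribution cannot be predicted without the secret.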