On Thu, Dec 29, 2011 at 11:07 AM, Javier Guerra Giraldez <firstname.lastname@example.org>
I think that a simple solution, like making the char-skipping method
different for every Lua State should be enough.
The question is: how likely would it be to select, say, 4 character positions at random and not select any of the positions a perfectly randomized skipping method uses to calculate the hash.
On an N-character string and a K (31 for Lua) character hash there are C(N,K) hash positions and the likelyhood of selecting those positions is C(N-K,4)/C(N,4).
If my math is correct an adversary would have about 50% chance of selecting 4 different (unequal to the 31 being used by Lua) positions if N=200, and still have about 20% chance if N=100. And the adversary can try again with different values. Probably not good enough.