Seahash weaknesses

Created by: Veedrac

Your comments say

/// It is generally suspected that this is at least partially secure (i.e. you cannot deduce the
/// seed, even with unlimited "black box" access to the function), but it has not yet been subject
/// to proper cryptoanalysis.

This seems fairly naïve, since it's relatively simple to deduce k ^ diffuseⁿ(k) (n ≥ 1) for any of the keys k. Though I don't personally know how you would invert this function, diffuse(a) is trivially reversible and this is a lot of information to give an attacker. Is there any particular reason you believe this to be hard to invert?


To deduce a ^ diffuse(a), just take

```rust
// Strip the final diffuse and the length XOR: what is left is a ^ b ^ c ^ d
// for the lane values reached after absorbing the input.
let abcd = undiffuse(hash(&[0; 0])) ^ 0;
// Eight zero bytes feed only lane a, so this gives diffuse(a) ^ b ^ c ^ d.
let Abcd = undiffuse(hash(&[0; 8])) ^ 8;
// b, c and d cancel, leaving a ^ diffuse(a).
let aA = abcd ^ Abcd;
```

where undiffuse is the inverse of diffuse. a ^ diffuse²(a) just requires replacing Abcd in the above with undiffuse(hash(to_bytes(Aa))) ^ 8, and so on for higher powers. The other keys just require different array lengths.
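The recovery above, carried out end to end as an added example (this is my own minimal reimplementation of the SeaHash reference construction, not code from the seahash crate or from the issue author). It assumes the multiplier and default keys are the published SeaHash constants as I recall them; the attack itself only depends on the structure (XOR a word into a lane, diffuse the lane, XOR the lanes and the length, diffuse once more), so it works for any odd multiplier and any four keys. It generalises the post slightly: `recover_mix` pulls out k ^ diffuse(k) for each of the four key words using two zero inputs of consecutive lengths, and `recover_power_mix` iterates the "replace Abcd with undiffuse(hash(to_bytes(aA))) ^ 8" step to get a ^ diffuseⁿ(a) for any n.

```rust
// Added example: black-box recovery of k ^ diffuse^n(k) from a SeaHash oracle.
// Assumed constants (as recalled from the SeaHash reference); the recovery
// does not depend on their exact values.
const P: u64 = 0x6eed_0e9d_a4d9_4a4f;

/// SeaHash's diffusion: multiply, data-dependent xorshift, multiply again.
fn diffuse(mut x: u64) -> u64 {
    x = x.wrapping_mul(P);
    x ^= (x >> 32) >> (x >> 60);
    x.wrapping_mul(P)
}

/// Multiplicative inverse of P modulo 2^64 via Newton iteration (P is odd,
/// so P*P == 1 mod 8 and each step doubles the number of correct low bits).
fn inverse_of_p() -> u64 {
    let mut inv = P;
    for _ in 0..6 {
        inv = inv.wrapping_mul(2u64.wrapping_sub(P.wrapping_mul(inv)));
    }
    inv
}

/// Exact inverse of `diffuse`: the xorshift only changes the low 32 bits while
/// both shift amounts come from the untouched high bits, so it is an involution.
fn undiffuse(mut x: u64) -> u64 {
    let q = inverse_of_p();
    x = x.wrapping_mul(q);
    x ^= (x >> 32) >> (x >> 60);
    x.wrapping_mul(q)
}

/// Little-endian integer from 1..=8 bytes (the reference's read_int/read_u64).
fn read_int(bytes: &[u8]) -> u64 {
    bytes.iter().rev().fold(0, |acc, &b| (acc << 8) | u64::from(b))
}

/// Reference-style SeaHash: 8-byte words go round-robin into lanes a,b,c,d,
/// each lane is diffused after every word, then lanes ^ length is diffused.
fn hash_seeded(buf: &[u8], keys: [u64; 4]) -> u64 {
    let mut lanes = keys;
    for (i, word) in buf.chunks(8).enumerate() {
        let lane = &mut lanes[i % 4];
        *lane = diffuse(*lane ^ read_int(word));
    }
    diffuse(lanes[0] ^ lanes[1] ^ lanes[2] ^ lanes[3] ^ buf.len() as u64)
}

/// Peel off the finalisation: a ^ b ^ c ^ d for the lanes after absorbing `buf`.
fn lane_xor<F: Fn(&[u8]) -> u64>(oracle: &F, buf: &[u8]) -> u64 {
    undiffuse(oracle(buf)) ^ buf.len() as u64
}

/// k ^ diffuse(k) for key word `lane` (0..4). Zero inputs of 8*lane and
/// 8*(lane+1) bytes differ only in whether that lane absorbed one zero word,
/// so XORing the two lane sums cancels the other three lanes.
fn recover_mix<F: Fn(&[u8]) -> u64>(oracle: &F, lane: usize) -> u64 {
    lane_xor(oracle, &vec![0u8; 8 * lane]) ^ lane_xor(oracle, &vec![0u8; 8 * (lane + 1)])
}

/// a ^ diffuse^n(a) for the first key word, n >= 1. Feeding a ^ diffuse^(n-1)(a)
/// as the first word turns lane a into diffuse^n(a), one extra query per power.
fn recover_power_mix<F: Fn(&[u8]) -> u64>(oracle: &F, n: usize) -> u64 {
    let abcd = lane_xor(oracle, &[]);
    let mut mix = recover_mix(oracle, 0);
    for _ in 1..n {
        mix = abcd ^ lane_xor(oracle, &mix.to_le_bytes());
    }
    mix
}

fn main() {
    // Constructed "secret" seed (the SeaHash defaults as recalled); the
    // attacker only ever sees the closure below.
    let secret = [0x16f1_1fe8_9b0d_677c, 0xb480_a793_d8e6_c86c,
                  0x6fe2_e5aa_f078_ebc9, 0x14f9_94a4_c525_9381];
    let oracle = |buf: &[u8]| hash_seeded(buf, secret);
    for lane in 0..4 {
        let got = recover_mix(&oracle, lane);
        let ok = got == secret[lane] ^ diffuse(secret[lane]);
        println!("k{lane} ^ diffuse(k{lane}) = {got:#018x}  correct: {ok}");
    }
    let a = secret[0];
    let ok = recover_power_mix(&oracle, 3) == a ^ diffuse(diffuse(diffuse(a)));
    println!("a ^ diffuse^3(a) correct: {ok}");
}
```

Each additional key word costs two queries and each additional power of diffuse one query, all with attacker-chosen inputs of 32 bytes or less, which is the "lot of information" the post refers to.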