Seahash weaknesses
Created by: Veedrac
Your comments say

```rust
/// It is generally suspected that this is at least partially secure (i.e. you cannot deduce the
/// seed, even with unlimited "black box" access to the function), but it has not yet been subject
/// to proper cryptoanalysis.
```
This seems fairly naïve, since it's relatively simple to deduce `k ^ diffuseⁿ(k)` (`n ≥ 1`) for any of the keys `k`. Though I don't personally know how you would invert this function, `diffuse(a)` is trivially reversible and this is a lot of information to give an attacker. Is there any particular reason you believe this to be hard to invert?
To deduce `a ^ diffuse(a)`, just take

```rust
let abcd = undiffuse(hash(&[0; 0])) ^ 0;
let Abcd = undiffuse(hash(&[0; 8])) ^ 8;
let aA = abcd ^ Abcd;
```

where `undiffuse` is the inverse of `diffuse`. `a ^ diffuse²(a)` just requires replacing `Abcd` in the above with `undiffuse(hash(to_bytes(Aa))) ^ 8`, and so on for higher powers. The other keys just require different array lengths.
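The two properties the issue rests on, that `diffuse` is a bijection and that the length-xor finalization lets an observer cancel most of the lane state, can be checked with a small stand-alone model. The code below is an added example, not seahash's own code: it reimplements the round structure the issue relies on (a per-word `diffuse(lane ^ word)` with lane rotation, then `diffuse(a ^ b ^ c ^ d ^ len)`), uses the multiplier I believe seahash uses, and computes the inverse multiplier itself rather than hardcoding it. Everything below works for any odd multiplier, so the conclusion does not depend on that constant being exact.

```rust
// Added example, not seahash's code: a simplified model of the structure the
// issue describes, to show why `diffuse` cannot hide the seed lanes.
// Assumption: MUL is seahash's multiplier; any odd constant behaves the same.
const MUL: u64 = 0x6eed_0e9d_a4d9_4a4f;

/// Multiplicative inverse of an odd constant modulo 2^64 via Newton iteration.
/// Every odd number is a unit mod 2^64, so `wrapping_mul(MUL)` is a bijection.
pub fn inverse_mod_2_64(a: u64) -> u64 {
    assert!(a & 1 == 1, "only odd constants are invertible mod 2^64");
    let mut x = a; // a * a == 1 (mod 8) for odd a: 3 correct bits to start
    for _ in 0..5 {
        // each step doubles the number of correct low bits: 3, 6, 12, 24, 48, 96
        x = x.wrapping_mul(2u64.wrapping_sub(a.wrapping_mul(x)));
    }
    x
}

/// The diffuse round: multiply, data-dependent xorshift, multiply.
pub fn diffuse(mut x: u64) -> u64 {
    x = x.wrapping_mul(MUL);
    let a = x >> 32;
    let b = x >> 60;
    x ^= a >> b;
    x.wrapping_mul(MUL)
}

/// Inverse round. `a >> b` is below 2^32, so the xor only touches the low
/// 32 bits; the high bits that choose `a` and `b` survive, and the xor undoes itself.
pub fn undiffuse(mut x: u64) -> u64 {
    let inv = inverse_mod_2_64(MUL);
    x = x.wrapping_mul(inv);
    let a = x >> 32;
    let b = x >> 60;
    x ^= a >> b;
    x.wrapping_mul(inv)
}

/// Keyed hash model: four 64-bit seed lanes, 8-byte little-endian words,
/// zero padding of a short trailing chunk, lane rotation after each word.
pub fn model_hash(buf: &[u8], seed: [u64; 4]) -> u64 {
    let [mut a, mut b, mut c, mut d] = seed;
    for chunk in buf.chunks(8) {
        let mut word = [0u8; 8];
        word[..chunk.len()].copy_from_slice(chunk);
        let fresh = diffuse(a ^ u64::from_le_bytes(word));
        a = b;
        b = c;
        c = d;
        d = fresh;
    }
    diffuse(a ^ b ^ c ^ d ^ buf.len() as u64)
}

/// The observation from the issue: from the hashes of the empty input and of
/// eight zero bytes alone, the value `a ^ diffuse(a)` of the first lane falls out.
pub fn leak_a_xor_diffuse_a(seed: [u64; 4]) -> u64 {
    let abcd = undiffuse(model_hash(&[0u8; 0], seed)) ^ 0; // a ^ b ^ c ^ d
    let abcd_rot = undiffuse(model_hash(&[0u8; 8], seed)) ^ 8; // diffuse(a) ^ b ^ c ^ d
    abcd ^ abcd_rot
}

fn main() {
    // Constructed sample seed for the demonstration.
    let seed = [0x0123_4567_89ab_cdef, 0xfedc_ba98_7654_3210, 0x1111_2222_3333_4444, 0x5555_6666_7777_8888];
    let leaked = leak_a_xor_diffuse_a(seed);
    println!("leaked == a ^ diffuse(a): {}", leaked == seed[0] ^ diffuse(seed[0]));
}
```

The round-trip `undiffuse(diffuse(k)) == k` is the whole reason the doc comment's "cannot deduce the seed" claim needs an argument: the only non-linear step is a data-dependent shift that never overwrites the bits that select it, so nothing in the round is one-way.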