Known exploits

[rurban]

So far we didn't list the known exploit schemes. But since I started evaluating and listing Bad Seeds #99, we could as well list all known exploits, e.g. BadKeys which will always lead to collisions.

• o1hash:
  with binary keys: if key len>=4 and key[len/2 -2]..[len/2 +2] (the middle) being 0.
  eg { '\0\0\0\0', 'x\0\0\0\0x' }
  with text keys: if len >=4 and the first 4 bytes + the last 4 bytes == 0

• FNV1 variants with binary keys, just add \0's

• HalfSiphash: ...

• City all 144-byte strings with 3 bits set CityHash128 isn't thorough enough google/cityhash#4

• Murmur http://emboss.github.io/blog/2012/12/14/breaking-murmur-hash-flooding-dos-reloaded/

• JenkinsOAAT: with binary keys, just add \0's

• fasthash: expose the seed by using len=0 keys, the seed is then the reverse of the simple mix function.

• md5 https://eprint.iacr.org/2013/170.pdf

• sha1 https://marc-stevens.nl/research/papers/PhD%20Thesis%20Marc%20Stevens%20-%20Attacks%20on%20Hash%20Functions%20and%20Applications.pdf

[rurban]

• meow hash https://peter.website/meow-hash-cryptanalysis

[flyingmutant]

• wyhash fails BadSeeds even with WYHASH_CONDOM 2 (smhasher output)

[wangyi-fudan]

• wyhash fails BadSeeds even with WYHASH_CONDOM 2 (smhasher output)

In fact I dont't buy the BadSeeds test as it "invades hasher's personal space". The BadSeeds test make use of hasher's default internal secrets. It is like: "I use (public) password of your public account and I found you have only 100 dollars left and I announce that to the media saying you are a poor man". The fact is that I have 2^32 "accounts" each of which has 100 dollars :-D
But I don't want to involve too much to the this problem as wyhash is almost complete and there are more important things to do. So usually I keep calm and satisfied with the nominal "second place" in the speed list :-D
To your problem this WYHASH_CONDOM protects for entropy loss but not password lost.