Hacking Incorrect XOR Hashing with mt19937_64

№	Пользователь	Рейтинг
1	Benq	3792
2	VivaciousAubergine	3647
3	Kevin114514	3611
4	jiangly	3583
5	strapple	3515
6	tourist	3470
7	Radewoosh	3415
8	Um_nik	3376
9	maroonrk	3361
10	XVIII	3345

№	Пользователь	Вклад
1	Qingyu	162
2	adamant	148
3	Um_nik	146
4	Dominater069	143
5	errorgorn	141
6	cry	138
7	Proof_by_QED	136
8	YuukiS	135
9	chromate00	134
10	soullless	133

Let us start with 2014H - Robin Hood Archery. A common solution assigns each value a random integer in $$$[0,L)$$$ and XORs the values in the interval. If every value appears an even number of times, the result is $$$0$$$. Otherwise, the result is $$$0$$$ with probability at most $$$1/L$$$.

Inspired by the hack used on 282284449 with xorshift, I found that many other submissions can also be hacked. The pitfalls of XOR hashing with mt19937_64 do not seem to be widely known, so I wrote this blog.

If we view both the internal state and the outputs as vectors over $$$\mathbb{F}_2$$$, then the $$$i$$$-th output of mt19937_64 with initial state $$$x$$$ can be written as $$$o_i = BA^i x$$$, where $$$A$$$ is the state transition matrix and $$$B$$$ is the output matrix over $$$\mathbb{F}_2$$$.

Thus, to make the XOR zero for every seed, it is enough to find a nonzero polynomial $$$p(t)=\sum_i a_i t^i$$$ such that $$$p(A)=0$$$. Then

$$$ \bigoplus_i a_i o_i = \bigoplus_i a_i BA^i x = B\left(\bigoplus_i a_i A^i\right)x = Bp(A)x = 0. $$$

Such a polynomial can be the minimal polynomial of $$$A$$$, whose degree is $$$19937$$$ for mt19937_64. By observing the least significant bit of the first $$$2 \times 19937$$$ outputs, we can recover the recurrence of this bit sequence using Berlekamp–Massey. This recurrence divides the minimal polynomial. Since mt19937_64 is designed to have maximal period, the corresponding polynomial is primitive, hence irreducible. Thus any nonzero recovered recurrence must be the full minimal polynomial.

The following is the test case generator.

Test Case Generator

#include <bits/stdc++.h>
using namespace std;
template <typename RNG, size_t DEG> auto hack() -> bitset<DEG + 1> {
  RNG rng;
  bitset<DEG + 1> a, b, c;
  b[DEG] = c[DEG] = 1;
  for (size_t l = 0, shift = 1; size_t n : views::iota(0u, DEG * 2)) {
    a >>= 1;
    a[DEG] = rng() & 1;
    if ((c & a).count() % 2 == 0) {
      shift += 1;
      continue;
    }
    auto oc = exchange(c, c ^ (b >> shift));
    if (2 * l <= n) {
      l = n + 1 - l;
      b = oc;
      shift = 1;
    } else {
      shift += 1;
    }
  }
  return c;
}
auto main() -> int {
  constexpr size_t DEG = 19937;
  auto a = hack<mt19937_64, DEG>();
  int64_t seed = 0;
  cin >> seed;
  mt19937_64 rng(seed);
  size_t hash = 0;
  for (size_t i = 0; i <= DEG; i += 1) {
    auto h = rng();
    if (a[i]) {
      hash ^= h;
    }
  }
  std::cout << hash << "\n";
  assert(hash == 0);
}

Using uniform_int_distribution(0, L) incorrectly can still cause the same issue. For example, the implementation is unsafe on common standard-library implementations when $$$L = 2^n-1$$$, because the distribution may degenerate into taking the low $$$n$$$ bits of rng(), which is still linear over $$$\mathbb{F}_2$$$.

Комментарии (21)

Написать комментарий?

Misuki

3 недели назад, скрыть # |

+27

Does it means we can hack a fixed seeded solution or even randomized seed? I can't understand the math part ><

→ Ответить

Sugar_fan

3 недели назад, скрыть # ^ |

Even randomized seed. For example, 282285096 can be hacked. You can check the main function in the test case generator: for any seed, the hash is always $$$0$$$.

shashwat1511

So is this an issue only for XOR hashing or for most randomized algorithms which use the Mersenne Twister? I guess the solution would be to use other PRNGs like splitmix for most purposes? I'm not that good at math :/

123gjweq2

-38

when the man............... comes around.

-43

Hear the trumpets, hear the pipers......

-41

one hundred million angels singing!

-40

Multitudes are marching to the big kettle drum!

I would've loved to continue but I got an exam in an hour :)

Voices calling voices crying; some are born and some are dying; it's Alpha and Omega's Kingdom Come.

Also, good luck on your exam. (not part of the song)

AksLolCoding

+40

Time to switch to splitmix64

oToToT

+11

Just use aesctr. fast and (mostly) secure https://github.com/lemire/testingRNG/tree/master#visual-summary

simplified version (1937 ms)

#include <cstdint>
#include <immintrin.h>
#include <iostream>

class AesCtrRng {
public:
  __attribute__((__target__("rdrnd")))
  AesCtrRng() : p(1) {
    alignas(16) unsigned long long seed[6];
    for (int i = 0; i < 6; ++i) {
      _rdrand64_step(&seed[i]);
    }
    c0 = seed[0], c1 = seed[1];
    key1 = _mm_set_epi64x(seed[2], seed[3]);
    key2 = _mm_set_epi64x(seed[4], seed[5]);
  }

  __attribute__((__target__("aes")))
  uint64_t operator()() {
    if (p) {
      if (++c0 == 0) {
        ++c1;
      }
      __m128i state = _mm_set_epi64x(c1, c0);
      state = _mm_aesenc_si128(state, key1);
      state = _mm_aesenc_si128(state, key2);
      state = _mm_aesenc_si128(state, key1);
      _mm_store_si128((__m128i *)v, state);
    }
    return v[p ^= 1];
  }

private:
  bool p;
  alignas(16) uint64_t v[2];
  uint64_t c0, c1;
  __m128i key1, key2;
};

uint64_t x;
int n = 1'000'000'000;

int main() {
  AesRng rnd;
  for (int i = 0; i < n; ++i)
    x = rnd();
  std::cout << rnd() << '\n';
  return 0;
}

(In comparison, std::mt19937_64 uses 2906 ms).

SabirM

i just learned xor hashing bro why :(

XiaoXia

It is easy to avoid being hacked, just make some non-bitwise operation on rng() randomly.

Like this:

std::mt19937_64 rng(std::chrono::steady_clock::now().time_since_epoch().count());
for (int i = 0; i < n; i++) {
    a[i] = rng() / 3;
}

Do not just divide or multiply it by $$$2^k$$$ or it will just degenerate into taking a subset of rng(). (which is still hackable)

oh okay thanks !!!

ibrm

Will shuffling the indexes in the beginning solve it?

Yes. Most small modifications can fix it.

rgnerdplayer

So what is the “correct” xor hashing?

+24

Most approaches are correct:

rng() % x or rng() / x, where $$$x$$$ is not a power of two, e.g. rng() / 3;
rng() + x, where $$$x \ne 0$$$, e.g. rng() + 1;
using a non-linear generator, e.g., splitmix64;
shuffling the mapping.

Interestingly, though, the incorrect approach is the most commonly used one.

maxplus

rng() + 1 is actually not a good choice, because then the non-linear part has very low entropy

Fostok

What is entropy?

+19

Entropy (information theory). To put it simpler, just consider x ^ x + 1 with x sampled as rng(). It is usually very small, so the xor sum over a hashed set is usually very small. So the xor difference between the "patched" rng() + 1 and the "broken" rng() hash values is usually very small, and since on a set constructed as described in the blog the latter is zero, the former will usually be very small

Yeah, you're right. I found a test case with $$$n, q \le 2 \cdot 10^5$$$ where using rng() + 1 leads to a hash collision with probability over 99%. :(

Блог пользователя Sugar_fan