Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hash Range Queries
Search
luke crouch
December 18, 2018
Technology
0
110
Hash Range Queries
For simple, privacy-preserving data-sharing.
luke crouch
December 18, 2018
Tweet
Share
More Decks by luke crouch
See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
groovecoder
0
71
cryptory-up-to-https-atlas-2024.pdf
groovecoder
0
56
Cryptography: 500 BC to https
groovecoder
0
160
Mozilla Observatory First Draft
groovecoder
0
120
VPNs
groovecoder
0
120
Digital Privacy & Security
groovecoder
0
260
Cryptography: 500 BC to Quantum Computing
groovecoder
0
710
Just enough bitcoing to go cryptojacking with JavaScript
groovecoder
0
100
Can we protect Privacy without breaking the web
groovecoder
0
160
Other Decks in Technology
See All in Technology
AWSにおけるTrend Vision Oneの効果について
shimak
0
130
Escaping_the_Kraken_-_October_2025.pdf
mdalmijn
0
150
PLaMoの事後学習を支える技術 / PFN LLMセミナー
pfn
PRO
9
3.9k
データエンジニアがこの先生きのこるには...?
10xinc
0
450
英語は話せません!それでも海外チームと信頼関係を作るため、対話を重ねた2ヶ月間のまなび
niioka_97
0
120
社内お問い合わせBotの仕組みと学び
nish01
0
430
生成AIとM5Stack / M5 Japan Tour 2025 Autumn 東京
you
PRO
0
220
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
9.1k
How to achieve interoperable digital identity across Asian countries
fujie
0
120
動画データのポテンシャルを引き出す! Databricks と AI活用への奮闘記(現在進行形)
databricksjapan
0
150
M5製品で作るポン置きセルラー対応カメラ
sayacom
0
160
Shirankedo NOCで見えてきたeduroam/OpenRoaming運用ノウハウと課題 - BAKUCHIKU BANBAN #2
marokiki
0
150
Featured
See All Featured
Scaling GitHub
holman
463
140k
BBQ
matthewcrist
89
9.8k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Building an army of robots
kneath
306
46k
KATA
mclloyd
32
15k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.7k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
A better future with KSS
kneath
239
17k
Rails Girls Zürich Keynote
gr2m
95
14k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
Unsuck your backbone
ammeep
671
58k
Transcript
Hash Range Queries For simple, privacy-preserving data-sharing
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea
https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is
interested in this password. Maybe not that interesting for a widely-used value …
https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my
little pony character with vowels replaced with numbers?
Do you trust the person operating the service? • Are
they doing something else with the data? • Are they securing the data?
None
How can a client get a single record from a
server without revealing the record identifier to the server?
The Easiest Way: Hashed Identifiers
None
None
But rainbow tables exist
None
The Hard Way: Private Set Intersection
None
None
The Middle Way: k-Anonymity
https://en.wikipedia.org/wiki/K-anonymity Every record is unique
https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender
+ State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate
hashes into anonymized "buckets".
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash
…
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same
anonymized "bucket" as that hash … {
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.