Hash Range Queries
luke crouch
December 18, 2018
For simple, privacy-preserving data-sharing.
Transcript
Hash Range Queries For simple, privacy-preserving data-sharing
Not my original idea:
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
https://api.pwnedpasswords.com/pwnedpassword/password
A request for a single password reveals who is interested in this password. Maybe not that interesting for a widely-used value …
https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13
But how many people would use their favorite My Little Pony character with vowels replaced with numbers?
Do you trust the person operating the service?
• Are they doing something else with the data?
• Are they securing the data?
How can a client get a single record from a server without revealing the record identifier to the server?
The Easiest Way: Hashed Identifiers
But rainbow tables exist
The Hard Way: Private Set Intersection
The Middle Way: k-Anonymity
https://en.wikipedia.org/wiki/K-anonymity
Every record is unique
k-Anonymity: 2
For any combination of Age + Gender + State found in any row of the table, there are always at least 2 rows with those exact attributes.
[Table figure; labels: Suppression, Suppression, Generalization]
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
By using this property, we are able to separate hashes into anonymized "buckets".
A client is able to anonymize the user-supplied hash …
… and then download all hashes in the same anonymized "bucket" as that hash …
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
5baa61f4c0b12f0a6691121c7de9420c8ff12c1f
5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
5baa61cccccccccccccccccccccccccccccccccc
… then do an offline check to see if the user-supplied hash is in that breached bucket.
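The bucket lookup from the last slides, as an added example that is not part of the original deck or of any service it cites: an in-memory server that only ever receives a hash prefix, and a client that compares the suffix offline. The names RangeServer, is_breached and CORPUS are hypothetical, the corpus is constructed, and the 6-character prefix is an assumption taken from the 5baa61 sample bucket above.

```python
import hashlib
from collections import defaultdict

HEX = set("0123456789abcdef")


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


class RangeServer:
    """Server side: breached hashes grouped into buckets by hash prefix."""

    def __init__(self, breached_values, prefix_len):
        self.prefix_len = prefix_len
        self.buckets = defaultdict(set)
        self.request_log = []  # everything the operator learns from clients
        for value in breached_values:
            digest = sha1_hex(value)
            self.buckets[digest[:prefix_len]].add(digest[prefix_len:])

    def query(self, prefix: str):
        # Reject anything that is not exactly prefix_len lowercase hex chars,
        # so a buggy client cannot send a full hash by mistake.
        if len(prefix) != self.prefix_len or not set(prefix) <= HEX:
            raise ValueError("bad prefix")
        self.request_log.append(prefix)
        return sorted(self.buckets.get(prefix, ()))

    def smallest_bucket(self) -> int:
        # The k in k-anonymity: a prefix is shared by at least this many hashes.
        return min(len(b) for b in self.buckets.values())


def is_breached(server: RangeServer, secret: str) -> bool:
    """Client side: send the prefix, compare the suffix offline."""
    digest = sha1_hex(secret)
    n = server.prefix_len
    candidates = server.query(digest[:n])  # only the prefix leaves the client
    return digest[n:] in candidates


# Constructed sample corpus, not real breach data.
CORPUS = ["password"] + ["password%d" % i for i in range(2000)]

if __name__ == "__main__":
    server = RangeServer(CORPUS, prefix_len=6)  # 6 matches the 5baa61 sample bucket
    print(is_breached(server, "password"), is_breached(server, "p1nkyp13"))
    print("server saw:", server.request_log)
    # Shorter prefix -> fewer, larger buckets -> larger k for the same corpus.
    print("k at 6 chars:", server.smallest_bucket(),
          "| k at 1 char:", RangeServer(CORPUS, 1).smallest_bucket())
```

With a corpus this small a 6-character prefix leaves most buckets with a single hash, so the prefix length has to be chosen against the real corpus size for the bucket to hide anything.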