Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Range Queries

Avatar for luke crouch luke crouch
December 18, 2018
Technology
0
110

Hash Range Queries

For simple, privacy-preserving data-sharing.

Avatar for luke crouch

luke crouch

December 18, 2018
Tweet

More Decks by luke crouch

See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
Avatar for luke crouch groovecoder
0
69
cryptory-up-to-https-atlas-2024.pdf
Avatar for luke crouch groovecoder
0
55
Cryptography: 500 BC to https
Avatar for luke crouch groovecoder
0
160
Mozilla Observatory First Draft
Avatar for luke crouch groovecoder
0
120
VPNs
Avatar for luke crouch groovecoder
0
120
Digital Privacy & Security
Avatar for luke crouch groovecoder
0
250
Cryptography: 500 BC to Quantum Computing
Avatar for luke crouch groovecoder
0
690
Just enough bitcoing to go cryptojacking with JavaScript
Avatar for luke crouch groovecoder
0
99
Can we protect Privacy without breaking the web
Avatar for luke crouch groovecoder
0
160

Other Decks in Technology

See All in Technology
普通のチームがスクラムを会得するたった一つの冴えたやり方 / the best way to scrum
Avatar for 岡本卓也 okamototakuyasr2
0
110
KotlinConf 2025_イベントレポート
Avatar for ソニー株式会社 sony
1
140
CDK CLIで使ってたあの機能、CDK Toolkit Libraryではどうやるの?
Avatar for Makky12 smt7174
4
190
LLMを搭載したプロダクトの品質保証の模索と学び
Avatar for SmartHR 品質保証部 qa
0
1.1k
【NoMapsTECH 2025】AI Edge Computing Workshop
Avatar for ITO Akihiro akit37
0
230
Snowflake×dbtを用いたテレシーのデータ基盤のこれまでとこれから
Avatar for Sagara sagara
0
120
JTCにおける内製×スクラム開発への挑戦〜内製化率95%達成の舞台裏/JTC's challenge of in-house development with Scrum
Avatar for AEON aeonpeople
0
270
職種の壁を溶かして開発サイクルを高速に回す~情報透明性と職種越境から考えるAIフレンドリーな職種間連携~
Avatar for daitasu daitasu
0
170
いま注目のAIエージェントを作ってみよう
Avatar for Marimo supermarimobros
0
350
「その開発、認知負荷高すぎませんか?」Platform Engineeringで始める開発者体験カイゼン術
Avatar for SansanTech sansantech
PRO
2
680
要件定義・デザインフェーズでもAIを活用して、コミュニケーションの密度を高める
Avatar for KazukiHayase kazukihayase
0
120
Unlocking the Power of AI Agents with LINE Bot MCP Server
Avatar for LINE Developers Thailand linedevth
0
120

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
36
2.5k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
188
55k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
49
14k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7.1k
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
3
620
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.8k
Visualization
Avatar for Eitan Lees eitanlees
148
16k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.4k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
113
20k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
352
21k

Transcript

  1. Hash Range Queries For simple, privacy-preserving data-sharing

  2. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea

  3. https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is

    interested in this password. Maybe not that interesting for a widely-used value …

  4. https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my

    little pony character with vowels replaced with numbers?

  5. Do you trust the person operating the service? • Are

    they doing something else with the data? • Are they securing the data?
  6. None

  7. How can a client get a single record from a

    server without revealing the record identifier to the server?

  8. The Easiest Way: Hashed Identifiers

  9. None
  10. None

  11. But rainbow tables exist

  12. None

  13. The Hard Way: Private Set Intersection

  14. None
  15. None

  16. The Middle Way: k-Anonymity

  17. https://en.wikipedia.org/wiki/K-anonymity Every record is unique

  18. https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender

    + State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization

  19. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate

    hashes into anonymized "buckets".

  20. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash

  21. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same

    anonymized "bucket" as that hash … {

  22. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.