# mHash - A Cryptographic Hashing Algorithm
#### Mano Rajesh Robotics Honors
Spring 2022

---

# Introduction
To test my knowledge of Python, I decided to embark on creating my own hashing algorithm made entirely in Python. A hashing algorithm is where you have a given input and a fixed length output. Simply, this means that the string `hello, world` will have a totally unique output such as `@OOk##x39aVXMyUBu?(*hNx9PGHTjzHCx`. 
<figure><img src="/work/image-20220525-090111.png"><figcaption align ="center"><b>Fig.1 - Visual Example of Hashing, from Brilliant.org; 2022</b></figcaption></figure><br>

In reality, creating a perfect **cryptographic** (a hashing algorithm that's impossible to break) hashing algorithm is practically impossible since the only real way to test all the possibilities is to brute force every piece of data possible and check for collisions. A hashing collision is where _two different pieces_ of data produce the _same or similar_ data. For example, if we go back to our `hello, world` example and `hello, earth` produces that same hash (`@OOk##x39aVXMyUBu?(*hNx9PGHTjzHCx`), then there is a **collision**. In simpler terms, it is when two different input share an output. Collisions means that data can be mimiced, altered, or accessed. If the hashing algorithm is used widely (e.g. SHA, CRC32, etc.) then the collisions can be used to implement malicious code or other malevolent actions.

My goal was to create a cryptographic hashing algorithm made entirely in Python. This requires quite a bit of math, planning, testing, and analyzing. 

# Method
To begin, I started simply using knowledge of encryption algorithms and hashing algorithms to create a base for my own hashing algorithm. This way, I could make my own algorithm rather than making a copy of an existing one. 

<sub>Note: You can interact with any of the hashing algorithms. Simply type your input, click Apply, and run the code block below</sub>

In [1]:
plaintext_input_1 = 'gnof'

In [2]:
def hashing(plaintext, length=32):
    seed = 0
    hash = []
    salt = 0
    random_length_num = 1
    text = "abcdefghjiklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ)(*&%$#@!"

    for char in plaintext:
        random_length_num += ord(char)

    while salt <= length:
        seed += ord(plaintext[salt % len(plaintext)]) + salt * random_length_num
        hash.append(text[(seed**salt*random_length_num) % len(text)])
        salt += 1
    return hash

print("".join(hashing(plaintext_input_1))) 

bbddO5AK4BB%J7S7Bwmu7fq0JDp9SmM!t


##### With a hashing algorithm that _seems_ to work, I began implementing a testing program. Below is the pseudo-code: 

In [3]:
def generate string(seed):
    generate a string like 'a' or 'b' depending on the seed

    if seed is greater than 26
    return 'aa' or 'ab' depending on seed
    # incrementing the letter depending on seed

while True:
    hash(generate string(number))
    write hash result to file
    increment number by 1

for word1 in file:
    for word2 in file:
        if word2 is similar word2: # Check every word against every other
            file write word2
            print("Collision found")

SyntaxError: invalid syntax (<ipython-input-3-1ec39f44bcc2>, line 1)

This testing program is going to brute force the hashing algorithm. This means that it is very, very slow; however, it is very effective in finding collisions as mentioned previously. Below is a cross-section of one of the outputs. The output (or ciphertext) is on the left, and the input (or plaintext) is on the right. This format allows for very easy reading, analyzing, and error-checking because it is very simple and consistent.

```
.
.
.
qx@6JYGBY01SnvviOs2Mz1IzlJ?njcCmq jjjj
7v!m53p@z)YhLOXJx&mB19&UU5?4ER84P kkkk
8t<%p@Z3(qv8jgyj@D!12Gno3p?J?63Kn llll
Lr?LaB9Y3HTXG0)IGnTp3O9Jaa?Z6ix(M mmmm
Epa3Wfht%!qmd*2hpYEe4WTdJW?e(Yshk nnnn
wnbiHKRP6yOCBu&HZ9z%5%d9rH?uwCnyJ oooo
8lc(3o1k@Pl*<N5g9jkT6by&)3?ASqjFh pppp
oidInT?G9fJr7f#GhT#I7iJx9n?Qn$dWG qqqq
vhez<xJb?7gH%98fR4R88r%Sg<?#JJ<ce rrrr
XffgU*s8BXE@2(<F1dCw9zomPU?lex%tD ssss
cdgYF7*&cnbwZtAe?Oxl080HxF?2AbZAb tttt
dbhF1aByEE0MwMbEJyjaAFUb#1?H#QURA uuuu
r?jwlFkUf$@bUeDds<%)BNe7El?X25P!< vvvv
k!id@iUpHv52r8eD*JPPCVz(m@?cXjKo8 wwww
&#kVSO4LjM*RP)GcBtAED&KvVS?ssXF6# xxxx
d%lCDscgKczgmshCk%v4Ea$Q4D?9OBAM5 yyyy
V*mtyXMCl4X7KLJbUEgsFjpkby?Oip6&& zzzz
$qmkF%XC%?)wL9v0VziexJ1csv?4G1bmw aaaa
fon*197!61xMj(X<5?$%yRL8(g?Jbe@4V bbbbb
XmoJlcf4@RVbGty9dKQTzZ#*0*?Z8T*Kt ccccc
%kp1@HPZ9hs2dM)!NuBI1@qwhN?e&8X(S ddddd
6jqhSlyu?9QRBe28w$w82eBRQ9?uylShq eeeee
LgrZDQ!QBZng<8&@#Fhw3mWlyt?AU)NyP fffff
MesGyuHlcpL77)57Fp&l4ugG@e?QpEIFn ggggg
)ctxiZqHEGjW%s##o)Oa532aF)?#LsDWM hhhhh
Taue$4)cf@Gl2L86YA0)6AM6nL?lg@9ck iiiii
B<vWQ!09HxdBZd<$8kuP7I@)W7?2CL4tJ jjjjj
M@wDBCj%jOB(w7A5gVfE8Qru5r?H!zyAh kkkkk
4$xuwgSzKe<qUZb%Q6(49YCPcc?X4dtRG lllll
A&ybhL2Vl67GrrD4zfMs0#XiLY?cZSo!e mmmmm
b(zT&paqNW%#PKe&<Q8hAdhEtJ?su7ioD nnnnn
rZ1AOUKMom2vmcG3I1s@Bl3<*5?9Qke6b ooooo
.
.
.
```

The amount of collisions found in the first version of the hash was signifcant; there were around a 1000 collisions in a million hashing. In other words, there was one collision for every 1000 hashes. This may seem like a practical amount of collisions (only 0.1% of hashes are collisions); however, SHA or the Secure Hashing Algorithm (the standard hashing algorithm for the US Government) has **no** collisions at all. 

In light of this, I aimed to deconstruct my hashing algorithm and find how those collisions were created.

---

To understand the hashing algorithm, we must deconstruct each section of the algorithm. Broadly, the algorithm is split into two parts: a number linked to the length of the input and the assignment of letters to output. Firstly, the number linked to the length of the input is important since you want the length of the input to drastically change the output. If it is drastically different, the input `i` and `ii` should be very different even though they contain the same character.

With that said, this version of the hash does not account for this as seen by the example of `gn` and `gnof`. the hash for `gn` is `bbsdO54K4B7%J7V7Bwiu7fb0JDs9Sma!t`, yet the hash for `gnof` is `bbddO5AK4BB%J7S7Bwmu7fq0JDp9SmM!t`. The resultant hashes are extremely close since the input strings are also very similar to each other. This is a major fault since an attacker can use this knowledge to estimate the data in a hash. For example, if the attacker knows that a particular secret hash is similar to another hash, they can estimate what the secret data is by using the hash input they already know.

In [None]:
plaintext = plaintext_input_1

seed = 0
hash = []
salt = 0
random_length_num = 1
text = "abcdefghjiklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ)(*&%$#@!"

for char in plaintext:
    random_length_num += ord(char)

print(random_length_num)

427


In [None]:
while salt <= 32:
    seed += ord(plaintext[salt % len(plaintext)]) + salt * random_length_num
    hash.append(text[(seed**salt*random_length_num) % len(text)])
    salt += 1

print("".join(hash))

bbddO5AK4BB%J7S7Bwmu7fq0JDp9SmM!t


This section of the hash is where in combination with the `seed` variable, `salt` variable, and `random_length_num` variable come together to calculate a random (yet consistent) letter for each place in the hash. Since the length of the hash is 32 characters, the loop will go on 32 times.

Since the `random_length_num` variable is vulnerable, the entire main loop is thereby affected. This area is also of concern since it has a lot of very compute-intensive calculations (like exponents and division). This means that this area is an inefficient part of the algorithm and can be improved.

---

Now, the algorithm can be improved if the varible `random_length_num` is changed drastically with the input length, and the character assignment section is adjusted for speed. Below is the new algorithm:

In [None]:
plaintext_input_1 = 'fffffffffffffffffffffffffffffffffffffff'

In [None]:
plaintext = plaintext_input_1

def hashing(plaintext, length=32):
    seed = 0
    hash = []
    salt = 0
    random_length_num = 1
    text = "abcdefghjiklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ)(*&%$#@!"

    for char in plaintext:
        random_length_num += ord(char)
        random_length_num += ~ len(plaintext)

    while salt <= length:
        seed += ord(plaintext[salt % len(plaintext)]) + salt * random_length_num
        hash.append(text[(seed**salt*random_length_num) % len(text)])
        salt += 1
        random_length_num += 1
    return hash

print("".join(hashing(plaintext_input_1))) 

fR&35y91@gAqUWNB95%fcTi!cJ$bxQUeu


The algorithm was changed very minimally, but those changes were very important. The first and most important change was the line `random_length_num += ~ len(plaintext)`. This was important as the result of the line is heavily dependent on the length of the input. This is beacuse it takes the length of the input and inverts the bits (0 will be 1 and 1 will be 0). This is then added to the `random_length_num` variable to get a large number. The variable is then dependent on not only the actual character inputted (as shown with the `ord()` function) but also the length of the input.

Additionally, I added the line `random_length_num += 1` within the second part in order to make the chance of repeated values of it (with different inputs) nearly impossible.

These two changes made the chance of collisions nearly impossible with no collisions found in 10,000 hashes and only one collision found in 1,000,000 hashes.

# Results

To analyze the result, I used the aforementioned testing algorithm, hashing time program, and a plotting program.  

# Discussion

# Conclusion

<a style='text-decoration:none;line-height:16px;display:flex;color:#5B5B62;padding:10px;justify-content:end;' href='https://deepnote.com?utm_source=created-in-deepnote-cell&projectId=764b8806-990e-4d16-80ea-8c890893c289' target="_blank">
 </img>
Created in <span style='font-weight:600;margin-left:4px;'>Deepnote</span></a>