On Tue, Nov 10, 2015 at 7:21 PM, John Cowan <xxxxxx@mercury.ccil.org> wrote:

This forbids a particularly paranoid implementation from using a
distinct salt for each hash table and storing it with the hash table.
I've made several tries at rewording to allow this use case, but I
can't think how to put it.

Doesn't necessarily a paranoid; suppose a long running server that

detects some hashtables behaving poorly and wants to switch

hash strategy and rehash that particular table. You don't want to stop

and switch global parameters and rehash everything, so there'll be

inevitably hashtables with different salts.

(Given that each process can have different salts, it's very unlikely

that an attacker can prepare a particular key sets that certainly causes

poor hash distribution, so the above case can still be regarded

as an extra protection. But I've experienced long-running servers hit

unlike scenarios so I don't think the above strategy is too much

paranoid.)