explaingit

eternal-flame-ad/java-hashcode-chosen-prefix

Analysis updated 2026-07-16 · repo last pushed 2025-08-30

RustAudience · researcherComplexity · 4/5QuietSetup · hard

TLDR

A fast Rust tool that finds Java hashCode collisions, different text inputs producing the same hash value. It demonstrates why Java's hashCode should never be used for data integrity or security checks.

Mindmap

mindmap
  root((repo))
    What it does
      Finds hashCode collisions
      Generates modified JSON
      Same hash different text
    How it works
      Meet-in-the-middle technique
      SIMD CPU instructions
      Billions of hashes per second
    Use cases
      Test integrity checks
      Security research demos
      Find hash vulnerabilities
    Tech stack
      Rust
      SIMD AVX-512
    Performance
      15ms basic hardware
      2.5ms with AVX-512
    Audience
      Security researchers
      Engineers testing systems

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Test whether your system is vulnerable to hashCode-based data tampering attacks.

USE CASE 2

Demonstrate to a team why hashCode must not be relied on for data integrity verification.

USE CASE 3

Generate proof-of-concept collisions showing modified JSON that preserves the original hash value.

USE CASE 4

Benchmark hash collision performance across different CPU instruction sets.

What is it built with?

RustSIMDAVX-512

How does it compare?

eternal-flame-ad/java-hashcode-chosen-prefixbakome-hub/bakome-crypto-quant-enginecaspermeijn/nmea-test-messages
Stars0
LanguageRustRustRust
Last pushed2025-08-302024-09-16
MaintenanceQuietStale
Setup difficultyhardeasyeasy
Complexity4/53/51/5
Audienceresearcherdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires Rust toolchain and a CPU with SIMD support for best performance, sparse README provides no setup instructions.

No license information is provided in the README, so usage rights are unclear.

In plain English

This project finds "collisions" in Java's hashCode function, meaning it generates different pieces of text that produce the exact same hash value. The demo shows it taking JSON like {"uid":0,"account_balance":0 and finding a modified version {"uid":0,"account_balance":99999,"_fixup":"l5555550000OVH|4830083526" that shares the same hash. The practical implication: if a system uses Java's hashCode to check whether data has been tampered with, an attacker could swap the original data for their modified version without the change being detected. At a high level, the tool uses a technique called "meet-in-the-middle." Instead of brute-forcing every possible text combination, it works from both ends, matching up pieces that produce the same intermediate hash value, which is dramatically faster. It's written in Rust and uses specialized CPU instructions (SIMD) to process many calculations simultaneously, bringing the search time down to milliseconds. The benchmarks show it testing hundreds of billions of hash candidates per second on modern hardware. The target audience is security researchers and engineers testing systems that rely on hashCode for integrity checks. A concrete example: if a service serializes objects to JSON and trusts hashCode to detect modifications, this tool demonstrates how an attacker could inject a field like "account_balance":99999 while keeping the hash identical. It's essentially a proof-of-concept for why hashCode should never be used as a security mechanism. The README is sparse beyond the benchmark and demo output, there's no detailed documentation on setup, configuration, or the full range of use cases. The project is notable for its speed: even on basic hardware it finds collisions in under 15 milliseconds, and with advanced CPU features like AVX-512, that drops to around 2.5 milliseconds.

Copy-paste prompts

Prompt 1
Using the java-hashcode-chosen-prefix tool from eternal-flame-ad, generate a collision for the JSON string {"uid":0,"balance":0} and show me the modified version with the same hashCode.
Prompt 2
I want to test if my Java service is vulnerable to hashCode-based tampering. How do I use eternal-flame-ad/java-hashcode-chosen-prefix to create a proof-of-concept collision for a JSON payload?
Prompt 3
Explain how the meet-in-the-middle technique in eternal-flame-ad/java-hashcode-chosen-prefix achieves sub-15ms collision times and what CPU features are required for maximum performance.
Prompt 4
Set up the eternal-flame-ad/java-hashcode-chosen-prefix Rust project and run its benchmarks to compare collision search speed on my hardware.

Frequently asked questions

What is java-hashcode-chosen-prefix?

A fast Rust tool that finds Java hashCode collisions, different text inputs producing the same hash value. It demonstrates why Java's hashCode should never be used for data integrity or security checks.

What language is java-hashcode-chosen-prefix written in?

Mainly Rust. The stack also includes Rust, SIMD, AVX-512.

Is java-hashcode-chosen-prefix actively maintained?

Quiet — no commits in 6-12 months (last push 2025-08-30).

What license does java-hashcode-chosen-prefix use?

No license information is provided in the README, so usage rights are unclear.

How hard is java-hashcode-chosen-prefix to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is java-hashcode-chosen-prefix for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.