[G1-Sync] Manual knowledge update

2026-05-09 22:47:42 +09:00
parent 93ec7e9056
commit 21ac3ed255
56 changed files with 22043 additions and 43 deletions
@@ -0,0 +1,476 @@
+---
+id: cs-hashing-strategies
+title: Hashing Strategies — MD5 / SHA / xxHash / Argon2
+category: Coding
+status: draft
+source_trust_level: B
+verification_status: conceptual
+created_at: 2026-05-09
+updated_at: 2026-05-09
+tags: [cs, hashing, vibe-coding]
+tech_stack: { language: "TS", applicable_to: ["Backend"] }
+applied_in: []
+aliases: [hash, MD5, SHA-256, xxHash, Argon2, password hash, content addressing]
+---
+
+# Hashing Strategies
+
+> 다양 use case 의 다양 hash. **Cryptographic (SHA-256, BLAKE3) vs Fast (xxHash, MurmurHash) vs Password (Argon2, bcrypt)**. 잘못 선택 = 보안 / 성능 망가짐.
+
+## 📖 핵심 개념
+- Cryptographic: collision-resistant, slow.
+- Fast non-crypto: speed-optimized.
+- Password: deliberately slow (brute force 차단).
+- Content-addressed: data = id (Git, IPFS).
+
+## 💻 코드 패턴
+
+### Use case 별 추천
+```
+Password hash:        Argon2id, bcrypt, scrypt
+Content address:       SHA-256, BLAKE3
+Tamper detection:      SHA-256, HMAC
+Cache key / sharding:  xxHash, MurmurHash
+File integrity:        SHA-256, BLAKE3
+HMAC (signing):        HMAC-SHA-256
+ID generation:         UUID, Snowflake
+```
+
+### Cryptographic hash (slow, secure)
+```ts
+import { createHash } from 'node:crypto';
+
+const hash = createHash('sha256').update('hello').digest('hex');
+// 'sha256' / 'sha512' / 'sha3-256' / 'blake2b512'
+
+// File hash
+import { createReadStream } from 'node:fs';
+
+async function hashFile(path: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const hash = createHash('sha256');
+    const stream = createReadStream(path);
+    stream.on('data', (chunk) => hash.update(chunk));
+    stream.on('end', () => resolve(hash.digest('hex')));
+    stream.on('error', reject);
+  });
+}
+```
+
+### BLAKE3 (modern, faster than SHA-256)
+```bash
+yarn add blake3
+```
+
+```ts
+import { hash } from 'blake3';
+const result = hash('hello').toString('hex');
+```
+
+→ SHA-256 보다 5-10x 빠름. Same security.
+
+### xxHash (very fast, non-crypto)
+```bash
+yarn add xxhash-wasm
+```
+
+```ts
+import xxhash from 'xxhash-wasm';
+
+const { h64ToString, h32 } = await xxhash();
+const hash = h64ToString('hello');  // 'cbb195b6c87b8e44'
+
+// 또는 number
+const num = h32('hello');
+```
+
+→ 10 GB/s+. Cache key, sharding, 짐 검사 (non-secure).
+
+### MurmurHash (fast, popular)
+```ts
+import murmurhash from 'murmurhash';
+const hash = murmurhash.v3('hello');  // 32-bit number
+```
+
+→ Java HashMap, Cassandra 사용.
+
+### Password hashing (Argon2)
+```bash
+yarn add argon2
+```
+
+```ts
+import argon2 from 'argon2';
+
+const hash = await argon2.hash('password', {
+  type: argon2.argon2id,
+  memoryCost: 65536,  // 64 MB
+  timeCost: 3,
+  parallelism: 4,
+});
+// '$argon2id$v=19$m=65536,t=3,p=4$...'
+
+const valid = await argon2.verify(hash, 'password');
+```
+
+→ Memory-hard. GPU brute force 차단.
+
+### bcrypt (legacy but OK)
+```ts
+import bcrypt from 'bcrypt';
+
+const hash = await bcrypt.hash('password', 12);  // cost 12
+const valid = await bcrypt.compare('password', hash);
+```
+
+→ 1999 부터. Stable. Argon2 보다 약함 — 새 = Argon2.
+
+### Password hash 의 cost
+```
+Argon2id (defaults):
+- 64 MB memory
+- 3 iterations
+- ~100ms verify
+
+→ Login 매번 100ms — OK.
+   Brute force = 매우 느림.
+```
+
+### HMAC (signed message)
+```ts
+import { createHmac } from 'node:crypto';
+
+const sig = createHmac('sha256', secret).update(message).digest('hex');
+
+// Verify
+function verify(msg: string, sig: string, secret: string): boolean {
+  const expected = createHmac('sha256', secret).update(msg).digest('hex');
+  return crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected));
+}
+```
+
+→ Webhook signature, JWT, API auth.
+
+→ [[Backend_Webhook_Patterns]].
+
+### Content-addressed (Git, IPFS)
+```ts
+// Git: SHA-1 (legacy → SHA-256 future)
+const blobHash = createHash('sha1').update('blob 11\0hello world').digest('hex');
+
+// IPFS: 다양 (default = SHA-256)
+import { CID } from 'multiformats/cid';
+import { sha256 } from 'multiformats/hashes/sha2';
+
+const hash = await sha256.digest(new TextEncoder().encode('hello'));
+const cid = CID.create(1, 0x55, hash);  // 0x55 = raw codec
+```
+
+→ Same content = same hash. Dedup.
+
+### Hash for cache key
+```ts
+// 긴 string / object → cache key
+function cacheKey(req: Request): string {
+  const key = JSON.stringify({ url: req.url, body: req.body });
+  return xxhash.h64ToString(key);  // 16 char
+}
+
+await redis.set(`cache:${cacheKey(req)}`, response);
+```
+
+→ xxHash = 빠름. SHA = overkill.
+
+### Hash for sharding (consistent)
+```ts
+function shardKey(userId: string, numShards: number): number {
+  return xxhash.h32(userId) % numShards;
+}
+```
+
+→ [[CS_Consistent_Hashing]] (better — re-shard 시 작은 이동).
+
+### Hash table (HashMap)
+```
+JS Map / Object 가 HashMap.
+Default hash 가 V8 internal.
+
+→ 직접 implement 필요 X.
+```
+
+### MD5 (deprecated for security)
+```
+MD5: collision found (2004).
+SHA-1: collision found (2017).
+
+Use:
+- Non-security checksum: MD5 / SHA-1 OK
+- Security: SHA-256 / SHA-3 / BLAKE3
+```
+
+### SHA-1 vs SHA-256 vs SHA-3
+```
+SHA-1: deprecated (security)
+SHA-256: 표준
+SHA-512: 64-bit native (faster on 64-bit CPU)
+SHA-3: Keccak (different family)
+BLAKE3: faster than all
+```
+
+### Salt (password)
+```ts
+// ❌ Same password → same hash
+hash('password')
+
+// ✅ Salt
+hash(salt + password)
+// Salt 가 unique per user.
+// Argon2 / bcrypt 자동 salt.
+```
+
+### Pepper
+```ts
+const pepper = process.env.PEPPER!;  // server-side secret
+const hash = argon2.hash(password + pepper, ...);
+```
+
+→ Salt = DB 안. Pepper = env var. DB leak 시 추가 protection.
+
+### Timing attack
+```ts
+// ❌
+if (sig === expected) ...  // string compare timing
+
+// ✅
+import { timingSafeEqual } from 'node:crypto';
+if (timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) ...
+```
+
+### Password upgrade (rehash)
+```ts
+async function login(email: string, password: string) {
+  const user = await db.users.findByEmail(email);
+  
+  if (!await argon2.verify(user.passwordHash, password)) {
+    throw new Error('Invalid');
+  }
+  
+  // Upgrade hash if cost 옛
+  if (argon2.needsRehash(user.passwordHash, { ...currentParams })) {
+    const newHash = await argon2.hash(password, currentParams);
+    await db.users.update(user.id, { passwordHash: newHash });
+  }
+  
+  return createSession(user);
+}
+```
+
+→ 시간 지나며 cost 증가.
+
+### Hash chain (Merkle tree)
+```ts
+// Block hash:
+hash(prev_block_hash + transaction_data)
+
+// Tamper one block → 모든 후속 block invalid.
+// Bitcoin / Ethereum.
+```
+
+### Merkle tree
+```
+[hash root]
+  /         \
+[hash A]   [hash B]
+  /  \      /   \
+[h1] [h2] [h3] [h4]
+ |    |    |    |
+[d1] [d2] [d3] [d4]
+```
+
+→ Verify d2 = h2 + (h3+h4 hash) → root. log(N) proof.
+
+→ Git, IPFS, blockchain.
+
+### Bloom filter (probabilistic)
+```ts
+import xxhash from 'xxhash-wasm';
+
+const xh = await xxhash();
+const bf = new Uint8Array(M);  // M bits
+
+function add(key: string) {
+  for (let i = 0; i < K; i++) {
+    const idx = xh.h32(key + i) % (M * 8);
+    bf[idx >> 3] |= (1 << (idx & 7));
+  }
+}
+
+function maybe(key: string): boolean {
+  for (let i = 0; i < K; i++) {
+    const idx = xh.h32(key + i) % (M * 8);
+    if (!(bf[idx >> 3] & (1 << (idx & 7)))) return false;
+  }
+  return true;  // probably
+}
+```
+
+→ [[CS_Bloom_Filter]].
+
+### Hash collision
+```
+Cryptographic (SHA-256): 2^128 trial 가 평균. 안 발생.
+
+Non-crypto (xxHash 64): 2^32 trial 가 50% (birthday paradox).
+- 100 K items: 안 발생.
+- 1 B items: 가능.
+
+→ Critical = SHA-256. 작은 = xxHash OK.
+```
+
+### Comparison table
+```
+Algorithm       Speed    Security    Use case
+MD5             Fast     Broken     Legacy checksum
+SHA-1           Fast     Broken     Git (legacy)
+SHA-256         Medium   Strong     Default crypto
+SHA-3           Medium   Strong     New crypto
+BLAKE3          Fast     Strong     Modern crypto
+xxHash          Very fast None      Cache, shard
+MurmurHash      Very fast None      Cache, shard
+FNV             Very fast None      Cache (작은)
+HMAC-SHA256     Medium   Strong     Sign / verify
+Argon2id        Slow     Strong     Password
+bcrypt          Slow     Strong     Password
+scrypt          Slow     Strong     Password (memory-hard)
+```
+
+### Performance (대략)
+```
+SHA-256:        500 MB/s (1 thread)
+SHA-3:          400 MB/s
+BLAKE3:         3 GB/s (multi-thread)
+xxHash:         5-10 GB/s
+MurmurHash:     5 GB/s
+
+Argon2id:       ~100ms / verify (intentionally)
+bcrypt cost 12: ~250ms
+```
+
+### Hash + ID
+```ts
+// Content-addressable storage
+const id = createHash('sha256').update(content).digest('hex');
+await s3.put(`/objects/${id}`, content);
+// 같은 content = 같은 id (dedup).
+```
+
+### Snowflake / UUID + hash (composite)
+```
+Snowflake: time + machine + seq.
+UUID v7: time + random.
+
+ID 자체 가 hash X.
+
+But:
+hash(snowflake_id) → consistent shard key.
+```
+
+### Hash-based deduplication
+```ts
+// File dedup
+async function dedupe(file: Buffer) {
+  const hash = sha256(file);
+  if (await db.files.exists(hash)) return hash;  // already
+  await db.files.put(hash, file);
+  return hash;
+}
+```
+
+→ Same file = 1 copy.
+
+### Ethereum-style hash
+```
+keccak-256 (= SHA-3 의 변형, but Ethereum 가 fixed SHA-3 전 use).
+```
+
+### Common mistakes
+```
+- MD5 for password: broken.
+- SHA-256 for password: 너무 빠름 (brute force).
+- Plain text password store: 절대.
+- Salt 무: rainbow table.
+- Same hash function 모든 use case: wrong tool.
+- timingSafeEqual 무 (signature compare): timing attack.
+```
+
+### When to use what
+```
+DB password column:        Argon2id hash.
+Session ID:                 cryptographically random (not hash).
+File integrity:            SHA-256.
+Git-like CAS:               BLAKE3 (modern) / SHA-256.
+Cache key:                  xxHash.
+Webhook signature:          HMAC-SHA256.
+JWT signing:                HMAC-SHA256 또는 RS256.
+URL-safe ID:                base64url(random) 또는 NanoID.
+```
+
+### Library
+```ts
+// Node built-in
+import { createHash, createHmac, randomBytes } from 'node:crypto';
+
+// Modern
+import { hash as blake3 } from 'blake3';
+import argon2 from 'argon2';
+import xxhash from 'xxhash-wasm';
+
+// Web Crypto (browser + edge)
+const buffer = await crypto.subtle.digest('SHA-256', encoder.encode(text));
+const hex = Array.from(new Uint8Array(buffer)).map(b => b.toString(16).padStart(2, '0')).join('');
+```
+
+### Web Crypto (edge / browser)
+```ts
+async function sha256(text: string): Promise<string> {
+  const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(text));
+  return Array.from(new Uint8Array(buf))
+    .map(b => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+```
+
+→ Cloudflare Workers / Deno / Bun 호환.
+
+## 🤔 의사결정 기준
+| 사용 | 추천 |
+|---|---|
+| Password | Argon2id |
+| File integrity | SHA-256 / BLAKE3 |
+| Cache key | xxHash |
+| Webhook sig | HMAC-SHA256 |
+| Random ID | randomBytes (not hash) |
+| Sharding | xxHash + consistent hashing |
+| Git-like | SHA-256 |
+| Tamper-evident | Merkle + SHA-256 |
+
+## ❌ 안티패턴
+- **Password 가 SHA-256**: brute force.
+- **MD5 prod**: broken.
+- **No salt**: rainbow table.
+- **timingSafeEqual 무 + sig compare**: timing.
+- **Hash 가 ID 의 only**: collision risk (xxHash large scale).
+- **너무 비싼 hash + non-security**: latency.
+- **Web Crypto 가 edge 안 알기**: error.
+
+## 🤖 LLM 활용 힌트
+- Use case 따라 정확 hash.
+- Argon2id = password.
+- SHA-256 = secure default.
+- xxHash = speed.
+- timingSafeEqual = compare.
+
+## 🔗 관련 문서
+- [[CS_Bloom_Filter]]
+- [[CS_Consistent_Hashing]]
+- [[Security_OWASP_Top_10_Practical]]