To clarify what I mean by 'non-hashable token' - There is a format for
identifiers, and a function for 'scrambling' them, so that they look very
different, but there's a function which can accurately compare two
identifiers ('tokens') regardless of how scrambled they are. By
'non-hashable' I mean that given a set of n tokens, there should be no
algorithm for determining if there's a pair of identical ones better than
doing all n^2 - n comparisons.
An example motivation: Say you have a very large database of user logins,
and you would like for users to be able to give you their history and for
you to verify it, but you're worried about an attacker getting access to
your database and analyzing it. What you do then is you give each user an
unhashable token as an identifier, and whenever you store login records
you store a login date and a scrambled version of the login id. Then, if
someone wants to demonstrate their login history they send you the dates
and their id and you can verify it, but analyzing the database as a whole
requires a lot of work.
Well, so that's not a particularly strong motivation, but hopefully it
clarifies.
-Bram Cohen
