The circulant hash revisited

Filipe Araujo 1  and Samuel Neves 1
  • 1 CISUC, Dept. of Informatics Engineering, University of Coimbra, Coimbra, Portugal
Filipe Araujo and Samuel Neves

Abstract

At ProvSec 2013, Minematsu presented the circulant hash, an almost-xor universal hash using only the xor and rotation operations. The circulant hash is a variant of Carter and Wegman’s H3 hash as well as Krawczyk’s Toeplitz hash, both of which are hashes based on matrix-vector multiplication over 𝔽2. In this paper we revisit the circulant hash and reinterpret it as a multiplication in the polynomial ring 𝔽2[x]/(xn + 1). This leads to simpler proofs, faster implementations in modern computer chips, and newer variants with practical implementation advantages.

1 Introduction

Universal hashing was formally introduced by Carter and Wegman [1, 2, 3] and has numerous applications in data structures, authentication, and many other areas. In cryptography, universal hashes are often found in Wegman-Carter-Shoup [3, 4] authenticators and their variants. Lucks [5] and later Naor-Reingold [6] showed that the first and last rounds of the 4-round Luby-Rackoff construction can be universal. Universal hash functions are also very useful in randomness extraction, via the leftover-hash lemma [7].

The usage of universal hashing for authentication does, in fact, predate Carter and Wegman, and is often attributed to Gilbert, MacWilliams, and Sloane’s multilinear hash [8], as well as Zobrist [9]. Many practical universal hash functions have been since proposed, including integer multiply and shift [10], polynomial evaluation [11, 12, 13], polynomial or integer remainder [14, 15], or Toeplitz matrices [16]. Achieving the best possible speeds continues to be a popular research problem, with new proposals being regularly published.

One such almost-xor universal hash function, the circulant hash, was recently proposed by Mine-matsu [17]. It is described in Definition 1.1.

Definition 1.1

Let n be a positive integer. The circulant hash (CLH) is the keyed function {0, 1}n×{0, 1}n−1 ↦ {0, 1}n defined as

CLHn(k,a)=i=0n1ki if ai=1.

In other words, the hash consists of the xor of the key k rotated by the amounts defined by the positions of the nonzero bits of the input a. Alternatively, CLH is a matrix-vector multiplication in which the matrix is a circulant matrix (hence the name). Minematsu proved this function is 2/2n-almost xor universal.

Theorem 1.2

([17, Lemma 1]). Let k be a key uniformly sampled from {0, 1}n. We have

Prk[CLHn(k,a)CLHn(k,b)=c]2/2nandPrk[CLHn(k,a)=c]2/2n,

for n prime and 2 a primitive root modulo n.

Minematsu’s proof of Theorem 1.2 is fairly involved, and relies on nontrivial results in linear algebra, e.g., [18].

CLH is quite similar to the “shift register hash” first described by Vazirani in the context of entropy extraction [19]. Indeed, Vazirani’s proof sketch [19, Lemma 2] is similar to the one presented below in Section 3.

1.1 Contribution

Our contribution is threefold. First, we reinterpret the circulant hash in terms of polynomial arithmetic modulo xn + 1, which results in a much simpler proof (Section 3), and immediate implementation possibilities. Secondly, we present several variants of CLH that have speed or flexibility advantages (Sections 4 and 5). Lastly, we (re-)obtain the differential probability of data-dependent rotation and the stretch-then-shift hash using largely the same techniques (Section 6).

2 Notation and Definitions

Unless otherwise specified, a polynomial p(x) of degree d is written as xd + · · · + 1 and has coefficients in 𝔽2. wi denotes the ith bit of an n-bit word w.s$S means that s is an element of S sampled uniformly at random. We denote concatenation of two bit strings a and b by ab.

We define a family of hash functions as a finite multiset H of 2k functions, for some k, with each hH having domain {0, 1}n and range {0, 1}m for some constant n and m.

The original definition of universal hashing is due to Carter and Wegman [1], and is presented below.

Definition 2.1

A hash function family H : {0, 1}n ↦ {0, 1}m of size 2k is ϵ-almost universal if for every distinct a, b ∈ {0, 1}n there are at most ϵ · 2k functions hH such that h(a) = h(b). In other words,

PrhH[h(a)=h(b)]ϵ.

If ϵ = 2n, H is simply called universal.

A stronger notion is presented next. It was stated independently by Krawczyk [16], Rogaway [20], and Lucks [5] for xor differences, and generalized to arbitrary additive groups by Stinson [21].

Definition 2.2

A hash function family H : {0, 1}n ↦ {0, 1}m of size 2k is ϵ-almost xor universal if for every distinct a, b ∈ {0, 1}n there are at most ϵ2k functions hH such that h(a) ⊕ h(b) = c, for any c ∈ {0, 1}m. In other words,

PrhH[h(a)h(b)=c]ϵ.

If ϵ = 2n, H is simply called xor universal.

A xor universal hash function is necessarily universal; this is the special case c = 0.

3 Simpler Proof of Theorem 1.2

Our proof approach follows the lead of Rivest [22] and observes the natural embedding of bit rotation by i as multiplication by xi in the ring 𝔽2[x]/(xn + 1). That is, a word w of n bits is interpreted as the polynomial

w0+w1x++wn1xn1.

Additionally, word rotation by i bits can be interpreted as multiplication by xi modulo xn + 1 1, and addition can be accomplished by element-wise addition modulo 2, i.e., xor. Coupled with the identities 0 and 1, this yields the ring 𝔽2[x]/(xn + 1). This interpretation of circulant matrices is often found in error correcting code literature [23], cellular automata [24, 25], as well as cipher design [26].

In light of this understanding, we can restate Definition 1.1 as follows.

Definition 3.1

Let n be a positive integer. The circulant hash (CLH) is the keyed function {0, 1}n×{0, 1}n−1 ↦ {0, 1}n defined as

CLHn(k,a)=kamod(xn+1).

Not only does this definition have more explanatory power than Minematsu’s, it also makes it clear that it does not matter whether we are rotating the key depending on the data, or vice-versa. This allows variable-time implementations without the risk of timing side-channel attacks. It also makes it obvious how to implement this function in terms of carryless multiplication, in the common case where hardware supports it. Now we are ready to restate and prove Theorem 1.2.

Theorem 3.2

Letk${0,1}n.For any distinct a, b ∈ {0, 1}n−1and c ∈ {0, 1}n, we have

Prk[CLHn(k,a)CLHn(k,b)=c]2/2nandPrk[CLHn(k,a)=c]2/2n,

for n prime and 2 a primitive root modulo n.

Proof

Since CLHn(k, a) is clearly linear, i.e., k · a + k · b ≡ k · (a + b) (mod xn + 1), proving uniformity for nonzero input is sufficient [16, Theorem 6].

If n is an odd prime, xn + 1 factors as (x + 1)Φn(x), Φn(x) being the nth cyclotomic polynomial xn−1 + xn−2 + · · · + x + 1. Suppose that Φn(x) is irreducible modulo 2. Because the degree of a is at most n − 2, a mod Φn(x) = a. We can analyze the behavior of CLH modulo Φn(x) and x + 1 independently:

  1. Modulo Φn(x). This is a finite field multiplication. Therefore any equation k · a ≡ c (mod Φn(x)) has a unique solution k ≡ ca−1 (mod Φn(x)).
  2. Modulo x + 1. By a counting argument there can be at most 2 keys satisfying k · a ≡ c (mod (x + 1)) for any choice of parameters.

Combining the two cases with the Chinese remainder theorem, we obtain at most 2 distinct solutions.

It remains to be determined that Φn(x) is irreducible. This follows directly from the fact that n is prime, Φn(x) is the nth cyclotomic polynomial, and 2 is a primitive root modulo n [27, §1.6]. Thus, the differential probability is at most 2/2n. □

Remark 3.3

The conditions imposed by Minematsu on n are precisely the necessary conditions for there being a type-I optimal normal basis for the field 𝔽2n−1. Optimal normal bases are exceptionally fast representations for polynomials over binary fields, to the point that field sizes for binary elliptic curves are often chosen such that such bases are known to exist [28].

The circulant hash is, as a matter of fact, a multiplication in the “ghost bit” redundant representation of a type-I optimal normal basis [29, 30], with one exception—the end result remains in the ring 𝔽2[x]/(xn + 1) instead of being reduced modulo Φn(x). Reduction by “all-one” polynomials is exceptionally simple, and would enable a straightforward {0, 1}n−1 × {0, 1}n−1 ↦ {0, 1}n−1 finite-field multiplicative hash—simply add the coefficient of xn−1 to every coefficient in the polynomial, i.e.,

(w0+wn1)+(w1+wn1)x++(wn1+wn1)xn1,

and output the first n − 1 coefficients. This can be achieved on a computer with a single xor and arithmetic shift.

4 Polynomial Evaluation

A very successful approach to designing universal hashes that accept an arbitrary-sized input is polynomial evaluation [31, 32]. Our interpretation of the circulant hash in the previous section lends itself to a straight-forward polynomial evaluation variant, which allows for arbitrary-sized inputs.

In this setting, we split an m(n−1)-bit input message a into m blocks (a0, a1, . . . , am−1) of n−1 bits each, padding as needed 2. We interpret the message a as the degree m polynomial with coefficients in 𝔽2[x]/(xn+1):

a(X)=Xmam1+Xm1am2++Xa0+0.

We can now define the hash function PCLH(k, a) as the evaluation of this polynomial at k.

Definition 4.1

Let n be a positive integer. The polynomial evaluation circulant hash (PCLH) is a keyed function {0, 1}n × {0, 1}(n−1)m ↦ {0, 1}n defined as

PCLHn(k,a)=i=1mkiaimod(xn+1)=a(k).
Theorem 4.2

Let n be a prime such that 2 is a primitive root modulo n. For messages of at most m blocks, the polynomial hash PCLHn is 2m/2n-almost xor universal.

Proof

By linearity, PCLHn(k, a)+PCLHn(k, b) = PCLHn(k, a+b), where a+b indicates addition of polynomials of the form (3). Furthermore, PCLHn(k, a + b) = (a + b)(k). Thus we have (a + b)(k) = c, from which follows that (a + b + c)(k) = 0, which means the number of keys coincides with the number of roots of the polynomial a + b + c, which has degree at most m.

As in Theorem 1.2, given the constraints on n we can consider the behavior of the hash modulo x + 1 and Φn(x) independently:

– Modulo Φn(x). This is a finite field polynomial evaluation and the fundamental theorem of algebra applies—there are at most m roots of a degree m polynomial.

– Modulo x + 1. Here, by a simple counting argument, there cannot be more than 2 roots for any polynomial.

This leads to a probability of at most 2m/2n. The case m = 1 is exactly Theorem 1.2. □

5 A Variant for Powers of 2

Operating on block sizes of prime size, as required by the original CLH function, is not very convenient. Ideally, one would work instead on “natural” power of two blocks, such as n = 128. To this end, we define a new variant of the circulant hash that works in this setting.

Definition 5.1

Let n be a power of 2. The modified circulant hash (MCLH) is a keyed function {0, 1}n × {0, 1}n−1 ↦ {0, 1}n defined as

MCLHn(k,a)=ka+xn1(a+1mod(x+1))mod(xn+1).

In this variant, instead of keeping the (n − 1)th coefficient empty we use it to ensure that the input is always invertible modulo xn + 1 with the injective transformation (a + xn−1(a + 1 mod (x + 1)). The input to MCLH can equivalently be defined as every element of {0, 1}n with an odd number of bits. Lemma 5.2 proves this is the case.

Lemma 5.2

For any a ∈ {0, 1}n−1, (a + xn−1(a + 1 mod (x + 1))) mod (x + 1) = 1.

Proof

xn−1 mod (x + 1) = (xn−1)(1) = 1 by the polynomial remainder theorem. Thus,

=a+xn1(a+1mod(x+1))mod(x+1)=amod(x+1)+(a+1)mod(x+1)=1.

We now prove MCLH is an almost-xor universal hash.

Theorem 5.3

Let n be a power of 2. Letk${0,1}n.For any distinct a, b ∈ {0, 1}n−1and c ∈ {0, 1}n, we have

Prk[MCLHn(k,a)MCLHn(k,b)=c]1/2nandPrk[MCLHn(k,a)=c]1/2n.
Proof

Again, by linearity it suffices to prove Prk[MCLHn(k,a)=c]1/2n.Since we are working in characteristic 2 and n is a power of 2, xn +1 = (x +1)n. As such, if gcd(a, x + 1) = 1, then gcd(a, (x +1)n) = 1 for any positive n.

Given an equation k ·a ≡ c (mod xn +1), there is a unique k such that k ≡ ca−1 (mod xn +1). a is always invertible modulo xn + 1 by construction, as shown in Lemma 5.2. □

Remark 5.4

The value a mod (x + 1) can be efficiently computed with, e.g., the Intel instruction popcnt. It can also be computed by keeping track of the parity of the input.

6 Related Functions

6.1 Data-dependent Rotation

The same mathematical framework used in the previous sections may also be used to show that data-dependent rotation has low differential probability when the difference is in the rotation amounts. In Theorem 6.1 we re-derive the differential probability result of [33] in terms of multiplication in 𝔽2[x]/(xn + 1).

Theorem 6.1

([33]). Let n be a power of 2, andk${0,1}n,and distinct r1, r2 ∈ {0, 1, . . . , n − 1} be inputs. Then

Prk[kr1kr2=c]2gcd(r2r1,n)n.
Proof

As above, kr1⊕ kr2 is equivalent to k · (xr1 + xr2 ) mod (xn + 1). Thus, we want to bound the probability that k · (xr1 + xr2 ) mod (xn + 1) = c. We begin by rewriting it as k · kxr2r1+1=cxr1.

We may factor any exponent r2r1 mod n as 2p · q, for odd q. Then xr2−r1 +1 = (xq +1)2p = (x+1)2p (xq−1 + xq−2 + · · · + 1)2p . We can now rewrite the above equality further as

k(x+1)2p=cxr1(xq1+xq2++1)2p,

as the right hand side multipliers are all units in this ring. The remaining factor (x+1)2p remains to be handled. Since 2p divides n, multiplication by (x+1)2p is a surjective group homomorphism sending 𝔽2[x]/(xn+1) to the unique subgroup of 𝔽2[x]/(xn +1) of order 2n−2p . As such, each key is one of 22p equivalent representations in this subgroup, k+t·(x+1)n−2p for t of degree less than 2p. If the right hand side of (6) belongs to the subgroup, i.e., it is congruent to 0 modulo (x + 1)2p , there is a unique solution in the subgroup with corresponding 22p equivalents in the main group; otherwise there are no solutions.

Finally, since n is a power of 2, we have 2p = gcd(r2r1, n). Putting it all together, we have at most 2gcd(r2−r1,n) possible keys for any given r1, r2, c, leading to a maximum probability of 2gcd(r2−r1,n)−n. □

6.2 Stretch-then-shift

The OCB3 authenticated encryption mode [34] introduced a special-purpose almost xor universal function—stretch-then-shift—to hash the 6 least significant bits of a nonce. This function, Hc(k, a), takes a 128-bit key k, a 6-bit input a, and outputs the first 128 bits of the result:

Hc(k,a)=(stretch(k)a)[0127],

where stretch(k) is defined as kk ⊕ (k c), for some constant c < 128.

As with the case of the circulant hash, the authors of stretch-then-shift offer only a linear-algebraic rationale for the almost xor universal property of their function. Yet, we can also offer a polynomial interpretation that, once again, makes things simpler. We can understand this function as equivalent to a multiplication in the ring 𝔽2[x]/(x128 + xc + 1). Namely,

Hc(k,a)=kxamod(x128+xc+1).

This comes directly from the fact that shift left by a is equivalent to polynomial multiplication by xa, and reduction of a polynomial f of degree < 256 − c modulo x128 + xc + 1 can be written as

fmod(x128+xc+1)=fmodx128+f/x128(xc+1),

since x128 mod x128+xc+1 = xc +1. Therefore, the stretch-then-shift hash is nothing more than an optimized polynomial multiplication modulo a trinomial. Since there are no irreducible trinomials of degree 128, the analysis proceeds similarly to the case of rotation.

We now prove in Theorem 6.2 that the concrete choice of shift used in OCB3, H8, makes for a xor universal hash.

Theorem 6.2

Letk${0,1}128, and distinct a, b ∈ {0, 1, . . . , 63} be inputs. Then, for any c ∈ {0, 1}128,

PrkH8(k,a)H8(k,b)=c2128.
Proof

We use the equivalence of H8 to k·xa mod (x128+x8+1). We have, as before, k·xa+k·xb = k·(xa+xb) = c can be written as k · (xab + 1) = c · xb. As long as both xab and xb are unique (i.e., invertible modulo x128 + x8 + 1), there is a unique k satisfying the equation.

The modulus x128 + x8 + 1 factors as (x8 + x6 + x5 + x3 + 1)8(x8 + x6 + x5 + x4 + x3 + x + 1)8. As xb shares no factors with it, we need only concern with xab + 1. Without loss of generality, we consider positive differences a > b only. As long as xab + 1 shares no factor with the modulus, this multiplication is invertible. We rewrite xab + 1 as xab = 1 modulo any of the factors of the modulus, i.e., the order of x. The order of x modulo x8 + x6 + x5 + x3 + 1 is 255; the order of x modulo x8 + x6 + x5 + x4 + x3 + x + 1 is 85. Therefore, as long as ab ∈ [−84, . . . , 84], H8 is injective and thus for any c at most one choice of k exists. □

This interpretation also gives us efficient ways to find suitable constants c. Given the factorization of the trinomial x128 + xc + 1, the function is xor universal as long as x has sufficiently large order modulo every factor. Alternatively, gcd(xa + 1, x128 + xc + 1) = 1 for every admissible value of a.

References

  • [1]

    Mark N.Wegman and Larry Carter,New Classes and Applications of Hash Functions, in: 20th Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 29-31 October 1979 pp. 175–182, IEEE Computer Society, 1979.

  • [2]

    Larry Carter and Mark N. Wegman, Universal Classes of Hash Functions, J. Comput. Syst. Sci. 18 (1979), 143–154.

  • [3]

    Mark N. Wegman and Larry Carter, New Hash Functions and Their Use in Authentication and Set Equality, J. Comput. Syst. Sci. 22 (1981), 265–279.

  • [4]

    Victor Shoup, On Fast and Provably Secure Message Authentication Based on Universal Hashing, in: Advances in Cryptology - CRYPTO’96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 1996, Proceedings (Neal Koblitz, ed.), Lecture Notes in Computer Science 1109, pp. 313–328, Springer, 1996.

  • [5]

    Stefan Lucks, Faster Luby-Rackoff Ciphers, in: Fast Software Encryption, Third International Workshop, Cambridge, UK, February 21-23, 1996, Proceedings (Dieter Gollmann, ed.), Lecture Notes in Computer Science 1039, pp. 189–203, Springer, 1996.

  • [6]

    Moni Naor and Omer Reingold, On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited, J. Cryptology12 (1999), 29–66.

  • [7]

    Russell Impagliazzo, Leonid A. Levin and Michael Luby, Pseudo-random Generation from one-way functions (Extended Abstracts), in: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14-17, 1989, Seattle, Washigton, USA (David S. Johnson, ed.), pp. 12–24, ACM, 1989.

  • [8]

    Edgar N. Gilbert, F. Jessie MacWilliams and Neil J. A. Sloane, Codes Which Detect Deception, Bell System Technical Journal53 (1974), 405–424.

  • [9]

    Albert L. Zobrist, A New Hashing Method With Application for Game Playing University of Wisconsin—Madison Department of Computer Sciences, Report no. #88, April 1970.

  • [10]

    Martin Dietzfelbinger, Universal Hashing and k-Wise Independent Random Variables via Integer Arithmetic without Primes, in: STACS 96, 13th Annual Symposium on Theoretical Aspects of Computer Science, Grenoble, France, February 22-24, 1996, Proceedings (Claude Puech and Rüdiger Reischuk, eds.), Lecture Notes in Computer Science 1046, pp. 569–580, Springer, 1996.

  • [11]

    Bert den Boer, A Simple and Key-Economical Unconditional Authentication Scheme, Journal of Computer Security2 (1993), 65–72.

  • [12]

    Jürgen Bierbrauer, Thomas Johansson, Gregory Kabatianskii and Ben J. M. Smeets, On Families of Hash Functions via Geometric Codes and Concatenation, in: Advances in Cryptology - CRYPTO ’93, 13th Annual International Cryptology Conference, Santa Barbara, California, USA, August 22-26, 1993, Proceedings (Douglas R. Stinson, ed.), Lecture Notes in Computer Science 773, pp. 331–342, Springer, 1993.

  • [13]

    Richard Taylor, Near Optimal Unconditionally Secure Authentication, in: Advances in Cryptology - EUROCRYPT ’94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9-12, 1994, Proceedings (Alfredo De Santis, ed.), Lecture Notes in Computer Science 950, pp. 244–253, Springer, 1994.

  • [14]

    Michael O. Rabin, Fingerprinting by Random Polynomials Center for Research in Computing Technology, Harvard University, Report no. TR-CSE-03-01, 1981.

  • [15]

    Richard M. Karp and Michael O. Rabin, Efficient Randomized Pattern-Matching Algorithms, IBM Journal of Research and Development31 (1987), 249–260.

  • [16]

    Hugo Krawczyk, LFSR-based Hashing and Authentication, in: Advances in Cryptology - CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings (Yvo Desmedt, ed.), Lecture Notes in Computer Science 839, pp. 129–139, Springer, 1994.

  • [17]

    Kazuhiko Minematsu, A Short Universal Hash Function from Bit Rotation, and Applications to Blockcipher Modes, in: Provable Security - 7th International Conference, ProvSec 2013, Melaka, Malaysia, October 23-25, 2013. Proceedings (Willy Susilo and Reza Reyhanitabar, eds.), Lecture Notes in Computer Science 8209, pp. 221–238, Springer, 2013.

  • [18]

    D. E. Daykin, On the Rank of the Matrix fA and the Enumeration of Certain Matrices over a Finite Field, Journal of the London Mathematical Societys1-35 (1960), 36–42.

  • [19]

    Umesh V. Vazirani, Efficiency Considerations in Using Semi-random Sources (Extended Abstract), in: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, New York, USA (Alfred V. Aho, ed.), pp. 160–168, ACM, 1987.

  • [20]

    Phillip Rogaway, Bucket Hashing and Its Application to Fast Message Authentication, J. Cryptology12 (1999), 91–115.

  • [21]

    Douglas R. Stinson, On the Connections Between Universal Hashing, Combinatorial Designs and Error-Correcting Codes, in: Congressus Numerantium 114 pp. 7–27, 1996.

  • [22]

    Ronald L. Rivest, The invertibility of the XOR of rotations of a binary word, Int. J. Comput. Math. 88 (2011), 281–284.

  • [23]

    Cunsheng Ding and Zhengchun Zhou, Binary cyclic codes from explicit polynomials over GF(2m), Discrete Mathematics321 (2014), 76–89.

  • [24]

    Olivier Martin, Andrew M. Odlyzko and Stephen Wolfram, Algebraic properties of cellular automata, Comm. Math. Phys. 93 (1984), 219–258.

  • [25]

    Dario Bini, Gianna M. Del Corso, Giovanni Manzini and Luciano Margara, Inversion of circulant matrices over ZmMath. Comput. 70 (2001), 1169–1182.

  • [26]

    Joan Daemen, Cipher and hash function design, strategies based on linear and differential cryptanalysis, PhD Thesis K.U.Leuven, 1995.

  • [27]

    Ian F. Blake and Ronald C. Mullin, The Mathematical Theory of Coding Academic Press, April 1975.

  • [28]

    Christophe Doche, Finite Field Arithmetic Handbook of Elliptic and Hyperelliptic Curve Cryptography. (Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen and Frederik Vercauteren, eds.), Chapman and Hall/CRC,2005, pp. 201–237.

  • [29]

    Toshiya Itoh and Shigeo Tsujii, Structure of Parallel Multipliers for a Class of Fields GF(2mInf. Comput. 83 (1989), 21–40.

  • [30]

    Joseph H. Silverman, Fast Multiplication in Finite Fields GF(2N in: Cryptographic Hardware and Embedded Systems, First International Workshop, CHES’99, Worcester, MA, USA, August 12-13, 1999, Proceedings (Çetin Kaya Koç and Christof Paar, eds.), Lecture Notes in Computer Science 1717, pp. 122–134, Springer, 1999.

  • [31]

    Ted Krovetz and Phillip Rogaway, Fast Universal Hashing with Small Keys and No Preprocessing: The PolyR Construction, in: Information Security and Cryptology - ICISC 2000, Third International Conference, Seoul, Korea, December 8-9, 2000, Proceedings (Dongho Won, ed.), Lecture Notes in Computer Science 2015, pp. 73–89, Springer, 2000.

  • [32]

    Daniel J. Bernstein, The Poly1305-AES Message-Authentication Code, in: Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Revised Selected Papers (Henri Gilbert and Helena Handschuh, eds.), Lecture Notes in Computer Science 3557, pp. 32–49, Springer, 2005.

  • [33]

    Scott Contini and Yiqun Lisa Yin, On differential properties of data-dependent rotations and their use in MARS and RC6, in: The 2nd Conference on Advanced Encryption Standard (AES), Rome, Italy, March 22-23, 1999 February 1999.

  • [34]

    Ted Krovetz and Phillip Rogaway, The Software Performance of Authenticated-Encryption Modes, in: Fast Software Encryption - 18th International Workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers (Antoine Joux, ed.), Lecture Notes in Computer Science 6733, pp. 306–327, Springer, 2011.

Footnotes

1

In 𝔽2, 1 and −1 are interchangeable. As such, we use positive signs whenever possible for simplicity.

2

Here we simply consider messages of fixed length and multiple of n − 1 bits. Standard padding methods [31, 32] apply to make PCLH suitable for variable-length messages.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1]

    Mark N.Wegman and Larry Carter,New Classes and Applications of Hash Functions, in: 20th Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 29-31 October 1979 pp. 175–182, IEEE Computer Society, 1979.

  • [2]

    Larry Carter and Mark N. Wegman, Universal Classes of Hash Functions, J. Comput. Syst. Sci. 18 (1979), 143–154.

  • [3]

    Mark N. Wegman and Larry Carter, New Hash Functions and Their Use in Authentication and Set Equality, J. Comput. Syst. Sci. 22 (1981), 265–279.

  • [4]

    Victor Shoup, On Fast and Provably Secure Message Authentication Based on Universal Hashing, in: Advances in Cryptology - CRYPTO’96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 1996, Proceedings (Neal Koblitz, ed.), Lecture Notes in Computer Science 1109, pp. 313–328, Springer, 1996.

  • [5]

    Stefan Lucks, Faster Luby-Rackoff Ciphers, in: Fast Software Encryption, Third International Workshop, Cambridge, UK, February 21-23, 1996, Proceedings (Dieter Gollmann, ed.), Lecture Notes in Computer Science 1039, pp. 189–203, Springer, 1996.

  • [6]

    Moni Naor and Omer Reingold, On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited, J. Cryptology12 (1999), 29–66.

  • [7]

    Russell Impagliazzo, Leonid A. Levin and Michael Luby, Pseudo-random Generation from one-way functions (Extended Abstracts), in: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14-17, 1989, Seattle, Washigton, USA (David S. Johnson, ed.), pp. 12–24, ACM, 1989.

  • [8]

    Edgar N. Gilbert, F. Jessie MacWilliams and Neil J. A. Sloane, Codes Which Detect Deception, Bell System Technical Journal53 (1974), 405–424.

  • [9]

    Albert L. Zobrist, A New Hashing Method With Application for Game Playing University of Wisconsin—Madison Department of Computer Sciences, Report no. #88, April 1970.

  • [10]

    Martin Dietzfelbinger, Universal Hashing and k-Wise Independent Random Variables via Integer Arithmetic without Primes, in: STACS 96, 13th Annual Symposium on Theoretical Aspects of Computer Science, Grenoble, France, February 22-24, 1996, Proceedings (Claude Puech and Rüdiger Reischuk, eds.), Lecture Notes in Computer Science 1046, pp. 569–580, Springer, 1996.

  • [11]

    Bert den Boer, A Simple and Key-Economical Unconditional Authentication Scheme, Journal of Computer Security2 (1993), 65–72.

  • [12]

    Jürgen Bierbrauer, Thomas Johansson, Gregory Kabatianskii and Ben J. M. Smeets, On Families of Hash Functions via Geometric Codes and Concatenation, in: Advances in Cryptology - CRYPTO ’93, 13th Annual International Cryptology Conference, Santa Barbara, California, USA, August 22-26, 1993, Proceedings (Douglas R. Stinson, ed.), Lecture Notes in Computer Science 773, pp. 331–342, Springer, 1993.

  • [13]

    Richard Taylor, Near Optimal Unconditionally Secure Authentication, in: Advances in Cryptology - EUROCRYPT ’94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9-12, 1994, Proceedings (Alfredo De Santis, ed.), Lecture Notes in Computer Science 950, pp. 244–253, Springer, 1994.

  • [14]

    Michael O. Rabin, Fingerprinting by Random Polynomials Center for Research in Computing Technology, Harvard University, Report no. TR-CSE-03-01, 1981.

  • [15]

    Richard M. Karp and Michael O. Rabin, Efficient Randomized Pattern-Matching Algorithms, IBM Journal of Research and Development31 (1987), 249–260.

  • [16]

    Hugo Krawczyk, LFSR-based Hashing and Authentication, in: Advances in Cryptology - CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings (Yvo Desmedt, ed.), Lecture Notes in Computer Science 839, pp. 129–139, Springer, 1994.

  • [17]

    Kazuhiko Minematsu, A Short Universal Hash Function from Bit Rotation, and Applications to Blockcipher Modes, in: Provable Security - 7th International Conference, ProvSec 2013, Melaka, Malaysia, October 23-25, 2013. Proceedings (Willy Susilo and Reza Reyhanitabar, eds.), Lecture Notes in Computer Science 8209, pp. 221–238, Springer, 2013.

  • [18]

    D. E. Daykin, On the Rank of the Matrix fA and the Enumeration of Certain Matrices over a Finite Field, Journal of the London Mathematical Societys1-35 (1960), 36–42.

  • [19]

    Umesh V. Vazirani, Efficiency Considerations in Using Semi-random Sources (Extended Abstract), in: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, New York, USA (Alfred V. Aho, ed.), pp. 160–168, ACM, 1987.

  • [20]

    Phillip Rogaway, Bucket Hashing and Its Application to Fast Message Authentication, J. Cryptology12 (1999), 91–115.

  • [21]

    Douglas R. Stinson, On the Connections Between Universal Hashing, Combinatorial Designs and Error-Correcting Codes, in: Congressus Numerantium 114 pp. 7–27, 1996.

  • [22]

    Ronald L. Rivest, The invertibility of the XOR of rotations of a binary word, Int. J. Comput. Math. 88 (2011), 281–284.

  • [23]

    Cunsheng Ding and Zhengchun Zhou, Binary cyclic codes from explicit polynomials over GF(2m), Discrete Mathematics321 (2014), 76–89.

  • [24]

    Olivier Martin, Andrew M. Odlyzko and Stephen Wolfram, Algebraic properties of cellular automata, Comm. Math. Phys. 93 (1984), 219–258.

  • [25]

    Dario Bini, Gianna M. Del Corso, Giovanni Manzini and Luciano Margara, Inversion of circulant matrices over ZmMath. Comput. 70 (2001), 1169–1182.

  • [26]

    Joan Daemen, Cipher and hash function design, strategies based on linear and differential cryptanalysis, PhD Thesis K.U.Leuven, 1995.

  • [27]

    Ian F. Blake and Ronald C. Mullin, The Mathematical Theory of Coding Academic Press, April 1975.

  • [28]

    Christophe Doche, Finite Field Arithmetic Handbook of Elliptic and Hyperelliptic Curve Cryptography. (Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen and Frederik Vercauteren, eds.), Chapman and Hall/CRC,2005, pp. 201–237.

  • [29]

    Toshiya Itoh and Shigeo Tsujii, Structure of Parallel Multipliers for a Class of Fields GF(2mInf. Comput. 83 (1989), 21–40.

  • [30]

    Joseph H. Silverman, Fast Multiplication in Finite Fields GF(2N in: Cryptographic Hardware and Embedded Systems, First International Workshop, CHES’99, Worcester, MA, USA, August 12-13, 1999, Proceedings (Çetin Kaya Koç and Christof Paar, eds.), Lecture Notes in Computer Science 1717, pp. 122–134, Springer, 1999.

  • [31]

    Ted Krovetz and Phillip Rogaway, Fast Universal Hashing with Small Keys and No Preprocessing: The PolyR Construction, in: Information Security and Cryptology - ICISC 2000, Third International Conference, Seoul, Korea, December 8-9, 2000, Proceedings (Dongho Won, ed.), Lecture Notes in Computer Science 2015, pp. 73–89, Springer, 2000.

  • [32]

    Daniel J. Bernstein, The Poly1305-AES Message-Authentication Code, in: Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Revised Selected Papers (Henri Gilbert and Helena Handschuh, eds.), Lecture Notes in Computer Science 3557, pp. 32–49, Springer, 2005.

  • [33]

    Scott Contini and Yiqun Lisa Yin, On differential properties of data-dependent rotations and their use in MARS and RC6, in: The 2nd Conference on Advanced Encryption Standard (AES), Rome, Italy, March 22-23, 1999 February 1999.

  • [34]

    Ted Krovetz and Phillip Rogaway, The Software Performance of Authenticated-Encryption Modes, in: Fast Software Encryption - 18th International Workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers (Antoine Joux, ed.), Lecture Notes in Computer Science 6733, pp. 306–327, Springer, 2011.

OPEN ACCESS

Journal + Issues

Search