Strongly Universal String Hashing Is Fast
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Using Tabulation to Implement the Power of Hashing Using Tabulation to Implement the Power of Hashing Talk Surveys Results from I M
Talk surveys results from I M. Patras¸cuˇ and M. Thorup: The power of simple tabulation hashing. STOC’11 and J. ACM’12. I M. Patras¸cuˇ and M. Thorup: Twisted Tabulation Hashing. SODA’13 I M. Thorup: Simple Tabulation, Fast Expanders, Double Tabulation, and High Independence. FOCS’13. I S. Dahlgaard and M. Thorup: Approximately Minwise Independence with Twisted Tabulation. SWAT’14. I T. Christiani, R. Pagh, and M. Thorup: From Independence to Expansion and Back Again. STOC’15. I S. Dahlgaard, M.B.T. Knudsen and E. Rotenberg, and M. Thorup: Hashing for Statistics over K-Partitions. FOCS’15. Using Tabulation to Implement The Power of Hashing Using Tabulation to Implement The Power of Hashing Talk surveys results from I M. Patras¸cuˇ and M. Thorup: The power of simple tabulation hashing. STOC’11 and J. ACM’12. I M. Patras¸cuˇ and M. Thorup: Twisted Tabulation Hashing. SODA’13 I M. Thorup: Simple Tabulation, Fast Expanders, Double Tabulation, and High Independence. FOCS’13. I S. Dahlgaard and M. Thorup: Approximately Minwise Independence with Twisted Tabulation. SWAT’14. I T. Christiani, R. Pagh, and M. Thorup: From Independence to Expansion and Back Again. STOC’15. I S. Dahlgaard, M.B.T. Knudsen and E. Rotenberg, and M. Thorup: Hashing for Statistics over K-Partitions. FOCS’15. I Providing algorithmically important probabilisitic guarantees akin to those of truly random hashing, yet easy to implement. I Bridging theory (assuming truly random hashing) with practice (needing something implementable). I Many randomized algorithms are very simple and popular in practice, but often implemented with too simple hash functions, so guarantees only for sufficiently random input. -
Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms
Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms Helena Handschuh1 and Bart Preneel2,3 1 Spansion, 105 rue Anatole France 92684 Levallois-Perret Cedex, France [email protected] 2 Katholieke Universiteit Leuven, Dept. Electrical Engineering-ESAT/COSIC, Kasteelpark Arenberg 10, bus 2446, B-3001 Leuven, Belgium [email protected] 3 IBBT, Van Crommenlaan, B-9000 Gent Abstract. This paper discusses key recovery and universal forgery at- tacks on several MAC algorithms based on universal hash functions. The attacks use a substantial number of verification queries but eventually allow for universal forgeries instead of existential or multiple forgeries. This means that the security of the algorithms completely collapses once a few forgeries are found. Some of these attacks start off by exploiting a weak key property, but turn out to become full-fledged divide and conquer attacks because of the specific structure of the universal hash functions considered. Partial information on a secret key can be exploited too, in the sense that it renders some key recovery attacks practical as soon as a few key bits are known. These results show that while universal hash functions offer provable security, high speeds and parallelism, their simple combinatorial properties make them less robust than conventional message authentication primitives. 1 Introduction Message Authentication Code (MAC) algorithms are symmetric cryptographic primitives that allow senders and receivers who share a common secret key to make sure the contents of a transmitted message has not been tampered with. Three main types of constructions for MAC algorithms can be found in the literature: constructions based on block ciphers, based on hash functions and based on universal hash functions. -
The Power of Tabulation Hashing
Thank you for inviting me to China Theory Week. Joint work with Mihai Patras¸cuˇ . Some of it found in Proc. STOC’11. The Power of Tabulation Hashing Mikkel Thorup University of Copenhagen AT&T Joint work with Mihai Patras¸cuˇ . Some of it found in Proc. STOC’11. The Power of Tabulation Hashing Mikkel Thorup University of Copenhagen AT&T Thank you for inviting me to China Theory Week. The Power of Tabulation Hashing Mikkel Thorup University of Copenhagen AT&T Thank you for inviting me to China Theory Week. Joint work with Mihai Patras¸cuˇ . Some of it found in Proc. STOC’11. I Providing algorithmically important probabilisitic guarantees akin to those of truly random hashing, yet easy to implement. I Bridging theory (assuming truly random hashing) with practice (needing something implementable). Target I Simple and reliable pseudo-random hashing. I Bridging theory (assuming truly random hashing) with practice (needing something implementable). Target I Simple and reliable pseudo-random hashing. I Providing algorithmically important probabilisitic guarantees akin to those of truly random hashing, yet easy to implement. Target I Simple and reliable pseudo-random hashing. I Providing algorithmically important probabilisitic guarantees akin to those of truly random hashing, yet easy to implement. I Bridging theory (assuming truly random hashing) with practice (needing something implementable). Applications of Hashing Hash tables (n keys and 2n hashes: expect 1/2 keys per hash) I chaining: follow pointers • x • ! a ! t • • ! v • • ! f ! s -
CS 473: Algorithms, Fall 2019
CS 473: Algorithms, Fall 2019 Universal and Perfect Hashing Lecture 10 September 26, 2019 Chandra and Michael (UIUC) cs473 1 Fall 2019 1 / 45 Today's lecture: Review pairwise independence and related constructions (Strongly) Universal hashing Perfect hashing Announcements and Overview Pset 4 released and due on Thursday, October 3 at 10am. Note one day extension over usual deadline. Midterm 1 is on Monday, Oct 7th from 7-9.30pm. More details and conflict exam information will be posted on Piazza. Next pset will be released after the midterm exam. Chandra and Michael (UIUC) cs473 2 Fall 2019 2 / 45 Announcements and Overview Pset 4 released and due on Thursday, October 3 at 10am. Note one day extension over usual deadline. Midterm 1 is on Monday, Oct 7th from 7-9.30pm. More details and conflict exam information will be posted on Piazza. Next pset will be released after the midterm exam. Today's lecture: Review pairwise independence and related constructions (Strongly) Universal hashing Perfect hashing Chandra and Michael (UIUC) cs473 2 Fall 2019 2 / 45 Part I Review Chandra and Michael (UIUC) cs473 3 Fall 2019 3 / 45 Pairwise independent random variables Definition Random variables X1; X2;:::; Xn from a range B are pairwise independent if for all 1 ≤ i < j ≤ n and for all b; b0 2 B, 0 0 Pr[Xi = b; Xj = b ] = Pr[Xi = b] · Pr[Xj = b ] : Chandra and Michael (UIUC) cs473 4 Fall 2019 4 / 45 Interesting case: n = m = p where p is a prime number Pick a; b uniformly at random from f0; 1; 2;:::; p − 1g Set Xi = ai + b Only need to store a; b. -
Non-Empty Bins with Simple Tabulation Hashing
Non-Empty Bins with Simple Tabulation Hashing Anders Aamand and Mikkel Thorup November 1, 2018 Abstract We consider the hashing of a set X U with X = m using a simple tabulation hash function h : U [n] = 0,...,n 1 and⊆ analyse| the| number of non-empty bins, that is, the size of h(X→). We show{ that the− expected} size of h(X) matches that with fully random hashing to within low-order terms. We also provide concentration bounds. The number of non-empty bins is a fundamental measure in the balls and bins paradigm, and it is critical in applications such as Bloom filters and Filter hashing. For example, normally Bloom filters are proportioned for a desired low false-positive probability assuming fully random hashing (see en.wikipedia.org/wiki/Bloom_filter). Our results imply that if we implement the hashing with simple tabulation, we obtain the same low false-positive probability for any possible input. arXiv:1810.13187v1 [cs.DS] 31 Oct 2018 1 Introduction We consider the balls and bins paradigm where a set X U of X = m balls are distributed ⊆ | | into a set of n bins according to a hash function h : U [n]. We are interested in questions → relating to the distribution of h(X) , for example: What is the expected number of non-empty | | bins? How well is h(X) concentrated around its mean? And what is the probability that a | | query ball lands in an empty bin? These questions are critical in applications such as Bloom filters [3] and Filter hashing [7]. -
6.1 Systems of Hash Functions
— 6 Hashing 6 Hashing 6.1 Systems of hash functions Notation: • The universe U. Usually, the universe is a set of integers f0;:::;U − 1g, which will be denoted by [U]. • The set of buckets B = [m]. • The set X ⊂ U of n items stored in the data structure. • Hash function h : U!B. Definition: Let H be a family of functions from U to [m]. We say that the family is c-universal for some c > 0 if for every pair x; y of distinct elements of U we have c Pr [h(x) = h(y)] ≤ : h2H m In other words, if we pick a hash function h uniformly at random from H, the probability that x and y collide is at most c-times more than for a completely random function h. Occasionally, we are not interested in the specific value of c, so we simply say that the family is universal. Note: We will assume that a function can be chosen from the family uniformly at random in constant time. Once chosen, it can be evaluated for any x in constant time. Typically, we define a single parametrized function ha(x) and let the family H consist of all ha for all possible choices of the parameter a. Picking a random h 2 H is therefore implemented by picking a random a. Technically, this makes H a multi-set, since different values of a may lead to the same function h. Theorem: Let H be a c-universal family of functions from U to [m], X = fx1; : : : ; xng ⊆ U a set of items stored in the data structure, and y 2 U n X another item not stored in the data structure. -
Linear Probing with 5-Independent Hashing
Lecture Notes on Linear Probing with 5-Independent Hashing Mikkel Thorup May 12, 2017 Abstract These lecture notes show that linear probing takes expected constant time if the hash function is 5-independent. This result was first proved by Pagh et al. [STOC’07,SICOMP’09]. The simple proof here is essentially taken from [Pˇatra¸scu and Thorup ICALP’10]. We will also consider a smaller space version of linear probing that may have false positives like Bloom filters. These lecture notes illustrate the use of higher moments in data structures, and could be used in a course on randomized algorithms. 1 k-independence The concept of k-independence was introduced by Wegman and Carter [21] in FOCS’79 and has been the cornerstone of our understanding of hash functions ever since. A hash function is a random function h : [u] [t] mapping keys to hash values. Here [s]= 0,...,s 1 . We can also → { − } think of a h as a random variable distributed over [t][u]. We say that h is k-independent if for any distinct keys x ,...,x [u] and (possibly non-distinct) hash values y ,...,y [t], we have 0 k−1 ∈ 0 k−1 ∈ Pr[h(x )= y h(x )= y ] = 1/tk. Equivalently, we can define k-independence via two 0 0 ∧···∧ k−1 k−1 separate conditions; namely, (a) for any distinct keys x ,...,x [u], the hash values h(x ),...,h(x ) are independent 0 k−1 ∈ 0 k−1 random variables, that is, for any (possibly non-distinct) hash values y ,...,y [t] and 0 k−1 ∈ i [k], Pr[h(x )= y ]=Pr h(x )= y h(x )= y , and ∈ i i i i | j∈[k]\{i} j j arXiv:1509.04549v3 [cs.DS] 11 May 2017 h i (b) for any x [u], h(x) is uniformly distributedV in [t]. -
The Power of Simple Tabulation Hashing
The Power of Simple Tabulation Hashing Mihai Pˇatra¸scu Mikkel Thorup AT&T Labs AT&T Labs May 10, 2011 Abstract Randomized algorithms are often enjoyed for their simplicity, but the hash functions used to yield the desired theoretical guarantees are often neither simple nor practical. Here we show that the simplest possible tabulation hashing provides unexpectedly strong guarantees. The scheme itself dates back to Carter and Wegman (STOC'77). Keys are viewed as consist- ing of c characters. We initialize c tables T1;:::;Tc mapping characters to random hash codes. A key x = (x1; : : : ; xc) is hashed to T1[x1] ⊕ · · · ⊕ Tc[xc], where ⊕ denotes xor. While this scheme is not even 4-independent, we show that it provides many of the guarantees that are normally obtained via higher independence, e.g., Chernoff-type concentration, min-wise hashing for estimating set intersection, and cuckoo hashing. Contents 1 Introduction 2 2 Concentration Bounds 7 3 Linear Probing and the Concentration in Arbitrary Intervals 13 4 Cuckoo Hashing 19 5 Minwise Independence 27 6 Fourth Moment Bounds 32 arXiv:1011.5200v2 [cs.DS] 7 May 2011 A Experimental Evaluation 39 B Chernoff Bounds with Fixed Means 46 1 1 Introduction An important target of the analysis of algorithms is to determine whether there exist practical schemes, which enjoy mathematical guarantees on performance. Hashing and hash tables are one of the most common inner loops in real-world computation, and are even built-in \unit cost" operations in high level programming languages that offer associative arrays. Often, these inner loops dominate the overall computation time. -
Fundamental Data Structures Contents
Fundamental Data Structures Contents 1 Introduction 1 1.1 Abstract data type ........................................... 1 1.1.1 Examples ........................................... 1 1.1.2 Introduction .......................................... 2 1.1.3 Defining an abstract data type ................................. 2 1.1.4 Advantages of abstract data typing .............................. 4 1.1.5 Typical operations ...................................... 4 1.1.6 Examples ........................................... 5 1.1.7 Implementation ........................................ 5 1.1.8 See also ............................................ 6 1.1.9 Notes ............................................. 6 1.1.10 References .......................................... 6 1.1.11 Further ............................................ 7 1.1.12 External links ......................................... 7 1.2 Data structure ............................................. 7 1.2.1 Overview ........................................... 7 1.2.2 Examples ........................................... 7 1.2.3 Language support ....................................... 8 1.2.4 See also ............................................ 8 1.2.5 References .......................................... 8 1.2.6 Further reading ........................................ 8 1.2.7 External links ......................................... 9 1.3 Analysis of algorithms ......................................... 9 1.3.1 Cost models ......................................... 9 1.3.2 Run-time analysis -
Security of Authentication Based on a Universal Hash-Function Family
c de Gruyter 2010 J. Math. Crypt. 4 (2010), 1–24 DOI 10.1515 / JMC.2010.xxx The power of primes: security of authentication based on a universal hash-function family Basel Alomair, Andrew Clark and Radha Poovendran Communicated by xxx Abstract. Message authentication codes (MACs) based on universal hash-function families are be- coming increasingly popular due to their fast implementation. In this paper, we investigate a family of universal hash functions that has been appeared repeatedly in the literature and provide a detailed algebraic analysis for the security of authentication codes based on this universal hash family. In particular, the universal hash family under analysis, as appeared in the literature, uses operation in the finite field Zp. No previous work has studied the extension of such universal hash family when computations are performed modulo a non-prime integer n. In this work, we provide the first such analysis. We investigate the security of authentication when computations are performed over arbi- trary finite integer rings Zn and derive an explicit relation between the prime factorization of n and the bound on the probability of successful forgery. More specifically, we show that the probability of successful forgery against authentication codes based on such a universal hash-function family is bounded by the reciprocal of the smallest prime factor of the modulus n. Keywords. Cryptography, authentication, finite integer rings, universal hash-function families. AMS classification. 11T71, 94A60, 94A62. 1 Introduction and related work Message authentication code (MAC) algorithms can be categorized, based on their se- curity, into unconditionally and conditionally secure MACs. -
New Bounds for Almost Universal Hash Functions
New bounds for almost universal hash functions Abstract Using combinatorial analysis and the pigeon-hole principle, we introduce a new lower (or combinatorial) bound for the key length in an almost (both pairwise and l-wise) universal hash function. The advantage of this bound is that the key length only grows in proportion to the logarithm of the message length as the collision probability moves away from its theoretical minimum by an arbitrarily small and positive value. Conventionally bounds for various families of universal hash functions have been derived by using the equivalence between pairwise universal hash functions and error-correcting codes, and indeed in this paper another (very similar) bound for almost universal hash functions can be calculated from the Singleton bound in coding theory. However, the latter, perhaps unexpectedly, will be shown to be not as tight as our combinatorial one. To the best of our knowledge, this is the first time that combinatorial analysis has been demonstrated to yield a better universal hash function bound than the use of the equivalence, and we will explain why there is such a mismatch. This work therefore potentially opens the way to re-examining many bounds for a number of families of universal hash functions, which have been solely derived from bounds in coding theory and/or other combinatorial objects. 1 Introduction and contribution Universal hash function H with parameters (, K, M, b) was introduced by Carter and Wegman [9, 43]. Each family, which is indexed by a K-bit key k, consists of 2K hash functions mapping a message representable by M bits into a b-bit hash output. -
High Speed Hashing for Integers and Strings
High Speed Hashing for Integers and Strings Mikkel Thorup May 12, 2020 Abstract These notes describe the most efficient hash functions currently known for hashing integers and strings. These modern hash functions are often an order of magnitude faster than those presented in standard text books. They are also simpler to implement, and hence a clear win in practice, but their analysis is harder. Some of the most practical hash functions have only appeared in theory papers, and some of them require combining results from different theory papers. The goal here is to combine the information in lecture-style notes that can be used by theoreticians and practitioners alike, thus making these practical fruits of theory more widely accessible. 1 Hash functions The concept of truly independent hash functions is extremely useful in the design of randomized algorithms. We have a large universe U of keys, e.g., 64-bit numbers, that we wish to map ran- domly to a range [m]= 0,...,m 1 of hash values. A truly random hash function h : U [m] { − } → assigns an independent uniformly random variable h(x) to each key in x. The function h is thus a U -dimensional random variable, picked uniformly at random among all functions from U to [m]. | | Unfortunately truly random hash functions are idealized objects that cannot be implemented. More precisely, to represent a truly random hash function, we need to store at least U log2 m bits, and in most applications of hash functions, the whole point in hashing is that the universe| | is much arXiv:1504.06804v9 [cs.DS] 9 May 2020 too large for such a representation (at least not in fast internal memory).