[mLib] / hash / unihash.3

.\" -*-nroff-*-
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.de hP
.IP
.ft B
\h'-\w'\\$1\ 'u'\\$1\ \c
.ft P
..
.ie t \{\
.  ds ss \s8\u
.  ds se \d\s0
.  ds us \s8\d
.  ds ue \u\s0
.  ds *d \(*d
.  ds >= \(>=
.\}
.el \{\
.  ds ss ^
.  ds se
.  ds us _
.  ds ue
.  ds *d \fIdelta\fP
.  ds >= >=
.\}
.TH unihash 3 "5 July 2003" "Straylight/Edgeware" "mLib utilities library"
.SH NAME
unihash \- simple and efficient universal hashing for hashtables
.\" @unihash_setkey
.\" @UNIHASH_INIT
.\" @unihash_hash
.\" @UNIHASH
.\" @unihash
.SH SYNOPSIS
.nf
.B "#include <mLib/unihash.h>"

.B "typedef struct { ...\& } unihash_info;"

.B "unihash_info unihash_global;"

.BI "void unihash_setkey(unihash_info *" i ", uint32 " k );
.BI "uint32 UNIHASH_INIT(const unihash_info *" i );
.BI "uint32 unihash_hash(const unihash_info *" i ", uint32 " a ,
.BI "                    const void *" p ", size_t " sz );
.BI "uint32 unihash(const unihash_info *" i ", const void *" p ", size_t " sz );
.BI "uint32 UNIHASH(const unihash_info *" i ", const void *" p ", size_t " sz );
.fi
.SH DESCRIPTION
The
.B unihash
system implements a simple and relatively efficient
.IR "universal hashing family" .
Using a such a universal hashing family means that it's provably
difficult for an adversary to choose input data whose hashes collide,
thus guaranteeing good average performance even on maliciously chosen
data.
.PP
Unlike, say,
.BR crc32 (3),
the
.B unihash
function is
.I keyed
\- in addition to the data to be hashed, the function takes as input a
32-bit key.  This key should be chosen at random each time the program
runs.
.SS "Preprocessing a key"
Before use, a key must be
.I preprocessed
into a large (16K) table which is used by the main hashing functions.
The preprocessing is done by
.BR unihash_setkey :
pass it a pointer to a
.B unihash_info
structure and the 32-bit key you've chosen, and it stores the table in
the structure.
.PP
Objects of type
.B unihash_info
don't contain any pointers to other data and are safe to free when
you've finished with them; or you can just allocate them statically or
on the stack if that's more convenient.
.SS "Hashing data"
The function
.B unihash_hash
takes as input:
.TP
.BI "const unihash_info *" i
A pointer to the precomputed tables for a key.
.TP
.BI "uint32 " a
An accumulator value.  This should be
.BI UNIHASH_INIT( i )
for the first chunk of a multi-chunk input, or the result of the
previous
.B unihash_hash
call for subsequent chunks.
.TP
.BI "const void *" p
A pointer to the start of a buffer containing this chunk of data.
.TP
.BI "size_t " sz
The length of the chunk.
.PP
The function returns a new accumulator value, which is also the hash of
the data so far. So, to hash multiple chunks of data, do something like
.VS
uint32 a = UNIHASH_INIT(i);
a = unihash_hash(i, a, p_0, sz_0);
a = unihash_hash(i, a, p_1, sz_1);
/* ... */
a = unihash_hash(i, a, p_n, sz_n);
.VE
The macro
.B UNIHASH
and function
.B unihash
are convenient interfaces to
.B unihash_hash
if you only wanted to hash one chunk.
.SS "Global hash info table"
There's no problem with using the same key for several purposes, as long
as it's secret from all of your adversaries.  Therefore, there is a
global
.B unihash_info
table define, called
.BR unihash_global .
This initially contains information for a fixed key which the author
chose at random, but if you need to you can set a different key into it
.I before
it gets used to hash any data (otherwise your hash tables will become
messed up).
.SS "Theoretical issues"
The hash function implemented by
.B unihash
is
.RI ( l \ +\ 1)/2\*(ss32\*(se-almost
XOR-universal, where
.I l
is the length (in bytes) of the longest string you hash.  That means
that, for any pair of strings
.I x
and
.I y
and any 32-bit value \*(*d, the probability taken over all choices of the
key
.I k
that
.IR H\*(usk\*(ue ( x )\  \c
.BR xor \c
.RI \  H\*(usk\*(ue ( y )\ =\ \*(*d
is no greater than
.RI ( l \ +\ 1)/2\*(ss32\*(se.
.PP
This fact is proven in the header file, but it requires more
sophisticated typesetting than is available here.
.PP
The function evaluates a polynomial over GF(2\*(ss32\*(se) whose
coefficients are the bytes of the message and whose variable is the key.
Details are given in the header file.
.PP
For best results, you should choose the key as a random 32-bit number
each time your program starts.  Choosing a different key for different
hashtables isn't necessary.  It's probably a good idea to avoid the keys
0 and 1.  This raises the collision bound to
.RI ( l \ +\ 1)/(2\*(ss32\*(se\ \-\ 2)
(which isn't a significant increase) but eliminates keys for which the
hash's behaviour is particularly poor.
.PP
In tests,
.B unihash
actually performed better than
.BR crc32 ,
so if you want to just use it as a fast-ish hash with good statistical
properties, choose some fixed key
.IR k \ \*(>=\ 2.
.PP
We emphasize that the proof of this function's collision behaviour is
.I not
dependent on any unproven assumptions (unlike many `proofs' of
cryptographic security, which actually reduce the security of some
construction to the security of its components).  It's just a fact.
.SH SEE ALSO
.BR unihash-mkstatic (3),
.BR crc32 (3),
.BR mLib (3).
.SH AUTHOR
Mark Wooding (mdw@distorted.org.uk).
Commit	Line	Data
8fe3c82b	1	.\" --nroff--
	2	.de VS
	3	.sp 1
	4	.RS
	5	.nf
	6	.ft B
	7	..
	8	.de VE
	9	.ft R
	10	.fi
	11	.RE
	12	.sp 1
	13	..
	14	.de hP
	15	.IP
	16	.ft B
	17	\h'-\w'\\$1\ 'u'\\$1\ \c
	18	.ft P
	19	..
	20	.ie t \{\
	21	. ds ss \s8\u
	22	. ds se \d\s0
	23	. ds us \s8\d
	24	. ds ue \u\s0
	25	. ds d \(d
	26	. ds >= \(>=
	27	.\}
	28	.el \{\
	29	. ds ss ^
	30	. ds se
	31	. ds us _
	32	. ds ue
	33	. ds *d \fIdelta\fP
	34	. ds >= >=
	35	.\}
	36	.TH unihash 3 "5 July 2003" "Straylight/Edgeware" "mLib utilities library"
	37	.SH NAME
	38	unihash \- simple and efficient universal hashing for hashtables
	39	.\" @unihash_setkey
	40	.\" @UNIHASH_INIT
	41	.\" @unihash_hash
	42	.\" @UNIHASH
	43	.\" @unihash
	44	.SH SYNOPSIS
	45	.nf
	46	.B "#include <mLib/unihash.h>"
	47
4729aa69 MW	48	.B "typedef struct { ...\& } unihash_info;"
4729aa69 MW	49
6f444bda	50	.B "unihash_info unihash_global;"
6f444bda	51
8fe3c82b	52	.BI "void unihash_setkey(unihash_info *" i ", uint32 " k );
8fe3c82b	53	.BI "uint32 UNIHASH_INIT(const unihash_info *" i );
3bc42912	54	.BI "uint32 unihash_hash(const unihash_info *" i ", uint32 " a ,
3bc42912	55	.BI " const void *" p ", size_t " sz );
8fe3c82b	56	.BI "uint32 unihash(const unihash_info " i ", const void " p ", size_t " sz );
	57	.BI "uint32 UNIHASH(const unihash_info " i ", const void " p ", size_t " sz );
	58	.fi
	59	.SH DESCRIPTION
	60	The
	61	.B unihash
	62	system implements a simple and relatively efficient
	63	.IR "universal hashing family" .
	64	Using a such a universal hashing family means that it's provably
	65	difficult for an adversary to choose input data whose hashes collide,
	66	thus guaranteeing good average performance even on maliciously chosen
	67	data.
	68	.PP
	69	Unlike, say,
	70	.BR crc32 (3),
	71	the
	72	.B unihash
	73	function is
	74	.I keyed
	75	\- in addition to the data to be hashed, the function takes as input a
	76	32-bit key. This key should be chosen at random each time the program
	77	runs.
	78	.SS "Preprocessing a key"
	79	Before use, a key must be
	80	.I preprocessed
	81	into a large (16K) table which is used by the main hashing functions.
	82	The preprocessing is done by
	83	.BR unihash_setkey :
	84	pass it a pointer to a
	85	.B unihash_info
	86	structure and the 32-bit key you've chosen, and it stores the table in
	87	the structure.
	88	.PP
	89	Objects of type
	90	.B unihash_info
	91	don't contain any pointers to other data and are safe to free when
	92	you've finished with them; or you can just allocate them statically or
	93	on the stack if that's more convenient.
	94	.SS "Hashing data"
	95	The function
	96	.B unihash_hash
	97	takes as input:
	98	.TP
	99	.BI "const unihash_info *" i
	100	A pointer to the precomputed tables for a key.
	101	.TP
d4efbcd9	102	.BI "uint32 " a
8fe3c82b	103	An accumulator value. This should be
	104	.BI UNIHASH_INIT( i )
	105	for the first chunk of a multi-chunk input, or the result of the
	106	previous
	107	.B unihash_hash
	108	call for subsequent chunks.
	109	.TP
	110	.BI "const void *" p
	111	A pointer to the start of a buffer containing this chunk of data.
	112	.TP
	113	.BI "size_t " sz
	114	The length of the chunk.
	115	.PP
	116	The function returns a new accumulator value, which is also the hash of
	117	the data so far. So, to hash multiple chunks of data, do something like
	118	.VS
	119	uint32 a = UNIHASH_INIT(i);
	120	a = unihash_hash(i, a, p_0, sz_0);
	121	a = unihash_hash(i, a, p_1, sz_1);
	122	/* ... */
	123	a = unihash_hash(i, a, p_n, sz_n);
	124	.VE
	125	The macro
	126	.B UNIHASH
	127	and function
	128	.B unihash
	129	are convenient interfaces to
	130	.B unihash_hash
	131	if you only wanted to hash one chunk.
6f444bda	132	.SS "Global hash info table"
	133	There's no problem with using the same key for several purposes, as long
	134	as it's secret from all of your adversaries. Therefore, there is a
	135	global
	136	.B unihash_info
	137	table define, called
	138	.BR unihash_global .
	139	This initially contains information for a fixed key which the author
	140	chose at random, but if you need to you can set a different key into it
	141	.I before
	142	it gets used to hash any data (otherwise your hash tables will become
	143	messed up).
8fe3c82b	144	.SS "Theoretical issues"
	145	The hash function implemented by
	146	.B unihash
	147	is
	148	.RI ( l \ +\ 1)/2\(ss32\(se-almost
	149	XOR-universal, where
	150	.I l
	151	is the length (in bytes) of the longest string you hash. That means
	152	that, for any pair of strings
	153	.I x
	154	and
	155	.I y
	156	and any 32-bit value \(d, the probability taken over all choices of the
	157	key
	158	.I k
	159	that
	160	.IR H\(usk\(ue ( x )\ \c
	161	.BR xor \c
	162	.RI \ H\(usk\(ue ( y )\ =\ \(d
	163	is no greater than
	164	.RI ( l \ +\ 1)/2\(ss32\(se.
	165	.PP
	166	This fact is proven in the header file, but it requires more
	167	sophisticated typesetting than is available here.
	168	.PP
	169	The function evaluates a polynomial over GF(2\(ss32\(se) whose
	170	coefficients are the bytes of the message and whose variable is the key.
	171	Details are given in the header file.
	172	.PP
	173	For best results, you should choose the key as a random 32-bit number
	174	each time your program starts. Choosing a different key for different
	175	hashtables isn't necessary. It's probably a good idea to avoid the keys
	176	0 and 1. This raises the collision bound to
	177	.RI ( l \ +\ 1)/(2\(ss32\(se\ \-\ 2)
	178	(which isn't a significant increase) but eliminates keys for which the
	179	hash's behaviour is particularly poor.
	180	.PP
	181	In tests,
	182	.B unihash
	183	actually performed better than
	184	.BR crc32 ,
	185	so if you want to just use it as a fast-ish hash with good statistical
	186	properties, choose some fixed key
	187	.IR k \ \*(>=\ 2.
	188	.PP
	189	We emphasize that the proof of this function's collision behaviour is
	190	.I not
	191	dependent on any unproven assumptions (unlike many `proofs' of
	192	cryptographic security, which actually reduce the security of some
	193	construction to the security of its components). It's just a fact.
	194	.SH SEE ALSO
6f444bda	195	.BR unihash-mkstatic (3),
8fe3c82b	196	.BR crc32 (3),
	197	.BR mLib (3).
	198	.SH AUTHOR
9b5ac6ff	199	Mark Wooding (mdw@distorted.org.uk).