3 .\" Manual for universal hashing
5 .\" (c) 2003, 2005, 2007, 2009, 2023, 2024 Straylight/Edgeware
8 .\"----- Licensing notice ---------------------------------------------------
10 .\" This file is part of the mLib utilities library.
12 .\" mLib is free software: you can redistribute it and/or modify it under
13 .\" the terms of the GNU Library General Public License as published by
14 .\" the Free Software Foundation; either version 2 of the License, or (at
15 .\" your option) any later version.
17 .\" mLib is distributed in the hope that it will be useful, but WITHOUT
18 .\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19 .\" FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
20 .\" License for more details.
22 .\" You should have received a copy of the GNU Library General Public
23 .\" License along with mLib. If not, write to the Free Software
24 .\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
27 .\"--------------------------------------------------------------------------
28 .so ../defs.man \" @@@PRE@@@
30 .\"--------------------------------------------------------------------------
31 .TH unihash 3mLib "5 July 2003" "Straylight/Edgeware" "mLib utilities library"
38 .\"--------------------------------------------------------------------------
40 unihash \- simple and efficient universal hashing for hashtables
42 .\"--------------------------------------------------------------------------
46 .B "#include <mLib/unihash.h>"
48 .B "typedef struct { ...\& } unihash_info;"
50 .B "unihash_info unihash_global;"
52 .BI "void unihash_setkey(unihash_info *" i ", uint32 " k );
53 .BI "uint32 UNIHASH_INIT(const unihash_info *" i );
54 .ta \w'\fBuint32 unihash_hash('u
55 .BI "uint32 unihash_hash(const unihash_info *" i ", uint32 " a ,
56 .BI " const void *" p ", size_t " sz );
57 .BI "uint32 unihash(const unihash_info *" i ", const void *" p ", size_t " sz );
58 .BI "uint32 UNIHASH(const unihash_info *" i ", const void *" p ", size_t " sz );
61 .\"--------------------------------------------------------------------------
65 system implements a simple and relatively efficient
66 .IR "universal hashing family" .
67 Using a such a universal hashing family means that it's provably
68 difficult for an adversary to choose input data whose hashes collide,
69 thus guaranteeing good average performance even on maliciously chosen
78 \- in addition to the data to be hashed, the function takes as input a
79 32-bit key. This key should be chosen at random each time the program
82 .SS "Preprocessing a key"
83 Before use, a key must be
85 into a large (16K) table which is used by the main hashing functions.
86 The preprocessing is done by
88 pass it a pointer to a
90 structure and the 32-bit key you've chosen, and it stores the table in
95 don't contain any pointers to other data and are safe to free when
96 you've finished with them; or you can just allocate them statically or
97 on the stack if that's more convenient.
104 .BI "const unihash_info *" i
105 A pointer to the precomputed tables for a key.
108 An accumulator value. This should be
109 .BI UNIHASH_INIT( i )
110 for the first chunk of a multi-chunk input, or the result of the
113 call for subsequent chunks.
116 A pointer to the start of a buffer containing this chunk of data.
119 The length of the chunk.
121 The function returns a new accumulator value, which is also the hash of
122 the data so far. So, to hash multiple chunks of data, do something like
124 uint32 a = UNIHASH_INIT(i);
125 a = unihash_hash(i, a, p_0, sz_0);
126 a = unihash_hash(i, a, p_1, sz_1);
128 a = unihash_hash(i, a, p_n, sz_n);
134 are convenient interfaces to
136 if you only wanted to hash one chunk.
138 .SS "Global hash info table"
139 There's no problem with using the same key for several purposes, as long
140 as it's secret from all of your adversaries. Therefore, there is a
145 This initially contains information for a fixed key which the author
146 chose at random, but if you need to you can set a different key into it
148 it gets used to hash any data (otherwise your hash tables will become
151 .SS "Theoretical issues"
152 The hash function implemented by
155 .RI ( l \ +\ 1)/2\*(ss32\*(se-almost
158 is the length (in bytes) of the longest string you hash. That means
159 that, for any pair of strings
163 and any 32-bit value \*(*d, the probability taken over all choices of the
167 .IR H\*(usk\*(ue ( x )\ \c
169 .RI \ H\*(usk\*(ue ( y )\ =\ \*(*d
171 .RI ( l \ +\ 1)/2\*(ss32\*(se.
173 This fact is proven in the header file, but it requires more
174 sophisticated typesetting than is available here.
176 The function evaluates a polynomial over GF(2\*(ss32\*(se) whose
177 coefficients are the bytes of the message and whose variable is the key.
178 Details are given in the header file.
180 For best results, you should choose the key as a random 32-bit number
181 each time your program starts. Choosing a different key for different
182 hashtables isn't necessary. It's probably a good idea to avoid the keys
183 0 and 1. This raises the collision bound to
184 .RI ( l \ +\ 1)/(2\*(ss32\*(se\ \-\ 2)
185 (which isn't a significant increase) but eliminates keys for which the
186 hash's behaviour is particularly poor.
190 actually performed better than
192 so if you want to just use it as a fast-ish hash with good statistical
193 properties, choose some fixed key
196 We emphasize that the proof of this function's collision behaviour is
198 dependent on any unproven assumptions (unlike many `proofs' of
199 cryptographic security, which actually reduce the security of some
200 construction to the security of its components). It's just a fact.
202 .SS "Practical issues"
203 The implementation of
205 uses a (fairly large) table precomputed from the key.
206 When a message is hashed,
207 some of the message data
208 and internal state of the hashing operation
209 are leaked to other processes on the same hardware
210 through the processor cache
211 and other stateful microarchitectural features.
212 It's possible for an adversary to determine the hashing key
213 by observing this leakage.
214 This is unlikely to be a major concern
215 since local processes have other, more effective ways to deny service;
218 may be more appropriate.
219 See that manual page for a comparison of the two.
221 .\"--------------------------------------------------------------------------
224 .BR unihash-mkstatic (1),
229 .\"--------------------------------------------------------------------------
232 Mark Wooding (mdw@distorted.org.uk).
234 .\"----- That's all, folks --------------------------------------------------