For any positive integer $k$, let $\boxplus_k$ be addition on $k$-bit unsigned integers and $\boxminus_k$ be subtraction on $k$-bit unsigned integers. Let $\operatorname{NH}_w((X,Y),(a,b)) = (a \boxplus_w X)\cdot(b \boxplus_w Y)$.
For any binary operator $F$ (the "hash family") we will say that $F$ is $\varepsilon$-A$\phi$U (abbreviating "$\varepsilon$-almost $\phi$ universal") when
$$\forall a \neq b,c, \Pr_u [\phi(F(u,a), F(u,b)) = c] \leq \varepsilon$$
Common choices of $\phi$ when the co-domain of $F$ is unsigned $k$-bit integers include $\boxminus_k$ and xor (aka $\oplus$). In the latter case, such families are usually just called "AXU"; in the former, $\text{A$\Delta$U}$. The $\varepsilon$ is omitted when it is clear from context.
Black et al. show that $\operatorname{NH}_w$ is $\text{$2^{-w}$-A$\Delta$U}$ for $\Delta = \boxminus_{2w}$ in "UMAC: Fast and Secure Message Authentication" [1, 2]. Other hash functions with similar probabilistic guarantees are used frequently for message authentication codes ("MACs"); see, for instance, Poly1305 or GHASH in Galois/Counter Mode.
The question I am working on is as follows:
Is $\operatorname{NH}_w$ $\text{$\alpha 2^{-w}$-AXU}$ for some constant $\alpha$ that does not depend on $w$?
The goal is increased performance, which I briefly touch on below.
I have checked by brute force computation that the proposition is true for $\alpha=2$ when $w < 11$. Specifically, $\max_{a\neq b,c} |\{ u : \operatorname{NH}_w(u,a) \oplus \operatorname{NH}_w(u,b) = c \}|$ forms the sequence 2, 4, 12, 20, 52, 92, 184, 404, 824, 1686, ... However, the computation method requires ${\sim}2^{4w}$ operations (each indexing into memory of size $\Omega(2^w)$ bytes), and I am interested in testing this proposition up to $w = 32$.
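As an added illustration (not code from the question or from the UMAC paper), the following Python brute force reproduces the first terms of the sequence above and, alongside, the $\boxminus_{2w}$ collision count that the UMAC bound caps at $2^w$. It assumes one reduction not stated in the question: a translation of the key by $a$ permutes the keys and sends $(a,b)$ to $((0,0), b \boxminus a)$, so fixing $a=(0,0)$ loses nothing and the search costs the stated ${\sim}2^{4w}$ evaluations.

```python
# Added example: brute-force AXU / ADU collision counts for NH_w.
# The reduction to a = (0,0) is an assumption of this example, justified below.
from collections import Counter
from itertools import product


def nh(w, u, m):
    """NH_w((X,Y),(a,b)) = ((a + X) mod 2^w) * ((b + Y) mod 2^w), a 2w-bit value."""
    X, Y = u
    a, b = m
    mask = (1 << w) - 1
    return ((a + X) & mask) * ((b + Y) & mask)


def max_collision_counts(w):
    """Return (max_xor, max_sub): the largest number of keys u for which
    NH_w(u,a) op NH_w(u,b) = c, maximised over a != b and c, with op = xor
    and op = subtraction mod 2^{2w}.  Dividing by the 2^{2w} keys gives the
    best epsilon for which NH_w is AXU / ADU at this w.

    Reduction (assumed here): X' = X + a1, Y' = Y + a2 (mod 2^w) is a bijection
    on keys that turns NH_w(u,a), NH_w(u,b) into NH_w(u',0), NH_w(u',b - a),
    so the count for (a,b,c) equals the count for ((0,0), b - a, c).  Fixing
    a = (0,0) and ranging b over the other 2^{2w} - 1 messages is ~2^{4w} work.
    """
    n = 1 << w
    mod = 1 << (2 * w)
    keys = list(product(range(n), repeat=2))
    base = [nh(w, u, (0, 0)) for u in keys]  # NH_w(u, (0,0)) = X * Y
    max_xor = max_sub = 0
    for b in product(range(n), repeat=2):
        if b == (0, 0):
            continue
        xor_counts, sub_counts = Counter(), Counter()
        for h0, u in zip(base, keys):
            h1 = nh(w, u, b)
            xor_counts[h0 ^ h1] += 1
            sub_counts[(h0 - h1) % mod] += 1
        max_xor = max(max_xor, max(xor_counts.values()))
        max_sub = max(max_sub, max(sub_counts.values()))
    return max_xor, max_sub


if __name__ == "__main__":
    for w in range(1, 5):
        mx, ms = max_collision_counts(w)
        # mx / 2^w is the alpha witnessed at this w; ms must not exceed 2^w (UMAC bound)
        print(f"w={w}: xor max {mx} (alpha={mx / 2**w}), sub max {ms} (bound {2**w})")
```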
Some tools I have attempted to use to come up with a proof (or a non-galactic way of computing the results up to $w=32$) that have come up short include:
- OEIS for the sequence above or other easily-computable sub-problems for $w < 11$
- Writing $a \oplus b$ as $a + b - 2(a \mathbin\& b)$ or $a - b + 2(\neg a \mathbin\& b)$ or $(a \mathbin| b) - (a \mathbin\& b)$
- Induction on $w$ on either the least-significant or most-significant bit
- Recursively defining the "carry" digits in the $\boxplus_w$ operations and handling those explicitly to generate $2w$ equations that restrict $u$
- Very basic differential cryptanalysis
- T-functions and M-functions as in "Statistical Properties of Multiplication mod $2^n$", as well as 2-adic analysis of T-functions as in "Non-Archimedean analysis, T-functions, and cryptography"
- "Fast Computation of Large Distributions and Its Cryptographic Applications"
- "On CCZ-equivalence of Addition mod $2^n$"
The motivation for this question is Nandi's "On the Minimum Number of Multiplications Necessary for Universal Hash Constructions", which shows a way to speed up certain hash computations that can be useful in MACs. In it, a linear code is applied to the output of a hash function applied pointwise to a sequence. Since linear codes are usually over a finite field but NH is over integers, the question of whether NH is AXU arises.
(This is a cross-post from MathOverflow, where the question got no comments and no answers after ten days, following their guidance on cross-posting.)
Edit:
The family
$$\operatorname{SNH}_w((X,Y), a) = \operatorname{NH}_w(X,a) \boxplus_{2w} Y$$
(where $0 \leq Y < 2^{2w}$) is $2^{-w}$ almost strongly universal, meaning that
$$\forall a \neq b, c, d, \Pr_u [\operatorname{SNH}_w(u,a) = c \land \operatorname{SNH}_w(u,b) = d] \leq 2^{-w}/2^{2w} = 2^{-3w}$$
(This is perhaps first mentioned in Theorem 5.4 of Stinson's "On the Connections Between Universal Hashing, Combinatorial Designs and Error-Correcting Codes".)
Since any $\varepsilon\text{-ASU}$ family is also $\varepsilon\text{-AXU}$, $\operatorname{SNH}$ has the property I'm looking for with $\alpha = 1$. However, this doesn't answer the original question. Furthermore, it requires both more randomness to generate a member of $\operatorname{SNH}$ and more computation to evaluate it. I wonder if it is possible to answer my original question using $\operatorname{SNH}$ combined with work like Lipmaa et al.'s "On the Additive Differential Probability of Exclusive-Or" or Mouha et al.'s "Maximums of the Additive Differential Probability of Exclusive-Or", which examine functions/values like
- $\operatorname{adp}^\oplus_w(\eta,\beta \to \gamma) = \Pr_{x,y} [(x \boxplus_w \eta) \oplus (y \boxplus_w \beta) = \gamma \boxplus_w (x \oplus y)]$, for which they prove that $\operatorname{adp}^\oplus_w(\eta, \beta \to \gamma) = \operatorname{adp}^\oplus_w(P, Q \to R)$ whenever the two multisets $\{\eta, \beta, \gamma\}$ and $\{P,Q,R\}$ are equal
- $\max_{\eta,\beta} \operatorname{adp}^\oplus_w(\eta, \beta \to \gamma)$ for given $\gamma$, which they prove is equal to $\operatorname{adp}^\oplus_w(0, \gamma \to \gamma)$ for all $\gamma$
- $\operatorname{adpmax}^\oplus_w(\gamma) = \{(\eta, \beta) : \operatorname{adp}^\oplus_w(\eta, \beta \to \gamma) = \operatorname{adp}^\oplus_w(0, \gamma \to \gamma)\}$, for which they prove $\forall \gamma, |\operatorname{adpmax}^\oplus_w(\gamma)| \in \{2,8\}$
- $\min_{\gamma} \operatorname{adp}^\oplus_w(0, \gamma \to \gamma) = \frac{1}{34 \cdot 8^w} \left( (17 + 7\sqrt{17})(1+\sqrt{17})^w + (17-7\sqrt{17}) (1-\sqrt{17})^w \right)$
- $\sum_{\gamma} \operatorname{adp}^\oplus_w(0, \gamma \to \gamma) = 2(3/2)^{w-1}$
The challenge in applying these to $\operatorname{SNH}$ is the $\Pr_{x,y}$ in the definition of $\operatorname{adp}^\oplus_w$, because the outputs of the two calls to $\operatorname{NH}$ are not independent and uniformly distributed.
Edit 2:
After two weeks with no answers here, I have cross-posted to cstheory.SE.