## Computing Science Group A new bound for l-wise almost universal hash functions

### BibTeX

@MISC{Nguyen_computingscience,

author = {L. H. Nguyen and A. W. Roscoe},

title = {Computing Science Group A new bound for l-wise almost universal hash functions},

year = {}

}

### Abstract

Using the pigeon-hole principle, we derive a new bound for the key length in an l-wise almost universal hash function where the multicollision or l-collision probability is bounded above by ɛ ∈ [0, 1]. The important features of this bound are (1) it decreases very slowly as l increases, and (2) the key length grows at least linearly with the logarithm of the message length. To our knowledge, this is the first almost universal hash bound for any integer l ≥ 2. This work arises from the use of l-wise almost universal hash functions in manual authentication protocols.

### Citations

675 | Universal Classes of Hash Functions
- Carter, Wegman
- 1979
Citation Context ...l-wise almost universal hash functions in manual authentication protocols. 1 Introduction An almost universal family of hash functions AU with parameters (K, M, b) was introduced by Carter and Wegman [3]. A universal family consists of 2^K hash functions, each of which maps an M-bit message from {0, 1}^M into {0, 1}^b or a b-bit output. In this paper, we will derive an AU_l-bound whose l-collision probab...

222 | PayWord and MicroMint: Two simple micropayment schemes. 63
- Rivest, Shamir
- 1992
Citation Context ...cture [5] and NIST’s specification for SHA-3 candidates [1] (Section 2.B.1). Multicollision resistance in cryptographic hash functions is also required in several identification and signature schemes [2, 5, 10]. The intuitive reason is because constructing l messages with the same hash value should be much harder than constructing only two of these. 2 A new bound for almost universal hash functions The foll...

21 | On the Connections Between Universal Hashing, Combinatorial Designs and Error-Correcting Codes
- Stinson
- 1996
Citation Context ...nt to our work is the equivalence between error-correcting codes (ECC) and pairwise universal hash functions, and thus several ECC-bounds have been transformed into bounds for universal hash functions [4, 11]. This strategy however cannot be used to derive AU_l-bound for l > 2 because the minimum Hamming distance among pairs of codewords corresponds to the pairwise-collision property in AU_2. ECC-parameters...

19 | Authenticating ad hoc networks by comparison of short digests
- Nguyen, Roscoe
- 2008
Citation Context ...· · · = h_k(m_l)] ≤ ɛ This specification arises from the use of AU_l in a number of group protocols in the manual authentication technology, including the schemes of Laur and Pasini [7], and the authors [8, 9]. In these protocols, parties have to manually compare a universal hash value of some key and public data that they seek to agree on. An attacker therefore will attempt to fool multiple parties into a...

17 | On the relation between A-Codes and Codes correcting independent errors
- Johansson, Kabatianskii, et al.

15 | SAS-Based Group Authentication and Key Agreement Protocols
- Laur, Pasini
- 2008
Citation Context ... }[h_k(m_1) = h_k(m_2) = · · · = h_k(m_l)] ≤ ɛ This specification arises from the use of AU_l in a number of group protocols in the manual authentication technology, including the schemes of Laur and Pasini [7], and the authors [8, 9]. In these protocols, parties have to manually compare a universal hash value of some key and public data that they seek to agree on. An attacker therefore will attempt to fool...

13 | Authentication protocols based on low-bandwidth unspoofable channels: a comparative survey
- Nguyen, Roscoe

6 | Multicollisions in Iterated Hash Functions
- Joux
- 2004
Citation Context ...aphic hash functions are not the same, it might be worth to mention that the idea of multicollision has been encountered in cryptographic hash design such as the cascaded or Merkle-Damgård structure [5] and NIST’s specification for SHA-3 candidates [1] (Section 2.B.1). Multicollision resistance in cryptographic hash functions is also required in several identification and signature schemes [2, 5, 10...

4 | New combinatorial bounds for authentication codes and key predistribution schemes
- Kurosawa, Okada, et al.
- 1998
Citation Context ...ersal hash parameters, which is the bound we derive here. We note that there have been bounds for an l-wise strongly universal hash function, which is a stronger version of AU_l, due to Kurosawa et al. [6], sadly these are only proved for the perfect case where ɛ = 2^−b. What is also relevant to our work is the equivalence between error-correcting codes (ECC) and pairwise universal hash functions, and thu...

3 | Design validation for discrete logarithm based signature schemes
- Brickell, Pointcheval, et al.