Strongly 2-Universal Family of Hash Functions from {0,1}^m -> {0,1}^n ===================================================================== Random Toeplitz Matrix A of dimensions n x m: Populate the first row and first column of A with random {0,1} entries. Any other entry A_{ij} = A_{i-1, j-1}; i.e., all the diagonals in A have the same value. Now define the family: H = { h_{A, b}(x) = Ax + b | A is a random n x m Toeplitz matrix, b is a random {0,1}^n vector } All calculations are done in GF(2). Hence any hash function h_{A,b} is specified by (m + n - 1) + n bits. (m + n - 1) for A, n for b. How many functions are there in H? CLAIM: H is a strongly 2-UnivHashFam. Proof. Want to show for x != y \in {0,1}^m and alpha, beta \in {0,1}^n (*) Pr_h [ h(x) = alpha AND h(y) = beta ] = 1/(2^n)^2 = 1/2^{2n} [FIRST: let us find the Pr of getting an appropriate A.] If h(x) = Ax + b = alpha, and h(x) = Ay + b = beta then A(x-y) = (beta - alpha). Call z = x-y, gamma = beta - alpha. Want Pr[ Az = gamma ] Remember z != 0^n, since x != y. [ -------- A_1 --------- ] [ z_1 ] [ -------- A_2 --------- ] [ z_2 ] [ -------- . --------- ] [ . ] [ -------- . --------- ] [ . ] [ -------- A_i --------- ] [ . ] [ -------- . --------- ] [ . ] [ -------- . --------- ] [ . ] [ -------- A_n --------- ] [ . ] [ . ] [ z_m ] Can imagine that first entry of z is a 1. (I.e., z_1 = 1.) (If first j entries of z are zero, define z' = [z_(j+1) ..... z_m]^T, define A' as A without its first j columns. note that Pr[ A'.z' = gamma ] = Pr[ A.z = gamma ] ) If A.z = gamma, then A_1.z = gamma_1, A_2.z = gamma_2 etc. We will defer decisions again: we first look at the first row A_1, and then the new bit A_{21} on the second row, then the new bit A_{31} on the third row, and so on. Pr[A_1.z = gamma_1] = 1/2. (This is just Claim 2.2.3 from Lec #2. We have looked at A_1.) Pr[A_2.z = gamma_2 | A_1 ] = 1/2. (Want A_{21}z_1 = gamma_2 - (A_{22}z_2 + ... + A_{2m}z_m) = gamma_2 - (A_{11}z_2 + ... + A_{1,m-1}z_m). Either RHS = 0 or 1. Hence A_{21} must be 0 or 1 for equality. Note that A_{21} is new random value not in row A_1. Hence new coin flip, which has prob = 1/2. We have now looked at A_{21}.) Similarly each of the other gamma_i values, Pr[A_i.z = gamma_i | A_1, A_2, ..., A_{i-1} ] = 1/2. Thus Pr[ Az = gamma ] = Pr[A_1.z = gamma_1] * Pr[A_2.z = gamma_2 | A_1 ] * ... Pr[A_n.z = gamma_n | A_1, A_2, ..., A_{n-1} ] = (1/2)^n. [NEXT: let us find the Pr of getting an appropriate b for such A's.] Conditioning on such an A, for (Ax + b) to be equal to alpha, we must have b = (alpha - Ax). Chance of this b appearing is (1/2)^n, since b randomly from {0,1}^n Since A and b chosen independently, chance of (*) is (1/2)^n * (1/2)^n, as desired. QED. Strongly 2-Universal Hash Family of functions from GF(q) -> GF(q) ================================================================= We assume that q is such that there is a corresponding finite field of size q. (I.e., q is a prime or prime power.) H = { h_{a,b}(x) = ax+b | a, b \in GF(q) } All calculations are in GF(q). Claim: H is a Strongly 2-UnivHashFam. Proof. If (ax + b = alpha) AND (ay + b = beta), then [ alpha ] = [ x 1 ] [ a ] [ beta ] [ y 1 ] [ b ] But x != y, and thus the 2x2 matrix is invertible. Given alpha and beta, there are unique values in GF(q) that a and b must have, and the probability of that is 1/q^2. QED. Another Strongly 2-UnivHashFam from {0,1}^m -> {0,1}^n ====================================================== Note that setting q = 2^m, and then taking the first n bits of the answer, we can get another hash family from {0,1}^m -> {0,1}^n. But calculations in the field GF(2^m) are more involved than in GF(2), and furthermore, if m is large, we use more randomness here (2m bits as opposed to m+2n-1 bits for the previous hash function).