1

I need a compression function $F$ that uses only bitwise operations (AND, NOT, OR, XOR, shifts, rotations) and outputs one 32-bit word $W$ from four 32-bit words $w_1 \mathbin\Vert w_2 \mathbin\Vert w_3 \mathbin\Vert w_4$. The function is required to satisfy one special property: if two 128-bit blocks

$$\begin{array}{l} B_1 = w_{1.1} \mathbin\Vert w_{1.2} \mathbin\Vert w_{1.3} \mathbin\Vert w_{1.4},\\ B_2 = w_{2.1} \mathbin\Vert w_{2.2} \mathbin\Vert w_{2.3} \mathbin\Vert w_{2.4} \end{array}$$

differ only in one word (that is, there exists only one number $x$ such that $w_{1.x} \neq w_{2.x}$), then $$F(B_1) \neq F(B_2).$$

But if we have a set $S$ of $y$ different 128-bit blocks

$$S = \{B_1, B_2, \ldots, B_{y-1}, B_y\}$$

such that for any pair $(B_m, B_n)$ of elements, $B_m$ differs from $B_n$ in two or more words, then the probability of $F(B_m) = F(B_n)$ is the same as for any standard cryptographic compression function (that outputs one 32-bit word from four 32-bit words).

Is it possible to construct such a function? If yes, can anyone give an example of a function that fits the above description?

EDIT

The connection to cryptography is that some attacks on EnRUPT and XXTEA use the fact that the round function does not satisfy the property described above:

The round function of EnRUPT is not bijective for the given key word

and

XXTEA’s $F$ is not bijective for either neighbor

lyrically wicked
  • 1,337
  • 7
  • 10
  • 2
    The operations you specified make the system Turing complete, so you could describe any algorithm as NOT+AND. Also, what you're looking for is a property called "burst detection", which is in the realm of CRCs. – forest Apr 06 '19 at 07:50
  • 1
    @forest: I used the term "bitwise operations" as related to a practical implementation of a function. For example, Keccak block permutations use only bitwise operations, but a practical implementation of a block transformation in SHA-2 also uses additions, hence does not use "only bitwise operations". – lyrically wicked Apr 06 '19 at 08:04
  • You can use the parity of the bits: guaranteed to change under single-bit errors (and as a bonus, errors of any odd Hamming weight); cheap to compute using only XOR; extends naturally to larger error-detecting capacity as a special case of any CRC over a polynomial with $x + 1$ as a factor. But there's no cryptographic content here. What do you want this for? What is the connection to cryptography? – Squeamish Ossifrage Apr 07 '19 at 20:48
  • @SqueamishOssifrage: I edited the question to explain the connection to cryptography. What do I want this for? The answer depends on the performance of a function with the described property. If the algorithm is fast, then at least it can be used as a non-cryptographic hashing function for 128-bit integers... – lyrically wicked Apr 08 '19 at 05:23
  • What are you planning to do with this? Suppose it's fast; what do you need it for then? ‘Hashing function’ doesn't narrow it down—that could mean any of umpteen different things. Are you using it for a hash table? For a message authentication code? For content-addressed storage? For error detection in a nonmalicious noisy channel? – Squeamish Ossifrage Apr 08 '19 at 05:28
  • @SqueamishOssifrage: I need it to detect single-word errors in 128-bit keys. – lyrically wicked Apr 08 '19 at 05:39
  • Well, you can try to pick a CRC polynomial with sufficient guaranteed error-detection capacity, but it may be a tall order to demand that every possible single-word error is detected. You're still not saying why you need this, and the amount of effort you're putting forth to conceal your purpose is not promising. Can you step back, forget the diffusion and nonlinearity and words and hashing, and give the actual context? – Squeamish Ossifrage Apr 08 '19 at 05:47
  • @SqueamishOssifrage: [1/2] The basic non-cryptographic context is given, for example, here or here. Just a 32-bit hash for an unsigned 128-bit integer, with the additional property of detecting any error if this error is in a single 32-bit word. – lyrically wicked Apr 08 '19 at 06:34
  • @SqueamishOssifrage: [2/2] Regarding the cryptographic context, I explained it in the edit. I was reading about the attacks on EnRUPT and XXTEA, and I was interested in the structure of the round function. Also I have a question about the unbalanced Feistel networks (but I cannot ask this question without gathering some preliminary information). – lyrically wicked Apr 08 '19 at 06:34

1 Answers1

2

I may be missing some subtlety intended by the problem-setter, but the simple answer that satisfies the stated conditions, or damn near, is to just xor the words:

$$F = w_1 \oplus w_2 \oplus w_3 \oplus w_4$$

If we model any change to $w_i$ as xoring with a nonzero error term $e_i$, since xor is linear in $GF(2^n)$

$$F' = (w_1\oplus e_1)\oplus (w_2\oplus e_2)\oplus (w_3\oplus e_3)\oplus (w_4\oplus e_4) \\ = F \oplus (e_1\oplus e_2\oplus e_3\oplus e_4)$$

If only one of $e_i$ is nonzero, the net error is nonzero. If more than one of $e_i$ is nonzero, independently at random, the probability that the net error is zero is almost $2^{-32}$ -- excluding zero from some of the choices throws it off slightly, but I don't remember enough probability to compute exactly how.

dave_thompson_085
  • 6,319
  • 1
  • 21
  • 23
  • Yes, but a simple XOR lacks two basic cryptographic properties: sufficient diffusion of bits and non-linearity. It is possible to choose four different keys $(a, b, c, d)$ for an appropriate PRP $E$ and use $F(B) = E_a(w_1) \oplus E_b(w_2) \oplus E_c(w_3) \oplus E_d(w_4)$, but the problem is obvious: such functions make the performance absolutely unacceptable... – lyrically wicked Apr 08 '19 at 05:25