S. Guritman, N. Aliatiningtyas, T. Wulandari and M. Ilyas 182 Algorithm 2 Operation Algorithm mod f b a : Input: Vector 1 2 1 ..., , , , − = m a a a a a and 1 2 1 ..., , , , − = n b b b b b in the ring [ ] . x f x p n p Z Z ≅ Output: The vector 1 2 1 ..., , , , − = n c c c c c as the product of a and b in the ring . n p Z 1. Initialization a c : b = denotes a scalar times vector and . : a w = 2. For integer 1 = i to , 1 − = n i calculate: a f w RotSubs w , : = call Algorithm 1. b If , ≠ i b calculate . : w c c i b + =

3. returnc.

Since the speed of Algorithm 1 is constant on the growth of the value of n, the most dominant influence computational efficiency of Algorithm 2 is the number of addition and multiplication operations modulo p. In this case, we could observe that Algorithm 2 involves at most 2 n multiplication operation modulo p and at most 1 − n n addition operation modulo p . Related to Algorithm 2 as a subroutine in the construction of a hash function algorithm described in Section 3, it is assumed that b is a binary vector. Therefore, it is easily observed that Algorithm 2 only requires an average of ⎟ ⎠ ⎞ ⎜ ⎝ ⎛ − 2 1 n n addition operation modulo p, equivalent to p n n lg 2 1 ⎟ ⎠ ⎞ ⎜ ⎝ ⎛ − bits operation. By setting the parameter p as constant, the size of the efficiency of Algorithm 2 is 2 n O bit operations 1 . 1 O read “big oh” is a measure of the speed of a mathematical algorithm asymptotically. Formal definition can refer to standard text books containing the algorithm discussion. Construction of Family of Hash Functions Based on Ideal Lattice 183

3. Hash Function Construction

Following the definition of the hash function and its construction techniques in the [9], the definition and construction of hash functions in this article is enough to define the compression function just as well as construct the algorithm. In this case, the hash function is constructed based on lattice, the family of hash functions that compression is defined as n p m d h Z Z → : A with Ax x y A = = h with m n p × ∈ Z A is viewed as a key bits lg length p mn are chosen at random after the positive integer parameter values m, n, d d is relatively small value is set, with compression condition . lg lg 2 d p n m ≈ The process of computing a matrix multiplication Ax which means involving n m × multiplication operation modulo p. Furthermore, matrix multiplication formula Ax can be written from the multiplication operation in [ ] , x f x p Z i.e., ∑ = ⋅ = t i i i 1 . x a y In this case, tn m = and t a a a ..., , , 2 1 is seen as key with length p m lg bits are t vector in n p Z chosen at random. i i x a ⋅ is a representation of a multiplication operation modulo , x f that is clear that the computational process becomes more efficient than before. This formula is defined as compression function formula of the hash function family based on ideal lattice. With the aim of shortening the key and accelerating the computation process of a hash function family computing based on ideal lattice, we now define the compression function of the hash function defined recursively S. Guritman, N. Aliatiningtyas, T. Wulandari and M. Ilyas 184 , a y = and for t k ..., , 2 , 1 = calculate , mod 1 i i k k f x y y : − = then ∑ = = t i i 1 . y y In this case, a and t f f f ..., , , 2 1 is seen as a key, a is chosen randomly and uniformly in n p Z and t f f f ..., , , 2 1 were selected randomly and uniformly t ordered pairs in the set { } { } 1 ..., , 2 , 1 1 , 1 − ± ± ± × − n and computing i i i f x y mod 1 : − using Algorithm 2. More specifically, the compression procedure of the above formula is as follows. 1. Set positive integer parameters m , n and t with , nt m = also set the value of a prime p such that . lg 2 p n m ≈ 2. Select randomly and uniformly key a and . ..., , , 2 1 t f f f 3. Take binary message , 2 m Z ∈ x divided into t blocks, namely: , ..., , , 2 1 t x x x then n k 2 Z ∈ x for . ..., , 2 , 1 t k = 4. Calculate compression function value y of the input message x using the following algorithm. Algorithm 3 Compression Function Algorithm Input: Message block , ..., , , 2 1 t x x x means n k 2 Z ∈ x for . ..., , 2 , 1 t k = Output: The vector . n p Z ∈ y 1. Initialization . , : y a z = = 2. For integer 1 = k to , t i = calculate: a k k f x z z mod : : = call Algorithm 2. b . : z y y + = 3. return y . Construction of Family of Hash Functions Based on Ideal Lattice 185 It is clear that the computing process above will define a family of compression functions n p m h Z Z → 2 : which means compressing binary message x with length m bits to y with length 2 lg m p n ≈ bits. Moreover, because the computing process k k f x z mod : defines a matrix multiplication , k k x A then the computational process of the compression function h also defines matrix multiplication Ax x = h with . 2 1 m n q t × ∈ = Z A A A A From the fact that Algorithm 2 contains 2 1 n n − addition operations modulo p, it is clear that the process of computing the compression function h on average contains 2 1 2 1 m n t n n − = ⎟ ⎠ ⎞ ⎜ ⎝ ⎛ − additional operations modulo p, equivalent to p m n lg 2 1 ⎟ ⎠ ⎞ ⎜ ⎝ ⎛ − bits operation.

4. Security Aspects of Construction Result