CS254
Chris Pollett
May 3, 2017
Definition. Let `H_(n,k)` be a collection of functions from `{0,1}^n` to `{0,1}^k`. We say that `H_(n,k)` is pairwise independent if for every `x, x' in {0,1}^n` with `x ne x'` and for every `y,y' in {0,1}^k`, `Pr_(h in_R H_(n,k))[h(x) = y ^^ h(x') = y'] = 2^(-2k)`.
We identify `{0,1}^n` with the finite field `GF(2^n)` containing `2^n` elements. The following theorem gives a construction of a family of efficiently computable pairwise independent hash functions.
Theorem. For every `n`, define the collection `H_(n,n)` to be `{h_(a,b)}_(a,b in GF(2^n))` where `a,b in GF(2^n)`, the function `h_(a,b):GF(2^n) -> GF(2^n)` maps `x` to `ax+b mod 2^n`. Then `H_(n,n)` is a collection of pairwise independent hash functions.
Proof. For every `x ne x' in GF(2^n)` and `y,y' in GF(2^n)`, `h_(a,b)(x) = y` and `h_(a,b)(x') = y'` iff `a` and `b` satisfy the equations:
`a cdot x +b =y`
`a cdot x' +b = y'`
These equations imply that `a = (y-y')(x-x')^(-1)`. This is well-defined because `x-x' ne 0`. Since `b = y - a cdot x`., the pair `langle a,b rangle` is completely determined by these equations, and so the probability that this happens over choices of `a` and `b` is exactly one over the number of possible pairs, `1/2^(2n)`.
Conditions: `S subseteq {0,1}^m` is a set such that membership in `S` can be certified. Both parties know a number `K`. The prover's goal is to convince the verifier that `|S| ge K` and the verifier should reject with good probability if `|S| < K/2`. Let `k` be an integer such that `2^(k-2) < K le 2^(k-1)`.
V: Randomly pick a function `h:{0,1}^m -> {0,1}^k` from a pairwise independent hash collection `H_(m,k)`. Pick `y in_R {0,1}^k`. Send `h,y` to prover.
P: Try to find an `x in S` such that `h(x) = y`. Send such an `x` to `V`, together with a certificate that `x in S`.
V output. If `h(x)=y` and the certificate validates that `x in S` accept. otherwise reject.
For `p^star = K/2^k`, we will see there is a gap of `3/4p^star` (`|S| ge K`) versus `p^star/2` (`|S| < K/2`) in the probability that there is an `x in S` such that the prover can be sure to make the verifier accept.
Claim. Let `S subseteq {0,1}^m` satisfy `|S| le 2^k/2`. Then for `p = |S|/2^k`
`p ge Pr_(h in_R H_(m,k), y in_(R) {0,1}^k)[(exists x in S) h(x) = y] ge (3p)/4 - p/2^k.`
Proof. The upper bound on the probability follows by noticing that the set `h(S)` of `y`'s with preimages in `S` has size at most `|S|`. To prove the lower bound we show
`Pr_(h in_R H_(m,k))[(exists x in S)h(x) = y] ge (3p)/4`
for every `y in {0,1}^k`. For every `x inS` define `E_x` as the event `h(x) = y`. Then, `Pr[(exists x in S) h(x) = y] = Pr[vv_(x in S) E_x]`. By the inclusion-exclusion principle, this is at least:
`sum_(x in S)Pr[E_x] - 1/2sum_(x ne x' in S)Pr[E_x cap E_(x')]`.
However, by pairwise independence of the hash functions, `if x ne x'`, then `Pr[E_x] = 2^(-k)` and
`Pr[E_x cap E_(x')] = 2^(-2k)` and so this probability (up to low order term `|S|/2^(2k)`) is at least
`|S|/2^k - 1/2|S|^2/2^(2k) = |S|/2^k(1- |S|/2^(k+1))
ge (3p)/4`
For round `t in [1, k(n)]`:
V: Randomly pick `f(n)` functions `h_j:{0,1}^m -> {0,1}^{b_t+1}` from a pairwise independent hash collection `H_(m,b_t+1)` and randomly picks `(f(n))^2` strings `y_p` in `{0,1}^{b_t+1}`. Send `h_1, ... h_{f(n)}, y_1, ..., y_{(f(n))^2}` to prover.
P: Find a next `IP[k]` verifier message `v_{t+1}`, and prover message `p_{t+1}` for some `r` on which `IP[k]` verifier accepts such that `V(w,r, hs_t) = v_{t+1}` and so there is a `j`, `p`, `h_j(v_{t+1})= y_p`. Send `v_{t+1}`, `p_{t+1}`, and `b_{t+1} := #a\c\c\ept(hs_t, w)` to `V`.
V: Checks there is a `j` and `p` such that `h_j(v_{t+1})= y_p`, if so goes to next round, otherwise rejects.
For round `k(n)+1`, (since we started with 0, the total rounds will be `k+2`):
V: Randomly pick `f(n)` functions `h_j:{0,1}^{f(n)} -> {0,1}^{b_{k+1}+1}` from a pairwise independent hash collection `H_({f(n)},b_{k+1}+1)` and randomly picks `(f(n))^2` strings `y_p` in `{0,1}^{b_{k+1}+1}`.
P: Send the random bits `r`, that it used in its computation of the last round.
V: Checks there is a `j` and `p` such that `h_j(r)= y_p`. The verifier then then uses r, to check for each round `t` of the IP protocol `V(w,r, hs_t) = v_{t+1}` and that for the final the IP verifier accepted.