Checking Matrix Multiplication

Let $F$ be a feild (you may think of it as the filed $Q$ of rational numbers, or the finite field $Z_{p}$ of integers modulo prime $p$ ). We suppose that each field operation (addition, subtraction, multiplication, division) has unit cost. This model is called the unit-cost RAM model, which is an ideal abstraction of a computer.

Consider the following problem:

Input: Three $n \times n$ matrices $A$ , $B$ , and $C$ over the field $F$ .
Output: "yes" if $C = A B$ and "no" if otherwise.

A naive way to solve this is to multiply $A$ and $B$ and compare the result with $C$ . The straightforward algorithm for matrix multiplication takes $O (n^{3})$ time, assuming that each arithmetic operation takes unit time. The Strassen's algorithm discovered in 1969 now implemented by many numerical libraries runs in time $O (n^{\log_{2} 7}) \approx O (n^{2.81})$ . Strassen's algorithm starts the search for fast matrix multiplication algorithms. The Coppersmith–Winograd algorithm discovered in 1987 runs in time $O (n^{2.376})$ but is only faster than Strassens' algorithm on extremely large matrices due to the very large constant coefficient. This has been the best known for decades, until recently Stothers got an $O (n^{2.374})$ algorithm in his PhD thesis in 2010, and independently Vassilevska Williams got an $O (n^{2.373})$ algorithm in 2012. Both these improvements are based on generalization of Coppersmith–Winograd algorithm. It is unknown whether the matrix multiplication can be done in time $O (n^{2 + o (1)})$ .

Freivalds Algorithm

The following is a very simple randomized algorithm due to Freivalds, running in $O (n^{2})$ time:

Algorithm (Freivalds, 1979)

pick a vector $r \in {0, 1}^{n}$ uniformly at random;
if $A (B r) = C r$ then return "yes" else return "no";

The product $A (B r)$ is computed by first multiplying $B r$ and then $A (B r)$ . The running time of Freivalds algorithm is $O (n^{2})$ because the algorithm computes 3 matrix-vector multiplications.

If $A B = C$ then $A (B r) = C r$ for any $r \in {0, 1}^{n}$ , thus the algorithm will return a "yes" for any positive instance ( $A B = C$ ). But if $A B \neq C$ then the algorithm will make a mistake if it chooses such an $r$ that $A B r = C r$ . However, the following lemma states that the probability of this event is bounded.

Lemma

If

A B \neq C

then for a uniformly random

r \in {0, 1}^{n}

,

Pr [A B r = C r] \leq \frac{1}{2}

.

Proof.

Let

D = A B - C

. The event

A B r = C r

is equivalent to that

D r = 0

. It is then sufficient to show that for a

D \neq 0

, it holds that

Pr [D r = 0] \leq \frac{1}{2}

.

Since $D \neq 0$ , it must have at least one non-zero entry. Suppose that $D_{i j} \neq 0$ .

We assume the event that $D r = 0$ . In particular, the $i$ -th entry of $D r$ is

(D r)_{i} = \sum_{k = 1}^{n} D_{i k} r_{k} = 0.

The $r_{j}$ can be calculated by

r_{j} = - \frac{1}{D_{i j}} \sum_{k \neq j}^{n} D_{i k} r_{k} .

Once all other entries $r_{k}$ with $k \neq j$ are fixed, there is a unique solution of $r_{j}$ . Therefore, the number of $r \in {0, 1}^{n}$ satisfying $D r = 0$ is at most $2^{n - 1}$ . The probability that $A B r = C r$ is bounded as

Pr [A B r = C r] = Pr [D r = 0] \leq \frac{2^{n - 1}}{2^{n}} = \frac{1}{2}

.

◻

When $A B = C$ , Freivalds algorithm always returns "yes"; and when $A B \neq C$ , Freivalds algorithm returns "no" with probability at least 1/2.

To improve its accuracy, we can run Freivalds algorithm for $k$ times, each time with an independent $r \in {0, 1}^{n}$ , and return "yes" if and only if all running instances returns "yes".

Freivalds' Algorithm (multi-round)

pick $k$ vectors $r_{1}, r_{2}, \dots, r_{k} \in {0, 1}^{n}$ uniformly and independently at random;
if $A (B r_{i}) = C r_{i}$ for all $i = 1, \dots, k$ then return "yes" else return "no";

If $A B = C$ , then the algorithm returns a "yes" with probability 1. If $A B \neq C$ , then due to the independence, the probability that all $r_{i}$ have $A B r_{i} = C_{i}$ is at most $2^{- k}$ , so the algorithm returns "no" with probability at least $1 - 2^{- k}$ . For any $0 < ϵ < 1$ , choose $k = \log_{2} \frac{1}{ϵ}$ . The algorithm runs in time $O (n^{2} \log_{2} \frac{1}{ϵ})$ and has a one-sided error (false positive) bounded by $ϵ$ .

Polynomial Identity Testing (PIT)

The Polynomial Identity Testing (PIT) is such a problem: given as input two polynomials, determine whether they are identical. It plays a fundamental role in Identity Testing problems.

First, let's consider the univariate ("one variable") case:

Input: two polynomials $f, g \in F [x]$ of degree $d$ .
Determine whether $f \equiv g$ ( $f$ and $g$ are identical).

Here the $F [x]$ denotes the ring of univariate polynomials on a field $F$ . More precisely, a polynomial $f \in F [x]$ is

f (x) = \sum_{i = 0}^{\infty} a_{i} x^{i}

,

where the coefficients $a_{i}$ are taken from the field $F$ , and the addition and multiplication are also defined over the field $F$ . And:

the degree of $f$ is the highest $i$ with non-zero $a_{i}$ ;
a polynomial $f$ is a zero-polynomial, denoted as $f \equiv 0$ , if all coefficients $a_{i} = 0$ .

Alternatively, we can consider the following equivalent problem by comparing the polynomial $f - g$ (whose degree is at most $d$ ) with the zero-polynomial:

Input: a polynomial $f \in F [x]$ of degree $d$ .
Determine whether $f \equiv 0$ ( $f$ is the 0 polynomial).

The problem is trivial if the input polynomial $f$ is given explicitly: one can trivially solve the problem by checking whether all $d + 1$ coefficients are $0$ . To make the problem nontrivial, we assume that the input polynomial is given implicitly as a black box (also called an oracle): the only way the algorithm can access to $f$ is to evaluate $f (x)$ over some $x$ from the field $F$ , $x$ chosen by the algorithm.

A straightforward deterministic algorithm is to evaluate $f (x_{1}), f (x_{2}), \dots, f (x_{d + 1})$ over $d + 1$ distinct elements $x_{1}, x_{2}, \dots, x_{d + 1}$ from the field $F$ and check whether they are all zero. By the fundamental theorem of algebra, also known as polynomial interpolations, this guarantees to verify whether a degree- $d$ univariate polynomial $f \equiv 0$ .

Fundamental Theorem of Algebra

Any non-zero univariate polynomial of degree

d

has at most

d

roots.

The reason for this fundamental theorem holding generally over any field $F$ is that any univariate polynomial of degree $d$ factors uniquely into at most $d$ irreducible polynomials, each of which has at most one root.

The following simple randomized algorithm is natural:

Algorithm for PIT

suppose we have a finite subset $S \subseteq F$ (to be specified later);
pick $r \in S$ uniformly at random;
if $f (r) = 0$ then return “yes” else return “no”;

This algorithm evaluates $f$ at one point chosen uniformly at random from a finite subset $S \subseteq F$ . It is easy to see the followings:

If $f \equiv 0$ , the algorithm always returns "yes", so it is always correct.
If $f ≢ 0$ , the algorithm may wrongly return "yes" (a false positive). But this happens only when the random $r$ is a root of $f$ . By the fundamental theorem of algebra, $f$ has at most $d$ roots, so the probability that the algorithm is wrong is bounded as

Pr [f (r) = 0] \leq \frac{d}{| S |} .

By fixing $S \subseteq F$ to be an arbitrary subset of size $| S | = 2 d$ , this probability of false positive is at most $1 / 2$ . We can reduce it to an arbitrarily small constant $δ$ by repeat the above testing independently for $\log_{2} \frac{1}{δ}$ times, since the error probability decays geometrically as we repeat the algorithm independently.

Communication Complexity of Equality

The communication complexity is introduced by Andrew Chi-Chih Yao as a model of computation with more than one entities, each with partial information about the input.

Assume that there are two entities, say Alice and Bob. Alice has a private input $a$ and Bob has a private input $b$ . Together they want to compute a function $f (a, b)$ by communicating with each other. The communication follows a predefined communication protocol (the "algorithm" in this model). The complexity of a communication protocol is measured by the number of bits communicated between Alice and Bob in the worst case.

The problem of checking identity is formally defined by the function EQ as follows: $E Q : {0, 1}^{n} \times {0, 1}^{n} \to {0, 1}$ and for any $a, b \in {0, 1}^{n}$ ,

E Q (a, b) = {\begin{cases} 1 & if a = b, \\ 0 & otherwise. \end{cases}

A trivial way to solve EQ is to let Bob send his entire input string $b$ to Alice and let Alice check whether $a = b$ . This costs $n$ bits of communications.

It is known that for deterministic communication protocols, this is the best we can get for computing EQ.

Theorem (Yao 1979)

Any deterministic communication protocol computing EQ on two

n

-bit strings costs

n

bits of communication in the worst-case.

This theorem is much more nontrivial to prove than it looks, because Alice and Bob are allowed to interact with each other in arbitrary ways. The proof of this theorem is in Yao's celebrated paper in 1979 with a humble title. It pioneered the field of communication complexity.

If we allow randomness in protocols, and also tolerate a small probabilistic error, the problem can be solved with significantly less communications. To present this randomized protocol, we need a few preparations:

We represent the inputs $a, b \in {0, 1}^{n}$ of Alice and Bob as two univariate polynomials of degree at most $n - 1$ , respectively

f (x) = \sum_{i = 0}^{n - 1} a_{i} x^{i}

and

g (x) = \sum_{i = 0}^{n - 1} b_{i} x^{i}

.

The two polynomials $f$ and $g$ are defined over finite field $Z_{p} = {0, 1, \dots, p - 1}$ for some suitable prime $p$ (to be specified later), which means the additions and multiplications are modulo $p$ .

The randomized communication protocol is then as follows:

A randomized protocol for EQ

Bob does:

pick $r \in Z_{p}$ uniformly at random;
send $r$ and $g (r)$ to Alice;

Upon receiving $r$ and $g (r)$ Alice does:

compute $f (r)$ ;
If $f (r) = g (r)$ return "yes"; else return "no".

The communication complexity of the protocol is given by the number of bits used to represent the values of $r$ and $g (r)$ . Since the polynomials are defined over finite field $Z_{p}$ and the random number $f$ is also chosen from $Z_{p}$ , this is bounded by $O (\log p)$ .

On the other hand the protocol makes mistakes only when $a \neq b$ but wrongly answers "yes". This happens only when $f ≢ g$ but $f (r) = g (r)$ . The degrees of $f, g$ are at most $n - 1$ , and $r$ is chosen among $p$ distinct values, we have

Pr [f (r) = g (r)] \leq \frac{n - 1}{p}

.

By choosing $p$ to be a prime in the interval $[n^{2}, 2 n^{2}]$ (by Chebyshev's theorem, such prime $p$ always exists), the above randomized communication protocol solves the Equality function EQ with an error probability of false positive at most $O (1 / n)$ , with communication complexity $O (\log n)$ , an EXPONENTIAL improvement to ANY deterministic communication protocol!

Schwartz-Zippel Theorem

Now let's see the the true form of Polynomial Identity Testing (PIT), for multivariate polynomials:

Input: two $n$ -variate polynomials $f, g \in F [x_{1}, x_{2}, \dots, x_{n}]$ of degree $d$ .
Determine whether $f \equiv g$ .

The $F [x_{1}, x_{2}, \dots, x_{n}]$ is the ring of multivariate polynomials over field $F$ . An $n$ -variate polynomial of degree $d$ , written as a sum of monomials, is:

f (x_{1}, x_{2}, \dots, x_{n}) = \sum_{\binom{i_{1}, i_{2}, \dots, i_{n} \geq 0}{i_{1} + i_{2} + \dots + i_{n} \leq d}} a_{i_{1}, i_{2}, \dots, i_{n}} x_{1}^{i_{1}} x_{2}^{i_{2}} \dots x_{n}^{i_{n}}

.

The degree or total degree of a monomial $a_{i_{1}, i_{2}, \dots, i_{n}} x_{1}^{i_{1}} x_{2}^{i_{2}} \dots x_{n}^{i_{n}}$ is given by $i_{1} + i_{2} + \dots + i_{n}$ and the degree of a polynomial $f$ is the maximum degree of monomials of nonzero coefficients.

As before, we also consider the following equivalent problem:

Input: a polynomial $f \in F [x_{1}, x_{2}, \dots, x_{n}]$ of degree $d$ .
Determine whether $f \equiv 0$ .

If $f$ is written explicitly as a sum of monomials, then the problem can be solved by checking whether all coefficients, and there at most $(\binom{n + d}{d}) \leq (n + d)^{d}$ coefficients in an $n$ -variate polynomial of degree at most $d$ .

A multivariate polynomial $f$ can also be presented in its product form, for example:

Example

The Vandermonde matrix $M = M (x_{1}, x_{2}, \dots, x_{n})$ is defined as that $M_{i j} = x_{i}^{j - 1}$ , that is

M = [\begin{matrix} 1 & x_{1} & x_{1}^{2} & \dots & x_{1}^{n - 1} \\ 1 & x_{2} & x_{2}^{2} & \dots & x_{2}^{n - 1} \\ 1 & x_{3} & x_{3}^{2} & \dots & x_{3}^{n - 1} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ 1 & x_{n} & x_{n}^{2} & \dots & x_{n}^{n - 1} \end{matrix}]

.

Let $f$ be the polynomial defined as

f (x_{1}, \dots, x_{n}) = det (M) = \prod_{j < i} (x_{i} - x_{j}) .

For polynomials in product form, it is quite efficient to evaluate the polynomial at any specific point from the field over which the polynomial is defined, however, expanding the polynomial to a sum of monomials can be very expensive.

The following is a simple randomized algorithm for testing identity of multivariate polynomials:

Randomized algorithm for multivariate PIT

suppose we have a finite subset $S \subseteq F$ (to be specified later);
pick $r_{1}, r_{2}, \dots, r_{n} \in S$ uniformly and independently at random;
if $f (\vec{r}) = f (r_{1}, r_{2}, \dots, r_{n}) = 0$ then return “yes” else return “no”;

This algorithm evaluates $f$ at one point chosen uniformly from an $n$ -dimensional cube $S^{n}$ , where $S \subseteq F$ is a finite subset. And:

If $f \equiv 0$ , the algorithm always returns "yes", so it is always correct.
If $f ≢ 0$ , the algorithm may wrongly return "yes" (a false positive). But this happens only when the random $\vec{r} = (r_{1}, r_{2}, \dots, r_{n})$ is a root of $f$ . The probability of this bad event is upper bounded by the following famous result due to Schwartz (1980) and Zippel (1979).

Schwartz-Zippel Theorem

Let

f \in F [x_{1}, x_{2}, \dots, x_{n}]

be a multivariate polynomial of degree

d

over a field

F

. If

f ≢ 0

, then for any finite set

S \subset F

, and

r_{1}, r_{2} \dots, r_{n} \in S

chosen uniformly and independently at random,

Pr [f (r_{1}, r_{2}, \dots, r_{n}) = 0] \leq \frac{d}{| S |} .

The Schwartz-Zippel Theorem states that for any nonzero $n$ -variate polynomial of degree at most $d$ , the number of roots in any cube $S^{n}$ is at most $d \cdot | S |^{n - 1}$ .

Dana Moshkovitz gave a surprisingly simply and elegant proof of Schwartz-Zippel Theorem, using some advanced ideas. Now we introduce the standard proof by induction.

Proof.

The theorem is proved by induction on $n$ .

Induction basis:

For $n = 1$ , this is the univariate case. Assume that $f ≢ 0$ . Due to the fundamental theorem of algebra, any polynomial $f (x)$ of degree at most $d$ must have at most $d$ roots, thus

Pr [f (r) = 0] \leq \frac{d}{| S |} .

Induction hypothesis:

Assume the theorem holds for any $m$ -variate polynomials for all $m < n$ .

Induction step:

For any $n$ -variate polynomial $f (x_{1}, x_{2}, \dots, x_{n})$ of degree at most $d$ , we write $f$ as

f (x_{1}, x_{2}, \dots, x_{n}) = \sum_{i = 0}^{k} x_{n}^{i} f_{i} (x_{1}, x_{2}, \dots, x_{n - 1})

,

where $k$ is the highest degree of $x_{n}$ , which means the degree of $f_{k}$ is at most $d - k$ and $f_{k} ≢ 0$ .

In particular, we write $f$ as a sum of two parts:

f (x_{1}, x_{2}, \dots, x_{n}) = x_{n}^{k} f_{k} (x_{1}, x_{2}, \dots, x_{n - 1}) + \bar{f} (x_{1}, x_{2}, \dots, x_{n})

,

where both $f_{k}$ and $\bar{f}$ are polynomials, such that

$f_{k} ≢ 0$ is as above, whose degree is at most $d - k$ ;
$\bar{f} (x_{1}, x_{2}, \dots, x_{n}) = \sum_{i = 0}^{k - 1} x_{n}^{i} f_{i} (x_{1}, x_{2}, \dots, x_{n - 1})$ , thus $\bar{f} (x_{1}, x_{2}, \dots, x_{n})$ has no $x_{n}^{k}$ factor in any term.

By the law of total probability, we have

\begin{aligned} Pr [f (r_{1}, r_{2}, \dots, r_{n}) = 0] \\ = & Pr [f (\vec{r}) = 0 ∣ f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) = 0] \cdot Pr [f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) = 0] \\ + Pr [f (\vec{r}) = 0 ∣ f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) \neq 0] \cdot Pr [f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) \neq 0] . \end{aligned}

Note that $f_{k} (r_{1}, r_{2}, \dots, r_{n - 1})$ is a polynomial on $n - 1$ variables of degree $d - k$ such that $f_{k} ≢ 0$ . By the induction hypothesis, we have

\begin{aligned} (*) & Pr [f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) = 0] \leq \frac{d - k}{| S |} . \end{aligned}

Now we look at the case conditioning on $f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) \neq 0$ . Recall that $\bar{f} (x_{1}, \dots, x_{n})$ has no $x_{n}^{k}$ factor in any term, thus the condition $f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) \neq 0$ guarantees that

f (r_{1}, \dots, r_{n - 1}, x_{n}) = x_{n}^{k} f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) + \bar{f} (r_{1}, r_{2}, \dots, r_{n - 1}, x_{n}) = g_{r_{1}, \dots, r_{n - 1}} (x_{n})

is a nonzero univariate polynomial of $x_{n}$ such that the degree of $g_{r_{1}, \dots, r_{n - 1}} (x_{n})$ is $k$ and $g_{r_{1}, \dots, r_{n - 1}} ≢ 0$ , for which we already known that the probability $g_{r_{1}, \dots, r_{n - 1}} (r_{n}) = 0$ is at most $\frac{k}{| S |}$ . Therefore,

\begin{aligned} (* *) & Pr [f (\vec{r}) = 0 ∣ f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) \neq 0] = Pr [g_{r_{1}, \dots, r_{n - 1}} (r_{n}) = 0 ∣ f_{k} (r_{1}, r_{2}, \dots, r_{n - 1}) \neq 0] \leq \frac{k}{| S |} \end{aligned}

.

Substituting both $(*)$ and $(* *)$ back in the total probability, we have

Pr [f (r_{1}, r_{2}, \dots, r_{n}) = 0] \leq \frac{d - k}{| S |} + \frac{k}{| S |} = \frac{d}{| S |},

which proves the theorem.

◻

Fingerprinting

The polynomial identity testing algorithm in the Schwartz-Zippel theorem can be abstracted as the following framework: Suppose we want to compare two objects $X$ and $Y$ . Instead of comparing them directly, we compute random fingerprints $F I N G (X)$ and $F I N G (Y)$ of them and compare the fingerprints.

The fingerprints has the following properties:

$F I N G (\cdot)$ is a function, meaning that if $X = Y$ then $F I N G (X) = F I N G (Y)$ .
It is much easier to compute and compare the fingerprints.
Ideally, the domain of fingerprints is much smaller than the domain of original objects, so storing and comparing fingerprints are easy. This means the fingerprint function $F I N G (\cdot)$ cannot be an injection (one-to-one mapping), so it's possible that different $X$ and $Y$ are mapped to the same fingerprint. We resolve this by making fingerprint function randomized, and for $X \neq Y$ , we want the probability $Pr [F I N G (X) = F I N G (Y)]$ to be small.

In Schwartz-Zippel theorem, the objects to compare are polynomials from $F [x_{1}, \dots, x_{n}]$ . Given a polynomial $f \in F [x_{1}, \dots, x_{n}]$ , its fingerprint is computed as $F I N G (f) = f (r_{1}, \dots, r_{n})$ for $r_{i}$ chosen independently and uniformly at random from some fixed set $S \subseteq F$ .

With this generic framework, for various identity testing problems, we may design different fingerprints $F I N G (\cdot)$ .

Communication protocols for Equality by fingerprinting

Now consider again the communication model where the two players Alice with a private input $x \in {0, 1}^{n}$ and Bob with a private input $y \in {0, 1}^{n}$ together compute a function $f (x, y)$ by running a communication protocol.

We still consider the communication protocols for the equality function EQ

E Q (x, y) = {\begin{cases} 1 & if x = y, \\ 0 & otherwise. \end{cases}

With the language of fingerprinting, this communication problem can be solved by the following generic scheme:

Communication protocol for EQ by fingerprinting

Bob does:

choose a random fingerprint function $F I N G (\cdot)$ and compute the fingerprint of her input $F I N G (y)$ ;
sends both the description of $F I N G (\cdot)$ and the value of $F I N G (y)$ to Alice;

Upon receiving the description of $F I N G (\cdot)$ and the value of $F I N G (y)$ , Alice does:

computes $F I N G (x)$ and check whether $F I N G (x) = F I N G (y)$ .

In this way we have a randomized communication protocol for the equality function EQ with false positive. The communication cost as well as the error probability are reduced to the question of how to design this random fingerprint function $F I N G (\cdot)$ to guarantee:

A random fingerprint function $F I N G (\cdot)$ can be described succinctly.
The range of $F I N G (\cdot)$ is small, so the fingerprints are succinct.
If $x \neq y$ , the probability $Pr [F I N G (x) = F I N G (y)]$ is small.

Fingerprinting by PIT

As before, we can define the fingerprint function as: for any bit-string $x \in {0, 1}^{n}$ , its random fingerprint is $F I N G (x) = \sum_{i = 1}^{n} x_{i} r^{i}$ , where the additions and multiplications are defined over a finite field $Z_{p}$ , and $r$ is chosen uniformly at random from $Z_{p}$ , where $p$ is some suitable prime which can be represented in $Θ (\log n)$ bits. More specifically, we can choose $p$ to be any prime from the interval $[n^{2}, 2 n^{2}]$ . Due to Chebyshev's theorem, such prime must exist.

As we have shown before, it takes $O (\log p) = O (\log n)$ bits to represent $F I N G (y)$ and to describe the random function $F I N G (\cdot)$ (since it a random function $F I N G (\cdot)$ from this family is uniquely identified by a random $r \in Z_{p}$ , which can be represented within $\log p = O (\log n)$ bits). And it follows easily from the fundamental theorem of algebra that for any distinct $x, y \in {0, 1}^{n}$ ,

Pr [F I N G (x) = F I N G (y)] \leq \frac{n - 1}{p} \leq \frac{1}{n} .

Fingerprinting by randomized checksum

Now we consider a new fingerprint function: We treat each input string $x \in {0, 1}^{n}$ as the binary representation of a number, and let $F I N G (x) = x mod p$ for some random prime $p$ chosen from $[k] = {0, 1, \dots, k - 1}$ , for some $k$ to be specified later.

Now a random fingerprint function $F I N G (\cdot)$ can be uniquely identified by this random prime $p$ . The new communication protocol for EQ with this fingerprint is as follows:

Communication protocol for EQ by random checksum

Bob does:

for some parameter

k

(to be specified),

choose a prime $p \in [k]$ uniformly at random;
send $p$ and $x mod p$ to Alice;

Upon receiving $p$ and $x mod p$ , Alice does:

check whether $x mod p = y mod p$ .

The number of bits to be communicated is obviously $O (\log k)$ . When $x \neq y$ , we want to upper bound the error probability $Pr [x mod p = y mod p]$ .

Suppose without loss of generality $x > y$ . Let $z = x - y$ . Then $z < 2^{n}$ since $x, y \in [2^{n}]$ , and $z \neq 0$ for $x \neq y$ . It holds that $x \equiv y (\mod p)$ if and only if $p ∣ z$ . Therefore, we only need to upper bound the probability

Pr [z mod p = 0]

for an arbitrarily fixed $0 < z < 2^{n}$ , and a uniform random prime $p \in [k]$ .

The probability $Pr [z mod p = 0]$ is computed directly as

Pr [z mod p = 0] \leq \frac{the number of prime divisors of z}{the number of primes in [k]}

.

For the numerator, any positive $z < 2^{n}$ has at most $n$ prime factors. To see this, by contradiction assume that $z$ has more than $n$ prime factors. Note that any prime number is at least 2. Then $z$ must be greater than $2^{n}$ , contradicting the fact that $z < 2^{n}$ .

For the denominator, we need to lower bound the number of primes in $[k]$ . This is given by the celebrated Prime Number Theorem (PNT).

Prime Number Theorem

Let

π (k)

denote the number of primes less than

k

. Then

π (k) \sim \frac{k}{\ln k}

as

k \to \infty

.

Therefore, by choosing $k = 2 n^{2} \ln n$ , we have that for a $0 < z < 2^{n}$ , and a random prime $p \in [k]$ ,

Pr [z mod p = 0] \leq \frac{n}{π (k)} \sim \frac{1}{n}

,

which means the for any inputs $x, y \in {0, 1}^{n}$ , if $x \neq y$ , then the false positive is bounded as

Pr [F I N G (x) = F I N G (y)] \leq Pr [| x - y | mod p = 0] \leq \frac{1}{n}

.

Moreover, by this choice of parameter $k = 2 n^{2} \ln n$ , the communication complexity of the protocol is bounded by $O (\log k) = O (\log n)$ .

Checking distinctness

Consider the following problem of checking distinctness:

Given a sequence $x_{1}, x_{2}, \dots, x_{n} \in {1, 2, \dots, n}$ , check whether every element of ${1, 2, \dots, n}$ appears exactly once.

Obviously this problem can be solved in linear time and linear space (in addition to the space for storing the input) by maintaining a $n$ -bit vector that indicates which numbers among ${1, 2, \dots, n}$ have appeared.

When this $n$ is enormously large, $Ω (n)$ space cost is too expensive. We wonder whether we could solve this problem with a space cost (in addition to the space for storing the input) much less than $O (n)$ . This can be done by fingerprinting if we tolerate a certain degree of inaccuracy.

Fingerprinting multisets

We consider the following more generalized problem, checking identity of multisets:

Input: two multisets $A = {a_{1}, a_{2}, \dots, a_{n}}$ and $B = {b_{1}, b_{2}, \dots, b_{n}}$ where $a_{1}, a_{2}, \dots, b_{1}, b_{2}, \dots, b_{n} \in {1, 2, \dots, n}$ .
Determine whether $A = B$ (multiset equivalence).

Here for a multiset $A = {a_{1}, a_{2}, \dots, a_{n}}$ , its elements $a_{i}$ are not necessarily distinct. The multiplicity of an element $a_{i}$ in a multiset $A$ is the number of times $a_{i}$ appears in $A$ . Two multisets $A$ and $B$ are equivalent if they contain the same set of elements and the multiplicities of every element in $A$ and $B$ are equal.

Obviously the above problem of checking distinctness can be treated as a special case of checking identity of multisets: by checking the identity of the multiset $A$ and set ${1, 2, \dots, n}$ .

The following fingerprinting function for multisets was introduced by Lipton for solving multiset identity testing.

Fingerprint for multiset

Let

p

be a uniform random prime chosen from the interval

[(n \log n)^{2}, 2 (n \log n)^{2}]

. By Chebyshev's theorem, such prime must exist. And consider the the finite field

Z_{p} = [p]

.

Given a multiset

A = {a_{1}, a_{2}, \dots, a_{n}}

, we define a univariate polynomial

f_{A} \in Z_{p} [x]

over the finite field

Z_{p}

as follows:

f_{A} (x) = \prod_{i = 1}^{n} (x - a_{i})

,

where

+

and

\cdot

are defined over the finite field

Z_{p}

.

We then define the random fingerprinting function as:

F I N G (A) = f_{A} (r) = \prod_{i = 1}^{n} (r - a_{i})

,

where

r

is chosen uniformly at random from

Z_{p}

.

Since all computations of $F I N G (A) = \prod_{i = 1}^{n} (r - a_{i})$ are over the finite field $Z_{p}$ , the space cost for computing the fingerprint $F I N G (A)$ is only $O (\log p) = O (\log n)$ .

Moreover, the fingerprinting function $F I N G (A)$ is invariant under permutation of elements of the multiset $A = {a_{1}, a_{2}, \dots, a_{n}}$ , thus it is indeed a function of multisets (meaning every multiset has only one fingerprint). Therefore, if $A = B$ then $F I N G (A) = F I N G (B)$ .

For two distinct multisets $A \neq B$ , it is possible that $F I N G (A) = F I N G (B)$ , but the following theorem due to Lipton bounds this error probability of false positive.

Theorem (Lipton 1989)

Let

A = {a_{1}, a_{2}, \dots, a_{n}}

and

B = {b_{1}, b_{2}, \dots, b_{n}}

be two multisets whose elements are from

{1, 2, \dots, n}

. If

A \neq B

, then

Pr [F I N G (A) = F I N G (B)] = O (\frac{1}{n})

.

Proof.

Let ${\tilde{f}}_{A} (x) = \prod_{i = 1}^{n} (x - a_{i})$ and ${\tilde{f}}_{B} (x) = \prod_{i = 1}^{n} (x - b_{i})$ be two univariate polynomials defined over reals $R$ . Note that in contrast to $f_{A} (x)$ and $f_{B} (x)$ , the $+$ and $\cdot$ in ${\tilde{f}}_{A} (x), {\tilde{f}}_{B} (x)$ do not modulo $p$ . It is easy to verify that the polynomials ${\tilde{f}}_{A} (x), {\tilde{f}}_{B} (x)$ have the following properties:

${\tilde{f}}_{A} \equiv {\tilde{f}}_{B}$ if and only if $A = B$ . Here $A = B$ means the multiset equivalence.
By the properties of finite field, for any value $r \in Z_{p}$ , it holds that $f_{A} (r) = {\tilde{f}}_{A} (r) mod p$ and $f_{B} (r) = {\tilde{f}}_{B} (r) mod p$ .

Therefore, assuming that $A \neq B$ , we must have ${\tilde{f}}_{A} (x) ≢ {\tilde{f}}_{B} (x)$ . Then by the law of total probability:

\begin{aligned} Pr [F I N G (A) = F I N G (B)] & = Pr [f_{A} (r) = f_{B} (r) ∣ f_{A} ≢ f_{B}] Pr [f_{A} ≢ f_{B}] \\ + Pr [f_{A} (r) = f_{B} (r) ∣ f_{A} \equiv f_{B}] Pr [f_{A} \equiv f_{B}] \\ \leq Pr [f_{A} (r) = f_{B} (r) ∣ f_{A} ≢ f_{B}] + Pr [f_{A} \equiv f_{B}] . \end{aligned}

Note that the degrees of $f_{A}, f_{B}$ are at most $n$ and $r$ is chosen uniformly from $[p]$ . By the Schwartz-Zippel theorem for univariate polynomials, the first probability

Pr [f_{A} (r) = f_{B} (r) ∣ f_{A} ≢ f_{B}] \leq \frac{n}{p} = o (\frac{1}{n}),

since $p$ is chosen from the interval $[(n \log n)^{2}, 2 (n \log n)^{2}]$ .

For the second probability $Pr [f_{A} \equiv f_{B}]$ , recall that ${\tilde{f}}_{A} ≢ {\tilde{f}}_{B}$ , therefore there is at least a non-zero coefficient $c \leq n^{n}$ in ${\tilde{f}}_{A} - {\tilde{f}}_{B}$ . The event $f_{A} \equiv f_{B}$ occurs only if $c mod p = 0$ , which means

\begin{aligned} Pr [f_{A} \equiv f_{B}] & \leq Pr [c mod p = 0] \\ = \frac{number of prime factors of c}{number of primes in [(n \log n)^{2}, 2 (n \log n)^{2}]} \\ \leq \frac{n \log_{2} n}{π (2 (n \log n)^{2}) - π ((n \log n)^{2})} . \end{aligned}

By the prime number theorem, $π (N) \to \frac{N}{\ln N}$ as $N \to \infty$ . Therefore,

Pr [f_{A} \equiv f_{B}] = O (\frac{n \log n}{n^{2} \log n}) = O (\frac{1}{n}) .

Combining everything together, we have $Pr [F I N G (A) = F I N G (B)] = O (\frac{1}{n})$ .

◻

高级算法 (Fall 2023)/Fingerprinting

Contents

Checking Matrix Multiplication

Freivalds Algorithm

Polynomial Identity Testing (PIT)

Communication Complexity of Equality

Schwartz-Zippel Theorem

Fingerprinting

Communication protocols for Equality by fingerprinting

Fingerprinting by PIT

Fingerprinting by randomized checksum

Checking distinctness

Fingerprinting multisets

Navigation menu

高级算法 (Fall 2023)/Fingerprinting

Checking Matrix Multiplication

Freivalds Algorithm

Polynomial Identity Testing (PIT)

Communication Complexity of Equality

Schwartz-Zippel Theorem

Fingerprinting

Communication protocols for Equality by fingerprinting

Fingerprinting by PIT

Fingerprinting by randomized checksum

Checking distinctness

Fingerprinting multisets

Navigation menu

Search