${\displaystyle k}$-wise independence

Recall the definition of independence between events:

Definition (Independent events)

Events ${\displaystyle {\mathcal{E}}_1,{\mathcal{E}}_2,\dots ,{\mathcal{E}}_n}$ are mutually independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$, ${\displaystyle \begin{array}{rl}Pr\left[\underset{i\in I}{\bigwedge }{\mathcal{E}}_i\right]& =\prod _{i\in I}Pr[{\mathcal{E}}_i].\end{array}}$

Similarly, we can define independence between random variables:

Definition (Independent variables)

Random variables ${\displaystyle X_1,X_2,\dots ,X_n}$ are mutually independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$ and any values ${\displaystyle x_i}$, where ${\displaystyle i\in I}$, ${\displaystyle \begin{array}{rl}Pr[\underset{i\in I}{\bigwedge }(X_i=x_i)]& =\prod _{i\in I}Pr[X_i=x_i].\end{array}}$

Mutual independence is an ideal condition of independence. The limited notion of independence is usually defined by the k-wise independence.

Definition (k-wise Independenc)

1. Events ${\displaystyle {\mathcal{E}}_1,{\mathcal{E}}_2,\dots ,{\mathcal{E}}_n}$ are k-wise independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$ with ${\displaystyle |I|\le k}$ ${\displaystyle \begin{array}{rl}Pr\left[\underset{i\in I}{\bigwedge }{\mathcal{E}}_i\right]& =\prod _{i\in I}Pr[{\mathcal{E}}_i].\end{array}}$ 2. Random variables ${\displaystyle X_1,X_2,\dots ,X_n}$ are k-wise independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$ with ${\displaystyle |I|\le k}$ and any values ${\displaystyle x_i}$, where ${\displaystyle i\in I}$, ${\displaystyle \begin{array}{rl}Pr[\underset{i\in I}{\bigwedge }(X_i=x_i)]& =\prod _{i\in I}Pr[X_i=x_i].\end{array}}$

A very common case is pairwise independence, i.e. the 2-wise independence.

Definition (pairwise Independent random variables)

Random variables ${\displaystyle X_1,X_2,\dots ,X_n}$ are pairwise independent if, for any ${\displaystyle X_i,X_j}$ where ${\displaystyle i\ne j}$ and any values ${\displaystyle a,b}$ ${\displaystyle \begin{array}{rl}Pr[X_i=a\wedge X_j=b]& =Pr[X_i=a]\cdot Pr[X_j=b].\end{array}}$

Note that the definition of k-wise independence is hereditary:

• If ${\displaystyle X_1,X_2,\dots ,X_n}$ are k-wise independent, then they are also ${\displaystyle \ell }$-wise independent for any ${\displaystyle \ell <k}$.
• If ${\displaystyle X_1,X_2,\dots ,X_n}$ are NOT k-wise independent, then they cannot be ${\displaystyle \ell }$-wise independent for any ${\displaystyle \ell >k}$.

Pairwise Independent Bits

Suppose we have ${\displaystyle m}$ mutually independent and uniform random bits ${\displaystyle X_1,\dots ,X_m}$. We are going to extract ${\displaystyle n=2^m-1}$ pairwise independent bits from these ${\displaystyle m}$ mutually independent bits.

Enumerate all the nonempty subsets of ${\displaystyle \{1,2,\dots ,m\}}$ in some order. Let ${\displaystyle S_j}$ be the ${\displaystyle j}$th subset. Let

${\displaystyle Y_j=\underset{i\in S_j}{⨁}{X}_i,}$

where ${\displaystyle \oplus }$ is the exclusive-or, whose truth table is as follows.

${\displaystyle a}$	${\displaystyle b}$	${\displaystyle a}$${\displaystyle \oplus }$${\displaystyle b}$
0	0	0
0	1	1
1	0	1
1	1	0

There are ${\displaystyle n=2^m-1}$ such ${\displaystyle Y_j}$, because there are ${\displaystyle 2^m-1}$ nonempty subsets of ${\displaystyle \{1,2,\dots ,m\}}$. An equivalent definition of ${\displaystyle Y_j}$ is

${\displaystyle Y_j=\left(\sum _{i\in S_j}{X}_i\right)mod2}$.

Sometimes, ${\displaystyle Y_j}$ is called the parity of the bits in ${\displaystyle S_j}$.

We claim that ${\displaystyle Y_j}$ are pairwise independent and uniform.

Theorem

For any ${\displaystyle Y_j}$ and any ${\displaystyle b\in \{0,1\}}$, ${\displaystyle \begin{array}{rl}Pr[Y_j=b]& =\frac{1}{2}.\end{array}}$ For any ${\displaystyle Y_j,Y_{\ell }}$ that ${\displaystyle j\ne \ell }$ and any ${\displaystyle a,b\in \{0,1\}}$, ${\displaystyle \begin{array}{rl}Pr[Y_j=a\wedge Y_{\ell }=b]& =\frac{1}{4}.\end{array}}$

The proof is left for your exercise.

Therefore, we extract exponentially many pairwise independent uniform random bits from a sequence of mutually independent uniform random bits.

Note that ${\displaystyle Y_j}$ are not 3-wise independent. For example, consider the subsets ${\displaystyle S_1=\{1\},S_2=\{2\},S_3=\{1,2\}}$ and the corresponding random bits ${\displaystyle Y_1,Y_2,Y_3}$. Any two of ${\displaystyle Y_1,Y_2,Y_3}$ would decide the value of the third one.

Pairwise Independent Variables

We now consider constructing pairwise independent random variables ranging over ${\displaystyle [p]=\{0,1,2,\dots ,p-1\}}$ for some prime ${\displaystyle p}$. Unlike the above construction, now we only need two independent random sources ${\displaystyle X_0,X_1}$, which are uniformly and independently distributed over ${\displaystyle [p]}$.

Let ${\displaystyle Y_0,Y_1,\dots ,Y_{p-1}}$ be defined as:

${\displaystyle \begin{array}{rl}{Y}_i=(X_0+i\cdot X_1)modp& \text{for }i\in [p].\end{array}}$

Theorem

The random variables ${\displaystyle Y_0,Y_1,\dots ,Y_{p-1}}$ are pairwise independent uniform random variables over ${\displaystyle [p]}$.

Proof. We first show that ${\displaystyle Y_i}$ are uniform. That is, we will show that for any ${\displaystyle i,a\in [p]}$, ${\displaystyle \begin{array}{rl}Pr[(X_0+i\cdot X_1)modp=a]& =\frac{1}{p}.\end{array}}$ Due to the law of total probability, ${\displaystyle \begin{array}{rl}Pr[(X_0+i\cdot X_1)modp=a]& =\sum _{j\in [p]}Pr[X_1=j]\cdot Pr[(X_0+ij)modp=a]\\ & =\frac{1}{p}\sum _{j\in [p]}Pr[X_0\equiv (a-ij)(\mathrm{mod}p)].\end{array}}$ For prime ${\displaystyle p}$, for any ${\displaystyle i,j,a\in [p]}$, there is exact one value in ${\displaystyle [p]}$ of ${\displaystyle X_0}$ satisfying ${\displaystyle X_0\equiv (a-ij)(\mathrm{mod}p)}$. Thus, ${\displaystyle Pr[X_0\equiv (a-ij)(\mathrm{mod}p)]=1/p}$ and the above probability is ${\displaystyle \frac{1}{p}}$. We then show that ${\displaystyle Y_i}$ are pairwise independent, i.e. we will show that for any ${\displaystyle Y_i,Y_j}$ that ${\displaystyle i\ne j}$ and any ${\displaystyle a,b\in [p]}$, ${\displaystyle \begin{array}{rl}Pr[Y_i=a\wedge Y_j=b]& =\frac{1}{p^2}.\end{array}}$ The event ${\displaystyle Y_i=a\wedge Y_j=b}$ is equivalent to that ${\displaystyle \{\begin{array}{l}(X_0+i{X}_1)\equiv a(\mathrm{mod}p)\\ (X_0+j{X}_1)\equiv b(\mathrm{mod}p)\end{array}}$ Due to the Chinese remainder theorem, there exists a unique solution of ${\displaystyle X_0}$ and ${\displaystyle X_1}$ in ${\displaystyle [p]}$ to the above linear congruential system. Thus the probability of the event is ${\displaystyle \frac{1}{p^2}}$. ${\displaystyle ◻}$

Tools for limited independence

Let ${\displaystyle X_1,X_2,\dots ,X_n}$ be random variables. The variance of their sum is

${\displaystyle \begin{array}{r}\mathbf{V}\mathbf{a}\mathbf{r}\left[\sum _{i=1}^n{X}_i\right]=\sum _{i=1}^n\mathbf{V}\mathbf{a}\mathbf{r}[X_i]+\sum _{i\ne j}\mathbf{c}\mathbf{o}\mathbf{v}(X_i,X_j).\end{array}}$

If ${\displaystyle X_1,X_2,\dots ,X_n}$ are pairwise independent, then ${\displaystyle \mathbf{c}\mathbf{o}\mathbf{v}(X_i,X_j)=0}$ for any ${\displaystyle i\ne j}$ since the covariance of a pair of independent random variables is 0. This gives us the following theorem of linearity of variance for pairwise independent random variables.

Theorem

For pairwise independent random variables ${\displaystyle X_1,X_2,\dots ,X_n}$, ${\displaystyle \begin{array}{r}\mathbf{V}\mathbf{a}\mathbf{r}\left[\sum _{i=1}^n{X}_i\right]=\sum _{i=1}^n\mathbf{V}\mathbf{a}\mathbf{r}[X_i].\end{array}}$

The theorem relies on that the covariances of pairwise independent random variables are 0, which in turn is actually a consequence of a more general theorem.

Theorem (${\displaystyle k}$-wise independence fools ${\displaystyle k}$-degree polynomials)

Let ${\displaystyle X_1,X_2,\dots ,X_n}$ be mutually independent random variables and ${\displaystyle Y_1,Y_2,\dots ,Y_n}$ be ${\displaystyle k}$-wise independent random variables, with that the marginal distribution of ${\displaystyle Y_i}$ is identical to the marginal distribution of ${\displaystyle X_i}$, ${\displaystyle 1\le i\le n}$, that is, ${\displaystyle Pr[X_i=z]=Pr[Y_i=z]}$ for any ${\displaystyle z}$, ${\displaystyle 1\le i\le n}$. Let ${\displaystyle f:{\mathbb{R}}^n\to \mathbb{R}}$ be a multivariate polynomial of degree at most ${\displaystyle k}$. Then ${\displaystyle \begin{array}{r}\mathbf{E}[f(X_1,X_2,\dots ,X_n)]=\mathbf{E}[f(Y_1,Y_2,\dots ,Y_n)].\end{array}}$

This phenomenon is sometimes called that the ${\displaystyle k}$-degree polynomials are fooled by ${\displaystyle k}$-wise independence. In other words, a ${\displaystyle k}$-degree polynomial behaves the same on the ${\displaystyle k}$-wise independent random variables as on the mutual independent random variables.

This theorem is implied by the following lemma.

Lemma

Let ${\displaystyle X_1,X_2,\dots ,X_k}$ be ${\displaystyle k}$ mutually independent random variables. Then ${\displaystyle \begin{array}{r}\mathbf{E}\left[\prod _{i=1}^k{X}_i\right]=\prod _{i=1}^k\mathbf{E}[X_i].\end{array}}$

The lemma can be proved by directly compute the expectation. We omit the detailed proof.

By the linearity of expectation, the expectation of a polynomial is reduced to the sum of the expectations of terms. For a k-degree polynomial, each term has at most ${\displaystyle k}$ variables. Due to the above lemma, with k-wise independence, the expectation of each term behaves exactly the same as mutual independence.

Since the ${\displaystyle k}$th moment is the expectation of a k-degree polynomial of random variables, the tools based on the ${\displaystyle k}$th moment can be safely used for the k-wise independence. In particular, Chebyshev's inequality for pairwise independent random variables:

Chebyshev's inequality

Let ${\displaystyle X=\sum _{i=1}^n{X}_i}$, where ${\displaystyle X_1,X_2,\dots ,X_n}$ are pairwise independent Poisson trials. Let ${\displaystyle \mu =\mathbf{E}[X]}$. Then ${\displaystyle Pr[|X-\mu |\ge t]\le \frac{\mathbf{V}\mathbf{a}\mathbf{r}[X]}{t^2}=\frac{\sum _{i=1}^n\mathbf{V}\mathbf{a}\mathbf{r}[X_i]}{t^2}.}$

Application: Derandomizing MAX-CUT

Let ${\displaystyle G(V,E)}$ be an undirected graph, and ${\displaystyle S\subset V}$ be a vertex set. The cut defined by ${\displaystyle S}$ is ${\displaystyle C(S,\overline{S})=|\{uv\in E\mid u\in S,v\notin S\}|}$.

Given as input an undirected graph ${\displaystyle G(V,E)}$, find the ${\displaystyle S\subset V}$ whose cut value ${\displaystyle C(S,\overline{S})}$ is maximized. This problem is called the maximum cut (MAX-CUT) problem, which is NP-hard. The decision version of one of the weighted version of the problem is one of the Karp's 21 NP-complete problems. The problem has a ${\displaystyle 0.878}$-approximation algorithm by rounding a semidefinite programming. Assuming that the unique game conjecture (UGC), there does not exist a poly-time algorithm with better approximation ratio unless ${\displaystyle P=NP}$.

Here we give a very simple ${\displaystyle 0.5}$-approximation algorithm. The "algorithm" has a one-line description:

• Put each ${\displaystyle v\in V}$ into ${\displaystyle S}$ independently with probability 1/2.

We then analyze the approximation ratio of this algorithm.

For each ${\displaystyle v\in V}$, let ${\displaystyle Y_v}$ indicate whether ${\displaystyle v\in S}$, that is

${\displaystyle Y_v=\{\begin{array}{ll}1& v\in S,\\ 0& v\notin S.\end{array}}$

For each edge ${\displaystyle uv\in E}$, let ${\displaystyle Y_{uv}}$ indicate whether ${\displaystyle uv}$ contribute to the cut ${\displaystyle C(S,\overline{S})}$, i.e. whether ${\displaystyle u\in S,v\notin S}$ or ${\displaystyle u\notin S,v\in S}$, that is

${\displaystyle Y_{uv}=\{\begin{array}{ll}1& Y_u\ne Y_v,\\ 0& \text{otherwise}.\end{array}}$

Then ${\displaystyle C(S,\overline{S})=\sum _{uv\in E}{Y}_{uv}}$. Due to the linearity of expectation,

${\displaystyle \mathbf{E}[C(S,\overline{S})]=\sum _{uv\in E}\mathbf{E}[Y_{uv}]=\sum _{uv\in E}Pr[Y_u\ne Y_v]=\frac{|E|}{2}}$.

The maximum cut of a graph is at most ${\displaystyle |E|}$. Thus, the algorithm returns in expectation a cut with size at least half of the maximum cut.

We then show how to dereandomize this algorithm by pairwise independent bits.

Suppose that ${\displaystyle |V|=n}$ and enumerate the ${\displaystyle n}$ vertices by ${\displaystyle v_1,v_2,\dots ,v_n}$ in an arbitrary order. Let ${\displaystyle m=\lceil {\log }_2(n+1)\rceil }$. Sample ${\displaystyle m}$ bits ${\displaystyle X_1,\dots ,X_m\in \{0,1\}}$ uniformly and independently at random. Enumerate all nonempty subsets of ${\displaystyle \{1,2,\dots ,m\}}$ by ${\displaystyle S_1,S_2,\dots ,S_{2^m-1}}$. For each vertex ${\displaystyle v_j}$, let ${\displaystyle Y_{v_j}=\underset{i\in S_j}{⨁}{X}_i}$. The MAX-CUT algorithm uses these bits to construct the solution ${\displaystyle S}$:

• For ${\displaystyle j=1,2,\dots ,n}$, put ${\displaystyle v_j}$ into ${\displaystyle S}$ if ${\displaystyle Y_{v_j}=1}$.

We have shown that ${\displaystyle Y_{v_j}}$, ${\displaystyle j=1,2,\dots ,n}$, are uniform and pairwise independent. Thus we still have that ${\displaystyle Pr[Y_u\ne Y_v]=\frac{1}{2}}$. The above analysis still holds, so that the algorithm returns in expectation a cut with size at least ${\displaystyle \frac{|E|}{2}}$.

Finally, we notice that there are only ${\displaystyle m=\lceil {\log }_2(n+1)\rceil }$ total random bits in the new algorithm. We can enumerate all ${\displaystyle 2^m\le 2(n+1)}$ possible strings of ${\displaystyle m}$ bits, run the above algorithm with the bit strings as the "random sources", and output the maximum cut returned. There must exist a bit string ${\displaystyle X_1,\dots ,X_m\in \{0,1\}}$ on which the algorithm returns a cut of size ${\displaystyle \ge \frac{|E|}{2}}$ (why?). This gives us a deterministic polynomial time (actually ${\displaystyle O(n^2)}$ time) ${\displaystyle 1/2}$-approximation algorithm.

Application: Two-point sampling

Consider a Monte Carlo randomized algorithm with one-sided error for a decision problem ${\displaystyle f}$. We formulate the algorithm as a deterministic algorithm ${\displaystyle A}$ that takes as input ${\displaystyle x}$ and a uniform random number ${\displaystyle r\in [p]}$ where ${\displaystyle p}$ is a prime, such that for any input ${\displaystyle x}$:

• If ${\displaystyle f(x)=1}$, then ${\displaystyle Pr[A(x,r)=1]\ge \frac{1}{2}}$, where the probability is taken over the random choice of ${\displaystyle r}$.
• If ${\displaystyle f(x)=0}$, then ${\displaystyle A(x,r)=0}$ for any ${\displaystyle r}$.

We call ${\displaystyle r}$ the random source for the algorithm.

For the ${\displaystyle x}$ that ${\displaystyle f(x)=1}$, we call the ${\displaystyle r}$ that makes ${\displaystyle A(x,r)=1}$ a witness for ${\displaystyle x}$. For a positive ${\displaystyle x}$, at least half of ${\displaystyle [p]}$ are witnesses. The random source ${\displaystyle r}$ has polynomial number of bits, which means that ${\displaystyle p}$ is exponentially large, thus it is infeasible to find the witness for an input ${\displaystyle x}$ by exhaustive search. Deterministic overcomes this by having sophisticated deterministic rules for efficiently searching for a witness. Randomization, on the other hard, reduce this to a bit of luck, by randomly choosing an ${\displaystyle r}$ and winning with a probability of 1/2.

We can boost the accuracy (equivalently, reduce the error) of any Monte Carlo randomized algorithm with one-sided error by running the algorithm for a number of times.

Suppose that we sample ${\displaystyle t}$ values ${\displaystyle r_1,r_2,\dots ,r_t}$ uniformly and independently from ${\displaystyle [p]}$, and run the following scheme:

${\displaystyle B(x,r_1,r_2,\dots ,r_t):}$ return ${\displaystyle \underset{i=1}{\overset{t}{\bigvee }}A(x,r_i)}$;

That is, return 1 if any instance of ${\displaystyle A(x,r_i)=1}$. For any ${\displaystyle x}$ that ${\displaystyle f(x)=1}$, due to the independence of ${\displaystyle r_1,r_2,\dots ,r_t}$, the probability that ${\displaystyle B(x,r_1,r_2,\dots ,r_t)}$ returns an incorrect result is at most ${\displaystyle 2^{-t}}$. On the other hand, ${\displaystyle B}$ never makes mistakes for the ${\displaystyle x}$ that ${\displaystyle f(x)=0}$ since ${\displaystyle A}$ has no false positives. Thus, the error of the Monte Carlo algorithm is reduced to ${\displaystyle 2^{-t}}$.

Sampling ${\displaystyle t}$ mutually independent random numbers from ${\displaystyle [p]}$ can be quite expensive since it requires ${\displaystyle \mathrm{\Omega }(t\log p)}$ random bits. Suppose that we can only afford ${\displaystyle O(\log p)}$ random bits. In particular, we sample two independent uniform random number ${\displaystyle a}$ and ${\displaystyle b}$ from ${\displaystyle [p]}$. If we use ${\displaystyle a}$ and ${\displaystyle b}$ directly bu running two independent instances ${\displaystyle A(x,a)}$ and ${\displaystyle A(x,b)}$, we only get an error upper bound of 1/4.

The following scheme reduces the error significantly with the same number of random bits:

Algorithm

Choose two independent uniform random number ${\displaystyle a}$ and ${\displaystyle b}$ from ${\displaystyle [p]}$. Construct ${\displaystyle t}$ random number ${\displaystyle r_1,r_2,\dots ,r_t}$ by: ${\displaystyle \begin{array}{rl}\mathrm{\forall }1\le i\le t,& \text{let }{r}_i=(a\cdot i+b)modp.\end{array}}$ Run ${\displaystyle B(x,r_1,r_2,\dots ,r_t):}$.

Due to the discussion in the last section, we know that for ${\displaystyle t\le p}$, ${\displaystyle r_1,r_2,\dots ,r_t}$ are pairwise independent and uniform over ${\displaystyle [p]}$. Let ${\displaystyle X_i=A(x,r_i)}$ and ${\displaystyle X=\sum _{i=1}^t{X}_i}$. Due to the uniformity of ${\displaystyle r_i}$ and our definition of ${\displaystyle A}$, for any ${\displaystyle x}$ that ${\displaystyle f(x)=1}$, it holds that

${\displaystyle Pr[X_i=1]=Pr[A(x,r_i)=1]\ge \frac{1}{2}.}$

By the linearity of expectations,

${\displaystyle \mathbf{E}[X]=\sum _{i=1}^t\mathbf{E}[X_i]=\sum _{i=1}^{t}Pr[X_i=1]\ge \frac{t}{2}.}$

Since ${\displaystyle X_i}$ is Bernoulli trial with a probability of success at least ${\displaystyle p=1/2}$. We can estimate the variance of each ${\displaystyle X_i}$ as follows.

${\displaystyle \mathbf{V}\mathbf{a}\mathbf{r}[X_i]=p(1-p)\le \frac{1}{4}.}$

Applying Chebyshev's inequality, we have that for any ${\displaystyle x}$ that ${\displaystyle f(x)=1}$,

${\displaystyle \begin{array}{rl}Pr[\underset{i=1}{\overset{t}{\bigvee }}A(x,r_i)=0]& =Pr[X=0]\\ & \le Pr[|X-\mathbf{E}[X]|\ge \mathbf{E}[X]]\\ & \le Pr[|X-\mathbf{E}[X]|\ge \frac{t}{2}]\\ & \le \frac{4}{t^2}\sum _{i=1}^t\mathbf{V}\mathbf{a}\mathbf{r}[X_i]\\ & \le \frac{1}{t}.\end{array}}$

The error is reduced to ${\displaystyle 1/t}$ with only two random numbers. This scheme works as long as ${\displaystyle t\le p}$.

Universal Hashing

Hashing is one of the oldest tools in Computer Science. Knuth's memorandum in 1963 on analysis of hash tables is now considered to be the birth of the area of analysis of algorithms.

• Knuth. Notes on "open" addressing, July 22 1963. Unpublished memorandum.

The idea of hashing is simple: an unknown set ${\displaystyle S}$ of ${\displaystyle n}$ data items (or keys) are drawn from a large universe ${\displaystyle U=[N]}$ where ${\displaystyle N\gg n}$; in order to store ${\displaystyle S}$ in a table of ${\displaystyle M}$ entries (slots), we assume a consistent mapping (called a hash function) from the universe ${\displaystyle U}$ to a small range ${\displaystyle [M]}$.

This idea seems clever: we use a consistent mapping to deal with an arbitrary unknown data set. However, there is a fundamental flaw for hashing.

• For sufficiently large universe (${\displaystyle N>M(n-1)}$), for any function, there exists a bad data set ${\displaystyle S}$, such that all items in ${\displaystyle S}$ are mapped to the same entry in the table.

A simple use of pigeonhole principle can prove the above statement.

To overcome this situation, randomization is introduced into hashing. We assume that the hash function is a random mapping from ${\displaystyle [N]}$ to ${\displaystyle [M]}$. In order to ease the analysis, the following ideal assumption is used:

Simple Uniform Hash Assumption (SUHA or UHA, a.k.a. the random oracle model):

A uniform random function ${\displaystyle h:[N]\to [M]}$ is available and the computation of ${\displaystyle h}$ is efficient.

Families of universal hash functions

The assumption of completely random function simplifies the analysis. However, in practice, truly uniform random hash function is extremely expensive to compute and store. Thus, this simple assumption can hardly represent the reality.

There are two approaches for implementing practical hash functions. One is to use ad hoc implementations and wish they may work. The other approach is to construct class of hash functions which are efficient to compute and store but with weaker randomness guarantees, and then analyze the applications of hash functions based on this weaker assumption of randomness.

This route was took by Carter and Wegman in 1977 while they introduced universal families of hash functions.

Definition (universal hash families)

Let ${\displaystyle [N]}$ be a universe with ${\displaystyle N\ge M}$. A family of hash functions ${\displaystyle \mathcal{H}}$ from ${\displaystyle [N]}$ to ${\displaystyle [M]}$ is said to be ${\displaystyle k}$-universal if, for any items ${\displaystyle x_1,x_2,\dots ,x_k\in [N]}$ and for a hash function ${\displaystyle h}$ chosen uniformly at random from ${\displaystyle \mathcal{H}}$, we have ${\displaystyle Pr[h(x_1)=h(x_2)=\cdots =h(x_k)]\le \frac{1}{M^{k-1}}.}$ A family of hash functions ${\displaystyle \mathcal{H}}$ from ${\displaystyle [N]}$ to ${\displaystyle [M]}$ is said to be strongly ${\displaystyle k}$-universal if, for any items ${\displaystyle x_1,x_2,\dots ,x_k\in [N]}$, any values ${\displaystyle y_1,y_2,\dots ,y_k\in [M]}$, and for a hash function ${\displaystyle h}$ chosen uniformly at random from ${\displaystyle \mathcal{H}}$, we have ${\displaystyle Pr[h(x_1)=y_1\wedge h(x_2)=y_2\wedge \cdots \wedge h(x_k)=y_k]=\frac{1}{M^k}.}$

In particular, for a 2-universal family ${\displaystyle \mathcal{H}}$, for any elements ${\displaystyle x_1,x_2\in [N]}$, a uniform random ${\displaystyle h\in \mathcal{H}}$ has

${\displaystyle Pr[h(x_1)=h(x_2)]\le \frac{1}{M}.}$

For a strongly 2-universal family ${\displaystyle \mathcal{H}}$, for any elements ${\displaystyle x_1,x_2\in [N]}$ and any values ${\displaystyle y_1,y_2\in [M]}$, a uniform random ${\displaystyle h\in \mathcal{H}}$ has

${\displaystyle Pr[h(x_1)=y_1\wedge h(x_2)=y_2]=\frac{1}{M^2}.}$

This behavior is exactly the same as uniform random hash functions on any pair of inputs. For this reason, a strongly 2-universal hash family are also called pairwise independent hash functions.

2-universal hash families

The construction of pairwise independent random variables via modulo a prime introduced in Section 1 already provides a way of constructing a strongly 2-universal hash family.

Let ${\displaystyle p}$ be a prime. The function ${\displaystyle h_{a,b}:[p]\to [p]}$ is defined by

${\displaystyle h_{a,b}(x)=(ax+b)modp,}$

and the family is

${\displaystyle \mathcal{H}=\{h_{a,b}\mid a,b\in [p]\}.}$

Lemma

${\displaystyle \mathcal{H}}$ is strongly 2-universal.

Proof. In Section 1, we have proved the pairwise independence of the sequence of ${\displaystyle (ai+b)modp}$, for ${\displaystyle i=0,1,\dots ,p-1}$, which directly implies that ${\displaystyle \mathcal{H}}$ is strongly 2-universal. ${\displaystyle ◻}$

The original construction of Carter-Wegman

What if we want to have hash functions from ${\displaystyle [N]}$ to ${\displaystyle [M]}$ for non-prime ${\displaystyle N}$ and ${\displaystyle M}$? Carter and Wegman developed the following method.

Suppose that the universe is ${\displaystyle [N]}$, and the functions map ${\displaystyle [N]}$ to ${\displaystyle [M]}$, where ${\displaystyle N\ge M}$. For some prime ${\displaystyle p\ge N}$, let

${\displaystyle h_{a,b}(x)=((ax+b)modp)modM,}$

and the family

${\displaystyle \mathcal{H}=\{h_{a,b}\mid 1\le a\le p-1,b\in [p]\}.}$

Note that unlike the first construction, now ${\displaystyle a\ne 0}$.

Lemma (Carter-Wegman)

${\displaystyle \mathcal{H}}$ is 2-universal.

Proof. Due to the definition of ${\displaystyle \mathcal{H}}$, there are ${\displaystyle p(p-1)}$ many different hash functions in ${\displaystyle \mathcal{H}}$, because each hash function in ${\displaystyle \mathcal{H}}$ corresponds to a pair of ${\displaystyle 1\le a\le p-1}$ and ${\displaystyle b\in [p]}$. We only need to count for any particular pair of ${\displaystyle x_1,x_2\in [N]}$ that ${\displaystyle x_1\ne x_2}$, the number of hash functions that ${\displaystyle h(x_1)=h(x_2)}$. We first note that for any ${\displaystyle x_1\ne x_2}$, ${\displaystyle a{x}_1+b\not\equiv a{x}_2+b(\mathrm{mod}p)}$. This is because ${\displaystyle a{x}_1+b\equiv a{x}_2+b(\mathrm{mod}p)}$ would imply that ${\displaystyle a(x_1-x_2)\equiv 0(\mathrm{mod}p)}$, which can never happen since ${\displaystyle 1\le a\le p-1}$ and ${\displaystyle x_1\ne x_2}$ (note that ${\displaystyle x_1,x_2\in [N]}$ for an ${\displaystyle N\le p}$). Therefore, we can assume that ${\displaystyle (a{x}_1+b)modp=u}$ and ${\displaystyle (a{x}_2+b)modp=v}$ for ${\displaystyle u\ne v}$. Due to the Chinese remainder theorem, for any ${\displaystyle x_1,x_2\in [N]}$ that ${\displaystyle x_1\ne x_2}$, for any ${\displaystyle u,v\in [p]}$ that ${\displaystyle u\ne v}$, there is exact one solution to ${\displaystyle (a,b)}$ satisfying: ${\displaystyle \{\begin{array}{l}a{x}_1+b\equiv u(\mathrm{mod}p)\\ a{x}_2+b\equiv v(\mathrm{mod}p).\end{array}}$ After modulo ${\displaystyle M}$, every ${\displaystyle u\in [p]}$ has at most ${\displaystyle \lceil p/M\rceil -1}$ many ${\displaystyle v\in [p]}$ that ${\displaystyle v\ne u}$ but ${\displaystyle v\equiv u(\mathrm{mod}M)}$. Therefore, for every pair of ${\displaystyle x_1,x_2\in [N]}$ that ${\displaystyle x_1\ne x_2}$, there exist at most ${\displaystyle p(\lceil p/M\rceil -1)\le p(p-1)/M}$ pairs of ${\displaystyle 1\le a\le p-1}$ and ${\displaystyle b\in [p]}$ such that ${\displaystyle ((a{x}_1+b)modp)modM=((a{x}_2+b)modp)modM}$, which means there are at most ${\displaystyle p(p-1)/M}$ many hash functions ${\displaystyle h\in \mathcal{H}}$ having ${\displaystyle h(x_1)=h(x_2)}$ for ${\displaystyle x_1\ne x_2}$. For ${\displaystyle h}$ uniformly chosen from ${\displaystyle \mathcal{H}}$, for any ${\displaystyle x_1\ne x_2}$, ${\displaystyle Pr[h(x_1)=h(x_2)]\le \frac{p(p-1)/M}{p(p-1)}=\frac{1}{M}.}$ We prove that ${\displaystyle \mathcal{H}}$ is 2-universal. ${\displaystyle ◻}$

A construction used in practice

The main issue of Carter-Wegman construction is the efficiency. The mod operation is very slow, and has been so for more than 30 years.

The following construction is due to Dietzfelbinger et al. It was published in 1997 and has been practically used in various applications of universal hashing.

The family of hash functions is from ${\displaystyle [2^u]}$ to ${\displaystyle [2^v]}$. With a binary representation, the functions map binary strings of length ${\displaystyle u}$ to binary strings of length ${\displaystyle v}$. Let

${\displaystyle h_a(x)=\lfloor \frac{a\cdot xmod{2}^u}{2^{u-v}}\rfloor ,}$

and the family

${\displaystyle \mathcal{H}=\{h_a\mid a\in [2^v]\text{ and }a\text{ is odd}\}.}$

This family of hash functions does not exactly meet the requirement of 2-universal family. However, Dietzfelbinger et al proved that ${\displaystyle \mathcal{H}}$ is close to a 2-universal family. Specifically, for any input values ${\displaystyle x_1,x_2\in [2^u]}$, for a uniformly random ${\displaystyle h\in \mathcal{H}}$,

${\displaystyle Pr[h(x_1)=h(x_2)]\le \frac{1}{2^{v-1}}.}$

So ${\displaystyle \mathcal{H}}$ is within an approximation ratio of 2 to being 2-universal. The proof uses the fact that odd numbers are relative prime to a power of 2.

The function is extremely simple to compute in c language. We exploit that C-multiplication (*) of unsigned u-bit numbers is done ${\displaystyle mod{2}^u}$, and have a one-line C-code for computing the hash function:

h_a(x) = (a*x)>>(u-v)

The bit-wise shifting is a lot faster than modular. It explains the popularity of this scheme in practice than the original Carter-Wegman construction.

Collision number

Consider a 2-universal family ${\displaystyle \mathcal{H}}$ of hash functions from ${\displaystyle [N]}$ to ${\displaystyle [M]}$. Let ${\displaystyle h}$ be a hash function chosen uniformly from ${\displaystyle \mathcal{H}}$. For a fixed set ${\displaystyle S}$ of ${\displaystyle n}$ distinct elements from ${\displaystyle [N]}$, say ${\displaystyle S=\{x_1,x_2,\dots ,x_n\}}$, the elements are mapped to the hash values ${\displaystyle h(x_1),h(x_2),\dots ,h(x_n)}$. This can be seen as throwing ${\displaystyle n}$ balls to ${\displaystyle M}$ bins, with pairwise independent choices of bins.

As in the balls-into-bins with full independence, we are curious about the questions such as the birthday problem or the maximum load. These questions are interesting not only because they are natural to ask in a balls-into-bins setting, but in the context of hashing, they are closely related to the performance of hash functions.

The old techniques for analyzing balls-into-bins rely too much on the independence of the choice of the bin for each ball, therefore can hardly be extended to the setting of 2-universal hash families. However, it turns out several balls-into-bins questions can somehow be answered by analyzing a very natural quantity: the number of collision pairs.

A collision pair for hashing is a pair of elements ${\displaystyle x_1,x_2\in S}$ which are mapped to the same hash value, i.e. ${\displaystyle h(x_1)=h(x_2)}$. Formally, for a fixed set of elements ${\displaystyle S=\{x_1,x_2,\dots ,x_n\}}$, for any ${\displaystyle 1\le i,j\le n}$, let the random variable

${\displaystyle X_{ij}=\{\begin{array}{ll}1& \text{if }h(x_i)=h(x_j),\\ 0& \text{otherwise.}\end{array}}$

The total number of collision pairs among the ${\displaystyle n}$ items ${\displaystyle x_1,x_2,\dots ,x_n}$ is

${\displaystyle X=\sum _{i<j}{X}_{ij}.}$

Since ${\displaystyle \mathcal{H}}$ is 2-universal, for any ${\displaystyle i\ne j}$,

${\displaystyle Pr[X_{ij}=1]=Pr[h(x_i)=h(x_j)]\le \frac{1}{M}.}$

The expected number of collision pairs is

${\displaystyle \mathbf{E}[X]=\mathbf{E}\left[\sum _{i<j}{X}_{ij}\right]=\sum _{i<j}\mathbf{E}[X_{ij}]=\sum _{i<j}Pr[X_{ij}=1]\le (\genfrac{}{}{0ex}{}{n}{2})\frac{1}{M}<\frac{n^2}{2M}.}$

In particular, for ${\displaystyle n=M}$, i.e. ${\displaystyle n}$ items are mapped to ${\displaystyle n}$ hash values by a pairwise independent hash function, the expected collision number is ${\displaystyle \mathbf{E}[X]<\frac{n^2}{2M}=\frac{n}{2}}$.

Birthday problem

In the context of hash functions, the birthday problem ask for the probability that there is no collision at all. Since collision is something that we want to avoid in the applications of hash functions, we would like to lower bound the probability of zero-collision, i.e. to upper bound the probability that there exists a collision pair.

The above analysis gives us an estimation on the expected number of collision pairs, such that ${\displaystyle \mathbf{E}[X]<\frac{n^2}{2M}}$. Apply the Markov's inequality, for ${\displaystyle 0<ϵ<1}$, we have

${\displaystyle Pr[X\ge \frac{n^2}{2ϵM}]\le Pr[X\ge \frac{1}{ϵ}\mathbf{E}[X]]\le ϵ.}$

When ${\displaystyle n\le \sqrt{2ϵM}}$, the number of collision pairs is ${\displaystyle X\ge 1}$ with probability at most ${\displaystyle ϵ}$, therefore with probability at least ${\displaystyle 1-ϵ}$, there is no collision at all. Therefore, we have the following theorem.

Theorem

If ${\displaystyle h}$ is chosen uniformly from a 2-universal family of hash functions mapping the universe ${\displaystyle [N]}$ to ${\displaystyle [M]}$ where ${\displaystyle N\ge M}$, then for any set ${\displaystyle S\subset [N]}$ of ${\displaystyle n}$ items, where ${\displaystyle n\le \sqrt{2ϵM}}$, the probability that there exits a collision pair is ${\displaystyle Pr[\text{collision occurs}]\le ϵ.}$

Recall that for mutually independent choices of bins, for some ${\displaystyle n=\sqrt{2M\ln (1/ϵ)}}$, the probability that a collision occurs is about ${\displaystyle ϵ}$. For constant ${\displaystyle ϵ}$, this gives an essentially same bound as the pairwise independent setting. Therefore, the behavior of pairwise independent hash function is essentially the same as the uniform random hash function for the birthday problem. This is easy to understand, because birthday problem is about the behavior of collisions, and the definition of 2-universal hash function can be interpreted as "functions that the probability of collision is as low as a uniform random function".