${\displaystyle k}$-wise independence

Recall the definition of independence between events:

Definition (Independent events)

Events ${\displaystyle {\mathcal{E}}_1,{\mathcal{E}}_2,\dots ,{\mathcal{E}}_n}$ are mutually independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$, ${\displaystyle \begin{array}{rl}Pr\left[\underset{i\in I}{\bigwedge }{\mathcal{E}}_i\right]& =\prod _{i\in I}Pr[{\mathcal{E}}_i].\end{array}}$

Similarly, we can define independence between random variables:

Definition (Independent variables)

Random variables ${\displaystyle X_1,X_2,\dots ,X_n}$ are mutually independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$ and any values ${\displaystyle x_i}$, where ${\displaystyle i\in I}$, ${\displaystyle \begin{array}{rl}Pr[\underset{i\in I}{\bigwedge }(X_i=x_i)]& =\prod _{i\in I}Pr[X_i=x_i].\end{array}}$

Mutual independence is an ideal condition of independence. The limited notion of independence is usually defined by the k-wise independence.

Definition (k-wise Independenc)

1. Events ${\displaystyle {\mathcal{E}}_1,{\mathcal{E}}_2,\dots ,{\mathcal{E}}_n}$ are k-wise independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$ with ${\displaystyle |I|\le k}$ ${\displaystyle \begin{array}{rl}Pr\left[\underset{i\in I}{\bigwedge }{\mathcal{E}}_i\right]& =\prod _{i\in I}Pr[{\mathcal{E}}_i].\end{array}}$ 2. Random variables ${\displaystyle X_1,X_2,\dots ,X_n}$ are k-wise independent if, for any subset ${\displaystyle I\subseteq \{1,2,\dots ,n\}}$ with ${\displaystyle |I|\le k}$ and any values ${\displaystyle x_i}$, where ${\displaystyle i\in I}$, ${\displaystyle \begin{array}{rl}Pr[\underset{i\in I}{\bigwedge }(X_i=x_i)]& =\prod _{i\in I}Pr[X_i=x_i].\end{array}}$

A very common case is pairwise independence, i.e. the 2-wise independence.

Definition (pairwise Independent random variables)

Random variables ${\displaystyle X_1,X_2,\dots ,X_n}$ are pairwise independent if, for any ${\displaystyle X_i,X_j}$ where ${\displaystyle i\ne j}$ and any values ${\displaystyle a,b}$ ${\displaystyle \begin{array}{rl}Pr[X_i=a\wedge X_j=b]& =Pr[X_i=a]\cdot Pr[X_j=b].\end{array}}$

Note that the definition of k-wise independence is hereditary:

• If ${\displaystyle X_1,X_2,\dots ,X_n}$ are k-wise independent, then they are also ${\displaystyle \ell }$-wise independent for any ${\displaystyle \ell <k}$.
• If ${\displaystyle X_1,X_2,\dots ,X_n}$ are NOT k-wise independent, then they cannot be ${\displaystyle \ell }$-wise independent for any ${\displaystyle \ell >k}$.

Pairwise Independent Bits

Suppose we have ${\displaystyle m}$ mutually independent and uniform random bits ${\displaystyle X_1,\dots ,X_m}$. We are going to extract ${\displaystyle n=2^m-1}$ pairwise independent bits from these ${\displaystyle m}$ mutually independent bits.

Enumerate all the nonempty subsets of ${\displaystyle \{1,2,\dots ,m\}}$ in some order. Let ${\displaystyle S_j}$ be the ${\displaystyle j}$th subset. Let

${\displaystyle Y_j=\underset{i\in S_j}{⨁}{X}_i,}$

where ${\displaystyle \oplus }$ is the exclusive-or, whose truth table is as follows.

${\displaystyle a}$	${\displaystyle b}$	${\displaystyle a}$${\displaystyle \oplus }$${\displaystyle b}$
0	0	0
0	1	1
1	0	1
1	1	0

There are ${\displaystyle n=2^m-1}$ such ${\displaystyle Y_j}$, because there are ${\displaystyle 2^m-1}$ nonempty subsets of ${\displaystyle \{1,2,\dots ,m\}}$. An equivalent definition of ${\displaystyle Y_j}$ is

${\displaystyle Y_j=\left(\sum _{i\in S_j}{X}_i\right)mod2}$.

Sometimes, ${\displaystyle Y_j}$ is called the parity of the bits in ${\displaystyle S_j}$.

We claim that ${\displaystyle Y_j}$ are pairwise independent and uniform.

Theorem

For any ${\displaystyle Y_j}$ and any ${\displaystyle b\in \{0,1\}}$, ${\displaystyle \begin{array}{rl}Pr[Y_j=b]& =\frac{1}{2}.\end{array}}$ For any ${\displaystyle Y_j,Y_{\ell }}$ that ${\displaystyle j\ne \ell }$ and any ${\displaystyle a,b\in \{0,1\}}$, ${\displaystyle \begin{array}{rl}Pr[Y_j=a\wedge Y_{\ell }=b]& =\frac{1}{4}.\end{array}}$

The proof is left for your exercise.

Therefore, we extract exponentially many pairwise independent uniform random bits from a sequence of mutually independent uniform random bits.

Note that ${\displaystyle Y_j}$ are not 3-wise independent. For example, consider the subsets ${\displaystyle S_1=\{1\},S_2=\{2\},S_3=\{1,2\}}$ and the corresponding random bits ${\displaystyle Y_1,Y_2,Y_3}$. Any two of ${\displaystyle Y_1,Y_2,Y_3}$ would decide the value of the third one.

Pairwise Independent Variables

We now consider constructing pairwise independent random variables ranging over ${\displaystyle [p]=\{0,1,2,\dots ,p-1\}}$ for some prime ${\displaystyle p}$. Unlike the above construction, now we only need two independent random sources ${\displaystyle X_0,X_1}$, which are uniformly and independently distributed over ${\displaystyle [p]}$.

Let ${\displaystyle Y_0,Y_1,\dots ,Y_{p-1}}$ be defined as:

${\displaystyle \begin{array}{rl}{Y}_i=(X_0+i\cdot X_1)modp& \text{for }i\in [p].\end{array}}$

Theorem

The random variables ${\displaystyle Y_0,Y_1,\dots ,Y_{p-1}}$ are pairwise independent uniform random variables over ${\displaystyle [p]}$.

Proof. We first show that ${\displaystyle Y_i}$ are uniform. That is, we will show that for any ${\displaystyle i,a\in [p]}$, ${\displaystyle \begin{array}{rl}Pr[(X_0+i\cdot X_1)modp=a]& =\frac{1}{p}.\end{array}}$ Due to the law of total probability, ${\displaystyle \begin{array}{rl}Pr[(X_0+i\cdot X_1)modp=a]& =\sum _{j\in [p]}Pr[X_1=j]\cdot Pr[(X_0+ij)modp=a]\\ & =\frac{1}{p}\sum _{j\in [p]}Pr[X_0\equiv (a-ij)(\mathrm{mod}p)].\end{array}}$ For prime ${\displaystyle p}$, for any ${\displaystyle i,j,a\in [p]}$, there is exact one value in ${\displaystyle [p]}$ of ${\displaystyle X_0}$ satisfying ${\displaystyle X_0\equiv (a-ij)(\mathrm{mod}p)}$. Thus, ${\displaystyle Pr[X_0\equiv (a-ij)(\mathrm{mod}p)]=1/p}$ and the above probability is ${\displaystyle \frac{1}{p}}$. We then show that ${\displaystyle Y_i}$ are pairwise independent, i.e. we will show that for any ${\displaystyle Y_i,Y_j}$ that ${\displaystyle i\ne j}$ and any ${\displaystyle a,b\in [p]}$, ${\displaystyle \begin{array}{rl}Pr[Y_i=a\wedge Y_j=b]& =\frac{1}{p^2}.\end{array}}$ The event ${\displaystyle Y_i=a\wedge Y_j=b}$ is equivalent to that ${\displaystyle \{\begin{array}{l}(X_0+i{X}_1)\equiv a(\mathrm{mod}p)\\ (X_0+j{X}_1)\equiv b(\mathrm{mod}p)\end{array}}$ Due to the Chinese remainder theorem, there exists a unique solution of ${\displaystyle X_0}$ and ${\displaystyle X_1}$ in ${\displaystyle [p]}$ to the above linear congruential system. Thus the probability of the event is ${\displaystyle \frac{1}{p^2}}$. ${\displaystyle ◻}$

Universal Hashing

Hashing is one of the oldest tools in Computer Science. Knuth's memorandum in 1963 on analysis of hash tables is now considered to be the birth of the area of analysis of algorithms.

• Knuth. Notes on "open" addressing, July 22 1963. Unpublished memorandum.

The idea of hashing is simple: an unknown set ${\displaystyle S}$ of ${\displaystyle n}$ data items (or keys) are drawn from a large universe ${\displaystyle U=[N]}$ where ${\displaystyle N\gg n}$; in order to store ${\displaystyle S}$ in a table of ${\displaystyle M}$ entries (slots), we assume a consistent mapping (called a hash function) from the universe ${\displaystyle U}$ to a small range ${\displaystyle [M]}$.

This idea seems clever: we use a consistent mapping to deal with an arbitrary unknown data set. However, there is a fundamental flaw for hashing.

• For sufficiently large universe (${\displaystyle N>M(n-1)}$), for any function, there exists a bad data set ${\displaystyle S}$, such that all items in ${\displaystyle S}$ are mapped to the same entry in the table.

A simple use of pigeonhole principle can prove the above statement.

To overcome this situation, randomization is introduced into hashing. We assume that the hash function is a random mapping from ${\displaystyle [N]}$ to ${\displaystyle [M]}$. In order to ease the analysis, the following ideal assumption is used:

Simple Uniform Hash Assumption (SUHA or UHA, a.k.a. the random oracle model):

A uniform random function ${\displaystyle h:[N]\to [M]}$ is available and the computation of ${\displaystyle h}$ is efficient.

Families of universal hash functions

The assumption of completely random function simplifies the analysis. However, in practice, truly uniform random hash function is extremely expensive to compute and store. Thus, this simple assumption can hardly represent the reality.

There are two approaches for implementing practical hash functions. One is to use ad hoc implementations and wish they may work. The other approach is to construct class of hash functions which are efficient to compute and store but with weaker randomness guarantees, and then analyze the applications of hash functions based on this weaker assumption of randomness.

This route was took by Carter and Wegman in 1977 while they introduced universal families of hash functions.

Definition (universal hash families)

Let ${\displaystyle [N]}$ be a universe with ${\displaystyle N\ge M}$. A family of hash functions ${\displaystyle \mathcal{H}}$ from ${\displaystyle [N]}$ to ${\displaystyle [M]}$ is said to be ${\displaystyle k}$-universal if, for any items ${\displaystyle x_1,x_2,\dots ,x_k\in [N]}$ and for a hash function ${\displaystyle h}$ chosen uniformly at random from ${\displaystyle \mathcal{H}}$, we have ${\displaystyle Pr[h(x_1)=h(x_2)=\cdots =h(x_k)]\le \frac{1}{M^{k-1}}.}$ A family of hash functions ${\displaystyle \mathcal{H}}$ from ${\displaystyle [N]}$ to ${\displaystyle [M]}$ is said to be strongly ${\displaystyle k}$-universal if, for any items ${\displaystyle x_1,x_2,\dots ,x_k\in [N]}$, any values ${\displaystyle y_1,y_2,\dots ,y_k\in [M]}$, and for a hash function ${\displaystyle h}$ chosen uniformly at random from ${\displaystyle \mathcal{H}}$, we have ${\displaystyle Pr[h(x_1)=y_1\wedge h(x_2)=y_2\wedge \cdots \wedge h(x_k)=y_k]=\frac{1}{M^k}.}$

In particular, for a 2-universal family ${\displaystyle \mathcal{H}}$, for any elements ${\displaystyle x_1,x_2\in [N]}$, a uniform random ${\displaystyle h\in \mathcal{H}}$ has

${\displaystyle Pr[h(x_1)=h(x_2)]\le \frac{1}{M}.}$

For a strongly 2-universal family ${\displaystyle \mathcal{H}}$, for any elements ${\displaystyle x_1,x_2\in [N]}$ and any values ${\displaystyle y_1,y_2\in [M]}$, a uniform random ${\displaystyle h\in \mathcal{H}}$ has

${\displaystyle Pr[h(x_1)=y_1\wedge h(x_2)=y_2]=\frac{1}{M^2}.}$

This behavior is exactly the same as uniform random hash functions on any pair of inputs. For this reason, a strongly 2-universal hash family are also called pairwise independent hash functions.

2-universal hash families

The construction of pairwise independent random variables via modulo a prime introduced in Section 1 already provides a way of constructing a strongly 2-universal hash family.

Let ${\displaystyle p}$ be a prime. The function ${\displaystyle h_{a,b}:[p]\to [p]}$ is defined by

${\displaystyle h_{a,b}(x)=(ax+b)modp,}$

and the family is

${\displaystyle \mathcal{H}=\{h_{a,b}\mid a,b\in [p]\}.}$

Lemma

${\displaystyle \mathcal{H}}$ is strongly 2-universal.

Proof. In Section 1, we have proved the pairwise independence of the sequence of ${\displaystyle (ai+b)modp}$, for ${\displaystyle i=0,1,\dots ,p-1}$, which directly implies that ${\displaystyle \mathcal{H}}$ is strongly 2-universal. ${\displaystyle ◻}$

The original construction of Carter-Wegman

What if we want to have hash functions from ${\displaystyle [N]}$ to ${\displaystyle [M]}$ for non-prime ${\displaystyle N}$ and ${\displaystyle M}$? Carter and Wegman developed the following method.

Suppose that the universe is ${\displaystyle [N]}$, and the functions map ${\displaystyle [N]}$ to ${\displaystyle [M]}$, where ${\displaystyle N\ge M}$. For some prime ${\displaystyle p\ge N}$, let

${\displaystyle h_{a,b}(x)=((ax+b)modp)modM,}$

and the family

${\displaystyle \mathcal{H}=\{h_{a,b}\mid 1\le a\le p-1,b\in [p]\}.}$

Note that unlike the first construction, now ${\displaystyle a\ne 0}$.

Lemma (Carter-Wegman)

${\displaystyle \mathcal{H}}$ is 2-universal.

Proof. Due to the definition of ${\displaystyle \mathcal{H}}$, there are ${\displaystyle p(p-1)}$ many different hash functions in ${\displaystyle \mathcal{H}}$, because each hash function in ${\displaystyle \mathcal{H}}$ corresponds to a pair of ${\displaystyle 1\le a\le p-1}$ and ${\displaystyle b\in [p]}$. We only need to count for any particular pair of ${\displaystyle x_1,x_2\in [N]}$ that ${\displaystyle x_1\ne x_2}$, the number of hash functions that ${\displaystyle h(x_1)=h(x_2)}$. We first note that for any ${\displaystyle x_1\ne x_2}$, ${\displaystyle a{x}_1+b\not\equiv a{x}_2+b(\mathrm{mod}p)}$. This is because ${\displaystyle a{x}_1+b\equiv a{x}_2+b(\mathrm{mod}p)}$ would imply that ${\displaystyle a(x_1-x_2)\equiv 0(\mathrm{mod}p)}$, which can never happen since ${\displaystyle 1\le a\le p-1}$ and ${\displaystyle x_1\ne x_2}$ (note that ${\displaystyle x_1,x_2\in [N]}$ for an ${\displaystyle N\le p}$). Therefore, we can assume that ${\displaystyle (a{x}_1+b)modp=u}$ and ${\displaystyle (a{x}_2+b)modp=v}$ for ${\displaystyle u\ne v}$. Due to the Chinese remainder theorem, for any ${\displaystyle x_1,x_2\in [N]}$ that ${\displaystyle x_1\ne x_2}$, for any ${\displaystyle u,v\in [p]}$ that ${\displaystyle u\ne v}$, there is exact one solution to ${\displaystyle (a,b)}$ satisfying: ${\displaystyle \{\begin{array}{l}a{x}_1+b\equiv u(\mathrm{mod}p)\\ a{x}_2+b\equiv v(\mathrm{mod}p).\end{array}}$ After modulo ${\displaystyle M}$, every ${\displaystyle u\in [p]}$ has at most ${\displaystyle \lceil p/M\rceil -1}$ many ${\displaystyle v\in [p]}$ that ${\displaystyle v\ne u}$ but ${\displaystyle v\equiv u(\mathrm{mod}M)}$. Therefore, for every pair of ${\displaystyle x_1,x_2\in [N]}$ that ${\displaystyle x_1\ne x_2}$, there exist at most ${\displaystyle p(\lceil p/M\rceil -1)\le p(p-1)/M}$ pairs of ${\displaystyle 1\le a\le p-1}$ and ${\displaystyle b\in [p]}$ such that ${\displaystyle ((a{x}_1+b)modp)modM=((a{x}_2+b)modp)modM}$, which means there are at most ${\displaystyle p(p-1)/M}$ many hash functions ${\displaystyle h\in \mathcal{H}}$ having ${\displaystyle h(x_1)=h(x_2)}$ for ${\displaystyle x_1\ne x_2}$. For ${\displaystyle h}$ uniformly chosen from ${\displaystyle \mathcal{H}}$, for any ${\displaystyle x_1\ne x_2}$, ${\displaystyle Pr[h(x_1)=h(x_2)]\le \frac{p(p-1)/M}{p(p-1)}=\frac{1}{M}.}$ We prove that ${\displaystyle \mathcal{H}}$ is 2-universal. ${\displaystyle ◻}$

A construction used in practice

The main issue of Carter-Wegman construction is the efficiency. The mod operation is very slow, and has been so for more than 30 years.

The following construction is due to Dietzfelbinger et al. It was published in 1997 and has been practically used in various applications of universal hashing.

The family of hash functions is from ${\displaystyle [2^u]}$ to ${\displaystyle [2^v]}$. With a binary representation, the functions map binary strings of length ${\displaystyle u}$ to binary strings of length ${\displaystyle v}$. Let

${\displaystyle h_a(x)=\lfloor \frac{a\cdot xmod{2}^u}{2^{u-v}}\rfloor ,}$

and the family

${\displaystyle \mathcal{H}=\{h_a\mid a\in [2^v]\text{ and }a\text{ is odd}\}.}$

This family of hash functions does not exactly meet the requirement of 2-universal family. However, Dietzfelbinger et al proved that ${\displaystyle \mathcal{H}}$ is close to a 2-universal family. Specifically, for any input values ${\displaystyle x_1,x_2\in [2^u]}$, for a uniformly random ${\displaystyle h\in \mathcal{H}}$,

${\displaystyle Pr[h(x_1)=h(x_2)]\le \frac{1}{2^{v-1}}.}$

So ${\displaystyle \mathcal{H}}$ is within an approximation ratio of 2 to being 2-universal. The proof uses the fact that odd numbers are relative prime to a power of 2.

The function is extremely simple to compute in c language. We exploit that C-multiplication (*) of unsigned u-bit numbers is done ${\displaystyle mod{2}^u}$, and have a one-line C-code for computing the hash function:

h_a(x) = (a*x)>>(u-v)

The bit-wise shifting is a lot faster than modular. It explains the popularity of this scheme in practice than the original Carter-Wegman construction.