Random self-reducibility (RSR) is the rule that a good algorithm for the average case implies a good algorithm for the worst case. RSR is the ability to solve all instances of a problem by solving a large fraction of the instances.
Definition
If for a
function
Function or functionality may refer to:
Computing
* Function key, a type of key on computer keyboards
* Function model, a structured representation of processes in a system
* Function object or functor or functionoid, a concept of object-oriente ...
''f'' evaluating any instance ''x'' can be reduced in polynomial time to the evaluation of ''f'' on one or more
random
In common usage, randomness is the apparent or actual lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no :wikt:order, order and does not follow an intelligible pattern or combination. Ind ...
instances ''y
i'', then it is self-reducible (this is also known as a ''non-adaptive uniform self-reduction''). In a random self-reduction, an arbitrary worst-case instance ''x'' in the domain of ''f'' is mapped to a random set of instances ''y''
1, ..., ''y
k''. This is done so that ''f''(''x'') can be computed in polynomial time, given the coin-toss sequence from the mapping, ''x'', and ''f''(''y''
1), ..., ''f''(''y
k''). Therefore, taking the average with respect to the induced distribution on ''y
i'', the
average-case complexity of ''f'' is the same (within polynomial factors) as the worst-case randomized complexity of ''f''.
One special case of note is when each random instance ''y
i'' is distributed uniformly over the entire set of elements in the domain of ''f'' that have a length of , ''x'', . In this case ''f'' is as hard on average as it is in the worst case. This approach contains two key restrictions. First the generation of ''y''
1, ..., ''y
k'' is performed non-adaptively. This means that ''y''
2 is picked before ''f''(''y''
1) is known. Second, it is not necessary that the points ''y''
1, ..., ''y
k'' be uniformly distributed.
Application in cryptographic protocols
Problems that require some privacy in the data (typically ''cryptographic problems'') can use randomization to ensure that privacy. In fact, the only provably secure cryptographic system (the
one-time pad
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is not smaller than the message being sent. In this technique, a plaintext is paired with a ran ...
) has its security relying totally on the ''randomness'' of the key data supplied to the system.
The field of
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
utilizes the fact that certain number-theoretic functions are randomly self-reducible. This includes
probabilistic encryption
Probabilistic encryption is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. The term "probabilistic encryption" is typically used in referen ...
and cryptographically strong
pseudorandom number generation. Also,
instance-hiding schemes (where a weak private device uses a strong public device without revealing its data) are easily exemplified by random self-reductions.
Examples
The
discrete logarithm
In mathematics, for given real numbers ''a'' and ''b'', the logarithm log''b'' ''a'' is a number ''x'' such that . Analogously, in any group ''G'', powers ''b'k'' can be defined for all integers ''k'', and the discrete logarithm log''b' ...
problem, the
quadratic residuosity problem The quadratic residuosity problem (QRP) in computational number theory is to decide, given integers a and N, whether a is a quadratic residue modulo N or not.
Here N = p_1 p_2 for two unknown primes p_1 and p_2, and a is among the numbers which are ...
, the
RSA inversion problem, and the problem of computing the
permanent
Permanent may refer to:
Art and entertainment
* ''Permanent'' (film), a 2017 American film
* ''Permanent'' (Joy Division album)
* "Permanent" (song), by David Cook
Other uses
* Permanent (mathematics), a concept in linear algebra
* Permanent (cy ...
of a matrix are each random self-reducible problems.
Discrete logarithm
''Theorem'': Given a cyclic group ''G'' of size , ''G'', . If a deterministic polynomial time algorithm ''A'' computes the discrete logarithm for a 1/poly(''n'') fraction of all inputs (where ''n'' = log , ''G'', is the input size), then there is a randomized polynomial time algorithm for discrete logarithm for all inputs.
Given a generator ''g'' of a cyclic group ''G'' = , and an ''x'' ∈ ''G'', the discrete log of ''x'' to the base ''g'' is the integer ''k'' (0 ≤ ''k'' < , ''G'', ) with ''x'' = ''g''
''k''. Take ''B'' to be distributed uniformly on {0,...,, ''G'', − 1}, then ''xg''
''B'' = ''g''
''k''+''B'' is also distributed uniformly on ''G''. Therefore ''xg''
''B'' is independent of ''x'', and its logarithm can be computed with probability 1/poly(''n'') in polynomial time. Then log
g''x'' ≡ log
''g''''xg''
''B'' - ''B'' (mod , ''G'', ) and the discrete logarithm is self-reducible.
Permanent of a matrix
Given the definition of the
permanent
Permanent may refer to:
Art and entertainment
* ''Permanent'' (film), a 2017 American film
* ''Permanent'' (Joy Division album)
* "Permanent" (song), by David Cook
Other uses
* Permanent (mathematics), a concept in linear algebra
* Permanent (cy ...
of a matrix, it is clear that ''PERM''(''M'') for any ''n''-by-''n'' matrix ''M'' is a multivariate polynomial of degree ''n'' over the entries in ''M''. Calculating the permanent of a matrix is a difficult computational task—''PERM'' has been shown to be
#P-complete (
proof). Moreover, the ability to compute ''PERM''(''M'') for most matrices implies the existence of a random program that computes ''PERM''(''M'') for all matrices. This demonstrates that ''PERM'' is random self-reducible. The discussion below considers the case where the matrix entries are drawn from a finite field ''F
p'' for some prime ''p'', and where all arithmetic is performed in that field.
Let ''X'' be a random ''n''-by-''n'' matrix with entries from ''F
p''. Since all the entries of any matrix ''M'' + ''kX'' are linear functions of ''k'', by composing those linear functions with the degree ''n'' multivariate polynomial that calculates ''PERM''(''M'') we get another degree ''n'' polynomial on ''k'', which we will call ''p''(''k''). Clearly, ''p''(0) is equal to the permanent of ''M''.
Suppose we know a program that computes the correct value of ''PERM''(''A'') for most ''n''-by-''n'' matrices with entries from ''F
p''---specifically, 1 − 1/(3''n'') of them. Then with probability of approximately two-thirds, we can calculate ''PERM''(''M'' + ''kX'') for ''k'' = 1,2,...,''n'' + 1. Once we have those ''n'' + 1 values, we can solve for the coefficients of ''p''(''k'') using
interpolation
In the mathematical field of numerical analysis, interpolation is a type of estimation, a method of constructing (finding) new data points based on the range of a discrete set of known data points.
In engineering and science, one often has a n ...
(remember that ''p''(''k'') has degree ''n''). Once we know ''p''(''k'') exactly, we evaluate ''p''(0), which is equal to ''PERM''(''M'').
If we do so, we run the risk of being wrong 1/3 of the time, but by picking multiple random ''X''s and repeating the above procedure many times, and only providing the majority winner as an answer, we can drive the error rate down very low.
Consequences
* If an
NP-complete
In computational complexity theory, a problem is NP-complete when:
# it is a problem for which the correctness of each solution can be verified quickly (namely, in polynomial time) and a brute-force search algorithm can find a solution by tryi ...
problem is non-adaptively random self-reducible the
polynomial hierarchy
In computational complexity theory, the polynomial hierarchy (sometimes called the polynomial-time hierarchy) is a hierarchy of complexity classes that generalize the classes NP and co-NP. Each class in the hierarchy is contained within PSPACE. T ...
collapses to Σ
3.
* If a
CoNP-hard problem is random self-reducible in ''O''(log ''n''/''n'') then Σ
2 = Π
2.
References
* M. Abadi, J. Feigenbaum, and J. Kilian, ''On Hiding Information from an Oracle'', J. Comput. Syst. Sci., 1989
* S. Arora, ''Around the PCP Theorem'', 1996
J. Feigenbaum, L. Fortnow, ''On the Random-self-reducibility of Complete Sets'', 1991
Randomized algorithms