Lecture Notes in Computer Science 2976 Edited by G. Goos, J. Hartmanis, and J. van Leeuwen

Thông tin tài liệu

Lecture Notes in Computer Science Edited by G Goos, J Hartmanis, and J van Leeuwen 2976 Berlin Heidelberg New York Hong Kong London Milan Paris Tokyo Martin Farach-Colton (Ed.) LATIN 2004: Theoretical Informatics 6th Latin American Symposium Buenos Aires, Argentina, April 5-8, 2004 Proceedings 13 Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editor Martin Farach-Colton Rutgers University Department of Computer Science, Piscataway, NJ 08855, USA E-mail: farach@cs.rutgers.edu Cataloging-in-Publication Data applied for A catalog record for this book is available from the Library of Congress Bibliographic information published by Die Deutsche Bibliothek Die Deutsche Bibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data is available in the Internet at CR Subject Classification (1998): F.2, F.1, E.1, E.3, G.2, G.1, I.3.5, F.3, F.4 ISSN 0302-9743 ISBN 3-540-21258-2 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag Violations are liable for prosecution under the German Copyright Law Springer-Verlag is a part of Springer Science+Business Media springeronline.com c Springer-Verlag Berlin Heidelberg 2004 Printed in Germany Typesetting: Camera-ready by author, data conversion by PTP-Berlin, Protago-TeX-Production GmbH Printed on acid-free paper SPIN: 10989654 06/3142 543210 Preface This volume contains the proceedings of the Latin American Theoretical Informatics (LATIN) conference that was held in Buenos Aires, Argentina, April 5–8, 2004 The LATIN series of symposia was launched in 1992 to foster interactions between the Latin American community and computer scientists around the world This was the sixth event in the series, following S˜ ao Paulo, Brazil (1992), Valparaiso, Chile (1995), Campinas, Brazil (1998), Punta del Este, Uruguay (2000), and Cancun, Mexico (2002) The proceedings of these conferences were also published by Springer-Verlag in the Lecture Notes in Computer Science series: Volumes 583, 911, 1380, 1776, and 2286, respectively Also, as before, we published a selection of the papers in a special issue of a prestigious journal We received 178 submissions Each paper was assigned to four program committee members, and 59 papers were selected This was 80% more than the previous record for the number of submissions We feel lucky to have been able to build on the solid foundation provided by the increasingly successful previous LATINs And we are very grateful for the tireless work of Pablo Mart´ınez López, the Local Arrangements Chair Finally, we thank Springer-Verlag for publishing these proceedings in its LNCS series December 2003 Martin Farach-Colton VI Preface Invited Presentations Cynthia Dwork, Microsoft Research, USA Mike Paterson, University of Warwick, UK Yoshiharu Kohayakawa, Universidade de S˜ ao Paulo, Brazil Jean-Eric Pin, CNRS/Université Paris VII, France Dexter Kozen, Cornell University, NY, USA Organization Program Chair Local Arrangments Chair Steering Committee Martin Farach-Colton, Rutgers University, USA Pablo Mart´ınez López, Univ Nacional de La Plata, Argentina Ricardo Baeza Yates, Univ de Chile, Chile Gaston Gonnet, ETH Zurich, Switzerland Claudio Lucchesi, Univ de Campinas, Brazil Imre Simon, Univ de S˜ ao Paulo, Brazil Program Committee Michael Bender, SUNY Stony Brook, USA Gerth Brodal, University of Aarhus, Denmark Fabian Chudak, ETH, Switzerland Mary Cryan, University of Leeds, UK Pedro D’Argenio, UNC, Argentina Martin Farach-Colton (Chair), Rutgers University, USA David Fern´ andez-Baca, Iowa State University, USA Paolo Ferragina, Universit` a di Pisa, Italy Juan Garay, Bell Labs, USA Claudio Guti´ errez, Universidad de Chile, Chile John Iacono, Polytechnic University, USA Bruce Kapron, University of Victoria, Canada Valerie King, University of Victoria, Canada Marcos Kiwi, Universidad de Chile, Chile Sulamita Klein, Univ Federal Rio de Janeiro, Brazil Stefan Langerman, Université Libre de Bruxelles, Belgium Moshe Lewenstein, Bar Ilan University, Israel Alex L´ opez-Ortiz, University of Waterloo, Canada Eduardo Sany Laber, PUC-Rio, Brazil Pablo E Mart´ınez L´ opez, UNLP, Argentina S Muthukrishnan, Rutgers Univ and AT&T Labs, USA Sergio Rajsbaum, Univ Nacional Aut´ onoma de México, Mexico Andrea Richa, Arizona State University, USA Gadiel Seroussi, HP Labs, USA Alistair Sinclair, UC Berkeley, USA Danny Sleator, Carnegie Mellon University, USA VIII Organization Local Arrangements Committee Eduardo Bonelli, Universidad Nacional de La Plata Carlos “Greg” Diuk, Universidad de Buenos Aires Santiago Figueira, Universidad de Buenos Aires Carlos L´ opez Pombo, Universidad de Buenos Aires Mat´ıas Menni, Universidad Nacional de La Plata Pablo E Mart´ınez L´ opez (Chair), Univ de La Plata Alejandro Russo, Universidad de Buenos Aires Marcos Urbaneja S´ anchez, Universidad Nacional de La Plata Hugo Zaccheo, Universidad Nacional de La Plata Referees Dimitris Achlioptas Ali Akhavi David Aldous Jorge Almeida Greg Aloupis Andris Ambainis Eric Bach Pablo Barcelo Alexander Barg Elad Barkan Paulo Barreto Tomas Barros Cecilia Bastarrica Gabriel Baum Amir Ben-Amram Julien Bernet Javier Blanco Paulo Blauth Hans Bodlaender Philip Bohannon Eduardo Bonelli Prosenjit Bose Herve Brăonnimann Veronique Bruyere John Brzozowski Ayelet Butman Ying Cai Carlile Campos Lavor Héctor Cancela Jean Cardinal Olivier Carton Moses Charikar Chandra Chekuri Koen Claessen Don Coppersmith Massimo Coppola Ricardo Corin Peter Csorba Ricardo Dahab Ivan Damgaard Gianna Del Corso Erik Demaine Vinay Deolalikar Vania Maria F Dias Irit Dinur Shlomi Dolev Dan Dougherty Vida Dujmovic Dannie Durand Jerome Durand-Lose Nadav Efraty John Ellis Hazel Everett Luerbio Faria S´ andor P Fekete Claudson Ferreira Bornstein Santiago Figueira Celina M H de Figueiredo Philippe Flajolet Paola Flocchini Gudmund S Frandsen Antonio Frangioni Ari Freund Daniel Fridlender Alan Frieze Fabio Gadducci Naveen Garg Leszek Gasieniec Vincenzo Gervasi Jovan Golic Roberto Grossi Antonio Gulli Hermann Haeusler Petr Hajek Angele Hamel Darrel Hankerson Carmit Harel Amir Herzberg Alejandro Hevia Steve Homer Carlos Hurtado Ferran Hurtado Lucian Ilie Neil Immerman Andre Inacio Reis Gabriel Infante Lopez Achim Jung Charanjit Jutla Mehmet Hakan Karaata Hakan Karaata Makino Kazuhisa Organization Carmel Kent Claire Kenyon Tien Kieu Tomi Klein Jon Kleinberg Lars R Knudsen Cetin Koc Ulrich Kohlenbach Goran Konjevod Peter Kornerup Margarita Korovina Guy Kortsarz Natalio Krasnogor Danny Krizanc Marcos Kurban Alair Lago Leema Lallmamode Orlando Lee Noa Lewenstein Yehuda Lindell Ricardo Linden Claudia Linhares Marina Lipshtein Errol Lloyd Martin Loebl John Longley Fabrizio Luccio Alejandro Maass Guido Macchi Phil MacKenzie Nelson Maculan Francesco Maffioli Greg Malewicz Arnaldo Mandel Giovanni Manzini Alvaro Mart´ın Demetrio Martin Vilela Carlos Alberto Martinhon Brian Mayoh Robert W McGrail Candido F.X de Mendonca Mat´ıas Menni Andrea Mennucci Peter Merz Fatma Mili Ruy Milidiu Peter Bro Miltersen Manuela Montangero Pat Morin Rémi Morin Sergio Mu˜ noz Seffi Naor Gonzalo Navarro Alantha Newman Stefan Nickel Peter Niebert Rolf Niedermeier Soohyun Oh Alfredo Olivero Nicolas Ollinger Melih Onus Erik Ordentlich Friedrich Otto Daniel Panario Alessandro Panconesi Luis Pardo Rodrigo Paredes Ojas Parekh Michal Parnas Mike Paterson Boaz Patt-Shamir David Peleg Marco Pellegrini David Pelta Daniel Penazzi Pino Persiano Ra´ ul Piaggio Benny Pinkas Nadia Pisanti Ely Porat Daniele Pretolani Corrado Priami Cristophe Prieur Kirk Pruhs Geppino Pucci Claude-Guy Quimper Rajmohan Rajaraman Desh Ranjan Matt Robshaw Ricardo Rodr´ıguez Alexander Russell Andrei Sabelfeld Kai Salomaa Louis Salvail Luigi Santocanale Eric Schost Matthias Schră oder Marinella Sciortino Michael Segal Arun Sen Rahul Shah Jeff Shallit Scott Shenker David Shmoys Amin Shokrollahi Igor Shparlinski Riccardo Silvestri Guillermo Simari Imre Simon Bjarke Skjernaa Dan Spielman Jessica Staddon Mike Steele William Steiger Bernd Sturmfels Subhash Suri Maxim Sviridenko Wojciech Szpankowski Shang-Hua Teng Siegbert Tiga Loana Tito Nogueira Yaroslav Usenko Santosh Vempala Newton Vieira Narayan Vikas Jorge Villavicencio Alfredo Viola Elisa Viso Marcelo Weinberger Nicolas Wolovick David Wood Jinyun Yuan Michal Ziv-Ukelson IX X Organization Sponsoring Institutions 550 A Arratia and C.E Ortiz We consider first the formula, (P (z) ≥ qij /ri )φ(a, z) Fix an arbitrary m satisfying that F (m) = F (m + 1), m + > ri and m ≡ri −1 for every i ≤ k, fix a1 , , as < m Let t be a natural number such that m = tri + ri − Now, if Bm |= (P (z) ≥ qij /ri )φ(a, z) and since gcd(ri , m) = 1, then |{z < m : Bm |= φ(a, z)}| > qij m qij (tri + ri − 1) qij = = qij (t + 1) − ri ri ri and since qij < ri , we obtain that |{z < m : Bm |= φ(a, z)}| ≥ qij (t + 1) By induction hypothesis we get that |{z < m + : Bm+1 |= φ(a, z)}| ≥ qij (t + 1) = qij qij (t + 1)(ri ) = (m + 1), ri ri which implies that µ({z < m + : Bm+1 |= φ(a, z)}) ≥ qij /ri , that is Bm+1 |= (P (z) ≥ qij /ri )φ(a, z), which is the desired result Next we consider the formula (P (z) > qij /ri )φ(a, z) and we shall prove that case holds for this formula Fix an arbitrary m satisfying that F (m) = F (m + 1), m + > ri and m ≡ri −1 for every i ≤ k, fix a1 , , as < m Let t be a natural number such that m = tri +ri −1 If Bm |= (P (z) ≤ qij /ri )φ(a, z) and since gcd(ri , m) = 1, then |{z < m : Bm |= φ(a, z)}| < qij m qij (tri + ri − 1) qij = = qij (t + 1) − ri ri ri and since qij < ri , we obtain that |{z < m : Bm |= φ(a, z)}| ≤ qij (t + 1) By induction hypothesis we get that |{z < m + : Bm+1 |= φ(a, z)}| ≤ qij (t + 1) = qij qij (t + 1)(ri ) = (m + 1) ri ri which implies that µ({z < m + : Bm+1 |= φ(a, z)}) ≤ qij /ri , that is, Bm+1 |= (P (z) ≤ qij /ri )φ(a, z), which give us case for this formula The proofs for both type of probability quantifiers under the assumption that case holds for φ are just the counterpositive versions of the two cases just proved The above lemma can be used to prove separation of different fragments of LP M OD Theorem Let r, r1 , r2 , , rk be distinct non zero natural numbers, and such that r is relatively prime with each r1 , , rk Then LP M OD [r1 , , rk ] is properly contained in LP M OD [r1 rk , r] Approximating the Expressive Power of Logics in Finite Models 551 Proof It is obvious that LP M OD [r1 , , rk ] is contained in LP M OD [r1 , , rk , r] Furthermore, we saw (Example 4) that the query: “the size of the model is a multiple of r” is expressible in LP M OD (Γ )[r] We will show that this query is not expressible in LP[r1 , rk ]M OD (Γ ) More specifically, we will show that there is no sentence φ in LP gn [r1 , rk ](Γ ) that defines the above query, where k gn is the sublinear function defined in Example 3, for all n > ( i=1 ri )r Recall that the collection of all arithmetic models C = {Am }∞ m=1 forms a chain It follows that for every n, the collection Cgn = {Agmn }∞ m=1 forms a gn -chain Suppose now that there exists a sentence φ in LP gn [r1 , rk ](Γ ) that captures the query “the size of the model is a multiple of r” for all (except finitely many) structures Agmn Then we can apply Lemma and get the following: n For every two models Agmn and Agm+1 in Cgn such that m + > ri , m ≡ri −1 for every i, and gn (m) = gn (m + 1), we have that at least one of the following two cases hold n n (1) Agmn |= φ implies Agm+1 |= φ, or (2) Agm+1 |= φ implies Agmn |= φ Suppose it is case that is true Using that r is relatively prime with the ri ’s together with the Generalized Chinese Remainder Theorem we can get a natural k number b ≤ ( i=1 ri )r such that b ≡ri −1 for every i and b ≡r Let D be the k collection of naturals m such that m = r( i=1 ri )tn + b for some natural t > Clearly m + > ri , m ≡ri −1 for every i, and gn (m) = gn (m + 1) Furthermore, D is infinite and for every m ∈ D, m ≡r It follows that for almost all the n m ∈ D, Agmn |= φ and, in consequence, for almost all the m ∈ D, Agm+1 |= φ, i.e for almost all elements m of D, m + is a multiple of r, which is impossible Suppose it is case that kis true Then by a similar argument as above we prove the existence of b ≤ ( i=1 ri )r such that b ≡ri −1 for every i and b ≡r −1 Let D be the same as above Then D is infinite and for every m ∈ D, m ≡r −1 n |= φ and, in consequence, for It follows that for almost all the m ∈ D, Agm+1 gn almost all the m ∈ D, Am |= φ, i.e for almost all elements m of D, m is a multiple of r, which is impossible We conclude that such sentence φ can not exists in LP gn [r1 , rk ](Γ ) Corollary The expressive power of F OM OD is strictly weaker than the expressive power of LP M OD [2] This last result, for modular logics, corresponds to the separation of FO and FO + M in the context of arithmetic models, which in turn is equivalent to the separation of AC0 from TC0 shown by Ajtai and independently by Furst, Saxe and Sipser (see [5] for a nice exposition of this result and references) Approximating LP A with LP M OD We introduce the notion of approximate formulas This concept will provide a link between satisfaction in arithmetic structures and satisfaction in modular approximations of these arithmetic structures 552 A Arratia and C.E Ortiz Definition (Approximate Formulas) For every formula in prenex normal form θ(x) ∈ LP(Γ + ), for every ≤ < 1, we define the -approximation of θ(x) as follows: Atomic formulas If θ(x) := Rs (x, c) then θ (x) := Rs (x, c) Negation of atomic formulas If θ(x) := ¬Rs (x, c) then θ (x) := ¬Rs (x, c) Conjunction If θ(x) := φ(x) ∧ ψ(x) then θ (x) := φ (x) ∧ ψ (x) Disjunction If θ(x) := φ(x) ∨ ψ(x) then θ (x) := φ (x) ∨ ψ (x) Existential quantification If θ(x) := ∃zφ(x, z) then θ (x) := ∃zφ (x, z) Universal quantification If θ(x) := ∀zφ(x, z) then θ (x) := (P (z) > − )φ (x, z) Probability quantifiers If θ(x) := (P (z) > r)φ(x, z) then θ (x) := (P (z) > r − min(, r))φ (x, z) If θ(x) := (P (z) ≥ r)φ(x, z) then θ (x) := (P (z) ≥ r − min(, r))φ (x, z) The next lemma provides the basic operational properties of the approximate formulas Lemma For every formula (in prenex normal form) θ(x) ∈ LP(Γ + ), for every < < 1, for every finite structure Bm and every vector a < m the following holds: – If < < δ < then Bm |= θ(a) → θ (a) → θδ (a) – If {i }∞ i=1 is a sequence of real numbers less than and converging to 0, then If (∀i ∈ N, Bm |= θi (a)) then Bm |= θ(a) The purpose of the next theorem is to establish an “approximation” relationship between satisfaction in the modular logic LP M OD and satisfaction in LP A via the approximate formulas Theorem (Bridge Theorem) Fix a natural n For every formula in prenex normal form θ(x) ∈ LP(Γ + ), for every arithmetic model Am with m > n2 , for every a < gn (m), the following holds: Agmn |= θ(a) implies Am |=θ1/n (a) Proof By induction in the complexity of the formula Atomic formulas and negation of atomic formulas (Hint: for atomic formulas and their negation θ1/n is the same as θ.) Conjunction, disjunction Direct Existential quantifier (Hint: Suppose Agmn |= ∃zθ(a, z) Then use Lemma and that Agmn is gn -modular to conclude θ(x, z) is gn -modular for Agmn and, hence, Agmn |= θ(a, [c]gn (m) ) for some c < m.) Universal quantifier Suppose that Agmn satisfies the formula ∀zθ(a, z) Then for every c < gn (m) we have that Agmn |= θ(a, c) We can apply now the induction hypothesis to obtain that for every c < gn (m) we have that Am |= (m) n θ1/n (a, c) Since m−gmn (m) ≤ m and m > n2 we get that gnm > 1− n1 , which implies Am |= (P (z) > − n1 )θ1/n (a, c) Approximating the Expressive Power of Logics in Finite Models 553 Probability quantification Suppose that Agmn satisfies the formula (P (z) > r)θ(a, z) for < r < It follows that |{c < m : Agmn |= θ(a, c)}| > rm Then we get that |{c < gn (m) : Agmn |= θ(a, c)}| > rm − (m − gn (m)) Applying the induction hypothesis we obtain that |{c < m : Am |= θ1/n (a, c)}| > rm − (m − gn (m)) It follows that µm ({c < m : Am |= θ1/n (a, c)}) > r− (m − gn (m)) = r − since m > n2 m n rm − (m − gn (m)) = m But this last statement is just Am |= (P (z) > r − n1 )θ1/n (a, z) The gist of the above result is to give a quantifiable relationship between satisfaction of a formula in the structures Agmn and satisfaction of its approximation in Am It implies the following relationship between boolean queries captured by LP A and the boolean queries captured in LP M OD (We will abbreviate by (¬θ) , for θ ∈ LP(Γ + ), the -approximation of the formula equivalent to ¬θ.) Corollary Assume there is a boolean query B, a natural n and a formula θ ∈ LP(Γ + ) such that for every arithmetic model Am , with m > n2 , if Am |= θ1/n then Am ∈ B, and if Am |= (¬θ)1/n then Am ∈ B Then for every m > n2 , Am ∈ B iff Agmn |= θ P and the Logic LP Extended The first problem shown to be complete for the class P, deterministic polynomial time, was Path System Accessibility due to Cook [2] An instance of the Path System Accessibility problem, which we abbreviate from now on as PS, is a finite structure A = A, R, T, s, or a path system, where the universe A consists of, say, n vertices, a relation R ⊆ A × A × A (the rules of the system), a source s ∈ A, and a set of targets T ⊆ A such that s ∈ T A positive instance of PS is a path system A where some target in T is accessible from the source s, where a vertex v is accessible if it is the source s or if R(x, y, v) holds for some accessible vertices x and y, possibly equal In [8], Stewart shows that PS is complete for P via quantifier free first order reductions; in fact, via projections (see [8] for definitions and also [5] Section 11.2), and we will use that result to show that an approximation version of PS which we present in Example below is also complete for P via reductions that are projections, and that would help us to show that a certain extension of our LP logic captures P on finite ordered structures (We remark that Stewart considers the path systems in [8] as having only one target, and not a set of targets as we here However one can see that his results on completeness of PS via first order reductions holds also for our version of this problem.) 554 A Arratia and C.E Ortiz Definition Let X be a second order variable of arity 1, and α(x, X) a first order formula over some (finite) vocabulary τ with first order variables x = (x1 , , xm ) and second order variable X Let r ∈ [0, 1] Then (P (X) > r)α(x, X) and (P (X) ≥ r)α(x, X) are new formulas with the following semantic For an appropriate finite τ –model An , and elements a = (a1 , , am ) from {0, , n − 1}, the universe of An , An |= (P (X) > r)α(a, X) ⇐⇒ the least subset A ⊆ {0, , n − 1} such that An |= α(a, A) has |A|/n > r Similarly for (P (X) ≥ r)α(a, X) Example Let τ = {R, T, s} where R is a ternary relation symbol, T is a unary relation symbol and s is a constant symbol We think of τ -structures as path systems with source s, a target set T and set of rules R Let r be a rational with < r < We define NPS≥r := {A = A, R, T, s : A is a path system and at least a fraction r of the elements accessible from s are not in T } Let αnps (X) be the following formula (the constant symbol ⊥ stands for false), αnps (X) := ∀x(x = s −→ X(x)) ∧ ∀x∀y∀z(X(x) ∧ X(y) ∧ R(x, y, z) −→ X(z)) ∧ ∀x(X(x) ∧ T (x) −→ ⊥) Then An ∈ NPS≥r ⇐⇒ An |= (P (X) ≥ r)αnps (X) NPS≥r is an approximation version of the problem PS, definable by our probability quantifiers over unary second order variables acting on formulas with a particular form to which we give a name below Definition 10 Let τ = {R1 , , Rm , C1 , , Ck } be some vocabulary with relation symbols R1 , , Rm , and constant symbols C1 , , Ck , and let X be a unary second order variable A first order formula α over τ ∪ {X}, and extra symbols as = (equality) and the constant ⊥ (standing for false), is a universal Horn formula, if α is the conjunction of universally quantified formulas over τ ∪ {X} of the form ψ1 ∧ ψ2 ∧ ∧ ψs −→ ϕ where ϕ is either X(u) or ⊥, and ψ1 , , ψs are atomic (τ ∪ {X})-formulas with any occurrence of the variable X being positive (there are no restrictions on the predicates in τ or =) The logic LP Horn is the set of formulas FO + {(P (X) > r)α1 (x, X), (P (X) ≥ r)α2 (x, X) : αi (x, X) is universal Horn (first order) formula with second order variable X} Approximating the Expressive Power of Logics in Finite Models 555 Example shows that the problem NPS≥r is definable in LP Horn We shall see that this is true of all problems in P Lemma The set of finite structures that satisfy a sentence θ in LP Horn is in P Proof Let θ ∈ LP Horn be of the form (P (X) > r)[ m ∀xi (ψi1 ∧ ∧ ψis −→ ϕi )], i=1 and let An be a model of the appropriate vocabulary of size n Then it’s not difficult to describe a polynomial time procedure that decides whether An satisfies the above sentence Thus, according to this lemma, our problem NPS≥r is in P We show next that it is hard for P Lemma The problem NPS≥r is complete for P via projections Proof We exhibit a (successor free) projection from the complement of the problem PS to NPS≥r Let A = A, R, T, s be an instance of PS Define A = A , R , T , s as follows: its universe A = A2 , and T = T × s = {(x, s) : x ∈ T } R = {((x, s), (y, s), (z, s)) : (x, y, z) ∈ R} ∪ {((x, s), (y, s), (z, s)) : x ∈ T ∧ x = s ∧ y ∈ T ∧ y = s ∧ z = s} s = (s, s) Then, A ∈ PS ⇐⇒ A ∈ NPS≥r Corollary Every problem in P is a set of finite ordered structures that satisfy a sentence in LP Horn Proof Every problem in P is reducible to NPS≥r via projections; NPS≥r is definable in LP Horn and this logic is closed via projections Corollary Over finite ordered structures, the logic LP Horn captures P The logic LP Horn verifies Lemma 1; namely, for a sublinear function F , F -modularity is preserved Indeed, we need only to check for formulas of the form (P (X) > r)α(z, X): Suppose a, b < m, a ≡F (m) b and B m |= (P (X) > r)α(a, X) Then there exists a B ⊆ {0, 1, , m − 1}, such that B m |= α(a, B) and |B| > rm The parameters in a not occur in B; hence, by inductive hypothesis B m |= α(b, B) Thus, B m |= (P (X) > r)α(b, X) 556 A Arratia and C.E Ortiz References Barrington, D., Immerman, N., Straubing, H.: On uniformity within NC1 J Computer and Syst Sci 41 (1990) 274–306 Cook, S A.: An observation on time-storage trade off, J Comput System Sci (1974) 308–316 Etessami, K., Immerman, N.: Reachability and the power of local ordering, Theo Comp Sci 148, (1995) 261–279 Gurevich, Y.: Logic and the challenge of computer science In: Current trends in theoretical computer science (E Bă orger, Ed.) Computer Science Press (1988) 1-57 Immerman, N.: Descriptive Complexity Springer (1998) Keisler, H J.: Hyperfinite model theory In: “Logic Colloquium 76” R.C Gandy and J.M E Hyland, Eds.), North-Holland (1977) Libkin, L., Wong, L.: Lower bounds for invariant queries in logics with counting Theoretical Comp Sci 288 (2002), 153-180 Stewart, I.: Logical description of monotone NP problems, J Logic Computat 4, (1994) 337-357 Arithmetic Circuits for Discrete Logarithms Joachim von zur Gathen University of Paderborn, Germany gathen@upb.de http://www-math.uni-paderborn.de/ãggathen/ Abstract We introduce a new model of “generic discrete log algorithms” based on arithmetic circuits It is conceptually simpler than previous ones, is actually applicable to the natural representations of the popular groups, and we can derive upper and lower bounds that differ only by a constant factor, namely 10 Keywords Discrete logarithm, generic algorithm, arithmetic circuit, cyclic group Introduction Discrete logarithm computations and their presumed difficulty are a central topic in cryptography Let G be a finite cyclic group of order d, p the largest prime divisor of d, and n the bit length of d (that is, n is the “private key length”) There are three types of results: – “Generic” algorithms such as baby-step giant-step, Pollard rho, and Pohlig√ Hellman Together they provide a solution with O(n p + n2 ) group operations – Algorithms for special groups, such as the index calculus for the group of units in a finite field, and Weil descent for special elliptic curves √ – Lower bounds Ω( p) on “generic” algorithms This paper proposes a new solution to the last point Babai & Szemerédi (1984) first proposed a model in which even a lower bound Ω(p) holds Then Nechaev (1994) suggested a deterministic model with √ an Ω( p) bound, and Boneh & Lipton (1996) considered finite fields The most √ popular model was invented by Shoup (1997) It is probabilistic, has an Ω( p) lower bound, and also works for the Diffie-Hellman problem Maurer & Wolf (1998, 1999) continued to work on this, in particular by relating the two questions of discrete logarithms and the Diffie-Hellman task See also Schnorr & Jakobsson (2000) and Schnorr (2001) An essential ingredient of Shoup’s method is a bit representation of the group elements, and his lower bound holds for a random description of this form The standard “generic” algorithms consist of two phases: first some group calculations are performed, and in a second phase the resulting lists of group elements M Farach-Colton (Ed.): LATIN 2004, LNCS 2976, pp 557–566, 2004 c Springer-Verlag Berlin Heidelberg 2004 558 J von zur Gathen are sorted, with the goal of finding a collision Of course, when one wants to implement such an algorithm, one has to use some bit representation of the group elements in computer memory But the algorithms will use one “natural” representation, not random ones Strictly speaking, Shoup’s result does not apply to this situation, and thus does not provide a lower bound in the natural setting This paper repairs this state of affairs by presenting a new model for “generic” discrete log computations which is both technically simpler and more powerful It has the following properties: – – – – the known “generic” algorithms fit in, √ a lower bound of Ω( p) holds, it does not make assumptions about the representation of groups, there is a matching upper bound, larger only by a constant factor This is basically achieved by ignoring the second phase, where sorting occurs Then one can away with the group representation, and describe the first phase in a simple arithmetic model It is important to note that the goal here is not a way of describing useful discrete log computations In fact, our computations not calculate discrete logs, but any “generic” discrete log computation yields one of our type The asymptotically matching upper and lower bounds are an indication that this may be the “right” level of abstraction The most natural way of saying that we “only want to use group operations” is by using arithmetic circuits (a.k.a straight-line programs) with group operations This model was introduced in great generality by Strassen (1972) However, a circuit computes only group elements and not discrete logs, which live in the “exponent group” Success in the usual algorithms is signalled by a collision, where the same group element is calculated in two different ways The basic idea is to declare a circuit as successful if it produces such a collision One has to be a bit careful: it is easy to produce trivial collisions, say by calculating the group element in two different ways This leads to our notion of a collision “respecting” a divisor q of the group order: it is not trivial in the “exponent group modulo q” In Section 2, we set up the required notions Section starts with the usual “nonzero preservation” result modulo a prime power; it is somewhat simplified in comparison with other generic models by considering only linear polynomials Technically, this Lemma is the main overlap with Shoup’s method Then we √ prove the main result, a lower bound of Ω( p) in Theorem The model is sufficiently powerful (or weak, as you have it) that essentially matching upper and lower bounds hold; they differ only by a constant factor, namely 10 (Corollary 10) The model so far is deterministic; Section extends it to probabilistic computations The same lower bound holds This is no surprise, since randomized algorithms such as Pollard’s rho method not reduce the computing time This method is important because it reduces the required memory to a constant number of group elements, but we not consider this resource Arithmetic Circuits for Discrete Logarithms 559 Arithmetic Circuits for Discrete Logarithms We fix the following notation: G = g is a finite cyclic group, d = #G, p is the largest prime divisor of d, and n is the binary length of d (1) We consider algorithms that use only the group operations, starting with three special group elements: 1, the generator g, and x From these we build further group elements by multiplication and inversion Example Here is a formulation of the baby-step giant-step algorithm for d = 20: instruction y−2 ←− y−1 ←− g y0 ←− x y1 ←− y0 · y−1 y2 ←− y1 · y−1 y3 ←− y2 · y−1 y4 ←− y3 · y−1 y5 ←− y4 · y−1 y6 ←− y5 · y0−1 y7 ←− y6 · y6 y8 ←− y7 · y6 y9 ←− y8 · y6 y10 ←− y9 · y6 trace trace exponent g x t xg t+1 xg t+2 xg t+3 xg t+4 xg t+5 g g 10 10 g 15 15 g 20 20 g 25 25 The “trace” gives the group element computed in each step The “trace exponent” is explained below The algorithm is in its simplest form, ignoring shortcuts like g 20 = If logg x = 5b + c, with ≤ b, c < 5, then x = g 5b+c , hence xg 5−c = g 5(b+1) , and both elements appear in the computation If we take G = Z× 25 = 2, a group of order 20, and x = 19 = 218 , then we have 18 = · + and y2 = xg = g 20 = y9 How we express that the algorithm successfully computes logz x? We are very generous: we say that the algorithm is successful if a “collision” u = v occurs for two previously computed results u and v for which “u = v is not −1 trivial” If we computed y1 = y−1 · y−1 , y2 = y0 · y0−1 , then y1 = y2 would be trivial We will make this precise in a minute The type of computation shown in the table above could be called an “arithmetic group circuit with inputs 1, g, and x” We abbreviate the assignment yk ←− yi · yj±1 as (i, j, ±1), and also trace the exponents of g and x in the circuit Then we arrive at the following notion 560 J von zur Gathen Definition (i) An arithmetic circuit is a finite sequence C = (I1 , , I ) of instructions Ik = (i, j, ε), with −2 ≤ i, j < k and ε ∈ {1, −1} The size of C is Note that C is not connected to any particular group (ii) If C = (I1 , , I ) is an arithmetic circuit, G a group and g, x ∈ G, then the trace of C on input (g, x) is the following sequence z−2 , z−1 , , z of elements zk of G: z−2 = 1, z−1 = g, z0 = x, zk = zi · zjε for k ≥ and Ik = (i, j, ε) (iii) For an arithmetic circuit C = (I1 , , I ), the trace exponents consist of the following sequence τ−2 , τ−1 , , τ of linear polynomials τk in Z[t]: τ−2 = 0, τ−1 = 1, τ0 = t, τk = τi + ε · τj for k ≥ and Ik = (i, j, ε) We think of g as fixed, and also write zk (x) for the trace elements zk in (ii) The connection between the trace and the trace exponents is clear: if x = g a and τk = c · t + b, then zk (x) = g b xc = g b · g ac = g τk (a) Recall that in the exponents, we may calculate modulo the group order d, once we consider a fixed group Example Here are two more examples of trivial collisions (i) We take g, x = g a in a group of order d, and an arithmetic circuit which computes ym = g d with an addition chain of some length m, and also y2m = xd Then τm = d and τ2m = dt, ym = g d = = xd = y2m , and we take the congruence τm − τ2m ≡ mod d as an indicator for the triviality of this collision (ii) Now let q be an arbitrary prime divisor of d, maybe a small one, and assume that d = q Again we calculate some ym = g d/q and y2m = xd/q Now both results lie in the subgroup H = g d/q of order q, and we can find a collision √ with a further q (or even O( q)) steps But we have only calculated a discrete logarithm in H, not in G If, say, q = 2, then ym = g d/2 = and y2m is either ym or Thus we have a collision, either y−2 = y2m or ym = y2m How we express that “u = v is trivial”? We certainly want to say that “the collision yi = yj is trivial” if τi = τj , or even if τi ≡ τj mod d, but this is not quite enough We have to rule out unpleasant cases like the one at the end of Example 4, where a collision occurs but the discrete logarithm is not really computed Definition Let C be an arithmetic circuit of size , G = g, q an arbitrary divisor of the group order d = #G, and i, j ≤ (i) Then (i, j) is said to respect q if and only if τi − τj ≡ mod q Arithmetic Circuits for Discrete Logarithms 561 (ii) If on input some g, x ∈ G, a collision yi = yj occurs, then this collision respects q if and only if (i, j) respects q Thus we have the linear polynomial τi − τj ∈ Z[t] which is nonzero modulo q, hence modulo d, and if a collision occurs for x = g a , then g τi (a) = zi (x) = zj (x) = g τj (a) , so that (τi − τj )(a) ≡ mod d If q1 | q2 | d, and (i, j) respects q1 , then it also respects q2 Example continued (ii) For q = 2, we have τm = d/2, τ2m = dt/2, and τm − τ2m ≡ d/2 · (1 − t) mod d We assume that d is not a power of 2, and take a prime divisor q = of d Then q divides d/2, and τm − τ2m ≡ mod q Thus (m, 2m) does not respect q, and if on some input x from some group G, the collision g d/2 = zm (x) = z2m (x) = xd/2 occurs, then this does not respect q, either Definition Let G = g be a finite cyclic group, C an arithmethic circuit, and q an arbitrary divisor of the group order d = #G Then the success rate σC,q of C over G respecting q is the fraction of group elements for which a collision respecting q occurs: σC,q = d−1 · #{x ∈ G : on input x, a collision respecting q occurs in C} Thus ≤ σC,q ≤ 1, and a circuit, for which a collision respecting q occurs for every input x, has σC,q = If q1 | q2 | d, then σC,q1 ≤ σC,q2 Example √ indicates that the baby-step giant-step algorithm gives a circuit of size O( d), where d = #G and σC,d = For simplicity, our notation does not reflect the dependence of the success rate on the group Also, the Pohlig–Hellman algorithm is a generic algorithm But index calculus in G = F× p is not generic; it makes essential use of the representation of the elements of G as integers less than p, and the ability to compute with these integers, say to check whether they factor over the factor base The Deterministic Lower Bound “Nonzero preservation” is a generally useful tool It says that the value of a nonzero polynomial at a random point is likely to be nonzero It is well-known over integral domains; we need a slight generalization here See Shoup (1997) for a more general version Lemma Let d ≥ be an integer, pe a prime power divisor of d, where p is a prime, and τ = c1 t + c0 ∈ Z[t] a linear polynomial with τ ≡ mod pe Then #{a ∈ Zd : τ (a) ≡ mod pe } ≤ d/p Proof Let i ≥ be the largest exponent with τ ≡ mod pi Thus i < e, and we can write τ = pi · (c1 t + c0 ), with c0 , c1 ∈ Zd/pi and at least one of them nonzero modulo pe−i If c1 ≡ mod p, then there is no a ∈ Zd with 562 J von zur Gathen τ (a) ≡ mod pi+1 , let alone modulo pe Otherwise there is exactly one a0 ∈ Zp with c1 a0 + c0 ≡ mod p, namely a0 ≡ −c0 · c−1 mod p The residue class mapping Zd −→ Zp maps any a ∈ Zd to a mod p Exactly d/p elements of Zd are mapped to the same element of Zp Now if pi (c1 a + c0 ) = τ (a) ≡ mod pe , then c1 a + c0 ≡ mod p, and hence a mod p = a0 There are exactly d/p such a, and the claim follows Theorem Let G = g be a finite cyclic group, q = pe a prime power divisor of the group order d = #G, C an arithmetic circuit over G of size , and σC,q its success rate respecting q Then ≥ 2σC,q p − √ When σC,q is a positive constant, then ∈ Ω( p) Proof On some input x, a collision in C is of the form yi (x) = yj (x) with −2 ≤ i < j ≤ There are ( + 2)( + 3)/2 such (i, j) Any (i, j) which respects q leads to a collision for at most d/p values of x, by Lemma 7, since the exponents a ∈ Zd correspond bijectively to the group elements x = g a Thus the total number of possible collisions respecting q is at most ( + 2)( + 3)/2 · d/p, and hence σC,q ≤ ( + 2)( + 3)/2p, ( + 3)2 ≥ ( + 2)( + 3) ≥ 2σC,q p √ The various well-known algorithms yield an O(n p + n2 ) upper bound for √ discrete logarithm computations, and we now have a lower bound Ω( p) where p is the largest prime divisor of d In what follows, we derive upper and lower bounds that differ only by a constant factor We start with a lower bound different from Theorem 8, namely Ω(n) This is not of direct cryptographic interest, √ since n ≈ log2 d is roughly the “key length” or “input length”—in contrast to p which will usually be chosen so that it is exponentially large in n The interest is a desire to understand the complexity of discrete logarithms as well as possible Theorem Let C be an arithmetic circuit of size , G = g a cyclic group of order d ≥ 3, with σC,d = 1, and let n = log2 d + be the binary length of d Then n ≥ − 2, and hence ∈ Ω(n) Proof Any element a of Zd has exactly one balanced representative b ∈ Z with a = (b mod d), −d/2 < b ≤ d/2 For −2 ≤ k ≤ , we write the trace exponent τk ∈ Zd [t] as τk = (ck mod d) · t + (bk mod d), where ck , bk ∈ Z are balanced representatives By induction on k it follows that |bk |, |ck | ≤ 2k for ≤ k ≤ (and |bk |, |ck | ≤ for k = −2, −1) Now Arithmetic Circuits for Discrete Logarithms 563 √ let a0 = ... Universidad Nacional de La Plata Hugo Zaccheo, Universidad Nacional de La Plata Referees Dimitris Achlioptas Ali Akhavi David Aldous Jorge Almeida Greg Aloupis Andris Ambainis Eric Bach Pablo Barcelo... Barcelo Alexander Barg Elad Barkan Paulo Barreto Tomas Barros Cecilia Bastarrica Gabriel Baum Amir Ben-Amram Julien Bernet Javier Blanco Paulo Blauth Hans Bodlaender Philip Bohannon Eduardo Bonelli... Jung Charanjit Jutla Mehmet Hakan Karaata Hakan Karaata Makino Kazuhisa Organization Carmel Kent Claire Kenyon Tien Kieu Tomi Klein Jon Kleinberg Lars R Knudsen Cetin Koc Ulrich Kohlenbach Goran

Ngày đăng: 22/03/2023, 10:47

Xem thêm: