Applications of fine-grained complexity

Academic year: 2021

Applications of Fine-Grained Complexity

by

Andrea Lincoln

B.S., Massachusetts Institute of Technology (2014)

M.Eng., Massachusetts Institute of Technology (2015)

M.S., Stanford (2016)

Submitted to the Department of Electrical Engineering and Computer Science

in partial fulfillment of the requirements for the degree of

Doctor of Philosophy

at the

MASSACHUSETTS INSTITUTE OF TECHNOLOGY

September 2020

© Massachusetts Institute of Technology 2020. All rights reserved.

Author . . . .

Department of Electrical Engineering and Computer Science

August 21, 2020

Certified by . . . .

Virginia Vassilevska Williams

Steven and Renee Finn Career Development Associate Professor of

Electrical Engineering and Computer Science

Thesis Supervisor

Accepted by . . . .

Leslie A. Kolodziejski

Professor of Electrical Engineering and Computer Science


Applications of Fine-Grained Complexity

by

Andrea Lincoln

Submitted to the Department of Electrical Engineering and Computer Science on August 21, 2020, in partial fulfillment of the requirements for the degree of Doctor of Philosophy

Abstract

This thesis is on the topic of the applications of Fine-Grained Complexity (FGC). FGC is concerned with categorizing computational problems by their running time up to low order terms in the exponent. FGC has been a very successful field, explaining the computational hardness of many problems via a network of reductions. Given the explanatory success of FGC in the standard computational model, it would be valuable to apply FGC to new areas. This thesis focuses on studying the core assumptions of FGC and three areas of applications: (1) traditional FGC in the standard model (the worst-case RAM model), (2) average-case FGC (ACFGC), and (3) fine-grained cryptography.

If we can strengthen the core of FGC, then we would also strengthen the applications of FGC. This thesis demonstrates that a core hypothesis of FGC (the 3-SUM hypothesis) is equivalent to its small space counterpart. This makes the 3-SUM hypothesis more plausible.

FGC has built a network of reductions between problems that explain the known running time of the problems contained in the network. A core goal of FGC research is to add new problems to this network of reductions. This thesis shows that the sparse All Pairs Shortest Paths problem in n-node m-edge graphs requires $(nm)^{1-o(1)}$ time if the zero-k-clique hypothesis is true. This result gives a novel connection between the hardness of these two problems.

A problem of much interest to both traditional complexity and FGC is Boolean Satisfiability (SAT). There is a well-studied average-case variant of SAT called Random k-SAT. In this thesis we study the running time of this problem, seeking to understand its ACFGC. We present an algorithm for Random k-SAT which runs in $2^{n(1-\Omega(\lg^2(k))/k)}$ time, giving the fastest known running time for Random k-SAT.

Modern cryptography relies on average-case constructions. That is, an encryption scheme is shown to be hard to break via reduction from a problem conjectured to be hard on average. Similarly, fine-grained cryptography relies on average-case fine-grained lower bounds and reductions. This is the core connection between fine-grained cryptography and ACFGC. This thesis presents a plausible fine-grained average-case hypothesis which results in a novel public-key cryptosystem.

This thesis presents results that strengthen the core hypotheses of FGC, gives more efficient algorithms for problems of interest, and builds fine-grained cryptosystems. The core goal is to apply the tools and techniques of FGC to get novel results in both the worst-case setting as well as the average-worst-case setting.

Thesis Supervisor: Virginia Vassilevska Williams

Title: Steven and Renee Finn Career Development Associate Professor of Electrical Engineering and Computer Science

Acknowledgments

I would not have finished the work in this thesis nor finished the thesis itself without the help and support of many people.

I want to start by thanking my advisor. Virginia Vassilevska Williams has been an excellent advisor. She has supported me, helped me find opportunities, helped me grow, and helped me shape my research agenda. I was very lucky to work with her at Stanford and that I could continue to work with my chosen advisor through her move. You have shaped my life for the better.

I want to thank my thesis committee: Virginia Vassilevska Williams, Vinod Vaikuntanathan, and Ryan Williams. I deeply appreciate the feedback and help you have given on proposal and thesis.

I want to thank my co-authors on the work in this thesis: Rio LaVigne, Virginia Vassilevska Williams, Josh R Wang, Ryan Williams, and Adam Yedidia. I really enjoyed working on these projects with you. I have learned things from each of you. Collaborating on these works has, obviously, shaped the kind of research that I do. Working on these projects was some of the most fun I had during my PhD.

I want to thank all of my excellent coauthors: Michael Bender, Giuseppe Bianchi, Lorenzo Bracciale, Keren Censor-Hillel, Erik D. Demaine, Martin L. Demaine, Roozbeh Ebrahimi, Sarah Eisenstat, Jeremy T. Fineman, Monika Henzinger, Adam Hesterberg, Rob Johnson, Rio LaVigne, Ying Lin Wei, Quanquan C. Liu, Jayson Lynch, Samuel McCauley, Muriel Médard, Stefan Neumann, Adam Polak, Virginia Williams Vassilevska, Nikhil Vyas, Joshua R. Wang, Yun William Yu, Ryan Williams, Helen Xu, and Adam Yedidia. Working with you all helped me grow as a researcher.

Special thanks to Rob Johnson who hosted me at VMware and taught me a lot.

Thank you to Chris Brzuska who gave many useful comments on the paper that became Chapter 6.

I want to thank both the MIT and Stanford theory groups which were great places to grow as a researcher. I want to thank faculty at Stanford who I rotated with: Greg Valiant and Stefano Ermon. I also want to thank Dan Boneh who was a very supportive and welcoming faculty in the Stanford theory group. I want to thank the faculty of the MIT theory group for being very welcoming when I moved to MIT with Virginia. I want to thank the students of the Stanford theory group who provided a tight knit social environment. I want to thank Kevin Lewi, Josh Wang, Amir Abboud, and Greg Bodwin for your advice when I arrived at Stanford. I want to thank the students of the MIT theory group who were very inviting and created a great environment for collaboration. Theory retreats, cookie fest, corn fest, and art events are a small subset of events that added to the welcoming environment. I want to thank the administrative staff of the MIT theory group for organizing many of these events.

I want to thank the combined academic families of Virginia and Ryan. Amir Abboud, Greg Bodwin, Josh Alman, Nicole Wein, Mina Dalirrooyfard, Rio Lavigne, Shyan Akmal, Yinzhan Xu, Huacheng Yu, Cody Murray, Brynmor Chapman, Dylan McKay, Lijie Chen, Nikhil Vyas, and Rahul Ilango. It has been a blast.

Personal Thanks I want to thank my family Raymonde Guindon, Patrick Lincoln, and Sierra Lincoln. Without you I would not be here. I love you all dearly. I would like to thank my parents, Raymonde Guindon and Patrick Lincoln for nurturing and guiding my interest in math and computer science. I want to thank you for providing love, support, and parental care. Thank you for helping me get here.

I want to thank my partner, Adam Yedidia. You bring me an uncomplicated happiness. Your love has made me a more joyful person. May we live a long blissful life.

I also want to thank Adam’s family, Ann Blair, Jonathan Yedidia and Zachary Yedidia, who hosted me during the COVID-19 lock-down of 2020 (during which much of the thesis was edited).

I want to thank my friends from high school, college and my PhD. I would be a different and worse person without you. I have learned so much about how to be kind, considerate and compassionate from all of you. I thank you all for teaching me to be a better person.

This thesis is dedicated to my sister, Sierra Lincoln.


Contents

1 Introduction

1.1 Contributions

1.1.1 Chapter 3: The Space-Time Complexity of k-SUM

1.1.2 Chapter 4: The Hardness of Sparse Graph Problems

1.1.3 Chapter 5: A Faster Algorithm for Average-Case Satisfiability

1.1.4 Chapter 6: Building and Defining Fine-Grained Cryptographic Primitives

1.2 Organization

2 Preliminaries

2.1 Satisfiability and SETH

2.2 The k-SUM Problem

2.3 All Pairs Shortest Paths

2.4 Zero k-Clique

3 Deterministic Time-Space Tradeoffs for k-SUM

3.1 Summary

3.2 Introduction

3.2.1 Our Results

3.3 Preliminaries

3.3.2 Computational Model

3.3.3 Other Prior Work

3.4 Building Blocks

3.4.1 Domination Lemma

3.4.2 Bucket Retrieval and Space-Efficient Selection

3.5 Subquadratic 3-SUM implies Subquadratic small-space 3-SUM

3.5.1 3-SUM Self Reduction

3.5.2 General Theorem for Space Reduction

3.5.3 Space-Efficient Fast 3-SUM

3.5.4 The 3-SUM Hypothesis and Small Space

3.6 k-SUM

3.6.1 k-SUM Self-Reduction

3.6.2 Applying our k-SUM Self-Reduction

3.7 s-Select

3.7.1 Bounded Range s-Select

3.7.2 Batch real k-Select

4 Tight Hardness for Shortest Cycles and Paths in Sparse Graphs

4.1 Summary

4.2 Introduction

4.3 Preliminaries

4.4 Reduction from Hyperclique to Hypercycle

4.5 Reduction from Hypercycle to Cycle in Directed Graphs

4.6 Probably Optimal Weighted k-Cycle Algorithms

4.7 Hardness Results for Shortest Cycle

4.8 Discussion of the Hyperclique Hypothesis

4.9 No Generalized Matrix Multiplication for k>2

4.10 Max-k-SAT to Tight Hypercycle

4.12 Beating O(mn) for Many Graph Problems is Probably Hard

4.12.1 Undirected k-cycle reduces to radius

4.12.2 Undirected k-cycle reduces to Wiener index

4.12.3 Undirected k-cycle reduces to APSP

4.13 General CSP to Hyperclique

4.13.1 Degree-k-CSP to Weighted Hyperclique

4.13.2 Degree-k-CSP to Unweighted Hyperclique

4.14 Bounds for Graph Densities for NonInteger L

5 Faster Random K-CNF Satisfiability

5.1 Summary

5.2 Introduction

5.2.1 A New Algorithm

5.2.2 Previous work

5.3 Preliminaries

5.4 Algorithm

5.4.1 Correctness and Running Time

5.5 Bounding the False Positive Rate

5.6 Bounding the True Positive Rate

5.7 Lower Bounding the Number of Satisfied Formulas

5.8 Putting it All Together

5.9 Conclusion and Future Work

5.10 Acknowledgments

5.11 Discussion

5.11.1 Alternate View on the Algorithmic Framework

5.11.2 Additional Motivation

5.11.3 Exhaustive Search

6 Public-Key Cryptography: in the Fine-Grained Setting

6.1 Summary

6.2 Introduction

6.2.1 Our contributions

6.2.2 Previous Works

6.2.3 Technical Overview

6.2.4 Organization of Chapter

6.3 Preliminaries: Model of Computation and Definitions

6.3.1 Fine-Grained Symmetric Crypto Primitives

6.3.2 Fine-Grained Asymmetric Crypto Primitives

6.4 Average Case Assumptions

6.4.1 General Useful Properties

6.4.2 Concrete Hypothesis

6.5 Our assumptions - background and justification

6.5.1 Background for Fine-Grained Problems

6.5.2 Justifying the Hardness of Some Average-Case Fine-Grained Problems

6.6 Fine-Grained Key Exchange

6.6.1 Description of a Weak Fine-Grained Interactive Key Exchange

6.6.2 Correctness and Soundness of the Key Exchange

6.7 A Better Fine-Grained Key Exchange from Zero-k-Clique

6.7.1 Proof of Correctness

6.7.2 Proof of Soundness

6.7.3 Generalizing Zero-k-Clique Properties

6.8 Fine-Grained One-Way Functions

6.8.1 Weak and Strong OWFs in the Fine-Grained Setting

6.8.2 Building Fine-Grained OWFs from Plantable Problems

6.9 Properties of k-SUM and Zero-k-Clique Hypotheses

6.9.1 k-SUM is Plantable from a Weak Hypothesis

6.9.2 Zero-k-Clique is also Plantable from Weak or Strong Hypotheses

6.9.3 Zero-k-Clique is Plantable, Average Case List-Hard and, Splittable from the Strong Zero-k-Clique Hypothesis

6.9.4 Larger Ranges for Zero-k-Clique are as Hard as Smaller Ranges

6.10 Key Exchange Proofs

6.10.1 Proof of Correctness

List of Figures

3-1 Domination Lemma chains when n = 3 and k = 3. The chain {(1, 1, 1), (2, 2, 2), (3, 3, 3)} is highlighted in red. In three dimensions, the number of chains is roughly proportional to the surface area of the cube, which is only $O(n^2)$, despite the fact that there are $O(n^3)$ points.

3-2 A depiction of how L is divided.

4-1 A depiction of a network of reductions related to sparse weighted graph problems and the dense Minimum k-clique problem. The bold edges represent a subset of the reductions in this chapter. The green edges are reductions from Agarwal and Ramachandran [AR16].

4-2 A depiction of why hypercycle needs sets of size $\ell - \lceil \ell/k \rceil + 1$ to cover every choice of k elements.

4-3 The Radius gadget.

4-4 The unweighted radius gadget.

4-5 The Wiener Index gadget.

4-6 The unweighted Wiener Index gadget.

4-7 The heavy blue line represents the upper bound of $\tilde{O}(nm)$ and the jagged lighter red line represents the lower bound at all densities $m = \tilde{\Theta}(n^{1+1/L})$. The curved green lines show the lower bounds from appendix 4.14.

5-1 A histogram of how many clauses are satisfied by every possible assignment. In this example, there are n = 16 variables, m = 163 clauses, and k = 4 literals per clause. For the example, we take T = 155.5 to be the clause-satisfaction threshold above which we explore further, and $\alpha n = 4$ to be the small-Hamming-distance threshold at which the exhaustive search algorithm finishes. (In actual runs of the algorithm, both of these parameters are selected more conservatively; we chose these parameters for clarity.)

5-2 The left side of this diagram represents all pairs of $(\phi, a)$ in the support of $D_{pa}(m, n, k)$. The right side of this diagram represents all $\phi$ in the support of $D_R(m, n, k)$. The orange in the diagram represents pairs $(\phi, a)$ where $\phi \in S$ (on the left) and formulas $\phi$ in the set $S$ (on the right). The diagram shows an example of a possible mapping. The dotted line shows the worst-case 1-to-1 mapping that we assume to get our upper bound on $|S|$.

5-3 Three representations of $(\phi, \alpha)$ pairs, where pairs such that $a \in S_{\alpha n}(\phi)$ are dark red and other pairs are white. Across the three representations, the total dark red area is meant to be fixed. In the first representation we mark in red every pair $(\phi, \alpha)$ where $a \in S_{\alpha n}(\phi)$. The vertical axis represents different formulas, while the horizontal axis represents different assignments. In the second representation we instead mark the size of $|S_{\alpha n}(\phi)|$ for every $\phi$, starting from the left. The orange bar highlights $\phi \in S_{bad}$, i.e. those $\phi$ for which $|S_{\alpha n}(\phi)| > \frac{1}{2}|H(a, \alpha, n)|$. Finally, we show a visualization of the worst-case distribution of $|S_{\alpha n}(\phi)|$, given a fixed dark red area. The orange bar highlights which $\phi$ would be in $S_{bad}$ in this case. While the length of the orange bar in the middle figure represents the true value of $p_{bad}$, the length of the orange bar in the rightmost figure represents our upper bound on $p_{bad}$ as proved in Lemma 5.6.4.

6-1 A table of previous works’ results in this area. There have been several results characterizing different aspects of fine-grained cryptography. *It was [BGI08] who showed that Merkle’s construction could be realized with a random oracle. However, Merkle presented the construction.

6-2 A depiction of our reduction showing hardness for our fine-grained key exchange.

6-3 A depiction of splitting the subproblems for a case where $\ell = 2$ and k = 3.

List of Tables

2.1 Some common notation and terms.

4.1 Weighted graph lower bounds. Our results are in bold. Und stands for undirected and Dir stands for directed. Repl stands for replacement.

4.2 Unweighted graph lower bounds. Our results are in bold. Upper bounds marked with * are hypothesized. U stands for undirected. Src stands for source. Shrt stands for shortest. Ind stands for index.

Chapter 1

Introduction

This thesis presents work that strengthens the core of worst-case fine-grained complexity (FGC) and then work that applies those techniques to average-case FGC (ACFGC) and fine-grained cryptography. We begin by motivating FGC and then more specifically ACFGC and fine-grained cryptography.

What is Fine-Grained Complexity? Fine-Grained Complexity (FGC) is an area of study that focuses on the fine-grained time complexity of problems [Vas18]. FGC is a sub-field of traditional complexity. The goal is to understand the running times of the best algorithms for a given problem Q in terms of the input size, n, and relate them to the best known running times for other problems of interest. Questions in FGC are generally about understanding the running time of a problem Q to the point we can bound it to be between $T(n)^{1-o(1)}$ and $T(n)^{1+o(1)}$. That is, we want to find a T(n) such that we have an algorithm for Q that runs in $T(n)^{1+o(1)}$ time and a conditional lower bound of $T(n)^{1-o(1)}$ for Q. The value of FGC is the ability to answer many questions unanswered by traditional complexity.

Motivation via NP-hardness. Consider the tool of NP-hardness reductions from traditional complexity. When we show a problem Q is NP-hard, we can say there is no polynomial time algorithm to solve Q in the worst case if $P \neq NP$. However, there are many problems Q that have polynomial time algorithms (for example $O(n^2)$ or $O(n^3)$ time algorithms). These problems cannot be NP-complete if $P \neq NP$. However, in many settings an $n^2$ or $n^3$ algorithm is considered inefficient. If no faster algorithm exists for a problem, Q, we would like to be able to show that, for example, Q has an $n^{2+o(1)}$ time algorithm and requires $n^{2-o(1)}$ time. For example, let m be the number of edges in a weighted graph and n the number of nodes, then an O(mn) algorithm has existed for All Pairs Shortest Paths (APSP) since 1956 [Dij59]. The best algorithms for APSP still take $nm^{1-o(1)}$ time even in the dense case [Wil14, Pet02, PR05]. FGC allows us to focus on the constant in the exponent of these polynomial-time problems. We would ideally like to give an unconditional $nm^{1-o(1)}$ lower bound for the APSP problem using the tools of FGC. Unfortunately, there are no known natural problems that have both a polynomial time algorithm and an unconditional lower bound of $n^c$ on their running time for c > 1 [Vas18]. There are unnatural problems in the time hierarchy with unconditional lower bounds, but there are no known reduction techniques to reduce from these problems. So, FGC mirrors the approach of traditional complexity: FGC generates plausible hypotheses. In traditional complexity we often show that problems are NP-hard, which is only meaningful if $P \neq NP$. So, the hypothesis underlying those hardness results is that $P \neq NP$. In contemporary FGC we similarly produce conditional lower bounds based on plausible hypotheses. We can then produce lower bounds on the hardness of problems from these hypotheses. There are three core hypotheses in contemporary FGC: the Strong Exponential Time Hypothesis (SETH) [IP01], the 3-SUM hypothesis [GO12], and the APSP hypothesis [WW10] [Vas18]. The formal statements of these problems and the associated hypotheses are given in the Preliminaries in Section 2. FGC is, metaphorically, NP-hardness for polynomial-time problems.

Reductions and FGC. How will we show that problem Q requires $T(n)^{1-o(1)}$ time if Q does not have a stated hypothesis? The primary tool used to prove these lower bounds in FGC is fine-grained reductions. You show that if an algorithm exists for the problem Q that runs faster than $T(n)^{1-o(1)}$ time, then we violate one of our hypotheses. For example, the edit-distance problem requires $n^{2-o(1)}$ time if SETH is true [BI15]. There are many computational geometry problems that require $n^{2-o(1)}$ time if the 3-SUM hypothesis is true [GO12]. Additionally, many traditional graph centrality measures (e.g. radius) require $n^{3-o(1)}$ time if the APSP hypothesis is true [WW10]. These constraints have caused fine-grained complexity theorists to build a network of reductions that can propagate both conjectured lower bounds and new improved algorithms.

FGC Goals. In traditional FGC there are two primary goals: first to make the hypotheses we use more plausible and second to add more problems to the web of reductions. By making the hypotheses we use more plausible we make the results garnered by FGC techniques stronger. By adding more problems to our web of reductions we understand the complexity of more problems we care about. The purpose of FGC is to explain and categorize the fine-grained hardness of problems. This helps us understand why some problems have inefficient, but polynomial time, algorithms. It also helps us find shared root causes for this inefficiency. For example, given the reduction from SAT to edit-distance, we can say that edit-distance and k-CNF Satisfiability have a shared reason for their hardness, SETH. Studying FGC gives us a greater understanding of the computational landscape.

What is Average-Case FGC? So far we have been discussing problems in the worst-case. That is, we ask for algorithms that will be efficient and correct given any input. However, there are many application areas where we are instead concerned with the average case. In the average case we are given an explicit distribution over inputs D. An average-case algorithm A for the problem Q over the input distribution D is said to solve Q in O(T(n)) time with probability p if given an input I drawn from D we have that A(I) gives the correct answer in O(T(n)) time with probability p. The crucial difference between worst-case algorithms and average-case algorithms where p < 1 is that an average-case algorithm can give the wrong answer, or no answer, on certain inputs [footnote 2].

There are many application areas where the average-case is more useful than the worst-case for analysis. The two primary application areas are faster algorithms and cryptography.

ACFGC Algorithmic Motivation. If you are trying to develop a faster algorithm for a problem Q and you know the distribution of inputs you will care about in practice, then you can use average-case analysis to develop these algorithms. Given an explicit distribution you will sometimes (though not always) be able to generate faster average-case algorithms for the problem Q. ACFGC techniques can both be used to generate these faster algorithms, and can be used to get lower bounds for a problem given a particular distribution. For an example of a faster algorithm, previous work has shown that APSP on a random graph with n nodes and $n^2$ edges can be solved in $n^{2+o(1)}$ time [CFMP00a] (faster than the $n^{3-o(1)}$ time fastest known worst-case algorithm [Wil14]). For an example of a lower bound, previous work has demonstrated that average-case algorithms for counting k-cliques in Erdős-Rényi graphs require $T(n)^{1-o(1)}$ time if worst case k-clique counting requires T(n) time [BBB19]. We can use ACFGC to understand for each problem Q under which distributions we can get faster algorithms than in the worst case.

ACFGC Cryptographic Motivation. All of cryptography is built on problems that are hard in the average-case. Cryptography has a massive number of practical applications given our desire for privacy and security online. In traditional cryptography one starts with a (usually average-case) hypothesis that a problem Q requires super-polynomial time to solve. Traditional cryptographic assumptions are about problems that are in NP and coNP simultaneously. In fact there is a reason to think traditional cryptography can not be based on an NP hard problem [BT06]. Given this state of affairs FGC can add new hypotheses and techniques to get cryptography with different properties. For example, if P = NP then traditional cryptographic assumptions break. However, many traditional FGC hypotheses seem to be independent of P = NP [footnote 3]. This allows for the possibility of fine-grained cryptography existing even when P = NP. An additional example is that FGC assumptions are sometimes stronger than traditional complexity assumptions. Consider that we probably can’t build cryptography from the assumption that SAT takes super polynomial time [BT06]; however, we could potentially build cryptography from SETH, a stronger assumption about the run-time of SAT. So, with the techniques and hypotheses from FGC we may be able to build cryptography based on assumptions that are very different from traditional cryptographic assumptions, but still plausible.

Footnote 2: To give an example, consider the problem where you are given n unsorted numbers between [−2n, 2n] and you must return True if all numbers are positive and False if any number is non-positive. In the worst case you must take Ω(n) time to solve this problem because if we fail to look at any number in the input that number could be a negative number. However, consider an average-case version of this problem where the distribution D is created by sampling all n numbers uniformly at random from [−2n, 2n]. An instance I drawn from D has a probability of less than $2^{-n}$ of being a True instance. So, an average-case algorithm for this problem over the distribution D exists that runs in O(1) time and succeeds with probability at least $1 - 2^{-n}$. It simply returns False.

FGC and ACFGC. FGC and ACFGC are exciting areas because they help us understand the underlying complexity of problems we deeply care about. We care about these problems from an algorithmic perspective; we want fast algorithms or lower bounds against the existence of fast algorithms. We also care about these problems from a cryptographic perspective; we want to take hard problems and use them to communicate privately. If problems are easy we want to find fast algorithms; if problems are hard we want to build cryptography from them. FGC and ACFGC help us know the difference.

1.1 Contributions

In this thesis I make progress in strengthening the 3-SUM hypothesis, expanding the network of fine-grained reductions, giving a faster average-case algorithm for k-SAT, and developing fine-grained cryptography. There are four chapters that the results have been divided into. I will give a summary of the results that can be found in each chapter of this thesis.

Footnote 3: For example, consider the hypothesis that APSP on graphs with n nodes and $n^2$ edges requires $n^{3-o(1)}$ time. There could be an $n^{100}$ time algorithm for satisfiability and APSP could require $n^{3-o(1)}$ time.

1.1.1 Chapter 3: The Space-Time Complexity of k-SUM

In Deterministic Time-Space Tradeoffs for k-SUM my co-authors and I present a deterministic space-efficient self-reduction for the 3-SUM problem [LWWW16]. This self-reduction will show that the 3-SUM hypothesis is equivalent to a seemingly more plausible small-space 3-SUM hypothesis. Additionally, this same self-reduction will produce an algorithm that achieves better space efficiency while keeping the same time complexity of the fastest contemporary 3-SUM algorithm.

The 3-SUM problem takes as input three lists (A, B, C) of n integers each. The integers are in the range of $[-n^3, n^3]$. An algorithm solving the 3-SUM problem must return True if there exist an a ∈ A, b ∈ B, and c ∈ C such that a + b + c = 0. Otherwise the algorithm must return False. The 3-SUM conjecture states that the 3-SUM problem requires $n^{2-o(1)}$ time.
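The quadratic-time baseline that the 3-SUM conjecture says cannot be beaten by a polynomial factor, as an added example (not code from the thesis). The function names are illustrative, the sample lists are constructed, and the sorted copies cost O(n) words of extra space, which is the budget the small-space results in this chapter improve on.

```python
from typing import List, Optional, Tuple


def check_instance(A: List[int], B: List[int], C: List[int]) -> int:
    """Validate the input format stated above: three lists of n integers,
    every integer inside [-n^3, n^3]. Returns n."""
    n = len(A)
    if not (len(B) == n and len(C) == n):
        raise ValueError("A, B and C must each hold n integers")
    bound = n ** 3
    if any(abs(x) > bound for x in A + B + C):
        raise ValueError("every integer must lie in [-n^3, n^3]")
    return n


def three_sum(A: List[int], B: List[int], C: List[int]) -> Optional[Tuple[int, int, int]]:
    """Return a witness (a, b, c) with a in A, b in B, c in C and a + b + c == 0,
    or None if no such triple exists.

    Time: O(n log n) for the two sorts plus O(n) per element of A, so O(n^2).
    Space: O(n) words for the sorted copies of B and C.
    """
    check_instance(A, B, C)
    b_sorted = sorted(B)
    c_sorted = sorted(C)
    for a in A:
        # Two-pointer scan: i walks B upward, j walks C downward, looking
        # for b + c == -a. Each step discards one candidate for good.
        i, j = 0, len(c_sorted) - 1
        while i < len(b_sorted) and j >= 0:
            total = a + b_sorted[i] + c_sorted[j]
            if total == 0:
                return (a, b_sorted[i], c_sorted[j])
            if total < 0:
                i += 1   # sum too small: need a larger b
            else:
                j -= 1   # sum too large: need a smaller c
    return None


# Constructed sample instances with n = 4, so values lie in [-64, 64].
YES_INSTANCE = ([12, -7, 30, 5], [-20, 9, 41, 2], [-3, 15, -50, 8])
NO_INSTANCE = ([1, 2, 3, 4], [1, 2, 3, 4], [1, 2, 3, 4])

if __name__ == "__main__":
    print("yes-instance witness:", three_sum(*YES_INSTANCE))
    print("no-instance result:  ", three_sum(*NO_INSTANCE))
```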

There are two primary implications of our self-reduction [LWWW16]. First, it produces algorithms that are simultaneously space and time efficient. For example, given a (deterministic/randomized) algorithm for the 3-SUM problem which runs in $n^2/\lg^a(n)$ time and space, we can provide an algorithm which uses $n^2/\lg^a(n)$ time and $\sqrt{n}\,\lg^{a/2}(n)$ space. Notably we give an algorithm for 3-SUM that runs in $O(n^2 \lg\lg(n)/\lg(n))$ time and $O(\sqrt{n \lg(n)/\lg\lg(n)})$ space. Second, this self-reduction allows us to provide an equivalence between the traditional 3-SUM hypothesis and the seemingly weaker Small-Space 3-SUM hypothesis, given below.

Definition The Small-Space 3-SUM hypothesis conjectures that there exists some ε > 0 such that all algorithms to solve the 3-SUM problem using at most $O(n^{1/2+\varepsilon})$ space must take $n^{2-o(1)}$ time.

The equivalence lends credibility to the 3-SUM conjecture, strengthening a core hypothesis of FGC. Additionally, this result connects the worst case time complexity with the best space-time trade-off for 3-SUM. By improving the plausibility of the 3-SUM conjecture we achieve one of the goals of this thesis.

1.1.2 Chapter 4: The Hardness of Sparse Graph Problems

The next chapter extends and explores one of the three core assumptions. This chapter is based off the work Tight Hardness for Shortest Cycles and Paths in Sparse Graphs [LWW18]. In this chapter we add more problems to the network of reductions in FGC. We explore the relationship between a hypothesis about dense weighted graphs and hypotheses about sparse unweighted graphs. We show that many sparse unweighted graph problems on graphs with n nodes and m edges have tight lower bounds of $nm^{1-o(1)}$ under a very plausible dense-graph hypothesis. This expands our understanding of the connections between the complexity of dense and sparse graph problems.

We give a relationship between the following two hypotheses.

Definition In the negative-weight k-clique problem, we are given a graph, G, with n nodes and $O(n^2)$ edges with polynomially large edge weights. We must return true if there is a k-clique where the sum of the weights on the $\binom{k}{2}$ edges in the clique is negative. That is, nodes $v_1, \ldots, v_k$ form a negative-weight k-clique if

$$\sum_{i \in [1,k]} \; \sum_{j \in [1,k],\, j \neq i} w(v_i, v_j) < 0$$

where $w(v_i, v_j)$ is the weight of the edge between nodes $v_i$ and $v_j$.

The negative-weight k-clique hypothesis states that this problem requires $n^{k-o(1)}$ time.
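The exhaustive search whose running time the negative-weight k-clique hypothesis says is essentially optimal, as an added example (not code from the thesis). The matrix representation, the function names and the sample graph are constructed for illustration; the code sums each edge once, which has the same sign as the double sum above, where every edge is counted twice.

```python
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Weights = List[List[Optional[int]]]


def weight_matrix(n: int, edges: Dict[Tuple[int, int], int]) -> Weights:
    """Build a symmetric n x n weight matrix; None marks a missing edge."""
    w: Weights = [[None] * n for _ in range(n)]
    for (u, v), weight in edges.items():
        w[u][v] = w[v][u] = weight
    return w


def negative_k_clique(w: Weights, k: int) -> Optional[Tuple[int, ...]]:
    """Return the first k node indices (in lexicographic order) that form a
    clique whose C(k, 2) edge weights sum to a negative number, else None.

    The loop visits all C(n, k) node subsets, i.e. roughly n^k work for
    constant k, matching the n^{k - o(1)} bound in the hypothesis.
    """
    n = len(w)
    for nodes in combinations(range(n), k):
        pairs = list(combinations(nodes, 2))
        # A subset is only a clique if every pair is joined by an edge.
        if any(w[u][v] is None for u, v in pairs):
            continue
        if sum(w[u][v] for u, v in pairs) < 0:
            return nodes
    return None


# Constructed 4-node complete graph.
SAMPLE_EDGES = {
    (0, 1): 5, (0, 2): -4, (0, 3): 2,
    (1, 2): -3, (1, 3): 7, (2, 3): 1,
}

if __name__ == "__main__":
    w = weight_matrix(4, SAMPLE_EDGES)
    print("negative triangle:", negative_k_clique(w, 3))   # weights 5 - 4 - 3 = -2
    print("negative 4-clique:", negative_k_clique(w, 4))   # total weight is 8
```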

Definition In APSP we are given a graph G with n nodes, V, and m edges, E with polynomially large edge weights. To solve APSP we must return the weight of the shortest path between u and v for all u, v ∈ V.

The best known algorithms for sparse APSP, where $m = o(n^2)$, take time $nm^{1-o(1)}$. In this paper my co-authors and I show that, given the negative weight k-clique hypothesis, All Pairs Shortest Paths (APSP) must take $mn^{1-o(1)}$ time. Our reduction connects the hardness of a dense-graph hypothesis to the sparse hardness of APSP.

Additionally, we generalize our results to hypergraphs. This allows us to give a reduction from k-degree constraint satisfaction problems (e.g. when k = 3, MAX 3-SAT), to unweighted and undirected sparse-cycle detection in graphs. We show that if shortest-cycle can be solved in sparse directed unweighted graphs in $m^{3/2-\varepsilon}$ time for some constant ε > 0 then there is an algorithm for MAX 3-SAT that runs in time $2^{n-\varepsilon'}$ for some constant ε′ > 0. These sparse results are not tight; the best currently known algorithm for sparse directed unweighted shortest-cycle takes $\omega(m^{3/2})$ time. However, they do present a non-trivial lower bound on these problems. These results were later expanded upon to show hardness for some even undirected graph problems from MAX 3-SAT [LV20].

In this chapter we apply the techniques of FGC to different hypotheses and show the tight connections between sparse and dense weighted graph problems. We additionally show the connection between constraint satisfaction problems and sparse unweighted graph problems. This grows the network of reductions we are building in FGC.

1.1.3 Chapter 5: A Faster Algorithm for Average-Case Satisfiability

In this chapter we study the random k-satisfiability problem, which is an average-case variant of the k-satisfiability problem. In this chapter we present an algorithm for random k-SAT that runs in $2^{n(1-\Omega(\lg^2(k))/k)}$ time [LY]. Our algorithm improves upon the previous best-known algorithm that had a running time of $2^{n(1-\Omega(\lg(k))/k)}$ [VW19]. This algorithm is currently the fastest algorithm for average-case k-CNF SAT.

A CNF SAT instance is written as the conjunction of a series of disjunctive clauses. A k-CNF SAT (also called k-SAT) instance is further constrained to include disjunctive clauses that are of size at most k. As k grows, the best known runtime of the worst-case k-SAT problem, $O(2^{n(1-1/\Theta(k))})$, grows [IP01, PPSZ05]. There is a well studied average-case distribution for k-SAT [Ach09, DSS15, NLH+04, COKV07, CO10, MTF90, VW19]. This distribution, $D_R(m, n, k)$, is parametrized by m, n and k, where n is the number of variables in the k-SAT instance and m is the number of clauses in the k-SAT instance. The distribution $D_R(m, n, k)$ is formed by selecting all mk variables in the m clauses of size k iid from the n variables. There is a particular ratio of m and n at which the problem of determining if the formula is satisfiable is most interesting. That ratio is called the "threshold" [DSS15].

There are three primary reasons to study the problem of algorithmic efficiency for Random k-SAT. The first is to better understand the difference between practical SAT solvers and our best worst-case algorithms. In the worst-case our best algorithms take $2^{n-o(1)}$ time, however, in practice there are efficient SAT solvers (though not over all inputs, inputs drawn from cryptographic problems are still hard for example). There are two ways to understand this difference. One, there is a small set of easy problems with lots of structure from which we draw our "practical inputs" and practical SAT solvers are fast on those. Alternatively, maybe there is a small hard core of problems that the hard problems in the worst case are drawn from. By studying average-case SAT we can understand if hard problems or easy problems are truly more typical.

The second reason to study Random k-SAT is that it serves as an easier direction to take to make progress towards violating SETH. If you believe that SETH is false, then there should be an algorithm for Random k-SAT that runs in $2^{n(1-\varepsilon)}$ time for some ε > 0 and succeeds with probability 1. However, when considering the Random k-SAT problem we can consider algorithms with the more modest success probability of $1 - 1/2^{n^{\Theta(1)}}$. So, if SETH is false there should also be a very efficient algorithm for Random k-SAT, and this should be easier to find (as you don't need to succeed on all inputs) than the worst-case algorithm. This chapter presents a faster algorithm for Random k-SAT than is available in the worst case, but does not violate "Random SETH". However, the techniques and ideas presented here may lead to faster algorithms for Random k-SAT in the future.

The third reason to study Random k-SAT is to find faster worst-case algorithms. The hard problems of the worst-case seem to heavily overlap with the distribution of Random k-SAT. So, approaches like those in Vyas and Williams ([VW19]) and in this chapter may lend insight into better worst-case algorithms.

In Chapter 5 we will present a time $2^{n(1-\Omega(\lg^2(k))/k)}$ algorithm for the Random k-SAT problem. We present a new algorithm and a new analysis to achieve this. This furthers the work of understanding the fine-grained complexity of average-case problems over distributions of interest.

1.1.4 Chapter 6: Building and Defining Fine-Grained Cryptographic Primitives

In this chapter we explore fine-grained cryptography. Some definitions of average-case cryptographic objects, for example fine-grained one-way functions, had been proposed previously [BRSV17]. However, in this paper we propose a full set of useful definitions for fine-grained public key cryptosystems. Additionally, we define a set of three properties such that if a problem Q has all three properties we can build a fine-grained public-key cryptosystem from Q. We further provide an explicit problem and a complexity hypothesis about that problem which together imply the existence of a problem with the three properties.

Cryptography is largely based on unproven assumptions, which, while believable, might fail. A compelling question is if any interesting cryptography might exist in Pessiland [Imp95]. Pessiland is a possible world, defined by Russell Impagliazzo, that could be the computational world we live in given our current understanding of complexity. Pessiland describes a world where "there are hard average-case problems, but no one-way functions" [Imp95]. So, we can't solve problems quickly, but we also don't get any cryptography. As Russell says: "the worst of all possible worlds". Notably if P = NP, or if we live in Pessiland, then all current cryptographic assumptions will be broken.

A natural approach to tackle this question is to base cryptography on an assumption from fine-grained complexity. Ball, Rosen, Sabin, and Vasudevan [BRSV17] attempted this, starting from popular hardness assumptions, such as the Orthogonal Vectors (OV) Conjecture. They obtained problems that are hard on average, assuming that OV and other problems are hard in the worst case. They obtained proofs of work, and hoped to use their average-case hard problems to build a fine-grained one-way function. Unfortunately, they proved that constructing one using their approach would violate a popular hardness hypothesis. This motivates the search for other fine-grained average-case hard problems.

The main goal of this 2019 paper, [LLW19], is to identify sufficient properties for a fine-grained average-case assumption that imply cryptographic primitives such as fine-grained public key cryptography (PKC). Our main contribution is a novel construction of a cryptographic key exchange, together with the definition of a small number of relatively weak structural properties, such that if a computational problem satisfies them, our key exchange has provable fine-grained security guarantees, based on the hardness of this problem. We then show that a natural and plausible average-case assumption for the key problem Zero-k-Clique from fine-grained complexity satisfies our properties. We also develop fine-grained one-way functions and hardcore bits even under these weaker assumptions.

Where previous works had to assume random oracles or the existence of strong one-way functions to get a key-exchange computable in O(n) time secure against $O(n^2)$ adversaries (see [Mer78] and [BGI08]), our assumptions seem much weaker. Our key exchange has a similar gap between the computation of the honest party and the adversary as prior work, while being non-interactive, implying fine-grained PKC.

We show that any problem with the three key properties can be used to build fine-grained PKC. The properties we define ask if a problem is plantable, average-case list-hard, and splittable. These properties are formally defined in Chapter 6. We also evince a specific problem and a hypothesis over that problem which meet all three properties. The specific problem we use is average-case zero k-clique. The worst-case zero k-clique assumption is given below.

Definition In the zero-weight k-clique problem one is given a graph, G, with n nodes and $O(n^2)$ edges with polynomially large edge weights. One must return true if there is a k-clique where the sum of the weights on the $\binom{k}{2}$ edges in the clique is zero. That is, nodes $v_1, \ldots, v_k$ form a zero-weight k-clique if

$$\sum_{i \in [1,k]} \; \sum_{j \in [1,k],\, j \neq i} w(v_i, v_j) = 0$$

where $w(v_i, v_j)$ is the weight of the edge between nodes $v_i$ and $v_j$.

The zero weight k-clique hypothesis states that this problem requires $n^{k-o(1)}$ time. The average-case zero k-clique assumption gives a distribution over which the inputs are drawn for the zero k-clique problem.

Definition In the average-case zero-weight k-clique problem the input comes from a distribution. In this distribution every edge has weight drawn uniformly at random from the integers in [0, R − 1] where $R = n^k$. A zero k-clique in this setting has the sum of all of its edges congruent to zero mod R.

The average-case zero weight k-clique hypothesis states that solving this problem with probability greater than 1 − 1/100 requires $n^{k-o(1)}$ time.

My co-authors and I have developed fine-grained public-key cryptography from fine-grained average-case polynomial assumptions [LLW19]. In this chapter we generate a public key exchange that is computable in time O(n) and is secure against $O(n^{1.5-\varepsilon})$ time eavesdroppers for ε > 0. We additionally present a newer exchange that is secure against $O(n^{2-\varepsilon})$ time adversaries for ε > 0. This work gives useful definitions, constructions and hypotheses to further the work of fine-grained cryptography.

1.2 Organization

In this thesis I will cover my work on applying fine-grained complexity to both the average case and cryptography. To this aim I include two chapters improving the core of fine-grained complexity, Chapter 3 and Chapter 4. Chapter 3 is based on the paper "Deterministic Time-Space Tradeoffs for k-SUM" and Chapter 4 is based on the paper "Tight Hardness for Shortest Cycles and Paths in Sparse Graphs" [LWWW16, LWW18]. The next chapter, Chapter 5, covers my work in average-case fine-grained algorithms [LY]. The final chapter, Chapter 6, covers my work on fine-grained cryptography [LLW19]. Each chapter lists the people I collaborated with on the paper that the chapter is based on.


Chapter 2

Preliminaries

There are three hypotheses that are the focus of most research in fine-grained complexity (FGC). These hypotheses center around the problems of Satisfiability, k-SUM, and All Pairs Shortest Paths (APSP). We will have sections on these problems below. In addition to the three core problems I will also define k-Clique. The Zero-3-Clique hypothesis is implied by both the 3-SUM hypothesis and the APSP hypothesis [WW10, VW09]. In this thesis we will study these problems. We define the problems here because the complexities of these problems are interconnected and are thus referenced across multiple chapters.

In addition to these popular problems and hypotheses there are some terms and notation that are heavily used in fine-grained complexity. I define them in Table 2.1.

| Term/Notation | Meaning |
|---|---|
| Subpolynomial Time | $n^{o(1)}$ time |
| Truly Subquadratic Algorithm | Algorithm in $n^{2-\varepsilon}$ time, ε > 0 |
| Truly Subcubic Algorithm | Algorithm in $n^{3-\varepsilon}$ time, ε > 0 |
| $f(n) = \tilde{O}(T(n))$ | $f(n) = O(T(n)\, n^{o(1)})$ |
| $\tilde{\Omega}(T(n))$ | $f(n) = \Omega(T(n)\, n^{-o(1)})$ |
| Q is equivalent to P | Hypothesis Q implies hypothesis P and vice versa. |

Table 2.1: Some common notation and terms.

Another important notion in FGC is the fine-grained reduction. In FGC we want to reduce problems P hypothesized to require $T_P(n)^{1-o(1)}$ time to problems Q hypothesized to require $T_Q(n)^{1-o(1)}$ time. To do this one can take an instance of P and spend $T_P(n)^{1-\varepsilon}$ time, where ε > 0, processing to generate $\ell$ instances of Q of size $n_1, \ldots, n_\ell$. Then, one can take the outputs of these instances and post-process in $T_P(n)^{1-\varepsilon}$ time, where ε > 0, to answer the original instance of P. Let $A_Q(n)$ be the actual time complexity of Q. This reduction takes $R(n) = T_P(n)^{1-\varepsilon} + \sum_{i=1}^{\ell} A_Q(n_i)$ time. If

$$A_Q(n) = T_Q(n)^{1-\varepsilon} \text{ where } \varepsilon > 0 \implies R(n) = T_P(n)^{1-\varepsilon'} \text{ where } \varepsilon' > 0$$

then this is a successful reduction. Note that you can change what call you are making to Q adaptively based on the previous responses from Q. If you get reductions in both directions then we say the hypotheses are equivalent.¹ For a more in depth discussion and many examples see the Vassilevska Williams Survey [Vas15].

We will now give a more formal statement of these hypotheses.

2.1 Satisfiability and SETH

The k-CNF Satisfiability problem (k-SAT) is one of the best studied problems in computer science [PPSZ05, Aar17, GPFW96, Ach09, DGH+02].

Definition The k-CNF Satisfiability (k-SAT) problem takes as input a formula φ with m clauses and n variables. The formula is in conjunctive normal form (CNF) which requires that the formula be the and of m clauses. Each clause is the or of at most k variables. If there is any setting of the n variables such that the formula, φ, evaluates to true we return true. If there is no setting of the n variables such that φ evaluates to true then return false.

¹ People will often informally say that problem P is equivalent to problem Q. In informal speech this means one of two things. Let $T_P(n)$ be the time complexity of P and $T_Q(n)$ be the time complexity of Q. First, some people mean that $T_P(n) = \tilde{O}(T_Q(n))$ and $T_Q(n) = \tilde{O}(T_P(n))$. That is, they have the same running time up to subpolynomial factors. The second informal meaning relates to the hypotheses related to the problems P and Q. There is often a primary hypothesis for a popular problem (e.g. APSP has the APSP hypothesis) and people will sometimes informally say two problems are equivalent when it is the two associated hypotheses which are equivalent.

The Strong Exponential Time Hypothesis gives a fine-grained hypothesis on the running time of k-CNF SAT [IP01]. To define this we will need a helper notion of $c_k$.

Definition Let $c_k$ be the smallest constant such that there is an algorithm for k-SAT that runs in $2^{c_k n + o(n)}$ time.

Strong Exponential Time Hypothesis (SETH) There is no constant ε > 0 such that $c_k \le 1 - \varepsilon$ for all constant k.

Intuitively SETH states that there is no $2^{(1-\varepsilon)n}$ algorithm for k-SAT where ε > 0. While we do not use the SETH assumption in this work, SETH is heavily used in fine-grained works generically. Defining it here is additionally useful to give context for why the average-case results on faster algorithms for Random Satisfiability in Chapter 5 are surprising. Additionally, it gives some context to the MAX k-SAT assumptions of Chapter 4.

2.2 The k-SUM Problem

First we will define the k-SUM problem.

Definition In the k-SUM problem, we are given an unsorted list L of n values (over $\mathbb{Z}$ or $\mathbb{R}$) and want to determine if there are $a_1, \ldots, a_k \in L$ such that $\sum_{i=1}^{k} a_i = 0$.

The most studied version of this problem is the k = 3 version, 3-SUM. The associated assumption has been heavily used in fine-grained complexity [Vas18].

The 3-SUM Hypothesis [GO12] The 3-SUM hypothesis states that the 3-SUM problem requires $n^{2-o(1)}$ time [GO12].

There are many popular alternative versions of the k-SUM and 3-SUM problem statements which are all equivalent to each other.² Below we have two versions equivalent to the k-SUM problem (see [Vas18, GO12, Pat10]).

List k-SUM In the k-SUM problem, we are given k unsorted lists $L_1, \ldots, L_k$ of n values (over $\mathbb{Z}$ or $\mathbb{R}$) and want to determine if there are $a_1, \ldots, a_k$ such that $\sum_{i=1}^{k} a_i = 0$ and $a_i \in L_i$ for all i.

The following version has not only lists but also asks for the sum to be zero mod R for some R. This version is equivalent only with a randomized reduction and $R = \Omega(n^k)$.

Ranged and Listed k-SUM An instance of the k-SUM problem over range R, k-SUM-R, consists of kn numbers in k lists $L_1, \ldots, L_k$. The numbers are chosen from the range [0, R − 1]. A solution of a k-SUM-R instance is a set of k numbers $a_1 \in L_1, \ldots, a_k \in L_k$ such that their sum is zero mod R, $\sum_{i=1}^{k} a_i \equiv 0 \bmod R$.

2.3 All Pairs Shortest Paths

The All Pairs Shortest Paths (APSP) problem is a basic computational problem. We will define it now.

Definition APSP takes as input a graph G with n nodes, V (also called vertices), and m edges, E. These edges are given weights in [−R, R] where $R = O(n^c)$ for some constant c. We must return the shortest path length for every pair of vertices u, v ∈ V. The length of a path is the sum of the edge weights for all edges on that path.

There are O(nm) algorithms for APSP, which when $m = n^2$ are $O(n^3)$ algorithms [Dij59, Wil14, Pet02, PR05].

² Equivalence here means that if we have an alternate version of 3-SUM (e.g. 3-SUM') an algorithm violating the 3-SUM hypothesis implies a violation of the corresponding 3-SUM' hypothesis. Said yet another way, if there is an $n^{2-\varepsilon}$ (ε > 0) algorithm for one of 3-SUM or 3-SUM' then there is an $n^{2-\varepsilon'}$ (ε′ > 0) algorithm for the other.

APSP Hypothesis The APSP Hypothesis states that the APSP problem requires $n^{3-o(1)}$ time [WW10].

We show that the sparse O(nm) algorithms are optimal in Chapter 4.

2.4 Zero k-Clique

The Zero-k-Clique problem has been of particular interest because in the case of k = 3 it can be shown to be $n^{3-o(1)}$ hard from both 3-SUM and APSP [WW10, VW09].

Definition The Zero-k-Clique problem takes as input a k-partite graph with kn nodes and partitions $P_1, \ldots, P_k$. The k-partite graph is complete: there is an edge between a node $v \in P_i$ and a node $u \in P_j$ if and only if i ≠ j. Thus, every instance has $\binom{k}{2} n^2$ edges. Every edge has a numerical weight.

A solution in a Zero-k-Clique instance is a set of k nodes $v_1 \in P_1, \ldots, v_k \in P_k$ such that the sum of all the weights on the $\binom{k}{2}$ edges in the k-clique formed by $v_1, \ldots, v_k$ is congruent to zero mod R: $\sum_{i \in [1,k]} \sum_{j \in [1,k],\, j \neq i} w(v_i, v_j) = 0$. A solution is also called a zero k-clique.

There is an $O(n^k)$ algorithm for Zero-k-Clique [Vas18]. Using the nearly linear hash functions of Patrascu, we can show that the Zero-k-Clique problem with numbers in [−R, R] is solved by Zero-k-Clique with numbers in range $[-n^k, n^k]$ [Pat10]. Additionally, we can take the numbers in the range $[-n^k, n^k]$ mod $R \ge 2kn^k$; k numbers will sum to zero mod R only if the original numbers in the range $[-n^k, n^k]$ summed to zero.

Definition An instance of Zero-k-Clique-R consists of a k-partite graph with kn nodes and partitions $P_1, \ldots, P_k$. The k-partite graph is complete: there is an edge between a node $v \in P_i$ and a node $u \in P_j$ if and only if i ≠ j. Thus, every instance has $\binom{k}{2} n^2$ edges. The weights of the edges come from the range [0, R − 1].

A solution in a Zero-k-Clique-R instance is a set of k nodes $v_1 \in P_1, \ldots, v_k \in P_k$ such that the sum of all the weights on the $\binom{k}{2}$ edges in the k-clique formed by $v_1, \ldots, v_k$ is congruent to zero mod R: $\sum_{i \in [1,k]} \sum_{j \in [1,k],\, j \neq i} w(v_i, v_j) \equiv 0 \bmod R$. A solution is also called a zero k-clique.
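The following added example (not code from the thesis) samples a Zero-k-Clique-R instance from the average-case distribution of Section 1.1.4, with every weight uniform in [0, R − 1] and R = n^k, and finds its zero k-cliques by trying all n^k choices of one node per partition. The function names, the dictionary layout of the weights and the helper `force_zero_clique` are assumptions made for this illustration; the helper only builds a test input and is not the planting procedure of Chapter 6.

```python
import itertools
import random

def sample_instance(n, k, R, rng):
    """Complete k-partite graph with parts 0..k-1 of n nodes each.
    w[(i, j)][a][b] (i < j) is the weight of the edge between node a of
    part i and node b of part j, drawn uniformly from [0, R-1]."""
    return {
        (i, j): [[rng.randrange(R) for _ in range(n)] for _ in range(n)]
        for i, j in itertools.combinations(range(k), 2)
    }

def clique_weight(w, nodes, R):
    """Sum mod R over the C(k,2) edges of the clique that uses nodes[i] in
    part i. Each unordered pair is counted once, matching 'the sum of the
    weights on the edges in the k-clique'."""
    k = len(nodes)
    return sum(w[(i, j)][nodes[i]][nodes[j]]
               for i, j in itertools.combinations(range(k), 2)) % R

def zero_cliques(w, n, k, R):
    """Brute force in n^k clique evaluations: one node per partition."""
    return [nodes for nodes in itertools.product(range(n), repeat=k)
            if clique_weight(w, nodes, R) == 0]

def force_zero_clique(w, nodes, R):
    """Constructed test helper: change one edge so that `nodes` becomes a
    zero k-clique (illustration only, not the thesis's planting step)."""
    a, b = nodes[0], nodes[1]
    w[(0, 1)][a][b] = (w[(0, 1)][a][b] - clique_weight(w, nodes, R)) % R

def average_zero_cliques(n, k, trials, seed=0):
    """Mean number of zero k-cliques over `trials` samples with R = n^k.
    Each clique weight is uniform mod R, so the expectation is n^k / R = 1."""
    rng = random.Random(seed)
    R = n ** k
    total = 0
    for _ in range(trials):
        total += len(zero_cliques(sample_instance(n, k, R, rng), n, k, R))
    return total / trials

if __name__ == "__main__":
    n, k = 4, 3
    R = n ** k
    rng = random.Random(2020)            # constructed sample, fixed seed
    inst = sample_instance(n, k, R, rng)
    print("zero cliques in a random instance:", zero_cliques(inst, n, k, R))
    force_zero_clique(inst, (3, 1, 2), R)
    print("after forcing (3, 1, 2):", zero_cliques(inst, n, k, R))
    print("average count over 200 samples:", average_zero_cliques(3, 3, 200))
```

With R = n^k a random instance contains one zero k-clique in expectation, which is why the decision problem on this distribution is neither almost always true nor almost always false.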


Chapter 3

Deterministic Time-Space Tradeoffs for k-SUM

3.1 Summary

This chapter was written with Authors Andrea Lincoln, Virginia Vassilevska Williams, Joshua R. Wang, and Ryan Williams [LWWW16].

Given a set of numbers, the k-SUM problem asks for a subset of k numbers that sums to zero. When the numbers are integers, the time and space complexity of k-SUM is generally studied in the word-RAM model; when the numbers are reals, the complexity is studied in the real-RAM model, and space is measured by the number of reals held in memory at any point.

We present a time and space efficient deterministic self-reduction for the k-SUM problem which holds for both models, and has many interesting consequences. To illustrate:

∙ 3-SUM is in deterministic time $O(n^2 \lg\lg(n)/\lg(n))$ and space $O\left(\sqrt{\frac{n \lg(n)}{\lg\lg(n)}}\right)$. In general, any polylogarithmic-time improvement over quadratic time for 3-SUM can be converted into an algorithm with an identical time improvement but low space complexity as well.

∙ 3-SUM is in deterministic time $O(n^2)$ and space $O(\sqrt{n})$, derandomizing an algorithm of Wang.

∙ A popular hypothesis states that 3-SUM requires $n^{2-o(1)}$ time on the word-RAM. We show that the 3-SUM hypothesis is in fact equivalent to the (seemingly weaker) hypothesis that every $O(n^{0.51})$-space algorithm for 3-SUM requires at least $n^{2-o(1)}$ time on the word-RAM.

∙ For k ≥ 4, k-SUM is in deterministic $O(n^{k-2+2/k})$ time and $O(\sqrt{n})$ space.

3.2 Introduction

In this chapter, we consider the k-SUM problem: given a list S of n values, determine whether there are distinct $a_1, \ldots, a_k \in S$ such that $\sum_{i=1}^{k} a_i = 0$. This classic problem is a parameterized version of the Subset Sum problem, which is among Karp's original NP-Complete problems.¹

The brute-force algorithm for k-SUM runs in $O(n^k)$ time, and it is known [PW10] that an $n^{o(k)}$ time algorithm (where the little-o depends on k) would violate the Exponential Time Hypothesis [IP01]. A faster meet-in-the-middle algorithm reduces the k-SUM problem on n numbers to 2-SUM on $O(n^{\lceil k/2 \rceil})$ numbers, which can then be solved by sorting and binary search in $O(n^{\lceil k/2 \rceil} \log n)$ time. The belief that this meet-in-the-middle approach is essentially time-optimal is at the heart of many conditional 3-SUM-hardness results in computational geometry (e.g. [GO12]) and string matching (e.g. [ACLL14, AVW14]).

The space usage of the meet-in-the-middle approach is prohibitive: the O(n log n) time solution for 2-SUM uses linear space, which causes the fast k-SUM algorithm to need $\Omega(n^{\lceil k/2 \rceil})$ space. However, the brute-force algorithm needs only O(k log n) space. This leads to the natural question: how well can one trade off time and space in solving k-SUM?

Schroeppel and Shamir [SS81] first studied time-space tradeoff algorithms for Subset Sum. They showed how to reduce Subset Sum to an instance of k-SUM for any k ≥ 2: split the elements into k sets of n/k elements each; for each set, compute $2^{n/k}$ sums corresponding to the subsets of the set; this forms a k-SUM instance of size $2^{n/k}$. Since the k-SUM instance does not have to be explicitly stored, any time T(N), space S(N) algorithm for k-SUM immediately implies a time $T(2^{n/k})$, space $S(2^{n/k})$ algorithm for Subset Sum. Furthermore, Schroeppel and Shamir gave a deterministic $\tilde{O}(n^2)$ time, $\tilde{O}(n)$ space algorithm for 4-SUM, implying a $O^*(2^{n/2})$ time, $O^*(2^{n/4})$ space algorithm for Subset Sum.² They also generalized the algorithm to provide a smooth time-space tradeoff curve, with extremal points at $O^*(2^{n/2})$ time, $O^*(2^{n/4})$ space and $O^*(2^n)$ time, $O^*(1)$ space.
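The reduction just described, together with the two extremes of the time-space tradeoff from the preceding paragraphs, as an added example that is not code from the thesis. The names `ImplicitKSum`, `index_tuples`, `solve_low_space` and `solve_meet_in_middle` are assumptions, as is the convention of subtracting the Subset Sum target from list 0 so that "sums to the target" becomes "sums to zero"; a dictionary stands in for the sorting and binary search of the meet-in-the-middle algorithm.

```python
def split_blocks(items, k):
    """Cut items into k consecutive blocks whose sizes differ by at most one."""
    q, r = divmod(len(items), k)
    blocks, start = [], 0
    for i in range(k):
        end = start + q + (1 if i < r else 0)
        blocks.append(items[start:end])
        start = end
    return blocks

class ImplicitKSum:
    """List k-SUM instance whose i-th list holds every subset sum of block i.
    Entries are computed on demand from a bitmask and never stored."""
    def __init__(self, items, k, target):
        self.blocks = split_blocks(list(items), k)
        self.target = target

    def size(self, i):
        return 1 << len(self.blocks[i])          # 2^(n/k) entries per list

    def value(self, i, mask):
        s = sum(x for bit, x in enumerate(self.blocks[i]) if mask >> bit & 1)
        return s - self.target if i == 0 else s  # assumption: shift list 0

    def subset(self, masks):
        return [x for i, m in enumerate(masks)
                for bit, x in enumerate(self.blocks[i]) if m >> bit & 1]

def index_tuples(sizes):
    """Mixed-radix counter over all index tuples; keeps only k counters."""
    idx = [0] * len(sizes)
    while True:
        yield tuple(idx)
        pos = len(sizes) - 1
        while pos >= 0 and idx[pos] == sizes[pos] - 1:
            idx[pos] = 0
            pos -= 1
        if pos < 0:
            return
        idx[pos] += 1

def solve_low_space(inst):
    """Brute-force k-SUM: time is the product of the list sizes, working
    memory is the k current indices."""
    k = len(inst.blocks)
    for masks in index_tuples([inst.size(i) for i in range(k)]):
        if sum(inst.value(i, m) for i, m in enumerate(masks)) == 0:
            return inst.subset(masks)
    return None

def solve_meet_in_middle(inst):
    """Store every sum over the first ceil(k/2) lists, then look up the
    negated sums of the remaining lists. Returns (subset, stored sums)."""
    k = len(inst.blocks)
    h = (k + 1) // 2
    table = {}
    for masks in index_tuples([inst.size(i) for i in range(h)]):
        table.setdefault(sum(inst.value(i, m) for i, m in enumerate(masks)), masks)
    for masks in index_tuples([inst.size(i) for i in range(h, k)]):
        s = sum(inst.value(h + j, m) for j, m in enumerate(masks))
        if -s in table:
            return inst.subset(table[-s] + masks), len(table)
    return None, len(table)

if __name__ == "__main__":
    items = [3, 34, 4, 12, 5, 2]                 # constructed sample input
    inst = ImplicitKSum(items, 3, 9)
    print("low space:", solve_low_space(inst))
    print("meet in the middle:", solve_meet_in_middle(inst))
```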

A recent line of work leading up to Austrin et al. [AKKM13] has improved this long-standing tradeoff curve for Subset Sum via randomized algorithms, resulting in a more complex curve. Wang [Wan14] moved these gains to the k-SUM setting. In particular, for 3-SUM he obtains an $\tilde{O}(n^2)$ time, $\tilde{O}(\sqrt{n})$ space Las Vegas algorithm.

Despite the recent progress on the problem, all of the improved algorithms for the general case of k-SUM have heavily relied on randomization, either utilizing hashes or random prime moduli. These improvements also all rely heavily on the values in the lists being integers. For the general case of k-SUM, the previous best deterministic k-SUM results (even for integer inputs) are the brute-force algorithm, the meet-in-the-middle algorithm, and the Schroeppel and Shamir 4-SUM algorithm, and simple combinations thereof.

3.2.1 Our Results

In this chapter we consider new ways of trading time and space in solving k-SUM, on both integer and real inputs (on the word-RAM and real-RAM respectively), without the use of randomization.

Our main result is a deterministic self-reduction for k-SUM. Informally, we show how to deterministically decompose a list of n numbers into a small collection of shorter lists, such that the k-SUM solution is preserved. This result is shown for k = 3 in Section 3.5. It is shown for general k in Section 3.6.

Theorem 3.2.1. Let g be any integer between 1 and n. k-SUM on n numbers can be reduced to $O(kg^{k-1})$ instances of k-SUM on n/g numbers. The reduction uses $O(ng^{k-1})$ additional time and O(n/g) additional words of space.

Theorem 3.2.1 has several interesting applications. First, it leads to more efficient k-SUM algorithms. For example, Gold and Sharir, building on other recent advances, report a deterministic algorithm for 3-SUM that works in both the word-RAM and real-RAM models and which runs in time $O(n^2 \lg\lg(n)/\lg(n))$ [GS15]. However, this algorithm uses a considerable amount of space to store a table of permutations. Applying Theorem 3.2.1 multiple times and calling their algorithm, we recover the same running time but with drastically better space usage:

Theorem 3.2.2. There is an $O(n^2 \lg\lg(n)/\lg(n))$ time deterministic algorithm for 3-SUM that stores at most $O\left(\sqrt{\frac{n \lg(n)}{\lg\lg(n)}}\right)$ numbers in memory at any point. (An analogous statement holds for 3-SUM over the integers.)

Theorem 3.2.1 also directly leads to a derandomization of Wang's space-efficient algorithm for 3-SUM:

Theorem 3.2.3. For all s ∈ [0, 1/2] there is a deterministic time $O(n^{3-2s})$ algorithm which uses $O(n^s)$ words of space for 3-SUM.

From Theorem 3.2.1 we can also derive a more space-efficient algorithm for 4-SUM, and lift it to a new algorithm for k-SUM:

Theorem 3.2.4. For k ≥ 4, k-SUM is solvable in deterministic $O(n^{k-2+2/(k-3)})$ time and $O(\sqrt{n})$ space in terms of words.

A more plausible 3-SUM hypothesis. A rather popular algorithmic hypothesis is the 3-SUM Hypothesis that 3-SUM on n integers requires $n^{2-o(1)}$ time on a word-RAM with O(log n) bit words. This hypothesis has been used to derive conditional lower bounds for a huge variety of problems, for instance [GO12, ACLL14, AVW14, Pat10, AV14]. To refute the hypothesis, one could conceivably construct an algorithm that runs in $O(n^{1.99})$ time, but utilizes $\Omega(n^{1.99})$ space in some clever way. Here we consider a seemingly weaker (and thus more plausible) hypothesis:

Hypothesis 3.2.5 (The Small-Space 3-SUM Hypothesis). On a word-RAM with O(log n)-bit words, there exists an ε > 0 such that every algorithm that solves 3-SUM in $O(n^{1/2+\varepsilon})$ space must take at least $n^{2-o(1)}$ time.

This hypothesis looks weaker than the original 3-SUM Hypothesis, because we only have to prove a quadratic-time lower bound for all algorithms that use slightly more than $\sqrt{n}$ space. Proving time lower bounds is generally much easier when space is severely restricted (e.g. [BSSV03, FLvMV05, DvMW11, Wil08, BCM13]).

Our self-reduction for 3-SUM yields the intriguing consequence that the original 3-SUM Hypothesis is equivalent to the Small-Space 3-SUM hypothesis! That is, the non-existence of a truly subquadratic 3-SUM algorithm is the same as the non-existence of a truly subquadratic-time $n^{0.51}$-space 3-SUM algorithm, even though the latter appears to be a more plausible lower bound(!).

We prove:

Theorem 3.2.6. If 3-SUM is solvable in $O(n^{2-\varepsilon})$ time, then for every α > 0 there is a δ > 0 such that 3-SUM is solvable in $O(n^{2-\delta})$ time and space $O(n^{1/2+\alpha})$ in terms of words.

Note that Theorem 3.2.6 is interesting regardless of the veracity of the 3-SUM hypothesis. On the one hand, the theorem reduces the difficulty of proving the 3-SUM Hypothesis if it is true, because we only have to rule out small-space sub-quadratic time algorithms. On the other hand, the theorem means that refuting the 3-SUM hypothesis immediately implies a truly-subquadratic time algorithm for 3-SUM using small space as well, which would be an algorithmic improvement.

Relation to Thesis: The results of this chapter relate to the thesis as a whole by strengthening both the assumptions and the algorithms of fine-grained complexity. Notably, by showing that the Small-Space 3-SUM hypothesis is equivalent to the original 3-SUM hypothesis, we have made the 3-SUM hypothesis more plausible. Additionally, as mentioned, any violation of the 3-SUM hypothesis implies a simultaneously fast and small space algorithm.

3.3 Preliminaries

3.3.1 k-SUM and Selection

Recall Definition 2.2:

Definition 2.2 Reminder In the k-SUM problem, we are given an unsorted list L of n values (over $\mathbb{Z}$ or $\mathbb{R}$) and want to determine if there are $a_1, \ldots, a_k \in L$ such that $\sum_{i=1}^{k} a_i = 0$.

One fundamental case is the 3-SUM problem. Sometimes 3-SUM is presented with three separate lists, which we denote as 3-SUM', but the two are reducible to each other in linear time, and with no impact on space usage. The following definition is specific to the case of k = 3, but fundamentally relates to Definition 2.2 and Definition 2.2 from the preliminaries. However, to avoid excessive subscripts we use A, B and C as the names of the three lists instead of $L_1, L_2, L_3$.

Definition In the 3-SUM problem, we are given an unsorted list L of n values and want to know if there are a, b, c ∈ L such that a + b + c = 0.

In the 3-SUM’ problem, we are given three unsorted lists A, B, and C of values, where |A| = |B| = |C| = n, and want to know if there are a ∈ A, b ∈ B, c ∈ C such that a + b + c = 0.

As part of our k-SUM algorithms, the classical Selection Problem will also arise:

Definition In the s-SELECT problem, we are given an unsorted list L of n values and a natural number s, and want to determine the s-th smallest value in L.

3.3.2 Computational Model

As standard when discussing sub-linear space algorithms, the input is provided in read-only memory, and the algorithm works with auxiliary read/write memory which counts towards its space usage.

Computation on Integers. When the input values are integers, we work in the word-RAM model of computation: the machine has a word size w, and we assume all input numbers can be represented with w bits so that they fit in a word. Arithmetic operations (+, −, *) and comparisons on two words are assumed to take O(1) time. Space is counted in terms of the number of words used.

Computation on Reals. When the input values are real numbers, we work in a natural real-RAM model of computation, which is often called the comparison-addition model (see, for example, [PR05]). Here, the machine has access to registers that can store arbitrary real numbers; addition of two numbers and comparisons on real numbers take O(1) time. Space is measured in terms of the number of reals stored.

Time-Space Complexity Notation. We say that k-SUM is solvable in TISP(T(n), S(n)) if k-SUM on lists of length n can be solved by a single algorithm running in deterministic O(T(n)) time and O(S(n)) space simultaneously on the real-RAM (and if the lists contain integers, on the word-RAM).

3.3.3 Other Prior Work

Baran, Demaine and Patrascu [BDP05] obtained randomized slightly subquadratic time algorithms for Integer 3-SUM in the word-RAM. Grønlund and Pettie [GP14] studied 3-SUM over the reals, obtaining an $O(n^2/(\log n/\log\log n))$ time randomized algorithm and an $O(n^2/(\log n/\log\log n)^{2/3})$ time deterministic algorithm. This has been recently improved to a deterministic algorithm over the reals in time $O(n^2/(\log n/\log\log n))$ by Gold and Sharir [GS15]. Abboud, Lewi and Williams [ALW14] showed that Integer k-SUM is W[1]-complete. In the linear decision tree model of computation, k-SUM over the reals is known to require $\Omega(n^{\lceil k/2 \rceil})$ depth k-linear decision trees [Eri95, AC05], but the problem can be solved with $O(n^{k/2}\sqrt{\log n})$ depth (2k − 2)-linear decision trees [GP14]. The randomized decision tree complexity was improved by Gold and Sharir [GS15] to $O(n^{k/2})$.

3.4 Building Blocks

In this section, we describe two tools we use to obtain our main self-reduction lemma for k-SUM and 3-SUM. The first tool helps us guarantee that we don't have to generate too many subproblems in our reduction; the second will allow us to find these subproblems in a time and space efficient way.

3.4.1 Domination Lemma

Our deterministic self-reduction for k-SUM will split lists of size n into g sublists of size n/g, then solve subproblems made up of k-tuples of these sublists. Naively, this would generate $g^k$ subproblems to enumerate all k-tuples. In this section, we show that we only need to consider $O(kg^{k-1})$ subproblems.

First, we define a partial ordering on k-tuples on $[n]^k$. For $t, t' \in [n]^k$, we say that t ≺ t′ if t[i] < t′[i] for all i = 1, . . . , k. (Geometrically, the terminology is that t′ dominates t.)

Lemma 3.4.1 (Domination Lemma). Suppose all tuples in a subset $S \subseteq [n]^k$ are incomparable with respect to ≺. Then $|S| \le kn^{k-1}$.

The Domination Lemma can be seen as an extension of a result in [VW09] (also used in [CL07] in a different context) which covers the k = 3 case.

Proof. We will give a cover of all elements in $[n]^k$ with few chains under $\prec$. Then by Dilworth's theorem, any set of incomparable elements under $\prec$ can only have one element from each chain.

Take any k-tuple $t \in [n]^k$ such that $t[i] = 1$ for some $i = 1, \dots, k$. Letting $\ell \in [n]$ be the largest element in $t$, we define the chain $C(t) = \{t_0, t_1, \dots, t_{n-\ell}\}$, where each $t_j$ is given by $t_j[i] = t[i] + j$ for all $i = 1, \dots, k$. Clearly $C(t)$ forms a chain in $[n]^k$ under $\prec$. Moreover these chains cover all elements of $[n]^k$: observe that the tuple $t$ appears in the chain $C(t')$ where $t'[i] = t[i] - \min_j t[j] + 1$ for all $i = 1, \dots, k$.

Figure 3-1: Domination Lemma chains when n = 3 and k = 3. The chain {(1, 1, 1), (2, 2, 2), (3, 3, 3)} is highlighted in red. In three dimensions, the number of chains is roughly proportional to the surface area of the cube, which is only $O(n^2)$, despite the fact that there are $O(n^3)$ points.

The number of chains is exactly the number of k-tuples with a 1 in at least one coordinate. This number is less than k times the number of tuples that have a 1 in dimension i. The number of tuples with a 1 in dimension i is $n^{k-1}$. Thus, the total number of chains is $\le kn^{k-1}$.
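The chain cover from the proof, built explicitly as an added example (not code from the thesis). It checks that the chains $C(t)$ partition $[n]^k$ and that their starting tuples are pairwise incomparable, so the chain count $n^k - (n-1)^k$ is also the size of a largest antichain; all function names are chosen here.

```python
from itertools import product

def precedes(t, u):
    """t ≺ u: u dominates t, i.e. t[i] < u[i] in every coordinate."""
    return all(a < b for a, b in zip(t, u))

def chain(t, n):
    """C(t) = {t_0, ..., t_{n-l}} with t_j[i] = t[i] + j, where l = max(t)."""
    return [tuple(x + j for x in t) for j in range(n - max(t) + 1)]

def chain_cover(n, k):
    """One chain per tuple of [n]^k that has a 1 in some coordinate."""
    return [chain(t, n) for t in product(range(1, n + 1), repeat=k) if min(t) == 1]

def verify(n, k):
    """Check the cover from the proof and return the number of chains."""
    chains = chain_cover(n, k)
    points = sorted(p for c in chains for p in c)
    # The chains cover every tuple of [n]^k, each exactly once.
    assert points == sorted(product(range(1, n + 1), repeat=k))
    # Consecutive elements of a chain are comparable under ≺.
    assert all(precedes(c[j], c[j + 1]) for c in chains for j in range(len(c) - 1))
    # The starting tuples form an antichain: one of them cannot dominate another,
    # because the dominating tuple would need every coordinate to be at least 2.
    starts = [c[0] for c in chains]
    assert not any(precedes(t, u) for t in starts for u in starts)
    return len(chains)

if __name__ == "__main__":
    for n, k in [(3, 3), (4, 2), (5, 3)]:
        print(n, k, verify(n, k), "<=", k * n ** (k - 1))
```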

The Domination Lemma can be applied to show that in any list of numbers, not too many k-SUM subproblems can have k-SUM solutions. In the following, let g divide n for simplicity. Given a list L of n numbers divided into g groups of size n/g, a subproblem of L is simply the union of a k-tuple of groups from L. Note that a subproblem contains at most kn/g numbers.


Figure 3-2: A depiction of how L is divided.

where $|L_i| = n/g$ for all $i$, and for all $a \in L_i$ and $b \in L_{i+1}$ we have $a \le b$. Then there are $O(k \cdot g^{k-1})$ subproblems $L'$ of $L$ such that the smallest k-sum of $L'$ is less than zero and the largest k-sum of $L'$ is greater than zero. Furthermore, if some subproblem of $L$ has its largest or smallest k-sum equal to 0, then the corresponding k-SUM solution can be found in $O(g^k)$ time.

Proof. We associate each subproblem of $L$ with a corresponding k-tuple $(x_1, \dots, x_k) \in [g]^k$ corresponding to the k sublists $(L_{x_1}, \dots, L_{x_k})$ of $L$.

Let $m[i]$ be the element in position $i \cdot (n/g)$ when $L$ is in sorted order. Consider any subproblem with $\sum_{i=1}^{k} m[x_i] > 0$ (smallest k-sum greater than zero) or $\sum_{i=1}^{k} m[x_i + 1] < 0$ (largest k-sum less than zero). We call such a subproblem trivial, since it cannot contain k-SUM solutions.

In $O(g^k)$ time, we can determine whether any subproblem has $\sum_{i=1}^{k} m[x_i] = 0$, and return the corresponding k-SUM solution if this is the case. Otherwise, we can assume that for each subproblem either it is trivial, or $\sum_{i=1}^{k} m[x_i] < 0 < \sum_{i=1}^{k} m[x_i + 1]$.

Consider the set of non-trivial subproblems. Because for all $a \in L_i$ and $b \in L_{i+1}$ we have $a \le b$, if for two subproblem k-tuples we have $t \prec t'$, then the smallest k-sum of the subproblem $t'$ is at least the largest k-sum of the subproblem $t$. This implies that at least one of the two subproblems must be trivial. In other words, the set of nontrivial problems corresponds to a set of incomparable k-tuples in $[g]^k$. Applying Lemma 3.4.1, the number of nontrivial subproblems is $O(kg^k)$.
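An added example (not from the thesis) that lists the nontrivial subproblems of a concrete list, taking each tuple's smallest and largest k-sum from the per-group minima and maxima as in the proof. It sorts the list for clarity, which the space-efficient reduction itself avoids; the function names and the sample list are constructed for illustration.

```python
from itertools import product

# Constructed sample: n = 12 numbers, to be split into g = 4 groups of size 3.
SAMPLE = [13, -22, 4, -9, 30, -31, 1, -5, 21, -17, 8, -2]

def nontrivial_subproblems(L, g, k):
    """Return the k-tuples of group indices whose subproblem straddles zero.

    L is sorted and cut into g consecutive groups of size len(L)/g, so every
    element of group i is <= every element of group i+1. A tuple is nontrivial
    when (sum of its groups' minima) < 0 < (sum of its groups' maxima).
    """
    L = sorted(L)
    size = len(L) // g
    lo = [L[i * size] for i in range(g)]              # minimum of group i
    hi = [L[(i + 1) * size - 1] for i in range(g)]    # maximum of group i
    return [t for t in product(range(g), repeat=k)
            if sum(lo[x] for x in t) < 0 < sum(hi[x] for x in t)]

def is_antichain(tuples):
    """True when no tuple is strictly smaller than another in every coordinate."""
    return not any(all(a < b for a, b in zip(t, u)) for t in tuples for u in tuples)

if __name__ == "__main__":
    g, k = 4, 3
    nt = nontrivial_subproblems(SAMPLE, g, k)
    print(len(nt), "nontrivial of", g ** k, "tuples; bound k*g^(k-1) =", k * g ** (k - 1))
    print("pairwise incomparable:", is_antichain(nt))
```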


3.4.2 Bucket Retrieval and Space-Efficient Selection

A randomized algorithm for k-SUM can partition a list of numbers by choosing a hash function at random, then loop over the hash function range to partition a given list into smaller buckets. Given a hash and a bucket number, it is easy to retrieve the contents of that bucket by scanning the list.

To derandomize this process, we could try to create small “hash” buckets by grouping the n/g smallest elements together, then the next n/g smallest elements, and so on, without actually sorting the list. However, retrieving the contents of a bucket may now be difficult to do with small space: we need to know the smallest and largest elements of a bucket to retrieve its elements, and we may not be able to store all of these extrema. We require an efficient algorithm to compute the largest element of a bucket, given the smallest element and the bucket size.

This problem is equivalent to the selection problem, also known as s-SELECT, which asks for the $s$-th smallest element of a list, when we set s = n/g. To reduce from our problem to s-SELECT, pretend that every entry less than our smallest element is ∞. (To reduce from s-SELECT to our problem, we can pretend our smallest element is −∞.)

We could use the classic median-of-median algorithm to solve s-SELECT in O(n) time and O(n) space [BFP+73]. However, since we care about space usage, we provide an algorithm below which has the same running time, but uses much less space. It turns out to be optimal for our purposes, since retrieving the bucket afterwards will already take O(n) time and O(s) space.

Lemma 3.4.3. s-SELECT can be solved in O(n) time and O(s) space.

Proof. The plan is to scan through the elements of the list, inserting them into a data structure D which will allow us to track the smallest s elements. We perform n insertions, then query D to ask for the smallest s elements it contains. To get the claimed algorithm for selection, we give a data structure that can handle these operations in O(1) amortized update time and O(s) query time, with a data structure using only O(s) space.
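The proof text breaks off here before describing the data structure, so the following is an added sketch of one standard way to meet the stated bounds, not the thesis's own construction: buffer up to 2s values and prune back to the s smallest with a linear-time selection. It also shows the bucket retrieval described at the start of this section; all names are chosen here, and `buckets` assumes distinct values.

```python
def mom_select(a, r):
    """r-th smallest (0-based) of a, deterministic O(len(a)) time (median of medians)."""
    while len(a) > 5:
        meds = [sorted(a[i:i + 5])[len(a[i:i + 5]) // 2] for i in range(0, len(a), 5)]
        p = mom_select(meds, len(meds) // 2)
        below = [x for x in a if x < p]
        n_eq = sum(1 for x in a if x == p)
        if r < len(below):
            a = below
        elif r < len(below) + n_eq:
            return p
        else:
            a, r = [x for x in a if x > p], r - len(below) - n_eq
    return sorted(a)[r]

class SmallestS:
    """Tracks the s smallest inserted values in a buffer of at most 2s entries."""
    def __init__(self, s):
        self.s, self.buf = s, []
    def insert(self, x):
        self.buf.append(x)
        if len(self.buf) == 2 * self.s:      # one O(s) prune per s inserts: O(1) amortized
            self._prune()
    def _prune(self):
        if len(self.buf) > self.s:
            cut = mom_select(self.buf, self.s - 1)          # s-th smallest in the buffer
            keep = [x for x in self.buf if x < cut]
            self.buf = keep + [cut] * (self.s - len(keep))  # fill up with ties of cut
    def query(self):
        self._prune()
        return self.buf

def bucket_max(L, lo, s):
    """Largest element of the size-s bucket whose smallest element is lo."""
    d = SmallestS(s)
    for x in L:
        if x >= lo:          # entries below lo count as +infinity, so they are never kept
            d.insert(x)
    return max(d.query())

def buckets(L, s):
    """Yield the buckets of L (distinct values assumed) in sorted order, never sorting L."""
    lo = min(L)
    while lo is not None:
        hi = bucket_max(L, lo, s)
        yield [x for x in L if lo <= x <= hi]             # O(n) scan, O(s) output
        lo = min((x for x in L if x > hi), default=None)
```

Each bucket costs one O(n) pass for `bucket_max` and one for the retrieval scan, with only the O(s) buffer held in memory.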
