on-line algorithms and fast digital identity revocation - CiteSeerX

ON-LINE ALGORITHMS AND FAST DIGITAL IDENTITY REVOCATION BY SACHIN P LODHA

A dissertation submitted to the Graduate School—New Brunswick Rutgers, The State University of New Jersey in partial fulfillment of the requirements for the degree of Doctor of Philosophy Graduate Program in Computer Science Written under the direction of Endre Szemer´ edi and approved by

New Brunswick, New Jersey January, 2002

c 2002

Sachin P Lodha ALL RIGHTS RESERVED

ABSTRACT OF THE DISSERTATION

On-line Algorithms

and

Fast Digital Identity Revocation

by Sachin P Lodha Dissertation Director: Endre Szemer´ edi

The k–server problem is a generalized model of certain scheduling problems such as, for instance, multi–level memory paging, disk caching and head motion planning of multi–headed disks. The problem can be stated as follows: We are given k mobile servers that occupy k points of a metric space M . We assume that M is finite, |M | = n > k, and k > 1. At each time step a request, a point of M , appears. An algorithm must serve this request by moving one of its servers to the requested point (if that is vacant). The algorithm is charged a cost which is equal to the distance moved by the server. The algorithm A is on–line if it serves the request without knowing what the future 2

requests will be. We present a O(n 3 ln n)–competitive randomized on–line algorithm when the underlying metric space is given by n equally spaced points on a line. This algorithm is o(k)-competitive for n = k + o(k3/2/ ln k). Let A be an n-uniform hypergraph. Assume that the maximum degree of A is D = D(A) (local condition), and |A| = N = N (A) (global condition). By the Lov´ asz ii

Local Lemma (L.L.L.), if D
k, and k > 1. At each time step a request, a point of M , appears. An algorithm must serve this request by moving one of its servers to the requested point (if that is vacant). The algorithm is charged for a cost which is equal to the distance moved by the server. The algorithm A is on–line if it serves the request without knowing what the future requests will be. The standard way of measuring the performance of an on–line algorithm is competitive analysis. An on–line algorithm A is c–competitive if there exists a constant K

2

such that for all request sequence ρ, A(ρ) ≤ c · opt(ρ) + K,

(1.1)

where A(ρ) is the cost of A on ρ and opt(ρ) denotes the optimal off–line cost of ρ. This measure first appeared in [44] for the paging problem. The problem itself can be stated as: Consider a two-level memory divided into pages of fixed uniform size. Let n be the number of pages of fast memory. Each operation is an access that specifies a page of information. If the page is in fast memory, the access costs nothing. If the page is in slow memory, we must swap it for a page in fast memory, at a cost of one page fault. The goal is to minimize the number of page faults for a given sequence of accesses. [44] provided rigorous and tight analysis of welknown LRU algorithm and showed that it is k–competitive (where k is the size of the fast memory). The general k–server problem was introduced in [33]. They proved that the competitive ratio of any on–line algorithm is at least k (1 < k < n). They formulated the k–server conjecture, i.e. there exists a k–competitive on–line algorithm for every metric space M . This conjecture is still unsettled, the best known general upper bound on the competitive ratio is 2k − 1 [30]. However, for some special cases, there are k–competitive on–line algorithms (e.g. tree metric spaces [16], n = k + 2 [8, 31], etc.). In several branches of computer science, randomization does help. For the k–server problem very little is known about the competitive ratio of randomized on–line algorithms. The competitive ratio of a randomized algorithm R is c if the following holds: There exists a constant K such that for all request sequence ρ, E[R(ρ)] ≤ c · opt(ρ) + K,

(1.2)

where E[R(ρ)] denotes the expected cost of R on ρ. In [34], an Hk –competitive randomized on–line algorithm is given for the paging problem (Hk is the kth harmonic number. Hk ≈ log k). This is the best possible: [24] shows that Hk is a lower bound in this case. Another special case for which there is a good randomized on–line algorithm is the case of p(n)–unbalanced metric spaces [14]. For general metric spaces, the best results so far were achieved by the help of randomized algorithms for the metrical task system problem (see [15, 17]). Formally, a

3

metrical task system (MTS) is a pair S = (M, T ), where M is a finite metric space whose elements are called states, and T is a finite set of functions τ : M → ℜ+ called tasks. For notational convenience, if x, y ∈ M , we denote the distance from x to y simply as xy. Suppose we are given initial state x0 ∈ M and a sequence of tasks τ¯ = τ1 τ2 . . . τm . Any sequence x ¯ = x0 , x1, . . . , xm, where xi ∈ M , is called a schedule for x0, τ¯. We define

m X [xi−1 xi + τi (xi)], cost(x0 , τ¯, x ¯) = i=1

opt(x0 , τ¯) = min{cost(x0 , τ¯, x ¯)}. x ¯

The goal is design an on–line strategy that would have minimum possible competitive ratio when compared with opt. In a series of papers [2, 4, 5, 6, 25], a powerful method was developed for the randomized MTS problem. Translating these results for the k–server problem, the smallest randomized competitive ratio for general metric spaces is min(2k − 1, O(log see [25]. Note that Ω(

q

log k loglogk )

    n n log log log n log log n)), k k

lower bound is given in [14] for the competitive ratio

in general metric spaces. Here we investigate the randomized k–server problem for the special case when the underlying metric space is given by n equally spaced points on a line. The case when the log k metric space is a line has received special attention. First the lower bound Ω( loglog k ) is

shown in [14]. There are two interesting results concerning upper bounds (algorithms). For the special case when the underlying metric space is the real line and k = 2, [7] exhibits a randomized on–line algorithm with competitive ratio

155 78

< 2. Note that in

this case the size of the metric space, |M |, can be infinite. Another algorithm is for a line
segment of length n with equidistant point set having competitive ratio O(log nk log n), see [25].

2

Our contribution [19] is a O(n 3 ln n)–competitive randomized on–line algorithm when the underlying metric space is given by n equally spaced points on a line. For n = k +o(k3/2/ ln k), this algorithm is o(k)–competitive. Therefore it improves the best

4

results so far for the range n − k ∈ [ck, o(k3/2)/ ln k]. We remark that our method is directly suited for the k–server problem on a line.

1.2

Efficient Proper 2-coloring of Almost Disjoint Hypergraphs

The probabilistic method is used to prove the “existence” of a certain structure by creating a probability space and proving that a random point of this space represents the desired structure with some positive probability. Let E1, E2, . . . , EN be a system of N events in a probability space Ω. In applications of the method, these Ei ’s are “bad” events. We wish to show that P r(

N \

E i ) > 0,

i=1

so that there is a point ω ∈ Ω which is “good”. The Basic Method (Chapter 1 of [3]) may be written in the short form: if

N X

P r(Ei) < 1 then P r(

PN

i=1

E i ) > 0.

(1.3)

i=1

i=1

In most applications,

N \

P r(Ei) is very small and so P r(

TN

i=1

E i ) is very close to 1.

This automatically provides an efficient randomized algorithm. T There are other simple conditions that ensure P r( i E i ) > 0: For example, if E1, E2, . . . , EN are mutually independent and all P r(Ei) < 1, then P r(

N \

Ei) =

i=1

N Y

(1 − P r(Ei )) > 0.

i=1

The Lov´ asz Local Lemma (L.L.L.) is a remarkable sieve method which allows for some dependence among the Ei ’s. A graph G on vertices 1, 2, . . ., N (the indices for the Ei ) is called a dependency graph, if for all i, Ei is mutually independent of all Ej with (i, j) ∈ / G. Lemma 1.1 (Lov´ asz Local Lemma [21]) Let E1 , . . ., EN be events with dependency graph G such that P r(Ei ) ≤ p for all i, the degree of G is d and 4pd ≤ 1. Then P r(

N \

i=1

Ei) ≥

N Y (1 − 2p) ≈ e−2pN > 0. i=1

5

The lower bound supplied by L.L.L. is exponentially small. So it does not give us an efficient randomized algorithm. A typical application of the L.L.L. is the following Corollary 1.1 [21] Let A1, A2, . . . be n-element subsets of a finite set X, and assume that every Ai intersects at most 2n−3 other Aj , n ≥ 2. Then there is a 2-coloring of X such that no Ai is monochromatic. Proof: 2-color X randomly, that is, for each x ∈ X, choose its color to be red with probability

1 2

and blue with probability 12 . Make these choices independently for each x ∈ X.

Let Ei be the event that Ai becomes monochromatic (1 ≤ i ≤ N = number of A′i s). Let i, j be adjacent in the dependency graph iff the corresponding Ai and Aj intersect. T Now apply L.L.L. with p = 2 · 2−n and d = 2n−3 . As 4pd = 1, P r( i E i ) > 0, so there

is a 2-coloring for which no Ai is monochromatic (that is, proper 2-coloring).

The striking message of the Corollary 1.1 is that if a family A = {A1 , . . ., AN } of sets satisfies an exponential local condition, then the global size N of the family can be arbitrarily large compared to n and we still have a proper 2-coloring. The Basic Method (see equation (1.3)) breaks down for N ≥ 2n−1 . We note that Radhakrishnan and Srinivasan [40] recently improved Corollary 1.1. p They showed that if no edge intersects more than (0.17) n/ log n · 2n edges, then for a sufficiently large n, X has a proper 2-coloring. However, their result uses L.L.L. and

is also non-constructive. Note that the L.L.L. guarantees here the existence of a “needle in a haystack”. Since every Ai intersects at most 2n−3 other Aj , one can easily find pairwise disjoint sets Ai , i ∈ I with |I| ≥

N , 2n−3 +1

and so

P r(the random 2-coloring is “proper” for A) ≤ P r(the random 2-coloring is “proper” for I) = (1 − 2−n+1 )|I| ≈ e−|I|2

−n+1

≤ e−N 4

−n+2

.

(1.4)

Therefore, if N is much bigger than 4n , probability in equation (1.4) is extremely small, somewhat larger than the trivial lower bound of 2−|X|. So it gives rise to the following question [45]:

6

Question: Is there a polynomial (in N ) time algorithm for finding this exponentially small “needle” ? J. Beck gave a positive answer to this question in [12] if the original local condition 2n−3 is replaced by a weaker but still exponential bound 2α·n (α =

1 48 ).

Theorem 1.1 (Beck [12]) Let A = {A1 , A2, . . . , AN } be a family of n-element subsets of a finite set X, and assume that every Ai intersects at most 2αn other Aj , where α=

1 48

and n ≥ 2. Then there is a deterministic sequential algorithm which produces a

“proper” 2-coloring of X in running time N const. As noted in [12], the method used in the proof of Theorem 1.1 does not give the optimal value 1−ǫ (or just a “reasonable” value like 21 ) for α. In chapter 3, we build upon the method in [12] and manage to get α arbitrarily close to 1 [13]. This improvement does not come for free - our result is valid only for almost disjoint n-uniform setsystems defined below and the global size of the set-system is upper-bounded by a doubly exponential function of n.

1.3

Fast Digital Identity Revocation

Digital identities (and author-identities of messages) are essential for business, government and private use of the Internet. For example, they are needed for on-line shopping, business-to-business transactions, on-line banking, code-authentication, companyinternal identities, etc. (see [18, 38]). The U.S. Federal government, NIST, the U.S. Post-office, Visa, Master Card, some major banks, and private companies (like VeriSign, SIAC, IBM, GTE, and Microsoft) are all building digital identity infrastructures. While the general design of all these schemes is similar and relies on public-key cryptography and Certificate Authority services, the details (and hence the efficiency) of what it means for a digital identity to be valid and how it can be revoked differs from scheme to scheme.

7

The General Setting: The general setting consists of two ingredients blended together, namely, public-key cryptography [20] and a Certificate Authority Infrastructure (PKI). We briefly review both the notions. The public-key cryptography encompasses digital signatures and public-key encryption. A digital signature scheme is a triplet of algorithms: A key generation algorithm which generates a public-key and a private-key, a signing algorithm and a verification algorithm. The signing algorithm uses the public-key and private-key to generate a signature for an arbitrary document. The verification algorithm uses just the public-key to verify the signature of a document. The specifications require that all signatures generated with the valid private-key are verified by the verification algorithm and, without the private-key, it is computationally infeasible to generate a signature for a (previously unsigned) message which the verification algorithm would accept. The public-key encryption is also a triplet of algorithms: A key-generation algorithm which produces a public-key and a private-key, an encryption algorithm and a decryption algorithm. Anyone, given the public-key, can encrypt a message using the encryption algorithm, but only those who have the private-key can efficiently decrypt. For formal definitions and further details, see [43, 26, 27]. When using public-key cryptography over the Internet, the main issue is the ability to correctly associate the public-keys to different individuals and organizations. The overall strategy for doing so is as follows: In its simplest form, we assume existence of one or more trusted Certificate Authority (CA) centers which initially run the signature key generation algorithm to compute its own public and private keys. Each CA holds its private-key under great security, but widely distributes (e.g. publishes in New York Times) its public-key (or uses some other method to bind the public-key to the CA). Now any entity, who wishes to establish its digital identity with this CA, first generates its own public-key and private-key pair. Then it submits its publickey along with its name and other required identifying information to this CA. The CA checks the name and identifying information. If satisfied, it signs the public-key

8

and the name of the individual along with some subset of the identifying information, including expiration date, a serial number, and possibly some other information.1 Now any user can verify that a message came from this individual by verifying the signature of the message against a given public-key and also verifying that this publickey together with the right name and the valid expiration date are properly signed by CA. The above simple scheme extends to various hierarchies of CA structures (such as Federal Public-Key Infrastructure (PKI) hierarchy, banks, intra-company CA, etc.) where a user will belong to many such hierarchies [42]. (Also see [41] and references therein for more general structures.) For all these schemes, no matter what the structure is, one of the main bottlenecks is the issue of revocation. The Main Bottleneck: When a public-key, together with an expiration date, is signed by a CA, there remains a risk, i.e., a user’s private-key and certificate may be stolen/compromised or a company’s private-key and certificate may be retained by a former employee. Without a method for certificate revocation, these keys may be used by unauthorized parties. Just as with credit-cards, occasional revocation is a fact of life. According to some estimates, about 10% of public-keys will usually be revoked before they expire [37]. Thus, an important element of any CA scheme (or hierarchy) is its revocation procedure. Notice that with the revocation, the above simple setting becomes more involved since now to verify that some public-key is valid, one must not only check that it has been signed by the proper CA, but also that is has not been revoked. (Moreover, in case of CA hierarchy, one must certify that the CA public-key has not been revoked either). Thus, the definition of one’s identity depends on the revocation rules in an essential way. In chapter 4 (see [1]), we extend an elegant method of S. Micali [37, 36] for doing revocations. Before we explain our approach, let us review the setting, the design objectives and previous work done on this issue. 1

The amount of identifying information and the scrutiny of the information checking establish the level of trust with which a public-key is bound to the identified entity.

9

The Setting: Our Setting is identical to the one in [37]. We review it here. We consider some finite universe of users. The setting consists of one or several trusted certificate authorities, which distribute, at regular intervals (e.g. each day), information regarding revoked certificates to several untrusted Directories D. The reason for having many Directories is to allow replication of data. For each day, any Directory should be able to provide a proof whether public-key of user u is valid or revoked. Of course, we insist that the Directory (which is untrusted) can not cheat and change revocation status for any user. The Directory can provide the proof of the revocation status either to user u himself (who can then pass it along to any vendor) or to any other user who wishes to check that u’s identity is still valid. The critical costs of the scheme are the size of the proof of the validity of user’s identity (this proof should be as small as possible since this is the most frequently used operation) as well as the communication from the CA to the Directories for each interval. Previous Work: We briefly discuss some of the earlier work done on this problem. Previous to our work, three possible revocation strategies were proposed: The centralized on-line solution, Certificate Revocation Lists (e.g. see [18]) and Micali’s proposal and patent [37, 36]. Independent of our work, two other schemes by Kocher [29] and Naor and Nissim [39] have been proposed. We review all these schemes below and point out the differences. In the centralized on-line solution, there is a CA trusted central database which maintains the status of all the public-keys that have not yet expired (similar to creditcards). The user, in order to verify that a public-key has not been revoked, makes a query to this central database and receives an answer. The answer must be authenticated, either implicitly by the use of a private network, with a CA signature, or with CA private-key authentication provided that the CA shares a private authentication key with this user. This centralized solution has following drawbacks: The CA must be accessed for the verification processes on-line (or risk using revoked public-key) and

10

its answer must be authenticated (to prevent man-in-the-middle attacks of somebody impersonating as the CA). The centralized on-line solution is not acceptable in many cases and thus a distributed solution is sought. One such solution is the so-called Certificate Revocation List (CRL) (e.g. see VeriSign [18]). In this approach, the CA composes a list, say each day, of all the keys which have been revoked and signs this list. This list along with the CA’s signature of the list is the CRL for that day. Each day, the CA sends the CRL to all the untrusted revocation Directories all over the network. To verify a public-key certificate, the verifier first checks the expiration date. If the certificate has not yet expired, it contacts any Directory for that day’s CRL. If the public-key does not appear in the CRL, it is still valid. This solution is better than the centralized solution since now many sites maintain the CRL list and every such site, instead of maintaining the status of all public-keys, must only maintain a list of revoked public-keys. Typically R, the number of revoked keys, is much less than the total number of keys, N . The drawback is that the proof that some key is still valid is the entire CRL list signed by the CA. In 1995, S. Micali proposed a scheme in which a verifier needs only a small number of additional bits beyond the user’s signature and the user’s public-key certificate and only a small amount of extra computation to insure that the user has not been revoked [37, 36]. In this scheme, Micali uses the idea of off-line/on-line signatures [23] which in turn builds on the work of Lamport [32]. The basic idea is as follows: Let f be a one-way permutation which is easy to compute, but hard to invert.2 For each user u, the CA picks a random xu and computes yu = f (f (f · · · f (xu ))), where f is applied, as an example, for 365 times to compute yu . This yu is called user u’s “0-token.” For each user, the CA includes the user’s 0-token along with the users public-key, expiration date and other certificate information in its signed certificate. After the first day, the CA releases user u’s “1-token”, f −1 (yu ), to the Directories in the network for each user u whose public-key has not been revoked till that day. The CA computes 1-token 2

In practice, MD5 or other hash-functions are used.

11

from xu or from cached intermediate values of f i (xu ). Note that, given a 0-token for a user u, it is easy to check whether a candidate token is a 1-token for user u, but computationally infeasible to compute a 1-token for user u. To verify on the second day that the public-key of a user u was not revoked on the first day, a verifier gets a candidate token from a Directory or a candidate token from the user (who had already retrieved it from a Directory). The verifier then checks whether the candidate is a 1-token for the user. In general, if u’s certificate is not revoked till day i, the CA provides u’s i-token, f −i (yu ), to the Directories. On the i + 1st day, the verifier checks whether candidate tokens are i-tokens for users. The advantage of the scheme is that communication between a Directory and a user (or verifier) is small and need not be authenticated. If a given protocol calls for the user to retrieve the day i-token from the Directory, then the token remains a short certificate for day i + 1 that user has not been revoked. In addition, verifying a day i-token is less expensive then verifying the signature of a CRL. The disadvantage is that the scheme requires the CA to send N − R tokens to each Directory each day where N is the number of public-keys and R is the number of revoked keys. Micali also considers (as in our setting) the case where a Directory may act maliciously by not forwarding the day i-token of a user it received from the CA to the user or verifier. A non-revoked user could thus be considered revoked by a verifier. To prevent this, Micali modifies his scheme as follows: For each user, the CA also chooses a random x′u , the revocation token, and includes f (x′u ) in u’s certificate along with the 0-token and other certificate information. When u’s public-key is revoked, the CA sends the revocation token to the Directories. When a Directory is queried about a user on day i + 1, it must return either the day i-token or the revocation token for that user. Recently Naor-Nissim [39] have improved upon a scheme of Kocher [29]. We will describe the requirements of their scheme. For the details of the scheme, see [39]. In the Naor-Nissim scheme, the CA maintains an authenticated 2-3 tree of hash values of depth O(log R). For each public-key which is revoked in an update period, the CA must update this special tree by computing O(log R) new hash values. As soon as one key is added to this revocation tree, the root must be recomputed and signed. The

12

CA then must distribute these O(log R) new hash values per new revoked key, the new root and root signature to the Directories. This is done using insert/delete operations of the authenticated 2-3 tree and sending difference lists to the Directories. When a user queries a Directory concerning the revocation status of a key, the Directory sends O(log R) hash values and the signature of the root. To verify the revocation status of a key, a user must compute O(log R) hash values, compare them in a specified way with the hash values from the Directory and verify the signature of the root hash value. In summary, the CA to Directory communication of Naor-Nissim scheme is superior to our scheme (as well as Micali’s scheme), but the verification of the revocation status of the user (or vendor) is smaller for Micali’s scheme and our scheme. Our Results: We will build on Micali’s scheme [37, 36] to maintain its advantage of efficient verification. Recall that in Micali’s scheme every user’s certificate contains one 0-token. In order for the user to remain unrevoked on day i + 1, the CA must publish the i-token associated with the user’s 0-token. In our scheme, the CA will incorporate k 0-tokens into the certificate for each user rather than just one, where k will be a parameter of our scheme. The sets of 0-tokens for the users will be distinct, however the sets may intersect substantially. The rule for remaining unrevoked will now be slightly different. In order for a user to remain unrevoked on day i + 1, the CA need only publish an i-token associated with one of the user’s 0-tokens. Since the sets of 0-tokens may intersect, one i-token may act as a certificate of non-revocation for many users. Thus the CA may not need to publish N −R tokens when R keys have been revoked as in Micali’s scheme. For example, we show that if the number of 0-tokens in each certificate is log N and the sets of 0-tokens in each user’s certificate are selected properly, then the number of tokens a CA must publish during an update period is at most R log (N/R). In this work, we insist that the proof of the validity of user’s ID remains very small as in Micali’s scheme. For the scheme of Naor-Nissim, this is not the case, i.e., while [39] substantially save on the CA to Directories communication over [37], their proof of validity is bigger. We also study the tradeoff between the number of 0-tokens needed

13

in a certificate and the number of tokens a CA must publish per update period. We summarize our results (and compare it to Micali’s scheme) below. Note that N stands for the number of not-yet-expired certificates, R stands for the number of revoked certificates and c is a parameter in the general scheme, typically a constant. Scheme Name Micali’s Scheme Our Hierarchical Scheme Our Generalized Scheme

# Tokens from CA to Directories N −R R log (N/R) R logc (N/R) + R

# Tokens per Certificate 1 log N (2c−1 − 1) logc N

Table 1.1: Comparison between Our Schemes and Micali’s Scheme Notice that if the number of revocations is small, our scheme is faster than Micali’s scheme. However, even if the number of revocations is large, and in fact for any value of R, 0 ≤ R ≤ N , we show that the information update cost is better than the above table indicates, and it is always smaller then N − R of Micali’s scheme. In practical settings, both our hierarchical scheme and our general scheme with c = 3 provide savings in communication compared to the Micali’s approach, e.g. for the hierarchical scheme with 10% revocation rate, we gain 2.7 multiplicative factor improvement and for 1% revocation rate, we gain 14.9-fold improvement over Micali’s communication from a CA to Directories, while still requiring a single hash-value (i.e., 128 bits) proof of the validity of one’s identity. For the generalized scheme with c = 3, we get 2.9-fold improvement for the 10% revocation rate and 19-fold improvement for 1% revocation rate. If the percentage of revoked users is smaller, then the savings are more substantial. We should remark here that Micali’s method of avoiding malicious Directories by including one extra token in each certificate applies to our scheme as well and we will not explicitly include this in the description of our scheme. In the Naor-Nissim scheme [39], the communication from the CA to Directories is smaller than our scheme and Micali’s scheme. However, both Micali’s scheme and our scheme, the Directories need to send only one token (of 128 bits) in response to a query about any key.

14

Chapter 2 A Randomized On–line Algorithm for the k–Server Problem on a Line

2

The main result of this chapter is a randomized O(n 3 ln n)–competitive k–server algorithm for the underlying metric space given by n equally spaced points on the line. It 3

is o(k)–competitive for n = k + o(k 2 / ln k). Throughout the chapter, we consider the k–server problem in an equivalent form of l–evader problem: There are l = n − k evaders on the metric space M with n points. When there is no server on a point x ∈ M , then there is an evader on x, and vice versa. While in the k–server problem the satisfaction of a request is moving a server there, in the l–evader problem we must move away the evader residing on the request. Off–line and on–line algorithms, competitivity are defined in the same way as in the k–server setup. Note that no two evader can occupy the same point of M : that would result in more servers. It is easy to see that the l–evader problem is an equivalent formulation of the k–server problem. We will define and analyze our algorithm as a randomized l–evader algorithm. More on the l–evader problem can be found in [31]. We will consider an oblivious adversary model: there is an adversary A, who knowing the randomized algorithm R, but without the knowledge of its random choices, constructs the request sequence ρ. It pays optimally for it (A(ρ) = opt(ρ)) and compares it with the expected cost of R.

2.1

Definition of the Algorithm

We start by determining a block system on the line segment. First of all, we partition 1

it into t = n/b blocks, each of length b = n 3 . Secondly, we pick a random integer s uniformly from the interval [0, b − 1]. We will shift the blocks by this number: the

15

length of the leftmost block will be s, the length of the rightmost block will be b − s, all the other blocks will have the same length, b. For a block B, we denote its length by |B|. R works in phases. During the satisfaction of a request sequence ρ, the evaders of R will have two type of motions: steps inside a block or randomly jumping out into one of the available blocks. The rules for what makes a block available and how to determine the end of a phase will be discussed later. Let us provide the rules for taking steps inside a block. Assume that there are r evaders in block B. We will consider first the case r < |B|, the other case, r = |B|, will be handled differently. Let ρ be a request sequence. If the ith request of ρ, ρi, is not in B, then no evader will move in B. Otherwise, if ρi ∈ B and there is an evader on ρi , that evader will go to the closest vacant position according to its direction. Every evader has a direction, which is “right” in the beginning, and from time to time it changes from “right” to “left” and vice versa. Suppose that evader e is residing on ρi and its direction is “right”. Then e will move to the closest vacant position to the right of ρi . If there is no such position, e changes its direction to “left” and will go to the closest vacant position to the left of ρi . Similarly, e switches direction from “left” to “right”, if it has to move, and there is no vacant position on the left. These are the only cases an R–evader changes its direction. We say that e moved a round when it switches direction from “left” to “right”. Note that we have ensured that no two evaders will take the same position in any block. When r = |B| and there is a request for a position in B, that evader residing on the request will jump out into an available block. For deciding which are the available blocks and how to change blocks we will assign |B| auxiliary blocks AB1 , . . . , AB|B| to each block B. Recall that R divides the satisfaction of a request sequence into phases. During a phase, every block will get marks based on working of auxiliary evaders moving in corresponding auxiliary blocks. These marks will help R to decide on the availability of a block. At the start of the algorithm, R puts x auxiliary evaders into the auxiliary block ABx for every block B and every x (1 ≤ x ≤ |B|). The evaders in ABx are placed

16

on the leftmost x positions in ABx and their starting direction is “right”. Say that from the beginning of the actual phase the adversary gave R the request sequence ρ′ . If x = |B| and there is a request in ρ′ for some position in B, then B will be |B|–marked. For x < |B|, the auxiliary evaders will move in ABx when satisfying ρ′ as we described above for the R–evaders. We will count the number of rounds taken by all the auxiliary evaders of ABx from the beginning of the phase. If the sum of these rounds in ABx reaches b2, B will be x–marked. Note that a block can have several marks. We will always consider the smallest one. Thus, for each block, its mark is monotonically decreasing with time during a phase. Observe that the marking procedure is deterministic, there is no random choice in it. Now we are ready to give the description of R. Initialization: R chooses a random shift s ∈ [0, b − 1] and determines the block system. R places its evaders on the leftmost positions inside their blocks. The auxiliary evaders also take the leftmost positions in the auxiliary blocks. Description of a Phase: • If there is a request for a position in block B, take a step in B and in ABj (1 ≤ j ≤ |B|) according to the rules described earlier and update B’s marks, if necessary. • Suppose that B has become r ′ –marked. If there are r ≥ r ′ evaders in B, then eject r −r ′ +1 evaders, one by one, from B — if possible, eject among those which already changed block during this actual phase. Use First In First Out policy for their ejection. • Determine the available blocks for the ejected evaders. A block having r ′′ R– evaders is available if the smallest mark of the block is greater than r ′′ + 1. Pick randomly, uniformly a block, say C, from the available ones for the first ejected evader, that evader jumps into it. Rearrange the evaders of the block (including the new one) to have the configuration of the evaders of ACr′′ +1 . Rearrange the evaders in block B according to the configuration of the evaders of ABr−1 . For

17

each of the remaining ejected evaders, repeat the above process: randomly pick an available block for jumping in and rearrange the evaders in it and those in block B according to the actual configuration of the evaders in the appropriate auxiliary blocks. • If there is no available block for an ejected evader, the phase ends. Erase marks of all the blocks and begin a new phase. We finish the definition of R. As we already stated, R starts by determining the block system on the line segment before the first request appears. The shift s is not known to A. The evaders are placed according to the initial configuration. R rearranges them to their leftmost positions inside each block. Then the first phase starts when the first request appears.

2.2

Notation

We use following notation throughout the remainder of the paper. • We will assume that our blocks are arbitrarily numbered from 1 to t = nb . So we can talk about ith block, Bi . • Cp denotes the blockwise configuration of the adversary evaders at the end of Phase p, i.e. Cp is a t–tuple: it has the number r in the ith position, Cp (i) = r, if at the end of Phase p there are r A–evaders in Bi . • Similarly Dp denotes the blockwise configuration of the R–evaders at the end of Phase p.

2.3

Analysis of R

We are going to prove the following theorem. 2

Theorem 2.1 R is a O(n 3 ln n)–competitive randomized k–server algorithm for the underlying metric space given by n equally spaced points on a line. It is o(k)–competitive 3

for n = k + o(k 2 / ln k).

18

2.3.1

R Is Distribution Invariant

We show that, despite its random choices, the distribution of R’s evaders is the same for all runs at the end of each phase for a fixed shift. Lemma 2.1 Fix the shift s of the block system and let ρ be an arbitrary request sequence. Let B be a block. Suppose that for one run of R there are r evaders in B at the end of Phase p when satisfying ρ. Then B will contain exactly r evaders at the end of Phase p for all ρ–satisfying runs of R. Besides, the phases end at the same time for all runs. Proof: We prove the statement by induction on the phase number. It is trivially true before the first request appears because R starts in the initial configuration in each of its runs. Assume that the lemma is true up to Phase p − 1. Denote the possible runs of R by f1 , f2 , . . ., fu . Assume that we are now at the end of Phase p for the run f1 and B has r evaders inside. We also assume that f1 is the first run which finished Phase p, i.e. other runs may not have finished the Phase p so far. We will denote mark of block j by m(j). ex (j) will track the current number of evaders in block j in run x. Recall that m(j) is invariant of random choices of algorithm, i.e. different runs, for a given request sequence ρ. The current available space in block j in run x is sx (j) = m(j) − ex (j) − 1. Note that sx (j) ≥ 0 for any x, j always. We end phase when we cannot fulfill above requirement for every block j. Since f1 is the first run to end Phase p, there must be some block i0 such that its latest mark m(i0) caused e1 (i0) − m(i0) + 1 evaders to jump out of block i0 and there is no space left for them. Mathematically, S1 =

t X

s1 (j) < e1 (i0) − m(i0) + 1.

j,j6=i0

Note that S1 can also be written as S1 =

t X

m(j) −

t X

m(j) − (l − e1 (i0) + t − 1)

j,j6=i0

=

j,j6=i0

t X

(e1(j) + 1)

j,j6=i0

19



= 

t X

j,j6=i0



m(j) − l − t + 1 + e1 (i0)

where the first term in above sum is same for different runs at any given time owing to deterministic marking procedure. Let’s examine situation in run f2 when jump–outs start in block Bi0 in run f1 . We consider three cases: 1. e1 (i0) = e2 (i0): In both the runs, evaders start jumping out of block, one by one, simultaneously. Suppose we have problem for wth evader jumping out in the run f1 . At this point in time, S1 = 0. That means e1 (j) = m(j) − 1 for all j (j 6= i0). Corresponding sum S2 is also 0, owing to the fact that marks are same and the current number of evaders in block i0 is same for both f1 and f2 . So f2 also ends and for any block j, e1 (j) = e2 (j). 2. e1 (i0) > e2 (i0): Here we have to distinguish two cases (a) e1 (i0) ≥ m(i0) > e2 (i0): There are no jump–outs in f2 , and yet S1 becoming 0 after wth jump–out in f1 indicates that S2 was already negative to begin with — a contradiction! (b) e2 (i0) ≥ m(i0): There will be jump–outs in f2 now. We can envision this as f2 waiting for f1 to bring its e1 (i0) value to e2 (i0) and then starting its own jump–outs. If, at all, e1 (i0) could be reduced to e2 (i0), then we are in case 1. If not, then we have S2 < S1 = 0 — a contradiction! 3. e1 (i0) < e2(i0 ): There are jump–outs in both f1 and f2 . Since f1 finishes first, S2 ≥ S1 + e2 (i0) − e1(i0 ). We can envision this as f1 now waiting for f2 to bring its e2 (i0) value to e1 (i0) and then starting its own jump–outs. Again we are in case 1! This finishes the proof of the lemma. Remark: This is a very important lemma which allows us to calculate the exact number of evaders that changed blocks during any Phase p. This number is mp =

t X i=1

max{0, Dp−1(i) − Dp(i)}.

20

Since l =

Pt

i=1 Dp−1 (i)

=

Pt

i=1 Dp (i),

mp =

we can also write following expression for mp t

1X |Dp−1 (i) − Dp (i)|. 2

(2.1)

i=1

Note that every block and its corresponding all auxiliary blocks have exactly the same configuration at the end of a phase irrespective of random choices made during the phase. Once we fix s and ρ, we fix Dp ’s. We will like to figure out how “quickly” we move from Dp−1 to Dp in R. We answer it in the next section.

2.4

Expected Cost of R

We will now prove a series of lemmas to estimate the expected cost of R.

2.4.1

Initial Cost

Lemma 2.2 R spends at most O(bn) during the Initialization. Proof: R rearranges all the evaders in each and every block and its corresponding auxiliary blocks to the leftmost positions during the Initialization. It could be done in O(b2) cost per block. Summing over all blocks, cost paid by R is at most O(b2) · nb = O(bn). Note that this is a one–time constant cost and it can be absorbed in K of equation (1.2).

2.4.2

Cost Associated with Jump–outs

Let us now consider a simple game related to the analysis of R. Adversary has a permutation σ of the first t positive integers [t]. σ(i) denotes ith element of σ and, therefore, σ −1 (i) denotes the position of i in σ. We don’t know σ. In the first round, we randomly, uniformly pick one element of [t]: t1 . Let p1 = σ −1 (t1 ). Then adversary shows us first p1 elements of σ and discards them. In the second round we randomly, uniformly pick one from the remaining ones, denote it by t2 . In general, in the (i + 1)th round, we pick a number randomly, uniformly from the set {σ(pi +1), σ(pi +2), . . ., σ(t)} and denote it by ti+1 . We stop whenever we run out of elements, i.e. reach σ(t). Denote

21

the number of rounds in one possible outcome of the game by lt — this is a random variable. We will denote its expectation, E[lt], by Lt. Lemma 2.3 Lt =

Pt

1 i=1 i .

That is, Lt = ln t + O(1).

Proof: We prove the statement by induction on t. It is trivially true for t = 1. Assume now that the lemma is true up to t. Consider the set {1, 2, . . ., t, t + 1}. Pick t1 and let 1 p1 = σ −1 (t1). p1 can be anything between 1 and t + 1 with the same probability t+1 . 1 Pt+1 From this, we can write recurrence: Lt+1 = t+1 r=1 (1 + Lt+1−r ); (L0 = 0). Using

the induction hypothesis and simple rearrangement, we get

t+1

Lt+1 = Lt +

X1 1 1 1 1 = 1+ + +...+ = . t+1 2 3 t+1 i i=1

Remark: Note that Lemma 2.3 is valid even if we allow adversary following freedom: After we pick an element in any round, adversary can “pick” some permutation of the remaining elements from any probability space defined on the set of possible permutations of those remaining elements for the next round. This is clearly due to the fact that Lt is only a function of t, completely independent of choice of σ. Recall that when an R–evader has to jump out of a block, that evader jumps out which is among the ones that jumped into the block in the actual phase, if there is such an evader. This allows us to talk about the number of evaders changing block during a phase. We will like to relate the number of jumping evaders and the expected number of jump–outs during a phase. Let’s consider j th request, say ρj . Suppose it is in block Bi . When R serves it, that might possibly change mark of Bi depending on work done in Bi ’s auxiliary blocks. So if we keep track of these changes in the marks of the blocks while serving ρ, we get a unique marking sequence corresponding to ρ in which marks of each block are strictly decreasing. Even though the marking sequence is deterministic, randomization comes into play when we choose arbitrary available block for a jumping evader. So any marking sequence will have lots of possible runs. From Lemma 2.1, we know that all these runs start and end all phases at the same time and have exactly same distribution

22

of evaders at the end of each and every phase. This allows us to consider restriction of the marking sequence, and therefore associated runs, to any one particular phase p. From the remark at the end of Lemma 2.1, we know that total number of evaders that change block during phase p is t

1X mp = |Dp−1(i) − Dp (i)|. 2 i=1

Let Mp be a random variable which counts the number of jump–outs during Phase p. We will prove following lemma that finds E[Mp]. Lemma 2.4 Suppose there are mp evaders which change block during Phase p. All the others stay in their blocks for the whole phase. Then the expected number of jump–outs in Phase p, E[Mp], is O(mp ln n). Proof: There are mp jumping evaders, let’s use random variable Yi to count the number Pmp Yi . of jump–outs of ith evader. Then, Mp = i=1

We will first find out E[Yi]. Let’s consider the original block, say Bj , from which our

ith evader, ei , starts jumping out. There are precisely bj = |Dp−1(j) − Dp (j)| evaders that start their jump–outs from Bj . Let ei be wth evader, 1 ≤ w ≤ bj , that jumps out from Bj . Then it is clear that, irrespective of the run, ei will start jumping out only when the mark of Bj drops below Dp (j) + w for the first time. Let’s denote the time of this event in the marking sequence by Ti . At Ti, depending on the run we are in, there is a certain configuration of evaders in different blocks. Let’s suppose that L ≤ t blocks are available for ei to jump into, namely, Bi1 , Bi2 , . . ., BiL , and the block Bi1 has ri1 evaders. Recall that we use FIFO rule for ejecting evaders from any block: An evader will not jump out of a block unless those which jumped into the same block after it have already jumped out. This will mean that if ei chooses Biq to jump into, 1 ≤ q ≤ L, then it will jump out only when mark of the block Biq drops below riq + 1 for the first time. Let’s denote the time of this event in the marking sequence by Tiq .

23

It is easy to see now that we are in the situation described for the game in Lemma 2.3. Our original σ corresponds to the permutation of i1, i2, . . . , iL that sorts Ti1 , Ti2 , . . . , TiL in the increasing order. The evader ei has no idea about σ and picks any of the L available blocks. On the other hand, adversary has no inkling of ei ’s random choices. So E[Yi] = O(ln t) = O(ln n). Only difference between our algorithm and the game is that ei might not have to jump out even if adversary “hits” its block, while we always jump out in the game. Now it trivially follows that E[Mp] =

mp X

E[Yi] = O(mp ln n).

i=1

Lemma 2.5 If there are mp evaders during Phase p which change block, then the expected cost of R associated with jump–outs during Phase p is O(mp n ln n). Proof: Let’s say there are M jump outs during phase p. We can associate following costs to a jump out: 1. the number of steps inside the block before jump–out — it is O(n). Reason: Jump–out from block B takes place when its mark, say m, becomes less than or equal to the current number of evaders, say r, in it. This means that auxiliary block Bm finished b3 = O(n) work. Since we keep the smallest mark, work done in Br (which is exact replica of B!) is at most work done in Bm , i.e. O(n). 2. the distance the evader jumps — it is O(n); and 3. the cost of rearranging the blocks — it is O(b2) = o(n). So overall cost is O(n) per jump–out and the cost of R associated with jump–outs during Phase p is O(M n). But notice that M is a random variable and, from Lemma 2.4, E[M ] = O(mp ln n). So the expected cost of R associated with jump–outs during phase p is O(mpn ln n).

24

2.4.3

Overhead Cost

Mere jump–outs don’t account for entire cost paid by R. We have to account for 1. work done in a block after final jump–out out of it, 2. work done in a block after final jump–in into it, and 3. work done in a block with no jump–ins and jump–outs. Each type of work is of order O(n). Work of type 1 and 2 could be easily accounted into cost associated with jump–outs (this will just add at most 2 to the constant in Big–Oh notation of Lemma 2.5). So we only have to worry about work of type 3. Definition 2.1 A block Bi is called unchanged in Phase p if Dp−1 (i) = Dp (i). Let Up be the set of indices of the unchanged blocks in Phase p, i.e. Up = {i|Dp−1(i) = Dp(i)}. Note that, in the light of Lemma 2.1, Up is uniquely determined by a fixed s and ρ. Let up = |Up |. Unaccounted work of type 3 could only be possible in one or many members of Up . So its total cost is O(up n). We have following lemma. Lemma 2.6 If there are mp evaders which change block and up unchanged blocks during Phase p, then the expected cost of R during Phase p is O(mpn ln n + upn).

2.5

Analyzing Adversary Cost

Now we are going to estimate the cost of A in a phase. For that we will consider two copies of a block B, B1 and B2 . Assume that A has a evaders in B1 , viz. y1 , y2, . . . , ya, and R has r evaders in B2 , viz. x1 , x2, . . ., xr . We also assume that a ≥ r. Let ρ be a request sequence composed of positions in B. We allow any kind of movements for the A–evaders in B1 which satisfies ρ. The R–evaders in B2 will move according to our rules described earlier. It is important to note that neither the A–evaders nor the R–evaders will be allowed to jump out of their block. Then the following lemma holds.

25

Lemma 2.7 Let B1 , B2 , a, r and ρ be as above. Suppose that the R–evaders move T rounds combined when satisfying ρ. Then the A–evaders in B1 will move a distance of at least a Tr combined. Proof: When the R–evaders move in B2 , they meet the A–evaders. This can be a cover–and–leave, i.e. the R–evader stopped at a position on which there was an A– evader in B1 and now leaves it or a jump–over, when the R–evader cannot stop on that position because the A–evader is already covered by another R–evader. The R–evaders move T rounds combined when satisfying ρ which results in 2aT meetings with A–evaders. We will give a lower bound on the number of cover–and– leaves. Note that the number of cover–and–leaves is certainly a lower bound on the cost of A: A R–evader leaves a position only when there is a request for that position. Hence A has to move its evader as well. Let C denote the current configuration of A–evaders and R–evaders in B1 and B2 respectively. We define the potential of C, denoted by φ, as the number of positions in B which have an A–evader in B1 and a R–evader in B2 , i.e. covered positions. During the course of satisfaction of ρ, C and φ keep changing. We associate cost to any change in C, it is in terms of jump–overs. We monitor φ and observer that if 1. φ decreases by 1: R pays at most r − 1. Note that this is a cover–and–leave case, so A moves by a distance ≥ 1. 2. φ remains unchanged: Suppose R pays a non–zero cost. Once again, R won’t pay more than r − 1. Note that this is a cover–and–leave case too, so A moves by a distance ≥ 1. We don’t care about A’s movement if R pays nothing! 3. φ increases by 1: R pays at most r − 1 again. A might not make any move at all. To make life simpler, we will charge R nothing in this case, but account for this unpaid cost by including it in case 1. So A moves its evader by ≥ 1 when R pays at most 2(r − 1) and total cost paid by R is 2aT . This settles the lemma.

26

We use T = b2 rounds as a threshold in marking procedure of R. Also observe that the number of evaders r in any block cannot be bigger than b. We get following Corollary of Lemma 2.7 Corollary 2.1 Let B1 , B2 , a, r and ρ be as above. Suppose that the R–evaders move b2 rounds combined when satisfying ρ. Then the A–evaders in B1 will move a distance of at least ab combined. Remark: If r > a, then it is possible that all the A–evaders are covered by non–moving R–evaders. Hence A takes no steps while R moves any number of rounds. In the above we assumed that the A–evaders stay in their block. But we do not have any control on them, they may change block too. Definition 2.2 A takes an A–action in block B if either the A–evaders move b steps inside B or one of them jumps out of B. For example, in Corollary 2.1, we proved that A takes at least a A–actions in B if R has r ≤ a evaders in B, the R–evaders move b2 rounds, and all the A–evaders and R–evaders stay in B. According to our previous remark, if a − r + 1 A–evaders jump out of B, then it is possible that no A–evaders move inside B. But that means a − r + 1 A–actions. Lemma 2.8 Let B be a block with a A–evaders and r R–evaders in it at the beginning of the actual phase, at time t0 . R–evaders are not allowed to jump in or jump out. Suppose that from time t0 the request sequence forced the R–evaders to move b2 rounds in B. If a ≥ r ≥ 1, then we can associate at least a − r + 1 A–actions with B in the actual phase. Proof: Suppose that x A–evaders jump out of block B during the phase. If x ≥ a−r+1, we are done. Otherwise, x ≤ a − r. That means B always has at least a − x ≥ r A– evaders. So using Corollary 2.1, we have at least a − x more A–actions. Total number of A–actions, therefore, is a − x + x = a ≥ a − r + 1.

27

Notice that so far we have been insisting that R–evaders don’t jump out of their block B. But we cannot assume that during the run of R. What we know for sure though is that the auxiliary evaders in auxiliary blocks of B never jump around! Also rules of their movement are same as those of actual R–evaders. This allows us to relate the mark of block B at the end of phase and A–actions in B during the phase using Lemma 2.8. Lemma 2.9 Let a be the number of A–evaders in block B at the Start of Phase p. Let r be the number of R–evaders in B at the End of Phase p. If a > r, then there are at least a − r A–actions in B during Phase p. Proof: Due to our marking procedure, the mark of B, say m, at the end of Phase p is at most r + 1.1 Consider copy of B in adversary algorithm and Bm , the mth auxiliary block of B in R. m being the mark of B, the number of rounds in Bm is at least b2. Since a ≥ r + 1 ≥ m ≥ 1, applying Lemma 2.8 on these two “copies” of B, we prove that the number of A–actions in B during the phase is at least a − m + 1 ≥ a − r. Now we are ready to compare the number of A–actions with the expected cost of R. Let mp denote the number of moving evaders and up denote the number of unchanged blocks in Phase p. Let ap denote the number of A–actions in Phase p by adversary. We will make following assumption for the proofs of Lemma 2.10 and Theorem 2.1. Assumption: For every p and its corresponding Up , following holds: If i ∈ Up , then |Cp−1 (i) − Cp (i)| + |Cp−1 (i) − Dp(i)| ≥ 1.

(2.2)

This assumption discards the possibility that no difference exists in block Bi between the adversary and R during Phase p. Otherwise one can easily verify that, in the light of Lemma 2.7, R performs relatively much better in such blocks. So we are assuming worse scenario. We have following key lemma. Lemma 2.10 Fix the shift s. Let ρ be a request sequence for which R has F phases. P P n Then Fp=1 ap + 5b ≥ 15 Fp=1 (mp + up ). 1

In fact, it is one more than the number of evaders for all, but one, blocks!

28

Proof: Recall, from the remark at the end of Lemma 2.1, we have equation (2.1) t

mp =

1X |Dp−1 (i) − Dp (i)|. 2 i=1

Similarly we can lower bound the number of A–actions by the number of block changes t

ap ≥

1X |Cp−1 (i) − Cp (i)|. 2

(2.3)

i=1

But ap is at least

Pt

i=1

max{0, Cp−1(i) − Dp(i)} by Lemma 2.9. Therefore, t

ap ≥

1X |Cp−1 (i) − Dp(i)|. 2

(2.4)

i=1

Simple triangle inequality, and inequalities (2.3), (2.4) and (2.2) imply t

1X |Cp (i) − Dp (i)| 4 i=1 up ≥ . 2

ap ≥

(2.5)

ap

(2.6)

Once again, simple triangle inequality, and inequalities (2.5), (2.6), (2.4) and equation (2.1) imply 8ap−1 + 2ap ≥

t X

|Cp−1 (i) − Dp−1(i)| + 2up−1

+

t X

|Cp−1 (i) − Dp(i)|

i=1

≥

i=1 t X

|Dp−1(i) − Dp(i)| + 2up−1

i=1

= 2(mp + up−1).

(2.7)

Using equation (2.7), summing over all phases from 1 to F , and noting that a0 = u0 = 0 and up ≤ t = nb , we get F X p=1

ap +

n ≥ 5b

F

n 1 X (8ap−1 + 2ap) + 10 5b p=1

F

≥

1X (mp + up ). 5 p=1

29

Next we determine the expected number of A’s block changes (the randomness is in the random choice of the shift s). Lemma 2.11 Let ρ be a request sequence, then the expected number of A’s block changes is opt(ρ)b−1. Proof: We assume that the A–evaders always take steps of length one. This can be achieved by possibly dividing the motion of an evader into individual steps of length one, and if necessary, by switching role between evaders when one passes the other. Consider the indicator random variables X1, X2, . . . , Xopt(ρ). Xi = 1 if in the ith step the moving A–evader changes block, otherwise it is zero. Then clearly P r(Xi = 1) = b−1 for all i. P P So the expected number of block changes is E[ i Xi ] = i P r(Xi = 1) = opt(ρ)b−1. Now it is easy to estimate the expected number of A–actions. Lemma 2.12 For a request sequence ρ, the expected number of A–actions is at most 2opt(ρ)b−1. Proof: By Lemma 2.11 the expected number of block changes during the satisfaction of ρ is opt(ρ)b−1. The same number is clearly an upper bound for the number of other type of A–actions, viz. work done inside a block.

2.6

Proof of Theorem 1

We are ready to prove our main result, Theorem 2.1. Let ρ be a request sequence. Let us denote by msp the number of moving R–evaders in Phase p when the shift of the block system is s and the number of phases for shift s by ts . Let usp denote the number of unchanged blocks during Phase p for shift s. Also R(ρ)sp will denote the cost of R in Phase p with shift s and R(ρ)s the cost of R on ρ with shift s. By Lemma 2.12, 2opt(ρ)b−1 ≥ E[♯ of A–actions].

30

Lemma 2.10 implies that b

t

s n 1 XX E[♯ of A–actions] + ≥ (msp + usp ). 5b 5b

s=1 p=1

By Lemma 2.6, the latter expression is bounded below by  ts  b 1 1 XX . E[R(ρ)sp] 5b s=1 p=1 O(n ln n) By linearity of expectation, the above formula is b

X 1 E[R(ρ)s]. O(bn ln n) s=1

Taking the average for shifts and using above inequalities, we have 2opt(ρ)b−1 +

1 n ≥ E[R(ρ)] . 5b O(n ln n)

That is, O(

n ln n n2 ln n )opt(ρ) + O( ) ≥ E[R(ρ)]. b b 2

So the competitive ratio is O(n 3 ln n).

31

Chapter 3 Efficient Proper 2-coloring of Almost Disjoint Hypergraphs

3.1

Introduction

We have already introduced the basic framework for 2-coloring of n-uniform hypergraphs in chapter 1. We will now prove our result for almost disjoint families defined below. Definition 3.1 A set-system with the property that any two sets have at most one point in common is called almost disjoint. Theorem 3.1 Let A = {A1 , A2, . . . , AN } be an almost disjoint family of n-element subsets of a finite set X, and assume that every Ai intersects at most D other Aj . If there exist a positive integer 3 ≤ k ≤

n 3

and a real number β > 0 such that

  k/4 k−1 2 k/4 (2N )1+β = 2N · 2k n8 (2D) k−2 < 2(n−2k)2

(3.1)

then there is a deterministic sequential algorithm which produces a “proper” 2-coloring of X in running time N β+O(1). Remark: Our objective is to allow D as large as possible. If we increase the value of β, we can make upper limit for D close to (2 − δ)n for any given δ. We lose little in the bound of N and in the running time of the algorithm. On the other hand, dependence n

on k is trickier - if k = O(1), D = O(2n− k−1 ), and if k = O(n), D = O(2n−3k ). In both the cases, we “fail” in our objective. But k = n1−γ for some positive γ < 1, implies the following Corollary of Theorem 3.1.

32

Corollary 3.1 Let A = {A1, A2, . . . , AN } be an almost disjoint family of n-element subsets of a finite set X, and assume that every Ai intersects at most D = (2 − δ)n other Aj , δ > 0. Let γ < 1 be a small positive constant. If N ≤ 2O(δ(n−o(n)))2

(n1−γ /4)

then there is a deterministic sequential algorithm which produces a “proper” 2-coloring 1

of X in running time N O(1+ δ ). We shall in fact prove the following slight generalization of Theorem 3.1. Theorem 3.2 Let X be a finite set and let H = {H1, H2, . . . , HN } be an almost disjoint family (in fact, a “multi-set”, i.e. a set that can have multiplicity bigger than 1) of nelement subsets of X. For every Hi ∈ H, let there be given a 2-coloring fi : Hi → {red, blue}. Assume that every Hi intersects at most D other Hj ∈ H. If there exist a positive integer 3 ≤ k ≤

n 3

and a real number β > 0 such that

 k/4  k−1 2 k/4 < 2(n−2k)2 N 1+β = N · 2k n8 D k−2

(3.2)

then there is a deterministic sequential algorithm which produces a 2-coloring f : X → {red, blue} in running time N β+O(1) such that for every i, f |Hi 6= fi . (If f : D → R is a function, and S ⊂ D is a subset, then f |S denotes, as usual, the restriction of f to S.) Remark: It is important that the sets Hi are not necessarily distinct. This means that we may prohibit more than just one coloring on the same set. For example, in Theorem 3.1, we have two forbidden colorings on each A ∈ A: the all red and the all blue colorings. In view of this, Theorem 3.1 is a trivial Corollary of Theorem 3.2: we will duplicate each set A ∈ A and build H. Therefore note that “2” appears as a multiplicative factor in front of both N and D in condition (3.1) of Theorem 3.1.

33

3.2

Outline

Let us return to the Basic Method. When

P

i P r(Ei )

< 1, there often is a deterministic

“weight-function” algorithm to find a specific “good” ω ∈ Ω. A very elegant example (in fact the first example of “derandomization”) is Theorem 3.3 (Erd˝ os and Selfridge [22]) Let A1 , A2, . . .AN be n-element subsets of a finite set X. If N < 2n−1 , then there is a deterministic algorithm, which produces a “proper” 2-coloring of X in time N const. What we will actually use here is the following variant of Theorem 3.3. It will be the key ingredient of the proof of Theorem 3.2. Theorem 3.4 (Weight-function algorithm [12]) Let B1 , B2 , . . ., BL be not necessarily distinct subsets of a finite set X. For every Bi , let there be given a 2-coloring gi : Bi → {red, blue}. Let S ⊂ X be an arbitrary subset, and let x1 , x2, . . . , xs be an arbitrary permutation of S. If L < 2l , then there is a polynomial time algorithm which finds the color of xj , 1 ≤ j ≤ s sequentially and builds up 2-coloring g : S → {red, blue} of S such that for every i with |S ∩ Bi | ≥ l, g|S∩Bi 6= gi |S . This algorithm is “on–line” in the strong sense that at the stage of defining the color of xi , we do not know which points will be xi+1 , xi+2 , . . . , xs. In fact, we do not know the set S itself. We now outline idea of the proof of Theorem 3.2 (note that a similar idea was used in earlier papers [9, 10, 11, 12]). Let’s suppose that β and k required by condition (3.2) exist. We first define an auxiliary family of “big sets” of size O(N 1+β ). By applying Theorem 3.4 to this family of “big sets”, we obtain a partial coloring g : X → {red, blue, uncolored} in time N β+O(1) such that letting S = {x ∈ X : g(x) = red or blue} and X ′ = X − S = {x ∈ X : g(x) = uncolored}, 1. |Hi ∩ S| ≤ n − k for every Hi ∈ H with g|S∩Hi = fi |S , and 2. the truncated family H′ = {Hi : g|S∩Hi = fi |S } falls apart into small components of size < 2k each.

34

Observe that the members of H′ have ≥ k uncolored elements each. So we can apply Theorem 3.4 straightaway to each component of H′ and find a 2-coloring g ′ of X ′ in time O(N O(1)) such that g ′ |Hi ∩X ′ 6= fi |X ′ . Our final coloring is f = g ∪ g ′ .

3.3

Big Sets

First we build up the family B = {Bi : 1 ≤ i ≤ L} of “big sets” and the family {gi : 1 ≤ i ≤ L} of “forbidden” 2-colorings. Definition 3.2 Let F = {F1, F2, . . . , FK } be a hypergraph. A graph G = G(F ) on vertices 1, 2, . . ., K is called the dependency graph for F , if {i, j} ∈ G ⇐⇒ Fi ∩ Fj 6= ∅ (1 ≤ i < j ≤ K). Definition 3.3 Let G be a connected graph on vertices 1, 2, . . ., K. For any two vertices i and j, the G-distance of i and j is the number of edges in the shortest path joining i and j in G. For any vertex set I ⊂ {1, 2, . . ., K} and j ∈ {1, 2, . . ., K} − I, the G-distance of I and j is the minimum of the G-distances of j and i ∈ I. Definition 3.4 Let F = {F1 , F2, . . ., FK } be a hypergraph. The F -distance of Fi (or {Fi : i ∈ I}) and Fj is the G-distance of i (or I) and j, where G = G(F ) is the dependency graph of F . If this distance is d, we say that Fj is in the dth -neighborhood of Fi (or {Fi : i ∈ I}). Definition of B is much more involved and will become clear only during the proof of Lemma 3.2 (see Section 3.6). We give the reader some idea about it in what follows. This is going to be only one of the many possible ways in which we can build a “big set”. We will soon find out that this was just case 1 of the 8 possible cases that we encounter in building a “big set” B. We remark that any “big set” we build will be a union of T = 2k/4 n-sets. Rough idea of “big sets”: We start with any n-set H ∈ H. Let G1 = {H}. Assume that so far we have been selecting a family Gj of sets and the union set of these sets is denoted by Uj . Let

35

|Gj | = g(j). Then clearly, |Uj | ≤ n · g(j). Now we describe the step number j + 1. T Suppose the first-neighborhood of Uj contains a set Hi such that |Uj Hi | = 1. S Then, Gj+1 = Gj {Hi }. |Uj+1 | = |Uj | + n − 1. Uj Hi

Suppose we could repeat this for T = 2k/4 times. Let B = UT , that is the union set of GT . B is our “big set”, a member of B. Note that |B| ≥ (n − 1)T ≥ (n − k2 )T . We S associate with B the 2–coloring gB = i∈B fi : B → {red, blue}. That is, gB |Hi = fi .1

3.4

Partial 2-coloring: First Stage

Lemma 3.1 Let B ∈ B be a “big set”. Then the following claims hold: 1. B is a union of 2k/4 n-sets, 2. |B| ≥ (n − k2 )2k/4 and 3. |B| ≤ N 1+β < 2(n−2k)2

k/4

.

We will prove Lemma 3.1 in Section 3.6. We now employ Theorem 3.4 to the “big” family B, to the “forbidden” colorings gB , B ∈ B and to a subsequence {x1 , x2, . . ., xs } = S ⊂ X defined sequentially as follows. At the beginning, let x1 , x2, . . . , xj be arbitrary elements of X, we find the color g(xk ) ∈ {red, blue} of xk , 1 ≤ k ≤ j, by applying the “weight-function” algorithm of Theorem 3.4, and assume, with Xj = {x1, x2, . . . , xj }, that the equality max{|Xj ∩ Hi | : Hi ∈ H and g|Xj ∩Hi = fi |Xj } = n − k

(3.3)

occurs first time. Let H∗ denote the family of those “dangerous” Hi ∈ H for which equality (3.3) holds. We then “truncate” X first time by throwing out from X all the 1

Since sets in B are intersecting, it is possible that “forbidden” colorings might conflict at the intersection points ! Even though we could very well neglect such big sets, we keep them for simplicity of discussion.

36

uncolored points of all the dangerous Hi ∈ H∗ . We obtain a proper subset X (j) ⊂ X, and let xj+1 ∈ X (j) be arbitrary. Repeating this “throw out the dangerous uncolored points from dangerous sets” argument, and heavily using the fact that the “weightfunction” algorithm is on–line, we sequentially build up a partial coloring g of X and a 2-colored subset S=

\

X (j)

j≥1

such that (3.3) is always true. Theorem 3.4 sequentially produces a partial 2-coloring g : X → {red, blue, uncolored} in time O(|X||B|n2k/4) = O(N β+O(1)) such that, with S = {x ∈ X; g(x) = red or blue}, max |S ∩ Hi | ≤ n − k

(3.4)

Hi ∈H

and for every B ∈ B with |S ∩ B| ≥ (n − 2k)2k/4, g|S∩B 6= gB |S .

3.5

(3.5)

Completing the Partial 2-coloring: Second Stage

Let X ′ = X − S, the set of uncolored points. Let Hi denote Hi ∩ X ′. We classify a set ′

′

Hi in one of the three types: Emergency set: ′

′

Hi is an emergency set if |Hi ∩ S| = n − k and g|Hi∩S = fi |S . Note that |Hi | = k. Secondary set: ′

′

Hi is a secondary set if |Hi ∩ S| < n − k and g|Hi∩S = fi |S . Note that |Hi | > k. More ′

′

′

importantly, for every point v ∈ Hi , there exists an emergency set Hj such that v ∈ Hj . Since H is an almost disjoint family, distinct points determine distinct emergency sets.

37

Dead set: ′

Hi is a dead set if g|Hi∩S 6= fi |S . Note that dead sets pose no “danger” and are, therefore, irrelevant when we 2-color X ′. Consider now the subfamily of emergency and secondary sets H′ = {Hi : g|S∩Hi = fi |S }. Lemma 3.2 Every (connected) component of the dependency graph of H′ has less than 2k vertices. We will prove Lemma 3.2 in the next section by contradiction. Assuming there is a component of size > 2k , we will show that one could “extract” a “big set” which violates fact (3.5), that is, contradicts Theorem 3.4. The entire “extraction” process illustrates how to build (i.e. define sequentially) a “big set” and also gives us the desired estimate for |B| (see Lemma 3.1-(3)). Notice that if Lemma 3.2 were true, then we can apply Theorem 3.4 straightaway to each component of H′ (each Hi ∈ H′ has ≥ k uncolored points) and find a 2-coloring g ′ of X ′ in time O(N O(1)) such that g ′ |Hi ∩X ′ 6= fi |X ′ . We call it the “second stage”. Our final coloring is f = g ∪ g ′ . So it remains to prove Lemmas 3.1 and 3.2, and at the same time, to give the precise definition of “big sets”. We present it in the next section.

3.6

Proofs of Lemmas 2-3

Assume that there is a very large component C of H′ , |C| > 2k . Since H′ is the union of the emergency and secondary sets, and each secondary set has ≥ k emergency sets as neighbors, C must contain an emergency set E1. Let G1 = {E1}, and let U1 be the superset A(E1) ∈ H of E1.2 Assume that so far we have been selecting a family Gj of emergency sets and the union set of the supersets of these emergency sets is denoted by Uj . Let |Gj | = g(j). 2

We will use notation A(E) to denote the original set (or sometimes referred to as the superset) in H that has set E as its emergency part. Similarly the term “dth A(C)-neighborhood” will mean a collection of supersets of all emergency and secondary sets at distance d in the component C.

38

Then clearly, |Uj | ≤ n · g(j). Now we describe the step number j + 1. We distinguish several cases, in fact 8 cases: Case 1: The first A(C)-neighborhood of Uj contains the superset A(E) of an emerS T gency set E such that |Uj A(E)| = 1. Then, Gj+1 = Gj {E}. |Uj+1 | = |Uj | + n − 1. Uj A(E)

Case 2: The second A(C)-neighborhood of Uj contains the superset A(E) of an emergency set E such that there is a neighbor A1 of A(E) from the first A(C) S neighborhood of Uj which intersects Uj in at least two points. Then Gj+1 = Gj {E}, and A1 is an auxiliary “bond” set. |Uj+1 | = |Uj | + n.

Uj A1

A(E)

Remark: The name “bond set” comes from the fact that two points uniquely determine a set in an almost disjoint family. Bond sets have little effect in the calculation of the total number of “big sets”, see the Calculations later. Now we interrupt the case-study for a moment and make a remark about secondary sets. Let S be an arbitrary secondary set. We show that S has either type 1, or type 2, or type 3, or type 4. Type 1: A(S) intersect Uj in at least two points.

Uj A(S)

If |A(S)

T

Uj | ≤ 1, then there are at least (k − 1) points of S which are covered by

distinct emergency sets.

39

Type 2: There exist two emergency sets E1 and E2 such that |A(Ei) T |A(Ei) A(S)| = 1 for i = 1, 2.

T

Uj | ≥ 2 and

A(E 1) Uj A(S) A(E 2)

Type 3: There exist (k −2) emergency sets E1, E2, . . . , Ek−2 such that |Uj T = 0 and |A(S) A(Ei)| = 1 for i = 1, 2, . . ., k − 2.

T

A(Ei)|

A(S) Uj

A(E 1)

A(Ek-2 )

Type 4: There exists an emergency set E satisfying following two conditions: T T |Uj A(E)| = 1 and |A(E) A(S)| = 1. A(E) Uj A(S)

Because of case 1, we can assume that there is no type 4 secondary set in C. Assume that the second A(C)-neighborhood of Uj contains the superset A(E) of an emergency set E. Let A1 be a neighbor of A(E) which is in the first A(C)-neighborhood T of Uj . In view of case 2, we can assume that |A1 Uj | = 1. By case 1, we know that

A1 = A(S), that is A1 has to be the superset of a secondary set. We have two cases : either type 2 or type 3. Case 3: Then Gj+1 = Gj “bond” sets. |Uj+1 | = |Uj | + n.

S {E} and A(E1) and A(E2), A(S) are the auxiliary

40

A(E 1) Uj A(S)

A(E)

A(E 2)

S {E1, E2, . . . , Ek−2} and A(S) is the auxiliary set, but
it is not a “bond” set. |Uj+k−2 | ≥ |Uj | + (k − 2)n − k−2 2 . Case 4: Then Gj+k−2 = Gj

A(S) Uj

A(E 1)

A(Ek-2 )

In the rest of the case-study, we can assume that the second A(C)-neighborhood of Uj consists of secondary sets only. First we assume that the second A(C)-neighborhood of Uj contains a type 3 set S. Let A1 be a neighbor of A(S) which is in the first T T A(C)-neighborhood of Uj . Then either |A1 Uj | ≥ 2 or |A1 Uj | = 1. Case 5:|A1

T

Uj | ≥ 2.

A(S) Uj A1

A(E1)

A(E k-2 )

S {E1, E2, . . . , Ek−2}, A1 and A(S) are auxiliary sets: A1 is a
“bond” set, but A(S) is not. |Uj+k−2 | ≥ |Uj | + (k − 2)n − k−2 2 . Then Gj+k−2 = Gj

Then by case 1 we know that A1 = A(S ∗), where S ∗ is a secondary set. If S ∗ is

type 3, then we have case 4 again. So we can assume that S ∗ is of type 2. Case 6: |A1

T

Uj | = 1.

41

A(E*) Uj A(S*)

A(S)

A(E**)

A(E 1)

A(E k-2 )

S {E1, E2, . . . , Ek−2}. A(E ∗), A(E ∗∗), A(S ∗), A(S) are auxiliary
sets: all, but A(S), are “bond” sets. |Uj+k−2 | ≥ |Uj | + (k − 2)n − k−2 2 . Then Gj+k−2 = Gj

In the rest of the case-study we can assume that the second A(C)-neighborhood of Uj consists of type 2 secondary sets only. Case 7: The 3rd neighborhood of Uj contains the superset of an emergency set E. Let A1 = A(S) be a neighbor of A(E) which is in the 2nd A(C)-neighborhood of Uj . A1 is of type 2 secondary set. A(E 1) Uj A(S)

A(E)

A(E 2)

Then Gj+1 = Gj = |Uj | + n.

S {E}. A(E1), A(E2), A1 = A(S) are auxiliary “bond” sets. |Uj+1 |

From now on, we can assume that both the 2nd and the 3rd A(C)-neighborhoods of U consists of secondary sets only. Let S1 and S2 be secondary sets from the 2nd and 3rd T neighborhoods respectively such that |A(S1) A(S2)| = 1. We claim that S2 cannot be of type 2. Indeed, the neighbors of a 3rd neighbor of Uj

are not first neighbors of Uj , so they cannot intersect Uj in at least two points. Since types 1 and 4 are out, the only possible type for S2 is type 3. On the other hand, the whole 2nd neighborhood is of type 2, so S1 has to be type 2. Thus we can conclude the case-study with the following last case. Case 8:

42

A(E*) Uj A(S 1)

A(S2)

A(E**)

A(E1 )

A(E k-2 )

S {E1, E2, . . . , Ek−2}, A(E ∗), A(E ∗∗), A(S1), A(S2) are auxiliary
sets: all, but A(S2), are “bond” sets. |Uj+k−2 | ≥ |Uj | + (k − 2)n − k−2 2 . Then Gj+k−2 = Gj

Calculations: Let’s first calculate how many different ways we can “grow” to Gj+1 or Gj+k−2 from Gj . The upper bound on the number of possibilities for 1. case 1 is

|Uj | 1

2. case 2 is

|Uj |
n−2
1 D 2

3. case 3 is

|Uj | 4

4. case 4 is


k−2 |Uj |
n−1 1 D k−2 D

≤

5. case 5 is

|Uj | 2

Dk−2 ≤

6. case 6 is


k−2 |Uj |
4
n−2
2
n−2
n−3
n−1 1 D k−2 D 1 2 1 2 4

7. case 7 is

|Uj | 4

8. case 8 is


k−2 |Uj |
4
n−2
2
n−2
n−2
n−1 D k−2 D 1 1 2 1 2 4


D ≤ g(j) · n · D,


4
2




n−2 1

n−2 1


4
2




D

n−2 1

≤

g(j)2 ·n3 ·D , 2


2
2

n−1 k−2


2
2

n−2 1




n−2 1




n−3 1




D≤

g(j)4 ·n7 ·D , 4

g(j)·nk−1 ·Dk−1 , (k−2)!




n−2 1

g(j)2 ·nk+1 ·Dk−1 , 2(k−2)!




D≤

≤

g(j)4 ·nk+5 ·Dk−1 , 4(k−2)!

g(j)4 ·n7 ·D , 4

≤

g(j)4 ·nk+5 ·Dk−1 . 4(k−2)!

43

Note that we include 1 new set in cases 1, 2, 3 and 7. On the other hand, we include k − 2 new sets in cases 4, 5, 6 and 8. Therefore, the maximum number of possibilities “per” inclusion is at most k−1

g(j)4 · n8 · D k−2 . Remark: We have to clarify a crucial point here. In the proofs of Lemmas 3.1-3.2 we work with the concepts of “emergency set” and “secondary set”, which assumes the knowledge of the set X ′ = X − S of “uncolored points”. On the other hand, in the first stage of the algorithm when we apply Theorem 3.4 to the “big” family B, we have no idea which set (in fact the uncolored part of the set) will eventually become an “emergency”, or “secondary” or “dead set”. So we have to be able to define B, the family of “big sets”, strictly in terms of the original hypergraph H without referring to the (at that stage meaningless) concepts of “emergency” and “secondary sets”. Luckily the figures in cases 1–8 are about supersets (i.e. elements of H), and we can define the growing sequence of union sets {Ui }Ti=1 , T = 2k/4 strictly in terms of H such that each “growth” comes from one of the 8 cases described above. Now we are ready to define B (as we promised at the end of Section 3.3): B is the family of “big sets” B = UT , T = 2k/4 for all possible ways we can “grow” UT in terms of H by using cases 1-8. The result of “calculations” holds for this general interpretation of “big sets” without any modification. The narrow interpretation of “big sets” means to involve the concepts of “emergency” and “secondary sets”. Of course, a “big set” in the narrow sense is a “big set” in the general sense. A “big set” B = UT will have T = 2k/4 nearly disjoint n-sets. From our case study, it is clear that |B| ≥ (n − k2 )2k/4. Also the total number of “big sets”, |B|, that we can build starting with any set H ∈ H is |B| ≤ N ·

TY −1 

k−1

g(j)4 · n8 · D k−2

j=1

 k/4  k−1 2 ≤ N · 2k n8 D k−2 = N 1+β < 2(n−2k)2

k/4



44

by condition (3.2). This proves Lemma 3.1. Notice that as long as g(j)4 < |C|, we can build Gj inside C. If |C| > 2k , then we can make g(j) = T = 2k/4. That will give us a “big set” B = UT , i.e. the union set of the supersets of the family GT . It is easy to see that each time we add a set to build B, that set contributes at least (n − 2k) colored points of its own. Since B has 2k/4 emergency sets as its “members”, |S ∩ B| ≥ (n − 2k)2k/4 and g|S∩B = gB |S . This contradicts fact (3.5). So Lemma 3.2 is proved, and the proof of Theorem 3.2 is complete.

45

Chapter 4 Fast Digital Identity Revocation

4.1

Outline

We have already motivated the certificate revocation problem in chapter 1. In the next section, we describe our hierarchical scheme and prove a bound of R log (R/N ) on the number of tokens the CA must send to the Directories. In the Section 4.3, we describe a generalization of the hierarchical scheme which requires the CA to send asymptotically fewer tokens to the Directories using a novel complement cover construction.1 In the Section 4.4, we describe a variant of our scheme which includes an incremental feature, i.e., if some public key is revoked on day i, we do not have to pay for this on the following days, in short, we pay for each revocation only once. We now proceed with the details of our schemes.

4.2 4.2.1

Hierarchical Scheme Description of the Scheme

For concreteness, we will assume that the certificates are valid for D days and they are revoked once per day. Let f be a one-way permutation from n-bits to n-bits. Consider the following sequence: (r, f (r), f 2(r), . . ., f D (r)) where r is an uniformly chosen n-bit string. We will call this the chain of r and denote it by cr . We will index this sequence in reverse order starting from 0, i.e., the 0th element of the sequence, cr (0), is f D (r). We will call this the 0-token of the chain of r. Similarly, cr (1) = f D−1 (r). We will call it the 1-token of the chain of r. Note that the 1-token is the 1

We believe that this construction is of independent interest and might be useful for other purposes as well.

46

inverse of the 0-token, i.e., cr (1) = f −1 (cr (0)) = f D−1 (r). More generally, define cr (j) = f −j (cr (0)) = f D−j (r), j ≥ 1. We will call cr (j) the j-token of the chain of r. Note that it is easy to verify whether a token τ is an i-token of a chain once the 0-token (or a j-token, 0 ≤ j < i) of a chain is known. Simply compute f i (τ ) (f i−j (τ )) and check for equality with the 0-token (j-token). However, by the properties of a one-way permutation, given any number of the j-tokens of a chain, 0 ≤ j < i, it is computationally infeasible to compute the i-token of the chain. Before we describe our revocation scheme, it will be useful to review Micali’s revocation scheme. In Micali’s scheme, for each user v, there is a random n-bit string rv and a chain crv . For notational simplicity, we will hereafter refer to this as the chain of v and denote it by cv . In this scheme, the 0-token of v, cv (0), is incorporated into the certificate of v which is signed by the CA. If user v has not been revoked up to and including day i, then the CA will issue the i-token of v in response to queries about the status of user v’s certificate. Otherwise, the CA will not issue an i-token. To verify that signer v has not been revoked up to and including day i, a verifier must have v’s certificate and a candidate i-token τ for v which he obtains from either the CA, a Directory or v (who had previously obtained it from the CA or a Directory). He accepts that v has not been revoked up to and including day i if τ is verified to be the i-token of v. We will now describe our first and simplest scheme for revocation. For simplicity, we will assume that the number of users is a power of 2, i.e N = 2l , and that all users are issued certificates at the beginning of day 1.

2

Each user is given an l-bit id v ∈ {0, 1}l .

We associate these ids with the leaves of a labeled complete binary tree of height l in the natural way, i.e., label the root by the null string φ and label its two children by 0 and 1. Given any node in the tree whose label is a binary string s of length less than l, label its one child with s0 and the other with s1. For each node u in this tree, the CA computes a chain cu . For an l-bit id v, let (v0 = φ, v1, . . . , vl−1, vl = v) denote the nodes on the path from 2 We remark that these assumptions can be relaxed. We introduce them here for the clarity of exposition.

47

the root to v in this tree. Call the set of chains for this path the path of chains of v which we denote by pcv , i.e., pcv = (cv0 , . . ., cvl ). Furthermore, call the set of i-tokens of this path of chains the path of i-tokens of v and denote this symbolically as pcv (i), i.e., pcv (i) = (cv0 (i), . . ., cvl (i)). Of course, given the path of 0-tokens of v it is easy to verify whether a token τ is on the path of i-tokens of v (and even easier to verify whether τ is the i-token of, say, the jth node on the path). The CA’s Certificates: When creating a certificate for user v, the CA includes pcv (0), the path of 0-tokens of v, in the certificate (rather than just including the 0-token of chain cv in the certificate as in Micali’s scheme). Note that this path consists of log N + 1 0-tokens. The CA’s Update Operation: Let Ri be the set users which have been revoked at some point up to and including day i. At the end of day i, the CA will calculate a subset of nodes of the labeled tree, called the day-i verification nodes with the following two properties. 1. For every v ∈ / Ri , there is at least one node of the path of v which is a day-i verification node. 2. For every v ∈ Ri , none of the nodes on the path of v is a day-i verification node. For each day-i verification node, the CA can compute (or has cached) the i-token of that node. Call the collection of all such i-tokens the day-i verification tokens. The CA sends the day-i verification tokens to the Directories. A Directory’s Query Response: If u has not been revoked through the end of day i, then at least one node on the path of u is a day-i verification node. In response to queries concerning user u on day i + 1, the Directory issues the i-token of one such node. This i-token is, by definition, a member of the day-i verification tokens. If u has been revoked, no node on the path

48

of u is a member of the day-i verification nodes and, hence, the Directory cannot issue an i-token. The Verifier’s Operation: A verifier v must verify both the signature of a signer u and u’s certificate. This certificate contains the path of 0-tokens of u. We assume that the verifier has retrieved u’s certificate and a candidate i-token, τ , from either the signer, the CA or a Directory. He accepts that u has not been revoked up to and including day i if τ is verified to be an i-token of one of the nodes on the path of u. By property 1 of the day-i verification nodes, for a non-revoked signer u, an i token of one of the nodes on the path of v will be available for the verifier and the verifier will thus accept v. By property 2 of the day-i verification nodes and the definition of one-way permutation, it is computationally infeasible for a revoked user u or its any accomplice to deliver a token to the verifier which the verifier will accept as being an i-token of a node on the path of u. Calculating the Day-i Verification Nodes: Given a set of revoked users Ri , the CA can calculate the day-i verification nodes by operating on the labeled tree as follows. First mark as “revoked” every node in the path of every revoked user. Now the day-i verification nodes consists of all non-revoked nodes which are children of a revoked node. It is easy to verify that this set satisfies the two properties above and moreover it is the minimal set which satisfies these two properties. As an example, suppose that none of the users have been revoked on day one. Then the set of day-1 verification tokens consists of a single token: the 1-token of the root. Since this 1-token is on every users’ path of 1-tokens, a verifier which is given this token will accept every user. As another example, suppose that the user denoted by the string of all 1’s is revoked the first day. The day-1 verification tokens consists of the 1-tokens of the l nodes

49

0, 10, 110, . . . , 11 · · ·110. It is easy to verify that this set can be used to accept all but the revoked user. In the next subsection, we analyze the size of the set of verification nodes as a function of the number of revoked users.

4.2.2

Size of the Set of Verification Nodes

In this subsection, we derive an upper bound on the number of day-i verification nodes (and hence the number of day-i verification tokens) as a function of the number of nodes which have been revoked up to and including day i. Let N denote the number of users and r be the total number of revoked users. Definition 4.1 Let T¯(N, R) be the number of verification nodes in the labeled tree for N users when the set of revoked users (leaves) is R. Let T (N, r) = max|R|=r T¯(N, R). We will assume that N is a power of 2. We now prove the following. Theorem 4.1 For r = 0, T (N, r) = 1. For 1 < r ≤ N/2, T (N, r) ≤ r log (N/r). For N/2 < r ≤ N , T (N, r) ≤ N − r. Proof: Let N = 2l so that the labeled tree is a complete binary tree of height l. When |R| = r = 0, the set of verification nodes just consists of the root of the labeled tree and thus T (N, 0) = 1 for all N . When r = 1, our algorithm will mark as revoked all the nodes on the path of this revoked user. The algorithm puts all nodes which are children of revoked nodes into the set of verification nodes. There are log N such children. So, T (N, 1) = log N ∀N . Now consider the case when r > 1. First consider the case when r is a power of 2, i.e., r = 2k , k ≥ 1. Consider the r subtrees in the labeled tree whose roots are the nodes at depth k in the labeled tree. These trees have height l − k. We define the ˜ as follows. family of revoked sets R ˜ is a family of all revoked sets R ˜ such that |R| ˜ = r and there is Definition 4.2 R ˜ in each of the subtrees of height l − k. exactly one revoked user of R

50

˜ ∈ R, ˜ each By our previous analysis for one revoked user in a tree, for any R subtree of height l − k requires l − k verification nodes. Note that no other verification ˜ ∈ R, ˜ the total number of verification nodes, nodes are required. Hence, for any R ˜ is just r(l − k) = r log (N/r). We will now show that, for any set R ∈ ˜ T (N, R), / R, T¯(N, R) < r log (N/r). Actually we will prove a stronger statement in the lemma below. We will use the following definition. Definition 4.3 For any set of revoked users R, let sR be the number of subtrees of height l − k with no elements of R. Lemma 4.1 Let r be a power of 2. For any set of revoked users R of size r, there is ˜ in R ˜ such that T¯(N, R) ≤ T¯(N, R) ˜ − sR . aR Proof: We begin with two simple lemmas. Lemma 4.2 Let R be the set of revoked leaves and consider a maximal subtree with no revoked leaves of height h. Let u be a leaf of this subtree. Then, T¯(N, R ∪ {u}) = T¯(N, R) + h − 1. To see this note that, for the set R, the subtree was covered by one verification node at the root of the subtree. However, the number of verification nodes in the subtree after u is added to the revoked set is h. Lemma 4.3 Let R, for |R| ≥ 2, be the set of revoked leaves and consider a minimal subtree containing exactly two elements of R of height h. Let u be one of the two elements. Then, T¯(N, R − {u}) = T¯(N, R) − (h − 2). To see this note that the subtree has 2h − 2 verification nodes in R whereas it has h verification nodes in R − {v}. We will prove the Lemma 4.1 by induction. That is, we will show that for any R with |R| = r and sR ≥ 1, there is an R′ with |R′ | = r such that sR′ = sR − 1 and T (N, R) ≤ T (N, R′) − 1. Case sR = 0 serves as the basis for our induction argument. Then the lemma will follow.

51

Consider an R with |R| = r and sR (≥ 1) subtrees of height l − k with no elements of R. Let u be one of the leaves of one of these subtrees. Let v be a leaf in R of a subtree of height l − k with two or more leaves in R. Such a subtree must exist. Let R′ = (R/{v}) ∪ {u}. Note that the number of subtrees of height l − k with no elements of R′ is sR − 1. The maximal subtree containing u but containing no elements of R has height at least l − k. The minimal subtree containing v and exactly one other element of R has height at most l − k. Thus, using the two claims, we conclude that T¯(N, R) ≤ T¯(N, R′) − 1. This concludes the proof of the lemma. We now consider the case when r is not a power of 2. We write r as 2k + m where ˜ in a similar k = ⌊log r⌋ and 0 < m < 2k . We define the family of revocation sets R ˜ is in R ˜ if R ˜ has the fashion to the case when r is a power of two. The revocation set R following properties: Call a subtree of height l − k − 1 a i-subtree if i of its leaves are in ˜ Now, of the 2k+1 subtrees of height l − k − 1, r = 2k + m of them are 1-subtrees and R. 2k − m of them are 0-subtrees. Furthermore, each of the 0-subtrees is “paired” with a 1-subtree. That is, the sibling of the root of each 0-subtree is a root of a 1-subtree. (Note that such a pairing is possible since the number of 0-subtrees is strictly less than the number of 1-subtrees.) ˜ in R. ˜ Since Now let us consider the number of verification tokens required for a R each 0-subtree is paired with a 1-subtree, the root of each 0-subtree must be a verification node. The number of verification nodes required for each 1-subtree is just l −k −1. ˜ in R, ˜ T (N, R) ˜ = r(l − k − 1) + 2k − m. If r > N/2, k = l − 1. Then Thus, for each R ˜ = 2k − m = N − r. Otherwise, T (N, R) ˜ = r(l − k) − 2m. Since T (N, R) r log (r/2k ) = r log (1 +

r m ) ≤ m k < 2m, 2k 2

it follows that r log (N/2k ) − 2m < r log (N/r). As before, for an arbitrary revocation set R, we define sR to be the number of 0-subtrees for R. Note that sR ≥ 2k − m for every R of size r = 2k + m. As in the ˜ have the maximum number of case when r is a power of two, the revocations sets in R verification nodes. This follows from the following lemma.

52

Lemma 4.4 Consider a set of revoked users R whose size, 2k + m, is not a power of ˜ in R ˜ such that T¯(N, R) ≤ T¯(N, R) ˜ − (sR − (2k − m)). 2. For each such R, there is a R Proof: The proof is in two stages. In the first stage, we start with an arbitrary R and find an R′ with 2k − m 0-subtrees such that T¯(N, R) ≤ T¯(N, R′) − (sR − (2k − m)). The first stage is identical to the proof of Lemma 4.1. It proceeds by induction. Each step reduces the number of 0-subtrees by one and increases the number of verification ˜ ∈ R. ˜ We nodes by at least one. The second stage begins with R′ and ends with an R ˜ then there are two 0-subtrees whose will illustrate the first step of this stage. If R′ ∈ /R roots are siblings and two 1-subtrees whose roots are subtrees. Let v be one of the elements of R′ in one of the two 1-subtrees and let u be a leaf of one of the 0-subtrees. Let R′′ = (R′ /{v}) ∪ {u}. By our previous claims T (N, R′) ≤ T (N, R′′) − 1. We can proceed by induction on the number of 0-subtrees paired with 1-subtrees until we have ˜ ∈ R. ˜ a verification set R We remark that T (N, r) ≤ N − r. This can be shown algebraically or just by observing that, by construction, the number of verification nodes is never more than the number of non-revoked users. The number of tokens the CA needs to issue after r users have become revoked is at most T (N, r) in our scheme, and hence, this is at most the number of tokens the CA needs to issue in Micali’s scheme which is N − r. For small r, there is a large gap between the number of tokens which need to be issued in both schemes. For example, if r = N/64 (i.e., a revocation rate of approximately 1.5%), then N − r = (63/64)N is larger than T (N, r) ≤ (6/64)N by almost a factor of ten.

4.3

Generalized Hierarchical Scheme

In this section, we will first describe a set-theoretic object we call a complement cover family. We will then show that it properly captures the idea of assigning tokens to the non-revoked users. Finally, we will describe several complement cover families which thus yield constructions for the revocations problem.

53

4.3.1

Complement Cover Families

Consider an universe U of size N . Let R be any subset of U and let S and F denote ¯ = U − R denote the complement of R. families of subsets of U . Let R Definition 4.4 S is a complement cover of R iff

S

W ∈S

¯ W = R.

Definition 4.5 F is a complement cover family of U iff for every subset R of U , F contains a complement cover of R. That is, for every subset R of U , there is a subset S of F such that S is a complement cover of R, We will see below that for all of our constructions of a complement cover family F , for every subset R of U , there is a unique subset S of F which is a complement cover of R. We will call such families unique complement cover families. For any unique complement cover family F , and every subset R of U , let CCF (R) denote the unique complement cover of R which is contained in F . Furthermore, denote the function δF as the size of the complement cover of F which is defined as follows: δF (r) = maxR∈U,|R|=r |CCF (R)|. For every complement cover F and every element of u ∈ U , define HF (u) as the sets in F which contain u. Let hF (u) = |HF (u)| denote the height of u in F . By abuse of notation, define the height of F , hF as maxu∈U hF (u). Note that if u ∈ / R, then the intersection of CCF (R) and HF (u) is not empty, otherwise it is empty. This follows from the definition of a complement cover family. We will now show how a unique complement cover family can be used as a data structure for certificate revocation. Let U be the set of users and F a unique complement cover family of U . The CA creates a chain for each set S of F . Call this chain cS . The CA’s Certificates: Recall that for every user u, HF (u) is the collection of subsets which contain u. For each such subset, there is a chain. Call this set of chains the chains of HF (u). Denote the set of i-tokens of the chains of HF (u) as the i-tokens of HF (u). The certificate signed by the CA of each user u contains the 0-tokens of HF (u).

54

The CA’s Update Operation: As before, let Ri denote the set of users which have been revoked at some point up to and including day i. At the end of day i, The CA will set the day-i verification sets to be CCF (Ri), the complement cover of Ri . Define the set of day-i verification tokens to be the i-tokens of each set in the complement cover of Ri . The CA sends the day-i verification tokens to the Directories. A Directory’s Query Response: In response to queries on day i + 1 concerning user u, if u has not been revoked through the end of day i, the Directory computes the intersection of HF (u) and CCF (Ri). The Directory issues an i-token of one of the sets in the intersection. Note that this i-token is in the set of day-i verification tokens. If u has been revoked, the intersection is empty and, hence, the Directory cannot issue a token. The Verifier’s Operation: The day-i verification tokens are used by verifiers on day i + 1 to test whether users have or have not been revoked at some point up through the end of day i. This is done as follows. For a signer, u, as before a verifier is given u’s certificate. This certificate contains the 0-tokens of HF (u). In addition the verifier retrieves a candidate i-token, τ , from either the signer, the CA, or some other source. He accepts that u has not been revoked up to and including day i if τ is verified to be one of the i-tokens of HF (u). By the definition of the complement cover of Ri, for a non-revoked user u, one of the i-tokens of HF (u) will be available for the verifier and the verifier will thus accept u. In addition, by the definition of one-way permutation, it is computationally infeasible for a revoked user or any accomplice to deliver a token to the verifier which the verifier will accept as being an i-token of HF (u). Since unique complement cover families are useful as revocation data structures, we are interested in finding a family F of U such that

55

1. |F | is O(N c ) for some small constant c, i.e., number of chains required in the system is practical. 2. hF is small, i.e., the number of 0-tokens in the certificate of every user is small. 3. The complement cover of every set, CCF , can be efficiently computed. 4. The size of the complement covers, δF (·), as a function of the size of the revoked users is small.

4.3.2

Examples of Complement Cover Families

We consider two extreme, but simple, solutions for this problem: • F = {{1}, {2}, . . ., {N }}. Given any R, U − R =

S

x∈R / {x}.

Thus, F is a

complement cover of U . Clearly, |F | = N . Note that δF (r) = N − r and hF = 1. Observe that this corresponds to Micali’s scheme. Note that since δF (r) = N − r, the number of tokens the CA must issue when r is small is quite large. • F = 2U . Given any R, U − R ∈ F . So, δF (r) = 1. Thus, the number of dayi verification tokens is 1 regardless of the number of revoked users. However, the certificate size is hF = 2N −1 and |F | = 2N . Thus the solution is obviously not practical because the size of the certificates and the CA’s data structure are exponential. These two families stand at two opposite poles - the first family has small size and small hF but a large δF , and the second family has a small δF but large size and large hF . Below we will describe a scheme which has the advantages of both of the above.

4.3.3

Description of General Scheme

We will now describe a construction for a unique complement cover family which is parameterized by integer c ≥ 2. For simplicity, suppose that N = cl for some positive l. The first subset we put into the family is the entire set of cl elements. We next divide the elements into c subsets of size cl−1 each and put these subsets into the family. These

56

are level 1 subsets. Further divide each level 1 subset into c subsets of size cl−2 . These are level 2 subsets. Continue dividing the subsets and adding them to the family until all the level l subsets of size one have been added to the family. The collection of level i subsets which are subsets of the same level i − 1 subset are called siblings and the level i − 1 subset is called their parent. For example, in Fig. 1, {4}, {5} and {6} are siblings in level 2 and their parent is {4, 5, 6}. Note that thus far we have (cl+1 − 1)/(c − 1) subsets in the family and every element of U is in l + 1 sets. If c = 2 we are done. Otherwise, we will continue to add to this family as follows. For each collection of sibling subsets do the following. First form subsets which are
the union of any two siblings. There are 2c such subsets. Add these to the family.
Then form the subsets which are the union of any three siblings. There are 3c such
subsets. Add these to the family. In general, form the ci subsets which are the union of i siblings, for 1 < i < c, and add these to the family. This completes the subsets of the family. Using edges to represent the (maximal, nontrivial) subset relation, this complement cover family can be represented by a graph. See Fig. 1 for an example when c = 3 and N = 32 . [1,2,3,4,5,6,7,8,9]*

[1,2]*

[1,2,3,4,5,6]*

[1,2,3,7,8,9]*

[4,5,6,7,8,9]

[1,2,3]*

[4,5,6]

[7,8,9]

[1,3]*

[2,3]*

[4,5]

[4,6]

[5,6]

[7,8]

[7,9]

Level 1 Siblings

[8,9] Level 2 Siblings

[1]*

[2]*

[3]

[4]

[5]

[6]

[7]

[8]

[9]

Figure 4.1: An example of the complement cover of {1, 2} for c = 3 and N = 9. The revoked nodes are marked with an asterisk. The sets which comprise the complement cover are circled.

57

The size of this family is cl − 1 c 2c (2 − 2) + 1 ≤ N . c−1 c−1 Also, it is easy to see that every element of U is in hF = (l − 1)2c−1 + 1 < 2c log N/ log c subsets of F . The complement cover of a revoked set R, CCF (R), can be computed as follows. As in the hierarchical scheme, first mark as revoked each singleton set whose sole member is a member of R. In Fig. 1, these sets are denoted by an asterisk. Then mark as revoked each subset of F which is a superset of any of these marked sets. In the graph representation, start by marking the revoked leaves. Then mark the immediate supersets of the marked leaves. Continue working up the graph until every superset of a marked set has been marked. In Fig. 1, the marked sets are marked with an asterisk. The elements of CCF (R) are the maximal subsets of F which have not been marked. In Fig. 1, they are circled. These elements are easy to find. For each set of siblings at a given level in which at least one of the sets, but not all, is marked as revoked do the following. If exactly one of the siblings is not marked, it is a member of CCF (R). For example, node {3} in Fig. 1. Otherwise, there is a unique subset of the parent of the siblings which is the union of the unmarked siblings. For example, node {4, 5, 6, 7, 8, 9} in Fig. 1. This set is a member of CCF (R). The size of the complement covers is given by δF (r) ≤ r logc N/ck −m ≤ r logc N/r− ck . This can be shown using methods similar to those for the hierarchical scheme. It is instructive to instantiate the scheme for several values of c. 1. c = 2 : This is the Hierarchical scheme. The size of the complement cover is |F | = 2N − 1, δF (r) ≤ r log (N/r) and hF = log N + 1. 2. c = 3 : This is an interesting case. It gives us a complement cover family of size 3N − 2 with δF (r) =

r log 3

log Nr ). Note that there is a 50% increase in size of F

compared to the Hierarchical scheme, but more than a 50% decrease in δ (since log 3 = 1.585). So, it could be an alternative to the Hierarchical scheme. log N/r log N 3. c = log N : |F | = (O(N 2), δF (r) ≤ r log log N ) and hF ≤ N log log N . Although this

58

setting achieves the lowest value for the size of the complement cover, |F | and hF may not be practical for moderately large N .

4.4

Incremental Version

Under the current scheme, if r1 users are revoked on day 1 and r2 users are revoked on day 2, the number of day 2 verification nodes is a function of r1 whereas the number of day 3 verification nodes is based on r1 + r2 although the number of users revoked the previous day was only r2. We propose the following modification to our scheme such that the number of verification nodes needed for a given day depends only on the number of users revoked the previous day and not on all of the users revoked so far. For the first modification, we replace each chain of tokens of length 365 with a hash tree of depth 2 · 365 analogous to [35, 28]. The root value of the hash tree becomes the 0-token. There is one such hash tree and 0-token associated with every node in the labeled tree of N elements. On day i, for each node v in the day-i verification set, the CA gives the log(2 · 365) + 1 hash values needed to compute the path from leaf 2i in the the hash tree to the 0-token associated with the node v. Call this the day-i verification path for node v. Note that given the day j, for 1 ≤ j < i, verification paths for node v, it is computationally infeasible to compute the day-i verification path for v. This motivates our second modification to the scheme. Recall that each user’s certificate contains log N 0-tokens, one for each node in the labeled tree on the path from the user’s id to the root. Previously, for a user to be verified on day i, the verifier would a need a day-i verification path for one of the user’s 0-tokens. We change the protocol as follows. On day i, the CA computes the day-i verification set of nodes in the labeled tree using just the users revoked the previous day. The CA sends to the Directory a day-i verification path for each node in the day-i verification set. Now, for a user to be verified on day i, the verifier will need a day-1 through day-i verification path with the additional property that the root of each of the verification paths is contained in the set of 0-tokens in the user’s certificate. This scheme reduces the CA to Directory communication costs

59

substantially as shown in the following lemma. Lemma 4.5 Let R denote the total number of revocations throughout the year. Then 2

365 R log 365 the average daily CA to Directory communication cost is O( R log log( N ). 365 R)+ 365

Proof: Let ri be the number of revocations on day i. Then, from earlier description, the CA to Directory communication cost of day i+1 will be proportional to ri log 365 log( N ri ). P The lemma follows easily once we observe that R = 365 i=1 ri and f (x) = −x log x is a concave function.

Of course, this reduction is gained at the expense of a larger communication requirement for the verifier which is proportional to i for day i. This latter communication requirement can be reduced to log 365 by requiring the CA to produce incremental verification paths for the log 365 times scales of 2 days, 4 days, 8 days, etc. This only increases the average daily communication cost of the CA by a factor of 2.

60

Chapter 5 Conclusions and Suggestions for Further Work

We investigated randomized k–server problem in Chapter 2. We discovered that Randomization does help, indeed! Our work resulted in first super-linear bound on n for the k-server problem on a line. We feel that our analysis of algorithm R is not tight and better analysis could yield better bound on n as a function of k. So our first suggestion for a research problem is Research Problem 1 Is the current analysis of R tight? Can one do better? It is worth noting that the competitive ratio of R is essentially proportional to the jump–out cost (which is n since the line–segment is of length n) except for a logarithmic factor. An easy improvement is possible if we further add super-block hierarchy on top of the existing block structure so that the initial movements of evaders are restricted inside blocks, then inside super-blocks and so on. With some balancing and trade-offs, we could then hope to bring down the jump-out cost and that should lead us to better competitive ratio and, of course, better bound on n. So our second suggestion for a research problem is Research Problem 2 Can a super-block hierarchy result in improved bound on n? Owing to wonderful results of [2, 4, 5] on approximating arbitrary metric spaces, a good algorithm on tree metrics immediately leads to a good algorithm for arbitrary metric spaces. [16] provided optimal k–competitive algorithm on trees in deterministic setting which lead to O(k log2 n)–competitive randomized k–server algorithm against oblivious adversary in any metric space. Even though this is far too inferior to (2k −1)– competitivity of [30], it does show how sub-linear bounds (in k) for the k–server problem

61

on tree metrics could be used to construct algorithms with sub-linear competitive ratio for any space with n sub-exponential in k. Since our algorithm R has already made a promising start on a line–segment (which is a tree!), a natural research problem one could investigate is Research Problem 3 Can one improvise on ideas of R to construct o(k)–competitive randomized algorithm for a general tree? The key to the solution of above problem might lie in good partitioning for trees. Building the randomly shifted block structure for a line–segment was very simple and natural, can we achieve something similar for any general tree? This throws up following research problem Research Problem 4 Given a tree T on n nodes having diameter D, can one decompose it into possibly overlapping subtrees T1, T2, . . . , Tm each of size θ(b) and diameter θ(d) such that 1. b2.d = O(D), 2. d = Dǫ for some ǫ > 0 and 3. m = O( nb ). We investigated 2–coloring of n–uniform hypergraphs in Chapter 3. We provided a polynomial (in N ) time algorithm to find a proper 2–coloring of an n–uniform, almost disjoint, size N hypergraph in which no edge intersects more than D other edges, where D = (2 − δ)n and N = O(2δ·n·2

√ n

). Our method is based on the ideas from [12] and we

feel that it might not be easy to use it further to get better bounds for this problem. In any case, the original problem of [45] remains open and it needs to be tackled with completely new approach. Research Problem 5 Let A = {A1, A2, . . . , AN } be a family of n-element subsets of a finite set X, and assume that every Ai intersects at most

2n 8n

other Aj , and n ≥ 2. Is

there a deterministic sequential algorithm which produces a “proper” 2-coloring of X in running time N const.

62

Finally we presented an efficient scheme in Chapter 4 to manage revocations of public-key certificates in public-key infrastructure. Our scheme is simple, computationally fast and easily scalable. Savings in communication cost are substantial when compared to other schemes like CRL, CRS. It would be an interesting project to develop a prototype for certificate management based on our scheme.

63

References [1] W. Aiello, S. Lodha, and R. Ostrovsky. Fast digital identity revocation. In Advances in Cryptology - CRYPTO ’98, 18th Annual International Cryptology Conference, Santa Barbara, California, USA, August 23-27, 1998, Proceedings, volume 1462 of Lecture Notes in Computer Science, pages 137–152. Springer, 1998. [2] N. Alon, R. Karp, D. Peleg, and D. West. A graph-theoretic game, and its application to the k-server problem. SIAM Journal of Computing, 24:78–100, 1995. [3] N. Alon and J. Spencer. The probabilistic method. John Wiley and Sons, 2nd edition, September 2000. [4] Y. Bartal. Probabilistic approximations of metric spaces and its algorithmic application. In Proceedings of the 37th Annual Symposium on Foundations of Computer Science, pages 184–193, 1996. [5] Y. Bartal. On approximating arbitrary metrics by tree metrics. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pages 161–168, 1998. [6] Y. Bartal, A. Blum, C. Burch, and A. Tomkins. A polylog(n)–competitive algorithm for metrical task systems. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing, pages 711–719, 1997. [7] Y. Bartal, M. Chrobak, and L. Larmore. A randomized algorithm for two servers on the line. Information and Computation, 158:53–69, 2000. [8] Y. Bartal and E. Koutsoupias. On the competitive ratio of the work function algorithm for the k-server problem. In Proceedings of 17th Annual Symposium on Theoretical Aspects of Computer Science, pages 605–613, 2000. [9] J. Beck. On 3-chromatic hypergraphs. Discrete Mathematics, 24:127–137, 1978. [10] J. Beck. On positional games. Journal of Combinatorial Theory, Series A, 30:117– 133, 1981. [11] J. Beck. Van der Waerden and Ramsey type games. Combinatorica, 1:103–116, 1981. [12] J. Beck. An algorithmic approach to the Lov´ asz local lemma. Random Structures and Algorithms, 2(4):343–365, 1991. [13] J. Beck and S. Lodha. Efficient proper 2-coloring of almost disjoint hypergraphs. To appear in 13th Annual ACM-SIAM Symposium on Discrete Algorithms, 2002. [14] A. Blum, H. Karloff, Y. Rabani, and M. Saks. A decomposition theorem for task systems and bounds for randomized server problems. SIAM Journal on Computing, 30(5):1624–1661, 2000.

64

[15] A. Borodin and R. El-Yaniv. Online Computation and Competitive Analysis, chapter 9, pages 123–149. Cambridge University Press, 1998. [16] M. Chrobak and L. Larmore. An optimal algorithm for the server problem on trees. SIAM Journal of Computing, 20:144–148, 1991. [17] M. Chrobak and L. Larmore. Metrical task systems, the server problem, and the work function algorithm. In A. Fiat and G. Woeginger, editors, Online Algorithms The State of the Art, volume 1442 of Lecture Notes in Computer Science, chapter 4, pages 74–96. Springer-Verlag, May 1998. [18] VeriSign Corporation. Available online URL: http://www.verisign.com/. [19] B. Csaba and S. Lodha. A randomized online algorithm for the k-server problem on a line. Technical Report 2001-34, DIMACS, October 2001. Available online URL: ftp://dimacs.rutgers.edu/pub/dimacs/TechnicalReports/TechReports/2001/200134.ps.gz. [20] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976. [21] P. Erdos and L. Lov´ asz. Problems and results on 3-chromatic hypergraphs and some related questions. Infinite and Finite Sets, 11:609–627, 1975. [22] P. Erdos and J. Selfridge. On a combinatorial game. Journal of Combinatorial Theory, Series A, 14:298–301, 1973. [23] S. Even, O. Goldreich, and S. Micali. On-line/off-line digital signatures. In G. Brassard, editor, Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings, volume 435 of Lecture Notes in Computer Science, pages 263– 277. Springer-Verlag, 1990. [24] A. Fiat, R. Karp, M. Luby, L. McGeoch, D. Sleator, and N. Young. Competitive paging algorithms. Journal of Algorithms, 12(4):685–699, 1991. [25] A. Fiat and M. Mendel. Better algorithms for unfair metrical task systems and applications. In Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, pages 725–734, 2000. [26] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984. [27] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, 1988. [28] C. Jutla and M. Yung. Paytree: “Amortized signature” for flexible micropayments. In 2nd USENIX workshop on Electronic Commerce, November 1996. [29] P. Kocher. On certificate revocation and validation. In Proceedings of Financial Cryptology, pages 172–177, 1998.

65

[30] E. Koutsoupias and C. Papadimitriou. On the k-server conjecture. Journal of the ACM, 42(5):971–983, 1995. [31] E. Koutsoupias and C. Papadimitriou. The 2-evader problem. Information Processing Letters, 57(5):249–252, 1996. [32] L. Lamport. Password authentification with insecure communication. Communications of the ACM, 24(11):770–772, 1981. [33] M. Manasse, L. McGeoch, and D. Sleator. Competitive algorithms for server problems. Journal of Algorithms, 11(2):208–230, 1990. [34] L. McGeoch and D. Sleator. A strongly competitive randomized paging algorithm. Algorithmica, 6(6):816–825, 1991. [35] R. Merkle. A certified digital signature. In G. Brassard, editor, Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings, volume 435 of Lecture Notes in Computer Science, pages 218–238. Springer-Verlag, 1990. [36] S. Micali. Certificate revocation system. U.S. Patent number 5666416, issued. [37] S. Micali. Enhanced certificate revocation system. Technical Report TM-542, MIT, November 1995. Available online URL: ftp://ftp-pubs.lcs.mit.edu/pub/lcspubs/tm.outbox/. [38] Microsoft. Proposal for authenticating code via the internet, April 1996. Available online URL: http://www.microsoft.com/security/tech/authcode/authcode-f.htm. [39] M. Naor and K. Nissim. Certificate revocation and certificate update. In Proceedings 7th USENIX Security Symposium, 1998. [40] J. Radhakrishnan and A. Srinivasan. Improved bounds and algorithms for hypergraph two-coloring. Random Structures and Algorithms, 16:4–32, 2000. [41] M. Reiter and S. Stubblebine. Towards acceptable metrics of authentication. In Proceedings of IEEE Symposium on Security and Privacy, pages 10–20, 1997. [42] R. Rivest and B. Lampson. SDSI–A simple distributed security infrastructure. Available online URL: http://theory.lcs.mit.edu/~rivest/sdsi10.html. [43] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public key cryptosystems. Communications of the ACM, 21(2):120–126, 1978. [44] D. Sleator and R. Tarjan. Amortized efficiency of list update and paging rules. Communications of the ACM, 28(2):202–208, 1985. [45] J. Spencer. Ten lectures on the probabilistic method. SIAM, Philadelphia, 1987.

66

Vita Sachin P. Lodha 1990

Graduated from M.E.S. Boys’ High School, Pune. Ranked second among 300,000 students in the state level 10th grade finals.

1990-96

National Talent Search (NTS) scholarship, instituted by the National Council for Educational Research and Training (NCERT), New Delhi, India.

1992

Graduated from S. P. College, Pune. Ranked sixth among 150,000 students in the state level 12th grade finals.

1992

Ranked twenty-eighth in India in the Joint Entrance Exam (JEE) for IITs.

1992

Represented India and won a bronze medal at the International Mathematical Olympiad (IMO) held in Moscow.

1992-96

B.Tech. in Computer Science and Engineering at Indian Institute of Technology, Mumbai, India. Ranked third in the class.

1996-00

Teaching Assistant, Department of Computer Science, Rutgers, The State University of New Jersey.

1998

M.S. in Computer Science, Rutgers, The State University of New Jersey.

2000-01

University and Bevier Graduate Fellowship, Rutgers, The State University of New Jersey.

2001

Stefan Langerman, Sachin Lodha and Rahul Shah. Algorithms for Efficient Filtering in Content Based Multicast. Algorithms - ESA 2001, Lecture Notes in Computer Science, Springer, Vol. 2161, 2001, pp 428-439. This paper won The Best Student Paper Award in ESA 2001.

2002

Ph.D. in Computer Science, Rutgers, The State University of New Jersey.