k-wise uniformity

Adapted from lecture 12 of Ryan O’Donnell’s Fall 2017 graduate complexity theory class at CMU, lecture 12c of his Spring 2020 “CS theory toolkit” class (also at CMU), and sections 1.2-1.3 of the lecture notes for Emanuele Viola’s Fall 2017 “Special topics in complexity theory” class at Northeastern.

A distribution $D$ over ${0, 1}^{N}$ is $k$ -wise uniform if looks uniform over every set of $k$ variables.¹ Similarly, a random hash function $h : {0, 1}^{n} \to {0, 1}$ is $k$ -wise uniform if the hashes $h (x_{1}), \dots, h (x_{k})$ of $k$ distinct inputs are distributed uniformly. In fact (and this took me way too much time to realize), this is the same notion: a $k$ -wise uniform hash function over ${0, 1}^{n}$ corresponds to a $k$ -wise uniform distribution over ${0, 1}^{2^{n}}$ : just interpret each of the $2^{n}$ outputs

h (0, \dots, 0), \dots, h (1, \dots, 1)

as one coordinate of the distribution. So we will use them interchangeably.

This is equivalent to fooling tests of degree $\leq k$ . Indeed,

if $p$ has degree $\leq k$ , then we can decompose $E_{x \in D} [p (x)]$ into the expectation of its monomials, and those must be fooled since they each depend on only $\leq k$ variables;
conversely, if $\Pr_{x \in D} [x_{S} = v] \neq 2^{- k}$ for some set $S$ of $k$ variables and some assignment $v \in {0, 1}^{S}$ , then the polynomial $p (x) : = 1 [x_{S} = v]$ has degree $k$ and isn’t fooled.

In this note, we’ll try to build $k$ -wise uniform distributions and hash functions that can be efficiently computed from a short random seed.

1-wise uniformity

The case $k = 1$ is trivial: we just need to make sure that individually, each coordinate of the distribution is $0$ or $1$ with probability $1 / 2$ each. So we can let $D$ be uniform over the two strings $(0, \dots, 0)$ and $(1, \dots, 1)$ . In terms of hash functions, we can let $h$ be the all-zeroes or all-ones function with probability $1 / 2$ each.

This requires only $1$ bit of randomness: the seed length is $1$ .

Pairwise uniformity

When $k = 2$ , in addition to making sure $h (x) = 1$ with probability $1 / 2$ for each $x$ , we also need to make sure that the outputs $h (x), h (y)$ of two distinct points $x \neq y$ are equal as often as they’re unequal. In particularly, $h (x)$ and $h (y)$ shouldn’t always have the same value.

In the abstract, how would you try to design a hash function $h$ that avoids pairwise collisions? One attempt might be to do some kind of “parity check”, say XOR all the bits together. But for whatever parity check you come up with, there will be some strings $x \neq y$ that nevertheless map to the same value.

On the other hand, taking a random parity check seems more promising: that is, we’ll draw a random “parity check” string $r \in {0, 1}^{n}$ , then hash $x$ to

h (x) : = r \cdot x = r_{1} x_{1} \oplus \dots \oplus r_{n} x_{n} .

If $x \neq y$ , then their hashes will differ with probability $1 / 2$ : indeed, the “difference” is $h (x) \oplus h (y) = r \cdot (x \oplus y)$ , and if you take a random parity check of a nonzero string, it will be $1$ with probability $1 / 2$ .

This doesn’t give us pairwise uniformity, though: the issue is that $h (0^{n})$ is always $0$ . Luckily, this is the only issue, because for every $x$ that’s not the all-zeros string, we do have $h (x) = 1$ with probability $1 / 2$ . In fact, this means we already have a pairwise-uniform distribution over $N : = 2^{n} - 1$ coordinates given by ${h (x)}_{x \in {0, 1}^{n} ∖ {0^{n}}}$ .

To get pairwise uniformity, it’s enough to avoid the all-zeros string by first mapping each $x$ to $(x_{1}, \dots, x_{n}, 1) \in {0, 1}^{n + 1}$ then taking a random parity check for $r \in {0, 1}^{n + 1}$ . This is equivalent to drawing a random string $r \in {0, 1}^{n}$ and a random bit $b \in {0, 1}$ , and mapping $x$ to

h (x) : = (r \cdot x) \oplus b = r_{1} x_{1} \oplus \dots \oplus r_{n} x_{n} \oplus b .

This requires seed length $n + 1$ for hash functions, and $⌈ \log (N + 1) ⌉$ for distributions. And it’s very easy to compute. :)

Dual distance

It’s fairly natural to try and achieve $k$ -wise uniformity by making the distribution $D$ uniform over a linear code $C \subseteq F_{2}^{N}$ . Indeed, a linear code $C$ is uniform over a set $S$ of coordinates if and only if it is “complete over $S$ ”, i.e. ${C |}_{S} = {0, 1}^{S}$ . In particular, this means that $D$ will be $k$ -wise uniform as long as any $k$ columns in the generator matrix of $C$ are linearly independent.

For example, the distribution with $N : = 2^{n} - 1$ coordinates we described in the previous section is the Hadamard code: when $n = 3$ , it is generated by the matrix $G$ of all nonzero vectors $x \in {0, 1}^{3}$

G : = (\begin{matrix} 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 \end{matrix}),

with $C : = {r G ∣ r \in {0, 1}^{3}}$ . It’s pairwise uniform because any two distinct nonzero vectors $x, y \in {0, 1}^{3}$ are linearly independent.

The condition “any $k$ columns in $G$ are linearly independent” can be rephrased as “no nonzero vector of Hamming weight $\leq k$ is perpendicular to all rows of $G$ ”: such a vector would give the coefficients of a linear combination of $\leq k$ columns that sums to zero. Since the vectors perpendicular to all rows of $G$ form the dual code $C^{⊥}$ ,² this is also equivalent to the dual code having distance $> k$ (we call this distance the dual distance).

This means that to find a small $k$ -wise uniform distribution $D$ , it’s enough to find a large linear code $C^{⊥}$ with distance $> k$ : the parity checks of $C^{⊥}$ will be the generators of $C$ , so their number is the seed length needed. In the example above, $C^{⊥}$ is the Hamming code, which has distance $> 2$ and has the $3$ parity checks indicated by $G$ .

General case: Reed-Solomon codes

The Hamming bound tells us that a code of distance $> k$ can only cover a $N^{- Ω (k)}$ fraction of $F_{2}^{N}$ . So in the best case, $C^{⊥}$ would need $Ω (k \log N)$ parity checks, and thus the seed length would be at least $Ω (k \log N)$ in the best case.

Embarrasingly, I don’t know how to match the Hamming bound in general over $F_{2}$ , but I do know how to do this over larger fields such as $F_{2^{n}}$ . And fortunately, if we have a $k$ -wise uniform distribution over $(F_{2^{n}})^{m}$ , we still get a $k$ -wise uniform distribution over ${0, 1}^{n m}$ by interpreting the elements of $F_{2^{n}}$ as strings in ${0, 1}^{n}$ and concatenating them together.

Specifically, Reed-Solomon codes are great at achieving dual distance. Pick a field $F$ of size $\geq m$ , and fix $m$ distinct elements $f_{1}, \dots, f_{m} \in F$ in it (the “evaluation points”). Let $F [X]^{< k}$ be the set of all polynomials $p (x) = a_{0} + a_{1} x + \dots + a_{k - 1} x^{k - 1}$ of degree $< k$ . Consider the code $C$ where each codeword is the values of some polynomial $p$ at the evaluation points $f_{1}, \dots, f_{m}$ :

C : = {(p (f_{1}), \dots, p (f_{m})) | p \in F [X]^{< k}} .

Polynomials of degree $< k$ are uniquely determined by their value at $k$ distinct points, so $C$ is complete on every set of $k$ points, and therefore the uniform distribution on $C$ is $k$ -wise uniform.

Each coefficient $a_{i}$ takes $\log | F |$ bits of randomness, so by setting $m : = N / \log N$ and $F : = F_{2^{\log N}}$ , we get a $k$ -wise uniform distribution over ${0, 1}^{N}$ with seed length $O (k \log N)$ as hoped, and it’s very easy to compute.

Note: If you really care, you can get seed length $⌊ k / 2 ⌋ \log N + O (1)$ from BCH codes, and you can generalize that to $⌊ k / 2 ⌋ \log_{q} N + O (1)$ if both the seeds and the outputs are over $F_{q}$ instead of ${0, 1}$ .

Lower bounds

We seemed to get the best possible seed length we could have gotten from linear codes, but maybe there was some a more efficient way to do things, with a seed length $s$ much smaller than $k \log N$ ?

Let’s start with a very basic observation. Consider the matrix $M \in {0, 1}^{2^{s} \times N}$ whose rows are all possible outcomes of the distribution. If the distribution is pairwise uniform, then at the very least, no two columns shouldn’t be completely identical: otherwise those two coordinates would be perfectly correlated. There are only $2^{2^{s}}$ possible columns, so we get $N \leq 2^{2^{s}} \Rightarrow s \geq \log \log N$ .

But we have a stronger guarantee than this: for any two columns $v, w \in {0, 1}^{2^{s}}$ , we should have that $v_{i} = w_{i}$ as often as $v_{i} \neq w_{i}$ . If we switch the domain from ${0, 1}$ to ${\pm 1}$ , this means their inner product $v \cdot w$ is $0$ : $v$ and $w$ are orthogonal. A space of dimension $2^{s}$ cannot have more than $2^{s}$ pairwise orthogonal vectors, so we have $N \leq 2^{s} \Rightarrow s \geq \log N$ .

More generally, if the distribution is $k$ -wise uniform, then for any $k$ columns $v^{(1)}, \dots, v^{(k)}$ , the $k$ -tuple $(v_{i}^{(1)}, \dots, v_{i}^{(k)})$ should take every value in ${\pm 1}^{k}$ equally often. If we split them into two groups (assume $k$ is even), then the products $v_{i}^{(1)} \dots v_{i}^{(k / 2)}$ and $v_{i}^{(k / 2 + 1)} \dots v_{i}^{(k)}$ should be equal as often as they’re unequal. This means that the element-wise products $v^{(1)} \circ \dots \circ v^{(k / 2)}$ and $v^{(k / 2) + 1} \circ \dots \circ v^{(k)}$ are orthogonal. There are $(\binom{N}{k / 2})$ such products of $k / 2$ columns, so by the same argument³ we get $(\binom{N}{k / 2}) \leq 2^{s} \Rightarrow s \geq ⌊ k / 2 ⌋ \log (N / k)$ .

i.e. for every $S \in (\binom{[N]}{k})$ , the distribution of $x_{S}$ for $x \sim D$ is uniform over ${0, 1}^{S}$ ↩
The dual code $C^{⊥}$ the set of all vectors perpendicular to $C$ : all possible “parity checks” of $C$ . This is also the code whose generating matrix is $C$ ’s parity check matrix and vice versa. ↩
There is a slight catch, which is that for the argument to go through, we also need that $v^{(1)} \circ \dots \circ v^{(k / 2)}$ is orthogonal to $v^{(k / 2 + 1)} \circ \dots \circ v^{(k)}$ when there is partial overlap between $v^{(1)}, \dots, v^{(k / 2)}$ and $v^{(k / 2 + 1)}, \dots, v^{(k)}$ (i.e. some of those are the same columns in $M$ ). But this is not an issue: if say $v^{(j)} = v^{(j^{'})}$ for $j \leq k / 2 < j^{'}$ , then then in the inner product $(v^{(1)} \circ \dots \circ v^{(k / 2)}) \cdot (v^{(k / 2) + 1} \circ \dots \circ v^{(k)}) = \sum_{i} v_{i}^{(1)} \dots v_{i}^{(k)}$ , the corresponding factors $v_{i}^{(j)}$ and $v_{i}^{(j^{'})}$ will cancel out, so you can just get rid of both $j$ and $j^{'}$ and apply the same argument to products of fewer than $k / 2$ columns, which must also be orthogonal. ↩