Average-Case Completeness of a Word Problem for Groups
Jie Wang*
Department of Mathematical Sciences
University of North Carolina at Greensboro
Greensboro, NC 27412
wang@uncg.edu
Abstract.
This
problem hard
for on
given
paper
groups
an
tained
whose
average.
The
integer from
k,
Z(x–l
transformations
problem
the problem
is average-case
stances
chosen
distribution.
at
G,
word
problems
can
for
of
lem
problem
ob-
for
groups
[Deh11]
z
a uniform general
The
crypt
ion
1
Word
The
theory
of average-case
by Levin
[Lev86],
en-average
the
tem
that
tacks. lem
that
can The
to
idea
built
security.
problem cannot “This
survive
and
tosystem
with have work
hard
average
using
is likely such
cryptanalytic
a problem
hard-on-average instances
a fast
on
is supported
in part
can
group
is an
randomly
word
NP
algorithm
unless
by the NSF
under
evgrant
to e, which
word.
Positive
is
and
each
in
[WM85]. presented
nature
[MKS76].
can be read
consists order, ‘1 a%
expression
it
The
in as
n
not
word
words
group
=
and
a~a~
get
of the
also
For
each
word
of all
the
symbols
each
al
by
ai.
where
until w,
compo-
as a positive strings. all
Words
expressions
aL reduced the
word
inverse
word
of w written
is replaced A
X
empty A word
negative
with out
the
group.
called
juxtaposing
c c. a.,+
no ai appears
O, we
contain
are
To be
[A] is a
can be uniquely
e is regarded
ai canceled
= Y,
a set of rela-
free
that
of a set
words.
in the form
identity
does
is replaced
X
and
for a~ or a;l,
where
consists
generated
word
is the
by a~l
obtained.
w‘1
con-
in finitely
set.
When
empty
multiplied
verse
if
The
aia~l
Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. STOC '95, Las Vegas, Nevada, USA © 1995 ACM 0-8991 -718-9/95/0005..=50
a~l.
nents.
are
CCR-9396331.
en-
was
problem
all elements
a, e A, af
is positive
which
a finite
as a reduced
adjacent
bet-
prob-
public
symbols)
the freely
including
where
cryp-
word
direct
of a group
(abstract
relate
let A be
written
seems
provide
problem
generated average
at-
a public-key
that
precise,
prob-
cryptosystem that
tions
and
a finitely
decryption
of a group
presentation
of generators
part
cryptosys-
a hard-on-average
a public-key it
in
decide, whether
to a computer.
A finite
studying
is due
a public-key
average-case
of
on A
on
of hard-
for
word
Dehn
[Nov55]
unsolvable allows
word
to
exists
combinatorics
presentation
an input
is
Novikov
for
prob-
by
~, y,
there
interested
due to their
A finite
initiated
notion
motivation
construct
construct
promising
ter
to
a robust
The
are
desire
completeness,
proposes
problems.
problems to
groups
G.
problem
We are particularly
Problem
which
an
on the
word
original
words
that
a trapdoor
based
the
considered
and
in
with
word and
structed
y
distribution
The
first
G
proved
group
of
[Thu14],
to
[Boo59]
p-time
paper.
was
Thue
equivalent
lem.
well.
this
a group
presented
as
in
and
Boone
every
versions
groups
given
is
under
bounded
for
when
in-
is shown
problem
study
~, y, z,
when
more
groups
one.
be
We show that
under
NP
has
We
Tietze
NP-complete
NP-completeness
bounded
words
k times.
ery
when
elementary
random
are
decide,
(Z–lyZ)Z
in G using
yz)
word
instances
is to
group
whether
for at most
are
a bounded
random
presented
a finitely
and
presents
relation
and
by on
in a~l
reand
A is an
Y are words
on
A.
Let
K~
denote
be a finite
R
by the
the normal
XY-l
for
A and l? form
after
a finite
generators and
the
A group
quotient
presentation the
relations
semicolon.
For
A quantifier
may
similar
relations
instance,
Vx
quantified plicity,
in a compressed
binary
a given
to denote A be
statement
Vx
we use the
term
Suppose Y,
X
=
Y
and
Let
words.
u s
metric
XY-l,
and a-la
au–l
necessarily
that
Tietze
the
transformations
for
by ++~, where
ex-
{r,,
*R
k ~
operation.
Definition
1 Let
z be a word
2. If z is not Z2 could
word,
empty
then
z e~
y.
and has spelling
be possibly
null),
then
and
ZIZ2 z HR
(zl
Informally,
this
be obtained
tors
at
any
ity,
we
also
to
be
point
consider
by
that
an
eliminating
of the
elementary
obtained
means
by
original
the
word rela-
following
as such
applying
equivalent
For
the
is a
problem
word
of
problem
group
,for
G = [A; R],
and
a unary
notation
of
generators
and
(with
or
binary
?i, R
without
=
quanti-
form.
(U-lVU)W
are
1, m, randomly al,
made
+%
W(u-lvu)
in
a conjugation
and n,
of
G for
u on
and
v,
probability
binary
select
strings
u,
independently
,.,, al
and
with
respect
binary
independently
and and
probability
rl,
..., r-m.
The
to
default
the
distributions strings
as in
distribution
v,
choose
on
random stanpositive
[Lev86].
Hence,
is proportional
to
simplic2-(llAu~llo+l~l+
transformations
a transformation
elementary
word
presented
Randomly
uniform
integers
word
which
u o v.)
strings
choices
~1yz2.
or introducing word.
Is
Then
binary
or
dard can
in
integers
w.
randomized groups,
problem:
VU is called
by
positive
1. If ~ is an empty
quantifiers)
decision
relations
Probability:
and y be a relator.
words
strings.
randomized
{al, ..., al} of
(U-l
denoted
that
or without
of the original
coded
n?
Let
We use IA[
Ia,l.
as binary
u, v, w,
=
Question:
is a sym-
~~1
following
A finitely
A all
of
1~1 = n.
.. .. am}.
presented
3 The
. . . . rm}
presented
(with coded
strings
fiers),
code
n, we use ~
[A; R], we assume
is the following
where
to length
Thue.
instance:
elemen-
finitely
and
is a
We use II A Ilo to denote
the
Dehn
binary
1“ with {al,
to denote
finitely
modification
groups
transfor-
following
for
slight
are
v have
llAll~
consider
Definition
Ob-
reduced)
u and
Following
we define
[A; R], denoted
group
then
then
v means
theorem, Tietze
for
relators.
v be (not
the same spelling.
mation
We
integer
notation
its cardinality.
problem
sim-
are called
the
in -R are properly
by the
relation”
is a relation,
Y–lX
u and
Then
actly
“quantified
{0,1}
set of strings
and
if there
E =
A and relations
over
relations
specified
alphabet
a unary
Iail
z can
transformations
We use IzI to denote
For a presentation
For
E A : Z3 = Z2. For
if a is a generator,
relators.
sev-
statement.
YX–l,
viously,
~~~
Tietze
Z. For a positive
a finite
to denote
case, we say that
z is a relation
string
words.
y in G.
We use a binary
the
form.
A : X3 = X2 represents
c
such a quantified
tary
before
to describe
a: = a: for i = 1,2, ..., n. In this a? = a: for
X–l
~ -+%
all languages.
y be two
G in n steps
such that
[Al, Az; l?l, I&]
also be used
y in
I? on A
or sets of relations
example,
from
of n elementary
[A; R] to allow
notation
z and
sequence
of G, denoted
or sets of generators
several
be obtained
[A]/KR.
group
2 Let
G has a
[Al U Az; RI U R2].
means
eral
to the
We extend
semicolon
c R
A and a set of relations
if G is isomorphic
several
=Y
Definition
Let
of [A] generated
subgroup
X
set of generators
by [A; R].
on A.
set of relations
can
11A U R111)2”
(lrnn\ullvj[w[
be
transformations
We
show
that
the
lvl+lwl)
randomized
word
problem
for
twice. groups ●
If % ~ be then
The there #+
alXX2,
z’
s
ZIX–1Z2
possibly
null),
and
X
=
z fiR
zlYm2
and
z’
~R
subscript
1? is often
is no confusion. to denote
+-%
Let
omitted ~=+
for some
(~1
and
Y
is
X2 could
who
a relation,
ZIY–1Z2.
from o =.
+R
is is not
the
theory
to
Section
average-case familiar
NP-complete. with
the
of average-case 2 for
The
basic
completeness
a definition
of
reader
terminology
in
is referred
average-case
NP-
completeness.
when
Theorem
We use
1 The
randomized
groups is average-case
k.
word
NP-complete.
problem
for
We The
prove
same
it
completeness
word
not
ily to show
about
groups
is polynomially average-case
also
as in this
isomorphic
instances
In
of
this
section,
terminology
in
dis-
completeness
used in this
Let
eas-
problem
P(Z)
for
>0
problems
p is defined standard
deterministic
p“(z)
[WB95].
groups
bounded
4 The is the following
Instance: strings
A finitely
Z, y, and
Question: Definition
decision
problem:
presented
group
a unary
Is x +% 5 Let
notation
decision
for
G be a finitely
presented
for
group.
some
problem:
Instance:
Strings
Question:
Z, y, and
Is x #+
a unary
notation
This
il
y in G for k S n?
obtain
the
following
worst-case
complete-
ness results.
i.e.,
fixed
k
bounded
uniform
problem
for
such
groups is NP-complete.
0,
3 There
Theorem
G for
which
the
is a finitely bounded
presented problem
word
group is NP-
first is a similar
semigroups, relations fore
(also
without
strings by
where
Y
we can
rewriting
vice rule.
rect
operation
rules)
any
where
X
+
=
define
Notice
by quantified
X2, then
string-rewriting
rule, rules
string-rewriting
system
rewriting
rules)
serves
link
a Turing
aj
machine
X3 =
instead,
+%, if re-
relations
such
X2 is not
a di-
(i.e., as
an
the
computation
in
our
fault
uniform string,
that ger
form
group.
distributions.
h
p is dom-
f
a function
instance
by
(symp’
~J ~f
probability
probability then
f
that
of the
of the second then
and
prob-
v iff p is
[Gur91]. distribution
in [Gur91]
convenience,
that
we use ~
1
as the
distribution.
the standard
Let
uniform
de-
z be a
probabil-
of z is ~. function
~“ is p-time
a deterministic
every
string
A outputs
z
and
bounded
distributions
have
every
binary the
on
computable
algorithm
and
a finite
– YI S z-k,
polynomially
to a finitely
poly-
by ~ for 1 > 1 or even by -.
exists
for k,
1P*(z)
proof
of average
is a polynomial
to
It is indicated
A distribution
A
overmore
< h([xl)v(,z).
uniform
distribution
if there
set of all string-
bridge
notational
ity
the
= a? for z = 1,2, ..., n.
For
binary
that
it represents
‘.n(n+l)
0(1).
of other
probability
is one-one,
o ~
can be replaced
elementary
operation
if f by v
standard
of~is
is a string-
= which
if p is dominated
to a rare
Clearly,
The
of X
(lZlT(Z))kfor
[Lev86],
v if there
v)
=
on av-
Wp(z)
notion
respect
definition
Let
where
of rareness
time
respect
nomial
= 1. The
on Z’.
distribution
IZ / is used
test,
obvious We
i.e.,
distribution
one may allow
time
to a given
with
comes
p(x)
p(y),
complexity,
longer
A running
erage
G is the following
on Z*,
~Ze=.
order
is a measure
domness
NP-
1).
than r(z)
0(1).
and
= ~Vnl>o.
~
= axr,x.
= ~pK, if EqF = —— HpK is the z-th —— in I’ in the fixed order. Here p and q
are states in Q1.
where n is positive.
R4:
● g ‘1 is coded by ~, ●
as z! ~ y.
an actual
pose X z a;’ .” . afi~ is a (not necessarily
is coded
Q‘2”
is written
with
G = [A; R].
and power
●
●
to denote Symbolically,
group
in a much com-
words as follows. ●
as z ~ y and ~
y is substituted
We now give codings
concatenation
words
we write&
of a for y times.
the actual group op-
negative
where X and
rules above are followed.
it is exponen-
such a word as a direct
pressed form without
XY is written ~hen
relations.
= X1-l . . . X;lX;l,
the concatenation
number.
a, it can be represented
erations.
binary
so coded is easily distinguished
use words
tial to write
10, 0 with
(X,X2 . . . X1)-l
A bi-
struct ing group of symbol
We code a positive
1 with
of the
01.
any coded symbol coded binary
is a string
denoted
as ~.
a–n is coded by a–2ni a–2n2 .”. a–2”1, denoted — as o , where n=2n’-t 2~2+. ..+,and and nl>n2
This
>...
coding
>n120. scheme
R5: provides
representation for power
words.
a much
length of& is O(log ]z[ + log n). is only a representation of power does not introduce lations.
shorter
For instance,
new generating
the
Notice that this words and so it symbols
or re-
For any word w on S4, we use w to denote
the coded word
of w.
at ions for the power
R6: Let
One can easily define operwords
so coded following
the
length
in terms
of log lx 1, the length
way.
already,
then Y*”
(X-l)-l
=
=
W#x-lTixtx-l
=
x-txr,7x-tx~
W
=
Wx–txr~lx–tx
T7ri
=
xtx-1’Ti;$x-1T7
~r~l
Then X*n is coded as above (X), denoted as ~, where
For example,
S q(lzl)
of m, and the
r:l
is
coded as above by replacing ~ with (Y). Group operations can be applied on this representation in a natural
length
X,
positive
representing
1. ri W
If Y is a coded word
representing
all r-j:
of n.
Let X be a word. by replacing Q with n >0.
be a variable
on S1, let t be a variable
21WI, For all W with
standard rules such that, for example, a+~a+” = a+~~n, (a+~)-’ = a~n, (a~~~+n)-’ = ~~~a~~. — . These operations can be carried out in polynomial time
W
words
and for
O(log Izl)
2.
power strings
r~tx–~ = xty% r-lx-tx = x-txr-~ n#X-l
xtx-~n
=
One
~–~x–tx = x-tx~-~ It is easy to see that relations.
The number
of quantified length
R contains
of relations
relations
dent of z.
except
only thing
that
else can be symbolically evaluations).
is therefore relation length
(without
We will
system
The length quantifier)
obtain
the
same
E UEqFV,
result
where
and V, = X21viX-lriX21vi
‘2’U’X
M’
Similarly,
down
if
Oi =
X-1,
can
show
that
(sz$)’1
~
in G.
Using
a polynomial
and R6(2)
number
of relations
in R4
of R, we have
each
in R6 has
system.)
halts
is a polynomial
. .@k–l, V = EJk-l . . .IU21U1.
we
T–l&@–l
(i.e., without
specified
L in 17 with k < q(]zl)
on input
~
z iff
p such that
then (sz$oz)E
IJ!-l[(h-l~h)/+J — .
++
k < a fixed
if
IJ7-l[~(h-lrh)]IP ——
w
KXP-l&Q-’T@hm — — —
44
K(sz$ o T) — ———
~ so
in G with m