Is a forged signature the same sort of thing as a genuine signature, or is it a diﬀerent sort of thing?

— Gilbert Ryle (1900–1976),
*The Concept of Mind (1949)*

“Katherine, I gave him the code.

He veriﬁed the code.”

“But did you verify him?”

*— The Numbers Station (2013)*

### Digital Signatures

^{a}

*• Alice wants to send Bob a signed document x.*

*• The signature must unmistakably identifies the sender.*

*• Both Alice and Bob have public and private keys*
*e*^{Alice}*, e*^{Bob}*, d*^{Alice}*, d*^{Bob}*.*

*• Every cryptosystem guarantees D(d, E(e, x)) = x.*

*• Assume the cryptosystem also satisfies the commutative*
property

*E(e, D(d, x)) = D(d, E(e, x)).* (15)
**– E.g., the RSA system satisfies it as (x*** ^{d}*)

^{e}*= (x*

*)*

^{e}*.*

^{d}aDiﬃe & Hellman (1976).

### Digital Signatures Based on Public-Key Systems

*• Alice signs x as*

*(x, D(d*_{Alice}*, x)).*

*• Bob receives (x, y) and veriﬁes the signature by checking*
*E(e*_{Alice}*, y) = E(e*_{Alice}*, D(d*_{Alice}*, x)) = x*

based on Eq. (15).

*• The claim of authenticity is founded on the diﬃculty of*
*inverting E*_{Alice} *without knowing the key d*_{Alice}.

### Probabilistic Encryption

^{a}

*• A deterministic cryptosystem can be broken if the*

plaintext has a distribution that favors the “easy” cases.

*• The ability to forge signatures on even a vanishingly*
small fraction of strings of some length is a security
weakness if those strings were the probable ones!

*• A scheme may also “leak” partial information.*

**– Parity of the plaintext, e.g.**

*• The ﬁrst solution to the problems of skewed distribution*
and partial information was based on the QRA.

aGoldwasser and Micali (1982). This paper “laid the framework for modern cryptography” (2013).

### Shafi Goldwasser

^{a}

### (1958–)

aTuring Award (2013).

### Silvio Micali

^{a}

### (1954–)

aTuring Award (2013).

### Goldwasser and Micali

### A Useful Lemma

**Lemma 77 Let n = pq be a product of two distinct primes.**

*Then a number y ∈ Z*_{n}^{∗}*is a quadratic residue modulo n if*
*and only if (y | p) = (y | q) = 1.*

*• The “only if” part:*

**– Let x be a solution to x**^{2} *= y mod pq.*

**– Then x**^{2} *= y mod p and x*^{2} *= y mod q also hold.*

**– Hence y is a quadratic modulo p and a quadratic***residue modulo q.*

### The Proof (concluded)

*• The “if” part:*

**– Let a**^{2}_{1} *= y mod p and a*^{2}_{2} *= y mod q.*

**– Solve**

*x = a*_{1} *mod p,*
*x = a*_{2} *mod q,*

*for x with the Chinese remainder theorem.*

**– As x**^{2} *= y mod p, x*^{2} *= y mod q, and gcd(p, q) = 1,*
*we must have x*^{2} *= y mod pq.*

### The Jacobi Symbol and Quadratic Residuacity Test

*• The Legendre symbol can be used as a test for quadratic*
residuacity by Lemma 64 (p. 538).

*• Lemma 77 (p. 651) says this is not the case with the*
Jacobi symbol in general.

*• Suppose n = pq is a product of two distinct primes.*

*• A number y ∈ Z*_{n}^{∗}*with Jacobi symbol (y | pq) = 1 is a*
*quadratic nonresidue modulo n when*

*(y | p) = (y | q) = −1,*
*because (y | pq) = (y | p)(y | q).*

### The Setup

*• Bob publishes n = pq, a product of two distinct primes,*
*and a quadratic nonresidue y with Jacobi symbol 1.*

*• Bob keeps secret the factorization of n.*

*• Alice wants to send bit string b*_{1}*b*_{2} *· · · b**k* to Bob.

*• Alice encrypts the bits by choosing a random quadratic*
*residue modulo n if b** _{i}* is 1 and a random quadratic

nonresidue (with Jacobi symbol 1) otherwise.

*• So a sequence of residues and nonresidues are sent.*

*• Knowing the factorization of n, Bob can eﬃciently test*
quadratic residuacity and thus read the message.

### The Protocol for Alice

1: **for i = 1, 2, . . . , k do**

2: *Pick r ∈ Z*_{n}* ^{∗}* randomly;

3: **if b**_{i}**= 1 then**

4: *Send r*^{2} *mod n; {Jacobi symbol is 1.}*

5: **else**

6: *Send r*^{2}*y mod n; {Jacobi symbol is still 1.}*

7: **end if**

8: **end for**

### The Protocol for Bob

1: **for i = 1, 2, . . . , k do**

2: *Receive r;*

3: **if (r | p) = 1 and (r | q) = 1 then**

4: *b** _{i}* := 1;

5: **else**

6: *b** _{i}* := 0;

7: **end if**

8: **end for**

### Semantic Security

*• This encryption scheme is probabilistic.*

*• There are a large number of diﬀerent encryptions of a*
given message.

*• One is chosen at random by the sender to represent the*
message.

**– Encryption is a one-to-many mapping.**

*• This scheme is both polynomially secure and*
**semantically secure.**

### What Is a Proof?

^{a}

*• A proof convinces a party of a certain claim.*

**– “x**^{n}*+ y*^{n}*= z*^{n}*for all x, y, z ∈ Z*^{+} *and n > 2.”*

**– “Graph G is Hamiltonian.”**

**– “x**^{p}*= x mod p for prime p and p |x.”*

*• In mathematics, a proof is a ﬁxed sequence of theorems.*

**– Think of it as a written examination.**

*• We will extend a proof to cover a proof process by which*
the validity of the assertion is established.

**– Recall a job interview or an oral examination.**

a*“What then do you call proof?” Henry James (1902), The Wings of*
*the Dove.*

### Prover and Verifier

*• There are two parties to a proof.*

**– The prover (Peggy).**

**– The verifier (Victor).**

*• Given an assertion, the prover’s goal is to convince the*
**veriﬁer of its validity (completeness).**

*• The veriﬁer’s objective is to accept only correct*
**assertions (soundness).**

*• The veriﬁer usually has an easier job than the prover.*

*• The setup is very much like the Turing test.*^{a}

aTuring (1950).

### Interactive Proof Systems

* • An interactive proof for a language L is a sequence of*
questions and answers between the two parties.

*• At the end of the interaction, the veriﬁer decides*
whether the claim is true or false.

*• The veriﬁer must be a probabilistic polynomial-time*
algorithm.

*• The prover runs an exponential-time algorithm.*^{a}

**– If the prover is not more powerful than the veriﬁer,**
no interaction is needed!

aSee the problem to Note 12.3.7 on p. 296 and Proposition 19.1 on p. 475, both of the textbook, about alternative complexity assumptions without aﬀecting the deﬁnition. Contributed by Mr. Young-San Lin (B97902055) and Mr. Chao-Fu Yang (B97902052) on December 18, 2012.

### Interactive Proof Systems (concluded)

*• The system decides L if the following two conditions*
*hold for any common input x.*

* – If x ∈ L, then the probability that x is accepted by*
the veriﬁer is at least 1

*− 2*

*.*

^{−| x |}**– If x ∈ L, then the probability that x is accepted by***the veriﬁer with any prover replacing the original*
prover is at most 2* ^{−| x |}*.

*• Neither the number of rounds nor the lengths of the*
messages can be more than a polynomial of *| x |.*

### An Interactive Proof

!

!

!

!

!

' ' ' ' '

### IP

^{a}

* • IP is the class of all languages decided by an interactive*
proof system.

*• When x ∈ L, the completeness condition can be*
modiﬁed to require that the veriﬁer accept with
certainty without aﬀecting IP.^{b}

*• Similar things cannot be said of the soundness condition*
*when x ∈ L.*

*• Veriﬁer’s coin ﬂips can be public.*^{c}

aGoldwasser, Micali, & Rackoﬀ (1985).

bGoldreich, Mansour, & Sipser (1987).

cGoldwasser & Sipser (1989).

### The Relations of IP with Other Classes

*• NP ⊆ IP.*

**– IP becomes NP when the veriﬁer is deterministic and**
there is only one round of interaction.^{a}

*• BPP ⊆ IP.*

**– IP becomes BPP when the veriﬁer ignores the**
prover’s messages.

*• IP = PSPACE.*^{b}

aRecall Proposition 36 on p. 312.

bShamir (1990).

### Graph Isomorphism

*• V*_{1} *= V*_{2} = *{ 1, 2, . . . , n }.*

*• Graphs G*_{1} *= (V*_{1}*, E*_{1}*) and G*_{2} *= (V*_{2}*, E*_{2}) are
**isomorphic if there exists a permutation π on**

*{ 1, 2, . . . , n } so that (u, v) ∈ E*_{1} *⇔ (π(u), π(v)) ∈ E*_{2}.

*• The task is to answer if G*_{1} *∼*= *G*_{2}.

*• No known polynomial-time algorithms.*^{a}

*• The problem is in NP (hence IP).*

*• It is not likely to be NP-complete.*^{b}

aThe recent bound of Babai (2015) is 2^{O(log}^{c}* ^{n)}* for some constant

*c.*

bSch¨oning (1987).

### graph nonisomorphism

*• V*_{1} *= V*_{2} = *{ 1, 2, . . . , n }.*

*• Graphs G*_{1} *= (V*_{1}*, E*_{1}*) and G*_{2} *= (V*_{2}*, E*_{2}) are

**nonisomorphic if there exist no permutations π on***{ 1, 2, . . . , n } so that (u, v) ∈ E*_{1} *⇔ (π(u), π(v)) ∈ E*_{2}.

*• The task is to answer if G*_{1} *∼*= *G*_{2}.

*• Again, no known polynomial-time algorithms.*

**– It is in coNP, but how about NP or BPP?**

**– It is not likely to be coNP-complete.**^{a}

*• Surprisingly, graph nonisomorphism ∈ IP.*^{b}

aSch¨oning (1987).

bGoldreich, Micali, & Wigderson (1986).

### A 2-Round Algorithm

1: *Victor selects a random i ∈ { 1, 2 };*

2: *Victor selects a random permutation π on { 1, 2, . . . , n };*

3: *Victor applies π on graph G**i* *to obtain graph H;*

4: *Victor sends (G*^{1}*, H) to Peggy;*

5: **if G**^{1} *∼*= **H then**

6: *Peggy sends j = 1 to Victor;*

7: **else**

8: *Peggy sends j = 2 to Victor;*

9: **end if**

10: **if j = i then**

11: Victor accepts; *{G*^{1} *∼*= *G*^{2}.*}*

12: **else**

13: Victor rejects; *{G*^{1} *∼*= *G*^{2}.*}*

14: **end if**

### Analysis

*• Victor runs in probabilistic polynomial time.*

*• Suppose G*^{1} *∼*= *G*^{2}.

**– Peggy is able to tell which G***i* *is isomorphic to H, so j = i.*

**– So Victor always accepts.**

*• Suppose G*^{1} *∼*= *G*^{2}.

**– No matter which i is picked by Victor, Peggy or any***prover sees 2 identical copies.*

**– Peggy or any prover with exponential power has only**
*probability one half of guessing i correctly.*

**– So Victor erroneously accepts with probability 1/2.**

*• Repeat the algorithm to obtain the desired probabilities.*

### Knowledge in Proofs

*• Suppose I know a satisfying assignment to a satisﬁable*
boolean expression.

*• I can convince Alice of this by giving her the assignment.*

*• But then I give her more knowledge than is necessary.*

**– Alice can claim that she found the assignment!**

**– Login authentication faces essentially the same issue.**

**– See**

www.wired.com/wired/archive/1.05/atm pr.html for a famous ATM fraud in the U.S.

### Knowledge in Proofs (concluded)

*• Suppose I always give Alice random bits.*

*• Alice extracts no knowledge from me by any measure,*
but I prove nothing.

*• Question 1: Can we design a protocol to convince Alice*
(the knowledge) of a secret without revealing anything
extra?

*• Question 2: How to deﬁne this idea rigorously?*

### Zero Knowledge Proofs

^{a}

*An interactive proof protocol (P, V ) for language L has the*
**perfect zero-knowledge property if:**

*• For every veriﬁer V* ^{}*, there is an algorithm M with*
expected polynomial running time.

*• M on any input x ∈ L generates the same probability*
distribution as the one that can be observed on the
*communication channel of (P, V* ^{}*) on input x.*

aGoldwasser, Micali, & Rackoﬀ (1985).

### Comments

*• Zero knowledge is a property of the prover.*

**– It is the robustness of the prover against attempts of**
the veriﬁer to extract knowledge via interaction.

**– The veriﬁer may deviate arbitrarily (but in**

polynomial time) from the predetermined program.

**– A veriﬁer cannot use the transcript of the interaction**
to convince a third-party of the validity of the claim.

**– The proof is hence not transferable.**

### Comments (continued)

*• Whatever a veriﬁer can “learn” from the speciﬁed prover*
*P via the communication channel could as well be*

computed from the veriﬁer alone.

*• The veriﬁer does not learn anything except “x ∈ L.”*

*• Zero-knowledge proofs yield no knowledge in the sense*
that they can be constructed by the veriﬁer who believes
the statement, and yet these proofs do convince him.

### Comments (continued)

*• The “paradox” is resolved by noting that it is not the*
transcript of the conversation that convinces the veriﬁer.

*• But the fact that this conversation was held “on line.”*

*• Computational zero-knowledge proofs are based on*
complexity assumptions.

**– M only needs to generate a distribution that is**

computationally indistinguishable from the veriﬁer’s view of the interaction.

### Comments (concluded)

*• If one-way functions exist, then zero-knowledge proofs*
exist for every problem in NP.^{a}

*• If one-way functions exist, then zero-knowledge proofs*
exist for every problem in PSPACE.^{b}

*• The veriﬁer can be restricted to the honest one (i.e., it*
follows the protocol).^{c}

*• The coins can be public.*^{d}

*• The digital money Zcash (2016) is based on*
zero-knowledge proofs.

aGoldreich, Micali, & Wigderson (1986).

bOstrovsky & Wigderson (1993).

cVadhan (2006).

### Quadratic Residuacity

*• Let n be a product of two distinct primes.*

*• Assume extracting the square root of a quadratic residue*
*modulo n is hard without knowing the factors.*

*• We next present a zero-knowledge proof for the input*
*x ∈ Z*_{n}^{∗}

being a quadratic residue.

### Zero-Knowledge Proof of Quadratic Residuacity

1: **for m = 1, 2, . . . , log**_{2} **n do**

2: *Peggy chooses a random v ∈ Z*_{n}* ^{∗}* and sends

*y = v*

^{2}

*mod n to Victor;*

3: *Victor chooses a random bit i and sends it to Peggy;*

4: *Peggy sends z = u*^{i}*v mod n, where u is a square root*
*of x; {u*^{2} *≡ x mod n.}*

5: *Victor checks if z*^{2} *≡ x*^{i}*y mod n;*

6: **end for**

7: *Victor accepts x if Line 5 is conﬁrmed every time;*

### A Useful Corollary of Lemma 77 (p. 651)

**Corollary 78 Let n = pq be a product of two distinct**

*primes. (1) If x and y are both quadratic residues modulo n,*
*then xy ∈ Z*_{n}^{∗}*is a quadratic residue modulo n. (2) If x is a*
*quadratic residue modulo n and y is a quadratic nonresidue*
*modulo n, then xy ∈ Z*_{n}^{∗}*is a quadratic nonresidue modulo n.*

*• Suppose x and y are both quadratic residues modulo n.*

*• Let x ≡ a*^{2} *mod n and y ≡ b*^{2} *mod n.*

*• Now xy is a quadratic residue as xy ≡ (ab)*^{2} *mod n.*

### The Proof (concluded)

*• Suppose x is a quadratic residue modulo n and y is a*
*quadratic nonresidue modulo n.*

*• By Lemma 77 (p. 651), (x | p) = (x | q) = 1 but, say,*
*(y | p) = −1.*

*• Now xy is a quadratic nonresidue as (xy | p) = −1, again*
by Lemma 77 (p. 651).

### Analysis

*• Suppose x is a quadratic residue.*

**– Then x’s square root u can be computed by Peggy.**

**– Peggy can answer all challenges.**

**– Now,**

*z*^{2} *≡*

*u*^{i}_{2}

*v*^{2} *≡*

*u*^{2}_{i}

*v*^{2} *≡ x*^{i}*y mod n.*

**– So Victor will accept x.**

### Analysis (continued)

*• Suppose x is a quadratic nonresidue.*

**– Corollary 78 (p. 678) says if a is a quadratic residue,***then xa is a quadratic nonresidue.*

**– As y is a quadratic residue, x**^{i}*y can be a quadratic*
*residue (see Line 5) only when i = 0.*

**– Peggy can answer only one of the two possible**
*challenges, when i = 0.*^{a}

**– So Peggy will be caught in any given round with**
probability one half.

aLine 5 (*z*^{2} *≡ x*^{i}*y mod n) cannot equate a quadratic residue z*^{2} with
a quadratic nonresidue *x*^{i}*y when i = 1.*

### Analysis (continued)

*• How about the claim of zero knowledge?*

*• The transcript between Peggy and Victor when x is a*
*quadratic residue can be generated without Peggy!*

*• Here is how.*

*• Suppose x is a quadratic residue.*^{a}

*• In each round of interaction with Peggy, the transcript is*
*a triplet (y, i, z).*

*• We present an eﬃcient Bob that generates (y, i, z) with*
*the same probability without accessing Peggy’s power.*

aThere is no zero-knowledge requirement when *x ∈ L.*

### Analysis (concluded)

1: *Bob chooses a random z ∈ Z*_{n}* ^{∗}*;

2: *Bob chooses a random bit i;*

3: *Bob calculates y = z*^{2}*x*^{−i}*mod n;*^{a}

4: *Bob writes (y, i, z) into the transcript;*

aRecall Line 5 on p. 677: Victor checks if *z*^{2} *≡ x*^{i}*y mod n.*

### Comments

*• Assume x is a quadratic residue.*

*• For (y, i, z), y is a random quadratic residue, i is a*
*random bit, and z is a random number.*

*• Bob cheats because (y, i, z) is not generated in the same*
order as in the original transcript.

**– Bob picks Peggy’s answer z ﬁrst.**

**– Bob then picks Victor’s challenge i.**

**– Bob ﬁnally patches the transcript.**

### Comments (concluded)

*• So it is not the transcript that convinces Victor, but*
*that conversation with Peggy is held “on line.”*

*• The same holds even if the transcript was generated by*
a cheating Victor’s interaction with (honest) Peggy.

*• But we skip the details.*^{a}

aOr apply Vadhan (2006).

### Zero-Knowledge Proof of 3 Colorability

^{a}

**1: for i = 1, 2, . . . , | E |**^{2} **do**

2: Peggy chooses a random permutation *π of the 3-coloring φ;*

3: Peggy samples encryption schemes randomly, commits^{b} them,
and sends *π(φ(1)), π(φ(2)), . . . , π(φ(| V |)) encrypted to Victor;*

4: Victor chooses at random an edge *e ∈ E and sends it to Peggy*
for the coloring of the endpoints of *e;*

5: **if e = (u, v) ∈ E then**

6: Peggy reveals the colors *π(φ(u)) and π(φ(v)) and “proves”*

that they correspond to their encryptions;

7: **else**

8: Peggy stops;

9: **end if**

aGoldreich, Micali, & Wigderson (1986).

bContributed by Mr. Ren-Shuo Liu (D98922016) on December 22, 2009.

10: **if the “proof” provided in Line 6 is not valid then**
11: Victor rejects and stops;

12: **end if**

13: * if π(φ(u)) = π(φ(v)) or π(φ(u)), π(φ(v)) ∈ { 1, 2, 3 } then*
14: Victor rejects and stops;

15: **end if**
**16: end for**

17: Victor accepts;

### Analysis

*• If the graph is 3-colorable and both Peggy and Victor*
follow the protocol, then Victor always accepts.

*• Suppose the graph is not 3-colorable and Victor follows*
the protocol.

*• Let e be an edge that is not colored legally.*

*• Victor will pick it with probability 1/m per round,*
*where m = | E |.*

*• Then however Peggy plays, Victor will reject with*
*probability at least 1/m per round.*

### Analysis (concluded)

*• So Victor will accept with probability at most*

1 *− m*^{−1}_{m}^{2}

*≤ e*^{−m}*.*

*• Thus the protocol is a valid IP protocol.*

*• This protocol yields no knowledge to Victor as all he*
gets is a bunch of random pairs.

*• The proof that the protocol is zero-knowledge to any*
veriﬁer is intricate.^{a}

aBut no longer necessary because of Vadhan (2006).

### Comments

*• Each π(φ(i)) is encrypted by a diﬀerent cryptosystem in*
Line 3.^{a}

**– Otherwise, all the colors will be revealed in Line 6.**

*• Each edge e must be picked randomly.*^{b}

**– Otherwise, Peggy will know Victor’s game plan and**
plot accordingly.

aContributed by Ms. Yui-Huei Chang (R96922060) on May 22, 2008

bContributed by Mr. Chang-Rong Hung (R96922028) on May 22, 2008

*Approximability*

All science is dominated by the idea of approximation.

— Bertrand Russell (1872–1970)

Just because the problem is NP-complete does not mean that you should not try to solve it.

— Stephen Cook (2002)

### Tackling Intractable Problems

*• Many important problems are NP-complete or worse.*

**• Heuristics have been developed to attack them.**

**• They are approximation algorithms.**

*• How good are the approximations?*

* – We are looking for theoretically guaranteed bounds,*
not “empirical” bounds.

*• Are there NP problems that cannot be approximated*
*well (assuming NP* *= P)?*

*• Are there NP problems that cannot be approximated at*
*all (assuming NP* *= P)?*

### Some Definitions

**• Given an optimization problem, each problem****instance x has a set of feasible solutions F (x).**

*• Each feasible solution s ∈ F (x) has a cost c(s) ∈ Z*^{+}.
**– Here, cost refers to the quality of the feasible**

solution, not the time required to obtain it.

**– It is our objective function: total distance, number**
of satisﬁed clauses, cut size, etc.

### Some Definitions (concluded)

**• The optimum cost is**

opt*(x) = min*

*s∈F (x)**c(s)*
for a minimization problem.

*• It is*

opt*(x) = max*

*s∈F (x)**c(s)*
for a maximization problem.

### Approximation Algorithms

*• Let (polynomial-time) algorithm M on x returns a*
feasible solution.

**• M is an -approximation algorithm, where ≥ 0, if***for all x,*

*| c(M(x)) − opt(x) |*

*max(opt(x), c(M (x)))* *≤ .*

**– For a minimization problem,**

*c(M (x)) − min*_{s∈F (x)}*c(s)*

*c(M (x))* *≤ .*

**– For a maximization problem,**

max_{s∈F (x)}*c(s) − c(M (x))*

max_{s∈F (x)}*c(s)* *≤ .* (16)

### Lower and Upper Bounds

*• For a minimization problem,*

*s∈F (x)*min *c(s) ≤ c(M (x)) ≤* min_{s∈F (x)}*c(s)*
1 *− * *.*

*• For a maximization problem,*
(1 *− ) × max*

*s∈F (x)**c(s) ≤ c(M (x)) ≤ max*

*s∈F (x)**c(s).* (17)

### Lower and Upper Bounds (concluded)

*• ranges between 0 (best) and 1 (worst).*

*• For minimization problems, an -approximation*
algorithm returns solutions within

opt*,* opt
1 *− *

*.*

*• For maximization problems, an -approximation*
algorithm returns solutions within

[ (1 *− ) × opt, opt ].*

### Approximation Thresholds

*• For each NP-complete optimization problem, we shall be*
*interested in determining the smallest for which there*
*is a polynomial-time -approximation algorithm.*

*• But sometimes has no minimum value.*

**• The approximation threshold is the greatest lower***bound of all ≥ 0 such that there is a polynomial-time*

*-approximation algorithm.*

*• By a standard theorem in real analysis, such a threshold*
exists.^{a}

aBauldry (2009).

### Approximation Thresholds (concluded)

*• The approximation threshold of an optimization*

problem is anywhere between 0 (approximation to any desired degree) and 1 (no approximation is possible).

*• If P = NP, then all optimization problems in NP have*
an approximation threshold of 0.

*• So assume P = NP for the rest of the discussion.*

### Approximation Ratio

*• -approximation algorithms can also be measured via*
**the approximation ratio:**^{a}

*c(M (x))*
opt*(x)* *.*

*• For a minimization problem, the approximation ratio is*
1 *≤* *c(M (x))*

min_{s∈F (x)}*c(s)* *≤* 1

1 *− .* (18)

*• For a maximization problem, the approximation ratio is*
1 *− ≤* *c(M (x))*

max_{s∈F (x)}*c(s)* *≤ 1.* (19)

aWilliamson and Shmoys (2011).

### Approximation Ratio (concluded)

*• Suppose there is an approximation algorithm that*
*achieves an approximation ratio of θ.*

**– For a minimization problem, it implies a**

(1 *− θ** ^{−1}*)-approximation algorithm by Eq. (18).

**– For a maximization problem, it implies a**

(1 *− θ)-approximation algorithm by Eq. (19).*

### node cover

*• node cover seeks the smallest C ⊆ V in graph*

*G = (V, E) such that for each edge in E, at least one of*
*its endpoints is in C.*

*• A heuristic to obtain a good node cover is to iteratively*
*move a node with the highest degree to the cover.*

*• This turns out to produce an approximation ratio of*^{a}
*c(M (x))*

opt*(x)* *= Θ(log n).*

*• So it is not an -approximation algorithm for any*
*constant < 1 according to Eq. (18) on p. 702.*

aChv´atal (1979).

### A 0.5-Approximation Algorithm

^{a}

1: *C := ∅;*

2: **while E = ∅ do**

3: *Delete an arbitrary edge [ u, v ] from E;*

4: *Add u and v to C; {Add 2 nodes to C each time.}*

5: *Delete edges incident with u or v from E;*

6: **end while**

7: **return C;**

aGavril (1974).

### Analysis

*• It is easy to see that C is a node cover.*

*• C contains | C |/2 edges.*^{a}

*• No two edges of C share a node.*^{b}

*• Any node cover C** ^{}* must contain at least one node from

*each of the edges of C.*

**– If there is an edge in C both of whose ends are***outside C*^{}*, then C** ^{}* will not be a cover.

aThe edges deleted in Line 3.

bIn fact, *C as a set of edges is a maximal matching.*

### Analysis (continued)

### Analysis (concluded)

*• This means that opt(G) ≥ | C |/2.*

*• The approximation ratio is hence*

*| C |*

opt*(G)* *≤ 2.*

*• So we have a 0.5-approximation algorithm.*^{a}

*• And the approximation threshold is therefore ≤ 0.5.*

aRecall p. 703.

### The 0.5 Bound Is Tight for the Algorithm

^{a}

Optimal cover

aContributed by Mr. Jenq-Chung Li (R92922087) on December 20, 2003. Recall that K¨onig’s theorem says the size of a maximum matching

### Remarks

*• The approximation threshold is at least*^{a}
1 *−*

10*√*

5 *− 21*_{−1}

*≈ 0.2651.*

*• The approximation threshold is 0.5 if one assumes the*
**unique games conjecture (ugc).**^{b}

*• This ratio 0.5 is also the lower bound for any “greedy”*

algorithms.^{c}

aDinur & Safra (2002).

bKhot & Regev (2008).

cDavis & Impagliazzo (2004).