Set Families with Low Pairwise Intersection
aa r X i v : . [ c s . CC ] A p r Set Families with Low Pairwise Intersection
Calvin BeidemanHigh School [email protected]
Jeremiah BlockiCarnegie Mellon University [email protected]
January 19, 2018
Abstract
A ( n, ℓ, γ )-sharing set family of size m is a family of sets S , . . . , S m ⊆ [ n ] s.t. each sethas size ℓ and each pair of sets shares at most γ elements. We let m ( n, ℓ, γ ) denote themaximum size of any such set family and we consider the following question: How largecan m ( n, ℓ, γ ) be? ( n, ℓ, γ )-sharing set families have a rich set of applications includingthe construction of pseudorandom number generators[NW94] and usable and securepassword management schemes [BBD13]. We analyze the explicit construction of Blockiet al [BBD13] using recent bounds [Son09] on the value of the t ’th Ramanujan prime[Ram19]. We show that this explicit construction produces a (cid:0) ℓ ln 4 ℓ, ℓ, γ (cid:1) -sharing setfamily of size (2 ℓ ln 2 ℓ ) γ +1 for any ℓ ≥ γ . We also show that the construction of Blocki etal [BBD13] can be used to obtain a weak ( n, ℓ, γ )-sharing set family of size m for any m >
0. These results are competitive with the inexplicit construction of Raz et al [RRV99]for weak ( n, ℓ, γ )-sharing families. We show that our explicit construction of weak( n, ℓ, γ )-sharing set families can be used to obtain a parallelizable pseudorandom numbergenerator with a low memory footprint by using the pseudorandom number generatorof Nisan and Wigderson[NW94]. We also prove that m ( n, n/c , c n ) must be a constantwhenever c ≤ c + c . We show that this bound is nearly tight as m ( n, n/c , c n ) growsexponentially fast whenever c > c − . Informally, we define an ( n, ℓ, γ )-sharing set family of size m to be a collection of m sub-sets of [ n ], each of size ℓ , no two of which have more than γ elements in common, andwe let m ( n, ℓ, γ ) denote the maximum size of such a set family. How large can m ( n, ℓ, γ )be? Can we find explicit constructions of large ( n, ℓ, γ )-sharing set families? While thesecombinatorial questions are interesting in their own right, these question also have numer-ous practical implications including the construction of pseudorandom number generators[NW94], randomness extractors[Tre01, RRV99] and most recently usable and secure pass-word management scheme (systematic strategies for users to create and remember multiplepasswords) [BBD13]. Applications to Pseudorandom Number Generation
A pseudorandom number gen-erator is a function G : { , } n → m which takes a uniformly random seed x ∼ { , } n oflength n , and outputs a string G ( x ) ∈ { , } m ( m ≫ n ) which “looks random.” Nisan and1igderson used a ( n, ℓ = O ( √ n ) , γ = log m )-sharing set family S = { S , . . . , S m } of size m to construct pseudorandom number generators [NW94]. In particular, they define thepseudorandom number generator NW P, S ( x ) = P (cid:0) x | S (cid:1) . . . P (cid:0) x | S m (cid:1) , where x | S i ∈ { , } ℓ denotes the bits of x ∈ { , } ℓ at the indices specified by S i and P : { , } ℓ → { , } is apredicate. If the predicate P : { , } ℓ → { , } is “hard” for circuits of size H ℓ ( P ) to predict then no circuit of size H ℓ ( P ) − O ( m γ ) will be able to distinguish NW P, S ( x ) from atruly random binary string of length m , when the seed x ∼ { , } n is chosen uniformly atrandom. In this context, n is the length of the random seed, m is the number of random bitsextracted and the pseudorandom number generator fools circuits of size H ℓ ( P ) − O ( m γ ).Thus, we would like to find ( n, ℓ, γ )-sharing set families where n is small, m is large (e.g.,we can extract many pseudorandom bits from a small seed) and γ is small (e.g., so that thepseudorandom bits look random to a large circuit). Nisan and Wigderson gave an explicitconstruction of an (cid:0) ℓ , ℓ, γ (cid:1) -sharing set family of size ℓ γ +1 . Applications to Randomness Extractors
Trevisan used the pseudorandom numbergenerator of Nisan and Wigderson to construct a randomness extractor [Tre01]. A ( k, ǫ )randomness extractor is a function
Ext : { , } ˆ ℓ × { , } n → { , } m that takes a string x ∼ D , where D is a distribution over { , } ˆ ℓ with minimum entropy k , along with a n additional uniformly random bits x ∼ { , } n and extracts an m -bit string y ∈ { , } m thatis almost uniformly random (e.g., distribution over y ∈ { , } m is ǫ -close to the uniformdistribution U m over { , } m ). Trevisan used the string x to select a random predicate P : { , } ℓ → { , } , and then extracted m bits by running NW P, S ( x ). Raz et al [RRV99]observed that the pseudorandom number generator Nisan and Wigderson could be builtusing a weak ( n, ℓ, γ )-sharing set family of size m , and showed how to construct weak ( n, ℓ, γ )-sharing set family of size m for any value of m as long as n ≥ ⌈ ℓγ ⌉ ℓ . However, theirconstruction was not explicit. Advantages of Explicit Constructions
One nice property of the Nisan WigdersonPseudorandom number generator is that it is highly parallelizable. For each j ∈ [ m ] we cancompute the j ’th bit NW P, S ( x ) [ j ] = P (cid:16) x | S j (cid:17) independently as long as we can quicklyfind the set S j ∈ S . Observe that we would need space at least O ( mℓ log n ) to store theset family S = { S , . . . , S m } , which could be a problem especially when m is very large.However, if the set family has an explicit construction (e.g., there is a small circuit C s.t. C ( i ) = S i for all i ∈ [ m ]) then we can simply compute NW P, S ( x ) [ j ] = P (cid:0) x | C ( j ) (cid:1) . Applications to Password Management
Recently Blocki et al [BBD13] used ( n, ℓ, γ )–sharing set families to develop usable and secure password management schemes. In theirproposed password management scheme, Shared Cues, the user memorizes and rehearses n secret stories. From these n stories the user is able to create m ( n, ℓ, γ ) different passwords.In particular, the password at each of the user’s accounts is formed by appending ℓ of thesesecret stories together. A usable password management scheme should keep n and ℓ as smallas possible so that the user does not have to memorize too many stories and type too many Nisan and Wigderson observe that a random predicate P will satisfy this property with highprobability[NW94]. γ is a security parameter which specifies how muchinformation one password might leak about another (e.g., if an adversary learns the user’sAmazon password then he learns at most γ of the user’s stories for eBay). A secure passwordmanagement scheme should keep γ as small as possible (so that one password does not leaktoo much information about another password) and ℓ as large as possible (so that eachpassword has high entropy). Blocki et al [BBD13] gave a construction of ( n, ℓ, γ )–sharing setfamilies using the Chinese Remainder Theorem. Given pairwise coprime numbers n , . . . , n ℓ s.t. n = n + . . . + n ℓ they construct S , . . . , S m where S i = { P j − k =1 n k +( i mod n j ) : j ∈ [ ℓ ] } . They use the Chinese Remainder Theorem to prove that max i = j | S i ∩ S j | ≤ γ as longas m ≤ Q γ +1 i =1 n i . Contributions
We analyze the explicit construction of Blocki et al [BBD13] and showthat it is competitive with the explicit construction of Nisan and Wigderson [NW94]. Ouranalysis uses recent bounds [Son09] on the value of the t ’th Ramanujan prime [Ram19].We also show that the construction of Blocki et al can be used to explicitly construct weak ( n, ℓ, γ )-sharing set families whose size is very large. Our analysis shows that this explicitconstruction is competitive with the non-explicit construction of Raz et al [RRV99]. Weshow that our explicit construction of weak ( n, ℓ, γ )-sharing set families can be used toobtain a parallelizable pseudorandom number generator with a low memory footprint byusing the pseudorandom number generator of Nisan and Wigderson[NW94].We also proveseveral upper bounds on the value of m ( n, ℓ, γ ) when ℓ and γ are in a constant ratio to n . Organization
The paper is organized as follows: We first introduce related work inSection 1.1. We then introduce preliminary definitions in Section 2. In Section 3 we analyzethe construction of Blocki et. al, and state a lower bound on m ( n, ℓ, γ ) that can be derivedfrom it. We compare this lower bound to the construction of Nisan and Wigderson. We alsoshow that this explicit construction yields a good weak ( n, ℓ, γ )-sharing set family. In Section4 we explain how the explicit construction of Blocki et al [BBD13] can be used to obtaina highly parallelizable pseudorandom number generator with a low memory footprint. InSection 5 we explore some cases where ℓ and γ are in a constant ratio to n and prove anupper bound on m ( n, ℓ, γ ) as n grows large. We show that our upper bounds are nearlytight. We conclude in Section 6 by discussing cases that do not meet the conditions for anyof our bounds, and hypotheses about how our bounds could be made stronger. The problem of finding maximally sized ( n, ℓ, γ )–sharing set families was considered at leastas early as 1956 by Paul Erd˝os and Alfr´ed R´enyi [ER56], and applications of some of thesefamilies may have been considered by Euler [Eul82]. Erd˝os explored properties of thesefamilies several times [EH63] [EFF85], and R¨odl built on his work [R¨od85].( n, ℓ, γ )–sharing set families were rediscovered by Nisan and Wigderson [NW94], whoused them to design a pseudorandom number generator. Trevisan showed how to use( n, ℓ, γ )–sharing set families to construct pseudorandom extractors [Tre01]. Extractors arealgorithms that transform weakly random sources into a uniformly random source. Raz etal [RRV99] improved on Trevisan’s pseudorandom extractors by introducing a weakened3otion of ( n, ℓ, γ )–sharing set families. They require that the set family S , . . . , S m ⊆ [ n ]satisfies | S i | = ℓ and P j
1) for all i ∈ [ m ] (instead of | S i T S j | ≤ γ ).Observe that every ( n, ℓ, γ )–sharing set family also satisfies these weaker requirements.Using this relaxed definition Raz et al [RRV99] showed how to extract a uniformly randomstring y ∈ { , } k using at most O (cid:0) log n (cid:1) bits of information given a string x ∈ { , } n chosen at random from a distribution D with minimum entropy k . To obtain their resultsthey show how to construct very large weak ( n, ℓ, γ )–sharing set families. However, theirconstruction is not explicit. We use the construction of Blocki et al to obtain an explicitconstruction of large weak ( n, ℓ, γ )–sharing set families.Blocki et al [BBD13] proposed a construction of m ( n, ℓ, γ )–sharing set families basedon the Chinese Remainder Theorem. In their analysis of their construction they focusedon parameters that were appropriate for the context of password management (e.g., ℓ =4 , γ = 1 , n = 43). We extend their analysis to include a broader range of parameters. Ouranalysis uses recent results of Sondow [Son09], who provided a (nearly) asymptotically tightbound on the value of the t ’th Ramanujan prime [Ram19]. We show that the constructionof Blocki et al [BBD13] yields a larger ( n, ℓ, γ )-sharing set family than the construction ofNisan and Widgerson [NW94] with equivalent values of n and γ (though the value of ℓ isslightly smaller). We begin by formally defining an ( n, ℓ, γ )–sharing set family (Definition 1).
Definition 1. An ( n, ℓ, γ ) –sharing set family S , . . . , S m ⊆ [ n ] of size m satisfies the fol-lowing conditions: (1) ∀ i ∈ [ m ] . | S i | = ℓ , and (2) ∀ ≤ i < j ≤ m. | S i T S j | ≤ γ . We use m ( n, ℓ, γ ) to denote the maximum value of m such that there exists an n, ℓ, γ sharing setfamily of size m . We say that a set family S , . . . , S m ⊆ [ n ] is explicitly constructible ifthere is a circuit C of size O ( n ) that computes C ( i ) = S i for each i ∈ [ m ] . Nisan and Wigderson referred to these families as ( k, m )-designs [NW94]. We follow thenotation of Blocki et al [BBD13]. The construction of Blocki et al [BBD13] relies on theChinese Remainder Theorem. To analyze their construction we will be interested in findinga large set S = { t , . . . , t ℓ } of integers such that S has size ℓ , the numbers in S are pairwisecoprime, P ℓi =1 t i ≤ n and each t i ≥ n ℓ . We will rely on recent results on prime density. Definition 2. π ( t ) indicates the number of prime numbers less than or equal to t . ππ ( t ) indicates the maximum | S | such that S ⊆ (cid:8) ⌈ t ⌉ , ..., t (cid:9) and ∀ i = j ∈ S. GCD ( i, j ) = 1 . We are particularly interested in lower bounding the value ππ ( x ). Clearly, ππ ( x ) ≥ π ( x ) − π ( x/ π ( x ) − π ( x/
2) using Ramanujan primes.
Definition 3. [Ram19] The t’th Ramanujan Prime is the smallest integer R t s.t. π ( x ) − π ( x/ ≥ t for all x ≥ R t . Allowing n to equal at least ℓR ℓ guarantees that (cid:8) n ℓ , nℓ (cid:9) contains at least ℓ primes whichwill satisfy the conditions of the Blocki conjecture. Sondow’s bounds on Ramanujan primes(see Theorem 2) allow us to express this bound on n as an elementary function.4 .1 Pseudorandom Number Generators and Randomness Extractors Before we formally define a pseudorandom number generator we first define a pseudorandomdistribution X over { , } m . Informally, definition 4 say that distribution is pseudorandoma distribution that ‘appears’ random to any ‘small enough’ circuit. Given a circuit C weuse Adv C ( X ) = (cid:12)(cid:12)(cid:12)(cid:12) Pr x ∈ X [ C ( x ) = 1] − P r x ∈ U m [ C ( x ) = 1] (cid:12)(cid:12)(cid:12)(cid:12) to denote the advantage of C at predicting whether x was drawn from the distribution X orfrom U m , where U m is the uniform distribution over { , } m . The distribution X ‘appears’random to a circuit C if Adv C ( X ) is small. Definition 4.
A distribution X over { , } m is said to be ( s, ǫ ) -pseudorandom if, given anycircuit C (taking m inputs) of size at most s , Adv C ( X ) ≤ ǫ . Given a distribution X over { , } n and a function G : { , } n → { , } m we use G ( X )to denote the distribution over { , } m induced by G . Informally, a function G : { , } n →{ , } m is pseudorandom if it induces a pseudorandom distribution. Definition 5.
Let { G n } n ∈ N be a family of functions such that G n : { , } n → { , } m . Wesay the family is a ( s, ǫ ) -pseudorandom number generator if G is computable in time O ( n ) ,and G ( U n ) considered as a distribution is ( s, ǫ ) -pseudorandom. Nisan and Wigderson [NW94] show how to construct a pseudorandom number generator G : { , } n → { , } m using any ( n, ℓ, γ )-sharing set family of size m . Their constructionassumes the existence of a predicate f : { , } ℓ → { , } that is hard for ‘small’ circuits topredict. Definition 6.
Let f : { , } ℓ → { , } be a boolean function. We say that f is ( s, ǫ ) -hard iffor any circuit C of size s , (cid:12)(cid:12)(cid:12) Pr x ∼{ , } ℓ [ C ( x ) = f ( x )] − (cid:12)(cid:12)(cid:12) ≤ ǫ. Observe that a random function will fool all small circuits with high probability .Following, Nisan and Wigderson we use H ( f ) to denote the hardness of a function f . Definition 7.
Let f : { , } ∗ → { , } be a boolean function and let f ℓ be the restrictionof f to strings of length ℓ . The hardness of f at ℓ , H f ( ℓ ) is defined to be the maximuminteger h ℓ such that f ℓ is (1 /h ℓ , h ℓ ) − hard . Raz et al [RRV99] showed that the Nisan-Wigderson pseudorandom number generatorworks even if the family of sets S , ..., S m only satisfies the weaker condition from definition8. Observe that any ( n, ℓ, γ )-sharing set family is also a weak ( n, ℓ, γ )-sharing set family,but the converse is not necessarily true. We also note that as m increases the requirement P j
1) becomes increasingly lax. This allows us to construct arbitrarilylarge weak ( n, ℓ, γ )-sharing families.
Definition 8.
A family of sets S , ..., S m ⊂ [ n ] is a weak ( n, ℓ, γ ) -sharing set family if (1) ∀ i ∈ [ m ] . | S i | = ℓ , and (2) ∀ i ∈ [ m ] . P j
Nisan and Wigderson [NW94] gave an explicit construction of (cid:0) ℓ , ℓ, γ (cid:1) -sharing set familiesof size m = ℓ γ +1 for any prime power ℓ . Given a polynomial p ( x ) with coefficients in GF ( ℓ ),the finite field of size ℓ , they define the set S p = { ( x, p ( x )) x ∈ GF ( ℓ ) } . The family S = { S p p has degree ≤ γ } is (cid:0) ℓ , ℓ, γ (cid:1) -sharing and has size m = |S| = ℓ γ +1 . Given pairwisecoprime numbers n < . . . < n ℓ Blocki et al [BBD13] provided an explicit constructionof (cid:16)P ℓi =1 n i , ℓ, γ (cid:17) -sharing families. Given an integer i ≥ S i = { P j − k =1 n k + ( i mod n j ) : j ∈ [ ℓ ] } . They show that the family S = n S i ≤ i < Q γ +1 j =1 n i o is an (cid:16)P ℓi =1 n i , ℓ, γ (cid:17) -sharing set family of size Q γ +1 j =1 n i .The proof of Theorem 3 is based on the following result of Blocki et al [BBD13]. Wetake advantage of Sondow’s results on prime density [Son09] to compare the Blocki et alconstruction to the construction of Nisan and Wigderson. Theorem 1. [BBD13] Suppose that n < . . . < n ℓ are pairwise co-prime then there is a ( P ℓi =1 n i , ℓ, γ ) –sharing set system of size m = Q γi =1 n i . Furthermore, this set family has anexplicit construction. Theorem 2. [Son09] For all t ≥ the following bound holds t ln t < R t < t ln 4 t . Theorem 3. ∀ n ≥ ℓ ln 4 ℓ , m ( n, ℓ, γ ) ≥ (2 ℓ ln 2 ℓ ) γ +1 . Furthermore, this set family isexplicitly constructible.Proof. Theorem 2 due to Sondow [Son09] shows that there will always be at least ℓ primes p , . . . , p ℓ between 2 ℓ ln 2 ℓ and 4 ℓ ln 4 ℓ . We have P ℓi =1 p i ≤ ℓ (4 ℓ ln 4 ℓ ) ≤ n . Note that Q γ +1 i =1 p i ≥ (2 ℓ ln 2 ℓ ) γ +1 . It follows from Theorem 1 that m ( n, ℓ, γ ) ≥ (2 ℓ ln 2 ℓ ) γ +1 .Note that the construction of Blocki et al only requires relatively prime numbers. Sothe results from theorem 3 could be improved by including non-prime values. However,theorem 4 implies that these improvements will not be particularly significant. Theorem 4. ∀ n ∈ Z + . ππ ( n ) ≤ π ( n ) − π ( n ) + π ( √ n ) .Proof. Let S ⊆ (cid:8) ⌈ n ⌉ , . . . , n (cid:9) be a set of coprime numbers of maximum size. Observe thateach prime number p ∈ [ n ] is a factor of at most one number in S . Without loss of generalitywe can assume that each of the primes between n and n are contained in S (if p / ∈ S then,because S is of maximum size, we must have some t = pq ∈ S , but in this case we cansimply replace t with p ). The number of primes between n and n is π ( n ) − π ( n ), and allof these integers are relatively prime to each other and to every other number in the range[ n ]. All other numbers in S must have at least two prime factors, and at least one of themmust be less than or equal to √ n . Since each prime factor less than or equal to √ n canbe used at most once, for the members of S to remain pairwise relatively prime, at most π ( √ n ) non-primes can be included in the set, each containing a single prime factor less that √ n . 6 omparison. To compare the constructions of Blocki et al [BBD13] and Nisan andWigderson [NW94] we set n = 4 ℓ ′ ln 4 ℓ ′ and we set ℓ = √ ℓ ′ ln 4 ℓ ′ . The constructionof Nisan and Wigderson gives use m ( n, ℓ, γ ) ≥ ℓ γ +1 = (cid:16) ℓ ′ √ ln 4 ℓ ′ (cid:17) γ +1 , while the con-struction of Blocki et al [BBD13] gives us m ( n, ℓ ′ , γ ) ≥ (2 ℓ ′ ln 2 ℓ ′ ) γ +1 > (cid:16) ℓ ′ √ ln 4 ℓ ′ (cid:17) γ +1 .However, ℓ ′ < ℓ so the construction of Blocki et al has a smaller ℓ . ( n, ℓ, γ ) -sharing set families In this subsection we show that the techniques of Blocki et al [BBD13] yield an explicitconstruction of weak ( n, ℓ, γ )-sharing set families of arbitrary size m . Our main results arestated in Theorem 5. Theorem 5.
For all m there is an explicitly constructible weak (cid:0) ℓ ln 4 ℓ, ℓ, γ (cid:1) -sharing setfamily of size m as long as γ ≥ (cid:16) − ℓ (cid:17) . Furthermore, this set family is explicitlyconstructible.Proof. Let m be given. We use the explicit construction of Blocki et al [BBD13]. ByTheorem 2 we can find ℓ primes such that 2 ℓ ln 2 ℓ < p < . . . < p ℓ < ℓ ln 4 ℓ . In particular,we let S i = n P j − k =1 p k + ( i mod p j ) j ∈ [ ℓ ] o . Now for i ∈ [ m ] we have X j
1) 2 γ Raz et al gave a randomized construction of weak (cid:16)l ℓγ m · ℓ, ℓ, γ (cid:17) -sharing set families forany m, γ >
0. While they showed that their construction could be derandomized, theirconstruction is not explicit (e.g., the construction of i ’th subset S i is dependent on thesets S , . . . , S i − ). Our analysis shows that the construction of Blocki et al [BBD13] iscompetitive with the construction of Raz et al [RRV99] though the value of n is slightlylarger. Nisan and Wigderson proved that if γ = log m , S is a ( n, ℓ, γ )-sharing set family and H f ( ℓ ) ≥ m that their construction NW f, S is a (cid:0) m , m (cid:1) pseudorandom number generator.In particular, Theorem 6 implies that if D is a circuit of size | D | ≤ m that distinguishes NW f, S ( U n ) from U m with advantage ADV D ( NW f, S ( U n )) ≥ m then there exists a circuit7 of size | C | ≤ m which predicts f ( x ) with advantage ADV C ( f ( U ℓ )) ≥ m . Thiscontradicts the definition of H f ( ℓ ). Raz et al [RRV99] observed that it suffices for S tobe a weak ( n, ℓ, γ )-sharing set family. If we let S m denote the explicitly constructible weak (cid:0) ℓ ln 4 ℓ, ℓ, γ (cid:1) -sharing set family of size m from Section 3.1 then for any m > NW f, S m is a (cid:0) m , m (cid:1) pseudorandom number generator with seed length 4 ℓ ln 4 ℓ assuming that H f ( ℓ ) ≥ m . Because S m is explicitly constructible we can compute each bit NW f, S m ( x ) [ i ] = f (cid:0) x | S i (cid:1) independently. Theorem 6. [NW94, RRV99] Let f : { , } ℓ → { , } be a boolean function and S = { S , ..., S m } be an weak ( n, ℓ, γ ) -sharing set family. Suppose D : { , } m → { , } issuch that ADV D ( NW f, S ( U n )) > ǫ , then there exists a circuit C of size | C | ≤ | D | + O (cid:16) max j ∈ [ m ] P i 10) = 2. Theorem 7. ∀ < c < , n, c ∈ N such that c | n . m ( n, nc , c n ) = c iff c < c + c . The proof of Theorem 7 can be bound in the appendix. We instead prove an easierresult here. Theorem 8 upper bounds lim n →∞ m ( n, ℓ, γ ) when ℓ is in a constant ratio to n and γ is small. Theorem 8 holds because the k ’th set S k must use cn − ( k − γ newelements (elements that are not in S k − i =1 S i ). Theorem 8. ∀ γ c , < c < such that cn ∈ N . m ( n, cn, γ c ) → ⌊ c ⌋ as n → ∞ .Proof. Let ℓ = cn and let τ ∈ N be an integer such that τ > ⌊ c ⌋ . The first set will contain ℓ elements. The second set can share at most γ of them, so the second set must containat least ℓ − γ previously unused elements. Therefore the union of the first two sets mustcontain at least 2 ℓ − γ elements. In a similar manner, the kth set must contain at least ℓ − ( k − γ new elements, therefore, kℓ − ( k − kγ ≤ (cid:12)(cid:12)(cid:12)(cid:12)(cid:12) k [ i =1 S i (cid:12)(cid:12)(cid:12)(cid:12)(cid:12) ≤ n . (1)Assume for contradiction that lim sup n →∞ m ( n, cn, γ c ) = τ .Then we havelim n →∞ (cid:18) n − τ ℓ + ( k − kγ (cid:19) = lim n →∞ (cid:18) n − τ cn + ( k − kγ (cid:19) = lim n →∞ ( n (1 − cτ ))= −∞ . This contradicts equation 1. 8e also show that the upper bound from Theorem 7 is nearly tight. In particular, when γ = c n for a slightly larger constant c then m ( n, ℓ, γ ) is exponentially large. Theorem 9lower bounds the values of c for which m ( n, ℓ, γ ) is exponentially large.The full proof of Theorem 9 is found in the appendix. We demonstrate the existenceof an ( n, ℓ, γ )–sharing set family of exponential size by showing that the probability ofobtaining such a set family through random selection is non-zero. Our proof uses thefollowing randomized construction of an ( n, ℓ, γ )–sharing set family. Independently chooserandom integers r ji each in the range 0 ≤ r i < c for i ∈ { , . . . , ℓ − } and j ∈ [ m ]. Let S j = ℓ − S i =0 { ic + r ji } . We use standard concentration bounds due to Chernoff [Che52] to showthat | S j T S j | ≤ γ with high probability, and then we union bounds to argue that the entireset family is ( n, ℓ, γ )–sharing with non-zero probability. Theorem 9. ∀ c > , n, c ∈ N such that c | n . m ( n, nc , c n ) > exp ( O ( n )) if c > c + ǫ . Blocki et al [BBD13] observed that m ( n, γ + 1 , γ ) = (cid:0) nγ +1 (cid:1) whenever n ≥ γ + 1. Weobserve that in general m ( n, ℓ, γ ) ≥ m ( n, ℓ + 1 , γ ) whenever ℓ ≥ γ + 1 . This implies thatwhenever n/ ≥ γ + 1 we havemax ℓ ≥ γ m ( n, ℓ, γ ) = m ( n, γ + 1 , γ ) = (cid:18) nγ + 1 (cid:19) , and whenever γ ≥ n/ ℓ ≥ γ m ( n, ℓ, γ ) = m ( n, γ, γ ) = (cid:0) nγ (cid:1) . Clearly, the inequal-ity m ( n, ℓ, γ ) ≥ m ( n, ℓ, γ + 1) also holds. Both of these inequalities also hold for weak( n, ℓ, γ )-sharing set families. We conclude with some open questions.We have shown that the explicit construction of Blocki et al [BBD13] can be used withthe weaker requirements of Raz et al [RRV99] to create weak ( n, ℓ, γ )-sharing set families ofarbitrarily large size. Our analysis uses a number of potentially loose bounds, however, so itis possible that a better analysis of the Blocki et al construction for weak set families couldimprove our requirements on the parameters. Also of interest is whether there is anotherexplicit construction that would perform better than the Blocki et al construction.We have shown that the value m ( n, n/c , nc ) is constant whenever c ≤ c + c . Fur-thermore, we showed that whenever c > c , m ( n, n/c , nc ) grows exponentially. How does m ( n, n/c , nc ) grow whenever c ∈ h c + c , c i ?We have shown that ππ ( n ) never exceeds π ( n ) − π ( n ) + π ( √ n ). We hypothesize that ππ ( n ) = π ( n ) − π ( n ) + π ( √ n ) for all n ≥ 55. A simple method to select a maximally-sizedset of relatively prime integers is to take the square of each prime between p n and √ n , Suppose that ℓ ≥ γ +1 and we have an ( n, ℓ + 1 , γ )-sharing set family S , . . . , S m ⊆ [ n ] of size m . We canform a ( n, ℓ, γ )-sharing set family S ′ , . . . , S ′ m ⊆ [ n ] by picking some element s i ∈ S i setting S ′ i = S i − { s i } for each i ∈ [ m ]. Observe that this argument does not apply whenever ℓ = γ because then we might have S ′ i = S ′ j for i = j . j ’th prime less than p n and the k ’th prime greater than √ n , for j from 1 to π ( √ n ) and k = j unless this would make the product less than n in which case kis chosen to be the minimum value greater than the previous k so that the product is greatthan n . With the aid of a computer we have shown this equation true for all n from 1 to100,000, except for 51, 52, 53, and 54. References [BBD13] Jeremiah Blocki, Manuel Blum, and Anupam Datta. Naturally rehearsing pass-words. In Kazue Sako and Palash Sarkar, editors, Advances in Cryptology -ASIACRYPT 2013 , volume 8270 of Lecture Notes in Computer Science , pages361–380. Springer Berlin Heidelberg, 2013.[Che52] Herman Chernoff. A measure of asymptotic efficiency for tests of a hypothe-sis based on the sum of observations. The Annals of Mathematical Statistics ,23(4):493–507, 1952.[EFF85] Paul Erd¨os, Peter Frankl, and Zolt´an F¨uredi. Families of finite sets in which no setis covered by the union ofr others. Israel Journal of Mathematics , 51(1-2):79–89,1985.[EH63] P Erd6s and H Hanani. On a limit theorem in combinatorical analysis. Publ.Math. Debrecen , 10:10–13, 1963.[ER56] P Erd¨os and A Renyi. On some combinatorial problems. Publ. Math. Debrecen ,4:398–405, 1956.[Eul82] Leonhard Euler. Recherches sur une nouvelle espece de quarres magiques .Zeeuwsch Genootschao, 1782.[NW94] Noam Nisan and Avi Wigderson. Hardness vs randomness. Journal of Computerand System Sciences , 49(2):149–167, 1994.[Ram19] Srinivasa Ramanujan. A proof of bertrand’s postulate. Journal of the IndianMathematical Society , 11:181–182, 1919.[R¨od85] Vojtˇech R¨odl. On a packing and covering problem. European Journal of Combi-natorics , 6(1):69–78, 1985.[RRV99] Ran Raz, Omer Reingold, and Salil Vadhan. Extracting all the randomness andreducing the error in trevisan’s extractors. In Proceedings of the Thirty-first An-nual ACM Symposium on Theory of Computing , STOC ’99, pages 149–158, NewYork, NY, USA, 1999. ACM.[Son09] Jonathan Sondow. Ramanujan primes and bertrand’s postulate. American Math-ematical Monthly , 116(7):630–635, 2009.[Tre01] Luca Trevisan. Extractors and pseudorandom generators. Journal of the ACM ,48(4):860–879, 2001. 10 Missing Proofs Reminder of Theorem 7. ∀ < c < , n, c ∈ N such that c | n . m ( n, nc , c n ) = c iff c < c + c .Proof of theorem 7. Suppose that for some valid n, c , c there is an ( n, ℓ, γ )–sharing setfamily of size c + 1. By equation 1, the number of elements used by such a set family mustbe at least: ( c + 1) ℓ − c ( c + 1) γ ≤ n (2)Taking advantage of the fact that ℓ = nc and γ = c n , the inequality can be simplified: n + ℓ − c ( c + 1) γ ≤ nℓ ≤ c ( c + 1) γ nc ≤ c ( c + 1) c n n ≤ ( c + c ) c n c + c ≤ c . Thus, all set families of size c +1 or greater must have c ≥ c + c , and c < c + c guaranteesthe set family will have a size of at most c .Since c ℓ = n , it is possible to make a family of size c for any value of c by simplychoosing sets that share no elements. Therefore, the size of the largest possible set familyfor any n, ℓ, γ meeting the specified conditions is c if c < c + c .If c ≥ c + c , there will always exist a set family of size ≥ c + 1. To create such afamily, choose c + 1 sets such that each of them shares γ elements with each of the others.This will be possible as long as: c γ ≤ ℓnc c ≤ nc c c ≤ c c + c ≤ . Since this final inequality is true for all possible values of c , it will such a set familycan always be created, and its size will be, as shown earlier, n when c = c + c . Sinceincreasing c will not eliminate any possible set families, no n, ℓ, γ satisfying the conditionswith c ≥ c + c will have a maximum family size < c + 1. Therefore, the size of the largestpossible set family for a valid n, ℓ, γ will be c iff c < c + c . (cid:3) The proof of theorem 9 is based on standard concentration bounds due to Chernoff. Weuse the specific form from Theorem 10. We demonstrate the existence of an ( n, ℓ, γ )–sharing11et family of exponential size by showing that the probability of obtaining such a set familythrough random selection is non-zero. Theorem 10. [Che52] Let X , . . . , X n ∈ [0 , be a sequence of independent random vari-ables. Let S = P ni =1 x i , and let µ = E [ S ] . Then for all δ ≥ S ≥ µ + δn ] ≤ e − nδ . Reminder of Theorem 9. ∀ c > , n, c ∈ N such that c | n . m ( n, nc , c n ) > exp ( O ( n )) if c > c + ǫ .Proof of Theorem 9. We create an ( n, ℓ, γ )–sharing set family by creating sets in thefollowing manner: Independently choose random integers r ji each in the range 0 ≤ r i < c for j ∈ [ m ] and i ∈ { , . . . , ℓ − } . Let S j = ℓ − S i =0 n ic + r ji o . Given two such sets, S j , S k let x i = ( r ji = r ki r ji = r ki Then the number of elements shared by S j and S k is S j ∩ S k = ℓ − X i =0 x i . Let µ = E [ S j ∩ S k ] = nc denote the expected number of shared elements. The probabilitythat two such sets share more than γ elements, given c = c + ǫ is P r [ | S j ∩ S k | > γ ] = P r [ ℓ − X i =0 x i > c n ]= P r [ X x i > nc + nǫ ] ≤ P r [ X x i ≥ µ + ǫn ] ≤ e − nǫ with the last step by Theorem 10. Thus the probability that two randomly selected setsshare more than γ elements is at most e − nǫ .An ( n, ℓ, γ )–sharing set family of size m will contain (cid:0) m (cid:1) pairs of sets. The probabilitythat the family is valid, with none of the sets sharing more than γ elements is P r [ ∃ j = k : | S j ∩ S k | > γ ] ≤ (cid:18) m (cid:19) P r [ | S j ∩ S k | > γ ] ≤ (cid:18) m (cid:19) e − nǫ ≤ m e − nǫ by the union bound. For m < e nǫ , this probability will be less than 1, meaning there is anon-zero chance of forming a valid set family of size m by random selection and thereforesuch a family must exist. (cid:3)(cid:3)