Streaming Graph Computations with a Helpful Advisor
Graham Cormode ∗ Michael Mitzenmacher † Justin Thaler ‡ October 30, 2018
Abstract
Motivated by the trend to outsource work to commercial cloud computing services, we consider a variation of the streaming paradigm where a streaming algorithm can be assisted by a powerful helper that can provide annotations to the data stream. We extend previous work on such annotation models by considering a number of graph streaming problems. Without annotations, streaming algorithms for graph problems generally require significant memory; we show that for many standard problems, including all graph problems that can be expressed with totally unimodular integer programming formulations, only a constant number of hash values are needed for single-pass algorithms given linear-sized annotations. We also obtain a protocol achieving optimal tradeoffs between annotation length and memory usage for matrix-vector multiplication; this result contributes to a trend of recent research on numerical linear algebra in streaming models.
1 Introduction

The recent explosion in the number and scale of real-world structured data sets including the web, social networks, and other relational data has created a pressing need to efficiently process and analyze massive graphs. This has sparked the study of graph algorithms that meet the constraints of the standard streaming model: restricted memory and the ability to make only one pass (or few passes) over adversarially ordered data. However, many results for graph streams have been negative, as many foundational problems require either substantial working memory or a prohibitive number of passes over the data [1]. Apparently most graph algorithms fundamentally require flexibility in the way they query edges, and therefore the combination of adversarial order and limited memory makes many problems intractable.

To circumvent these negative results, variants and relaxations of the standard graph streaming model have been proposed, including the Semi-Streaming [2], W-Stream [3], Sort-Stream [4], Random-Order [1], and Best-Order [5] models. In Semi-Streaming, memory requirements are relaxed, allowing space proportional to the number of vertices in the stream but not the number of edges. The W-Stream model allows the algorithm to write temporary streams to aid in computation. And, as their names suggest, the Sort-Stream, Random-Order, and Best-Order models relax the assumption of adversarially ordered input. The Best-Order model, for example, allows the input stream to be re-ordered arbitrarily to minimize the space required for the computation.

In this paper, our starting point is a relaxation of the standard model, closest to that put forth by Chakrabarti et al. [6], called the annotation model. Motivated by recent work on outsourcing of database processing, as well as commercial cloud computing services such as Amazon EC2, the annotation model allows access to a powerful advisor, or helper, who observes the stream concurrently with the algorithm. Importantly, in many of our motivating applications, the helper is not a trusted entity: the commercial stream processing service may have executed a buggy algorithm, experienced a hardware fault or communication error, or may even be deliberately deceptive [5, 6]. As a result, we require our protocols to be sound: our verifier must detect any lies or deviations from the prescribed protocol with high probability.

The most general form of the annotation model allows the helper to provide additional annotations in the data stream at any point to assist the verifier, and one of the cost measures is the total length of the annotation. In this paper, however, we focus on the case where the helper's annotation arrives as a single message after both the helper and verifier have seen the stream. The helper's message is also processed as a stream, since it may be large; it often (but not always) includes a re-ordering of the stream into a convenient form, as well as additional information to guide the verifier.

∗ AT&T Labs – Research, [email protected]
† Harvard University, School of Engineering and Applied Sciences, [email protected]. This work was supported in part by NSF grants CCF-0915922 and CNS-0721491, and in part by grants from Yahoo! Research, Google, and Cisco, Inc.
‡ Harvard University, School of Engineering and Applied Sciences, [email protected]. Supported by the Department of Defense (DoD) through the National Defense Science & Engineering Graduate Fellowship (NDSEG) Program.
This is therefore stronger than the Best-Order model, which only allows the input to be reordered and no more; but it is weaker than the more general online model, because in our model the annotation appears only after the input stream has finished.

We argue that this model is of interest for several reasons. First, it requires minimal coordination between helper and verifier, since it is not necessary to ensure that annotation and stream data are synchronized. Second, it captures the case when the verifier uploads data to the cloud as it is collected, and later poses questions over the data to the helper. Under this paradigm, the annotation must come after the stream is observed. Third, we know of no non-trivial problems which separate the general online and our "at-the-end" versions of the model, and most prior results are effectively in this model.

Besides being practically motivated by outsourced computations, annotation models are closely related to Merlin-Arthur proofs with space-bounded verifiers, and studying what can (and cannot) be accomplished in these models is of independent interest.
Relationship to Other Work.
Annotation models were first explicitly studied by Chakrabarti et al. in [6], who focused primarily on protocols for canonical problems in numerical streams, such as Selection, Frequency Moments, and Frequent Items. The authors also provided protocols for some graph problems: counting triangles, connectedness, and bipartite perfect matching. The Best-Order Stream Model was put forth by Das Sarma et al. in [5]. They present protocols requiring logarithmic or polylogarithmic space (in bits) for several problems, including perfect matching and connectivity. Historical antecedents for this work are due to Lipton [7], who used fingerprinting methods to verify polynomial-time computations in logarithmic space. Recent work verifies shortest-path computations using cryptographic primitives, using polynomial space for the verifier [8].
Our Contributions.
We identify two qualitatively different approaches to producing protocols for problems on graphs with n nodes and m edges. In the first, the helper directly proves matching upper and lower bounds on a quantity. Usually, proving one of the two bounds is trivial: the helper provides a feasible solution to the problem. But proving optimality of the feasible solution can be more difficult, requiring the use of structural properties of the problem. In the second, we simulate the execution of a non-streaming algorithm, using the helper to maintain the algorithm's internal data structures to control the amount of memory used by the verifier. The helper must provide the contents of the data structures so as to limit the amount of annotation required.

Using the first approach (Section 3), we show that only constant space and annotation linear in the input size m is needed to determine whether a directed graph is a DAG and to compute the size of a maximum matching. We describe this as an (m, 1) protocol, where the first entry refers to the annotation size (which we also call the hcost) and the second to the memory required for the verifier (which we also call the vcost). Our maximum matching result significantly extends the bipartite perfect matching protocol of [6], and is tight for dense graphs, in the sense that there is a lower bound on the product of hcost and vcost of hcost · vcost = Ω(n^2) bits for this problem. Second, we define a streaming version of the linear programming problem, and provide an (m, 1) protocol. By exploiting duality, we hence obtain (m, 1) protocols for many graph problems with totally unimodular integer programming formulations, including shortest s–t path, max-flow, min-cut, and minimum-weight bipartite perfect matching. We also show all are tight by proving lower bounds of hcost · vcost = Ω(n^2) bits for all four problems. A more involved protocol obtains optimal tradeoffs between annotation cost and working memory for dense LPs and matrix-vector multiplication; this complements recent results on approximate linear algebra in streaming models (see e.g. [9, 10]).

For the second approach (Section 4), we make use of the idea of "memory checking" due to Blum et al. [11], which allows a small-space verifier to outsource data storage to an untrusted server. We present a general simulation theorem based on this checker, and obtain as corollaries tight protocols for a variety of canonical graph problems. In particular, we give an (m, 1) protocol for verifying a minimum spanning tree, an (m + n log n, 1) protocol for single-source shortest paths, and a protocol for all-pairs shortest paths. We show lower bounds of hcost · vcost = Ω(n^2) bits for the latter two problems, and an identical lower bound for MST when the edge weights can be given incrementally. While powerful, this technique has its limitations: there does not seem to be any generic way to obtain the same kind of tradeoffs observed above. Further, there are some instances where direct application of memory checking does not achieve the best bounds for a problem. We demonstrate this by presenting an (n^2 log n, 1) protocol to find the diameter of a graph; this protocol leverages the ability to use randomized methods to check computations more efficiently than via generating or checking a deterministic witness. In this case, we rely on techniques to verify matrix multiplication in quadratic time, and show that this is tight via a nearly matching lower bound for diameter of hcost · vcost = Ω(n^2).

In contrast to problems on numerical streams, where it is often trivial to obtain (m, 1) protocols by replaying the stream in sorted order, it transpires that achieving linear-sized annotations with logarithmic space is more challenging for many graph problems. Simply providing the solution (e.g. a graph matching or spanning tree) is insufficient, since we have the additional burden of demonstrating that this solution is optimal. A consequence is that we are able to provide solutions to several problems for which no solution is known in the best-order model (even though one can reorder the stream in the best-order model so that the "solution" edges arrive first).
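The quadratic-time randomized verification of matrix multiplication mentioned above is in the spirit of Freivalds' classical check; the following is a minimal illustrative sketch of that underlying idea (not the paper's protocol), which verifies a claimed product with O(n^2) work per trial instead of an O(n^3) multiplication.

```python
import random

def freivalds_check(A, B, C, trials=20):
    """Randomized check that A @ B == C for n x n matrices.

    Each trial multiplies by a random 0/1 vector r and compares
    A(Br) with Cr, costing O(n^2) instead of O(n^3)."""
    n = len(A)
    for _ in range(trials):
        r = [random.randint(0, 1) for _ in range(n)]
        Br = [sum(B[i][j] * r[j] for j in range(n)) for i in range(n)]
        ABr = [sum(A[i][j] * Br[j] for j in range(n)) for i in range(n)]
        Cr = [sum(C[i][j] * r[j] for j in range(n)) for i in range(n)]
        if ABr != Cr:
            return False  # a mismatch is conclusive
    return True  # correct with probability >= 1 - 2**(-trials)
```

A wrong entry in C survives each trial with probability at most 1/2, so the error probability decays geometrically in the number of trials.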
2 Model and Definitions
Consider a data stream A = ⟨a_1, a_2, ..., a_m⟩ with each a_i in some universe U. Consider a probabilistic verifier V who observes A and a deterministic helper H who also observes A and can send a message h to V after A has been observed by both parties. This message, also referred to as an annotation, should itself be interpreted as a data stream that is parsed by V, which may permit V to use space sublinear in the size of the annotation itself. That is, H provides an annotation h(A) = (h_1(A), h_2(A), ..., h_ℓ(A)).

We study randomized streaming protocols for computing functions f(A) → Z. Specifically, assume V has access to a private random string R and at most w(m) machine words of working memory, and that V has one-way access to the input A · h, where · represents concatenation. Denote the output of protocol P on input A, given helper h and random string R, by out(P, A, R, h). We allow V to output ⊥ if V is not convinced that the annotation is valid. We say that h is valid for A with respect to P if Pr_R(out(P, A, R, h) = f(A)) = 1, and we say that h is δ-invalid for A with respect to P if Pr_R(out(P, A, R, h) ≠ ⊥) ≤ δ. We say that h is a valid helper if h is valid for all A. We say that P is a valid protocol for f if:

1. There exists at least one valid helper h with respect to P; and
2. For all helpers h′ and all streams A, either h′ is valid for A or h′ is 1/3-invalid for A.

Conceptually, P is a valid protocol for f if for each stream A there is at least one way to convince V of the true value of f(A), and V rejects all other annotations as invalid (this differs slightly from [6] to allow for multiple h's that can convince V). The constant 1/3 can be any constant less than 1. Let h be a valid helper chosen to minimize the length of h(A) for all A.
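As a toy instantiation of these definitions (the problem choice and all names are ours, purely illustrative): a verifier for counting distinct elements, where the honest helper's annotation is a replay of the stream in sorted order. V keeps O(1) words: a random hash point, two running hashes, the previous annotation item, and a counter; it outputs None in place of ⊥.

```python
import random

P = (1 << 61) - 1  # a large prime modulus for the hash (illustrative choice)

def verify_distinct(stream, annotation, seed=None):
    """Toy annotated-stream verifier for the number of distinct elements.

    The honest helper replays the stream in sorted order; V checks the
    replay is sorted and is a permutation of the input (whp), and counts
    distinct items by comparing adjacent entries of the replay."""
    rng = random.Random(seed)
    alpha = rng.randrange(1, P)
    # Permutation-invariant hash of the input multiset: sum of alpha^a mod P.
    h_in = sum(pow(alpha, a, P) for a in stream) % P

    h_ann, distinct, prev = 0, 0, None
    for a in annotation:               # one pass over the helper's message
        if prev is not None and a < prev:
            return None                # reject: replay not sorted
        h_ann = (h_ann + pow(alpha, a, P)) % P
        if a != prev:
            distinct += 1
        prev = a
    if h_ann != h_in:
        return None                    # reject: not a permutation of A (whp)
    return distinct
```

A lying helper that drops or alters items causes the hashes to disagree except with tiny probability over the choice of alpha, matching the soundness requirement above.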
We define the help cost hcost(P) to be the maximum length of h over all A of length m, and the verification cost vcost(P) = w(m), the amount of working memory used by the protocol P. All costs are expressed in machine words of size Θ(log m) bits, i.e. we assume any quantity polynomial in the input size can be stored in a constant number of words; in contrast, lower bounds are expressed in bits. We say that P is an (h, v) protocol for f if P is valid and hcost(P) = O(h + 1), vcost(P) = O(v + 1). While both hcost and vcost are natural costs for such protocols, we often aim to achieve a vcost of O(1) and then minimize hcost. In other cases, we show that hcost can be decreased by increasing vcost, and study the tradeoff between these two quantities.

In some cases, f is not a function of A alone; instead it depends on A and h. In such cases, V should simply accept if convinced that the annotation has the correct properties, and output ⊥ otherwise. We use the same terminology as before, and say that P is a valid protocol if there is a valid helper and any h′ that is not valid for A is 1/3-invalid for A.

In this paper we primarily consider graph streams, which are streams whose elements are edges of a graph G. More formally, consider a stream A = ⟨e_1, e_2, ..., e_m⟩ with each e_i ∈ [n] × [n]. Such a stream defines a (multi)graph G = (V, E) where V = {v_1, ..., v_n} and E is the (multi)set of edges that naturally corresponds to A. We use the notation {i : m(i)} for the multiset in which i appears with multiplicity m(i). Finally, we will sometimes consider graph streams with directed edges, and sometimes with weighted edges; in the latter case each e_i ∈ [n] × [n] × Z+.

Our protocols make careful use of fingerprints, permutation-invariant hashes that can be efficiently computed in a streaming fashion. They determine in small space (with high probability) whether two streams have identical frequency distributions.
They are the workhorse of algorithms proposed in earlier work on streaming models with an untrusted helper [5, 6, 7, 12]. We sometimes also need the fingerprint function to be linear.
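A minimal sketch of such a fingerprint, with illustrative (not prescribed) choices of field size and encoding: it is computed incrementally one stream item at a time, is invariant under permutations of the stream, and is linear under multiset union.

```python
import random

class Fingerprint:
    """Polynomial fingerprint of a multiset over [q]: sum_i m(i) * alpha^i mod p,
    maintained incrementally as items arrive in a stream."""

    def __init__(self, p, alpha):
        self.p, self.alpha, self.value = p, alpha, 0

    def add(self, i, mult=1):
        # Observe item i (with multiplicity mult) from the stream.
        self.value = (self.value + mult * pow(self.alpha, i, self.p)) % self.p

p = (1 << 31) - 1               # a prime; in practice chosen poly(q) in size
alpha = random.randrange(1, p)  # the verifier's secret random evaluation point

f1, f2 = Fingerprint(p, alpha), Fingerprint(p, alpha)
for x in [4, 1, 3, 1]:
    f1.add(x)
for x in [1, 1, 3, 4]:          # same multiset, different arrival order
    f2.add(x)
assert f1.value == f2.value     # permutation invariance

# Linearity: the fingerprint of a multiset union is the sum of fingerprints.
g = Fingerprint(p, alpha)
for x in [4, 1, 3, 1, 2]:
    g.add(x)
extra = Fingerprint(p, alpha)
extra.add(2)
assert g.value == (f1.value + extra.value) % p
```

Two distinct multisets collide only when alpha happens to be a root of the difference polynomial, which occurs with probability at most q/p over the choice of alpha.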
Definition 2.1 (Fingerprints). A fingerprint of a multiset M = {i : m(i)}, where each i ∈ [q] for some known upper bound q, is defined as a computation over the finite field with p elements, F_p, as f_{p,α}(M) = Σ_{i=1}^q m(i) α^i, where α is chosen uniformly at random from F_p. We typically leave p, α implicit, and just write f(M).

Some properties of f are immediate: it is linear in M, and can easily be computed incrementally as elements of [q] are observed in a stream one by one. The main property of f is that Pr[f(M) = f(M′) | M ≠ M′] ≤ q/p over the random choice of α (due to standard properties of polynomials over a field). Therefore, if p is sufficiently large, say, polynomial in q and in an (assumed) upper bound on the multiplicities m(i), then this event happens with only polynomially small probability. For cases when the domain of the multisets is not [q], we either establish a bijection to [q] for an appropriate value of q, or use a hash function to map the domain onto a large enough [q] such that there are no collisions with high probability (whp). In all cases, p is chosen to be O(1) words.

A common subroutine of many of our protocols forces H to provide a "label" l(u) for each node upfront, and then replay the edges in E, with each edge (u, v) annotated with l(u) and l(v), so that each instance of each node v appears with the same label l(v).

Definition 2.2.
We say a list of edges E′ is label-augmented if (a) E′ is preceded by a sorted list of all the nodes v ∈ V, each with a value l(v) and deg(v), where l(v) is the label of v and deg(v) is claimed to be the degree of v; and (b) each edge e = (u, v) in E′ is annotated with a pair of symbols l(e, u) and l(e, v). We say a list of label-augmented edges E′ is valid if for all edges e = (u, v), l(e, u) = l(u) and l(e, v) = l(v); and E′ = E, where E is the set of edges observed in the stream A.

Lemma 2.3 (Consistent Labels). There is a valid (m, 1) protocol that accepts any valid list of label-augmented edges.

Proof. V uses the annotation from Definition 2.2 (a) to make a fingerprint of the multiset S := {(u, l(u)) : deg(u)}. V also maintains a fingerprint f of all (u, l(e, u)) pairs seen while observing the edges of E′. If f = f(S) then (whp) each node u must be presented with label l(e, u) = l(u) every time it is reported in an edge e (and moreover u must be reported in exactly deg(u) edges), else the multiset of observed (node, label) pairs would not match S. Finally, V ensures that E′ = E by checking that f(E) = f(E′).

A (directed) graph G is a DAG if and only if G has a topological ordering, which is an ordering of V as v_1, ..., v_n such that for every edge (v_i, v_j) we have i < j [13, Section 3.6]. Hence, if G is a DAG, H can prove it by providing a topological ordering. If G is not a DAG, H can provide a directed cycle as witness.

Theorem 3.1.
There is a valid (m, 1) protocol to determine if a graph is a DAG.

Proof. If G is not a DAG, H provides a directed cycle C as (v_1, v_2), (v_2, v_3), ..., (v_k, v_1). To ensure C ⊆ E, H then provides E \ C, allowing V to check that f(C ∪ (E \ C)) = f(E). If G is a DAG, let v_1, ..., v_n be a topological ordering of G. We require H to replay the edges of G, with edge (v_i, v_j) annotated with the ranks of v_i and v_j, i.e. i and j. We ensure H provides consistent ranks via the Consistent Labels protocol of Lemma 2.3, with the ranks as "labels". If any edge (v_i, v_j) is presented with i ≥ j, V rejects immediately.

We give an (m, 1) protocol for maximum matching which leverages the combinatorial structure of the problem. Previously, matching was only studied in the bipartite case, where an (m, 1) protocol and a lower bound of hcost · vcost = Ω(n^2) bits for dense graphs were shown [6, Theorem 11]. The same lower bound applies to the more general problem of maximum matching, so our protocol is tight up to logarithmic factors.

The protocol shows matching upper and lower bounds on the size of the maximum matching. Any feasible matching presents a lower bound. For the upper bound we appeal to the Tutte–Berge formula [14, Chapter 24]: the size of a maximum matching of a graph G = (V, E) is equal to (1/2) min_{V_S ⊆ V} (|V_S| − occ(G − V_S) + |V|), where G − V_S is the subgraph of G obtained by deleting the vertices of V_S and all edges incident to them, and occ(G − V_S) is the number of components in the graph G − V_S that have an odd number of vertices. So for any set of nodes V_S, (1/2)(|V_S| − occ(G − V_S) + |V|) is an upper bound on the size of the maximum matching, and there exists some V_S for which this quantity equals the size of a maximum matching M. Conceptually, by providing both V_S and M, H proves that the maximum matching size is |M|. Additionally, H has to provide a proof of the value of occ(G − V_S) to V.

Theorem 3.2. There is a valid (m, 1) protocol for maximum matching. Moreover, any protocol for max-matching requires hcost · vcost = Ω(n^2) bits.

Proof. To prove a lower bound of k on the size of the maximum matching, H provides a matching M = (V_M, E_M) of size |E_M| = k, and then proves that M is indeed a matching. It suffices to prove that |V_M| = 2|E_M| and M ⊆ E. First, H lists E_M, and V fingerprints the nodes present as f(V_M). H then presents V′_M, which is claimed to be V_M in sorted order, allowing V to easily check no node appears more than once and that f(V_M) = f(V′_M). Next, H provides E \ M, allowing V to check that f(M ∪ (E \ M)) = f(E). Hence M is a matching.

To prove an upper bound of k on the size of the maximum matching, H sends a (sorted) set V_S ⊆ V, where (1/2)(|V_S| − occ(G − V_S) + |V|) = k. Both |V_S| and |V| are computed directly; for occ(G − V_S), H sends a sequence of (sub)graphs C_i = (V_i, E_i) ⊆ V × E claimed to be a partition of G − V_S into connected components. V can easily compute c, the number of C_i's with an odd number of nodes. To ensure that the C_i's are indeed the connected components of G − V_S, it suffices to show that (a) each C_i is connected in G − V_S; (b) V \ V_S is the disjoint union of the V_i's; and (c) there is no edge (v, w) ∈ E s.t. v ∈ V_i, w ∈ V_j, i ≠ j.

To prove Property (a), H presents the (sub)graph C_i as V_i ⊂ V (in sorted order) where each v is paired with its degree deg(v), followed by E_i ⊂ E (in arbitrary order). Fingerprints are used to ensure that the multiset of nodes present in E_i matches the claimed degrees of nodes in V_i. If these fingerprints agree, then (whp) E_i ⊆ V_i × V_i. Then H uses the connectivity protocol from [6, Theorem 5.6] on the (sub)graph C_i = (V_i, E_i) to prove that C_i is connected. Each of these checks on C_i has hcost O(|E_i|). Note that V requires only a constant number of fingerprints for these checks, and can use the same working memory for each different C_i to check that E_i ⊆ V_i × V_i and that C_i is connected. The total vcost over all C_i is a constant number of fingerprints; the total hcost is O(m).

Property (b) is checked by testing f((∪_i V_i) ∪ V_S) = f(V), where the unions in the LHS count multiplicities; if the fingerprints match then whp V \ V_S is the disjoint union of the V_i's. For (c), it suffices to ensure that each edge in E \ (∪_i E_i) is incident to at least one node in V_S, as we have already checked that no edges in ∪_i E_i cross between V_i and V_j for i ≠ j. To this end, we use the "Consistent Labels" protocol of Lemma 2.3, with l(u) = 1 indicating u ∈ V_S and l(u) = 0 indicating u ∉ V_S, to force H to replay all of E with each edge (u, v) annotated with l(u) and l(v). This allows V to identify the set E_S of edges incident to at least one node in V_S. V checks that f((∪_i E_i) ∪ E_S) = f(E), which ensures (whp) that Property (c) holds and that over the entire partition of G no edges are added or omitted. Finally, provided all the prior fingerprint tests pass, the protocol accepts if c, the number of C_i's with an odd number of nodes, satisfies (1/2)(|V_S| − c + |V|) = k.

We present protocols to solve linear programming problems in our model leveraging the theory of LP duality. This leads to non-trivial schemes for a variety of graph problems.
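As a concrete toy illustration of this duality-based certification (the graph, weights, and all names below are ours, not from the paper): a shortest s–t path can be certified optimal by exhibiting both a path and feasible node potentials for the dual of the shortest-path LP with the same objective value.

```python
# Hypothetical example: edges of a small directed graph with weights.
# The helper supplies a path (a primal solution) and node potentials
# (a dual solution); the verifier checks feasibility of both and that
# the two objective values coincide, which certifies optimality by
# weak duality.
edges = {('s', 'a'): 1, ('a', 't'): 2, ('s', 't'): 4}
path = [('s', 'a'), ('a', 't')]          # claimed shortest s-t path
potential = {'s': 0, 'a': 1, 't': 3}     # claimed dual solution

primal_cost = sum(edges[e] for e in path)
# Dual feasibility: potential[v] - potential[u] <= w for every edge (u, v).
dual_feasible = all(potential[v] - potential[u] <= w
                    for (u, v), w in edges.items())
dual_value = potential['t'] - potential['s']

# Matching objective values certify that the path is optimal.
assert dual_feasible and primal_cost == dual_value == 3
```

The point is that the verifier never searches for a solution itself: it only checks two easily-verified certificates against each other.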
Definition 3.3.
Given a data stream A containing entries of vectors b ∈ R^b, c ∈ R^c, and non-zero entries of a b × c matrix A in some arbitrary order, possibly interleaved, where each item in the stream indicates the index of the object it pertains to, the LP streaming problem on A is to determine the value of the linear program min{c^T x | Ax ≤ b}.

We present our protocol as if each entry of each object appears at most once (if an entry does not appear, it is assumed to be zero). When this is not the case, the final value for that entry is interpreted as the sum of all corresponding values in the stream.
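A condensed sketch of how a verifier might combine fingerprints with a claimed solution to check feasibility in one pass over the helper's replay. The hash, encoding, and data layout here are illustrative assumptions, not the paper's exact protocol.

```python
import random

P = (1 << 61) - 1  # a large prime for the multiset hash (illustrative)

def fp(items, alpha):
    """Permutation-invariant fingerprint of a multiset of hashable items."""
    return sum(pow(alpha, hash(it) % (P - 1), P) for it in items) % P

# Streamed non-zero entries of A as (row, col, value) triples, plus b.
A_stream = [(0, 0, 2.0), (0, 1, 1.0), (1, 1, 3.0)]
b = {0: 8.0, 1: 9.0}
x = {0: 1.0, 1: 2.0}   # the helper's claimed solution

alpha = random.randrange(2, P)
f_stream = fp(A_stream, alpha)   # V computes this while streaming A

# The helper's replay, grouped by row; V re-fingerprints the replayed
# entries and checks each constraint of A x <= b in constant space per row.
replay = {0: [(0, 0, 2.0), (0, 1, 1.0)], 1: [(1, 1, 3.0)]}
f_replay = fp([t for row in replay.values() for t in row], alpha)
feasible = all(sum(v * x[j] for (_, j, v) in row) <= b[i]
               for i, row in replay.items())
assert f_replay == f_stream and feasible
```

The fingerprint comparison is what prevents the helper from dropping, altering, or inventing matrix entries during the replay.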
Theorem 3.4.
There is a valid (|A|, 1) protocol for the LP streaming problem, where |A| is the number of non-zero entries in the constraint matrix A of A.

Proof. The protocol shows an upper bound by providing a primal-feasible solution x, and a lower bound by providing a dual-feasible solution y. When the values of both solutions match, V is convinced that the optimal value has been found.

From the stream, V fingerprints the sets S_A = {(i, j, A_{i,j})}, S_B = {(i, b_i)} and S_C = {(j, c_j)}. Then H provides all pairs of values c_j, x_j, 1 ≤ j ≤ c, with each x_j additionally annotated with |A_{·j}|, the number of non-zero entries in column j of A. This allows V to fingerprint the multiset S_X = {(j, x_j) : |A_{·j}|} and calculate the solution cost Σ_{j=1}^c c_j x_j.

To prove feasibility, for each row i of A, A_{i·}, H sends b_i, then (the non-zero entries of) A_{i·} so that each A_{ij} is annotated with x_j. This allows the i-th constraint to be checked easily in constant space. V fingerprints the values given by H for A, b, and c, and compares them to those for the stream. A single fingerprint of the multiset of values presented for x over all rows is compared to f(S_X). The protocol accepts x as feasible if all constraints are met and all fingerprint tests pass.

Correctness follows by observing that the agreement with f(S_A) guarantees (whp) that each entry of A is presented correctly and no value is omitted. Since H presents each entry of b and c once, in index order, the fingerprints f(S_B) and f(S_C) ensure that these values are presented correctly. The claimed |A_{·j}| values must be correct: if not, then the fingerprints of either S_X or S_A will not match the multisets provided by H. f(S_X) also ensures that each time x_j is presented, the same value is given (similar to Lemma 2.3).

To prove that x is primal-optimal, it suffices to show a feasible solution y to the dual LP so that c^T x = b^T y. Essentially we repeat the above protocol on the dual, and check that the claimed values are again consistent with the fingerprints of S_A, S_B, S_C.

For any graph problem that can be formulated as a linear program in which each entry of A, b, and c can be derived as a linear function of the nodes and edges, we may view each edge in a graph stream A as providing an update to values of one or more entries of A, b, and c. Therefore, we immediately obtain a protocol for problems of this form via Theorem 3.4. More generally, we obtain protocols for problems formulated as totally unimodular integer programs (TUM IPs), since optimality of a feasible solution is shown by a matching feasible solution of the dual of its LP relaxation [15].

Corollary 3.5. There is a valid (|A|, 1) protocol for any graph problem that can be formulated as a linear program or TUM IP in which each entry of A, b, and c is a linear function of the nodes and edges of the graph.

This follows immediately from Theorem 3.4 and the subsequent discussion: note that the linearity of the fingerprinting builds fingerprints of S_A, S_B and S_C, so H presents only their (aggregated) values, not information from the unaggregated graph stream.

Corollary 3.6. Shortest s–t path, max-flow, min-cut, and minimum weight bipartite perfect matching (MWBPM) all have valid (m, 1) protocols. For all four problems, a lower bound of hcost · vcost = Ω(n^2) bits holds for dense graphs.

Proof. The upper bound follows from the previous corollary because all the problems listed possess formulations as TUM IPs, and moreover the constraint matrix in each case has O(m + n) non-zero entries. For example, for max-flow, x gives the flow on each edge, and the weight of each edge in the stream contributes (linearly) to constraints on the capacity of that edge and the flow through incident nodes.

The lower bound for MWBPM, max-flow, and min-cut holds from [6, Theorem 11], which argues hcost · vcost = Ω(n^2) bits for bipartite perfect matching, and straightforward reductions of bipartite perfect matching to all three problems, see e.g. [13, Theorem 7.37]. The lower bound for shortest s–t path follows from a straightforward reduction from index, for which a lower bound on hcost · vcost linear in the input size was proven in [6, Theorem 3.1]. Given an instance (x, k) of index where x ∈ {0, 1}^{n^2}, k ∈ [n^2], we construct a graph G with V_G = [n + 2] and E_G = E_A ∪ E_B. Alice creates E_A = {(i, j) : x_{f(i,j)} = 1} from x alone, where f is a 1-1 correspondence [n] × [n] → [n^2]. Bob creates E_B = {(n + 1, i), (j, n + 2)}, where (i, j) is the pair with f(i, j) = k. The shortest path between nodes n + 1 and n + 2 is 3 if x_k = 1, and is 4 or more otherwise. This also implies that any approximation better than a 4/3 factor requires hcost · vcost = Ω(n^2) (better inapproximability constants may be possible).

Conceptually, the above protocols for solving the LP streaming problem are straightforward: H provides a primal solution, potentially repeating it once for each row of A to prove feasibility, and repeats the protocol for the dual. There are efficient protocols for the problems listed in the corollary since the constraint matrices of their IP formulations are sparse. For dense constraint matrices, however, the bottleneck is proving feasibility. We observe that computing Ax reduces to computing b inner-product computations of vectors of dimension c. There are (c^α, c^{1−α}) protocols to verify such inner-products [6]. But we can further improve on this since one of the vectors is held constant in each of the tests. This reduces the space needed by V to run these checks in parallel; moreover, we prove a lower bound of hcost · vcost = Ω(min(b, c)^2) bits, and so obtain an optimal tradeoff for square matrices, up to logarithmic factors.

Theorem 3.7.
Given a b × c matrix A and a c-dimensional vector x, the product Ax can be verified with a valid (bc^α, c^{1−α}) protocol. Moreover, any such protocol requires hcost · vcost = Ω(min(b, c)^2) bits for dense matrices.

Proof. We begin with the upper bound. The protocol for verifying inner-products which follows from [6] treats a c-dimensional vector as an h × v array F, where hv ≥ c. This then defines a low-degree polynomial f over a suitably large field, so that f(x, y) = F_{x,y} for each (x, y) ∈ [h] × [v]. For an inner-product between two vectors, we wish to compute Σ_{x∈[h], y∈[v]} F_{x,y} G_{x,y} = Σ_{x∈[h], y∈[v]} f(x, y) g(x, y) for the corresponding arrays F, G and polynomials f, g. These polynomials can then be evaluated at locations outside [h] × [v], so in the protocol V picks a random position r, and evaluates f(r, y) and g(r, y) for 1 ≤ y ≤ v. H then presents a polynomial s(x) of degree O(h) which is claimed to be Σ_{y=1}^v f(x, y) g(x, y). V checks that s(r) = Σ_{y=1}^v f(r, y) g(r, y), and if so accepts Σ_{x=1}^h s(x) as the correct answer.

In [6] it is shown how V can compute f(r, y) efficiently as F is defined incrementally in the stream: each addition of w to a particular index is mapped to (x, y) ∈ [h] × [v], which causes the update f(r, y) ← f(r, y) + w · p(r, x, y), where p(r, x, y) depends only on x, y, and r. Equivalently, the final value of f(r, y) over updates in the stream, where the j-th update is t_j = (w_j, x_j, y_j), is f(r, y) = Σ_{t_j : y_j = y} w_j p(r, x_j, y).

To run this protocol over multiple vectors in parallel naively would require keeping the f(r, y) values implied by each different vector separately, which would be costly.
Our observation is that rather than keep these values explicitly, it is sufficient to keep only a fingerprint of these values, and use the linearity of fingerprint functions to finally test whether the polynomials provided by H for each vector together agree with the stored values.

In our setting, the b × c matrix A implies b polynomials, one per row. We evaluate each polynomial at (r, y) for 1 ≤ y ≤ v for the same value of r: since each test is fooled by H with small probability, the chance that none of them is fooled can be kept high by choosing the field over which the polynomials are evaluated to have size polynomial in b + c. Thus, conceptually, the parallel invocation of b instances of this protocol requires us to store f_i(r, y) for 1 ≤ y ≤ v and 1 ≤ i ≤ b (for the b rows of A), as well as f_x(r, y) for 1 ≤ y ≤ v (where f_x is the polynomial derived from x). Rather than store this set of bv values explicitly, V instead stores only v fingerprints, one for each value of y, where each fingerprint captures the set of b values of f_i(r, y).

From the definition of our fingerprints, this means that over stream updates t_j = (w_j, i_j, x_j, y_j) of weight w_j to row i_j and the column indexed by x_j and y_j, we compute a fingerprint

f(A, y) = Σ_{i=1}^b f_i(r, y) α^i = Σ_{i=1}^b Σ_{t_j : y_j = y, i_j = i} w_j p(r, x_j, y) α^i

for each y, 1 ≤ y ≤ v. Observe that for each y this can be computed incrementally in the stream by storing only r and the current value of f(A, y).

To verify the correctness, V receives the b polynomials s_i, and builds a fingerprint of the multiset S = {i : s_i(r)} incrementally.
V then tests whether

Σ_{y=1}^{v} f(A, y) f_x(r, y) = f(S).

To see the correctness of this, we expand the left-hand side as

Σ_{y=1}^{v} f(A, y) f_x(r, y) = Σ_{y=1}^{v} (Σ_{i=1}^{b} f_i(r, y) α^i) f_x(r, y) = Σ_{y=1}^{v} Σ_{i=1}^{b} f_x(r, y) f_i(r, y) α^i = Σ_{i=1}^{b} (Σ_{y=1}^{v} f_x(r, y) f_i(r, y)) α^i.

Likewise, if all the s_i's are as claimed, then

f(S) = Σ_{i=1}^{b} s_i(r) α^i = Σ_{i=1}^{b} (Σ_{y=1}^{v} f_x(r, y) f_i(r, y)) α^i.

Thus, if the s_i's are as claimed, these two fingerprints match. Moreover, by the Schwartz–Zippel lemma, and the fact that α and r are picked randomly by V and not known to H, the fingerprints will fail to match with high probability if the s_i's are not as claimed, when the polynomials are evaluated over a field of size polynomial in b + c.

To analyze the vcost, we observe that V can compute all fingerprints in O(v) space. As H provides each polynomial s_i(x) in turn, V incrementally computes f(S) and checks that it matches Σ_{y=1}^{v} f(A, y) f_x(r, y). At the same time, V also computes Σ_{x=1}^{h} s_i(x), the i-th entry of Ax. Note that if each s_i is sent one after another, V can forget each previous s_i after the required fingerprints and evaluations have been made; and if h is larger than v, V does not even need to keep s_i in memory, but can instead evaluate it term by term, in parallel for each value of x. Thus the total space needed by V is dominated by the v fingerprints and check values. Setting h = c^α and v = c^{1−α}, the total size of the annotation sent by H is dominated by the b polynomials of degree O(h) = O(c^α).

To prove the lower bound, we give a simple reduction from index to matrix–vector multiplication. Suppose we have an instance (x, k) of index where x ∈ {0, 1}^{n^2} and k ∈ [n^2]. Alice constructs an n × n matrix A from x alone, in which A_{i,j} = 1 if x_{f(i,j)} = 1, where f is a 1-1 correspondence [n] × [n] → [n^2], and A_{i,j} = 0 otherwise.
Let (i, j) be the pair with f(i, j) = k. Bob then constructs a vector χ ∈ R^n such that χ_j = 1 and all other entries of χ are 0. Then the i-th entry of Aχ is A_{i,j} = x_{f(i,j)}, and therefore the value of x_k can be extracted from the vector Aχ. Therefore, if we had an (h, v) protocol for verifying matrix–vector multiplication for an n × n matrix A (even for a stream in which all entries of A come before all entries of the vector), we would obtain an (h, v) protocol for an index instance of size n^2. The lower bound for matrix–vector multiplication thus follows from the lower bound for index given in [6, Theorem 3.1]. Corollary 3.8.
For c ≥ b there is a valid (c^{1+α}, c^{1−α}) protocol for the LP streaming problem.

Proof. This follows by using the protocol of Theorem 3.7 to verify Ax ≤ b and A^T y ≥ c within the protocol of Theorem 3.4. The cost is (bc^α + cb^α, c^{1−α} + b^{1−α}), so if c ≥ b, this is dominated by (c^{1+α}, c^{1−α}) (symmetrically, if b > c, the cost is (b^{1+α}, b^{1−α})).

Our protocol for linear programming relied on only two properties: strong duality, and the ability to compute the value of a solution x and check feasibility via matrix–vector multiplication. These properties also hold for more general convex optimization problems, such as quadratic programming and a large class of second-order cone programs. Thus, similar results apply for these mathematical programs, motivated by applications in which weak peripheral devices or sensors perform error correction on signals. We omit the full details from this presentation.

Theorem 3.7 also implies the existence of protocols for graph problems in which both hcost and vcost are sublinear in the size of the input (for dense graphs). These include:

• An (n^{1+α}, n^{1−α}) protocol for verifying that λ is an eigenvalue of the adjacency matrix A or of the Laplacian L of G: H provides the corresponding eigenvector x, and V can use the protocol of Theorem 3.7 to verify that Ax = λx or Lx = λx.

• An (n^{1+α}, n^{1−α}) protocol for determining the effective resistance between designated nodes s and t in G, where the edge weights are resistances. The problem reduces to solving an n × n system of linear equations [16].

Next, we give protocols by appealing to known non-streaming algorithms for graph problems. At a high level, we can imagine the helper running an algorithm on the graph, and presenting a "transcript" of the operations carried out by the algorithm as the proof to V that the final result is correct.
Equivalently, we can imagine that V runs the algorithm but, since the data structures are large, they are stored by H, who provides the contents of memory needed for each step. There may be many choices of which algorithm to simulate, and of the implementation details of that algorithm: our aim is to choose ones that result in smaller annotations.

To make this concrete, consider the case of requiring the graph to be presented in a particular order, such as depth-first order. Starting from a given node, the exploration retrieves nodes in order, based on the pattern of edges. Assuming an adjacency list representation, a natural implementation of the search in the traditional model of computation maintains a stack of edges (representing the current path being explored). Edges incident on the current node being explored are pushed, and pops occur whenever all nodes connected to the current node have already been visited. H can allow V to recreate this exploration by providing at each step the next node to push, or the new head of the stack when a pop occurs, and so on. To ensure the correctness of the protocol, additional checking information can be provided, such as pointers to the location in the stack when a node is visited that has already been encountered.

We provide protocols for breadth-first search and depth-first search in Appendix A, based on this idea of "augmenting a transcript" of a traditional algorithm. However, while the resulting protocols are lightweight, it rapidly becomes tedious to devise appropriate protocols for other computations based on this idea. Instead, we introduce a more general approach which shows that any deterministic algorithm to solve a given problem can be converted into a protocol in our model: the running time of the algorithm in the RAM model becomes the size of the proof in our setting.

Our main technical tool is the off-line memory checker of Blum et al. [11], which we use to efficiently verify a sequence of accesses to a large memory.
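A minimal sketch of such an off-line memory checker follows (the full construction, described in the next paragraph, is from [11]; the class layout, the packing of (address, value, timestamp) triples, and the product-form multiset fingerprint are our own illustrative choices). The untrusted memory holds (value, timestamp) pairs; the checker keeps only a clock and two fingerprints.

```python
import random

P = 2**61 - 1   # illustrative prime modulus
B = 2**20       # packing base: assumes addr, val, ts < B, so B**3 < P

def encode(addr, val, ts):
    # injective packing of (addr, val, ts) into a single field element
    return (addr * B * B + val * B + ts) % P

class MemChecker:
    """Sketch of an off-line memory checker in the spirit of Blum et al. [11]."""
    def __init__(self, size, rng):
        self.z = rng.randrange(1, P)  # random evaluation point for fingerprints
        self.t = 0
        self.fp_writes = 1            # fingerprint: product of (z - item)
        self.fp_reads = 1
        self.size = size

    def _mix(self, fp, item):
        return fp * ((self.z - item) % P) % P

    def start(self, mem):
        # initialization: write 0 to every address at time 0
        for a in range(self.size):
            mem[a] = (0, 0)
            self.fp_writes = self._mix(self.fp_writes, encode(a, 0, 0))

    def access(self, mem, addr, new_val):
        """One operation, treated as a read of the old value followed by a
        write of the new one, as the protocol prescribes."""
        val, ts = mem[addr]           # untrusted response
        if ts > self.t:               # simple local timestamp check
            return None
        self.fp_reads = self._mix(self.fp_reads, encode(addr, val, ts))
        self.t += 1
        mem[addr] = (new_val, self.t)
        self.fp_writes = self._mix(self.fp_writes, encode(addr, new_val, self.t))
        return val

    def finish(self, mem):
        # a final read of every cell closes out the multisets; the transcript
        # is accepted iff the two fingerprints agree
        for a in range(self.size):
            val, ts = mem[a]
            self.fp_reads = self._mix(self.fp_reads, encode(a, val, ts))
        return self.fp_reads == self.fp_writes
```

Silently corrupting a stored value makes the read multiset differ from the write multiset, so the two fingerprints disagree except with probability inversely polynomial in the field size.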
Consider a memory transcript of a sequence of read and write operations to this memory (initialized to all zeros). Such a transcript is valid if each read of address i returns the last value written to that address. The protocol of Blum et al. requires each read to be accompanied by the timestamp of the last write to that address, and treats each operation (read or write) as a read of the old value followed by the write of a new value. Then, to ensure validity of the transcript, it suffices to check that a fingerprint of all write operations (augmented with timestamps) matches a fingerprint of all read operations (using the provided timestamps), along with some simple local checks on the timestamps. Consequently, any valid (timestamp-augmented) transcript is accepted by V, while any invalid transcript is rejected by V with high probability. We use this memory checker to obtain the following general simulation result. Theorem 4.1.
Suppose P is a graph problem possessing a non-randomized algorithm M in the random-access memory model that, when given G = (V, E) in adjacency list or adjacency matrix form, outputs P(G) in time t(m, n), where m = |E| and n = |V|. Then there is an (m + t(m, n), 1) protocol for P.

Proof sketch. H first repeats (the non-zero locations of) a valid adjacency list or matrix representation of G, as writes to the memory (which is checked by V); V uses fingerprints to ensure that the edges included in the representation correspond precisely to those that appeared in the stream, and can use local checks to ensure the representation is otherwise valid. This requires O(m) annotation and effectively initializes memory for the subsequent simulation. Thereafter, H provides a valid augmented transcript T′ of the read and write operations performed by algorithm M; V rejects if T′ is invalid, or if any read or write operation executed in T′ does not agree with the prescribed action of M. As only one read or write operation is performed by M in each timestep, the length of T′ is O(t(m, n)), resulting in an (m + t(m, n),
1) protocol for P.

Although Theorem 4.1 only allows the simulation of deterministic algorithms, H can non-deterministically "guess" an optimal solution S and prove optimality by invoking Theorem 4.1 on a (deterministic) algorithm that merely checks whether S is optimal. Unsurprisingly, it is often the case that the best-known algorithms for verifying optimality are more efficient than those for finding a solution from scratch (see e.g. the MST protocol below); therein lies much of the power of the simulation theorem. Theorem 4.2.
There is a valid (m, 1) protocol to find a minimum-cost spanning tree; a valid (m + n log n, 1) protocol to verify single-source shortest paths; and a valid (n^3, 1) protocol to verify all-pairs shortest paths.

Proof. We first prove the bound for MST. Given a spanning tree T, there exists a linear-time algorithm M for verifying that T is minimum (see e.g. [17]). Let M′ be the linear-time algorithm that, given G and a subset of edges T in adjacency matrix form, first checks that T is a spanning tree by ensuring |T| = n − 1 and that T is connected (by using e.g. breadth-first search), and then executes M to ensure T is minimum. We obtain an (m,
1) protocol for MST by having H provide a minimum spanning tree T and using Theorem 4.1 to simulate algorithm M′.

The upper bound for single-source shortest paths follows from Theorem 4.1 and the fact that there exist implementations of Dijkstra's algorithm that run in time O(m + n log n). The upper bound for all-pairs shortest paths likewise follows from Theorem 4.1 and the fact that the Floyd–Warshall algorithm runs in time O(n^3).

We now provide near-matching lower bounds for all three problems. Theorem 4.3.
Any protocol for verifying single-source or all-pairs shortest paths requires hcost · vcost = Ω(n^2) bits. Additionally, if edge weights may be specified incrementally, then an identical lower bound holds for MST.

Proof. The lower bounds for single-source and all-pairs shortest paths are inherited from shortest s–t path (Corollary 3.6).

To prove the lower bound for MST, we present a straightforward reduction from an instance (x, k) of index, where x ∈ {0, 1}^{n^2} and k ∈ [n^2]. Alice will construct a graph G_A with vertex set [n] and edge set E_A. Bob will then construct two graphs, G_1 and G_2, with E_{G_1} = E_A ∪ E_{B_1} and E_{G_2} = E_A ∪ E_{B_2}. If an edge (i, j) is in both E_A and E_{B_l}, then we interpret this to mean that the weight of edge (i, j) in G_l is the sum of its weights in E_A and E_{B_l}. Below, we write (i, j, w) to denote an edge between nodes i and j with weight w. Alice creates E_A = {(i, j,
1) : x_{f(i,j)} = 1} from x alone, where f is a bijection [n] × [n] → [n^2]. Bob creates E_{B_1} = {(u, v,
3) : f(u, v) ≠ k}, and E_{B_2} = E_{B_1} ∪ {(i, j, 1)}, where (i, j) is the edge satisfying f(i, j) = k. Edge (i, j), if it exists, is the lowest-weight edge in E_{G_1}, and hence (i, j) is in any min-cost spanning tree of G_1 if and only if x_k = 1. In contrast, (i, j) is always in the min-cost spanning tree of G_2. Therefore, if x_k = 1, then the minimum spanning tree of G_2 will be of higher cost than that of G_1, because the weight of (i, j) is 1 in E_{G_1} and 2 in E_{G_2}. And if x_k = 0, then the minimum spanning tree of G_2 will be of lower cost than that of G_1, because the weight of edge (i, j) is effectively ∞ in G_1 (the edge is absent) and 1 in G_2. Thus, by comparing the costs of the MSTs of G_1 and G_2, Bob can extract the value of x_k. The lower bound now follows from the hardness of index [6, Theorem 3.1]. Diameter.
The diameter of G can be verified via the all-pairs shortest path protocol above, butthe next protocol improves over the memory checking approach. Theorem 4.4.
There is a valid (n^2 log n, 1) protocol for computing the graph diameter. Further, any protocol for diameter requires hcost · vcost = Ω(n^2) bits.

Proof. [6, Theorem 5.2] gives an (n^2 log l,
1) protocol for verifying that A^l = B for a matrix A presented in a data stream and any positive integer l. Note that if A is the adjacency matrix of G, then (I + A)^l_{ij} ≠ 0 if and only if there is a path of length at most l from i to j. Therefore, the diameter of G is equal to the unique l > 0 such that (I + A)^l_{ij} ≠ 0 for all (i, j), while (I + A)^{l−1}_{ij} = 0 for some (i, j). Our protocol requires H to send l to V, and then run the protocol of [6, Theorem 5.2] twice to verify that l is as claimed. Since the diameter is at most n −
1, this gives an (n^2 log n, 1) protocol. For the lower bound, we reduce from an instance (x, k) of index, where x ∈ {0, 1}^{n^2/4} and k ∈ [n^2/4]. Alice constructs a bipartite graph G = (V, E), with two partite sets of n/2 nodes each, from x alone: she includes edge (i, j) in E if and only if x_{f(i,j)} = 1, where f is a bijection from edges to indices. Bob then adds to G two nodes L and R, with edges from L to each node in the left partite set, edges from R to each node in the right partite set, and an edge between L and R. This ensures that the graph is connected, with diameter at most 3. Finally, Bob appends a path of length 2 to node i, and a path of length 2 to node j, where f(i, j) = k. If x_k = 0, then the diameter is now 7, while if x_k = 1, the diameter is 5. The lower bound follows from the hardness of index [6, Theorem 3.1] (this also shows that any protocol to approximate the diameter within a factor better than 7/5 requires hcost · vcost = Ω(n^2) bits; no effort has been made to optimize the inapproximability constant).

In this paper, we showed that a host of graph problems possess streaming protocols requiring only constant space and linear-sized annotations. For many applications of the annotation model, the priority is to minimize vcost, and these protocols achieve this goal. However, these results are qualitatively different from those involving numerical streams in the earlier work [6]: for the canonical problems of heavy hitters, frequency moments, and selection, it is trivial to achieve an (m,
1) protocol by having H replay the stream in sorted ("best") order. The contribution of [6] is in presenting protocols that obtain optimal tradeoffs between hcost and vcost, in which both quantities are sublinear in the size of the input. There are good reasons to seek such tradeoffs. For example, consider a verifier with access to a few MBs or GBs of working memory. If an (m,
1) protocol requires only a few KBs of space, it would be desirable to use more of the available memory to significantly reduce the running time of the verification protocol. In contrast to [6], it is non-trivial to obtain (m,
1) protocols for the graph problems we consider, and we obtain tradeoffs involving sublinear values of hcost and vcost for some problems with an algebraic flavor (e.g. matrix–vector multiplication, computing effective resistances, and eigenvalues of the Laplacian). We thus leave as an open question whether it is possible to obtain such tradeoffs for a wider class of graph problems, and in particular whether the use of memory checking can be adapted to provide tradeoffs.

A final open problem is to ensure that the work of H is scalable. In motivating settings such as cloud computing environments, the data is very large, and H may represent a distributed cluster of machines. It is a challenge to show that these protocols can be executed in a model such as the MapReduce framework. Acknowledgements.
We thank Moni Naor for suggesting the use of memory checking.
References

[1] A. McGregor, "Graph mining on streams," in Encyclopedia of Database Systems. Springer, 2009.
[2] J. Feigenbaum, S. Kannan, A. McGregor, S. Suri, and J. Zhang, "On graph problems in a semi-streaming model," Theor. Comput. Sci., vol. 348, no. 2, pp. 207–216, 2005.
[3] C. Demetrescu, I. Finocchi, and A. Ribichini, "Trading off space for passes in graph streaming problems," in SODA, 2006, pp. 714–723.
[4] G. Aggarwal, M. Datar, S. Rajagopalan, and M. Ruhl, "On the streaming model augmented with a sorting primitive," in FOCS, 2004, pp. 540–549.
[5] A. Das Sarma, R. J. Lipton, and D. Nanongkai, "Best-order streaming model," in Theory and Applications of Models of Computation, 2009, pp. 178–191.
[6] A. Chakrabarti, G. Cormode, and A. McGregor, "Annotations in data streams," in ICALP, 2009, pp. 222–234.
[7] R. J. Lipton, "Efficient checking of computations," in STACS, 1990, pp. 207–215.
[8] M. Yiu, Y. Lin, and K. Mouratidis, "Efficient verification of shortest path search via authenticated hints," in ICDE, 2010.
[9] K. L. Clarkson and D. P. Woodruff, "Numerical linear algebra in the streaming model," in STOC, 2009, pp. 205–214.
[10] T. Sarlos, "Improved approximation algorithms for large matrices via random projections," in FOCS, 2006.
[11] M. Blum, W. Evans, P. Gemmell, S. Kannan, and M. Naor, "Checking the correctness of memories," pp. 90–99, 1995.
[12] R. J. Lipton, "Fingerprinting sets," Princeton University, Tech. Rep. CS-TR-212-89, 1989.
[13] J. Kleinberg and E. Tardos, Algorithm Design, 2005.
[14] A. Schrijver, Combinatorial Optimization: Polyhedra and Efficiency, 2003.
[15] A. Schrijver, Theory of Linear and Integer Programming, 1986.
[16] B. Bollobas, Modern Graph Theory. Springer, 1998.
[17] V. King, "A simpler minimum spanning tree verification algorithm," Algorithmica, vol. 18, no. 2, pp. 263–270, 1997.
[18] J. Feigenbaum, S. Kannan, A. McGregor, S. Suri, and J. Zhang, "Graph distances in the data-stream model," SIAM J. Comput., vol. 38, no. 5, pp. 1709–1727, 2008.
Direct Protocols for Breadth First and Depth First Search
In this appendix, we consider the problem of "verifying" a breadth-first or depth-first search. Our goal is to force H to provide to V the edges of G in the order they would be visited by a non-streaming BFS or DFS algorithm, despite limiting V to logarithmic space. We can accomplish this with linear annotation simply by invoking Theorem 4.1 on a BFS or DFS algorithm; however, we now give "direct" protocols for this problem. Our protocols improve over Theorem 4.1 by constant factors, because we avoid having to replay the entire contents of memory at the beginning and end of the protocol. As an immediate corollary of our BFS protocol, we obtain an (m,
1) protocol for bipartiteness.

To make precise the notion of "verifying a BFS", we define the concept of a BFS transcript, using the concept of a label-augmented list of edges defined in Definition 2.2.
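As a warm-up, the level-by-level checks used in the BFS protocol below (formalized in Definitions A.1–A.2 and Theorem A.3) can be sketched in Python as follows. The transcript encoding here (a list of levels, each carrying claimed degrees for the next level and the edges at that level) is an illustrative assumption, not the paper's exact format; the verifier keeps only one pair of fingerprint accumulators, reused per level.

```python
import random

P = 2**61 - 1  # illustrative prime modulus

def verify_bfs_levels(transcript, rng):
    """Sketch of the level-consistency checks: `transcript` is a list where
    entry l is a pair (claimed, edges) with
      - claimed: (v, deg) pairs for the nodes announced at level l+1,
      - edges:   (u, v, lu, lv) tuples with min(lu, lv) = l.
    Fingerprints compare the multiset of announced nodes (with multiplicity
    equal to their claimed degree) against the observed cross edges."""
    z = rng.randrange(1, P)  # random evaluation point, unknown to the helper
    for l, (claimed, edges) in enumerate(transcript):
        fp_claim, fp_seen = 1, 1
        for v, deg in claimed:
            # v contributes with multiplicity deg_l(v)
            fp_claim = fp_claim * pow((z - v) % P, deg, P) % P
        for u, v, lu, lv in edges:
            if min(lu, lv) != l or abs(lu - lv) > 1:
                return False  # edges out of order, or an illegal level gap
            if lu != lv:      # a cross edge into level l+1
                w = v if lv == l + 1 else u
                fp_seen = fp_seen * ((z - w) % P) % P
        if fp_claim != fp_seen:
            return False      # claimed degrees disagree with observed edges
    return True
```

A cheating helper that misreports a degree or a level label is caught either by the local checks or (with high probability) by the fingerprint comparison.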
Definition A.1.
Given a connected undirected graph G, a BFS transcript T rooted at s is a label-augmented list of edges E′, with each label l(e, u) claimed to be the distance from s to u. Let d_e := min(l(e, u), l(e, v)). A BFS transcript is valid if: (a) edges are presented in increasing order of d_e; (b) E′ is a valid list of label-augmented edges; and (c) for all u and all e incident to u, l(e, u) is the (hop) distance from s to u.

For clarity, we make explicit the labels of each edge; a more concise protocol would group edges in order of l(e, u) + l(e, v). However, this does not alter the asymptotic cost.

It is easy to see that any valid BFS transcript corresponds to the order in which edges are visited in an actual BFS of G. We therefore seek a protocol that accepts any valid BFS transcript (possibly with additional annotation interleaved) and rejects any invalid BFS transcript with high probability; we say such a protocol verifies a BFS. This leads us to define augmented BFS transcripts.

Let T be a BFS transcript. We partition the edges by their distance, so that E_l = {e : d_e = l}. Likewise, we define V_l = {u | ∃e = (u, v) s.t. l(e, u) = l}. In a valid BFS transcript the sets V_l partition V, since l(e, u) gives the same distance from s to u every time it is listed; an invalid transcript may not have this property. Definition A.2.
An augmented BFS transcript T′ is a BFS transcript T in which, additionally, before each E_l, the set V_{l+1} is presented, along with degrees deg_l(v), defined as deg_l(v) = |{u | (u, v) ∈ E, u ∈ V_l, v ∈ V_{l+1}}|. The augmented BFS transcript is valid if the underlying BFS transcript is valid and all claimed degrees are truthful. Theorem A.3.
There is a valid (m, 1) protocol to accept a valid augmented BFS transcript.

Proof. To ensure Definition A.1 (a), V rejects if the edges are not presented in increasing order of d_e, which is trivial to check since l(e, u) and l(e, v) are presented for every edge. V ensures Definition A.1 (b) using the "Consistent Labels" protocol of Lemma 2.3.

To verify the augmented transcript, fingerprints ensure that the multiset {v ∈ V_{l+1} with multiplicity deg_l(v)} matches the multiset of edges e = (u, v) with l(e, u) = l and l(e, v) = l + 1. V (re)uses the same working memory to store these fingerprints for each level l in turn. To ensure Definition A.1 (c), V uses the augmented annotation at each edge-level to reject if a node at level l + 1 is not incident to any node at level l, or if an edge is ever presented with |l(e, u) − l(e, v)| >
1. An inductive argument then ensures that l(e, u) is the distance from s to u for all u and all e incident to u (the base case is just l(s) = 0). For the vcost, note that any valid augmented BFS transcript has length O(n + m) = O(m).

From this theorem, we obtain an (m,
1) protocol for bipartiteness: G is bipartite if and only if there is no edge e = (u, v) with l(e, u) = l(e, v), which is easily checked given a valid augmented BFS transcript. Further, any online protocol for bipartiteness requires hcost · vcost = Ω(n) bits, even when m = O(n); this lower bound follows by reducing bipartiteness to index [18], which has the same lower bound [6, Theorem 3.1].

Our approach for depth-first search is similar, but more involved. Analogously to BFS, we now define DFS transcripts. Definition A.4.
Given a connected undirected graph G, a DFS transcript consists of m + 2n rows, where each row is of the form edge(u, v), push(u), or pop(u). Each symbol push(u) (resp. pop(u)) represents a simulated push (pop) of node u on a (simulated) stack. Reading the transcript in order, the most recently pushed vertex that has not yet been popped is termed the "top" node. A DFS transcript is valid for G = (V, E) if:
(a) every v ∈ V is pushed exactly once, immediately after it first appears in an edge;
(b) every e ∈ E is presented exactly once, and is incident to the top node;
(c) every v ∈ V is popped exactly once, when it is the top and all edges incident to it have already appeared in the transcript.

The order in which edges are visited in an actual DFS of G always corresponds to the ordering of edges in a valid DFS transcript, and each simulated push and pop operation corresponds to an actual push or pop operation in the same DFS. Therefore, just as in the BFS case, we seek a protocol that accepts any valid DFS transcript (possibly with additional annotation on each event) and rejects invalid DFS transcripts with high probability. We write t(event, u) = t to denote that the t-th row of the transcript is event(u). Thus, the top node at time t is top(t) = arg max_u {t(push, u) | t(push, u) ≤ t < t(pop, u)}, and we say the stack height at time t is height(t) = |{u | t(push, u) ≤ t < t(pop, u)}|. Definition A.5.
An augmented DFS transcript T′ is a DFS transcript where, in addition:
(a) before the edges, triples (u, level(u), ntop(u)) are listed for each node in order;
(b) every edge e = (u, v) is annotated with (t(push, u), t(pop, u), t(push, v), t(pop, v));
(c) each pop(u) with t(pop, u) = t is annotated with (v, t(push, v), t(pop, v)), where v = top(t + 1). Definition A.6.
We say an augmented DFS transcript is valid if:
(a) the underlying DFS transcript is valid;
(b) for all u, level(u) = height(t(push, u)) and ntop(u) = |{t | top(t) = u}|;
(c) all t(push, u) and t(pop, u) annotations are consistent;
(d) the triple after each pop event correctly identifies the new top. Theorem A.7.
There is a valid (m, 1) protocol to accept a valid augmented DFS transcript.

Proof. To ensure Definition A.6 (b), V initially computes a fingerprint f_1 of the multiset {(u, level(u)) with multiplicity ntop(u)}. Throughout the protocol, V also tracks height(t), and maintains a fingerprint f_2 of all (top(t), height(t)) pairs observed while reading the augmented DFS transcript. If property (b) is satisfied, f_1 and f_2 will match; otherwise they will differ with high probability. This is essentially the "Consistent Labels" protocol applied to this setting.

For Definition A.6 (c), we use the "Consistent Labels" protocol of Lemma 2.3 to ensure that the claimed push times are consistent for all nodes. This protocol presents a list of nodes in sorted order, accompanied by their t(push, u) values. This list is also used to check that exactly one push event is claimed for each node: a fingerprint of the list can then be compared to one generated directly from the transcript. The case for pop is identical.

For Definition A.6 (d), V can reject if the triple of Definition A.5 (c) has t(push, v) > t or t(pop, v) < t. Observe that the stack must have the same height every time v is claimed to be the top, else the fingerprints f_1 and f_2 will differ (whp). Thus we can assume that v is always reported as top at the same height, which is h = height(t(push, v)). We argue that at any timestep t there can be only one node v at height h such that t(push, v) ≤ t < t(pop, v). If not, then let u and v be a "witness" pair of nodes both claimed to be at height h such that t(push, v) < t(push, u) < t(pop, v): if there are many such nodes, then pick v with the smallest value of t(push, v), and u likewise with the smallest t(push, u) such that the condition is met. For this to happen, there must have been a pop event to bring the height below h; either this pop is of v itself, contradicting the assumptions, or of some other node, w.
Assuming that t(push, w) < t(pop, w) (else our other checks identify this error), then v and w form a witness pair with t(push, w) < t(pop, w) < t(push, u), contradicting the claim that u and v formed the earliest witness pair.

Next, we ensure that the underlying DFS transcript is valid. Definition A.4 (a) is easy to check, given Definition A.6 (c), by having V reject if the t-th row of the transcript is edge(u, v) and is annotated with t(push, v) > t + 1. Definition A.4 (b) is also easy to check given Definition A.6 (d): V tracks top(t), implicit from push operations or from the annotations on pop events. This leaves Definition A.4 (c), i.e. ensuring that nodes are popped at the correct times. To accomplish this, it suffices to have V reject if the t-th row of the transcript is edge(u, v) and is annotated with t(pop, u) < t, or if the t-th row is pop(u) and top(t) ≠ u. These rules ensure pop(v) cannot occur "too early", i.e. before all edges incident to v have been presented: when such an edge is presented in row t, V will reject due to t(pop, v) < t. Likewise, v cannot be popped "too late", since if top(t) = v and there are no more edges incident on v, the next edge will not be incident on top(t) (required by Definition A.4 (b)) unless v