Negligible function
Negligible function
Main page
N

Negligible function

logo
Community Hub0 subscribers
Read side by side
Negligible function
View on Wikipedia
from Wikipedia

In mathematics, a negligible function is a function such that for every positive integer c there exists an integer Nc such that for all x > Nc,

Equivalently, the following definition may be used. A function is negligible, if for every positive polynomial poly(·) there exists an integer Npoly > 0 such that for all x > Npoly

History

[edit]

The concept of negligibility can find its trace back to sound models of analysis. Though the concepts of "continuity" and "infinitesimal" became important in mathematics during Newton and Leibniz's time (1680s), they were not well-defined until the late 1810s. The first reasonably rigorous definition of continuity in mathematical analysis was due to Bernard Bolzano, who wrote in 1817 the modern definition of continuity. Later Cauchy, Weierstrass and Heine also defined as follows (with all numbers in the real number domain ):

(Continuous function) A function is continuous at if for every , there exists a positive number such that implies

This classic definition of continuity can be transformed into the definition of negligibility in a few steps by changing parameters used in the definition. First, in the case with , we must define the concept of "infinitesimal function":

(Infinitesimal) A continuous function is infinitesimal (as goes to infinity) if for every there exists such that for all
[citation needed]

Next, we replace by the functions where or by where is a positive polynomial. This leads to the definitions of negligible functions given at the top of this article. Since the constants can be expressed as with a constant polynomial, this shows that infinitesimal functions are a superset of negligible functions.

Use in cryptography

[edit]

In complexity-based modern cryptography, a security scheme is provably secure if the probability of security failure (e.g., inverting a one-way function, distinguishing cryptographically strong pseudorandom bits from truly random bits) is negligible in terms of the input = cryptographic key length . Hence comes the definition at the top of the page because key length must be a natural number.

Nevertheless, the general notion of negligibility doesn't require that the input parameter is the key length . Indeed, can be any predetermined system metric and corresponding mathematical analysis would illustrate some hidden analytical behaviors of the system.

The reciprocal-of-polynomial formulation is used for the same reason that computational boundedness is defined as polynomial running time: it has mathematical closure properties that make it tractable in the asymptotic setting (see #Closure properties). For example, if an attack succeeds in violating a security condition only with negligible probability, and the attack is repeated a polynomial number of times, the success probability of the overall attack still remains negligible.

In practice one might want to have more concrete functions bounding the adversary's success probability and to choose the security parameter large enough that this probability is smaller than some threshold, say 2−128.

Closure properties

[edit]

One of the reasons that negligible functions are used in foundations of complexity-theoretic cryptography is that they obey closure properties.[1] Specifically,

  1. If are negligible, then the function is negligible.
  2. If is negligible and is any real polynomial, then the function is negligible.

Conversely, if is not negligible, then neither is for any real polynomial .

Examples

[edit]
  • is negligible for any :
    • Step: This is an exponential decay function where is a constant greater than or equal to 2. As , very quickly, making it negligible.
  • is negligible:
    • Step: This function has exponential decay with a base of 3, but the exponent grows slower than (only at ). As , , so it’s still negligible but decays slower than .
  • is negligible:
    • Step: In this case, represents a polynomial decay, with the exponent growing negatively due to . Since the decay rate increases with , the function goes to 0 faster than polynomial functions like for any constant , making it negligible.
  • is negligible:
    • Step: This function decays as the logarithm of raised to a negative exponent , which leads to a fast approach to 0 as . The decay here is faster than inverse logarithmic or polynomial rates, making it negligible.
  • is not negligible, for positive :
    • Step: We can rewrite this as , which is a polynomial decay rather than an exponential one. Since is positive, as , but it doesn’t decay as quickly as true exponential functions with respect to , making it non-negligible.

Assume , we take the limit as :

Negligible:

  • :
    • Step: This function decays exponentially with base raised to the power of . As , quickly, making it negligible.
  • for :
    • Step: We can simplify as , which decays faster than any polynomial. As , the function approaches zero and is considered negligible for any and .
  • for :
    • Step: The decay is determined by the base raised to the power of . Since grows with , this function approaches zero faster than polynomial decay, making it negligible.=
  • :
    • Step: Here, decays exponentially with a base of raised to . As , quickly, so it’s considered negligible.
  • :
    • Step: With an exponential base and exponent , this function would approach zero very rapidly, suggesting negligibility.

Non-negligible:

  • :
    • Step: Since as , this function decays very slowly, failing to approach zero quickly enough to be considered negligible.

See also

[edit]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Negligible function

View on Grokipedia
from Grokipedia
In mathematics and theoretical computer science, a negligible function is a function μ:NR\mu: \mathbb{N} \to \mathbb{R} that approaches zero asymptotically faster than the reciprocal of any positive polynomial, ensuring it becomes arbitrarily small relative to polynomial decay for sufficiently large inputs.[1] Formally, μ\mu is negligible if for every positive polynomial pp and every constant c>0c > 0, there exists an integer N>0N > 0 such that for all nNn \geq N, μ(n)<1/p(n)c|\mu(n)| < 1/p(n)^c.[2] This property distinguishes negligible functions from those that decay only polynomially, as the latter remain bounded below by some inverse polynomial infinitely often.[3] The concept originates in the foundations of modern cryptography, where it formalizes the notion of "insecurity" or adversarial advantage being computationally insignificant as the security parameter grows.[1] In cryptographic definitions, such as those for one-way functions, pseudorandom generators, or semantic security of encryption schemes, security is required to hold except with negligible probability over polynomial-time computations.[2] For instance, an encryption scheme is semantically secure if no efficient adversary can distinguish encryptions of two messages with advantage greater than a negligible function in the security parameter nn.[1] This asymptotic framework allows proofs to focus on worst-case behavior for large nn, abstracting away concrete security parameters while capturing practical irrelevance of tiny failure probabilities.[3] Negligible functions exhibit useful closure properties that facilitate their application in proofs: the sum (or finite linear combination) of negligible functions is negligible, and the product of a negligible function with any polynomially bounded function remains negligible.[3] Examples of negligible functions include exponential decays like 2n2^{-n} or sub-polynomial ones like 2n2^{-\sqrt{n}}, which outpace any 1/nc1/n^c for fixed cc.[2] In contrast, functions like 1/nk1/n^k for fixed kk are non-negligible, as they exceed 1/nk+11/n^{k+1} for arbitrarily large nn.[3] These traits ensure negligible functions model events too rare to exploit within feasible computational resources, underpinning the rigorous analysis of cryptographic protocols.[1]

Definition

Formal Definition

In asymptotic analysis, particularly within cryptography, a function μ:NR\mu: \mathbb{N} \to \mathbb{R} is defined as negligible if, for every positive integer cc, there exists a natural number NcN_c such that μ(n)<nc|\mu(n)| < n^{-c} for all nNcn \geq N_c.[4] This condition ensures that μ(n)\mu(n) diminishes to zero faster than the inverse of any polynomial in nn, capturing the notion of an "insignificant" quantity in the limit as nn grows large. An equivalent formulation states that μ\mu is negligible if, for every positive polynomial p()p(\cdot), there exists a natural number NN such that μ(n)<1/p(n)|\mu(n)| < 1/p(n) for all n>Nn > N. Here, nn typically serves as the security parameter in cryptographic contexts, such as the bit length of a cryptographic key, allowing definitions of security to hold asymptotically for all sufficiently large values of nn. This criterion quantifies probabilities or advantages that become computationally irrelevant, as no polynomial-time adversary can exploit them meaningfully in the large-nn regime.[4]

Equivalent Formulations

An alternative formulation of a negligible function μ:NR\mu: \mathbb{N} \to \mathbb{R} states that μ\mu is negligible if for every polynomial pp with p(n)>0p(n) > 0 for sufficiently large nn, there exists an integer NN such that for all n>Nn > N, μ(n)<1/p(n)|\mu(n)| < 1/p(n).[5] This definition captures the idea that μ(n)\mu(n) vanishes faster than the reciprocal of any polynomial growth. This polynomial inverse formulation is mathematically equivalent to the constant-exponent definition, where μ\mu is negligible if for every constant c>0c > 0, there exists NN such that for all n>Nn > N, μ(n)<nc|\mu(n)| < n^{-c}.[4] To see the equivalence, first note that the polynomial version implies the constant-exponent version by specializing p(n)=ncp(n) = n^c, yielding 1/p(n)=nc1/p(n) = n^{-c}. Conversely, for the constant-exponent version implying the polynomial one, consider a polynomial pp of degree dd with leading coefficient ad>0a_d > 0; then p(n)(ad+1)ndp(n) \leq (a_d + 1) n^d for large nn, so 1/p(n)1/((ad+1)nd)1/p(n) \geq 1/((a_d + 1) n^d). Choosing c=d+1c = d + 1 gives μ(n)<n(d+1)=nd/n|\mu(n)| < n^{-(d+1)} = n^{-d}/n. For sufficiently large n>ad+1n > a_d + 1, 1/n<1/(ad+1)1/n < 1/(a_d + 1), hence nd/n<1/((ad+1)nd)1/p(n)n^{-d}/n < 1/((a_d + 1) n^d) \leq 1/p(n), establishing μ(n)<1/p(n)|\mu(n)| < 1/p(n). The notion aligns with functions exhibiting superpolynomial decay, such as exponential functions like 2n2^{-n}, which satisfy negligibility because, for any c>0c > 0, 2n<nc2^{-n} < n^{-c} holds for sufficiently large nn (as exponential decay outpaces any polynomial).[6] Such rapid decay ensures the function becomes insignificant compared to any inverse-polynomial bound. The definition naturally extends to real-valued functions via the absolute value μ(n)|\mu(n)|, accommodating both positive and negative values while preserving the negligibility criterion. For non-discrete inputs, such as real-valued security parameters, the concept generalizes by evaluating μ(x)\mu(x) for xR+x \in \mathbb{R}^+ and applying the same bounds relative to polynomials in xx, though cryptographic applications typically restrict to natural numbers. Notably, while functions with finite support (zero for all but finitely many nn) or eventually zero are technically negligible, the intent focuses on asymptotically decaying functions rather than trivial cases that terminate abruptly.

Properties

Closure Properties

The set of negligible functions is closed under addition. Specifically, if μ1(n)\mu_1(n) and μ2(n)\mu_2(n) are negligible functions, then their sum μ1(n)+μ2(n)\mu_1(n) + \mu_2(n) is also negligible.[7] To see this using the cc-based definition, consider any positive integer cc. Since μ1\mu_1 is negligible, there exists N1N_1 such that for all n>N1n > N_1, μ1(n)<1/(2nc)|\mu_1(n)| < 1/(2n^c). Similarly, there exists N2N_2 such that for all n>N2n > N_2, μ2(n)<1/(2nc)|\mu_2(n)| < 1/(2n^c). Let N=max(N1,N2)N = \max(N_1, N_2). Then for all n>Nn > N, μ1(n)+μ2(n)<1/nc|\mu_1(n) + \mu_2(n)| < 1/n^c. Thus, the sum satisfies the definition of negligibility.[7] The set is also closed under multiplication by any polynomial. If μ(n)\mu(n) is negligible and q(n)q(n) is a polynomial of degree dd, then q(n)μ(n)q(n) \cdot \mu(n) is negligible.[7] For a proof outline, fix any positive integer cc. Define the polynomial s(n)=q(n)nc+1s(n) = q(n) \cdot n^{c+1}. Since μ\mu is negligible, there exists NN such that for all n>Nn > N, μ(n)<1/s(n)|\mu(n)| < 1/s(n). Therefore, q(n)μ(n)<q(n)/s(n)=1/nc+1<1/nc|q(n) \cdot \mu(n)| < q(n)/s(n) = 1/n^{c+1} < 1/n^c. This ensures the product meets the negligibility condition for every cc.[7] These properties extend to finite sums and products of negligible functions. For a fixed constant kk, the sum i=1kμi(n)\sum_{i=1}^k \mu_i(n) of kk negligible functions is negligible, as it follows by iteratively applying the addition closure, with bounds independent of kk since kk is constant. Similarly, the product i=1kμi(n)\prod_{i=1}^k \mu_i(n) is negligible, because each μi(n)\mu_i(n) is smaller than any inverse polynomial, and the finite product preserves this superpolynomial decay.[7] However, the set of negligible functions is not closed under certain other operations. For instance, multiplication by a superpolynomial function may yield a non-negligible result. Consider μ(n)=2n\mu(n) = 2^{-n}, which is negligible since limnnc2n=0\lim_{n \to \infty} n^c \cdot 2^{-n} = 0 for any c>0c > 0.[7] Yet, multiplying by the superpolynomial 2n2^n gives 2n2n=12^n \cdot 2^{-n} = 1, a constant function that is not negligible, as there exists a polynomial p(n)=np(n) = n such that 11/n1 \not< 1/n for all nn.[8] A similar issue arises with infinite sums: while finite sums preserve negligibility, an infinite sum of negligible functions need not be negligible in general, as the accumulated terms may fail to decay faster than every inverse polynomial if the number of significant terms grows without bound relative to the security parameter.[9]

Asymptotic Relations

A negligible function μ(n)\mu(n) satisfies μ(n)0\mu(n) \to 0 as nn \to \infty, meaning μ(n)=o(1)\mu(n) = o(1).[2] However, the converse does not hold: there exist functions that are o(1)o(1) but not negligible, such as 1logn\frac{1}{\log n}, which approaches zero but fails the stricter condition of decaying faster than the inverse of every polynomial (e.g., for p(n)=np(n) = n and c=1c=1, 1logn>1n\frac{1}{\log n} > \frac{1}{n} for all sufficiently large nn).[10] Negligible functions exhibit superpolynomial decay, meaning they vanish asymptotically faster than 1/q(n)1/q(n) for any polynomial q(n)q(n); this contrasts with non-negligible functions like those bounded below by 1/poly(n)1/\mathrm{poly}(n) infinitely often, which may still be relevant in polynomial-time analyses.[2] For any fixed positive integer kk, a negligible function μ(n)\mu(n) satisfies μ(n)=o(1/nk)\mu(n) = o(1/n^k). To see this, consider the polynomial p(n)=nkp(n) = n^k; by definition, there exists NN such that for all n>Nn > N, μ(n)<1/p(n)=1/nk|\mu(n)| < 1/p(n) = 1/n^k, so μ(n)nk<1\mu(n) \cdot n^k < 1 eventually, implying limnμ(n)nk=0\lim_{n \to \infty} \mu(n) \cdot n^k = 0.[2] Negligible functions form a strict subset of the class of functions ff such that f(n)0f(n) \to 0 (i.e., o(1)o(1)), which in turn is a strict subset of the bounded functions (those satisfying f(n)M|f(n)| \leq M for some constant MM and all nn). The inclusion negligible o(1)\subset o(1) holds as established, with 1logn\frac{1}{\log n} as a counterexample for the reverse. The inclusion o(1)o(1) \subset bounded holds because any f(n)0f(n) \to 0 is eventually less than 1 in absolute value and thus bounded (adjusting for finitely many initial values), but the constant function f(n)=1f(n) = 1 is bounded yet does not approach zero.[1][2]

History

Early Concepts in Analysis

The roots of negligible functions trace back to 19th-century efforts to rigorize calculus by addressing infinitesimals and vanishing quantities in the context of limits and continuity. In 1817, Bernard Bolzano introduced a definition of continuity in his Rein analytischer Beweis des Lehrsatzes: Eine kontinuierliche Function, in jedem Intervalle einen Werth annimmt, welcher zwischen ihren Werten an den beiden Endpunkten dieses Intervalles liegt, emphasizing that for a function to be continuous at a point, the difference in function values must be smaller than any given positive quantity whenever the difference in arguments is sufficiently small, thereby avoiding reliance on undefined infinitesimals.[11] This approach implied quantities that could be made arbitrarily small without being zero, prefiguring the idea of functions diminishing faster than any fixed rate. Augustin-Louis Cauchy advanced this in his 1821 Cours d'analyse, where he defined limits using the concept of variable quantities approaching a fixed value, laying groundwork for precise statements about rates of convergence in series and integrals. He further rejected the notion of infinitesimals as entities existing before or after vanishing in his 1823 Résumé des leçons sur le calcul infinitésimal: "We shall not say, as many geometers do, that a quantity is infinitely small before it vanishes or after it has vanished, but at the very moment when it vanishes." Cauchy's framework treated such vanishing quantities as approachable zeros. Building on this, Karl Weierstrass formalized the ε-δ definition of a limit in his 1861 Berlin lectures, stating that a function f(x) approaches L as x approaches a if for every ε > 0 there exists δ > 0 such that if 0 < |x - a| < δ, then |f(x) - L| < ε, rendering infinitesimals obsolete by quantifying arbitrary smallness directly.[12] Eduard Heine, in 1872, extended this rigor to uniform continuity, requiring the δ to be independent of the point in the domain, further clarifying conditions under which function variations remain controlled by vanishingly small inputs across intervals.[12] In the 1960s and 1970s, probabilistic models incorporated similar notions of negligible errors within approximation theorems, particularly in stochastic processes and statistical inference, where error terms diminish relative to sample size or parameter scales. For instance, extensions of the Berry–Esseen theorem provided uniform bounds on the difference between cumulative distribution functions of normalized sums and the standard normal, with error rates on the order of O(1/√n) that become negligible for large n, enabling reliable approximations in central limit scenarios. These developments in sound probabilistic frameworks, such as those in stochastic approximation algorithms, emphasized error contributions that vanish asymptotically, bridging continuous analysis to statistical applications. Non-standard analysis, pioneered by Abraham Robinson in 1961, offered a rigorous revival of infinitesimals through hyperreal numbers, an extension of the reals incorporating non-zero quantities smaller than any positive real (infinitesimals) and their reciprocals (infinite numbers).[13] In this system, a function takes infinitesimal values near a point if its hyperreal extension yields outputs in the monad of zero, corresponding to "infinitely small" non-zero perturbations that align conceptually with modern negligible behaviors, as they are negligible compared to any standard positive scale.[13] The transition to discrete mathematics appeared in early 20th-century number theory, where limit theorems employed error terms that vanish relative to the primary asymptotic growth, serving as analogs to continuous vanishing quantities. The prime number theorem, proved independently by Jacques Hadamard and Charles Jean de la Vallée Poussin in 1896, states that the number of primes up to x is approximately x / log x, with initial error estimates showing the relative discrepancy tends to zero as x → ∞, prefiguring discrete negligibility before computational complexity formalized such ideas.[14] Subsequent refinements in the 1920s–1950s, such as those by Hardy and Littlewood, quantified these errors as o(x / log x), highlighting functions that diminish faster than logarithmic scales in integer contexts.[14]

Formalization in Cryptography

The formalization of negligible functions in cryptography began in the early 1980s, coinciding with the shift toward provable security based on computational complexity. The concept was first explicitly invoked in the collaborative works of Shafi Goldwasser, Silvio Micali, and Charles Rackoff from 1983 to 1985, notably in their seminal 1985 paper on the knowledge complexity of interactive proof systems, where they introduced "non-negligible probability" to describe adversary success rates that must be avoided for soundness. In this context, they contrasted such probabilities with those too small to impact security in polynomial-time settings, such as those bounded by 1/poly(n) for security parameter n. This usage marked the initial discrete adaptation of infinitesimal notions from analysis to cryptographic adversaries, focusing on semantic security and zero-knowledge protocols where success probabilities for breaking the system are deemed insignificant if they diminish faster than any polynomial inverse.[15] Refinements to the notion appeared concurrently in Andrew Chi-Chih Yao's contributions to complexity-theoretic cryptography between 1982 and 1986. Yao's foundational paper on trapdoor functions implicitly relied on analogous ideas of asymptotically vanishing probabilities for pseudorandomness and one-wayness, without the explicit term but establishing the framework for bounding adversary advantages in computational terms. The formal definition of a negligible function—requiring that for every positive polynomial p(·), the function μ(n) satisfies μ(n) < 1/p(n) for sufficiently large n—was crystallized in subsequent papers of the era, including early security analyses of protocols like the Diffie-Hellman key exchange. These proofs demanded that no polynomial-time adversary could compute shared secrets with non-negligible probability, solidifying the polynomial inverse bound as the cornerstone of asymptotic security reductions.[16] By the 1990s, negligible functions achieved standardization across cryptographic theory, appearing consistently in textbooks and monographs that formalized provable security. Oded Goldreich's "Foundations of Cryptography" series exemplified this evolution, providing a precise definition tied to the polynomial inverse condition and integrating it into broader discussions of pseudorandomness and zero-knowledge. While minor variants emerged in quantum cryptography—such as statistical negligibility for unbounded adversaries—the core computational definition remained unaltered, preserving its role in ensuring security against quantum polynomial-time attacks. Key papers establishing the bound include Goldwasser, Micali, and Rackoff's 1985 work and Mihir Bellare's 1997 note, which distinguished pointwise from uniform negligibility to refine ensemble-based security.[1][4]

Applications

In Cryptography

In cryptography, security definitions for primitives such as encryption schemes, signature schemes, and pseudorandom generators are typically framed in terms of computational hardness against probabilistic polynomial-time adversaries. A primitive is considered secure if the adversary's advantage—measured as the difference between its success probability in attacking the primitive and that under a random or ideal model—is a negligible function of the security parameter $ n $ (often the key length or bit security level).[17] This approach, introduced in the context of probabilistic encryption, ensures that no efficient attacker can succeed with more than negligible probability, even if superpolynomial computation is infeasible. For instance, in the definition of a one-way function $ f: {0,1}^n \to {0,1}^m $, $ f $ is hard to invert if for every probabilistic polynomial-time inverter $ A $, the probability $ \Pr[A(1^n, f(x)) \in f^{-1}(f(x))] $ (where $ x \leftarrow {0,1}^n $) is negligible in $ n $.[4] Negligible advantages play a central role in reduction-based proofs of security, particularly for pseudorandom generators (PRGs) and one-way functions. For a PRG $ G: {0,1}^n \to {0,1}^{l(n)} $ with superlinear stretch $ l(n) > n $, security requires that the output distribution is computationally indistinguishable from uniform randomness, meaning no distinguisher $ D $ has non-negligible advantage $ |\Pr[D(G(s)) = 1] - \Pr[D(U_{l(n)}) = 1]| $ (where $ s \leftarrow {0,1}^n $, $ U_m $ is uniform on $ m $ bits).[18] In proofs reducing PRG security to one-way functions, the closure property of negligible functions ensures that composing multiple negligible advantages (e.g., via hybrid steps) yields an overall negligible bound. Similarly, for pseudorandom functions, security reductions rely on the fact that polynomial sums or products of negligible functions remain negligible.[4] A key application is in defining computational indistinguishability of ensemble distributions $ {X_n} $ and $ {Y_n} $, where they are indistinguishable if for every probabilistic polynomial-time distinguisher $ A $, the advantage $ |\Pr[A(X_n) = 1] - \Pr[A(Y_n) = 1]| $ is negligible in $ n $.[17] Hybrid arguments exploit this by constructing an intermediate sequence of distributions $ H_0 = X_n, H_1, \dots, H_t = Y_n $ (with $ t $ polynomial in $ n $), where each consecutive pair $ H_i $ and $ H_{i+1} $ is indistinguishable with negligible advantage $ \epsilon(n) $; the triangle inequality then bounds the total distinguishing advantage by $ t \cdot \epsilon(n) $, which remains negligible.[18] This technique underpins proofs for many protocols, such as secure multi-party computation and zero-knowledge proofs. Practically, negligible functions model security against polynomial-time adversaries while allowing for computational overhead, contrasting with information-theoretic security where advantages are exactly zero (or exponentially small) regardless of computation. This enables efficient constructions based on assumptions like the hardness of factoring, where security holds as long as no polynomial-time algorithm breaks the assumption with non-negligible probability.[17]

In Computational Complexity

In computational complexity theory, negligible functions play a crucial role in defining and analyzing randomized algorithms, particularly within the bounded-error probabilistic polynomial-time class BPP. A language is in BPP if there exists a probabilistic polynomial-time Turing machine that accepts inputs in the language with probability at least 2/3 and rejects inputs not in the language with probability at least 2/3. This constant error bound of 1/3 can be amplified to an exponentially small or negligible error probability through repeated independent executions of the algorithm, leveraging the closure of negligible functions under addition: if multiple runs are taken and a majority vote is used, the overall error probability becomes negligible in the input size. Such amplification ensures that the defining properties of BPP are robust and independent of the specific constant error threshold, as long as it is bounded away from 1/2.[19] Negligible functions also appear in the study of promise problems, where the input is guaranteed to belong to one of two disjoint sets (yes or no instances), and the goal is to decide correctly with high probability. In average-case complexity, which extends worst-case analysis to distributions over inputs, algorithms are considered efficient if they succeed on all but a negligible fraction of the input space under the given distribution.[20] For instance, in promise problems related to NP, such as those involving search-to-decision reductions, negligible gaps between yes and no instances ensure that average-case hardness implies worst-case hardness, providing a framework for understanding the distributionally robust behavior of complexity classes.[21] Derandomization techniques further highlight the role of negligible functions, particularly through hitting set generators, which are deterministic constructions that "hit" all accepting random strings of a probabilistic algorithm with one-sided error. Under circuit lower bound assumptions, such generators can derandomize BPP algorithms, replacing random bits with pseudorandom ones such that the failure probability over the generated set is negligible.[22] This connects to broader efforts in proving BPP ⊆ P, where the negligible error in the derandomized simulation preserves the original algorithm's guarantees. Beyond core complexity classes, negligible functions inform error bounds in other areas. In probably approximately correct (PAC) learning, extensions like probably almost exactly correct (PAExact) learning require hypotheses that approximate the target concept with negligible error, bridging exact learning and standard PAC frameworks with polynomial error tolerances.[23] Similarly, in quantum query complexity models, negligible failure probabilities quantify the advantage of quantum algorithms over classical ones in decision problems, such as distinguishing functions where quantum queries succeed with probability 1 minus negligible, while classical methods require more queries.

Examples

Negligible Functions

Negligible functions exhibit decay rates that surpass the inverse of any polynomial in the security parameter nn, ensuring they become arbitrarily small compared to polynomial bounds. Exponential decay functions, such as μ(n)=2n\mu(n) = 2^{-n} or more generally μ(n)=an\mu(n) = a^{-n} for any constant a>1a > 1, are quintessential examples of negligible functions. To verify this using the definition, consider any positive integer cc. Since n/log2nn / \log_{2} n \to \infty, there exists NN such that for all nNn \geq N, n>clog2nn > c \log_{2} n, implying 2n>nc2^{n} > n^{c} and thus 2n<nc2^{-n} < n^{-c}. The same argument extends to ana^{-n} by adjusting the base in the logarithmic comparison. Sub-exponential functions also qualify, illustrating decay slower than full exponential but still superpolynomial. For instance, μ(n)=3n\mu(n) = 3^{-\sqrt{n}} is negligible: for any c>0c > 0, nln3>clnn\sqrt{n} \ln 3 > c \ln n holds for sufficiently large nn because n/lnn\sqrt{n} / \ln n \to \infty, so 3n<nc3^{-\sqrt{n}} < n^{-c}.[24] Another example is μ(n)=nlogn\mu(n) = n^{-\log n}, where logn\log n denotes the natural logarithm (base irrelevant for asymptotics). Here, for any c>0c > 0, eventually logn>c\log n > c, yielding nlogn<ncn^{-\log n} < n^{-c}.[25] Composite forms further exemplify negligible behavior while highlighting pure decay cases. The function μ(n)=1/n!\mu(n) = 1/n! decays factorially, far exceeding exponential rates; by Stirling's approximation, n!2πn(n/e)nn! \approx \sqrt{2 \pi n} (n/e)^{n}, so 1/n!ennn/2πn1/n! \approx e^{-n} n^{-n} / \sqrt{2 \pi n}, which is negligible as the nnn^{-n} term dominates any polynomial. Products like 2nnk2^{-n} \cdot n^{-k} for fixed kk remain negligible, but pure exponentials and sub-exponentials suffice for most analyses. These functions are pivotal in cryptography, commonly modeling the negligible success probability of exhaustive search attacks, such as brute-forcing an nn-bit key with chance 2n2^{-n}.[26]

Non-Negligible Functions

Non-negligible functions are those that fail to satisfy the condition for negligibility, meaning there exists some positive integer constant cc such that the function exceeds 1/nc1/n^c for infinitely many nn. These functions decay toward zero but not sufficiently rapidly to be dismissed as insignificant in asymptotic analyses, particularly in cryptography where they represent probabilities that cannot be ignored.[25] A classic example of a non-negligible function is the inverse of a fixed-degree polynomial, such as f(n)=1/nkf(n) = 1/n^k for some fixed positive integer kk. This function is non-negligible because, for c=k+1c = k+1, f(n)=1/nk>1/nk+1f(n) = 1/n^k > 1/n^{k+1} holds for all n>1n > 1, violating the negligibility requirement that f(n)<1/ncf(n) < 1/n^c for all sufficiently large nn. Similarly, 1/n1001/n^{100} remains bounded below by 1/n1011/n^{101} for all large nn, confirming its non-negligible nature.[2][2] Functions involving slower-growing terms, like logarithmic decay, also qualify as non-negligible. For instance, g(n)=1/logng(n) = 1/\log n (for n>1n > 1) approaches zero but exceeds any inverse polynomial bound infinitely often; specifically, for any ϵ>0\epsilon > 0, 1/logn>1/nϵ1/\log n > 1/n^\epsilon for all sufficiently large nn since logn=o(nϵ)\log n = o(n^\epsilon). Another example is h(n)=2clognh(n) = 2^{-c \log n} for constant c>0c > 0, which simplifies to ncn^{-c} and thus behaves like a polynomial inverse, failing negligibility for c>cc' > c. These illustrate boundaries where decay is sub-polynomial in speed.[27][27] Sporadic non-negligible functions highlight cases where the exceedance occurs only infinitely often, not eventually always. Consider μ(n)=2n\mu(n) = 2^{-n} if nn is even and μ(n)=1/n3\mu(n) = 1/n^3 if nn is odd. This is negligible on even inputs (exponentially small) but non-negligible overall, as for odd nn, μ(n)=1/n31/n4\mu(n) = 1/n^3 \geq 1/n^4 holds for all such n1n \geq 1, occurring infinitely often. Such functions are non-negligible because there exists c=4c=4 where the bound is violated infinitely often, even if negligible on complementary inputs. In cryptographic contexts, non-negligible functions signify "noticeable" events, such as the success probability of a polynomial-time adversary in breaking a scheme; for example, an advantage of 1/nk1/n^k allows attacks feasible within polynomial resources, undermining computational security guarantees.[25]

References

  1. [PDF] Foundations of Cryptography { A Primer
  2. [PDF] A Graduate Course in Applied Cryptography - CIS UPenn
  3. [PDF] Lecture 1: Introduction, Negligible Functions
  4. [PDF] A Note on Negligible Functions - Cryptology ePrint Archive
  5. [PDF] Foundations of Cryptography 89-856 | Yehuda Lindell
  6. One-Way Functions | CS 4501 Crypto - Wei-Kai Lin
  7. [PDF] book.pdf - A Graduate Course in Applied Cryptography
  8. https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek
  9. [PDF] A Note on Negligible Functions - UCSD CSE
  10. [PDF] 23/09/2024. Lecture 3. 1 Polynomials in modular arithmetic. - LIRMM
  11. [PDF] Bolzano, Cauchy and the intermediate value theorem - HAL
  12. [PDF] Who Gave You the Epsilon? Cauchy and the Origins of Rigorous ...
  13. [1502.06942] On the history of epsilontics - arXiv
  14. Maximum Lq-likelihood estimation - Project Euclid
  15. On Stochastic Approximation | Theory of Probability &amp - SIAM.org
  16. https://math.uchicago.edu/~may/VIGRE/VIGRE2009/REUPapers/Davis.pdf
  17. 254A, Notes 2: Complex-analytic multiplicative number theory
  18. The Knowledge Complexity of Interactive Proof Systems
  19. [PDF] Theory and Applications of Trapdoor Functions
  20. [PDF] A NOTE ON COMPUTATIONAL INDISTINGUISHABILITY 1
  21. [PDF] An Overview of the Hybrid Argument - Cryptology ePrint Archive
  22. [PDF] Another proof that BPP ⊆ PH (and more)
  23. [PDF] Average Case Complexity, Revisited
  24. On Worst‐Case to Average‐Case Reductions for NP Problems
  25. [PDF] Simplified Derandomization of BPP Using a Hitting Set Generator
  26. Exploring learnability between exact and PAC - ScienceDirect.com
  27. [PDF] One-Way Functions 1 Noticeable and Negligible Functions
  28. [PDF] Computational Security. - Cryptography CS 555
  29. [PDF] Lecture 2: One Way Functions
  30. [PDF] Foundations of Cryptography – A Primer - Oded Goldreich
  31. [PDF] Lecture 4: Computationally secure cryptography 1 Topic Covered 2 ε ...
User Avatar
No comments yet.