We consider the satisfiability problem for circuits of limited size and/or depth. Say that an algorithm solving a Boolean satisfiability problem on n variables is improved iff it takes time O(2 cn ) for some constant c < 1, i.e. iff it is exponentially better than a brute force search. We show an improved algorithm for the satisfiability problem for circuits of constant depth and linear size. If improved upper bounds are not possible for a variant where the size is somewhat more than linear or the depth grows, can we provide evidence regarding the hardness of the problem? (note to authors: Did we actually discuss this question in greater depth in the paper? Maybe this should be reworded.)
Introduction
All NP-complete problems are equivalent as far as the existence of polynomial time algorithms is concerned. However, the exact complexities of these problems vary widely. There are frequently algorithms for NP-complete problems that achieve substantial improvement over exhaustive search. This raises the questions: Which problems have such improved algorithms? How much can we improve? Can we provide evidence that no improvement over some known algorithm is possible? Work addressing such questions, both from the algorithmic and complexity theoretic sides, has become known as exact complexity, and it is related to the field of parameterized complexity. While significant work has been done, both areas are still fairly new and leave open many problems. In particular, the answers and techniques seem to rely on the exact NP-complete problem in question, and there are few unifying techniques. (This is in some ways similar to the situation for the exact approximation ratios achievable for different NP-complete problems, which also is problem dependent. However, the use of probabilistically checkable proofs, and the unique games conjecture and related conjectures, provide very general tools for understanding approximability for a wide variety of problems. We are still looking for similar tools for exact complexity.)
From the viewpoint of exact complexity, the most studied and best understood problems are probably the restricted versions of the general satisfiability problem (SAT), in particular, k-SAT, a restriction of SAT to k-CNFs, and CNF-SAT, a restriction to general CNFs. There has been a sequence of highly nontrivial and interesting algorithmic approaches to these problems [Sch99, PPZ99, PPSZ05, Sch05, DW05, CIP06] , where the best known constant factor improvements in the exponent are of the form 1 − 1/O(k) for k-SAT and 1 − 1/O(lg c) for CNF-SAT with at most cn clauses. Also, a sequence of papers ([IPZ01, IP01, CIKP08, CIP06]) has shown many nontrivial relationships between the exact complexities of these problems, and helped characterize their hardest instances (under the assumption that they are indeed exponentially hard.) For what other circuit/formula models can we expect to show improved exponential-time (i.e. O(2 cn )-time for c < 1) algorithms for the satisfiability problem?
Linear-size Bounded Depth Circuits
In this paper, we consider the exact complexity of the satisfiability problem for circuits of limited size and depth, which seems significantly harder than k-SAT. We give what we believe are the first improved algorithms for the satisfiability problem for circuits of constant depth d > 2 (AC 0 type). (There is some work that improves the performance of SAT algorithms in terms of the circuit size parameter, but these algorithms are no better than exhaustive search once the circuit size gets larger than around 4n or so.) For each c, d > 0, we give a constant δ > 0 and a randomized algorithm that works in 2 (1−δ)n time and solves the satisfiability problem for depth d, size at most cn circuits. (Here, it is significant that circuit size is measured by gates rather than wires.)
For d = 2, our algorithm becomes deterministic and matches the current best bound [CIP06] , since our algorithm and analysis are generalizations of the ones there. However, the randomization procedure described above also yields the best quantum algorithm for this case, with running time
n ). For d = 3, this gives δ ≥ 1/O(c lg 4 c), which, as far as the authors know, is the first improvement achieved for this problem.
There are a few motivations to consider linear-size circuits. One is the question of ideal block cipher design. Block ciphers are carefully constructed to maximize efficiency for a given level of security. Particularly, since we want ciphers to be usable by low-power devices, and to be implemented at the network level, it is often very important to have efficient hardware implementations that make maximum use of parallelism. A typical cipher computes for a small number of "rounds", where in each round, very simple operations are performed (e.g., substitutions from a look-up table called an S box, permutations of the bit positions, or bit-wise ⊕ operations). These operations are almost always AC 0 type or even simpler. It is also considered vital to have key sizes that are as small as possible, and an algorithm that breaks the cryptosystem in significantly less time than exhaustive search over keys is considered worrisome. So this raises the question: Can we have an ideal block cipher family (one per key size), i.e. so that the number of rounds remains constant, each round being implementable in constant depth with a linear number of gates, and security is almost that of exhaustive search over keys? Our results rule out such ideal block ciphers, and so give a partial explanation for why the number of rounds needs to increase in new generations of block ciphers. (Block ciphers require average-case security, not worst-case, but worst-case algorithms obviously also rule out average-case security. Our values of δ are vanishingly small for the sizes and depths of real cryptosystems, so our results cannot be used for cryptanalysis of existing block ciphers.)
Another motivation is that linear-size circuits are perhaps the most general class of circuits for which we can expect to show improved upper bounds on their exact complexity. To explain this statement, we need the following notation. Let s k = inf{c|∃ a randomized algorithm for k-SAT with time complexity poly(m)2 cn for k-CNF formulas of size m over n variables}. Let ETH denote the Exponential-Time Hypothesis: s 3 > 0. We know that the sequence {s k } has a limit and let s ∞ denote this limit. [IP01] proposed the open question whether s ∞ = 1, which we will call the Strongly Exponential-Time Hypothesis (SETH). The best known upper bounds for s k are all of the form 1 − 1/O(k), which makes the conjecture SETH plausible.
Here is the connection between SETH and the complexity of satisfiability of linear-size circuits: Since one can embed k-CNFs for any k into any non-linear size circuit model (in particular, nonconstant density CNF) [CIP06] , improved upper bounds for the satisfiability problem for nonlinear-size circuits would imply s ∞ < 1. Thus, we are primarily left with the question of the complexity of the satisfiability problem for linear-size circuits if SETH holds. The following partial converse shows a further connection between SETH and improved bounds for the satisfiability of linear-size circuits. If s ∞ < 1, one can easily show using the depth-reduction technique of Valiant [Val77] (see also [Cal08] ) that the satisfiability problem for cn-size series-parallel circuits has an improved upper bound of 2 δ(c)n where δ(c) < 1.
Yet another motivation is that improved algorithms for SAT for a circuit model C may reveal structural properties of the solution space of circuits in C. These structural properties may in turn be helpful in proving stronger lower bounds on the size of circuits which are disjunctions of circuits in C. In fact, [PSZ00, PPZ99, PPSZ05, IPZ01] exploit this connection to provide the best known lower bounds of the form 2 ∆(k)n/k where ∆(k) > 1 for depth-3 unbounded fan-in circuits with bounded bottom fan-in k. This connection between the hardness of the satisfiability problem for a circuit model and lower bounds of a related circuit model is not surprising since a more general circuit can compute more complicated functions, it may become more difficult to invert, i.e. check the satisfiability of, these functions.
Extension to quantum computing model
Since Grover's quantum search algorithm [Gro96] provides a quadratic speed-up, the baseline in the quantum model for improved algorithms is 2 n/2 . In other words, a quantum algorithm is an improvement for the satisfiability problem if the constant factor in the exponent in the running time is strictly less than 1/2. However, it is not clear that every improved algorithm in the classical model can benefit from a quadratic speed-up in the quantum model. It is known that the class of algorithms that are exponential iterations of probabilistic polytime algorithms can obtain quadratic speed-up using Grover's technique.
More precisely, [Gro96, BBHT96] show that a probabilistic algorithm running in time t and with success probability p can be transformed into a quantum algorithm with running time O(t/ √ p) and with constant success probability. The quadratic speed-up provided by quantum algorithms prompts the following question: Given an algorithm A with exponential running time t, can we transform it into an exponential iteration of a polytime algorithm B with success probability approximately 1/t? Such a transformation would prime A for use in Grover's algorithm and we could reap the full benefit of its quadratic speedup in the quantum model. In this paper, we show that our algorithm for the satisfiability of bounded-depth linear-size circuits can be sped up quadratically in the quantum model, i.e. that our algorithm, which runs in time 2 (1−δ)n with constant success probability, can be sped up by transforming it into a probabilistic polynomial-time algorithm that succeeds with probability at least 2 −(1−δ)n .
2 Improved upper bounds for the satisfiability of bounded depth circuits of linear size
Definitions
A literal is a variable or its negation. The inputs (outputs) of a dag are those nodes with indegree 0 (outdegree 0). A circuit F is a dag where each input is labeled with a literal, each non-input (called a gate) is labeled AND or OR, and there is exactly 1 output. A subgate of size k of a gate g is a gate h (not necessarily in F ) with the same label as g and with k of g's inputs. The depth d of F is the number of edges in a longest path in F . The ith level of F is the set of gates a distance of i from the output, e.g. the output is at level 0 and the bottom gates are at level d − 1. We define the savings for an algorithm A whose input φ contains n boolean variables is the supremum of δ such that A has run time ≤ poly(|φ|)2 (1−δ)n . We can think of the savings as the fraction of variables 'saved' over the run time of an exhaustive search algorithm.
High level description
Assume F has n variables and at most cn gates. To test whether F is satisfiable, we first reduce the fan-in of each bottom gate to some k by branching on a k-subset of the edges coming into any bottom gate with fan-in > k. We branch until either we've halved the original number of variables, in which case we simply use exhaustive search to solve, or each bottom gate has fan-in ≤ k, in which case we choose a random restriction of (1 − p)n variables for some p. This may leave some bottom level gates with > 1 free variable. We clean up these gates by branching on all possible assignments to them. By choosing k, p appropriately, w.h.p. there will still be Ω(pn) free variables, but the bottom level gates will each have at most 1 free variable. So we can collapse the circuit to depth d − 1 and recurse.
The random restriction technique used in this paper is a simpler version of the technique used in [IPS97] to obtain nonlinear lower bounds of the number of edges of bounded depth threshold circuits.
Detailed description
We describe our algorithm in several subroutines: is such that the ratio of gates to variables in F is at most c, but A will set variables, increasing the ratio. If the ration ever exceeds 2c, A will resort to exhaustive search since this means at least half of the variables must have been set since the most recent call to A d,c .
• A d,c,k (F ) will test the satisfiability of F when F has depth d, at most cn gates, and bottom fan-in ≤ k.
• find restriction(F, p) finds a set of variables W in F whose complement has size in the interval [ 1 2 pn, pn] and such that if the variables of W are assigned, then each bottom level gate has ≤ 1 free variable.
• PPZ is the k-SAT solver (which is the same as a depth 2 circuit solver) from [PPZ99] whose run time has savings 1/k. We also assume this algorithm handles depth 1 circuits in poly time.
Below, the choices of k, p, c are unspecified, and are left for the analysis section. If h is an AND of literals, then F |h sets those literals to true and simplifies the circuit by removing true children of AND gates, false children of OR gates, replacing empty AND gates by true, replacing empty OR gates by false; unless h contains contradictory literals, in which case F |h is simply false. If h is an OR of literals, F |h removes any gate of which h is a subgate and then performs a similar simplification. Also if h is an AND (OR) of literals, then ¬h is the OR (AND) of the negations of those literals. 
for each a ∈ 2 W // the bottom level gates of F |a are trivial F ← F |a but collapsing the bottom level if n . The amount of time T 1 spent on all the leaves that call A d,2c,k , not counting time spent in find restriction in any subcall, is at most poly(n) times
The summation is (1 + 2
Both conditions (1),(2) are implied by
,k )n provided k can be chosen to satisfy (3). Since we assume a d,2c,k ≤ 1 2 , T 0 is no more than this bound, and we have the following.
Now we analyze find restriction. Let g ∈ B and X = |var(g) − U |. g has a fan-in k ≤ k and so X is hypergeometric with parameters n, k , pn. We claim that P r(g ∈ G) = P r(X ≥ 2) ≤ k 2 p 2 . To see this, note that the sample points where X ≥ 2 can be partitioned according to the positions among the k variables of g of the first 2 free variables (i.e., not in U ), and the probability of any of these k 2 events is at most p 2 . So
We want E(|V |) ≤ 1 4 pn, and this happens if we choose
By Markov's inequality,
So the probability that any call to find restriction dies is at most 2 −2n 0 and the time spent in each call is at most poly(n 0 ). Now consider the loop of A d,c,k , which leaves f ∈ [ 1 2 pn, pn] variables free and sets the rest. The gates to variables ratio for F is at most
The running time of A d,c,k , not counting the time spent in find restriction, is then at most poly(n) times
and we have the following.
Lemma 3. ∀d, c ≥ 2,
where the constant in the big-Oh depends only on d. From the inductive hypothesis and lemma 2,
To use lemma 1, we need to choose k such that
So k = O(lg c) suffices, and we conclude that
So we have the recurrence
Theorem 1. ∀d, c ≥ 2, the savings for main d,c is at least
where the constant in the big-Oh depends only on d.
Proof: This is a corollary from the previous lemma together with the following observations. The total time spent in find restriction is at most poly(n 0 ) times the number of calls to A d ,c ,k for all values of d , c , k , so it suffices to upper bound the time spent elsewhere. Also, from the union bound, and since the number of these calls is at most 2 n 0 , the probability of dying in some call to find restriction is at most 2 −n 0 .
Fully randomizing the algorithm
We now sketch how to make the algorithm run in polytime and succeed with probability ≥ 2 −(1−δ)n where δ ≥ 1/O(c 2 d−2 −1 lg 3·2 d−2 −2 c). The 'exhaustive search' in A d,c should be changed to simply choose a random assignment a and return F (a). Also, instead of calling both A d,c (F |h) and A d,c (F |¬h), we instead call just one of them randomly. In particular, call the one that eliminates k variables with some probability q and the other with probability 1 − q. The iteration over all a ∈ 2 W in A d,c,k should be changed to choose a random a ∈ 2 W .
It can be shown that choosing q = a d,c,k 4c allows us to use almost exactly the same analysis as before, only instead of upper bounding run time, now we lower bound success probability. Details can be found in the Appendix.
Appendix 3 Polytime version of depth d, linear size circuit algorithm

High level description
Assume F has n variables and at most cn gates. To test whether F is satisfiable, we first reduce the fan-in of each bottom gate to some k by repeatedly selecting a k-subset h of the edges coming into any bottom gate g with fan-in > k and setting h to either true or false. One of these settings will eliminate k variables and the other will eliminate a gate. The one that eliminates k variables we choose with probability q and the other with probability 1 − q.
We continue guessing until either we've halved the original number of variables, in which case we simply guess an assignment to the remaining variables, or each bottom gate has fan-in at most k, in which case we choose a random restriction of (1 − p)n variables for some p. This may leave some bottom level gates with > 1 free variable. We clean up these gates by randomly setting all the variables in them. By choosing k, p appropriately, with probability ≥ 1 2 there will still be Ω(pn) free variables, but the bottom level gates will each have at most 1 free variable. So we can collapse the circuit to depth d − 1 and recurse.
This procedure takes polynomial time and has exponentially small probability s of finding a satisfying assignment. By iterating s −1 times, we increase the probability of success to a constant.
Detailed description
We describe our algorithm in several subroutines:
• A d,c (F ) tests the satisfiability of F when F has depth d and at most cn gates. F initially has gates to variables ratio of at most c, but it may set variables, increasing the ratio. If it ever exceeds 2c, A d,c will simply guess an assignment to the remaining variables since this means at least half of the variables must have been set.
• A d,c,k (F ) will test the satisfiability of F when F has depth d, at most cn gates, and bottom fan-in at most k.
• find restriction(F, p) finds, with probability ≥ 1 2 , a set of variables W in F whose complement has size in the interval [ 1 2 pn, pn] and such that if the variables of W are assigned, then each bottom level gate has at most 1 free variable.
• PPZ iterate is 1 iteration of the k-SAT solver (which is the same as a depth 2 circuit solver) from [PPZ99] whose run time has savings 1/k -i.e., PPZ iterate takes polytime and has success probability ≥ 2
More explicitly, it chooses a random permutation of the variables, then assigns them one at a time, in that order, uniformly randomly, unless the current variable appears in a unit clause C, in which case it is set as C demands, and simplifies the formula after each iteration by removing true clauses and false literals. We also assume this algorithm handles depth 1 circuits in polytime.
Our algorithm description is not the most efficient, compromises were made to simplify the proof. For example, it is easy to construct an equivalent algorithm containing only 2 subroutines, but the analysis would be obtuse. Below, the choices of k, p, q, c are unspecified, and are left for the analysis section.
If h is an AND of literals, then F |(h = 1) sets those literals to true and simplifies the circuit by removing true children of AND gates, false children of OR gates, replacing empty AND gates by true, replacing empty OR gates by false; unless h contains contradictory literals, in which case 1 with probability 1 − q 0 with probability q b ← 1 if h is an AND gate 0 if h is an OR gate
a ← random assignment to W // the bottom level gates of F |a are trivial F ← F |a but collapsing the bottom level return
Run time analysis
Suppose A d,c , A d,c,k succeed with probability ≥ 2 −(1−a d,c )n , 2 −(1−a d,c,k )n , respectively, given that find restriction succeeds on each call to it -we will eliminate this assumption later. We assume c ≥ 2 and ∀d ≥ 2,
Proof: Each iteration of the while loop of A d,c (F ) eliminates (1) a gate or (2) k variables. (1) occurs ≤ cn times and (2) occurs r ≤ n k times. Let a be a solution to F . Exactly one sequence of random choices, say with r choices of type (2), will lead A d,c (F ) to find a. So the probability that A d,c (F ) finds a given that each call to find restriction succeeds, is
To lower bound q r (1−q) cn 2 −(1−a d,2c,k )(n−kr) , take the logarithm, divide by n, and set r = r n ∈ [0,
Now we analyze find restriction. Let g ∈ B and X = |var(g) − U |. g has a fan-in k ≤ k and so X is hypergeometric with parameters n, k , pn. We claim that P r(g ∈ G) = P r(X ≥ 2) ≤ k 2 p 2 . To see this, note that the sample points where X ≥ 2 can be partitioned according to the positions among the k variables of g of the first 2 free variables (i.e., not in U ), and the probability of any of these k 2 events is ≤ p 2 . So
We want E(|V |) ≤ 1 4 pn, and this happens if we choose p = 1 2ck 3 .
So the probability that any call to find restriction dies is ≤ 
The probability that A d,c,k (F ) finds a, assuming each call to find restriction succeeds, is then Proof: This is a corollary from the previous lemma together with the following: find restriction is called ≤ d times, each with success probability ≥ 1 2 , so the probability that in every call it succeeds is ≥ 2 −d , a penalty that can be absorbed into the big-Oh in the theorem statement.
