ONE-WAY FUNCTIONS AND CIRCUIT COMPLEXITY
R. Boppana
Massachusetts Institute of Technology
Cambridge, Massachusetts
J. C. Lagarias
AT&T Bell Laboratories
Murray Hill, New Jersey 07974
ABSTRACT
A finite function f is a mapping of $\{1, 2, \ldots, m\}$ into $\{1, 2, \ldots, m\} \cup \{\#\}$ where $\#$ is a symbol to be thought of as ``undefined.'' This paper defines a measure $M(f)$ of the difficulty of inverting a finite function f, which is given by
$$M(f) = \min\left\{ \frac{\log_2 C(g)}{\log_2 C(f)} : g \text{ an inverse of } f \right\}$$
where $C(f)$ is a circuit complexity measure of the difficulty of computing f. We say that one-way functions exist (in a circuit complexity sense) if and only if $M(f)$ is unbounded. We prove that one-way functions exist if and only if the satisfiability problem SAT does not have polynomial sized circuits (Theorem 1 below states the equivalent form: $M(f)$ is bounded if and only if SAT has polynomial sized circuits).
This paper also defines an analogous measure $M_d(f)$ in which only circuits of depth $\le d$ are allowed. We show that one-way functions exist in this bounded-depth circuit complexity model, by showing for the permutations $\sigma_n$ on $\{1, 2, \ldots, 2^n\}$ defined by $\sigma_n(k) \equiv 3k \pmod{2^n}$ that for $d \ge 4$ there is a positive constant $c_d$ such that $M_d(\sigma_n) > c_d \log n$ as $n \to \infty$.
1. Introduction
A one-way function is a function that is easy to compute, whose inverse is hard to compute. Such
functions play an important role in cryptography and in generating pseudo-random numbers. Several
distinct concepts of one-way functions have been proposed ([B], [L], [Sel]). However the existence of
one-way functions has never been proved for any of these concepts. There are particular classes of
functions, such as the discrete logarithm [O], which appear to possess some one-wayness properties. In this
paper we study a non-uniform notion of one-wayness based on circuit complexity.
We associate to a finite function f combinatorial measures $M(f)$ and $M_d(f)$ of ``degree of one-wayness'' based on circuit complexity. We consider functions $f : I_m \to I_m \cup \{\#\}$ having the finite domain $I_m = \{1, 2, \ldots, m\}$, and whose range may include the object $\#$, where $\#$ is a symbol to be thought of as ``undefined.'' We assign a circuit complexity to a finite function f by associating to f a set of 0-1 valued Boolean functions $\{B_i(f)\}$ (``bit functions'') that describe f, and then assigning a circuit complexity to this set of Boolean functions. We define a notion of an inverse g to a finite function f and assign a similar measure of circuit complexity of computing an inverse function g. The measures $M(f)$ and $M_d(f)$ are constructed from these.
We first define for a Boolean function $B : \{0,1\}^n \to \{0,1\}$ the circuit complexity measures $C(B)$ and $C_d(B)$ we use. We define a stratified circuit to be one having $2n$ inputs $\{x_1, \ldots, x_n\}$ and $\{\neg x_1, \ldots, \neg x_n\}$, and which are stratified into levels having only OR gates at even levels $2i$ and AND gates at odd levels $2i+1$, with arbitrary fan-in and fan-out allowed at each level. The inputs to gates at level $j$ must all be outputs of gates at level $j-1$. We define the circuit complexity $C(B)$ of a Boolean function B to be the number of inputs n plus the minimum number of gates needed in any stratified circuit that computes B. The depth of a stratified circuit is the number of levels in the circuit. Every Boolean function can be computed by some stratified circuit of depth 2 in this model. We define the depth-d circuit complexity $C_d(B)$ of a Boolean function B to be the number of inputs n plus the minimum number of gates needed in any stratified circuit of depth at most d that computes B.
The circuit complexity measure $C(B)$ is essentially the same up to a polynomial factor as a general circuit complexity measure. An arbitrary circuit having G gates (AND, OR, and NOT) with fan-in and fan-out at most two and an acyclic graph of connections can be computed by a stratified circuit having at most $2G^2$ gates. (See Appendix A.) However the depth-d circuit measure $C_d(B)$ does depend in a critical way on the allowability of circuits with unbounded fan-in and fan-out. For example, not all Boolean functions can be represented by depth 2 circuits with bounded fan-in.
Now we define a circuit complexity measure $C(f)$ for a finite function $f : I_m \to I_m \cup \{\#\}$. We first extend the domain of f to be the next higher power of 2 by using $\#$: If $2^{n-1} < m \le 2^n$ we define $f^* : I_{2^n} \to I_{2^n} \cup \{\#\}$ by
$$f^*(k) = \begin{cases} f(k) & \text{for } 1 \le k \le m, \\ \# & \text{for } m+1 \le k \le 2^n. \end{cases} \qquad (1.1)$$
Next we express $f^*$ as $n+1$ Boolean functions (``bit functions'') $B_i = B_i(f^*)$ for $0 \le i \le n$ by writing the input k and output $f(k) = \ell$ in binary as
$$k = x_n 2^{n-1} + \cdots + x_1 ; \qquad \text{all } x_i \in \{0,1\}$$
and then defining
$$B_0(x_1, \ldots, x_n) = \begin{cases} 1 & \text{if } f(k) = \#, \\ 0 & \text{otherwise,} \end{cases} \qquad (1.2)$$
and
$$B_i(x_1, \ldots, x_n) = \begin{cases} 0 & \text{if } f(k) = \#, \\ y_i & \text{if } f(k) = \sum_{j=1}^n y_j 2^{j-1} \text{ with } y_j \in \{0,1\}, \end{cases} \qquad (1.3)$$
for $1 \le i \le n$. Now we define the circuit complexity $C(f)$ of f by
$$C(f) = C(f^*) = n + \sum_{i=0}^n C(B_i(f^*)). \qquad (1.4)$$
We have a similar depth-d circuit complexity measure $C_d(f)$ given by
$$C_d(f) = C_d(f^*) = n + \sum_{i=0}^n C_d(B_i(f^*)). \qquad (1.5)$$
Next we define the circuit complexity of the problem of inverting a function $f : I_m \to I_m \cup \{\#\}$. We say a function $g : I_m \to I_m \cup \{\#\}$ is an inverse of f provided that
$$g(x) = \begin{cases} y & \text{if } x \in \mathrm{Range}(f) \text{ and } f(y) = x, \\ \# & \text{if } x \notin \mathrm{Range}(f). \end{cases}$$
A function f may have more than one inverse.
We define the canonical inverse function $f^\#$ by:
$$f^\#(x) = \begin{cases} \min\{ y : f(y) = x \} & \text{if } x \in \mathrm{Range}(f), \\ \# & \text{if } x \notin \mathrm{Range}(f). \end{cases} \qquad (1.6)$$
We define the circuit complexity $C^{-1}(f^*)$ of the function inversion problem to be
$$C^{-1}(f^*) = \min\{ C(g) : g \text{ is an inverse of } f^* \}. \qquad (1.7)$$
Analogously we define the depth-d circuit complexity $C_d^{-1}(f^*)$ of the function inversion problem by
$$C_d^{-1}(f^*) = \min\{ C_d(g) : g \text{ is an inverse of } f^* \}. \qquad (1.6)$$
Finally we define the measure of one-wayness $M(f)$ of a finite function f by
$$M(f) = \frac{\log_2 C^{-1}(f^*)}{\log_2 C(f^*)}. \qquad (1.8)$$
We have an analogous depth-d measure of one-wayness $M_d(f)$ defined by
$$M_d(f) = \frac{\log_2 C_d^{-1}(f^*)}{\log_2 C_d(f^*)}. \qquad (1.9)$$
The point of these definitions of $M(f)$ is that $M(f) \ge k$ if and only if $C^{-1}(f^*) \ge C(f^*)^k$, so that $M(f)$ is unbounded if and only if a superpolynomial increase in the number of gates is needed in any circuit computing an inverse function g of $f^*$ compared to the minimum number of gates needed to compute $f^*$. In this context the purpose of including the number of inputs n in the circuit complexity $C(B)$ is to avoid $M(f)$ possibly being large because $C(f^*)$ is small. In terms of this circuit complexity model we say that one-way finite functions exist if and only if there exists an infinite sequence of functions $\{ f_i : 1 \le i < \infty \}$ defined on larger and larger domains such that $\{ M(f_i) \}$ is unbounded.
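The following is an added worked example, not code from the paper: it builds $f^*$ from a small finite function as in (1.1), tabulates the bit functions $B_0, \ldots, B_n$ of (1.2)-(1.3), computes the canonical inverse $f^\#$ of (1.6), checks the definition of an inverse, and derives an upper bound on $C(f)$ from (1.4) using the depth-2 (DNF) stratified circuit for each bit function. The exact minimum gate count, and hence the exact value of $M(f)$, is not computable in practice; only the upper bound is illustrated. Assumptions of this example: $I_m = \{1, \ldots, m\}$, `None` stands for $\#$, and to keep to n input bits and n output bits the inputs are indexed by the bits of $k-1$ and the outputs by the bits of $f(k)-1$, a shift the paper's text glosses over.

```python
# Added example, not from the paper: the bit-function encoding (1.1)-(1.4),
# the inverse definition and the canonical inverse (1.6) for a small finite
# function. Assumptions: I_m = {1..m}; None stands for '#'; to stay at n input
# and n output bits, inputs are indexed by the bits of k-1 and outputs by the
# bits of f(k)-1 (both in 0..2^n-1), a shift the paper's text glosses over.

UNDEF = None  # the symbol '#'


def extend(f, m):
    """(1.1): pad f : I_m -> I_m u {#} to f* on I_{2^n}, where 2^(n-1) < m <= 2^n."""
    n = max(1, (m - 1).bit_length())
    N = 1 << n
    fstar = {k: (f[k] if k <= m else UNDEF) for k in range(1, N + 1)}
    return n, fstar


def bits(v, width):
    """Little-endian bits (x_1, ..., x_width) of v, so v = sum x_i 2^(i-1)."""
    return tuple((v >> (i - 1)) & 1 for i in range(1, width + 1))


def bit_functions(fstar, n):
    """Truth tables of B_0, ..., B_n as dicts keyed by the input bits, (1.2)-(1.3):
    B_0(x) = 1 exactly when f*(k) = '#', and B_i(x) is bit i of f*(k)-1 (0 on '#')."""
    tables = [dict() for _ in range(n + 1)]
    for k, v in fstar.items():
        x = bits(k - 1, n)
        tables[0][x] = 1 if v is UNDEF else 0
        y = (0,) * n if v is UNDEF else bits(v - 1, n)
        for i in range(1, n + 1):
            tables[i][x] = y[i - 1]
    return tables


def canonical_inverse(fstar):
    """(1.6): f#(x) = min{y : f*(y) = x} if x is in Range(f*), else '#'."""
    first = {}
    for y, x in sorted(fstar.items()):      # ascending y, so the first hit is the min
        if x is not UNDEF and x not in first:
            first[x] = y
    return {x: first.get(x, UNDEF) for x in fstar}


def is_inverse(g, fstar):
    """The paper's definition of 'g is an inverse of f*': g(x) is some preimage
    of x when x is in Range(f*), and '#' otherwise."""
    rng = {v for v in fstar.values() if v is not UNDEF}
    for x in fstar:
        y = g.get(x, UNDEF)
        if x in rng:
            if y is UNDEF or fstar.get(y) != x:
                return False
        elif y is not UNDEF:
            return False
    return True


def dnf_gate_count(table):
    """Gates of the depth-2 stratified circuit computing a bit function as a DNF:
    one AND gate per satisfying input plus one OR gate. This is an upper bound on
    the gate part of C_2(B), hence of C(B); the true minimum is not computable in
    practice for any interesting n."""
    return sum(table.values()) + 1


def c_upper_bound(f, m):
    """Upper bound on C(f) via (1.4): C(f) = n + sum_i C(B_i) and
    C(B_i) <= n + gates(DNF of B_i)."""
    n, fstar = extend(f, m)
    return n + sum(n + dnf_gate_count(t) for t in bit_functions(fstar, n))


# Constructed sample: f on I_5 with f(3) undefined and f(1) = f(2) = 3.
SAMPLE_F = {1: 3, 2: 3, 3: UNDEF, 4: 1, 5: 2}

if __name__ == "__main__":
    n, fstar = extend(SAMPLE_F, 5)
    print("n =", n, "f* =", fstar)
    print("f# =", canonical_inverse(fstar))
    print("C(f) <=", c_upper_bound(SAMPLE_F, 5))
```

For the sample, $f^\#(3) = 1$ because both 1 and 2 map to 3 and the canonical inverse takes the minimum; replacing that value by 2 still satisfies the inverse definition, which is why (1.7) minimises over all inverses rather than evaluating $f^\#$ alone.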
Our main result for the general circuit complexity model is as follows.
Theorem 1. The following are equivalent:
(1) There is a bound $c_0$ such that $M(f) \le c_0$ for all finite functions f.
(2) The satisfiability problem SAT has polynomial sized circuits.
Karp and Lipton [KL] have shown that if SAT has polynomial size circuits then the polynomial hierarchy collapses at the second level, i.e. $\Sigma_2^p = \Pi_2^p$. This may be taken as evidence that one-way finite functions exist.
For the bounded-depth circuit complexity model we are able to show that one-way functions exist.
Theorem 2. Let $\sigma_n : I_{2^n} \to I_{2^n}$ be the permutation
$$\sigma_n(k) \equiv 3k \pmod{2^n}.$$
Then for any fixed $d \ge 4$, there is a positive constant $c_d$ such that
$$M_d(\sigma_n) \ge c_d \log n.$$
This result is proved by showing first that $\sigma_n$ has polynomial sized circuits of depth 4 and second, that a circuit to invert $\sigma_n$ can be used to compute $k \equiv 0 \pmod 3$, a problem known to require superpolynomial size constant depth circuits by a result of Furst, Saxe and Sipser [FSS]. The quantitative bound $M_d(\sigma_n) \ge c_d \log n$ follows from a sharper bound of Ajtai [A] for the same problem.
Theorem 2 may be taken more as an indication of the restrictiveness of the bounded-depth circuit complexity model than as an indication of the existence of one-way functions.
2. Proof of Theorem A
Before proving the result, we make precise the statement ``SAT has polynomial-sized circuits.'' Define the length of a Boolean formula B to be the number of symbols in it, where the variable $x_n$ is counted as $\log_2 n$ symbols. Let $BF_{n,m}$ denote all Boolean formulae of length at most m, involving only the variables $x_1, \ldots, x_n$. There is an encoding $\rho : BF \to \mathbb{N}$ which has the properties
(1) $\rho$ is one-to-one and is computable in polynomial time.
(2) The unique inverse $\rho^{-1}$ is computable in polynomial time.
(3) $\rho(BF_{n,m}) \subseteq [1, 2^{3m}]$.
(See Appendix B). Note that
$$\rho^{-1}(k) = \begin{cases} F & \text{if } k \in \mathrm{Range}(\rho) \text{ and } \rho(F) = k, \\ \# & \text{if } k \notin \mathrm{Range}(\rho). \end{cases}$$
Now set $\ell = 2^{3m}$, and define the finite function $SAT^*_{n,m} : I_\ell \to I_\ell \cup \{\#\}$ by
$$SAT^*_{n,m}(k) = \begin{cases} \# & \text{if } k \notin \rho(BF_{n,m}), \\ 0 & \text{if } k = \rho(F) \text{ for } F \in BF_{n,m} \text{ and } F \text{ is unsatisfiable,} \\ 1 & \text{if } k = \rho(F) \text{ for } F \in BF_{n,m} \text{ and } F \text{ is satisfiable.} \end{cases}$$
Then ``SAT has polynomial size circuits'' means there exists an integer j such that
$$C(SAT^*_{n,m}) \le (n+m)^j + j$$
for all $m \ge 1$.
Proof of Theorem A. $(1) \Rightarrow (2)$. Suppose that the function $M(f)$ is bounded by the integer $c_0$ for all finite functions f. We will construct polynomial size circuits for SAT.
Let TEST be the set
$$\mathrm{TEST} = \{ (B, x) : B \text{ a Boolean formula with } n \text{ variables}, \; x \in \{0,1\}^n, \; n \ge 1 \}.$$
Certainly TEST is recognizable in polynomial time, and it is easy to construct (by the same method as used in Appendix B) a one-to-one polynomial-time computable encoding $\Psi : \mathrm{TEST} \to \mathbb{N}$ such that:
(1) It is honest in the sense that
$$4\,\mathrm{length}(B, x) \ge \mathrm{length}\,\Psi((B, x)) \ge \mathrm{length}(B, x) \qquad (2.1)$$
for all inputs (B, x).
(2) The range $\Psi(\mathrm{TEST})$ is recognizable in deterministic polynomial time.
Define
$$\mathrm{TEST}_{n,m} = \{ (B, x) : B \in BF_{n,m} \text{ and } x \in \{0,1\}^n \}$$
and observe that
$$\Psi(\mathrm{TEST}_{n,m}) \subseteq [1, 2^{4(n+m)}]. \qquad (2.2)$$
We use the following well-known fact:
Lemma 2.1. Let T be a Turing machine used as a transducer that halts on all inputs of length $\le n$ in time $f(n)$ and which has s states. There is a stratified Boolean circuit $W_n$ of depth $\le 6 s f(n)$ with $\le 20 s^2 [f(n)]^2$ gates which simulates T on all inputs of length $\le n$. More precisely, $W_n$ has $2n$ input gates encoding the n inputs to T as $00 = 0$, $11 = 1$ and $01 = \#$, and $2f(n)$ outputs encoding the output of T similarly.
We sketch a proof of Lemma 2.1 in Appendix C.
We first infer from Lemma 2.1 that since the collection of functions $\{ \rho_{n,m}^{-1} \}$ given by
$$\rho_{n,m}^{-1}(k) = \begin{cases} B & \text{if } k = \rho(B) \text{ and } B \in BF_{n,m}, \\ \# & \text{otherwise} \end{cases}$$
for integers k in the interval $[1, 2^{3m}]$ is computable by a polynomial time Turing machine, each such function $\rho_{n,m}^{-1}$ is computable by a polynomial size circuit, having at most $p_2(n,m)$ gates.
Next we consider the finite function $f_{n,m}$ on domain $[1, 2^{4(m+n)}]$ defined by
$$f_{n,m}(k) = \begin{cases} \Psi((B, B(x)^n)) & \text{if } k = \Psi(B, x) \text{ is in } \Psi(\mathrm{TEST}_{n,m}), \\ \# & \text{if } k \text{ isn't in } \Psi(\mathrm{TEST}_{n,m}). \end{cases}$$
Here B denotes a Boolean expression with n variables, and $B(x)$ is its value on input x. Since the complete set of functions $\{ f_{n,m} \}$ is computable by a polynomial time Turing machine used as a transducer, by Lemma 2.1 the collection $\{ f_{n,m} \}$ is computable by polynomial size circuits, having at most $p_3(n, m)$ gates. By assumption $M(f_{n,m}) \le c_0$ so that there is an inverse function $g_{n,m}(\cdot)$ for $f_{n,m}(\cdot)$ that uses at most $p_4(n, m)$ gates, where $p_4(x_1, x_2) = [p_3(x_1, x_2)]^{c_0}$. In particular, this inverse $g_{n,m}$ has the property
$$F \in BF_{n,m} \text{ and } F \notin \mathrm{SAT} \iff F \in BF_{n,m} \text{ and } g_{n,m}(\Psi(F, 1^n)) = \#.$$
Consequently $g_{n,m}$ can be used to recognize UNSAT and hence SAT. A polynomial sized circuit for $SAT_{n,m}$ is easily constructed from that for $g_{n,m}(\cdot)$ using the flowchart in Figure 1, and the resulting circuit has at most $p_5(n,m) = p_3((n+m)^{c_0}, (n+m)^{c_0}) + p_3(n,m) + p_2(n,m) + 4(n+m)$ gates.
Figure 1. Flowchart for circuit to compute SATn,m.
$(2) \Rightarrow (1)$. Assume that SAT has polynomial sized circuits. Now let f be an arbitrary finite function $f : I_{2^n} \to I_{2^n} \cup \{\#\}$ and suppose f has circuit complexity $C(f)$. For $0 \le i \le n+1$ let $\Sigma_f^{(i)}$ be stratified circuits computing the ``bit functions'' $B_0(f), \ldots, B_{n+1}(f)$ using the minimal number of gates $G_i$, and note that by definition of the circuit complexity measure $C(f)$ we have
$$G_i \le C(f) \quad \text{for } 0 \le i \le n+1. \qquad (2.3)$$
We shall combine these circuits with appropriately sized SAT circuits to create a circuit $\Sigma_f^\#$ computing the canonical inverse function $f^\#$ which has at most $(C(f))^{c_0} + c_0$ gates, where $c_0$ is a constant independent of f. Assuming this is accomplished, we may conclude that
$$M(f) \le \frac{\log_2 C(f^\#)}{\log_2 C(f)} \le \frac{c_0 \log_2 C(f) + c_0}{\log_2 C(f)} \le 2c_0,$$
and the desired implication follows.
The circuit $\Sigma_f^\#$ will use suitably encoded versions of the circuits $\Sigma_f^{(i)}$ as inputs to SAT circuits in order to ``guess'' the lexicographically smallest value for the inverse function $f^\#$ when it exists. To encode the circuits $\Sigma_f^{(i)}$ as Boolean formulae we use the following result.
Lemma 2.2. Let $g : \{0,1\}^n \to \{0,1\}$ be any Boolean function of n variables, and suppose g is computable by a stratified circuit having G gates. Then there is a Boolean formula $\bar{B}_g(x_1, \ldots, x_n, y_1, \ldots, y_G)$ in $n + G$ variables such that:
(1) For all $(x_1, \ldots, x_n) \in \{0,1\}^n$ we have
$$g(x_1, \ldots, x_n) = 1 \iff \exists y_1 \exists y_2 \cdots \exists y_G \; \bar{B}_g(x_1, \ldots, x_n, y_1, \ldots, y_G) = 1.$$
(2) The Boolean formula $\bar{B}_g(x_1, \ldots, x_n, y_1, \ldots, y_G)$ contains at most $2G^2 + 2nG + 2G$ variable symbols and has length at most $12G(n+G)\log_2(n+G)$.
Proof. (Sketch) We add dummy variables $y_1, \ldots, y_G$ corresponding to the gates of the stratified circuit and add appropriate equality conditions forcing the values $y_i$ to simulate the gates of the circuit. See Appendix E for a detailed proof.
We apply Lemma 2.2 to the ``bit functions'' $B_i(f)$ to obtain Boolean formulae $\bar{B}_i(x_1, \ldots, x_n, y_1, \ldots, y_{G_i})$ such that for $0 \le i \le n$,
$$B_i(f)(x_1, \ldots, x_n) = 1 \iff \exists y_1 \exists y_2 \cdots \exists y_{G_i} \; \bar{B}_i(x_1, \ldots, x_n, y_1, \ldots, y_{G_i}) = 1. \qquad (2.4)$$
We may bound the length $L_i$ of the Boolean formula $\bar{B}_i$ using (2.3) and (2) of Lemma 2.2 to obtain
$$L_i \le 24\, C(f)\,(n + C(f)) \log_2 C(f) \le 48\, C(f)^3. \qquad (2.5)$$
The overall structure of the circuit $\Sigma_f^\#$ to compute $f^\#$ is pictured in Figures 2a and 2b. The main ingredient in the circuit $\Sigma_f^\#$ is the circuits used to compute Round i for $1 \le i \le n$. The detailed structure of a Round i circuit (excluding Round 1) is pictured in Figure 3. It has two main ingredients, a circuit simulating a Turing machine computation and a SAT circuit. The purpose of the Turing machine computation is to preprocess the question asked in Round i: `Do there exist values $x_{i+1}, \ldots, x_n$ such that $f(\tilde{x}_1, \ldots, \tilde{x}_i, x_{i+1}, \ldots, x_n) = k$?' into a form suitable for input to the SAT circuit, where
$$k = \sum_{i=1}^n z_i 2^{i-1}.$$
The required Turing machine has the following properties. It takes as inputs n, G, i, and $n+1$ Boolean formulae $\bar{B}_i(x_1, \ldots, x_n, y_1, \ldots, y_G)$ for $0 \le i \le n$, plus the i values $(\tilde{x}_1, \ldots, \tilde{x}_i)$ and the n values $(z_1, \ldots, z_n)$ where $k = \sum_{i=1}^n z_i 2^{i-1}$. It produces as output the encoding $\rho(F_i)$ of the Boolean formula
$$F_i(x_{i+1}, \ldots, x_n, y_1, \ldots, y_G) = \bigwedge_{j=1}^n \; `\bar{B}_j(\tilde{x}_1, \ldots, \tilde{x}_i, x_{i+1}, \ldots, x_n, y_1, \ldots, y_G) = z_j\text{'} \qquad (2.6)$$
where $\bar{B}_j(\tilde{x}_1, \ldots, \tilde{x}_i, x_{i+1}, \ldots, x_n, y_1, \ldots, y_G)$ is the Boolean formula obtained from $\bar{B}_j$ of (2.4) by substituting the specific values $(\tilde{x}_1, \ldots, \tilde{x}_i)$ for the variables $(x_1, \ldots, x_i)$, and where `$\bar{B}_j = z$' is an abbreviation for $(\bar{B}_j \wedge z) \vee (\neg \bar{B}_j \wedge \neg z)$. It is clear that there is a polynomial time Turing machine to do this computation, hence by Lemma 2.1 this can be simulated by a circuit of size polynomial in $C(f)$.
Now we bound the size of the SAT circuit required to test $\rho(F_i)$. The formula $F_i$ involves at most $n + C(f)$ variables and is of length at most $1536\, C(f)^4$, using the bounds (2.5) and $n \le C(f)$. Consequently $F_i \in BF_{2C(f),\, 1536 C(f)^4}$. Thus we may test $\rho(F_i)$ using a $SAT^*_{2C(f),\, 1536 C(f)^4}$-circuit. Observe that
$$SAT^*(\rho(F_i)) = 1 \iff \exists x_{i+1} \cdots \exists x_n \exists y_1 \cdots \exists y_G \; \tilde{B}_i(\tilde{x}_1, \ldots, \tilde{x}_i, x_{i+1}, \ldots, x_n, y_1, \ldots, y_G) = 1 \iff \exists x_{i+1} \cdots \exists x_n \; f(\tilde{x}_1, \ldots, \tilde{x}_i, x_{i+1}, \ldots, x_n) = k,$$
as required.
By hypothesis SAT has polynomial sized circuits, so the resulting circuit $\Sigma_f^\#$ is of size bounded by a polynomial in $C(f)$, so is $\le (C(f))^{c_0} + c_0$ for a sufficiently large fixed constant $c_0$.
Figure 2. Flowchart for computing $f^\#$.
3. Proof of Theorem B
Let $\sigma_n : I_{2^n} \to I_{2^n}$ be the permutation $\sigma_n(k) \equiv 3k \pmod{2^n}$. We first show that $C_d(\sigma_n)$ is bounded by a polynomial in n, for $d \ge 4$. We first exhibit a depth 6 stratified circuit $\Sigma_n$ that computes $\sigma_n$ using $O(n^2)$ gates. Write the input k in binary as
$$k = \sum_{i=0}^{n-1} x_i 2^i$$
and define the binary bits $z_i$ by
$$3k = \sum_{i=0}^{n+1} z_i 2^i.$$
It suffices to find a circuit that when given $\{ x_i : 0 \le i \le n-1 \}$ computes the bits $\{ z_i : 0 \le i \le n+1 \}$ and then discards the overflow bits $z_n$ and $z_{n+1}$. We view $3k = k + 2k$ and note that the ith ``carry bit'' can be computed with a depth 4 circuit with $3i + 4$ gates. Indeed consider the ith carry bit $w_i$ in adding $\ell_1 = \sum_{i=0}^n x_i 2^i$ to $\ell_2 = \sum_{i=0}^n y_i 2^i$. Then $w_i = 1$ if and only if either $x_i \wedge y_i = 1$, or $x_{i-m} \vee y_{i-m} = 1$ for $0 \le m \le j$ and $x_{i-j} \wedge y_{i-j} = 1$ for some j with $1 \le j \le i$.
We compute the clauses $x_j \wedge y_j$ at depth 1, the clauses $x_j \vee y_j$ at depth 2, combine them to compute the $i+1$ clauses $A_{i,0} = x_i \wedge y_i$ and
$$A_{i,j} = \Big( \bigwedge_{m=0}^{j-1} (x_{i-m} \vee y_{i-m}) \Big) \wedge (x_{i-j} \wedge y_{i-j}), \qquad 1 \le j \le i,$$
at depth 3 and finally compute
$$w_i = A_{i,0} \vee A_{i,1} \vee \cdots \vee A_{i,i} \qquad (3.1)$$
at depth 4. Using all the carry bits for $0 \le i \le n$, we can now compute all the bits of $\ell_1 + \ell_2$ in a depth 6 circuit using $O(n^2)$ gates. To do this we create other depth 4 circuits computing $\bar{w}_i = \neg w_i$ and then compute the jth bit of $\ell_1 + \ell_2$ to be
$$x_j \oplus y_j \oplus w_{j-1} = (x_j \wedge y_j \wedge w_{j-1}) \vee (x_j \wedge \bar{y}_j \wedge \bar{w}_{j-1}) \vee (\bar{x}_j \wedge y_j \wedge \bar{w}_{j-1}) \vee (\bar{x}_j \wedge \bar{y}_j \wedge w_{j-1}) \qquad \text{for } 0 \le j \le n+1,$$
where by convention $w_0 = x_{n+1} = y_{n+1} = 0$. We apply this construction to obtain the desired depth 6 stratified circuit $\Sigma_n$ computing $\sigma_n$ using $O(n^2)$ gates.
Now we obtain a depth 4 circuit $\Sigma_n^*$ computing $\sigma_n$ using a polynomial number of gates. We use the distributive laws to exchange two adjacent levels of AND and OR gates with at most a polynomial blow-up in the number of gates, which is possible if the higher level has bounded fan-in. Then we may collapse one level. If both levels exchanged have bounded fan-in, the same is true for the exchanged levels. We use this procedure to eliminate levels 5 and 6 from $\Sigma_n$, obtaining the desired stratified circuit $\Sigma_n^*$. (See Appendix D.)
Next we bound the complexity of computing the inverse $C_d^{-1}(\sigma_n)$ from below. Since $\sigma_n$ is a permutation, it has a unique inverse $\sigma_n^{-1}$ given by
$$\sigma_n^{-1}(k) \equiv \tfrac{1}{3}\, k \pmod{2^n},$$
and by (1.6) we have
$$C_d^{-1}(\sigma_n) = C_d(\sigma_n^{-1}).$$
Let $P_n$ be a depth d circuit computing $\sigma_n^{-1}$ with $G_n$ gates. We will use $P_n$ to construct a circuit $D_n$ of depth d + Ø which has $G_n + O(n^2)$ gates and which computes $\equiv 0 \pmod 3$ on $[\frac{n+1}{2}]$ variables, i.e. it computes the Boolean function
$$\Pi_3(y_1, \ldots, y_{[\frac{n+1}{2}]}) \equiv \begin{cases} 1 & \text{if } y_1 + \cdots + y_{[\frac{n+1}{2}]} \equiv 0 \pmod 3, \\ 0 & \text{otherwise.} \end{cases}$$
We use the fact that
$$k \equiv 0 \pmod 3 \text{ and } 0 \le k < 2^n \iff k = 3\,\sigma_n^{-1}(k) \text{ over } \mathbb{N}. \qquad (3.2)$$
Note here that $k \equiv 3\,\sigma_n^{-1}(k) \pmod{2^n}$, so the assertion on the right side of (3.2) is that the overflow bits $z_n$ and $z_{n+1}$ in $3\,\sigma_n^{-1}(k)$ are both zero. We next observe that if $0 \le k < 2^n$ and k has the binary expansion $\sum_{i=0}^{n-1} x_i 2^i$ then
$$k \equiv 0 \pmod 3 \iff x_0 + 2x_1 + x_2 + 2x_3 + \cdots + \Big\{ \frac{3 + (-1)^n}{2} \Big\} x_{n-1} \equiv 0 \pmod 3. \qquad (3.3)$$
Hence (3.2) and (3.3) imply that given $\{ y_i : 1 \le i \le [\frac{n+1}{2}] \}$ we have
$$y_1 + \cdots + y_{[\frac{n+1}{2}]} \equiv 0 \pmod 3 \iff k = \sum_{i=0}^{[\frac{n}{2}]} y_i 2^{2i-1} \text{ has } k = 3\,\sigma_n^{-1}(k). \qquad (3.4)$$
We obtain the desired depth d + Ø circuit $D_n$ with $[\frac{n+1}{2}]$ inputs using the flowchart in Figure 4. The circuit $D_n$ has $G_n + O(n^2)$ gates.
Figure 4: Circuit computing $\equiv 0 \pmod 3$
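The following is an added example, not code from the paper: it checks, exhaustively for small n, the three facts the proof of Theorem 2 rests on. It builds the carry bit exactly as the clauses $A_{i,j}$ of (3.1) prescribe and compares it with real binary addition; it verifies (3.2), that $k \equiv 0 \pmod 3$ exactly when $3\,\sigma_n^{-1}(k) = k$ over the integers; it verifies the alternating-weight test (3.3); and it wires the inverter into the mod-3 circuit $D_n$ of (3.4) and Figure 4 by placing the inputs $y_1, \ldots, y_{[\frac{n+1}{2}]}$ at the even binary positions. Assumptions: residues are taken in $0, \ldots, 2^n - 1$ rather than the paper's $I_{2^n} = \{1, \ldots, 2^n\}$, and $\sigma_n^{-1}$ is computed with the inverse of 3 modulo $2^n$, which is what $\frac{1}{3} k \pmod{2^n}$ means.

```python
# Added example, not from the paper: the arithmetic behind the proof of
# Theorem 2, checked exhaustively for small n. Assumptions: residues are taken
# in 0..2^n-1 rather than the paper's I_{2^n} = {1..2^n}, and bit i of k is
# x_i with k = sum x_i 2^i as in Section 3.
from itertools import product


def sigma(n, k):
    """sigma_n(k) = 3k mod 2^n."""
    return (3 * k) % (1 << n)


def sigma_inv(n, k):
    """sigma_n^{-1}(k) = (1/3) k mod 2^n, using the inverse of 3 modulo 2^n."""
    return (pow(3, -1, 1 << n) * k) % (1 << n)


def carry_bit(x, y, i):
    """The i-th carry bit w_i of x + y built exactly as in (3.1):
    w_i = A_{i,0} or A_{i,1} or ... or A_{i,i} with A_{i,0} = x_i & y_i and
    A_{i,j} = (AND over m = 0..j-1 of (x_{i-m} | y_{i-m})) & (x_{i-j} & y_{i-j}):
    a carry generated j positions lower and propagated up to position i."""
    bx = lambda t: (x >> t) & 1
    by = lambda t: (y >> t) & 1
    if bx(i) & by(i):                       # A_{i,0}
        return 1
    for j in range(1, i + 1):               # A_{i,j}
        propagate = all(bx(i - m) | by(i - m) for m in range(j))
        if propagate and (bx(i - j) & by(i - j)):
            return 1
    return 0


def carry_bit_ref(x, y, i):
    """Reference: the carry out of position i in ordinary binary addition."""
    mask = (1 << (i + 1)) - 1
    return ((x & mask) + (y & mask)) >> (i + 1)


def check_carry_formula(n):
    """(3.1) agrees with real addition for all n-bit x, y and all positions i."""
    return all(carry_bit(x, y, i) == carry_bit_ref(x, y, i)
               for x in range(1 << n) for y in range(1 << n) for i in range(n))


def mod3_by_weights(n, k):
    """(3.3): k == 0 (mod 3) iff x_0 + 2x_1 + x_2 + 2x_3 + ... == 0 (mod 3),
    because 2^i == (-1)^i, i.e. 1 or 2, modulo 3."""
    return sum(((k >> i) & 1) * (1 if i % 2 == 0 else 2) for i in range(n)) % 3 == 0


def mod3_via_inverter(n, k):
    """(3.2): for 0 <= k < 2^n, k == 0 (mod 3) iff k = 3 * sigma_n^{-1}(k) over the
    integers, i.e. the overflow bits z_n, z_{n+1} of 3 * sigma_n^{-1}(k) are zero."""
    return 3 * sigma_inv(n, k) == k


def check_mod3_reduction(n):
    """Both characterisations agree with k % 3 == 0 for every k < 2^n."""
    return all(mod3_via_inverter(n, k) == (k % 3 == 0) and
               mod3_by_weights(n, k) == (k % 3 == 0) for k in range(1 << n))


def pi3_from_inverter(n, ys):
    """The circuit D_n of Figure 4, as (3.4) describes it: put the r = floor((n+1)/2)
    input bits y_1..y_r at the even binary positions 0, 2, 4, ..., so that
    k == y_1 + ... + y_r (mod 3) by (3.3); then 'k = 3 * sigma_n^{-1}(k)' decides
    whether the sum is 0 mod 3. Any inverter for sigma_n thus yields a mod-3 circuit."""
    r = (n + 1) // 2
    if len(ys) != r:
        raise ValueError(f"expected {r} input bits")
    k = sum(y << (2 * i) for i, y in enumerate(ys))   # 2*(r-1) <= n-1, so k < 2^n
    return 1 if 3 * sigma_inv(n, k) == k else 0


def check_pi3(n):
    """D_n computes Pi_3 on every input of length floor((n+1)/2)."""
    r = (n + 1) // 2
    return all(pi3_from_inverter(n, ys) == (1 if sum(ys) % 3 == 0 else 0)
               for ys in product((0, 1), repeat=r))


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(n, check_carry_formula(n), check_mod3_reduction(n), check_pi3(n))
```

The only part of $D_n$ that depends on the inverter is the call to `sigma_inv`; everything around it (the wiring of the $y_i$ into even positions, the multiplication by 3 and the comparison with k) is the $O(n^2)$-gate, constant-depth part, which is why a small inverter would contradict the lower bound for $\equiv 0 \pmod 3$.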
By a result of Furst, Saxe, and Sipser ([FSS], Corollary 3.6) any circuit $D_n$ to compute $\equiv 0 \pmod 3$ on $I_{2^n}$ requires a number of gates that grows at rate superpolynomial in n as $n \to \infty$. Ajtai's [A] methods in fact imply that there is a positive constant $c_0$ such that any such circuit has at least $\Omega(n^{c_0 \log n})$ gates as $n \to \infty$. Hence
$$G_n + O(n^2) \gg \Big\{ \frac{n}{2} \Big\}^{c_0 \log \frac{n}{2}}$$
so that
$$G_n \gg n^{c_1 \log n} \qquad (3.5)$$
with $c_1 = \frac{c_0}{2}$, for large n. Consequently for $d \ge 4$,
$$M_d(\sigma_n) \ge \frac{\log C_d^{-1}(\sigma_n)}{\log C_d(\sigma_n)} \ge \frac{\log G_n}{\log n} \gg \log n$$
using (3.5). Theorem B is proved.
Appendix A. Relations Between Circuit Complexity Models
A general circuit is a circuit having inputs the variables $x_1, \ldots, x_n$ and using AND, OR and NOT gates and having an acyclic graph of connections with fan-in and fan-out at most two at each gate. A stratified circuit is a circuit with inputs the literals $x_1, \ldots, x_n$ and $\neg x_1, \ldots, \neg x_n$, which uses only AND and OR gates which are stratified into levels such that gates at level i receive inputs only from gates at level $i-1$, and output only to level $i+1$, and such that all gates at even levels $2i$ are AND gates, all gates at odd levels $2i+1$ are OR gates, and fan-in and fan-out are unrestricted. Stratified circuits also may have ``no-operation'' gates at each level using e.g. $B \wedge B$ at even levels, $B \vee B$ at odd levels.
Lemma A.1
(1) For any Boolean function f in n variables computable by a general circuit with G gates, there is a stratified circuit computing f using at most $2G^2$ gates.
(2) For any Boolean function f in n variables computable by a stratified circuit with G gates, there is an equivalent general circuit computing f using at most $2G^2 + n$ gates.
Proof.
(1) Define the depth of a gate to be the length of the longest directed path in the input-output graph ending at the gate. We first eliminate the NOT-gates by proceeding from the largest depth upwards by induction, using the distributive laws, as in Figure A-1.
Figure A.1 Eliminating NOT-gates
At stage i we eliminate NOT nodes at level i, possibly inserting new NOT nodes at levels $i-1$ or lower. At the end of this process we obtain a circuit whose inputs are the literals $x_1, \ldots, x_n, \bar{x}_1 (= \neg x_1), \ldots, \bar{x}_n$ and only AND and OR gates, and this circuit has at most G gates since the total number of AND and OR gates remains constant during this process.
Next add dummy (``no-operation'') gates at each level so that all of each gate's inputs come from the immediately preceding level, and all its outputs go to the next higher level. Since the maximum depth is at most G, we add at most $G^2 - G$ dummy gates. Finally split each depth level into two levels, with all AND gates at the top level and all OR gates at the bottom level, adding extra dummy gates at each level as necessary. The resulting circuit is stratified and has at most $2G^2$ gates.
(2) The main problem is to eliminate fan-in. The stratified circuit has at most depth G and fan-in and fan-out at most G at each level. Split each gate with fan-in k and fan-out $\ell$ into $(k-2)$ gates with fan-in 2 and fan-out 1 and a final gate in this process with fan-in 2 and fan-out $\ell$. Now split this last gate into $\ell$ gates having fan-in 1 and fan-out 2. (See Figure A-2).
Figure A.2
After doing this process with all original gates, the resulting circuit has at most $2G^2$ gates. Finally add n NOT gates at level one to compute $\bar{x}_1, \ldots, \bar{x}_n$.
Appendix B. Encoding of Boolean Formulae as Natural Numbers
Let BF denote the collection of all well-formed Boolean formulae constructed using the symbols (, ), $\wedge$, $\vee$, $\neg$ and variables $x_j$. We define the length of a Boolean formula to be the number of symbols in the formula, using the convention that the variable $x_n$ is counted as being $\log_2 n$ symbols. Let $BF_{n,m}$ denote the subset of BF consisting of all formulae using only the symbols $x_1, \ldots, x_n$ and of length at most m. The map $\rho : BF \to \mathbb{N}$ encodes a formula F from left to right using the correspondence
$( \mapsto 100$
$) \mapsto 101$
$\wedge \mapsto 110$
$\vee \mapsto 111$
$\neg \mapsto 011$
and where the variable $x_n$ is encoded as $/\,n\,/$, where n is given in binary and then encoded further using
$0 \mapsto 000$
$1 \mapsto 001$
$/ \mapsto 010$.
Note that $\rho$ is honest in the sense that for any Boolean formula B we have
$$3\,\mathrm{length}(B) \ge \mathrm{length}(\rho(B)) \ge \mathrm{length}(B).$$
Lemma B-1. The mapping $\rho : BF \to \mathbb{N}$ has the following properties:
(1) It is one-to-one (but not onto) and computable in polynomial time.
(2) The (unique) inverse $\rho^{-1}$ is computable in polynomial time.
(3) $\rho(BF_{n,m}) \subseteq [1, 2^{3m}]$.
Proof. (1), (2) and (3) are all clear from the encoding procedure.
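The following is an added example, not code from the paper: an implementation of the encoding $\rho$ of Appendix B, of its inverse $\rho^{-1}$ (which returns `None` for $\#$ on any integer outside $\mathrm{Range}(\rho)$, as the definition in Section 2 requires), and of the well-formedness check that decides membership in BF. Assumptions: formulae are ASCII strings over `( ) & | ~` standing for the paper's parentheses, $\wedge$, $\vee$ and $\neg$, variables are written `x1`, `x2`, ..., and the grammar taken for BF is $F := x_n \mid \neg F \mid (F \wedge F) \mid (F \vee F)$. Because the bit string is read as an integer, leading zeros (a formula starting with $\neg$ or a variable) are lost; the decoder restores them by padding to a multiple of three, which is unambiguous because the digit groups 000 and 001 only ever occur between two / markers.

```python
# Added example, not from the paper: the encoding rho of Appendix B, its
# inverse rho^{-1} (None stands for '#' on integers outside Range(rho)), and
# the well-formedness check that decides membership in BF. Assumptions:
# formulae are ASCII strings over ( ) & | ~ (for the paper's parentheses,
# wedge, vee and negation) and variables x1, x2, ...; the grammar for BF is
# F := x_n | ~F | (F & F) | (F | F).
CODE = {'(': '100', ')': '101', '&': '110', '|': '111', '~': '011'}
DIGIT = {'0': '000', '1': '001', '/': '010'}
DECODE = {v: k for k, v in CODE.items()}


def tokenize(formula):
    """Split e.g. '(x12&~x3)' into tokens; a variable x_n becomes ('x', n)."""
    tokens, i = [], 0
    while i < len(formula):
        c = formula[i]
        if c in CODE:
            tokens.append(c)
            i += 1
        elif c == 'x':
            j = i + 1
            while j < len(formula) and formula[j].isdigit():
                j += 1
            if j == i + 1 or formula[i + 1] == '0':
                raise ValueError("variable index must be a positive integer")
            tokens.append(('x', int(formula[i + 1:j])))
            i = j
        else:
            raise ValueError(f"bad symbol {c!r}")
    return tokens


def well_formed(tokens):
    """Recursive-descent check of F := x_n | ~F | (F & F) | (F | F)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(tokens):
            return False
        t = tokens[pos]
        pos += 1
        if isinstance(t, tuple):
            return True
        if t == '~':
            return parse()
        if t == '(':
            if not parse():
                return False
            if pos >= len(tokens) or tokens[pos] not in ('&', '|'):
                return False
            pos += 1
            if not parse():
                return False
            if pos >= len(tokens) or tokens[pos] != ')':
                return False
            pos += 1
            return True
        return False

    return parse() and pos == len(tokens)


def rho(formula):
    """rho(F): encode the symbols left to right, x_n as '/ n /' with n in binary,
    and read the bit string as a natural number. Raises if F is not in BF."""
    tokens = tokenize(formula)
    if not well_formed(tokens):
        raise ValueError("not a well-formed formula")
    bitstr = ''
    for t in tokens:
        if isinstance(t, tuple):
            bitstr += DIGIT['/'] + ''.join(DIGIT[b] for b in bin(t[1])[2:]) + DIGIT['/']
        else:
            bitstr += CODE[t]
    return int(bitstr, 2)


def rho_inverse(k):
    """rho^{-1}(k): the F with rho(F) = k, or None ('#') if k is not in Range(rho).
    Leading zeros dropped by the integer are restored by padding to a multiple of 3."""
    if k <= 0:
        return None
    b = bin(k)[2:]
    b = '0' * (-len(b) % 3) + b
    groups = [b[i:i + 3] for i in range(0, len(b), 3)]
    out, i = '', 0
    while i < len(groups):
        g = groups[i]
        if g in DECODE:
            out += DECODE[g]
            i += 1
        elif g == DIGIT['/']:
            j, digits = i + 1, ''
            while j < len(groups) and groups[j] in ('000', '001'):
                digits += groups[j][-1]
                j += 1
            # the index must be non-empty, canonical binary, and closed by '/'
            if not digits or digits[0] == '0' or j >= len(groups) or groups[j] != DIGIT['/']:
                return None
            out += 'x' + str(int(digits, 2))
            i = j + 1
        else:
            return None            # a digit group outside a variable, or an unused code
    try:
        return out if well_formed(tokenize(out)) else None
    except ValueError:
        return None


def is_injective(formulas):
    """rho is one-to-one on the given list of formulae."""
    codes = [rho(F) for F in formulas]
    return len(set(codes)) == len(codes)


if __name__ == "__main__":
    for F in ("x1", "~x3", "(x1&~x2)", "((x1|x2)&~(x3&x1))"):
        print(F, "->", rho(F), "->", rho_inverse(rho(F)))
    print(rho_inverse(5))   # ')' alone is not well-formed, so this is '#'
```

The decoder rejects integers in three ways: a 3-bit group that is not a code, a variable index that is empty, non-canonical or unterminated, and a symbol string that is not a well-formed formula; all three are exactly the cases $k \notin \mathrm{Range}(\rho)$ of Lemma B-1 (1).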
Appendix C. Simulating Turing Machine Computations with Circuits: Proof of Lemma 2.1
We are given a Turing machine T having s internal states which halts on all inputs of length $\le n$ in time $f(n)$. We construct a stratified circuit $W_n$ simulating T on all inputs of length $\le n$ as follows. The idea is that $W_n$ has $f(n)$ special levels called tape levels, in which the ith of these levels records the state of the Turing machine and the work tape and output tape of the Turing machine at time i. A tape level has $2n + 4f(n) + s$ gates, where $2f(n)$ of these gates are used to record the work tape data and indicate the tape's read head location, and $3f(n)$ gates are used to record the output tape data, encoded in the same way as the input data (0 encoded as 00, 1 as 11, $\#$ as 01, / as 10), and $2n$ gates are used to record the input data, and s gates are used to indicate the Turing machine's current internal state. There is a bounded number of intermediate levels between each pair of tape levels. These are used to carry out one step of the Turing machine computation. Each set of intermediate levels has at most $6 s^2 f(n)$ gates and at most depth $2s + 4$. The lemma follows.
Appendix D. Collapsing Levels of Circuits
Lemma D-1. Let W be a stratified Boolean circuit of depth $d \ge 3$ with G gates, and suppose there are $n_j$ gates on level j with fan-in bounded by $f_j$. Then there exists a stratified Boolean circuit $W^*$ computing the same Boolean function with depth $d-1$ and at most $G + n_d (f_{d-1})^{f_d}$ gates.
Proof. Suppose the dth level consists of AND gates. Use the distributive laws in the form
$$\bigwedge_{i=1}^{f_d} \big( C_1^{(i)} \vee \cdots \vee C_{f_{d-1}}^{(i)} \big) = \bigvee_{\substack{m_1, \ldots, m_{f_d} \\ 1 \le m_i \le f_{d-1}}} \Big( \bigwedge_{j=1}^{f_d} C_{m_j}^{(j)} \Big).$$
We think of the $C_j^{(k)}$ as Boolean functions computed by the gates at level $d-2$, and dummy variables $C_j^{(k)} = 0$ are added to fill out the identity to fan-in $f_{d-1}$ at each gate. This identity can be used to interchange levels d and $d-1$, putting one OR gate on level d with fan-in at most $(f_{d-1})^{f_d}$ and $(f_{d-1})^{f_d}$ new AND gates on level $d-1$ each with fan-in at most $f_d$. Now since level $d-2$ and the new level $d-1$ both consist of AND gates, they may be coalesced to obtain the stratified circuit $W^*$.
In the case where the dth level consists of OR gates, use the corresponding distributive law and dummy variables $C_j^{(k)} = 1$.
Note that the new circuit has fan-in $f_i^* = f_i$ for $1 \le i \le d-3$, $f_{d-2}^* \le f_{d-2} + f_d$ and $f_{d-1}^* \le (f_{d-1})^{f_d}$.
The construction of Lemma D-1 can also be used to exchange two interior levels i and $i+1$. This collapses the depth by 2 and the number of new gates is at most $n_{i+1} (f_i)^{f_{i+1}}$.
Appendix E. Relations between circuits and existentially quantiﬁed Boolean formulae: Proof of
Lemma 2.2
Lemma 2.2 asserts that a function computable by a Boolean circuit may be calculated by an existentially quantified Boolean formula of approximately the same size.
Proof. To obtain the formula B we replace each gate g with a variable $y_g$. If g is an AND-gate with gates $g_1, g_2, \ldots, g_m$ as inputs, add the clause
$$C_g = ``y_g = (((y_{g_1} \wedge y_{g_2}) \wedge \cdots) \wedge y_{g_m})''$$
using
$$``B_1 = B_2'' \text{ to mean } ((B_1) \vee (\neg B_2)) \wedge ((\neg B_1) \vee B_2).$$
Proceed similarly for OR-gates. The formula is
$$B(x_1, \ldots, x_n, y_1, \ldots, y_G) = \bigwedge_{\text{all } g} C_g.$$
Input variables $x_1, \ldots, x_n, \bar{x}_1, \ldots, \bar{x}_n$ are treated as literals. The number of literals in B is at most $2E + 2G$, where E is the number of edges in the input-output interconnect graph of the circuit W. Since $E \le G^2 + nG$ the bound on the number of literals in B follows.
Lemma 2.2 holds for a general circuit also, using the same proof together with the distributive law to eliminate NOT gates.
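The following is an added example, not code from the paper, serving both the statement of Lemma 2.2 in Section 2 and this appendix: it carries out the gate-to-variable translation on a small constructed circuit and checks property (1) of the lemma by enumerating the $y$ variables, and it reports the literal count of property (2). Assumptions: a circuit is a list of gates `(op, inputs)` in topological order, an input being `('x', i)` for the literal $x_i$, `('nx', i)` for $\bar{x}_i$, or `('g', j)` for the output of gate j, and the last gate is the output gate. Besides the clauses $C_g$ the block conjoins the output gate's variable $y_G$; the proof sketch leaves this implicit, but without it the clauses are satisfiable for every x (set each $y_g$ to its gate's true value), so the existential formula would not compute g.

```python
# Added example, not from the paper: the gate-to-variable translation of
# Lemma 2.2 / Appendix E, checked by brute force on a constructed circuit.
# Assumptions: a circuit is a list of gates (op, inputs) in topological order;
# an input is ('x', i) for the literal x_i, ('nx', i) for its negation, or
# ('g', j) for the output of gate j; the last gate is the output gate. Besides
# the clauses C_g, the block conjoins the output gate's variable y_G, which the
# proof sketch leaves implicit but without which 'exists y' is always true.
from itertools import product


def literal(x, vals, t):
    """Value of an input reference t given input bits x and gate values vals."""
    kind, i = t
    if kind == 'x':
        return bool(x[i])
    if kind == 'nx':
        return not x[i]
    return bool(vals[i])


def eval_circuit(circuit, x):
    """Evaluate the circuit directly; returns g(x) in {0, 1}."""
    vals = []
    for op, inputs in circuit:
        ins = [literal(x, vals, t) for t in inputs]
        vals.append(all(ins) if op == 'AND' else any(ins))
    return int(vals[-1])


def iff(a, b):
    """The paper's 'B1 = B2': ((B1) | (~B2)) & ((~B1) | B2)."""
    return (a or not b) and (not a or b)


def formula_B(circuit, x, y, assert_output=True):
    """B(x_1..x_n, y_1..y_G) = AND over gates g of C_g, where
    C_g = 'y_g = (y_{g1} op ... op y_{gm})' and the y for an x-input is the
    literal itself. With assert_output the conjunct y_G (output gate is 1) is added."""
    for g, (op, inputs) in enumerate(circuit):
        ins = [literal(x, y, t) for t in inputs]
        gate_value = all(ins) if op == 'AND' else any(ins)
        if not iff(bool(y[g]), gate_value):
            return 0
    return int(y[-1]) if assert_output else 1


def exists_y(circuit, x, assert_output=True):
    """Exists y_1..y_G with B(x, y) = 1, decided by enumeration (G is small here)."""
    G = len(circuit)
    return int(any(formula_B(circuit, x, y, assert_output)
                   for y in product((0, 1), repeat=G)))


def check_lemma_2_2(circuit, n, assert_output=True):
    """Lemma 2.2 (1): g(x) = 1 iff exists y with B(x, y) = 1, for all x."""
    return all(eval_circuit(circuit, x) == exists_y(circuit, x, assert_output)
               for x in product((0, 1), repeat=n))


def literal_counts(circuit, n):
    """Lemma 2.2 (2): literals in B are at most 2E + 2G, and E <= G^2 + nG gives
    the bound 2G^2 + 2nG + 2G. Returns (2E + 2G, 2G^2 + 2nG + 2G)."""
    G = len(circuit)
    E = sum(len(inputs) for _, inputs in circuit)
    return 2 * E + 2 * G, 2 * G * G + 2 * n * G + 2 * G


# Constructed sample: MAJ3(x_0, x_1, x_2) as a depth-2 stratified circuit,
# three AND gates feeding one OR gate.
MAJ3 = [
    ('AND', [('x', 0), ('x', 1)]),
    ('AND', [('x', 0), ('x', 2)]),
    ('AND', [('x', 1), ('x', 2)]),
    ('OR', [('g', 0), ('g', 1), ('g', 2)]),
]

if __name__ == "__main__":
    print("with y_G conjunct:", check_lemma_2_2(MAJ3, 3))
    print("without it:", check_lemma_2_2(MAJ3, 3, assert_output=False))
    print("literal count and bound:", literal_counts(MAJ3, 3))
```

Because every clause $C_g$ pins $y_g$ to the value its gate actually takes, the only satisfying assignment of the $y$'s for a given x is the circuit's own evaluation, which is exactly why the existential quantifier ranges over a single consistent witness and the formula stays linear in the number of wires.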
References
[A] M. Ajtai, $\Sigma^1_1$-formulae on finite structures, Ann. Pure and Applied Logic 24 (1983), 1-48.
[B] G. Brassard, Relativized cryptography, Proc. 20th IEEE Symposium on Foundations of Computer Science, 1979, pp. 383-392 (Section 7).
[FSS] M. Furst, J. Saxe, and M. Sipser, Parity, circuits and the polynomial time hierarchy, Math. Systems Theory 17 (1984), 13-27.
[KL] R. M. Karp and R. J. Lipton, Some connections between non-uniform and uniform complexity classes, Proc. 12th Annual ACM Symp. on Theory of Computing, 1980, pp. 302-309.
[L] L. Levin, One-way functions and pseudo random generators, preprint.
[O] A. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance, preprint.
[Sel] A. Selman, Remarks about natural self-reducible sets in NP and complexity measures for public key cryptosystems, preprint.