A finite function f is a mapping of {1 , 2 , . . . , m } into {1 , 2 , . . . , m } ∪ { # } where # is a symbol to be thought of as ''undefined.'' This paper defines a measure M( f ) of the difficulty of inverting a finite function f, which is given by
depth of a stratified circuit is the number of levels in a circuit. Every Boolean function can be computed by some stratified circuit of depth 2 in this model. We define the depth-d circuit complexity C d (B) of a Boolean function B to be the number of input n plus the minimum number of gates needed in any stratified circuit of depth at most d that computes B.
The circuit complexity measure C (B) is essentially the same up to a polynomial factor as a general circuit complexity measure. An arbitrary circuit having G gates (AND, OR, and NOT) with fan-in and fan-out at most two and an acyclic graph of connections can be computed by a stratified circuit having at most 2G 2 gates. (See Appendix A.) However the depth of circuit measure C d (B) does depend in a critical way on the allowability of circuits with unbounded fan-in and fan-out. For example, not all Boolean functions can be represented by depth 2 circuits with bounded fan-in.
Now we define a circuit complexity measure C( f ) for a finite function f : I m → I m ∪ { # }. We first extend the domain of f to be the next higher power of 2 by using #: If 2 n − 1 < m ≤ 2 n we define for 1 ≤ i ≤ n. Now we define the circuit complexity C( f ) of f by
We have a similar depth-d measure C d ( f ) circuit complexity given by
Next we define the circuit complexity of the problem of inverting a function f :
A function f may have more than one inverse.
We define the canonical inverse function f # by:
We define the circuit complexity C − 1 ( f * ) of the function inversion problem to be
Analogously we define the depth d circuit complexity
We have an analogous depth d measure of one-wayness
The point of these definition
unbounded if and only if a superpolynomial increase in the number of gates is needed in any circuit computing an inverse function G of f * compared to the minimum number of gates needed to compute f * .
In this context the purpose of including the number of inputs n in the circuit complexity C (B) is to avoid M( f ) possibly being large because C( f * ) is small. In terms of this circuit complexity model we say that one-way finite functions exist if and only if there exists an infinite sequence of functions { f i : 1 ≤ i < ∞} defined on larger and larger domains such that { M( f i ) } is unbounded.
Our main result for the general circuit complexity model is as follows. (2) The satisfiability problem SAT has polynomial sized circuits.
Karp and Lipton [KL] have shown that if SAT has polynomial size circuits then the polynomial hierarchy collapses at the second level, i.e. Σ 2 p = Π 2 p . This may be taken as evidence that one-way finite functions exist.
For the bounded-depth circuit complexity model we are able to show that one-way functions exist.
Theorem 2. Let σ n : I 2 n → I 2 n be the permutation
Then for any fixed d ≥ 4, there is a positive constant c d such that
This result is proved by showing that σ n has polynomial sized circuits of depth 4 and second, that a circuit to invert σ n can be used to compute k ≡ 0 (mod 3), a problem known to require superpolynomial size constant depth circuits by a result of Furst, Saxe and Sipser [FSS] . The quantitative bound
log n follows from a sharper bound of Ajtai [A] for the same problem.
Theorem 2 may be taken more as a indication of the restrictiveness of the bounded-depth circuit complexity model than as a indication of the existence of one-way functions.
Proof of Theorem A
Before proving the result, we make precise the statement ''SAT has polynomial-sized circuits.'' Define the length of a Boolean formula B to be the number of symbols in it, where the variable x n is counted as log 2 n symbols. Let BF n,m denote all Boolean formulae of length at most m, involving only the variables
There is an encoding ρ : BF → N which has the properties (1) ρ is one-to-one and is computable in polynomial time.
(2) The unique inverse ρ − 1 is computable in polynomial time.
(See Appendix B) . Note that
Now set¸= 2 3m , and define the finite function SAT n,m
Then ''SAT has polynomial size circuits'' means there exists an integer j such that
for all m ≥ 1.
Proof of Theorem A. ( 1 ) = > ( 2 ). Suppose that the function M( f ) is bounded by the integer c 0 for all finite functions f. We will construct polynomial size circuits for SAT.
The TEST be the set
Certainly TEST is recognizable in polynomial time, and it is easy to construct (by the same method as used in Appendix B) a one-to-one polynomial-time computable encoding Ψ : TEST → N such that:
(1) It is honest in the sense that
for all inputs (B, x).
(2) The range Ψ( TEST ) is recognizable in deterministic polynomial time.
and observe that
We use the following well-known fact:
Lemma 2.1. Let T be a Turing machine used as a transducer that halts on all inputs of length ≤ n in time f (n) and which has s states. There is a stratified Boolean circuit Ω n of depth ≤ 6sf (n) with ≤ 20
2 gates which simulates T on all inputs of length ≤ n. More precisely, Ω n has 2n input gates encoding the n inputs to T as 00 = 0, 11 = 1 and 01 = #, and 2 f (n) outputs encoding the output of T similarly.
We sketch a proof of Lemma 2.1 in Appendix C.
We first infer from Lemma 2.1 that since the collection of functions {ρ n,m − 1 } given by 
Here B denotes a Boolean expression with n variables, and B(x) is its value on input x. Since the complete set of functions { f n,m } is computable by a polynomial time Turing machine used as a transducer, by Lemma 2.1 the collection { f n,m } is computable by polynomial size circuits, having at most p 3 (n, m) gates
In particular, this inverse g n,m has the property
Consequently g n,m can be used to recognize UNSAT and hence SAT. A polynomial sized circuit for SAT n,m is easily constructed from that for g n,m ( . ) using the flowchart in Figure 1 , and the resulting circuit (2) = > (1). Assume that SAT has polynomial sized circuits. Now let f be an arbitrary finite function
circuits computing the ''bit functions'' B 0 ( f ) , . . . , B n + 1 ( f ) using the minimal number of gates G i , and note that by definition of the circuit complexity measure C( f ) we have
We shall combine these circuits with appropriately sized SAT circuits to create a circuit Σ f # computing the canonical inverse function f # which has at most (C( f ) ) c 0 + c 0 gates, where c 0 is a constant independent of f. Assuming this is accomplished, we may conclude that
and the desired implication follows. (1) For all (x 1 , . . . , x n ) ∈ {0 , 1} n we have
variable symbols and has length at most 12G(n + G) log 2 (n + G).
Proof. (Sketch) We add dummy variables y 1 , . . . , y G corresponding to the gates of the stratified circuit and add appropriate equality conditions forcing the values y i to simulate the gates of the circuit. See
Appendix E for a detailed proof.
We apply Lemma 2.2 to the ''bit functions' ' B i ( f ) to obtain Boolean formulae
We may bound the length L i of the Boolean formula B _ _ i using (2.3) and (2) of Lemma 2 to obtain
The overall structure of the circuit Σ f # to compute f # is pictured in Figures 2a and 2b . The main ingredient in the circuit Σ f # is the circuits used to compute Round i for 1 ≤ i ≤ n. The detailed structure of a Round i circuit (excluding Round 1) is pictured in Figure 3 . It has two main ingredients, a circuit simulating a Turing machine computation and a SAT circuit. The purpose of the Turing machine computation is to preprocess the question asked in Round i: 'Do there exist values x i + 1 , . . . , x n such that f (x 1 , . . . , x i , x i + 1 , . . . , x n ) = k?' into a form suitable for input to the SAT circuit, where
The required Turing machine has the following properties. It takes as inputs n, G, i, and n + 1 Boolean formulae B _ _ i (x 1 , . . . , x n , y 1 , . . . , y G ) for 0 ≤ i ≤ n, plus the i values (x 1 , . . . , x i ) and the n values (z 1 , . . . , z n ) where
It produces as output the encoding ρ(F i ) of the Boolean formula 
. It is clear that there is a polynomial time Turing machine to do this computation, hence by Lemma 2.1 this can be simulated by a circuit of size polynomial in C( f ).
Now we bound the size of the SAT circuit required to test ρ(F i ). Now the formula F i involves at most
n + C( f ) variables and is of length at most 1536C( f ) 4 , using the bounds (2.5) and n ≤ C( f ).
Observe that
By hypothesis SAT has polynomial sized circuits, so the resulting circuit Σ f # is of size bounded by a 
Proof of Theorem B
Let σ n : I 2 n → I 2 n be the permutation σ n (k) ≡ 3k (mod 2 n ). We first show that C d (σ n ) is bounded by a polynomial in n, for n ≥ 4. We first exhibit a depth 6 stratified circuit Σ n that computes σ n using O(n 2 ) gates. Write the input k in binary as
and define the binary bits z i by
It suffices to find a circuit that when given { x i : 0 < i ≤ n − 1} computes the bits { z i : 0 ≤ i ≤ n + 1} and then discards the overflow bits z n and z n + 1 . We view 3k = k + 2k and note that the i th ''carry bit'' can be computed with a depth 4 circuit with 3i + 4 gates. Indeed consider the i th carry bit w i in addinģ
We compute the clauses x j ∧ y j at depth 1, the clauses x j ∨ y j at depth 2, combine them to compute the
at depth 3 and finally compute
at depth 4. Using all the carry bits for 0 ≤ i ≤ n, we can now compute all the bits of¸1 +¸2 in a depth 6 circuit using O(n 2 ) gates. To do this we create other depth 4 circuits computing w _ _ i = ¬w i and then compute the j th bit of¸1 +¸2 to be
where by convention w 0 = x n + 1 = y n + 1 = 0. We apply this construction to obtain the desired depth 6 stratified circuit Σ n computing σ n using O(n 2 ) gates.
Now we obtain a depth 4 circuit Σ n * computing σ n using a polynomial number of gates. We use the distributive laws to exchange two adjacent levels of AND and OR gates with at most a polynomial blow-up in the number of gates, which is possible if the higher level has bounded fan-in. Then we may collapse one level. If both levels exchanged have bounded fan-in, the same is true for the exchanged levels. We use this procedure to eliminate levels 5 and 6 from Σ n , obtaining the desired stratified circuit Σ n * . (See
Next we bound the complexity of computing the inverse C d # (σ n ) from below. Since σ n is a permutation, it has a unique inverse σ n − 1 given by
and by (1.6) we have
Let Π n be a depth d circuit competing σ n − 1 with G n gates. We will use Π n to construct a circuit ∆ n of depth d + ¬ which has G n + O(n 2 ) gates and which computes ≡ 0 (mod 3) on [ 2
computes the Boolean function
We use the fact that (3.2) and z n + 1 in 3 σ n − 1 (k) are both zero. We next observe that if 0 ≤ k < 2 n and k has the binary expansion
Hence (3.2) and (3.3) imply that given { y i :
We obtain the desired depth d + ¬ circuit ∆ n with [ 2 n + 1 _ ____ ] inputs using the flowchart in Figure 4 . The circuit ∆ n has G n + O(n 2 ) gates. By a result of Furst, Saxe, and Sipser ([FSS] , Corollary 3.6) any circuit ∆ n to compute ≡ 0 (mod 3) on I 2 n requires a number of gates that grows at rate superpolynomial in n as n → ∞. Ajtai's [A] methods in fact imply that there is a positive constant c 0 such that any such circuit has at least Ω(n c 0 log n ) gates as n → ∞. 
>> log n using (3.5). Theorem B is proved.
Appendix A. Relations Between Circuit Complexity Models
A general circuit is a circuit having inputs the variables x 1 , . . . , x n and using AND, OR and NOT gates and having an acyclic graph of connections with fan-in and fan-out at most two at each gate. A stratified circuit is a circuit with inputs the literals x 1 , ..., x n and ¬x 1 , ..., ¬x n , which uses only AND and OR gates which are stratified into levels such that gates at level i receive inputs only from gates at level i − 1, and output only to level i + 1, and such that all gates at even levels 2i are AND gates, all gates at odd levels 2i + 1 are OR gates, and fan-in and fan-out are unrestricted. Stratified circuits also may have ''no-operation'' gates at each level using e.g. B ∧ B at even levels, B ∨ B at odd levels. Proof.
(1) Define the depth of a gate to be the longest directed path in the input-output graph which inputs to the gate. We first eliminate the NOT-gates by proceeding from the largest depth upwards by induction, using the distributive laws, as in Figure At the end of this process we obtain a circuit whose inputs are the literals x 1 , ..., x n , x _ 1 ( = ¬x 1 ) , . . . , x _ n and only AND and OR gates, and this circuit has at most G gates since the total number of AND and OR gates remains constant during this process.
Next add dummy (''no-operation'') gates at each level so that all of each gate's inputs come from the immediately preceding level, and all its outputs go to the next higher level. Since the maximum depth is at most G, we add at most G 2 − G dummy gates. Finally split each depth level into two levels, with all AND gates at the top level and all OR gates at the bottom level, adding extra dummy gates at each level as necessary. The resulting circuit is stratified and has at most 2G 2 gates.
(2) The main problem is to eliminate fan-in. The stratified circuit has at most depth G and fan-in and fan-out at most G at each level. Split each gate with fan-in k and fan-out¸into (k − 2 ) gates with fan-in 2 and fan-out 1 and a final gate in this process with fan-in 2 and fan-out¸. Now split this last gate intoģ ates having fan-in 1 and fan-out 2. (See Figure A-2) . Lemma 2.2 holds for a general circuit also, using the same proof together with the distributive law to eliminate NOT gates.
