On the circuit-size of inverses

We reprove a result of Boppana and Lagarias: If Pi_2^P is different from Sigma_2^P then there exists a partial function f that is computable by a polynomial-size family of circuits, but no inverse of f is computable by a polynomial-size family of cir…

Authors: Jean-Camille Birget

J.C. Birget
October 31, 2018

Abstract

We reprove a result of Boppana and Lagarias: If $\Pi_2^P \neq \Sigma_2^P$ then there exists a partial function $f$ that is computable by a polynomial-size family of circuits, but no inverse of $f$ is computable by a polynomial-size family of circuits. We strengthen this result by showing that there exist length-preserving total functions that are one-way by circuit size and that are computable in uniform polynomial time. We also prove, if $\Pi_2^P \neq \Sigma_2^P$, that there exist polynomially balanced total surjective functions that are one-way by circuit size; here non-uniformity is used.

Keywords: Computational complexity, circuit size, one-way functions

1 Introduction

The difficulty of inversion (i.e., given $f$ and $y$, find any $x$ such that $f(x) = y$) is a fundamental topic in computational complexity and in cryptography. The question whether NP is different from P can be formulated as a question about the difficulty of inversion, namely, $P \neq NP$ iff there exists a one-way function based on polynomial time ([11], [8] pp. 32-43, [5] pp. 119-125). A function $f$ is said to be one-way based on polynomial time iff $f$ is polynomial-time computable (by a deterministic Turing machine) but no inverse function $f'$ of $f$ is polynomial-time computable. An inverse of $f$ is any function $f'$ such that $f \circ f' \circ f = f$.

In this paper we consider one-way functions based on (non-uniform) families of circuits of polynomial size. Boppana and Lagarias [2] (by using the Karp-Lipton theorem [9]) proved that if $\Pi_2^P \neq \Sigma_2^P$ then there exists a partial function $f$ that can be computed by a non-uniform family of circuits of polynomial size, but no inverse $f'$ of $f$ can be computed by a non-uniform family of circuits of polynomial size. We show that this result still holds when $f$ is a total surjective and polynomially balanced function, or when $f$ is length-preserving and uniformly computable in polynomial time (but non-uniformity is allowed for the inverses).

By "circuit" we mean a digital circuit made of boolean gates, whose underlying directed graph is acyclic [16]. More precisely, a circuit $C$ with $m$ input vertices and $n$ output vertices consists of two parts. First, $C$ has an acyclic directed graph (with vertex set $V$ and edge set $E$); we assume that the set of vertices $V$ has a total order (i.e., $V$ is not just a set but a sequence). Second, $C$ has a gate map
  $gate: v \in V \mapsto gate(v) \in \{and, or, not, fork, in_1, \ldots, in_m, out_1, \ldots, out_n\}$
which assigns a gate $gate(v)$ to each vertex $v$. The gates $and$, $or$, and $not$ are the traditional boolean operations. The gates $and$ and $or$ have domain $\{0,1\} \times \{0,1\}$, so a vertex labeled by such a gate has in-degree 2; $not$ has domain $\{0,1\}$, so a vertex labeled by $not$ has in-degree 1; all three operations have codomain $\{0,1\}$, so the vertex has out-degree 1. The gate $fork: x \in \{0,1\} \mapsto (x, x) \in \{0,1\} \times \{0,1\}$ is also called the fan-out operation; the corresponding vertex has in-degree 1 and out-degree 2. Input vertices are mapped to $in_1, \ldots, in_m$; they have in-degree 0 and out-degree 1. Output vertices are mapped to $out_1, \ldots, out_n$; they have in-degree 1 and out-degree 0. The gate map is injective on the union of the set of input vertices and the set of output vertices.

The size (or complexity) of a circuit $C$, denoted $|C|$, is defined to be the number of edges (i.e., wire links) plus the number of vertices. Thus $|C|$ is always at least as large as the number of input vertices plus the number of output vertices.

A circuit $C$ with $m$ input vertices and $n$ output vertices has an input-output function $(x_1, \ldots, x_m) \in \{0,1\}^m \mapsto (y_1, \ldots, y_n) \in \{0,1\}^n$ that we denote by $C(.)$. The image set of $C$, i.e. the set of all actual outputs, is denoted by $im(C)$ ($\subseteq \{0,1\}^n$).

Let $A$ be a finite alphabet; when we talk about circuits we always assume that $A = \{0,1\}$.

Definition 1.1 A function $f: A^* \to A^*$ is called length-equality preserving iff for all $x_1, x_2 \in A^*$, $|x_1| = |x_2|$ implies $|f(x_1)| = |f(x_2)|$. Equivalently, for every $m$ there exists $n$ such that $f(A^m) \subseteq A^n$. A special case consists of the length-preserving functions, satisfying $|f(x)| = |x|$.

Definition 1.2 A function $f: A^* \to A^*$ is called polynomially balanced iff there exist polynomials $p_1(.)$ and $p_2(.)$ such that for all inputs $x \in A^*$: $|f(x)| \le p_1(|x|)$ and $|x| \le p_2(|f(x)|)$. A special case is, again, the length-preserving functions.

Definition 1.3 A length-equality preserving function $f: \{0,1\}^* \to \{0,1\}^*$ is said to be computed by a family of circuits $\mathcal{C} = \{C_m : m \in \mathbb{N}\}$ iff for all $m \in \mathbb{N}$ and all $x \in \{0,1\}^m$, $f(x) = C_m(x)$. (We do not make any uniformity assumptions for $\mathcal{C}$.) This family is said to be of polynomial size iff there is a polynomial $p(.)$ such that for all $m$: $|C_m| \le p(m)$.

In general, a family of circuits $\mathcal{C} = \{C_i : i \in \mathbb{N}\}$ could contain any number of circuits $C_i$ with the same number of input vertices; then $\mathcal{C}$ does not compute a function.

Computational one-wayness can be defined in many (non-equivalent) ways. We will use the following definition, related to worst-case circuit complexity (we are not considering cryptographic one-way functions here).
Definition 1.4 A length-equality preserving function $f: \{0,1\}^* \to \{0,1\}^*$ is one-way by circuit size iff
  • $f$ is polynomially balanced,
  • $f$ is computable by a polynomial-size family of circuits, but
  • no inverse function $f'$ of $f$ is computable by a polynomial-size family of circuits.

Intuitively, one-wayness based on circuit size should be stronger than one-wayness based on uniform computational complexity. Indeed, in the former, not only is it difficult to find any inverse $f'$ of $f$, but the circuits for the inverses $f'$ are all very large.

Definition 1.4 can also be adapted to a family of circuits, by itself.

Definition 1.5 A family of circuits $\mathcal{C} = \{C_i : i \in \mathbb{N}\}$ is one-way by circuit size iff for every polynomial $p(.)$ there is no family of circuits $\mathcal{C}' = \{C'_i : i \in \mathbb{N}\}$ such that for all $i$, $C_i \circ C'_i \circ C_i(.) = C_i(.)$ and $|C'_i| \le p(|C_i|)$.

Before dealing with one-wayness we characterize the complexity of the injectiveness problem and of the surjectiveness problem for circuits. Injectiveness is equivalent to the existence of left inverses, and surjectiveness is equivalent to the existence of right inverses. After that we consider general inverses.

2 Injectiveness and surjectiveness

The equivalence problem for circuits takes two circuits $C_1, C_2$ as input, and asks whether $C_1(.) = C_2(.)$. It is well known that this problem is coNP-complete [5, 8]. A related problem is the following, where for any set $S$ we denote the identity function on $S$ by $id_S$. In the identity problem, for a given circuit $C$ the question is whether $C(.) = id_{\{0,1\}^n}$. In the injectiveness problem the question is whether $C(.)$ is injective. The identity problem is a special case of both the equivalence problem and the injectiveness problem.

Proposition 2.1 The injectiveness problem and the identity problem for circuits are coNP-complete.

Proof (this is Theorem 6.5 in [1], reproved here purely in the context of circuits). It is easy to see that the injectiveness problem and the identity problem are in coNP. To show hardness we reduce the tautology problem for boolean formulas to the injectiveness problem and to the identity problem for circuits, as follows. Let $B$ be any boolean formula with $n$ variables. We define a new boolean function $F_B: \{0,1\}^{n+1} \to \{0,1\}^{n+1}$ by
  $F_B(x_1, \ldots, x_n, x_{n+1}) = (x_1, \ldots, x_n, x_{n+1})$ if $B(x_1, \ldots, x_n) = 1$ or $x_{n+1} = 1$,
  $F_B(x_1, \ldots, x_n, x_{n+1}) = (1, \ldots, 1, 1)$ $(= 1^{n+1})$ otherwise.
Let us check that the following three properties are equivalent: (1) $B$ is a tautology, (2) $F_B$ is injective, and (3) $F_B = id_{\{0,1\}^{n+1}}$. When $B(x_1, \ldots, x_n) = 1$ then $F_B(x_1, \ldots, x_n, x_{n+1}) = (x_1, \ldots, x_n, x_{n+1})$. So, if $B$ is a tautology then $F_B$ is the identity function on $\{0,1\}^{n+1}$ (which also implies that $F_B$ is injective). If $B$ is not a tautology then $B(c_1, \ldots, c_n) = 0$ for some $(c_1, \ldots, c_n) \in \{0,1\}^n$. It follows that $F_B(c_1, \ldots, c_n, 0) = (1, \ldots, 1, 1)$. But we also have $F_B(1, \ldots, 1, 1) = (1, \ldots, 1, 1)$, since here $x_{n+1} = 1$. Hence, $F_B$ is not injective (and hence not the identity function). □

The surjectiveness problem for circuits takes a circuit $C$ as input, and asks whether $C(.)$ is surjective. Let $\Pi_2^P$ denote the $\forall\exists$-class at level 2 in the polynomial hierarchy [5, 8]; similarly, $\Sigma_2^P$ denotes the $\exists\forall$-class. Theorem 2.2 below is very similar to Theorem 5.9 in [1] about the surjectiveness problem for elements of the Thompson-Higman monoid $M_{2,1}$. But there are technical differences between circuits and elements of $M_{2,1}$, so we give a separate proof for circuits here.

Theorem 2.2 The surjectiveness problem for circuits is $\Pi_2^P$-complete.

Proof. The definition of surjectiveness shows that the surjectiveness problem is in $\Pi_2^P$. Indeed, $C(.)$ is surjective iff $(\forall y \in \{0,1\}^n)(\exists x \in \{0,1\}^m)\,[C(x) = y]$. This is a $\Pi_2^P$-formula, since $n, m \le |C|$, and since the property $C(x) = y$ can be checked deterministically in polynomial time when $x$, $y$, and $C$ are given.

Let us prove hardness by reducing $\forall\exists$Sat (the $\forall\exists$-satisfiability problem) to the surjectiveness problem for circuits. Let $B(x, y)$ be any boolean formula where $x$ is a sequence of $m$ boolean variables, and $y$ is a sequence of $n$ boolean variables. The problem $\forall\exists$Sat asks on input $\forall y\,\exists x\, B(x, y)$ whether this sentence is true. It is well known that $\forall\exists$Sat is $\Pi_2^P$-complete [5, 8]. We map the formula $B$ to the circuit $C_B$ with input-output function defined by
  $C_B(x, y, y_{n+1}) = (y, y_{n+1})$ if $B(x, y) = 1$ or $y_{n+1} = 1$,
  $C_B(x, y, y_{n+1}) = (1^n, 1)$ if $B(x, y) = y_{n+1} = 0$.
Equivalently,
  $C_B(x, y, y_{n+1}) = \big(\, y_1 \vee \overline{(B(x, y) \vee y_{n+1})},\ \ldots,\ y_n \vee \overline{(B(x, y) \vee y_{n+1})},\ y_{n+1} \vee \overline{B(x, y)} \,\big)$.
Hence one can easily construct a circuit for $C_B$ from the formula $B(x, y)$. By the definition of $C_B$,
  $im(C_B) = \{(y, 0) : \exists x\, B(x, y)\} \cup \{(y, 1) : y \in \{0,1\}^n\}\ (\cup\, \{(1^n, 1)\})$.
Since $(1^n, 1) \in \{(y, 1) : y \in \{0,1\}^n\}$, the term $\{(1^n, 1)\}$ (which may or may not be present) is irrelevant. Hence, $im(C_B) = \{0,1\}^n\,1 \,\cup\, \{y \in \{0,1\}^n : \exists x\, B(x, y)\}\,0$. Therefore, $\forall y\,\exists x\, B(x, y)$ is true iff $im(C_B) = \{0,1\}^n\,1 \cup \{0,1\}^n\,0$, i.e., iff $C_B$ is surjective. □

For a partial function $f: X \to Y$ it is a well-known fact that $f$ is surjective iff $f$ has a right inverse. By definition, a partial function $g: Y \to X$ is called a right inverse of $f$ iff $f \circ g(.) = id_Y$.
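As an added worked example (not code from the paper), the two reductions above, $F_B$ from the proof of Proposition 2.1 and $C_B$ from the proof of Theorem 2.2, written out over explicit truth tables in Python. Formulas are represented as Python predicates on bit tuples, and the two equivalences the proofs establish (tautology ⇔ $F_B$ injective ⇔ $F_B$ identity; $\forall y\,\exists x\, B$ true ⇔ $C_B$ surjective, via the stated form of $im(C_B)$) are checked by brute force. The sample formulas TAUT, NOT_TAUT, EQ and AND1 are constructed here and are not from the paper.

```python
from itertools import product

def bitstrings(n):
    """All elements of {0,1}^n as tuples."""
    return product((0, 1), repeat=n)

def F_B(B, n):
    """The map F_B: {0,1}^(n+1) -> {0,1}^(n+1) of Proposition 2.1; B is a predicate on n-tuples."""
    ones = (1,) * (n + 1)
    return lambda xs: tuple(xs) if B(xs[:n]) or xs[n] == 1 else ones

def is_tautology(B, n):
    return all(B(x) for x in bitstrings(n))

def is_injective(F, inlen):
    return len({F(xs) for xs in bitstrings(inlen)}) == 2 ** inlen

def is_identity(F, inlen):
    return all(F(xs) == xs for xs in bitstrings(inlen))

def check_prop_2_1(B, n):
    """(1) B tautology  <=>  (2) F_B injective  <=>  (3) F_B = identity, on this B."""
    F = F_B(B, n)
    return is_tautology(B, n) == is_injective(F, n + 1) == is_identity(F, n + 1)

def C_B(B, m, n):
    """The function C_B: {0,1}^(m+n+1) -> {0,1}^(n+1) of Theorem 2.2; B(x, y) with |x| = m, |y| = n."""
    def C(xs):
        x, y, y_last = xs[:m], xs[m:m + n], xs[m + n]
        return y + (y_last,) if B(x, y) or y_last == 1 else (1,) * (n + 1)
    return C

def image(F, inlen):
    return {F(xs) for xs in bitstrings(inlen)}

def is_surjective(F, inlen, outlen):
    return len(image(F, inlen)) == 2 ** outlen

def forall_exists(B, m, n):
    """The ∀∃Sat instance  ∀y ∃x B(x, y), decided by brute force."""
    return all(any(B(x, y) for x in bitstrings(m)) for y in bitstrings(n))

def check_thm_2_2(B, m, n):
    """im(C_B) = {0,1}^n 1 ∪ {y : ∃x B(x,y)} 0, and  ∀y∃x B  <=>  C_B surjective, on this B."""
    C = C_B(B, m, n)
    predicted = {y + (1,) for y in bitstrings(n)} | \
                {y + (0,) for y in bitstrings(n) if any(B(x, y) for x in bitstrings(m))}
    return image(C, m + n + 1) == predicted and forall_exists(B, m, n) == is_surjective(C, m + n + 1, n + 1)

# Constructed sample formulas (not from the paper)
TAUT = lambda x: x[0] or not x[0]            # x1 ∨ ¬x1, n = 1: a tautology
NOT_TAUT = lambda x: bool(x[0] and x[1])     # x1 ∧ x2, n = 2: false at (0, 0)
EQ = lambda x, y: x == y                     # m = n = 2: ∀y ∃x (x = y) holds
AND1 = lambda x, y: bool(x[0] and y[0])      # m = n = 1: ∀y ∃x (x1 ∧ y1) fails at y = 0
```

For NOT_TAUT the two inputs $(0,0,0)$ and $(1,1,1)$ collide on $1^{3}$ exactly as in the proof; for AND1 the point $(0, 0)$ is missing from $im(C_B)$, which is the failing $y = 0$ of the $\forall\exists$ sentence.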
For circuits we have: A circuit $C$ (with $m$ input wires and $n$ output wires) is surjective iff there exists a circuit $C'$ (with $n$ input wires and $m$ output wires) such that $C \circ C'(.) = id_{\{0,1\}^n}$.

Theorem 2.3 If there exists a polynomial $p(.)$ such that every surjective circuit $C$ has a right inverse $C'$ of size $|C'| \le p(|C|)$, then $\Pi_2^P = \Sigma_2^P$.

Proof. If such a polynomial $p(.)$ exists then the surjectiveness of $C$ is characterized by
  $C$ is surjective iff $(\exists C',\ |C'| \le p(|C|))\,(\forall x \in \{0,1\}^m)\,[C \circ C'(x) = x]$.
This is a $\Sigma_2^P$-formula since the quantified variables are polynomially bounded in terms of $|C|$, and the relation $C \circ C'(x) = x$ can be checked deterministically in polynomial time when $C$, $C'$ and $x$ are given. This implies that the surjectiveness problem is in $\Sigma_2^P$. But since we already proved that the surjectiveness problem is $\Pi_2^P$-complete, this implies that $\Pi_2^P \subseteq \Sigma_2^P$. Hence, $\Pi_2^P = \Sigma_2^P$. □

3 General inverses

The general concept of an inverse goes back to Moore [12] (Moore-Penrose pseudo-inverse of a matrix), and von Neumann [13] (regular rings). For a partial function $f: X \to Y$, the domain of $f$ is denoted by $dom(f)$ ($\subseteq X$), and the image (or range) is denoted by $im(f)$ ($\subseteq Y$). A partial function $f: X \to Y$ is called total iff $dom(f) = X$. When we just say "function" we mean a total function.

Definition 3.1 For a partial function $F: X \to Y$ an inverse (also called a semi-inverse) of $F$ is any partial function $F': Y \to X$ such that $F \circ F' \circ F = F$. If both $F \circ F' \circ F = F$ and $F' \circ F \circ F' = F'$ hold then $F'$ is a mutual inverse of $F$, and $F$ is a mutual inverse of $F'$.

The following facts about inverses are well known and straightforward to prove. For any two partial functions $F: X \to Y$ and $F': Y \to X$ we have:
  • $F \circ F' \circ F = F$ iff $(F \circ F')|_{im(F)} = id_{im(F)}$, where $(.)|_{im(F)}$ denotes the restriction to $im(F)$.
  • If $F'$ is a semi-inverse of $F$ then $im(F) \subseteq dom(F')$; i.e., $F'(y)$ is defined for all $y \in im(F)$.
  • If $F'$ is a semi-inverse of $F$ then $F'|_{im(F)}$ is injective.
  • If $F'$ is a semi-inverse of $F$ then $F' \circ F \circ F'$ is a mutual inverse of $F$.
  • Every partial function $F$ has at least one semi-inverse. More specifically, $F$ has at least one semi-inverse $F'_1$ that is total (i.e., $dom(F'_1) = Y$), and at least one semi-inverse $F'_2$ that is injective and whose domain is $im(F)$.
For infinite sets the last fact requires the axiom of choice. The following two Lemmas are also straightforward.

Lemma 3.2 $F'$ is a right inverse of $F$ iff $F'$ is a total and injective mutual inverse of $F$. □

Lemma 3.3 For a partial function $F: X \to Y$ the following are equivalent: (1) $F$ is surjective; (2) $F$ has a right inverse; (3) $F$ has a mutual inverse $F'$ that is total and injective; (4) every semi-inverse $F'$ of $F$ is total and injective; (5) every semi-inverse $F'$ of $F$ is total. □

We can now reformulate Theorem 2.3 in terms of inverses.

Theorem 3.4 If there exists a polynomial $p(.)$ such that every circuit $C$ has a semi-inverse $C'$ of size $|C'| \le p(|C|)$, then $\Pi_2^P = \Sigma_2^P$.

Proof. If such a $p(.)$ exists then every circuit $C$ has an inverse $C'$ of size $|C'| \le p(|C|)$, and hence every $C$ has a mutual inverse $C'_2 = C' \circ C \circ C'$ of size $|C'_2| \le 2 \cdot p(|C|) + |C|$. Let $q(n) = 2 \cdot p(n) + n$, which is also a polynomial. Let us now consider the special case where $C$ is surjective. Then by Lemma 3.3 (1 ⇒ 4), $C'_2$ is total and injective. Then by Lemma 3.2, since $C'_2$ is a mutual inverse, $C'_2$ is a right inverse of $C$. Now Theorem 2.3 (for the polynomial $q(.)$) implies that $\Pi_2^P = \Sigma_2^P$. □
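An added example, not from the paper: the notions of Section 3 made concrete for finite partial functions, represented as Python dicts (a key is present exactly on the domain). It implements the semi-inverse and mutual-inverse conditions of Definition 3.1, the two canonical semi-inverses $F'_1$ (total) and $F'_2$ (injective, domain $im(F)$) from the list of facts, and checks Lemma 3.2 and Lemma 3.3 by enumerating every partial function $Y \to X$ for a small constructed example. All function names and the sample maps SURJ and NOT_SURJ are my own.

```python
from itertools import product

# Partial functions between finite sets are dicts: F[x] is defined exactly for x in dom(F).

def compose(f, g):
    """f ∘ g as a partial function: defined where g(x) and then f(g(x)) are both defined."""
    return {x: f[g[x]] for x in g if g[x] in f}

def is_semi_inverse(F, Fp):
    """Definition 3.1: F ∘ F' ∘ F = F, as partial functions (same domain, same values)."""
    return compose(F, compose(Fp, F)) == F

def is_mutual_inverse(F, Fp):
    return is_semi_inverse(F, Fp) and is_semi_inverse(Fp, F)

def is_right_inverse(F, Fp, Y):
    """F ∘ F' = id_Y."""
    return compose(F, Fp) == {y: y for y in Y}

def is_total(G, D):
    return set(G) == set(D)

def is_injective(G):
    return len(set(G.values())) == len(G)

def all_partial_functions(Y, X):
    """Every partial function Y -> X; None in a slot means 'undefined at that point'."""
    Y, X = sorted(Y), sorted(X)
    for choice in product([None] + X, repeat=len(Y)):
        yield {y: x for y, x in zip(Y, choice) if x is not None}

def semi_inverses(F, X, Y):
    return [Fp for Fp in all_partial_functions(Y, X) if is_semi_inverse(F, Fp)]

def preimage_chooser(F):
    """F'_2 from the list of facts: injective, domain im(F), picking the least preimage of each point."""
    pre = {}
    for x in sorted(F):
        pre.setdefault(F[x], x)
    return pre

def total_semi_inverse(F, X, Y):
    """F'_1 from the list of facts: F'_2 extended to all of Y by an arbitrary point of X."""
    pre = preimage_chooser(F)
    return {y: pre.get(y, min(X)) for y in Y}

def lemma_3_2_holds(F, X, Y):
    """Right inverse  <=>  total, injective mutual inverse, checked over every F': Y -> X."""
    return all(is_right_inverse(F, Fp, Y) == (is_total(Fp, Y) and is_injective(Fp) and is_mutual_inverse(F, Fp))
               for Fp in all_partial_functions(Y, X))

def lemma_3_3_holds(F, X, Y):
    """(1) surjective  <=>  (4) every semi-inverse is total and injective  <=>  (5) every semi-inverse is total."""
    surjective = set(F.values()) == set(Y)
    invs = semi_inverses(F, X, Y)
    return surjective == all(is_total(Fp, Y) and is_injective(Fp) for Fp in invs) == all(is_total(Fp, Y) for Fp in invs)

# Constructed examples (not from the paper) on X = {0, 1, 2}, Y = {0, 1}
X, Y = [0, 1, 2], [0, 1]
SURJ = {0: 0, 1: 0, 2: 1}       # total and surjective
NOT_SURJ = {0: 0, 1: 0}         # partial (undefined at 2) and its image misses 1
```

Brute force is what makes the "every semi-inverse" clauses (4) and (5) checkable here: for SURJ only two of the sixteen partial functions $Y \to X$ are semi-inverses, and both are total and injective, while NOT_SURJ has a semi-inverse that is undefined at 1.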
Theorem 3.4 is not new; it follows immediately from a result by Boppana and Lagarias (Theorem 2.1a in [2]), combined with the Karp-Lipton Theorem [9, 5, 8]. The proof of Theorem 3.4 also applies to surjective functions (while the methods in [2] do not seem to):

Corollary 3.5 If there exists a polynomial $p(.)$ such that every surjective circuit $C$ has a semi-inverse $C'$ of size $|C'| \le p(|C|)$, then $\Pi_2^P = \Sigma_2^P$. □

Theorems 2.3, 3.4 and Corollary 3.5 show that the family of all circuits and the family of all surjective circuits are one-way by circuit-size.

4 One-way functions, if $\Pi_2^P \neq \Sigma_2^P$

We will use the above results to construct two types of functions that are one-way by circuit-size.

4.1 A surjective non-uniform one-way function

The papers [6] and [4] discuss the existence of surjective one-way functions, based on uniform polynomial time complexity. In the uniform case (with uniformity for both $f$ and $f'$), it is known that $P \neq NP \cap coNP$ implies the existence of one-way functions (attributed to [3] in the Introduction of [6]). Here we give an existence result for surjective one-way functions with respect to non-uniform polynomial time, i.e., circuit size.

For a circuit $C$ we will denote the number of input vertices by $m_C$ or $m$, and the number of output wires by $n_C$ or $n$. An identity wire in a circuit is an edge $(x_i, y_j)$ that directly connects an input vertex $x_i$ to an output vertex $y_j$; so $x_i$ and $y_j$ have the same value. To add an identity wire means to create a new input vertex, a new output vertex, and an edge between them.

Lemma 4.1 Suppose $C_0$ is obtained from $C$ by adding identity wires. Then $C_0$ is surjective iff $C$ is surjective.

Proof. Let $j$ be the number of identity wires added. So, $im(C_0) = im(C) \times \{0,1\}^j$. Then $C$ is surjective iff $im(C) = \{0,1\}^n$ iff $im(C_0) = \{0,1\}^n \times \{0,1\}^j = \{0,1\}^{n+j}$ iff $C_0$ is surjective. □

Proposition 4.2 Theorem 2.3 and Corollary 3.5 still hold when one only considers surjective circuits $C$ that satisfy $m \le \frac{1}{2}|C| < 2n$. The same holds if one considers only surjective circuits that satisfy $2n < m \le |C| < 6n$.

Proof. From any circuit $C$ one can construct a circuit $C_1$ by adding $|C|$ identity wires. Then $C$ is surjective iff $C_1$ is surjective (by Lemma 4.1). An identity wire has two vertices and one edge, so the resulting circuit $C_1$ has size $|C_1| = 4|C|$. For the number of input vertices and output vertices we have $m_1 = m + |C|$, and $n_1 = n + |C|$. Since $m \le |C|$, it follows that $m_1 \le \frac{1}{2}|C_1|$. Also, $|C_1| = 4(n_1 - n) < 4n_1$. The circuit $C_1$ satisfies $2n_1 > m_1$ (since $m_1 \le \frac{1}{2}|C_1| < 2n_1$).

Now $2n_1 - m_1 + 1$ new input vertices can be added to $C_1$; these vertices are not connected to anything and are not output vertices. Then the new circuit $C_2$ is surjective iff $C_1$ is surjective. The new circuit $C_2$ satisfies $n_2 = n_1$, $|C_2| = |C_1| + 2n_1 - m_1 + 1 \le |C_1| + 2n_1 < 4n_1 + 2n_1$, and $m_2 = 2n_1 + 1 > 2n_2$. Hence, $2n_2 < m_2 \le |C_2| \le 6n_2$.

The circuits $C_1$ and $C_2$ can be constructed from $C$ deterministically in polynomial time. Moreover, an inverse of $C$ can be obtained in polynomial time from an inverse of $C_1$, and vice versa. The same holds for $C_2$. Hence, $C$ has an inverse of size $\le p(|C|)$ (for some polynomial $p(.)$) iff $C_i$ has an inverse of size $\le p_i(|C_i|)$ (for some polynomial $p_i(.)$, $i = 1, 2$). Since the existence of polynomial-size inverses for all surjective circuits $C$ implies $\Pi_2^P = \Sigma_2^P$ (by Corollary 3.5), the existence of polynomial-size inverses for $C_1$ or $C_2$ also implies $\Pi_2^P = \Sigma_2^P$. □

We saw in Lemma 3.3 that a function $f: X \to Y$ is surjective iff every inverse of $f$ is total and injective.

Theorem 4.3 For every polynomial $p(.)$ consider the following set of surjective circuits:
  $\mathcal{C}_p = \{\, C : 2n_C < m_C \le |C| < 6n_C$ and every inverse $C'$ of $C$ satisfies $|C'| > p(|C|) \,\}$.
If $\Pi_2^P \neq \Sigma_2^P$ then for every polynomial $p(.)$ the set $\{n_C : C \in \mathcal{C}_p\}$ (consisting of the output lengths of the circuits in $\mathcal{C}_p$) is infinite.

Proof. We assume $\Pi_2^P \neq \Sigma_2^P$. Then by Corollary 3.5 and Prop. 4.2, $\mathcal{C}_p$ is not empty. For all $C \in \mathcal{C}_p$ we have $2n_C < m_C \le |C| < 6n_C$. It follows that for any polynomial $p(.)$ the four sets $\mathcal{C}_p$, $\{|C| : C \in \mathcal{C}_p\}$, $\{n_C : C \in \mathcal{C}_p\}$, and $\{m_C : C \in \mathcal{C}_p\}$ are all infinite iff one of them is infinite. Moreover, if a function is surjective then all its inverses are total and injective (Lemma 3.3). Hence, $\mathcal{C}_p$ is infinite iff the set $\{C' : C'$ is an inverse of some $C \in \mathcal{C}_p\}$ is infinite, iff the set $\{|C'| : C'$ is an inverse of some $C \in \mathcal{C}_p\}$ is infinite.

For two polynomials we write $p_2 \ge p_1$ when $p_2(n) \ge p_1(n)$ for all $n$. If $p_2 \ge p_1$ then $\mathcal{C}_{p_2} \subseteq \mathcal{C}_{p_1}$; hence for any polynomial $p_0(.)$ we have $\bigcup_{p \ge p_0} \mathcal{C}_p = \mathcal{C}_{p_0}$. For any polynomial $p_0(.)$ the set $\{p(|C|) : p(.)$ is a polynomial, $p \ge p_0$, and $C \in \mathcal{C}_p\}$ is infinite; indeed, the set of polynomials is infinite and each $\mathcal{C}_p$ is non-empty. It follows that for any polynomial $p_0(.)$ the set $\{|C'| : C'$ is an inverse of some $C \in \mathcal{C}_p$, for some $p \ge p_0\}$ is infinite, since $|C'| > p(|C|)$ when $C \in \mathcal{C}_p$. Hence, for any $p_0(.)$, $\mathcal{C}_{p_0}$ and $\{n_C : C \in \mathcal{C}_{p_0}\}$ are infinite. □

Theorem 4.4 If $\Pi_2^P \neq \Sigma_2^P$ then there exists a surjective total function $f: \{0,1\}^* \to \{0,1\}^*$ which is polynomially balanced and length-equality preserving, and which satisfies:
  • $f$ is computed by a non-uniform polynomial-size family of circuits, but
  • $f$ has no inverse that can be computed by a non-uniform polynomial-size family of circuits.

Proof. Consider an infinite sequence of polynomials $p_1 < p_2 < \ldots < p_k < \ldots$, with $p_k(x) > x^k + k$ for all numbers $x$. Recall that $\mathcal{C}_{p_k} = \{\, C : 2n_C < m_C \le |C| < 6n_C$ and every inverse $C'$ of $C$ satisfies $|C'| > p_k(|C|) \,\}$. Let us abbreviate $\mathcal{C}_{p_k}$ by $\mathcal{C}_k$. We saw that $\ldots \subseteq \mathcal{C}_k \subseteq \ldots \subseteq \mathcal{C}_2 \subseteq \mathcal{C}_1$. By Theorem 4.3, if $\Pi_2^P \neq \Sigma_2^P$ then $\mathcal{C}_k$ and $\{|C| : C \in \mathcal{C}_k\}$ are infinite for every $k$.

We now construct an infinite set of circuits $\{C_k \in \mathcal{C}_k : k \in \mathbb{N}\}$, where we abbreviate $m_{C_k}$ and $n_{C_k}$ by $m_k$, respectively $n_k$. $C_1$ is a smallest circuit in $\mathcal{C}_1$; $C_{k+1}$ is a smallest circuit in $\{C \in \mathcal{C}_{k+1} : |C| > |C_k|,\ n_C > 1 + n_k$ and $m_C > 2m_k\}$. Since $\mathcal{C}_{k+1}$ is infinite (by Theorem 4.3), the circuit $C_{k+1}$ exists.

Claim: $m_{k+1} - m_k > n_{k+1} - n_k > 1$.
Proof of the Claim: We have $m_{k+1} > 2m_k$ (by the choice of $C_{k+1}$), and $m_{k+1} > 2n_{k+1}$ (since $C_{k+1} \in \mathcal{C}_{k+1}$). Hence, $m_{k+1}/2 > m_k$ and $m_{k+1}/2 > n_{k+1}$. By adding these inequalities we obtain $m_{k+1} > m_k + n_{k+1}$, hence $m_{k+1} - m_k > n_{k+1} > n_{k+1} - n_k$. Also, the choice of $n_C > 1 + n_k$ implies $n_{k+1} - n_k > 1$. This proves the Claim.

We define a total and surjective function $F: \{0,1\}^* \to \{0,1\}^*$ as follows:
  (1) $F(x) = C_k(x)$ if $|x| = m_k$;
  (2) $F$ maps $D_k = \bigcup_{m = m_k + 1}^{m_{k+1} - 1} \{0,1\}^m$ onto $R_k = \bigcup_{n = n_k + 1}^{n_{k+1} - 1} \{0,1\}^n$.
In (1), $F$ maps $\{0,1\}^{m_k}$ onto $\{0,1\}^{n_k}$ for every $k$, since $C_k$ is surjective. In (2), $D_k$ and $R_k$ are non-empty, since $m_{k+1} - m_k > n_{k+1} - n_k \ge 1$ (by the Claim). To complete the definition of $F$, $D_k$ can be mapped onto $R_k$ in a length-equality preserving way, as follows: Since $m_{k+1} - m_k - 1 > n_{k+1} - n_k - 1$ and $m_i > n_i$ (for all $i$), we can map $\{0,1\}^{m_k + i}$ onto $\{0,1\}^{n_k + i}$ for $i = 1, \ldots, n_{k+1} - n_k - 1$ $(\le m_{k+1} - m_k - 1)$. Next, we map $\bigcup_{n_k \le m < m_{k+1}} \{0,1\}^m$ onto $\{0,1\}^{n_{k+1} - 1}$. This way, $F$ is onto and length-equality preserving. In more detail yet, when $j > i$ we map $\{0,1\}^j$ onto $\{0,1\}^i$ by $(x_1, \ldots, x_i, x_{i+1}, \ldots, x_j) \mapsto (x_1, \ldots, x_i)$. This way, $F: D_k \to R_k$ consists of projections.

Let us check that overall, $F$ is polynomially balanced (in fact, input sizes and output sizes bound each other linearly): Indeed, $F$ maps length $m_k$ to length $n_k$, with $m_k < 6n_k$. Also, length $m_k + i$ is mapped to $n_k + i$ for $1 \le i < n_{k+1} - n_k$, with $m_k + i < 6n_k + i$. Finally, lengths between $m_k + n_{k+1} - n_k$ and $m_{k+1} - 1$ are mapped to length $n_{k+1} - 1$, with $m_{k+1} - 1 < 6n_{k+1} - 1$.

We see that $F$ can be computed by a linear-size non-uniform family of circuits: For inputs of length $m_k$ (for some $k$) we use the circuits $C_k$; for the other inputs, $F$ is a projection.

Finally, let us check that no inverse $F'$ of $F$ is computable by a polynomial-size circuit family (if $\Pi_2^P \neq \Sigma_2^P$). The set $\{C_k : k \in \mathbb{N}\}$ that we constructed is infinite and $C_k \in \mathcal{C}_k$; hence any family $(C'_k : k \in \mathbb{N})$ of circuits that computes an inverse $F'$ will satisfy $|C'_k| > |C_k|^k + k$ for all $k$. Since the set $\{n_k : k \in \mathbb{N}\}$ is infinite, the restriction of $F$ to $\bigcup_{k \in \mathbb{N}} \{0,1\}^{m_k} \to \bigcup_{k \in \mathbb{N}} \{0,1\}^{n_k}$ has no inverse with size bounded by a polynomial (of fixed degree). Thus $F$ has no polynomial-size inverse. □
 4.2 A unif orm one-way function A resul t of Boppana and Lagarias [2] (combin ed w ith the Karp-Lipt on theorem [9]) states that if Π P 2 , Σ P 2 then there ex ists a fun ction f that is one-w ay in the s ense that f computabl e by a polyno mial-size family of circu its, b ut the in ver ses of f are not compu table by an y polynomial- size family of circ uits. The one-way func tions consid ered in [2] are not polynomially balanced; moreov er , the y are either not total or not lengt h-equa lity preser ving (in t he te rminolog y of [2], the o utput ca n be the single symbol #) . Also, thes e one-w ay funct ions are based on the Karp-Lipton theorem, so the y are (apparently ) not computabl e in uniform polynomial time. W e will no w construct a length-pres erving funct ion f that can be comput ed uniformly in polynomial time, b ut no in verse f ′ has a polyn omial-siz e family of circuits . W e can describe any circuit C by a bitstring code ( C ), i.e., there is a “G ¨ odel numbering” for circ uits. Nat- urally ther e is also a decodi ng function decode ( . ) which is an in verse of code ( . ), i.e., decode ( code ( C )) = C . W e can ex tend decode ( . ) to a total func tion, so any bits tring is deco ded to a circ uit. The encod ing function code ( . ) is associa ted with an evaluati on function ev such that e v  code ( C ) , x  = C ( x ) for all x ∈ { 0 , 1 } m c . Here we den ote the length of the inp uts of C by m C and the leng th of the output s by n C . The functio ns code ( . ), decode ( . ), and e v ( ., . ) can be cons tructed so that the y ha ve special pro perties . T he existence and the main proper ties of e v ( ., . ) and code ( . ) are well-kno wn folklore, but we p rov e the m here ne vertheles s because we will need detai led size and complexity estimate s (ite ms 3, 4, and 5 in the Proposition belo w). Pro position 4.5 Let C denote the set of all cir cuits. 
Ther e e xist function s code : C → { 0 , 1 } ∗ , decode : { 0 , 1 } ∗ → C , e v : { 0 , 1 } ∗ × { 0 , 1 } ∗ → { 0 , 1 } ∗ , suc h that (1) for all C ∈ C : decode ( code ( C )) = C ; (2) for all c , x ∈ { 0 , 1 } ∗ with | x | = m decode ( c ) : e v ( c , x ) = [ decode ( c )]( x ) ; in particu lar , for all C ∈ C , x ∈ { 0 , 1 } m C : e v  code ( C ) , x  = C ( x ) ; (3) for all C ∈ C : | C | log 2 | C | < | code ( C ) | < 6 | C | log 2 | C | ; (4) decode ( . ) and e v ( ., . ) ar e total funct ions; (5.1) the langua g e im ( code ) = im ( code ◦ decode ) ⊆ { 0 , 1 } ∗ belong s to P ; (5.2) code ◦ decode ( . ) : { 0 , 1 } ∗ → { 0 , 1 } ∗ is polyn omial-time computable and polynomially balanced ; (5.3) e v ( ., . ) is polynomial-t ime compu table . Pro of. W e denote the set s of ve rtices and edges of C by V , respect i vel y E . T o construct the bitstri ng code ( C ) from a circu it C we fi rst use a four-l etter alpha bet { a , b , c , d } . W e labe l the vertice s of the ac yclic digraph of C injecti vely by strings ov er { a , b } , using binary number ing (with a = 0, b = 1), accordi ng to the order of V , from number 0 through | V | − 1. Each ve rtex is th us represente d by a stri ng in { a , b } ∗ of length ⌈ log 2 | V |⌉ . In additio n, each v erte x is lab eled by its ga te type (n amely and , or , not , f ork , in 1 , . . . , in m , out 1 , . . . , out n ), acco rding to the gate map; strin gs over { c , d } of length ⌈ log 2 (4 + m + n ) ⌉ are used for these gate labe ls. As we alte rnate between 7 { a , b } and { c , d } , no se parato r is neede d. Thus we ha v e a descri ption of leng th | V | ( ⌈ log 2 | V |⌉ + ⌈ log 2 (4 + m + n ) ⌉ ) for the list of vertice s and the ir gate types. Each edge is described by a pair of verte x codes , separat ed by a lett er c , and an y tw o edg es are se parated by a letter d . Thus the list of edges is descr ibed by a string of length | E | (2 + 2 ⌈ log 2 | V |⌉ ). 
So, $|code(C)| = |V|\,(\lceil \log_2 |V| \rceil + \lceil \log_2 (4+m+n) \rceil) + |E|\,(2 + 2\lceil \log_2 |V| \rceil)$. Hence $|code(C)| > \frac{1}{2}\,|C| \log_2 |C|$ (since $|V|^2 + |V| \ge |E| + |V| = |C|$), and $|code(C)| < 3\,|C| \log_2 |C|$ (since $|C| = |V| + |E|$). Turning $code(C)$ into a bitstring (e.g., by encoding $a, b, c, d$ as 00, 01, 10, 11, respectively) doubles the length. This completes the definition of $code(.)$ and proves property (3).

To define the function $decode$ we first let $decode(code(C)) = C$. When $c$ is not the code of any circuit, we let $decode(c)$ be the largest identity circuit (i.e., computing the identity map on $\{0,1\}^m$, for some $m$) with a code of length $\le |c|$. This makes $decode(.)$ a total function; property (1) also follows immediately.

An evaluation function $ev$ can now be defined, based on the above construction of $code(.)$ and $decode(.)$. For any $(c, x) \in \{0,1\}^* \times \{0,1\}^*$, let $C = decode(c)$. If $|x| = m_C$ then we define $ev(c, x) = [decode(c)](x)$. If $|x| \neq m_C$ we define $ev(c, x) = x$. Properties (2) and (4) now hold.

The definitions of $code$ and $decode$ make it easy to check whether a string $c$ is an encoding of a circuit, and to decode $c$ (or to generate an identity circuit if $c$ is not a code). The inequalities in (3) imply that $decode \circ code(.)$ is polynomially balanced. This shows properties (5.1) and (5.2). The definitions of $code$, $decode$, and $ev$ make it easy to compute $ev(c, x)$, so we have (5.3). The details are very similar to the proof that the circuit value problem is in P (see section 4.3 of [14]). $\square$

The function $ev$ is neither length-equality preserving nor polynomially balanced.

Proposition 4.6 Let $m$ and $n$ denote, respectively, the number of input and output vertices of a circuit $C$. Theorem 3.4 still holds when one only considers circuits $C$ that satisfy $|C| < 2m$ and $m = n$ (i.e., the function $C(.)$ is length-preserving). Theorem 3.4 also holds when one only considers circuits $C$ with $m = n$ and $|code(C)| < 12\, m \log_2(2m)$.

Proof. From $C$ one can construct a circuit $C_1$ with equal numbers of input and output vertices. If $m < n$ one adds $n - m$ extra input vertices that are not connected to anything else in the circuit. If $m > n$ one adds $m - n$ new output vertices that carry the constant boolean value 0. A constant 0 can be created by making two copies of the input $x_1$ (by forking twice) and then taking $x_1 \wedge \neg x_1$ $(= 0)$; this uses 4 gates and 6 wires. Making $m - n - 1$ more copies of 0 uses $m - n - 1$ fork gates and $2(m - n - 1)$ more wires. Now $m_1 = n_1 = \max\{n, m\}$, and $|C_1| \le |C| + 3\,|m - n| + 10$ (where $|m - n|$ denotes the absolute value of $m - n$). Inverting $C$ is equivalent to inverting $C_1$.

In any circuit $C_1$ one can add $|C_1|$ identity wires. An identity wire has two vertices and one edge, so the resulting circuit $C_2$ has size $|C_2| = 4\,|C_1|$, and $m_2 = m_1 + 3\,|C_1|$ input vertices, and $n_2 = n_1 + 3\,|C_1|$ output vertices. Hence, $|C_2| < m_2 + n_2$. Recall that circuit size is defined to be the number of vertices plus the number of edges in the circuit. If $m_1 = n_1$ then $m_2 = n_2$, and $|C_2| < 2 m_2$. Since $C_1$ and $C_2$ differ only by identity wires, there is a one-to-one correspondence between inverses of $C_1$ and of $C_2$; an inverse for $C_2$ can be obtained from an inverse of $C_1$ by adding identity wires; an inverse for $C_1$ can be obtained from an inverse of $C_2$ by removing the extra identity wires. By Prop. 4.5, $C_2$ also satisfies $|code(C_2)| \le 6\,|C_2| \log_2 |C_2|$. We saw that $|C_2| < 2 m_2$, hence $|code(C_2)| < 12\, m_2 \log_2 (2 m_2)$.

The circuits $C_1$ and $C_2$ can be constructed from $C$ deterministically in polynomial time. Moreover, an inverse of $C$ can be obtained in polynomial time from an inverse of $C_1$ or $C_2$, and vice versa. Hence, $C$ has an inverse of size $\le p(|C|)$ (for some polynomial $p(.)$) iff $C_i$ has an inverse of size $\le p_i(|C|)$ (for some polynomial $p_i(.)$), $i = 1, 2$. Since the existence of polynomial-size inverses for all circuits $C$ implies $\Pi_2^P = \Sigma_2^P$ (by Theorem 3.4), the existence of polynomial-size inverses for circuits $C_i$ also implies $\Pi_2^P = \Sigma_2^P$. $\square$

Based on Propositions 4.5 and 4.6 we now construct a function which is one-way by circuit size. We start with the function

$ev_{circ} : (c, x) \longmapsto (c, [decode(c)](x))$

which is just the pairing $\langle \pi_1, ev \rangle$ of the first projection $\pi_1 : (x_1, x_2) \mapsto x_1$ and the evaluation function $ev$. We saw that $ev$ is a total function that can be computed deterministically in polynomial time, hence $ev_{circ}$ is also total and polynomial-time computable. Levin observed that $ev_{circ}$ is a complete or "universal" one-way function, for a certain definition of one-way functions and for certain reductions between functions (see [10], [11], [7], and [15]).

The function $ev_{circ}$ is polynomially balanced. Indeed, for any input $X = (code(C), x)$ and output $Y = (code(C), C(x))$ of $ev_{circ}$ we have: $|X| = |code(C)| + |x| \le 2\,(|code(C)| + |C(x)|) = 2\,|Y|$, and $|Y| = |code(C)| + |C(x)| \le 2\,(|code(C)| + |x|) = 2\,|X|$, using the facts that $|x| \le |C|$, $|C(x)| \le |C|$, and $|C| \le |code(C)|$. Also, if $c$ is not the code of any circuit then $ev_{circ}(c, x) = (c, x)$, so length is preserved in that case.
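As an added example (not code from the paper), the following Python sketch makes the construction above concrete: a toy circuit encoding with a strict parser, a total $decode$ that falls back to the largest identity circuit whose code fits in $|c|$ bits, the evaluation function $ev$, the pairing $ev_{circ}$, and the length-preserving special evaluation $ev_o$ defined in the next paragraph. The encoding layout, the gate set {AND, OR, XOR, NOT}, the 8-bit count fields, the function names and the half-adder sample circuit are assumptions of this example; the paper's own $code(.)$ and its constants are different, and the bound $12\, m \log_2(2m)$ is simply applied as stated.

```python
# Added example, not the paper's code: a toy but fully specified version of
# code / decode / ev / ev_circ / ev_o.  The encoding is an assumption of this
# example (straight-line circuits over an assumed gate set, m written in unary).
from math import ceil, log2
from typing import NamedTuple

OPS = ("AND", "OR", "XOR", "NOT")  # assumed gate types, 2 bits per gate

class Circuit(NamedTuple):
    m: int           # input wires x_0 .. x_{m-1}
    gates: tuple     # (op, a, b): wire m+j = op(wire a, wire b), with a, b < m+j
    outputs: tuple   # wire indices read out as the n output bits

def width(m, g):  # bits needed to name one of the m+g wires (at least 1)
    return max(1, ceil(log2(m + g))) if m + g > 0 else 1

def identity_circuit(m):
    return Circuit(m, (), tuple(range(m)))

def code(C):
    """Assumed layout: unary m, 8-bit n, 8-bit gate count, gates, output names.
    Unary m gives |x| = m <= |code(C)|, like the paper's |x| <= |C| <= |code(C)|."""
    g, w = len(C.gates), width(C.m, len(C.gates))
    bits = ["1" * C.m + "0", f"{len(C.outputs):08b}", f"{g:08b}"]
    bits += [f"{OPS.index(op):02b}{a:0{w}b}{b:0{w}b}" for op, a, b in C.gates]
    bits += [f"{o:0{w}b}" for o in C.outputs]
    return "".join(bits)

def parse(c):
    """Strict parser: the circuit that c encodes, or None if c is not a code."""
    m = c.find("0") if set(c) <= {"0", "1"} else -1
    if m < 0 or len(c) < m + 17:
        return None
    pos = m + 1
    n, g = int(c[pos:pos + 8], 2), int(c[pos + 8:pos + 16], 2)
    pos, w = pos + 16, width(m, g)
    if len(c) != pos + g * (2 + 2 * w) + n * w:  # no missing or trailing bits
        return None
    gates = []
    for j in range(g):
        op = OPS[int(c[pos:pos + 2], 2)]
        a, b = int(c[pos + 2:pos + 2 + w], 2), int(c[pos + 2 + w:pos + 2 + 2 * w], 2)
        if a >= m + j or b >= m + j:             # operands must be earlier wires
            return None
        gates.append((op, a, b))
        pos += 2 + 2 * w
    outputs = [int(c[pos + k * w:pos + (k + 1) * w], 2) for k in range(n)]
    if any(o >= m + g for o in outputs):
        return None
    return Circuit(m, tuple(gates), tuple(outputs))

def decode(c):
    """Total: a non-code maps to the largest identity circuit whose code fits
    in |c| bits (the empty identity circuit if none fits)."""
    C = parse(c)
    if C is not None:
        return C
    m = 0
    while len(code(identity_circuit(m + 1))) <= len(c):
        m += 1
    return identity_circuit(m)

def evaluate(C, x):
    """Run the straight-line circuit on the bitstring x (requires |x| = m)."""
    wires = [int(ch) for ch in x]
    for op, a, b in C.gates:
        u, v = wires[a], wires[b]
        wires.append({"AND": u & v, "OR": u | v, "XOR": u ^ v, "NOT": 1 - u}[op])
    return "".join(str(wires[o]) for o in C.outputs)

def ev(c, x):
    """ev(c, x) = [decode(c)](x) if |x| = m_C, and x otherwise."""
    C = decode(c)
    return evaluate(C, x) if len(x) == C.m else x

def ev_circ(c, x):  # the pairing <pi_1, ev>
    return (c, ev(c, x))

def ev_o(c, x):
    """Apply C only if c is a code, |c| <= 12 m log2(2m) (the paper's bound,
    used as-is for this toy encoding) and |x| = m = n; else return (c, x)."""
    C = parse(c)
    if C is not None and C.m > 0 and len(x) == C.m == len(C.outputs) \
            and len(c) <= 12 * C.m * log2(2 * C.m):
        return (c, evaluate(C, x))
    return (c, x)

def balanced(c, x):  # polynomial balance of ev_circ: |X| <= 2|Y| and |Y| <= 2|X|
    lx, ly = len(c) + len(x), len(c) + len(ev(c, x))
    return lx <= 2 * ly and ly <= 2 * lx

# Constructed sample: half adder, outputs (sum, carry) = (x0 xor x1, x0 and x1).
HALF_ADDER = Circuit(2, (("AND", 0, 1), ("XOR", 0, 1)), (3, 2))
```

The fallback in `decode` is what makes `ev` total: a string such as `"1" * 40`, which is not a code, decodes to the identity circuit on 5 inputs (the largest whose code fits in 40 bits), so `ev` is defined for every pair $(c, x)$. By contrast `ev_o` returns $(c, x)$ unchanged unless all three conditions hold, which is exactly why it is length-preserving while `ev` on its own is not.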
The function $ev_{circ}$ is not length-equality preserving, therefore we introduce a special evaluation function $ev_o : \{0,1\}^* \times \{0,1\}^* \longrightarrow \{0,1\}^* \times \{0,1\}^*$,

$ev_o(c, x) = \begin{cases} (c, C(x)) & \text{if } c = code(C),\ |c| \le 12\, m_C \log_2(2 m_C),\ \text{and } |x| = m_C = n_C, \\ (c, x) & \text{otherwise.} \end{cases}$

This definition makes $ev_o$ length-preserving, hence it is also length-equality preserving and polynomially balanced. Clearly, $ev_o$ is also uniformly computable in polynomial time. The definition was made in such a way that Prop. 4.6 can be applied.

Lemma 4.7 If $\Pi_2^P \neq \Sigma_2^P$ then the special evaluation function $ev_o$ is one-way by circuit size.

Proof. By contraposition, let us assume that $ev_o$ has an inverse function $ev'_o$ which is computed by a polynomial-size family of circuits $E' = (E'_i : i \in \mathbb{N})$. So, there is a polynomial $p(.)$ such that for all $i$, $|E'_i| \le p(i)$. The circuit $E'_i$ takes inputs of the form $(c, y) \in \{0,1\}^* \times \{0,1\}^*$ with $i = |c| + |y|$. Consider the case where $c = code(C)$ for any circuit $C$ such that $m_C = n_C = |y|$, and $|c| \le 12\, m_C \log_2(2 m_C)$. Then $i = |c| + n_C = |c| + m_C$. We let $C' = E'_i(code(C), \cdot)$; this is the circuit $E'_i$ with the $c$-input hardwired to the value $code(C)$. Then the existence of an inverse $C'$ for every circuit $C$ as in Prop. 4.6 implies $\Pi_2^P = \Sigma_2^P$. $\square$

Lemma 4.7 immediately implies:

Theorem 4.8 If $\Pi_2^P \neq \Sigma_2^P$ then there exist length-preserving functions that are one-way by circuit size and computable uniformly in polynomial time. $\square$

References

[1] J.C. Birget, "The R- and L-orders of the Thompson-Higman monoid $M_{k,1}$ and their complexity", International J. of Algebra and Computation, 20.4 (June 2010) 489-524.
[2] R. Boppana, J. Lagarias, "One-way functions and circuit complexity", Information and Computation, 74.3 (1987) 226-240.
[3] A. Borodin, A. Demers, "Some comments on functional self-reducibility and the NP hierarchy", Technical Report TR 76-284, Dept. of Computer Science, Cornell University (July 1976).
[4] H. Buhrman, L. Fortnow, M. Koucký, J. Rogers, N. Vereshchagin, "Inverting onto functions and the polynomial hierarchy", Theory of Computing Systems, 46.1 (2010) 143-156.
[5] D.Z. Du, K.I. Ko, Theory of computational complexity, Wiley (2000).
[6] S. Fenner, L. Fortnow, A. Naik, J. Rogers, "Inverting onto functions", Information and Computation, 186 (2003) 90-103.
[7] O. Goldreich, Foundations of Cryptography, Basic Tools, Cambridge U. Press (2001).
[8] L. Hemaspaandra, M. Ogihara, The complexity theory companion, Springer (2002).
[9] R.M. Karp, R.J. Lipton, "Some connections between nonuniform and uniform complexity classes", Proc. 12th ACM Symposium on Theory of Computation (STOC), (1980) 302-309. Journal version: "Turing machines that take advice", L'Enseignement Mathématique, 28 (1982) 191-201.
[10] L. Levin, "One-way functions and pseudo-random generators", Combinatorica 7.4 (1987) 357-363.
[11] L. Levin, "The tale of one-way functions", Problemy Peredatshi Informatsii, 39(1):92-103, 2003. http://arxiv.org/abs/cs.CR/0012023
[12] E.H. Moore, "On the reciprocal of the general algebraic matrix", Bulletin of the American Mathematical Society, 26 (1920) 394-395.
[13] J. von Neumann, "On regular rings", Proc. of the National Academy of Sciences of the USA, 22 (1936) 707-713.
[14] Ch. Papadimitriou, Computational Complexity, Addison-Wesley (1994).
[15] L. Trevisan, "The program-enumeration bottleneck in average-case complexity", TR10-034 (March 2010) http://www.eccc.uni-trier.de/report/2010/034
[16] I. Wegener, The complexity of boolean functions, Wiley/Teubner (1987).

Jean-Camille Birget, Dept. of Computer Science, Rutgers University at Camden, Camden, NJ 08102, USA. birget@camden.rutgers.edu