Monotone Circuits: One-Way Functions versus Pseudorandom Generators

We study the computability of one-way functions and pseudorandom generators by monotone circuits, showing a substantial gap between the two: On one hand, there exist one-way functions that are computable by (uniform) polynomial-size monotone functions, provided (of course) that one-way functions exist at all. On the other hand, no monotone function can be a pseudorandom generator.


Introduction
One-way functions and pseudorandom generators play a central role in computational complexity theory and cryptography.Loosely speaking, one-way functions (OWFs) are functions that are easy to compute but hard to invert (in the average-case sense).Pseudorandom generators (PRGs) are efficient algorithms that stretch short random seeds into longer (pseudorandom) sequences that are computationally indistinguishable from truly random sequences.(Indeed, we refer to the standard definitions, which are recalled in Section 2; for further discussion, the interested reader is referred to [5,6].) A fundamental result in this area asserts that one-way functions exist if any only if pseudorandom generators exist [7] (see also [5,Sec. 3.5]).A relatively recent result of Applebaum, Ishai, and Kushilevitz [2] indicates that (under some widely believed conjectures) both OWFs and (sublinear-stretch) PRGs can be computed by very simple circuits; specifically, by circuits in which each output bit depends only on a constant number of input bits (i.e., NC 0 ).
The latter result raises the natural question of whether OWFs and PRGs can be computed by other restricted families of circuits.Recalling that PRGs constitute OWFs (see [5,Sec. 3.5]), it is natural to first ask whether OWFs can be computed by polynomial-size monotone circuits, and then to ask the same regarding PRGs.We show that the answer to the first question is positive (assuming, of course, that OWFs exist at all), while the answer to the second question is negative.That is: Theorem 1.1.If there exist one-way functions, then there exist one-way functions that are computable by uniform families of polynomial-size monotone circuits.
We stress that not only are these one-way functions monotone, but also their monotone circuit complexity is polynomial.
We stress that Theorem 1.2 makes no reference to the monotone (or even the general) complexity of f .We also note that the distinguishers witnessing this failure are very simple (and monotone).
Indeed, these two results indicate that in the "monotone world" there is a fundamental gap between one-way functions and pseudorandom generators; thus, the "hardness-vs-randomness" paradigm [4,11,9] fails in the monotone setting.
Organization Theorems 1.1 and 1.2 are proved in Sections 3 and 4, respectively.But before turning to these proofs, we recall (in Section 2) the standard definitions.

Preliminaries
We recall the standard definitions (adapted from [5], where the interested reader may find further discussions).A function f : N → R is called negligible if it decreases faster than the reciprocal of any positive polynomial (i.e., for every positive polynomial p and all sufficiently large n it holds that f (n) < 1/p(n)).A function f : N → R is called noticeable if it decreases slower than the reciprocal of some positive polynomial (i.e., there exists a positive polynomial p such that for all sufficiently large n it holds that f (n) > 1/p(n)).We say that a family of circuits {C n } is polynomial-size if there exists a polynomial p such that for all n it holds that size(C n ) ≤ p(n), while the number of input bits to the circuit C n is not necessarily n.

Definition 2.1 (One-Way Functions -OWF). Let
one-way if it satisfies the following two conditions.
• Easy to compute: There exists a polynomial-time algorithm that on input x outputs F(x).
• h-hard to invert: For every family of (uniform)1 polynomial-size circuits {I n } n∈N it holds that If h is noticeable, then F is called a weak one-way function, whereas if 1 − h is negligible then F is called a strong one-way function (or just a one-way function).
Note that the above definitional framework has two versions, one referring to uniform polynomial-size circuits and one referring to all (including non-uniform) polynomial-size circuits.Our results refer to both versions.The same applies also to the following definition.Definition 2.2 (Pseudorandom Generator -PRGs).A function G : {0, 1} * → {0, 1} * is called a pseudorandom generator if it satisfies the following three conditions: • Stretch: For every s it holds that |G(s)| > |s|.
• Easy to compute: There exists a polynomial-time algorithm that on input s outputs G(s).
• Pseudorandomness: For every family of (uniform) polynomial-size circuits {D n } n∈N it holds that the function ∆ defined by Monotone functions and circuits A Boolean function f : {0, 1} n → {0, 1} is called monotone if for every x ≺ y it holds that f (x) ≤ f (y), where ≺ denotes the standard partial order on (fixed length) bit strings (i.e., x for every i it holds that x i ≤ y i and for some i it holds that 0 , the projection of f on its i th output bit (i.e., f i (x) def = f (x) i ) yields a monotone Boolean function.This notion extends naturally to length regular functions defined over {0, 1} * (i.e., functions f : {0, 1} * → {0, 1} * such that for every |x| = |y| it holds that | f (x)| = | f (y)|).Throughout this paper, we shall consider only length-regular functions.

OWFs computable by monotone circuits
In this section, we prove Theorem 1.1.We focus on proving that the existence of OWFs implies the existence of weak-OWFs that are computable by small (uniform) monotone circuits.We derive standard OWFs (so computable) by observing that the standard amplification of one-way functions (cf., e. g., [5,Sec. 2.3]) applies to the current (monotone) setting.
The basic idea is to transform a standard OWF into a weak monotone OWF by restricting its "actual action" to the middle slice, and modifying it on all others slices so as to obtain a monotone function.
Recall that the k-slice of a Boolean function b : {0, 1} n → {0, 1} is defined as {x ∈ {0, 1} n : wt(x) = k}, where wt(x) def = |{i : x i = 1}| denotes the Hamming weight of x.Now, given a OWF F, we define F such that F (x) = F(x) if wt(x) = |x|/2 (i.e., x is in the middle slice) and The function F is monotone, since for every x ≺ y it holds that at most one of these strings belongs to the middle slice while the values of F on all other slices conform with any value given to the strings on the middle slice.However, this does not mean that F can be computed by polynomial-size monotone circuit.Nevertheless, the latter fact is a direct corollary of Berkowitz's theorem [3]: Theorem 3.1.Let b : {0, 1} n → {0, 1} be a Boolean function and let C be a circuit computing it.Then, for every k ∈ {1, . . ., n} there exists a monotone circuit C M of size poly(n) • size(C) that computes the k-slice function of b (i.e., the function that agrees with b on the k-slice, is zero on lower slices and one on higher slices).Moreover, C M is polynomial-time constructible, given C as an input.
Specifically, let T k : {0, 1} n → {0, 1} denote the k th threshold function (i.e., T k (x) = 1 iff wt(x) ≥ i) and recall that size(T k ) = O(n) (cf.[1]).Let C : {0, 1} 2n → {0, 1} be the monotone circuit obtained from C by pushing all negations to the bottom level and replacing negated variables by auxiliary variables; that is, C(x) = C (x, x), where x i = ¬x i .The crucial observation is that for any x such that wt(x) = k, it holds that It follows that F has (uniform) monotone polynomial-size circuits, and it is left to show that F is a weak OWF.Proposition 3.2.Let F be a (strong) one-way function and let F be as above.Then, no polynomial-size circuits may invert F on F (U n ) with success probability exceeding 1 − Ω(1/ √ n).
Proof.Intuitively, if the potential inverter has success probability exceeding Pr[wt(U n ) = n/2 ], then the excess must be due to preimages that reside in the middle slice.But since F agrees with F on the middle slice, this excess translates to a success probability of inverting F. The actual proof follows by using a standard reducibility argument.Specifically, suppose that algorithm A inverts F (U n ) with success probability at least 1 For simplicity, assume first that neither 0 n nor 1 n is in the image of F, which implies that for every x ∈ {0, 1} n such that wt(x) = n/2 it holds that F −1 (y) ⊆ F −1 (y), where y = F (x) = F(x).Then, it must be that Thus, if A is efficient then ε must be negligible, otherwise we reach a contradiction to the hypothesis that F is (strongly) one-way.The simplifying assumption (regarding the image of F) may be avoided by noting that for any one-way function F it holds that Pr[F(U n ) ∈ {0 n , 1 n }] is negligible. 2 The proposition follows.

Conclusion:
It follows that F is an Ω(1/ √ n)-hard OWF that is computable by (uniform) polynomial-size monotone circuits.Applying the standard hardness amplification process (i.e., letting where |z| = m 2 and z [i, j] = z i • • • z j for i < j), completes the proof of Theorem 1.1.

No PRGs are monotone
In this section, we prove Theorem 1.2.Intuitively, we prove that any monotone function that stretches its input either has a biased output bit or has two output bits that are correlated in a noticeable way.In each of these two cases, we obtain a very simple circuit that distinguishes the output of the function from a random sequence of the same length.

Technical background
We start by defining the core concepts.
We say that b is unbiased if it is 0-biased.
Note that equation (1) can be written as | Pr Definition 4.2 (influence [8]).Let b : {0, 1} n → {0, 1} be a Boolean function.We define the influence of the i th input bit on b as We next recall two fundamental results regarding these concepts.The first is a theorem proved by Kahn, Kalai, and Linial [8].
the claim follows.
The following theorem was proved by Talagrand [10].
Theorem 4.5.For some universal constant c > 0, we consider the function ϕ(t) = c • t/ log(e/t).Then, for all n and all monotone functions f , g : {0, 1} n → {0, 1}, it holds that It is crucial that the functions considered here are monotone; indeed, the claim fails for general functions (e. g., consider any pair of distinct linear functions).

Proof of Theorem 1.2
We now prove Theorem 1.2.Fix any n.Let f 1 , . . ., f n+1 be the output bits of f .We shall look at this sequence as a sequence of n + 1 monotone Boolean functions; that is, functions of the n input variables x 1 , . . ., x n .