Data Structures Lower Bounds and Popular Conjectures
DData Structures Lower Bounds and PopularConjectures
Pavel Dvořák ! Charles University, Prague, Czech Republic
Michal Koucký ! Charles University, Prague, Czech Republic
Karel Král ! Charles University, Prague, Czech Republic
Veronika Slívová ! Charles University, Prague, Czech Republic
Abstract
In this paper, we investigate the relative power of several conjectures that attracted recently lot ofinterest. We establish a connection between the Network Coding Conjecture (
NCC ) of Li and Li [24]and several data structure like problems such as non-adaptive function inversion of Hellman [18] andthe well-studied problem of polynomial evaluation and interpolation. In turn these data structureproblems imply super-linear circuit lower bounds for explicit functions such as integer sorting andmulti-point polynomial evaluation.
Theory of computation → Computational complexity andcryptography
Keywords and phrases
Data structures, Circuits, Lower bounds, Network Coding Conjecture
Funding
The authors were partially supported by Czech Science Foundation GAČR grant
Acknowledgements
We would like to thank to Mike Saks and Sagnik Mukhopadhyay for insightfuldiscussions.
One of the central problems in theoretical computer science is proving lower bounds invarious models of computation such as circuits and data structures. Proving super-linearsize lower bounds for circuits even when their depth is restricted is rather elusive. Similarly,proving polynomial lower bounds on query time for certain static data structure problemsseems out of reach. To deal with this situation researchers developed various conjectureswhich if true would imply the sought after lower bounds. In this paper, we investigate therelative power of some of those conjectures. We establish a connection between the NetworkCoding Conjecture (
NCC ) of Li and Li [24] used recently to prove various lower bounds suchas lower bounds on circuit size counting multiplication [3] and a number of IO operations forexternal memory sorting [12].Another problem researchers looked at is a certain data structure type problem forfunction inversion [18] which is popular in cryptography. Corrigan-Gibbs and Kogan [9]observed that lower bounds for the function inversion problem imply lower bounds forlogarithmic depth circuits. In this paper we establish new connections between the problems,and identify some interesting instances. Building on the work of Afshani et al. [3] we showthat the Network Coding Conjecture implies certain weak lower bounds for the inversiondata structure problems. That in turn implies the same type of circuit lower bounds as given a r X i v : . [ c s . CC ] F e b Data Structures Lower Bounds and Popular Conjectures by Corrigan-Gibbs and Kogan [9]. We show that similar results apply to a host of other datastructure problems such as the well-studied polynomial evaluation problem or the FiniteField Fourier transform problem. Corrigan-Gibbs and Kogan [9] gave their circuit lowerbound for certain apriori undetermined function. We establish the same circuit lower boundsfor sorting integers which is a very explicit function. Similarly, we establish a connectionbetween data structure for polynomial evaluation and circuits for multi-point polynomialevaluation. Our results sharpen and generalize the picture emerging in the literature.The data structure problems we consider in this paper are for static, non-adaptive,systematic data structure problems, a very restricted class of data structures for which lowerbounds should perhaps be easier to obtain. Data structure problems we consider have thefollowing structure: Given the input data described by N bits, create a data structure of size s . Then we receive a single query from a set of permissible queries and we are supposed toanswer the query while non-adaptively inspecting at most t locations in the data structureand in the original data. The non-adaptivity means that the inspected locations are chosenonly based on the query being answered but not on the content of the inspected memory.We show that when s ≥ ω (cid:0) N log N/ log log N (cid:1) , polynomial lower bounds on t for certainproblems would imply super-linear lower bounds on log-depth circuits for computing sorting,multi-point polynomial evaluation, and other problems.We show that logarithmic lower bounds on t for the data structures can be derived fromthe Network Coding Conjecture even in the more generous setting of s ≥ εN and wheninspecting locations in the data structure is for free. This matches the lower bounds ofAfshani [3] for certain circuit parameters derived from the Network Coding Conjecture. Onecan recover the same type of result they showed from our connection between the NetworkCoding Conjecture, data structure lower bounds, and circuit lower bounds.In this regard, the Network Coding Conjecture seems the strongest among the conjectures,which is the hardest to prove. One would hope that for the strongly restricted data structureproblems, obtaining the required lower bounds should be within our reach. Organization.
This paper is organized as follows. In the next section we review the datastructure problems we consider. Then we provide a precise definition of Network CodingConjecture in Section 3. Section 4 contains the statement of our main results. In Sections 5and 6 we prove our main result for the function inversion and the polynomial problems.In Section 7 we discus the connection between data structure and circuit lower bounds forexplicit functions.
In this paper, we study lower bounds on systematic data structures for various problems –function inversion, polynomial evaluation, and polynomial interpolation. We are given aninput I = { x , . . . , x n − } , where each x i ∈ [ n ] = { , . . . , n − } or each x i is an element ofsome field F . First, a data structure algorithm can preprocess I to produce an advice string a I of s bits (we refer to the parameter s as space of the data structure D ). Then, we aregiven a query q and the data structure should produce a correct answer (what is a correctanswer depends on the problem). To answer a query q , the data structure D has accessto the whole advice string a I and can make t queries to the input I , i.e., read at most t elements from I . We refer to the parameter t as query time of the data structure.We consider non-uniform data structures as we want to provide connections between datastructures and non-uniform circuits. Formally, a non-uniform systematic data structure D n for an input I = { x , . . . , x n − } is a pair of algorithms ( P n , Q n ) with oracle access to I . The . Dvořák, M. Koucký, K. Král, and V. Slívová 3 algorithm P n produces the advice string a I ∈ { , } s . The algorithm Q n with inputs a I anda query q outputs a correct answer to the query q with at most t oracle queries to I . Thealgorithms P n and Q n can differ for each n ∈ N . In the function inversion problem, we are given a function f : [ n ] → [ n ] and a point y ∈ [ n ]and we want to find x ∈ [ n ] such that f ( x ) = y . This is a central problem in cryptographyas many cryptographic primitives rely on the existence of a function that is hard to invert.To sum up we are interested in the following problem. Function Inversion
Input:
A function f : [ n ] → [ n ] as an oracle. Preprocessing:
Using f , prepare an advice string a f ∈ { , } s . Query:
Point y ∈ [ n ]. Answer:
Compute the value f − ( y ), with a full access to a f andusing at most t queries to the oracle for f . We want to design an efficient data structure, i.e., make s and t as small as possible.There are two trivial solutions. The first one is that the whole function f − is stored in theadvice string a f , thus s = O ( n log n ) and t = 0. The second one is that the whole function f is queried during answering a query y ∈ [ n ], thus t = O ( n ) and s = 0. Note that the space s of the data structure is the length of the advice string a f in bits, but with one oracle-query x i the data structure reads the whole f ( x i ), thus with n oracle-queries we read the wholedescription of f , i.e., n log n bits.The question is whether we can design a data structure with s, t ≤ o ( n ). Hellman [18]gave the first non-trivial solution and introduced a randomized systematic data structurewhich inverts a function with a constant probability (over the uniform choice of the function f and the query y ∈ [ n ]) and s = O (cid:0) n / log n (cid:1) and t = O (cid:0) n / log n (cid:1) . Fiat and Naor [13]improved the result and introduced a data structure that inverts any function at any point,however with a slightly worse trade-off: s t = O (cid:0) n log n (cid:1) . Hellman [18] also introduced amore efficient data structure for inverting a permutation – it inverts any permutation at anypoint and st = O ( n log n ). Thus, it seems that inverting a permutation is an easier problemthan inverting an arbitrary function.In this paper, we are interested in lower bounds for the inversion problem. Yao [35]gave a lower bound that any systematic data structure for the inversion problem musthave st ≥ Ω( n log n ), however, the lower bound is applicable only if t ≤ O ( √ n ). Sincethen, only slight progress was made. De et al. [10] improved the lower bound of Yao [35]that it is applicable for the full range of t . Abusalah et al. [1] improved the trade-off, thatfor any k it must hold that s k t ≥ Ω (cid:0) n k (cid:1) . Seemingly, their result contradicts Hellman’strade-off (cid:0) s = t = O (cid:0) n / log n (cid:1)(cid:1) as it implies s = t ≥ n k/k +1 for any k . However, forHellman’s attack [18] we need that the function can be efficiently evaluated and the functionsintroduced by Abusalah et al. [1] cannot be efficiently evaluated. There is also a series ofpapers [16, 29, 11, 8] which study how the probability of successful inversion depends onthe parameters s and t . However, none of these results yields a better lower bound than st ≥ Ω( n log n ). Hellman’s trade-off is still the best known upper bound trade-off for theinversion problem. Thus, there is still a substantial gap between the lower and upper bounds.Another caveat of all known data structures for the inversion is that they heavily useadaptivity during answering queries y ∈ [ n ]. I.e., queries to the oracle depend on the advicestring a and answers to the oracle queries which have been already made. We are interested Data Structures Lower Bounds and Popular Conjectures in non-adaptive data structures. We say a systematic data structure is non-adaptive if alloracle queries depend only on the query y ∈ [ n ].As non-adaptive data structures are weaker than adaptive ones, there is a hope thatfor non-adaptive data structures we could prove stronger lower bounds. Moreover, thenon-adaptive data structure corresponds to circuits computation [30, 31, 33, 9]. Thus,we can derive a circuit lower bound from a strong lower bound for a non-adaptive datastructure. Non-adaptive data structures were considered by Corrigan-Gibbs and Kogan [9].They proved that improvement by a polynomial factor of Yao’s lower bound [35] for non-adaptive data structures would imply the existence of a function F : { , } N → { , } N for N = n log n that cannot be computed by a linear-size and logarithmic-depth circuit.More formally, they prove that if a function f : [ n ] → [ n ] cannot be inverted by a non-adaptive data structure of space O ( n log n/ log log n ) and query time O ( n ε ) for some ε > F : { , } N → { , } N that cannot be computed by anycircuit of size O ( N ) and depth O (log N ). They interpret r ∈ { , } N as n numbers in[ n ], i.e, r = ( r , . . . , r n ) ∈ { , } N where each r i ∈ [ n ]. The function F is defined as F ( y ) = F ( y , . . . , y n ) = (cid:0) f − ( y ) , . . . .f − ( y n ) (cid:1) where f − ( y i ) = min (cid:8) x ∈ [ n ] | f ( x ) = y (cid:9) and min ∅ = 0. Informally, if the function f is hard to invert at some points, then it ishard to invert at all points together. Moreover, they showed equivalence between functioninversion and substring search. A data structure for the function inversion of space s andquery time t yields a data structure of space O ( s log s ) and query time O ( t log t ) for findingpattern of length O (log n ) in a binary text of length O ( n log n ) and vice versa – an efficientdata structure for the substring search would yield an efficient data structure for the functioninversion. Compared to results of Corrigan-Gibbs and Kogan [9], we provide an explicitfunction (sorting integers) which will require large circuits if any of the functions f is hardto invert.Another connection between data structures and circuits was made by Viola [34] whoconsidered constant depth circuits with arbitrary gates. In this section, we describe two natural problems connected to polynomials. We consider ourproblems over a finite field F to avoid issues with encoding reals. Polynomial Evaluation over F Input:
Coefficients of a polynomial p ∈ F [ x ]: α , . . . , α n − ∈ F (i.e., p ( x ) = P i ∈ [ n ] α i x i ) Preprocessing:
Using the input, prepare an advice string a p ∈ { , } s . Query:
A number x ∈ F . Answer:
Compute the value p ( x ), with a full access to a p and usingat most t queries to the coefficients of p . Polynomial Interpolation over F Input:
Point-value pairs of a polynomial p ∈ F [ x ] of degree atmost n − (cid:0) x , p ( x ) (cid:1) , . . . , (cid:0) x n − , p ( x n − ) (cid:1) ∈ F × F where x i ̸ = x j for any two indices i ̸ = j Preprocessing:
Using the input, prepare an advice string a p ∈ { , } s . Query:
An index j ∈ [ n ]. Answer:
Compute j -th coefficient of the polynomial p , i.e., thecoefficient of x j in p , with a full access to a p and usingat most t queries to the oracle for point-value pairs. . Dvořák, M. Koucký, K. Král, and V. Slívová 5 In the paper we often use a version of polynomial interpolation where the points x , x , . . . , x n − are fixed in advance and the input consists just of p ( x ) , p ( x ) , . . . , p ( x n − ).Since we are interested in lower bounds, this makes our results slightly stronger.Let F = GF ( p k ) denote the Galois Field of p k elements. Let n be a divisor of p k −
1. Itis a well-known fact that for any finite field F its multiplicative group F ∗ is cyclic (see e.g.Serre [27]). Thus, there is an element σ ∈ F of order n in the multiplicative group F ∗ (thatis an element σ such that σ n = 1 and for each 1 ≤ j < n , σ j ̸ = 1). In other words, σ is ourchoice of primitive n -th root of unity. Pollard [26] defines the Finite Field Fourier transform (FFFT) (with respect to σ ) as a linear function FFFT n,σ : F n → F n which satisfies:FFFT n,σ ( α , . . . , α n − ) = ( β , . . . , β n − ) where β i = X j ∈ [ n ] α j σ ij for any i ∈ [ n ]The inversion FFFT − n,σ is given by:FFFT − n,σ ( β , . . . , β n − ) = ( α , . . . , α n − ) where α i = 1 n X j ∈ [ n ] β j σ − ij for any i ∈ [ n ]Note that if we work over a finite field F , our n might not be an element of F . For simplicitywe slightly abuse the notation and use n = ( P ni =1 − . In our theorems we always set n tobe a divisor of | F | − p k − n modulo p is non-zero and the inverse exists. Observe,that FFFT − n,σ = n FFFT n,σ − . Hence, FFFT is the finite field analog of Discrete Fouriertransform (DFT) which works over complex numbers.The FFT algorithm by Cooley and Tukey [7] can be used for the case of finite fieldsas well (as observed by Pollard [26]) to get an algorithm using O ( n log n ) field operations(addition or multiplication of two numbers). Thus we can compute FFFT n,σ and its inversein O ( n log n ) field operations.It is easy to see that FFFT n,σ is actually evaluation of a polynomial in multiple specialpoints (specifically in σ , . . . , σ n − ). We can also see that it is a special case of interpolationby a polynomial in multiple special points since FFFT − n,σ = n FFFT n,σ − . We provide anNCC-based lower bound for data structures computing the polynomial evaluation. However,we use the data structure only for evaluating a polynomial in powers of a primitive rootof unity. Thus, the same proof yields a lower bound for data structures computing thepolynomial interpolation.There is a great interest in data structures for polynomial evaluation in a cell probemodel. In this model, some representation of a polynomial p = P i ∈ [ n ] α i x i ∈ F [ x ] is storedin a table T of s cell cells, each of w bits. Usually, w is set to O (cid:0) log | F | (cid:1) , that we can storean element of F in a single cell. On a query x ∈ F the data structure should output p ( x )making at most t cell probes to the table T . A difference between data structures in the cellprobe model and systematic data structures is that a data structure in the cell probe modelis charged for any probe to the table T but a systematic data structure is charged only forqueries to the input (the coefficients α i ), reading from the advice string a p is for free. Notethat, the coefficients α i of p do not have to be even stored in the table T . There are againtwo trivial solutions. The first one is that we store a value p ( x ) for each x ∈ F and on a query x ∈ F we probe just one cell. Thus, we would get t cell = 1 and s cell = | F | (we assume that wecan store an element of F in a single cell). The second one is that we store the coefficients of p and on a query x ∈ F we probe all cells and compute the value p ( x ). Thus, we would get t cell = s cell = n . Data Structures Lower Bounds and Popular Conjectures
Let k = log | F | . Kedlaya and Umans [21] provided a data structure for the polynomialevaluation that uses space n ε · k o (1) and query time log O (1) n · k o (1) . Note that, n · k is the size of the input and k is the size of the output.The first lower bound for the cell probe model was given by Miltersen [25]. He provedthat for any cell probe data structure for the polynomial evaluation it must hold that t cell ≥ Ω (cid:0) k/ log s cell (cid:1) . This was improved by Larsen [22] to t cell ≥ Ω (cid:0) k/ log( s cell w/nk ) (cid:1) , thatgives t cell ≥ Ω( k ) if the data structure uses linear space s cell · w = O ( n · k ). However, thesize of F has to be super-linear, i.e., | F | ≥ n . Data structures in a bit probe modelwere studied by Gál and Miltersen [14]. The bit probe model is the same as the cell probemodel but each cell contains only a single bit, i.e., w = 1. They studied succinct datastructures that are data structures such that s cell = ( n + r ) · k for r < o ( n ). Thus, thesuccinct data structures are related to systematic data structures but still, the succinct datastructures are charged for any probe (as any other data structure in the cell probe model).Note that a succinct data structure stores only a few more bits than it is needed due toinformation-theoretic requirement. Gál and Miltersen [14] showed that for any succinct datastructure in the bit probe model it holds that r · t cell ≥ Ω( n · k ). We are not aware of anylower bound for systematic data structures for the polynomial evaluation.Larsen et al. [23] also gives a log-squared lower bound for dynamic data structures in thecell probe model. Dynamic data structures also support updates of the polynomial p .There is a great interest in algorithmic questions about the polynomial interpolationsuch as how fast we can interpolate polynomials [15, 5, 17], how many queries we need tointerpolate a polynomial if it is given by oracle [6, 19], how to compute the interpolationin a numerically stable way over infinite fields [28] and many others. However, we are notaware of any results about data structures for the interpolation, i.e., when the interpolationalgorithm has an access to some precomputed advice. We prove our conditional lower bounds based on the Network Coding Conjecture. In networkcoding, we are interested in how much information we can send through a given network. A network consists of a graph G = ( V, E ), positive capacities of edges c : E → R + and k pairsof vertices ( s , t ) , . . . , ( s k − , t k − ). We say a network R = (cid:0) G, c, ( s i , t i ) i ∈ [ k ] (cid:1) is undirected or directed (acyclic) if the graph G is undirected or directed (acyclic). We say a network is uniform if the capacities of all edges in the network equal to some q ∈ R + and we denotesuch network as (cid:0) G, q, ( s i , t i ) i ∈ [ k ] (cid:1) .A goal of a coding scheme for directed acyclic network R = (cid:0) G, c, ( s i , t i ) i ∈ [ k ] (cid:1) is that ateach target t i it will be possible to reconstruct an input message w i which was generated atthe source s i . The coding scheme specifies messages sent from each vertex along the outgoingedges as a function of received messages. Moreover, the length of the messages sent alongthe edges have to respect the edge capacities.More formally, each source s i of a network receives an input message w i sampled (in-dependently of the messages for the other sources) from the uniform distribution W i on aset W i . Without loss of generality we can assume that each source s i has an in-degree 0(otherwise we can add a vertex s ′ i and an edge ( s ′ i , s i ) and replace s i by s ′ i ). There is analphabet Σ e for each edge e ∈ E ( G ). For each source s i and each outgoing edge e = ( s i , u )there is a function f s i ,e : W i → Σ e which specifies the message sent along the edge e as afunction of the received input message w i ∈ W i . For each non-source vertex v ∈ V, v ̸ = s i and each outgoing edge e = ( v, u ) there is a similar function f v,e : Q e ′ =( u ′ ,v ) Σ e ′ → Σ e which . Dvořák, M. Koucký, K. Král, and V. Slívová 7 specifies the message sent along the edge e as a function of the messages sent to v along theedges incoming to v . Finally, each target t i has a decoding function d i : Q e ′ =( u ′ ,t i ) Σ e ′ → W i .The coding scheme is executed as follows: Each source s i receives an input message w i ∈ W i . Along each edge e = ( s i , u ) a message f s i ,e ( w i ) is sent. When a vertex v receives all messages m , . . . , m a along all incoming edges ( u ′ , v ) itsends along each outgoing edge e = ( v, u ) a message f v,e ( m , . . . , m a ). As the graph G is acyclic, this procedure is well-defined and each vertex of non-zero out-degree willeventually send its messages along its outgoing edges. At the end, each target t i computes a string ˜ w i = d i ( m ′ , . . . , m ′ b ) where m ′ j denotes thereceived messages along the incoming edges ( u ′ , t i ). We say the encoding scheme is correct if ˜ w i = w i for all i ∈ [ k ] and any input messages w , . . . , w k − ∈ W × · · · × W k − .The coding scheme has to respect the edge capacities, i.e., if M e is a random variable thatrepresents a message sent along the edge e , then H ( M e ) ≤ c ( e ), where H ( · ) denotes theShannon entropy. A coding rate of a network R is the maximum r such that there is a correctcoding scheme for input random variables W , . . . , W k − where H ( W i ) = log | W i | ≥ r forall i ∈ [ k ]. A network coding can be defined also for directed cyclic networks or undirectednetworks but we will not use it here.Network coding is related to multicommodity flows. A multicommodity flow for anundirected network ¯ R = (cid:0) ¯ G, c, ( s i , t i ) i ∈ [ k ] (cid:1) specifies flows for each commodity i such that theytransport as many units of commodity from s i to t i as possible. A flow of the commodity i is specified by a function f i : V × V → R +0 which describes for each pair of vertices ( u, v )how many units of the commodity i are sent from u to v . Each function f i has to satisfy: If u, v are not connected by an edge, then f i ( u, v ) = f i ( v, u ) = 0. For each edge { u, v } ∈ E ( ¯ G ), it holds that f i ( u, v ) = 0 or f i ( v, u ) = 0. For each vertex v that is not the source s i or the target t i , it holds that what comes tothe vertex v goes out from the vertex v , i.e., X u ∈ V f i ( u, v ) = X u ∈ V f i ( v, u ) . What is sent from the source s i arrives to the target t i , i.e., X u ∈ V f i ( s i , u ) − f i ( u, s i ) = X u ∈ V f i ( u, t i ) − f i ( t i , u ) . Moreover, all flows together have to respect the capacities, i.e., for each edge e = { u, v } ∈ E ( ¯ G )it must hold that P i ∈ [ k ] f i ( u, v ) + f i ( v, u ) ≤ c ( e ). A flow rate of a network ¯ R is themaximum r such that there is a multicommodity flow F = ( f , . . . , f k − ) that for each i transports at least r units of the commodity i from s i to t i , i.e., for all i , it holds that P u ∈ V f i ( u, t i ) − f i ( t i , u ) ≥ r . A multicommodity flow for directed graphs is defined similarly,however, the flows can transport the commodities only in the direction of edges.Let R be a directed acyclic network of a flow rate r ′ . It is clear that for a coding rate r of R it holds that r ≥ r ′ . As we can send the messages without coding and thus reduce theencoding problem to the flow problem. The opposite inequality does not hold: There is adirected network R = (cid:0) G, c, ( s i , t i ) i ∈ [ k ] (cid:1) such that its coding rate is Ω (cid:0) | V ( G ) | (cid:1) -times largerthan its flow rate as shown by Adler et al. [2]. Thus, the network coding for directed networksprovides an advantage over the simple solution given by the maximum flow. However, such aresult is not known for undirected networks. Li and Li [24] conjectured that the networkcoding does not provide any advantage for undirected networks, thus for any undirected Data Structures Lower Bounds and Popular Conjectures network ¯ R , the coding rate of ¯ R equals to the flow rate of ¯ R . This conjecture is known as Network Coding Conjecture (NCC) and we state a weaker version of it below.For a directed graph G = ( V, E ) we denote by un ( G ) the undirected graph ( V, ¯ E ) obtainedfrom G by making each directed edge in E undirected (i.e., replacing each ( u, v ) ∈ E ( G )by { u, v } ). For a directed acyclic network R = (cid:0) G, c, ( s i , t i ) i ∈ [ k ] (cid:1) we define the undirectednetwork un ( R ) = (cid:0) un ( G ) , ¯ c, ( s i , t i ) i ∈ [ k ] (cid:1) by keeping the source-target pairs and capacities thesame, i.e, c (cid:0) ( u, v ) (cid:1) = ¯ c (cid:0) { u, v } (cid:1) . ▶ Conjecture 1 (Weaker NCC) . Let R be a directed acyclic network, r be a coding rate of R and ¯ r be a flow rate of un ( R ) . Then, r = ¯ r . This conjecture was used to prove a conditional lower bound for sorting algorithms withan external memory [12] and for circuits multiplying two numbers [3].
In this paper, we provide several connections between lower bounds for data structures andother computational models. The first connection is that NCC (Conjecture 1) implies lowerbounds for data structures for the permutation inversion and the polynomial evaluation andinterpolation. Assuming NCC, we show that a query time t of a non-adaptive systematicdata structure for any of the above problems satisfies t ≥ Ω (cid:0) log n/ log log n (cid:1) , even if it useslinear space, i.e., the advice string a has size εn log n for sufficiently small constant ε > t Inv ( s ) as a query time of the optimal non-adaptive systematic datastructure for the permutation inversion using space at most s . Similarly, we define t F Eval ( s )and t F Interp ( s ) for the polynomial evaluation and interpolation over F . ▶ Theorem 2.
Let ε > be a sufficiently small constant. Assuming NCC, it holds that t Inv ( εn log n ) ≥ Ω (cid:0) log n/ log log n (cid:1) . ▶ Theorem 3.
Let F be a field and n be a divisor of | F | − . Let s = εn log | F | for asufficiently small constant ε > . Then assuming NCC, it holds that t F Eval ( s ) , t F Interp ( s ) ≥ Ω (cid:0) log n/ log log n (cid:1) . Note that by Theorem 2, assuming NCC, it holds that s · t ≥ Ω (cid:0) n log n/ log log n (cid:1) for s = εn log n and t = t Inv ( s ). The same holds for t F Eval and t F Interp by Theorem 3. Thus, theseconditional lower bounds cross the barrier Ω( n log n ) for s · t given by the best unconditionallower bounds known for the function inversion [35, 10, 1, 16, 29, 11, 8] and the lower bound forthe succinct data structures for the polynomial evaluation by Gál and Miltersen [14]. The lowerbound by Larsen [22] says that any cell probe data structure for the polynomial evaluationusing linear space s cell = O ( n log n ) needs at least logarithmic query time t cell ≥ Ω(log n ) ifthe size of the field is of super-linear size in n , i.e., | F | ≥ n . Then s cell · t cell ≥ Ω( n log n ).The lower bound given by Theorem 3 says that assuming NCC a non-adaptive data structureneeds to read at least logarithmically many coefficients α i of p even if we know εn log | F | bitsof information about the polynomial p for free. Our lower bound holds also for linear-sizefields.To prove Theorems 2 and 3, we use the technique of Farhadi et al. [12]. The proof can bedivided into two steps: From a data structure for the problem we derive a network R with O ( tn ) edges such that R admits an encoding scheme that is correct on a large fraction of the inputs. This stepis distinct for each problem and the reductions are shown in Sections 5 and 6. This stepuses new ideas and interestingly, it uses the data structure twice in a sequence. . Dvořák, M. Koucký, K. Král, and V. Slívová 9 If there is a network R with dn edges that admits an encoding scheme which is correctfor a large fraction of inputs, then d ≥ Ω (cid:0) log n/ log log n (cid:1) . This step is common to all theproblems. It was implicitly proved by Farhadi et al. [12] and Afshani et al. [3]. For thesake of completeness, we give a proof of this step in Appendix A.
In this section, we prove Theorem 2 that assuming NCC, any non-adaptive systematicdata structure for the permutation inversion requires query time at least Ω (cid:0) log n/ log log n (cid:1) even if it uses linear space. Let D be a data structure for inverting permutations of alinear space s = εn log n , for sufficiently small constant ε <
1, with query time t = t Inv ( s ).Recall that t Inv ( s ) is a query time of the optimal non-adaptive systematic data structure forthe permutation inversion using space s . From D we construct a directed acyclic network R = (cid:0) G, c, ( s i , t i ) i ∈ [ n ] (cid:1) and an encoding scheme of a coding rate log n . By Conjecture 1 we getthat the flow rate of un ( R ) = (cid:0) ¯ G, c, ( s i , t i ) i ∈ [ n ] (cid:1) is log n as well. We prove that there are manysource-target pairs of distance at least Ω(log t n ). Since the number of edges of ¯ G will be O ( tn )and flow rate of un ( R ) is log n , we are able to derive a lower bound t ≥ Ω (cid:0) log n/ log log n (cid:1) .We construct the network R in two steps. First, we construct a network R ′ that admitsan encoding scheme E ′ such that E ′ is correct only on a substantial fraction of all possibleinputs. This might create correlations among messages received by the sources. However,to use the Network Coding Conjecture we need to have a coding scheme that is able toreconstruct messages sampled from independent distributions. To overcome this issue we usea technique introduced by Farhadi et al. [12] and from R ′ we construct a network R thatadmits a correct encoding scheme.Let R = (cid:0) G, c, ( s i , t i ) i ∈ [ k ] (cid:1) be a directed acyclic network. Let each source receive a binarystring of length r as its input message, i.e., each W i = { , } r . If we concatenate all inputmessages w i we get a string of length r · k , thus the set of all possible inputs for an encodingscheme for R corresponds to the set I = { , } rk . We say an encoding scheme is correct on aninput ¯ w = ( w , . . . , w k − ) ∈ I if it is possible to reconstruct all messages w i at appropriatetargets. An ( ε, r )- encoding scheme is an encoding scheme which is correct on at least 2 (1 − ε ) rk inputs in I .We say a directed network R = (cid:0) G, c, ( s i , t i ) i ∈ [ k ] (cid:1) is ( δ, d )- long if for at least δk source-target pairs ( s i , t i ), it holds that distance between s i and t i in un ( G ) is at least d . Here, wemeasure the distance in the undirected graph un ( G ), even though the network R is directed.The following lemma is implicitly used by Farhadi et al. [12] and Afshani et al. [3]. We giveits proof in Appendix A for the sake of completeness. ▶ Lemma 4 (Implicitly used in [12, 3]) . Let R = (cid:0) G, q, ( s i , t i ) i ∈ [ k ] (cid:1) be a ( δ, d ) -long directedacyclic uniform network for δ > and sufficiently large q ∈ R + . Assume there is an ( ε, r ) -encoding scheme for R for sufficiently small ε . Then assuming NCC, it holds that | E ( G ) | k ≥ δ ′ · d , where δ ′ = δ − / . Now we are ready to prove a conditional lower bound for the permutation inversion. Forthe proof we use the following fact which follows from well-known Stirling’s formula: ▶ Fact 1.
The number of permutations [ n ] → [ n ] is at least n log n − n . ▶ Theorem 2.
Let ε > be a sufficiently small constant. Assuming NCC, it holds that t Inv ( εn log n ) ≥ Ω (cid:0) log n/ log log n (cid:1) . Input messages from [ n ] x x x i x n − t h − ( i + b ) = x i s s s i s n − tv v v n − u u n − u i ABMu v i t i = u i + b s i + b v i + b x i + b f − ( i ) s i sends f ( i ) = x i v j sends h ( j ) = f − ( j ) + b Figure 1
A sketch of the graph G ′ and encoding scheme E . Proof.
Let D = D n be the optimal data structure for the inversion of permutation on [ n ]using space εn log n . We set t = t Inv ( εn log n ). We will construct a directed acyclic uniformnetwork R = (cid:0) G, r, ( s i , t i ) i ∈ [ n ] (cid:1) where r = log n . Let ε ′ = 2 · ε + q + n for sufficiently large q so that we could apply Lemma 4. The network R will admit an ( ε ′ , r )-encoding scheme E .The number of edges of G will be at most 2 tn and the network R will be (cid:0) , d (cid:1) -long for d = log qt n . Thus, by Lemma 4 we get that2 t = 2 tnn ≥ Ω (cid:0) log qt n (cid:1) , from which we can conclude that t ≥ Ω (cid:0) log n/ log log n (cid:1) . Thus, it remains to construct thenetwork R and the scheme E .First, we construct a graph G ′ which will yield the graph G by deleting some edges.The graph G ′ has three layers of n vertices: a source layer A of n sources s , . . . , s n − , amiddle layer M of n vertices v , . . . , v n − and a target layer B of n vertices u , . . . , u n − .The targets t , . . . , t n − of R will be assigned to the vertices u , . . . , u n − later.We add edges according to the data structure D : Let Q j ⊆ [ n ] be a set of oracle queries,which D makes during the computation of f − ( j ), i.e., for each i ∈ Q j , it queries the oracleof f for f ( i ). As D is non-adaptive, the sets Q j are well-defined. For each j ∈ [ n ] and i ∈ Q j we add edges ( s i , v j ) and ( v i , u j ). We set a capacity of all edges to r = log n . This finishesthe construction of G ′ , see Fig. 1 for illustration of the graph G ′ .The graph G ′ has exactly 2 tn edges. Moreover, the vertices of the middle and the targetlayer have in-degree at most t as the incoming edges correspond to the oracle queries madeby D . However, some vertices of the source and the middle layer might have large outdegree,which is a problem that might prevent the network R to be (cid:0) , d (cid:1) -long. For example, thedata structure D could always query f (0). Then, there would be edges ( s , v j ) and ( v , u j )for all j ∈ [ n ], hence all vertices would be at distance at most 4 in un ( G ′ ). So we need toremove edges adjacent to high-degree vertices. Let W ⊆ V ( G ′ ) be the set of vertices ofout-degree larger than qt . We remove all edges incident to W from G ′ to obtain the graph G . (For simplicity, we keep the degree 0 vertices in G ). Thus, the maximum degree of G isat most qt . Since the graph G ′ has 2 tn edges, it holds that | W | ≤ q · n .Now, we assign the targets of R in such a way that R is (cid:0) , d (cid:1) -long. Let C v be the setof vertices of G which have distance at most d from v in un ( G ). Since the maximum degreeof G is at most qt and d = log qt n , for each v ∈ V ( G ), | C v | ≤ √ n . In particular, for everysource s i it holds that | C s i ∩ B | ≤ √ n , i.e., there are at most 2 √ n vertices in the target . Dvořák, M. Koucký, K. Král, and V. Slívová 11 layer B at distance smaller than d from v . It follows from an averaging argument that thereis an integer b such that there are at least n − √ n sources s i with distance at least d from u i + b in un ( G ). (Here the addition i + b is modulo n .) We fix one such b and set t i = u i + b .For n large enough, it holds that n − √ n ≥ · n . Thus, the network R is (cid:0) , d (cid:1) -long.It remains to construct the ( ε ′ , r )-encoding scheme E for R (see Fig. 1 for a sketch of theencoding E ). Each source s i receives a number x i ∈ [ n ] as an input message. We interpret thestring of the input messages x , . . . , x n − as a function. We define the function f : [ n ] → [ n ]as f ( i ) = x i . We will consider only those inputs x , . . . , x n − which are pairwise distinct sothat f is a permutation.At a vertex v j of the middle layer M we want to compute f − ( j ) using the data structure D . To compute f − ( j ) we need the appropriate advice string a f and answers to the oraclequeries Q j . We fix an advice string a f to some particular value which will be determinedlater, and we focus only on inputs x , . . . , x n − which have the same advice string a f . In G ′ the vertex v j is connected exactly to the sources s i for i ∈ Q j , but some of those connectionsmight be missing in G . Thus for each i such that s i ∈ W , x i will be fixed to some particularvalue c i which will also be determined later. Each source s i sends the input x i along alloutgoing edges incident to s i . Thus, at a vertex v j we know the answers to all f -oraclequeries in Q j . Recall that f ( i ) = x i and each x i for i ∈ Q j was either fixed to c i or sentalong the incoming edge ( s i , v j ) ∈ E ( G ). We also know the advice string a f as it was fixed.Therefore, we can compute f − ( j ) at every vertex v j . Note that f − ( j ) is the index of thesource which received j as an input message, i.e., if f − ( j ) = i , then x i = j .Now, we define another permutation h : [ n ] → [ n ] as h ( j ) = f − ( j ) + b where the additionis modulo n . Since b is fixed, we can compute h ( j ) at each vertex v j . The goal is to compute h − ( ℓ ) at each vertex u ℓ of the target layer. First, we argue that h − ( i + b ) = x i . Thepermutation f − maps an input message x i to the index i . The permutation h maps aninput message x i to the index i + b . Thus, the inverse permutation h − maps the index i + b to the input message x i . If we are able to reconstruct h − ( i + b ) at the target t i = u i + b , thenin fact we are able to reconstruct x i , the input message received by the source s i .To reconstruct h − ( ℓ ) at the vertex u ℓ we use the same strategy as for reconstructing f − ( j ) at vertices v j . We use again D , but this time for the function h . Again, we fix theadvice string a h of D , and we fix h ( j ) to some d j for each vertex v j ∈ W . Each vertex v j sends the value h ( j ) along all edges outgoing from v j . To compute h − ( ℓ ) we need values h ( j ) for all j ∈ Q ℓ , which are known to the vertex u ℓ . Again, they are either sent along theincoming edges or are fixed to d j . Since the value of the advice string a h is fixed, we cancompute the value h − ( ℓ ) = x ℓ − b at the vertex u ℓ .The network R is correct on all inputs x , . . . , x n − which encode a permutation andwhich are consistent with the fixed advice strings and the fixed values to the degree zerovertices. Now, we argue that we can fix all the values so that there will be many inputsconsistent with them. By Fact 1, there are at least 2 ( n log n ) − n inputs x , . . . , x n − whichencode a permutation. In order to make R work, we fixed the following values: Advice strings a f and a h , in total 2 ε · n log n bits. An input message c i for each source s i in W and a value d j for each vertex v j in W .Since | W | ≤ q · n and c i , d j ∈ [ n ], we fix q · n log n bits in total.Overall, we fix at most (2 ε + q ) · n log n bits. Thus, the fixed values divide the input stringsinto at most 2 (2 ε + q ) · n log n buckets. In each bucket all the input strings are consistent withthe fixed values. We conclude that there is a choice of values to fix so that its correspondingbucket contains at least 2 (1 − ε − q − n ) · n log n = 2 (1 − ε ′ ) · n log n input strings which encode apermutation. We pick that bucket and fix the corresponding values. Thus, the scheme E is ( ε ′ , r )-encoding scheme, which concludes the proof. ◀ In this section, we prove Theorem 3. The proof follows the blueprint of the proof of Theorem 2.The construction of a network R from a data structure is basically the same. Thus, wemainly describe only an ( ε ′ , r )-encoding scheme for R . ▶ Theorem 3.
Let F be a field and n be a divisor of | F | − . Let s = εn log | F | for asufficiently small constant ε > . Then assuming NCC, it holds that t F Eval ( s ) , t F Interp ( s ) ≥ Ω (cid:0) log n/ log log n (cid:1) . Proof.
Let D = D n be the optimal non-adaptive systematic data structure for the evaluationof polynomials of degree up to n − F and using space s = εn log | F | . We set t = t F Eval ( s ) , r = log | F | and ε ′ = 2 ε + q for sufficently large q . Again, we will construct a network R = (cid:0) G, r, ( s i , t i ) i ∈ [ n ] (cid:1) from D . To construct an ( ε ′ , r )-encoding scheme for R , we use entriesof FFFT, i.e., we will evaluate polynomials of degree at most n − n -th root of the unity. Thus, we fix a primitive n -th root of unity σ ∈ F , which we knowexists, as discussed in Section 2.2.We create a network R from D in the same way as we created in the proof of Theorem 2.By Lemma 4 we are able to conclude that t ≥ Ω (cid:0) log n/ log log n (cid:1) . First, we create a graph G ′ of three layers A = { s , . . . , s n − } , M = { v , . . . , v n − } and B = { u , . . . , u n − } and weadd 2 tn edges to G ′ according to the queries of D – on the vertex v j we will evaluate apolynomial in a point σ j and on the vertex u j we will evaluate a polynomial in a point σ − j .Then, we create a graph G from G ′ by removing edges incident to vertices in a set W , whichcontains vertices of degree higher than qt . Finally, we set a shift b ∈ [ n ] and set t i = u i + b insuch a way that the network R is (cid:0) , d (cid:1) -long for d = log qt n .Now, we desribe an ( ε ′ , r )-encoding scheme E for R using D . Each source s i receives aninput message α i ∈ F which we interpret as coefficients of a polynomial p ∈ F [ x ] (that is p ( x ) = P i ∈ [ n ] α i x i ). Each source s i sends its input message α i along all outgoing edges from s i . Each vertex v j computes p ( σ j ) using D . Again, we fix the advice string a p and the inputmessages α i for the sources s i in W . Each vertex v j computes a value h ( j ) = p ( σ j ) · σ jb andsends it along all outgoing edges from v j . We define a new polynomial p ′ ( x ) = P j ∈ [ n ] h ( j ) x j .We fix the advice string a p ′ and the values h ( j ) for each vertex v j ∈ W . Thus, each vertex u ℓ can compute a value p ′ ( σ − ℓ ). We claim that p ′ ( σ − ℓ ) n = α ℓ − b . p ′ ( σ − ℓ ) n = 1 n X j ∈ [ n ] h ( j ) σ − ℓj = 1 n X j ∈ [ n ] p ( σ j ) σ jb σ − ℓj = 1 n X j ∈ [ n ] X i ∈ [ n ] α i σ ji σ jb σ − ℓj = 1 n X i ∈ [ n ] α i X j ∈ [ n ] σ ji σ jb σ − ℓj = 1 n X i ∈ [ n ] α i X j ∈ [ n ] σ j ( i + b − ℓ ) = α ( ℓ − b mod n ) The last equality is by noting that P j ∈ [ n ] σ j ( i + b − ℓ ) = n for i = ℓ − b and 0 otherwise.Therefore, at each target t i = u i + b we can reconstruct the input message α i . See Fig. 2 for asketch of the scheme E .Again, we can fix values of advice strings a p and a p ′ (at most 2 ε · n log | F | fixed bits),input messages α i for each s i ∈ W and value of h ( j ) for each v j ∈ W (at most q · n log | F | . Dvořák, M. Koucký, K. Král, and V. Slívová 13 Input messages from F α i α n − ts s s i s n − tv v v n − u u n − u i ABMu v i t i = u i + b s i + b v i + b α i + b p (cid:0) σ i (cid:1) s i sends α i v j sends h ( j ) = p (cid:0) σ j (cid:1) · σ jb α α p ( x ) = (cid:80) i ∈ [ n ] α i · x i p (cid:48) ( x ) = (cid:80) j ∈ [ n ] h ( j ) x j p (cid:48) (cid:0) σ − ( i + b ) (cid:1) = α i Figure 2
Sketch of the encoding scheme E . fixed bits) in such a way there is a set F of inputs ( α , . . . , α n − ) consistent with such fixingand |F| ≥ (1 − ε − q ) n log | F | . Therefore, the scheme E is ( ε ′ , r )-encoding scheme. This finishesthe proof that t F Eval ( s ) ≥ Ω (cid:0) log n/ log log n (cid:1) .Essentially, the same proof can be used to prove the lower bound for t F Interp ( s ). Note that,the data structure D is used only for evaluating some polynomials in powers of the primitiveroot σ , i.e., computing entries of FFFT n,σ ( α , . . . , α n − ). However as discussed in Section 2.2,it holds that FFFT n,σ = n · FFFT − n,σ − . Moreover, entries of FFFT − n,σ − ( β , . . . , β n − ) canbe computed by a data structure for the polynomial interpolation. Thus, we may replaceboth uses of the data structure for the polynomial evaluation with a data structure for thepolynomial interpolation. Therefore, we can use a data structure for the interpolation as D and with slight changes of R and E , we would get again an ( ε ′ , r )-encoding scheme. ◀ In this section, we study a connection between non-adaptive data structures and booleancircuits. We are interested in circuits with binary AND and OR gates, and unary NOT gates.(See e.g. [20] for background on circuits).Corrigan-Gibbs and Kogan [9] describe a connection between lower bounds for non-adaptive data structures and lower bounds for boolean circuits for a special case whenthe data structure computes function inversion. They show that we would get a circuitlower bound if any non-adaptive data structure using O ( n ε ) queries must use at least ω (cid:0) n log n/ log log n (cid:1) bits of advice (for some fixed constant ε > boolean operator tobe a family of functions ( F n ) n ∈ N for F n : { , } n → { , } n represented by boolean circuitswith n input and n output bits and constant fan-in gates. A boolean operator is said to bean explicit operator if the decision problem whether the j -th output bit of F n is equal to oneis in the complexity class NP. ▶ Theorem 5 (Corrigan-Gibbs and Kogan [9], Theorem 3 (verbatim)) . If every explicit operatorhas fan-in-two boolean circuits of size O ( n ) and depth O (log n ) then, for every ε > ,there exists a family of strongly non-adaptive black-box algorithms that inverts all functions f : [ N ] → [ N ] using O (cid:0) N log N/ log log N (cid:1) bits of advice and O ( N ε ) online queries. To prove their theorem Corrigan-Gibbs and Kogan [9] use the common bits model of boolean circuits described by Valiant [30, 31, 32]. Valiant proves that for any circuit there isa small cut, called common bits , such that each output bit is connected just to few inputbits (formally stated in Theorem 6). Corrigan-Gibbs and Kogan [9] use the common bits ofthe given circuit to create a non-adaptive data structure by setting the advice string to thecontent of common bits and the queries are to those function values which are still connectedto the particular output after removing the common bits.Observe that it follows from the proof of Theorem 5 that the hard explicit operator isturning the function table into the table of its inverse function. The theorem is thereforeslightly stronger in the sense that if we have a data structure lower bound we also havea lower bound for a concrete boolean operator. It is also not straightforward to state aconnection between circuits computing FFFT and non-adaptive data structures computingpolynomial evaluation (resp. polynomial interpolation) as a consequence of Theorem 5. Thus,we restate the Valiant’s result to be able to state a more general theorem. ▶ Theorem 6 (Valiant [30, 31, 32]) . For every constant ε > , for every family of constantfan-in boolean circuits { C n } n ∈ N , where C n : { , } n → { , } n is of size O ( n ) and depth O (log n ) , and for every n ∈ N it holds that the circuit C n contains a set of gates called common bits of size O (cid:0) n/ log log n (cid:1) such that if we remove those gates then each output bitis connected to at most O ( n ε ) input bits. Now we can state a general theorem translating lower bounds for non-adaptive datastructures to circuit lower bounds. This allows us to apply the theorem directly to manydifferent problems. ▶ Theorem 7.
For every n ∈ N let us define b ( n ) = ⌈ log n ⌉ and for every function f n : { , } n · b ( n ) → { , } n · b ( n ) and for every i ∈ [ n ] we define a function f n,i : { , } n · b ( n ) →{ , } b ( n ) as follows: f n,i ( x ) = f n ( x ) i · b ( n ) ,i · b ( n )+1 ,..., ( i +1) · b ( n ) − , i.e., f n,i returns the ( i + 1) -stconsecutive block of b ( n ) bits of the output of f n .If there is a size O ( n log n ) and depth O (log n ) circuit family { C n } n ∈ N , where C n evaluatesa function f n : { , } n · b ( n ) → { , } n · b ( n ) , then for every constant ε > there exists afamily of non-adaptive data structures {D n } n ∈ N , where D n on input x ∈ { , } n · b ( n ) uses O (cid:0) n log n/ log log n (cid:1) bits of advice and on a query j ∈ [ n ] answers f n,j ( x ) using O ( n ε ) queriesto the input. The proof of Theorem 7 is the same as the proof of Theorem 3 of Corrigan-Gibbs andKogan [9] (restated here as Theorem 5). Note that the data structures are not uniform inthe sense that the algorithms for producing the advice string and for answering queries maydiffer for different input sizes. If we would like to get a uniform algorithm we would need theassumption that the explicit operator has linear size and logarithmic depth uniform circuits.Let us state concrete instances of Theorem 7. First, we formally state the stronger versionof Theorem 3 of Corrigan-Gibbs and Kogan [9], which follows from their proof. ▶ Corollary 8.
If there is a circuit family { C n } n ∈ N , such that C n : { , } n ⌈ log n ⌉ → { , } n ⌈ log n ⌉ is of size O ( n log n ) and depth O (log n ) and inverts a function f n : [ n ] → [ n ] (given on inputas a function table) on all points (i.e., returns function table of f − n ), then for every constant ε > there exists a family of non-adaptive data structures {D n } n ∈ N such that D n on allinput functions f n : [ n ] → [ n ] uses O (cid:0) n log n/ log log n (cid:1) bits of advice and for any x ∈ [ n ] itanswers f − n ( x ) using O ( n ε ) queries to the input. When f n is not a permutation we allow a table of any function which has zero if there is no preimageand any preimage if there are more possibilities. . Dvořák, M. Koucký, K. Král, and V. Slívová 15 Theorem 7 is general enough to easily capture the problem of computing FFFT over afinite field. Note that by the connection of FFFT to polynomial evaluation and interpolationthe following corollary captures both problems. ▶ Corollary 9.
Let S = (cid:8) p k | p is a prime , k ∈ N , k ̸ = 0 (cid:9) be the set of all sizes of finite fields.For each n ∈ S , let F n = GF ( n ) and σ n be a primitive ( n − -th root of unity (thus agenerator of the multiplicative group F ∗ n ).If there is a circuit family computing FFFT n − ,σ n (over F n ) of size O ( n log n ) and depth O (log n ) (where each input and output number is represented by log | F n | bits) then for every ε > there is a family of non-adaptive data structures {D n } n ∈S where D n uses advice ofsize O (cid:0) n log n/ log log n (cid:1) and on a query j ∈ [ n − outputs the j -th output of FFFT n − ,σ n using O ( n ε ) queries to the input. To put the corollary in counter-positive way: if for some ε >
0, there are no non-adaptivedata structures for polynomial interpolation, polynomial evaluation or FFFT with advise ofsize o (cid:0) n log n/ log log log n (cid:1) that use O ( n ε ) queries to the input then there are no linear-sizecircuits of logarithmic depth for FFFT.In Theorem 2, resp. Theorem 3, we prove a conditional lower bound for permutationinversion, resp. polynomial evaluation and polynomial interpolation, of the form, that anon-adaptive data structure using εn log n bits must do at least Ω (cid:0) log n/ log log n (cid:1) queries.It is not clear if assuming NCC we can get a sufficiently strong lower bound which would ruleout non-adaptive data structures with sublinear advice string using O ( n ε ) oracle queries. ▶ Corollary 10.
We say that a circuit C n : { , } n ⌈ log n ⌉ → { , } n ⌈ log n ⌉ sorts its input if onan input viewed as n binary strings x , x , . . . , x n ∈ { , } ⌈ log n ⌉ outputs the strings sortedlexicographically.If there is a circuit family ( C n ) n ∈ N , where C n : { , } n ⌈ log n ⌉ → { , } n ⌈ log n ⌉ sorts itsinputs, and each circuit C n is of size O ( n log n ) and depth O (log n ) then for every ε > , forevery permutation f : [ n ] → [ n ] there is a non-adaptive data structure for inverting f thatuses advice of size O (cid:0) n log n/ log log n (cid:1) and O ( n ε ) queries. The works of Farhadi et al. [12] and Asharov et al. [4] connect the NCC conjecturedirectly to lower bounds for sorting. Their work studies sorting n numbers of k + w bits bytheir first k bits. Namely Asharov et al. [4] show that NCC implies that constant fan-inconstant fan-out circuits must have size Ω (cid:0) nk ( w − log( n ) + k ) (cid:1) whenever w > log( n ) − k and k ≤ log n . This is incomparable to our results as we have w = 0. References Hamza Abusalah, Joël Alwen, Bram Cohen, Danylo Khilko, Krzysztof Pietrzak, and LeonidReyzin. Beyond hellman’s time-memory trade-offs with applications to proofs of space.In Tsuyoshi Takagi and Thomas Peyrin, editors,
Advances in Cryptology - ASIACRYPT2017 - 23rd International Conference on the Theory and Applications of Cryptology andInformation Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part II , volume10625 of
Lecture Notes in Computer Science , pages 357–379. Springer, 2017. doi:10.1007/978-3-319-70697-9\_13 . Micah Adler, Nicholas J. A. Harvey, Kamal Jain, Robert Kleinberg, and April Rasala Lehman.On the capacity of information networks. In
Proceedings of the Seventeenth Annual ACM-SIAMSymposium on Discrete Algorithm , SODA ’06, page 241–250, USA, 2006. Society for Industrialand Applied Mathematics. Peyman Afshani, Casper Benjamin Freksen, Lior Kamma, and Kasper Green Larsen. LowerBounds for Multiplication via Network Coding. In Christel Baier, Ioannis Chatzigiannakis,
Paola Flocchini, and Stefano Leonardi, editors, , volume 132 of
Leibniz International Proceedingsin Informatics (LIPIcs) , pages 10:1–10:12, Dagstuhl, Germany, 2019. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. URL: http://drops.dagstuhl.de/opus/volltexte/2019/10586 , doi:10.4230/LIPIcs.ICALP.2019.10 . Gilad Asharov, Wei-Kai Lin, and Elaine Shi. Sorting short keys in circuits of size o (n log n).In
Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms (SODA) , pages2249–2268. SIAM, 2021. Michael Ben-Or and Prasoon Tiwari. A deterministic algorithm for sparse multivariatepolynomial interpolation. In
Proceedings of the Twentieth Annual ACM Symposium on Theoryof Computing , STOC ’88, page 301–309, New York, NY, USA, 1988. Association for ComputingMachinery. doi:10.1145/62212.62241 . Michael Clausen, Andreas Dress, Johannes Grabmeier, and Marek Karpinski. On zero-testingand interpolation of k-sparse multivariate polynomials over finite fields.
Theor. Comput. Sci. ,84(2):151–164, July 1991. doi:10.1016/0304-3975(91)90157-W . James W Cooley and John W Tukey. An algorithm for the machine calculation of complexfourier series.
Mathematics of computation , 19(90):297–301, 1965. Sandro Coretti, Yevgeniy Dodis, Siyao Guo, and John Steinberger. Random oracles andnon-uniformity. In Jesper Buus Nielsen and Vincent Rijmen, editors,
Advances in Cryptology -EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applicationsof Cryptographic Techniques, 2018 Proceedings , Lecture Notes in Computer Science (includingsubseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), pages227–258. Springer Verlag, 2018. 37th Annual International Conference on the Theory andApplications of Cryptographic Techniques, EUROCRYPT 2018 ; Conference date: 29-04-2018Through 03-05-2018. doi:10.1007/978-3-319-78381-9_9 . Henry Corrigan-Gibbs and Dmitry Kogan. The function-inversion problem: Barriers andopportunities. In Dennis Hofheinz and Alon Rosen, editors,
Theory of Cryptography , pages393–421, Cham, 2019. Springer International Publishing. Anindya De, Luca Trevisan, and Madhur Tulsiani. Time space tradeoffs for attacks againstone-way functions and prgs. In Tal Rabin, editor,
Advances in Cryptology – CRYPTO 2010 ,pages 649–665, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg. Yevgeniy Dodis, Siyao Guo, and Jonathan Katz. Fixing cracks in the concrete: Randomoracles with auxiliary input, revisited. In Jean-Sébastien Coron and Jesper Buus Nielsen,editors,
Advances in Cryptology – EUROCRYPT 2017 , pages 473–495, Cham, 2017. SpringerInternational Publishing. Alireza Farhadi, MohammadTaghi Hajiaghayi, Kasper Green Larsen, and Elaine Shi. Lowerbounds for external memory integer sorting via network coding. In
Proceedings of the 51stAnnual ACM SIGACT Symposium on Theory of Computing , STOC 2019, page 997–1008, NewYork, NY, USA, 2019. Association for Computing Machinery. doi:10.1145/3313276.3316337 . Amos Fiat and Moni Naor. Rigorous time/space trade-offs for inverting functions.
SIAM J.Comput. , 29(3):790–803, December 1999. doi:10.1137/S0097539795280512 . Anna Gál and Peter Bro Miltersen. The cell probe complexity of succinct data structures. InJos C. M. Baeten, Jan Karel Lenstra, Joachim Parrow, and Gerhard J. Woeginger, editors,
Automata, Languages and Programming , pages 332–344, Berlin, Heidelberg, 2003. SpringerBerlin Heidelberg. Joachim von zur Gathen and Jrgen Gerhard.
Modern Computer Algebra . Cambridge UniversityPress, USA, 3rd edition, 2013. Rosario Gennaro, Yael Gertner, Jonathan Katz, and Luca Trevisan. Bounds on the efficiencyof generic cryptographic constructions.
SIAM J. Comput. , 35(1):217–246, July 2005. doi:10.1137/S0097539704443276 . . Dvořák, M. Koucký, K. Král, and V. Slívová 17 Dima Grigoryev, Marek Karpinski, and Michael Singer. Fast parallel algorithms for sparsemultivariate polynomial interpolation over finite fields.
SIAM J. Comput. , 19:1059–1063, 121990. doi:10.1137/0219073 . M. Hellman. A cryptanalytic time-memory trade-off.
IEEE Transactions on InformationTheory , 26(4):401–406, 1980. doi:10.1109/TIT.1980.1056220 . Gábor Ivanyos, Marek Karpinski, Miklos Santha, Nitin Saxena, and Igor E. Shparlinski.Polynomial interpolation and identity testing from high powers over finite fields.
Algorithmica ,80(2):560–575, February 2018. doi:10.1007/s00453-016-0273-1 . Stasys Jukna.
Boolean function complexity: advances and frontiers , volume 27. SpringerScience & Business Media, 2012. K. S. Kedlaya and C. Umans. Fast modular composition in any characteristic. In , pages 146–155, 2008. doi:10.1109/FOCS.2008.13 . Kasper Green Larsen. Higher cell probe lower bounds for evaluating polynomials. In
Proceedingsof the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science , FOCS ’12,page 293–301, USA, 2012. IEEE Computer Society. doi:10.1109/FOCS.2012.21 . Kasper Green Larsen, Omri Weinstein, and Huacheng Yu. Crossing the logarithmic barrierfor dynamic boolean data structure lower bounds. In
Proceedings of the 50th Annual ACMSIGACT Symposium on Theory of Computing , STOC 2018, page 978–989, New York, NY,USA, 2018. Association for Computing Machinery. doi:10.1145/3188745.3188790 . Zongpeng Li and Baochun Li. Network coding: The case of multiple unicast sessions.
Proceed-ings of the 42nd Allerton Annual Conference on Communication, Control, and Computing , 102004. Peter Bro Miltersen. On the cell probe complexity of polynomial evaluation.
Theor. Comput.Sci. , 143(1):167–174, May 1995. doi:10.1016/0304-3975(95)80032-5 . John M Pollard. The fast fourier transform in a finite field.
Mathematics of computation ,25(114):365–374, 1971. Jean-Pierre Serre.
A course in arithmetic , volume 7. Springer Science & Business Media, 2012. A. Smoktunowicz, I. Wróbel, and P. Kosowski. A new efficient algorithm for polynomialinterpolation.
Computing , 79(1):33–52, February 2007. doi:10.1007/s00607-006-0185-z . Dominique Unruh. Random oracles and auxiliary input. In Alfred Menezes, editor,
Advancesin Cryptology - CRYPTO 2007 , pages 205–223, Berlin, Heidelberg, 2007. Springer BerlinHeidelberg. Leslie G Valiant. Graph-theoretic arguments in low-level complexity. In
International Sympo-sium on Mathematical Foundations of Computer Science , pages 162–176. Springer, 1977. Leslie G Valiant. Exponential lower bounds for restricted monotone circuits. In
Proceedings ofthe fifteenth annual ACM symposium on Theory of computing , pages 110–117, 1983. Leslie G Valiant. Why is boolean complexity theory difficult.
Boolean Function Complexity ,169(84-94):4, 1992. Emanuele Viola. On the power of small-depth computation.
Found. Trends Theor. Comput.Sci. , 5(1):1–72, January 2009. Emanuele Viola. Lower bounds for data structures with space close to maximum imply circuitlower bounds.
Theory of Computing , 15(18):1–9, 2019. URL: , doi:10.4086/toc.2019.v015a018 . A. C.-C. Yao. Coherent functions and program checkers. In
Proceedings of the Twenty-SecondAnnual ACM Symposium on Theory of Computing , STOC ’90, page 84–94, New York, NY,USA, 1990. Association for Computing Machinery. doi:10.1145/100216.100226 . A Proof of Lemma 4 ▶ Lemma 4 (Implicitly used in [12, 3]) . Let R = (cid:0) G, q, ( s i , t i ) i ∈ [ k ] (cid:1) be a ( δ, d ) -long directedacyclic uniform network for δ > and sufficiently large q ∈ R + . Assume there is an ( ε, r ) -encoding scheme for R for sufficiently small ε . Then assuming NCC, it holds that | E ( G ) | k ≥ δ ′ · d , where δ ′ = δ − / . For the proof, we use an F -correction game introduced by Farhadi et al. [12] (the statementof the following definition and lemma is due to Afshani et al. [3]). ▶ Definition 11 ( F -correction game [12, 3]) . Let
F ⊆ { , } mℓ . The F - correction game with ℓ + 1 players is defined as follows. The game is played by ℓ ordinary players p , . . . , p ℓ − andone designated supervisor player ¯ u . The supervisor ¯ u receives ℓ strings α , . . . , α ℓ − ∈ { , } m chosen independently at random. For every i ∈ [ ℓ ] , ¯ u sends p i a message β i . Given β i , theplayer p i produces a string γ i ∈ { , } m such that (cid:0) ( α ⊕ γ ) , . . . , ( α ℓ − ⊕ γ ℓ − ) (cid:1) ∈ F . ▶ Lemma 12 ([12, 3]) . If |F| ≥ (1 − ε ) mℓ , then there exists a protocol for the F -correctiongame with ℓ + 1 players such that the messages ( β i ) i ∈ [ ℓ ] are prefix-free and X i ∈ [ ℓ ] E | β i | ≤ ℓ + 2 ℓ log (cid:18)r ε · m + 1 (cid:19) + r ε · mℓ log 2 ε . (1)Observe that for sufficiently small ε and sufficiently large m the formula in Equation 1can be bounded by mℓ . Thus, we can suppose that the expected total length of the messagessent by supervisor u in the F -correction game is at most mℓ . Proof of Lemma 4.
Let R = (cid:0) G, q, ( s i , t i ) i ∈ [ k ] (cid:1) be a network given by the assumption of thelemma. We will create a directed acyclic network R ′ = (cid:0) G ′ , c ′ , ( s ′ i , t i ) i ∈ [ k ] (cid:1) which will admits acorrect encoding scheme. Thus, we will be able to apply NCC to R ′ . Note that, the network R ′ has new sources s ′ i but the original targets t i .The network R ′ is defined as follows. We add new sources s ′ , . . . , s ′ k and one specialvertex u to the graph G . For each i we add the following new edges:Edge ( s ′ i , s i ) and ( s ′ i , u ) of capacity r , i.e, edges connecting the new sources with theoriginal ones and the new special vertex.Edges connecting the new special vertex u with the original sources s i and the targets t i , i.e, the edges ( u, s i ) and ( u, t i ) of capacity E | β i | , where β i is the message sent bythe supervisor ¯ u to the player p i in the protocol for the F -correction game given byLemma 12.This finishes the construction of R ′ . By assumption, there is a set F ⊆ { , } kr and anencoding scheme E for R such that E is correct on inputs in F . Note that R is a subnetworkof R ′ . Thus, to create an encoding scheme for R ′ which will be correct on every input in { , } kr we use an encoding E to recover some messages w = ( w , . . . , w k − ) ∈ F and thespecial vertex u which will send messages as the supervisor ¯ u in the F -correction game. Afterthat, the targets t i will be able to reconstruct the input messages w ′ i received at the newsources s ′ i .More formally, let w ′ i be an input message received at the source s ′ i . Each w ′ i is uniformlysampled from { , } r (independently on other w ′ j ). Now, the encoding scheme E ′ for R ′ works as follows: Each source s ′ i sends the input message w ′ i to the vertex s i and u . The vertex u computes the messages β , . . . , β k − according to the protocol given byLemma 12 (applied for the messages α i = w ′ i ). Then for each i ∈ [ k ], the vertex u sendsthe messages β i to the vertex s i and t i . . Dvořák, M. Koucký, K. Král, and V. Slívová 19 Each vertex s i computes the string γ i . By Lemma 12, it holds that (cid:0) ( w ′ ⊕ γ ) , . . . , ( w ′ k − ⊕ γ k − ) (cid:1) ∈ F . Thus, we can use the encoding scheme E for R to reconstruct strings w ′ i ⊕ γ i at eachtarget t i . Each target t i can reconstruct strings w ′ i ⊕ γ i and γ i . Thus, it can reconstruct the inputmessage w ′ i .By construction of the network R ′ , it is clear that the encoding scheme E ′ respects thecapacities c ′ .The encoding scheme E ′ witnesses that the coding rate of R ′ is at least r . Thus by NCC(Conjecture 1), we conclude that the flow rate of un ( R ′ ) is at least r as well, i.e., there is amulticommodity flow F = ( f , . . . , f k − ) for un ( R ′ ) which transports at least r units of eachcommodity i . Now, we argue that there is only a small fraction of the total flow which goesthrough the special vertex u . ▷ Claim 13.
The size of total flow which goes through u is at most kr . Proof.
The total capacity of the edges incident to the vertex u is at most kr . The vertex u is incident to k edges { u, s ′ i } of capacity r , which contribute by kr to the total capacity.Then for each i , the vertex u is incident to the edges { u, s i } and { u, t i } , which have bothcapacity E | β i | . By Lemma 12, we have that P i E | β i | ≤ kr . Thus, these edges contributeby kr to the total capacity. By conservation of the flow, it must hold that X i ∈ [ k ] X v ∈ V ( G ′ ) f i ( v, u ) ≤ kr, X i ∈ [ k ] X v ∈ V ( G ′ ) f i ( u, v ) ≤ kr. ◁ Let A ⊆ [ k ] be a set of indices of source-target pairs ( s i , t i ) such that at least r units ofthe commodity i do not go through the vertex u . It follows that the set A is substantiallylarge. ▷ Claim 14. | A | ≥ k . Proof.
Suppose opposite, | A | < k , i.e., there are at least k source-target pairs ( s i , t i ) suchthat strictly more than r units of the commodity i goes through the vertex u . Therefore, thetotal size of the flow going through u is strictly larger than k · r = kr , which contradictsClaim 13. ◁ Let L ⊆ [ k ] be a set of indices of pairs ( s i , t i ) such that their distance in un ( G ) is at least d . By the assumption of the lemma, it holds that | L | ≥ δk . Note that for each i , the distancebetween s i and t i in G ′ is 2 because of the vertex u . However, due to Claim 14 there is a lotof source-target pairs ( s i , t i ) which are far in un ( G ) and some units of the commodity i donot go through u : (cid:12)(cid:12) A ∩ L (cid:12)(cid:12) ≥ (cid:12)(cid:12) A (cid:12)(cid:12) − (cid:12)(cid:12) [ k ] \ L (cid:12)(cid:12) = (cid:18) δ − (cid:19) · k. Let L ′ = A ∩ L , i.e., the set L ′ contains indices i ∈ [ k ] such that distance between s i and t i in un ( G ) is at least d and at least r units of the commodity i do not go through u – thus, it has to go through paths of length at least d . Now, we are ready to prove the assertion ofthe lemma. Let ¯ E = E (cid:0) un ( G ) (cid:1) . r · | ¯ E | = X e ∈ ¯ E c ( e ) ≥ X { v,w }∈ ¯ E X i ∈ [ k ] f i ( v, w ) + f i ( w, v ) ≥ X i ∈ L ′ X { v,w }∈ ¯ E f i ( v, w ) + f i ( w, v ) ≥ (cid:18) δ − (cid:19) k · r d = δ ′ · kr · d By definition of L ′ .It follows that | ¯ E | k ≥ δ ′ · d ..