On the Consistency of Circuit Lower Bounds
for Non-Deterministic Time¹¹1An extended abstract of part of this work appeared as [2].

Being well motivated, consistency results are also hard to come by, and not much is known. In particular, it is unknown whether $\mathsf{NP}\not\subseteq\mathsf{P/poly}$ is consistent with $\mathsf{S}^{1}_{2}$.

It is not straightforward to formalize $\mathsf{NP}\not\subseteq\mathsf{P/poly}$ because exponentiation is not provably total in bounded arithmetics. On the formal level, call a number $n$ small if $2^{n}$ exists. A size-$n^{c}$ circuit can be coded by a binary string of length at most $10\cdot n^{c}\cdot\log(n^{c})$, and hence by a number below $2^{10\cdot n^{c}\cdot\log(n^{c})}$; this bound exists for small $n$.

On the formal level, an $\mathsf{NP}$-problem is represented by a $\Sigma^{b}_{1}$-formula $\varphi(x)$. A sentence expressing that the problem defined by $\varphi(x)$ has size $n^{c}$ circuits looks as follows:

Here, the quantifier on $n$ ranges over small numbers above $1$. We think of the quantifier on $C$ as ranging over circuits of encoding-size $n^{c}$, and of the quantifier on $x$ as ranging over length $n$ binary strings. Counting the $\exists$ hidden in $\varphi$, this is a bounded $\forall\exists\forall\exists$-sentence (namely a $\forall\Sigma^{b}_{3}$-sentence).

Now more precisely, the central question whether $\mathsf{S}^{1}_{2}$ is consistent with $\mathsf{NP}\not\subseteq\mathsf{P/poly}$ asks for a $\Sigma^{b}_{1}$-formula $\varphi(x)$ such that $\mathsf{S}^{1}_{2}+\big{\{}\neg\alpha^{c}_{\varphi}\mid c\in\mathbb{N}\big{\}}$ is consistent. As mentioned a model witnessing this consistency would be a world where a considerable part of complexity theory is true and the $\mathsf{NP}$-problem defined by $\varphi$ does not have polynomial-size circuits. This is faithful in that there also exists an $\mathsf{NP}$-machine $M$ that cannot be simulated by small circuits in the model. Namely, $\mathsf{S}^{1}_{2}$ proves that $\varphi(x)$ is equivalent to a formula

for a suitable $\mathsf{NP}$-machine $M$, namely a model-checker for $\varphi$. Here, the constant $d$ stems from the polynomial running time of $M$. We write $\alpha^{c}_{M}:=\alpha^{c}_{\varphi}$ for $\varphi(x)$ equal to (2). One can also fix the machine $M$ in advance to a universal one, namely a model-checker $M^{*}$ for an $\mathsf{S}^{1}_{2}$-provably $\mathsf{NP}$-complete problem (e.g., $\mathsf{SAT}$).

The predominant approach to the consistency of circuit lower bounds is based on witnessing theorems: a proof of $\alpha^{c}_{M}$ in some bounded arithmetic implies a low-complexity algorithm that computes a witness $C$ from $1^{n}$. E.g., if the theory has feasible witnessing in $\mathsf{P}$, then it does not prove $\alpha^{c}_{\varphi}$ for any $c$ unless the problem defined by $\varphi(x)$ is in $\mathsf{P}$. However, $\mathsf{S}^{1}_{2}$ is only known to have feasible witnessing in $\mathsf{P}$ for bounded $\forall\exists$-sentences and $\alpha^{c}_{\varphi}$ is a $\forall\exists\forall\exists$-sentence.

Fortunately, a self-reducibility argument implies that the quantifier complexity of this formula can be reduced. Up to suitable changes of $c$, the formula $\alpha^{c}_{M^{*}}$ is $\mathsf{S}^{1}_{2}$-provably equivalent to the following sentence of lower quantifier complexity:

where $d$ stems from the polynomial runtime of $M^{*}$. We define

Note, $\beta^{c}_{M^{*}}$ is a bounded $\forall\exists\forall$-sentence (namely a $\forall\Sigma^{b}_{2}$-sentence). For such sentences, $\mathsf{S}^{2}_{2}$ has feasible witnessing in $\mathsf{P}^{\mathsf{NP}}$ [6], and $\mathsf{S}^{1}_{2}$ has feasible witnessing by certain interactive polynomial-time computations [21]. This was exploited by Cook and Krajíček [12] to prove⁶⁶6$\mathsf{P}^{\mathsf{NP}}_{\mathrm{tt}}$ denotes polynomial time with non-adaptive queries to an $\mathsf{NP}$-oracle. In [12] a distinct but similar formalization of $\mathsf{NP}\not\subseteq\mathsf{P/poly}$ is used. that “$\mathsf{NP}\not\subseteq\mathsf{P/poly}$” is consistent with $\mathsf{S}^{2}_{2}$ unless $\mathsf{PH}\subseteq\mathsf{P}^{\mathsf{NP}}$, and with $\mathsf{S}^{1}_{2}$ unless $\mathsf{PH}\subseteq\mathsf{P}^{\mathsf{NP}}_{\mathrm{tt}}$. Since the complexity of witnessing increases with the strength of the theory, it seems questionable whether this method yields insights for much stronger theories: by the Karp-Lipton Theorem [19], $\mathsf{PH}\not\subseteq\mathsf{NP}^{\mathsf{NP}}$ implies that “$\mathsf{NP}\not\subseteq\mathsf{P/poly}$” is true, and true sentences are consistent with any true theory. Moreover, the focus of this work is on unconditional consistency results.

Using similar methods, a recent line of works [24, 8, 9, 10] achieved unconditional consistency results for fixed-polynomial lower bounds, even for $\mathsf{P}$ instead of $\mathsf{NP}$ (based on [36]). For example, the main result in [8] implies that $\mathsf{S}^{2}_{2}+\neg\alpha_{\varphi}^{c}$ and $\mathsf{S}^{1}_{2}+\neg\alpha_{\psi}^{c}$ are consistent for certain formulas $\varphi(x)$ and $\psi(x)$ that define problems in $\mathsf{P}^{\mathsf{NP}}$ and $\mathsf{NP}$, respectively. Again it seems questionable whether the underlying methods can yield insights for much stronger theories: by Kannan [18], the lower bound stated by $\neg\alpha_{\chi}^{c}$ is true for some formula $\chi(x)$ defining a problem in $\mathsf{NP}^{\mathsf{NP}}$. Moreover, the formulas above depend on $c$ and new ideas seem to be required to reach the unconditional consistency of superpolynomial lower bounds.

The purpose of this paper is to prove the unconditional consistency of $\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$ with the comparatively strong theory $\mathsf{V}^{0}_{2}$. Consistency results for $\mathsf{V}^{0}_{2}$ are meaningful, since $\mathsf{V}^{0}_{2}$ is stronger than $\mathsf{T}^{2}_{2}$ which, as discussed earlier, can formalize many results in complexity theory. Our approach is not via witnessing but via simulating comprehension.

The problems in $\mathsf{NEXP}$ are naturally represented on the formal level by $\hat{\Sigma}^{1,b}_{1}$-formulas $\varphi(x)$: an existentially quantified set variable followed by a bounded formula. We discuss three ways to formalize $\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$, namely with $\{\neg\alpha^{c}_{\varphi}\mid c\geqslant 1\}$ for a $\hat{\Sigma}^{1,b}_{1}$-formula $\varphi(x)$, with $\{\neg\alpha^{c}_{M_{0}}\mid c\geqslant 1\}$ and with $\{\neg\beta^{c}_{M_{0}}\mid c\geqslant 1\}$ for a suitable universal $\mathsf{NEXP}$-machine $M_{0}$. We now discuss these formalizations; they are analogous to the formalizations discussed in the previous section.

The “direct formalization” of the consistency of $\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$ is based on the formulas $\alpha^{c}_{\varphi}$. These are defined similarly as before but with $\varphi$ a $\hat{\Sigma}^{1,b}_{1}$-formula:

Then our direct formalization of the consistency of $\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$ is:

Theorem 2 can be strengthened to establish the consistency of $\mathsf{NEXP}\not\subseteq\mathsf{PH/poly}$ (see Section 2.3) but our focus is on $\mathsf{P/poly}$.

Theorem 2 is proved in Section 2.2 but in hindsight is not hard to prove. For $\varphi(x)$ take a formula negating the pigeonhole principle: it states that there exists a set coding an injection from $\{0,\ldots,x+1\}$ into $\{0,\ldots,x\}$, and thus is expressible as a $\hat{\Sigma}^{1,b}_{1}$-formula. The intermediate steps in the usual proof of the pigeonhole principle involve further sets encoding injections, and these can also expressed with $\hat{\Sigma}^{1,b}_{1}$-formulas. If these formulas were computed by polynomial-size circuits, then we could use quantifier-free induction to show that the pigeonhole principle is provable in $\mathsf{V}^{0}_{2}$. But it is well known that this is not the case (see [22, Corollary 12.5.5]).

Concerning the faithfulness of the direct formalization we get, as before, a model of $\mathsf{V}^{0}_{2}$ where a certain $\mathsf{NEXP}$-machine cannot be simulated by small circuits. Indeed, for an explicit $\mathsf{NEXP}$-machine $M$ we can write the formula (2) using instead of $\exists y$ a quantification $\exists Y$ for a set variable $Y$:

Roughly, an explicit $\mathsf{NEXP}$-machine is one such that $\mathsf{S}^{1}_{2}$ can verify a suitable bound on its runtime; we defer the details to Section 3.1. It turns out that $\mathsf{V}^{0}_{2}$ proves that every $\hat{\Sigma}^{1,b}_{1}$-formula $\varphi(x)$ is equivalent to (3) for a suitable $M$, namely a model-checker for $\varphi(x)$. Proving this is not trivial because $\mathsf{V}^{0}_{2}$ is agnostic about the existence of computations of exponential-time machines. One of our contributions is to prove it; we give the details in Section 3.

Intuitively, $\mathsf{V}^{0}_{2}$ does not know whether non-trivial exponential-size sets exist, namely sets not given by bounded formulas. But then, how meaningful is the consistency statement of Theorem 2 or the corresponding statement for $\{\neg\alpha^{c}_{M}\mid c\geqslant 1\}$? These sentences contain (universal and) existential set quantifiers. It turns out that we can move again to a suitably modified sentence $\beta^{c}_{M}$ of lower quantifier complexity, namely a sentence all of whose set quantifiers are universal (i.e., $\forall\Pi^{1,b}_{1}$): such sentences do not entail the existence of non-trivial large sets. This does not follow from simple self-reducibility arguments but is a deep result of complexity theory, namely the Easy Witness Lemma of Impagliazzo, Kabanets and Wigderson [14, Theorem 31]. We use Williams’ version as stated in [38, Lemma 3.1] (see [39, Theorem 3.1] for the equivalence):

An oblivious witness circuit for a machine $M$ and input length $n$ is a circuit $D$ with at least $n$ inputs such that for every $x$ of length $n$, if $M$ accepts $x$, then $\mathit{tt}(D_{x})$ encodes an accepting computation of $M$ on $x$. Here, the circuit $D_{x}$ is obtained from $D$ by fixing the first $n$ inputs to the bits of $x$, and $\mathit{tt}(D_{x})$ is the truth table of $D_{x}$. In the statement of the lemma, polynomial-size refers to polynomial in $n$, and the qualifier oblivious refers to the fact that $D$ depends only on the length of $x$, not on $x$ itself.

In the language of two-sorted bounded arithmetic the string $\mathit{tt}(D_{x})$ corresponds to the set $D_{x}(\cdot)$ of numbers accepted by $D_{x}$. We thus define the formula $\beta^{c}_{M}$ by replacing $D(x)$ by $D_{x}(\cdot)$ and $\forall y$ by $\forall Y$:

In Section 4.1 we define a suitable universal explicit $\mathsf{NEXP}$-machine $M_{0}$ and arrive at our formalization of $\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$:

The main result of this paper is:

In the notation introduced above, this gives:

Both $\{\lnot\alpha^{c}_{M_{0}}:c\in\mathbb{N}\}$ and $\{\lnot\beta^{c}_{M_{0}}:c\in\mathbb{N}\}$ are formalizations of $\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$. The first has the advantage of being more direct whereas the second has the advantage of having lower quantifier complexity: $\beta^{c}_{M_{0}}$ is $\forall\Pi^{1,b}_{1}$ while $\alpha^{c}_{M_{0}}$ is $\forall\Sigma^{b}_{\infty}(\Pi^{1,b}_{1})$. In addition, being $\forall\Pi^{1,b}_{1}$ is instrumental for our magnification result discussed below (Theorem 11). It is easy to see that $\mathsf{V}^{0}_{2}$ proves that $\{\lnot\alpha^{c}_{M_{0}}:c\in\mathbb{N}\}$ implies $\{\lnot\beta^{c}_{M_{0}}:c\in\mathbb{N}\}$. The converse implication is true too, but depends on the Easy Witness Lemma. It is open whether $\mathsf{V}^{0}_{2}$ proves this implication or the Easy Witness Lemma.

We emphasize here that our formalization of $\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$ through the universal machine $M_{0}$ and the $\alpha^{c}_{M_{0}}$ and $\beta^{c}_{M_{0}}$ sentences refers exclusively to the setting of non-relativized complexity classes.

Second we show that $\mathsf{NEXP}$ can be lowered to just above $\mathsf{NP}$. For $k\in\mathbb{N}$, define $\log^{(k)}n$ inductively by $\log^{(1)}n:=\log n$, and $\log^{(k+1)}n:=\log\log^{(k)}n$. We prove:

The formalization and proof proceeds similarly and relies on an Easy Witness Lemma for barely superpolynomial time by Murray and Williams [27]. Theorem 9 “almost” settles the central question for the consistency of $\mathsf{NP}\not\subseteq\mathsf{P/poly}$ with a strong bounded arithmetic. Closing the tiny gap, however, seems to require some new ideas.

The proof of the consistency of circuit lower bounds is based on the complexity of constant depth propositional proofs for the pigeonhole principle. We shall see that $\mathsf{V}^{0}_{2}+\alpha^{c}_{M_{0}}$ (and thus $\mathsf{V}^{0}_{2}+\beta^{c}_{M_{0}}$) proves the pigeonhole principle. This implies Theorem 7 as it is well-known that $\mathsf{V}^{0}_{2}$ cannot prove this principle. Thereby, Theorem 7 is ultimately based on the exponential lower bound for this principle in bounded depth Frege systems [1, 4]. On a high level, while the approach based on witnessing uses complexity theoretic methods, our approach is based on methods that arose from mathematical logic, in particular forcing (cf. [3]).

The $\{\lnot\beta^{c}_{M_{0}}\}$ formulation of “$\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$” provides an additional insight into the consistency lower bound. By the Easy Witness Lemma, the inclusion $\mathsf{NEXP}\subseteq\mathsf{P/poly}$ implies that a rich collection of sets is represented by circuits (via their truth tables). A weak theory can quantify over circuits and hence implicitly over this collection. Thus, intuitively, $\beta^{c}_{M_{0}}$ should enable a weak theory to simulate a two-sorted theory of considerable strength. More precisely, we show that $\beta^{c}_{M_{0}}$ can be used to simulate a considerable fragment of $\Sigma^{1,b}_{1}$-comprehension, i.e., a considerable fragment of $\mathsf{V}^{1}_{2}$.

The sketched idea can be made explicit as follows. By $\mathsf{S}^{1}_{2}(\alpha)$ we denote the two-sorted variant of $\mathsf{S}^{1}_{2}$. Its models consist of two universes $M$ and $\mathcal{X}$ interpreting the number and the set sort, respectively. Given such a model that additionally satisfies $\beta^{c}_{M_{0}}$ for some $c\in\mathbb{N}$, we will show in Lemma 45 that shrinking $\mathcal{X}$ to the sets represented by circuits in $M$ yields a model of $\mathsf{V}^{1}_{2}$. This has two interesting consequences. The first is:

By a number-sort formula we mean one that does not use set-sort variables. Note that the corollary refers to number-sort sentences of arbitrary unbounded quantifier complexity. It is conjectured that $\mathsf{V}^{1}_{2}$ has more number-sort consequences than all other theories mentioned so far. But this is known only for $\mathsf{S}^{1}_{2}$ [37, 20], and there even for $\forall\Pi^{b}_{1}$-sentences. Theorem 10 directly infers evidence for the truth of “$\mathsf{NEXP}\not\subseteq\mathsf{P/poly}$” from progress in mathematical logic on understanding independence. Loosely speaking, we view it in line with the belief that it is mathematical logic that ultimately bears on fundamental complexity-theoretic conjectures (see e.g. again the preface of [22]).

The second consequence is:

This is a magnification result on the hardness of proving circuit lower bounds: it infers strong hardness (for $\mathsf{V}^{1}_{2}$) from weak hardness (for $\mathsf{S}^{1}_{2}(\alpha)$). The term magnification has been coined in [28] in the context of circuit lower bounds where such results are currently intensively investigated (cf. [11]). In proof complexity such results are rare so far. An example in propositional proof complexity appears in [26, Proposition 4.14]. Magnification results are interesting because they reveal inconsistencies in common beliefs about what is and what is not within the reach of currently available techniques. Theorem 11 might foster hopes to complete Razborov’s program to find a precise barrier in circuit complexity (cf. Remark 46).

Bounded arithmetics have language $x{\leqslant}y$, $0$, $1$, $x{+}y$, $x{\cdot}y$, $\lfloor x{/}2\rfloor$, $x{\#}y$, $|x|$, and built-in equality $x{=}y$. Note that Cantor’s pairing $\langle x,y\rangle$ is given by a term. Iterating it gives $\langle x_{1},\ldots,x_{k}\rangle$ for $k>2$. A number $x$ is called small if it satisfies the formula $\exists y\ x{=}|y|$. We abbreviate $\exists y\ x{=}|y|$ by $x{\in}\mathit{Log}$ and $x{\in}\mathit{Log}\wedge 1{<}x$ by $x{\in}\mathit{Log}_{>1}$. The quantifiers $\forall x{\in}\mathit{Log}_{>1}$ and $\exists x{\in}\mathit{Log}_{>1}$ range over small numbers above $1$. If $x=|y|$, we write $2^{x}$ for $1\#y$ and similarly for other exponential functions. E.g., a formula of the form $\forall x{\in}\mathit{Log}_{>1}\ \ldots\ 2^{x^{2}}\ldots$ stands for the formula $\forall x\forall y\ (1{<}x\wedge x{=}|y|\to\ldots\ y\#y\ldots)$.