New results on Noncommutative and Commutative Polynomial Identity Testing
Using ideas from automata theory we design a new efficient (deterministic) identity test for the \emph{noncommutative} polynomial identity testing problem (first introduced and studied in \cite{RS05,BW05}). We also apply this idea to the reconstructi…
Authors: V. Arvind, Partha Mukhopadhyay, Srikanth Srinivasan
V. Arvind, Partha Mukhopadhyay, and Srikanth Srinivasan
Institute of Mathematical Sciences, C.I.T Campus, Chennai 600 113, India
{arvind,partham,srikanth}@imsc.res.in

Abstract

Using ideas from automata theory we design a new efficient (deterministic) identity test for the noncommutative polynomial identity testing problem (first introduced and studied in [RS05, BW05]). More precisely, given as input a noncommutative circuit $C(x_1, \cdots, x_n)$ computing a polynomial in $\mathbb{F}\{x_1, \cdots, x_n\}$ of degree $d$ with at most $t$ monomials, where the variables $x_i$ are noncommuting, we give a deterministic polynomial identity test that checks if $C \equiv 0$ and runs in time polynomial in $d$, $n$, $|C|$, and $t$.

The same methods work in a black-box setting: given a noncommuting black-box polynomial $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ of degree $d$ with $t$ monomials we can, in fact, reconstruct the entire polynomial $f$ in time polynomial in $n$, $d$ and $t$. Indeed, we apply this idea to the reconstruction of black-box noncommuting algebraic branching programs (the ABPs considered by Nisan in [N91] and Raz-Shpilka in [RS05]). Assuming that the black-box model allows us to query the ABP for the output at any given gate, we can reconstruct an (equivalent) ABP in deterministic polynomial time.

Finally, we turn to commutative identity testing and explore the complexity of the problem when the coefficients of the input polynomial come from an arbitrary finite commutative ring with unity whose elements are uniformly encoded as strings and the ring operations are given by an oracle. We show that several algorithmic results for polynomial identity testing over fields also hold when the coefficients come from such finite rings.
1 Introduction

Polynomial identity testing (denoted PIT) over fields is a well studied algorithmic problem: given an arithmetic circuit $C$ computing a polynomial in $\mathbb{F}[x_1, x_2, \cdots, x_n]$ over a field $\mathbb{F}$, the problem is to determine whether the polynomial computed by $C$ is identically zero. The problem is also studied when the input polynomial $f$ is given only via black-box access, i.e., we can evaluate it at any point in $\mathbb{F}^n$ or in $\mathbb{F}'^n$ for a field extension $\mathbb{F}'$ of $\mathbb{F}$. When $f$ is given by a circuit the problem is in randomized polynomial time. Even in the black-box setting, when $|\mathbb{F}|$ is suitably larger than $\deg(f)$, the problem is in randomized polynomial time. A major challenge is to obtain deterministic polynomial time algorithms even for restricted versions of the problem. The results of Impagliazzo and Kabanets [KI03] show that the problem is as hard as proving superpolynomial circuit lower bounds. Indeed, the problem remains open even for depth-3 arithmetic circuits with an unbounded $\Sigma$ gate as output [DS05, KS07].

As shown by Nisan [N91], lower bounds are somewhat easier to prove for noncommutative algebraic computation. Using a rank argument Nisan has shown exponential size lower bounds for noncommutative formulas (and noncommutative algebraic branching programs) that compute the noncommutative permanent or determinant polynomials in the ring $\mathbb{F}\{x_1, \cdots, x_n\}$ where the $x_i$ are noncommuting variables. Thus, it seems plausible that identity testing in the noncommutative setting ought to be easier too. Indeed, Raz and Shpilka in [RS05] have shown that for noncommutative formulas (and algebraic branching programs) there is a deterministic polynomial time algorithm for polynomial identity testing. However, for noncommutative circuits the situation is somewhat different.
Bogdanov and Wee in [BW05] show using Amitsur-Levitzki's theorem that identity testing for polynomial degree noncommutative circuits is in randomized polynomial time. Basically, the Amitsur-Levitzki theorem allows them to randomly assign elements from a matrix algebra $M_k(\mathbb{F})$ for the noncommuting variables $x_i$, where $2k$ exceeds the degree of the circuit.

The main contribution of this paper is the use of ideas from automata theory to design new efficient (deterministic) polynomial identity tests for noncommutative polynomials. More precisely, given a noncommutative circuit $C(x_1, \cdots, x_n)$ computing a polynomial of degree $d$ with $t$ monomials in $\mathbb{F}\{x_1, \cdots, x_n\}$, where the variables $x_i$ are noncommuting, we give a deterministic polynomial identity test that checks if $C \equiv 0$ and runs in time polynomial in $d$, $|C|$, $n$, and $t$. The main idea in our algorithm is to think of the noncommuting monomials over the $x_i$ as words and to design finite automata that allow us to distinguish between different words. Then, using the connection between automata, monoids and matrix rings we are able to deterministically choose a relatively small number of matrix assignments for the noncommuting variables to decide if $C \equiv 0$. Thus, we are able to avoid using the Amitsur-Levitzki theorem. Indeed, using our automata theory method we can easily give an alternative proof of (a weaker) version of Amitsur-Levitzki which is good enough for algorithmic purposes as in [BW05], for example.

Our method actually works in a black-box setting. In fact, given a noncommuting black-box polynomial $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ of degree $d$ with $t$ monomials, which we can evaluate by assigning matrices to the $x_i$, we can reconstruct the entire polynomial $f$ in time polynomial in $n$, $d$ and $t$. Furthermore, we also apply this idea to black-box noncommuting algebraic branching programs.
We extend the result of Raz and Shpilka [RS05] by giving an efficient deterministic reconstruction algorithm for black-box noncommuting algebraic branching programs (wherein we are allowed to only query the ABP for input variables set to matrices of polynomial dimension). Our black-box model assumes that we can query for the output of any gate of the ABP, not just the output gate.

We now motivate and explain the other results in the paper. Recently, in [AM07] we studied PIT (the usual commuting variables setting) and its connection to the polynomial ideal membership problem. Although ideal membership is EXPSPACE-complete, there is an interesting similarity between the two problems which is the motivation for the present paper. Suppose $I \subset \mathbb{F}[x_1, \cdots, x_n]$ is an ideal generated by polynomials $g_1, \cdots, g_r \in \mathbb{F}[x_1, \cdots, x_k]$ and $f \in \mathbb{F}[x_1, \cdots, x_n]$. We observe that $f \in I$ if and only if $f$ is identically zero in the ring $\mathbb{F}[x_1, \cdots, x_k]/I\,[x_{k+1}, \cdots, x_n]$. Thus, ideal membership is easily reducible to polynomial identity testing when the coefficient ring is $\mathbb{F}[x_1, \cdots, x_k]/I$. Consequently, identity testing for the coefficient ring $\mathbb{F}[x_1, \cdots, x_k]/I$ is EXPSPACE-hard even when the polynomial $f$ is given explicitly as a linear combination of monomials.

This raises the question about the complexity of PIT for a polynomial ring $R[x_1, \cdots, x_n]$ where $R$ is a commutative ring with unity. How does the complexity depend on the structure of the ring $R$? We give a precise answer to this question in this paper. We show that the algebraic structure of $R$ is not important. It suffices that the elements of $R$ have polynomial-size encoding, and w.r.t. this encoding the ring operations can be efficiently performed.
This is in contrast to the ring $\mathbb{F}[x_1, \cdots, x_k]/I$: we have a double exponential number of elements of polynomial degree in $\mathbb{F}[x_1, \cdots, x_k]$, and the ring operations in $\mathbb{F}[x_1, \cdots, x_k]/I$ are essentially ideal membership questions and hence computationally hard.

More precisely, we study polynomial identity testing for finite commutative rings $R$, where we assume that the elements of $R$ are uniformly encoded as strings in $\{0,1\}^m$ with two special strings encoding 0 and 1, and the ring operations are carried out by queries to the ring oracle.

2 Noncommutative Polynomial Identity Testing

Recall that an arithmetic circuit $C$ over a field $\mathbb{F}$ is defined as follows: $C$ takes as inputs a set of indeterminates (either commuting or noncommuting) and elements from $\mathbb{F}$ as scalars. If $f, g$ are the inputs of an addition gate, then the output will be $f + g$. Similarly, for a multiplication gate the output will be $fg$. For noncommuting variables the circuit respects the order of multiplication. An arithmetic circuit is a formula if the fan-out of every gate is at most one.

Noncommutative identity testing was studied by Raz and Shpilka in [RS05] and Bogdanov and Wee in [BW05]. In the Bogdanov-Wee paper, they considered a polynomial $f$ of small degree over $\mathbb{F}\{x_1, \cdots, x_n\}$, for a field $\mathbb{F}$, given by an arithmetic circuit. They were able to give a randomized polynomial time algorithm for the identity testing of $f$. The key feature of their algorithm was a reduction from noncommutative identity testing to commutative identity testing which is based on a classic theorem of Amitsur and Levitzki [AL50] about minimal identities for algebras.
Raz and Shpilka [RS05] give a deterministic polynomial-time algorithm for noncommutative formula identity testing by first converting a homogeneous formula into a noncommutative algebraic branching program (ABP), as done in [N91].

In this section we study the noncommutative polynomial identity testing problem. Using simple ideas from automata theory, we design a new deterministic identity test that runs in polynomial time if the input circuit is sparse and of small degree. Our algorithm works with only black-box access to the noncommuting polynomial, and we can even efficiently reconstruct the polynomial.

We will first describe the algorithm to test if a sparse polynomial of polynomial degree over noncommuting variables is identically zero. Then we give an algorithm that reconstructs this sparse polynomial. Though the latter result subsumes the former, for clarity of exposition, we describe both. Furthermore, we note that we can assume that the polynomial is given as an arithmetic circuit over a field $\mathbb{F}$.

In the case of commuting variables, [OT88] gives an interpolation algorithm that computes the given sparse polynomial, and thus can be used for identity testing. It is not clear how to generalize this algorithm to the noncommutative setting. Our identity testing algorithm evaluates the given polynomial at specific, well-chosen points in a matrix algebra (of polynomial dimension over the base field), such that any non-zero sparse polynomial is guaranteed to evaluate to a non-zero matrix at one of these points. The reconstruction algorithm uses the above identity testing algorithm as a subroutine in a prefix-based search to find all the monomials and their coefficients.

We now describe the identity testing algorithm informally. Our idea is to view each monomial as a short binary string.
A sparse polynomial, hence, is given by a polynomial number of such strings (and the coefficients of the corresponding monomials). The algorithm proceeds in two steps: in the first step, we construct a small set of finite automata such that, given any small collection of short binary strings, at least one automaton from the set accepts exactly one string from this collection; in the second step, for each of the automata constructed, we construct a tuple of points over a matrix algebra over $\mathbb{F}$ such that the evaluation of any monomial at the tuple 'mimics' the run of the corresponding string on the automaton. Now, given any non-zero polynomial $f$ of small degree with few terms, we are guaranteed to have constructed an automaton $A$ 'isolating' a string from the collection of strings corresponding to monomials in $f$. We then show that evaluating $f$ over the tuple corresponding to $A$ gives us a non-zero output: hence, we can conclude $f$ is non-zero.

We now describe both algorithms formally.

2.1 Preliminaries

We first recall some standard automata theory notation (see, for example, [HU78]). Fix a finite automaton $A = (Q, \delta, q_0, q_f)$ which takes as input strings in $\{0,1\}^*$. $Q$ is the set of states of $A$, $\delta : Q \times \{0,1\} \to Q$ is the transition function, and $q_0$ and $q_f$ are the initial and final states respectively (throughout, we only consider automata with unique accepting states). For each letter $b \in \{0,1\}$, let $\delta_b : Q \to Q$ be the function defined by $\delta_b(q) = \delta(q, b)$. These functions generate a submonoid of the monoid of all functions from $Q$ to $Q$. This is the transition monoid of the automaton $A$ and is well-studied in automata theory: for example, see [Str94, page 55]. We now define the 0-1 matrix $M_b \in \mathbb{F}^{|Q| \times |Q|}$ as follows:

$$M_b(q, q') = \begin{cases} 1 & \text{if } \delta_b(q) = q', \\ 0 & \text{otherwise.} \end{cases}$$

The matrix $M_b$ is simply the adjacency matrix of the graph of the function $\delta_b$.
As the entries of $M_b$ are only zeros and ones, we can consider $M_b$ to be a matrix over any field $\mathbb{F}$.

Furthermore, for any $w = w_1 w_2 \cdots w_k \in \{0,1\}^*$ we define the matrix $M_w$ to be the matrix product $M_{w_1} M_{w_2} \cdots M_{w_k}$. If $w$ is the empty string, define $M_w$ to be the identity matrix of dimension $|Q| \times |Q|$. For a string $w$, let $\delta_w$ denote the natural extension of the transition function to $w$; if $w$ is the empty string, $\delta_w$ is simply the identity function. It is easy to check that:

$$M_w(q, q') = \begin{cases} 1 & \text{if } \delta_w(q) = q', \\ 0 & \text{otherwise.} \end{cases} \qquad (1)$$

Thus, $M_w$ is also a matrix of zeros and ones for any string $w$. Also, $M_w(q_0, q_f) = 1$ if and only if $w$ is accepted by the automaton $A$.

2.2 The output of a circuit on an automaton

Now, we consider the ring $\mathbb{F}\{x_1, \cdots, x_n\}$ of polynomials with noncommuting variables $x_1, \cdots, x_n$ over a field $\mathbb{F}$. Let $C$ be a noncommutative arithmetic circuit computing a polynomial $f \in \mathbb{F}\{x_1, \cdots, x_n\}$. Let $d$ be an upper bound on the degree of $f$. We can consider monomials over the noncommuting variables $x_1, \cdots, x_n$ as strings over an alphabet of size $n$. For our construction in Section 2.3, it is convenient to encode the variables $x_i$ in the alphabet $\{0,1\}$. We do this by encoding the variable $x_i$ by the string $v_i = 01^i0$, which is basically a unary encoding with delimiters. Clearly, each monomial over the $x_i$'s of degree at most $d$ maps uniquely to a binary string of length at most $d(n+2)$.

Let $A = (Q, \delta, q_0, q_f)$ be a finite automaton over the alphabet $\{0,1\}$. With respect to automaton $A$ we have matrices $M_{v_i} \in \mathbb{F}^{|Q| \times |Q|}$ as defined in Section 2.1, where each $v_i$ is the binary string that encodes $x_i$. We are interested in the output matrix obtained when the inputs $x_i$ to the circuit $C$ are replaced by the matrices $M_{v_i}$.
This output matrix is defined in the obvious way: the inputs are $|Q| \times |Q|$ matrices and we do matrix addition and matrix multiplication at each addition (resp. multiplication) gate of the circuit $C$. We define the output of $C$ on the automaton $A$ to be this output matrix $M_{out}$. Clearly, given circuit $C$ and automaton $A$, the matrix $M_{out}$ can be computed in time $\mathrm{poly}(|C|, |A|, n)$.

We observe the following property: the matrix output $M_{out}$ of $C$ on $A$ is determined completely by the polynomial $f$ computed by $C$; the structure of the circuit $C$ is otherwise irrelevant. This is important for us, since we are only interested in $f$. In particular, the output is always 0 when $f \equiv 0$.

More specifically, consider what happens when $C$ computes a polynomial with a single term, say $f(x_1, \cdots, x_n) = c\,x_{j_1} \cdots x_{j_k}$, with a non-zero coefficient $c \in \mathbb{F}$. In this case, the output matrix $M_{out}$ is clearly the matrix $c\,M_{v_{j_1}} \cdots M_{v_{j_k}} = c\,M_w$, where $w = v_{j_1} \cdots v_{j_k}$ is the binary string representing the monomial $x_{j_1} \cdots x_{j_k}$. Thus, by Equation 1 above, we see that the entry $M_{out}(q_0, q_f)$ is 0 when $A$ rejects $w$, and $c$ when $A$ accepts $w$. In general, suppose $C$ computes a polynomial $f = \sum_{i=1}^{t} c_i m_i$ with $t$ nonzero terms, where $c_i \in \mathbb{F} \setminus \{0\}$ and $m_i = \prod_{j=1}^{d_i} x_{i_j}$, where $d_i \le d$. Let $w_i = v_{i_1} \cdots v_{i_{d_i}}$ denote the binary string representing monomial $m_i$. Finally, let $S_A^f = \{ i \in \{1, \cdots, t\} \mid A \text{ accepts } w_i \}$.

Theorem 2.1. Given any arithmetic circuit $C$ computing polynomial $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ and any finite automaton $A = (Q, \delta, q_0, q_f)$, the output $M_{out}$ of $C$ on $A$ is such that $M_{out}(q_0, q_f) = \sum_{i \in S_A^f} c_i$.

Proof. The proof is an easy consequence of the definitions and the properties of the matrices $M_w$ stated in Section 2.1. Note that $M_{out} = f(M_{v_1}, \cdots, M_{v_n})$.
But $f(M_{v_1}, \cdots, M_{v_n}) = \sum_{i=1}^{t} c_i M_{w_i}$, where $w_i = v_{i_1} \cdots v_{i_{d_i}}$ is the binary string representing monomial $m_i$. By Equation 1, we know that $M_{w_i}(q_0, q_f)$ is 1 if $w_i$ is accepted by $A$, and 0 otherwise. Adding up, we obtain the result.

We now explain the role of the automaton $A$ in testing if the polynomial $f$ computed by $C$ is identically zero or not. Our basic idea is to try and design an automaton $A$ that accepts exactly one word from among all the words that correspond to the non-zero terms in $f$. This would ensure that $M_{out}(q_0, q_f)$ is the non-zero coefficient of the monomial filtered out. More precisely, we will use the above theorem primarily in the following form, which we state as a corollary.

Corollary 2.2. Given any arithmetic circuit $C$ computing polynomial $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ and any finite automaton $A = (Q, \delta, q_0, q_f)$, the output $M_{out}$ of $C$ on $A$ satisfies:
(1) If $A$ rejects every string corresponding to a monomial in $f$, then $M_{out}(q_0, q_f) = 0$.
(2) If $A$ accepts exactly one string corresponding to a monomial in $f$, then $M_{out}(q_0, q_f)$ is the nonzero coefficient of that monomial in $f$.
Moreover, $M_{out}$ can be computed in time $\mathrm{poly}(|C|, |A|, n)$.

Proof. Both points (1) and (2) are immediate consequences of the above theorem. The complexity of computing $M_{out}$ easily follows from its definition.

Another interesting corollary to the above theorem is the following.

Corollary 2.3. Given any arithmetic circuit $C$ over $\mathbb{F}\{x_1, \cdots, x_n\}$, and any monomial $m$ of degree $d_m$, we can compute the coefficient of $m$ in $C$ in time $\mathrm{poly}(|C|, d_m, n)$.

Proof. Apply Corollary 2.2 with $A$ being any standard automaton that accepts the string corresponding to monomial $m$ and rejects every other string. Clearly, $A$ can be chosen so that $A$ has a unique accepting state and $|A| = O(n d_m)$.
Remark 2.4. Observe that Corollary 2.3 is highly unlikely to hold in the commutative setting $\mathbb{F}[x_1, \cdots, x_n]$. For, in the commutative case, computing the coefficient of the monomial $x_1 \cdots x_n$ in even an arbitrary product of linear forms $\prod_i \ell_i$ is at least as hard as the permanent problem over $\mathbb{F}$, which is #P-complete when $\mathbb{F} = \mathbb{Q}$.

Remark 2.5. Corollary 2.2 can also be used to give an independent proof of a weaker form of the result of Amitsur and Levitzki that is stated in Lemma A.4. In particular, it is easy to see that the algebra $M_d(\mathbb{F})$ of $d \times d$ matrices over the field $\mathbb{F}$ does not satisfy any nontrivial identity of degree $< d$. To prove this, we will consider noncommuting monomials as strings directly over the $n$ letter alphabet $\{x_1, \cdots, x_n\}$. Suppose $f = \sum_{i=1}^{t} c_i m_i \in \mathbb{F}\{x_1, \cdots, x_n\}$ is a nonzero polynomial of degree $< d$. Clearly, we can construct an automaton $B$ over the alphabet $\{x_1, \cdots, x_n\}$ that accepts exactly one string, namely one nonzero monomial, say $m_{i_0}$, of $f$ and rejects all the other strings over $\{x_1, \cdots, x_n\}$. Also, $B$ can be constructed with at most $d$ states. Now, consider the output $M_{out}$ of any circuit computing $f$ on $B$. By Corollary 2.2 the output matrix is non-zero, and this proves the result.

2.3 Construction of finite automata

We begin with a useful definition.

Definition 2.6. Let $W$ be a finite set of binary strings and $\mathcal{A}$ be a finite family of finite automata over the binary alphabet $\{0,1\}$.
• We say that $\mathcal{A}$ is isolating for $W$ if there exists a string $w \in W$ and an automaton $A \in \mathcal{A}$ such that $A$ accepts $w$ and rejects all $w' \in W \setminus \{w\}$.
• We say that $\mathcal{A}$ is an $(m, s)$-isolating family if for every subset $W = \{w_1, \cdots, w_s\}$ of $s$ many binary strings, each of length at most $m$, there is an $A \in \mathcal{A}$ such that $A$ is isolating for $W$.

Fix parameters $m, s \in \mathbb{N}$.
Our first aim is to construct an $(m, s)$-isolating family of automata $\mathcal{A}$, where both $|\mathcal{A}|$ and the size of each automaton in $\mathcal{A}$ is polynomially bounded in size. Then, combined with Corollary 2.2 we will be able to obtain deterministic identity testing and interpolation algorithms in the sequel.

Recall that we only deal with finite automata that have unique accepting states. In what follows, for a string $w \in \{0,1\}^*$, we denote by $n_w$ the positive integer represented by the binary numeral $1w$. For each prime $p$ and each integer $i \in \{0, \cdots, p-1\}$, we can easily construct an automaton $A_{p,i}$ that accepts exactly those $w$ such that $n_w \equiv i \pmod{p}$. Moreover, $A_{p,i}$ can be constructed so as to have $p$ states and exactly one final state.

Our collection of automata $\mathcal{A}$ is just the set of $A_{p,i}$ where $p$ runs over the first few polynomially many primes, and $i \in \{0, \cdots, p-1\}$. Formally, let $N$ denote $(m+2)s^2 + 1$; $\mathcal{A}$ is the collection of $A_{p,i}$, where $p$ runs over the first $N$ primes and $i \in \{0, \cdots, p-1\}$. Notice that, by the prime number theorem, all the primes chosen above are bounded in value by $N^2$, which is clearly polynomial in $m$ and $s$. Hence, $|\mathcal{A}| = \mathrm{poly}(m, s)$, and each $A \in \mathcal{A}$ is bounded in size by $\mathrm{poly}(m, s)$. In the following lemma we show that $\mathcal{A}$ is an $(m, s)$-isolating automata family.

Lemma 2.7. The family of finite automata $\mathcal{A}$ defined as above is an $(m, s)$-isolating automata family.

Proof. Consider any set of $s$ binary strings $W$ of length at most $m$ each. By the construction of $\mathcal{A}$, $A_{p,i} \in \mathcal{A}$ isolates $W$ if and only if $p$ does not divide $n_{w_j} - n_{w_k}$ for some $j$ and all $k \ne j$, and $n_{w_j} \equiv i \pmod{p}$. Clearly, if $p$ satisfies the first of these conditions, $i$ can easily be chosen so that the second condition is satisfied. We will show that there is some prime among the first $N$ primes that does not divide $P = \prod_{j \ne k} (n_{w_j} - n_{w_k})$.
This easily follows from the fact that the number of distinct prime divisors of $P$ is at most $\log |P|$, which is clearly bounded by $(m+2)s^2 = N - 1$. This concludes the proof.

We note that the above $(m, s)$-isolating family $\mathcal{A}$ can clearly be constructed in time $\mathrm{poly}(m, s)$.

2.4 The identity testing algorithm

We now describe the identity testing algorithm. Let $C$ be the input circuit computing a polynomial $f$ over $\mathbb{F}\{x_1, \cdots, x_n\}$. Let $t$ be an upper bound on the number of monomials in $f$, and $d$ be an upper bound on the degree of $f$. As in Section 2.2, we represent monomials over $x_1, \cdots, x_n$ as binary strings. Every monomial in $f$ is represented by a string of length at most $d(n+2)$.

Our algorithm proceeds as follows: using the construction of Section 2.3, we compute a family $\mathcal{A}$ of automata such that $\mathcal{A}$ is isolating for any set $W$ with at most $t$ strings of length at most $d(n+2)$ each. For each $A \in \mathcal{A}$, the algorithm computes the output $M_{out}$ of $C$ on $A$. If $M_{out} \ne 0$ for any $A$, then the algorithm concludes that the polynomial computed by the input circuit is not identically zero; otherwise, the algorithm declares that the polynomial is identically zero.

The correctness of the above algorithm is almost immediate from Corollary 2.2. If the polynomial is identically zero, it is easy to see that the algorithm outputs the correct answer. If the polynomial is nonzero, then by the construction of $\mathcal{A}$, we know that there exists $A \in \mathcal{A}$ such that $A$ accepts precisely one of the strings corresponding to the monomials in $f$. Then, by Corollary 2.2, the output of $C$ on $A$ is nonzero. Hence, the algorithm correctly deduces that the polynomial computed is not identically zero.

As for the running time of the algorithm, it is easy to see that the family of automata $\mathcal{A}$ can be constructed in time $\mathrm{poly}(d, n, t)$.
Also, the matrices $M_{v_i}$ for each $A$ (all of which are of size $\mathrm{poly}(d, n, t)$) can be constructed in polynomial time. Hence, the entire algorithm runs in time $\mathrm{poly}(|C|, d, n, t)$. We have proved the following theorem:

Theorem 2.8. Given any arithmetic circuit $C$ with the promise that $C$ computes a polynomial $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ of degree $d$ with at most $t$ monomials, we can check, in time $\mathrm{poly}(|C|, d, n, t)$, if $f$ is identically zero. In particular, if $f$ is sparse and of polynomial degree, then we have a deterministic polynomial time algorithm.

In the case of arbitrary noncommutative arithmetic circuits, [BW05] gives a randomized exponential time algorithm for the identity testing problem. Their algorithm is based on the Amitsur-Levitzki theorem, which forces the identity test to randomly assign exponential size matrices for the noncommuting variables since the circuit could compute an exponential degree polynomial. However, notice that Theorem 2.8 gives a deterministic exponential-time algorithm under the additional restriction that the input circuit computes a polynomial with at most exponentially many monomials. In general, a polynomial of exponential degree can have a double exponential number of terms.

2.5 Interpolation of noncommutative polynomials

We now describe an algorithm that efficiently computes the noncommutative polynomial given by the input circuit. Let $C$, $f$, $t$ and $d$ be as in Section 2.4. Let $W$ denote the set of all strings corresponding to monomials with non-zero coefficients in $f$. For all binary strings $w$, let $A_w$ denote any standard automaton that accepts $w$ and rejects all other strings. For any automaton $A$ and string $w$, we let $[A]_w$ denote the automaton that accepts those strings that are accepted by $A$ and, in addition, contain $w$ as a prefix. For a set of finite automata $\mathcal{A}$, let $[\mathcal{A}]_w$ denote the set $\{ [A]_w \mid A \in \mathcal{A} \}$.
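The identity test of Section 2.4 and the coefficient extraction of Corollary 2.3, written out in Python as an added example (not code from the paper). It assumes a circuit given as nested tuples with integer constants over $\mathbb{Q}$, stores matrices sparsely as one dictionary per row, and takes $N = (m+2)s^2 + 1$ as printed in Section 2.3; all function and circuit names are hypothetical.

```python
def encode(i):
    """Binary encoding v_i = 0 1^i 0 of the variable x_i (Section 2.2)."""
    return "0" + "1" * i + "0"

def letter_matrices(size, delta):
    """Sparse 0-1 matrices M_0, M_1: row q is {delta(q, b): 1}."""
    return {b: [{delta(q, b): 1} for q in range(size)] for b in "01"}

def mat_mul(a, b):
    out = []
    for row in a:
        acc = {}
        for k, x in row.items():
            for j, y in b[k].items():
                acc[j] = acc.get(j, 0) + x * y
        out.append({j: v for j, v in acc.items() if v != 0})
    return out

def mat_add(a, b):
    out = []
    for ra, rb in zip(a, b):
        acc = dict(ra)
        for j, y in rb.items():
            acc[j] = acc.get(j, 0) + y
        out.append({j: v for j, v in acc.items() if v != 0})
    return out

def scalar(c, size):
    """c times the identity matrix."""
    return [({q: c} if c != 0 else {}) for q in range(size)]

def output_on_automaton(circuit, size, delta):
    """M_out of Section 2.2: evaluate the circuit with x_i replaced by M_{v_i}."""
    letters = letter_matrices(size, delta)

    def ev(node):
        op = node[0]
        if op == "const":
            return scalar(node[1], size)
        if op == "var":
            m = scalar(1, size)
            for b in encode(node[1]):      # M_w = M_{w_1} M_{w_2} ... M_{w_k}
                m = mat_mul(m, letters[b])
            return m
        left, right = ev(node[1]), ev(node[2])
        return mat_add(left, right) if op == "+" else mat_mul(left, right)

    return ev(circuit)

def first_primes(count):
    primes, cand = [], 2
    while len(primes) < count:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes

def identity_test(circuit, n, d, t):
    """Section 2.4 under the promise (degree <= d, at most t monomials):
    None means f is identically zero, else a witness (p, i, M_out(q0, qf))."""
    m = d * (n + 2)                        # bound on the length of an encoded monomial
    N = (m + 2) * t * t + 1                # number of primes, as printed in Section 2.3
    for p in first_primes(N):
        # A_{p,i}: state = n_w mod p for the numeral 1w, start state 1 mod p, final state i.
        # The matrices depend only on p, so row q0 of one M_out covers every i at once.
        out = output_on_automaton(circuit, p, lambda q, b, p=p: (2 * q + int(b)) % p)
        row = out[1 % p]
        if row:
            i = min(row)
            return (p, i, row[i])
    return None

def coefficient(circuit, monomial):
    """Corollary 2.3: coefficient of x_{j1}...x_{jk}, with monomial = [j1, ..., jk]."""
    w = "".join(encode(j) for j in monomial)
    dead = len(w) + 1                      # states 0..len(w) trace w; everything else dies

    def delta(q, b):
        return q + 1 if q < len(w) and w[q] == b else dead

    return output_on_automaton(circuit, len(w) + 2, delta)[0].get(len(w), 0)

# Constructed sample circuits over x1, x2 (nested tuples; integer constants).
def add(a, b): return ("+", a, b)
def mul(a, b): return ("*", a, b)
def neg(a): return mul(("const", -1), a)
X1, X2 = ("var", 1), ("var", 2)

# (x1 + x2)(x1 - x2) - (x1x1 - x2x2) = x2x1 - x1x2: zero for commuting variables only.
COMMUTATOR = add(mul(add(X1, X2), add(X1, neg(X2))),
                 neg(add(mul(X1, X1), neg(mul(X2, X2)))))
# (x1 + x2)^2 - (x1x1 + x1x2 + x2x1 + x2x2): identically zero.
ZERO = add(mul(add(X1, X2), add(X1, X2)),
           neg(add(add(mul(X1, X1), mul(X1, X2)), add(mul(X2, X1), mul(X2, X2)))))

if __name__ == "__main__":
    print(identity_test(COMMUTATOR, n=2, d=2, t=2))
    print(identity_test(ZERO, n=2, d=2, t=2))
    print(coefficient(COMMUTATOR, [2, 1]), coefficient(COMMUTATOR, [1, 2]))
```

For the commutator the two encoded monomials give $n_w = 166$ and $178$, which collide modulo 2 and 3 and are first separated at $p = 5$, so the primes 2 and 3 report nothing and the witness comes from $A_{5,1}$.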
We now describe a subroutine Test that takes as input an arithmetic circuit $C$ and a set of finite automata $\mathcal{A}$ and returns a field element $\alpha \in \mathbb{F}$. The subroutine Test will have the following properties:
(P1) If $\mathcal{A}$ is isolating for $W$, the set of strings corresponding to monomials in $f$, then $\alpha \ne 0$.
(P2) In the special case when $|\mathcal{A}| = 1$, and the above holds, then $\alpha$ is in fact the coefficient of the isolated monomial.
(P3) If no $A \in \mathcal{A}$ accepts any string in $W$, then $\alpha = 0$.

We now give the easy description of Test($C$, $\mathcal{A}$): for each $A \in \mathcal{A}$, the subroutine Test computes the output matrix $M_{out}^{A}$ of $C$ on $A$. If there is an $A \in \mathcal{A}$ such that $M_{out}^{A}(q_0^A, q_f^A) \ne 0$, then for the first such automaton $A \in \mathcal{A}$, Test returns the scalar $\alpha = M_{out}^{A}(q_0^A, q_f^A)$. Here, notice that $q_0^A, q_f^A$ denote the initial and final states of the automaton $A$. If no such automaton $A \in \mathcal{A}$ is found, then the subroutine returns the scalar 0.

It follows directly from Corollary 2.2 that Test has Properties (P1)-(P3). Furthermore, clearly Test runs in time $\mathrm{poly}(|C|, \|\mathcal{A}\|)$, where $\|\mathcal{A}\|$ denotes the sum of the sizes of the automata in $\mathcal{A}$.

Let $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ denote the noncommuting polynomial computed by the input circuit $C$. We now describe a recursive prefix-search based algorithm Interpolate that takes as input the circuit $C$ and a binary string $u$, and computes all those monomials of $f$ (along with their coefficients) which contain $u$ as a prefix when encoded as strings using our encoding $x_i \mapsto v_i = 01^i0$. Clearly, in order to obtain all monomials of $f$ with their coefficients, it suffices to run this algorithm with $u = \epsilon$, the empty string.

In what follows, let $\mathcal{A}_0$ denote the $(m, s)$-isolating automata family $\{A_{p,i}\}$ as constructed in Section 2.3 with parameters $m = d(n+2)$ and $s = t$. As explained in Section 2.3, we can compute $\mathcal{A}_0$ in time $\mathrm{poly}(d, n, t)$.
Suppose $f$ is the polynomial computed by the circuit $C$. We now describe the algorithm Interpolate($C$, $u$) formally (Algorithm 1).

The correctness of this algorithm is clear from the correctness of the Test subroutine and Lemma 2.7. To bound the running time, note that the algorithm never calls Interpolate on a string $u$ unless $u$ is the prefix of some string corresponding to a monomial. Hence, the algorithm invokes Interpolate for at most $O(td(n+2))$ many prefixes $u$. Since $\|[\mathcal{A}_0]_{u0}\|$ and $|A_u|$ are both bounded by $\mathrm{poly}(d, n, t)$ for all prefixes $u$, it follows that the running time of the algorithm is $\mathrm{poly}(|C|, d, n, t)$. We summarize this discussion in the following theorem.

Theorem 2.9. Given any arithmetic circuit $C$ computing a polynomial $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ of degree at most $d$ and with at most $t$ monomials, we can compute all the monomials of $f$, and their coefficients, in time $\mathrm{poly}(|C|, d, n, t)$. In particular, if $C$ computes a sparse polynomial $f$ of polynomial degree, then $f$ can be reconstructed in polynomial time.

3 Interpolation of Algebraic Branching Programs over noncommuting variables

In this section, we study the interpolation problem for black-box Algebraic Branching Programs (ABP) computing a polynomial in the noncommutative ring $\mathbb{F}\{x_1, \cdots, x_n\}$. We are given as input an ABP (defined below) $P$ in the black-box setting, and our task is to output an ABP $P'$ that computes the same polynomial as $P$. To make the task feasible in the black-box setting, we assume that we are allowed to evaluate $P$ at any of its intermediate gates.

We first observe that all the results in Section 2 hold under the assumption that the input polynomial $f$ is allowed only black-box access.
In the noncommutative setting, we shall assume that the black-box access allows the polynomial to be evaluated for input values from an arbitrary matrix algebra over the base field $\mathbb{F}$. It is implicit here that the cost of evaluation is polynomial in the dimension of the matrices. Note that this is a reasonable noncommutative black-box model, because if we can evaluate $f$ only over $\mathbb{F}$ or any commutative extension of $\mathbb{F}$, then we cannot distinguish the non-commutative polynomial represented by $f$ from the corresponding commutative polynomial. We state the black-box version of our results below.

Theorem 3.1 (Similar to Theorem 2.1). Given black-box access to any polynomial $f = \sum_{i=1}^{t} c_i m_i \in \mathbb{F}\{x_1, \cdots, x_n\}$ and any finite automaton $A = (Q, \delta, q_0, q_f)$, the output $M_{out}$ of $f$ on $A$ is such that $M_{out}(q_0, q_f) = \sum_{i \in S_A^f} c_i$, where $S_A^f = \{ i \mid 1 \le i \le t \text{ and } A \text{ accepts the string } w_i \text{ corresponding to } m_i \}$.

Here the output of polynomial $f$ on $A$ is defined analogously to the output of a circuit on $A$ in Section 2.2.

Algorithm 1 The Interpolation algorithm

    procedure Interpolate($C$, $u$)
        $\alpha, \alpha', \alpha'' \leftarrow 0$
        $\alpha \leftarrow$ Test($C$, $\{A_u\}$)    ▷ $A_u$ is the standard automaton that accepts only $u$
        if $\alpha = 0$ then
            Break    ▷ $u$ cannot correspond to a monomial of $f$
        else
            Output $(u, \alpha)$    ▷ $u$ is the binary encoding of a monomial of $f$ with coefficient $\alpha$
        end if
        Now the algorithm finds all monomials (along with their coefficients) containing $u0$ or $u1$ as a prefix in the binary encoding.
        if $|u| = d(n+2)$ then
            Stop
        else
            $\alpha' \leftarrow$ Test($C$, $[\mathcal{A}_0]_{u0}$), $\alpha'' \leftarrow$ Test($C$, $[\mathcal{A}_0]_{u1}$)
        end if
        if $\alpha' \ne 0$ then
            Interpolate($C$, $u0$)    ▷ There is some monomial in $C$ extending $u0$
        end if
        if $\alpha'' \ne 0$ then
            Interpolate($C$, $u1$)    ▷ There is some monomial in $C$ extending $u1$
        end if
    end procedure
Corollary 3.2 (Similar to Corollary 2.3) Given black-box access to a polynomial $f$ in $\mathbb{F}\{x_1, \cdots, x_n\}$, and any monomial $m$ of degree $d_m$, we can compute the coefficient of $m$ in $f$ in time $\mathrm{poly}(d_m, n)$.

Finally we have,

Theorem 3.3 (Similar to Theorem 2.9) Given black-box access to a polynomial $f$ in $\mathbb{F}\{x_1, \cdots, x_n\}$ of degree at most $d$ and with at most $t$ monomials, we can compute all the monomials of $f$, and their coefficients, in time $\mathrm{poly}(d, n, t)$. In particular, if $f$ is a sparse polynomial of polynomial degree, then it can be reconstructed in polynomial time.

Our interpolation algorithm for noncommutative ABPs is motivated by Raz and Shpilka's [RS05] algorithm for identity testing of ABPs over noncommuting variables. Our algorithm interpolates the given ABP layer by layer using ideas developed in Section 2 (principally Corollary 3.2).

Definition 3.4 [N91, RS05] An Algebraic Branching Program (ABP) is a directed acyclic graph with one vertex of in-degree zero, called the source, and a vertex of out-degree zero, called the sink. The vertices of the graph are partitioned into levels numbered $0, 1, \cdots, d$. Edges may only go from level $i$ to level $i+1$ for $i \in \{0, \cdots, d-1\}$. The source is the only vertex at level 0 and the sink is the only vertex at level $d$. Each edge is labeled with a homogeneous linear form in the input variables. The size of the ABP is the number of vertices.

Notice that an ABP with no edge between two vertices $u$ and $v$ on levels $i$ and $i+1$ is equivalent to an ABP with an edge from $u$ to $v$ labeled with the zero linear form. Thus, without loss of generality, we assume that in the given ABP there is an edge between every pair of vertices on adjacent levels.
As mentioned before, we will assume black-box access to the input ABP $P$ where we can evaluate the polynomial computed by $P$ at any of its gates over arbitrary matrix rings over $\mathbb{F}$. In order to specify the gate at which we want the output, we index the gates of $P$ with a layer number and a gate number (in the layer).

Based on [RS05], we now define a Raz-Shpilka basis for the level $i$ of the ABP. Let the number of nodes at the $i$-th level be $G_i$ and let $\{p_1, p_2, \cdots, p_{G_i}\}$ be the polynomials computed at the nodes. We will identify this set of polynomials with the $G_i \times n^i$ matrix $M_i$ where the columns of $M_i$ are indexed by $n^i$ different monomials of degree $i$, and the rows are indexed by the polynomials $p_j$. The entries of the matrix $M_i$ are the corresponding polynomial coefficients. A Raz-Shpilka basis is a set of at most $G_i$ linearly independent column vectors of $M_i$ that generates the entire column space. Notice that every vector in the basis is identified by a monomial.

In the algorithm we need to compute a Raz-Shpilka basis at every level of the ABP. Notice that at the level 0 it is trivial to compute such a basis. Inductively assume we can compute such a basis at the level $i$. Denote the basis by $B_i = \{v_1, v_2, \cdots, v_{k_i}\}$ where $v_j \in \mathbb{F}^{G_i}$, and $k_i \leq G_i$. Assume that the elements of this basis correspond to the monomials $\{m_1, m_2, \cdots, m_{k_i}\}$. We compute a Raz-Shpilka basis at the level $i+1$ by computing the column vectors corresponding to the set of monomials $\{m_j x_s\}_{j \in [k_i], s \in [n]}$ in $M_{i+1}$ and then extracting the linearly independent vectors out of them. Computing these column vectors requires the computation of the coefficients of these monomials, which can be done in polynomial time using Corollary 3.2. Notice that we also know the monomials that the elements of this basis correspond to.

We now describe the interpolation algorithm formally.
As mentioned before, we will construct the output ABP $P'$ layer by layer such that every gate of $P'$ computes the same polynomial as the corresponding gate in $P$. Clearly, this task is trivial at level 0. Assume that we have completed the construction up to level $i < d$. We now construct level $i+1$. This only involves computation of the linear forms between level $i$ and level $i+1$. Hence, there are $k_i \leq G_i$ vectors in the Raz-Shpilka basis at the $i$th level. Let the monomials corresponding to these vectors be $B = \{m_1, \cdots, m_{k_i}\}$.

Fix any gate $u$ at level $i+1$ in $P$, and let $p_u$ be the polynomial computed at this gate in $P$. Clearly,

$$p_u = \sum_{j=1}^{G_i} p_j \ell_j$$

where $p_j$ is the polynomial computed at the $j$th gate at level $i$, and $\ell_j$ is the linear form labeling the edge between the $j$th gate at level $i$ and $u$. We have,

$$p_u = \sum_{j=1}^{G_i} p_j \ell_j = \sum_{j=1}^{G_i} \Big( \sum_{m : |m| = i} c_m^{(j)} m \Big) \Big( \sum_{s=1}^{n} a_s^{(j)} x_s \Big) = \sum_{m : |m| = i,\, s} m x_s \sum_{j=1}^{G_i} c_m^{(j)} a_s^{(j)} = \sum_{m : |m| = i,\, s} m x_s \langle c_m, a_s \rangle$$

where $c_m$ and $a_s$ denote the vectors of field elements $(c_m^{(j)})_j$ and $(a_s^{(j)})_j$ respectively. Note that $a_s$ denotes a vector of unknowns that we need to compute. Each monomial $m x_s$ in the above equation gives us a linear constraint on $a_s$. However, this system of constraints is exponential in size. To obtain a feasible solution for $\{a_s\}_{s \in [n]}$, we observe that it is sufficient to satisfy the constraints corresponding only to monomials $m x_s$ where $m \in B$. All other constraints are simply linear combinations of these and are thus automatically satisfied by any solution to these.

Now, for $m \in B$ and $s \in \{1, \cdots, n\}$, we compute the coefficients of $m x_s$ in $p_u$ and those of $m$ in each of the $p_j$'s using the algorithm of Corollary 3.2. Hence, we have all the linear constraints we need to solve for $\{a_s\}_{s \in [n]}$.
Firstly, note that such a solution exists, since the linear forms in the black-box ABP $P$ give us such a solution. Moreover, any solution to this system of linear equations generates the same polynomial $p_u$ at gate $u$. Hence, we can use any solution to this system of linear equations as our linear forms. We perform this computation for all gates $u$ at the $(i+1)$st level. The final step in the iteration is to compute the Raz-Shpilka basis for the level $i+1$.

We can use induction on the level numbers to argue correctness of the algorithm. From the input black-box ABP $P$, for each level $k$, let $P_{jk}$, $1 \leq j \leq G_k$, denote the algebraic branching programs computed by $P$ with output gate as gate $j$ in level $k$. Assume, as induction hypothesis, that the algorithm has computed linear forms for all levels up to level $i$ and, furthermore, that the algorithm has a correct Raz-Shpilka basis for all levels up to level $i$. This gives us a reconstructed ABP $P'$ up to level $i$ with the property that, for $1 \leq k \leq i$, each ABP $P'_{jk}$, $1 \leq j \leq G_k$, computes the same polynomial as the corresponding $P_{jk}$, $1 \leq j \leq G_k$, where $P'_{jk}$ is obtained from $P'$ by designating gate $j$ at level $k$ as output gate.

Under this induction hypothesis, it is clear that our interpolation algorithm will compute a correct set of linear forms between levels $i$ and $i+1$. Consequently, the algorithm will correctly reconstruct an ABP $P'$ up to level $i+1$ along with a corresponding Raz-Shpilka basis for that level.

We can now summarize the result in the following theorem.

Theorem 3.5 Let $P$ be an ABP of size $s$ and depth $d$ over $\mathbb{F}\{x_1, x_2, \cdots, x_n\}$ given by black-box access that allows evaluation of any gate of $P$ for inputs $x_i$ chosen from a matrix algebra $M_k(\mathbb{F})$ for a polynomially bounded value of $k$.
Then in deterministic time $\mathrm{poly}(d, s, n)$, we can compute an ABP $P'$ such that $P'$ evaluates to the same polynomial as $P$.

4 Noncommutative identity testing and circuit lower bounds

In Section 2 we gave a new deterministic identity test for noncommuting polynomials which runs in polynomial time for sparse polynomials of polynomially bounded degree. However, the real problem of interest is identity testing for polynomials given by small degree noncommutative circuits for which Bogdanov and Wee [BW05] give an efficient randomized test. When the noncommutative circuit is a formula, Raz and Shpilka [RS05] have shown that the problem is in deterministic polynomial time. Their method uses ideas from Nisan's lower bound technique for noncommutative formulae [N91].

How hard would it be to show that noncommutative PIT is in deterministic polynomial time for circuits of polynomial degree? In the commutative case, Impagliazzo and Kabanets [KI03] have shown that derandomizing PIT implies circuit lower bounds. It implies that either NEXP $\not\subseteq$ P/poly or the integer Permanent does not have polynomial-size arithmetic circuits.

We observe that this result also holds in the noncommutative setting. I.e., if noncommutative PIT has a deterministic polynomial-time algorithm then either NEXP $\not\subseteq$ P/poly or the noncommutative Permanent function does not have polynomial-size noncommutative circuits.

As noted, in some cases noncommutative circuit lower bounds are easier to prove than for commutative circuits. Nisan [N91] has shown exponential-size lower bounds for noncommutative formula size and further results are known for pure noncommutative circuits [N91, RS05]. However, proving superpolynomial size lower bounds for general noncommutative circuits computing the Permanent has remained an open problem.
The noncommutative Permanent function $Perm(x_1, \cdots, x_n) \in R\{x_1, \cdots, x_n\}$ is defined as

$$Perm(x_1, \cdots, x_n) = \sum_{\sigma \in S_n} \prod_{i=1}^{n} x_{i,\sigma(i)},$$

where the coefficient ring $R$ is any commutative ring with unity. Specifically, for the next theorem we choose $R = \mathbb{Q}$.

Theorem 4.1 If PIT for noncommutative circuits of polynomial degree $C(x_1, \cdots, x_n) \in \mathbb{Q}\{x_1, \cdots, x_n\}$ is in deterministic polynomial-time then either NEXP $\not\subseteq$ P/poly or the noncommutative Permanent function does not have polynomial-size noncommutative circuits.

Proof. Suppose NEXP $\subseteq$ P/poly. Then, by the main result of [IKW02] we have NEXP = MA. Furthermore, by Toda's theorem MA $\subseteq P^{Perm_{\mathbb{Z}}}$, where the oracle computes the integer permanent. Now, assuming PIT for noncommutative circuits of polynomial degree is in deterministic polynomial-time we will show that the (noncommutative) Permanent function does not have polynomial-size noncommutative circuits. Suppose to the contrary that it does have polynomial-size noncommutative circuits. Clearly, we can use it to compute the integer permanent as well. Furthermore, as in [KI03] we notice that the noncommutative $n \times n$ Permanent is also uniquely characterized by the identities $p_1(x) \equiv x$ and $p_i(X) = \sum_{j=1}^{i} x_{1j}\, p_{i-1}(X_j)$ for $1 < i \leq n$, where $X$ is a matrix of $i^2$ noncommuting variables and $X_j$ is its $j$-th minor w.r.t. the first row. I.e., arbitrary polynomials $p_i$, $1 \leq i \leq n$, satisfy these $n$ identities over noncommuting variables $x_{ij}$, $1 \leq i, j \leq n$, if and only if $p_i$ computes the $i \times i$ permanent of noncommuting variables. The rest of the proof is exactly as in Impagliazzo-Kabanets [KI03]. We can easily describe an NP machine to simulate a $P^{Perm_{\mathbb{Z}}}$ computation.
The NP machine guesses a polynomial-size noncommutative circuit for $Perm$ on $m \times m$ matrices, where $m$ is a polynomial bound on the matrix size of the queries made. Then the NP machine verifies that the circuit computes the permanent by checking the $m$ noncommutative identities it must satisfy. This can be done in deterministic polynomial time by assumption. Finally, the NP machine uses the circuit to answer all the integer permanent queries. Putting it together, we get NEXP = NP which contradicts the nondeterministic time hierarchy theorem.

5 Schwartz-Zippel lemma over finite rings

In this section we give a generalization of the Schwartz-Zippel Lemma to finite commutative rings and apply it for identity testing of black-box polynomials in $R[x_1, \cdots, x_n]$, where $R$ is a finite commutative ring with unity whose elements are uniformly encoded by strings from $\{0, 1\}^m$ with a special string $e$ denoting unity, and the ring operations are performed by a ring oracle.

We recall some facts about finite commutative rings [B74, AM69]. A commutative ring $R$ with unity is a local ring if $R$ has a unique maximal ideal $M$. An element $r \in R$ is nilpotent if $r^n = 0$ for some positive integer $n$. An element $r \in R$ is a unit if it is invertible, i.e. $r r' = 1$ for some element $r' \in R$. Any element of a finite local ring is either a nilpotent or a unit. An ideal $I$ is a prime ideal of $R$ if $ab \in I$ implies either $a \in I$ or $b \in I$. For finite commutative rings, prime ideals and maximal ideals coincide. These facts considerably simplify the study of finite commutative rings (in contrast to infinite rings).

The radical of a finite ring $R$, denoted by $Rad(R)$, is defined as the set of all nilpotent elements, i.e.

$$Rad(R) = \{ r \in R \mid \exists\, n > 0 \text{ s.t. } r^n = 0 \}$$

The radical $Rad(R)$ is an ideal of $R$, and it is the unique maximum ideal if $R$ is a local ring.
Let $m$ denote the least positive integer such that for every nilpotent $r \in R$, $r^m = 0$, i.e. $(Rad(R))^m = 0$.

Let $R$ be any finite commutative ring with unity and $\{P_1, P_2, \cdots, P_\ell\}$ be the set of all maximal ideals of $R$. Let $R_i$ denote the quotient ring $R/P_i^m$ for $1 \leq i \leq \ell$. Then, it is easy to see that each $R_i$ is a local ring and $P_i/P_i^m$ is the unique maximal ideal in $R_i$. We recall the following structure theorem for finite commutative rings.

Theorem 5.1 ([B74], Theorem VI.2, page 95) Let $R$ be a finite commutative ring. Then $R$ decomposes (up to order of summands) uniquely as a direct sum of local rings. More precisely

$$R \cong R_1 \oplus R_2 \oplus \cdots \oplus R_\ell,$$

via the map $\phi(r) = (r + P_1^m, r + P_2^m, \cdots, r + P_\ell^m)$, where $R_i = R/P_i^m$ and $P_i$, $1 \leq i \leq \ell$, are all the maximal ideals of $R$.

It is easy to see that $\phi$ is a homomorphism with trivial kernel. The isomorphism $\phi$ naturally extends to the polynomial ring $R[x_1, x_2, \cdots, x_n]$, and gives the isomorphism $\hat{\phi} : R[x_1, x_2, \cdots, x_n] \to \oplus_{i=1}^{\ell} R_i[x_1, x_2, \cdots, x_n]$.

5.1 The Schwartz-Zippel lemma

We observe the following easy fact about zeros of a univariate polynomial over a ring.

Proposition 5.2 Let $R$ be an arbitrary commutative ring containing an integral domain $D$. If $f \in R[x]$ is a nonzero polynomial of degree $d$ then $f(a) = 0$ for at most $d$ distinct values of $a \in D$.

Proof. Suppose $a_1, a_2, \cdots, a_{d+1} \in D$ are distinct points such that $f(a_i) = 0$, $1 \leq i \leq d+1$. Then we can write $f(x) = (x - a_1) q(x)$ for $q(x) \in R[x]$. Now, dividing $q(x)$ by $x - a_2$ yields $q(x) = (x - a_2) q'(x) + q(a_2)$, for some $q'(x) \in R[x]$. Thus, $f(x) = (x - a_1)(x - a_2) q'(x) + (x - a_1) q(a_2)$. Putting $x = a_2$ in this equation gives $(a_2 - a_1) q(a_2) = 0$. But $a_2 - a_1$ is a nonzero element in $D$ and is hence invertible.
Therefore, $q(a_2) = 0$. Consequently, $f(x) = (x - a_1)(x - a_2) q'(x)$. Applying this argument successively for the other $a_i$ finally yields $f(x) = g(x) \prod_{i=1}^{d+1} (x - a_i)$ for some nonzero polynomial $g(x) \in R[x]$. Since $\prod_{i=1}^{d+1} (x - a_i)$ is a monic polynomial, this forces $\deg(f) \geq d+1$ which is a contradiction.

Consider a polynomial $f \in R[x_1, \cdots, x_n]$. Let $R'$ denote the ring $R[x_1, \cdots, x_{n-1}]$. Then we can consider $f$ as a univariate polynomial in $R'[x_n]$ and apply Lemma 5.2, since $R'$ contains the integral domain $D$ that $R$ contains. Now, by an easy induction argument on the number of variables as in [TZ06, Lemma D.3], we can derive the following analog of the Schwartz-Zippel test for arbitrary commutative rings containing large enough integral domains.

Lemma 5.3 Let $R$ be an arbitrary commutative ring containing an integral domain $D$. Let $g \in R[x_1, x_2, \cdots, x_n]$ be any polynomial of degree at most $d$. If $g \not\equiv 0$, then for any finite subset $A$ of $D$ we have

$$\mathrm{Prob}_{a_1 \in A, \cdots, a_n \in A}[g(a_1, a_2, \cdots, a_n) = 0] \leq \frac{nd}{|A|}.$$

In general Lemma 5.3 is not applicable, because the given ring may not contain a large integral domain. We explain how to get around this problem in the case of finite local commutative rings. Because of the structure theorem, it suffices to consider local rings.

Let $R$ be a finite local ring with unity given by a ring oracle. Suppose the characteristic of $R$ is $p^\alpha$ for a prime $p$. If the elements of $R$ are encoded in $\{0, 1\}^m$ then $2^m$ upper bounds the size of $R$. Let $M > 2^m$, to be fixed later in the analysis. Let $U = \{ce \mid 0 \leq c \leq M\}$, where $e$ denotes the unity of $R$. We will argue that, for a suitable $M$, if we sample $ce$ uniformly from $U$ then $(c \bmod p)e$ is almost uniformly distributed in $\mathbb{Z}_p e$.

Pick $x$ uniformly at random from $\mathbb{Z}_M$ and output $xe$. Let $a \in \mathbb{Z}_p$ and $P = \mathrm{Prob}[x \equiv a \pmod p]$. The $x$ for which $x \equiv a \pmod p$ are $a, a+p, \cdots, a + p\lfloor \frac{M-a}{p} \rfloor$. Let $M' = \lfloor \frac{M-a}{p} \rfloor$. Then $P = \frac{M'+1}{M} \leq \frac{1}{p}\left(1 + \frac{2^m}{M}\right)$. Clearly, $P \geq \frac{1}{p}\left(1 - \frac{2^m}{M}\right)$. For a given $\epsilon > 0$, choose $M = 2^{m+1}/\epsilon$. Then $\frac{1 - \epsilon/2}{p} \leq P \leq \frac{1 + \epsilon/2}{p}$. So $(x \bmod p)e$ is $\frac{\epsilon}{2}$-uniformly distributed in $\mathbb{Z}_p e$.

Lemma 5.4 Let $R$ be a finite local commutative ring with unity and of characteristic $p^\alpha$ for a prime $p$. The elements of $R$ are encoded using binary strings of length $m$. Let $g \in R[x_1, x_2, \cdots, x_n]$ be a polynomial of degree at most $d$ and $\epsilon > 0$ be a given constant. If $g \not\equiv 0$, then

$$\mathrm{Prob}_{a_1 \in U, \cdots, a_n \in U}[g(a_1, a_2, \cdots, a_n) = 0] \leq \frac{nd}{p}\left(1 + \frac{\epsilon}{2}\right),$$

where $U = \{ce \mid 0 \leq c \leq M\}$ and $M > 2^{m+1}/\epsilon$.

Proof. Consider the following tower of ideals inside $R$:

$$R \supseteq pR \supseteq p^2 R \supseteq \cdots \supseteq p^\alpha R = \{0\}.$$

Let $k$ be the integer such that $g \in p^k R[x_1, \cdots, x_n] \setminus p^{k+1} R[x_1, \cdots, x_n]$. Write $g = p^k \hat{g}$. Consider the ring $\hat{I} = \{r \in R \mid p^k r = 0\}$. Clearly, $\hat{I}$ is an ideal of $R$. Let $S = R/(\hat{I} + pR)$. We claim that $\hat{g}$ is a nonzero polynomial in $S[x_1, \cdots, x_n]$. Otherwise, let $\hat{g} \in (\hat{I} + pR)[x_1, \cdots, x_n]$. Write $\hat{g} = g_1 + g_2$, where $g_1 \in \hat{I}[x_1, \cdots, x_n]$ and $g_2 \in pR[x_1, \cdots, x_n]$. Then $p^k \hat{g} = p^k g_2$ as $p^k g_1 = 0$. But $g_2 \in pR[x_1, \cdots, x_n]$, which contradicts the fact that $k$ is the largest integer such that $g \in p^k R[x_1, \cdots, x_n]$. Thus $\hat{g}$ is a nonzero polynomial in $S[x_1, \cdots, x_n]$. Now we argue that $S$ contains the finite field $\mathbb{F}_p$, and then using Lemma 5.3, the proof of the lemma will follow easily. To see a copy of $\mathbb{F}_p$ inside $S$, it is enough to observe that $\{i + (\hat{I} + pR) \mid 0 \leq i \leq p-1\}$ as a field is isomorphic to $\mathbb{F}_p$.
Clearly the failure probability for identity testing of $g$ in $R[x_1, \cdots, x_n]$ is upper bounded by the failure probability for the identity testing of $\hat{g}$ in $S[x_1, \cdots, x_n]$. Consider the natural homomorphism $\phi : U \to \mathbb{F}_p$, given by $\phi(ce) = c \bmod p$. Thus if we sample uniformly from $U$, using $\phi$, we can $\frac{\epsilon}{2}$-uniformly sample from $\mathbb{F}_p$. Notice that for any $b \in \mathbb{F}_p$, $\frac{1 - \epsilon/2}{p} \leq \mathrm{Prob}_{x \in \mathbb{Z}_M}[x \equiv b \bmod p] \leq \frac{1 + \epsilon/2}{p}$. Now using Lemma 5.3, we conclude the following:

$$\mathrm{Prob}_{a_1 \in U, a_2 \in U, \cdots, a_n \in U}[g(a_1, \cdots, a_n) = 0] \leq \mathrm{Prob}_{b_1 \in \mathbb{F}_p, \cdots, b_n \in \mathbb{F}_p}[\hat{g}(b_1, \cdots, b_n) = 0] \leq \frac{nd}{p}\left(1 + \frac{\epsilon}{2}\right),$$

where $b_i = a_i \pmod p$. The additional factor of $(1 + \frac{\epsilon}{2})$ comes from the fact that we are only sampling $\frac{\epsilon}{2}$-uniformly from $\mathbb{F}_p$. This can be easily verified from the proof of Lemma 5.3. Hence we have proved the lemma.

6 Randomized Polynomial Identity Testing over finite rings

In this section we study the identity testing problem over a finite commutative ring oracle with unity. For the input polynomial, we consider both black-box representation and circuit representation. First we consider the black-box case. Our identity testing algorithm is a direct consequence of Lemma 5.4.

Theorem 6.1 Let $R$ (which decomposes into local rings as $\oplus_{i=1}^{\ell} R_i$) be a finite commutative ring with unity given as an oracle. Let the input polynomial $f \in R[x_1, \cdots, x_n]$ of degree at most $d$ be given via black-box access. Suppose the $R_i$'s are of characteristic $p_i^{\alpha_i}$. Let $\epsilon > 0$ be a given constant. If $p_i \geq knd$ for all $i$, for some integer $k \geq 2$, we have a randomized polynomial time identity test with success probability $1 - \frac{1}{k}\left(1 + \frac{\epsilon}{2}\right)$.

Proof. Consider the natural isomorphism $\hat{\phi} : R[x_1, x_2, \cdots, x_n] \to \oplus_{i=1}^{\ell} R_i[x_1, x_2, \cdots, x_n]$. Let $\hat{\phi}(f) = (f_1, f_2, \cdots, f_\ell)$.
If $f \not\equiv 0$ then $f_i \not\equiv 0$ for some $i \in [\ell]$, where $f_i \in R_i[x_1, x_2, \cdots, x_n]$. Fix such an $i$. Our algorithm is a direct application of Lemma 5.4. Define $U = \{ce \mid 0 \leq c \leq M\}$, assign values for the $x_i$'s independently and uniformly at random from $U$, and evaluate $f$ using the black-box access. The algorithm declares $f \not\equiv 0$ if and only if the computed value is nonzero. By Lemma 5.4, our algorithm outputs the correct answer with probability $1 - \frac{nd}{p_i}\left(1 + \frac{\epsilon}{2}\right) \geq 1 - \frac{1}{k}\left(1 + \frac{\epsilon}{2}\right)$. [Footnote 1]

The drawback of Theorem 6.1 is that we get a randomized polynomial-time algorithm only when $p_i \geq knd$. However, when the polynomial $f$ is given by an arithmetic circuit we will get a randomized identity test that works for all finite commutative rings given by oracle. This is the main result in this section. A key idea is to apply the transformation from [AB03] to convert the given multivariate polynomial to a univariate polynomial. The following lemma has an identical proof as [AB03, Lemma 4.5].

Lemma 6.2 Let $R$ be an arbitrary commutative ring and $f \in R[x_1, x_2, \cdots, x_n]$ be any polynomial of maximum degree $d$. Consider the polynomial $g(x)$ obtained from $f(x_1, x_2, \cdots, x_n)$ by replacing $x_i$ by $x^{(d+1)^{i-1}}$, i.e. $g(x) = f(x, x^{(d+1)}, \cdots, x^{(d+1)^{n-1}})$. Then $f \equiv 0$ over $R[x_1, \cdots, x_n]$ if and only if $g \equiv 0$ over $R[x]$.

By Lemma 6.2, it suffices to describe the identity test for a univariate polynomial in $R[x]$ given by an arithmetic circuit. Notice that if $\deg(f) = d$ then we can bound $\deg(g)$ by $d(d+1)^{n-1}$ which we denote by $D$.

Our algorithm is simple and essentially the same as the Agrawal-Biswas identity test over the finite ring $\mathbb{Z}_n$ [AB03]. We will randomly pick a monic polynomial $q(x) \in U[x]$ of degree $\lceil \log O(D) \rceil$. Then we carry out a division of $f(x)$ by the polynomial $q(x)$ and compute the remainder $r(x) \in R[x]$.
Our algorithm declares $f$ to be identically zero if and only if $r(x) = 0$. Notice that we will use the structure of the circuit to carry out the division. At each gate we carry out the division. More precisely, if the inputs of a $+$ gate are the remainders $r_1(x)$ and $r_2(x)$, then the output of this $+$ gate is $r_1 + r_2$. Similarly if $r_1$ and $r_2$ are the inputs of a $*$ gate, then we divide $r_1(x) r_2(x)$ by $q(x)$ and obtain the remainder as its output. Crucially, since $q(x)$ is a monic polynomial, the division algorithm will make sense and produce a unique remainder even if $R[x]$ is not a U.F.D (which is the case in general).

Footnote 1: Notice that we have to compute $ce$ using the ring oracle for addition in $R$. Starting with $e$, we need to add it $c$ times. The running time for this computation can be made polynomial in $\log c$ by writing $c$ in binary and applying the standard doubling algorithm.

We now describe the pseudocode of the identity testing algorithm (Algorithm 2). Our algorithm takes as input an arithmetic circuit $C$ computing a polynomial $f \in R[x_1, x_2, \cdots, x_n]$ of degree at most $d$ and an $\epsilon > 0$.

Algorithm 2 The Identity Testing algorithm
procedure IdentityTesting($C$, $\epsilon$)
    for $i = 1, n$ do
        $x_i \leftarrow x^{(d+1)^{i-1}}$    ⊲ Univariate transformation
    end for
    $g(x) \leftarrow C(x, x^{(d+1)}, \cdots, x^{(d+1)^{n-1}})$.
    $D \leftarrow d(d+1)^{n-1}$.    ⊲ The formal degree of $g(x)$ is at most $D$
    Choose a monic polynomial $q(x) \in U[x]$ of degree $\lceil \log \frac{12D}{1-\epsilon} \rceil$ uniformly at random.
    Divide $g(x)$ by $q(x)$ and compute the remainder $r(x)$.    ⊲ The division algorithm uses the structure of the circuit.
    if $r(x) = 0$ then
        $C$ computes a zero polynomial.
    else
        $C$ computes a nonzero polynomial.
    end if
end procedure

We will now prove the correctness of the above randomized identity test in Lemmas 6.3, 6.4, and 6.5.

Lemma 6.3 Let $R$ be a local commutative ring with unity and of characteristic $p^\alpha$ for some prime $p$ and integer $\alpha > 0$. Let $g$ be a nonzero polynomial in $R[x]$ such that $g \in p^k R[x] \setminus p^{k+1} R[x]$ for $k < \alpha$. Let $\hat{I} = \{r \in R \mid p^k r = 0\}$, $g = p^k \hat{g}$ where $\hat{g} \notin pR$ and $q$ is a monic polynomial in $R[x]$. If $q$ divides $g$ in $R$, then $q$ divides $\hat{g}$ in $R/(\hat{I} + pR)$.

Proof. As $q(x)$ divides $g(x)$ in $R[x]$, we have $g(x) = q(x) q_1(x)$ for some polynomial $q_1(x) \in R[x]$. Suppose $\hat{g}(x) = q(x) \bar{q}(x) + r(x)$ in $R[x]$ where the degree of $r(x)$ is less than the degree of $q(x)$. Also note that the division makes sense even over the ring as $q(x)$ is monic. We want to show that $r(x) \in (\hat{I} + pR)[x]$. We have the following relation in $R[x]$:

$$g = q q_1 = p^k \hat{g} = p^k q \bar{q} + p^k r.$$

So, $p^k r = q(q_1 - p^k \bar{q})$. If $(q_1 - p^k \bar{q}) \not\equiv 0$ in $R[x]$, then the degree of the polynomial $q(q_1 - p^k \bar{q})$ is strictly more than the degree of $p^k r$ as $q$ is monic and the degree of $q$ is more than the degree of $r$. Thus $(q q_1 - p^k q \bar{q}) \equiv 0$ in $R[x]$, forcing $p^k r = 0$ in $R[x]$. So by the choice of $\hat{I}$, we have $r(x) \in \hat{I}[x]$. Thus $r(x) \in (\hat{I} + pR)[x]$. Notice that in Lemma 5.4, we have already proved that $\hat{g}(x) \not\equiv 0$ in $S[x]$, where $S = R/(\hat{I} + pR)$. Also $q$ is nonzero in $S[x]$ as it is a monic polynomial. Hence we have proved that $q(x)$ divides $\hat{g}(x)$ over $S[x]$.

The following lemma is basically Chinese remaindering tailored to our setting.

Lemma 6.4 Let $R$ be a local ring with characteristic $p^\alpha$. Let $g(x) \in p^k R[x] \setminus p^{k+1} R[x]$ for some $k \geq 0$. Let $g(x) = p^k \hat{g}(x)$ and $\hat{I} = \{r \in R \mid p^k r = 0\}$. Suppose $q_1(x), q_2(x)$ are two monic polynomials over $R[x]$ such that each of them divides $g$ in $R[x]$.
Moreover, suppose there exist polynomials $a(x), b(x) \in R[x]$ such that $a q_1 + b q_2 = 1$ in $R/(\hat{I} + pR)$. Then $q_1 q_2$ divides $\hat{g}$ in $R/(\hat{I} + pR)$.

Proof. By Lemma 6.3, we know that $q_1$ and $q_2$ divide $\hat{g}$ in $R/(\hat{I} + pR)$. Let $\hat{g} = q_1 \bar{q}_1$ and $\hat{g} = q_2 \bar{q}_2$ in $R/(\hat{I} + pR)$. Let $\bar{q}_1 = q_2 q_3 + r$ in $R/(\hat{I} + pR)$. So, $\hat{g} = q_1 q_2 q_3 + q_1 r$. Substituting $q_2 \bar{q}_2$ for $\hat{g}$, we get $q_2(\bar{q}_2 - q_1 q_3) = q_1 r$. Multiplying both sides by $a$ and substituting $a q_1(x) = 1 - b q_2$, we get $q_2[a(\bar{q}_2 - q_1 q_3) + b r] = r$. If $r \not\equiv 0$ in $R/(\hat{I} + pR)$, we arrive at a contradiction since $q_2$ is monic and thus the degree of $q_2[a(\bar{q}_2 - q_1 q_3) + b r]$ is more than the degree of $r$.

Let $f(x)$ be a nonzero polynomial in $R[x]$ of degree at most $D$. The next lemma states that, if we pick a random monic polynomial $q(x) \in U[x]$ ($U$ is similarly defined as before) of degree $d \approx \log O(D)$, with high probability, $q(x)$ will not divide $f(x)$.

Lemma 6.5 Let $R$ be a commutative ring with unity. Suppose $f(x) \in R[x]$ is a nonzero polynomial of degree at most $D$ and $\epsilon > 0$ is a given constant. Choose a random monic polynomial $q(x)$ of degree $d = \lceil \log \frac{12D}{1-\epsilon} \rceil$ in $U[x]$. Then with probability at least $\frac{1-\epsilon}{4d}$, $q(x)$ will not divide $f(x)$ over $R[x]$. [Footnote 2]

Proof. Let $R \cong \bigoplus_i R_i$ be the local ring decomposition of $R$. As $f$ is nonzero in $R[x]$, there exists $j$ such that $f_j = \hat{\phi}_j(f)$ is nonzero in $R_j[x]$. Clearly, we can lower bound the required probability by the probability that $q_j = \hat{\phi}_j(q)$ does not divide $f_j$ in $R_j[x]$. Let the characteristic of $R_j$ be $p^\alpha$. If $q_j$ divides $f_j$ in $R_j[x]$, then it also divides over $R_j/(\hat{I}_j + pR_j)$. It is shown in the proof of Lemma 5.4 that $\mathbb{F}_p \subset R_j/(\hat{I}_j + pR_j)$. Now the number of irreducible polynomials in $\mathbb{F}_p$ of degree $d$ is at least $\frac{p^d - 2p^{d/2}}{d}$.
Let $t = \frac{p^d - 2p^{d/2}}{d}$. Let $\hat{q}(x) = \sum_{i=0}^{d-1} b_i x^i + x^d \in \mathbb{F}_p[x]$ be a monic polynomial. Now if a monic polynomial $P(x)$ of degree $d$ is randomly chosen from $U[x]$ then

$$\mathrm{Prob}[P(x) \equiv \hat{q}(x) \bmod p] = \frac{\prod_{i=0}^{d-1} \left( \lfloor (M - b_i)/p \rfloor + 1 \right)}{M^d} \geq \frac{1}{p^d}\left(1 - \frac{2^m}{M}\right)^d.$$

Again, choosing $M > d 2^{m+1}/\epsilon$, we get $\mathrm{Prob}[P(x) \equiv \hat{q}(x) \bmod p] \geq (1 - \epsilon/2)/p^d$. So, the probability that $q_j$ is an irreducible polynomial in $\mathbb{F}_p[x]$ is at least $t(1-\epsilon)/p^d > (1-\epsilon)/2d$. Let $f_j \in p^k R_j[x] \setminus p^{k+1} R_j[x]$. So we can write $f_j = p^k f'$, where $f' \in R_j[x] \setminus pR_j[x]$. By Lemma 6.3, $q_j$ divides $f'$ in $R/(\hat{I}_j + pR)$. Also, by Lemma 6.4, the number of different monic polynomials that are irreducible in $\mathbb{F}_p$ and divide $f'$ in $R_j/(\hat{I}_j + pR_j)$ is at most $D/d$. In the sample space for $q$, any monic polynomial of degree $d$ in $R_j/(\hat{I}_j + pR_j)$ occurs at most $(\frac{M}{p} + 1)^d$ times. So the probability that a random monic irreducible polynomial $q$ will divide $f$ is at most

$$\frac{(D/d)\left(\frac{M}{p} + 1\right)^d}{M^d} \leq \frac{D}{d p^d}\left(1 + \frac{1}{d}\right)^d < \frac{3D}{d 2^d}.$$

So a random monic polynomial $q \in U[x]$ (which is irreducible in $\mathbb{F}_p$ with reasonable probability) will not divide $f(x)$ with probability at least $\frac{1-\epsilon}{2d} - \frac{3D}{d p^d} > \frac{1-\epsilon}{4d}$ for $d \geq \lceil \log \frac{12D}{1-\epsilon} \rceil$.

The correctness of Algorithm 2 and its success probability follow directly from Lemma 6.3, Lemma 6.4 and Lemma 6.5. In particular, by Lemma 6.5, the success probability of our algorithm is at least $\frac{1-\epsilon}{4t}$, where $t = \lceil \log \frac{12D}{1-\epsilon} \rceil$. As $\frac{1-\epsilon}{4t}$ is an inverse polynomial quantity in input size and the randomized algorithm has one-sided error, we can boost the success probability by repeating the test polynomially many times. We summarize the result in the following theorem.

Theorem 6.6 Let $R$ be a finite commutative ring with unity given as an oracle and $f \in R[x]$ be a polynomial, given as an arithmetic circuit.
Then in randomized time polynomial in the circuit size and $\log |R|$ we can test whether $f \equiv 0$ in $R[x]$.

Randomized polynomial time identity testing for multivariate polynomials $f \in R[x_1, \cdots, x_n]$ given by arithmetic circuits follows from Theorem 6.6 and Lemma 6.2.

Theorem 6.7 Let $R$ be a commutative ring with unity given as an oracle. Let $f$ be a polynomial in $R[x_1, x_2, \cdots, x_n]$ of formal degree at most $d$, given by an arithmetic circuit over $R$. Then in randomized time polynomial in circuit size and $\log |R|$ we can test whether $f \equiv 0$ in $R[x_1, x_2, \cdots, x_n]$.

Remark 6.8 The randomized polynomial-time identity test of Bogdanov and Wee [BW05] for noncommutative circuits of polynomially bounded degree in $\mathbb{F}\{x_1, \cdots, x_n\}$ for a field $\mathbb{F}$, can be extended to such circuits over any commutative ring $R$ with unity, where $R$ is given by a ring oracle. This follows from the fact that the Amitsur-Levitzki theorem is easily seen to hold even in the ring $R\{x_1, \cdots, x_n\}$. The easy details are given in the appendix.

Footnote 2: An alternative proof of this lemma based on [AB03, Lemma 4.7] is given in the appendix.

Remark 6.9 Finally, we note that the results in Section 2 carry over without changes to noncommuting polynomials in $R\{x_1, \cdots, x_n\}$, where $R$ is a commutative ring with unity given by a ring oracle.

References

[AB03] M. Agrawal and S. Biswas. Primality and identity testing via Chinese remaindering. J. ACM, 50(4):429-443, 2003.
[AL50] S. A. Amitsur and J. Levitzki. Minimal Identities for algebras. In Proceedings of the American Mathematical Society, volume 1, pages 449-463, 1950.
[AM69] M. F. Atiyah and I. G. Macdonald. Introduction to commutative algebra. Addison-Wesley Publishing Company, 1969.
[AM07] V. Arvind and P. Mukhopadhyay. The Ideal Membership problem and Polynomial Identity Testing. ECCC report TR07-095, 2007.
[B74] B. R. MacDonald. Finite Rings with Identity. Marcel Dekker, Inc., New York, 1974.
[BW05] A. Bogdanov and H. Wee. More on Noncommutative Polynomial Identity Testing. In Proc. of the 20th Annual Conference on Computational Complexity, pp. 92-99, 2005.
[DS05] Z. Dvir and A. Shpilka. Locally Decodable Codes with 2 queries and Polynomial Identity Testing for depth 3 circuits. In Proc. of the 37th annual ACM Sym. on Theory of computing, 2005.
[GZ05] A. Giambruno and M. Zaicev. Polynomial Identities and Asymptotic Methods. American Mathematical Society, Vol. 122, 2005.
[HU78] J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, 1979.
[IKW02] R. Impagliazzo, V. Kabanets and A. Wigderson. In search of an easy witness: Exponential time vs. probabilistic polynomial time. Journal of Computer and System Sciences, 65(4), pages 672-694, 2002.
[KI03] V. Kabanets and R. Impagliazzo. Derandomization of polynomial identity tests means proving circuit lower bounds. In Proc. of the thirty-fifth annual ACM Sym. on Theory of computing, pages 355-364, 2003.
[KS05] Neeraj Kayal and Nitin Saxena. On the Ring Isomorphism and Automorphism Problems. IEEE Conference on Computational Complexity, 2-12, 2005.
[KS07] N. Kayal and N. Saxena. Polynomial Identity Testing for Depth 3 Circuits. Computational Complexity, 16(2):115-138, 2007.
[Le92] H. W. Lenstra Jr. Algorithms in algebraic number theory. Bulletin of the AMS, 26(2), 211-244, 1992.
[N91] N. Nisan. Lower bounds for non-commutative computation. In Proc. of the 23rd annual ACM Sym. on Theory of computing, pages 410-418, 1991.
[OT88] M. Ben-Or and P. Tiwari. A Deterministic Algorithm For Sparse Multivariate Polynomial Interpolation. In Proc. of the 20th annual ACM Sym. on Theory of computing, pages 301-309, 1988.
[RS05] R. Raz and A. Shpilka. Deterministic polynomial identity testing in non commutative models. Computational Complexity, 14(1):1-19, 2005.
[Sch80] Jacob T. Schwartz. Fast Probabilistic algorithm for verification of polynomial identities. J. ACM, 27(4), pages 701-717, 1980.
[Str94] Howard Straubing. Finite automata, formal logic, and circuit complexity. Progress in Theoretical Computer Science. Birkhäuser Boston Inc., Boston, MA, 1994.
[TZ06] T. Tao and T. Zeigler. The primes contain arbitrarily long polynomial progressions. To appear in Acta Mathematica. In arxiv:math/0305172 v2, June 2006.
[Zip79] R. Zippel. Probabilistic algorithms for sparse polynomials. In Proc. of the Int. Sym. on Symbolic and Algebraic Computation, pages 216-226, 1979.

A Noncommutative identity testing over commutative coefficient rings

Here we extend the noncommutative identity testing of Bogdanov and Wee [BW05] to $R\{x_1, \cdots, x_n\}$ where $R$ is an arbitrary commutative ring with unity. Our algorithm is a combination of Amitsur-Levitzki's theorem and Theorem 6.7. We first briefly discuss the Amitsur-Levitzki result tailored to our application and the result of [BW05].

Let $M_k(\mathbb{F})$ be the $k \times k$ matrix algebra over $\mathbb{F}$. The following algebraic lemma was the key result used in [BW05].

Lemma A.1 [AL50, GZ05] $M_k(\mathbb{F})$ does not satisfy any non-trivial polynomial identity of degree $< 2k$.

Based on Lemma A.1, a noncommutative version of the Schwartz-Zippel lemma over $\mathbb{F}\{x_1, \cdots, x_n\}$ is described in [BW05].
We first give an intuitive description of the identity testing algorithm in [BW05]. Assume $f \in \mathbb{F}\{x_1, \cdots, x_n\}$ is of degree $d$ and is given by an arithmetic circuit. Fix $k$ such that $k > \lceil d/2 \rceil$. Consider a field extension $\mathbb{F}'$ of $\mathbb{F}$ such that $|\mathbb{F}'| \gg d$. The idea is to evaluate the circuit on random $k \times k$ matrices from $M_k(\mathbb{F}')$. We think of each entry of the matrix as an indeterminate and view the $k^2$ indeterminates as commuting variables. So at the output of the circuit, we get a $k \times k$ matrix each of whose entries is a polynomial in commuting variables. Lemma A.1 guarantees that $f \equiv 0$ in $\mathbb{F}\{x_1, \cdots, x_n\}$ if and only if each of the $k^2$ polynomials computed as the entries of the matrix at the output gate is identically zero. Then we get a lower bound on the success probability via the commutative Schwartz-Zippel lemma.

We give a randomized polynomial time identity testing algorithm over $R\{x_1, \cdots, x_n\}$ where $R$ is any finite commutative ring with unity and is given by a ring oracle. Our algorithm is based on the observation that Lemma A.1 is valid over $M_k(R)$. For the sake of completeness, we briefly discuss the proof of Lemma A.1 tailored to $R$. The following fact is the key in proving Lemma A.1.

Fact A.2 [GZ05, page 7] Let $A$ be an $\mathbb{F}$-algebra spanned by a set $B$ over $\mathbb{F}$. If the algebra $A$ satisfies an identity of degree $k$ in $\mathbb{F}\{x_1, \cdots, x_n\}$, then it satisfies a multilinear identity of degree $\leq k$.

We observe that the result of Fact A.2 holds even if $A$ is an algebra over $R$. The proof is analogous to the proof of Fact A.2. Following [GZ05, page 7], we call a polynomial $f$ multilinear if every variable occurs with degree exactly one in every monomial of $f$.

Lemma A.3 Let $A$ be an $R$-algebra such that $A$ satisfies an identity of degree $k$. Then it satisfies a multilinear identity of degree $k$.

Proof. The lemma follows from an identical argument to that in the proof of Theorem 1.3.7 in [GZ05].

Using Lemma A.3, it follows that Lemma A.1 extends to $M_k(R)$. The proof is analogous to the proof of Theorem 1.7.2 in [GZ05]. Let $f$ be an identity for $M_k(R)$ of degree $< 2k$. By Lemma A.3, we can assume that $f$ is multilinear. Also, multiplying $f$ by new variables from the right, we can assume that the degree of $f$ is $2k - 1$. Let

$$f(x_1, x_2, \cdots, x_{2k-1}) = \sum_{\sigma \in S_{2k-1}} \alpha_\sigma x_{\sigma(1)} \cdots x_{\sigma(2k-1)}$$

with $\alpha_1 \neq 0$, where $1$ denotes the identity permutation. Let $e_{ij}$ be the $k \times k$ matrix with unity (of $R$) at the $(i,j)$-th entry and zero in all other entries. It is easy to see that $f(e_{11}, e_{12}, e_{22}, e_{23}, \cdots, e_{k-1,k}, e_{kk}) = \alpha_1 e_{1k} \neq 0$, since $x_1 \cdots x_{2k-1}$ is the only monomial that does not vanish during the evaluation. So $f$ is not an identity for $M_k(R)$. The fact that $R$ is a ring with unity is crucially used.

Lemma A.4 Let $R$ be a finite commutative ring with unity. Then $M_k(R)$ does not satisfy any polynomial identity of degree $< 2k$.

Now we give a randomized polynomial time identity testing algorithm over $R\{x_1, \cdots, x_n\}$.

Theorem A.5 Let $f \in R\{x_1, \cdots, x_n\}$ be a polynomial of degree $d$, given by a noncommutative arithmetic circuit $C$. $R$ is given as a ring oracle and its elements are encoded using binary strings of length $m$. Then there is a randomized polynomial time algorithm (poly$(n, d, m)$) to test if $f \equiv 0$ over $R\{x_1, \cdots, x_n\}$.

Proof. Let $x_1, x_2, \cdots, x_n$ be the indeterminates in $C$. Choose $k = \lceil d/2 \rceil + 1$. Replace each $x_i$ by a $k \times k$ matrix over the set of indeterminates $\{y^{(i)}_{j\ell}\}_{1 \leq j, \ell \leq k}$. Once we replace the $x_i$ by matrices, the inputs and the outputs of the gates will be matrices.
Replace each addition (multiplication) gate by a block of circuits computing the sum (product) of two $k \times k$ matrices (without loss of generality, assume that the fan-in of all gates is two). This can be easily achieved using $O(k^2)$ gates. Let $\hat{C}$ be the arithmetic circuit obtained from $C$ by these modifications. Clearly, $\hat{C}$ computes a function from $\mathbb{F}^{nk^2} \to \mathbb{F}^{k^2}$ and the size of $\hat{C}$ is only polynomial in the size of $C$. Denote by $\bar{Y}$ the variable list $(y^{(1)}_{11}, \cdots, y^{(1)}_{kk}, \cdots, y^{(n)}_{11}, \cdots, y^{(n)}_{kk})$. Then, $\hat{C}(\bar{Y}) = (P_1(\bar{Y}), \cdots, P_{k^2}(\bar{Y}))$. Also, by Lemma A.4, $M_k(R)$ does not satisfy any identity of degree $< 2k$ over $R\{x_1, \cdots, x_n\}$. So $f$ is an identity for $M_k(R)$ if and only if $f \equiv 0$ in $R\{x_1, \cdots, x_n\}$, which equivalently implies that $P_i \equiv 0$ over $R[\bar{Y}]$ for all $i$. Notice that the degree of $P_i$ is $\leq d$. Now we appeal to Theorem 6.7 in order to test whether $P_i \equiv 0$ in time poly$(n, d, m)$.

Bogdanov and Wee in [BW05] evaluate the noncommutative circuit over a field extension $\mathbb{F}'$ of $\mathbb{F}$ in case $\mathbb{F}$ is a small field compared to the degree. In our proof of Theorem A.5, when coefficients come from the ring $R$, we avoid working in a ring extension and instead apply Theorem 6.7.

B Alternative proof of Lemma 6.5

Let $R$ be a finite commutative ring with unity (denoted $e$) and its elements uniformly encoded in $\{0,1\}^m$. Recall we need to show the following: if we divide a nonzero polynomial $g(x) \in R[x]$ of degree $D$ by a random monic polynomial $q(x) \in U[x]$ of degree $\log O(D)$ then with high probability we get a nonzero remainder. Recall from Section 6 that $U = \{ke \mid 0 \leq k \leq M - 1\}$, where $M > 2^{m+1}/\epsilon$.
Indeed, Agrawal and Biswas essentially show in [AB03, Lemma 4.7] that the above result holds for the special case when the ring $R$ is the ring $\mathbb{Z}_t$ of integers modulo $t$, where $t$ is any positive integer given in binary. In Section 6 we gave a self-contained proof of Lemma 6.5. In the sequel we give a different proof which applies the [AB03] result for $\mathbb{Z}_t$ and brings out an interesting property of the division algorithm.

Let $n$ denote the characteristic of the ring $R$. Then sampling from $U[x]$ amounts to almost uniform sampling from the copy of $\mathbb{Z}_n[x]$, namely $\mathbb{Z}_n e[x]$, contained in $R[x]$ as a subring. Since $(R, +)$ is a finite abelian group, by the fundamental theorem for abelian groups, we can write $(R, +)$ as a direct sum $R = \bigoplus_{i=1}^{k} \mathbb{Z}_{n_i} e_i$, where $e_1, \cdots, e_k$ forms an independent generating set for $(R, +)$, and $n_i$ is the additive order of $e_i$ for each $i$. Notice that the lcm of $n_1, \cdots, n_k$ is the ring's characteristic $n$. This decomposition extends naturally to the additive group $(R[x], +)$ to give

$$R[x] = \bigoplus_{i=1}^{k} \mathbb{Z}_{n_i}[x] e_i. \qquad (2)$$

Thus, every polynomial $g(x) \in R[x]$ can be uniquely written as $g(x) = \sum_{i=1}^{k} g_i(x) e_i$, where $g_i$ is a polynomial with integer coefficients in the range $0, \cdots, n_i - 1$ for each $i$. Clearly, dividing $g(x)$ by $q(x)$ amounts to dividing each term in $\sum_{i=1}^{k} g_i(x) e_i$. The following claim tells us how to analyze this term by term division. More precisely, we analyze the quotient and remainder when we divide $g_i(x) e_i \in R[x]$ by $q(x) \in \mathbb{Z}_n[x]$ ($\cong \mathbb{Z}_n e[x] \subseteq R[x]$).

Claim B.1 Let $g_i(x) = q(x) q'(x) + r'(x)$ be the quotient and remainder when we divide $g_i(x)$ by $q(x)$ in the ring $\mathbb{Z}_{n_i}[x]$. Let $g_i(x) e_i = q(x) q''(x) + r''(x)$ be the quotient and remainder when we divide $g_i(x) e_i$ by $q(x)$ in the ring $R[x]$. Then $q'(x) e_i = q''(x)$ and $r'(x) e_i = r''(x)$.

This claim is somewhat surprising because Equation 2 only gives us a group decomposition of $R[x]$ and not a ring decomposition. Thus, it is not clear why division in the ring $\mathbb{Z}_{n_i}[x]$ can be related to division in $R[x]$. Indeed, the crucial reason why we can relate the two divisions is because the divisor polynomial $q(x)$ lives in the copy of $\mathbb{Z}_n[x]$ inside $R[x]$.

To see the claim, we will carry out the division of $g_i(x)$ by $q(x)$ over $R[x]$. Since both $g_i$ and $q(x)$ have integer coefficients, this amounts to carrying out division in $\mathbb{Z}_n[x]$ which yields, say, $g_i(x) = q(x) q_1(x) + r_1(x)$. We can also write $q_1(x) = a(x) + n_i b(x)$ and $r_1(x) = c(x) + n_i d(x)$. Then, over $\mathbb{Z}_{n_i}$, notice that we must have $g_i(x) = q(x) a(x) + c(x)$. Therefore, $a(x) = q'(x)$ and $c(x) = r'(x)$. Now, multiplying both sides by $e_i$ we will get $q_1(x) e_i = a(x) e_i + n_i e_i b(x) = a(x) e_i = q'(x) e_i$. Similarly, we get $r_1(x) e_i = c(x) e_i = r'(x) e_i$. Furthermore, again multiplying both sides by $e_i$, we also get $g_i(x) e_i = q(x) q_1(x) e_i + r_1(x) e_i$. Hence, $q''(x) = q_1(x) e_i = q'(x) e_i$ and $r''(x) = r_1(x) e_i = r'(x) e_i$. This proves the claim.

A consequence of the claim is the following nice property of the division algorithm: in order to divide $g(x)$ by $q(x)$ over the ring $R$, for each $i$ we can carry out the division of $g_i(x)$ by $q(x)$ over the ring $\mathbb{Z}_{n_i}$ and obtain the quotients and remainders: $g_i(x) = q(x) q'_i(x) + r'_i(x)$. Then we can put together the term by term divisions to obtain

$$g(x) = q(x)\left(\sum_{i=1}^{k} q'_i(x) e_i\right) + \left(\sum_{i=1}^{k} r'_i(x) e_i\right). \qquad (3)$$

More precisely, when we divide $g(x)$ by $q(x)$ in $R[x]$, the quotient is $\sum_{i=1}^{k} q'_i(x) e_i$ and the remainder is $\sum_{i=1}^{k} r'_i(x) e_i$.

Now, since $g \in R[x]$ is nonzero, there is an index $j$ such that $g_j(x) \in \mathbb{Z}_{n_j}[x]$ is nonzero. Furthermore, since $n_j$ is a factor of $n$, the polynomial $q(x)$ modulo $n_j$ is still an almost uniformly distributed random monic polynomial. It follows from the Agrawal-Biswas result [AB03, Lemma 4.7] applied to division of $g_j(x)$ by $q(x)$ over $\mathbb{Z}_{n_j}$ that $r'_j(x)$ will be nonzero with high probability. Consequently, by Equation 3 the remainder $\sum_{i=1}^{k} r'_i(x) e_i$ on dividing $g(x)$ by $q(x)$ in the ring $R[x]$ is also nonzero with the same probability.
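The term by term division of Claim B.1 and Equation 3, as an added Python example that is not part of the paper. It assumes a small constructed ring $R = \mathbb{Z}_4[y]/(2y, y^2)$ with $e_1 = 1$, $e_2 = y$, $n_1 = 4$, $n_2 = 2$ (so $n = 4$); all function names are hypothetical. It divides directly in $R[x]$ and compares the result with dividing each $g_i$ over $\mathbb{Z}_{n_i}$.

```python
# Constructed ring (assumption, not from the paper): R = Z_4[y]/(2y, y^2).
# An element a + b*y is stored as (a, b), a in Z_4, b in Z_2.  Additively
# R = Z_4*e_1 (+) Z_2*e_2 with e_1 = 1, e_2 = y; since e_2*e_2 = 0 this is
# only a group decomposition, not a ring decomposition.
ORDERS = (4, 2)  # n_1, n_2: additive orders of e_1, e_2 (lcm = characteristic 4)

def r_add(u, v):
    return ((u[0] + v[0]) % 4, (u[1] + v[1]) % 2)

def r_neg(u):
    return ((-u[0]) % 4, (-u[1]) % 2)

def r_mul(u, v):
    # (a + b*y)(c + d*y) = ac + (ad + bc)*y, using y^2 = 0 and 2y = 0
    return ((u[0] * v[0]) % 4, (u[0] * v[1] + u[1] * v[0]) % 2)

def divide_in_R(g, q):
    """Long division in R[x] of g by a monic q with integer coefficients.
    Polynomials are coefficient lists, lowest degree first."""
    q_in_R = [(c % 4, 0) for c in q]      # q lives in the copy Z_n*e of Z_n
    rem, d = list(g), len(q) - 1
    quo = [(0, 0)] * max(len(g) - d, 0)
    for i in range(len(g) - 1, d - 1, -1):
        lead = quo[i - d] = rem[i]
        for j, c in enumerate(q_in_R):
            rem[i - d + j] = r_add(rem[i - d + j], r_neg(r_mul(lead, c)))
    return quo, rem[:d]

def divide_mod(g, q, n):
    """Long division of g by monic q in Z_n[x]."""
    rem, d = [c % n for c in g], len(q) - 1
    quo = [0] * max(len(g) - d, 0)
    for i in range(len(g) - 1, d - 1, -1):
        lead = quo[i - d] = rem[i]
        for j, c in enumerate(q):
            rem[i - d + j] = (rem[i - d + j] - lead * c) % n
    return quo, rem[:d]

def divide_termwise(g, q):
    """Equation (3): divide each g_i by q over Z_{n_i}, then reassemble
    the quotient sum_i q'_i(x) e_i and the remainder sum_i r'_i(x) e_i."""
    (q1, r1), (q2, r2) = (divide_mod([c[i] for c in g], q, n)
                          for i, n in enumerate(ORDERS))
    return list(zip(q1, q2)), list(zip(r1, r2))

# Constructed input: g = (3+y)x^4 + y x^3 + (2+y)x^2 + 3x + (1+y), q = x^2 + x + 3
g = [(1, 1), (3, 0), (2, 1), (0, 1), (3, 1)]
q = [3, 1, 1]
print(divide_in_R(g, q))
print(divide_termwise(g, q))
```

The two printed results agree even though the multiplication of $R$ mixes the components, because the divisor has coefficients only in the copy of $\mathbb{Z}_n$ inside $R$.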