Algebraic Hardness versus Randomness in Low Characteristic
Robert Andrews ∗
May 21, 2020

∗ Department of Computer Science, University of Illinois at Urbana-Champaign. Supported by NSF grant CCF-1755921.
arXiv [cs.CC]

Abstract

We show that lower bounds for explicit constant-variate polynomials over fields of characteristic p > are sufficient to derandomize polynomial identity testing over fields of characteristic p. In this setting, existing work on hardness-randomness tradeoffs for polynomial identity testing requires either the characteristic to be sufficiently large or the notion of hardness to be stronger than the standard syntactic notion of hardness used in algebraic complexity. Our results make no restriction on the characteristic of the field and use standard notions of hardness.

We do this by combining the Kabanets-Impagliazzo generator with a white-box procedure to take pth roots of circuits computing a pth power over fields of characteristic p. When the number of variables appearing in the circuit is bounded by some constant, this procedure turns out to be efficient, which allows us to bypass difficulties related to factoring circuits in characteristic p.

We also combine the Kabanets-Impagliazzo generator with recent “bootstrapping” results in polynomial identity testing to show that a sufficiently-hard family of explicit constant-variate polynomials yields a near-complete derandomization of polynomial identity testing. This result holds over fields of both zero and positive characteristic and complements a recent work of Guo, Kumar, Saptharishi, and Solomon, who obtained a slightly stronger statement over fields of characteristic zero.

The interaction between computational hardness and pseudorandomness is a central theme of computational complexity. The goal of this vein of work is to show that a class C of problems that are solvable by randomized algorithms can in fact be solved by deterministic algorithms which are not much slower than the known randomized algorithm, assuming lower bounds for a related class D.

When trying to derandomize BPP, the class of problems solvable in polynomial time by a randomized Turing machine with failure probability at most / , we understand this problem quite well. A series of works culminated in that of Impagliazzo and Wigderson [IW97], which showed that BPP = P if there are problems in E which require boolean circuits of exponential size. Subsequent work by Shaltiel and Umans [SU05] and Umans [Uma03] further tightened the quantitative tradeoffs obtainable for derandomizing BPP.

In this work, we focus on the question of hardness versus randomness in the more restricted computational model of algebraic circuits, which naturally compute multivariate polynomials over a specified base field F. Here, the algorithmic problem of interest is polynomial identity testing (PIT), which is the problem of determining if a given algebraic circuit computes the identically zero polynomial. We typically consider identity testing of circuits whose size and degree are bounded by a polynomial function in the number of variables. This low-degree regime captures polynomials of interest to computer scientists, such as the determinant and permanent, and corresponds to typical algorithmic applications of PIT. In this regime, the problem of PIT is easily solved with randomness by evaluating the circuit at a randomly chosen point of a large enough grid. The correctness of this algorithm follows from the Schwartz-Zippel lemma, which roughly says that a low-degree multivariate polynomial cannot vanish at many points of a sufficiently large grid.
To date, no deterministic algorithm for PIT is known that substantially improves on the naïve derandomization of the Schwartz-Zippel lemma.

Polynomial identity testing has widespread applications in theoretical computer science and has led to randomized algorithms for perfect matching [Lov79; KUW86; MVV87], primality testing [AB03; AKS04], and equivalence testing of read-once branching programs [BCW80], among other problems. In light of the utility of PIT as an algorithmic primitive, it is worth understanding to what extent PIT can be derandomized. There is a large body of work concerned with unconditional derandomization of PIT for various sub-classes of algebraic circuits. For more on this, we refer the reader to the surveys of Shpilka and Yehudayoff [SY10] and Saxena [Sax09; Sax14]. In this work, we will focus on conditional derandomization of PIT under suitable hardness assumptions.

The first instantiation of the hardness-randomness paradigm for polynomial identity testing was given by Kabanets and Impagliazzo [KI04]. Their work implemented the design-based approach of Nisan and Wigderson [NW94] in the algebraic setting, showing that lower bounds for an explicit family of multivariate polynomials can be used to derandomize PIT.

Subsequent work by Dvir, Shpilka, and Yehudayoff [DSY09] and Chou, Kumar, and Solomon [CKS18] extended this to the setting of bounded-depth circuits, roughly showing that lower bounds against depth-(∆ + O(1)) circuits suffice to derandomize identity testing of depth-∆ circuits, for any constant ∆. The result of Dvir, Shpilka, and Yehudayoff [DSY09] works with any hard polynomial, but scales poorly with the individual degree of the circuit being tested. Chou, Kumar, and Solomon [CKS18] refined the approach of Dvir, Shpilka, and Yehudayoff [DSY09] and showed that if the family of hard polynomials has sufficiently low degree, then this dependence on the individual degree of the circuit being tested can be avoided.
Implementing the hardness-randomness paradigm in low-depth is motivated in part by a host of depth-reduction results in algebraic complexity [AV08; Koi12; Tav15; GKKS16] which show that polynomials computable by small circuits can be computed by non-trivially small low-depth circuits.

Returning to the setting of unrestricted circuits, recent work of Guo, Kumar, Saptharishi, and Solomon [GKSS19] uses a stronger hardness assumption than that of Kabanets and Impagliazzo [KI04] and obtains a stronger derandomization of PIT. Specifically, Guo, Kumar, Saptharishi, and Solomon [GKSS19] obtain a polynomial-time derandomization of PIT using lower bounds against an explicit family of constant-variate polynomials. For comparison, Kabanets and Impagliazzo [KI04] only obtain quasipolynomial-time algorithms for PIT under multivariate hardness assumptions. In Section 6 of this work, we further discuss the relationship between these hardness assumptions and provide evidence for the strength of constant-variate hardness compared to multivariate hardness.

A separate line of work by Agrawal, Ghosh, and Saxena [AGS19] and Kumar, Saptharishi, and Tengse [KST19] shows that PIT exhibits a “bootstrapping” phenomenon. That is, if one can obtain a barely non-trivial derandomization of PIT for circuits of size and degree which are unbounded in the number of variables, then it follows that there is a near-complete derandomization of PIT for circuits of polynomial size and degree.

From these works, we have a relatively good understanding of what derandomization of PIT is possible under hardness assumptions. However, excluding the bootstrapping results of Agrawal, Ghosh, and Saxena [AGS19] and Kumar, Saptharishi, and Tengse [KST19], all previous work on hardness-randomness tradeoffs for PIT requires the underlying field to be of zero or large characteristic (for the definition of the characteristic of a field, see Section 2).
That is, we can derandomize PIT under hardness assumptions over the complex numbers C or the finite field of p^m elements F_{p^m} when p is sufficiently large, but we do not know how to do the same over a field of low characteristic like F m .

A partial exception to this deficiency is the work of Kabanets and Impagliazzo [KI04]. Their results yield derandomization of PIT over a finite field F_{p^m} assuming an explicit polynomial which is hard to compute as a function over F_{p^m}. Over infinite fields, two polynomials are equal if and only if they compute the same function. However, this no longer holds over finite fields. For example, over F , the polynomial x − x computes the zero function but is decidedly not the zero polynomial. It is more common in the study of algebraic circuits to prove lower bounds on the task of computing a polynomial as a syntactic object, not as a function. Functional lower bounds imply syntactic lower bounds, but the reverse direction does not hold, which makes proving functional lower bounds a harder task.

If one inspects the proof of Kabanets and Impagliazzo [KI04], the functional hardness assumption can be replaced with a slightly weaker, albeit non-standard, syntactic hardness assumption. Namely, it suffices to assume the existence of an explicit family of n-variate polynomials { f_n : n ∈ N } such that f_n^{p^k} is hard in the syntactic sense for ≤ p^k ≤ O(n). Over characteristic zero fields, the factoring algorithm of Kaltofen [Kal89] implies that if f is hard to compute, then f^d is comparably hard to compute as long as d is not too large. Over fields of characteristic p, it is not clear if hardness of f^p is implied by hardness of f. For example, it is consistent with our current state of knowledge that the n × n permanent perm_n(x) is Ω(n)-hard over F , but that perm_n(x) is computable by circuits of size O(n) over F .
Understanding the relationship between the complexity of f and f^p over fields of characteristic p > in general remains a challenging open problem.

For further exposition on hardness-randomness tradeoffs for PIT, see the recent survey of Kumar and Saptharishi [KS19].

Before describing our contributions, we take a detour to look more closely at the question of derandomizing PIT over fields of low characteristic. Known techniques for derandomizing PIT over fields of small characteristic under hardness assumptions fail due to the fact that over a field of positive characteristic, the derivative of a non-constant polynomial may be zero. For example, over F , we have ∂/∂x ( x ) = 2x = 0, since in F . Thus, techniques which are in some sense “analytic” break in low characteristic. Given that the problem of polynomial identity testing is entirely algebraic, it would be nice to find an “algebraic” approach that does not succumb to this flaw. Indeed, derandomizing PIT in low characteristic fields under hardness assumptions is listed as an open problem in the recent survey of Kumar and Saptharishi [KS19] on algebraic derandomization.

The problem of derandomizing PIT in low characteristic fields also has interesting algorithmic applications. Consider, for example, the randomized algorithm of Lovász [Lov79] to detect whether a bipartite graph has a perfect matching. Let G = (V ⊔ V , E) be a balanced bipartite graph on n vertices with partite sets V and V . We form the n × n symbolic matrix A given by A_{i,j} = x_{i,j} if {i, j} ∈ E, and otherwise. It is not hard to see that det(A) ≠ 0 if and only if G has a perfect matching. We can then check if G has a perfect matching by evaluating A at a random point chosen from a suitably large grid of integers.

In evaluating det(A), we may encounter large numbers of size Ω(n!). Arithmetic on such numbers is expensive, requiring at least Ω(n log n) time.
We could instead implement this algorithm over a finite field of size poly(n). As the determinant is a polynomial of degree n, the Schwartz-Zippel lemma guarantees that this modification yields an algorithm with low error probability. What we have gained is the fact that elements of such a finite field can be represented in O(log n) bits, so our arithmetic becomes more efficient. In principle, one could choose the field so that the characteristic is large enough for the hardness-randomness paradigm to apply, but there may be other considerations which motivate picking, say, an extension field of F . Derandomizing such an algorithm (under hardness assumptions) requires extending the hardness-randomness paradigm to fields of low characteristic.

Alternatively, one can reduce the bit complexity by using a derandomized polynomial identity testing algorithm over the rational numbers, but with the arithmetic performed modulo a small prime number. This approach also achieves logarithmic bit complexity. However, we are now in the position of having to derandomize the selection of the prime number. It is not obvious how to do this much faster than brute force, so the benefits of reducing the bit complexity are negated by the need to try many different primes.

While the previous example may seem somewhat artificial, we remark that there are instances of algorithms which explicitly rely on polynomial identity testing over fields of low characteristic. For example, the randomized algorithm of Williams [Wil09] for the k-path problem makes use of polynomial identity testing over fields of characteristic 2. If one wanted to derandomize this algorithm under a hardness assumption, prior work on hardness-randomness tradeoffs for PIT would not suffice.

In this work, we instantiate the hardness-randomness paradigm for PIT over fields of low characteristic under standard syntactic hardness assumptions.
That is, we obtain derandomization of PIT from the existence of an explicit family of hard polynomials { f_n : n ∈ N } without assuming hardness of pth powers of f_n. At the heart of our results is a new technique for computing the map f^p ↦ f over F[x] when the polynomial f^p is given by an algebraic circuit. When f depends on a small number of variables, the circuit computing f is not too much larger than the circuit which computes f^p.

Lemma 1.1 (informal version of Corollary 3.6). Suppose f(x)^p is a polynomial on O(1) variables and can be computed by a circuit of size s over a field of characteristic p > . Then f(x) can be computed by a circuit of size O(s).

Using this, we are able to extend the techniques of Kabanets and Impagliazzo [KI04] to fields of low characteristic. To do so, we need stronger hardness assumptions than those made by Kabanets and Impagliazzo [KI04] for the case of zero characteristic fields. In algebraic complexity, lower bounds are typically proved for families of polynomials parameterized by the number of variables, as this captures the regime of interest for algorithmic applications. To prove our results, we assume lower bounds against a family of constant-variate polynomials which are parameterized by degree.

For the sake of exposition, we focus on the case of lower bounds for univariate polynomials. A univariate polynomial of degree d can easily be computed by circuits of size O(d) using Horner’s rule. It is not hard to show that every such polynomial also requires size Ω(log d) to compute. However, improving on this Ω(log d) lower bound for an explicit family of polynomials is a long-standing open problem. Standard dimension arguments show that most univariate polynomials of degree d require circuits of size d^{Ω(1)} to compute.

When comparing statements regarding degree d univariates and degree n^{O(1)} multivariate polynomials on n variables, it is instructive to think of n and log d as comparable.
In this sense, our results achieve the same hardness-randomness tradeoffs as those of Kabanets and Impagliazzo [KI04], but require translating their hardness assumptions to the comparable statement for univariate polynomials.

Using Lemma 1.1, we can extend the analysis of Kabanets and Impagliazzo to work over fields of low characteristic. We now give two concrete examples of the derandomization we can obtain using this extension.

Theorem 1.2 (informal version of Theorem 4.3 and Corollary 4.5). Let F be a field of characteristic p > . Let { f_d(x) : d ∈ N } be an explicit family of univariate polynomials which cannot be computed by circuits of size less than s(d) over F.
1. If s(d) = log^{ω(1)} d, then there is a deterministic algorithm for identity testing of polynomial-size, polynomial-degree circuits over F in n variables which runs in time n^{o(1)}.
2. If s(d) = 2^{log^{Ω(1)} d}, then there is a deterministic algorithm for identity testing of polynomial-size, polynomial-degree circuits over F in n variables which runs in time log^{O(1)} n.

For comparison, from an n^{ω(1)} lower bound against a family of explicit multilinear polynomials, Kabanets and Impagliazzo [KI04] give a deterministic algorithm for PIT over fields of characteristic zero which runs in time n^{o(1)}. If instead one has a n^{Ω(1)} lower bound, then their techniques yield a deterministic algorithm which runs in time log^{O(1)} n. Viewing log d and n as (roughly) equivalent, we see that our derandomization obtains the same tradeoff between hardness and pseudorandomness as Kabanets and Impagliazzo [KI04], modulo the difference between univariate and multivariate lower bounds.

It is not hard to show that lower bounds in the constant-variate regime imply comparable lower bounds in the multivariate regime (see Lemma 2.6), but the reverse implication is not known.
In Section 6, we investigate the possibility of using known techniques to prove univariate lower bounds from multivariate lower bounds.

As the assumption of a hard univariate family seems strong, it raises the question of whether or not one can obtain a stronger derandomization of PIT over fields of positive characteristic under a univariate hardness assumption. There is evidence this can be done, as Guo, Kumar, Saptharishi, and Solomon [GKSS19] use univariate lower bounds to obtain a complete derandomization of PIT over fields of characteristic zero. With a more careful instantiation of the Kabanets-Impagliazzo result, we are able to derandomize PIT in a way that suffices for the bootstrapping results of Agrawal, Ghosh, and Saxena [AGS19] and Kumar, Saptharishi, and Tengse [KST19] to take effect. This allows us to prove nearly-optimal hardness-randomness tradeoffs for PIT over fields of positive characteristic, which comes close to matching the characteristic zero result of Guo, Kumar, Saptharishi, and Solomon [GKSS19]. More concretely, we prove the following.

Theorem 1.3 (informal version of Theorem 5.3). Let F be a field of characteristic p > . Let { f_d(x) : d ∈ N } be an explicit family of univariate polynomials which cannot be computed by circuits of size less than d^δ for some constant δ > . Then there is a deterministic algorithm for identity testing of polynomial-size, polynomial-degree algebraic circuits in n variables over F which runs in time n^{exp ∘ exp(O(log⋆ n))}.

pth roots of algebraic circuits over fields of characteristic p > . We then use this in Section 4 to extend the work of Kabanets and Impagliazzo to the low characteristic setting. We combine our techniques with the bootstrapping results to obtain near-complete derandomization of PIT over fields of positive characteristic in Section 5. Section 6 investigates the relationship between univariate and multivariate circuit lower bounds.
We conclude in Section 7 with a collection of problems left open by this work.

For n ∈ N, we write [n] := { , . . . , n} and ⟦n⟧ := { , . . . , n − }. If A is an n × m matrix, we write A_{i,•} and A_{•,j} for the i th row and j th column of A, respectively. We abbreviate a vector of variables (x , . . . , x_n), numbers (a , . . . , a_n), or field elements (α , . . . , α_n) by x, a, and α, respectively, where the length is usually clear from context. We also abbreviate the product ∏_{i=1}^{n} x_i^{a_i} =: x^a. Given a polynomial f(x) = Σ_a α_a x^a, we write deg(f) and ideg(f) for the total degree and individual degree of f, respectively. The total degree of f is given by deg(f) := max{‖a‖ : α_a ≠ 0}, while the individual degree of f is given by ideg(f) := max{‖a‖_∞ : α_a ≠ 0}.

For a field F, the characteristic of F, denoted char F, is the smallest positive integer p such that p · in F. In the case that there is no such p, we say that F has characteristic zero. Alternatively, char F is the number p such that the ring homomorphism Z → F induced by ↦ has kernel pZ. The set C_F(s, n, d) ⊆ F[x] denotes the set of all n-variate degree d polynomials which can be computed by an algebraic circuit of size at most s over F.

We assume familiarity with the models of algebraic circuits, formulae, and branching programs. When we refer to the size of a circuit, formula, or branching program, we mean the number of nodes in the computational device. An introduction to this area can be found in the survey of Shpilka and Yehudayoff [SY10]. Throughout this work, we analyze our algorithms under the assumption that arithmetic over the base field F can be performed in constant time.

We now collect basic definitions and results needed for the study of deterministic black-box algorithms for polynomial identity testing.
More in-depth exposition is available in the recent survey of Kumar and Saptharishi [KS19].

We start with the notion of a hitting set, the basic object used to construct deterministic black-box algorithms for polynomial identity testing.

Definition 2.1. Let C ⊆ F[x] be a set of n-variate polynomials. We say that a set H ⊆ F^n is a hitting set for C if for every non-zero f(x) ∈ C, there is a point α ∈ H such that f(α) ≠ 0. If H can be computed in t(n) time, then we say that H is t(n)-explicit. ♦

We now introduce hitting set generators, the analogue of pseudorandom generators in the context of algebraic derandomization.

Definition 2.2. Let C ⊆ F[x] be a set of n-variate polynomials. Let G : F^m → F^n be a mapping given by G(y) = (G (y), . . . , G_n(y)), where G_i ∈ F[y]. We say that G is a hitting set generator for C if for every non-zero f(x) ∈ C, we have f(G(y)) ≠ 0. The seed length of G is m. The degree of G is max_{i ∈ [n]} deg(G_i). We say G is t(n)-explicit if, given α ∈ F^m, we can compute G(α) in t(n) time. ♦

It is a well-known result that an explicit, low-degree hitting set generator for C with small seed length yields an explicit hitting set for C of small size. The hitting set is constructed by evaluating the generator on a grid of large enough size. Correctness follows from the Schwartz-Zippel lemma.

Lemma 2.3.
Let C be a set of n-variate degree d polynomials. Let G : F^m → F^n be a t(n)-explicit hitting set generator for C of degree D. Then there is a (dD + 1)^m t(n)-explicit hitting set H for C of size (dD + 1)^m.

We also need a notion of explicitness for a family of polynomials. In previous works on hardness-randomness tradeoffs for polynomial identity testing, a family of n-variate polynomials { f_n ∈ F[x] : n ∈ N } is considered explicit if f_n is computable in exp(O(n)) time. However, we will need a slightly different notion of explicitness. Instead of an exponential-time algorithm to compute f_n, we require an exponential-time algorithm to compute the coefficient of a given monomial in f_n. This different notion of explicitness will be used to transition between the constant-variate and multivariate regimes later on in Section 4 and Section 5.

Definition 2.4.
Let { f_{n,d}(x) ∈ F[x] : n, d ∈ N } be a family of n-variate degree d polynomials. We say that this family is strongly t(n, d)-explicit if there is an algorithm which on input (n, d, a) outputs the coefficient of x^a in f_{n,d}(x) in t(n, d) time. ♦

Remark 2.5. The preceding definition is reminiscent of Valiant’s criterion for membership in VNP. Briefly, Valiant’s criterion says that if the coefficient of x^a can be computed in P/poly, then the polynomial f(x) is in VNP, an algebraic analogue of NP. We refer the reader to Bürgisser [Bür00, Chapters 1 and 2] for further exposition on VNP and Valiant’s criterion. ♦

We will repeatedly build explicit families of hard multivariate polynomials out of explicit families of hard constant-variate polynomials. By “a family of hard multivariate polynomials,” we mean a family of polynomials { f_n(x) ∈ F[x] : n ∈ N }, where f_n is an n-variate polynomial of degree n^{O(1)}. When we say “a family of hard constant-variate polynomials,” we mean a family { f_d(x) ∈ F[x] : d ∈ N }, where f_d is a degree d polynomial on k = O(1) variables. That is, when we consider multivariate polynomials, we parameterize the family by the number of variables and primarily consider families of small degree; when we look at constant-variate polynomials, we fix the number of variables in all polynomials and parameterize the family by the degree of the polynomial.

To illustrate how we can obtain hard multivariate polynomials from hard constant-variate polynomials, suppose g_d(x) = Σ_{i=0}^{d} α_i x^i is a hard degree d univariate polynomial. We will define a new polynomial f_n(y) on n := ⌊log d⌋ + 1 variables, where the monomials of f_n correspond to writing each term of g_d “in base 2.” More precisely, for each e ∈ { , }^n, let j(e) be the number whose representation in binary corresponds to e. We assign the coefficient α_{j(e)} to the monomial y^e in f_n. To show that f_n is hard, we show the contrapositive: a small circuit for f_n implies a small circuit for g_d, which contradicts the hardness of g_d.
The proof of this is relatively straightforward, as we simply find a way to substitute powers of x for each y_i so that the monomial y^e is mapped to x^{j(e)}.

In the case where g_d is a polynomial in multiple variables, we simultaneously write each variable appearing in g_d “in base 2.” We remark that there is nothing a priori special about our use of base 2. However, doing so yields polynomials which are multilinear, a fact which will be useful later on.

We now make the preceding sketch precise, showing that lower bounds in the constant-variate regime imply comparable lower bounds in the multivariate regime.

Lemma 2.6.
Let g_{m,d}(x) = Σ_a α_a x^a be a strongly t(m, d)-explicit m-variate degree d polynomial which requires circuits of size s to compute. Let j : { , }^{⌊log d⌋+1} → ⟦ ⌊log d⌋+1 ⟧ be given by j(e) = Σ_{i=1}^{⌊log d⌋+1} e_i i−1 , that is, j(e) is the number whose binary representation corresponds to e. Let y = (y_{ , }, . . . , y_{ ,⌊log d⌋+1}, . . . , y_{m, }, . . . , y_{m,⌊log d⌋+1}) and define

f_{m,d}(y) = Σ_{e ∈ { , }^{m×⌊log d⌋+1}} α_{(j(e_{ ,•}), ..., j(e_{m,•}))} y^e.

Then f_{m,d} is a strongly t(m, d)-explicit multilinear polynomial on m(⌊log d⌋ + 1) variables which requires circuits of size s − Θ(m log d) to compute.

Proof. The fact that f_{m,d} is multilinear is clear from the definition.

To see that f_{m,d} is hard to compute, suppose Φ is a circuit of size t which computes f_{m,d}. By applying the Kronecker substitution y_{i,j} ↦ x j i , we can recover a circuit which computes g_{m,d}(x). This mapping can be computed in size Θ(m log d) by repeated squaring, so we obtain a circuit for g_{m,d} of size t + Θ(m log d). By assumption, t + Θ(m log d) ≥ s, so t ≥ s − Θ(m log d), which proves the lower bound on the circuit complexity of f_{m,d}.

Finally, remark that the binary description of a monomial in f_{m,d} is exactly the same as the binary description of a monomial in g_{m,d}. This implies we can use the t(m, d)-time algorithm to compute the coefficients of f_{m,d}, so f_{m,d} inherits the explicitness of g_{m,d}.

Whether lower bounds in the multivariate regime imply lower bounds in the constant-variate regime is an open question.
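
The re-encoding in Lemma 2.6 and the Kronecker substitution from its proof can be run on a small instance. The following Python is an added example, not code from the paper; the prime field F_3, the sample polynomial, and all function names are assumptions chosen for illustration.

```python
# Added example, not from the paper: Lemma 2.6's base-2 re-encoding of a
# constant-variate polynomial and the Kronecker substitution that undoes it.
# The prime field F_3 and every name below are assumptions for illustration.
from itertools import product

P = 3  # all arithmetic is done modulo this prime


def num_bits(d):
    """floor(log2 d) + 1: the number of y-variables per original variable."""
    return d.bit_length()


def bits(a, width):
    """Binary digits of a, least significant first, padded to `width`."""
    return tuple((a >> k) & 1 for k in range(width))


def j(row):
    """The number whose binary representation is `row` (LSB first)."""
    return sum(bit << k for k, bit in enumerate(row))


def multilinearize(g, m, d):
    """g maps exponent tuples (a_1..a_m) to coefficients. The result maps
    0/1 matrices e (one row per x_i) to the coefficient of y^e."""
    width = num_bits(d)
    f = {}
    for a, coeff in g.items():
        if len(a) != m or sum(a) > d:
            raise ValueError("not an m-variate monomial of degree <= d")
        f[tuple(bits(ai, width) for ai in a)] = coeff % P
    return f


def kronecker(f):
    """Substitute y_{i,k} -> x_i^(2^(k-1)), monomial by monomial."""
    g = {}
    for e, coeff in f.items():
        a = tuple(j(row) for row in e)
        g[a] = (g.get(a, 0) + coeff) % P
    return {a: c for a, c in g.items() if c}


def squaring_chain(x, width):
    """x, x^2, x^4, ... mod P, the values fed to y_{i,1..width}, together
    with the number of multiplications (repeated squarings) used."""
    chain = [x % P]
    for _ in range(width - 1):
        chain.append(chain[-1] * chain[-1] % P)
    return chain, width - 1


def eval_g(g, x):
    """Evaluate the constant-variate polynomial g at the point x."""
    total = 0
    for a, coeff in g.items():
        term = coeff
        for xi, ai in zip(x, a):
            term = term * pow(xi, ai, P) % P
        total = (total + term) % P
    return total


def eval_f(f, y):
    """Evaluate the multilinear polynomial f at a matrix y of field elements."""
    total = 0
    for e, coeff in f.items():
        term = coeff
        for y_row, e_row in zip(y, e):
            for y_val, bit in zip(y_row, e_row):
                if bit:
                    term = term * y_val % P
        total = (total + term) % P
    return total


def check_lemma(g, m, d):
    """Check that the substitution recovers g as a polynomial (syntactically)
    and at every point of F_P^m; also return the squarings needed per point."""
    f = multilinearize(g, m, d)
    width = num_bits(d)
    ok = kronecker(f) == {a: c % P for a, c in g.items() if c % P}
    squarings = 0
    for x in product(range(P), repeat=m):
        chains = [squaring_chain(xi, width) for xi in x]
        squarings = sum(n for _, n in chains)
        ok = ok and eval_f(f, [c for c, _ in chains]) == eval_g(g, x)
    return ok, squarings


# Constructed sample: g(x1, x2) = 2*x1^5 + x1^3*x2^2 + 2*x1*x2^4 + 1, d = 5.
SAMPLE_G = {(5, 0): 2, (3, 2): 1, (1, 4): 2, (0, 0): 1}
```

The syntactic comparison in `check_lemma` matters because, as the introduction notes, agreeing as functions over a finite field does not imply equality as polynomials.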
In Section 6, we give complexity-theoretic evidence that suggests the technique used to prove the preceding lemma does not suffice to prove constant-variate lower bounds from multivariate lower bounds.

In Section 5, we will run into some technical issues concerning circuits which are defined over a low-degree extension of the base field F. The next lemma says that whenever a circuit Φ is defined over an extension K ⊇ F of low degree, such a circuit can in fact be defined over F without increasing its size too much. A related result was proved in Bürgisser, Clausen, and Shokrollahi [BCS97, §4.3], where the authors considered extensions K ⊇ F such that circuits defined over K have no computational advantage compared to circuits defined over F when computing a polynomial in F[x].

Lemma 2.7 ([Bür00, Proposition 4.1(iii); HY11], see also [BCS97, §4.3]). Let F be a field and let K ⊇ F be an extension of degree k. Suppose f(x) can be computed by a circuit of size s over K. Then there is a circuit of size O(k s) which computes f over F.

We conclude our preliminaries on algebraic complexity by quoting a celebrated result of Kaltofen which shows that algebraic circuits may be factored without a large increase in size.

Theorem 2.8 ([Kal89]). Let f(x) ∈ F[x] be a polynomial of degree d computable by an algebraic circuit of size s. Let g(x) ∈ F[x] be a factor of f(x). Then there is an algebraic circuit of size s′ ≤ O((snd) ) which computes
1. g(x), in the case that char F = 0, and
2. g(x)^{p^k} where k ≥ is the largest integer such that g(x)^{p^k} divides f(x), in the case that char F = p > .

We will make use of the designs of Nisan and Wigderson [NW94], specifically as they are used by Kabanets and Impagliazzo [KI04] to prove hardness-randomness tradeoffs for polynomial identity testing. Nisan and Wigderson [NW94] gave two constructions of designs: one via Reed-Solomon codes, and one via a greedy algorithm. We first quote their construction using Reed-Solomon codes, which was also recently described in work by Kumar, Saptharishi, and Tengse [KST19].

Lemma 2.9 ([NW94], see also [KST19]). Let c ≥ be a positive integer, and let n, m, ℓ, r ∈ N be such that (i) ℓ = m^c, (ii) r ≤ m, (iii) m is a prime power, and (iv) n ≤ m ( c − r . Then there is a collection of sets S , . . . , S_n ⊆ [ℓ] such that
• for each i ∈ [n], we have |S_i| = m; and
• for all distinct i, j ∈ [n], we have |S_i ∩ S_j| ≤ r.
Additionally, such a family can be deterministically constructed in poly(n) time.

We now cite the designs obtained by Nisan and Wigderson [NW94] via a greedy algorithm. In the regime where m = O(log n), this improves on the previous construction by taking the size ℓ of the ground set to be O(log n) as opposed to O(log n).

Lemma 2.10 ([NW94]). Let n and m be integers such that n < m. There exists a family of sets S , . . . , S_n ⊆ [ℓ] such that
1. ℓ = O(m / log(n)),
2. for each i ∈ [n], we have |S_i| = m; and
3. for all distinct i, j ∈ [n], we have |S_i ∩ S_j| ≤ log(n).
Such a family of sets can be deterministically constructed in time poly(n, ℓ).

In extending the analysis of the Kabanets-Impagliazzo generator to low characteristic fields, we will make use of Lemma 2.10. Our use of Lemma 2.9 will arise when we combine the hardness versus randomness paradigm with the bootstrapping phenomenon. In that setting, we will apply Lemma 2.9 with c = O(1) and r = O(1). Compared to Lemma 2.10, this yields sets with much smaller intersection size, though the number of sets is only m^{O(1)} as opposed to m.

To cleanly state some of our results, we need the notion of a perfect field. Namely, given a circuit Φ which computes f(x)^p ∈ F[x], we will construct in Section 3 a circuit Ψ which computes f(x). This construction takes pth roots of field elements α ∈ F, which are not always guaranteed to exist in F. To ensure Ψ is defined over the base field F, we require that F is closed under taking pth roots, which is equivalent to requiring that F is perfect.

Definition 2.11.
A field F is called perfect if either F has characteristic 0 or F has characteristic p > and the map α ↦ α^p is an automorphism of F. If F has characteristic p > , then the perfect closure of F, denoted F^{p^{−∞}}, is the smallest field containing F which is closed under taking pth roots. ♦

It is a basic fact that perfect closures exist.
Fact 2.12.
Every field F of characteristic p > has a perfect closure F p −∞ . ♦ Informally, one can prove this by adjoining “enough” p th roots to the field F . That is, for each α ∈ F , we introduce a countable collection of new field elements denoted by ( α, n ) for n ∈ N , wherethe element ( α, n ) is meant to represent α p − n . We then take a quotient by a suitable equivalencerelation; for example, if α p = β , then we regard ( α, n ) and ( β, n + 1) as equivalent for all n ∈ N . Onemust then verify that the resulting object is in fact a field and is (up to isomorphism) the perfect9losure of F . More formally, the perfect closure can be constructed as the direct limit of a particular direct system of fields. We refer the reader to Bourbaki [Bou90, Chapter 5, §1] for the details of thisconstruction.Examples of perfect fields of positive characteristic include all finite fields and all algebraicallyclosed fields of positive characteristic. A non-example is given by F p m ( x ) , the field of rationalfunctions in n variables with coefficients in F p m , where F p m is the finite field of size p m . The field F p m ( x ) fails to be perfect due to the fact that x /p / ∈ F p m ( x ) , so x is not in the image of the map α (cid:55)→ α p .For more details on perfect fields, we refer the reader to any text on field theory, e.g., Roman[Rom06, Chapter 3]. p th Roots of Algebraic Computation
Suppose $\mathbb{F}$ is a field of characteristic $p > 0$ and $\Phi$ is a circuit which computes $f(x)^p$ for a polynomial $f(x)$. If we want to obtain a circuit which computes $f(x)$, then Theorem 2.8 does not suffice. In this section, we will describe a simple transformation of $\Phi$ which yields a circuit computing $f(x)$. This is the main technical step that will allow us to obtain hardness-randomness tradeoffs over fields of low characteristic.

In general, this transformation will incur an exponential blow-up in the size of $\Phi$. If the original circuit computes a polynomial on $n$ variables, then the new circuit we build will be larger in size by a factor of about $p^{n}$. In particular, if our input is a circuit on a constant number of variables, then we only increase the size of the circuit by a constant factor. The fact that this transformation is efficient in the constant-variate regime is exactly the reason we need to use hardness of constant-variate families of polynomials as opposed to a family of hard multilinear polynomials.

Before describing the construction for circuits on an arbitrary number of variables, we first examine the case of univariate polynomials. Let $\mathbb{F}$ be a field of characteristic $p > 0$ and let $f(x) \in \mathbb{F}[x]$ be a univariate polynomial. We start by grouping the monomials of $f$ by their degree modulo $p$, which allows us to write

$$f(x) = \sum_{i=0}^{p-1} \tilde{f}_i(x)\, x^i,$$

where each $\tilde{f}_i(x)$ is a univariate polynomial in $x$ which is only supported on $p$th powers of $x$. That is, the term $\tilde{f}_i(x) x^i$ corresponds exactly to the monomials in $f(x)$ whose degree in $x$ is congruent to $i$ modulo $p$. Recall that over a field of characteristic $p > 0$, we have the identity $(a + b)^p = a^p + b^p$. Since $\tilde{f}_i(x)$ is a sum of $p$th powers of $x$, we can write

$$\tilde{f}_i(x) = \sum_{j=0}^{d_i} \alpha_{i,j}\, x^{jp} = \Bigl( \sum_{j=0}^{d_i} \alpha_{i,j}^{1/p}\, x^{j} \Bigr)^{p}.$$

This expresses $\tilde{f}_i(x)$ as a $p$th power of the polynomial $f_i(x) := \sum_{j=0}^{d_i} \alpha_{i,j}^{1/p} x^j$. In general, $f_i$ may not be well-defined over $\mathbb{F}$, as the coefficients $\alpha_{i,j}^{1/p}$ may not exist in $\mathbb{F}$. However, $\alpha_{i,j}^{1/p} \in \mathbb{F}^{p^{-\infty}}$, the perfect closure of $\mathbb{F}$, so $f_i$ is well-defined over $\mathbb{F}^{p^{-\infty}}$.

With this, we can write

$$f(x) = \sum_{i=0}^{p-1} f_i(x)^p\, x^i.$$

We refer to such an expression as the mod-$p$ decomposition of $f$. This motivates the following definition, which generalizes this decomposition to the case of multivariate polynomials.

Definition 3.1.
Let $f(x) \in \mathbb{F}[x]$. The mod-$p$ decomposition of $f(x)$ is the collection of polynomials $\{ f_a(x) : a \in \llbracket p \rrbracket^n \}$ such that

$$f(x) = \sum_{a \in \llbracket p \rrbracket^n} f_a(x)^p\, x^a. \qquad ♦$$

Over a perfect field $\mathbb{F}$ of characteristic $p > 0$, the existence of the mod-$p$ decomposition follows from the fact that any polynomial of the form $\sum_a \alpha_a x^{p \cdot a}$ has a $p$th root, given by $\sum_a \alpha_a^{1/p} x^a$. Here, we use the fact that $\mathbb{F}$ is perfect to guarantee the constants $\alpha_a^{1/p}$ exist in $\mathbb{F}$. Uniqueness of the decomposition follows from the fact that the monomials $\{ x^a : a \in \mathbb{N}^n \}$ form a basis for $\mathbb{F}[x]$. We record this observation as a lemma.

Lemma 3.2.
Let $\mathbb{F}$ be a field of characteristic $p > 0$ and let $f, g \in \mathbb{F}[x]$. Let $\{ f_a : a \in \llbracket p \rrbracket^n \}$ and $\{ g_a : a \in \llbracket p \rrbracket^n \}$ be the mod-$p$ decompositions of $f$ and $g$, respectively. Then $f = g$ if and only if $f_a = g_a$ for all $a \in \llbracket p \rrbracket^n$.

The utility of the mod-$p$ decomposition becomes apparent when $f(x)$ is itself a $p$th power. In this case, $f$ itself is a sum of $p$th powers of monomials in the variables $x_1, \ldots, x_n$, so we have $f(x) = f_0(x)^p$. Given a circuit $\Phi$ which computes $f$, suppose we could transform $\Phi$ into a new circuit $\Psi$ which computes the mod-$p$ decomposition of $f$. Then to compute $f(x)^{1/p}$, we simply construct the circuit $\Psi$ and set $f_0(x) = f(x)^{1/p}$ to be the output.

Before continuing on, we record a straightforward lemma about how the mod-$p$ decomposition behaves with respect to addition and multiplication.

Lemma 3.3.
Let $\mathbb{F}$ be a perfect field of characteristic $p > 0$. Let $f, g \in \mathbb{F}[x]$, and let $\{ f_a : a \in \llbracket p \rrbracket^n \}$ and $\{ g_a : a \in \llbracket p \rrbracket^n \}$ be the mod-$p$ decompositions of $f$ and $g$, respectively. Let $h = \alpha f + \beta g$ and $q = \gamma f g$ for $\alpha, \beta, \gamma \in \mathbb{F}$. Let $\{ h_a : a \in \llbracket p \rrbracket^n \}$ and $\{ q_a : a \in \llbracket p \rrbracket^n \}$ be the mod-$p$ decompositions of $h$ and $q$. Then for all $a \in \llbracket p \rrbracket^n$, we have

$$h_a = \alpha^{1/p} f_a + \beta^{1/p} g_a$$

and

$$q_a = \gamma^{1/p} \sum_{\substack{b, c \in \llbracket p \rrbracket^n \\ b + c \equiv a \bmod p}} f_b\, g_c\, x^{\frac{b + c - a}{p}},$$

where the sum and congruence $b + c \equiv a \bmod p$ are performed component-wise.

Proof. By expanding the equality $h = \alpha f + \beta g$ in the mod-$p$ decomposition and using the fact that $(a + b)^p = a^p + b^p$, we obtain

$$\sum_{a \in \llbracket p \rrbracket^n} h_a(x)^p x^a = \alpha \sum_{a \in \llbracket p \rrbracket^n} f_a(x)^p x^a + \beta \sum_{a \in \llbracket p \rrbracket^n} g_a(x)^p x^a = \sum_{a \in \llbracket p \rrbracket^n} \bigl( \alpha^{1/p} f_a(x) + \beta^{1/p} g_a(x) \bigr)^p x^a.$$

Lemma 3.2 implies that $h_a = \alpha^{1/p} f_a + \beta^{1/p} g_a$ as claimed.

For $q(x)$, we again expand the equality $q = \gamma f g$ in the mod-$p$ decomposition to obtain

$$\sum_{a \in \llbracket p \rrbracket^n} q_a(x)^p x^a = \gamma \Bigl( \sum_{a \in \llbracket p \rrbracket^n} f_a(x)^p x^a \Bigr) \Bigl( \sum_{a \in \llbracket p \rrbracket^n} g_a(x)^p x^a \Bigr) = \gamma \sum_{b, c \in \llbracket p \rrbracket^n} f_b(x)^p g_c(x)^p x^{b + c} = \sum_{a \in \llbracket p \rrbracket^n} \Bigl( \gamma^{1/p} \sum_{\substack{b, c \in \llbracket p \rrbracket^n \\ b + c \equiv a \bmod p}} f_b(x)\, g_c(x)\, x^{\frac{b + c - a}{p}} \Bigr)^p x^a.$$

Once more, Lemma 3.2 implies that

$$q_a = \gamma^{1/p} \sum_{\substack{b, c \in \llbracket p \rrbracket^n \\ b + c \equiv a \bmod p}} f_b\, g_c\, x^{\frac{b + c - a}{p}}$$

as claimed.

We start by implementing the strategy outlined above in the case of algebraic circuits. Throughout this and subsequent sections, $\Phi$ and $\Psi$ will denote algebraic circuits, formulae, or branching programs, and $v$, $u$, and $w$ will denote gates in these circuits. We will frequently refer to the polynomial computed at a gate $v$, which we denote by $\hat{v}$. For $a \in \llbracket p \rrbracket^n$, we write $\hat{v}_a$ for the part of the mod-$p$ decomposition of $\hat{v}$ indexed by $a$.

Lemma 3.4.
Let $\mathbb{F}$ be a field of characteristic $p > 0$. Let $\Phi$ be an algebraic circuit of size $s$ which computes a polynomial $f(x) \in \mathbb{F}[x]$ and let $\{ f_a : a \in \llbracket p \rrbracket^n \}$ be the mod-$p$ decomposition of $f$. Then there is a circuit $\Psi$ of size $sp^{n} + 2^{n}$ which simultaneously computes $\{ f_a : a \in \llbracket p \rrbracket^n \}$ over $\mathbb{F}^{p^{-\infty}}$, the perfect closure of $\mathbb{F}$.

Proof. To construct the desired circuit $\Psi$, we will split each gate $v$ of $\Phi$ into pieces $\{ (v, a) : a \in \llbracket p \rrbracket^n \}$ and wire $\Psi$ so that $(v, a)$ computes $\hat{v}_a$. As $\Phi$ computes $f(x)$, this implies that $\Psi$ will contain gates computing $f_a(x)$ for all $a \in \llbracket p \rrbracket^n$. To wire each gate $(v, a)$ in $\Psi$, we consider the type of the gate $v$ in $\Phi$.

• First, suppose $v$ is an input gate in $\Phi$ labeled by a constant $\alpha \in \mathbb{F}$. In this case, we set $(v, 0) = \alpha^{1/p}$ and $(v, a) = 0$ for $a \neq 0$. By definition, $\mathbb{F}^{p^{-\infty}}$ contains $\alpha^{1/p}$, so this is valid over $\mathbb{F}^{p^{-\infty}}$. It follows from the definition of $\hat{v}_a$ that $(v, a)$ correctly computes $\hat{v}_a$.

• If $v$ is an input gate labeled by the variable $x_i$, let $e_i$ denote the vector with a 1 in the $i$th slot and zero elsewhere. We set $(v, e_i) = 1$ and $(v, a) = 0$ for $a \neq e_i$. Again, it follows immediately from the definition of $\hat{v}_a$ that $(v, a)$ correctly computes $\hat{v}_a$.

• Suppose now that $v$ is an addition gate in $\Phi$ with children $u$ and $w$ with incoming edges labeled $\alpha_u$ and $\alpha_w$. For each $a \in \llbracket p \rrbracket^n$, we set $(v, a) = \alpha_u^{1/p} \cdot (u, a) + \alpha_w^{1/p} \cdot (w, a)$. By induction, $(u, a)$ and $(w, a)$ correctly compute $\hat{u}_a$ and $\hat{w}_a$, respectively. Lemma 3.3 then implies that $(v, a)$ correctly computes $\hat{v}_a$.

• Finally, we consider the case where $v$ is a multiplication gate in $\Phi$ with children $u$ and $w$ with incoming edges labeled $\alpha_u$ and $\alpha_w$. For $a \in \llbracket p \rrbracket^n$, we set

$$(v, a) = \alpha_u^{1/p} \alpha_w^{1/p} \sum_{\substack{b, c \in \llbracket p \rrbracket^n \\ b + c \equiv a \pmod p}} (u, b) \cdot (w, c) \cdot x^{\frac{b + c - a}{p}},$$

where vector addition and congruence of vectors is performed coordinate-wise. Note that since $b + c \equiv a \bmod p$, the vector $\frac{1}{p}(b + c - a)$ is in fact an integer vector. Moreover, since $b + c \in \{0, \ldots, 2p - 2\}^n$, it follows that $b + c - a \in \{0, p\}^n$, so $\frac{1}{p}(b + c - a) \in \{0, 1\}^n$ is a zero-one vector. Via induction, $(u, b)$ and $(w, c)$ correctly compute $\hat{u}_b$ and $\hat{w}_c$, respectively. From this and Lemma 3.3, it follows that $(v, a)$ correctly computes $\hat{v}_a$.

As previously remarked, since $\Phi$ computes $f(x)$, for every $a \in \llbracket p \rrbracket^n$ there is a gate in $\Psi$ which computes $f_a(x)$, so $\Psi$ correctly computes all components of the mod-$p$ decomposition of $f$. It remains to bound the size of $\Psi$.

For every gate in $\Phi$, we construct $p^n$ gates of the form $(v, a)$ in $\Psi$. In the case that $v$ is a multiplication gate, we need extra intermediate hardware to compute the summation $(v, a) = \sum_{b + c \equiv a \pmod p} (u, b) \cdot (w, c) \cdot x^{\frac{b + c - a}{p}}$. This can be done with $p^{n}$ summation gates and $p^{n}$ multiplication gates. We also need $n$ gates to compute the products $x^e$ for $e \in \{0, 1\}^n$. Since $\Psi$ is a circuit, we only need to pay for these gates once, as we can reuse them for all the multiplication computations. In total, each multiplication gate incurs an extra cost of $p^{n}$ gates.

This implies each gate in $\Phi$ gives rise to at most $p^{n}$ gates in $\Psi$. As there are $s$ gates in $\Phi$, there are at most $sp^{n} + 2^{n}$ gates in $\Psi$.

Remark 3.5.
In the above construction, rather than using the perfect closure, the resulting circuit can be defined over an extension $\mathbb{K} \supseteq \mathbb{F}$ of finite degree. This can be done by adjoining to $\mathbb{F}$ all $p$th roots of constants which appear in $\Phi$. The degree of this extension may be exponential in $s$ in the worst case. ♦

We can now use the construction of Lemma 3.4 to take $p$th roots of circuits which compute a $p$th power over a field of characteristic $p$.

Corollary 3.6.
Let $\mathbb{F}$ be a field of characteristic $p > 0$. Let $\Phi$ be an algebraic circuit of size $s$ which computes a polynomial $f(x)^p \in \mathbb{F}[x]$. Then there is a circuit $\Psi$ of size $sp^{n} + 2^{n}$ which computes $f(x)$ over $\mathbb{F}^{p^{-\infty}}$, the perfect closure of $\mathbb{F}$.

Proof. By Lemma 3.4, there is a circuit $\Psi$ of the claimed size which computes $(f(x)^p)_0$. It follows from the definition of the mod-$p$ decomposition that $f(x) = (f(x)^p)_0$, so $\Psi$ computes $f(x)$ as desired.

Remark 3.7. If $n = O(\log_p s)$, then Corollary 3.6 shows that if $f^p$ is computable in size $s$, then $f$ is computable in size $s^{O(1)}$. While the log-variate regime may appear as a somewhat artificial intermediary between the constant-variate and full multivariate regimes, it is a meaningful setting to study due to various corollaries of the bootstrapping results. For example, Forbes, Ghosh, and Saxena [FGS18] recently studied the problem of designing explicit hitting sets for log-variate depth-three diagonal circuits. ♦

3.2 Formulae

It is natural to ask if the mod-$p$ decomposition allows us to efficiently take $p$th roots in other models of algebraic computation. We address this question first in the case of algebraic formulae, and subsequently for algebraic branching programs. For the reader who is solely interested in the application of the mod-$p$ decomposition and Corollary 3.6 to hardness-randomness tradeoffs, it is safe to skip ahead to Section 4. Before continuing on, we make an important remark regarding formulae and branching programs for univariate polynomials.

Remark 3.8.
In the univariate regime, our results (as stated) for formulae and branching programs are not as meaningful as the result for circuits. A formula or ABP of size $s$ can only compute a polynomial of degree $d \le s$, so any formula or ABP computing a degree $d$ univariate polynomial must have size at least $d$. For univariate polynomials, Horner's rule supplies a matching $O(d)$ upper bound. Thus, the $p$th root of a univariate polynomial which has complexity $s$ can be computed by a device of size $s/p$, which is much stronger than what we will obtain in Corollary 3.10 and Corollary 3.12.

However, if one modifies the model of formulae (or branching programs) to allow leaves (or edges) labeled by a power of a variable $x_i^j$, then the trivial $\Omega(d)$ lower bound no longer holds. Our techniques can be adapted to this stronger model with little modification, where the upper bounds we obtain are less trivial. ♦

We now show how one can compute the mod-$p$ decomposition of an algebraic formula. We essentially do this by applying the transformation of Lemma 3.4 and arguing that we can convert the resulting circuit into a formula without increasing its size too much. To do this, we need some additional bookkeeping to ensure that the underlying graph of the resulting computation is a tree. We borrow this style of bookkeeping from Raz [Raz13], who used it for improved homogenization and multilinearization of formulae. Alternatively, one can use the fact that formulae of size $s$ can be rebalanced to have depth $O(\log s)$ and then analyze the increase in depth incurred in the proof of Lemma 3.4.

Lemma 3.9.
Let $\mathbb{F}$ be a field of characteristic $p > 0$. Let $\Phi$ be an algebraic formula of size $s$ and product depth $d$ which computes a polynomial $f(x) \in \mathbb{F}[x]$ and let $\{ f_a : a \in \llbracket p \rrbracket^n \}$ be the mod-$p$ decomposition of $f$. Then there is a formula $\Psi$ of size $snp^{n(d+3)}$ and product depth $d + \lceil \log n \rceil$ which simultaneously computes $\{ f_a : a \in \llbracket p \rrbracket^n \}$ over $\mathbb{F}^{p^{-\infty}}$, the perfect closure of $\mathbb{F}$.

Proof. As in Lemma 3.4, we will split each gate $v$ of $\Phi$ into pieces which compute components of the mod-$p$ decomposition of $\hat{v}$. However, we will need a much larger number of copies of $v$ to ensure that the resulting circuit $\Psi$ is in fact a formula.

We first set up some notation, borrowing heavily from Raz [Raz13]. For a gate $v$ in $\Phi$, let $\operatorname{path}(v)$ denote the set of all vertices on the path from $v$ to the root of $\Phi$, including $v$ itself. Let $N_v$ denote the set of all functions $T : \operatorname{path}(v) \to \llbracket p \rrbracket^n$ such that for all $u, w \in \operatorname{path}(v)$ where $u$ is a sum gate with child $w$, we have $T(u) = T(w)$. Informally, the map $T$ encodes the progression of types in the mod-$p$ decomposition seen as the computation progresses through the formula.

For each gate $v$ in $\Phi$, we create a collection of gates $\{ (v, a, T) : a \in \llbracket p \rrbracket^n, T \in N_v, T(v) = a \}$. We will wire the gates of $\Psi$ so that $(v, a, T)$ computes $\hat{v}_a$. As before, to wire the gates of $\Psi$ correctly, we consider what type of gate $v$ is in $\Phi$. The construction only differs meaningfully from that of Lemma 3.4 in the case of multiplication gates.

• If $v$ is an input gate in $\Phi$ labeled by $\alpha \in \mathbb{F}$, then we set $(v, 0, T) = \alpha^{1/p}$ and $(v, a, T) = 0$ for $a \neq 0$. As $\alpha^{1/p} \in \mathbb{F}^{p^{-\infty}}$, this produces a valid circuit over $\mathbb{F}^{p^{-\infty}}$. It is immediate from the definition that $(v, a, T)$ correctly computes $\hat{v}_a$.

• If $v$ is an input gate labeled by the variable $x_i$, let $e_i$ denote the vector with a 1 in the $i$th slot and zero elsewhere. We set $(v, e_i, T) = 1$ and $(v, a, T) = 0$ for $a \neq e_i$. Once more, it is an immediate consequence of the definition that $(v, a, T)$ correctly computes $\hat{v}_a$.

• Suppose now that $v$ is an addition gate with children $u$ and $w$ with incoming edges labeled $\alpha_u$ and $\alpha_w$. For each $a \in \{0, \ldots, p - 1\}^n$ and $T \in N_v$, we set $(v, a, T) = \alpha_u^{1/p} \cdot (u, a, T_u) + \alpha_w^{1/p} \cdot (w, a, T_w)$, where $T_u \in N_u$ and $T_w \in N_w$ extend $T$ and satisfy $T(v) = T_u(u) = T_w(w)$. By induction, $(u, a, T_u)$ and $(w, a, T_w)$ correctly compute $\hat{u}_a$ and $\hat{w}_a$, respectively. By Lemma 3.3, it follows that $(v, a, T)$ correctly computes $\hat{v}_a$.

• Finally, consider the case when $v$ is a multiplication gate with children $u$ and $w$ with incoming edges labeled $\alpha_u$ and $\alpha_w$. We set

$$(v, a, T) = \alpha_u^{1/p} \alpha_w^{1/p} \sum_{b + c \equiv a \pmod p} (u, b, T_{u,b}) \cdot (w, c, T_{w,c}) \cdot x^{\frac{b + c - a}{p}},$$

where $T_{u,b}$ (respectively $T_{w,c}$) extends $T$ and satisfies $T_{u,b}(u) = b$ (respectively $T_{w,c}(w) = c$). By induction, $(u, b, T_{u,b})$ and $(w, c, T_{w,c})$ compute $\hat{u}_b$ and $\hat{w}_c$, respectively. Lemma 3.3 implies that $(v, a, T)$ correctly computes $\hat{v}_a$.

By construction, $\Psi$ correctly computes $\{ f_a : a \in \llbracket p \rrbracket^n \}$. It remains to bound the size and product depth of $\Psi$ and show that $\Psi$ is indeed a formula.

Each gate $v$ in $\Phi$ yields $p^n |N_v|$ gates of the form $(v, a, T)$ in $\Psi$. If $v$ is a multiplication gate with children $u$ and $w$, we need to implement the sum over the children $(u, b, T_u)$ and $(w, c, T_w)$. For a given $e \in \{0, 1\}^n$, we can compute $x^e$ using a subformula of size at most $n$. To compute $(v, a, T)$, we need $p^n$ summation gates and $p^n$ multiplication gates in addition to the gates computing $(u, b, T_u)$, $(w, c, T_w)$, and $x^e$. This implies that we can compute $(v, a, T)$ using at most $np^{n}$ extra gates. Thus, for every gate $v$ in $\Phi$, we create at most $np^{n} |N_v|$ gates in $\Psi$.

To bound the size of $N_v$, note that a function $T \in N_v$ can only change values along $\operatorname{path}(v)$ at multiplication gates. Since there are at most $d$ multiplication gates along $\operatorname{path}(v)$, we can specify $T$ by a $(d + 1)$-tuple of elements of $\llbracket p \rrbracket^n$, corresponding to the values taken by $T$ between successive multiplication gates. This implies $|N_v| \le p^{n(d+1)}$. Thus $\Psi$ contains at most $snp^{n(d+3)}$ gates.

It follows from the definition of $\Psi$ that the product depth of $\Psi$ is $d + \lceil \log n \rceil$, as the number of product gates on any path from a leaf to the root increases by at most an additive $\lceil \log n \rceil$. This arises from the need to implement a product of the form $x^e$ at gates of $\Psi$ which correspond to multiplication gates in $\Phi$. As we need to compute a product of this form at most once along every path from the root to a leaf, we only incur an additive $\lceil \log n \rceil$ increase in product depth as opposed to a multiplicative increase.

To see that $\Psi$ is a formula, consider the edges leaving the gate $(u, a, T)$. Let $v$ denote the parent of $u$ in $\Psi$. If $v$ is an addition gate, then only $(v, a, T_v)$ receives an edge from $(u, a, T)$ where $T_v \in N_v$ agrees with $T$ on $\operatorname{path}(v)$. If $v$ is a multiplication gate, then only $(v, T(v), T_v)$ receives an edge from $(u, a, T)$ where $T_v \in N_v$ agrees with $T$ on $\operatorname{path}(v)$. In both cases, the fan-out of the gate $u$ is 1, so $\Psi$ is in fact a formula.

As with circuits, we can use Lemma 3.9 to compute $p$th roots of formulae which compute a $p$th power over a field of characteristic $p > 0$.

Corollary 3.10. Let $\mathbb{F}$ be a field of characteristic $p > 0$. Let $\Phi$ be an algebraic formula of size $s$ and product depth $d$ which computes a polynomial $f(x)^p \in \mathbb{F}[x]$. Then there is a formula $\Psi$ of size $snp^{n(d+3)}$ and product depth $d + \lceil \log n \rceil$ which computes $f(x)$ over $\mathbb{F}^{p^{-\infty}}$, the perfect closure of $\mathbb{F}$.

Proof. Analogous to the proof of Corollary 3.6.
We now consider the task of taking $p$th roots of algebraic branching programs. We consider the model of branching programs where edges may only be labeled by a constant $\alpha \in \mathbb{F}$ or a multiple of a variable $\alpha x_i$. Some authors allow the edges of a branching program to be labeled by an affine form $\ell(x) = \alpha_0 + \sum_{i=1}^{n} \alpha_i x_i$. Such a branching program can be converted to one whose edges are labeled by field constants or multiples of a variable. This transformation increases the number of vertices by a factor of $O(n)$, which is small compared to the increase in size we will incur by taking a $p$th root.

We begin by computing the mod-$p$ decomposition of an algebraic branching program.

Lemma 3.11.
Let $\mathbb{F}$ be a field of characteristic $p > 0$. Let $\Phi$ be an algebraic branching program on $s$ vertices with edges labeled by variables or field constants which computes a polynomial $f(x) \in \mathbb{F}[x]$ and let $\{ f_a : a \in \llbracket p \rrbracket^n \}$ be the mod-$p$ decomposition of $f$. Then there is an algebraic branching program $\Psi$ on $sp^n$ vertices which simultaneously computes $\{ f_a : a \in \llbracket p \rrbracket^n \}$ over $\mathbb{F}^{p^{-\infty}}$, the perfect closure of $\mathbb{F}$.

Proof. For each node $v$ in $\Phi$, we create a collection of nodes $\{ (v, a) : a \in \llbracket p \rrbracket^n \}$ in $\Psi$. We will wire the nodes of $\Psi$ so that $(v, a)$ computes $\hat{v}_a$.

For a pair of vertices $u$ and $v$, let $\ell(u, v)$ denote the label of the edge between $u$ and $v$. Let $N_{\mathrm{in}}(v)$ denote the set of vertices $w$ such that the edge $(w, v)$ is present in $\Phi$.

Let $u$ and $v$ be two nodes in $\Phi$ and suppose there is an edge from $u$ to $v$ in $\Phi$. We consider two cases, depending on whether this edge is labeled by a constant $\alpha \in \mathbb{F}$ or a multiple of a variable $\alpha x_i$.

• Suppose the edge from $u$ to $v$ is labeled by $\alpha \in \mathbb{F}$. For all $a \in \llbracket p \rrbracket^n$, we add an edge between $(u, a)$ and $(v, a)$ labeled by $\alpha^{1/p}$. Since $\alpha^{1/p} \in \mathbb{F}^{p^{-\infty}}$, this construction is valid over the perfect closure $\mathbb{F}^{p^{-\infty}}$ of $\mathbb{F}$.

• Suppose the edge from $u$ to $v$ is labeled by $\alpha x_i$, where $\alpha \in \mathbb{F}$. Denote by $e_i$ the vector which has a 1 in the $i$th slot and zeroes elsewhere. For all $a \in \llbracket p \rrbracket^n$, we add an edge between $(u, a)$ and $(v, a + e_i)$, where the addition $a + e_i$ is performed modulo $p$. If $a_i < p - 1$, we label this edge with $\alpha^{1/p}$. If $a_i = p - 1$, we label this edge with $\alpha^{1/p} x_i$. Again, $\alpha^{1/p} \in \mathbb{F}^{p^{-\infty}}$ by definition, so this construction is valid.

To see that this construction is correct, let $v$ be a node in $\Phi$. By the definition of an algebraic branching program, we have

$$\hat{v} = \sum_{u \in N_{\mathrm{in}}(v)} \ell(u, v) \cdot \hat{u}.$$

Repeatedly applying the addition case of Lemma 3.3 yields, for each $a \in \llbracket p \rrbracket^n$,

$$\hat{v}_a = \sum_{u \in N_{\mathrm{in}}(v)} (\ell(u, v) \cdot \hat{u})_a.$$

If $\ell(u, v) = \alpha \in \mathbb{F}$, then we have $(\ell(u, v) \cdot \hat{u})_a = \alpha^{1/p} \hat{u}_a$. If $\ell(u, v) = \alpha x_i$, then if $a_i > 0$, we have $(\ell(u, v) \cdot \hat{u})_a = \alpha^{1/p} \hat{u}_{a - e_i}$. Otherwise, $a_i = 0$, so $(\ell(u, v) \cdot \hat{u})_a = \alpha^{1/p} \hat{u}_{a - e_i} x_i$, where the subtraction $a - e_i$ is done modulo $p$.

By induction, $(u, a)$ correctly computes $\hat{u}_a$. From our construction of $\Psi$, if $(u, v)$ is an edge in $\Phi$, then $(v, a)$ has an incoming edge which computes $(\ell(u, v) \cdot \hat{u})_a$. This implies that $(v, a)$ computes the polynomial $\sum_{u \in N_{\mathrm{in}}(v)} (\ell(u, v) \cdot \hat{u})_a = \hat{v}_a$, which is what we want.

Thus, $\Psi$ simultaneously computes $\{ f_a : a \in \llbracket p \rrbracket^n \}$. Every node in $\Phi$ corresponds to $p^n$ nodes in $\Psi$. Unlike the cases of circuits and formulae, we do not need extra hardware to implement intermediate calculations, so $\Psi$ consists of $sp^n$ nodes as claimed.

Again, as in the case of circuits and formulae, this immediately yields a way to compute $p$th roots of algebraic branching programs which compute a $p$th power over a field of characteristic $p > 0$.

Corollary 3.12.
Let $\mathbb{F}$ be a field of characteristic $p > 0$. Let $\Phi$ be an algebraic branching program on $s$ vertices with edges labeled by variables or field constants which computes a polynomial $f(x)^p \in \mathbb{F}[x]$. Then there is an algebraic branching program $\Psi$ on $sp^n$ vertices which computes $f(x)$ over $\mathbb{F}^{p^{-\infty}}$, the perfect closure of $\mathbb{F}$.

Proof. Analogous to the proof of Corollary 3.6.
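The gate-by-gate wiring of Lemma 3.4 and the root extraction of Corollary 3.6, as an added example that is not code from the paper. It assumes the prime field $\mathbb{F}_3$ with $n = 2$ variables (constructed choices), where $\alpha^{1/p} = \alpha$ for every constant so no passage to the perfect closure is needed; the gate encoding, the function names and the sample circuit are assumptions of this example.

```python
from itertools import product

P, N = 3, 2                                  # constructed choice: F_3, variables x_1, x_2
IDX = list(product(range(P), repeat=N))      # the index set [[p]]^n
ZERO = (0,) * N

# A polynomial over F_P is a dict {exponent tuple: nonzero coefficient}.

def add(f, g, alpha=1, beta=1):
    """Return alpha*f + beta*g with zero terms dropped."""
    h = {}
    for poly, coeff in ((f, alpha), (g, beta)):
        for e, v in poly.items():
            h[e] = (h.get(e, 0) + coeff * v) % P
    return {e: v for e, v in h.items() if v}

def mul(f, g, gamma=1):
    """Return gamma*f*g with zero terms dropped."""
    h = {}
    for (e1, v1), (e2, v2) in product(f.items(), g.items()):
        e = tuple(x + y for x, y in zip(e1, e2))
        h[e] = (h.get(e, 0) + gamma * v1 * v2) % P
    return {e: v for e, v in h.items() if v}

def unit(i):
    """The vector e_i: 1 in slot i, zero elsewhere."""
    return tuple(int(j == i) for j in range(N))

def decompose(f):
    """Direct mod-p decomposition f = sum_a f_a^p x^a, read off the monomials.
    Over the prime field F_P the p-th root of a coefficient is the coefficient."""
    parts = {a: {} for a in IDX}
    for e, v in f.items():
        parts[tuple(x % P for x in e)][tuple(x // P for x in e)] = v
    return parts

# Gates (hypothetical encoding): ("const", alpha), ("var", i),
# ("add", u, w, alpha_u, alpha_w), ("mul", u, w, alpha_u, alpha_w),
# where u and w are indices of earlier gates and alpha_* are edge labels.

def expand(circuit):
    """Polynomial computed at every gate of the original circuit Phi."""
    out = []
    for gate in circuit:
        if gate[0] == "const":
            out.append({ZERO: gate[1] % P} if gate[1] % P else {})
        elif gate[0] == "var":
            out.append({unit(gate[1]): 1})
        else:
            kind, u, w, au, aw = gate
            out.append(add(out[u], out[w], au, aw) if kind == "add"
                       else mul(out[u], out[w], au * aw))
    return out

def split(circuit):
    """Pieces (v, a) for every gate v, wired by the four cases of Lemma 3.4."""
    out = []
    for gate in circuit:
        parts = {a: {} for a in IDX}
        if gate[0] == "const":
            if gate[1] % P:
                parts[ZERO] = {ZERO: gate[1] % P}       # (v, 0) = alpha^(1/p)
        elif gate[0] == "var":
            parts[unit(gate[1])] = {ZERO: 1}            # (v, e_i) = 1
        elif gate[0] == "add":
            _, u, w, au, aw = gate
            parts = {a: add(out[u][a], out[w][a], au, aw) for a in IDX}
        else:
            _, u, w, au, aw = gate
            for b, c in product(IDX, IDX):
                a = tuple((x + y) % P for x, y in zip(b, c))
                carry = tuple((x + y) // P for x, y in zip(b, c))   # (b+c-a)/p, a 0/1 vector
                term = mul(mul(out[u][b], out[w][c], au * aw), {carry: 1})
                parts[a] = add(parts[a], term)
        out.append(parts)
    return out

def pth_root(circuit):
    """Component 0 at the output gate if the output is a p-th power, else None."""
    parts = split(circuit)[-1]
    if any(parts[a] for a in IDX if a != ZERO):
        return None
    return parts[ZERO]

# Constructed sample: f = x_1 + 2*x_2 + 1, then f^3 by two multiplication gates.
F_GATES = [("var", 0), ("var", 1), ("const", 1),
           ("add", 0, 1, 1, 2), ("add", 3, 2, 1, 1)]
CUBE = F_GATES + [("mul", 4, 4, 1, 1), ("mul", 5, 4, 1, 1)]

if __name__ == "__main__":
    print(expand(CUBE)[-1])
    print(pth_root(CUBE))
```

`split` never expands the output polynomial: each piece is built only from the pieces of the gate's children, which is what keeps the blow-up per gate bounded in terms of $p$ and $n$ alone.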
With our main technical tool in hand, we move on to our first application. The hitting set generator of Kabanets and Impagliazzo [KI04] was the first to provide hardness-randomness tradeoffs for polynomial identity testing over fields of characteristic zero. Over fields of characteristic $p > 0$, Kabanets and Impagliazzo obtain hardness-randomness tradeoffs under non-standard hardness assumptions. Namely, they require an explicit family of polynomials $\{ f_n : n \in \mathbb{N} \}$ such that $f_n^{p^k}$ is hard to compute for $\ \le p^k \le O(n)$, though they do not state their results in this way. Rather, they use the assumption of a family of polynomials which are hard to compute as functions, which implies hardness of $p$th powers over finite fields.

It is more common in algebraic complexity to prove lower bounds on the task of computing polynomials as syntactic objects. Over infinite fields, this is equivalent to computing a polynomial as a function. However, the two notions differ over finite fields. For example, the polynomial $x^{\ } - x$ is non-zero as a polynomial over $\mathbb{F}_{\ }$, but computes the zero function over $\mathbb{F}_{\ }$. It is interesting to note that examples of functional lower bounds over finite fields are known. The works of Grigoriev and Karpinski [GK98], Grigoriev and Razborov [GR00], and Kumar and Saptharishi [KS17] prove lower bounds against constant-depth circuits over finite fields which functionally compute an explicit polynomial.

In this section, we will extend the Kabanets-Impagliazzo generator to all perfect fields of characteristic $p > 0$ under syntactic hardness assumptions for a single family of polynomials. The perfect fields of characteristic $p$ include all finite fields and all algebraically closed fields of positive characteristic. To do this, we need a stronger (but still syntactic) hardness assumption. In their work, Kabanets and Impagliazzo use the existence of an explicit family of hard multilinear polynomials to derandomize polynomial identity testing. Here, we need lower bounds against an explicit family of constant-variate polynomials of arbitrarily high degree. Such an assumption appears to be stronger than the assumption of a hard family of multilinear polynomials. We discuss the relationship between these hypotheses in more detail in Section 6.

We first describe the construction of the Kabanets-Impagliazzo generator.

Construction 4.1 ([KI04]). Let $n$ and $m$ be integers satisfying $n < m$. Let $g \in \mathbb{F}[x]$ be a polynomial on $m$ variables. Let $S_1, \ldots, S_n \subseteq [\ell]$ be a Nisan-Wigderson design as in Lemma 2.10. The Kabanets-Impagliazzo generator $G_{\mathrm{KI},g}(z) : \mathbb{F}^\ell \to \mathbb{F}^n$ is the polynomial map given by

$$G_{\mathrm{KI},g}(z) := (g(z|_{S_1}), \ldots, g(z|_{S_n})),$$

where $z|_{S_i}$ denotes the restriction of $z$ to the variables with indices in $S_i$.

We now quote the main lemma used by Kabanets and Impagliazzo in the analysis of their generator.
Lemma 4.2 ([KI04]). Let $\mathbb{F}$ be any field and $n, m \in \mathbb{N}$ such that $n < m$. Let $f \in \mathbb{F}[y_1, \ldots, y_n]$ and $g \in \mathbb{F}[x_1, \ldots, x_m]$ be non-zero polynomials of degree $d_f$ and $d_g$, respectively. Let $f(y)$ be computable by an algebraic circuit of size $s$. Let $S \subseteq \mathbb{F}$ be any set of size at least $d_f d_g + 1$ and let $\ell = O(m / \log n)$ be as in Lemma 2.10. Let $G_{\mathrm{KI},g}$ be as in Construction 4.1.

Suppose that $f(G_{\mathrm{KI},g}(\alpha)) = 0$ for all $\alpha \in S^\ell$. Then there is an algebraic circuit $\Phi$ of size $s' \le \operatorname{poly}(n, m, d_f, d_g, s, (1 + \operatorname{ideg} g)^{\log n})$ which computes the following. If $\mathbb{F}$ has characteristic zero, then $\Phi$ computes $g(x)$. If $\mathbb{F}$ has characteristic $p > 0$, then $\Phi$ computes $g(x)^{p^k}$ for some $k \in \mathbb{N}$ such that $p^k \le d_f$.

If $f(G_{\mathrm{KI},g}(z)) = 0$, then using Lemma 4.2, we can reconstruct a circuit for $g$ using the circuit for $f$. By taking $g$ from a family of hard polynomials, we obtain a contradiction if there is a small circuit which computes $f$. This proves that $G_{\mathrm{KI},g}$ is a hitting set generator for the class of small circuits. The explicitness of $G_{\mathrm{KI},g}$ follows from the explicitness of the family from which $g$ is taken. The hardness-randomness tradeoffs of Kabanets and Impagliazzo [KI04] then follow by setting parameters according to the hardness of $g$.

Over a field of characteristic $p > 0$, Lemma 4.2 provides a circuit computing $g(x)^{p^k}$. Suppose we are working over $\mathbb{F}_q$, the finite field of $q = p^a$ elements. By taking $p$th powers of $g(x)^{p^k}$ if necessary, we can obtain a circuit which computes $g(x)^{p^{ar}} = g(x)^{q^r}$ for some $r \in \mathbb{N}$. The map $\alpha \mapsto \alpha^q$ is the identity over $\mathbb{F}_q$, so the circuit which computes $g(x)^{q^r}$ in fact computes the same function as $g(x)$. This is why, without further work, we need a polynomial which is hard to compute as a function to obtain hardness-randomness tradeoffs over finite fields.

If we could factor the circuit for $g(x)^{p^k}$ to obtain a not-too-much-larger circuit for $g(x)$, then we could derive hardness-randomness tradeoffs from the assumption of an explicit family of multilinear polynomials which are hard to compute. It remains an open problem to show that if $g(x)^p$ has a small circuit, then $g(x)$ has a small circuit. However, in the constant-variate regime, Corollary 3.6 resolves this problem in the affirmative. This is the main fact which drives our extension of the Kabanets-Impagliazzo generator.

We now show how to use the Kabanets-Impagliazzo generator to obtain hardness-randomness tradeoffs over all perfect fields of characteristic $p > 0$. Recall that $\mathcal{C}_{\mathbb{F}}(s, n, d)$ denotes the set of $n$-variate degree $d$ polynomials computable by circuits of size at most $s$.

Theorem 4.3.
Let $\mathbb{F}$ be a field of characteristic $p > 0$ and let $c, k \in \mathbb{N}$ be positive constants. Let $\{ g_d(x) : d \in \mathbb{N} \}$ be a strongly $t(k, d)$-explicit family of $k$-variate degree $d$ polynomials. Let $s : \mathbb{N} \to \mathbb{N}$ be a function such that $g_d$ cannot be computed by algebraic circuits of size smaller than $s(d)$ over $\mathbb{F}^{p^{-\infty}}$. Then there is a hitting set generator $G : \mathbb{F}^\ell \to \mathbb{F}^n$ for $\mathcal{C}_{\mathbb{F}}(n^c, n, n^c)$ which

1. is $\bigl( \operatorname{poly}(n, \ell) + t(k, n^{ck + \Omega(c)}) \cdot s^{-1}(n^{ck + \Omega(c)})^{O(k)} \bigr)$-explicit,
2. has seed length $\ell = O\Bigl( \frac{k \log( s^{-1}(n^{ck + O(c)}) )}{\log n} \Bigr)$, and
3. has degree $O(k \log( s^{-1}(n^{ck + O(c)}) ))$.

Proof. We will obtain our generator by using $\{ g_d : d \in \mathbb{N} \}$ to construct a family of hard multilinear polynomials. We then set parameters and instantiate the Kabanets-Impagliazzo generator with this hard multilinear family.

By Lemma 2.6, there is a strongly $t(k, d)$-explicit family of multilinear polynomials $h_d(y)$ on $m := k(\lfloor \log d \rfloor + 1)$ variables such that any circuit which computes $h_d$ must be of size $s(d) - O(k \log d)$. The construction of $h_d$ also yields the identity

$$g_d(x) = h_d(x_1, x_1, \ldots, x_1^{\lfloor \log d \rfloor}, \ldots, x_k, x_k, \ldots, x_k^{\lfloor \log d \rfloor}),$$

which allows us to obtain a circuit for $g_d$ from a circuit for $h_d$. As $h_d$ is multilinear, we have $\deg(h_d) \le m$ and $\operatorname{ideg}(h_d) = 1$.

Set $d = s^{-1}(n^e)$ for a large enough constant $e \ge\ $ to be specified later. Since $g_d$ is a $k$-variate degree $d$ polynomial, we trivially have $s(d) \le d^{O(k)}$, so $s^{-1}(d) \ge d^{\Omega(1/k)}$. This gives us

$$m \ge d^k = s^{-1}(n^e)^k \ge (n^{\Omega(e/k)})^k = n^{\Omega(e)}.$$

Taking $e$ to be large enough guarantees $m > n$. Let $S_1, \ldots, S_n \subseteq [\ell]$ be the Nisan-Wigderson design guaranteed by Lemma 2.10. Our generator $G : \mathbb{F}^\ell \to \mathbb{F}^n$ is given by instantiating the Kabanets-Impagliazzo generator with $h_d$. That is,

$$G(z) := G_{\mathrm{KI},h_d}(z) = (h_d(z|_{S_1}), \ldots, h_d(z|_{S_n})).$$

We now verify the claimed properties of $G$.

Correctness.
To see that G is indeed a hitting set generator for C F ( n c , n, n c ) , suppose there issome non-zero f ∈ C F ( n c , n, n c ) such that f ( G ( z )) = 0 . Then by Lemma 4.2, there is a circuit of size s (cid:48) (cid:54) poly( n, m, n c , log n ) (cid:54) n O ( c ) which computes h d ( y ) p a for p a (cid:54) deg( f ) (cid:54) n c . Via the Kronecker substitution y i,j (cid:55)→ x j i , we obtaina circuit of size s (cid:48) + O ( k log d ) (cid:54) n O ( c ) which computes g d ( x ) p a . We now apply Corollary 3.6 atotal of a times to obtain a circuit which computes g d ( x ) and has size s (cid:48)(cid:48) (cid:54) (3 · k · p k ) a n O ( c ) .Since p a (cid:54) n c and (cid:54) p , we obtain s (cid:48)(cid:48) (cid:54) n kc + O ( c ) . By setting e = 3 ck + Θ( c ) where the hiddenconstant on the Θ( c ) term is large enough, we obtain a contradiction as follows. By assumption,any circuit which computes g d must be of size at least s ( d ) = n e . However, we have a circuit ofsize n ck + O ( c ) (cid:28) n e = s ( d ) which computes g d , a contradiction. Thus, it must be the case that f ( G ( z )) (cid:54) = 0 . Hence G is a hitting set generator for C F ( n c , n, n c ) . Explicitness.
Given a point α ∈ F (cid:96) , we can evaluate G as follows. First, we construct theNisan-Wigderson design S , . . . , S n ⊆ [ (cid:96) ] in time poly( n, (cid:96) ) . We then compute all d O ( k ) coefficientsof h d , each in t ( k, d ) time. Finally, for each i ∈ [ (cid:96) ] , we evaluate h d on α | S i in time d O ( k ) . Using thefact that d = s − ( n ck + O ( c ) ) , we can evaluate G in poly( n, (cid:96) ) + t ( k, n ck + O ( c ) ) · s − ( n ck + O ( c ) ) O ( k ) time as claimed. Seed length.
It follows from Lemma 2.10 that G has seed length (cid:96) = O ( m / log n ) = O (cid:16) k log d log n (cid:17) .By our choice of d = s − ( n ck + O ( c ) ) , we obtain the claimed seed length of O (cid:16) k log ( s − ( n ck + O ( c ) ))log n (cid:17) . Degree.
By construction, G is a map of degree deg( h d ) (cid:54) m = k ( (cid:98) log d (cid:99) + 1) . Once more,plugging in our choice of d yields the claimed bound of O ( k log( s − ( n ck + O ( c ) ))) .19y applying Lemma 2.3, we obtain the following construction of explicit hitting sets for C F ( n c , n, n c ) . Corollary 4.4.
Assume the setup of Theorem 4.3. Let $T$, $\ell$, and $\Delta$ be the explicitness, seed length, and degree of the generator of Theorem 4.3, respectively. Then there is a hitting set $\mathcal{H}$ for $\mathcal{C}_{\mathbb{F}}(n^c, n, n^c)$ which
1. has size $|\mathcal{H}| = (n^c \Delta + 1)^{\ell}$, and
2. has explicitness $|\mathcal{H}| \cdot T = (n^c \Delta + 1)^{\ell} \cdot T$.

Proof. This is Lemma 2.3 applied to Theorem 4.3.

We conclude this section with some concrete hardness-randomness tradeoffs obtainable via Theorem 4.3 and Corollary 4.4. Recall that for constant $k$, a $k$-variate polynomial of degree $d$ consists of at most $\binom{k+d}{k} \le d^{O(k)}$ monomials. In this regime, a polynomial which is strongly $d^{O(k)}$-explicit is “exponential time explicit,” as the description of a single monomial consists of $O(k \log d)$ bits.

Corollary 4.5.
Let F be a field of characteristic p > . Let c, k ∈ N be fixed constants. Let { g d ( x ) : d ∈ N } be a strongly d O ( k ) -explicit family of k -variate degree d polynomials which cannot becomputed by circuits of size smaller than s ( d ) over F p −∞ . Then the following results hold regardinghitting sets for C F ( n c , n, n c ) .1. If s ( d ) = log ω (1) d , then there is a n o (1) -explicit hitting set for C F ( n c , n, n c ) of size n o (1) .2. If s ( d ) = 2 log Ω(1) d , then there is a log O (1) n -explicit hitting set for C F ( n c , n, n c ) of size log O (1) n .3. If s ( d ) = d Ω(1) , then there is a n O (log n ) -explicit hitting set for C F ( n c , n, n c ) of size n O (log n ) .Proof. Each statement follows by setting parameters in Theorem 4.3 and Corollary 4.4 and usingthe fact that c and k are fixed constants independent of n and d . We omit the straightforwardcalculations. Given that we use the seemingly stronger assumption of constant-variate hardness in our extensionof the Kabanets-Impagliazzo generator, one may wonder if we can push the hardness-randomnessconnection further and obtain a better derandomization of identity testing for C F ( n c , n, n c ) . Perhapssurprisingly, this is possible by going through the recent development of “bootstrapping” for hittingsets. Let n be a constant and let s be arbitrarily large. Suppose we have an explicit, slightly non-trivialhitting set for C F ( s, n, s ) . Then we can “bootstrap” the advantage this hitting set has over the trivialone in order to obtain an explicit hitting set of very small size for C F ( s, s, s ) . That is, in order toalmost completely derandomize polynomial identity testing for the class of polynomials of polynomialdegree computed by polynomial-size circuits, it suffices to find a non-trivial derandomization ofpolynomial identity testing for circuits on a constant number of variables but of arbitrary size anddegree. 
20e remark that, throughout this section, one should read C F ( s, s, s ) as a stand-in for C F ( n c , n, n c ) ,where c is a fixed constant. This follows by taking s = n c and noting that C F ( n c , n, n c ) ⊆C F ( n c , n c , n c ) = C F ( s, s, s ) . While the following results are stated for C F ( s, s, s ) , changing s byat most a polynomial factor will not qualitatively affect the results we obtain.We now formally state the bootstrapping result. Let log (cid:63) s denote the iterated logarithm of s .That is, log (cid:63) s := (cid:40) (cid:63) (log s ) s > s (cid:54) . This version of the bootstrapping theorem is due to Kumar, Saptharishi, and Tengse [KST19] andimproves upon the initial work of Agrawal, Ghosh, and Saxena [AGS19]. Note that this theoremholds over all fields, including those of positive characteristic.
Theorem 5.1 ([KST19]) . Let F be any field and let ε > and n (cid:62) be constants. Suppose that forall sufficiently large s , there is an s O ( n ) -explicit hitting set of size s n − ε for C F ( s, n, s ) . Then there isan s exp ◦ exp( O (log (cid:63) s )) -explicit hitting set of size s exp ◦ exp( O (log (cid:63) s )) for C F ( s, s, s ) . In this section, we will use Theorem 5.1 to obtain a stronger derandomization of polynomialidentity testing over fields of characteristic p > under appropriate hardness assumptions. Suppose { g d ( x ) : d ∈ N } is a family of strongly d O ( k ) -explicit k -variate degree d polynomials which requirealgebraic circuits of size d Ω( k ) . Using Corollary 4.5, we can obtain a s O (log s ) -explicit hitting set for C F ( s, s, s ) of size s O (log s ) . By a more careful instantiation of the Kabanets-Impagliazzo generator, wecan use the hardness assumption on g d to design an explicit hitting set which satisfies the hypothesesof Theorem 5.1. This yields an explicit hitting set for C F ( s, s, s ) of size s exp ◦ exp( O (log (cid:63) s )) , whichgreatly improves upon the size s O (log s ) hitting set of Corollary 4.5.Our argument also works for fields of characteristic zero, giving us a general theorem whichconverts near-optimal constant-variate hardness into near-optimal derandomization of polynomialidentity testing for C F ( s, s, s ) .First, we need a technical lemma regarding lower bounds against constant-variate polynomials.Roughly, we will show that d δ lower bounds against degree d constant-variate polynomials can bemagnified to d c lower bounds against constant-variate polynomials for arbitrary δ, c > . Lemma 5.2.
Let F be any field. Let k ∈ N and c, δ > be fixed constants. Let { g d ( x ) : d ∈ N } bea strongly d O ( k ) -explicit family of k -variate polynomials of degree d . Suppose that for d sufficientlylarge, g d cannot be computed by algebraic circuits of size smaller than d δ over F . Then there isa constant m ∈ N and a family { h ∆ ( y ) : ∆ ∈ N } of strongly ∆ O ( m ) -explicit m -variate degree ∆ polynomials such that for ∆ sufficiently large, h ∆ cannot be computed by algebraic circuits of sizesmaller than ∆ c over F .Proof. We follow the approach of Lemma 2.6, but in base d δ/ c + 1 as opposed to base 2.Without loss of generality, assume that δ (cid:54) (cid:54) c . Let m := ckδ and let y = ( y , , . . . , y k, c/δ ) .Let σ ( y i,j ) = x ( d δ/ c +1) j i . We will take h ∆ ( y ) to be the polynomial of individual degree d δ/ c whichsatisfies the equation h ( σ ( y )) = g d ( x ) . More explicitly, let g d ( x ) = (cid:80) a ∈ N k α a x a be the expression of g d as a sum of monomials. Let ϕ : (cid:74) d δ/ c +1 (cid:75) c/δ → (cid:74) d +1 (cid:75) be the map which takes the base- ( d δ/ c +1) expansion of a number t ∈ (cid:74) d + 1 (cid:75) and returns t . Then we define h ∆ ( y ) as h ∆ ( y ) = (cid:88) A ∈ (cid:74) d δ/ c +1 (cid:75) k × c/δ α ϕ ( A , • ) ,...,ϕ ( A k, • ) (cid:89) i,j ∈ (cid:74) d δ/ c +1 (cid:75) y A i,j i,j .
21t is clear from the construction of h ∆ that h ∆ ( σ ( y )) = g d ( x ) . The polynomial h ∆ is of individualdegree at most d δ/ c , so ∆ := deg( h ∆ ) can be bounded as ∆ (cid:54) md δ/ c = 2 ckd δ/ c δ . Since k and δ are fixed constants, for d large enough, we obtain ∆ (cid:54) d δ/ c .To show that h ∆ has the claimed hardness, suppose we are given a circuit of size s which computes h ∆ . By repeated squaring, we may compute the map σ ( y ) using a circuit of size O ( k log d ) = O ( m log ∆) = O (log ∆) . This yields a circuit of size s (cid:48) (cid:54) s + O (log ∆) which computes g d . By theassumed hardness of g d , we have s (cid:48) (cid:62) d δ . Putting things together gives us s (cid:62) d δ − O (log ∆) . Since ∆ (cid:54) d δ/ c for d large enough, we obtain s (cid:62) ∆ c/ − O (log ∆) . For ∆ (and hence d ) large enough, we have s (cid:62) ∆ c , which yields the desired lower bound on h ∆ .It remains to verify the explicitness of h ∆ . We can compute a coefficient of h ∆ by computingthe corresponding coefficient of g d , so h ∆ inherits the strong d O ( k ) -explicitness of g d . We need toshow that d O ( k ) (cid:54) ∆ O ( m ) in order to conclude that h ∆ is strongly ∆ O ( m ) -explicit. By writing h ∆ as a sum of monomials, there is a circuit of size ∆ O ( m ) which computes h ∆ . Combined with theargument above, this yields a circuit of size ∆ O ( m ) + O (log ∆) = ∆ O ( m ) which computes g d . Sinceany circuit which computes g d must have size d δ , we obtain ∆ O ( m ) (cid:62) d δ . As c , k , δ , and m are allfixed constants, this yields d O ( k ) (cid:54) ∆ O ( m ) as desired.Now we are ready to state and prove our hardness-randomness tradeoff. Theorem 5.3.
Let F be any field and let k ∈ N and δ > be fixed constants. Let K = F p −∞ if char F = p > and K = F otherwise. Let { g d ( x ) ∈ F [ x ] : d ∈ N } be a family of strongly d O ( k ) -explicit k -variate degree d polynomials. Suppose that for all d sufficiently large, g d cannot be computedby algebraic circuits of size smaller than d δ over K . Then for all sufficiently large s , there is an s exp ◦ exp( O (log (cid:63) s )) -explicit hitting set of size s exp ◦ exp( O (log (cid:63) s )) for C F ( s, s, s ) .Proof. Using Lemma 5.2, we may assume without loss of generality that δ (cid:62) .By Theorem 5.1, it suffices to provide an explicit hitting set of size s n − ε for C F ( s, n, s ) forconstants ε, n and all s sufficiently large. We will instantiate the Kabanets-Impagliazzo generatorwith g d as the hard polynomial, using the finer-grained designs of Lemma 2.9.Let s be given. By adding auxiliary variables if necessary, we may assume that k is a primepower. Note there is always a power of between k and k , so this at most doubles the number ofvariables in g d . We set parameters as follows: • c := 3 , • n := 2 k c +1 = 2 k , • r := 2 , and • d := s k . 22y Lemma 2.9, we can construct in poly( n ) time a collection of sets S , . . . , S n ⊆ [ k c ] such that | S i | = k and | S i ∩ S j | (cid:54) r .Consider the generator G : F k c → F n given by G ( z ) = ( g d ( z | S ) , . . . , g d ( z | S n )) . By construction, G has seed length k c and degree d = s k . Since g d is strongly d O ( k ) -explicit, we canevaluate G by constructing the design S , . . . , S n , computing the coefficients of g d , and evaluatingeach of the n copies of g d . Constructing the design takes n O (1) time and computing the coefficientsof g d takes d O ( k ) time. To evaluate g d , we use the expression of g d as a sum of monomials, whichrequires d O ( k ) time for each of the n evaluations. 
In total, we can evaluate G in time n O (1) · d O ( k ) = n O (1) · s O ( k ) = n O (1) · s O ( √ n ) , so G is s O ( √ n ) -explicit for s sufficiently large.If G is in fact a hitting set generator for C F ( s, n, s ) , then using Lemma 2.3, we obtain a hittingset H for C F ( s, n, s ) of size ( s · d ) k c = ( s k +1 ) k = s k + k (cid:54) s k − ε = s n − ε for some ε > when s is large enough. Moreover, H is s O ( √ n ) · |H| (cid:54) s O ( n ) -explicit. We nowapply Theorem 5.1 to obtain the claimed s exp ◦ exp( O (log (cid:63) s )) -explicit hitting set for C F ( s, s, s ) of size s exp ◦ exp( O (log (cid:63) s )) . It remains to show that G is indeed a hitting set generator for C F ( s, n, s ) .To show this, suppose for the sake of contradiction that G is not a hitting set generator for C F ( s, n, s ) . Then there is some f ( y ) ∈ C F ( s, n, s ) such that f ( y ) (cid:54) = 0 and f ( G ( z )) = 0 . We define thehybrid polynomials f , . . . , f n by f ( y, z ) = f ( y , . . . , y n ) f ( y, z ) = f ( g d ( z | S ) , y , . . . , y n ) ...f n − ( y, z ) = f ( g d ( z | S ) , . . . , g d ( z | S n − ) , y n ) f n ( y, z ) = f ( g d ( z | S ) , . . . , g d ( z | S n )) = f ( G ( z )) . Since f (cid:54) = 0 and f n = 0 , there is some i ∈ [ n ] such that f i − (cid:54) = 0 and f i = 0 . Assuming | F | > sd (cid:62) deg( f i ) , we can find an assignment to the variables { y j : j (cid:54) = i } and { z j : j / ∈ S i } suchthat f i remains non-zero under this partial evaluation. If F is too small, we may find such anassignment using values from some finite extension F (cid:48) ⊇ F of size at least sd + 1 (and hence degree O (log( sd )) ). After renaming variables, denote this non-zero restriction of f i by f ( z , . . . , z k , y ) .We can compute f by composing the circuit for f with at most n − copies of the partialevaluation of g d ( z | S j ) for j < i . By assumption, we can compute f with a circuit of size s . 
Since | S j ∩ S i | (cid:54) for j (cid:54) = i , at most variables in z | S j are unset. This implies each restriction of g d ( z | S j ) is a polynomial of degree d on 2 variables and thus can be computed by a depth-two circuit of sizeat most d · ( d + 1) . This yields a circuit for f of size at most s + nd · ( d + 1) . Note that the degreeof f is bounded by sd , since f is the composition of two polynomials of degrees at most s and d .By assumption, we have that f ( z , . . . , z k , y ) (cid:54) = 0 and f ( z , . . . , z k , g d ( z )) = 0 . This implies that y − g d ( z ) is a factor of f . We now apply Theorem 2.8 to factor the circuit for f . • If char F = p > , we obtain a circuit for ( y − g d ( z )) p t = y p t − g d ( z ) p t for some t ∈ N . Since y p t − g d ( z ) p t is a factor of f ( z , . . . , z k , y ) , we must have dp t = deg( y p t − g d ( z ) p t ) (cid:54) deg( f ) (cid:54) sd. p t (cid:54) s . Since f has degree sd and is computable in size s + O ( nd ) , the circuitcomputing y p t − g d ( z ) p t has size at most O (( nsd ) ) . By setting y = 0 and negating the outputof the circuit, we obtain a circuit for g d ( z ) p t of size O (( nsd ) ) .We now apply Corollary 3.6 a total of t times. This produces a circuit which computes g d ( z ) and has size O (( nsd ) p kt kt t ) = O (( nsd ) s k +2 ) . Here we use the fact that p (cid:62) , so kt (cid:54) p kt (cid:54) s k and t (cid:54) t (cid:54) p t (cid:54) s .In the case where | F | > sd , the circuit for f was defined over F , so the circuit for g d is definedover K = F p −∞ . If instead | F | (cid:54) sd , the circuit for f was defined over a finite extension F (cid:48) ⊇ F of degree O (log( sd )) . As F (cid:48) is a finite field, F (cid:48) is perfect, so the circuit obtained fromCorollary 3.6 is defined over F (cid:48) . 
We apply Lemma 2.7 to simulate this circuit over F , incurringan extra O (log ( sd )) factor in the circuit size.In total, we now have a circuit which computes g d over K = F p −∞ and has size bounded by O (( nsd ) s k +2 log ( sd )) . • If char F = 0 , the previous case applies, but without the need to take a p th root or simulate afield extension. This yields a circuit which computes g d ( z ) over K = F and has size O (( nsd ) ) .In both cases, we obtain a circuit which computes g d ( z ) over K and has size at most O (( nsd ) s k +2 log ( sd )) .Restating in terms of k and d , we have a circuit for g d of size O (( nsd ) s k +2 log ( sd )) = O ( k s k d log ( d )) = O ( k d /k log ( d )) . Since k (cid:62) and k is a constant, we can bound the size of the circuit computing g d by O ( d log ( d )) .This contradicts the fact that g d requires circuits over K of size d δ (cid:62) d for sufficiently large d .Hence G is in fact a hitting set generator for C F ( s, n, s ) . Over fields of characteristic zero, the recent work of Guo, Kumar, Saptharishi, and Solomon[GKSS19] obtained what is currently the best-known derandomization of polynomial identity testingfor C F ( s, s, s ) under a hardness assumption. From an explicit family of k -variate degree d polynomialsof hardness d Ω(1) , they obtain an explicit hitting set for C F ( s, s, s ) of size s O (1) . Specifically, theyprove the following theorem. Theorem 5.4 ([GKSS19]) . Let F be a field of characteristic zero. Let k ∈ N be large enough andlet δ > be a fixed constant. Suppose { P k,d ∈ F [ x ] : d ∈ N } is a family of d O ( k ) -explicit k -variatepolynomials of degree d such that P k,d cannot be computed by algebraic circuits of size smaller than d δ . Then there is an s ( k/δ ) O (1) -explicit hitting set for C F ( s, s, s ) of size s O ( k /δ ) . 
We remark that Guo, Kumar, Saptharishi, and Solomon [GKSS19] do not define the notion of explicitness they use in their result, but it is enough for $P_{k,d}$ to be computable by a uniform algorithm which runs in time $d^{O(k)}$. This is slightly different from our notion of strong explicitness, where we require the coefficients of $P_{k,d}$ to be computable in $d^{O(k)}$ time. It is clear that one can pass from strong explicitness to the standard notion of explicitness by computing a polynomial as a sum of monomials. Via polynomial interpolation, one can show that polynomials which are “evaluation-explicit” are strongly explicit. In both cases, the explicitness parameter may degrade considerably, as the number of terms in a polynomial may be exponentially larger than the amount of time required to compute the polynomial or one of its coefficients. In general, one cannot hope to do better than this: in one direction, the coefficients of the permanent are easy to compute, but the permanent is widely conjectured to be hard to compute; in the other direction, there are examples of polynomials which are easy to compute but which have the permanent of a large matrix embedded in their coefficients (see, for example, Bürgisser [Bür00, §2.3]).

In the context of Theorem 5.3 and Theorem 5.4, however, the two notions of explicitness coincide. When working with $k$-variate polynomials of degree $d$, we incur an overhead of $d^{O(k)}$ in passing between the two notions of explicitness. As the hypotheses of these theorems are already in the regime of (strong) $d^{O(k)}$-explicitness, the explicitness parameter changes by a polynomial factor, which is small enough to not affect the asymptotics of the results obtained.

The fact that the underlying field has characteristic zero is used in a key part of the proof of Theorem 5.4, and it is not clear how to adapt the proof to fields of positive characteristic. The generator used to design the hitting set in the conclusion of Theorem 5.4 is notably not a variation on the Kabanets-Impagliazzo generator, but instead a new generator whose construction is more algebraic than combinatorial in flavor.

Note that Theorem 5.3 and Theorem 5.4 require the same hardness assumption. This gives a second proof of derandomization of polynomial identity testing from an explicit family of hard constant-variate polynomials, although the derandomization we obtain is slightly weaker compared to Theorem 5.4. However, our construction does not require the characteristic of the underlying field to be zero. It is tempting to conjecture that one can recover the conclusion of Theorem 5.4 in positive characteristic by improving the bootstrapping process used to prove Theorem 5.1. It is unclear whether such a result is possible.

This work and the work of Guo, Kumar, Saptharishi, and Solomon [GKSS19] have shown that lower bounds against (strongly) explicit constant-variate polynomials yield very strong derandomizations of polynomial identity testing. We are able to give an explicit hitting set of size $s^{\exp \circ \exp(O(\log^\star s))}$ for $\mathcal{C}_{\mathbb{F}}(s, s, s)$ for any field $\mathbb{F}$ (this is Theorem 5.3), while Guo, Kumar, Saptharishi, and Solomon [GKSS19] obtain explicit hitting sets of size $s^{O(1)}$ for the same class when $\operatorname{char} \mathbb{F} = 0$. However, if one instead assumes the existence of a (strongly) explicit family of maximally-hard multivariate polynomials of low degree (specifically, degree $n^{O(1)}$ where $n$ is the number of variables), it is not clear how to obtain similar derandomization results. The best-known derandomization from multivariate lower bounds is that of Kabanets and Impagliazzo [KI04], who gave an explicit hitting set of size $s^{O(\log s)}$ for $\mathcal{C}_{\mathbb{F}}(s, s, s)$.

The fact that we can obtain strong derandomizations of polynomial identity testing from constant-variate hardness raises the question of whether or not such derandomization is possible under multivariate hardness assumptions. A natural first approach to this would be to show that lower bounds for a (strongly) explicit family of multivariate polynomials imply comparable lower bounds against a (strongly) explicit family of constant-variate polynomials. Such an implication is known in the setting of non-commutative circuits and is due to Carmosino, Impagliazzo, Lovett, and Mihajlin [CILM18].

It is not hard to show a connection in the other direction; that is, lower bounds against strongly explicit families of constant-variate polynomials can be translated into comparable lower bounds against strongly explicit families of multivariate polynomials. An easy way to do this is via the approach of Lemma 2.6.

In this section, we investigate to what extent a converse to Lemma 2.6 may hold. Unconditionally refuting the converse of Lemma 2.6 requires proving circuit lower bounds that seem far out of reach, so we have little hope to fully resolve this question. However, we can give some complexity-theoretic evidence which shows a converse to Lemma 2.6 is unlikely to hold. To do this, we take a detour into the arithmetic complexity of integers.

We start by defining the model we use to compute sequences of integers.
Definition 6.1.
For a natural number n ∈ N , let τ ( n ) denote the size of the smallest circuit whichcomputes n using the constant and the operations of addition, subtraction, and multiplication.Let ( a n ) n ∈ N be a sequence of natural numbers. If τ ( a n ) (cid:54) log O (1) n , then we say ( a n ) n ∈ N is easy tocompute . Otherwise, we say ( a n ) n ∈ N is hard to compute . ♦ As an example, the sequence (2 n ) n ∈ N is easy to compute, as we can compute n in O (log n ) arithmetic steps by repeated squaring. A major open problem in this area is to understand τ ( n !) ,the complexity of the sequence of factorials. The following conjecture regarding τ ( n !) appears to befolklore. Conjecture 6.2.
The sequence of factorials ( n !) n ∈ N is hard to compute. ♦ Prior work has established relationships between Conjecture 6.2 and other prominent conjecturesin computational complexity. Blum, Cucker, Shub, and Smale [BCSS98, page 126] gave an argumentthat shows if τ ( n !) (cid:54) log O (1) n , then there are circuits of log O (1) n size to factor n . A related workby Shamir [Sha79] reduces factorization to computing factorials, albeit in a slightly different model.Bürgisser [Bür09] showed that Conjecture 6.2 implies that the n × n permanent cannot be computedby constant-free division-free algebraic circuits of size n O (1) . Work by Lipton [Lip94] shows thataverage-case hardness of factoring implies a slightly weaker form of Conjecture 6.2; namely, that thepolynomial (cid:81) ni =1 ( x − i ) is hard to compute by constant-free algebraic circuits.Before moving on to address the question of a converse to Lemma 2.6, we present a reductiondue to Shamir [Sha79] which reduces the task of computing n ! to the task of computing (cid:0) nn (cid:1) . Lemma 6.3 ([Sha79]) . If ( (cid:0) nn (cid:1) ) n ∈ N is easy to compute, then ( n !) n ∈ N is easy to compute.Proof. Suppose τ (cid:0)(cid:0) nn (cid:1)(cid:1) (cid:54) O (log c n ) . Recall the identity n ! = (cid:40) (( n/ · (cid:0) nn/ (cid:1) n is even n · (( n − )!) · (cid:0) n − n − / (cid:1) n is odd . This implies τ ( n !) (cid:54) τ ( n ) + τ (( (cid:98) n/ (cid:99) !) ) + τ (cid:18)(cid:18) · (cid:98) n/ (cid:99)(cid:98) n/ (cid:99) (cid:19)(cid:19) . Expanding out the recurrence and using the fact that τ (( (cid:98) n/ (cid:99) !) ) (cid:54) τ ( (cid:98) n/ (cid:99) !) + 1 , we get τ ( n !) (cid:54) log n (cid:88) i =1 (cid:20) τ ( (cid:98) n/ i (cid:99) ) + τ (cid:18)(cid:18) · (cid:98) n/ i +1 (cid:99)(cid:98) n/ i +1 (cid:99) (cid:19)(cid:19) + 1 (cid:21) (cid:54) log n · ( O (log n ) + O (log c n ) + 1) (cid:54) O (log c +1 n ) . Hence ( n !) n ∈ N is easy to compute. 
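The recurrence in the proof of Lemma 6.3 can be run as an actual constant-free circuit. The following is an added example, not code from the paper: central binomial coefficients are treated as oracle gates whose cost is counted separately, and the `Circuit` class, its method names, the gate accounting and the use of 1 as the only constant are assumptions of this sketch.

```python
import math


class Circuit:
    """Constant-free circuit over + and * whose only constant is 1.

    Central binomial coefficients C(2m, m) are oracle gates: this models the
    hypothesis of Lemma 6.3 that they are easy to compute. Class and method
    names are this example's own, not the paper's.
    """

    def __init__(self):
        self.values = [1]          # gate 0 holds the constant 1 (assumed constant)
        self.arith_gates = 0       # number of + and * gates created
        self.oracle_calls = 0      # number of central-binomial oracle gates
        self._constants = {1: 0}   # integer -> gate that already computes it

    def _new_gate(self, value):
        self.values.append(value)
        return len(self.values) - 1

    def add(self, a, b):
        self.arith_gates += 1
        return self._new_gate(self.values[a] + self.values[b])

    def mul(self, a, b):
        self.arith_gates += 1
        return self._new_gate(self.values[a] * self.values[b])

    def constant(self, n):
        """Gate computing the integer n >= 1 by double-and-add: O(log n) gates."""
        if n not in self._constants:
            half = self.constant(n // 2)
            gate = self.add(half, half)          # 2 * floor(n/2)
            if n % 2:
                gate = self.add(gate, 0)         # + 1 when n is odd
            self._constants[n] = gate
        return self._constants[n]

    def central_binomial(self, m):
        """Oracle gate for C(2m, m); its assumed cost is counted separately."""
        self.oracle_calls += 1
        return self._new_gate(math.comb(2 * m, m))

    def factorial(self, n):
        """Gate for n! via n! = [n if n is odd] * (h!)^2 * C(2h, h), h = floor(n/2)."""
        if n <= 1:
            return 0                              # 0! = 1! = 1 is gate 0
        h = n // 2
        half = self.factorial(h)
        gate = self.mul(half, half)               # (h!)^2 costs one extra gate
        gate = self.mul(gate, self.central_binomial(h))   # now equals (2h)!
        if n % 2:
            gate = self.mul(gate, self.constant(n))       # n * (n-1)! for odd n
        return gate


def build_factorial(n):
    """Return (value, arithmetic gate count, oracle call count) for n!."""
    circuit = Circuit()
    out = circuit.factorial(n)
    return circuit.values[out], circuit.arith_gates, circuit.oracle_calls


if __name__ == "__main__":
    for n in (10, 1000, 10**5):
        value, gates, calls = build_factorial(n)
        assert value == math.factorial(n)
        print(f"n={n}: {gates} arithmetic gates, {calls} oracle calls")
```

The recursion halves n at every level, so it makes exactly ⌊log₂ n⌋ oracle calls and uses O(log² n) arithmetic gates; charging each oracle call O(log^c n) gates gives the O(log^{c+1} n) total stated in the proof.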
26 .2 The Inverse Kronecker Map and Constant-Free Circuits Here, we show that two forms of a converse to Lemma 2.6 refute Conjecture 6.2 to varying degrees.Our first argument shows that a straightforward converse of Lemma 2.6 implies that Conjecture 6.2fails infinitely often. That is, suppose g ( x ) is a univariate degree d polynomial and f ( y ) is amultilinear polynomial which simplifies to g ( x ) under the mapping y i (cid:55)→ x i . Lemma 2.6 says thathardness of g ( x ) implies hardness of f ( y ) . The following conjecture, which we wish to conditionallyrefute, says that hardness of f ( y ) implies hardness of g ( x ) . Conjecture 6.4.
Let g m,d ( x ) = (cid:80) a α a x a be an m -variate degree d polynomial. Let j : { , } (cid:98) log d (cid:99) +1 → (cid:74) (cid:98) log d (cid:99) +1 (cid:75) be given by j ( e ) = (cid:80) (cid:98) log d (cid:99) +1 i =1 e i i − . That is, j ( e ) is the number whose binary represen-tation corresponds to e . Let y = ( y , , . . . , y , (cid:98) log d (cid:99) +1 , . . . , y m, , . . . , y m, (cid:98) log d (cid:99) +1 ) and define f m,d ( y ) = (cid:88) e ∈{ , } m ×(cid:98) log d (cid:99) +1 α ( j ( e , • ) ,...,j ( e m, • )) y e . Suppose f m,d requires constant-free circuits of size s to compute. Then g m,d requires constant-freecircuits of size s Ω(1) − Θ( m log d ) to compute. ♦ We now show that Conjecture 6.4 implies the factorials are easy to compute infinitely often.
Theorem 6.5.
Suppose Conjecture 6.4 holds over Q . Then the sequence of factorials ( n !) n ∈ N iseasy to compute infinitely often.Proof. It is easy to see that (cid:80) n i =0 (cid:0) n i (cid:1) x i = ( x + 1) n is computable by a constant-free algebraiccircuit of size O ( n ) via repeated squaring. Let f n ( y ) = (cid:88) e ∈{ , } n +1 (cid:18) n j ( e ) (cid:19) y e . The contrapositive of Conjecture 6.4 yields a constant-free circuit of size O ( n c ) which computes f n for some absolute constant c . Let a n − = 1 and a = · · · = a n − = a n = 0 . Then f n ( a ) = (cid:0) n n − (cid:1) + 1 .By evaluating the circuit for f n at a and subtracting , we obtain a circuit of size O ( n c ) whichcomputes (cid:0) n n − (cid:1) .We now follow the argument of Lemma 6.3 to construct circuits of size O ( n c +1 ) to compute (2 n !) n ∈ N . By definition, we have n ! = (cid:18) n n − (cid:19) (2 n − !) = (cid:18) n n − (cid:19)(cid:18) n − n − (cid:19) (2 n − !) ... = n − (cid:89) i =0 (cid:18) n − i n − i − (cid:19) i . Using the fact that we fact that we can compute (cid:0) n n − (cid:1) by a circuit of size O ( n c ) , we obtain τ (2 n !) (cid:54) n − (cid:88) i =0 τ (cid:32)(cid:18) n − i n − i − (cid:19) i (cid:33) (cid:54) n − (cid:88) i =0 O ( n c +1 ) (cid:54) O ( n c +2 ) . Hence the factorials are easy to compute infinitely often.27t is unclear whether there is meaningful evidence to suggest that the factorials are not easy tocompute at numbers of the form n . Because of this, Theorem 6.5 may be best viewed as evidencethat if Conjecture 6.4 is true, the proof will not be straightforward.Conjecture 6.4 can be seen as a base-two converse to Lemma 2.6. Instead, we might consider thefollowing strengthening of Conjecture 6.4 to all number bases. Conjecture 6.6.
Let g m,d ( x ) = (cid:80) a α a x a be an m -variate degree d polynomial. Let k ∈ N and let j : (cid:74) k (cid:75) (cid:98) log k d (cid:99) +1 → (cid:74) k (cid:98) log k d (cid:99) +1 (cid:75) be given by j ( e ) = (cid:80) (cid:98) log k d (cid:99) +1 i =1 e i k i − , that is, j ( e ) is the number whosebase- k representation corresponds to e . Let y = ( y , , . . . , y , (cid:98) log k d (cid:99) +1 , . . . , y m, , . . . , y m, (cid:98) log k d (cid:99) +1 ) and define f m,d ( y ) = (cid:88) e ∈ (cid:74) k (cid:75) m ×(cid:98) log k d (cid:99) +1 α ( j ( e , • ) ,...,j ( e m, • )) y e . Suppose f m,d requires constant-free circuits of size s to compute. Then g m,d requires constant-freecircuits of size s Ω(1) − Θ( m log d ) to compute. ♦ We can show that this stronger conjecture is less likely to hold than Conjecture 6.4.
Theorem 6.7.
Suppose Conjecture 6.6 holds over Q . Then ( n !) n ∈ N is easy to compute.Proof. By Lemma 6.3, it suffices to show that the central binomial coefficients (cid:0) nn (cid:1) n ∈ N are easyto compute. Let n ∈ N be given. There is constant-free circuit of size O (log n ) which computes g ( x ) = ( x + 1) n . Consider the polynomial f ( y , y n ) = n − (cid:88) i =0 n − (cid:88) j =0 (cid:18) ni + jn (cid:19) y i y jn , where by convention (cid:0) nk (cid:1) = 0 when n < k . Note that f ( x, x n ) = n − (cid:88) i =0 n − (cid:88) j =0 (cid:18) ni + jn (cid:19) x i + jn = n − (cid:88) k =0 (cid:18) nk (cid:19) x k = n (cid:88) k =0 (cid:18) nk (cid:19) x k = ( x + 1) n . The contrapositive of Conjecture 6.6 implies that f is computable by a constant-free circuit of size O (log c n ) for some absolute constant c . We now evaluate f (0 , to obtain f (0 ,
1) = n − (cid:88) j =0 (cid:18) njn (cid:19) = (cid:18) n (cid:19) + (cid:18) nn (cid:19) + (cid:18) n n (cid:19) = (cid:18) nn (cid:19) + 2 . By computing f (0 , − , we obtain a constant-free circuit of size O (log c n ) which computes (cid:0) nn (cid:1) .Hence the central binomial coefficients are easy to compute.Note that the results of this section only give evidence that Conjecture 6.4 and Conjecture 6.6 donot hold over fields of characteristic zero. Over fields of positive characteristic, it is unclear whetherthese conjectures are likely to be true or false. This is somewhat interesting, as if Conjecture 6.4 holdsover fields of positive characteristic, then we can replace constant-variate hardness with multivariatehardness in our extension of the Kabanets-Impagliazzo generator to fields of small characteristic.28 Conclusion and Open Problems
In this work, we gave the first instantiation of the algebraic hardness-randomness paradigm over fields of small characteristic. Our main tool was the mod-$p$ decomposition, which we used to efficiently compute $p$th roots of circuits which depend on a small number of variables. This allowed us to extend known hardness-randomness tradeoffs due to Kabanets and Impagliazzo [KI04] to fields of small characteristic under seemingly stronger hardness assumptions. We also constructed a hitting set generator which, under suitable hardness assumptions, provides a near-complete derandomization of polynomial identity testing. As our hardness assumptions are somewhat atypical, we compared them to more standard hardness assumptions and gave a conditional result which says that our hardness assumptions are not implied by standard ones.

A number of problems in low-characteristic derandomization remain open, some of which we have pointed out earlier in this work. Here, we mention some challenges which our techniques are not able to resolve.

1. Is it possible to obtain hardness-randomness tradeoffs over fields of small characteristic using a strongly explicit family of hard multilinear polynomials as opposed to constant-variate polynomials?
2. Let $\mathbb{F}$ be a field of characteristic $p > 0$, where $p$ is some fixed constant. Suppose $f(x)^p \in \mathbb{F}[x]$ is an $n$-variate polynomial which can be computed by a circuit of size $s$ over $\mathbb{F}$. Is there a circuit of size $s^{O(1)}$ which computes $f(x)$ in the case that $n = \omega(\log s)$?
3. In the conclusion of Theorem 5.1, is it possible to obtain a hitting set of size $s^{O(1)}$? If so, this would give a construction of a hitting set generator over low characteristic fields which qualitatively matches the parameters of the generator of Guo, Kumar, Saptharishi, and Solomon [GKSS19].
4. Is it possible to lift lower bounds from the multivariate regime to the constant-variate regime? It seems like the answer may be “no,” but our evidence thus far only applies to constant-free circuits over fields of characteristic zero. What can we say if we remove the constant-free restriction? What about fields of positive characteristic?

Acknowledgements. We would like to thank Michael A. Forbes for many useful comments which helped improve the presentation of this work.
References

[AB03] Manindra Agrawal and Somenath Biswas. “Primality and identity testing via Chinese remaindering”. In: J. ACM (cit. on p. 2).

[AGS19] Manindra Agrawal, Sumanta Ghosh, and Nitin Saxena. “Bootstrapping variables in algebraic circuits”. In: Proc. Natl. Acad. Sci. USA (cit. on pp. 2, 5, 21).

[AKS04] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. “PRIMES is in P”. In: Ann. of Math. (2)

Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2008). 2008, pp. 67–75 (cit. on p. 2).

[BCS97] Peter Bürgisser, Michael Clausen, and M. Amin Shokrollahi. “Algebraic complexity theory”. Vol. 315. Grundlehren der Mathematischen Wissenschaften [Fundamental Principles of Mathematical Sciences]. With the collaboration of Thomas Lickteig. Springer-Verlag, Berlin, 1997, pp. xxiv+618 (cit. on p. 8).

[BCSS98] Lenore Blum, Felipe Cucker, Michael Shub, and Steve Smale. “Complexity and real computation”. With a foreword by Richard M. Karp. Springer-Verlag, New York, 1998, pp. xvi+453 (cit. on p. 26).

[BCW80] Manuel Blum, Ashok K. Chandra, and Mark N. Wegman. “Equivalence of free Boolean graphs can be decided probabilistically in polynomial time”. In: Inform. Process. Lett.

Comput. Complexity (cit. on p. 26).

[CILM18] Marco L. Carmosino, Russell Impagliazzo, Shachar Lovett, and Ivan Mihajlin. “Hardness amplification for non-commutative arithmetic circuits”. In: Proceedings of the 33rd Annual Computational Complexity Conference (CCC 2018). Vol. 102. Leibniz International Proceedings in Informatics (LIPIcs). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 2018, 12:1–12:16 (cit. on p. 25).

[CKS18] Chi-Ning Chou, Mrinal Kumar, and Noam Solomon. “Hardness vs randomness for bounded depth arithmetic circuits”. In: Proceedings of the 33rd Annual Computational Complexity Conference (CCC 2018). Vol. 102. Leibniz International Proceedings in Informatics (LIPIcs). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 2018, 13:1–13:17 (cit. on p. 2).

[DSY09] Zeev Dvir, Amir Shpilka, and Amir Yehudayoff. “Hardness-randomness tradeoffs for bounded depth arithmetic circuits”. In: SIAM J. Comput. (cit. on p. 2).

[FGS18] Michael A. Forbes, Sumanta Ghosh, and Nitin Saxena. “Towards blackbox identity testing of log-variate circuits”. In: Proceedings of the 45th International Colloquium on Automata, Languages and Programming (ICALP 2018). Vol. 107. Leibniz International Proceedings in Informatics (LIPIcs). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 2018, 54:1–54:16 (cit. on p. 13).

[GK98] Dima Grigoriev and Marek Karpinski. “An exponential lower bound for depth 3 arithmetic circuits”. In: Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC 1998). ACM, New York, 1998, pp. 577–582 (cit. on p. 17).

[GKKS16] Ankit Gupta, Pritish Kamath, Neeraj Kayal, and Ramprasad Saptharishi. “Arithmetic circuits: a chasm at depth 3”. In: SIAM J. Comput. (cit. on p. 2).

[GKSS19] Zeyu Guo, Mrinal Kumar, Ramprasad Saptharishi, and Noam Solomon. “Derandomization from Algebraic Hardness: Treading the Borders”. In: Proceedings of the 60th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2019). 2019, pp. 147–157 (cit. on pp. 2, 5, 24, 25, 29).

[GR00] Dima Grigoriev and Alexander Razborov. “Exponential lower bounds for depth 3 arithmetic circuits in algebras of functions over finite fields”. In: Appl. Algebra Engrg. Comm. Comput. (cit. on p. 17).

[HY11] Pavel Hrubeš and Amir Yehudayoff. “Arithmetic Complexity in Ring Extensions”. In: Theory of Computing

P = BPP if E requires exponential circuits: derandomizing the XOR lemma”. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC 1997). ACM, New York, 1997, pp. 220–229 (cit. on p. 1).

[Kal89] Erich Kaltofen. “Factorization of Polynomials Given by Straight-Line Programs”. In: Advances in Computing Research

Comput. Complexity (cit. on pp. 2–6, 8, 17, 18, 25, 29).

[Koi12] Pascal Koiran. “Arithmetic circuits: the chasm at depth four gets wider”. In: Theoret. Comput. Sci. 448 (2012), pp. 56–65 (cit. on p. 2).

[KS17] Mrinal Kumar and Ramprasad Saptharishi. “An exponential lower bound for homogeneous depth-5 circuits over finite fields”. In: Proceedings of the 32nd Annual Computational Complexity Conference (CCC 2017). Vol. 79. Leibniz International Proceedings in Informatics (LIPIcs). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 2017, 31:1–30:30 (cit. on p. 17).

[KS19] Mrinal Kumar and Ramprasad Saptharishi. “Hardness-Randomness Tradeoffs for Algebraic Computation”. In: Bull. Eur. Assoc. Theor. Comput. Sci. 129 (2019), pp. 56–87 (cit. on pp. 3, 6).

[KST19] Mrinal Kumar, Ramprasad Saptharishi, and Anamay Tengse. “Near-optimal bootstrapping of hitting sets for algebraic circuits”. In: Proceedings of the 30th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 2019). SIAM, Philadelphia, PA, 2019, pp. 639–646 (cit. on pp. 2, 3, 5, 8, 9, 21).

[KUW86] Richard M. Karp, Eli Upfal, and Avi Wigderson. “Constructing a perfect matching is in Random NC”. In: Combinatorica (cit. on p. 2).

[Lip94] Richard J. Lipton. “Straight-line complexity and integer factorization”. In: Algorithmic number theory (Ithaca, NY, 1994). Vol. 877. Lecture Notes in Comput. Sci. Springer, Berlin, 1994, pp. 71–79 (cit. on p. 26).

[Lov79] László Lovász. “On determinants, matchings, and random algorithms”. In: Fundamentals of computation theory (Proc. Conf. Algebraic, Arith. and Categorical Methods in Comput. Theory, Berlin/Wendisch-Rietz, 1979). Vol. 2. Math. Res. Akademie-Verlag, Berlin, 1979, pp. 565–574 (cit. on pp. 2, 3).

[MVV87] Ketan Mulmuley, Umesh V. Vazirani, and Vijay V. Vazirani. “Matching is as easy as matrix inversion”. In: Combinatorica (cit. on p. 2).

[NW94] Noam Nisan and Avi Wigderson. “Hardness vs. randomness”. In: J. Comput. System Sci.

J. ACM (cit. on p. 14).

[Rom06] Steven Roman. “Field theory”. 2nd ed. Vol. 158. Graduate Texts in Mathematics. Springer, New York, 2006, pp. xii+332 (cit. on p. 10).

[Sax09] Nitin Saxena. “Progress on polynomial identity testing”. In: Bull. Eur. Assoc. Theor. Comput. Sci. 99 (2009), pp. 49–79 (cit. on p. 2).

[Sax14] Nitin Saxena. “Progress on Polynomial Identity Testing II”. In: Proceedings of the Workshop celebrating Somenath Biswas’ 60th Birthday. 2014, pp. 131–146 (cit. on p. 2).

[Sha79] Adi Shamir. “Factoring numbers in $O(\log n)$ arithmetic steps”. In: Inform. Process. Lett.

J. ACM (cit. on p. 1).

[SY10] Amir Shpilka and Amir Yehudayoff. “Arithmetic circuits: a survey of recent results and questions”. In: Found. Trends Theor. Comput. Sci.

Inform. and Comput. 240 (2015), pp. 2–11 (cit. on p. 2).

[Uma03] Christopher Umans. “Pseudo-random generators for all hardnesses”. In: