Cyclotomic Identity Testing and Applications
Nikhil Balaji, Sylvain Perifel, Mahsa Shirmohammadi, James Worrell
aa r X i v : . [ c s . CC ] J u l Cyclotomic Identity Testing and Applications
Nikhil Balaji , Sylvain Perifel , Mahsa Shirmohammadi , and James Worrell Department of Computer Science, University of Oxford, UK Universit´e de Paris, CNRS, IRIF, F-75013 Paris, France
Abstract
We consider the cyclotomic identity testing problem: given a polynomial f ( x , . . . , x k ), decidewhether f ( ζ e n , . . . , ζ e k n ) is zero, for ζ n = e πi/n a primitive complex n -th root of unity andintegers e , . . . , e k . We assume that n and e , . . . , e k are represented in binary and considerseveral versions of the problem, according to the representation of f . For the case that f isgiven by an algebraic circuit we give a randomized polynomial-time algorithm with two-sidederrors, showing that the problem lies in BPP . In case f is given by a circuit of polynomiallybounded syntactic degree, we give a randomized algorithm with two-sided errors that runs inpoly-logarithmic parallel time, showing that the problem lies in BPNC . In case f is given bya depth-2 ΣΠ circuit (or, equivalently, as a list of monomials), we show that the cyclotomicidentity testing problem lies in NC . Under the generalised Riemann hypothesis, we are ableto extend this approach to obtain a polynomial-time algorithm also for a very simple subclassof depth-3 ΣΠΣ circuits. We complement this last result by showing that for a more generalclass of depth-3 ΣΠΣ circuits, a polynomial-time algorithm for the cyclotomic identity testingproblem would yield a sub-exponential-time algorithm for polynomial identity testing. Finally,we use cyclotomic identity testing to give a new proof that equality of compressed strings, i.e.,strings presented using context-free grammars, can be decided in coRNC : randomized NC withone-sided errors. Introduction
Identity testing is a fundamental problem in algorithmic algebra. In particular, identity test-ing in number fields has been much studied in relation to solving systems of polynomial equa-tions [Ge93, Koi96], polynomial identity testing [CK00], and decision problems on matrix groupsand semigroups [CLZ00, BBC + cyclotomic identity testing problems , where the input consists of a polynomial f ( x , . . . , x k ) with integer coefficients together with integers n, e , . . . , e k , and the task is to decidewhether f ( ζ e n , . . . , ζ e k n ) is zero for ζ n = e πi/n . We consider four variants of this problem accordingto the representation of f : (i) f is given as an algebraic circuit; (ii) f is given by a circuit ofpolynomially bounded syntactic degree; (iii) f is given as a depth-2 ΣΠ circuit; (iv) f is given asa diamond-shaped depth-3 ΣΠΣ circuit, that is, where the two +-layers each contain a single gate.Although f is a multivariate polynomial, since it is evaluated on powers of a common primitive n -th root of unity, in formalising the above four problems we use circuits whose input gates arelabelled by powers of a single variable x .Formally, for our purposes an algebraic circuit C is a directed, acyclic graph with labelledvertices and edges. Vertices of in-degree zero are labelled in the set of monomials { x e : e ∈ N } andthe remaining vertices have labels in { + , ×} . Moreover the incoming edges to +-vertices have labelsin Z , that is, the +-gates compute integer-weighted sums. There is a unique vertex of out-degreezero which determines the output of the circuit, a univariate polynomial, in an obvious manner.We assume that all integer constants appearing in C are given in binary. The syntactic degree of C is defined inductively as follows: input gates have degree 0, the degree of an addition gate is themaximum of the degrees of its inputs, the degree of a multiplication gate is the sum of the degreesof its inputs, and the degree of C is the degree of the output gate. Note that the syntactic degreeof C is not an upper bound on the degree of the computed polynomial since we allow monomialsas inputs. We use notation such as ΣΠ and ΣΠΣ to denote classes of circuits in which the internalgates are arranged into alternating layers of + and × gates, with edges only between successivelayers. Observe that this notation elides the variable powering at input gates in our formalism forunivariate circuits.The four main variants of the cyclotomic identity testing problem are as follows: • In the
Cyclotomic Identity Testing (CIT) problem the input is an algebraic circuit C rep-resenting a polynomial f ( x ), together with an integer n , given in binary, and the task is todetermine whether f ( ζ n ) = 0, where ζ n = e πi/n is a primitive complex n -th root of unity. • The
Bounded-CIT problem is defined exactly as the CIT problem, except that the input alsoincludes an upper bound on the syntactic degree of the circuit C that is given in unary. Thusin Bounded-CIT the degree of the circuit is at most the length of the input. • In the
Sparse-CIT problem the polynomial f = P si =1 a i x k i is given as a list of pairs of integers( a , k ) , . . . , ( a s , k s ) in binary. This is equivalent to restricting the CIT to ΣΠ circuits. • Finally we consider the restriction to CIT to
Diamond-shaped
ΣΠΣ circuits (where each +-layer has a single gate) which can be seen as a mild generalisation of the Sparse-CIT Problem.2he representation of polynomials in the CIT problem can be exponentially more succinct thanin the Bounded-CIT problem, since the syntactic degree can be exponential in the size of the circuit.Likewise the representation in the Bounded-CIT problem can be exponentially more succinct thanin the Sparse-CIT problem, since the former allows the number of monomials to be exponential inthe circuit size. Diamond-shaped ΣΠΣ circuits are essentially the simplest non-trivial extension ofthe class of ΣΠ circuits. Here, again, the number of monomials can be exponential in the circuitsize.The problem Sparse-CIT was first studied by Plaisted [Pla84], who gave a randomised polynomial-time algorithm. Subsequently, deterministic polynomial-time algorithms were given by Cheng etal. [CTV10] (See also [Che07]). A natural approach to decide zeroness of f ( ζ n ) is to compute anapproximation of sufficient precision. However, given existing separation bounds for algebraic num-bers, the precision required to distinguish between zero and a non-zero value precludes a polynomialtime bound, and none of the existing polynomial-time procedures follows this naive route.The conclusion of [CTV10] raises the question of the complexity of CIT. The authors notethat this problem lies in the counting hierarchy , based on results of [ABKPM09]. Our first mainresult is that CIT can be placed in BPP by computing modulo a suitable prime ideal in the ringof integers of the number field Q ( ζ n ). Effectively this amounts to working in a finite field Z p thatcontains a primitive n -th root of unity. Theorem 1.
The CIT problem is in
BPP . Observe that the CIT problem is at least as hard as the Polynomial Identity Testing problemfor circuits of unbounded degree, which is a well-known P -hard problem [Mit13, Theorem 2.4.6,Theorem 2.6.3] (See also Proposition 7).Next we pass to the Bounded-CIT problem, in which the syntactic degree of the circuit ispolynomially bounded, and give a randomized procedure with two-sided errors that runs in poly-logarithmic parallel time. Here we forsake the approach via finite arithmetic because computingpowers in a finite field is not known to be in NC . Instead, we follow the identity testing methodof Chen and Kao [CK00]: we pick a Galois conjugate of f ( ζ n ) uniformly at random and determinethe zeroness of the conjugate by numerical computation. The reason that we have two-sided errorsis that our procedure for generating conjugates fails with a small probability. Thus we have: Theorem 2.
The Bounded-CIT problem is in
BPNC . Moving to the problem Sparse-CIT, we revisit the approach of [CTV10] to giving a polynomial-time decision procedure. Here we give a simpler reformulation of their method and, as a by-product,we observe that the problem can be solved in NC . Theorem 3.
The Sparse-CIT problem is in NC . We further build on Theorem 3 to give a polynomial-time algorithm for what is essentially thesimplest non-sparse case of CIT, subject to the Generalised Riemann Hypothesis (GRH).
Theorem 4.
Assuming GRH, CIT can be solved in polynomial time on the class of diamond-shaped
ΣΠΣ circuits. The Counting Hierarchy [Wag86] is defined inductively as follows: CH = PP , CH k + = PP CH k and CH = ∪ k ≥ CH k .CIT is known to admit an upper bound of PPPPPPP which is between CH and CH .
3e complement Theorem 4 by exhibiting a class of ΣΠΣ circuits for which CIT is hard. In factwe formulate this result in terms of evaluating multivariate polynomials given by ΣΠ circuits (i.e.,with inputs being variables x , . . . , x m ) on translations of roots of unity. Theorem 5.
Given a multivariate polynomial f ( x , . . . , x m ) as a ΣΠ circuit and given integers a , . . . , a m and e , . . . , e m in binary, if one can test f ( a + ζ e n , . . . , a m + ζ e m n ) = 0 in deterministicpolynomial time, then PIT for circuits of size s and degree d ≤ s can be solved in s O ( √ d ) time. In terms of applications, we observe that cyclotomic identity testing can be used to obtain anew coRNC algorithm to decide equality of compressed strings, that is, strings presented by acycliccontext-free grammars. K¨onig and Lohrey [KL15] show that the problem admits a coRNC algorithmby reduction to the identity testing problem for univariate polynomials given as so-called powerfulskew circuits. The main contribution of [KL15] was to give a randomised NC algorithm for thelatter problem. Following the identity testing algorithm of Agrawal and Biswas [AB03], theiralgorithm works, by computing the value of the circuit modulo a randomly chosen polynomial p ( x ). In order to perform this computation in NC they rely on the result of Fich and Tompa [FT88]that computing x m mod p ( x ) for large powers m can be done in NC (assuming p is given in denserepresentation). By contrast, we observe that the same identity testing problem can be solvedby numerically evaluating a polynomial at a randomly chosen conjugate of a root of unity ζ n ofsufficiently high order. To obtain an NC bound we rely on the fact that it is straightforward tocompute powers of ζ n . We also observe that our technique yields a randomised sequential algorithmthat runs in e O ( n ) time in the standard Turing machine model. Theorems 1, 2, and 3 all take different approaches to the CIT problem: respectively using finitearithmetic, numerical approximation, and multilinear algebra. However it is interesting to notethat all three approaches involve computing a partial prime factorisation of the order of the rootof unity (or some multiple thereof).As discussed in more detail in [CTV10], cyclotomic identity testing is related to the so-called torsion-point problem , which asks whether a given multivariate polynomial has a zero in which allcomponents are roots of unity [Roj07]. The univariate version of this problem is known to be NP -hard [Pla84]. Identity testing for expressions involving real roots of rational numbers is consideredin [Bl¨o98].There has been extensive work on the problem of testing equality of compressed strings startingwith the works of Hirschfield et al. [HJM94] ( O ( n ) time) and Melhorn et al. [MSU97] ( O ( n ) time)who independently gave the first deterministic polynomial time algorithms for the problem. Thestate of the art for deterministic sequential algorithms for this problem is by J´ez [Jez12] wherein he uses recompression to give an algorithm that runs in O ( n ) time. Note that the quadraticrunning time here is in a RAM model where the uncompressed string (which could be 2 n letterslong) fits into a single machine word. There have simpler randomized algorithms starting with thework of Gasieniec et al. [GKPR96] ( e O ( n ) time) and Schmidt-Schau and Schnitger ( O ( n ) time inthe RAM model). However neither of them is known to be parallelisable. [GKPR96] raised thequestion of whether testing compressed string equality is P -complete.4 Preliminaries
We give a useful lemma on finite arithmetic and then recall some basic definitions and facts aboutcyclotomic fields.
Lemma 6.
Fix m ∈ N and consider drawing an element k uniformly at random from the set { , . . . , m − } . Let A be the event that k and m are coprime and let B be the event that k and m share no common prime divisor p <
10 log m . Then Pr( A | B ) > for m sufficiently large.Proof. Write m = p e · · · p e r r , where p , . . . , p r are distinct primes and e , . . . , e r ≥
1. For i =1 , . . . , r , let E i be the event that p i does not divide the sampled number k . Then the collection ofevents E i is mutually independent, A = T ri =1 E i , and B = T i : p i <
10 log m E i . ThusPr( A | B ) = Pr( A )Pr( B )= Y i : p i ≥
10 log m Pr( E i )= Y i : p i ≥
10 log m (cid:18) − p i (cid:19) ≥ (cid:18) −
110 log m (cid:19) log m . Since the expression above converges to e − . > . m tends to infinity, for sufficiently large m we have Pr( A | B ) > .Fix n ∈ N and write Q ( ζ n ) for the field generated over Q by a primitive complex n -th root ofunity ζ n = e πin . The minimum polynomial of ζ n is denoted Φ n ( x ) and has degree ϕ ( n ), where ϕ isthe Euler totient function. We recall the lower bound [HW +
79, Theorem 328] ϕ ( n ) ≥ cn log log n , (1)where c is an effectively computable constant. An easy consequence is the following Proposition 7.
For any primitive n -th root of unity ζ n and univariate polynomial p ( x ) ∈ Z [ x ] ofdegree strictly smaller than ϕ ( n ) , p ( ζ n ) = 0 . It is well known that α ∈ Q ( ζ n ) is an algebraic integer just in case α = P n − j =0 a j ζ jn for some a , . . . , a n − ∈ Z . We call such a number a cyclotomic integer and write Z [ ζ n ] for the subring of Q ( ζ n ) comprised of cyclotomic integers.Let Gal( Q ( ζ n ) / Q ) denote the group of automorphisms of Q ( ζ n ). Then Gal( Q ( ζ n ) / Q ) is iso-morphic to the multiplicative group Z ∗ n of integers mod n . For each k ∈ Z ∗ n , the correspondingautmorphism in Gal( Q ( ζ n ) / Q ) sends ζ n to ζ kn . In this section we give a randomised polynomial-time algorithm, with two-sided errors, for the CITproblem. The idea is to work in a finite field, obtained by quotienting the ring of cyclotomic integersby a suitable rational prime. 5ecall that the norm of α ∈ Q ( ζ n ) is defined by N Q ( ζ n ) / Q ( α ) := Y σ ∈ Gal ( Q ( ζ n ) / Q ) σ ( α ) . For short, we will write N ( α ) for N Q ( ζ n ) / Q ( α ), i.e., the underlying field will be understood from thecontext. Recall that the norm of a cyclotomic integer lies in Z .If a polynomial f ∈ Z [ x ] is computed by a circuit C and if s ∈ N is the sum of size of C andbit-length of n , then we say that the cyclotomic integer f ( ζ n ) is computed by a circuit of size s . Proposition 8 (Norm upper bound for circuits) . Let α ∈ Z ( ζ n ) be a cyclotomic integer that iscomputed by a circuit of size s . Then | N ( α ) | ≤ s .Proof. Write α = P n − j =0 a j ζ jn , where a , . . . , a n − ∈ Z and let H := P ≤ i ≤ n − | a i | . Since α iscomputed by a circuit of size s , by an easy induction on s we have H ≤ s . We can give an upperbound on | N ( α ) | as follows: N ( α ) = N n − X j =0 a j ζ jn = Y σ ∈ Gal ( Q ( ζ n ) / Q ) σ n − X j =0 a j ζ jn = Y ℓ ∈ Z ∗ n n − X j =0 a j ζ jℓn . Since (cid:12)(cid:12)(cid:12)P n − j =0 a j ζ jℓn (cid:12)(cid:12)(cid:12) ≤ P n − i =0 | a i | = H for all ℓ , we have | N ( α ) | ≤ Y ℓ ∈ Z ∗ n H ≤ (2 s ) n ≤ (2 s ) s = 2 s . Theorem 9.
Let p ∈ Z be a prime such that the field Z p contains a primitive n -th root of unity ω n .Given g ( x ) ∈ Z [ x ] , we have that1. if g ( ζ n ) = 0 then g ( ω n ) = 0 , and2. if g ( ω n ) = 0 then p | N ( g ( ζ n )) .Proof. Define a ring homomorphism ev : Z [ x ] → Z p by ev( g ) = g ( ω n ) mod p . For d < n , sinceΦ d | x d − x d − = 0, we have ev(Φ d ) = 0. Since also x n − Q d | n Φ d , we haveev(Φ n ) = 0. It follows that ev factors through Z ( ζ n ) via a homomorpishm ev ′ : Z ( ζ n ) → Z p givenby ev ′ ( g ( ζ n )) = g ( ω n ) mod p for g ∈ Z [ x ].For Item 1, we have that if g ( ζ n ) = 0 then g ( ω n ) = ev ′ ( g ( ζ n )) = 0.For Item 2, observe that the kernel of ev ′ is a prime ideal p in Z ( ζ n ) satisfying p ∩ Z = p Z .Hence if g ( ω n ) = 0 then g ( ζ n ) ∈ p and so p | N ( g ( ζ n )),6 roposition 10. Let α ∈ Z ( ζ n ) be a non-zero cyclotomic integer that is computed by a circuit ofsize s . If p is chosen uniformly at random among primes in N of magnitude at most s , then withprobability at least − s s we have that p ∤ N ( g ( ζ n )) .Proof. By Proposition 8, the norm of α has absolute value at most 2 s . It follows that N ( α )has at most 2 s distinct prime factors. There are at least s s primes in the range [2 , s ]. Thusthe probability that a prime p chosen uniformly at random does not divide the norm of α is atleast 1 − s s .Proposition 10 suggests a natural test for CIT: evaluate the circuit in a finite field Z p thatcontains a primitive n -th root of unity. Since the multiplicative group Z ∗ p is cyclic, it is clear that Z p contains a primitive n -th root of unity just in case n | ( p − p ≡ n . We will usethe following estimate on the density of primes that are congruent to 1 modulo n . Theorem 11 (Primes in arithmetic progressions) . Given a ∈ Z ∗ n , write π n,a ( x ) for the number ofprimes less than x that are congruent to a modulo n . Then π n,a ( x ) ≥ x | Z ∗ n | log x − x √ log x (2) Proposition 12.
Let α ∈ Z ( ζ n ) be computed by a circuit C and let s be an upper bound on thesize of C and bit-length of n . If α is non-zero and prime p ∈ Z is chosen uniformly at randomamong those primes less than s that are congruent to modulo n , then the probability that p divides N ( α ) is at most s − s .Proof. By Proposition 8, the norm of α has absolute value at most 2 s . It follows that N ( α ) hasat most 2 s distinct prime factors. By Theorem 11, the number of primes less than 2 s that arecongruent to 1 modulo n is π n, (2 s ) ≥ s | Z ∗ n | s − s s ≥ s (cid:18) s s − s (cid:19) . (3)Assume that s ≥
5. It follows that s s − s ≥ s . Consequently, the probability that p divides N ( α ) is at most 2 s − s .The following straightforward proposition enables us to find primitive n -th roots of unity in Z p in case p ≡ n Proposition 13.
For a prime p , let h be chosen uniformly at random from the set ( a ∈ Z ∗ p : ^ 10 log( p − a p − q = 1 ) . Then h is a primitive root of Z ∗ p with probability at least 0.9.Proof. Fix a primitive root g ∈ Z ∗ p . For a distributed uniformly at random over Z ∗ p , we have thatlog g a is distributed uniformly at random over { , . . . , p − } . Moreover, for every prime divisor q of p − q divides log g a if and only if a p − q = 1 mod p . It follows that for h as in the statement ofcorollary, log g h is distributed uniformly at random among those elements in { , . . . , p − } that donot share a prime divisor less than 10 log( p − 1) with p − 1. Applying Lemma 6 we have that log g h is coprime with p − . 9. But log g h is coprime with p − h is itself a primitive root of Z ∗ p . 7 lgorithm for Cyclotomic Identity TestingInput: Algebraic circuit C and integer n , written in binary, of combined size s Output: Whether f ( ζ n ) = 0 for the polynomial f ( x ) computed by C .1: Pick p u.a.r. from n q ∈ N : q ≤ s , q prime , and q ≡ n o .2: Pick h u.a.r. from n a : a ∈ Z ∗ p , V The CIT problem is in BPP .Proof. Figure 3 presents a Monte Carlo randomized algorithm for the CIT problem. The argumentfor the correctness of the algorithm is as follows. Let p be a prime such that p ≡ n , as chosenin Line 1.It follows from Proposition 13 that with probability at least 0 . 9, the element h ∈ Z ∗ p that isselected in Line 2 of the algorithm is a primitive root of Z ∗ p . Now let us bound the error of thealgorithm under the assumption that h is indeed a primitive root of Z ∗ p . Note that in this case wehave that ω n , as chosen in Line 3, is a primitive n -th root of unity in the field Z p . We consider twocases. First, suppose that f ( ζ n ) = 0; then by Theorem 9 we have f ( ω n ) = 0, and hence the outputis ‘Zero’. Second, suppose that f ( ζ n ) = 0. Then by Theorem 9 the output will be ‘Non-Zero’provided that p does not divide N ( f ( ζ n )). But by Proposition 12 the probability that p does notdivide N ( f ( ζ n )) is at least 1 − s − s . Thus, in total, the probability that the algorithm gives thewrong output is 0 . s − s .It is clear that the algorithm runs in polynomial time. In particular, in Line 1, since theasymptotic density of primes in the set n q ∈ N : q ≤ s , q ≡ n o is proportional to s wecan find a prime in this set in polynomial time with arbitrary small constant error probability byrandom sampling. We use the following well-known result (see Appendix A for a proof): Lemma 14. [Chen and Kao [CK00] and Bl¨omer [Bl¨o98]] Let α be an algebraic integer where theabsolute value of all its conjugates is at most B . For all b ∈ N , a random conjugate α ′ of α satisfies | α ′ | ≤ − b , with probability at most B/ ( b + B ) . By above, given a polynomial f and an algebraic number α , whose all conjugates have absolutevalue bounded by B , a straightforward randomized algorithm to decide whether f ( α ) = 0 is torandomly pick a large conjugate α ′ and to approximate f ( α ′ ) with an error 2 − b . The challenge in8 lgorithm for Bounded Cyclotomic Identity TestingInput: Algebraic circuit C with a unary upper bound on its syntactic degree, and integer n written in binary, of combined size s Output: Whether f ( ζ n ) = 0 for the polynomial f ( x ) computed by C .1: Pick uniformly at random a ∈ { , . . . , n − } such that a and n have no commondivisor less than 10 log n .2: Compute f ( e ζ an ), which is f ( ζ an ) truncated up to an O ( s )-bit precision using Taylorexpansion.3: Output ”Zero” if f ( e ζ an ) = 0, otherwise output ”Non-Zero”.Figure 2: Algorithm for Bounded Cyclotomic Identity Testingsuch algorithms is how to pick a large conjugate with a high probability and how to bound theerror of computation.In the rest of this section, we prove Theorem 2. Given an algebraic circuit C with a unary upperbound on its syntactic degree, and an integer n written in binary, of combined size s . We decidewhether f ( ζ n ) = 0 for the polynomial f computed by C by the random algorithm in Figure 2. Weargue that the algorithm can be implemented by a uniform family of two-sided error randomizedcircuits of polynomial size and polylogarithmic depth, and conclude that Bounded-CIT is in BPNC .The random algorithm, in nutshell, approximates a random conjugates f ( ζ an ) of f ( ζ n ) with aprecision of 2 − Ω( s ) . The two-sided errors are due to • picking a such that ζ an is not a conjugate of ζ n (note that it is not known whether checkinggcd( a, n ) = 1 can be done in NC ); • drawing a conjugate ζ an such that f ( ζ a ) is non-zero but too small to distinguish from zerowithin the allowed precision. The error bound of − Ω( s ) . By the simple observation that the constants appearing in f andthe number of its terms are at most 2 s , we have that | f ( ζ n ) | ≤ s . Using Lemma 14 with B = 2 s and b = 4 s , for f ( ζ n ) = 0, a random conjugates f ( ζ n ) have absolute value larger than 2 − s , withprobability at least 2 / ζ ℓn of ζ n , by the Taylor series approximation to ζ n = e πin , restricted to thefirst k terms, we define e ζ ℓn = k X j =0 j ! (cid:18) πiℓn (cid:19) j . Notice that the error here is | ζ ℓn − e ζ ℓn | ≤ (cid:18) πℓn (cid:19) k +1 k + 1)! ≤ k + 1)! ≤ k k/ , which is less than 2 − s if k ≥ s . 9y above, to compute f ( ζ n ) within an error < − s , it suffices to approximate e πiℓn to 6 s bitsusing the k terms of the Taylor series above. Then | f ( ζ n ) − f ( e ζ n ) | ≤ s X j =0 a i | ζ ℓjn − f ζ ℓjn | < s X j =0 s | − s | ≤ − s which is the desired error. Probabilistic correctness. In Line 1, the algorithm iteratively chooses random numbers from { , . . . , n − } until it finds an element a such that a and n have no common divisors less than 10 log n . ByLemma 6, we have that a is coprime with n , and hence ζ an is a conjugate of ζ n , with probability atleast .Using Lemma 14 with B = 2 s and b = 4 s , a random conjugates of f ( ζ n ) has absolute valuelarger than 2 − s , with probability at least .There are two sources of errors. First, ζ an may not be a conjugate of ζ n . This leads to two-sidederrors and happens with probability at most . The second possibility is that f ( ζ n ) = 0 but f ( ζ an )is too small to distinguish from zero within the given precision. This happens with probability atmost . Thus the total error probability is at most . Theorem 2. The Bounded-CIT problem is in BPNC .Proof. From the work of Valiant et al. [VSBR83], given a polynomial degree arithmetic circuitof size s , one can construct an equivalent circuit of depth O (log s ) and size O ( s ) with fan-in 2multiplication and addition gates. Moreover, such a circuit can be constructed even in logarithmicspace [AJMV98]. Since we would like to compute f ( ζ n ) to error at most 2 − Ω( s ) , this requiresmaintaining O ( s ) bits at each gate of the circuit. Every bit of numbers produced at each gate canbe computed by NC circuits of size at most O ( s log s ) [RT92], and hence overall this results in an NC circuit of size e O ( s ). An algebraic circuit computing a univariate polynomial is said to be a powerful skew circuit ifat least one input of every multiplication gate is a leaf. Here the word powerful reflects ourconvention that leaves can be labelled with monomials x m , where m is given in binary. The classof powerful skew circuits was introduced by K¨onig and Lohrey [KL15], where they showed thatthe corresponding polynomial identity testing problem can be decided in coRNC by combining theclassical PIT algorithm of Agrawal and Biswas [AB03] and the result of Fich and Tompa [FT88]that computing x m mod p ( x ) for large powers m can be done in NC . The main motivation forstudying this identity testing problem is that there is an NC reduction of the equivalence testingproblem for compressed strings to identity testing for powerful skew circuits. Briefly, a compressedword is one that is given by an acyclic context-free grammar in which each non-terminal occurson the left-hand side of exactly one production. Such a grammar produces a single word, whoselength can be exponential in the number of non-terminals and productions. We refer to [KL15] formore details.In this section we provide an alternative coRNC algorithm for PIT on powerful skew circuits,employing the same random conjugate technique used to solve the Bounded-CIT problem. Since10he syntactic degree of a powerful skew circuit is at most the number of gates we can use ourAlgorithm in Figure 2 to decide PIT over the class of powerful skew circuits: we simply pick a rootof unity ζ n with n higher than the degree of the given polynomial f ∈ Z [ x ], and approximate arandom conjugate of f ( ζ n ).Since the algorithm is insensitive to the choice of n as long as it is larger than the degreeof f (that is at most 2 s where s is the size of circuit), we use this freedom and by Proposition 7,choose n = 2 s ensuring that ζ an is a conjugate of ζ an for all odd numbers a , 1 ≤ a < n . Thisprevents one-side of error in our random algorithm for the Bounded-CIT problem (error causedby picking an non-conjugate in Line 1 of Figure 2); indeed, whenever f ( ζ n ) = 0 our algorithmreturns “Zero” almost-surely (with probability 1). Then we conclude the following corollary notingthat the approximation is efficiently computable in randomized sequential time by using Brent’salgorithm [Bre76]. Theorem 15. Testing equality of two compressed words, of combined size s ,1. is solvable in e O ( s ) -time randomized sequential algorithm; and2. can be implemented by e O ( s ) -sized NC circuits using O ( s ) random bits.Proof. For the first item, having chosen the random conjugate ζ an , for each x m , inputted to amultiplication gate, we need to compute f ( ζ amn ) truncated up to an O ( s )-bit precision using Taylorexpansion. By Brent’s algorithm [Bre76], for each k , 1 ≤ k ≤ n , we can compute e πikn within anerror of 2 − O ( s ) in O ( s log s ) time. Since there are at most O ( s ) such different occurrences of ζ amn inthe powerful skew circuit, all these O ( s )-bit approximations can be computed in O ( s log s )-time.We are now left with the task of evaluating a powerful-skew arithmetic circuit that has O ( s )binary additions and O ( s ) binary multiplications on O ( s )-bit numbers. Addition and multiplicationof two O ( s )-bit integers can be implemented in O ( s ) and O ( s log s ) time respectively. Hence, for thewhole circuit this can be implemented with an additional time complexity of O ( s ) + O ( s log s ).Hence the overall time complexity is e O ( s ). The number of random bits used is O (log n ) = O ( s )(to select a conjugate of ζ n ). Notice that in a RAM model where each operation is unit cost, thisresults in a O ( s )-time algorithm, and in the log-cost model a O ( s log s )-time algorithm.The second item is an immediate consequence of Theorem 2 and its proof. In this section we revisit the method of [CTV10] for solving Sparse-CIT in polynomial time. Themain idea of [CTV10] is to give a tensor decomposition of the space of all polynomials that vanish ona given root of unity ζ n , based on a partial factorisation of the order n , and then to use sparsity toefficiently determine membership of this (exponential-dimension) space. Below we reformulate thisidea so as to avoid working with spaces of exponential dimension, relying instead on Proposition 19–a simple proposition in multi-linear algebra. With this proposition in hand, it is straightforward toplace the problem Sparse-CIT in NC .Let ζ n denote a primitive n -th root of unity for a positive integer n . Given nonnegative integers0 ≤ k < · · · < k s < n , we aim to compute the space of vanishing sums V ( k ,...,k s ) n := ( a ∈ Q s : s X i =1 a i ζ k i n = 0 ) 11n time polynomial in the total bit length of n and k , . . . , k s .In the approach of [CTV10] the following (which is an easy consequence of the Chinese Remain-der Theorem plays a central role: Proposition 16. Suppose that n = n n for positive integers n, n , n , with n and n coprime.Then the map ζ n ζ n ⊗ ζ n defines a Q -algebra isomorphism between Q ( ζ n ) and Q ( ζ n ) ⊗ Q ( ζ n ) . We first recall how to compute the space of vanishing sums V ( k ,...,k s ) n for n a prime power. Proposition 17. Let p be a prime, e a positive integer, and let ≤ k < . . . < k s < p e be non-negative integers. Given a ∈ R s , we have P si =1 a i ζ k i p e = 0 if and only if (i) a i = a j for all i, j suchthat k i ≡ k j (mod p e − ) and (ii) a i = 0 for all i such that { k j : k i ≡ k j (mod p e − ) } < p .Proof. Recall that the minimal polynomial of ζ p e is f ( x ) = 1 + x p e − + x p e − + . . . + x ( p − p e − . For a ∈ Q s we have P si =1 a i ζ k p e = 0 if and only if there exists q ∈ Q [ x ], deg( q ) < p e − , such that s X i =1 a i x k i = q ( x ) f ( x ) = p − X i =0 q ( x ) x i ( p e − ) . In other words, the polynomial P si =1 a i x k i consists of p appropriately translated copies of q ( x ).The result immediately follows. Next we show how to compute the space of vanishing sums V ( k ,...,k s ) n in case n has no “small”prime divisors. Proposition 18. Let f ( x ) = P si =1 a i x k i ∈ Q [ x ] be a polynomial such that ≤ k < · · · < k s < n and suppose that p > s for all all prime divisors p of n . Then f ( ζ n ) = 0 only if f is identicallyzero.Proof. Write n = p e · · · p e m m for the prime factorization of n . Write ℓ ij := k i mod p e j j for i = 1 , . . . , s and j = 1 , . . . , m . By the Chinese Remainder Theorem the m -tuples ℓ i = ( ℓ i , . . . , ℓ im ), i = 1 , . . . , s ,are all distinct. Now we have f ( ζ n ) = 0 ⇔ s X i =1 a i ζ k i n = 0 ⇔ s X i =1 a i ( ζ ℓ i p e ⊗ · · · ⊗ ζ ℓ im p emm ) = 0 . (cid:26) ζ ℓ j p ejj , . . . , ζ ℓ sj p ejj (cid:27) is a linearly independent set in Q ( ζ p ejj ) for all j = 1 , . . . , m (possibly listed with repetitions). It follows that n ζ ℓ i p e ⊗ · · · ⊗ ζ ℓ im p emm : i = 1 , . . . , s o is a linearly independent set in Q ( ζ n ). Since the ℓ i are all distinct we conclude that a = · · · = a s = 0. Given vectors a, b ∈ Q s , define the Hadamard product a ⊙ b ∈ Q s by a ⊙ b := ( a b , . . . , a s b s ).In general, for a nonnegative integer k and list of vectors w , . . . , w s ∈ Q k , write R ( w , . . . , w s )for the row space of the matrix with columns w , . . . , w s . Recall that R ( w , . . . , w s ) is the orthogonalcomplement of { a ∈ Q s : P si =1 a i w i = 0 } . Proposition 19. Let U, V be finite dimensional vector spaces over Q with u , . . . , u s ∈ U and v , . . . , v s ∈ V for some s ∈ N . Define the following three vector subspaces of Q s : A := { a ∈ Q s : P si =1 a i u i = 0 } B := { b ∈ Q s : P si =1 b i v i = 0 } C := { c ∈ Q s : P si =1 c i ( u i ⊗ v i ) = 0 } . Then C ⊥ = { a ⊙ b : a ∈ A ⊥ , b ∈ B ⊥ } .Proof. Without loss of generality, suppose that U = Q m and V = Q n . Then we can identify U ⊗ V with Q mn by taking u ⊗ v to be the Kronecker product of u ∈ U and v ∈ V . Now we have A ⊥ = R ( u , . . . , u s ) B ⊥ = R ( v , . . . , v s ) C ⊥ = R ( u ⊗ v , . . . , u s ⊗ v s ) . (4)But it clearly also holds that R ( u ⊗ v , . . . , u s ⊗ v s ) = span( { a ⊙ b : a ∈ R ( u , . . . , u s ) , b ∈ R ( v , . . . , v s ) } ) . (5)The result follows immediately from Equations (4) and (5). Theorem 3. The Sparse-CIT problem is in NC .Proof. Given f ( x ) = P si =0 a i x k i and n ∈ N , we wish to determine whether f ( ζ n ) = 0. We mayassume without loss of generality that deg( f ) < n : otherwise take the remainder on division of f by x n − NC ).Since integer division is in NC , given n ∈ N one can compute in NC a factorisation n = p e · · · p e ℓ ℓ m such that p , . . . , p s ≤ s are prime and all prime factors of m are strictly greater than s .Propositions 17 and 18 give respective characterisations of the vanishing spaces V ( k ,...,k s ) p eii for i = 1 , . . . , ℓ and V ( k ,...,k s ) m as sets of solutions of linear equations. This directly yields descriptions13f the respective orthogonal complements. Moreover, since only integer division required, the givencharacterisations can be computed in NC .Finally, one uses Proposition 19 to combine the orthogonal complements of the individualvanishing spaces V ( k ,...,k s ) p eii and V ( k ,...,k s ) m to obtain the orthogonal complement of V ( k ,...,k s ) n . Withthe latter in hand we can directly test whether f ( ζ n ) = 0.In terms of complexity, we remark that given sets of vectors a , . . . , a m and b , . . . , b n in Q s ,one can compute in NC a maximal linearly independent subset of { a i ⊙ b j : 1 ≤ i ≤ m, ≤ j ≤ n } .Thus we can combine a pair of vanishing spaces in NC and hence we can combine all vanishingspaces in NC by a straightforward divide-and-conquer approach. ΣΠΣ Circuits The results of the previous section show that for the class of polynomials computed by ΣΠ circuits,the Cyclotomic Identity Testing Problem is decidable in NC . In this section we move to a slightlymore general setting: we give an algorithm for essentially the simplest non-trivial class of depth-3circuits, namely ΣΠΣ circuits with a single gate in each +-layer. For obvious reasons, we call thesecircuits diamond-shaped . Such circuits compute polynomials g ( x ) of the form g ( x ) := s X i =1 b i ( a x e + · · · + a m x e m ) i , for integer coefficients a , . . . , a m and b , . . . , b s and natural-number exponents e , . . . , e m . Wegive an algorithm that solves the CIT for this class of circuits in polynomial time, assuming theGeneralized Riemann Hypothesis (GRH). Theorem 4. Assuming GRH, CIT can be solved in polynomial time on the class of diamond-shaped ΣΠΣ circuits.Proof. The algorithm is given in Figure 6. It involves an integer parameter G ( n ) and a rationalparameter ε ( g ) that are both functions of the input. We will say more about both parametersshortly, suffice to say for now that G ( n ) is chosen such that { k ∈ Z ∗ n : 1 ≤ k ≤ G ( n ) } generates Z ∗ n .Line 1 refers to the action of the group Z ∗ n on field Q ( ζ n ), obtained by associating with ℓ ∈ Z ∗ n the automorphism of Q ( ζ n ) that maps ζ n to ζ ℓn . Observe that if the algorithm halts in Line 2 thenthe output is correct: if f ( ζ n ) has more than s distinct conjugates then we cannot possibly have g ( ζ n ) = P si =1 b i f ( ζ n ) i = 0.Now suppose that | Orb( f ( ζ n )) | ≤ s in Line 2. We will use this assumption to bound the degreeand height of g ( ζ n ). (Recall that the degree and height of an algebraic integer are, respectively,the degree and height of its minimal polynomial.) By the assumption that { k ∈ Z ∗ n : 1 ≤ k ≤ G ( n ) } generates Z ∗ n , we have that Orb( f ( ζ n )) consists of all Galois conjugates of f ( ζ n ). Since | Orb( f ( ζ n )) | ≤ s it follows that f ( ζ n ), and hence also g ( ζ n ), have degree at most s . Furthermore,for every ℓ ∈ Z ∗ n we have | g ( ζ ℓn ) | ≤ smM , where M is the maximum of | a i b j | for i ∈ { , . . . , m } and j ∈ { , . . . , s } . By writing the coefficients of the minimal polynomial of g ( ζ n ) in terms of theGalois conjugates of g ( ζ n ), we have that g ( ζ n ) has height at most 2 s ( smM ) s .Now, a non-zero algebraic number of degree d and height H has magnitude at least d d +1 H d . Wechoose the value of ε ( g ) by substituting d := s and H := 2 s ( smM ) s into this bound, that is, we14 lgorithm for Diamond-Shaped ΣΠΣ CircuitsInput: Polynomial g ( x ) = P si =1 b i ( a x e + · · · + a m x e m ) i . Output: Whether g ( ζ n ) = 0.1: Let f ( x ) := P si =1 a i x e i and compute the orbit Orb( f ( ζ n )) of f ( ζ n ) w.r.t. the set { k ∈ Z ∗ n : k ≤ G ( n ) } .2: If | Orb( f ( ζ n )) | > s then return ”not zero”.3: If | Orb( f ( ζ n )) | ≤ s then compute rational number α such that | α − g ( ζ n ) | < ε ( g )3 and return ‘zero’ if α < ε ( g )3 and return ‘not zero’ otherwise.Figure 3: Algorithm for Diamond-Shaped ΣΠΣ Circuitsdefine ε ( g ) := 2 s s +1 (2 smM ) s . (6)With this choice, if g ( ζ n ) = 0 then | g ( ζ n ) | > ε ( g ): hence for the number α computed in Line 3 wehave | α | > ε ( g )3 . On the other hand, if g ( ζ n ) = 0 then | α | < ε ( g )3 . Thus the output produced inLine 3 is correct. This completes the proof that the algorithm gives the correct output.We turn now to the complexity. Note that we can use the procedure presented in the previoussection to determine in polynomial time whether or not two conjugates f ( ζ ℓn ) and f ( ζ jn ) are identical.Since the computation of Orb( f ( ζ n )) terminates as soon as | Orb( f ( ζ n )) | > s , we see that Line 1 canbe executed in time polynomial in the size of the input and the parameter G ( n ). Now it was shownin [Mon71] that under GRH there is a function G ( n ) = O (log n ) such that { k ∈ Z ∗ n : 1 ≤ k ≤ G ( n ) } generates Z ∗ n . It follows that Line 1 of the procedure can be executed in polynomial time, assumingGRH. Finally, from Expression (6) we see that | log( ε ( g )) | is polynomially bounded in the input size.Thus g ( ζ n ) can be computed to within precision ε ( g )3 in polynomial time, e.g., using the approachdescribed in Section 4. We now show that efficient deterministic algorithms for a mild generalisation of Sparse-CIT, entailssub-exponential time algorithms for the Polynomial Identity Testing problem, a longstanding openproblem in Complexity theory [Sax09, Sax14, KI04]. More formally, we have the following: Theorem 5. Given a multivariate polynomial f ( x , . . . , x m ) as a ΣΠ circuit and given integers a , . . . , a m and e , . . . , e m in binary, if one can test f ( a + ζ e n , . . . , a m + ζ e m n ) = 0 in deterministicpolynomial time, then PIT for circuits of size s and degree d ≤ s can be solved in s O ( √ d ) time.Proof. Similar to Koiran [Koi11, Proposition 1], we combine depth reduction and Kronecker sub-stitution. We start from the following result about the expressiveness of depth-4 circuits (see forexample [Sap15, Theorem 5.17] or [KKPS15, Proposition 1]): The paper [BH93] gives heuristic arguments and experimental data suggesting that the choice G ( n ) =(log 2) − log n log log n will yield a set of generators. heorem 20. Any m -variate polynomial P ( x ) of degree at most d = m O (1) computed by a circuitof size s = m O (1) can be expressed as: P ( x ) = s O ( √ d ) X i =1 c i Q i ( x ) d i (7) where c i ∈ Q , d i = O ( √ d ) and the Q i ( x ) are multivariate polynomials of sparsity at most s O ( √ d ) and degree √ d . Moreover, such a representation can be computed in s O ( √ d ) time. It follows that a poly ( m, s, d ) time algorithm for identity testing depth-4 circuits of the form inEquation 7 yields an s O ( √ d ) time algorithm for identity testing circuits of arbitrary-depth computinga low degree polynomial.Let P be a polynomial of degree ≤ d as in Equation 7. It is easy to see that the univariatepolynomial p ( x ) = P ( x, x ( d +1) , . . . , x ( d +1) m − ) of degree at most ( d + 1) m is non-zero if and onlyif the multivariate polynomial P ( x ) is non-zero. Thus a poly ( m, s, d ) time algorithm for identitytesting univariate polynomials of the form p ( x ) = s X i =1 c i q i ( x ) d i = s X i =1 c i ( a i x e i + · · · + a is x e is ) d i , (8)where q i ( x ) = Q i ( x, x ( d +1) , . . . , x ( d +1) m − ) = a i x e i + · · · + a is x e is , e ij ≤ ( d + 1) m and d i ≤ d , issufficient to get sub-exponential time algorithms for PIT.We will now show that the univariate polynomial p ( x ) obtained above can be expressed as inthe statement of the theorem. We will need the following version (Lemma 4.7 in [GKKS16]) of alemma originally due to Saxena [Sax08]: Lemma 21. For every m, d > , there exist α i , β ij ∈ Q ( ≤ i ≤ md, ≤ j ≤ d ) such that ( u + · · · + u m ) d = md X i =0 d X j =0 β ij ( u + α i ) j . . . ( u m + α i ) j . We provide a proof of this lemma in Appendix B for the sake of completeness. ApplyingLemma 21 to the terms ( a i x e i + · · · + a is x e is ) d i above, we get( a i x e i + · · · + a is x e is ) d i = sd i X r =0 d i X j =0 β irj ( a i x e i + α r ) j . . . ( a is x e is + α r ) j = sd i X r =0 d i X j =0 β ′ irj ( x e i + a ir ) j . . . ( x e is + a irs ) j β ′ irj = β irj / ( a ji . . . a jis ) and a ir = α r /a i , . . . , a irs = α r /a is . After plugging this into Equa-tion 8 , we get p ( x ) = s X i =1 c i sd i X r =0 d i X j =0 β ′ irj ( x e i + a ir ) j . . . ( x e is + a irs ) j , which is a polynomial f of degree ≤ d ( d + 1) m , sparsity ≤ s ( d + 1)( sd + 1), in ≤ s ( sd + 1) variablesand evaluated at (cid:0) ( x e i + a ir ) , . . . , ( x e is + a irs ) (cid:1) i,r .Testing if p is zero can now be done by deciding whether f (cid:0) ( ζ e i n + a ir , . . . , ζ e is n + a irs ) i,r (cid:1) =0 where n > d ( d + 1) m , thanks to Proposition 7. Thus, if CIT for this particular form is indeterministic polynomial time, this yields a poly ( s, d, m ) time PIT for p and hence for depth-4circuits, proving the theorem. References [AB03] Manindra Agrawal and Somenath Biswas. Primality and identity testing via chineseremaindering. Journal of the ACM (JACM) , 50(4):429–443, 2003.[ABKPM09] Eric Allender, Peter B¨urgisser, Johan Kjeldgaard-Pedersen, and Peter Bro Miltersen.On the complexity of numerical analysis. SIAM Journal on Computing , 38(5):1987–2006, 2009.[AJMV98] Eric Allender, Jia Jiao, Meena Mahajan, and V Vinay. Non-commutative arithmeticcircuits: depth reduction and size lower bounds. Theoretical Computer Science , 209(1-2):47–86, 1998.[BBC + 96] L´aszl´o Babai, Robert Beals, Jin-yi Cai, G´abor Ivanyos, and Eugene M Luks. Mul-tiplicative equations over commuting matrices. In Proceedings of the seventh annualACM-SIAM symposium on Discrete algorithms , pages 498–507, 1996.[BH93] Rric Bach and Lorenz Huelsbergen. Statistical evidence for small generating sets. Mathematics of Computation , 61(203):69–82, 1993.[Bl¨o98] Johannes Bl¨omer. A probabilistic zero-test for expressions involving roots of rationalnumbers. In European Symposium on Algorithms , pages 151–162. Springer, 1998.[Bre76] Richard P Brent. Fast multiple-precision evaluation of elementary functions. Journalof the ACM (JACM) , 23(2):242–251, 1976.[Che07] Qi Cheng. Derandomization of sparse cyclotomic integer zero testing. In , pages 74–80.IEEE, 2007.[CK00] Zhi-Zhong Chen and Ming-Yang Kao. Reducing randomness via irrational numbers. SIAM Journal on Computing , 29(4):1247–1256, 2000.[CLZ00] Jin-yi Cai, Richard J Lipton, and Yechezkel Zalcstein. The complexity of the abcproblem. SIAM Journal on Computing , 29(6):1878–1888, 2000.17CTV10] Qi Cheng, Sergey P Tarasov, and Mikhail N Vyalyi. Efficient algorithms for sparsecyclotomic integer zero testing. Theory of Computing Systems , 46(1):120–142, 2010.[FT88] Faith E Fich and Martin Tompa. The parallel complexity of exponentiating polyno-mials over finite fields. Journal of the ACM (JACM) , 35(3):651–667, 1988.[Ge93] Guoqiang Ge. Testing equalities of multiplicative representations in polynomial time.In Proceedings of 1993 IEEE 34th Annual Foundations of Computer Science , pages422–426. IEEE, 1993.[GKKS16] Ankit Gupta, Pritish Kamath, Neeraj Kayal, and Ramprasad Saptharishi. Arithmeticcircuits: A chasm at depth 3. SIAM Journal on Computing , 45(3):1064–1079, 2016.[GKPR96] Leszek Gasieniec, Marek Karpinski, Wojciech Plandowski, and Wojciech Rytter. Ran-domized efficient algorithms for compressed strings: The finger-print approach (ex-tended abstract). In Daniel S. Hirschberg and Eugene W. Myers, editors, Combinato-rial Pattern Matching, 7th Annual Symposium, CPM 96, Laguna Beach, California,USA, June 10-12, 1996, Proceedings , volume 1075 of Lecture Notes in Computer Sci-ence , pages 39–49. Springer, 1996.[HJM94] Yoram Hirshfeld, Mark Jerrum, and Faron Moller. A polynomial-time algorithm fordeciding equivalence of normed context-free processes. In , pages 623–631. IEEE Computer Society, 1994.[HW + 79] Godfrey Harold Hardy, Edward Maitland Wright, et al. An introduction to the theoryof numbers . Oxford university press, 1979.[Jez12] Artur Jez. Faster fully compressed pattern matching by recompression. In Artur Czu-maj, Kurt Mehlhorn, Andrew M. Pitts, and Roger Wattenhofer, editors, Automata,Languages, and Programming - 39th International Colloquium, ICALP 2012, War-wick, UK, July 9-13, 2012, Proceedings, Part I , volume 7391 of Lecture Notes inComputer Science , pages 533–544. Springer, 2012.[KI04] Valentine Kabanets and Russell Impagliazzo. Derandomizing polynomial identitytests means proving circuit lower bounds. computational complexity , 13(1-2):1–46,2004.[KKPS15] Neeraj Kayal, Pascal Koiran, Timoth´ee Pecatte, and Chandan Saha. Lower bounds forsums of powers of low degree univariates. In International Colloquium on Automata,Languages, and Programming , pages 810–821. Springer, 2015.[KL15] Daniel K¨onig and Markus Lohrey. Parallel identity testing for skew circuits with bigpowers and applications. In International Symposium on Mathematical Foundationsof Computer Science , pages 445–458. Springer, 2015.[Koi96] Pascal Koiran. Hilbert’s nullstellensatz is in the polynomial hierarchy. Journal ofcomplexity , 12(4):273–286, 1996. 18Koi11] Pascal Koiran. Shallow circuits with high-powered inputs. In Bernard Chazelle, editor, Innovations in Computer Science - ICS 2011, Tsinghua University, Beijing, China,January 7-9, 2011. Proceedings , pages 309–320. Tsinghua University Press, 2011.[Mit13] Johannes Mittmann. Independence in algebraic complexity theory . PhD thesis, Uni-versit¨ats-und Landesbibliothek Bonn, 2013.[Mon71] H. L. Montgomery. Multiplicative number theory. 227, 1971.[MSU97] Kurt Mehlhorn, R. Sundar, and Christian Uhrig. Maintaining dynamic sequencesunder equality tests in polylogarithmic time. Algorithmica , 17(2):183–198, 1997.[Pla84] David A Plaisted. New np-hard and np-complete polynomial and integer divisibilityproblems. Theoretical Computer Science , 31(1-2):125–138, 1984.[Roj07] J.M. Rojas. Efficiently detecting subtori and torsion points. 448:213233, 2007.[RT92] John H Reif and Stephen R Tate. On threshold circuits and polynomial computation. SIAM Journal on Computing , 21(5):896–908, 1992.[Sap15] Ramprasad Saptharishi. A survey of lower bounds in arithmetic circuit complexity. Github survey , 2015.[Sax08] Nitin Saxena. Diagonal circuit identity testing and lower bounds. In InternationalColloquium on Automata, Languages, and Programming , pages 60–71. Springer, 2008.[Sax09] Nitin Saxena. Progress on polynomial identity testing. Bulletin of the EATCS no ,99:49–79, 2009.[Sax14] Nitin Saxena. Progress on polynomial identity testing-ii. In Perspectives in Compu-tational Complexity , pages 131–146. Springer, 2014.[VSBR83] Leslie G. Valiant, Sven Skyum, S. Berkowitz, and Charles Rackoff. Fast parallelcomputation of polynomials using few processors. SIAM J. Comput. , 12(4):641–644,1983.[Wag86] Klaus W Wagner. The complexity of combinatorial problems with succinct inputrepresentation. Acta informatica , 23(3):325–356, 1986.19 Proofs from Section 4 Lemma 22. [Chen and Kao [CK00] and Bl¨omer [Bl¨o98]] Let α be an algebraic integer where theabsolute value of all its conjugates is at most B . For all b ∈ N , a random conjugate α ′ of α satisfies | α ′ | ≤ − b , with probability at most B/ ( b + B ) .Proof. For the algebraic integer α , let α = α, α , . . . , α d − be the conjugates. Let k be the numberof conjugates that are at most 2 − b in absolute value. Recall that | Q di =0 α i | is the absolute value ofthe constant term of the minimal polynomial of α . Since the minimal polynomial by definition isintegral, the product | Q di =0 α i | is at least 1. Together with the upper bound 2 B on | α i | we get1 ≤ | d Y i =0 α i | ≤ (2 B ) d − k (2 − b ) k This implies that (2 B ) d − k (2 − b ) k ≥ dB − k ( B + b ) ≥ dB − k ( B + b ) ≥ kd ≤ BB + b B Proofs from Section 7 Lemma 23. For every m, d > , there exist α i , β ij ∈ Q ( ≤ i ≤ md, ≤ j ≤ d ) such that ( u + · · · + u m ) d = md X i =0 d X j =0 β ij ( u + α i ) j . . . ( u m + α i ) j . We provide a proof due to Gupta et al. [GKKS16] Proof. Consider P u ( z ) = ( z + u ) . . . ( z + u m ) − z m = z m − ( u + . . . u m ) + lower order terms= ⇒ P u ( z ) d = z ( m − d ( u + · · · + u m ) d + lower order termsHence we can compute ( u + · · · + u m ) d as a coefficient of z ( m − d via interpolation by evaluating P u ( z ) d on ( m − d points. That is, for every distinct α , . . . , α md ∈ Q , there exist β ′ . . . β ′ md such20hat ( u + · · · + u m ) d = md X i =0 β ′ i P u ( z ) d = md X i =0 β ′ i (( u + α i ) . . . ( u m + α i ) − α mi ) d = md X i =0 β ′ i d X j =0 (cid:18) dj (cid:19) ( − α mi ) ( d − j ) (( u + α i ) . . . ( u m + α i )) j = md X i =0 d X j =0 β ij (( u + α i ) . . . ( u m + α i )) j where β ij = β ′ i (cid:0) dj (cid:1) ( − α i ) m ( d − j ))