Automorphisms of Finite Rings and Applications to Complexity of Problems

1
Automorphisms of Finite Rings and Applications to
Complexity of Problems
  • Manindra Agrawal
  • NUS / IITK

2
Motivation
  • Automorphisms of an algebraic structure capture
    its symmetries.
  • Many properties can be proved by analyzing the
    automorphism group of the structure.

3
Examples in Mathematics
  • [Galois, 1830] Structure of automorphism group of
    the splitting field of a polynomial f(x)
    characterizes the solvability of f using
    radicals.
  • [Hasse, 1932] The number of rational points on
    elliptic curve $E_p$ is between $p + 1 - 2\sqrt{p}$ and $p + 1 + 2\sqrt{p}$.

4
What About Algorithms Complexity?
  • Not received much attention.
  • Used only for few problems like polynomial
    factorization.
  • So are they not of much use?
  • Automorphisms of finite rings are intimately
    related to the complexity of many important
    algebraic problems.

5
Examples Discussed
  • Primality Testing
  • Integer Factoring
  • Polynomial Factoring
  • Graph Isomorphism
  • Polynomial Equivalence

6
Problems related to Automorphisms / Isomorphisms
  • Ring Automorphism: Given a ring R, does it have a
    non-trivial automorphism?
  • Ring Isomorphism: Given two rings R, S, are they
    isomorphic?
  • The functional versions of the above two require one
    to find a morphism.
  • Automorphism Testing: Given a ring R and a
    function $\phi: R \to R$, is $\phi$ an automorphism?

7
Representations of Finite Rings
  • We consider finite commutative rings with
    identity.
  • These rings have three main representations:
  • Table representation
  • Basis representation
  • Polynomial representation

8
Table Representation
  • The ring R is given as:
  • $(e_1, e_2, \ldots, e_n)$: the set of elements in R
  • The table of addition operation
  • The table of multiplication operation
  • The size of representation is $\Theta(|R|^2)$.

9
Table Representation Complexity
  • Problems related to automorphisms can be computed
    in time $O(n^{\log n})$
  • The ring has O(log n)-sized generator set under
    addition.
  • An automorphism maps a generator set to another.
  • Too verbose!

10
Basis Representation
  • The ring R is given as:
  • $(b_1, m_1, b_2, m_2, \ldots, b_n, m_n)$ where $b_1, \ldots, b_n$ is a
    generator set for R under addition and $m_i$ is the
    order of $b_i$.
  • The table of multiplication operation for
    generators: $b_i b_j = \sum_{1 \le k \le n} \alpha_{ijk} b_k$.
  • The size of representation is $\Theta(n^3) = O(\log |R|)^3$:
    exponentially smaller than table representation.

11
Basis Representation Complexity
  • Problems related to automorphisms are in the
    class $FP^{AM \cap coAM}$ [Kayal-Saxena, 2004]
  • An automorphism/isomorphism is a linear map on
    additive generator set.
  • So guess-and-verify technique works.
  • A variant of Graph Isomorphism in coAM proof
    works.

12
Polynomial Representation
  • The ring R is given as:
  • $Z_m[X_1, \ldots, X_n] / (f_1, \ldots, f_k)$ where $X_1, \ldots, X_n$ is a
    generator set for R under addition and
    multiplication and $(f_1, \ldots, f_k)$ is the ideal of
    polynomials satisfied by $X_1, \ldots, X_n$.
  • Each $f_i$ is given as an arithmetic circuit.
  • The size of representation can be exponentially
    smaller than basis representation
  • Example: $F_2[X_1, \ldots, X_n] / (X_1^2, \ldots, X_n^2)$

13
Polynomial Representation Complexity
  • Problems related to automorphisms are NP-hard
  • An automorphism is completely specified by its
    action on $X_1, \ldots, X_n$.
  • Verifying membership in the ideal $(f_1, \ldots, f_k)$ can
    be hard (EXPSPACE-complete in general).
  • Ring Automorphism problem is NP-hard.
  • Ring Isomorphism problem is coNP-hard.
  • Too compact!

14
  • So the best representation, from the complexity
    perspective, is basis representation.
  • Often, basis and polynomial representations have
    similar sizes.
  • In such cases, we use polynomial representation
    as it is the most natural one.

15
  • Application to Primality Testing

16
Automorphism Testing ? Primality Testing
  • Fermat's Little Theorem: If n is prime then the
    map $\phi(x) = x^n \pmod{n}$ is the trivial automorphism
    of ring $Z_n$.
  • Converse is not true.
  • Even if it were, it is expensive to test that the
    map is indeed an automorphism.
  • These problems can be eliminated!

17
Automorphism Testing ? Primality Testing
  • Let $R = Z_n[Y] / (Y^r - 1)$ for some $r > 0$ and
    define $\phi: R \to R$ as $\phi(x) = x^n$.
  • Observation: $\phi$ is an automorphism of R iff for
    every $g(Y) \in R$,
  • $g^n(Y) = \phi(g(Y)) = g(\phi(Y)) = g(Y^n)$.

18
Automorphism Testing ? Primality Testing
  • [A-Kayal-Saxena, 2002] For suitably chosen
    small r, if $(Y + a)^n = Y^n + a$ in R for $1 \le a \le \sqrt{r} \log n$,
    then either n is prime or has a divisor
    $< r$.
  • Above is a slight generalization of the original
    statement.

19
Automorphism Testing ? Primality Testing
  • Let ring $S = Z_n[Y] / (Y^{2r} - Y^r)$.
  • The AKS theorem translates to:
  • Theorem: (1) n is prime iff $\phi$ is an automorphism
    in S.
  • (2) $\phi$ is an automorphism in S iff $\phi(Y + a) = \phi(Y) + a$
    for $1 \le a \le \sqrt{r} \log n$.
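
An added example (not part of the original slides) of the check on slides 17-18: it computes (Y + a)^n in R = Z_n[Y]/(Y^r - 1) and compares it with Y^n + a. The function names, the base-2 logarithm in the bound, and the toy values of n and r are assumptions made for illustration; r >= 2 is required.

```python
from math import log2, sqrt

def mul(f, g, r, n):
    """Multiply f and g in Z_n[Y]/(Y^r - 1); each is a list of r coefficients."""
    h = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                h[(i + j) % r] = (h[(i + j) % r] + fi * gj) % n   # Y^r = 1
    return h

def power(f, e, r, n):
    """Square-and-multiply exponentiation in Z_n[Y]/(Y^r - 1)."""
    result = [1 % n] + [0] * (r - 1)
    while e:
        if e & 1:
            result = mul(result, f, r, n)
        f = mul(f, f, r, n)
        e >>= 1
    return result

def phi_respects_shift(n, r, a):
    """True iff (Y + a)^n == Y^n + a in R, i.e. phi(Y + a) == phi(Y) + a."""
    lhs = power([a % n, 1] + [0] * (r - 2), n, r, n)
    rhs = [0] * r
    rhs[n % r] = 1                      # Y^n reduces to Y^(n mod r)
    rhs[0] = (rhs[0] + a) % n
    return lhs == rhs

def passes_all(n, r):
    """Run the check for 1 <= a <= sqrt(r) * log n (log base 2 is an assumption)."""
    bound = int(sqrt(r) * log2(n))
    return all(phi_respects_shift(n, r, a) for a in range(1, bound + 1))

# Constructed toy inputs: 31 is prime, 341 = 11 * 31 is a base-2 Fermat pseudoprime.
print(passes_all(31, 7), phi_respects_shift(341, 2, 1), phi_respects_shift(341, 2, 2))
```

With r = 2 and a = 1 the check collapses to the Fermat test to base 2, which 341 passes; a = 2 already rejects it, which illustrates why a range of a is tested.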

20
  • Application to Polynomial Factoring

21
Automorphism Testing ? Polynomial Factoring
  • Let f be a polynomial of degree d in $F_q[Y]$.
  • Let $R = F_q[Y] / (f)$ and $\phi(x) = x^q$.
  • Observation: (1) $\phi$ is an automorphism in R and $\phi^d$
    is the trivial automorphism.
  • (2) $\phi^k$ is trivial iff degrees of all irreducible
    factors of f divide k.
  • (3) $\phi^k$ is trivial iff $Y^{q^k} = \phi^k(Y) = Y$.

22
Automorphism Testing ? Polynomial Factoring
  • This allows one to test for irreducibility of f as
    well as separate distinct degree factors of f:
  • For k = 1 to d do: compute $\gcd(f, Y^{q^k} - Y)$.
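
An added example (not from the original slides) of the loop above for the case q = p prime: it tracks phi^k(Y) = Y^(p^k) in R and peels off gcd(f, Y^(p^k) - Y) for k = 1..d. The function names and the sample polynomial are assumptions; f is assumed monic and squarefree, and polynomials are coefficient lists with the constant term first.

```python
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def divmod_poly(a, b, p):
    """Quotient and remainder of a by b over F_p (coefficient lists, low degree first)."""
    a, q = trim(a[:]), [0] * max(len(a) - len(b) + 1, 1)
    inv = pow(b[-1], -1, p)
    while len(a) >= len(b):
        c, shift = a[-1] * inv % p, len(a) - len(b)
        q[shift] = c
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - c * bi) % p
        trim(a)
    return trim(q), a

def mulmod(a, b, f, p):                     # a * b in R = F_p[Y]/(f)
    prod = [0] * (len(a) + len(b))
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    return divmod_poly(prod, f, p)[1]

def frobenius(a, f, p):                     # phi(a) = a^p in R, square-and-multiply
    result, e = [1], p
    while e:
        if e & 1:
            result = mulmod(result, a, f, p)
        a, e = mulmod(a, a, f, p), e >> 1
    return result

def gcd_poly(a, b, p):
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    return [c * pow(a[-1], -1, p) % p for c in a]   # normalised to be monic

def distinct_degree(f, p):
    """Map k -> product of the degree-k irreducible factors of squarefree monic f."""
    out, y_k = {}, [0, 1]                   # y_k holds phi^k(Y) = Y^(p^k) in R
    for k in range(1, len(f)):              # k = 1 .. d
        y_k = frobenius(y_k, f, p)
        diff = trim([(c - (i == 1)) % p for i, c in enumerate(y_k + [0, 0])])
        g = gcd_poly(f, diff, p)
        if len(g) > 1:                      # phi^k is trivial on these factors
            out[k], f = g, divmod_poly(f, g, p)[0]
    return out

SAMPLE = distinct_degree([0, 1, 1, 1, 1], 3)  # constructed: f = Y(Y+1)(Y^2+1) over F_3
```

A degree-d polynomial is irreducible exactly when the result is the single entry {d: f}.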

23
Automorphism Testing ? Polynomial Factoring
  • Finding equal degree factors of f can be reduced
    to finding roots of a related polynomial in Fq
  • Find a $t(Y) \in R \setminus F_q$, with $\phi(t(Y)) = t(Y)$ [use
    linear algebra].
  • Let $g(x) = \mathrm{Res}(t(Y) - x, f(Y))$.
  • For a root a of g, $\gcd(t(Y) - a, f(Y))$ is
    non-trivial.

24
Automorphism Testing ? Polynomial Factoring
  • Roots of g can be computed using distinct degree
    factorization method.
  • Works in randomized polynomial time.

25
  • Application to Integer Factoring

26
Finding Ring Automorphism ? Integer Factoring
  • Quadratic Sieve, Number Field Sieve: the two fastest
    known methods for factoring integers.
  • Both aim to find a and b in $Z_n$, $a \ne \pm b$, $a^2 = b^2 \pmod{n}$.
  • Given such a and b, $\gcd(a + b, n)$ is non-trivial.
  • These methods are equivalent to finding an
    automorphism in a special ring.

27
Finding Ring Automorphism ? Integer Factoring
  • Let $R = Z_n[Y] / (Y^2 - 1)$ for odd n.
  • Observation x ? x and x ? x are two
    straightforward automorphisms in R.
  • Lemma: Let $\phi$ be any automorphism of R. Then, $\phi(Y) = cY$
    with $c^2 = 1 \pmod{n}$.

28
Finding Ring Automorphism ? Integer Factoring
  • Proof: Let $\phi(Y) = cY + d$. Then,
  • $0 = \phi(Y^2 - 1) = (cY + d)^2 - 1$
  • $= 2cdY + c^2 + d^2 - 1$.
  • Since $\phi$ is an automorphism, $(c, n) = 1$. Thus, $d = 0$
    and $c^2 = 1$ in $Z_n$. $\Box$
  • So for any third automorphism, $c \ne \pm 1$.
    Therefore, finding a third automorphism is
    equivalent to factoring n.
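
An added example (not from the original slides) that checks the lemma by brute force on a small odd n: it enumerates every map Y -> cY + d on R = Z_n[Y]/(Y^2 - 1), keeps those that are bijective and multiplicative, and reads a divisor of n off each automorphism with c != +-1 as gcd(c - 1, n). The function names and the toy modulus are assumptions.

```python
from math import gcd

def mul(u, v, n):
    """(u0 + u1*Y)(v0 + v1*Y) in R = Z_n[Y]/(Y^2 - 1), reduced with Y^2 = 1."""
    return ((u[0] * v[0] + u[1] * v[1]) % n, (u[0] * v[1] + u[1] * v[0]) % n)

def phi(u, c, d, n):
    """Z_n-linear map fixing 1 and sending Y to c*Y + d."""
    return ((u[0] + u[1] * d) % n, (u[1] * c) % n)

def is_automorphism(c, d, n):
    """Exhaustive check: phi is a bijection on R and respects multiplication."""
    elems = [(a, b) for a in range(n) for b in range(n)]
    if len({phi(u, c, d, n) for u in elems}) != n * n:
        return False
    return all(phi(mul(u, v, n), c, d, n) == mul(phi(u, c, d, n), phi(v, c, d, n), n)
               for u in elems for v in elems)

def automorphisms(n):
    """All (c, d) for which Y -> c*Y + d is an automorphism of R."""
    return [(c, d) for c in range(n) for d in range(n) if is_automorphism(c, d, n)]

def factors_from_third_automorphisms(n):
    """Each automorphism with c != +-1 gives the proper divisor gcd(c - 1, n)."""
    return sorted({gcd(c - 1, n) for c, d in automorphisms(n) if c not in (1, n - 1)})

N = 15  # constructed toy modulus (odd, composite)
print(automorphisms(N), factors_from_third_automorphisms(N))
```

For a prime modulus only c = 1 and c = n - 1 survive, so no divisor is produced.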

29
Finding Ring Automorphism ? Integer Factoring
  • Conversely, finding ring automorphism can be
    reduced to integer factoring.
  • [Kayal-Saxena, 2004] showed how:
  • Given ring R, split it as a sum of local rings
    using integer and polynomial factoring oracles.
  • For each local ring, it is easy to find a
    non-trivial automorphism if it exists.

30
Finding Ring Automorphism ? Integer Factoring
  • There are many other connections too.
  • [Kayal-Saxena, 2004] showed that integer factoring
    reduces to:
  • Counting number of automorphisms of $Z_n[Y] / (Y^2)$.
  • Finding any non-trivial automorphism of $Z_n[Y] / (f)$,
    f a random degree 3 poly.
  • Finding any isomorphism between $Z_n[Y] / (Y^2 - 1)$
    and $Z_n[Y] / (Y^2 - a^2)$, a randomly chosen from $Z_n$.

31
  • Application to Graph Isomorphism

32
Ring Isomorphism ? Graph Isomorphism
  • Shown in [Kayal-Saxena, 2004].
  • Here, we give a different, more general proof.
  • Let $G = (V, E)$ be a graph on n vertices.
  • Define polynomial $p_G$ as
  • $p_G(x_1, \ldots, x_n) = \sum_{(i,j) \in E} x_i \cdot x_j$.
  • Define polynomial ideal $I_G$ as
  • $I_G(x_1, \ldots, x_n) = (p_G(x_1, \ldots, x_n), \{x_i^2\}_{1 \le i \le n}, \{x_i x_j x_k\}_{1 \le i < j < k \le n})$.

33
Ring Isomorphism ? Graph Isomorphism
  • Let $R_{q,G} = F_q[Y_1, \ldots, Y_n] / I_G(Y_1, \ldots, Y_n)$.
  • Theorem: Graphs $G_1$ and $G_2$ are isomorphic iff
    either $G_1 = G_2 = K_m \cup D_{n-m}$ or rings $R_{q,G_1}$ and
    $R_{q,G_2}$ are isomorphic.
  • Here, $D_{n-m}$ is a collection of n-m isolated
    vertices and q any odd prime power.

34
Ring Isomorphism ? Graph Isomorphism
  • Proof: If the graphs are isomorphic via $\pi$, the
    rings are isomorphic via $\phi(Y_i) = Y_{\pi(i)}$.
  • Suppose the rings are isomorphic and $G_2 \ne K_m \cup D_{n-m}$
    for any m.
  • Let $\phi$ be an isomorphism,
  • $\phi(Y_i) = a_i + \sum_{1 \le j \le n} b_{ij} Y_j + \sum_{1 \le j < k \le n} c_{ijk} Y_j Y_k$

35
Ring Isomorphism ? Graph Isomorphism
  • Since $\phi(Y_i)^2 = \phi(Y_i^2) = 0$:
  • $0 = \phi(Y_i)^2 = a_i^2 +$ higher degree terms,
  • implying that $a_i = 0$.
  • So
  • $0 = \phi(Y_i)^2 = 2 \sum_{1 \le j < k \le n} b_{ij} b_{ik} Y_j Y_k$.

36
Ring Isomorphism ? Graph Isomorphism
  • If two or more $b_i$'s are non-zero, $p_{G_2}$ must divide
    $\phi(Y_i)^2$.
  • This implies $G_2 = K_m \cup D_{n-m}$. Not possible.
  • If all $b_i$'s are zero then $\phi(Y_i Y_t) = 0$. Not
    possible.
  • So, exactly one of $b_i$'s is non-zero.

37
Ring Isomorphism ? Graph Isomorphism
  • Let $\pi(i) = j$ where $b_{ij}$ is non-zero.
  • If $\pi(i) = \pi(t)$, then $\phi(Y_i Y_t) = 0$. Not possible.
  • So $\pi$ is a permutation on $[1, n]$.

38
Ring Isomorphism ? Graph Isomorphism
  • Also
  • $0 = \phi(p_{G_1}) = \sum_{(i,j) \in E_1} \phi(Y_i) \phi(Y_j)$
  • $= \sum_{(i,j) \in E_1} b_{i,\pi(i)} b_{j,\pi(j)} Y_i Y_j$.
  • So $p_{G_2}$ must divide above.
  • This means $\phi(p_{G_1})$ is a constant multiple of $p_{G_2}$,
    implying that $\pi$ is an isomorphism.

39
  • Application to Polynomial Equivalence

40
Polynomial Equivalence
  • The Problem: Given two polynomials f and g in
    $F[x_1, \ldots, x_n]$, test if there exists an invertible
    linear transformation T such that
  • $g(x_1, \ldots, x_n) = f(Tx_1, \ldots, Tx_n)$.
  • [Thierauf, 1998] proved it is in $NP \cap coAM$ when T
    is required to be a permutation.
  • His proof works for arbitrary linear
    transformations too.

41
Polynomial Equivalence
  • Polynomial equivalence for d-forms (homogeneous
    polynomials of degree d) is well-studied.
  • Witt's theorem [1936] implies a polynomial time
    algorithm for quadratic forms.
  • No such algorithm is known for cubic forms.
  • There is even a cryptosystem based on (presumed)
    difficulty of deciding equivalence between
    collections of cubic forms.

42
Polynomial Equivalence ? Ring Isomorphism
  • Theorem: Ring Isomorphism for rings of prime
    characteristic reduces to Polynomial Equivalence.
  • Proof: Let R and S be two rings given in basis
    representation:
  • $R = (b_1, p, \ldots, b_n, p)$, $b_i b_j = \sum_{1 \le k \le n} \alpha_{ijk} b_k$
  • $S = (d_1, p, \ldots, d_n, p)$, $d_i d_j = \sum_{1 \le k \le n} \beta_{ijk} d_k$

43
Polynomial Equivalence ? Ring Isomorphism
  • Define polynomial $p_R(y, b)$ as
  • $p_R(y, b) = \sum_{1 \le i \le j \le n} y_{ij} (b_i b_j - \sum_{1 \le k \le n} \alpha_{ijk} b_k)$.
  • Similarly define polynomial $p_S(z, d)$.
  • Claim: If R and S are isomorphic, then $p_R$ and $p_S$
    are equivalent.
  • Proof: Let $\phi$ be an isomorphism between R and S.

44
Polynomial Equivalence ? Ring Isomorphism
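  • Then $\phi(b_i b_j - \sum_{1 \le k \le n} \alpha_{ijk} b_k) = 0$ in S.
  • This implies that
  • $\phi(b_i b_j - \sum_{1 \le k \le n} \alpha_{ijk} b_k) = \sum_{l,m} \gamma_{ijlm} (d_l d_m - \sum_{1 \le k \le n} \beta_{lmk} d_k)$.
  • Therefore, the T that extends $\phi$ to $y_{ij}$'s as
  • $T(\sum_{ij} \gamma_{ijlm} y_{ij}) = z_{lm}$
  • is an equivalence between the polynomials.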

45
Polynomial Equivalence ? Ring Isomorphism
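  • Claim: If $p_R$ and $p_S$ are equivalent then R and S
    are isomorphic.
  • Proof: Let T be an equivalence. Then
  • $\sum_{1 \le i \le j \le n} T(y_{ij}) T(b_i b_j - \sum_{1 \le k \le n} \alpha_{ijk} b_k) = \sum_{1 \le i \le j \le n} z_{ij} (d_i d_j - \sum_{1 \le k \le n} \beta_{ijk} d_k)$.
  • By comparing degrees, we get
  • $\sum_{1 \le i \le j \le n} T(y_{ij}) T(b_i b_j) = \sum_{1 \le i \le j \le n} z_{ij} d_i d_j$.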

46
Polynomial Equivalence ? Ring Isomorphism
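  • We first show that $T(b_i)$ is a linear combination
    of only d's.
  • Suppose not. Let $T(b_1)$ include $z_{11}$.
  • Set $z_{11}$ to make $T(b_1)$ zero. This gives
  • $\sum_{1 < i \le j \le n} T(y_{ij}) T(b_i b_j) = \sum_{1 \le i \le j \le n,\ j > 1} z_{ij} (\text{quad } d\text{'s}) + (\text{cubic } d\text{'s})$.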

47
Polynomial Equivalence ? Ring Isomorphism
  • Notice that LHS has only $n(n-1)/2$ terms left
    while RHS has $n(n+1)/2 - 1$ z's.
  • For each term on LHS, if any of its components has
    a z-variable in it, set that variable to make the
    component zero.
  • Continuing this way, by setting at most
    $1 + n(n-1)/2$ z-variables, LHS is independent of
    z's. But RHS still has $n-1$ unset z-variables.
    Contradiction.

48
Polynomial Equivalence ? Ring Isomorphism
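  • So each $T(b_i)$ has only d's. The equation is
  • $\sum_{1 \le i \le j \le n} T(y_{ij}) T(b_i b_j - \sum_{1 \le k \le n} \alpha_{ijk} b_k) = \sum_{1 \le i \le j \le n} z_{ij} (d_i d_j - \sum_{1 \le k \le n} \beta_{ijk} d_k)$.
  • Since there are no cubic d's in RHS, we can
    ignore d's in $T(y_{ij})$.
  • Suppose that $T(b_i b_j - \sum_{1 \le k \le n} \alpha_{ijk} b_k)$ is not in
    S.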

49
Polynomial Equivalence ? Ring Isomorphism
  • Then, in S:
  • $T(b_i b_j - \sum_{1 \le k \le n} \alpha_{ijk} b_k) = \sum_k \delta_{ijk} d_k$.
  • Therefore, $\sum_{1 \le i \le j \le n} \delta_{ijk} T(y_{ij}) = 0$ in S. This is
    not possible since T is invertible on y's.
  • Therefore, T restricted to b's is an isomorphism
    from R to S.

50
Other Connections
  • A similar, more involved, proof shows that Graph
    Isomorphism reduces to cubic form equivalence.
  • d-form equivalence over $F_q$ with $(d, q-1) = 1$
    reduces to Ring Isomorphism for constant d.

51
  • Open Questions

52
  • Can one find connections with problems like
    discrete-log?
  • Can one show that Ring Isomorphism reduces to
    cubic form equivalence?
  • Our proof only reduces to degree 3 polynomials.

53
  • Most of the effort in Integer Factoring has been
    concentrated on the ring $Z_n[Y] / (Y^2 - 1)$.
  • Can taking the problem to other rings help?
  • [Kayal-Saxena, 2004] provide some alternative
    rings.

54
  • We reduce Graph Isomorphism to cubic form
    equivalence (over any field).
  • Is the theory of cubic forms of any help in
    solving Graph Isomorphism?

55
  • Thank you!