% The Chicago Journal of Theoretical Computer Science, Volume 1998, Article 1
% Published by MIT Press, Cambridge, Massachusetts USA
% Copyright 1998 by Massachusetts Institute of Technology
%
\newtoks\rstyle
\rstyle={cjlook}
%
\documentclass[v1.1,published]{cjstruct}
%
% Local style resources for this article.
%
\usestyleresource{amstext}
%
% Local macro definitions for this article.
%
\catcode`\@=11
\ifx\nopagebreakbeginpar\undeftex
\newcommand{\nopagebreakbeginpar}{\@beginparpenalty10000}
\fi
\ifx\nopagebreakendpar\undeftex
\newcommand{\nopagebreakendpar}{\@endparpenalty10000}
\fi
\ifx\nopagebreakinteritem\undeftex
\newcommand{\nopagebreakinteritem}{\@itempenalty10000}
\fi
\catcode`\@=12
%
\newcommand{\prooffontshape}{\fontshape{n}\selectfont}
\newcommand{\GF}{{\rm GF}}
\newcommand{\Q}{{\bf Q}}
\newcommand{\F}{{\bf F}}
\newcommand{\iso}{\cong}
\newcommand{\implies}{\mbox{\(\;\Longrightarrow\;\)}}
\renewcommand{\iff}{\mbox{\(\;\Longleftrightarrow\;\)}}
\newcommand{\Prob}[1]{{\rm {\bf Pr}}{\bf [} #1 {\bf ]}}
\newcommand{\set}[2]{\{\,#1\mid#2\,\}}
\newcommand{\Vector}[1]{\mbox{\boldmath \(#1\)}}
\newcommand{\BPE}{{\rm BPE}}
\newcommand{\oneBPE}{{\rm 1\mbox{-}BPE}}
\newcommand{\BPI}{{\rm BPI}}
\newcommand{\BPNI}{\mbox{{\rm BPNI}}}
\newcommand{\oneBPI}{{\rm 1\mbox{-}BPI}}
\newcommand{\oneBPNI}{\mbox{{\rm 1\mbox{-}BPNI}}}
\newcommand{\GI}{{\rm GI}}
\newcommand{\GNI}{\mbox{{\rm GNI}}}
\newcommand{\BP}{{\rm BP}}
\newcommand{\RP}{{\rm RP}}
\newcommand{\PH}{{\rm PH}}
\newcommand{\NP}{{\rm NP}}
\newcommand{\IP}{{\rm IP}}
\newcommand{\AM}{{\rm AM}}
\newcommand{\co}{\mbox{\rm co}}
\def\registered{\({}^{\ooalign%
{\hfil\raise.07ex\hbox{{\tiny\textup{R}}}%
\hfil\crcr\scriptsize\mathhexbox20D\cr}}\)}
%
% end of local macro definitions for this article
%
\begin{document}
%
\begin{articleinfo}
%
\publisher{The MIT Press}
%
\publishercomment{%
{\Large
\begin{center}
Volume 1998, Article 1\\
\textit{10 March 1998}
\end{center}
}
\par\noindent
ISSN 1073--0486\@. MIT Press Journals, Five Cambridge Center, Cambridge, MA
02142-1493 USA; (617)253-2889;
\emph{journals-orders@mit.edu, journals-info@mit.edu}\@.
Published one article at a time in \LaTeX\ source form on the
Internet\@. Pagination varies from copy to copy\@. For more
information and other articles see:
\begin{itemize}
\item \emph{http://mitpress.mit.edu/CJTCS/}
\item \emph{http://www.cs.uchicago.edu/publications/cjtcs/}
\item \emph{ftp://mitpress.mit.edu/pub/CJTCS}
\item \emph{ftp://cs.uchicago.edu/pub/publications/cjtcs}
\end{itemize}
\sentence
\par\noindent
The \emph{Chicago Journal of Theoretical Computer Science} is
abstracted or indexed in \emph{Research Alert,\registered
SciSearch,\registered Current Contents\registered/Engineering
Computing \& Technology}, and \emph{CompuMath Citation Index\@.\registered}
}
%
\copyrightstmt{%
\copyright 1998 The Massachusetts Institute of Technology\@.
Subscribers are licensed to use journal articles in a variety of
ways, limited only as required to insure fair attribution to authors
and the journal, and to prohibit use in a competing commercial
product\@. See the journal's World Wide Web site for further
details\@. Address inquiries to the Subsidiary Rights Manager, MIT
Press Journals; (617)253-2864;
\emph{journals-rights@mit.edu}\@.\pagebreak[2]
}
%
\journal{Chicago\nolinebreak[1] Journal of Theoretical Computer\nolinebreak[1] Science}
\journalcomment{%
The \emph{Chicago Journal of Theoretical Computer Science}
is a peer-reviewed scholarly journal in theoretical computer
science\@. The journal is committed to providing a forum for
significant results on theoretical aspects of all topics in computer
science\@.
\par
\begin{trivlist}
\item[\emph{Editor in chief:}] Janos Simon
\item[\emph{Consulting editors:}]
Joseph Halpern, Stuart A.\ Kurtz, Raimund Seidel
\item[\emph{Editors:}]
\begin{tabular}[t]{lll}
Martin Abadi & Greg Frederickson & John Mitchell \\
Pankaj Agarwal & Andrew Goldberg & Ketan Mulmuley \\
Eric Allender & Georg Gottlob & Gil Neiger \\
Tetsuo Asano & Vassos Hadzilacos & David Peleg \\
Laszl\'o Babai & Juris Hartmanis & Andrew Pitts \\
Eric Bach & Maurice Herlihy & James Royer \\
Stephen Brookes & Ted Herman & Alan Selman \\
Jin-Yi Cai & Stephen Homer & Nir Shavit \\
Anne Condon & Neil Immerman & Eva Tardos \\
Cynthia Dwork & Howard Karloff & Sam Toueg \\
David Eppstein & Philip Klein & Moshe Vardi \\
Ronald Fagin & Phokion Kolaitis & Jennifer Welch \\
Lance Fortnow & Stephen Mahaney & Pierre Wolper \\
Steven Fortune & Michael Merritt
\end{tabular}
\vspace{1ex}
\item[\emph{Managing editor:}] Michael J.\ O'Donnell
\vspace{1ex}
\item[\emph{Electronic mail:}] \emph{chicago-journal@cs.uchicago.edu}
\end{trivlist}
\sentence
}
%
\bannerfile{cjtcs-banner.tex}
%
\volume{1998}
%
\articleid{1}
%
\selfcitation{
@article{cj98-01,
author={Thomas Thierauf},
title={The Isomorphism Problem for Read-Once Branching Programs and Arithmetic Circuits},
journal={Chicago Journal of Theoretical Computer Science},
volume={1998},
number={1},
publisher={MIT Press},
month={March},
year={1998}
}
}
%
\begin{retrievalinfo}
\end{retrievalinfo}
%
\title{The Isomorphism Problem for Read-Once Branching Programs and Arithmetic Circuits}
\shorttitle{The Isomorphism Problem}
%
\begin{authorinfo}
%
% Correction to error in cjstruct.sty version 1.1.
%
\def\fixversion{1.1}
\ifx\cjversion\fixversion
\renewcommand{\printname}[1]{
\global\authorstring={#1}
\global\authorstrue
\ifinfo\item Printed name: #1\fi
}
\fi
%
% End of correction.
%
\printname{Thomas Thierauf}
\collname{}{Thierauf, Thomas}
\begin{institutioninfo}
\instname{Universit\"at Ulm}
\department{Abt. Theoretische Informatik}
\address{Oberer}{Eselsberg}{89069}{Ulm}{Germany}
\end{institutioninfo}
\email{thierauf@informatik.uni-ulm.de}
\end{authorinfo}
%
\shortauthors{Thierauf}
%
\support{
Supported in part by DAAD, Acciones Integradas\@.
}
%
\begin{editinfo}
\submitted{11}{2}{1997}\reported{15}{4}{1997}
\submitted{28}{8}{1997}\reported{28}{10}{1997}
\submitted{18{}11}{1997}\reported{24}{11}{1997}
\submitted{26}{11}{1997}\reported{2}{1}{1998}\published{10}{3}{1998}
\end{editinfo}
%
\end{articleinfo}
%
\begin{articletext}
%
\begin{abstract}
\apar{Abstract-1}
We investigate the computational complexity of the
isomorphism problem for read-once branching programs (1-BPI):
upon input of two read-once branching programs \(B_0\) and \(B_1\),
decide whether there exists a permutation of the variables of \(B_1\)
such that it becomes equivalent to \(B_0\)\@.
%
\apar{Abstract-2}
Our main result is that
\(\oneBPI\) cannot be NP-hard unless the polynomial hierarchy collapses\@.
The result is extended to the isomorphism problem for arithmetic circuits
over large enough fields\@.
%
\apar{Abstract-3}
We use the known arithmetization of read-once branching programs
and arithmetic circuits into multivariate polynomials over the rationals\@.
Hence,
another way of stating our result is:
the isomorphism problem for multivariate polynomials over large enough fields
is not NP-hard unless the polynomial hierarchy collapses\@.
%
\apar{Abstract-4}
We derive this result by providing a
two-round interactive proof for the
nonisomorphism problem for multivariate polynomials\@.
The protocol is based on the Schwartz-Zippel theorem
for probabilistically checking polynomial identities\@.
%
\apar{Abstract-5}
Finally, we show that there is a
perfect zero-knowledge interactive proof
for the isomorphism problem for multivariate polynomials\@.
\end{abstract}
\asection{1}{Introduction}
%
\apar{1-1}
An interesting computational issue is to decide
the \emph{equivalence\/} of two given programs
with respect to some computational model
such as
Boolean circuits,
branching programs, or
Boolean formulas\@.
A more general problem is to decide the \emph{isomorphism\/} of two given circuits
(for example), that is,
whether the circuits become equivalent after permuting the input variables
of one of the circuits\@.
Isomorphism is one way of formalizing the idea that two circuits
are ``almost'' equivalent\@.
%
\apar{1-2}
The isomorphism problem for Boolean circuits is in fact a very old one,
dating back to the last century
(see~\cite{cj98-01-10} for background and early references on this problem
and variants of it)\@.
More recently,
the problem has been reconsidered with respect to its
computational complexity (see, for example, \cite{cj98-01-01,cj98-01-09,cj98-01-10,cj98-01-12})\@.
%
\apar{1-3}
The equivalence problems for Boolean circuits,
branching programs, and Boolean formulas are known to be coNP-complete\@.
Asking for isomorphism roughly amounts to putting
an existential quantifier in front of the problem\@.
Therefore, the corresponding isomorphism problems are in the
second level of the polynomial hierarchy, \(\Sigma^p_2\)\@.
An obvious question is whether these isomorphism problems
are complete for \(\Sigma^p_2\)\@.
This question was solved by Agrawal and Thierauf~\cite{cj98-01-01},
who showed that none of these isomorphism problems
is complete for \(\Sigma^p_2\)
unless the polynomial hierarchy collapses\@.
Thus, loosely speaking,
the existential quantifier we get by seeking an isomorphism
does not seem to add full NP-power to the corresponding equivalence problem\@.
%
\apar{1-4}
The most prominent example that supports the latter observation
might be the \emph{graph isomorphism problem}, GI\@.
Here,
the equivalence problem for graphs,
which is in fact an equality problem, is trivially
solvable in polynomial time;
therefore, GI is in NP\@.
However, GI is not NP-complete
unless the polynomial hierarchy collapses~\cite{cj98-01-16,cj98-01-08}
(see also~\cite{cj98-01-21})\@.
%
\apar{1-5}
For a restricted class of branching programs, namely,
the \emph{read-once branching programs},
where on each path, each variable is tested at most once
(see the next section for precise definitions),
the equivalence problem is easier:
it can be efficiently solved by a randomized Monte-Carlo type algorithm~\cite{cj98-01-07}
with one-sided error,
and is in the complexity class coRP\@.
Therefore,
when an existential quantifier is put in front,
the isomorphism problem for read-once branching programs, \(\oneBPI\),
is in NP\(\cdot\)coRP\@.
Motivated by the examples above,
we ask whether \(\oneBPI\) is NP-hard\@.
%
\apar{1-6}
In this paper, we show that
\(\oneBPI\) is also in the Arthur-Merlin class, \(\co\AM = \BP \cdot \co\NP\)\@.
As a consequence, it is not NP-hard
unless the polynomial hierarchy collapses\@.
The result is extended to \emph{arithmetic circuits\/} (or \emph{straight-line programs\/})
over large enough fields\@.
%
\apar{1-7}
One crucial point required to prove these results is that both
read-once branching programs and arithmetic circuits
can be arithmetized, yielding equivalent multivariate polynomials~\cite{cj98-01-07,cj98-01-19}\@.
In the case of read-once branching programs,
these polynomials are multilinear\@.
Therefore,
our main results can be restated in purely algebraic terms:
the isomorphism problem for multivariate polynomials
over large enough fields is not NP-hard
unless the polynomial hierarchy collapses\@.
%
\apar{1-8}
Our proof is based on a two-round interactive proof for
the nonisomorphism problem for multivariate polynomials\@.
In principle,
the interactive proof protocol follows the one for \emph{graph nonisomorphism}, GNI\@.
However,
there is a crucial difference:
in our protocol,
the verifier needs to compute a normal form of a polynomial
to hide the syntactic structure of the input polynomials
that are manipulated\@.
This problem does not occur when working with graphs;
however,
this requirement seems to exceed the computational power of the verifier\@.
We get around this difficulty by computing a
\emph{randomized normal form\/} instead\@.
The randomized normal form is based on the Schwartz-Zippel theorem
for testing polynomial identities\@.
%
\apar{1-9}
Combining these ideas with the ones from
Goldreich, Micali, and Wigderson~\cite{cj98-01-16},
we obtain perfect zero-knowledge interactive proofs for these
isomorphism problems\@.
%
\apar{1-10}
An extension of an isomorphism is a \emph{congruence},
where in addition to permuting variables, one can exchange a variable
with its negation\@.
Although we formulate our results only for isomorphism problems,
it can easily be checked that
all our theorems also hold for
the corresponding congruence problems\@.
\asection{2}{Preliminaries}
\asubsection{2.1}{Basic Definitions}
%
\apar{2.1-1}
We use fairly standard notions of complexity theory\@.
We refer the reader to~\cite{cj98-01-04,cj98-01-05,cj98-01-18} for definitions
of complexity classes such as P, NP, RP, or BPP\@.
The \(k^\mathrm{th}\) level of the polynomial hierarchy is denoted by \(\Sigma^p_k\)\@.
For any class \({\cal C}\),
we denote the complement class by \(\co\ {\cal C}\)\@.
%
\apar{2.1-2}
Class \(\BP\cdot\NP\)
is the class of sets~\(L\) such that there exist
a set \(A\in\NP\) and a polynomial~\(p\)
such that for every \(x\):
\begin{eqnarray*}
x \in L & \implies & \Prob{(x, y) \in A} ~=~ 1\\
x \not\in L & \implies & \Prob{(x, y) \in A} ~\leq~ {1 \over 2}
\end{eqnarray*}
where \(y\) is chosen uniformly at random from \(\Sigma^{p(|x|)}\)\@.
The obvious definition of \(\BP\cdot\NP\) would be with two-sided error,
but this is equivalent with the definition given here\@.
%
\apar{2.1-3}
Class \(\NP \cdot \co\RP\) is the class of sets~\(L\) such that there exist
a set \(A\in\co\RP\) and a polynomial~\(p\)
such that for every \(x\), we have:
\begin{eqnarray*}
x \in L & \iff & \exists y \in \Sigma^{p(|x|)}:~(x, y) \in A
\end{eqnarray*}
%
\apar{2.1-4}
Interactive proofs were defined in~\cite{cj98-01-15}\@.
An interactive proof system for a set \(L\)
consists of a prover~\(P\) and a verifier~\(V\)\@.
The verifier is a randomized polynomial-time algorithm
that can communicate with the prover\@.
The prover can make arbitrary computations\@.
After following some communication protocol,
the verifier finally has to accept or reject a given input,
such that:
\begin{eqnarray*}
x \in L & \implies & \exists\ \mbox{prover } P:~ \Prob{(V,P)(x) \mbox{ accepts}} ~=~ 1\\
x \not\in L & \implies & \forall\ \mbox{prover } P:~ \Prob{(V,P)(x) \mbox{ accepts}} ~\leq~{1 \over 2}
\end{eqnarray*}
where the probability is taken over the random choices
of the verifier\@.
%
\apar{2.1-5}
Class \(\IP\) is the class of sets that have an interactive proof system,
and \(\IP[k]\) is the subclass of \(\IP\) where
the verifier and the prover exchange at most \(k\) messages\@.
%
\apar{2.1-6}
Arthur-Merlin games were introduced in~\cite{cj98-01-03}\@.
They are defined similarly to interactive proofs, with
Arthur corresponding to the verifier and
Merlin to the prover\@.
The only difference is that Arthur has to make his random bits available to Merlin,
whereas in the interactive proof model,
the prover does not know the random bits of the verifier\@.
The notation \(\AM[k]\) denotes when \(k\) messages can be sent, and
\(\AM = \AM[2]\)\@.
%
\apar{2.1-7}
In this paper,
we are interested in constant-round interactive proof systems\@.
It is known that for both
interactive proof systems and Arthur-Merlin games,
constantly many rounds are the same as one round:
for any~\(k \geq 2\), \(\IP[k] = \AM[k] = \AM\)~\cite{cj98-01-03,cj98-01-17}\@.
Moreover,
it is known that
\(\AM = \BP \cdot \NP\)\@.
%
\apar{2.1-8}
An IP protocol for a set~\(L\) is a \emph{perfect zero-knowledge\/} protocol~\cite{cj98-01-15}
if it decides \(L\) correctly in the usual way and, in addition,
for any \(x \in L\),
the prover does not reveal any extra information to any verifier~\(V^*\)
besides the fact that \(x\) is in \(L\):
the messages exchanged with the prover appear random to \(V^*\)
(that is, these messages could have been produced by \(V^*\) himself)\@.
%
\apar{2.1-9}
\begin{alabsubtext}{Definition}{1}{}
\apar{Definition 1-1}
A prover \(P\) is perfectly zero knowledge on \(L\)
if, for any interactive machine \(V^*\) running in expected polynomial time,
there is a probabilistic machine \(M_{V^*}\) running in expected polynomial time
such that
for any \(x \in L\) and any string~\(H\), \(|H| \leq |x|^c\) for some \(c>0\),
and the communication between \(P\) and \(V^*\) on input \((x,H)\),
seen as a random variable, is identically distributed to the output of \(M_{V^*}\)
on the same input\@.
%
\apar{Definition 1-2}
Together, \(P\) and \(V\) form a perfect
zero-knowledge proof system for \(L\)
if the system is an interactive proof system for \(L\), and
if \(P\) is perfectly zero knowledge on \(L\)\@.
\end{alabsubtext}
%
\apar{2.1-10}
The string~\(H\) in the definition is needed if we wish to combine
two zero-knowledge protocols into one zero-knowledge protocol:
the history~\(H\) from the first protocol,
which is known to the verifier in the second protocol,
does not help the verifier\@.
For a more detailed discussion of this definition
and the need for expected polynomial time,
see~\cite{cj98-01-15,cj98-01-16}\@.
\asubsection{2.2}{Verifying Polynomial Identities}
%
\apar{2.2-1}
Let \(\F\) be some field, and \(p = p(x_1, \dots, x_n)\) be a multivariate
polynomial over \(\F\)\@.
The \emph{degree\/} of \(p\) is the maximum exponent of any variable
when \(p\) is written as a sum of monomials\@.
Polynomials of degree~\(1\) are called \emph{multilinear}\@.
Note the difference from the \emph{total degree} of a polynomial,
where one first adds the exponents of the variables in each monomial
and then takes the maximum over these sums\@.
%
\apar{2.2-2}
Given some polynomial~\(p\) written as an arithmetic expression,
we want to find out whether \(p\) is in fact the zero polynomial\@.
The obvious algorithm,
namely, to transform the arithmetic expression in a sum of monomials
and check whether all coefficients are zero,
can have up to exponential running time (in the size of the input)\@.
Efficient \emph{probabilistic\/} zero tests were developed by
Schwartz~\cite{cj98-01-22} and Zippel~\cite{cj98-01-24}\@.
The version below is a variant shown by Ibarra and Moran~\cite{cj98-01-19}\@.
They extended the corresponding theorem for multilinear polynomials
shown by Blum, Chandra, and Wegman~\cite{cj98-01-07} to arbitrary degrees\@.
We give a proof for completeness\@.
%
\begin{alabsubtext}{Theorem}{1}{\rm {\bf \cite{cj98-01-19,cj98-01-22,cj98-01-24}}}
Let \(p(x_1, \dots, x_n)\) be a multivariate polynomial of degree~\(d\) over field \(\F\)
that is not the zero polynomial\@.
Let \(T \subseteq \F\) with \(|T| \geq d\)\@.
Then there are at least \((|T|-d)^n\) points \((a_1, \dots, a_n) \in T^n\)
such that \(p(a_1, \dots, a_n) \not= 0\)\@.
\end{alabsubtext}
%
\begin{alabsubtext}{Proof of Theorem}{1}{}
\prooffontshape
The proof is by induction on~\(n\)\@.
For \(n = 1\) the theorem is true, because
a degree-\(d\) polynomial has at most \(d\) roots in \(\F\)\@.
%
\apar{2.2-3}
Let \(n>1\) and let \(p(x_1, \dots, x_n)\) be a nonzero polynomial of degree~\(d\)\@.
Furthermore, let \(\Vector{a} = (a_1, \dots, a_n)\) be a point
such that \(p(\Vector{a}) \not= 0\)\@.
We define two polynomials, both of which are subfunctions of \(p\):
\begin{eqnarray*}
p_0(x_1, \dots, x_{n-1}) &=& p(x_1, \dots, x_{n-1}, a_n)\\
p_1(x_n) &=& p(a_1, \dots, a_{n-1},x_n)
\end{eqnarray*}
By construction, both polynomials are nonzero
and have degree bounded by~\(d\):
\(p_0\) has \(n-1\) variables, and therefore differs from 0
on at least \((|T|-d)^{n-1}\) points in \(T^n\) (by the induction hypothesis)\@.
Similarly,
\(p_1\) has one variable, and therefore has at least \(|T|-d\) nonzero points\@.
%
\apar{2.2-4}
For each of the \(|T|-d\) choices for \(a_n\) where \(p_1\) is nonzero,
the corresponding polynomial~\(p_0\) has \((|T|-d)^{n-1}\)
nonzero points\@.
Therefore,
the number of nonzero points of \(p\) in \(T^n\) is at least
\((|T|-d)(|T|-d)^{n-1} = (|T|-d)^n\)\@.
{\nopagebreakbeginpar\markendlst{Proof of Theorem 1}}
\end{alabsubtext}
%
\apar{2.2-5}
We mention two important consequences of this theorem\@.
First of all, let \(T\) be any subset of \(\F\) that has at least \(d+1\) elements\@.
Then any nonzero polynomial of degree \(d\) has a nonzero point in \(T^n\)\@.
%
\begin{alabsubtext}{Corollary}{1}{}
Let \(p(x_1, \dots, x_n)\) be a polynomial of degree~\(d\) over \(\F\),
and \(T \subseteq \F\) with \(|T| > d\)\@.
Then \(p \not\equiv 0 \iff \exists \Vector{a} \in T^n~~p(\Vector{a}) \not= 0\)\@.
\end{alabsubtext}
%
\apar{2.2-6}
By enlarging \(T\) even further,
we can show that any nonzero polynomial \(p\) does not vanish
on most of the points of \(T^n\)\@.
This provides the tool for the probabilistic zero test\@.
%
\begin{alabsubtext}{Corollary}{2}{}
Let \(p(x_1, \dots, x_n)\) be a polynomial of degree~\(d\) over \(\F\),
and \(T \subseteq \F\) with \(|T| \geq 2nd\)\@.
Let \(\Vector{r} = (r_1, \dots, r_n)\) be a random element from \(T^n\)\@.
Then \(p(\Vector{r}) \not= 0\), with probability at least \(1/2\)\@.
\end{alabsubtext}
%
\begin{alabsubtext}{Proof of Corollary}{2}{}
\prooffontshape
\[
\Prob{p(\Vector{r}) \not= 0}
\geq \left({|T| - d \over |T|} \right)^n
\geq \left(1-{1 \over 2n}\right)^n
\geq {1 \over 2}
\]
{\nopagebreakbeginpar\markendlst{Proof of Corollary 2}}
\end{alabsubtext}
\asubsection{2.3}{Branching Programs}
%
\apar{2.3-1}
A \emph{branching program} \(B\) in \(n\) Boolean variables \(x_1, \dots, x_n\)
is a directed acyclic graph with the following types of nodes\@.
There is a single node of indegree zero, the \emph{initial node of\/} \(B\)\@.
All nodes have outdegree two or zero\@.
A node with outdegree two is an \emph{internal node of} \(B\)\@.
One of its edges is labeled with \(x_i\), the other with \(\overline{x}_i\),
for some \(i \in \{1, \dots, n\}\)\@.
A node with outdegree zero is a \emph{final node of} \(B\)\@.
The final nodes are labeled by either \emph{accept} or \emph{reject}\@.
%
\apar{2.3-2}
We call a branching program \emph{read-once}
if, on each path from the initial node to a final node,
every variable or its complement occurs at most once as an edge label\@.
%
\apar{2.3-3}
A read-once branching program is called \emph{ordered}
if the order of variable occurence on each path is consistent
with some ordering on the set of variables\@.
%
\apar{2.3-4}
Branching programs are also called \emph{binary decision diagrams} (BDD)
or \emph{Boolean graphs\/}\@.
Read-once branching programs
and ordered branching programs
are also called \emph{free binary decision diagrams} (FBDD) or \emph{free Boolean graphs}
and \emph{ordered binary decision diagrams} (OBDD), respectively\@.
%
\apar{2.3-5}
A branching program~\(B\) defines an
\(n\)-ary Boolean function from \(\{0,1\}^n\) to \(\{0,1\}\) as follows\@.
For an assignment \(\Vector{a} = (a_1, \dots, a_n) \in \{0,1\}^n\),
we walk through~\(B\), starting at the initial node, always following
the (unique) edge that evaluates to one under \(\Vector{a}\),
until we reach a final node\@.
If the final node is an accepting node, we define \(B(\Vector{a}) =1\),
and \(B(\Vector{a}) =0\) otherwise\@.
%
\apar{2.3-6}
Two branching programs \(B\) and \(B'\) in \(n\)~variables are equivalent,
\(B \equiv B'\) for short,
if they define the same Boolean function\@.
By \(\BPE\)
we denote the problem of deciding
whether two given branching programs are equivalent\@.
That is,
\[\BPE = \set{(B,B')}{B \equiv B'}\]
It is not hard to see that branching programs can compute
CNF Boolean formulas\@.
Therefore,
the satisfiability problem for branching programs is NP-complete;
hence \(\BPE\) is coNP-complete\@.
%
\apar{2.3-7}
Blum, Chandra, and Wegman~\cite{cj98-01-07} showed
that the equivalence problem for read-once branching programs, \(\oneBPE\),
is easier because one can transform these programs into equivalent
multilinear polynomials over the rational numbers, \(\Q\)\@.
To see this,
note first that a branching program~\(B\) can be viewed as a compact
way of denoting a DNF formula \(F_B\):
each path of ~\(B\) can be written as a monomial,
the conjunction of the literals occurring along that path\@.
Then, the function computed by~\(B\) is simply
the disjunction of all monomials coming from accepting paths of~\(B\)\@.
%
\apar{2.3-8}
We convert \(F_B\) into a polynomial~\(p_B\) over the rational numbers \(\Q\) as follows\@.
A variable \(x_i\) is kept as \(x_i\)\@.
A negated variable \(\overline{x}_i\) is replaced by \(1-x_i\)\@.
A conjunction is replaced by multiplication,
and a disjunction is replaced by addition\@.
For each satisfying assignment~\(\Vector{a} \in \{0,1\}^n\),
exactly one path of \(B\) evaluates to true under~\(\Vector{a}\)\@.
Therefore,
at most one product term in \(p_B\) will be one on input~\(\Vector{a}\);
hence, \(B\) and \(p_B\) agree on \(\{0,1\}^n\)\@. That is,
\[ B(\Vector{a}) = p_B(\Vector{a})~~\mbox{ for all } \Vector{a} \in \{0,1\}^n\]
It is easy to get an arithmetic expression for \(p_B\) from \(B\)
that has about the same size as \(B\)\@.
Note, however, that when
written as a sum of monomials,
\(p_B\) may consist of exponentially many terms in the size of \(B\)\@.
Therefore, in general, we cannot write down \(p_B\) in this normal form in polynomial time in \(|B|\)\@.
However,
with the expression at hand,
we can evaluate \(p_B\) at a given point in \(\Q^n\) in polynomial time,
and this suffices for our purposes\@.
To evaluate \(p_B\) at a point~\(\Vector{a} = (a_1, \dots, a_n)\),
we start by writing a 1 at the initial node\@.
Suppose now that a node has value~\(v\),
and its edges are labeled by variable \(x_i\)\@.
Then, values \(v a_i\) and \(v(1-a_i)\) are sent along
the \(x_i\)- and \(\overline{x}_i\)-edges, respectively\@.
When all incoming edges of a node \(u\) have sent values,
the value of \(u\) is the sum of all these incoming values\@.
Finally,
the value of \(p_B\) appears at the accepting node\@.
%
\apar{2.3-9}
Since \(B\) is read-once,
\(p_B\) is a multilinear polynomial\@.
Next let \(B'\) be another read-once branching program, and let \(p_{B'}\)
be the corresponding polynomial\@.
If \(B\) and~\(B'\) are equivalent,
then \(p_B\) and~\(p_{B'}\) agree on \(\{0,1\}^n\), a two-element set\@.
By Corollary~1 (applied to \(p = p_B - p_{B'}\)),
it follows that \(p_B\) and~\(p_{B'}\) agree on \(\Q\)\@.
Choosing \(T\) in Corollary~2 as \(T = \{1, \dots, 2n\}\),
we detect an inequivalence with probability more than \(1/2\)\@.
It follows that \(\oneBPE \in \co\RP\)\@.
%
\apar{2.3-10}
Fortune, Hopcroft, and Schmidt~\cite{cj98-01-13} have shown that if
one of two given read-once branching programs is even ordered,
then the equivalence can be decided in polynomial time\@.
In particular,
the equivalence problem for ordered branching programs
is solvable in polynomial time\@.
%
\apar{2.3-11}
Two branching programs~\(B\) and~\(B'\) are isomorphic,
denoted by \(B \iso B'\),
if there exists a permutation~\(\varphi\) on \(\{x_1, \dots, x_n\}\)
such that \(B\) becomes equivalent to \(B'\) when permuting the variables of \(B'\)
according to \(\varphi\)\@.
That is, \(B \equiv B' \circ \varphi\)\@.
In this case,
we call \(\varphi\) an \emph{isomorphism between \(B\) and~\(B'\)}\@.
%
\apar{2.3-12}
The isomorphism problem for branching programs is:
\begin{eqnarray*}
\BPI &=& \set{(B,B')}{B \iso B'}
\end{eqnarray*}
The isomorphism problem for read-once branching programs, \(\oneBPI\),
is defined analogously\@.
It follows directly from the definition that \(\BPI \in \Sigma_2^p\),
the second level of the polynomial hierarchy\@.
Agrawal and Thierauf~\cite{cj98-01-01} showed that \(\BPNI\)
is in \(\BP \cdot \Sigma_2^p\)\@.
By a result of Sch{\"o}ning~\cite{cj98-01-21},
it follows that \(\BPI\) cannot be complete for \(\Sigma_2^p\)
unless the polynomial hierarchy collapses to its third level, \(\Sigma_3^p\)\@.
%
\apar{2.3-13}
For read-once branching programs,
we have \(\oneBPI \in \NP \cdot \co\RP\)\@.
An obvious question is whether \(\oneBPI\) is NP-hard\@.
In this paper,
we show that the problem of deciding whether two read-once branching programs are not
isomorphic, \(\oneBPNI\),
is in \(\BP \cdot \NP\)\@.
Combined with the result of Boppana, H{\aa}stad, and Zachos~\cite{cj98-01-08}
(see also Sch{\"o}ning~\cite{cj98-01-21}),
it follows that \(\oneBPI\) cannot be \(\NP\)-hard
unless the polynomial hierarchy collapses to its second level, \(\Sigma_2^p\)\@.
%
\apar{2.3-14}
This result also covers the case of ordered branching programs\@.
Note, however, that in that case, the isomorphism problem is in NP\@.
\asubsection{2.4}{Arithmetic Circuits}
%
\apar{2.4-1}
An \emph{arithmetic circuit over a field\/}~\(\F\) is a circuit
where the inputs are field elements,
and the (fan-in two) gates perform the field operations \(+\), \(-\), and \(\times\)\@.
(We could also allow division, as long as a circuit
guarantees not to divide by zero on any input\@.)
Circuit size and depth are defined as usual\@.
%
\apar{2.4-2}
Ibarra and Moran~\cite{cj98-01-19} considered the equivalence problem for arithmetic circuits
(called straight-line programs there)\@.
They gave probabilistic polynomial-time algorithms for circuits over infinite fields\@.
This was split into two cases,
depending on whether the field had characteristic of 0 or greater than 0\@.
If the field \(\F\) had characteristic 0, it contained a subfield
isomorphic to \(\Q\), the rational numbers\@.
Therefore, it is enough to consider \(\F =\Q\)\@.
We show how a zero test can be done in this case\@.
%
\apar{2.4-3}
If a circuit~\(C\) has \(n\) input variables \(x_1, \dots, x_n\),
then \(C\) computes a multivariate polynomial~\(p_C\) over \(\Q\)\@.
If \(C\) has depth~\(d\), then \(p_C\) has degree at most \(2^d\)\@.
Therefore,
to obtain a zero test for~\(p_C\),
we have to choose \(T\) in Corollary~2 as \(T = \{1, \dots, 2n2^d\}\)
to detect a nonzero point with probability more than \(1/2\)
at a random point from \(T^n\)\@.
%
\apar{2.4-4}
However,
we do not have a polynomial-time procedure yet, because
the function values of \(p_C\) on \(T^n\) could be as large as \((2n2^d)^{n2^d} \leq 2^{N 2^N}\)
for \(N = n d\)\@.
Represented in binary, such numbers would be exponentially long\@.
Instead,
we evaluate \(p_C\) modulo smaller numbers,
namely from \(M=\{1, \dots, 2^{2N}\}\)\@.
(For a zero test, we can assume that all coefficients are integers,
so that the function values of \(p_C\) are integers too\@.)
Notice that \(p_C \pmod m\) might have more zeros than \(p_C\),
however, not too many:
%
\begin{alabsubtext}{Lemma}{1}{\cite{cj98-01-19}}
For any \(y \leq 2^{N 2^N}\) and a randomly chosen \(m \in M\),
we have \(y \not\equiv 0 \pmod m\) with probability at least \({1 \over 3N}\),
for large enough \(N\)\@.
\end{alabsubtext}
%
\begin{alabsubtext}{Proof of Lemma}{1}{}
\prooffontshape
Any \(y \leq 2^{N 2^N}\) has at most \(N 2^N\) prime divisors\@.
By the prime-number theorem, there are more than \({2^{2N} \over 2N}\)
primes in \(M\) for large enough \(N\)\@.
Therefore, \(M\) contains at least \({2^{2N} \over 2N} - N 2^N\)
primes that do not divide \(y\)\@.
Hence, for \(m\) randomly chosen from \(M\), we have:
\[\Prob{y \not\equiv 0 \pmod m}
\geq {{2^{2N} \over 2N} - N 2^N \over 2^{2N}}
= {1 \over 2N} - {N \over 2^{N}}
\geq {1 \over 3N}\]
{\nopagebreakbeginpar\markendlst{Proof of Lemma 1}}
\end{alabsubtext}
%
\apar{2.4-5}
The probabilistic zero test now works as follows\@.
%
\begin{alabsubtext}{Corollary}{3}{}
Let \(p(x_1, \dots, x_n)\) be a nonzero polynomial of degree~\(2^d\) over \(\Q\),
\(T = \{1, \dots, 2n2^d\}\), and \(M=\{1, \dots, 2^{2N}\}\), where \(N=nd\)\@.
Choose \(\Vector{r}_1, \dots, \Vector{r}_{6N}\) from \(T^n\)
and \(m_1, \dots, m_{6N}\) from \(M\), independently at random\@.
Then, \(p(\Vector{r}_i) \not\equiv 0 \pmod {m_i}\), for some \(i\),
with probability at least \(1/2\)\@.
\end{alabsubtext}
%
\begin{alabsubtext}{Proof of Corollary}{3}{}
\prooffontshape
By Corollary~2 and Lemma~1:
\[
\Prob{p(\Vector{r}_i) \not\equiv 0 \pmod {m_i}} \geq {1 \over 2} {1 \over 3N},
\mbox{ for any pair } \Vector{r}_i, m_i
\]
Therefore,
\[
\Prob{p(\Vector{r}_i) \equiv 0 \pmod {m_i} \mbox{ for all \(i\) }}
\leq \left(1-{1 \over 6N}\right)^{6N}
\leq {1 \over 2}
\]
{\nopagebreakbeginpar\markendlst{Proof of Corollary 3}}
\end{alabsubtext}
%
\apar{2.4-6}
We only sketch briefly the case of infinite fields with finite characteristic,
and refer the reader to~\cite{cj98-01-19} for a more detailed treatment\@.
Let \(\F\) be a field with characteristic~\(q\)
(which must, therefore, be a prime number)\@.
The trick is then to switch from \(\F\) to the ring of polynomials over \(\GF(q)\)\@.
This is certified by the the following lemma\@.
%
\begin{alabsubtext}{Lemma}{2}{\rm {\bf \cite{cj98-01-19}}}
Let \(p(x_1, \dots, x_n)\) be a polynomial\@.
\(p \equiv 0\) over \(\F\) if and only if \(p \equiv 0\) over \(\GF(q)[x]\)\@.
\end{alabsubtext}
%
\apar{2.4-7}
Since \(q\) is prime, \(\GF(q)\) is a field; therefore,
the ring \(\GF(q)[x]\) is a principal ideal domain,
that is, a ring with a one and no zero divisors such that every ideal is principal\@.
(In fact, \(\GF(q)[x]\) is what is sometimes called a \emph{Euclidean ring\/}\@.)
One can easily verify that this already suffices
in the assumption of Theorem~1 and its corollaries,
instead of having a field\@.
Hence,
we can apply the zero test for \(p\) over the polynomial ring \(\GF(q)[x]\)\@.
%
\apar{2.4-8}
However,
we can only deal with polynomials up to polynomial size in the input length\@.
In the case of \(\Q\), we did computations modulo small enough prime numbers\@.
Now we do computations modulo polynomials of small degree\@.
There is an analog of Lemma~1 bounding the
probability that \(p(a_1, \dots a_n) \not= 0\),
but \(p(a_1, \dots a_n) = 0 \pmod {r}\)
for a randomly chosen polynomial~\(r \in \GF(q)[x]\) of small degree
and \(a_i \in \GF(q)[x]\), for \(i = 1, \dots, n\)\@.
%
\apar{2.4-9}
Putting things together,
we get a zero test analogous to the one for polynomials over \(\Q\),
only the domain has changed to a polynomial ring instead of numbers\@.
%
\apar{2.4-10}
Clearly,
for any polynomial~\(p\) in \(\F[x_1, \dots, x_n]\)
given as an arithmetic expression,
one can construct an arithmetic circuit computing~\(p\)
that has about the same size as~\(p\)\@.
In particular,
it follows from the discussion in the preceding section
that one can transform a read-once branching program
into an equivalent arithmetic circuit of about the same size\@.
Though arithmetic circuits are the more general concept,
we prove our main result for read-once branching programs first,
and then explain how to extend it to solve the
isomorphism problem for arithmetic circuits\@.
\asection{3}{An Interactive Proof for 1-BPNI}
%
\apar{3-1}
We show that there is a two-round interactive proof for
the nonisomorphism problem for
read-once branching programs, \(\oneBPNI\)\@.
%
\apar{3-2}
We start by recalling the idea of the interactive proof for
the graph nonisomorphism problem, GNI~\cite{cj98-01-15} (see also \cite{cj98-01-20})\@.
There,
on input of two graphs \(G_0\) and \(G_1\),
the verifier randomly picks \(i \in \{0,1\}\)
and a permutation~\(\varphi\),
and sends \(H = \varphi(G_i)\) to the prover\@.
The prover is then asked to find out what the value of \(i\) is\@.
The verifier will accept only if the prover gives the right answer\@.
%
\apar{3-3}
When the input graphs are not isomorphic,
then the prover can identify~\(i\) easily\@.
However,
when the graphs are isomorphic,
both could have been used by the verifier to compute~\(H\),
so that no prover can identify~\(i\)\@.
For this reason, the answer of any prover is
correct with probability at most \(1/2\)\@.
%
\apar{3-4}
First of all, note that we cannot directly adapt this protocol
to branching programs\@.
The reason is that the syntactic structure
of two given isomorphic branching programs
might tell the prover which of two given branching programs
was selected by the verifier,
at least, if the verifier simply exchanges variables according to some permutation\@.
%
\apar{3-5}
A way out of this would be a normal form for read-once branching programs
that is easy to compute;
however,
such a normal form is not known\@.
At this point,
in the case of general branching programs,
Agrawal and Thierauf~\cite{cj98-01-01} used a result from learning theory
by Bshouty et al.~\cite{cj98-01-11}:
there is a randomized algorithm that uses an NP-oracle and
outputs branching programs equivalent to a given one\@.
The important point is that although
the algorithm might output (syntactically) different branching programs
depending on its random choices,
the output does not depend on the syntactic structure of its input\@.
However,
in our case,
the verifier does not have an NP-oracle available,
and there is no analog learning result
for read-once branching programs without an NP-oracle\@.
%
\apar{3-6}
The idea for getting around this problem is as follows\@.
On input of two given read-once branching programs \(B_0\) and \(B_1\)
with \(n\) variables,
the verifier randomly chooses one of them and permutes it
with a random permutation to obtain a branching program \(B\)\@.
Instead of trying to manipulate all of \(B\),
the verifier takes the arithmetization~\(p_B\) of \(B\) and
evaluates \(p_B\) at a randomly chosen point~\(\Vector{r} \in T^n\),
where \(T\) is some appropriate test domain\@.
The prover is then asked to tell which of \(B_0\), \(B_1\)
was used to obtain the point \((\Vector{r},p_B(\Vector{r}))\)\@.
If \(B_0\) and \(B_1\) are isomorphic,
then the prover cannot detect this, and must guess;
it will fail with probability \(1/2\)\@.
On the other hand,
if \(B_0\) and \(B_1\) are not isomorphic,
then the prover has a good chance of detecting
the origin of \((\Vector{r},p_B(\Vector{r}))\)\@.
This is because, by Corollary~2,
different multilinear polynomials
can agree on \(T\) on at most \(1/2\) of the points
for \(|T| \geq 2n\)\@.
That is,
the origin of \((\Vector{r},p_B(\Vector{r}))\) is unique with high probability\@.
With an additional round of communication,
the prover can always convince the verifier
of the nonisomorphism of \(B_0\) and \(B_1\)\@.
We give the details below\@.
%
\begin{alabsubtext}{Theorem}{2}{}
\(\oneBPNI \in \IP[4]\)\@.
\end{alabsubtext}
%
\begin{alabsubtext}{Proof of Theorem}{2}{}
\prooffontshape
We give a protocol for \(\oneBPNI\)\@.
The inputs are two read-once branching programs \(B_0\), \(B_1\),
both in \(n\) variables\@. Let \(T = \{1, \dots, 2n\}\)\@.
%
\begin{description}
\item[V1:]
The verifier randomly picks
\(i \in \{0,1\}\),
a permutation~\(\varphi\), and
\(\Vector{r}_1, \dots, \Vector{r}_k \in T^n\),
where \(k = \lceil n \log n \rceil +2\)\@.
Then it permutes the variables of \(B_i\)
according to \(\varphi\),
computes \(y_l = p_{B_i} \circ \varphi (\Vector{r}_l)\) for \(l = 1, \dots,k\),
and sends the set of pairs \(R = \set{(\Vector{r}_l,y_l)}{l = 1, \dots,k}\)
to the prover\@.
\item[P1:]
The prover sends
\(j \in \{0,1\}\) and
a permutation~\(\varphi'\) to the verifier\@.
\item[V2:]
If \(i=j\), then the verifier accepts\@.
If \(i \not= j\), the verifier
checks whether
\(p_{B_j} \circ \varphi'\) matches the set \(R\), that is, whether
\(p_{B_j} \circ \varphi' (\Vector{r}_l) = y_l\) for \(l = 1, \dots,k\)\@.
If the test fails, the verifier rejects;
otherwise, it sends \(\varphi\) to the prover\@.
\item[P2:]
The prover sends
a point \(\Vector{r}' \in T^n\) to the verifier\@.
\item[V3:]
Finally,
the verifier accepts if and only if
\(p_{B_i} \circ \varphi (\Vector{r}') \not= p_{B_j} \circ \varphi' (\Vector{r}')\)\@.
\end{description}
%
\apar{3-7}
We show that the above protocol works correctly\@.
%
\begin{alabsubtext}{Case}{1}{}
\(B_0 \not\iso B_1\): There is a prover such that the verifier always accepts
\end{alabsubtext}
%
The prover can cycle through all permutations
and check whether \(p_{B_0}\) or \(p_{B_1}\)
match with the set \(R\) sent by the verifier in step~V1\@.
Say that polynomial \(p_{B_0} \circ \varphi'\) matches\@.
The prover then sends \(j = 0\) and \(\varphi'\) to the verifier in step~P1\@.
%
\apar{3-8}
If no permutation of polynomial \(p_{B_1}\) matches \(R\) as well,
then \(i\) must have been \(0\), and therefore, the verifier
will accept in the first round\@.
%
\apar{3-9}
On the other hand,
if some permutation of polynomial \(p_{B_1}\) matches \(R\),
then the prover cannot tell which one was used by the verifier\@.
If the prover is lucky, \(i\) has been zero anyway, and the verifier accepts\@.
On the other hand, if \(i \not= j\),
then the verifier will send \(\varphi\) to the prover in step~V2,
because \(p_{B_j} \circ \varphi'\) matches \(R\)\@.
Since
\(p_{B_j} \circ \varphi'\not= p_{B_i} \circ \varphi\),
these polynomials can agree on at most \(1/2\) of the points of \(T^n\)
by Corollary~2\@.
Therefore,
the prover can find a point \(\Vector{r}' \in T^n\)
such that \(p_{B_j} \circ \varphi'(\Vector{r}') \not= p_{B_i} \circ \varphi(\Vector{r}')\),
and send it to the verifier in step~P2, which will accept in step~V3\@.
In summary, the verifier accepts with probability one\@.
%
\begin{alabsubtext}{Case}{2}{}
\(B_0 \iso B_1\): For any prover, the verifier accepts
with probability at most \(3/4\)
\end{alabsubtext}
%
By executing the protocol several times in parallel,
the acceptance probability can be made exponentially small\@.
%
\apar{3-10}
The prover will always find permutations of \(p_{B_0}\) \emph{and\/} \(p_{B_1}\)
that match the set~\(R\) sent by the verifier in step~V1\@.
Therefore,
with respect to the test \(i=j\) made by the verifier,
the best the prover can do is guess \(j\) randomly\@.
This will make the verifier accept with probability \(1/2\) in step~V2\@.
However,
the prover can improve its chances by the condition
checked in the second round by the verifier, i.e., by fixing
\(i\) and \(\varphi\) chosen by the verifier, say \(i=0\)\@.
Then there might exist a permutation \(\varphi'\)
such that \(p_{B_1} \circ \varphi'\) matches \(R\),
but \(p_{B_0} \circ \varphi \not= p_{B_1} \circ \varphi'\)\@.
Then the prover could choose a point~\(\Vector{r}'\) such that
\(p_{B_0} \circ \varphi(\Vector{r}') \not= p_{B_1} \circ \varphi'(\Vector{r}')\),
and make the verifier accept in step~V3 by sending
\(j=1\), \(\varphi'\), and \(\Vector{r}'\)\@.
We give an upper bound on the probability of this event\@.
%
\apar{3-11}
By Corollary~2,
for any \(\varphi'\) such that
\(p_{B_0} \circ \varphi \not= p_{B_1} \circ \varphi'\), we have:
\begin{eqnarray*}
\Prob{p_{B_0} \circ \varphi(\Vector{r}) = p_{B_1} \circ \varphi'(\Vector{r})}
&<& {1 \over 2}
\end{eqnarray*}
for a randomly chosen \(\Vector{r} \in T^n\)\@.
Because points \(\Vector{r}_1, \dots, \Vector{r}_k \in T^n\)
are chosen independently and uniformly
at random from \(T^n\),
we have:
\begin{eqnarray*}
\Prob{p_{B_1} \circ \varphi' \mbox{ matches } R} &<& 2^{-k}
\end{eqnarray*}
Therefore, considering all such \(\varphi'\),
we get that:
\begin{eqnarray*}
\Prob{\exists \varphi'~(p_{B_0} \circ \varphi \not= p_{B_1} \circ \varphi'
\mbox{ and } p_{B_1} \circ \varphi' \mbox{ matches } R}
&< & n!\ 2^{-k} ~\leq~ {1 \over 4}
\end{eqnarray*}
by our choice of \(k\)\@.
We conclude that the probability that any of the conditions tested
by the verifier is satisfied is bounded by \((1/2) + (1/4) = 3/4\)\@.
That is,
the verifier accepts with probability at most \(3/4\),
irrespective of the prover\@.
{\nopagebreakbeginpar\markendlst{Proof of Theorem 2}}
\end{alabsubtext}
%
\apar{3-12}
We can directly reduce to a one-round interactive proof
by choosing \(T\) large, for example \(T = \{1, \dots, 2nn!\}\)\@.
Then,
in case \(B_0 \not\iso B_1\),
the prover can always find a point \(\Vector{r}'\) (as above) without knowing \(\varphi\),
and hence can already send it in the first round to the verifier,
which can then make all its tests\@.
However,
another difficulty arises:
when \(T\) has exponential size, the values of the polynomials
might be up to double exponential,
in which case the polynomial time verifier can no longer deal with the numbers\@.
We will show in the next section how the verifier can still
manage its task\@.
%
\apar{3-13}
As mentioned in Section~2.1,
the class of sets that can be decided by a constant-round interactive proof system
coincides with the Arthur-Merlin class AM
which, in turn, is the same as \(\BP \cdot \NP\)~\cite{cj98-01-03,cj98-01-17}\@.
%
\begin{alabsubtext}{Corollary}{4}{}
\(\oneBPNI \in \BP\cdot \NP\)\@.
\end{alabsubtext}
%
\apar{3-14}
Sch{\"o}ning~\cite{cj98-01-20} gives a direct proof
that the graph isomorphism problem is in AM
(i.e., without using the relationship between IP and AM)
by using the Sipser hashing technique~\cite{cj98-01-23}\@.
We remark that
we can modify Sch{\"o}ning's proof based on our technique,
and also directly obtain Corollary~4\@.
%
\apar{3-15}
Note that both classes,
\(\BP\cdot \NP\) and \(\NP \cdot \co\RP\), can very loosely be considered
as some slight extensions of NP\@.
In this sense,
we have shown that \(\oneBPI\) is in a slight extension of \(\NP \cap \co\NP\)\@.
%
\begin{alabsubtext}{Corollary}{5}{}
\(\oneBPI \in \NP \cdot \co\RP ~\cap~ \BP\cdot \co\NP\)\@.
\end{alabsubtext}
%
\apar{3-16}
Boppana, H{\aa}stad, and Zachos~\cite{cj98-01-08}
(see also Sch{\"o}ning~\cite{cj98-01-21})
have shown that a \(\co\NP\)-complete set cannot be in \(\BP\cdot\NP\)
unless the polynomial hierarchy collapses to the second level,
in fact, even to \(\BP\cdot\NP\)\@.
Hence, we get the main result of this section\@.
%
\begin{alabsubtext}{Corollary}{6}{}
\(\oneBPI\) is not \(\NP\)-hard,
unless \(\PH = \Sigma^p_2\)\@.
\end{alabsubtext}
%
\apar{3-17}
Because ordered branching programs are a restricted form of
read-once branching programs, Corollary~6 can be applied\@.
The equivalence problem for ordered branching programs is in P~\cite{cj98-01-13}; therefore,
the isomorphism problem for ordered branching programs is in NP\@.
%
\begin{alabsubtext}{Corollary}{7}{}
The isomorphism problem for ordered branching programs is not \(\NP\)-complete
unless \(\PH = \Sigma^p_2\)\@.
\end{alabsubtext}
%
\apar{3-18}
Because computational models such as branching programs
work over inputs from \(\{0,1\}\), a set of size two,
Corollary~1 restricts our techniques
to multilinear polynomials\@.
However, if we start with polynomials of degree~\(d\) over \(\Q\)
for some constant~\(d > 0\),
then we can apply the above protocol for testing the
nonisomorphism of two such polynomials\@.
Just take the test domain \(T\) of size \(2dn\) for polynomials
with \(n\) variables\@.
For the representation of the polynomials it is enough that
we can evaluate them efficiently at any point\@.
Therefore,
the nonisomorphism problem for polynomials over \(\Q\) is in \(\BP \cdot \NP\)\@.
%
\begin{alabsubtext}{Corollary}{8}{}
The isomorphism problem for polynomials of degree~\(d\) over \(\Q\)
is not \(\NP\)-hard
unless \(\PH = \Sigma^p_2\)\@.
\end{alabsubtext}
%
\apar{3-19}
Our interactive proof system for \(\oneBPNI\) was motivated
by the one for \(\GNI\)\@.
However,
it is more general now, in the sense that it
can be used to solve \(\GNI\) as a special case\@.
Specifically,
one can assign a polynomial to a graph
such that nonisomorphic graphs are mapped to nonisomorphic polynomials: e.g.,
let \(G = (V,E)\) be a graph, where \(V = \{1, \dots, n\}\)\@.
We take one variable \(x_i\) for each node \(i \in V\)\@.
Define
\begin{eqnarray*}
e_i(x_1, \dots, x_n) &=& x_i^2 \prod_{(i,j) \in E} x_j, \mbox{ and}\\
p_G(x_1, \dots, x_n) &=& \sum_{i=1}^n e_i(x_1, \dots, x_n)
\end{eqnarray*}
%
\apar{3-20}
For graphs \(G_0, G_1\) we have that
\(G_0 \iso G_1 \iff p_{G_0} \iso p_{G_1}\)\@.
Therefore, we again obtain the result about \(\GI\)
from Corollary~8\@.
\asection{4}{Extension to Arithmetic Circuits}
%
\apar{4-1}
In this section,
we extend the above protocol for branching programs
to an interactive proof
to decide the nonisomorphism of two arithmetic circuits
over a large enough field, \(\F\)\@.
We start with \(\F = \Q\)
for an infinite field of characteristic 0\@.
%
\apar{4-2}
Let~\(C_0\), \(C_1\) be two arithmetic circuits with \(n\) inputs that are of depth~\(d\)\@.
We take the protocol from the previous section and modify it
according to Corollary~3\@.
Let \(T = \{1, \dots, 2n2^d\}\) and \(M=\{1, \dots, 2^{2N}\}\), where \(N=nd\)\@.
%
\begin{description}
\item[V1:]
The verifier starts by randomly choosing \(i \in \{0,1\}\) and a permutation~\(\varphi\)
as before,
and now \(6Nk\) points \(\Vector{r}_1, \dots, \Vector{r}_{6Nk} \in T^n\),
where \(k = \lceil n \log n \rceil +2\),
and for each point \(\Vector{r}_l\), a number \(m_l \in M\)\@.
Then the verifier
computes \(y_l = p_{C_i} \circ \varphi (\Vector{r}_l) \bmod {m_l}\), for \(l = 1, \dots,6Nk\),
and sends the set of triples \(R = \set{(\Vector{r}_l,y_l,m_l)}{l = 1, \dots,6Nk}\)
to the prover\@.
\item[P1:]
The prover sends
\(j \in \{0,1\}\) and
a permutation~\(\varphi'\) to the verifier\@.
\item[V2:]
If \(i=j\), then the verifier accepts\@.
If \(i \not= j\), the verifier
checks whether
\(p_{C_j} \circ \varphi'\) matches the set \(R\), that is, whether
\(y_l = p_{C_i} \circ \varphi' (\Vector{r}_l) \bmod {m_l}\), for \(l = 1, \dots,6Nk\)\@.
If the test fails, the verifier rejects;
otherwise, it sends \(\varphi\) to the prover\@.
\item[P2:]
The prover sends
a point \(\Vector{r}' \in T^n\) and \(m' \in M\) to the verifier\@.
\item[V3:]
Finally,
the verifier accepts if and only if
\(p_{C_i} \circ \varphi (\Vector{r}') \not\equiv p_{C_j} \circ \varphi' (\Vector{r}') \pmod{m'}\)\@.
\end{description}
%
\apar{4-3}
Combining the argument in the previous section with Corollary~3,
the verifier will accept two isomorphic arithmetic circuits
with probability at most \(3/4\)\@.
Note that the prover in step P2 must prove to the verifier that two numbers differ;
therefore, the computation modulo some number does not work in favor of the prover
in that case\@.
Two nonisomorphic arithmetic circuits
are still accepted with probability one\@.
%
\apar{4-4}
The case of infinite fields of characteristic greater than 0 is analogous\@.
As briefly explained in Section~2.4, the test domain
becomes the polynomial ring \(\GF(q)[x]\) when the field has characteristic~\(q\)\@.
Computations are done modulo randomly chosen polynomials of small degree,
and can therefore be done in polynomial time\@.
%
\apar{4-5}
\begin{alabsubtext}{Theorem}{3}{}
The nonisomorphism problem for arithmetic circuits over infinite fields
is in \(\BP \cdot \NP\)\@.
\end{alabsubtext}
%
\apar{4-6}
If the arithmetic circuits are over a finite field, say \(\GF(q)\),
where \(q\) is some prime power,
we run into the problem that there might not be enough elements
for our set~\(T\) to make the above protocol work\@.
Instead of \(\GF(q)\), we take the extension field
\(\GF(q^t)\), where \(t\) is the smallest integer such that \(q^t \geq 2n2^d\),
so that \(t = \lceil \log_q 2n2^d \rceil\)\@.
Then we can set \(T = \GF(q^t)\)\@.
By Corollary~1,
when \(q > 2^d\),
we have that two polynomials over \(\GF(q)\) are equivalent
if and only if they are equivalent over any extension field\@.
%
\apar{4-7}
The verifier must be able to evaluate a polynomial at a given point in
the extension field\@.
For this,
it needs an irreducible polynomial~\(\phi(x) \in \GF(q)[x]\)
of degree~\(t\)\@.
The verifier can cycle through all the \(q^{t+1} \leq 2n2^d q^2 < 2nq^3\)
polynomials in \(\GF(q)[x]\) of degree~\(t\), and check irreducibility
in polynomial time using the Berlekamp algorithm~(see \cite{cj98-01-06}, chapter 6),
and the verifier will find an irreducible polynomial \(\phi(x)\)
in polynomial time\@.
Then \(\GF(q^t)\) is isomorphic to \(\GF(q)[x]/\phi(x)\)\@.
Therefore,
knowing \(\phi(x)\), the verifier can do all computation needed
in polynomial time, and
the protocol can proceed as in the case of branching programs\@.
%
\begin{alabsubtext}{Theorem}{4}{}
The nonisomorphism problem for arithmetic circuits of depth~\(d\)
over a finite field of size more than \(2^d\)
is in \(\BP \cdot \NP\)\@.
\end{alabsubtext}
%
\apar{4-8}
The lower bound on the field size is crucial:
for small fields, the equivalence problem for arithmetic circuits
is coNP-complete~\cite{cj98-01-19}\@.
\asection{5}{Perfect Zero-Knowledge Interactive Proofs}
%
\apar{5-1}
Goldreich, Micali, and Wigderson~\cite{cj98-01-16} show that there are
perfect zero-knowledge interactive proofs for
the graph isomorphism problem, GI, and its complement, GNI\@.
Adapting their ideas,
we show the existence of a perfect zero-knowledge interactive proof
for the isomorphism of branching programs or arithmetic circuits\@.
Fortnow~\cite{cj98-01-14} and Aiello and H{\aa}stad~\cite{cj98-01-02} have shown that
any set that has a perfect zero-knowledge interactive proof is in \(\AM \cap \co\AM\)\@.
Thus it follows again from
the result in this section that \(\oneBPI \in \co\AM\)\@.
%
\begin{alabsubtext}{Theorem}{5}{}
There is a perfect zero-knowledge interactive proof system for \(\oneBPI\)\@.
\end{alabsubtext}
%
\begin{alabsubtext}{Proof of Theorem}{5}{}
\prooffontshape
\apar{Proof of Theorem 5-1}
The IP protocol described below accepts \(\oneBPI\)
and has the perfect zero-knowledge property\@.
The inputs are two read-once branching programs \(B_0\) and \(B_1\),
both over \(n\) variables\@.
Let \(T = \{1, \dots, 2n\}\)\@.
The following steps are repeated \(m\) times,
each time using independent random bits\@.
%
\begin{description}
\item[V1:]
The verifier randomly picks
points \(\Vector{r}_1, \dots, \Vector{r}_k \in T^n\),
where \(k = \lceil n \log n \rceil +2\),
and sends them to the prover\@.
\item[P1:]
The prover randomly chooses
a permutation~\(\varphi\)
and sends \(y_l = p_{B_0} \circ \varphi(\Vector{r}_l)\), for \(l = 1, \dots,k\),
to the verifier\@.
\item[V2:]
The verifier randomly picks
\(j \in \{0,1\}\) and sends it to the prover\@.
\item[P2:]
The prover sends a permutation~\(\pi\) to the verifier such that
\(p_{B_j} \circ \pi(\Vector{r}_l) = y_l\), for \(l = 1, \dots,k\)\@.
\item[V3:]
Finally,
the verifier accepts if and only if
this latter condition regarding~\(\pi\) in fact holds\@.
\end{description}
%
\apar{Proof of Theorem 5-2}
By arguments similar to those in Section~3,
the above protocol constitutes an interactive proof system for \(\oneBPI\):
if \(B_0 \iso B_1\) and the prover behaves as described in the protocol,
then the verifier will always accept\@.
If \(B_0 \not\iso B_1\),
then the verifier will accept with probability at most \(3/4\)
in each round,
no matter what the prover does,
and hence, with probability at most \((3/4)^m\)
after \(m\) rounds\@.
%
\apar{Proof of Theorem 5-3}
For the zero-knowledge property,
it is easy to see that the specific verifier in the protocol
gets no extra information\@.
The communication between \(P\) and \(V\) can be produced with equal distribution
by the following algorithm~\(M_V\):
randomly pick
\(j \in \{0,1\}\),
\(\Vector{r}_1, \dots, \Vector{r}_k \in T^n\),
and a permutation~\(\varphi\)
and output \(\Vector{r}_l\) and \(p_{B_j} \circ \varphi(\Vector{r}_l)\), for \(l = 1, \dots,k\),
and furthermore, \(j\) and \(\varphi\)\@.
%
\apar{Proof of Theorem 5-4}
By arguments similar to those in \cite{cj98-01-16},
one can show that \(P\) in fact conveys no knowledge
to any verifier, even verifiers that deviate from the above protocol\@.
We give a very short description so that a reader familiar with \cite{cj98-01-16}
can easily fill in the details\@.
%
\apar{Proof of Theorem 5-5}
Let \(V^*\) be an interactive machine\@.
We cannot simply define \(M_{V^*}\) the same way as for the specific verifier~\(V\) above,
because it has chosen \(j\) uniformly at random in step V2,
and therefore \(M_V\) could do the same thing\@.
However,
in general, \(V^*\) can make its choice of \(j\) dependent on the points
\(((\Vector{r}_1,y_1), \dots, (\Vector{r}_k,y_k))\) that it gets from the prover
after the first round\@.
On the other hand,
by only knowing \(j\) in advance, \(M_V\) could produce an isomorphism~\(\varphi\)
as above\@.
%
\apar{Proof of Theorem 5-6}
The way \(M_{V^*}\) works is as follows\@.
The \(M_{V^*}\) algorithm starts by simulating \(V^*\) to produce the points \(\Vector{r}_1, \dots, \Vector{r}_k \in T^n\)\@.
Then \(M_{V^*}\) randomly picks
\(j \in \{0,1\}\), and a permutation~\(\varphi\)\@.
This is similar to \(M_V\) above,
except that \(j\) is now considered only as a candidate for the value
that will actually be produced by \(V^*\)\@.
Next, \(M_{V^*}\) simulates \(V^*\) when \(V^*\)
gets the points \((\Vector{r}_1,y_1), \dots, (\Vector{r}_k,y_k)\) from the prover,
thereby obtaining the value \(j_{V^*}\) that \(V^*\) will send to the prover
after the first round\@.
Then,
in case that \(j = j_{V^*}\),
\(M_{V^*}\) is ``lucky,'' and can make the same output as \(M_V\) above, namely,
\(\Vector{r}_l\) and \(p_{B_j} \circ \varphi(\Vector{r}_l)\), for \(l = 1, \dots,k\),
and \(j\) and \(\varphi\)\@.
If \(j \not= j_{V^*}\),
then \(\varphi\) is the wrong permutation, and \(M_{V^*}\) cannot make a legal output\@.
Instead,
\(M_{V^*}\) repeats this whole process until it gets lucky, i.e., until \(j = j_{V^*}\),
and then makes an output\@.
%
\apar{Proof of Theorem 5-7}
The probability that \(M_{V^*}\) is lucky is \(1/2\)\@.
Therefore we expect \(M_{V^*}\) to repeat this process twice;
hence, \(M_{V^*}\) runs in expected polynomial time\@.
%
\apar{Proof of Theorem 5-8}
Finally,
the output distribution of \(M_{V^*}\) is identical
to that of the conversation of \(P\) and \(V^*\)\@.
Intuitively this is clear, because roughly speaking,
\(M_{V^*}\) simply waits until it can do the same trick
as \(M_V\) from above\@.
Therefore,
the output of \(M_{V^*}\) might be delayed,
but has the same distribution\@.
There are some subtleties that one must take care of,
but a formal argument can then easily be adapted from \cite{cj98-01-16}\@.
Note also that in fact \(M_{V^*}\) must produce the conversation
of several rounds of the protocol\@.
{\nopagebreakbeginpar\markendlst{Proof of Theorem 5}}
\end{alabsubtext}
%
\apar{5-2}
Clearly, Theorem~5 extends
to the isomorphism problem for arithmetic circuits\@.
%
\apar{5-3}
The interactive proof for \(\oneBPNI\) presented in Section~3
might not be zero knowledge, because in the first step
the verifier can present points to the prover that are obtained
in a different way than by random guesses,
and the answers from the prover later on might give some
extra information to the verifier\@.
For the graph-nonisomorphism problem \(\GNI\),
this problem is solved by
letting the verifier ``prove to the prover''
that it has a permutation in hand that was used to produce the
graph sent to the prover~\cite{cj98-01-16}\@.
However,
there are some problems in adapting this method to \(\oneBPNI\)
that arise from the way we describe polynomials in the interactive proofs,
namely, as a set of points\@.
We leave it as an open problem to show
that \(\oneBPNI\) has a zero-knowledge interactive proof\@.
\asection{Acknowledgments}{}
%
We thank Manindra Agrawal for many enjoyable discussions\@.
In particular,
the observation that the isomorphism problem for polynomials
is more general than the one for graphs (see end of Section~3)
is due to him\@.
Thanks also go to
Bernd Borchert, Lance Fortnow, and Uwe Sch{\"o}ning
for very helpful comments\@.
%
\end{articletext}
%
\bibliography{thierauf}
\bibliographystyle{alpha}
%
\end{document}