On the Ring Isomorphism & Automorphism Problems

Neeraj Kayal, Nitin Saxena ∗ National University of Singapore, Singapore and IIT Kanpur, India {kayaln, nitinsa}@cse.iitk.ac.in

Abstract We will restrict our attention to finite rings with unity. We assume that the rings are given in terms of the basis of We study the complexity of the isomorphism and auto- their additive group and the multiplication table of basis el- morphism problems for finite rings with unity. ements. Given two rings in this form, the ring isomorphism We show that both integer factorization and graph iso- problem is to test if the rings are isomorphic. We show that morphism reduce to the problem of counting automor- this problem is in NP ∩ coAM and is at least as hard as the phisms of rings. The problem is shown to be in the complex- graph isomorphism problem. Thus, ring isomorphism is a ity class AM ∩ coAM and hence is not NP-complete unless natural algebraic problem whose complexity status is simi- the polynomial hierarchy collapses. Integer factorization lar to that of graph isomorphism. The search version of the also reduces to the problem of finding nontrivial automor- isomorphism problem is to find an isomorphism between phism of a ring and to the problem of finding isomorphism two given rings. We show that integer factoring reduces to between two rings. the search version of the problem. We also show that deciding whether a given ring has a non-trivial automorphism can be done in deterministic Another variant of the problem is to count the number polynomial time. of isomorphisms between two rings. We show that both integer factorization and graph isomorphism reduce to this problem. We also show that this problem is equivalent to that of counting the number of automorphisms in a ring and 1 Introduction lies in the class FPAM∩coAM. This implies that the problem is not NP-hard unless the polynomial hierarchy collapses to ΣP [Sch88]. A ring consists of a set of elements together with addi- 2 tion and multiplication operations. These structures are fun- damental objects of study in mathematics and particularly The ring automorphism problem is to test if a ring has so in algebra and number theory. It has long been recog- a non-trivial automorphism. We prove that this problem is nized that the group of automorphisms of a ring provides in P. This is in contrast to the corresponding problem for valuable information about the structure of the ring. Ga- graphs whose status is still open. On the other hand we lois initiated the study of the group of automorphisms of a show that the problem of finding a nontrivial automorphism field and it was later applied by Abel to prove the celebrated of a given ring is equivalent to integer factoring. This im- theorem that there does not exist any formula for finding plies that the search version of the problem is likely to be the roots of a quintic (degree 5) polynomial. However, to strictly harder than the decision version. the best of our knowledge, the computational complexity of the ring isomorphism and automorphism related problems The most general problem here is to compute the auto- has not been investigated thus far. In this paper, we initiate morphism group of a given ring, in terms of a small set of such a study and show interesting connections to some well generators. It is easy to see that all the above problems re- known problems. duce to it. Also, the proof of upper bound on counting au-

∗ tomorphisms can be adapted to exhibit an AM protocol for This work was done while the authors were visiting Princeton Univer- sity, Princeton, NJ, USA in 2003-04. Also partially supported by research it implying that this problem too is not NP-hard unless PH P funding from Infosys Technologies Limited, Bangalore. = Σ2 . 2 Representation of finite rings Remark. This theorem can be used to check in polyno- mial time whether for two rings, given in basis form, the The complexity of the problems involving finite rings de- additive groups are isomorphic or not. Suppose the two Z ⊕ ··· ⊕ Z  pends on the representation used to specify the ring. We will additive groups are G := d1 dn and G :=  Z
⊕···⊕Z
use the following natural representation of a ring: d1 dn . We can take gcd of disanddjs and keep factoring them till we stop getting nontrivial factors. At this Definition 2.1. Basis representation of rings: AringR point G will be isomorphic to G if and only if the multi-sets is given by first describing its additive group in terms of n  {di}i and {di}i are equal. generators and then specifying multiplication by giving for each pair of generators, their product as an element of the Proposition 2.5. GivenaringR in terms of generators, additive group. all having prime-power additive orders, we can compute k the number of automorphisms of the additive group of R, (R, +,.):=(d ,d ,d , ··· ,dn), ((a )) ≤i,j,k≤n 1 2 3 ij 1 #Aut(R, +), in polynomial time. k where, for all 1 ≤ i, j, k ≤ n, 0 ≤ a up to permuta- ∼ Z ⊕ Z ⊕···⊕Z ture (R, +) = d1 d1 dn . Moreover multi- tions) decomposed into indecomposable rings R1,...,Rs plication in R is specified by specifying the product of each such that pair of generators as an integer linear combination of the R = R1 ⊗ ...⊗ Rs. ≤ ≤ · n k generators: for 1 i, j n, ei ej = k=1 aij ek. Remark. It follows immediately from the proof Definition 2.2. Representation of maps on rings: Sup- ([McD74]) of above proposition that for a commutative ring pose R is a ring given in terms of its additive generators 1 R its decomposition can be found in polynomial time given e ,...,en and ring R given in terms of f ,...,fn.Inthis 1 2 1 oracles to integer and polynomial factorizations. Observe paper maps on rings would invariably be homomorphisms that any commutative ring R with characteristic n can be on the additive group. Then to specify any map φ : R → 1 expressed as: R2, it is enough to give the images φ(e1),...,φ(en).So we represent φ by an n × n matrix of integers A, such that ∼ R = Zn[x1,...,xm]/(f1(x),...,fl(x)) for all 1 ≤ i ≤ n: n and so if we can factor n into its prime factors and mul- φ(ei)= Aij fj tivariate polynomials fis into irreducible factors (modulo j=1 prime powers) then we can effectively factor ring R into its indecomposable components. and for all 1 ≤ i, j ≤ n, 0 ≤ Aij < additive order of fj. Algebraic structures mostly break into simpler objects. Let us also define the multiplication operation on ideals In the case of rings we get the following simpler rings. which will be useful in the last section. Definition 2.3. Indecomposable or Local ring: AringR Definition 2.7. Let I, J be two ideals of a ring R.We is said to be indecomposable or local if there do not exist define their product as ∼ rings R ,R such that R = R ⊗ R ,where⊗ denotes 1 2 1 2 I·J { | ∈I ∈J} the natural composition of two rings with component wise := ring generated by the elements ij i ,j addition and multiplication. It, for positive integer t, is defined similarly. We collect some of the known results about rings. Their It is easy to see that I·J is again an ideal of R. proofs can be found in algebra texts, e.g. [McD74]. Finally, we define the ring isomorphism and related Proposition 2.4. [Structure theorem for abelian groups] If problems that we are going to explore. R is a finite ring then its additive group (R, +) can be uniquely (up to permutations) expressed as: • The ring isomorphism problem is to check whether two given rings are isomorphic. The corresponding lan- ∼ Z α (R, +) = pi i guage we define as i

RI := {(R1,R2) | rings R1,R2 are given in the where pi’s are primes (not necessarily distinct) and αi ∈ ≥ ∼ } Z 1. basis representation and R1 = R2 .   • #RI is defined as the functional problem of computing R → R iff ∀iφisomorphically maps Ri to Ri. Thus, wlog the number of isomorphisms between two rings given we can assume that the additive basis of the rings R and R in basis form. is given in the form: • #RA is defined as the functional problem of comput- Zdα1 ⊕ ...⊕ Zdαn where 1 ≤ α1 ≤ ...≤ αn ing the number of automorphisms of a given ring. Its decision version can be viewed as the language Now in this case φ is an isomorphism from R → R iff it satisfies the following conditions: cRA := {(R, k) | R is a ring in basis form • ∈ Z∗ × s.t. #Aut(R) ≥ k} . det(A) d,whereA is the n n integer matrix describing the map φ : R → R. • RA is defined as the problem of determining whether • for all 1 ≤ i ≤ n, additive order of ei is the same as a given ring has a nontrivial ring automorphism.The that of φ(ei). corresponding language is: • ≤ ≤ · n k for all 1 i, j n, φ(ei) φ(ej )= k=1 aij φ(ek), { | k RA := R R is a ring in basis form s.t. where ((aij ))n2×n is the same matrix as given in the #Aut(R) > 1} . description of R. All these three conditions can be checked in polyno- 3 The Complexity of RI mial time. The first two conditions above imply that φ is an isomorphism on the additive structure of the two rings, ∼  In this section we prove upper and lower bounds on the i.e. (R, +) = (R , +). The third condition ensures that φ complexity of Ring Isomorphism problem. Specifically, we preserves the multiplicative structure too, i.e. for all i, j; ∩ show that RI is in NP coAM and the Graph Isomorphism φ(eiej)=φ(ei)φ(ej). problem reduces to RI. Theorem 3.1. RI ∈ NP ∩ coAM. The AM protocol for ring non-isomorphism is similar to that for graph non-isomorphism. Proof. We start with the easier part, Claim 3.1.2. RI ∈ coAM Claim 3.1.1. RI ∈ NP. Proof of Claim 3.1.2. Arthur has two rings R1,R2 in basis Proof of Claim 3.1.1. Suppose we are given two rings R forms and he wants a proof of their non-isomorphism from  →  ∼ and R together with a map φ : R R .Let Merlin. Arthur checks whether (R1, +) = (R2, +) (see re- mark of prop. 2.4), if not then Arthur already has a proof of Z ⊕ ⊕ Z (R, +) = m1 e1 ... mn en non-isomorphism. Now Merlin can provide the descriptions of (R1, +), (R2, +) in the form: Here we can assume that (m1,...,mn)= α α α α α α 11 12 21 22 t1 t2 n (d1 ,d1 ,...,d2 ,d2 ,...,dt ,dt ,...) where d1,...,dt are mutually coprime. For otherwise ∃i = j s.t. (R , +) = Z αi ei and 1 pi gcd(mi,mj)=:g>1 and can be used to break mi or mj i=1 into coprime factors a, b ∈ Z>1, hence, breaking (R, +) n ≥1 (R , +) = Z αi fi, where pi’s are primes and αi ∈ Z . further by applying: 2 pi i=1 ∼ (Zabek, +) = Za(bek) ⊕ Zb(aek) Let us also define a set related to the ring R1: k ∼  2 |∃ ∈ If (R, +) = (R , +) we can apply this process to get basis C(R1):= ((aij ))n ×n,Aφ π Aut(R1, +) s.t.  ≤ ≤ · n k representations of both the rings R and R over for all 1 i, j n, π(ei) π(ej)= k=1 aij π(ek); k αk for all 1 ≤ i, j, k ≤ n, 0 ≤ aij

P   Theorem 3.2. GI ≤m RI. 2 c10 +(2c10c11)v1 + ...+(2c10c1n)vn+  Proof. The proof involves constructing a commutative lo- (linear combination of ais)=0 cal ring that captures the “connectivity” of a given graph.    We associate variables to each vertex (v-variable) and pair As 1,vis and ajs form an additive basis of R(G ), we con- of vertices (a-variable). The characteristic of a variable en- clude: codes whether the variable corresponds to a vertex or an 2 3 c =2c c = ...=2c c n =0(mod p ) edge or a non-edge of the graph. The product of two vertex- 10 10 11 10 1 variables is defined to be an a-variable while the other prod- 3 Since p is an odd prime, if c10 =0( mod p ) then ucts are defined to be zero. 2 p|c10,c11,...,c1n. But then by equation (1), p φ(v1)=0 Given a graph G withnvertices, m edges. Choose an n which is a contradiction to the fact that φ is an isomorphism. { } 3 odd prime p and let l := 2 .Let ak k be a set of l vari- Thus, c =0(mod p ). Now at least one of the c i’s has ∈{ | ≤ ≤ } 10 1 ables indexed by k (i, j) 1 idimension n and 2 2 by the fact that φ(vi) = φ(vj ) =0(similar to eqn. 2) we there is an integer matrix A, ∀i, j Aij ≤ bij , that defines deduce: 0=φ(vi)φ(vj )=φ(vivj) which forces i = j. an isomorphism}. Hence, π is a permutation on [n]. Theorem 3.4. RI is NP-complete. We are now almost done, we just have to show that π is boundedIso →  indeed an isomorphism from G G . Proof. Clearly, RIboundedIso is in NP by claim 3.1.1. ∈ 2 2 Suppose e =(i, j) E(G). Thus, (using eqn. 3) Suppose we are given R1 := Zn[x]/(x − a ),R2 := 2 Zn[x]/(x − 1),β∈ Z and we want to find out whether   · φ(ae)=φ(vivj)=(ciπ(i)cjπ(j))vπ(i)vπ(j) + p (linear there is an isomorphism φ(x)=bx s.t. b ≤ β.Nowasin 2 2  the proof of theorem 3.3, b ≡ a (mod n). Thus, the ques- combination of a s). k tion at hand is equivalent to asking whether the quadratic 2 2 Since, p · φ(ae)=0and ciπ(i)cjπ(j) is a unit we get: equation (in y): y ≡ a (mod n) has a solution y ≤ β,and this is an NP-complete problem by [MA76]. ·   p vπ(i)vπ(j) =0   4 The Complexity of #RA Whence we conclude that vπ(i)vπ(j) is of additive order p implying, by the definition of R(G),that(π(i),π(j)) ∈ E(G). This section will explore the complexity of the problem By symmetry this shows that π is an isomorphism from of counting ring automorphisms. We will show that this G → G. problem is unlikely to be NP-hard but both graph isomor- phism and integer factoring reduce to it. There is also a connection between #RI and #RA. The theorem follows from the claim. We will show that given a ring R there is an AM protocol Another interesting variant of RI is its search version- in which Merlin sends a number l and convinces Arthur that FRI -finding an isomorphism given two rings. FRI is un- #Aut(R)=l. The ideas in the proof are basically from likelytobeNP hard as it reduces to computing the auto- [BS84]. morphism group of a ring which we observe later to be in ∩ Theorem 4.1. #RA ∈ FPAM coAM. 1 second level of low hierarchy. It turns out that solving FRI would mean solving integer factoring (IF). Proof. Let R be a ring given in its basis form. We will first ZPP show how Merlin can convince Arthur that #Aut(R) ≥ k. Theorem 3.3. IF ≤T FRI. Claim 4.1.1. cRA ∈ AM. Proof. Suppose n is an odd number to be factored. Pick a ∗ random a ∈ Zn and suppose we can find an isomorphism Proof of Claim 4.1.1. Merlin can give Sylow subgroups 2 2 2 φ : Zn[x]/(x −a ) → Zn[x]/(x −1).Letφ(x)=bx+c, Sp1 ,...,Spm of Aut(R), in terms of generators, to Arthur ∗  | | ··· | |≥ b should be in Zn otherwise there is a b =0( mod n) such such that Sp1 . . Spm k and p1,...,pm are distinct that bb =0(mod n) implying φ(bx − bc)=0which primes. Arthur now has to verify whether for a given Sy- t contradicts that φ is an isomorphism. Further, low subgroup Sp, |Sp| = p or not. So Merlin can further provide the composition series of Sp: a2 = φ(x)2 =(bx + c)2 (mod n, x2 − 1) Sp = Gt >Gt− >...>G >G = {id}. ⇒ 2bc =0(mod n) and b2 + c2 − a2 =0(mod n) 1 1 0 ⇒ c =0(mod n) and b2 = a2(mod n) Suppose, for the sake of induction, that Arthur is convinced i i+1 about |Gi| = p . Thentoprove|Gi+1| = p , Merlin 1 If n is composite then with probability at least 2 , b = will provide xi+1 ∈ Gi+1 to Arthur with the claim that ±a(mod n). Thus, we can factor n in expected polynomial ∈ p ∈ xi+1 Gi but xi+1 Gi. Finally, the only nontrivial thing time. left for Arthur to verify is whether xi+1 ∈ Gi, which can be verified by a standard AM protocol as there is a gap in the A related problem to RI, however, is hard. Suppose size of the set X := (group generated by xi+1 and Gi): we are given two rings R1,R2 and we want to find an isomorphism φ : R → R such that the corresponding i+1 1 2 xi+1 ∈ Gi ⇒ #X = p matrix A, which transforms the basis of (R1, +) to that of i xi+1 ∈ Gi ⇒ #X = p (R2, +), has elements smaller than a given size bound. It turns out that this problem is NP-complete. 1FP refers to functional problems that can be solved in polynomial time. To avoid too many rounds, Merlin first provides x0 = Proof. Suppose we are given a ring R. Clearly we can com- id, x1,...,xt ∈ Aut(R) with the proof of: for all 1 ≤ pute #Aut(R) by giving (R, R) as input to the oracle of p i ≤ t, xi ∈ Gi−1 := (group generated by x0,...,xi−1) #RI. to Arthur and then provides the proof of: for all 1 ≤ i ≤ Conversely, let R1,R2 be the two rings given in basis t, xi ∈ Gi−1 in one go for Arthur to verify. form. Let us assume the following about their decompos- ability into distinct local rings S1,...,Sk: ∼ ⊗ ⊗ ⊗ ⊗ ⊗ ⊗ Now we give the AM protocol that convinces Arthur of R1 = S1 ... S1 ... Sk ... Sk #Aut(R) ≤ k. where, for all 1 ≤ i ≤ k, indecomposable ring Si occurs ai ≥ 0 times and #Aut(Si)=mi. Claim 4.1.2. cRA ∈ coAM. ∼ Proof of Claim 4.1.2. Arthur has a ring R and he wants R2 = S1 ⊗ ...⊗ S1 ⊗ ...⊗ Sk ⊗ ...⊗ Sk a proof of #Aut(R) ≤ k. As in the proof of claim 3.1.2, where, for all 1 ≤ i ≤ k, indecomposable ring Si occurs we can assume that R is given in terms of generators hav- bi ≥ 0 times. ing prime-power additive orders. For concreteness let us The following claim relates the (non)isomorphism of assume: n the rings to counting ring automorphisms: (R, +) = Zpαi ei i ∼ i=1 Claim 4.2.1. R1 = R2 ⇒ #Aut(R1 ⊗ R1) · #Aut(R2 ⊗ ⊗ 2 Merlin sends Arthur a number l ≤ k as a candidate value R2) > (#Aut(R1 R2)) . for #Aut(R) and also provides some Sylow subgroups, the Proof of Claim 4.2.1. Due to the uniqueness of decompo- product of their sizes being equal to l, with the AM-proofs sition of a ring into indecomposable rings: for their sizes (as used in claim 4.1.1). Let k 2 |∃ ∈ ⊗ ⊗ ··· X := ((aij ))n×n π Aut(R, +) s.t #Aut(R1 R2)=#Aut(S1 ...a1 + b1 times) · n k ≤ ≤ π(ei) π(ej)= k=1 aij π(ek); for all 1 i, j, k n, #Aut(Sk ⊗ ...ak + bk times) k αk 0 ≤ aij l ⇒ #Aut(R) ≥ 2l ⇒ #X ≤ 2 2 1 1 2l #Aut(Sk ⊗ ...2bk times) 2b1 ··· 2bk =(2b1)!m1 (2bk)!mk 2ai+2bi 2ai+2bi cRA Notice that ≥ which implies (2ai)! · The claims above show that #RA ∈ FP ⊆ ai+bi 2ai ∩ 2 FPAM coAM. (2bi)! ≥ (ai + bi)! . This clearly shows:

2 #Aut(R1 ⊗ R1) · #Aut(R2 ⊗ R2) ≥ (#Aut(R1 ⊗ R2)) Remark. It is easy to see that the same protocol as above ∼ ∈ works for the problem of computing the automorphism Now since R1 = R2, there exists an i0 [k] such that · 2 group of a ring (in terms of the generators of Sylow sub- ai0 = bi0 in which case (2ai0 )! (2bi0 )! (ai0 + bi0 )! . groups). Thus, this problem too cannot be NP-hard. Thus,

2 In the case of graphs it is easy to show that graph isomor- #Aut(R1 ⊗ R1) · #Aut(R2 ⊗ R2) > (#Aut(R1 ⊗ R2)) . phism (or counting graph isomorphisms) reduces to count- ing graph automorphisms. The same result continues to hold for rings with a slightly more involved proof. P Lemma 4.2. #RI ≡T #RA. As a corollary of this we get: P Theorem 4.3. Graph Isomorphism ≤T #RA. Claim 5.1.2. If R is an indecomposable rigid commutative ∼ odd-sized ring then ∃ prime p and m ∈ N such that, R = Proof. Immediate from theorem 3.2 & lemma 4.2. Zpm .

Another interesting open problem that reduces to #RA Proof of Claim 5.1.2. It is known (e.g. see [McD74]) is integer factorization- IF. that any indecomposable commutative ring R contains an ZPP associated Galois ring G such that: Theorem 4.4. IF ≤T #RA. G = Zpm [x]/(f(x)) where square-free f(x) is irreducible Proof. Let n be the odd integer to be factored. Consider the over Zp and, n1 nk ring R = G[x1,...,xk]/(x1 ,...,xk ,g1,...,gl) 2 R := Zn[x]/(x ) where gi’s are polynomials in (x1,...,xk). ∗ We will show that #Aut(R)=φ(n):=|Zn|.Thetheorem Now if additionally R is rigid then G has to be Zpm oth- is then immediate as n can be factored in expected polyno- erwise G would have a nontrivial automorphism2 and hence mialtimeifwearegivenφ(n), see [Mil76]. R would have a nontrivial automorphism. Suppose ψ ∈ Aut(R) and let ψ(x)=ax + b,forsome Let M := (ring generated by p, x1,...,xk) be the a, b ∈ Zn.Sinceψ is an automorphism; a, b should satisfy unique maximal ideal of R and let t>0 be the least in- the following two conditions: t teger such that M =0.Ift =1then R = Zp, thus, (ax + b)2 =0in R ⇒ ab = b2 =0(mod n), and assume that t>1. We can assume wlog that x1 does not occur as a linear term with unit coefficient in any of the re- ∗ a ∈ Zn. lations g1,...,gl (if it does we can eliminate x1 by repeated substitutions). Now choose α ∈Mt−1 \{0, −x } and it is ∈ Z∗ 1 These two conditions force b =0and any a n will easy to see that the map |Z∗ | work. Thus, #Aut(R)= n = φ(n).   → x1 x1 + α  5 The Complexity of RA x2 → x2 φ :  .  . This section studies the problem of checking whether a  given ring is rigid (i.e. has no nontrivial automorphism) and xk → xk if not then finding a nontrivial automorphism. We will show that RA can be decided in deterministic induces a nontrivial automorphism of R. This contradiction polynomial time but finding a nontrivial automorphism is as implies that there can be no variable in R and therefore R = Z m hard as integer factoring. p . Mt−1\{ − } Theorem 5.1. RA ∈ P. Remark. If R was even sized then 0, x1 could 2 be empty as in the case of R := Z2[x]/(x ),whereM = Proof. Let R be a ring given in basis form. Let us first {0,x}. dispose off the case when R is non-commutative. Claim 5.1.1. If R is a non-commutative ring then it has a nontrivial automorphism. As a consequence of the above observations we have that Proof of Claim 5.1.1. It can be shown ([Len04]) that if the any  rigid commutative odd-sized ring R looks like: units in a ring R commute with the whole of R then R =< i j Z αij where, pi’s are distinct odd primes and pi R∗ >, and consequently R will be commutative. Thus, if R is a non-commutative ring then there is a unit r ∈ R that 1 ≤ αi1 <αi2 <.... (4) doesn’t commute with the whole of R. Then clearly the map φ : x → rxr−1 gives a nontrivial automorphism of R. Our algorithm for RA will test whether a given ring R is of the form (4) or not. As in the proof of claim 3.1.1, we can assume wlog that When R is commutative we first consider the case of odd the input ring R is given as sized R. We intend to give a classification of rigid commu- (R, +) = Zdα1 e ⊕ ...⊕ Zdαn en tative rings. We will show that indecomposable components 1 of a rigid commutative odd-sized ring R are isomorphic to 2If m =1then the map sending x → xp is an automorphism of G, Zpm , for some odd prime p: for larger m this automorphism can be lifted using Hensel lifting. We can also assume that αi’s are distinct (say, 1 ≤ α1 < It follows from the above claim that a commutative α2 <...<αn)otherwiseR would not be rigid as it would power-of-2 sized ring is rigid iff it is isomorphic to one of not be of the form (4). the following: Now we sketch an algorithm to check whether R is iso- Z α ⊗ ⊗ Z α morphic to: 2 1 ... 2 n or

Zdα1 ⊗ ...⊗ Zdαn (5) 2 Z2[x]/(x ) ⊗ Z2α1 ⊗ ...⊗ Z2αn

Z α 1) Compute f(x):= minpoly of e1 over d n . This can where, 1 ≤ α1 <α2 <...<αn. i be found out by checking whether e1 can be written as Since we can factor polynomials over Z2m we can com- i−1 a linear combination of 1,e1,...,e1 which amounts pute the decomposition of R into indecomposable rings (see α to doing linear algebra (mod d n ). remark of prop. 2.6) and check whether they are of the 2 forms: Z2m , Z2[x]/(x ) or not. Hence, we can check the ∼ Z α ⊗ ⊗ Z α 2) If R = d 1 ... d n then say e1 =(β1,...,βn) rigidity of even sized rings too in polynomial time. α1 where βi ∈ Zdαi . Also, since e1 has characteristic d and α1 α2,...,αn we can deduce: β1 is coprime to d and d|β2,...,βn. On the other hand the search version of this problem i.e. finding a nontrivial ring automorphism (FRA)isashardas These observations mean that n integer factoring (IF). { Z α } f(x)=lcmi=1 minpoly of βi over d i ≡ − l ∈ Z≥0 ZPP (x β1)x (mod d), for some l Theorem 5.2. IF ≡T FRA. or else R is not of the form (5). So we have a Proof. Let us first see how we can find a nontrivial ring non-repeating root β1(mod d) of f(x)(mod d) and we automorphism if we can do integer factoring. Suppose the can use Hensel lifting (see [LN86]) to find a root of given ring R is non-commutative then we know from the α1 f(x)(mod d ), which gives β1. proof of claim 5.1.1: there is a unit of R that does not com- mute with the whole of R and thus defines a nontrivial au- − − − 3) Consider e1 β1 =(0,β2 β1,...,βn β1).Note tomorphism. So we compute the multiplicative generators − − that β2 β1,...,βn β1 are all coprime to d.So of R∗ in randomized polynomial time and surely one of the { ∈ | − } if we compute R1 := γ R (e1 β1)γ =0 then generators will not commute with the whole of ring R. ∼ Z α R1 = d 1 or else R is not of the form (5). Now assume the given ring R is commutative. It can be decomposed into local rings, as remarked in proposition 4) Let eˆ ∈ R be the unity of R . Compute R⊥ := 1 1 1 2.6, in expected polynomial time using randomized meth- {γ ∈ R | eˆ γ =0}. Check that R = R ⊗ R⊥ oth- 1 1 1 ods for polynomial factorization and oracle of integer fac- erwise R is not of the form (5). torization. Once we have local rings we can output nontriv- ⊥ ∼ ial automorphisms like φ in the proof of claim 5.1.2. 5) Recursively check whether R = Zdα2 ⊗ ...⊗ Zdαn 1 Conversely, suppose we can find nontrivial automor- or not. phisms of rings and n is a given number. Let us assume for Let us now take up the case of even sized commutative simplicity that input n is a product of two distinct primes ∈ Z ring. It is sufficient to consider a ring R whose size is a p, q. Randomly choose a cubic f(x) [x].Define Z power of 2. We will show that R is rigid only if the inde- R := pq[x]/(f(x)) and suppose we can find a nontriv- composable rings that appear in the decomposition of R are ial automorphism φ of R. It follows from the distribution of 2 irreducible polynomials over finite fields that with probabil- isomorphic to either Z m or Z [x]/(x ). 2 2 ∼ 1 ity 9 : f(mod q) is irreducible and f(mod p) has exactly Claim 5.1.3. If R is an indecomposable rigid commutative two irreducible factors f1,f2,sayf1 is linear. Thus, 2 power-of-2 sized ring then R is either Z2m or Z2[x]/(x ). ∼ R = Zp ⊗ Zp[x]/(f2(x)) ⊗ Zq[x]/(f(x)).

Proof of Claim 5.1.3. Let M be the unique maximal ideal φ Note that we can compute R , the set of elements of R fixed of R and t be the least integer such that Mt =0.Asinthe by φ, using linear algebra (if at any point we cannot invert proof of claim 5.1.2, the rigidity of R implies that n1 nk an element (mod n), we get a factor of n). Let us now see Z m R = 2 [x1,...,xk]/(x1 ,...,xk ,g1,...,gl) what Rφ can be given that Rφ = R. where gi’s are polynomials in (x1,...,xk). t−1 also, either R is Z2m or R is univariate and M = 1) If φ fixes Zp[x]/(f2(x)): 2 φ ∼ φ {0, −x1}. In the latter case M = {0, −x1} and M =0, Then R = Zp ⊗ Zp[x]/(f2(x)) ⊗ Zq. Thus, |R | = Z 2 3 which implies that R = 2[x1]/(x1). p q. 2) If φ fixes Zq[x]/(f(x)): Acknowledgment φ ∼ φ Then R = Zp ⊗ Zp ⊗ Zq[x]/(f(x)). Thus, |R | = 2 3 p q . We would like to thank Manindra Agrawal, Hendrik Lenstra and Shien Jin Ong for many useful discussions. We 3) If φ moves both Zp[x]/(f2(x)) and Zq[x]/(f(x)): φ ∼ φ 2 especially thank Manindra Agrawal for lots of suggestions Then R = Zp ⊗ Zp ⊗ Zq. Thus, |R | = p q. that made the paper readable. We thank Hendrik Lenstra Since, the size of Rφ is in no case of the form n, n2 or n3, for pointing out that RA ∈ P even for noncommutative fi- the process of finding Rφ by doing linear algebra (mod n) nite rings. is going to yield a factor of n. In particular, this means that if the matrix describing φ over the natural additive basis References {1,x,x2} is:   100 [AT04] V. Arvind and Jacobo Toran. Solvable group iso-   morphism is (almost) in NP ∩coNP . Proc. 19th A := a0 a1 a2 IEEE Conference on Computational Complexity, b0 b1 b2 2004. then the determinant of one of the submatrices of (A − I) [BS84] L. Babai and E. Szemeredi. On the complexity of will have a nontrivial gcd with n. matrix group problems. Proc. 25th IEEE Foun- This idea can be extended to the case of composite n dations of Computer Science, 1984, 229-240. having more prime factors. Thus, the two problems: finding nontrivial automor- [GW02] O. Goldreich and A. Wigderson. Derandomiza- phisms of commutative rings and integer factoring have the tion That Is Rarely Wrong from Short Advice That same complexity. Is Typically Good. Proceedings of the 6th Interna- tional Workshop on Randomization and Approx- 6 Open Problems imation Techniques, 2002, 209-223. [Len04] Hendrik Lenstra, Jr. Private communication. Let us recap what we know about the various ring iso- 2004. morphism related problems. The solid arrows in Figure 1 indicate a polynomial time reduction (randomized reduc- [LN86] R. Lidl and H. Niederreiter. Introduction to finite C tion indicated by RP). A dotted arrow from to Σ2 means fields and their applications. Cambridge Univer- C C that Σ2 =Σ2, thus indicating that probably is not NP sity Press, 1986. hard. ComRA denotes the problem of computing the group of automorphisms of a ring (in terms of generators) together [MA76] K. Manders and L. Adleman. NP-complete de- with its size. cision problems for quadratic polynomials. Pro- We would like to ask the following questions: ceedings of the 8th ACM Symposium on Theory of Computing, 1976, 23-29. • We have seen two well-known problems of intermedi- ate complexity reduce to #RA. Can one reduce some [Mil76] G. L. Miller. Riemann’s hypothesis and tests for other such problem, e.g., DiscreteLog? primality. Journal of Computer and System Sci- ence, 13, 1976, 300-317. • The ring problems differ from the graph ones in their (in)ability to efficiently “fix” part of the automor- [McD74] Bernard R. McDonald. Finite Rings with Iden- phisms. This property allows one to prove the equiv- tity. Marcel Dekker, Inc., 1974. alence between computing automorphism groups, counting automorphisms, finding isomorphisms, and [Sch88] U. Schoning. Graph isomorphism is in the low testing isomorphisms in the case of graphs. For rings, hierarchy. Journal of Computer and System Sci- we cannot prove such equivalence. Does there exist ence, 37, 1988, 312-323. some way of doing such “fixing” for rings which will allow us to prove similar equivalences? Appendix • Is #RA ∈ BQP ? Theorem Given a ring R in terms of additive generators, • Consider the ring isomorphism problem over rationals: all having prime-power additive orders, we can compute the RIQ. It is not even clear if this problem is decidable. #Aut(R, +) in polynomial time.   ∼ l Z αij Proof. Let (R, +) be given as = i=1 j pi ,where One can also consider a different, exponentially larger, pi’s are distinct primes and αij ≥ 1.For1 ≤ i ≤ l define representation for rings: when the rings are given in terms subrings Ri of R as: of the addition and multiplication tables of all its elements. We do not know if the ring isomorphism problem under this { ∈ | } Ri := r R r has power-of-pi additive order representation can be solved in time polynomial in the size of the representation. However, the problem is likely to be Observe that l in NP ∩ coNP. ∼ R = Ri Let us give this problem a name: i=1 RITF := {(R1,R2) | R1,R2 are given in terms of tables, this is because if ri ∈ Ri and rj ∈ Rj (i = j) then for c ∼ ≥0 ci j R = R } some ci,cj ∈ Z ,pi rirj = pj rirj =0which implies 1 2 that rirj =0(since pi,pj are coprime) and by a similar It is easy to see that RITF ∈ NP. The nontrivial part is to argument r ,...,rl are linearly independent. 1 show: This decomposition of R gives us: l Theorem There exists an NP-machine that decides all but log8 n #Aut(R, +) = #Aut(Ri, +) 2 instances of RITF of length n. i=1 Proof. The proof is basically one given in [AT04] applied Thus, it suffices to show how to compute #Aut(R, +) n to the case of rings. ∼ Z α 5 when (R, +) is given as = i=1 p i where p is a prime We showed in claim 3.1.2 that RITF ∈ AM(log n), ≥1 and αi ∈ Z . where the parameter bounds the number of random bits used Suppose we are given R in terms of the following addi- by Arthur. Notice that the number of binary strings that tive basis: define a ring of size at most n, in basis form, is no more 3 than 2log n. ∴ by probability amplification: the random bits (R, +) = Z β1 e ⊕ ...⊕ Z β1 e n ⊕ ... p 11 p 1 1 used in the AM protocol would work for all input strings of ⊕ Z ⊕ ⊕ Z β 8 ... pβm em1 ... p m emnm size n if we use log n many random bits. Since we are using only a ”small” number of random bits we can apply where, n + ...+ nm = n and 1 ≤ β <...βm. 1 1 techniques of [GW02] to get an NP-machine that fails for Observe that φ ∈ Aut(R, +) iff the matrix A describing 8 at most 2log n inputs of size n. the map φ is invertible (mod p) and preserves the additive orders of eij ’s. Our intention is to count the number of all such matrices A. To do that let us see how A looks:   B11 B12 ... B1m    B21 B22 ... B2m  A =  . . .   ......  Bm1 Bm2 ... Bmm n×n where the block matrices Bij ’s are integer matrices of size ni ×nj. The properties of these block matrices which make A describe an automorphism of (R, +) are:

• for 1 ≤ j

• for 1 ≤ i