Circuit Complexity, Proof Complexity, and Polynomial Identity Testing: The Ideal Proof System Circuit Complexity, Proof Complexity, and PIT: The Ideal Proof System

Algebraic Circuit Complexity. The most natural way to compute a polynomial function $f(x_1,\ldots,x_n)$ is with a sequence of instructions $g_1,\ldots,g_m = f$, starting from the inputs $x_1,\ldots, x_n$, and where each instruction $g_i$ is of the form $g_j \circ g_k$ for some $j,k \lt i$, where $\circ$ is either a linear combination or multiplication. Such computations are called algebraic circuits or straight-line programs. The goal of algebraic complexity is to understand the optimal asymptotic complexity of computing a given polynomial family $(f_n(x_1,\ldots,x_{\operatorname{poly}(n)}))_{n=1}^{\infty }$, typically in terms of size (=number of instructions) and depth (the depth of the natural directed acyclic graph associated to the instruction sequence of a straight-line program) of algebraic circuits. In addition to the intrinsic interest in these questions, since Valiant's work [102–104] algebraic complexity has become more and more important for Boolean computational complexity. Valiant argued that understanding algebraic complexity could give new intuitions that may lead to better understanding of other models of computation (see also [108]); several direct connections have been found between algebraic and Boolean complexity [23, 48, 50, 74]; and the Geometric Complexity Theory Program (see, e.g., the overview [76] and references therein) suggests how algebraic techniques might be used to resolve major Boolean complexity conjectures.

Two central functions in this area are the determinant and permanent polynomials, which are fundamental both because of their prominent role in many areas of mathematics and because they are complete for various natural complexity classes. In particular, the permanent of $\lbrace 0,1\rbrace$-matrices is $\mathsf {\# P}$-complete, and the permanent of arbitrary matrices is $\mathsf {VNP}$-complete in odd characteristic. Valiant's Permanent versus Determinant Conjecture [102] states that the permanent of an $n \times n$ matrix, as a polynomial in $n^2$ variables, cannot be written efficiently as the determinant of any polynomially larger matrix all of whose entries are variables or constants. In some ways this is an algebraic analog of $\mathsf {P} \ne \mathsf {NP}$, although it is in fact much closer to $\mathsf {FNC}^2 \ne \mathsf {\# P}$. In addition to this analogy, the Permanent versus Determinant Conjecture is also known to be a formal consequence of the nonuniform lower bound $\mathsf {NP} \not\subseteq \mathsf {P/poly}$ [23] and is thus thought to be an important step towards showing $\mathsf {P} \ne \mathsf {NP}$.

Unlike in Boolean circuit complexity, (slightly) non-trivial lower bounds for the size of algebraic circuits are known [9, 97]. Their methods, however, only give lower bounds up to $\Omega (n\log n)$. Moreover, their methods are based on a degree analysis of certain algebraic varieties and do not give lower bounds for polynomials of constant degree. Recent work [2, 55, 99] has shown that polynomial-size algebraic circuits computing functions of polynomial degree can in fact be computed by sub-exponential-size depth 4 algebraic circuits. Thus, strong-enough lower bounds for depth 4 algebraic circuits for the permanent would already prove $\mathsf {VP} \ne \mathsf {VNP}$.

Effective Nullstellensatzë. A special case of Hilbert's famous Nullstellensatz says that over a field , a set of polynomials $F_1(x_1,\ldots, x_n)$, $\ldots\,$, $F_m(x_1,\ldots, x_n)$ of degree at most $d$ has no common zero over the algebraic closure if and only if the ideal they generate contains 1 or, equivalently, if there exists polynomials $G_i$ such that $\sum G_i F_i = 1$. Doubly exponential upper bounds on the degree of the $G_i F_i$ were shown as early as 1983 [68], of the form $d^{O(2^n)}$. These were later improved to singly exponential bounds of the form $O(d^n)$ [20] (in characteristic zero) and subsequently improved to bounds that hold over an arbitrarily algebraically closed field, have tighter dependence on the degrees of each $F_i$, and are essentially tight [56]. Since then, more refined geometric information than merely degree bounds has been obtained by a number of authors [21, 30, 49, 57, 96]. For a good overview of this work, see the introduction of Ein and Lazarsfeld [30] and references therein.

In this article, we raise the question of extending Effective Nullstellensatzë from degree bounds to bounds on the algebraic circuit complexity of Nullstellensatz certificates. (This question was perhaps implicit in Pitassi [81, 82], and a syntactically more complicated variant of this question was raised in Grigoriev-Hirsch [35].) It has long been known [42]—although perhaps not well known—that bounds on algebraic circuit complexity can have geometric consequences; indeed, this is one of the philosophical underpinnings of the current Geometric Complexity Theory Program towards resolving questions like $\mathsf {P}$ versus $\mathsf {NP}$ (see, e.g., References [36, 64, 75–78] and references therein). Here, we show that the algebraic circuit complexity of the Nullstellensatz has deep connections to Boolean proof complexity, and we use ideas motivated by this question to forge new bridges between proof complexity and computational complexity.

Proof Complexity. Despite considerable progress obtaining super-polynomial lower bounds for many weak proof systems (resolution [40], cutting planes [17], and bounded-depth Frege systems [58]), there has been essentially no progress in the last 25 years for stronger proof systems such as Extended Frege systems or Frege systems. More surprisingly, no nontrivial lower bounds are known for the seemingly weak $\mathsf {AC}^0[p]$-Frege system. In contrast, the analogous result in circuit complexity—proving super-polynomial $\mathsf {AC}^0[p]$ lower bounds for an explicit function—was resolved by Razborov and Smolensky over 25 years ago [86, 94]. To date, there has been no satisfactory explanation for this state of affairs.

In proof complexity, there are no known formal barriers such as relativization [8], Razborov–Rudich-natural proofs [87], or algebrization [1] that exist in Boolean function complexity. Moreover, there has not even been progress by way of conditional lower bounds. That is, trivially $\mathsf {NP} \ne \mathsf {coNP}$ implies superpolynomial lower bounds for $\mathsf {AC}^0[p]$-Frege, but we know of no weaker complexity assumption that implies such lower bounds. The only formal implication in this direction shows that certain circuit lower bounds imply lower bounds for proof systems that admit feasible interpolation, but unfortunately only weak proof systems (not Frege nor even $\mathsf {AC}^0$-Frege) have this property, under standard complexity-theoretic assumptions [18, 19]. In the converse direction, there are essentially no implications at all. For example, we do not know if $\mathsf {AC}^0[p]$-Frege lower bounds—nor even Frege nor Extended Frege lower bounds—imply any nontrivial circuit lower bounds.

In this article, we define a simple and natural proof system that we call the Ideal Proof System (IPS) based on Hilbert's Nullstellensatz. Our system is similar in spirit to related algebraic proof systems that have been studied previously but is different in a crucial way that we explain below.

Given a set of polynomials $F_1,\ldots ,F_m$ in $n$ variables $x_1,\ldots ,x_n$ over a field without a common zero over the algebraic closure of , Hilbert's Nullstellensatz says that there exist polynomials such that $\sum F_i G_i =1$, i.e., that 1 is in the ideal generated by the $F_i$. In the Ideal Proof System, we introduce new variables $y_i$ that serve as placeholders into which the original polynomials $F_i$ will eventually be substituted:

For any class $\mathcal {C}$ of polynomial families, we may speak of $\mathcal {C}$-$\text{IPS}$ proofs of a family of systems of equations $(\mathcal {F}_n)$, where $\mathcal {F}_n$ is $F_{n,1}(\vec{x}) = \cdots = F_{n,\operatorname{poly}(n)}(\vec{x}) = 0$. When we refer to $\text{IPS}$ without further qualification, we mean $\text{IPS}$ certificates whose proofs are computed by circuits of polynomial size (with no a priori bound on the degree), unless specified otherwise.¹

The Ideal Proof System is easily shown to be sound, and (without any size bounds) its completeness follows from the Nullstellensatz.

We note that although the Nullstellensatz says that if $F_1(\vec{x}) = \cdots = F_m(\vec{x}) = 0$ is unsatisfiable, then there always exists a certificate that is linear in the $y_i$—that is, of the form $\sum y_i G_i(\vec{x})$—our definition of $\text{IPS}$ certificate does not enforce $\vec{y}$-linearity. The definition of $\text{IPS}$ certificate allows certificates with $\vec{y}$-monomials of higher degree, and it is conceivable that one could achieve a savings in size by considering such certificates rather than only considering $\vec{y}$-linear ones. (Subsequent to this work it was shown [34] that, for general IPS, super-polynomial savings are not possible; but the result does not rule out a savings for $\mathcal {C}$-$\text{IPS}$ proofs for various restricted classes $\mathcal {C}$; see Section 8.2 below for details.) As the linear form is closer to the original way Hilbert expressed the Nullstellensatz (see, e.g., the translation [44]), we refer to certificates of the form $\sum y_i G_i(\vec{x})$ as Hilbert-like $\text{IPS}$ certificates.

We typically consider $\text{IPS}$ as a propositional proof system by translating a CNF tautology $\varphi$ into a system of equations as follows. We translate a clause $\kappa$ of $\varphi$ into a single algebraic equation $F(\vec{x})$ as follows: $x \mapsto 1-x$, $x \vee y \mapsto xy$. This translation has the property that a $\lbrace 0,1\rbrace$ assignment satisfies $\kappa$ if and only if it satisfies the equation $F = 0$. Let $\kappa _1,\ldots, \kappa _m$ denote all the clauses of $\varphi$, and let $F_i$ be the corresponding polynomials. Then the system of equations we consider is $F_1(\vec{x}) = \cdots = F_m(\vec{x}) = x_1^2 - x_1 = \cdots = x_n^2 - x_n = 0$. The latter equations force any solution to this system of equations to be $\lbrace 0,1\rbrace$-valued. Despite our indexing here, when we speak of the system of equations corresponding to a tautology, we always assume that the $x_i^2 - x_i$ are among the equations, unless explicitly stated otherwise (and, indeed, there are a few situations where we do not need the equations $x_i^2 - x_i$).

Like previously defined algebraic systems [14, 27, 81, 82], proofs in our system can be checked in randomized polynomial time. The key difference between our system and previously studied ones is that those systems are axiomatic in the sense that they require that every sub-computation (derived polynomial) be in the ideal generated by the original polynomial equations $F_i$ and thus be a sound consequence of the equations $F_1=\cdots =F_m=0$. In contrast our system has no such requirement: An $\text{IPS}$ proof can compute potentially “unsound” sub-computations (whose vanishing does not follow from $F_1=\cdots =F_m=0$), as long as the final polynomial is in the ideal generated by the equations. This key difference allows $\text{IPS}$ proofs to be ordinary algebraic circuits, and thus nearly all results in algebraic circuit complexity apply directly to the Ideal Proof System. To quote the tagline of a common US food chain, the Ideal Proof System is a “No rules, just right” proof system.

Our first main theorem shows one of the advantages of this close connection with algebraic circuits. To the best of our knowledge, this is the first implication showing that a proof complexity lower bound implies any sort of computational complexity lower bound.

The preceding theorem is perhaps somewhat unsurprising—though not completely immediate—given the definition of $\text{IPS}$, because of the close connection between the definition of $\text{IPS}$ proofs and algebraic circuits. However, the following result is significantly more surprising—showing a relation between a standard rule-based algebraic proof system and algebraic circuit lower bounds—and we believe we would not have come to this result had we not first considered the rule-less Ideal Proof System.

Corollary 1.3 follows from the proof of Theorem 1.2 together with one of our simulation results (Proposition 3.4).

Under a reasonable assumption on polynomial identity testing, which we discuss further below, we are able to show that Extended Frege is equivalent to the Ideal Proof System. Polynomial Identity Testing (PIT) is the problem of deciding whether a given algebraic circuit computes the identically zero polynomial or not; unless otherwise stated, we take PIT to allow arbitrary circuits as input, with no restriction on their degree. Even without degree restriction, the standard randomized algorithm places PIT into $\mathsf {coRP}$ by working over an extension field of polynomial degree if needed [29, 89, 109]. Extended Frege (EF) is the strongest natural deduction-style propositional proof system that has been proposed and is the proof complexity analog of $\mathsf {P/poly}$ (that is, Extended Frege = $\mathsf {P/poly}$-Frege).

In light of Theorem 1.4, a promising direction for proving EF lower bounds is to try to prove lower bounds for IPS instead. Since this suggestion seems counter to the usual philosophy of trying to prove lower bounds on the next-hardest proof system, and proving IPS lower bounds may be much harder, this suggestion deserves a little discussion. First, by considering $\mathcal {C}$-IPS for restricted circuit classes $\mathcal {C}$, we recover some of the usual philosophy of trying to prove lower bounds on incrementally harder proof systems first rather than jumping straight to (full) IPS lower bounds.

Second, and more importantly, IPS gives a new way of thinking about propositional proof systems and creates the possibility of harnessing tools from algebra, representation theory, and algebraic circuit complexity. Indeed, tools from algebraic circuit complexity have already been used to prove lower bounds for some restricted IPS systems [34] , and in Section 6 we give one suggestion of how to apply tools from algebraic geometry to obtain IPS lower bounds.

Although PIT has long been a central problem of study in computational complexity—both because of its importance in many algorithms, as well as its strong connection to circuit lower bounds—our theorems highlight the importance of PIT in proof complexity. Next we prove that Theorem 1.4 can be scaled down to obtain similar results for weaker Frege systems and discuss some of its more striking consequences.

Theorem 1.6 also highlights the importance of our PIT axioms for getting $\mathsf {AC}^0[p]$-Frege lower bounds, which has been an open question for nearly 30 years. (For even weaker systems, Theorem 1.6 in combination with known results yields an unconditional lower bound on $\mathsf {AC}^0$-Frege proofs of the PIT axioms.) In particular, we are in the following win-win scenario:

Finally, in Section 6 we show what obstacles must be overcome in any attempt to extend proof techniques from lower bounds on ($\mathcal {C}$-)algebraic circuits to lower bounds on ($\mathcal {C}$-)IPS proofs—which may also apply to Extended Frege via Theorem 1.4. We then use the algebraic structure of $\text{IPS}$ to suggest a new approach to proving lower bounds that we feel has promise. In particular, the set of all $\text{IPS}$-certificates for a given unsatisfiable system of equations is, in a certain precise sense, “finitely generated.” We suggest how one might take advantage of this finite generation to transfer techniques from algebraic circuit complexity to prove lower bounds on $\text{IPS}$, and, consequently, on Extended Frege (since $\text{IPS}$ p-simulates Extended Frege unconditionally), giving hope for the long-sought length-of-proof lower bounds on an algebraic proof system. We hope to pursue this approach in future work.

Other proof systems. We will see in Section 3.3 that many previously studied proof systems can be p-simulated by $\text{IPS}$ and, furthermore, can be viewed simply as different complexity measures on $\text{IPS}$ proofs or as $\mathcal {C}$-$\text{IPS}$ for certain classes $\mathcal {C}$. In particular, the Nullstellensatz system [14], the Polynomial Calculus (or Gröbner) proof system [27], and Polynomial Calculus with Resolution [4] are all particular measures on $\text{IPS}$, and Pitassi's previous algebraic systems [81, 82] are subsystems of $\text{IPS}$.

Raz and Tzameret [85] introduced various multilinear algebraic proof systems. Although their systems are not so easily defined in terms of $\text{IPS}$, the Ideal Proof System nonetheless p-simulates all of their systems. Among other results, they show that a super-polynomial separation between two variants of their system—one representing lines by multilinear circuits, and one representing lines by general algebraic circuits—would imply a super-polynomial separation between general and multilinear circuits computing multilinear polynomials. However, they only get implications to lower bounds on multilinear circuits rather than general circuits, and they do not prove a statement analogous to our Theorem 1.2, that lower bounds on a single system imply algebraic circuit lower bounds.

Grigoriev and Hirsch [35] introduced two proof systems, F-NS and F-PC, analogous to Nullstellensatz and Polynomial Calculus, respectively, but in which the basic objects of the proofs are allowed to be algebraic formulae, rather than only sums of monomials, and equivalence of formulae must be verified line-by-line using the axioms for a polynomial ring (associativity, commutativity, distributivity, etc.). Again, although these systems are not so easily defined in terms of IPS, they are easily p-simulated by IPS; indeed, in IPS the standard axioms for a polynomial ring come nearly for free—the main cost is that the verification is randomized instead of deterministic. They did not draw connections between algebraic circuit lower bounds and lower bounds on their proof systems.

Finally, we mention that Hrubeš and Tzameret [46] have studied the proof complexity of polynomial identity testing (PIT). In particular, they studied the question of how many basic ring identities—associativity, distributivity, and so on—are needed to verify a polynomial identity. While one of the messages of our article is the importance of the proof complexity of PIT, the way it shows up in our work is in proving that a Boolean circuit deciding PIT is correct (see our PIT axioms, Definition 5.1), whereas in Hrubeš and Tzameret [46] they study the complexity of proving individual polynomial identities.

Ideal Membership and Effective Nullstellensatzë. Prior to our work, much work was done on bounds for the Ideal Membership Problem ($\mathsf {EXPSPACE}$-complete [70, 71]), the so-called Effective Nullstellensatz (where exponential degree bounds are known, and known to be tight [20, 30, 56, 96]), and the arithmetic Nullstellensatz over , where one wishes to bound not only the degree of the polynomials but also the sizes of the integer coefficients appearing [61]. The viewpoint afforded by the Ideal Proof Systems raises new questions about potential strengthening of these results (or at least simplifies and highlights questions that were implicit in References [35, 81, 82]).

In particular, the following is a natural extension of Definition 1.1.

Grigoriev and Hirsch [35, Section 2.5] introduced a related system, denoted (F-)PC$\sqrt {}$, for proving that a polynomial is in the radical of an ideal. The key difference between (F-)PC$\sqrt {}$ and (F-)PC being that they add the rule from which derives a polynomial $P$ from $P^2$. But otherwise, their system has similar tradeoffs relative to IPS: On the one hand, their system can be deterministically verified; on the other hand, it is restricted to syntactic derivations.

Under special circumstances, of course, one may be able to achieve better upper bounds.

The preceding observation, however, does not seem to apply to effective Nullstellensatzë, which are generally about showing that a function $G$ is in the radical of an ideal (which, in particular, always applies for $G=1$). We thus raise the following question:

In Section 2, we give the necessary preliminaries from algebraic circuit complexity, proof complexity, and commutative algebra. We really begin in Section 3 by proving several basic facts about $\text{IPS}$. We discuss the relationship between $\text{IPS}$ and previously studied proof systems. We also highlight several consequences of results from algebraic complexity theory for the Ideal Proof System, such as division elimination [98] and the chasms at depths 3 [39, 99] and 4 [2, 55, 99].

In Section 4, we prove that lower bounds on $\text{IPS}$ imply algebraic circuit lower bounds (Theorem 1.2). We also show how this result gives as a corollary a new, simpler proof that over any field (Corollary 4.1). In Section 5 we introduce our PIT axioms in detail and prove Theorems 1.4 and 1.6.

We also discuss in detail many variants of Theorem 1.6 and their consequences, as briefly mentioned above. In Section 6, we show what obstacles need to be overcome to extend lower bounds from algebraic circuit complexity to (algebraic) proof complexity; we also suggest a new framework for transferring techniques in this direction. Finally, in Section 7, we gather a long list of open questions raised by our work, many of which we believe may be quite approachable.

In Section 8, we discuss some developments that occurred subsequent to the appearance of the preliminary version of this article [37]. Namely, Li, Tzameret, and Wang [65] showed—along the lines suggested in Section 5—that non-commutative formula $\text{IPS}$ is unconditionally quasi-polynomially equivalent to Frege. We discuss their result and its significance for proving Frege lower bounds. Also, Forbes, Shpilka, Tzameret, and Wigderson [34] showed several fundamental results about IPS as well as how to transfer some techniques from circuit complexity to prove lower bounds on some simple polynomials in $\mathcal {C}$-IPS for various $\mathcal {C}$.

In Appendices A and B, we introduce two variants of the Ideal Proof System—one of which allows certificates to be rational functions and not only polynomials and one of which has a more geometric flavor—and discuss their relationship to $\text{IPS}$. These systems further suggest that tools from geometry and algebra could potentially be useful for understanding the complexity of various propositional tautologies and more generally the complexity of individual instances of $\mathsf {NP}$-complete problems.

Over a ring $R$, $\mathsf {VP}_{R}$ is the class of families $f=(f_n)_{n=1}^{\infty }$ of formal polynomials—that is, considered as symbolic polynomials rather than as functions—$f_n$ such that $f_n$ has $\operatorname{poly}(n)$ input variables, is of $\operatorname{poly}(n)$ degree, and can be computed by algebraic circuits over $R$ of $\operatorname{poly}(n)$ size. $\mathsf {VNP}_{R}$ is the class of families $g$ of polynomials $g_n$ such that $g_n$ has $\operatorname{poly}(n)$ input variables and is of $\operatorname{poly}(n)$ degree and can be written as

A linear combination gate is a gate $g$, with incoming edges from gates $f_1,\ldots, f_k$, and with scalar weights on its incoming edges, which computes the linear combination $\sum _i w_i f_i$. For the definitions of $\mathsf {VP}$ and $\mathsf {VNP}$ it does not matter whether we use gates of bounded fan-in or unbounded fan-in, and whether we allow general linear combination gates or merely addition gates (with no weights). But when we consider families of algebraic circuits of bounded-depth, we will by default allow linear combination gates and product gates of unbounded fan-in.

A family of algebraic circuits is said to be constant free if the only constants used in the circuit are $\lbrace 0,1,-1\rbrace$. Other constants can be used but must be built up using algebraic operations, which then count towards the size of the circuit. The class $\mathsf {VP}^0$ is defined by restricting the circuits used in the definition of $\mathsf {VP}$ to be constant free and similarly for $\mathsf {VNP}^0$. We note that over a fixed finite field , , since there are only finitely many possible constants. Consequently, as well. Over the integers, coincides with those families in that are computable by algebraic circuits of polynomial total bit-size: Note that any integer of polynomial bit-size can be constructed by a constant-free circuit by using its binary expansion $b_n \cdots b_1 = \sum _{i=0}^{n-1} b_i 2^i$, and computing the powers of 2 by linearly many successive multiplications. A similar trick shows that over the algebraic closure of a finite field, coincides with those families in that are computable by algebraic circuits of polynomial total bit-size or equivalently where the constants they use lie in subfields of of total size bounded by $2^{n^{O(1)}}$. (Recall that is a subfield of whenever $a | b$, and that the algebraic closure is just the union of over all integers $a$.)

A polynomial $f(\vec{x})$ is a projection of a polynomial $g(\vec{y})$ if $f(\vec{x}) = g(L(\vec{x}))$ identically as polynomials in $\vec{x}$, for some map $L$ that assigns to each $y_i$ either a variable or a constant. A family of polynomials $(f_n)$ is a polynomial projection or p-projection of another family $(g_n)$, denoted $(f_n) \le _{p} (g_n)$, if there is a function $t(n) = n^{\Theta (1)}$ such that $f_n$ is a projection of $g_{t(n)}$ for all (sufficiently large) $n$. The primary value of projections is that they are very simple and thus preserve bounds on nearly all natural complexity measures. Valiant [102, 104] was the first to point out not only their value but also their ubiquity in computational complexity—nearly all problems that are known to be complete for some natural class, even in the Boolean setting, are complete under p-projections. We say that two families $f=(f_n)$ and $g=(g_n)$ are of the same p-degree if each is a p-projection of the other, which we denote $f \equiv _{p} g$.

Despite its central role in computation, and the fact that $\mathsf {VP} = \mathsf {VNC}^2$ [105], the determinant is not known to be $\mathsf {VP}$-complete under p-projections. The determinant is $\mathsf {VQP}$-complete ($\mathsf {VQP}$ is defined just like $\mathsf {VP}$ but with a quasi-polynomial $n^{(\log n)^{O(1)}}$ bound on the size and degree of the circuits) under qp-projections (like p-projections, but with a quasi-polynomial bound). The complexity of the determinant is clarified by skew and weakly skew circuits. An algebraic circuit is skew if every multiplication gate has only two inputs, one of which is a variable or a constant. An algebraic circuit is weakly skew if every multiplication gate has at least one input that is computed solely for the purposes of that multiplication gate; more precisely, each multiplication gate $f = g_0 \times g_1$ has the property that for at least one of its input $g_i$, removing the edge connecting $g_i$ to $f$ in the directed acyclic graph corresponding to the circuit results in a disconnected graph. $\mathsf {VP}_s$ is the class of polynomials of $\operatorname{poly}(n)$ variables computed by skew circuits of $\operatorname{poly}(n)$ size; $\mathsf {VP}_{ws}$ is defined analogously with “skew” replaced by “weakly skew.” In both these classes, $\operatorname{poly}(n)$ bounded degree follows from the definition for free, thus $\mathsf {VP}_s \subseteq \mathsf {VP}$ and $\mathsf {VP}_{ws} \subseteq \mathsf {VP}$. Let $\mathsf {VP}_{\det }$ denote the class of polynomials that are p-projections of the determinant. It turns out that $\mathsf {VP}_s = \mathsf {VP}_{ws} = \mathsf {VP}_{\det }$ [101] (see also Malod and Portier [67]). We will use weakly skew circuits and $\mathsf {VP}_{\det }$ in Proposition 3.4.

The semantic degree of any gate in an algebraic circuit is just the degree of the polynomial it computes; the semantic degree of a (single-output) algebraic circuit is the semantic degree of its output gate. The syntactic degree of an algebraic circuit is defined inductively as follows: The syntactic degree of a constant is 0; the syntactic degree of a variable is 1; the syntactic degree of a product gate with children $f_1,\ldots, f_k$ is the sum of the syntactic degrees of the $f_i$; and the syntactic degree of a sum or linear combination gate with children $f_1,\ldots, f_k$ is the maximum of the syntactic degrees of the $f_i$. Semantic degree can be exponentially smaller than syntactic degree due to cancellations.

Here we give formal definitions of proof systems and probabilistic proof systems for $\mathsf {coNP}$ languages and discuss several important and standard proof systems for TAUT.

As this is just the definition of an $\mathsf {NP}$ procedure for $L$, it follows that for any $\mathsf {coNP}$-complete language $L$, $L$ has a polynomially bounded proof system if and only if $\mathsf {coNP} \subseteq \mathsf {NP}$.

Cook and Reckhow [28] formalized proof systems for the language TAUT (all Boolean tautologies) in a slightly different way, although their definition is essentialy equivalent to the one above. We mildly prefer the above definition as it is consistent with definitions of interactive proofs.

Intuitively, we think of $P^{\prime }$ as a procedure for verifying that $\pi$ is a proof that some $x \in L$ and if so, it outputs $x$. (For all strings $z$ that do not encode valid proofs, $P^{\prime }(z)$ may just output some fixed $x_0 \in L$.) It is a simple exercise to see that for every language $L$, any propositional proof system $P$ according to our definition can be converted to a Cook–Reckow proof system $P^{\prime }$, and vice versa, and furthermore the runtime properties of $P$ and $P^{\prime }$ will be the same. In the forward direction, say $P$ is a proof system for $L$ according to our definition. Define $\pi$ as encoding a pair $(x,\pi ^{\prime })$; on input $\pi =(x,\pi ^{\prime })$, $P^{\prime }$ runs $P$ on the pair $(x,\pi ^{\prime })$. If $P$ accepts, then $P^{\prime }(\pi)$ outputs $x$, and if $P$ rejects, then $P^{\prime }(\pi)$ outputs (the encoding of) a canonical $x_0$ in $L$. Conversely, say that $P^{\prime }$ is a Cook–Reckhow proof system for $L$. $P(x,\pi)$ runs $P^{\prime }$ on $\pi$ and accepts if and only if $P^{\prime }(\pi)=x$.

Informally, $P_1$ p-simulates $P_2$ if proofs in $P_1$ are no longer than proofs in $P_2$ (up to polynomial factors).

Standard Propositional Proof Systems. For TAUT (or UNSAT), there are a variety of standard and well-studied proof systems, the most important ones including Extended Frege (EF), Frege, Bounded-depth Frege, and Resolution. A Frege rule is an inference rule of the form: $B_1, \ldots , B_n \Rightarrow B$, where $B_1,\ldots , B_n,B$ are propositional formulas. If $n=0$, then the rule is an axiom. For example, $A \vee \lnot A$ is a typical Frege axiom, and $A, \lnot A \vee B \Longrightarrow B$ is a typical Frege rule. A Frege system is specified by a finite set, $R$, of rules. Given a collection $R$ of rules, a derivation of a 3DNF formula $f$ is a sequence of formulas $f_1,\ldots ,f_m$ such that each $f_i$ is either an instance of an axiom scheme or follows from previous formulas by one of the rules in $R$ and such that the final formula $f_m$ is $f$. In order for a Frege system to be a proof system in the Cook–Reckhow sense, its corresponding set of rules must be sound and complete. Work by Cook and Reckhow in the 1970s [28] showed that Frege systems are very robust in the sense that all Frege systems are polynomially equivalent.

Bounded-depth Frege proofs ($\mathsf {AC}^0$-Frege) are Frege proofs but with the additional restriction that each formula in the proof has bounded depth. (Because our connectives are AND, OR, and negation, by depth we assume the formula has all negations at the leaves, and we count the maximum number of alternations of AND/OR connectives in the formula.) Polynomial-sized $\mathsf {AC}^0$-Frege proofs correspond to the complexity class $\mathsf {AC}^0$ because such proofs allow a polynomial number of lines, each of which must be “syntactically in $\mathsf {AC}^0$” (that is, syntactically it must be described by a bounded-depth circuit).

Bounded-depth Frege proofs with mod $p$ connectives ($\mathsf {AC}^0[p]$-Frege) are bounded-depth Frege proofs that also allow unbounded fan-in $MOD_p$ connectives, namely $MOD_p^i$ for $i \in \lbrace 0,\ldots,p-1\rbrace$. $MOD^i_p(x_1,\ldots, x_k)$ evaluates to true if the number of $x_i$ that are true is congruent to $i \pmod {p}$ and evaluates to false otherwise.

Extended Frege systems generalize Frege systems by allowing, in addition to all of the Frege rules, a new axiom of the form $y \leftrightarrow A$, where $A$ is a formula and $y$ is a new variable not occurring in $A$ nor in the final formula (i.e., the formula being proved). Whereas polynomial-size Frege proofs allow a polynomial number of lines, each of which must be a polynomial-size formula, using the new axiom, polynomial-size EF proofs allow a polynomial number of lines, each of which can be a polynomial-size circuit. See Krajíček [59] for precise definitions of Frege, $\mathsf {AC}^0$-Frege, and EF proof systems.

Probabilistic Proof Systems. The concept of a proof system for a language in $\mathsf {coNP}$ can be generalized in the natural way to obtain randomized Merlin–Arthur-style proof systems.

It is clear that for any $\mathsf {coNP}$-complete language $L$, there is a polynomially bounded probabilistic proof system for $L$ if and only if $\mathsf {coNP} \subseteq \mathsf {MA}$ (which implies the collapse of $\mathsf {PH}$).

Again, we have chosen to define our probabilitic proof systems to match the definition of $\mathsf {MA}$. The probabilistic proof system that would be analogous to the standard Cook–Reckhow proof system would be somewhat different, as defined below. Again, a simple argument like the one above shows that our probablistic proof systems are essentially equivalent to probabilistic Cook–Reckhow proof systems.

We note that both Pitassi's algebraic proof system [81] and the Ideal Proof System are probabilistic Cook–Reckhow systems. The algorithm $P$ takes as input a description of a (constant-free) algebraic circuit $C$ together with a tautology $\varphi$ and then verifies that the circuit is indeed an $\text{IPS}$-certificate for $\varphi$ by using the standard Schwartz–Zippel–DeMillo–Lipton [29, 89, 109] $\mathsf {coRP}$ algorithm for polynomial identity testing. The proof that Pitassi's algebraic proof system is a probabilistic Cook–Reckhow system is essentially the same.

The following preliminaries from commutative algebra are needed only in Section 6 and Appendix A.

A module over a ring $R$ is defined just like a vector space, except over a ring instead of a field. That is, a module $M$ over $R$ is a set with two operations: addition (making $M$ an abelian group) and multiplication by elements of $R$ (“scalars”), satisfying the expected axioms (see any textbook on commutative algebra, e.g., References [6, 31]). A module over a field is precisely a vector space over . Every ring $R$ is naturally an $R$-module (using the ring multiplication as the scalar multiplication), as is $R^{n}$, the set of $n$-tuples of elements of $R$. Every ideal $I \subseteq R$ is an $R$-module—indeed, an ideal could be defined, if one desired, as an $R$-submodule of $R$—and every quotient ring $R/I$ is also an $R$-module, by $r \cdot (r_0 + I) = rr_0 + I$.

Unlike vector spaces, however, there is not so nice a notion of “dimension” for modules over arbitrary rings. Two differences will be particularly relevant in our setting. First, although every vector subspace of is finite-dimensional, hence finitely generated, this need not be true of every submodule of $R^n$ for an arbitrary ring $R$. Second, every (finite-dimensional) vector space $V$ has a basis, and every element of $V$ can be written as a unique -linear combination of basis elements, but this need not be true of every $R$-module, even if the $R$-module is finitely generated, as in the following example.

A ring $R$ is Noetherian if there is no strictly increasing, infinite chain of ideals . Fields are Noetherian (every field has only two ideals: the zero ideal and the whole field), as are the integers . Hilbert's Basis Theorem says that every ideal in a Noetherian ring is finitely generated. Hilbert's (other) Basis Theorem says that if $R$ is finitely generated, then so is the polynomial ring $R[x]$ (and hence so is any polynomial ring $R[\vec{x}]$). Quotient rings of Noetherian rings are Noetherian, so every ring that is finitely generated over a field (or more generally, over a Noetherian ring $R$) is Noetherian.

Similarly, an $R$-module $M$ is Noetherian if there is no strictly increasing, infinite chain of submodules . If $R$ is Noetherian as a ring, then it is Noetherian as an $R$-module. It is easily verified that finite direct sums of Noetherian modules are Noetherian, so if $R$ is a Noetherian ring, then it is a Noetherian $R$-module, and, consequently, $R^{n}$ is a Noetherian $R$-module for any finite $n$. Just as for ideals, every submodule of a Noetherian module is finitely generated.

This result and its proof are essentially the same as Pitassi [81, Theorem 4]; here we mainly take advantage of history that PIT and $\mathsf {coMA}$ are now much more standard than they were in 1996. We also note that the proof allows arbitrary fields, as long as one is careful about the use of constant freeness.

If we wish to drop the restriction of “constant free” (which, recall, is no restriction at all over a finite field), then we may do so either by using the Blum–Shub–Smale analogs of $\mathsf {NP}$ and $\mathsf {coMA}$ using essentially the same proof or over fields of characteristic zero using the Generalized Riemann Hypothesis (Proposition 3.2).

The key difference between this result and Proposition 3.1 is that we do not need to assume the proofs are constant free. The price we pay is the use of GRH and that we do not know how to improve this result from $\mathsf {coAM}$ to $\mathsf {coMA}$ (as in Proposition 3.1). We thank Pascal Koiran for the second half of the proof.

Proof (with P. Koiran). The key fact we will use is that deciding Hilbert's Nullstellensatz—that is, given a system of integer polynomials over , deciding if they have a solution over —is in $\mathsf {AM}$ [54]. Rather than looking at solvability of the original set of equations $F_1(\vec{x}) = \cdots = F_m(\vec{x}) = 0$, we consider solvability of a set of equations whose solutions describe all of the polynomial-size $\text{IPS}$-certficiates for $F$.

The equations we consider will come from a generic polynomial-size circuit; here we use the model of generic circuits from Mulmuley--Sohoni [77, Section 6]. The generic circuit will have depth $d \le \operatorname{poly}(n)$ and width $n+m \le w \le \operatorname{poly}(n)$, consisting of $d+1$ layers of gates, the 0th layer consisting of the inputs to a potential $\text{IPS}$ certificate—$x_1,\ldots, x_n, y_1,\ldots, y_m$—the $d$th layer consisting of a single output gate, and each intermediate layer containing $w$ nodes. Each node in level $\ell$ is connected to every node in level $\ell +1$. There are also new variables $z_{i,j,k}$. We define the circuit to compute as follows: We use $f_k$ to denote the function computed at gate $k$. If $k$ is an input gate, then $f_k$ is equal to the appropriate input variable; otherwise, $f_k(\vec{x}, \vec{y}, \vec{z}) \stackrel{\textit{def}}{=}\sum _{i,j} z_{i,j,k} f_i f_j$, where the sum is over all pairs of gates $i,j$ in the layer immediately preceding the layer of $k$. The output gate of this generic circuit computes a polynomial $C(\vec{x}, \vec{y}, \vec{z})$, and for any setting of the $z_{i,j,k}$ variables to constants $\zeta _{i,j,k}$, we get a particular polynomial $C_{\vec{\zeta }}(\vec{x}, \vec{y}) \stackrel{\textit{def}}{=}C(\vec{x}, \vec{y}, \vec{\zeta })$ that is easily seen to be computed by circuits of polynomial size. Furthermore, any function computed by a polynomial-size circuit is equal to $C_{\vec{\zeta }}(\vec{x},\vec{y})$ for some setting of $\vec{\zeta }$. In particular, there is a polynomial-size $\text{IPS}$ proof $C^{\prime }$ for $F$ if and only if there is some such that $C^{\prime } = C_{\vec{\zeta }}(\vec{x}, \vec{y})$.

We will translate the conditions that a circuit be an $\text{IPS}$ certificate into equations on the new $z$ variables. Pick sufficiently many random values $\vec{\xi }^{(1)}, \vec{\xi }^{(2)},\ldots, \vec{\xi }^{(h)}$ to be substituted into $\vec{x}$. Heintz and Schnorr [42, Theorem 4.4] showed that by picking $h \sim \operatorname{poly}(n)$ random values from $[N]^{n}$ for some $N \le \exp (n^{O(1)})$ (which therefore have $\operatorname{poly}(n)$ bit-size), with high probability $\lbrace \vec{\xi }^{(1)},\ldots, \vec{\xi }^{(h)}\rbrace$ will be a hitting set against all $n$-variable polynomials of circuit-size $\le \operatorname{poly}(n)$. Then we consider the solvability of the following set of $2h$ equations in $\vec{z}$:

\begin{eqnarray*} \text{(For $i=1,\ldots,h$)} & &\quad C(\vec{\xi }^{(i)}, \vec{0}, \vec{z}) = 0 \\ \text{(For $i=1,\ldots,h$)} & &\quad C(\vec{\xi }^{(i)}, \vec{F}(\vec{\xi }^{(i)}), \vec{z}) = 1. \end{eqnarray*}

Determining whether a system of polynomial equations, given by circuits over a field of characteristic zero, has a solution in the algebraic closure can be done in $\mathsf {AM}$ [ 54]. If there is an $\text{IPS}$ proof, then let $\vec{\zeta }$ be such that $C_{\vec{\zeta }}(\vec{x}, \vec{y})=C(\vec{x}, \vec{y}, \vec{\zeta })$ is an $\text{IPS}$ proof. Then the preceding equalities will be satisfied regardless of the choices of the $\vec{\xi }^{(i)}$. Conversely, suppose that $\vec{\zeta }$ is a solution to the above system of equations. Since $C(\vec{\xi }^{(i)}, 0, \vec{\zeta }) = 0$ for each $\vec{\xi }^{(i)}$, and $\lbrace \vec{\xi }^{(1)},\ldots, \vec{\xi }^{(h)}\rbrace$ is a hitting set, it follows that $C(\vec{x},0,\vec{\zeta })$ is identically zero as a polynomial in $\vec{x}$. Similarly for $C(\vec{x}, \vec{F}(\vec{x}), \vec{\zeta }) - 1$. Hence, $C_{\vec{\zeta }}(\vec{x}, \vec{y})$ is an $\text{IPS}$ proof.

Composing Koiran's $\mathsf {AM}$ algorithm for the Nullstellensatz with the random guesses for the $\vec{\xi }^{(i)}$, and assuming that every family of propositional tautologies has polynomial-size $\text{IPS}$ certificates, we get an $\mathsf {AM}$ algorithm for TAUT.

Recently, many strong depth reduction theorems have been proved for circuit complexity [2, 39, 55, 99], which have been called “chasms” since Agrawal and Vinay [2]. In particular, they imply that sufficiently strong lower bounds against depth 3 or 4 circuits imply super-polynomial lower bounds against arbitrary circuits. Since an $\text{IPS}$ proof is just a circuit, these depth reduction chasms apply equally well to $\text{IPS}$ proof size. Note that it was not clear to us how to adapt the proofs of these chasms to proofs in the Polynomial Calculus or other previous algebraic systems [82], and indeed this was part of the motivation to move to our more general notion of $\text{IPS}$ proof.

This suggests that size lower bounds for $\text{IPS}$ proofs in restricted circuit classes would be interesting, even for restricted kinds of depth 3 circuits.

Similarly, since $\text{IPS}$ proofs are just circuits, any $\text{IPS}$ certificate family of polynomially bounded degree that is computed by a polynomial-size family of algebraic circuits with divisions can also be computed by a polynomial-size family of algebraic circuits without divisions (follows from Strassen [98]). We note, however, that one could in principle consider $\text{IPS}$ certificates that were not merely polynomials, but even rational functions, under suitable conditions; divisions for computing these cannot always be eliminated. We discuss this “Rational Ideal Proof System,” the exact conditions needed, and when such divisions can be effectively eliminated in Appendix A.

Previously studied algebraic proof systems can be viewed as particular complexity measures on the Ideal Proof System, including the Polynomial Calculus (or Gröbner) proof system (PC) [27], Polynomial Calculus with Resolution (PCR) [4], the Nullstellensatz proof system [14], and Pitassi's algebraic systems [81, 82], as we explain below.

All of the previous algebraic proof systems are rule-based systems, in that they syntactically enforce the condition that every line of the proof is a polynomial in the ideal of the original polynomials $F_1(\vec{x}),\ldots, F_m(\vec{x})$. Typically, they do this by allowing two derivation rules: (1) from $G$ and $H$, derive $\alpha G + \beta H$ for $\alpha ,\beta$ constants and (2) from $G$, derive $Gx_i$ for any variable $x_i$. By “rule-based circuits,” we mean circuits with inputs $y_1,\ldots, y_m$ having linear combination gates and, for each $i=1,\ldots,n$, gates that multiply their input by $x_i$. In particular, rule-based circuits necessarily produce Hilbert-like certificates.

In Pitassi's 1998 system [82], a proof is a rule-based derivation of 1, as above, starting from the $F_i$, with size measured by number of lines. This is essentially the same as the Polynomial Calculus, but with size measured by the number of lines rather than by the total number of monomials appearing.

In Pitassi's 1996 system [81], a proof of the unsatisfiability of $F_1(\vec{x}) = \cdots = F_m(\vec{x}) = 0$ is a circuit computing a vector $(G_1(\vec{x}),\ldots, G_m(\vec{x}))$ such that $\sum _i F_i(\vec{x}) G_i(\vec{x}) = 1$. Size is measured by the size of the corresponding circuit.

Now we come to the definitions of previous algebraic proof systems in terms of complexity measures on the Ideal Proof System:

• Complexity in the Nullstellensatz proof system [14], or “Nullstellensatz degree,” is the minimal degree of any Hilbert-like certificate (for systems of equations of constant degree, such as the algebraic translations of tautologies.)
  
• “Polynomial Calculus size” [27] is the sum of the (semantic) number of monomials at each gate in $C(\vec{x}, \vec{F}(\vec{x}))$, where $C$ ranges over rule-based circuits.
  
• “PC degree” [27] is the minimum over rule-based circuits $C(\vec{x}, \vec{y})$ of the maximum semantic degree at any gate in $C(\vec{x}, \vec{F}(\vec{x}))$.
  
• Pitassi's 1998 algebraic proof system [82] is essentially PC, except where size is measured by number of lines of the proof (rather than total number of monomials appearing). This corresponds exactly to the smallest size of any rule-based circuit $C(\vec{x}, \vec{y})$ computing any Hilbert-like $\text{IPS}$ certificate. Below we show that this is p-equivalent to $\mathsf {VP}_{\det }$-$\text{IPS}$.
  
• Polynomial Calculus with Resolution (PCR) [4] also allows variables $\overline{x}_i$ and adds the equations $\overline{x}_i = 1 - x_i$ and $x_i \overline{x}_i = 0$. This is easily accommodated into the Ideal Proof System: Add the $\overline{x}_i$ as new variables, with the same restrictions as are placed on the $x_i$’s in a rule-based circuit, and add the polynomials $\overline{x}_i - 1 + x_i$ and $x_i \overline{x}_i$ to the list of equations $F_i$. Note that while this may have an effect on the PC size as it can decrease the total number of monomials needed, it has essentially no effect on the number of lines of the proof.
  
• Pitassi's 1996 algebraic proof system [81] is equivalent to Hilbert-like IPS.
  

We prove the precise relationships between Pitassi's previous algebraic proof systems [81, 82] and $\text{IPS}$ next.

Recall from Section 2.1 the definitions of $\mathsf {VP}_{\det }$ and $\mathsf {VP}_{ws}$; for readability and ease of speech, we refer to $\mathsf {VP}_{\det }$-$\text{IPS}$ $=\mathsf {VP}_{ws}$-$\text{IPS}$ as “determinantal $\text{IPS}$” or “$\det$-$\text{IPS}$,” for short.

In light of this proposition, we henceforth refer to the systems from Pitassi [81] and [82] as Hilbert-like $\text{IPS}$ and Hilbert-like $\det$-$\text{IPS}$, respectively. Pitassi [81, Theorem 5] showed that Hilbert-like $\text{IPS}$ p-simulates Polynomial Calculus and Frege. Essentially, the same proof shows that Hilbert-like $\text{IPS}$ p-simulates Extended Frege as well. Unfortunately, the proof of the simulation in Pitassi [81] does not seem to generalize to give a depth-preserving simulation. In Section 3.5, we show there is indeed a depth-preserving simulation (Theorem 3.5).

It is interesting to note that the condition of being weakly skew is precisely the condition we needed to make this proof go through.

Throughout this section, all algebraic circuits may have linear combination gates—with weights on their incoming edges (see Section 2.1)—and product gates of unbounded fan-in. We measure the size of all circuits $C$ (Boolean and algebraic), denoted $\text{size}(C)$, by the number of gates. The depth of a circuit $C$ (Boolean or algebraic), denoted $\text{depth}(C)$, is the maximum number of gates encountered on any path from a leaf to the root.

The “$O(d)$” above is ; in a forthcoming preprint [38], we prove a tighter depth-preserving simulation, which has the advantage of drawing connections to depth-six algebraic circuits; the two proofs follow the same outline, but the tighter result requires several new technical ingredients.

The proof uses known sparse multivariate polynomial interpolation algorithms. The threshold $T$ is essentially the number of points at which the polynomial must be evaluated in the course of the interpolation algorithm. Here we use one of the early, elegant interpolation algorithms due to Zippel [110]. Although Zippel's algorithm chooses random points at which to evaluate polynomials for the interpolation, in our nonuniform setting it suffices merely for points with the required properties to exist (which they do as long as ). Better bounds may be achievable using more recent interpolation algorithms such as those of Ben-Or and Tiwari [16] or Kaltofen and Yagati [51]. We note that all of these interpolation algorithms only give limited control on the depth of the resulting Hilbert-like $\text{IPS}$-certificate (as a function of the depth of the original $\text{IPS}$-certificate $f$), because they all involve solving linear systems of equations, which is not known to be computable efficiently in constant depth.

Forbes, Shpilka, Tzameret, and Wigderson [34] subsequently improved on this result; see Section 8.

Fix some standard Boolean encoding of constant-free algebraic circuits, so that the encoding of any size-$m$ constant-free algebraic circuit has size $\operatorname{poly}(m)$. We use “$[C]$” to denote the encoding of the algebraic circuit $C$. Let $K = (K_{m,n})$ denote a family of Boolean circuits for solving polynomial identity testing. That is, $K_{m,n}$ is a Boolean function that takes as input the encoding of a size $m$ constant-free algebraic circuit, $C$, over variables $x_1, \ldots , x_n$, and if $C$ has polynomial degree, then $K$ outputs 1 if and only if the polynomial computed by $C$ is the 0 polynomial.

Notational convention: We underline parts of a statement that involve propositional variables. For example, if in a propositional statement we write “$[C]$,” then this refers to a fixed Boolean string that is encoding the (fixed) algebraic circuit $C$. In contrast, if we write $\underline{[C]}$, then this denotes a Boolean string of propositional variables, which is to be interpreted as a description of an as-yet-unspecified algebraic circuit $C$; any setting of the propositional variables corresponds to a particular algebraic circuit $C$. Throughout, we use $\vec{p}$ and $\vec{q}$ to denote propositional variables (which we do not bother underlining except when needed for emphasis) and $\vec{x}, \vec{y}, \vec{z},\ldots\,$ to denote the algebraic variables that are the inputs to algebraic circuits. Thus, $C(\vec{x})$ is an algebraic circuit with inputs $\vec{x}$, $[C(\vec{x})]$ is a fixed Boolean string encoding some particular algebraic circuit $C$, $\underline{[C(\vec{x})]}$ is a string of propositional variables encoding an unspecified algebraic circuit $C$, and $[C(\underline{\vec{p}})]$ denotes a Boolean string together with propositional variables $\vec{p}$ that describes a fixed algebraic circuit $C$ whose inputs have been set to the propositional variables $\vec{p}$.

Note that the issue is not the existence of small circuits for PIT, since we would be happy with nonuniform polynomial-size PIT circuits, which do exist. Unfortunately, the known constructions are highly nonuniform—they involve picking random points—and we do not see how to prove axiom 1 for these constructions. Nonetheless, it seems very plausible to us that there exists a polynomial-size family of PIT circuits where the above axioms are efficiently provable in EF.

To prove the theorem, we will first show that EF is p-equivalent to $\text{IPS}$ if a family of propositional formulas expressing soundness of $\text{IPS}$ are efficiently EF provable. Then we will show that efficient EF proofs of $Soundness_{\text{IPS}}$ follows from efficient EF proofs for our PIT axioms.

Soundness of $\text{IPS}$ . It is well known that for standard Cook–Reckhow proof systems, a proof system $P$ can p-simulate another proof system $P^{\prime }$ if and only if $P$ can prove soundness of $P^{\prime }$. Our proof system is not standard, because verifying a proof requires probabilistic, rather than deterministic, polynomial-time. Still we will show how to formalize soundness of $\text{IPS}$ propositionally, and we will show that if EF can efficiently prove soundness of $\text{IPS}$ then EF is p-equivalent to $\text{IPS}$.

Let $\varphi = \kappa _1 \wedge \ldots \wedge \kappa _m$ be an unsatisfiable propositional 3CNF formula over variables $p_1,\ldots ,p_n$, and let $Q^\varphi _1, \ldots , Q^\varphi _m$ be the corresponding polynomial equations (each of degree at most 3) such that $\kappa _i(\alpha)=1$ if and only if $Q^\varphi _i(\alpha)=0$ for $\alpha \in \lbrace 0,1\rbrace ^{n}$. An $\text{IPS}$-refutation of $\varphi$ is an algebraic circuit, $C$, which demonstrates that 1 is in the ideal generated by the polynomial equations $\vec{Q}^\varphi$. (This demonstrates that the polynomial equations $\vec{Q}^\varphi =0$ are unsolvable, which is equivalent to proving that $\varphi$ is unsatisfiable.) In particular, recall that $C$ has two types of inputs: $x_1,\ldots,x_n$ (corresponding to the propositional variables $p_1,\ldots,p_n$) and the placeholder variables $y_1, \ldots , y_m$ (corresponding to the equations $Q^{\varphi }_1,\ldots,Q^\varphi _m$) and satisfies the following two properties:

1. $C(\vec{x},\vec{0})=0$. This property essentially states that the polynomial computed by $C(\vec{x},\vec{Q}(\vec{x}))$ is in the ideal generated by $Q^\varphi _1,\ldots ,Q^\varphi _m$.
   
2. $C(\vec{x},\vec{Q}^\varphi (\vec{x}))=1$. This property states that the polynomial computed by $C$, when we substitute the $Q^\varphi _i$’s for the $y_i$’s, is the identically 1 polynomial.
   

Encoding $\text{IPS}$ Proofs. Let $K$ be a family of polynomial-size circuits for PIT. Using $K_{m,n}$, we can create a polynomial-size Boolean circuit, $Proof_{\text{IPS}} ([C], [\varphi ])$ that is true if and only if $C$ is an $\text{IPS}$-proof of the unsatisfiability of $\vec{Q}^\varphi =0$. The polynomial-sized Boolean circuit $Proof_{\text{IPS}} ([C],[\varphi ])$ first takes the encoding of the algebraic circuit $C$ (which has $x$-variables and placeholder variables), and creates the encoding of a new algebraic circuit, $[C^{\prime }]$, where $C^{\prime }$ is like $C$ but with each $y_i$ variable replaced by 0. Second, it takes the encoding of $C$ and $[\varphi ]$ and creates the encoding of a new circuit $C^{\prime \prime }$, where $C^{\prime \prime }$ is like $C$ but now with each $y_i$ variable replaced by $Q^\varphi _i$. (Note that whereas $C$ has $n+m$ underlying algebraic variables, both $C^{\prime }$ and $C^{\prime \prime }$ have only $n$ underlying variables.) $Proof_{\text{IPS}} ([C], [\varphi ])$ is true if and only if $K([C^{\prime }])$—that is, $C^{\prime }(\vec{x})=C(\vec{x},\vec{0})$ computes the 0 polynomial—and $K([1-C^{\prime \prime }])=0$—that is, $C^{\prime \prime }(\vec{x})=C(\vec{x},\vec{Q}^{\varphi }(\vec{x}))$ computes the 1 polynomial.

Theorem 1.4 follows from Lemma 5.4 and the following lemma.

Note that here we do not need to restrict the circuit $K$ to be in the class $\mathcal {C}$. This requires one more technical device compared to the proofs in the previous section. The proof of Theorem 1.6 follows the proof of Theorem 1.4 very closely. The main new ingredient is a folklore technical device that allows even very weak systems such as $\mathsf {AC}^0$-Frege to make statements about arbitrary circuits $K$—such as those needed to reason about the PIT axioms—together with a careful analysis of what was needed in the proof of Theorem 1.4. Before proving Theorem 1.6, we discuss some of its more interesting consequences.

As $\mathsf {AC}^0$-Frege is known unconditionally to be strictly weaker than Extended Frege [3], we immediately get that $\mathsf {AC}^0$-Frege cannot efficiently prove the PIT axioms for any Boolean circuit family $K$ correctly computing PIT.

Using essentially the same proof as Theorem 1.6, we also get the following result. By “depth-$d$ PIT axioms,” we mean a variant where the algebraic circuits $C$ (encoded as $[C]$ in the statement of the axioms) have depth at most $d$. Note that, even over finite fields, super-polynomial lower bounds on depth-$d$ algebraic circuits are notoriously open problems even for $d$ as small as 4 or 5.⁶

This corollary makes the following question of central importance in getting lower bounds on $\mathsf {AC}^0[p]$-Frege:

This question has the virtue that answering it either way is highly interesting:

• If $\mathsf {AC}^0[p]$-Frege does not have polynomial-size proofs of the [depth-$d$] PIT axioms for any $K$, then we have super-polynomial size lower bounds on $\mathsf {AC}^0[p]$-Frege, answering a question that has been open for nearly thirty years.
  
• Otherwise, super-polynomial size lower bounds on $\mathsf {AC}^0[p]$-Frege imply that the permanent does not have polynomial-size algebraic circuits [of depth $d$] over any finite field of characteristic $p$. This would then explain why getting superpolynomial lower bounds on $\mathsf {AC}^0[p]$-Frege has been so difficult.
  

This dichotomy is in some sense like a “completeness result for $\mathsf {AC}^0[p]$-Frege, modulo proving strong algebraic circuit lower bounds on $\mathsf {VNP}$”: If one hopes to prove $\mathsf {AC}^0[p]$-Frege lower bounds without proving strong lower bounds on $\mathsf {VNP}$, then one must prove $\mathsf {AC}^0[p]$-Frege lower bounds on the PIT axioms. For example, if you believe that proving $\mathsf {VP} \ne \mathsf {VNP}$ [or that proving $\mathsf {VNP}$ does not have bounded-depth polynomial-size circuits] is very difficult, and that proving $\mathsf {AC}^0[p]$-Frege lower bounds is comparatively easy, then to be consistent you must also believe that proving $\mathsf {AC}^0[p]$-Frege lower bounds on the [bounded-depth] PIT axioms is easy.

Similarly, by combining Theorems 1.6 and 3.5, we get the following corollary.

Using the chasms at depths 3 and 4 for algebraic circuits [2, 55, 99] (see Observation 3.3), we can also help explain why sufficiently strong exponential lower bounds for $\mathsf {AC}^0$-Frege—that is, lower bounds that do not depend on the depth, or do not depend so badly on the depth (the current best bounds are of the form $\exp (\Omega (n^{\exp (-d + O(1)}))$ [15, 60, 83]), which have also been open for nearly thirty years—have been difficult to obtain:

As with Corollary 1.7, we conclude a similar dichotomy: Either $\mathsf {AC}^0$-Frege can efficiently prove the depth-4 PIT axioms (depth 3 in characteristic zero) or proving $2^{\omega (\sqrt {n} \log n)}$ lower bounds on $\mathsf {AC}^0$-Frege implies $\mathsf {VP}^0 \ne \mathsf {VNP}^0$.

Encoding $K$ into Weak Proof Systems. Extended Frege can easily reason about arbitrary circuits $K$: For each gate $g$ of $K$ (or even each gate of each instance of $K$ in a statement, if so desired), with children $g_{\ell }, g_{r}$, EF can introduce a new variable $k_g$ together with the requirement that $k_g \leftrightarrow k_{g_{\ell }} \, op_{g} \, k_{g_{r}}$, where $\, op_{g} \,$ is the corresponding operation $g = g_{\ell } \, op_{g} \, g_{r}$ (e.g., $\wedge$, $\vee$, etc.). But weaker proof systems such as Frege (=$\mathsf {NC}^1$-Frege), $\mathsf {AC}^0[p]$-Frege, or $\mathsf {AC}^0$-Frege do not have this capability. We thus need to help them out by introducing these new variables and formulae ahead of time.

For each gate $g$, the statement $k_g \leftrightarrow k_{g_{\ell }} \, op_{g} \, k_{g_{r}}$ only involves three variables and thus can be converted into a 3CNF of constant size. We refer to these clauses as the “$K$-clauses.” Note that the $K$-clauses do not set the inputs of $K$ to any particular values nor require its output to be any particular value. We denote the variables corresponding to $K$’s inputs as $k_{in,i}$ and the variable corresponding to $K$’s output as $k_{out}$.

The modified statement $\textit{Proof}_{\text{IPS}} (\underline{[C]},\underline{[\varphi ]})$ now takes the following form. Recall that $Proof_{\text{IPS}}$ involves two uses of $K$: $K(\underline{[C(\vec{x},\vec{0})]})$ and $K(\underline{[1-C(\vec{x}, \vec{Q}^\varphi (\vec{x}))]})$. Each of these instances of $K$ needs to get its own set of variables, which we denote $k^{(1)}_{g}$ for gate $g$ in the first instance and $k^{(2)}_{g}$ for gate $g$ in the second instance, together with their own copies of the $K$-clauses. For an encoding $[C]$ or $[\varphi ]$, let $[C]_{i}$ denote its $i$th bit, which may be a constant, a propositional variable, or even a propositional formula. Then $\textit{Proof}_{\text{IPS}} (\underline{[C]}, \underline{[\varphi }])$ is

The Proofs. Lemmata 5.10 and 5.11 are the $\mathsf {AC}^0$-analogs of Lemmata 5.4 and 5.5, respectively. The proof of Lemma 5.10 will cause no trouble, and the proof of Lemma 5.11 will need one additional technical device (the “dummy statements” above).

Before getting to their proofs, we state the main additional lemma that we use to handle the new $K$ variables. We say that a variable $k^{(i)}_{in,j}$ corresponding to an input gate of $K$ is set to $\psi$ by a propositional statement if $k^{(i)}_{in,j} \leftrightarrow \psi$ occurs in the statement.

Now we state the analogs of Lemmata 5.4 and 5.5 for $\mathcal {C}$-Frege. Because of the similarity of the proofs to the previous case, we merely indicate how their proofs differ from the Extended Frege case.

Proof. We mimic the proof of Lemma 5.5. In steps (1), (2), and (4) of that proof we used $m$ additional copies of $K$, where $m$ is the number of clauses in the CNF $\varphi$ encoded by $\underline{[\varphi ]}$, and thus $m \le \operatorname{poly}(n)$. To talk about these copies of $K$ in $\mathcal {C}$-Frege, however, the $K$ variables must already be present in the statement we wish to prove in $\mathcal {C}$-Frege. The “dummy statements” in the new version of soundness are the $K$-clauses—with inputs and outputs not set to anything—for each of $m$ new copies of $K$, which we denote $K^{(3)},\ldots, K^{(m+2)}$ (recall that the first two copies $K^{(1)}$ and $K^{(2)}$ are already used in the statement of $Proof_{\text{IPS}}$). We will not actually need these clauses anywhere in the proof, we just need their variables to be present from the beginning.

Starting with $\textit{Truth}_{bool}(\underline{[\varphi ]},\vec{p})$, $K^{(1)}(\underline{[C(\vec{x},\vec{0})]})$, $K^{(2)}(\underline{[1-C(\vec{x},\vec{Q}(\vec{x}))]})$ we derive a contradiction. The only step of the proof of Lemma 5.5 that was not either the use of an axiom or modus ponens was step (1), so it suffices to verify that this can be carried out in $\mathsf {AC}^0$-Frege with the $K$-clauses.

Step (1) was to show for every $i \in [m]$, $Truth_{bool}([\varphi ],\vec{p}) \rightarrow K(\underline{[Q_i^\varphi (\vec{p})]})$, where $Q_i^\varphi$ is the low-degree polynomial corresponding to the clause, $\kappa _i$, of $\varphi$. Note that, as $\varphi$ is not a fixed formula but is determined by the propositional variables encoding $\underline{[\varphi ]}$, the encoding $\underline{[Q_i^\varphi ]}$ depends on a subset of these variables.

$Truth_{bool}(\underline{[\varphi ]},\vec{p})$ states that each clause $\kappa _i$ in $\varphi$ evaluates to true under $\vec{p}$. It is a tautology that if $\kappa _i$ evaluates to true under $\vec{p}$, then $Q_i^{\varphi }$ evaluates to 0 at $\vec{p}$. Since $K$ correctly computes PIT,

\begin{equation} Truth_{bool}(\underline{[\kappa _i]},\vec{p}) \rightarrow K^{(i+2)}(\underline{[Q_i^\varphi (\vec{p})]}) \end{equation} (**)

is a tautology. Furthermore, although both the encoding $\underline{[\kappa _i]}$ and $\underline{[Q_i^{\varphi }]}$ depend on the propositional variables encoding $\underline{[\varphi ]}$, since we assume that $\varphi$ is a 3CNF, these only depend on constantly many of the variables encoding $\underline{[\varphi ]}$. Writing out ( **) it has the form

\[ Truth_{bool} \rightarrow \left((\text{$K^{(i+2)}$-clauses }) \wedge (\text{ setting inputs of $K^{(i+2)}$ to $\underline{[Q_i^\varphi (\vec{p})]}$}) \rightarrow k^{(i+2)}_{out} \right), \]

which is equivalent to

\[ Truth_{bool} \wedge (K^{(i+2)}\text{-clauses}) \wedge \left(\text{ setting inputs of $K^{(i+2)}$ to $\underline{[Q_i^\varphi (\vec{p})]}$}\right) \rightarrow k^{(i+2)}_{out}. \]

Thus ( **) satisfies the conditions of Lemma 5.9 and has a short $\mathsf {AC}^0$-Frege proof. Since $Truth_{bool}(\underline{[\varphi ]}, \vec{p})$ is defined as $\bigwedge _i Truth_{bool}(\underline{[\kappa _i]}, \vec{p})$ (see Section 5.4), we can then derive

\[ Truth_{bool}(\underline{[\varphi ]},\vec{p}) \rightarrow K^{(i+2)}(\underline{[Q_i^\varphi (\vec{p})]}), \]

as desired.

For an $\le m$-clause, $\le n$-variable 3CNF $\varphi = \kappa _1 \wedge \cdots \wedge \kappa _m$, its encoding is a Boolean string of length $3m(\lceil \log _2(n) \rceil +1)$. Each literal $x_i$ or $\lnot x_i$ is encoded as the binary encoding of $i$ ($\lceil \log _2(n) \rceil$ bits) plus a single other bit indicating whether the literal is positive (1) or negative (0). The encoding of a single clause is just the concatenation of the encodings of the three literals, and the encoding of $\varphi$ is the concatenation of these encodings.

We define

For a single 3-literal clause $\kappa$, we define $Truth_{bool,n}(\underline{[\kappa ]}, \vec{p})$ as follows. For an integer $i$, let $[i]$ denote the standard binary encoding of $i-1$ (so that the numbers $1,\ldots,2^k$ are put into bijective correspondence with $\lbrace 0,1\rbrace ^{k}$). Let $\underline{[\kappa ]} = \vec{q_1} s_1 \vec{q_2} s_2 \vec{q_3} s_3$, where each $s_i$ is the sign bit (positive/negative) and each $\vec{q_i}$ is a length-$\lceil \log _2 n \rceil$ string of variables corresponding to the encoding of the index of a variable. We write $\vec{q} = [k]$ as shorthand for $\bigwedge _{i=1}^{\lceil \log _2 n \rceil } (q_i \leftrightarrow [k]_i)$, where $x \leftrightarrow y$ is shorthand for $(x \wedge y) \vee (\lnot x \wedge \lnot y)$. Finally, we define:

The key fact we use is embodied in Lemma 6.1, which says that the set of (Hilbert-like) certificates for a given unsatisfiable system of equations is, in a precise sense, “finitely generated.” The basic idea is then to leverage this finite generation to extend lower bound techniques from individual polynomials to entire “finitely generated” sets of polynomials.

Because Hilbert-like certificates are somewhat simpler to deal with, we begin with those and then proceed to general certificates. But keep in mind that all our key conclusions about Hilbert-like certificates will also apply to general certificates. For this section, we will need the notion of a module over a ring (the ring-analogue of a vector space over a field) and a few basic results about such modules (see Section 2.3).

Recall that a Hilbert-like $\text{IPS}$-certificate $C(\vec{x}, \vec{y})$ is one that is linear in the $y$-variables, that is, it has the form $\sum _{i=1}^{m}G_i(\vec{x}) y_i$. Each function of the form $\sum _i G_i(\vec{x})y_i$ is completely determined by the tuple $(G_1(\vec{x}), \ldots , G_m(\vec{x}))$, and the set of all such tuples is exactly the $R[\vec{x}]$-module $R[\vec{x}]^{m}$.

The algebraic circuit size of a Hilbert-like certificate $C=\sum _i G_i(\vec{x}) y_i$ is equivalent (up to a small constant factor and an additive $O(n)$) to the algebraic circuit size of computing the entire tuple $(G_1(\vec{x}),\ldots, G_m(\vec{x}))$. A circuit computing the tuple can easily be converted to a circuit computing $C$ by adding $m$ times gates and a single plus gate. Conversely, for each $i$ we can recover $G_i(\vec{x})$ from $C(\vec{x}, \vec{y})$ by plugging in 0 for all $y_j$ with $j \ne i$ and 1 for $y_i$. So from the point of view of lower bounds on Hilbert-like certificates, we may consider their representation as tuples essentially without loss of generality. This holds even in the setting of Hilbert-like depth 3 $\text{IPS}$-proofs.

Using the representation of Hilbert-like certificates as tuples, we find that Hilbert-like $\text{IPS}$-certificates are in bijective correspondence with $R[\vec{x}]$ solutions (in the new variables $g_i$) to the following $R[\vec{x}]$-linear equation:

Just as in linear algebra over a field, the set of such solutions can be described by taking one solution and adding to it all solutions to the associated homogeneous equation:

We now come to the key lemma for Hilbert-like certificates.

Lemma 6.1 seems so conceptually important that it is worth re-stating:

The set of all Hilbert-like $\text{IPS}$-certificates for a given system of equations can be described by a single Hilbert-like $\text{IPS}$-certificate, together with a finite generating set for the syzygies.

Its importance may be underscored by contrasting the preceding statement with the structure (if any?) of the set of all proofs in other proof systems, particularly non-algebraic ones.

Note that a finite generating set for the syzygies (indeed, even a Gröbner basis) can be found in the process of computing a Gröbner basis for the $R[\vec{x}]$-ideal $\langle F_1(\vec{x}),\ldots, F_m(\vec{x}) \rangle$. This process is to Buchberger's Gröbner basis algorithm as the extended Euclidean algorithm is to the usual Euclidean algorithm; an excellent exposition can be found in the book by Ene and Herzog [32] (see also Eisenbud [31, Section 15.5]).

Lemma 6.1 suggests that one might be able to prove size lower bounds on Hilbert-like-$\text{IPS}$ along the following lines: (1) Find a single family of Hilbert-like $\text{IPS}$-certificates $(G_n)_{n=1}^{\infty }$, $G_n = \sum _{i=1}^{\operatorname{poly}(n)} y_i G_i(\vec{x})$ (one for each input size $n$); (2) use your favorite algebraic circuit lower bound technique to prove a lower bound on the polynomial family $G$; (3) find a (hopefully nice) generating set for the syzygies; and (4) show that when adding to $G$ any $R[\vec{x}]$-linear combinations of the generators of the syzygies, whatever useful property was used in the lower bound on $G$ still holds. Although this indeed seems significantly more difficult than proving a single algebraic circuit complexity lower bound, it at least suggests a recipe for proving lower bounds on Hilbert-like $\text{IPS}$ (and its subsystems such as homogeneous depth 3, depth 4, multilinear, etc.), which should be contrasted with the amorphous difficulty of transferring lower bounds for a circuit class to lower bounds on previous related proof systems, e.g., transferring $\mathsf {AC}^0[p]$ lower bounds [86, 94] to $\mathsf {AC}^0[p]$-Frege.

This entire discussion also applies to general $\text{IPS}$-certificates, with the following modifications. We leave a certificate $C(\vec{x}, \vec{y})$ as is, and instead of a module of syzygies we get an ideal (still finitely generated) of what we call zero-certificates. The difference between any two $\text{IPS}$-certificates is a zero-certificate; equivalently, a zero-certificate is a polynomial $C(\vec{x}, \vec{y})$ such that $C(\vec{x}, \vec{0}) = 0$ and $C(\vec{x}, \vec{F}(\vec{x})) = 0$ as well (contrast with the definition of $\text{IPS}$ certificate, which has $C(\vec{x}, \vec{F}(\vec{x})) = 1$). The set of $\text{IPS}$-certificates is then the coset intersection

A finite generating set for the ideal of zero-certificates can be computed using Gröbner bases (see, e.g., Ene and Herzog [32, Section 3.2.1]).

Just as for Hilbert-like certificates, we get:

The set of all $\text{IPS}$-certificates for a given system of equations can be described by a single $\text{IPS}$-certificate, together with a finite generating set for the ideal of zero-certificates.

Our suggestions above for lower bounds on Hilbert-like $\text{IPS}$ apply mutatis mutandis to general $\text{IPS}$-certificates, suggesting a route to proving true size lower bounds on $\text{IPS}$ using known techniques from algebraic complexity theory.

The discussion here raises many basic and interesting questions about the complexity of sets of (families of) functions in an ideal or module, which we propose in Section 7.

Li, Tzameret, and Wang [65] considered a noncommutative version of the Ideal Proof System. They consider precisely what one would imagine from the name “noncommutative formula IPS,” with the one caveat that—because it is designed to consider systems of polynomial equations coming from Boolean formulas—they always include the equations $x_i x_j - x_j x_i$ among the initial equations $F_i$. Their main result is as follows.

Their proof follows the conditional proof in this article; they get an unconditional result by giving a quasi-polynomial-size Frege proof for the deterministic polynomial-time algorithm for noncommutative formula PIT [84].

They go on to suggest that proving lower bounds on noncommutative formula IPS is potentially a more promising avenue for getting Frege lower bounds than by considering commutative formula IPS (which is p-equivalent to Frege if the formula PIT axioms have short Frege proofs). Their reasoning is that (a) noncommutative formula IPS is unconditionally quasi-polynomially equivalent to Frege and (b) exponential lower bounds on computing functions by noncommutative formulas have been known for decades [80]. Despite these facts, there are a few issues making this approach more difficult than it might appear in light of known noncommutative formula lower bounds [80]. In particular, although it remains the case that the set of noncommutative IPS certificates for a given tautology is a coset of an ideal—using essentially the same proof as in Section 6—it is now a coset of an ideal in a noncommutative polynomial ring. The issue here is that the remaining discussion in Section 6 does not go through a priori, because noncommutative polynomial rings are not Noetherian: For example, the ideal $\langle yxy, yx^2 y, yx^3 y,\ldots, \rangle$ in two noncommuting variables is not finitely generated. This raises a potentially important question about noncommutative IPS:

However, Nisan's original noncommutative circuit lower bound applied to the permanent and determinant regardless of the ordering of variables within a monomial [80]. This gives some hope that even if the answer to the preceding question is negative, one might be able to prove lower bounds on noncommutative IPS by proving noncommutative circuit lower bounds by considering (the noncommutative versions of) a finite generating set of the commutative version of the relevant coset of an ideal.

Forbes, Shpilka, Tzameret, and Wigderson [34] improved some of our foundational simulations and used circuit complexity lower bounds (some of which they developed in their article) to prove lower bounds on simple systems of equations (often the Boolean axioms plus a single equation) in restricted forms of IPS.

First, they show that Hilbert-like IPS is essentially equivalent to IPS:

As with our simulation result Proposition 3.7, in their result it is also difficult to get a good handle on the depth, so the result seems to only hold for IPS of unrestricted depth.

In their article [34], they prove many results; here we just highlight the main IPS lower bounds that they get and some open questions that are underscored by their results. Though we do not discuss their techniques, they surely deserve further investigation.

For definitions of the circuit classes considered, we refer to their article [34]. For some of their results, they introduce a new variant of IPS, which we call “weakly Hilbert-like”: This is IPS where the initial equations include the Boolean axioms $x_i^2 - x_i$, but the certificate is only required to be linear in the placeholder variables for the initial equations other than the Boolean axioms.

As they point out in their article, all of these lower bounds have the form of the Boolean axioms plus a single polynomial involving all of the variables. In particular, this allowed them to use techniques treating these formal polynomials as functions on the Boolean cube, implicitly handling the syzygies between the Boolean axioms and the one other function. But their techniques seem ill suited to handle situations with more complicated syzygies. Even the following question would be an interesting extension of their results: