Baby-Step Giant-Step Algorithms for the Symmetric Group
Eric Bach
University of Wisconsin-Madison
Bryce Sandlund
University of Wisconsin-Madison
Abstract
We study discrete logarithms in the setting of group actions. Suppose that $G$ is a group that acts on a set $S$. When $r, s \in S$, a solution $g \in G$ to $r^g = s$ can be thought of as a kind of logarithm. In this paper, we study the case where $G = S_n$, and develop analogs to the Shanks baby-step / giant-step procedure for ordinary discrete logarithms. Specifically, we compute two sets $A, B \subseteq S_n$ such that every permutation of $S_n$ can be written as a product $ab$ of elements $a \in A$ and $b \in B$. Our deterministic procedure is optimal up to constant factors, in the sense that $A$ and $B$ can be computed in optimal asymptotic complexity, and $|A|$ and $|B|$ are a small constant from $\sqrt{n!}$ in size. We also analyze randomized “collision” algorithms for the same problem.

Keywords: Symmetric group, group actions, discrete logarithm, collision algorithm, computational group theory.
1. Introduction
Collision algorithms have been used to obtain polynomial (typically square root) speedups since the advent of computer science. Indeed, there are even collision “algorithms” in the world of analog measurement (Kwan, 2011). Most collision algorithms exploit time-space tradeoffs, arriving at a quicker algorithm by storing part of the search space in memory and utilizing an efficient lookup scheme. One of the most famous of these collision-style methods is Shanks’s baby-step giant-step procedure for the discrete logarithm problem (Shanks, 1969).

Traditionally, the discrete logarithm problem is the problem of finding an integer $k$ such that $b^k = g$, where $b$ and $g$ are elements of a finite cyclic group of order $n$ and $b$ is a generator (has order $n$). Then there is exactly one $k \in \{0, \ldots, n-1\}$ such that $b^k = g$. Shanks’s baby-step giant-step algorithm then writes $k = im + j$ with $m = \lceil \sqrt{n} \rceil$ and $0 \le i, j \le m$ and looks for a collision in the equation $g (b^{-m})^i = b^j$.

Email addresses: [email protected] (Eric Bach), [email protected] (Bryce Sandlund)
URL: http://pages.cs.wisc.edu/~bach/ (Eric Bach), http://pages.cs.wisc.edu/~sandlund/ (Bryce Sandlund)
Preprint submitted to Journal of Symbolic Computation, March 31, 2018

By precomputing values of $b^j$ (or $b^{-mi}$) and storing them in a hash table, a collision can be found in $O(\sqrt{n})$ time and $O(\sqrt{n})$ space, recovering the solution $k$.

Various extensions of the baby-step giant-step algorithm have been developed, mostly focusing on discrete logarithm problems in groups that are important to cryptography. For the classic problem, Pollard (1978) contributed two elegant methods that also exploit collision, but use very little space. (They have yet to be rigorously analyzed, in their original form.) For more information about these algorithms, and more efficient methods that apply to specific groups of an arithmetic nature, we refer to surveys by McCurley (1990) and Teske (2001).

Ideas similar to the baby-step giant-step algorithm have been used on 0-1 integer programming problems. (This seems to be folklore.) Suppose we want to solve $Ax = b$, where $x$ is a 0-1 column vector. If we let $x_1$ and $x_2$ be half-length column vectors, and split $A$ down the central column into $A_1$ and $A_2$, we can use collision to solve $A_1 x_1 = b - A_2 x_2$. (Here, we exploit not a group structure, but rather, the associative law for matrix-vector multiplication.) For a recent application, see Etherington et al. (2016).

In this paper, we focus on a different discrete log generalization that can be stated as follows.

Definition 1.
Suppose that $G$ is a finite group that acts on a set $S$. Denote by $r^g$ the action of $g \in G$ on $r \in S$. Then, given elements $r, s \in S$, the group action discrete logarithm problem is the problem of finding a $g$ such that $r^g = s$.

The first step beyond brute force search for this problem is to design an analog to the Shanks method. We will find appropriate splitting sets $A, B \subseteq G$ so that for any $s$ in the orbit $r^G = \{r^g : g \in G\}$, we have $r^{ab} = s$ for some $a \in A$ and $b \in B$. A match in the two sets $\{r^a : a \in A\}$ and $\{s^{b^{-1}} : b \in B\}$ recovers the solution $g = ab$.

In this work, we treat two situations. The first is one of maximum generality: we know almost nothing about the structure of $G$, and can only work with it by applying it to elements of $S$. The second is maximally specific: $G$ is the symmetric group $S_n$. In neither case do we assume any particular knowledge about the orbit of $r$ or $s$.

For general groups (the first case), we analyze randomized methods that achieve square root speedups when compared to the naive approach of exhaustive search. For the important second case, we develop deterministic algorithms that utilize the structure of $S_n$. These algorithms have close to square root complexity.

To motivate our model and concentration on $S_n$, we give several applications that fit into our framework.
2. Applications
We first show how group actions lead to an unconventional algorithm for the graph isomorphism problem (GI). Let $S$ be the set of adjacency matrices for graphs on $n$ vertices. The symmetric group $S_n$ acts on $S$, via $M^g = P_g M P_g^{-1}$. ($P_g$ is just the permutation matrix for $g$.) In this case, the group action discrete logarithm problem is exactly graph isomorphism: given adjacency matrices $M$ and $N$, find $g \in S_n$ to make $M^g = N$, or determine that no such $g$ exists. Using our results, we arrive at a deterministic graph isomorphism procedure with run time about $\sqrt{n!}$.

Although there are much faster algorithms than this, they are either conceptually involved (Babai et al., 1983; Babai, 2016), cannot guarantee efficient performance in all cases (Fürer and Immerman, 1992), or both (McKay and Piperno, 2014). The baby-step giant-step algorithm, on the other hand, gives an immediate proof that exhaustive search through permutations is not the best method for graph isomorphism.

There are a variety of other GI-related problems that also fit in the discrete log symmetric group action framework. In particular, hypergraph isomorphism and equivalence of permutation groups via conjugation can both be formulated as symmetric group actions. Furthermore, the latter problem has no known moderately exponential ($\exp(n^{1-c})$ for $c > 0$) algorithm (Babai, 2016).

We further note that in cryptography, the solution of iterated block ciphers (Merkle and Hellman, 1981) is closely related to a group-action discrete logarithm problem in a symmetric group. Our approach may also be useful in computational Galois theory, specifically, in computing the splitting field of a polynomial (Orange et al., 2009).

Because our approach is orbit-oblivious, our framework is very general. In some problems, however, algorithms aware of orbit restrictions may benefit significantly by reducing the number of $g \in G$ to consider. This is true, for example, in the graph isomorphism problem. An orbit-sensitive GI algorithm can utilize the fact that a vertex can only be mapped to another vertex of the same degree, whereas our approach will test every permutation. On the other hand, there seem to be problems where one cannot exploit such orbit restrictions.

In our conference paper, we developed such an example using homomorphic encryption. The idea was that if we take a group action discrete logarithm problem and convert the objects $r$, $s$, and the action function $r^g$, to ciphertext $E(r)$, $E(s)$, and an action function on ciphertext $E(r)^g$, then no orbit restrictions can be determined on the encrypted objects. Unfortunately, there is a slight issue with this example, because encryption and functions on ciphertext are allowed to have different outputs for the same input; in fact, the security of such cryptosystems requires it. If this is the case, we can’t compare ciphertexts for equality or use efficient lookup schemes on ciphertext. The basic idea of the example still works, however, and we can get around the issues by not explicitly using a homomorphic encryption system.

Instead, imagine that you are given two ordered arrays of $n$ indistinguishable objects with unique identities and a hash function that maps each possible ordered array of $n$ objects uniquely to a positive integer.
The problem is to compute the permutation that moves the objects of the first array into the same order as the second, if such a permutation exists, using only the hash function on permutations of the first and second arrays. The symmetric group acts by permuting arrays of indistinguishable objects, and we may store the integer given by the hash function for each permuted array to determine a collision. In this case, this is all we can do, since each permutation of the objects is indistinguishable and the associated integers say nothing about the particular permutation represented. Our results show that we may solve this problem deterministically in time and space $O(n\sqrt{n!})$.

Although the above problem is only theoretical, it is likely a realization exists with the correct notion of indistinguishability and hash function that respects this notion. Solving such group action discrete logarithm problems by means of collision reduces to efficient construction of the sets $A$ and $B$. In the remainder of this paper, we shift our focus to the construction of these sets, rather than the mechanics of the algorithm itself. But before we do this, we give a hardness result that shows the group action discrete logarithm problem is as hard as the traditional discrete logarithm.

3. Hardness

In this section, we reduce the discrete logarithm problem to the group action discrete logarithm problem.

Let $C_n$ be the cyclic group of order $n$, with generator $a$. The traditional discrete logarithm problem is the following. Given $b \in C_n$, find an $x \in \mathbb{Z}_n$ for which $a^x = b$. (Note that $C_n$ is written multiplicatively.) This is not a group action discrete logarithm problem, because the $x$-th power map may not be 1-1: consider $x = $ … $\mathbb{Z}_n^*$ on $C_n$. We now show how to reduce the traditional discrete logarithm problem to computation of a group action discrete logarithm.

A randomized reduction is easiest to describe. Given $a, b$ as above, choose a random integer $r$ with $0 \le r < n$, and set $b' = ba^r$. With probability $\Omega(1/(\log\log n))$, the (unknown) discrete log $x$ will satisfy $x + r \in \mathbb{Z}_n^*$, thereby making the randomly shifted element $ba^r$ a generator of $C_n$. A solution to the group action discrete log problem $a^y = b'$ then gives us $x$, as $y - r$.

This reduction can be made deterministic. Recall that Jacobsthal’s function $J(n)$ denotes the maximum distance between consecutive units of $\mathbb{Z}_n$. (Distance is reckoned along the cycle, so that, for example, … $J(7) = $ ….) … $J(n) = O(\log n)$, although sharper bounds have been conjectured, for example by Vaughan (1977). (No explicit bound that is polynomial in $\log n$ seems to be known, but Costello and Watts (2013) come close: their estimate is $(\log n)^{O(\log\log\log n)}$.) Therefore, we can replace the random guess $r$ by a search through $r = 0, 1, \ldots$. For one of these choices, $ba^r$ will generate $C_n$. We use, at most, $O(\log n)$ values of $r$.

For many applications in cryptography, $n$ is chosen to be prime, and this case is of interest to us as well. Here, there are only two “types” for the value $x$. As an element of $\mathbb{Z}_n$, $x$ is either 0, which we can test by comparing $b$ to 1, or relatively prime to $n$. So, the traditional discrete log problem in $C_n$ with $n$ prime reduces immediately to a group action discrete log problem.

Using these reductions, we can draw conclusions about the hardness of the group action discrete log problem. Shoup (1997) showed that any generic probabilistic algorithm to solve the discrete log problem in $C_n$ must do $\Omega(\sqrt{p})$ operations, where $p$ is the largest prime factor of $n$. Informally, by a generic algorithm, we mean one that interacts with the group only by doing group operations and equality tests. (See Shoup’s paper for a precise definition.) Earlier, Nechaev (1994) had proved a similar result for a large class of deterministic algorithms. Now, let us imagine that we have a generic algorithm $Y$ that can solve the discrete log problem $a^x = b$ in $C_n$, but only when $a$ and $b$ are generators. (If the condition isn’t fulfilled, the algorithm fails.) In effect, $Y$ solves a group action discrete logarithm problem for the case $G = \mathbb{Z}_n^*$ and $S = C_n$, under a certain promise about the inputs. Using our reductions, we can extend $Y$ to get a generic algorithm $Y'$ that solves traditional discrete log problems, with polynomial (in $\log n$) overhead. The running time of $Y$ must therefore obey Shoup’s lower bound: it must use $\Omega(\sqrt{p})$ group operations.

Since generic algorithms can be randomized, a consequence of this is that the black-box algorithm based off of section 4 is best possible, since it applies to $S = C_p$ and $G = \mathbb{Z}_p^*$.
4. A Randomized Approach
In this section our approach is general enough to work over any group $G$ where random elements can be generated efficiently. For the special case when $G = S_n$, this is possible through random shuffling procedures. For arbitrary permutation groups, this is also possible with an additive $\mathrm{poly}(n)$ overhead, where $n$ is the degree of the permutation group (Seress, 2003). The algorithmic approach to random sampling of an arbitrary (permutation) group is discussed more thoroughly in Seress (2003) and Cooperman (1993).

In this setting, an obvious idea is to simply pick $k$ random elements of $G$ for the set $A$ and $k$ random elements of $G$ for the set $B$. Then, the probability a particular $g \in G$ is present in $AB$ will depend on the value of $k$. For ease of notation, let $m = |G|$. We have:

Proposition 2.
Suppose we pick $k$ random elements of $G$ without replacement for the set $A$ and likewise for $B$. Then the probability a particular $g \in G$ is present in $AB$ satisfies
$$\Pr[g \in AB] \ge 1 - e^{-k^2/m}.$$

Proof.
Observe that $g \notin AB$ precisely when each $b \in B$ avoids the set $\{a^{-1}g : a \in A\}$. The probability of this event is
$$\left(1 - \frac{k}{m}\right)\left(1 - \frac{k}{m-1}\right)\cdots\left(1 - \frac{k}{m-k+1}\right),$$
which is at most $(1 - k/m)^k$. Rewriting the exponent and utilizing that $(1 - x/n)^n \le e^{-x}$ gives us
$$\Pr[g \notin AB] \le \left(\left(1 - \frac{k}{m}\right)^{m}\right)^{k/m} \le e^{-k^2/m},$$
from which the claim follows.

By setting $k = \Theta(\sqrt{m})$, we can make the probability that $g$ is present in $AB$ constant. Our analysis, however, assumed sampling without replacement. If we simply sample with replacement and redraw when a duplicate is found, it is not hard to see that as long as we are sampling $o(m)$ elements, the number of extra draws is $O(1)$ in expectation.

Note that with this approach, there will always be a non-zero probability that some group elements are missing in $AB$, which will lead to one-sided error in our algorithm. Namely, if no $g$ is found where $r^g = s$, the randomized procedure only gives probabilistic evidence that no $g$ exists. Furthermore, checking for missing elements of $G$ in $AB$ takes $O(|G|)$ time. While this would only need to be done once and work for any set $G$ acts on, it is prohibitively expensive.

This leads us to ask for a deterministic algorithm to construct the sets $A$ and $B$. This question inherently asks about structure of the group $G$ that can be exploited, similarly to the original Shanks method for the traditional discrete logarithm. Therefore, we will focus on the special case when $G = S_n$.
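The randomized construction above, as an added example that is not part of the paper: it draws $k$ permutations of $S_n$ for each of $A$ and $B$, compares the exact miss probability from the proof with the bound $e^{-k^2/m}$, and measures what fraction of $S_n$ the product set $AB$ actually covers (the group sizes, $k$ values and seed used are constructed choices).

```python
import itertools
import math
import random

def compose(a, b):
    """Product ab in the paper's right-action convention: apply a, then b.
    Permutations of {0, ..., n-1} are tuples p with p[i] = image of point i."""
    return tuple(b[i] for i in a)

def miss_bound(k, m):
    """Proposition 2: Pr[g not in AB] <= e^{-k^2/m} for |A| = |B| = k, |G| = m."""
    return math.exp(-k * k / m)

def miss_exact(k, m):
    """Exact Pr[g not in AB] from the proof: each of the k elements of B, drawn
    without replacement, must avoid the k-element set {a^{-1} g : a in A}."""
    p = 1.0
    for i in range(k):
        p *= 1 - k / (m - i)
    return p

def random_splitting_sets(n, k, seed):
    """Draw k distinct random permutations for A and, independently, k for B."""
    rng = random.Random(seed)  # seeded so the constructed trial is reproducible
    group = list(itertools.permutations(range(n)))
    return rng.sample(group, k), rng.sample(group, k)

def coverage(n, A, B):
    """Fraction of S_n that occurs in the product set AB; a 'no solution' answer
    from the collision algorithm is only as reliable as this number."""
    products = {compose(a, b) for a in A for b in B}
    return len(products) / math.factorial(n)

def experiment(n, k, seed=1):
    """Run one constructed trial over S_n and report the numbers side by side."""
    A, B = random_splitting_sets(n, k, seed)
    m = math.factorial(n)
    return {"m": m, "k": k, "covered": coverage(n, A, B),
            "exact_hit": 1 - miss_exact(k, m), "bound_hit": 1 - miss_bound(k, m)}
```

With $n = 5$ and $k = 11 \approx \sqrt{120}$ the bound promises each permutation is covered with probability about $0.64$, the exact value is about $0.67$, and the observed coverage of a single trial is of that order.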
5. Background on Groups
Our deterministic algorithm will rely on some elementary group theory. For this, we state a few necessary results and definitions.

All groups in this paper will be finite. If $K$ is a subgroup of $G$, we write $K \le G$, and $K < G$ if the containment is proper. We do not assume that $K$ is normal in $G$.

When $K \le G$, its left cosets are the $|G|/|K|$ sets $gK$ with $g \in G$. Right cosets are defined similarly. Note that the set of left (or right) cosets of $K$ in $G$ forms a partition of $G$. Thus if we have a subgroup $K$ of $G$, we can take $B = K$ and $A$ to be a set of elements of $G$ such that each left coset of $K$ in $G$ is represented in $A$. Then every element of $G$ will be present in $AB$.

In group theory, a minimal perfect set $A$ of this kind is called a transversal.

Definition 3 (Transversal).
A left (right) transversal $T$ of a subgroup $K$ of $G$ is a set of elements of $G$ such that each left (right) coset of $K$ in $G$ has exactly one representative in $T$. Thus, $T$ is a minimal set of coset representatives of $K$ in $G$.
To make this definition clear, we give the following:
Example 4.
Let $G = \mathbb{Z}_{n^2}$ and let $K$ be the unique subgroup of $G$ with $n$ elements. Then $|G : K| = n$. If $G = \{0, \ldots, n^2 - 1\}$, $K = \{0, n, 2n, \ldots, (n-1)n\}$. One transversal of $K$ in $G$ is $T = \{0, 1, 2, \ldots, n-1\}$.

For this example, $K$ and $T$ are exactly the sets of giant steps and baby steps that the Shanks algorithm would use. However, transversals are not unique; for example, we could have taken $T$ to be any complete set of representatives modulo $n$.

Combinatorially, a subgroup $B$ and its left transversal $A$ form a perfect splitting set for $G$, in the sense that every $g \in G$ is uniquely of the form $ab$, for $a \in A$ and $b \in B$. Perfect splitting sets need not be subgroups, as we could always replace $A$ by $Ax$ and $B$ by $x^{-1}B$, choosing $x \in G$ at will.

Ideally, these splitting sets have cardinality exactly $\sqrt{|G|}$. However, $n!$ is never a square for $n > 1$, so such perfect splitting sets cannot exist for $G = S_n$. Therefore, we will either have to tolerate duplicated products (as we did in the last section), or look for set sizes close to, but not exactly matching, $\sqrt{n!}$.

We now give some concepts that provide a “data structure” for working with permutation groups:

Definition 5 (Base).
Let $G$ act on $\Omega$. A base $B$ for $G$ is an ordered subset of $\Omega$ (i.e. a list) with the following property: the only element of $G$ that stabilizes everything in $B$ is the identity.

For our purposes, $G = S_n$, which stabilizes no element of $\Omega = \{1, \ldots, n\}$. So, we will use $B := [1, 2, \ldots, n]$; that is, $B = \Omega$ with the natural ordering of the integers. We could choose to not include any single integer from $B$, since the action of a permutation on the missing integer can be inferred via its action on the other elements; however, it will be easier to describe the transversal algorithm with a more complete base, and no loss of efficiency will be incurred. A base provides a convenient form to represent elements of $G$:

Definition 6 (Base Image).
If $g \in G$ and $B = [\beta_1, \beta_2, \ldots, \beta_k]$ is a base for $G$, then $B^g := [\beta_1^g, \ldots, \beta_k^g]$ is called the base image of $g$ (relative to $B$).

Recall that $\beta_i^g$ means the result of applying the group element $g$ to the object $\beta_i \in \Omega$. With the base $B := [1, 2, \ldots, n]$, the base image gives the typical vector notation of a permutation. The base image $B^g$ uniquely determines the element $g \in G$.
6. Bidirectional Collisions
In recent work, Rosenbaum (2015) described a general framework to create deterministic collision algorithms for isomorphism problems. In his dissertation, Rosenbaum does not initially give a way to apply this to permutation search, instead using a simpler problem to demonstrate the technique (Rosenbaum, 2015, p. 196). We are not aware that the application of bidirectional collision detection to permutation search is known, so we describe and analyze what we believe is the most natural application in this section.

Let $X$ and $Y$ be two objects that we wish to test for isomorphism. In bidirectional collision detection, potential isomorphisms are represented by root-to-leaf paths in a tree. The individual labelling of nodes at a particular level is not known, and is in general different between $X$ and $Y$. We choose one set of paths that reach all nodes halfway down the tree, extending to leaves arbitrarily, and apply these to $X$. We choose one path to an arbitrary node halfway down the tree, extend it in all possible ways, and then apply each of these to $Y$. The shared path represents the isomorphism between $X$ and $Y$.

Figure 1: An example search tree for bidirectional collision detection. The set of paths applied to $X$ are in blue, to $Y$ are in red, and the shared path is in green.

If we denote the set of transformations applied to $X$ as $C$ and to $Y$ as $D$, then, borrowing the group action notation, this framework finds paths $c \in C$ and $d \in D$ so that $X^c = Y^d$ whenever there exists some $g$ such that $X^g = Y$. Thus, this approach writes $g = cd^{-1}$, for some $c \in C$ and $d \in D$. This means the sets $C$ and $D^{-1}$ form a factorization of the search space in the same way as our sets $A$ and $B$. Note that by $D^{-1}$, we mean the set of all inverses of the elements in $D$.

To split the search space for permutations, the first level of our search tree will correspond to where we send the integer 1, the second the integer 2, and so on. We choose a $k$ with $1 \le k \le n$ as our halfway point. The set $C$ will consist of $(n)_k$ ($n$ pick $k$) permutations. Each permutation sends $1, 2, \ldots, k$ to all possible $k$-tuples in $\{1, 2, \ldots, n\}$. We can choose arbitrarily where to send $k+1, \ldots, n$.

To make $D$, we choose an image tuple for the first $k$ elements arbitrarily (not moving them at all will do) and then extend with all $(n-k)!$ possible suffixes.

Since $|C| = (n)_k$ and $|D| = (n-k)!$, the counting functions for these two sets are not interchangeable. However, we can try to balance the values of $(n)_k$ and $(n-k)!$. Since $(n)_k \cdot (n-k)! = n!$, finding a $k$ such that $(n)_k \approx (n-k)!$ will, at least approximately, minimize $(n)_k + (n-k)!$, the cost of the collision algorithm. We will show that the “right” value of $k$ is roughly, but not exactly, $n/2$. Surprisingly, the performance of the algorithm is very sensitive to $k$.

To proceed, we must obtain asymptotics for the solution $x$ in $x! = \sqrt{n!}$. We will use $x!$ as an abbreviation for $\Gamma(x+1)$ and $\log$ as the natural logarithm.
Proposition 7.
For integer $n \ge$ …, let $x$ be the positive real solution to $x! = \sqrt{n!}$. Then
$$x = \frac{n}{2}\left(1 + O\left(\frac{1}{\log n}\right)\right).$$

Proof.
Since log factorial is convex (Andrews et al., 1999, p. 13), and the central binomial coefficient is a positive integer, we have
$$\left(\frac{n}{2}\right)!^{2} \le \left\lfloor \frac{n}{2} \right\rfloor! \cdot \left\lceil \frac{n}{2} \right\rceil! \le n!.$$
Therefore, $n/2 \le x \le n$. From the enveloping property of Stirling’s series (Whittaker and Watson, 1973, pp. 252-253), we deduce that
$$\left(\frac{z}{e}\right)^{z} \le z! \le z^{z}$$
holds for $z \ge 1$. This implies
$$x(\log x - 1) \le \log x! \le \frac{n}{2}\log n,$$
so
$$x \le \frac{n\log n}{2(\log x - 1)} \le \frac{n\log n}{2(\log n - \log 2 - 1)} = \frac{n}{2}\left(1 + O\left(\frac{1}{\log n}\right)\right).$$
Since $x \ge n/2$, the result follows.

Sharper estimates can be obtained from $\log z! = z\log z - z + O(\log z)$, and then “bootstrapping” (Greene and Knuth, 1982). For example,
$$x = \frac{n}{2}\left(1 + \frac{\log 2}{\log n} + O\left((\log n)^{-2}\right)\right).$$
This is already pretty good: if $n = $ …, then $x \approx$ … and $\frac{n}{2}\left(1 + \log 2/\log n\right) \approx$ ….

We now give the best choice of $k$ for bidirectional collision detection applied to permutation search, and analyze the performance of the technique with this choice.

Proposition 8.
Bidirectional collision detection applied to permutation search finds $A, B \subseteq S_n$ such that $AB = S_n$ and $\max(|A|, |B|) = \Theta\left(n^{1/2}\sqrt{n!}\right)$.

Proof.
Let $x$ be the positive real solution to $x! = \sqrt{n!}$. Since $x!$ increases for $x \ge 1$, there is an integer $m$ such that
$$(m-1)! \le x! = \sqrt{n!} \le m!.$$
Choose $k$ so that $n - k$ is the closest integer (either $m$ or $m-1$) to $x$. This will cause one of our sets to be larger than its “ideal” value $\sqrt{n!}$, and we must estimate this disparity. Let $n - k = x + \alpha$, with $|\alpha| \le 1/2$. Now $(x+\alpha)! \sim x!\,x^{\alpha}$ as $x \to \infty$, in the sense that the limiting ratio is 1. Using this, and our asymptotic expression for $x$ from Proposition 7, we have
$$(n-k)! = (x+\alpha)! \sim x!\,x^{\alpha} \sim \sqrt{n!}\left(\frac{n}{2}\right)^{\alpha}.$$
Similarly,
$$(n)_k = \frac{n!}{(n-k)!} \sim \frac{n!}{\sqrt{n!}\,(n/2)^{\alpha}} = \sqrt{n!}\,(n/2)^{-\alpha}.$$
The bound on $|\alpha|$ gives
$$\max(|A|, |B|) = \max\left((n)_k, (n-k)!\right) = \Theta\left(n^{1/2}\sqrt{n!}\right).$$

Probably, the factor $n^{1/2}$ is best possible. Examination of numerical data shows that $\alpha$ varies irregularly within the interval $(-1/2, 1/2)$ … $n$’s on which $\alpha$’s limiting value is $1/2$.

For the naive choice $k = n/2$, as a consequence of Stirling’s formula,
$$(n)_{n/2} = \Theta\left(n^{-1/4}\,2^{n/2}\sqrt{n!}\right)$$
when $n$ is even. Therefore, the “overhead” for exact splitting is exponential in $n$. It is not hard to see this intuitively, by considering a decision tree for generating permutations. Each of the “large” branching factors $n - i$, $0 \le i < n/2$, is roughly twice as large as its “small” counterpart $n/2 - i$. By choosing the best splitting fraction for each $n$, we have reduced this overhead to a small power of $n$.

Finally, we note that this approach indeed employs a subgroup and a corresponding transversal of that subgroup. The set $D$ fixes the first $k$ elements and permutes the remaining $n - k$ elements amongst themselves in all possible ways. So $D$ is isomorphic to $S_{n-k}$. Because of this, $D^{-1} = D$. Then, since $CD = S_n$ and $|C||D| = n!$, $C$ is a perfect set of left coset representatives of $D$ in $S_n$, i.e., a left transversal of $S_{n-k}$ in $S_n$.
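Added example (not from the paper): choosing the split $k$ for bidirectional collision detection and building the sets $C$ and $D$ described above for $S_n$ acting on the points $0, \ldots, n-1$. `factorizes` checks that $C \cdot D^{-1}$ is all of $S_n$, and `overhead` shows how sensitive the larger set is to $k$ (compare the balanced $k$ with $k = n/2$); the values of $n$ used in the checks are constructed choices.

```python
import itertools
import math

def compose(g, h):
    """Function composition g∘h: apply h first, then g, so (g∘h)[i] = g[h[i]].
    Under this convention C below is a left transversal of D and C·D = S_n."""
    return tuple(g[i] for i in h)

def inverse(g):
    inv = [0] * len(g)
    for i, gi in enumerate(g):
        inv[gi] = i
    return tuple(inv)

def falling(n, k):
    """(n)_k = n (n-1) ... (n-k+1): the number of ways to choose images for k points."""
    result = 1
    for i in range(k):
        result *= n - i
    return result

def best_split(n):
    """The k in 1..n minimising (n)_k + (n-k)!, the cost of the collision search."""
    return min(range(1, n + 1), key=lambda k: falling(n, k) + math.factorial(n - k))

def build_C(n, k):
    """C: one permutation for every k-tuple of distinct images of the points
    0..k-1; the remaining points are sent to the unused images in order."""
    C = []
    for images in itertools.permutations(range(n), k):
        rest = [x for x in range(n) if x not in images]
        C.append(images + tuple(rest))
    return C

def build_D(n, k):
    """D: fix 0..k-1 pointwise and permute the remaining n-k points in all (n-k)! ways."""
    return [tuple(range(k)) + tuple(k + i for i in tail)
            for tail in itertools.permutations(range(n - k))]

def factorizes(n, k):
    """Check the claim above: every g in S_n is c d^{-1} with c in C, d in D,
    and |C| |D| = n!, so the representation is unique."""
    C, D = build_C(n, k), build_D(n, k)
    products = {compose(c, inverse(d)) for c in C for d in D}
    return len(products) == math.factorial(n) and len(C) * len(D) == math.factorial(n)

def overhead(n, k):
    """max(|C|, |D|) / sqrt(n!): how far the larger set is from the ideal size."""
    return max(falling(n, k), math.factorial(n - k)) / math.sqrt(math.factorial(n))
```

For $n = 20$ the balanced split is $k = 8$ (so $n - k = 12$, the integer nearest the solution of $x! = \sqrt{20!}$) with overhead about $3.3$, whereas $k = n/2 = 10$ has overhead above $400$.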
7. A Better Subgroup
In the conference version of this paper, we improved upon bidirectional collision detection by finding a subgroup of $S_n$ of size $\Theta(n^{\pm\ldots}\sqrt{n!})$, with the plus or minus sign depending on the parity of $n$. With its corresponding transversal, this leads to sets $A$ and $B$ of size $\max(|A|, |B|) = \Theta(n^{\ldots}\sqrt{n!})$. In this version, we find a subgroup of size $\Theta(\sqrt{n!})$, leading to sets $A$ and $B$ of size $\max(|A|, |B|) = \Theta(\sqrt{n!})$, which is optimal up to constant factors.

Our conference paper relied on a particular subgroup that was very close to $\sqrt{n!}$ in size. Our new approach will be more similar to the previous section. In particular, instead of choosing a specific subgroup for each $n$, we will choose a subgroup from a set of options with sizes roughly evenly (geometrically) distributed from 1 to $n!$. To improve upon the $O(\sqrt{n})$ size gap given by bidirectional collision detection, we will need to pick our subgroup from a larger set of options.

One very simple idea is to take the symmetric group $S_k$ for $0 \le k \le n$ and add an $\ell$-cycle on the remaining $n - k$ integers into the generating set, where $\ell$ may range from $0$ to $n - k$. When $\ell \le 1$, this is just $S_k$; further, when $k = 0$, it is just the cyclic group generated by the $\ell$-cycle. Without loss of generality, we assume either $k$ or $\ell$ is greater than 0.

We will show that for large enough $n$, there exists a choice of $k$ and $\ell$ that produces a subgroup of this structure with size very close to $\sqrt{n!}$.

Lemma 9.
Denote by $\sigma$ the $\ell$-cycle $(k{+}1\ \ k{+}2\ \ \ldots\ \ k{+}\ell)$ and by $H$ the subgroup of $S_n$ generated by $S_k$ and $\sigma$. Here, we require $0 \le k \le n$ and $0 \le \ell \le n - k$. WLOG, we assume $k + \ell > 0$. Then $|H| = k!$ when $\ell = 0$ or $1$ and $|H| = \ell \cdot k!$ when $\ell \ge 2$. Explicitly, the subgroup $H$ is generated by
$$H = \begin{cases} \langle (1\ 2),\ (1\ 2\ \ldots\ k),\ (k{+}1\ \ k{+}2\ \ \ldots\ \ k{+}\ell) \rangle & \text{if } \ell \ge 2,\ k \ge 2; \\ \langle (1\ 2),\ (1\ 2\ \ldots\ k) \rangle & \text{if } \ell \le 1,\ k \ge 2; \\ \langle (2\ 3\ \ldots\ \ell{+}1) \rangle & \text{if } k = 1; \\ \langle (1\ 2\ \ldots\ \ell) \rangle & \text{if } k = 0. \end{cases}$$

Proof.
Recall that $S_k$ is generated by $(1\ 2)$ and $(1\ 2\ \ldots\ k)$. When $k \le 1$, $H$ is the powers of the $\ell$-cycle $\sigma$, so $H = \langle (1\ 2\ \ldots\ \ell) \rangle$ if $k = 0$ and $H = \langle (2\ 3\ \ldots\ \ell{+}1) \rangle$ if $k = 1$. When $\ell \le 1$ and $k \ge 2$, $S_k$ is our entire subgroup, therefore $H = \langle (1\ 2),\ (1\ 2\ \ldots\ k) \rangle$, and (even if $k \le 1$) $|H| = k!$. Now assume $\ell \ge 2$, $k \ge 2$. The $\ell$-cycle $\sigma = (k{+}1\ \ k{+}2\ \ \ldots\ \ k{+}\ell)$ is disjoint from $S_k$, so we may compose any element of $S_k$ with a power of $\sigma$ to produce a new element of $H$. Thus, in this case, $H = \langle (1\ 2),\ (1\ 2\ \ldots\ k),\ (k{+}1\ \ k{+}2\ \ \ldots\ \ k{+}\ell) \rangle$. Since there are $\ell$ distinct powers of $\sigma$, when $\ell \ge 2$, $|H| = \ell \cdot k!$.

Now suppose we are looking for a subgroup of $S_n$ of size $m$. Assume $m < n!$. If $m = n!$, we may use $S_n$ itself. Let $x$ be the largest integer such that $x! \le m < (x+1)!$. We will show the following.
Theorem 10.
We may find a subgroup $H$ of $S_n$ of size within a factor of $\max\left\{\sqrt{2},\ \sqrt{\frac{x+1}{n-x}}\right\}$ of $m$.

Proof.
By Lemma 9, we may find a subgroup $H$ for any $x + \ell \le n$. Thus, we may find a subgroup of size $\ell \cdot x!$ for $1 \le \ell \le n - x$, and of size $(x+1)! = (x+1)\cdot x!$; successive sizes in this list differ by a factor of at most $2$, except for the last pair, whose ratio is $(x+1)/(n-x)$. Let
$$\alpha = \max\left\{\sqrt{2},\ \sqrt{\frac{x+1}{n-x}}\right\}.$$
Then $m$ will reside within a factor of $\alpha$ from the size of one of the above subgroups; that is, we may find a subgroup $H$ with $m/\alpha \le |H| \le \alpha m$.

Using Theorem 10, we may prove the following Corollary for our specific choice of $m = \sqrt{n!}$.

Corollary 11.
We may find a subgroup $H$ of $S_n$ of size $\frac{\sqrt{n!}}{\sqrt{2}} \le |H| \le \sqrt{2}\,\sqrt{n!}$ for $n \ge$ …; that is, we may find a subgroup $H$ of size $\Theta(\sqrt{n!})$ in $S_n$.

Proof.
For $0 < x < n$, the derivative with respect to $x$ of $(x+1)/(n-x)$ is $(n+1)/(n-x)^2$, so this function is increasing on $(0, n)$. Solving for $x$ in $\sqrt{2} = \sqrt{(x+1)/(n-x)}$ yields $x = (2n-1)/3$. Thus, for $0 < x \le (2n-1)/3$,
$$\max\left\{\sqrt{2},\ \sqrt{\frac{x+1}{n-x}}\right\} = \sqrt{2}.$$
Now let $y$ be the positive real solution to $y! = \sqrt{n!}$. As proven in Proposition 7, the solution can be expressed asymptotically by
$$y = \frac{n}{2}\left(1 + O\left(\frac{1}{\log n}\right)\right).$$
If we let $x = \lfloor y \rfloor$, as in Theorem 10, then for all sufficiently large $n$, $x$ will be less than or equal to $(2n-1)/3$. Examination of numerical data shows that for $n \ge$ …, $\lfloor y \rfloor \le \lfloor (2n-1)/3 \rfloor$.

The above corollary says that there exists a subgroup $H$ within a constant factor of $\sqrt{n!}$ for sufficiently large $n$. To find it, we may simply try all $k$ and $\ell$ with $1 \le k + \ell \le n$, $\ell \ge 0$, and choose the values that make $\ell \cdot k!$ closest to $\sqrt{n!}$. Charging $O(1)$ time to multiply integers, this can be done in $O(n^2)$ time, which will be much less than the cost of enumerating $H$ or its transversal.

Once these values are determined, we may run a closure algorithm using the generators from Lemma 9 to enumerate the elements of $H$ in $O(n|H|)$ time (the $O(n)$ factor is for representing the permutations themselves). There is an additional factor of 2 or 3 overhead with this approach because each permutation needs to be composed with the generating set before it can be determined that all elements have been enumerated. This overhead can be avoided by instead using the structure of $H$ to construct the elements explicitly. We briefly give this algorithm.

Algorithm 1
Enumeration of the elements of $H$
1. Enumerate all elements of $S_k$. If $k = 0$, enumerate the identity.
2. For each permutation from step 1, output its composition with all powers of $\sigma = (k{+}1\ \ k{+}2\ \ \ldots\ \ k{+}\ell)$. If $\ell = 0$, simply output the permutation from step 1.

Before analyzing the algorithm, we make a few statements regarding our model of computation. For the purposes of this paper, we will charge $O(1)$ space for each integer and $O(1)$ time for accessing elements of an array. We will not charge space for the output of an algorithm. In this model, we will represent each permutation using $O(n)$ space and may compose two permutations in $O(n)$ time.

Lemma 12.
Algorithm 1 correctly enumerates the elements of $H$ in time $O(n|H|)$ and space $O(n)$.

Proof.
For correctness, Lemma 9 shows the set returned is $H$. To argue resource bounds, note that we may iterate through every permutation of $S_k$ in $O(nk!)$ time and $O(n)$ space (Holt, 2005, p. 112). For every permutation generated, we may then iterate through the powers of $\sigma$ in total time $O(n\ell k!)$ and again space $O(n)$. Composing the pairs of permutations from steps 1 and 2 again takes total time $O(n\ell k!)$ and no additional space, thus in total the algorithm takes time $O(n\ell k!) = O(n|H|)$ and space $O(n)$.
8. Constructing Transversals
We now consider finding a transversal of $H$ in $S_n$. Although finding transversals can be complicated and require backtrack search through the parent group $G$ (Holt, 2005), we can take advantage of having $G = S_n$. We first give the following definition, as in Holt (2005).

Definition 13. Let $B = [\beta_1, \ldots, \beta_k]$ be a base. Define a partial ordering $\prec$ on elements of $\Omega$ by taking $\beta_i \prec \beta_{i+1}$ for all $1 \le i < k$, and $\beta_i \prec \alpha$ for every $\alpha \in \Omega$ not present in $B$. We extend this to base images by saying that for $g, h \in G$, $B^g \prec B^h$ if $g$ precedes $h$ in the lexicographic ordering on the base vectors.

For our purposes, this is the natural ordering of the integers in $B$. Furthermore, this defines a lexicographical ordering of permutations via their base images $B^g$ and $B^h$, $g, h \in G$. Our transversal construction will exploit the following lemma.

Lemma 14. Let $K < G \le S_n$ and let $B = [\beta_1, \ldots, \beta_k]$ be a base of $G$. Then $g \in G$ is the $\prec$-least element of its coset $gK$ if and only if $\beta_j^{\,g}$ is the $\prec$-least element of its orbit in $K_{\beta_1^g, \ldots, \beta_{j-1}^g}$ for $1 \le j \le k$.

In this lemma, $K_{\beta_1^g, \ldots, \beta_{j-1}^g}$ denotes the subgroup of $K$ consisting of the elements that fix each of the elements listed as subscripts. (When $j = 1$, this subgroup is just $K$.) Although the result has been known since the work of Charles Sims, we present a proof in the interest of being self-contained. This lemma can be found (without proof) in (Holt, 2005, p. 115).

Proof. Suppose that $g$ satisfies the property given in Lemma 14. We must show $g$ is $\prec$-least in $gK$. Write $g = [\alpha_1, \alpha_2, \ldots, \alpha_k]$. Now suppose there exists some $h \in gK$ such that $h \prec g$. Write $h = [\gamma_1, \gamma_2, \ldots, \gamma_k]$. Since $h \in gK$, we can write $h = gk$ for some $k \in K$, so we can think of $h$ as applying some element $k$ to $g$. Now, since $h \prec g$, there must be a first index $j$ such that $\gamma_j \prec \alpha_j$; so $\gamma_i = \alpha_i$ for all $1 \le i < j$. Then $k$ must stabilize $\alpha_1, \ldots, \alpha_{j-1}$. Since $k$ maps $\alpha_j$ to $\gamma_j$, the elements $\gamma_j$ and $\alpha_j$ are in the same orbit in $K_{\alpha_1, \ldots, \alpha_{j-1}}$, with $\gamma_j \prec \alpha_j$. But by assumption, $\alpha_j$ is the $\prec$-least element of its orbit in $K_{\alpha_1, \ldots, \alpha_{j-1}}$. Therefore the element $h$ cannot exist, and so $g$ is minimal in $gK$.

In the other direction, suppose $g$ does not satisfy the property in Lemma 14. Let $j$ be the first index such that $\alpha_j$ is not $\prec$-least in its orbit in $K_{\alpha_1, \ldots, \alpha_{j-1}}$. Then there must be some $k \in K$ that stabilizes $\alpha_1, \ldots, \alpha_{j-1}$ and maps $\alpha_j$ to some $\eta$ with $\eta \prec \alpha_j$. Then $gk \prec g$.

We can apply Lemma 14 to find base images that satisfy the property required to be $\prec$-least elements in their respective cosets. However, these base images might not necessarily correspond to elements of $G$ if $G$ is an arbitrary permutation group. Here we take advantage of the fact $G = S_n$: every base image that satisfies Lemma 14 corresponds to some permutation on $\{1, 2, \ldots, n\}$, which is necessarily an element of $S_n$. Thus, we may compute a transversal of $H$ efficiently if we know the orbit structure after stabilizing in $H$.

Lemma 15.
The subgroup $H$ is initially composed of at most three categories of orbits, which further split after stabilizing the smallest integer in the following way:

(a) Integers $1, 2, \ldots, k$ are in an orbit such that after repeatedly stabilizing the smallest integer, the remaining integers continue to stay in a single orbit.
(b) Integers $k+1, k+2, \ldots, k+\ell$ are in an orbit such that after stabilizing $k+1$, integers $k+2, k+3, \ldots, k+\ell$ are all in their own orbits.
(c) Integers $k+\ell+1, k+\ell+2, \ldots, n$ are in their own orbits.

If $k = 0$, (a) disappears. If $\ell = 0$, (b) disappears. If $k+\ell = n$, (c) disappears.

Figure 2: The orbit structure in $H$ (the orbits of categories (a), (b) and (c), and how they split under successive stabilization of $1, 2, \ldots, k-1$ and of $k+1$).

Proof. The subgroup $H$ is generated by $S_k$ and $(k+1\ \ k+2\ \ \ldots\ \ k+\ell)$. Therefore, the integers $1, 2, \ldots, k$ are in an orbit, $k+1, k+2, \ldots, k+\ell$ are in an orbit, and $k+\ell+1, k+\ell+2, \ldots, n$ are in their own orbits. If $k = 0$, there are no integers in the first category. If $\ell = 0$, there are no integers in the second category. If $k+\ell = n$, there are no integers in the third category.

Now consider the first orbit, in category (a). When we stabilize any integer, we are left with a subgroup isomorphic to $S_{k-1}$. All other integers remain in the same orbit, and the structure repeats itself if we continue to stabilize integers.

Now consider orbit (b). This orbit comes from powers of $\sigma = (k+1\ \ k+2\ \ \ldots\ \ k+\ell)$. Every nontrivial power of $\sigma$ moves every integer in $\{k+1, k+2, \ldots, k+\ell\}$. Therefore, when we stabilize $k+1$, no nontrivial power of $\sigma$ will be in this stabilizer. Thus, after stabilizing $k+1$, integers $k+2, k+3, \ldots, k+\ell$ will be in their own orbits.

Once an integer is in its own orbit, it will remain in its own orbit after further stabilizations.

Using Lemma 14 and Lemma 15, the algorithm to generate a transversal of $H$ in $S_n$ is relatively straightforward. We wish to backtrack through the orbits in all possible ways such that each base image generated through the procedure has the property of being $\prec$-least for its respective coset. For our subgroup, this means the integers $\{1, 2, \ldots, k\}$ must appear in this order and $k+1$ must appear before every element of $\{k+2, \ldots, k+\ell\}$. Any backtracking procedure that enumerates all base images with this property suffices to compute a transversal of $H$ in $S_n$. We give one such backtracking procedure below.

Algorithm 2
Transversal of $H$ in $S_n$

1. Let $A = [1, 2, \ldots, k]$. If $k = 0$, $A = []$.
2. Enumerate all permutations on $\{k+1, k+2, \ldots, k+\ell\}$ that start with integer $k+1$. If $\ell = 0$, enumerate an "empty" permutation, $[]$.
3. Enumerate all permutations on $\{k+\ell+1, k+\ell+2, \ldots, n\}$. If $k+\ell = n$, enumerate an "empty" permutation, $[]$.
4. For each pair from steps 2 and 3, combine them in all possible ways with each other and $A$ such that the integers from steps 1, 2, and 3 remain in the same relative order. For each combination, output the resulting permutation.

Lemma 16. Algorithm 2 correctly enumerates a transversal of $H$ in $S_n$ in time $O(n\,|S_n : H|)$ and space $O(n)$.

Proof. Every permutation generated in the above procedure respects that integers $\{1, 2, \ldots, k\}$ appear in this same order and that $k+1$ appears before every element of $\{k+2, \ldots, k+\ell\}$. Furthermore, every permutation that respects this order is present in the returned set. To double check, we may count the number of permutations generated by the above procedure.

Steps 2 and 3 enumerate $(\ell-1)!$ and $(n-(k+\ell))!$ permutations, respectively. For each pair from these steps, we merge lists in all possible ways while still respecting relative order within each list. Let
$$\left(\!\!\binom{x}{y}\!\!\right) = \binom{x+y-1}{y}$$
denote the number of $y$-multisets taken from an $x$-set. Then, using a stars and bars argument, the number of ways to merge the lists while still respecting relative order is
$$\left(\!\!\binom{k+1}{\ell}\!\!\right)\left(\!\!\binom{k+\ell+1}{n-(k+\ell)}\!\!\right) = \binom{k+\ell}{\ell}\binom{n}{n-(k+\ell)} .$$
Therefore
$$|S_n : H| = (\ell-1)!\,(n-(k+\ell))!\,\binom{k+\ell}{\ell}\binom{n}{n-(k+\ell)} = (\ell-1)!\,(n-(k+\ell))!\cdot\frac{(k+\ell)!}{\ell!\,k!}\cdot\frac{n!}{(n-(k+\ell))!\,(k+\ell)!} = \frac{n!}{\ell\,k!} ,$$
which is exactly what we expect.

To prove resource bounds, observe that for steps 2 and 3, we may use a procedure to iterate through permutations for a total time cost of $O(n\,(\ell-1)!\,(n-(k+\ell))!)$ and space cost of $O(n)$. To perform step 4, we may use a backtracking procedure to output all possible combinations in space $O(n)$ and with an additional factor of $n$ time cost on the number of elements produced, for a total time cost of $O(n\,|S_n : H|)$ and total space cost of $O(n)$.

Finally, we note that the property exploited in computing the transversal was that every base image found directly via stabilizers and orbits is necessarily an element of the parent group $G$ if $G = S_n$. This observation can be combined with black-box orbit, stabilizer, and base-changing methods as discussed in Holt (2005) to compute a transversal of an arbitrary permutation group $K < S_n$ efficiently. We will not discuss the details here, nor give exact asymptotic guarantees. For more information, consult the transversal algorithms discussed in Holt's book.
9. The Main Result
We have the following theorem:
Theorem 17.
We can compute sets $A$ and $B$ such that $AB = S_n$ with $\max(|A|, |B|) = \Theta(\sqrt{n!})$. The computation can be done deterministically in time $O(n\sqrt{n!})$ and space $O(n)$.

Proof. Corollary 11 states that for $n \ge 7$, we may find a subgroup $H$ whose order is within a factor of $\sqrt{2}$ of $\sqrt{n!}$. Using Algorithm 1, it can be enumerated deterministically in time $O(n|H|)$ and space $O(n)$. Using Algorithm 2, its transversal can be found and enumerated deterministically in time $O(n\,|S_n : H|)$ and again space $O(n)$. Therefore, we can find sets of permutations $A$ and $B$ deterministically in time $O(n\sqrt{n!})$ and space $O(n)$ such that every permutation of $S_n$ can be represented as a product $ab$, $a \in A$ and $b \in B$.

This theorem implies that the group action discrete logarithm problem in the symmetric group can be solved deterministically in about $O(n\sqrt{n!})$ time and $O(n\sqrt{n!})$ space, where the specifics depend on the ability to hash or compare the elements of $S$ generated for the collision procedure. We note that while randomization may be used in the analysis of such hash functions, the algorithm itself will always produce correct results.

Furthermore, regarding the space cost of solving the group action discrete logarithm problem, we require that only one of the two sets $\{r^a : a \in A\}$ or $\{s^{b^{-1}} : b \in B\}$ be stored in memory. By storing the smaller set, we may take advantage of a time-space tradeoff. Since the bounds in Corollary 11 hold for any choice of $m \le \sqrt{n!}$, we may choose $H$ with order within a factor of $\sqrt{2}$ of $m$ for any $m \le \sqrt{n!}$. Then we may solve the group action discrete logarithm problem in the symmetric group deterministically in space $O(m)$ and time $O(n!/m)$ for any choice of $m \le \sqrt{n!}$.

The computation of the sets $A$ and $B$, in comparison, will also take time $O(n\sqrt{n!})$ by the randomized approach and time $O(n^{.}\sqrt{n!})$ by bidirectional collision detection. In the former case, it is informative to know for what error bounds it becomes more efficient to use our deterministic method.

Our analysis of the randomized approach, applied to $S_n$, shows that by picking $k$ random permutations for each of $A$ and $B$,
$$\Pr[g \notin AB] \le e^{-k^2/n!} .$$
As $n!$ grows large, this inequality becomes increasingly tight. Taking it as a baseline for the probability of missing a particular permutation in $AB$, if we set $k = \sqrt{2}\sqrt{n!}$ (the set size of Theorem 17), this probability is
$$\Pr[g \notin AB] \approx e^{-2} \approx 0.1353 .$$
Thus, it is more efficient to use our deterministic method if we want more than about 86.47% accuracy; that is, when the randomized algorithm determines that no such $g$ exists, this response is correct only about 86.47% of the time.

On another practical note, examination of numerical data shows that the best $H$ for $n = $ … differs from $\sqrt{n!}$ by a factor of … at $n = 28$. On average, from $n = $ … on, $H$ has size off by a factor of only approximately $1.$… from $\sqrt{n!}$. Combining these facts with the simplicity of Algorithm 1 and Algorithm 2, we consider our approach a viable practical alternative to the randomized one.
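The following Python is an added worked example, not code from the paper: it implements Algorithm 1 (enumerating $H$), Algorithm 2 (the $\prec$-least coset representatives of Lemmas 14–16) and the collision procedure behind Theorem 17, and checks for small $n$ that $|A|\cdot|B| = n!$ and that every permutation is a product $ab$. The conventions are assumptions of this example: points are $0, \ldots, n-1$ rather than $1, \ldots, n$; a permutation is a tuple `p` with `p[i]` the image of `i`; products follow the paper's right-action convention $x^{pq} = (x^p)^q$; and the set $S$ that $S_n$ acts on is taken to be sequences of length $n$, with the entry at position $i$ moved to position $i^g$ (a constructed action chosen only because it satisfies $(w^g)^h = w^{gh}$). The function names `enumerate_H`, `transversal`, `build_AB`, `act` and `solve_log` are this example's own. The size of $H$ is coded as $\max(\ell,1)\,k!$ so that the $\ell = 0$ case of Algorithm 1 is covered.

```python
import itertools
from math import factorial

# Added example, not the paper's code. Points are 0..n-1 (the paper's 1..n shifted
# down by one); a permutation is a tuple p with p[i] = i^p, and products use the
# paper's right-action convention x^(pq) = (x^p)^q.


def compose(p, q):
    """Product pq: apply p first, then q."""
    return tuple(q[p[i]] for i in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for i, x in enumerate(p):
        inv[x] = i
    return tuple(inv)


def enumerate_H(n, k, l):
    """Algorithm 1: H = S_k x <sigma>, sigma = (k k+1 ... k+l-1), |H| = max(l,1) * k!."""
    ident = tuple(range(n))
    sigma = list(ident)
    for i in range(l):                 # the l-cycle on points k..k+l-1 (identity if l <= 1)
        sigma[k + i] = k + (i + 1) % l
    sigma = tuple(sigma)
    powers, cur = [ident], ident
    for _ in range(1, l):              # sigma^0 .. sigma^(l-1)
        cur = compose(cur, sigma)
        powers.append(cur)
    for pk in itertools.permutations(range(k)):   # step 1: S_k on the first k points (just () if k = 0)
        base = tuple(pk) + ident[k:]
        for sp in powers:              # step 2: compose with every power of sigma
            yield compose(base, sp)


def interleavings(lists):
    """All merges of the given lists that keep the relative order inside each list."""
    def rec(idx):
        if all(i == len(L) for i, L in zip(idx, lists)):
            yield ()
            return
        for j, L in enumerate(lists):
            if idx[j] < len(L):
                nxt = idx[:j] + (idx[j] + 1,) + idx[j + 1:]
                for rest in rec(nxt):
                    yield (L[idx[j]],) + rest
    yield from rec((0,) * len(lists))


def transversal(n, k, l):
    """Algorithm 2: the <-least representative of every right coset gH (Lemmas 14-16).
    Each yielded tuple is a base image, i.e. the permutation i -> img[i]."""
    A = list(range(k))                                                   # step 1: 0..k-1 in order
    B = [(k,) + p for p in itertools.permutations(range(k + 1, k + l))] if l else [()]  # step 2
    C = list(itertools.permutations(range(k + l, n)))                    # step 3: just () if k+l == n
    for b in B:
        for c in C:
            yield from interleavings([A, list(b), list(c)])              # step 4: merge, keeping order


def build_AB(n, k, l):
    """Sets with AB = S_n: A = transversal of H, B = H, so every g factors as g = t h."""
    return list(transversal(n, k, l)), list(enumerate_H(n, k, l))


def act(word, g):
    """Constructed sample action of S_n on length-n sequences: the entry at i moves to i^g.
    It satisfies (w^g)^h = w^(gh), which the collision step relies on."""
    out = [None] * len(word)
    for i, x in enumerate(word):
        out[g[i]] = x
    return tuple(out)


def solve_log(r, s, A, B):
    """Baby-step giant-step for r^g = s with g = ab:  r^(ab) = s  <=>  r^a = s^(b^-1).
    Baby steps {r^a : a in A} go in a table; each giant step s^(b^-1) is looked up."""
    table = {act(r, a): a for a in A}
    for b in B:
        probe = act(s, inverse(b))
        if probe in table:
            return compose(table[probe], b)
    return None   # r and s lie in different orbits: no g exists


if __name__ == "__main__":
    n, k, l = 5, 3, 2                  # |H| = 2 * 3! = 12, |S_5 : H| = 120 / 12 = 10
    A, B = build_AB(n, k, l)
    print(len(A), len(B), len({compose(a, b) for a in A for b in B}) == factorial(n))
    r = ("a", "b", "c", "d", "e")      # constructed sample input with distinct entries
    g = (2, 0, 4, 1, 3)
    print(solve_log(r, act(r, g), A, B) == g)
```

Only the table of baby steps is held in memory, so storing the smaller of $A$ and $B$ (swapping the roles of $r^a$ and $s^{b^{-1}}$) realizes the time-space tradeoff discussed above. Because the sample action uses distinct entries, the solution $g$ is unique; a sequence with repeated entries has a nontrivial stabilizer, and any element of the coset of solutions may then be returned.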
10. Acknowledgements
This research was supported in part by NSF: CCF-1420750. We'd like to thank Derek Holt, Gene Cooperman, and László Babai for correspondence on computing transversals in permutation groups. We additionally thank the StackExchange community for their input on subgroup choices, general help with computational group theory, and innovative LaTeX solutions. Finally, we thank the anonymous reviewers for their constructive feedback during the review process.
References
G. E. Andrews, R. Askey, and R. Roy. Special Functions. Cambridge Univ. Press, 1999.
L. Babai, W. M. Kantor, E. M. Luks. Computational complexity and the classification of finite simple groups. In Proc. 24th Ann. Symp. Found. Comp. Sci., 1983, pp. 162-171.
L. Babai. Graph isomorphism in quasipolynomial time. Manuscript, 2016. http://arxiv.org/pdf/
DIMACS Series in Discrete Mathematics and Theoretical Computer Science, Volume 11, 1993.
A short note on Jacobsthal's function. Manuscript, 2013. http://arxiv.org/pdf/
Abstract Algebra. Wiley, 2004.
C. J. Etherington, M. W. Anderson, E. Bach, J. T. Butler, and P. Stănică. A parallel approach in computing correlation immunity up to six variables. International Journal of Foundations of Computer Science, v. 27, 2016, pp. 511-528.
J. Cai, M. Fürer, N. Immerman. An optimal lower bound on the number of variables for graph identification. Combinatorica, v. 12, 1992, pp. 389-410.
D. H. Greene and D. E. Knuth. Mathematics for the Analysis of Algorithms. Birkhäuser, 1982.
D. Holt. Handbook of Computational Group Theory. Chapman & Hall, 2005.
H. Iwaniec. On the problem of Jacobsthal. Demonstratio Mathematica, v. 11, 1978, pp. 225-231.
A. Kwan. Vernier scales and other early devices for precision measurement. American J. Physics, v. 79, 2011, pp. 368-373.
R. C. Merkle and M. E. Hellman. On the security of multiple encryption. Comm. ACM, v. 24, 1981, pp. 465-467.
K. S. McCurley. The discrete logarithm problem. Proc. Symp. Appl. Math., v. 42, 1990, pp. 49-73.
B. McKay, A. Piperno. Practical graph isomorphism, II. J. Symb. Comp., v. 60, 2014, pp. 94-112.
V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Math. Notes, v. 55, 1994, pp. 165-172.
S. Orange, G. Renault, K. Yokoyama. Computation schemes for splitting fields of polynomials. In Proc. 2009 Int. Symp. on Symbolic and Algebraic Computation, 2009, pp. 279-286.
J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., v. 32, 1978, pp. 918-924.
D. Rosenbaum. Quantum Computation and Isomorphism Testing. Dissertation, U. Washington, 2015.
A. Seress. Permutation Group Algorithms. Cambridge Univ. Press, 2003.
D. Shanks. Class number, a theory of factorization and genera. Proc. Symp. Pure Math., v. 20, 1969, pp. 415-440.
V. Shoup. Lower bounds for discrete logarithms and related problems. Proc. EUROCRYPT, 1997, pp. 256-266.
E. Teske. Square-root algorithms for the discrete logarithm problem (a survey). In Public Key Cryptography and Computational Number Theory, de Gruyter, 2001, pp. 283-301.
R. C. Vaughan. On the order of magnitude of Jacobsthal's function. Proc. Edinburgh Math. Soc., v. 20, 1977, pp. 329-331.
E. T. Whittaker and G. N. Watson. A Course of Modern Analysis