Structure computation and discrete logarithms in finite abelian p-groups
aa r X i v : . [ m a t h . N T ] A p r Volume 00, Number 0, Pages 000–000S 0025-5718(XX)0000-0
STRUCTURE COMPUTATION AND DISCRETE LOGARITHMSIN FINITE ABELIAN p -GROUPS ANDREW V. SUTHERLAND
Abstract.
We present a generic algorithm for computing discrete logarithmsin a finite abelian p -group H , improving the Pohlig–Hellman algorithm andits generalization to noncyclic groups by Teske. We then give a direct methodto compute a basis for H without using a relation matrix. The problem ofcomputing a basis for some or all of the Sylow p -subgroups of an arbitrary finiteabelian group G is addressed, yielding a Monte Carlo algorithm to compute thestructure of G using O ( | G | / ) group operations. These results also improvegeneric algorithms for extracting p th roots in G . Introduction
The discrete logarithm plays two opposing roles in group computations. As aconstructive tool, discrete logarithms are the key ingredient in generic algorithmsfor extracting roots (including square roots in finite fields) [2, 23, 27, 31] and forcomputing group structure [7, 8, 26, 28, 30]. On the other hand, a wide range ofcryptographic applications depend on the essential difficulty of computing discretelogarithms in the worst case (see [15] or [17] for a survey).Typically, the discrete logarithm is defined in the context of a cyclic group: forany β ∈ h α i there is a unique nonnegative integer x < | α | for which β = α x . Moregenerally, given α = ( α , . . . , α r ), if every β ∈ h α i can be written uniquely as β = α x = α x · · · α x r r , with 0 ≤ x i < | α i | , then x = DL( α , β ) is the discrete logarithm of β with respectto α , and we call the vector α a basis for the group it generates. We work inthe computational framework of generic group algorithms, as defined, for example,in [26]. Thus we suppose that a “black box” is used to perform group operations,possibly including the provision of random elements, with each group element ar-bitrarily assigned a unique identifier.We are interested in constructive applications of the discrete logarithm, but letus first recall the negative result of Shoup [24]. Any generic algorithm to com-pute discrete logarithms in a finite abelian group G with prime exponent usesΩ( | G | / ) group operations. A matching upper bound is achieved, for cyclic groups,by Shanks’ baby-step giant-step algorithm [22] and (probabilistically) by Pollard’srho method [20, 29]. Both algorithms can be generalized to compute discrete loga-rithms in any finite abelian group using O ( | G | / ) group operations [7, 26, 28]. Mathematics Subject Classification.
Primary 11Y16; Secondary 20K01, 12Y05. Consistent with our use of the word “logarithm”, we write groups multiplicatively. The exponent of G is the least positive integer n for which α n = 1 G for all α ∈ G . c (cid:13) However, when the exponent of the group is not prime, we can do better. Thiswas proven for cyclic groups by Pohlig and Hellman [19] and later generalized byTeske [30]. The Pohlig–Hellman approach relies on computing discrete logarithmsin subgroups of the given group. The reduction to subgroups of prime-power orderis straightforward, hence we focus primarily on abelian p -groups.If α is a basis for a finite abelian group G of exponent p m and rank r , Teske’sgeneralization of the Pohlig–Hellman algorithm computes DL( α , β ) using(1) T DL ( G ) = O ( m lg | G | + mp r/ )group operations [30, Thm. 6.1]. When m = 1 this reduces to the O ( | G | / )upper bound mentioned above. If p and r are small (when computing squareroots in finite fields, for example, r = 1 and p = 2) the first term dominatesand the complexity becomes O ( n ), where n = lg | G | . For cyclic groups this canbe improved to O ( n lg n ) [25, § O ( n lg n/ lg lg n )bound for arbitrary finite abelian groups when p and r are suitably bounded. Moregenerally, Algorithm 1 computes DL( α , β ) using(2) T DL ( G ) = O (cid:18) lg( m + 1)lg lg( m + 2) lg | G | + log p | G | r p r/ (cid:19) group operations, improving the dependence on m in both terms of (1).Discrete logarithms may be applied to compute the structure of a finite abeliangroup. Typically, one uses discrete logarithms to construct a relation matrix, whichis then reduced to yield a basis by computing the Smith normal form [7, 8, 28]. Wetake a simpler (and faster) approach, using our algorithm for discrete logarithmsto directly construct a basis. Given a generating set S for a finite abelian p -group G of rank r , we give a deterministic generic algorithm to construct a basis using(3) T B ( S ) = O (cid:0) lg ǫ | G | + ( | S | − r + 1) T DL ( G ) (cid:1) group operations, improving the O ( | S || G | / ) result of Buchmann and Schmidt [8].The bound in (3) is minimized when | S | ≈ r . If we pick a random subset S ⊂ G , of size r + O (1), then S generates G with very high probability [21]. Whencombined with an algorithm to compute the group exponent, this yields a genericMonte Carlo algorithm to compute the structure of an arbitrary finite abelian groupusing O ( | G | / ) operations. When sufficiently tight bounds on the group order areknown, this can be converted to a Las Vegas algorithm.This approach can also be applied to a Sylow p -subgroup H ⊂ G . If the groupexponent (or order) is known, the complexity then depends primarily on the sizeand shape of H , not G . This is useful when extracting p th roots in G , which onlyrequires a basis for H [27].2. Abelian p -groups and Young tableaux We begin by describing a bijection between finite abelian p -groups and Youngtableaux that motivates our approach and allows us to fix some terminology.We work in this section and the next with a basis α = ( α , . . . , α r ) for an abelian p -group G of order p n , exponent p m , and p -rank (rank) r . We let | α i | = p n i and Pohlig and Hellman credit Roland Silver, and also Richard Schroeppel and H. Block, for(unpublished) independent discovery of the same algorithm [19, p. 107]. Teske actually addresses a more general problem, find the minimal nontrivial solution ( x , y )to β y = α x , which we consider in Section 4. Note that we use lg x = log x throughout. TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 3 assume that m = n ≥ · · · ≥ n r ≥
1. Up to isomorphism, G is determined by theinteger partition π ( G ) = ( n , . . . , n r ). For example, if(4) G ∼ = Z /p Z × Z /p Z × Z /p Z , then π ( G ) = (5 , ,
1) is a partition of n = 9 into three parts, with Young diagram:A cyclic group has r = 1 and a single row in its diagram, while a group with primeexponent has m = 1 and a single column. In our example, G has r = 3 and m = 5.For each β ∈ G , we regard x = DL( α , β ) as an element of the ring(5) R α = R α × · · · × R α r = Z /p n Z × · · · × Z /p n r Z . The additive group of R α is isomorphic to G , via the map x α x (the inversemap sends β to DL( α , β )). We may write the components of x ∈ R α in base p as x i = n i X j =1 p n i − j x i,j , where x i, is the most significant digit (and may be zero). We can then represent x (and β = α x ) by a Young tableau of shape π ( G ) with label x i,j in the i th row and j th column. For our example G in (4), if p = 2 and x = (13 , , β = α x = α α α .We wish to split the tableau above into left and right halves, allowing us to write x = qv + u . The vector q is a “shift” vector whose components are powers of p , while v and u correspond to the left and right halves of x , respectively. These vectors are obtainedby computing discrete logarithms in certain subgroups of G , as we now describe.If we multiply x (exponentiate β ) by the integer scalar p k , this shifts the labelsof the tableau to the left k places, leaving zeros on the right. In our example, if k = 2, we have 4 x = (20 , , β = α α . The element β p k lies inthe subgroup of p k th powers in G ,(8) G p k = { β p k : β ∈ G } , which has a basis γ defined by γ i = α p k i . The diagram of G p k corresponds to the m − k rightmost columns in the diagram of G . In our example we have the shape π ( G ) = (3 , ,
0) = (3 , Our definition of a basis allows γ to contain trivial elements. In practice we may truncate γ . ANDREW V. SUTHERLAND
Now let u = DL( γ , β p k ). The vector u is an element of R γ , but as a vector ofintegers written in base p , each component of u contains the low order m − k digitsof the corresponding component of x . We may “clear” these digits of x to obtain z ∈ R α by subtracting u from x (in Z r ), to obtain a reduced element of R α . Inour example we have u = (5 , , z = (8 , ,
1) and the tableau(9) with the entries unaffected by subtracting u from x in bold. The element β α − u has order at most p k and lies in the p k -torsion subgroup(10) G [ p k ] = { β : β p k = 1 G , β ∈ G } . A basis δ for G [ p k ] is given by δ i = α q i i , where q i = p max(0 ,n i − k ) . The diagram of G [ p k ] corresponds to the k leftmost columns of the diagram of G . In our example, π ( G [4]) = (2 , , v = DL( δ , β α − u ), then z = qv and x = qv + u , as desired. In our example we have q = (8 , ,
1) and v = (1 , ,
1) yielding(13 , ,
1) = (8 , , , ,
1) + (5 , , . This equation effectively reconstructs the tableau in (6) by gluing together the boldportions of the tableaux in (7) and (9).Note that u and v were defined via discrete logarithms in the subgroups G p k and G [ p k ], respectively. This suggests a recursive approach, leading to base casesin subgroups corresponding to single columns in the Young diagram of G .3. Computing discrete logarithms
A recursive algorithm along the lines suggested above already yields an improve-ment over the result of Teske [28]; in the cyclic case this is equivalent to Shoup’sbalanced divide-and-conquer version of the Pohlig–Hellman algorithm [25, 11.2.3].We can achieve a further speedup by broadening the recursion tree, allowing usto take advantage of fixed-base exponentiation techniques. At the same time, wecan structure the algorithm to facilitate precomputation, an important practicaloptimization in applications that rely heavily on discrete logarithms [4, 27].We will need to compute discrete logarithms in various subgroups of the form(11) G ( j, k ) = { β p j : β p k = 1 G , β ∈ G } , for nonnegative integers j < k . The subgroup G ( j, k ) consists of all p j th powersof order at most p k − j and corresponds to columns j + 1 through k in the diagramof G . If G has exponent p m then G = G (0 , m ).We wish to obtain a basis for G ( j, k ) from our given basis α = ( α , . . . , α r ) for G .To this end, let n i = log p | α i | , let q i = p j +max(0 ,n i − k ) , and define(12) q ( j, k ) = ( q , . . . , q r ) and α ( j, k ) = α g ( j,k ) = ( α q , . . . , α q r ) . Then α ( j, k ) is our desired basis, as we now show. Lemma 1.
Let α = ( α , . . . , α r ) be a basis for a finite abelian G , and let j and k be nonnegative integers with j < k . Then α ( j, k ) is a basis for G ( j, k ) . TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 5
Proof.
Let γ = α ( j, k ). We first show that γ is a basis for h γ i . Suppose for the sakeof contradiction that γ x = γ y with x , y ∈ R γ distinct. We must have x i = y i forsome i , which implies γ i = 1 G and q i | γ i | = | α i | . We also have α q ( j,k ) x = α q ( j,k ) y .As q i x i and q i y i are distinct integers less than | α i | , the vectors q ( j, k ) x and q ( j, q ) y are distinct elements of R α . But this is a contradiction, since α is a basis.We now prove h γ i = G ( j, k ). Every γ i is a p j th power (since p j | q i ) and has orderat most p k − j (since p n i | p k − j q i ); thus h γ i ⊂ G ( j, k ). Conversely, for δ ∈ G ( j, k ), if x = DL( α , δ ), then p j | x i and p n i | p k − j x i for each i . If k < n i , then p j + n i − k | x i , so q i | x i in every case. It follows that δ ∈ h γ i ; hence G ( j, k ) ⊂ h γ i . (cid:3) We now give a recursive algorithm to compute discrete logarithms in G ( j, k ),using α ( j, k ) and q ( j, k ) as defined above. Note that if j ≤ j ′ < k ′ ≤ k , theneach component of q ( j, k ) divides the corresponding component of q ( j ′ , k ′ ), andwe may then write q ( j ′ , k ′ ) / q ( j, k ) to denote point-wise division. For convenience,let DL α ( j, k, β ) denote DL( α ( j, k ) , β ). We assume the availability of a standardalgorithm for computing discrete logarithms in the base cases, as discussed below. Algorithm 1.
Given a basis α for a finite abelian p -group G and t ∈ Z > , thefollowing algorithm computes DL α ( j, k, β ) for integers ≤ j < k and β ∈ G ( j, k ) :
1. If k − j ≤ t , compute x ← DL α ( j, k, β ) as a base case and return x .2. Choose integers j , . . . , j w satisfying j = j < j < · · · < j w < j w +1 = k .3. Compute γ i = β p ji − j for i from 1 to w , and set x ← i from w down to 1:a. Recursively compute v ← DL α ( j i , j i +1 , γ i α ( j i , k ) − x ).b. Set x ← sv + x , where s = q ( j i , j i +1 ) / q ( j i , k ).5. Return x . Example 1.
Let G be cyclic of order p with basis α , j = 6 and k = 13. Then q (6 ,
13) = p , − = p and α p is a basis for G (6 , j = 8 and j = 11, so that (6 ,
13] is partitioned into subintervals (6 , , , q (11 ,
13) = p , q (8 ,
11) = p , q (6 ,
8) = p , and also q (8 ,
13) = p .For β ∈ G (6 , v = DL( α p , β p ) , x = v ,v = DL( α p , β p α − p x ) , x = p v + v ,v = DL( α p , βα − p x ) , x = p v + p v + v . The final value x = x contains 7 base p digits: 2 in v , 3 in v , and 2 in v . Example 2.
Suppose instead that G is cyclic of order p , but keep the otherparameters as above. We then have q (6 ,
13) = p , q (11 ,
13) = p , q (8 ,
11) = p , q (6 ,
8) = p , and q (8 ,
13) = p . For β ∈ G (6 , v = DL(1 G , G ) , x = v = 0 ,v = DL( α p , β p α − p x ) , x = v ,v = DL( α p , βα − p x ) , x = pv + v . The computation of x requires no group operations; the algorithm can determine α (11 ,
13) = 1 G from the fact that 11 ≥ | α | = p is given). The final value x = x contains 3 base p digits: 2 in v and 1 in v . ANDREW V. SUTHERLAND
These examples illustrate the general situation; we compute discrete logarithmsin r cyclic groups in parallel. The second example is contrived, but it shows whathappens when a cyclic factor of G has order less than p k .We assume that no cost is incurred by trivial operations (those involving theidentity element). As a practical optimization, the loop in step 4 may begin withthe largest i for which γ i = 1 G (it will compute x = 0 up to this point in any event).The correctness of Algorithm 1 follows inductively from the lemma below. Lemma 2.
Let α be a basis for a finite abelian p -group G and let j, j ′ , k ′ , and k be integers with ≤ j ≤ j ′ < k ′ ≤ k . For all β ∈ G ( j, k ) the following hold: (i) If x = DL α ( k ′ , k, β p k ′− j ) and γ = β p j ′− j α ( j ′ , k ) − x , then γ ∈ G ( j ′ , k ′ ) . (ii) If we also have v = DL α ( j ′ , k ′ , γ ) and s = q ( j ′ , k ′ ) / q ( j ′ , k ) ,then sv + x = DL α ( j ′ , k, β p j ′− j ) .Proof. For (i), note that β is a p j th power, so β p j ′− j is a p j ′ th power, and everyelement of h α ( j ′ , k ) i is a p j ′ th power, hence γ is a p j ′ th power. We also have γ p k ′− j ′ = (cid:16) β p j ′− j α ( j ′ , k ) − x (cid:17) p k ′− j ′ = β p k ′− j α ( j ′ , k ) − p k ′− j ′ x . It follows from the definition in (12) that α ( j ′ , k ) − p k ′− j ′ x = α ( k ′ , k ) − x , since wehave j ′ + max(0 , n i − k ) + k ′ − j ′ = k ′ + max(0 , n i − k ). We then obtain γ p k ′− j ′ = β p k ′− j α ( k ′ , k ) − x = β p k ′− j ( β p k ′− j ) − = 1 G . Thus γ has order at most p k ′ − j ′ , and therefore γ ∈ G ( j ′ , k ′ ), proving (i).Note that k ′ < k implies max(0 , n i − k ′ ) ≥ max(0 , n i − k ), so q ( j ′ , k ′ ) is divisible(component-wise) by q ( j ′ , k ), and s in (ii) is well defined. Now α ( j ′ , k ) sv = α q ( j ′ ,k ) sv = α q ( j ′ ,k ′ ) v = α ( j ′ , k ′ ) v = γ = β p j ′− j α ( j ′ , k ) − x , and therefore α ( j ′ , k ) sv + x = β p j ′− j , proving (ii). (cid:3) We now consider the parameter t in Algorithm 1. If p r is small, we precomputea lookup table for G (0 , t ), containing at most p rt group elements, for some suitablevalue of t . This will handle all the base cases, since they arise in subgroups G ( j, k ) of G (0 , t ), where k − j ≤ t . This is especially effective when one can amortize the costover many discrete logarithm computations, in which case a larger t is beneficial.In applications where p r = O (1), one typically chooses t to be logarithmic in therelevant problem size (which may be larger than | G | ).When p r is large, we instead set t = 1 and use a standard O ( √ N ) algorithm forcomputing discrete logarithms in finite abelian groups. A space-efficient algorithmderived from Pollard’s rho method is given in [28], and a baby-steps giant-stepsvariant can be found in [26, Alg. 9.3] (see Section 6 for optimizations).When partitioning the interval ( j, k ] into subintervals in step 2, we assume thatthe subintervals are of approximately equal size, as determined by the choice of w .The choice w = k − j limits the recursion depth to 1 and corresponds to the standardPohlig–Hellman algorithm. The choice w = 2 yields a balanced binary recursiontree. This might appear to be an optimal choice, but we can actually do betterwith a somewhat larger choice of w , using fixed-base exponentiation techniques.We recall a theorem of Yao. TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 7
Theorem 1 (Yao ) . There is an online algorithm that, given γ ∈ G and any inputsequence of positive integers e , . . . , e w , outputs γ e , . . . , γ e w using at most lg E + c w X i =1 (cid:24) lg e i lg lg( e i + 2) (cid:25) multiplications, where E = max i { e i } and c ≤ is a constant. The online algorithm in the theorem outputs γ e i before receiving the input e i +1 .If we set n = lg E , Yao’s Theorem tells us that, provided w = O (lg n ), we canperform w exponentiations of a common base with n -bit exponents using just O ( n )multiplications, the same bound as when w = 1. There are several algorithmsthat achieve Yao’s bound [5, 6, 12, 14, 16], and they typically require storage for O ( n/ lg n ) group elements.Consider the execution of Algorithm 1 computing DL( α , β ) = DL(0 , m, β ). Itwill be convenient to label the levels of the recursion tree with ℓ = 0 at the bottomand ℓ = d at the top, where d is the maximum depth of the recursion. At eachlevel the interval (0 , m ] is partitioned into successively smaller subintervals. We let s d = m denote the size of the initial interval at level d , and at level ℓ we partitioneach interval into approximately w ℓ subintervals of maximum size s ℓ − = ⌈ s ℓ /w ℓ ⌉ and minimum size ⌊ s ℓ /w ℓ ⌋ . 1001531 1 1 . . . 31 1 1 . . . 1431 1 1 . . . 21 1In the tree above we start at level ℓ = 3 with s = m = 100 and w = 7,partitioning 100 into two subintervals of size s = 15 and five subintervals of size 14.We then have w = 5 and s = 3, and finally w = 3 and s = 1. The base casesare all at level 0 in this example, but in general may also occur at level 1. Thefan-out of each node at level ℓ is w ℓ , except possibly at level 1 (in this example, wecannot partition 2 into three parts).Our strategy is to choose w ℓ ≈ min(lg( s ℓ lg p ) , s ℓ ) and apply Yao’s Theorem tobound the cost at each level of the recursion tree by O (lg | G | ) group operations,not including the base cases. The standard Pohlig–Hellman approach reduces theproblem to base cases in one level, potentially incurring a cost of O (lg | G | ) to doso. A binary recursion uses O (lg | G | ) group operations at each level, but requiresΩ(lg m ) levels, while we only need O (lg m/ lg lg m ).With these ideas in mind, we now prove an absolute bound on the running timeof Algorithm 1. An asymptotic bound appears in the corollary that follows. Pippenger gives a better bound for large w , but not necessarily an online algorithm [5, 18]. As E → ∞ the constant c can be made arbitrarily close to 1. ANDREW V. SUTHERLAND
Proposition 1.
Let α = ( α , . . . , α r ) be a basis for a finite abelian p -group G withrank r and exponent p m . Set n i = log p | α i | , and let r j be the rank of the subgroupof p j th powers in G . There is a generic algorithm to compute DL( α , β ) using T DL ( G ) ≤ c r X i =1 lg( n i + 1)lg lg( n i + 2) lg | α i | + m − X j =0 p r j / group operations, where c is an absolute constant independent of G . When a probabilistic algorithm is used for the base cases (such as the rhomethod), the algorithm in the proposition is probabilistic and T DL ( G ) refers to theexpected running time, but otherwise the algorithm is deterministic. The boundon T DL ( G ) depends only on the structure of G , not the basis α . Proof of Proposition 1.
We use Algorithm 1 to compute DL( α , β ) = DL α (0 , m, β )using t = 1. As discussed above, we label the levels of the recursion tree with ℓ = 0at the base and ℓ = d at the root. We let s ℓ denote the size of the first interval atlevel ℓ , and we assume that all others have size at least s ℓ − s ℓ . Thus s d = m , and we recursively define s ℓ − = ⌈ s ℓ /w ℓ ⌉ down to s = 1. To simplify theproof we use w ℓ = ⌈ lg(2 s ℓ ) ⌉ (independent of p ) and assume n = m .There is a base case in G ( j, j + 1) for each 0 ≤ j < m , with | G ( j, j + 1) | = p r j .Applying either of the standard O ( √ N ) discrete logarithm algorithms to the basecases yields the second sum in the bound for T DL ( G ), with c ≈ ℓ of the recursion tree, the total cost of step 3 is bounded by T ( ℓ ) < m (2 lg p ) = 2 lg | α | , since m exponentiations by p are required. The total cost of the multiplicationsby γ i in step 4a is bounded by T ( ℓ ) = m ≤ lg | α | .All other group operations occur in exponentiations in step 4a. These are ofthe form α ( j ′ , k ) − x , where j ≤ j ′ < k . To bound their cost, we consider thecost T ( α i , ℓ ) associated to a particular α i at level ℓ . The exponentiation of α i isnontrivial only when j ′ < n i and x i = 0. Thus to bound T ( α i , ℓ ), we only countexponentiations with j ′ < n i and only consider levels ℓ of the recursion tree with s ℓ − < n i , since at all higher levels x i will still be zero.In the recursive call to compute DL α ( j, k, β ), we may compute α ( j ′ , k ) − x usingfixed bases α − q i i , where q = q ( j, k ) as in (12), since q ( j, k ) divides q ( j ′ , k ) for all j ′ ≥ j . For each α i we can precompute all the α − q i i for a cost of T ( α i ) < n i lg p = 2 lg | α i | . At level ℓ > s ℓ − < n i , there are ⌈ n i /s l ⌉ instances of up to w ℓ − α i . These are computed using the common base α − q i i ,with exponents bounded by E = min( p s ℓ , | α i | ). Applying Yao’s Theorem, T ( α i , ℓ ) ≤ ⌈ n i /s l ⌉ (cid:18) lg E + 2( w ℓ − (cid:24) lg E lg lg( E + 2) (cid:25)(cid:19) . If s ℓ > n i , we replace ⌈ n i /s ℓ ⌉ by 1 and lg E by lg | α i | ; otherwise we replace lg E by s ℓ lg p . We then apply ⌈ z ⌉ ≤ z (for z ≥
1) to remove both ceilings and obtain(13) T ( α i , ℓ ) ≤ | α i | + 8 lg | α i | (cid:18) w ℓ − E + 2) (cid:19) . TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 9 If E = p s ℓ , then ( w ℓ − / lg lg( E + 2) <
2. Otherwise E = | α i | , and thenlg( E + 2) > n i ≥ s ℓ − + 1 = ⌈ s ℓ /w ℓ ⌉ + 1 ≥ s ℓ / (lg s ℓ + 2) + 1 , which implies ( w ℓ − / lg lg( E + 2) <
3. This yields T ( α i , ℓ ) <
26 lg | α i | .It remains to bound the number of levels ℓ > s ℓ − < n i . This is equal tothe least ℓ for which s ℓ ≥ n i , which we denote d ( n i ). We derive an upper boundon d ( n i ) as a function of n i by proving a lower bound on s ℓ as a function of ℓ .We recall that s = 1 and for ℓ > w ℓ = ⌈ lg(2 s ℓ ) ⌉ ≥ s ℓ ≥ s ℓ − .This implies w ℓ ≥ l + 1 and s ℓ ≥ ℓs ℓ − ≥ ℓ ! for all ℓ >
0. Stirling’s formula yieldsa lower bound on s ℓ , from which one obtains the upper bound(14) d ( n i ) ≤ n i + 1)lg lg( n i + 2) , valid for n i ≥
14. The lexicographically minimal sequence of integers satisfying s = 1 and s ℓ − = ⌈ s ℓ / ⌈ lg(2 s ℓ ) ⌉⌉ for all ℓ > , , , , , , . . . , andone finds that s , . . . , s satisfy (14), with ℓ = n i and s ℓ = d ( n i ).The total cost of all computations outside of the base cases is then bounded by d X ℓ =1 (cid:16) T ( ℓ ) + T ( ℓ ) (cid:17) + r X i =1 T ( α i ) + d ( n i ) X ℓ =1 T ( α i , ℓ ) ≤ c r X i =1 lg( n i + 1)lg lg( n i + 2) lg | α i | , where we use d = d ( n ), and the constant c <
57. This yields the first sum in thebound for T DL ( G ) and completes the proof. (cid:3) For the sake of brevity we have overestimated the constant c in the proof above.Empirically, c is always less than 2 and is typically close to 1 (see Section 6).The space used by Algorithm 1 depends on how the base cases are handled,but can be bounded by O (lg | G | / lg lg | G | ) group elements. There are at most P ri =1 d ( n i ) √ n i distinct α − q i i that need to be precomputed, which fits within thisbound. In practice, additional precomputation using slightly more storage, perhaps O (lg | G | ) elements, can accelerate both the exponentiations and the base cases [27].For many groups arising “in nature”, both sums in the bound for T DL ( G ) aretypically dominated by their first terms. Divisor class groups of curves and idealclass groups of number fields are, at least heuristically, two examples. One oftensees an L -shaped Young diagram, with n ≈ m + r , where n = log p | G | . Algorithm 1yields a useful improvement here, with a complexity of O ( p r/ ) versus O ( mp r/ ).More generally, we have the following corollary. Corollary 1.
Let α be a basis for a finite abelian p -group G of size p n , exponent p m ,and rank r . There is a generic algorithm to compute DL( α , β ) using T DL ( G ) = O (cid:18) lg( m + 1)lg lg( m + 2) lg | G | + nr p r/ (cid:19) group operations.Proof. The first term is immediate from Proposition 1 since lg G = P ri =1 lg | α i | and n i ≤ m for all i . For the second term, consider P m − i =0 p r i / . We have r = r ≥ r i and n = r + · · · + r m − . For fixed r and n the worst case, up to a constant factor,occurs when the r i are roughly equal (one uses Lemma 9 to prove this). (cid:3) The asymptotic upper bound on T DL ( G ) achieved here is nearly tight for genericalgorithms. When r = O ( n ), the bound in the corollary becomes O ( p r/ ), matchingShoup’s Ω( p r/ ) lower bound. Even when this is not the case, one may argue, alongthe lines of Shoup, that the sum P p r i / in Proposition 1 is tight in any event. Thefirst term in the corollary is O (lg ǫ | G | ), and one does not expect to do better than O (lg | G | ), due to the Ω(lg | G | ) lower bound for exponentiation.To complete our discussion of discrete logarithms, we give an algorithm to com-pute DL( α , β ) in an arbitrary finite abelian group G . We assume that α is aprime-power basis for G , composed of bases α p for each of the Sylow p -subgroupsof G . The construction of such a basis is discussed in the next section (and readilyobtained from a given basis in any event). Algorithm 2.
Given a prime-power basis α for a finite abelian group G with | G | = N = q · · · q k a factorization into powers of distinct primes p , . . . , p k , and β ∈ G , the following algorithm computes x = DL( α , β ) :
1. Let M j = N/q j and compute β j ← β M j for j from 1 to k .2. Compute x j ← DL( α p j , β j ) using Algorithm 1.3. Set x ← x /M ◦ · · · ◦ x k /M k .The symbol “ ◦ ” denotes concatenation of vectors. Since β q j j = 1 G , we must have β j ∈ h α p j i , and the components of α p j all have order a power of p j . The exponentvector x j is thus divisible by M j , since M j is coprime to p j and therefore a unit ineach factor of the ring R α pj . The correctness of Algorithm 2 follows easily.Let n = lg N . For k = O (lg n ), the exponentiations in step 1 can be performedusing O ( n ) group operations, by Yao’s Theorem. As k approaches n , this boundincreases to O ( n / (lg n ) ), and one should instead apply the O ( n lg n/ lg lg n ) algo-rithm of [26, Alg. 7.4]. The total running time is then(15) T DL ( G ) = O (cid:18) lg( k + 1)lg lg( k + 2) lg | G | (cid:19) + k X j =1 T DL ( G p j ) , group operations, where G p j denotes the Sylow p j -subgroup of G . For sufficientlylarge | G | , the bound for T DL ( G ) is dominated by the sum in (15).4. Constructing a basis for a finite abelian p -group For a finite abelian group G , the group structure problem asks for a factor de-composition of G into cyclic groups of prime-power order, with a generator for eachfactor. This is equivalent to computing a basis for each of the (nontrivial) Sylow p -subgroups of G . We first suppose that G is a p -group and then give a reductionfor the general case in Section 5.Typically, a basis is derived from a matrix of relations among elements of agenerating set for the group [7, 8, 9, 28]. This generating set may be given, orobtained (with high probability) from a random sample. One then computes theSmith normal form of the relation matrix [11, § extended discrete logarithms . If α is a basis fora subgroup of G and β ∈ G , then EDL( α , β ) is the pair ( x , y ) satisfying β y = α x that minimizes y >
0, with x ∈ R α . In a p -group, y is necessarily a power of p . TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 11
While our approach does not require us to compute EDL( α , β ), we note thatany algorithm for DL( α , β ) can be used to compute EDL( α , β ). Lemma 3.
Given a basis α for a subgroup of a finite abelian p -group G and β ∈ G ,there is a generic algorithm to compute EDL( α , β ) using at most (cid:6) lg(log p | β | ) (cid:7) T DL ( G ) + 2 lg | β | group operations.Proof. Assume Algorithm 1 returns an error whenever a base case fails. Compute β p j for 0 ≤ j ≤ log p | β | . Then use a binary search to find the least j for which onecan successfully compute x = DL( α , β p j ). We then have EDL( α , β ) = ( x , p j ). (cid:3) Teske gives an algorithm to directly compute EDL( α , β ), avoiding the lg(log p | β | )factor above, but this may still be slower than applying Lemma 3 to Algorithm 1.Alternatively, we may modify Algorithm 1 to solve a slightly easier problem. Insteadof solving β y = α x , we seek a solution to β y = α y x .More specifically, let us define a function DL ∗ α ( j, k, β ) that extends the functionDL α ( j, k, β ) computed by Algorithm 1. If α is a basis for a subgroup of an abelian p -group G and β ∈ G , we wish to compute a pair ( x , h ), with x = DL α ( j + h, k, β p h )and h ≥ h < k − j for which such a pairexists, and in this case we let h = k − j and x = 0. When α generates a subgroupwith exponent p m , we use DL ∗ ( α , β ) to denote DL ∗ α (0 , m, β ). Algorithm 3.
Let α be a basis for a subgroup of a finite abelian p -group G andlet t ∈ Z > . Given β ∈ G and ≤ j < k , compute ( x , h ) = DL ∗ α ( j, k, β ) as follows:
1. If k − j ≤ t , compute ( x , h ) ← DL ∗ α ( j, k, β ) as a base case. Return ( x , h ).2. Choose integers j , . . . , j w satisfying j = j < j < . . . < j w < j w +1 = k .3. Compute γ i = β p ji − j for i from 1 to w , and set x ← i from w down to 1:a. Recursively compute ( v , h ) ← DL ∗ α ( j i , j i +1 , γ i α ( j i , k ) − x ).b. Set x ← sv + x , where s = q ( j i + h, j i +1 ) / q ( j i + h, k ).c. If h > x , j i + h ).5. Return ( x , t = 1, the base case simply computes x = DL( α , β ) and returns ( x , , t >
1, one applies Lemma 3 (if a lookup table is used,this means O (lg t ) table lookups and O ( t lg p ) group operations).Aside from the computation of h and the possibility of early termination, Algo-rithm 3 is essentially the same as Algorithm 1. Indeed, assuming t = 1, if ( x , h ) isthe output of Algorithm 3, the sequence of group operations performed by Algo-rithm 1 on input α x will be effectively identical (ignoring operations involving theidentity). Thus the complexity bounds in Proposition 1 and its corollary apply.To verify the correctness of Algorithm 3, we first note that if h = k − j , then thefirst base case must have failed and the output ( , h ) is correct. If h < k − j , then it Failure detection with baby-steps giant-steps or lookup table is easy. See [28] for a rho search. Arguably, h should be log p | β | here (so that β p h = α p h x ), but this is less convenient. follows from the correctness of Algorithm 1 that x = DL α ( j + h, k, β p h ). It is onlynecessary to check that h is minimal, but if not, the base case DL α ( j + h − , j + h, β ′ )would have succeeded and h would be smaller.We now explain how to construct a basis using Algorithm 3. Let us start witha vector α consisting of a single element of G . Clearly α is a basis for the cyclicsubgroup it generates, and we would like to extend α to a basis for all of G byadding elements to it one by one. This will only be possible if our basis at eachstep generates a subgroup H that is a factor of G (meaning G ∼ = H × G/H ). Somecare is required, since H need not be a factor of G , but let us first consider how toextend a basis.Given a basis α for a subgroup H of G , we say that γ ∈ G is independent of α if the vector α ◦ γ = ( α , . . . , α r , γ ) is a basis for h α , γ i , and we write γ ⊥ α . Thefollowing lemma shows how and when one may use DL ∗ ( α , β ) to obtain such a γ . Lemma 4.
Let α be a basis for a subgroup of a finite abelian p -group G , with n i = log p | α i | , m = min n i , and m = max n i . Let β ∈ G and let γ = β α − x , where ( x , h ) = DL ∗ ( α , β ) . The following hold: (i) If | β | ≤ p m , then | γ | = p h . (ii) If | β | ≤ p m and | γ | ≤ p m , then γ ⊥ α .Proof. If h < m , then x = DL ∗ α ( h, m, β ), and we have β p h = α ( h, m ) x = α q ( h,m ) x = α p h x , since q ( h, m ), as defined in (12), has q i = p max( h,n i − m − h ) = p h . It follows that γ h = ( β α − x ) p h = 1 G , and this cannot hold for any h ′ < h , by the minimality of h . Thus (i) holds when h < m . Now suppose h = m . Then x = , γ = β , and | γ | = | β | ≥ p h = p m . If | β | ≤ p m , then | γ | = | β | = p h ; thus (i) also holds when h = m .To prove (ii), assume | β | ≤ p m | and | γ | ≤ p m , and suppose γ ⊥ α does nothold. Then there is a nontrivial relation of the form γ p j = α z , for some z ∈ R α and j < h , since | γ | = p h by (i). We claim that z is not divisible by p j , since γ p j = ( β α − x ) p j = β p j α − p j x = α z , and if p j divides z we can set v = x + z /p j to obtain β p j = α z + p j x = ( α v ) p j = α q ( j,m ) v = α ( j, m ) v , which contradicts the minimality of h . We now note that if | γ | ≤ p m , then γ p j hasorder at most p m − j . But α z has order greater than p m − j , since some z i is notdivisible by p j , and therefore | α z i i | > p n i − j ≥ p m − j , yielding a contradiction. (cid:3) Lemma 4 not only tells us how to find independent elements, it gives sufficientconditions to ensure that this is possible. This yields a remarkably simple algorithmto construct a basis from a generating set S .Start with α consisting of a single element of S with maximal order p m . Every β ∈ S then satisfies | β | ≤ p m = p m , and we may use Algorithm 1 to compute anindependent γ = β α − x for each β . We can then choose one with maximal order toextend our basis α and continue in this fashion until we have a basis spanning theentire group generated by S . TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 13
Algorithm 4.
Given a subset S of a finite abelian p -group, the following algorithmcomputes a basis α for G = h S i :
1. Set α ← ∅ and compute h i ← log p | β i | for each β i ∈ S .2. If every h i = 0, return α .Otherwise pick a maximal h i , set α ← α ◦ β i , then β i ← G and h i ← h i > x , h ) ← DL ∗ ( α , β i ) using Algorithm 3.b. Set β i ← β i α − x and h i ← h .4. Go to step 2.After step 1 we have (trivially) β i ⊥ α for all β i , and after step 2 we must have h i ≤ min(log p | α i | ) for all h i . By Lemma 4, these statements remain true afterstep 3, and at every step the algorithm ensures that h i = log p | β i | and h α , S i = G .If every h i = 0, then h S i is trivial and α is a basis for G . Some nonzero h i is set tozero each time step 2 is executed, so this eventually happens. Note that when anelement β i is appended to α , its order p h i is known, as desired. Proposition 2.
Given a set S that generates an abelian group G of size p n , expo-nent p m , and rank r , there is a generic algorithm to compute a basis for G using T B ( S ) ≤ c (cid:16) r lg( m + 1)lg lg( m + 2) lg | G | + nr p ( r − / + (cid:0) | S | − r (cid:1) T DL ( G ) (cid:17) , group operations, where T DL ( G ) is as in Proposition 1 and c is an absolute constantindependent of S and G .Proof. We apply Algorithm 4, setting t = 1 in Algorithm 3. We assume that atable of all nontrivial p j th powers of each element of α is maintained throughout,for a total cost of at most 2 lg | G | group operations (this table can also be madeavailable to Algorithm 3, avoiding the need for any precomputation). For each β ∈ S , computing | β | in step 1 requires less than 2 m lg p group operations. Thecost of all the exponentiations in step 3b related to β is bounded by 2 lg | G | (if weconsider x = DL( α , β ) for the initial value of β relative to the final basis α , eachbase- p digit of x is “cleared” in step 3b at most once). The total cost of all stepsother than 3a is thus O ( | S | lg | G | ) group operations, which is bounded by the sumof the first and last terms in the bound for T B ( S ), for a suitable constant c .We now consider the cost of step 3a for those β = β i ∈ S for which h i is neverchosen in step 2, meaning β i is never appended to α . There are exactly | S | − r such β . For each base case that succeeds in some computation DL ∗ ( α , β ), the orderof β is reduced by a factor of p in step 3b, so there are at most m successful basecases relevant to β in the entire execution of Algorithm 4. Ignoring the cost ofreaching the first base case, and failed base cases, the successful part of all theDL ∗ ( α , β ) computations involving β corresponds to a single computation DL( α , β )with respect to the final basis α for G , which we bound by T DL ( G ).When computing DL ∗ ( α , β ), reaching the first base case involves exponentiat-ing β (and precomputing α ( j, k ), but this was addressed above). The order of β is bounded by the order of the most recently added component α i of α , hence thetotal cost of all the initial exponentiations of β is at most P ri =1 | α i | = 2 lg | G | ,which is bounded by a constant factor of T DL ( G ). Summing over the | S |− r differentvalues of β yields the term ( | S | − r ) T DL ( G ) in the bound for T B ( S ). It remains to consider the cost of step 3a for the elements β , . . . , β r that are atsome point appended to α . With n i = log p | α i | , we have m = n ≥ · · · ≥ n r ≥ m i = n i − n i +1 for 1 ≤ i ≤ r −
1, and let f ( x ) = x lg( x + 1) / lg lg( x + 2).Excluding base cases, the successful part of all computations DL ∗ ( α , β i ) may bebounded, as in Proposition 1, by a constant factor of(16) r − X i =1 ( r − i ) f ( m i ) lg p ≤ ( r − f ( m ) lg p < r lg( m + 1)lg lg( m + 2) lg | G | , where we have used P f ( m i ) ≤ f ( m ) for positive integers m i with P m i ≤ m . Asabove, the total cost of reaching the first base case in the computations DL ∗ ( α , β i )for β i is at most 2 lg | G | , which may be incorporated into (16), yielding the firstterm of the bound for T B ( S ).Finally, we consider the cost of the base cases occurring for β , . . . , β r . In the i th iteration of step 3a there are r − i elements β i which have yet to be appendedto α , and exactly one base case fails for each of these. Thus we may bound thecost of all failed base cases by a constant factor of(17) r − X i =1 ( r − i ) p i/ < p ( r +1) / ( √ p − < p ( r − / . For the successful base cases, let r j be the rank of the subgroup of p j th powersin G , as in Proposition 1, so that n = r + · · · + r m − . For each r j we obtain a sumof the form (17), and note that, as in Corollary 1, we may bound the cost to withina constant factor by assuming the r j are all approximately equal to r . In this casewe have m = ⌈ n/r ⌉ , yielding the term ( n/r ) p ( r − / in the bound for T B ( S ), whichalso covers the failed base cases, for a suitable choice of c . (cid:3) If we are given a set S of independent elements, Proposition 2 implies that wecan typically verify that S is a basis for G = h S i more quickly than we can computediscrete logarithms in G . In fact this is true whenever | S | = r , even if the elementsof S are not independent. More generally, we have the following corollary. Corollary 2.
Given a generating set S for a finite abelian p -group G of rank r ,with | S | = r + O (1) , there is a generic algorithm to compute a basis for G using T B ( G ) = O (cid:0) lg ǫ | G | (cid:1) + O (cid:0) T DL ( G ) (cid:1) = O ( | G | / ) group operations. When a generating set is not available, or when | S | ≫ r , we may instead use aprobabilistic algorithm to construct a basis from randomly sampled elements of G .If r is known (or bounded), Corollary 2 can be applied to a randomly generatedsubset S ⊂ G of size r + t to obtain a generic Monte Carlo algorithm that is correct with probability at least 1 − p − t . This follows from the lemma below, whose proofcan be found in [21, Eq. 2] and also [1, Lem. 4]. Lemma 5.
Let G be a finite abelian p -group of rank r , and let S be a sample of s ≥ r independent and uniformly distributed random elements of G .Then S generates G with probability s Q j = s − r +1 (cid:0) − p − j (cid:1) > − p r − s . This algorithm always outputs a basis for a subgroup H of G , but it may be that H < G . TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 15
In general, we do not know the rank of G , a priori . Indeed, determining r maybe a reason for computing a basis. In this situation we could apply Algorithm 4to progressively larger randomly generated sets S until | S | > r + t , where r is therank of h S i and t is a constant. However, a more efficient approach is to simplyselect random β ∈ G , using the black box or via Lemma 6 below, and attempt touse Lemma 4 to extend the current basis.This eliminates the loop in step 3 of Algorithm 4, but we must now address thesituation where Lemma 4 fails to apply ( | β | > p m or | γ | > p m ). It may happenthat the basis we have constructed cannot be extended to a basis for G , and in thiscase we need to backtrack. Fortunately, this is easy to detect (and correct) and hasnegligible impact on the expected running time. Algorithm 5.
Given a randomized black box for a finite abelian p -group G and t ∈ Z > , the following algorithm computes a basis α for a subgroup H of G , where H = G with probability at least − p − t :
1. Set s ←
0. Pick a random α ∈ G and set α ← ( α ).2. If s = t , then return α .3. Pick a random β ∈ G and compute ( x , h ) ← DL ∗ ( α , β ).4. If h = 0, then increment s and go to step 2; otherwise set γ ← β α − x .5. For each α i with | α i | < | γ | , remove α i from α and set s ← α ← α ◦ γ and go to step 2.The correctness of Algorithm 5 depends on an easy corollary to Lemma 4. If welet the (possibly empty) vector α ′ consist of those components of α that satisfy | α i | ≥ | γ | , then γ ⊥ α ′ (the proof is the same). It follows that after step 6, α is a basis for the subgroup it generates (this is obviously also true after step 1).When the algorithm terminates, it has found t (independent, uniformly distributed)random elements β ∈ G that lie in H = h α i . If H is a proper subgroup of G , itmust be smaller by a factor of at least p ; the probability that t random elements β ∈ G all happen to lie in H is then at most p − t . Proposition 3.
Given a randomized black box for a finite abelian p -group G ofrank r , exponent p m , and size p n , and t ∈ Z > , there is a probabilistic genericalgorithm that computes a basis for a subgroup H of G using an expected T ∗ B ( G ) ≤ c (cid:16) r lg( m + 1)lg lg( m + 2) lg | G | + nr p ( r − / (cid:17) + tT DL ( G ) = O ( | G | / ) group operations, such that H = G with probability at least − p − t . The absoluteconstant c is independent of both t and G .Proof. We apply Algorithm 5. If it never backtracks (removes elements from α instep 5), the final basis α is obtained from the first r random elements, and then t discrete logarithms are computed using this basis. In this case, the bound T ∗ B ( G )follows from an argument similar to that used in the proof of Proposition 2, with | S | = r (and a better constant factor). We will show that the expected cost ofAlgorithm 5 is within a constant factor of the cost arising in this ideal scenario.Let α = ( α , . . . , α r ) be the final basis output by Algorithm 5, and note that | α | ≥ | α | ≥ · · · ≥ | α r | . As the computation proceeds, for each k from 1 to r ,there is a stage k where α k − = ( α , . . . , α k − ) is a (possibly empty) prefix of the final basis, and the algorithm is in the process of determining α k . This may involveextending and then backtracking to the prefix α k − (several times, perhaps), butonce α k is determined, we have the prefix α k and transition to stage k + 1. Ifno backtracking occurs, the algorithm completes stage 1 after step 1, and a singlecomputation of DL ∗ ( α k , β ) is required for each stage k >
1. From Proposition 1,the cost of this computation may be bounded by S k = c k − X i =1 lg( n i + 1)lg lg( n i + 2) lg | α i | + c m − X j =0 p r j / = A k + B k , where c is a constant, n i = log p | α i | , and the ranks r j ≤ k − A k and B k denote the two sums in S k , including the factor c .We now consider the probability that the computation DL ∗ ( α k − , β ) completesstage k . Let z be the discrete logarithm of β relative to the final basis α . Providedthat z k is not divisible by p , when h is computed in step 3 we will have h = n k ,and compute γ = α k in step 4, since no subsequent computation can yield anindependent element of order greater than n k (since n j ≤ n k for j > k ). Thusfor each random β ∈ G processed during stage k , the probability that we do notcomplete stage k is at most 1 /p (this is true for any extension of α k − arisingduring stage k ). Conditioning on w , the number of random β ∈ G processed duringstage k , the expected cost of stage k may be bounded by a sum of the form T k ≤ (1 − p − )( A k + B k ) + p − ((1 + 2) A k + (1 + p / ) B k ) + . . .T k ≤ p − p + ∞ X w =2 (cid:18) w + 12 (cid:19) p − w ! A k + p − p + ∞ X w =2 bp − w/ ! B k , (18)where b = 1 / ( √ p − β the current basis is extended by a γ that maximizes the cost of subsequentdiscrete logarithm computations. For each increment in w we suppose that |h α i| increases by a factor of |h α k − i| (in fact, it increases by at most a factor of | α k − | )and that every r j increases by 1.The second sum in (18) is a geometric series, bounded by b/ ( p − √ p ) < ∞ X w =1 (cid:18) w + 12 (cid:19) p − w = p ( p − , allowing us to bound the first sum in (18) by 4. Hence T k ≤ c S k for a constant c <
6, and the bound on T ∗ B ( G ) follows. The correctness probability was addressedabove, and clearly c = c c is independent of t and G . (cid:3) In practice, the constant c in Proposition 3 is quite small and T ∗ B ( G ) ≈ tT DL ( G ),even when p = 2 (the worst case, as far as the constant factors are concerned).When T DL ( G ) is dominated by p r/ , the constant t can be improved to √ t using ababy-steps giant-steps approach, as discussed in Section 6.If we are given a bound M satisfying M ≤ | G | < pM (perhaps M = | G | ), we caneasily convert Algorithm 5 from a Monte Carlo algorithm to a Las Vegas algorithmby replacing the test “ s = t ” in step 2 with “ |h α i| ≥ M ” (note that |h α i| = Q | α i | ).We now give a method to construct uniformly random elements of G from agenerating set S . This is useful in general and allows us to apply Algorithm 5 to agenerating set S , which may be faster than using Algorithm 4 when | S | ≫ r . TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 17
Lemma 6.
Given a generating set S for a finite abelian group G with exponent p m = E , and t ∈ Z > , there is a generic algorithm to compute t independent,uniformly random elements of G using T R ( S, t ) ≤ (3 lg E ) | S | + 2 t (cid:18) ⌈ lg( E + 1) ⌉⌈ lg lg( E + 2) ⌉ + 1 (cid:19) | S | group operations and storage for at most t + lg E group elements.Proof. We represent S as a vector γ = ( γ , . . . , γ s ). To construct random elements β , . . . , β t , first set each β j to 1 G . Then, for each γ i , compute | γ i | = p n i , select t uniformly random integers z i,j ∈ [0 , p n i ), and set β j ← β j γ z i,j i for each j . Weassume all the z i,j are chosen independently.The cost of computing | γ i | is at most 2 m lg p = 2 lg E group operations. ByYao’s Theorem, the cost of t exponentiations of the common base γ i is at mostlg E + ct (cid:18) ⌈ lg( E + 1) ⌉⌈ lg lg( E + 2) ⌉ (cid:19) group operations, where c ≤
2. Accounting for the multiplication by β j and sum-ming over the γ i yields the bound T R ( S, t ). We only need to store the β j and atmost lg E powers of a single γ i at each step (we don’t count the size of the inputset S , since we only access one element of S at a time).Clearly the β j are independent; we must show that each is uniformly distributedover G . Let H = Z /p n Z × · · · × Z /p n s Z . The map ϕ : H → G that sends z to γ z is a surjective group homomorphism, and we have β j = ϕ ( z ), where z = ( z ,j , z ,j . . . , z s,j ) is uniformly distributed over H . As each coset of ker ϕ hasthe same size, it follows that β j is uniformly distributed over G ∼ = H/ ker ϕ . (cid:3) In practice, we may wish to generate random elements “on demand”, withoutknowing t . We can generate random elements in small batches of size t ≈ lg lg( E +2)to effectively achieve the same result. If S is reasonably small, the first term of T R ( S, t ) may be treated as a precomputation and need not be repeated.Provided that | S | = O ( | G | / − ǫ ), we may apply Lemma 6 and Proposition 3to compute a basis for G = h S i , with high probability, using O ( | G | / ) groupoperations. By contrast, Algorithm 4 uses O ( | S || G | / ) group operations when S islarge, as does the algorithm of Buchmann and Schmidt [8]. However, we note thatboth of these algorithms are (or can be made) deterministic.5. Constructing a basis in the general case
We now suppose that G is an arbitrary finite abelian group. If we know theexponent of G , call it λ ( G ), and its factorization into prime powers, we can easilyreduce the computation of a basis for G to the case already considered. In fact,it suffices to know any reasonably small multiple N of λ ( G ), including N = | G | .Factoring N does not require any group operations, and it is, in any event, a mucheasier problem than computing λ ( G ) in a generic group, hence we ignore this cost. As shown in the author’s thesis, λ ( G ) can be computed using o ( | G | / ) groupoperations [26]. This bound is strictly dominated by the worst-case complexity ofboth the algorithms presented in the previous section, allowing us to extend our We have subexponential-time probabilistic algorithms for factoring versus exponential lowerbounds for computing the group exponent with a probabilistic generic algorithm [3]. Most deter-ministic factoring algorithms are already faster than the Ω( N / ) lower bound of [26, Thm. 2.3]. complexity bounds for abelian p -groups to the general case. The basic facts neededfor the reduction are given by the following lemma. Lemma 7.
Let G be a finite abelian group and let N be a multiple of λ ( G ) . Let p , . . . , p k be distinct primes dividing N , and let G p i be the Sylow p i -subgroup of G . (i) Given a generating set S for G , one can compute generating sets S , . . . , S k for G p , . . . , G p k , each of size | S | , using O (cid:0) | S | lg ǫ N (cid:1) group operations. (ii) Given a uniformly distributed random β ∈ G , one can compute elements β , . . . , β k uniformly distributed over the groups G p , . . . , G p k ( respectively ) ,using O (cid:0) lg ǫ N (cid:1) group operations.Proof. Let N i be the largest divisor of N relatively prime to p i . Given β ∈ S , or arandom β ∈ G , we compute β = β N , . . . , β k = β N k with either Algorithm 7.3 orAlgorithm 7.4 of [26], using O (lg ǫ N ) group operations. The map φ i : G → G p i sending β to β N i is a surjective group homomorphism,invertible on G p i ⊂ G . Thus if S generates G , then S i = φ i ( S ) generates G p i , whichproves (i). If β is uniformly distributed over G , then φ i ( β ) is uniformly distributedover G p i , proving (ii). (cid:3) We now extend Propositions 2 and 3 to arbitrary finite abelian groups.
Proposition 4.
Let G be a finite abelian group whose nontrivial Sylow subgroupsare G p , . . . , G p k , and suppose that the exponent ( resp. order ) of G is given. Let S be a generating set for G , with S i as in Lemma 7. (i) There is a generic algorithm to compute a basis for G which uses O (cid:0) | S | lg ǫ | G | (cid:1) + X T B ( S i ) group operations, where T B ( S i ) is bounded as in Proposition 2. (ii) Given a randomized black box for G , there is a Monte Carlo ( resp. LasVegas ) generic algorithm to compute a basis for G using an expected O (cid:0) lg ǫ | G | (cid:1) + X T ∗ B ( G p i ) = O ( | G | / ) group operations, where T ∗ B ( G p i ) is bounded as in Proposition 3.Proof. (i) is immediate from Lemma 7 and Proposition 2. (ii) follows similarly fromProposition 3 and the comments following, using the bound X | G p i | / ≤ Y | G p i | / = 32 | G | / from Lemma 9. (cid:3) Corollary 3.
Given a randomized black box for a finite abelian group G , there is aMonte Carlo algorithm to compute a basis for G using O ( | G | / ) group operations.Proof. Algorithm 8.1 of [26] computes N = λ ( G ) with high probability and uses o ( √ N ) group operations, assuming Algorithms 5.1 and 5.2 of [26] are used for ordercomputations. The corollary then follows from (ii) of Proposition 4. (cid:3) Algorithm 7.3 is due to Celler and Leedham-Green [10].
TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 19
If we are given a generating set S with | S | = O ( | G | / − ǫ ), we may apply Lemma 6to obtain an analogous corollary.The space required by the algorithms of Proposition 4 and Corollary 3 can bemade quite small, polynomial in lg | G | , using algorithms based on Pollard’s rhomethod to handle the base cases of the discrete logarithm computations and apply-ing the search used in Algorithm 5.1 of [26]. If this is done, the complexity boundfor computing λ ( G ) increases to O ( N / ) (but will typically be better than this).It is not necessary to use a particularly fast algorithm to compute λ ( G ) in orderto prove Corollary 3; any O ( N / ) algorithm suffices. However, the time to computea basis for G is often much less then | G | / group operations, as the worst case mayarise rarely in practice. Applying Algorithms 5.1 and 5.2 of [26] yields considerableimprovement in many cases. These comments are especially relevant when one only wishes to compute a basisfor a particular Sylow p -subgroup H of G (perhaps as a prelude to extracting p throots in G ). Once we have computed λ ( G ), we can compute a basis for any of G ’sSylow subgroups with a running time that typically depends only on the size andshape of the subgroup of interest, not on G . The following proposition followsimmediately from Lemma 7 and Proposition 3. Proposition 5.
Let H be a Sylow p -subgroup of a finite abelian group G . Givena multiple N of the exponent of G and a randomized black box for G , there is aprobabilistic generic algorithm to compute a basis for H using O (cid:0) r lg ǫ N (cid:1) + T ∗ B ( H ) = O ( r lg ǫ N + | H | / ) group operations, where r is the rank of H . Performance results
We tested the new algorithms on abelian p -groups of various sizes and shapes inorder to assess their performance. As in previous sections, G is an abelian groupof size p n , exponent p m , and rank r , whose shape is given by a partition of n into r parts, with largest part m .Here we present results for p = 2, as this permits the greatest variation in theother parameters, and also because the Sylow 2-subgroup is of particular interestin many applications. Results for other small primes are similar. When p is large,the results are not as interesting: n , r , and m are all necessarily small, and thecomputation is dominated by the discrete logarithms computed in the base cases,whose Θ( p r/ ) performance is well understood.Our tests in p -groups used a black box which represents each cyclic factor of G using integers mod p n i . This is a convenient but arbitrary choice. Identical resultsare obtained for any black box implementation, since the algorithms are generic.Our performance metric counts group operations (multiplications and inversions)and does not depend on the speed of the black box or the computing platform. To compute discrete logarithms in the base cases, we used Shanks’ baby-stepsgiant-steps algorithm [22] extended to handle products of cyclic groups. Ratherthan the lexicographic ordering used by Algorithm 9.3 of [26], we instead compute For example, Teske reports computing a basis for the ideal class group G of Q [ √ D ], with D = − + 1), using 243 , , ≈ . | G | / group operations [28]. In [26], a basis for G iscomputed using 250 , ≈ . | G | / group operations. Thus the performance results reported here are not impacted by Moore’s law. n \ r
113 89 76 94 669 97936
261 204 172 194 853 163750
591 455 380 370 1501 197518
Table 1.
Group operations to compute DL ( α , β ) in G ∼ = (cid:0) Z / n/r Z (cid:1) r .a Gray code [13] when enumerating steps, always using one group operation perstep (this is especially useful for small p , saving up to a factor of 2). A moresignificant optimization available with Shanks’ method is the ability to perform k discrete logarithms in a group of size N using 2 √ kN (rather than 2 k √ N ) groupoperations by storing √ kN baby steps in a lookup table and then taking p N/k giant steps as each of the k discrete logarithms is computed. This optimization is useful in Algorithms 1 and 3, even for a single discretelogarithm computation, as there may be many base cases in the same subgroup.It is even more useful in the context of Algorithms 4 and 5, as several calls toAlgorithm 3 may use the same basis. In the bound for T DL ( G ) in Corollary 1, thiseffectively replaces the factor n/r by p n/r . When the rank-dependent terms in T DL ( G ) dominate sufficiently, the bounds in Propositions 2 and 3 can be improvedby replacing | S | − r with p | S | − r | and t with √ t (respectively).Table 1 lists group operation counts for Algorithm 1 when computing discretelogarithms in 2-groups of rectangular shape, corresponding to partitions of n into r parts, all of size m = n/r . Each entry is an average over 100 computations ofDL( α , β ) for a random β ∈ G . Precomputation was optimized for a single discretelogarithm (repeated for each β ) and these costs are included in Table 1. Reusingprecomputed values can improve performance significantly over the figures givenhere, particularly when additional space is used, as in [27].Algorithm 1 used the parameter t = ⌊ (lg n − /r ⌋ in these tests, which was nearoptimal in most cases. The optimal choice of w is slightly less than that used inthe proof of Proposition 1, as the average size of the exponents is smaller than thebound used there. For each entry in Table 1, if one computes the bound on T DL ( G )given by Proposition 1, we find the constant c close to 1 in most cases (never morethan 1.5). In the first four columns of Table 1, the counts are dominated by theexponent-dependent terms of T DL ( G ), explaining the initially decreasing costs as r increases for a fixed value of n ( r is larger, but m = n/r is smaller).Table 2 compares the performance of Algorithm 1 to Teske’s generalization ofthe Pohlig–Hellman algorithm on groups of order 2 with a variety of differentshapes. The baby-steps giant-steps optimization mentioned above is also applicableto Teske’s algorithm (with even greater benefit), and we applied this optimizationto both algorithms. The figures in Table 2 reflect averages over 100 computationsof DL ( α , β ) for random β ∈ h α i . One uses p kN/ β ∈ h α i . TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 21
Group Structure Pohlig–Hellman–Teske Algorithm 1 G
256 32862 1268 G · · · · · · · G G · · · · · · · · G · · · · G · Table 2.
Computing discrete logarithms in groups of order 2 . The notation a · b c indicates the group Z / a Z × (cid:0) Z / b Z (cid:1) c . Two advantages of Algorithm 1 are apparent in Table 2. In the first two rows,the complexity is dominated by m , and Algorithm 1 has a nearly linear dependenceon m , versus a quadratic dependence in the algorithms of Pohlig–Hellman andTeske. In the last two rows, the complexity is dominated by p r/ . Algorithm 1computes just one base case in a subgroup of size p r , due to the shapes of thegroups, while Teske’s algorithm computes m base case in a subgroup of size p r (using O ( m / p r/ ) group operations, thanks to the baby-steps giant-steps optimization).Table 3 presents performance results for Algorithms 4 and 5 when used to con-struct a basis for four of the groups listed in Table 2. The group operation countsare averages over 100 tests. The first four rows list results for Algorithm 4 whengiven a random generating set S of size r + t . The case t = 0 is of interest becauseit covers the situation where S is itself a basis, hence it may function as a basis ver-ification procedure. The costs in this case are comparable to the cost of computinga single discrete logarithm in the group generated by S (this improves for p > − p − t . t G G G G Algorithm 4 0 897 1739 9231 16963320 27077 15383 50528 40610240 45741 24946 71752 58650180 82921 44337 111451 788065Algorithm 5 - 12727 2770 49219 37287620 27725 15027 68362 49434540 44137 26066 79950 58764580 76054 40843 109257 936478
Table 3.
Computing a basis for groups of order 2 . Acknowledgments
The author would like to thank David Harvey for his extensive feedback on anearly draft of this paper, and the referee, for improving the proof of Lemma 6.8.
Appendix
The inequality below is elementary and surely known. Lacking a suitable refer-ence, we provide a short proof here.
Lemma 8.
For any real number a > there is a constant c ≤ a/e a such thatfor all real numbers x , . . . , x n ≥ a ( and any n ) , X x i ≤ c Y x i . Proof.
We assume x ≤ · · · ≤ x n . If we fix P x i , we can only decrease Q x i bysupposing x n − = a , since if x n − = a + δ , we have x n − x n = ax n + δx n ≤ ax n + δa = a ( x n + δ ) . We now assume x = · · · = x n − = a and x n = a + δ with δ ≥
0. Since f ( δ ) = X x i / Y x i = ( n − a + δa n − δ is a decreasing function of δ , we maximize P x i / Q x i by assuming x n = a as well.Thus it suffices to consider the case P x i / Q x i = na/a n , and we now view g ( n ) = na/a n as a function of a real variable n , which is maximized by n = 1 / ln a .Therefore, we may bound P x i / Q x i by (1 / ln a ) /a / ln a = a/e a , and thelemma follows. (cid:3) The bound on c given in the lemma is not necessarily tight, since n must be aninteger. If we note that g ( n ) = na/a n is increasing for n < / ln a and decreasingfor n > / ln a , it follows that the best possible c is(19) c = min (cid:18) g (cid:18)(cid:22) a (cid:23)(cid:19) , g (cid:18)(cid:24) a (cid:25)(cid:19)(cid:19) . Applying (19) with a = √
2, we obtain the following lemma.
Lemma 9.
For any integers x , . . . , x n > we have P √ x i ≤ Q √ x i . References
1. Vincenzo Acciaro,
The probability of generating some common families of finite groups , Util-itas Mathematica (1996), 243–254.2. Leonard M. Adleman, Kenneth Manders, and Gary L. Miller, On taking roots in finite fields ,Proceedings of the 18th IEEE Symposium on Foundations of Computer Science, 1977, pp. 175–178.3. L´aszl´o Babai and Robert Beals,
A polynomial-time theory of black-box groups I. , GroupsSt. Andrews 1997 in Bath, I, London Mathematical Society Lecture Notes Series, vol. 260,Cambridge University Press, 1999, pp. 30–64.4. Daniel J. Bernstein,
Faster square roots in annoying finite fields , http://cr.yp.to/papers/sqroot.pdf , 2001.5. , Pippenger’s exponentiation algorithm , http://cr.yp.to/papers/pippenger.pdf ,2001.6. Ernest F. Brickell, Daniel M. Gordon, Kevin S. McCurley, and David B. Wilson, Fast expo-nentiation with precomputation , Advances in Cryptology–EUROCRYPT ’92, Lecture Notesin Computer Science, vol. 658, Springer-Verlag, 1992, pp. 200–207.
TRUCTURE COMPUTATION AND DISCRETE LOGARITHMS 23
7. Johannes Buchmann, Michael J. Jacobson, Jr., and Edlyn Teske,
On some computationalproblems in finite abelian groups , Mathematics of Computation (1997), 1663–1687.8. Johannes Buchmann and Arthur Schmidt, Computing the structure of a finite abelian group ,Mathematics of Computation (2005), 2017–2026.9. Johannes Buchmann and Ulrich Vollmer, Binary quadratic forms: an algorithmic approach ,Algorithms and Computations in Mathematics, vol. 20, Springer, 2007.10. Frank Celler and C. R. Leedham-Green,
Calculating the order of an invertible matrix , Groupsand Computation II, DIMACS Series in Discrete Mathematics and Theoretical ComputerScience, vol. 28, American Mathematical Society, 1997, pp. 55–60.11. Henri Cohen,
A course in computational algebraic number theory , Springer, 1996.12. Daniel M. Gordon,
A survey of fast exponentiation methods , Journal of Algorithms (1998),129–146.13. Donald E. Knuth, The art of computer programming, volume IV, fascicle 2: Generating alltuples and permutations , Addison-Wesley, 2005.14. Chae Hoon Lim and Pil Joong Lee,
More flexible exponentiation with precomputation , Ad-vances in Cryptology–CRYPTO ’94, Lecture Notes in Computer Science, vol. 839, Springer,1994, pp. 95–107.15. Kevin S. McCurley,
The discrete logarithm problem , Cryptography and Computational Num-ber Theory (C. Pomerance, ed.), Proceedings of Symposia in Applied Mathematics, vol. 42,American Mathematical Society, 1990, p. 4974.16. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone,
Handbook of applied cryp-tography , CRC Press, 1997, revised reprint.17. Andrew Odlyzko,
Discrete logarithms: The past and the future , Designs, Codes, and Cryp-tography (2000), 129–145.18. Nicholas Pippenger, On the evaluation of powers and related problems (preliminary version) ,17th Annual Symposium on Foundations of Computer Science, IEEE, 1976, pp. 258–263.19. Stephen C. Pohlig and Martin E. Hellman,
An improved algorithm for computing logarithmsover GF ( p ) and its cryptographic significance , IEEE Transactions on Information Theory (1978), 106–110.20. John M. Pollard, Monte Carlo methods for index computations mod p , Mathematics of Com-putation (1978), 918–924.21. Carl Pomerance, The expected number of random elements to generate a finite abelian group ,Periodica Mathematica Hungarica (2001), 191–198.22. Donald Shanks, Class number, a theory of factorization and genera , Analytic Number Theory,Proceedings of Symposia on Pure Mathematics, vol. 20, American Mathematical Society, 1971,pp. 415–440.23. ,
Five number-theoretic algorithms , Proceedings of the 2nd Manitoba Conference onNumerical Mathematics, 1972, pp. 51–70.24. Victor Shoup,
Lower bounds for discrete logarithms and related problems , Advances inCryptology–EUROCRYPT ’97, Lecture Notes in Computer Science, vol. 1233, Springer-Verlag, 1997, revised version, pp. 256–266.25. ,
A computational introduction to number theory and algebra , Cambridge UniversityPress, 2005.26. Andrew V. Sutherland,
Order computations in generic groups , PhD thesis, MIT, 2007, http://groups.csail.mit.edu/cis/theses/sutherland-phd.pdf .27. ,
Extracting roots in finite abelian groups , 2008, preprint.28. Edlyn Teske,
A space efficient algorithm for group structure computation , Mathematics ofComputation (1998), 1637–1663.29. , Speeding up Pollard’s rho method for computing discrete logarithms , AlgorithmicNumber Theory Symposium–ANTS III, Lecture Notes in Computer Science, vol. 1423,Springer-Verlag, 1998, pp. 541–554.30. ,
The Pohlig-Hellman method generalized for group structure computation , Journal ofSymbolic Computation (1999), 521–534.31. Alberto Tonelli, Bemerkung ¨uber die Aufl¨osung quadratischer Congruenzen , G¨ottingerNachrichten (1891), 344–346.
Massachusetts Institute of Technology
E-mail address ::