Las Vegas algorithms for matrix groups

László Babai^{1,2}
Department of Computer Science
University of Chicago
Chicago, IL 60637

Robert Beals^1
Department of CIS
University of Oregon
Eugene, OR 97403
1 Partially supported by NSF Grant CCR 9014562 and OTKA Grant 2581.
2 Eötvös University, Budapest, Hungary
0272-5428/93 $03.00 © 1993 IEEE

Abstract

We consider algorithms in finite groups, given by a list of generators.

We give polynomial time Las Vegas algorithms (randomized, with guaranteed correct output) for basic problems for finite matrix groups over the rationals (and over algebraic number fields): testing membership, determining the order, finding a presentation (generators and relations), and finding basic building blocks: center, composition factors, and Sylow subgroups.

These results extend previous work on permutation groups into the potentially more significant domain of matrix groups. Such an extension has until recently been considered intractable.

In the case of matrix groups G of characteristic p, there are two basic types of obstacles to polynomial-time computation: number theoretic (factoring, discrete log) and large Lie-type simple groups of the same characteristic p involved in the group. The number theoretic obstacles are inherent and appear already in handling abelian groups. They can be handled by moderately efficient (subexponential) algorithms.

We are able to locate all the nonabelian obstacles in a normal subgroup N and solve all problems listed above for G/N.

Most results are even more general and apply (with some additional stipulations) to black-box groups (group elements are strings of uniform length, group operations are performed by an oracle).

The algorithms build on a variety of recent randomization techniques, as well as a statistical analysis of various classes of finite simple groups. The classification of the finite simple groups is extensively used, even when the objective is merely to determine the order of the group.

1 Introduction

1.1 Matrix groups: obstacles and results

Both in mathematics and in the sciences, groups occur mostly in the form of matrix groups. Matrix representations are a classical tool of group theory. Most finite simple groups arise as groups of matrices. Given these prominent roles, it is somewhat surprising that the algorithmic theory of matrix groups has until recently been virtually nonexistent. Instead, permutation groups have been the dominant form of group representation both in complexity theory and in computational practice.

The reason for this state of affairs may be the perceived intractability of matrix groups. Indeed, the membership problem for groups of 4 × 4 integral matrices is undecidable [Mi]. The same problem for groups of 1 × 1 matrices over finite fields is a close relative of the discrete log problem, not believed to be solvable in polynomial time.

From the point of view of polynomial time computation, permutation groups are fairly well understood (cf. [Si], [FHL], [Lu1], [Ka2], [KLs]), and program packages in computational group theory (CAYLEY [Can], GAP [Sch+], [Leo1-2]) perform well for permutation groups. However, to our knowledge, these programs treat matrix groups poorly, by turning them into permutation groups, usually acting on an exponentially large domain. Thereby the hope for handling matrix groups of nontrivial dimension is eliminated.

Solving the problems of factoring certain integers and discrete log is sufficient and in essence also necessary to handle abelian matrix groups. The main message of the present paper should be that many “nonabelian obstacles” can be eliminated, and the largest ones located. Since the abelian obstacles can be handled in subexponential time, a complete elimination of the nonabelian obstacles would greatly expand the boundaries of computation with matrix groups.

In this paper we overcome some of the “nonabelian obstacles” in Las Vegas polynomial time. In particular, our results completely solve the basic problems in the case of characteristic zero (finite matrix groups over Q and more generally over algebraic number fields), and provide substantial partial results in the case of finite characteristic.
Recently, E. M. Luks [Lu3] has given polynomial time algorithms for solvable matrix groups involving tiny primes only (except for the characteristic of the field). (“Tiny” means it is part of the input in unary. Some stipulation of this type is inevitable because of the “discrete log obstacle”.)

At the cost of replacing determinism by Las Vegas, we obtain results for arbitrary groups.

1.2 Characteristic zero

The following corollary to our main results is the simplest to state. Note that the class of finite matrix groups over Z already properly includes all permutation groups. By nice representation we mean a homomorphism to either a permutation group or to the additive group of Z_r for some prime r.

Theorem 1.1 Let G be a finite matrix group over an algebraic number field, given by a list of generators. Then in Las Vegas polynomial time we can
(a) test membership in G;
(b) compute |G| and a presentation (generators and relations) for G;
(c) find the center of G;
(d) find a composition series for G, together with nice representations of the composition factors;
(e) find Sylow p-subgroups of G for each p | |G|.

We note that finiteness of such G can be tested in deterministic polynomial time [BBR], and the primes dividing |G| are tiny (≤ 2kn, where k is the degree (over Q) of the algebraic number field and n is the dimension of the matrices) [New, p. 175, Theorem IX.6].

Item (d) allows permutation group techniques to be applicable (in particular, sifting [Si], cf. [FHL]), clearing the way for the solution of a host of further problems. (Sifting is explained in Sec. 3.)

1.3 Black-box groups

We consider finite groups in a very general representation called black-box groups [BSz]: group elements are represented by strings of uniform length, group operations are performed by an oracle, and, as always in this paper, a group is given by a list of generators.

Matrix groups over finite fields clearly fit in this model. Elements of finite matrix groups over algebraic number fields are not a priori represented by strings of fixed (polynomially bounded) length; the fact that they actually are is a recent result [BBR].

In our algorithms, we shall assume the knowledge of a superset of the prime divisors of |G|. This is trivial (see above) in the characteristic zero case. In the case of groups of d × d matrices over GF(q) (subgroups of the linear group GL(d, q)), this amounts to factoring the integers (q^i − 1), i = 1, ..., d. This is possible in subexponential time (cf. [Dix2]), and in practice faster methods are known for factoring integers of special forms such as (q^i − 1).

Even when G is known to be elementary abelian of order dividing p^{2e}, it is not possible to tell the cases |G| = p^e and |G| = p^{2e} apart by fewer than p^e + 1 queries to the oracle [BSz]. Therefore it is necessary, even just to handle the case of elementary abelian groups, to endow the black-box group with a further device, the linear algebra oracle. This oracle produces an expression of an element of an elementary abelian subgroup H ≤ G in terms of a given set of elements of H, and reports if no such expression exists.

In subgroups of GL(d, p^a), linear algebra over an elementary abelian r-subgroup P comes “for free” for r = p. If r ≠ p, then the linear algebra oracle is equivalent (by diagonalizing the matrices of P) to the discrete log problem in a subgroup (of order r) of the multiplicative group of an extension of the field of degree ≤ d. (The discrete log problem in a field F is the following: given a, b ∈ F, find x such that a^x = b or report that no such x exists.)

If r is polynomially bounded, this is easy, regardless of the field. Otherwise we have to invoke a discrete log routine. The fastest general discrete log algorithm over F (Adleman and DeMarrais [AD]) has complexity

$\exp\left(\sqrt{c \log|F| \log\log|F|}\right).$

The [AD] analysis relies on some unproven number theoretic assumptions. For many cases, Lovorn [Lo] provides the same complexity with fully proven analysis. For earlier results, we refer to [McC, ElG, HR].

1.4 Groups with tractable composition factors

A subgroup H is subnormal in G if it is a member of some subnormal chain. Notation: H ⊲⊲ G. If, in addition, H < K ≤ G, H ⊲ K, and K/H is elementary abelian of order r, we shall say that the field GF(r) is involved in G.

For black-box groups with large elementary abelian subgroups, we require a linear algebra oracle. In addition, we need the number theory oracles for G. These comprise oracles for computing discrete logarithms in finite fields involved in G; moreover, an explicitly given superset of the prime divisors of |G|.
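The two cases of the linear algebra oracle described in Section 1.3, as an added worked example that is not part of the paper: for an elementary abelian p-subgroup of GL(d, p) made of unipotent matrices [[1, v], [0, I]] the oracle is Gaussian elimination over GF(p), while for an r-subgroup with r ≠ p, written as diagonal matrices with entries in the order-r subgroup ⟨ζ⟩ of GF(p)^*, every diagonal entry first has to be turned into a discrete logarithm base ζ before the same elimination is run over GF(r). The field p = 7, the prime r = 3, the generator ζ = 2 and the generator matrices are constructed for this example; the r ≠ p subgroup is assumed to be diagonal already over GF(p) (in general, as the text says, this needs an extension field), and the discrete logs are brute-forced, which is only admissible because r is tiny, i.e. the “r polynomially bounded” case.

```python
# Added example, not from the paper: the "linear algebra oracle" of Section 1.3 for two
# elementary abelian subgroups of GL(d, p), coded from scratch.
#   r = p : matrices [[1, v], [0, I]] with v in GF(p)^(d-1); multiplication adds the v's,
#           so expressing a target as a product of generator powers is elimination mod p.
#   r != p: diagonal matrices with entries in the order-r subgroup <zeta> of GF(p)^*; each
#           entry first needs a discrete log base zeta, then the same elimination mod r.
# p = 7, r = 3, zeta = 2 and the generators below are constructed for this example.  The
# r != p subgroup is assumed already diagonal over GF(p); the discrete log is brute force,
# which is only acceptable because r is tiny (the "r polynomially bounded" case).

def mat_mul(A, B, p):
    n = len(A)
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n))
                 for i in range(n))

def mat_pow(A, e, p):
    R = tuple(tuple(int(i == j) for j in range(len(A))) for i in range(len(A)))
    for _ in range(e):
        R = mat_mul(R, A, p)
    return R

def product_of_powers(gens, exps, p):
    """prod_j gens[j]**exps[j]; the generators commute, so the order is irrelevant."""
    R = mat_pow(gens[0], 0, p)
    for g, e in zip(gens, exps):
        R = mat_mul(R, mat_pow(g, e, p), p)
    return R

def solve_mod(cols, target, m):
    """Coefficients c with sum_j c_j*cols[j] == target (mod prime m), or None if no solution.
    Gauss-Jordan elimination on the augmented matrix [cols^T | target]."""
    k, n = len(cols), len(target)
    A = [[cols[j][i] % m for j in range(k)] + [target[i] % m] for i in range(n)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, m)
        A[r] = [(x * inv) % m for x in A[r]]
        for i in range(n):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % m for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(A[i][k] for i in range(r, n)):      # a row 0 = nonzero: target not in the span
        return None
    coeff = [0] * k
    for i, c in enumerate(pivots):
        coeff[c] = A[i][k]
    return coeff

def unipotent(v, p):
    """[[1, v], [0, I]] in GL(len(v)+1, p)."""
    d = len(v) + 1
    rows = [tuple([1] + [x % p for x in v])]
    rows += [tuple(int(i == j) for j in range(d)) for i in range(1, d)]
    return tuple(rows)

def express_unipotent(gens, target, p):
    """r = p: exponents e with prod gens[j]**e[j] == target, by linear algebra alone."""
    return solve_mod([g[0][1:] for g in gens], target[0][1:], p)

def dlog_bruteforce(zeta, r, y, p):
    """x in [0, r) with zeta**x == y (mod p), or None.  Costs O(r): fine only for tiny r."""
    return next((x for x in range(r) if pow(zeta, x, p) == y), None)

def diagonal(exps, zeta, p):
    d = len(exps)
    return tuple(tuple(pow(zeta, exps[i], p) if i == j else 0 for j in range(d)) for i in range(d))

def express_diagonal(gens, target, zeta, r, p):
    """r != p: discrete logs of the diagonal entries, then linear algebra mod r."""
    d = len(target)
    logs = [[dlog_bruteforce(zeta, r, M[i][i], p) for i in range(d)] for M in list(gens) + [target]]
    if any(x is None for row in logs for x in row):
        return None                              # some entry lies outside <zeta>
    return solve_mod(logs[:-1], logs[-1], r)

P, R, ZETA = 7, 3, 2                              # constructed: 2 has order 3 in GF(7)^*
U_GENS = [unipotent((1, 2, 3), P), unipotent((0, 1, 4), P)]
D_GENS = [diagonal((1, 2, 0), ZETA, P), diagonal((0, 1, 1), ZETA, P)]

if __name__ == "__main__":
    t = product_of_powers(U_GENS, [2, 5], P)
    print("unipotent exponents:", express_unipotent(U_GENS, t, P))          # [2, 5]
    t = product_of_powers(D_GENS, [2, 1], P)
    print("diagonal exponents: ", express_diagonal(D_GENS, t, ZETA, R, P))  # [2, 1]
```

The only difference between the two branches is the call to dlog_bruteforce: in the r = p case the exponents can be read off the matrices directly, in the r ≠ p case each entry costs one discrete logarithm, and for r of cryptographic size that call has to be replaced by a subexponential routine such as [AD], which is exactly the obstacle the text describes.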
Let v(G) denote the smallest v such that all nonabelian composition factors of G have permutation representations of degree ≤ v. The timing of our main result will depend on the value of v.

For G a matrix group in finite characteristic, the parameter v may be exponentially large. In this case our algorithm may still be used to obtain important information about the group in polynomial time if p is small, or in subexponential time if discrete log routines need to be used. Basically, a “bottleneck subgroup” N ⊴ G is found which in a sense captures all of the nonabelian obstacles; and G/N is manageable.

Theorem 1.2 Let G be a black-box group with a linear algebra oracle for elementary abelian subgroups and the number theory oracles. Then one can perform, in Las Vegas time that is polynomial in (v + input size), each task listed in Theorem 1.1.

By the preceding discussion, Theorem 1.1 is a corollary of this result. In addition, Theorem 1.2 can be applied to matrix groups over finite fields. Here, we should make a comparison with recent work of E. M. Luks [Lu3], the only paper in existence in the area of polynomial-time algorithms for matrix groups.

Luks's algorithms are deterministic, while ours are Las Vegas (randomized with proven correct output). Luks considers solvable matrix groups in characteristic p and solves the basic problems in time polynomial in the input size and $\bar p$, the largest prime divisor of |G| other than p.

For solvable matrix groups, v(G) = 1, and the conditions of our Theorem 1.2 (factoring, linear algebra oracle, and discrete log) can easily be implemented within Luks's timing. We have thus reproduced Luks's basic results in this case with a more elementary Las Vegas algorithm.

More significantly, we consider all finite groups, not merely the subclass of solvable groups. Our algorithms are efficient (apart from the inevitable discrete log) for all groups where the v(G) parameter is not too large.

Next we state a result which allows direct comparison with Luks's main result [Lu3, Theorem 3.2]. Let G ≤ GL(n, p^a). Let $\bar p$ be the largest prime other than p among the orders of the abelian composition factors of G, and let v = v(G) (as above).

Theorem 1.3 For G ≤ GL(n, p^a), one can perform, in Las Vegas time that is polynomial in ($\bar p$ + v + input size), each task listed in Theorem 1.1.

Note that no discrete log oracle is invoked in this statement, and the bound on the running time does not involve p. This result does not follow directly from Theorem 1.2; the extra work required is indicated in Section 7.2.

In Luks's case we have v = 1, in which case our timing reduces to his. We note that Luks [Lu3] solves a number of other computational tasks as well.

1.5 Structure Theorem for nonabelian bottlenecks

Theorem 1.4 Let G ≤ GL(n, p^a) be given along with a timing parameter v and the number theory oracle. Then in Monte Carlo time polynomial in the input length and v we can find a normal subgroup N of G and a matrix representation ρ of N in characteristic p satisfying:
(i) N is in block upper triangular form.
(ii) Either N = 1 or the diagonal blocks N_i satisfy S_i ≤ N_i/Z(N_i) ≤ Aut(S_i), where S_i is a Lie-type simple group of characteristic p with no permutation representation of degree ≤ v.
For the quotient group G/N, we solve all tasks except (a) (membership) listed in Theorem 1.1.

We remark that this algorithm is not Las Vegas: with small probability, it can make a (one-sided) error (underestimating |G|). Such an error cannot occur if we have a membership test for N; in that case, the algorithm becomes Las Vegas.

This result shows that effective treatment of representations of Lie-type simple groups in their own characteristic would resolve our problems for matrix groups in general. One step in this direction is provided by Neumann and Praeger [NP].

1.6 Application to cryptography

Several authors have proposed various cryptosystems and cryptographic protocols based on the assumption that discrete log is intractable. (For example, Boyar, Krentel, and Kurtz [BKK] give a bit commitment scheme based on the discrete log.) Generalizing this, Impagliazzo and Yung [IY] introduce the notion of a one-way group homomorphism. Brassard, Crépeau and Yung [BCY] further develop this idea. Formally, φ: G → H is a one-way group homomorphism if G and H are black-box groups, φ is a homomorphism, the image φ(G) is polynomial time recognizable, and it is computationally infeasible to invert φ. The notion of one-way group homomorphisms can be used in the place of the discrete log in various cryptographic applications, such as bit commitment schemes.
Our black-box group membership algorithm can be used to invert a homomorphism to a black-box group, unless φ(G) either involves a large abelian group as a quotient of a normal subgroup or has nonabelian composition factors which require large (i.e., not polynomially bounded) degree permutation representations. This focuses the search for one-way homomorphisms to the abelian case (discrete log) and to Chevalley groups represented as matrix groups of the same characteristic.

1.7 Methods

A conjugate of a subset S ⊆ G is a subset of the form g^{-1}Sg (g ∈ G). All conjugates of S generate its normal closure ⟨S^G⟩, the smallest normal subgroup containing S.

One of the key operations used is taking normal closures in black-box groups via the “random subproducts” method from [BCFLS] (in Monte Carlo polynomial time).

Our algorithms make frequent use of nearly uniformly distributed random elements, obtained in Monte Carlo polynomial time using random walks and “cube doubling” in [Ba2]. While a simple combination of this and normal closure is often unsatisfactory, an improvement allows us to perform “blind descent” along an unknown and untestable chain of subgroups via a “one-way random walk” [BS] (see below).

The analysis of the algorithms depends on detailed information about the list of finite simple groups and specific statistical results regarding small conjugacy classes of elements in some of these classes of groups (cf. Lemmas 2.6, 2.7).

2 Preliminaries

2.1 One-way random walks

Suppose that we know that our group G has some “nice” subgroup H which we want to compute with high probability, and that we have a randomized procedure P such that P(G) = H with probability 1/n^c, and otherwise P(G) = G. If we lack an algorithm to test whether a given subgroup is H, it seems that little can be done. However, sometimes it is possible to design P such that P(H) = H. Then by iterating P polynomially many times, we will find H with high probability.

This method is used by Beals and Seress [BS] to find a normal subgroup of a black-box group assuming that one with small index exists. In this case there is a class of “nice” subgroups (proper normal subgroups of G), and the procedure P(X) works by taking a random element r of X and returning ⟨r^G⟩. The sequence of elements r_1, r_2, ..., r_t selected by successive iterations of P is a random walk on G. This random walk is one-way in the following sense: if for some i, the element r_i lies in a proper normal subgroup of G, then for all j ≥ i the element r_j is also in that proper normal subgroup of G.

We use several variations of the one-way random walk method. In addition to the basic version described above, we show how to use the method to find normal subgroups even when no normal subgroup of small index exists (cf. Section 5). For convenience, we will say that a procedure has a “reasonable” probability of success if the reciprocal of the success probability is polynomially bounded. The one-way random walk method is used to amplify “reasonable” success probability to high probability.

The following observation leads to further shortcuts in the one-way random walk:

Lemma 2.1 Let G be a nonabelian black-box group. Let a, b ∈ G \ {1}. Then in Las Vegas time polynomial in the input length we may calculate c ∈ G \ {1} such that if at least one of a, b is in a proper normal subgroup of G, then c is also in a proper normal subgroup of G.

Proof: Note that

$[a,b] = a^{-1}b^{-1}ab = (b^{-1})^{a}\, b = a^{-1}\, a^{b} \in \langle a^G\rangle \cap \langle b^G\rangle,$

so if a and b do not commute we may let c = [a,b]. Similarly, if some a′ ∈ ⟨a^G⟩ does not commute with b then we may let c = [a′,b], so assume b centralizes ⟨a^G⟩. Then if b centralizes G, we let c = b since b ∈ Z(G) ≠ G. (Z(G) denotes the center of G.) Otherwise we let c = a, since b centralizes ⟨a^G⟩ but not G, so we must have ⟨a^G⟩ ≠ G. □

2.2 Group theoretic tools

For standard terminology, we refer to [Ha].

Given a black-box group G, we would like to construct a concrete representation of a factor group of G, either as a permutation group or as a matrix group. We make use of the following facts:
Fact 2.2 Suppose T ⊲⊲ G is a nonabelian simple group. Then ⟨T^G⟩, the normal closure of T, is a direct product of conjugates of T. These conjugates are permuted transitively by the conjugation action of G. □

Fact 2.3 Suppose T ⊲⊲ G is cyclic of prime order p. Let P = ⟨T^G⟩. Then P is a p-group. □

Suppose we succeed in calculating a subnormal simple subgroup T of G. If T is nonabelian, then we obtain an unfaithful permutation action of G. If T is abelian, then by descending the lower central series of ⟨T^G⟩ and taking the normal closure of an element of prime order, we find an elementary abelian normal subgroup N of G, on which G acts as linear transformations of a vector space. (In Section 6 we show how to use the linear algebra oracle to explicitly calculate the matrix representations of elements of G in this case.)

Our algorithm depends upon the classification of finite simple groups (cf. [Go]). These groups fall into four categories: cyclic groups of prime order, alternating groups (degree ≥ 5), simple groups of Lie type, and finitely many sporadic groups. The Lie type simple groups are defined in terms of matrix groups over finite fields (cf. [Car]), and comprise classical groups and exceptional groups. There are four families of classical groups, each parameterized by the order of the field and the dimension of the vector space: linear, symplectic, orthogonal and unitary groups. The families of exceptional groups act on spaces of bounded dimension and are parameterized by the order of the field only. A result of Landazuri and Seitz [LS] implies that for a Lie type simple group G, v(G) is polynomially related to the size of the vector space. In particular, if G is an exceptional group then |G| is polynomially bounded by v(G). We summarize what we need in the following statement:

Fact 2.4 Let G be a finite group. Then the nonabelian composition factors of G are alternating groups of degree ≤ v(G), classical groups acting on vector spaces of size polynomially bounded by v(G), exceptional groups of order bounded by a fixed power of v(G), and sporadic groups (of bounded order). □

Our algorithm to handle classical composition factors relies on the following result of Zsigmondy (cf. [HB, p. 508, Theorem 8.3]):

Fact 2.5 Let q be a prime power. Suppose k > 6. Then there is a prime number r such that r | q^k − 1 and for all i < k, r ∤ q^i − 1. (The only exceptions for k ≤ 6 are k = 6, q = 2 and k = 2 with q a Mersenne prime.)

This result, together with the order formulas for the classical groups, gives the following:

Lemma 2.6 Let G be a classical group. Then there exists a prime r, polynomially bounded by v(G), such that with probability ≥ 1/v(G)^c, a random element g of G raised to the power r will have ≤ v(G)^c conjugates in Aut(G), with g^r ≠ 1. The constant c is absolute.

Proof: G acts projectively on a vector space of dimension d over a q-element field, where q^d is polynomially bounded by v(G). Also, G contains a subgroup H isomorphic to G_1 × G_2, where G_1 is the same kind of classical group as G acting projectively on a vector space of dimension d − 4, and G_2 is nontrivial. By Fact 2.5 and the order of |G_1| there is a prime number r dividing |G_1| and not dividing q^i − 1 for 1 ≤ i < d − c_1 (where c_1 is a constant depending on which family of classical groups G belongs to and on the parity of d). Let h ∈ H map to an element of order r in G_1 and to a non-identity element of G_2. By choice of r, h acts irreducibly on a subspace of dimension d − c_1, so the order of the centralizer of h is polynomially bounded. Let g ∈ G be random. The probability that g is conjugate to h is 1/|C_G(h)| (since |G| = |h^G| · |C_G(h)|). (C_G(h) denotes the centralizer of h in G.) Raising a conjugate of h to the power r, we obtain a non-identity element with polynomially many conjugates in Aut(G). □

For alternating groups, we need a similar result:

Lemma 2.7 Let G be isomorphic to the alternating group A_k. Let n ≥ k, and let q be the highest power of 3 dividing n!. Randomly choose g ∈ G. With probability Ω(1/k), g^{n!/q} is a 3-cycle, and so has O(k^3) conjugates in G.

Proof: We consider the cycle decomposition of g, depending on the residue class of k mod 6. If k ≡ 2 or 4 (mod 6) consider the probability that g has cycle lengths 3, k − 3. If k ≡ 0 (mod 6) consider cycle lengths 2, 2, 3, k − 7. If k ≡ 1 or 3 (mod 6) consider cycle lengths 2, 3, k − 5. Finally, if k ≡ 5 (mod 6) consider cycle lengths 3, 4, k − 7. Each of these has probability Ω(1/k), and in all such cases, g is an even permutation with g^{n!/q} a 3-cycle. □

These Lemmas are used in Sections 4 and 5 to handle classical and alternating subgroups and quotient groups.

Our results on black-box groups may be applied to finite matrix groups in characteristic 0. For this we use the following combination of a result of Feit and Tits [FT] with [LS]:

Fact 2.8 Let G ≤ GL(n, C) be a finite group. Then v(G) ≤ n^const. □
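An exhaustive check of Lemma 2.7 for k = n = 7, as an added example that is not part of the paper. The exponent n!/q acts on an l-cycle of g as (n!/q) mod l, so the power can be computed cycle by cycle; and since n!/q contains every prime power of n! except the 3-part, an l-cycle with 3 ∤ l collapses to fixed points, a 3-cycle stays a 3-cycle and a 6-cycle splits into two 3-cycles. Hence g^{n!/q} is a 3-cycle exactly when g has one cycle of length 3 and no other cycle length divisible by 3; for k = 7 that is 70 choices of the 3-cycle times the 4 even permutations of the remaining four points, 280 of the 2520 elements of A_7, i.e. probability 1/9, comfortably Ω(1/k). The helper class_size_in_alternating confirms the O(k^3) conjugate count (70 = 7·6·5/3) by enumeration. A_7 and the sample permutations are constructed inputs.

```python
# Added example, not from the paper: an exhaustive check of Lemma 2.7 for k = n = 7, coded
# from scratch.  The exponent n!/q acts on an l-cycle of g by (n!/q) mod l, so g**(n!/q)
# is computed cycle by cycle and never as a product of n!/q factors.  Since n!/q carries
# every prime power of n! except the 3-part, an l-cycle with 3 not dividing l collapses,
# a 3-cycle stays a 3-cycle and a 6-cycle splits into two 3-cycles; hence g**(n!/q) is a
# 3-cycle exactly when g has one 3-cycle and no other cycle length divisible by 3.
# Permutations are tuples with perm[x] the image of x; A_7 is the constructed input.
from itertools import permutations
from math import factorial

def cycles(perm):
    seen, out = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = perm[x]
        out.append(cyc)
    return out

def is_even(perm):
    return sum(len(c) - 1 for c in cycles(perm)) % 2 == 0

def power(perm, e):
    """perm**e: inside a cycle of length l, position i moves to position (i + e) mod l."""
    img = list(perm)
    for cyc in cycles(perm):
        l = len(cyc)
        for i, x in enumerate(cyc):
            img[x] = cyc[(i + e) % l]
    return tuple(img)

def three_part_of_factorial(n):
    """q = the highest power of 3 dividing n!  (Legendre's formula)."""
    v, m = 0, n
    while m:
        m //= 3
        v += m
    return 3 ** v

def is_three_cycle(perm):
    return sorted(len(c) for c in cycles(perm)) == [1] * (len(perm) - 3) + [3]

def count_good_elements(k, n=None):
    """(#g in A_k with g**(n!/q) a 3-cycle, |A_k|), by enumerating A_k."""
    n = k if n is None else n
    e = factorial(n) // three_part_of_factorial(n)
    good = total = 0
    for perm in permutations(range(k)):
        if is_even(perm):
            total += 1
            good += is_three_cycle(power(perm, e))
    return good, total

def conjugate(perm, h):
    """h^-1 * perm * h  (right action: x -> h[perm[h^-1[x]]])."""
    hinv = [0] * len(h)
    for i, x in enumerate(h):
        hinv[x] = i
    return tuple(h[perm[hinv[x]]] for x in range(len(h)))

def class_size_in_alternating(k, perm):
    """Number of A_k-conjugates of perm, by enumeration."""
    return len({conjugate(perm, h) for h in permutations(range(k)) if is_even(h)})

if __name__ == "__main__":
    good, total = count_good_elements(7)
    print(good, "of", total, "elements of A_7 work:", good / total)            # 280 of 2520
    print("A_7-conjugates of a 3-cycle:",
          class_size_in_alternating(7, (1, 2, 0, 3, 4, 5, 6)))                  # 70
```

For the black-box setting of Section 4 the algorithm cannot inspect cycle structure; it only knows the candidate exponents (a prime ≤ v(G) or v(G)!/q) and tests the resulting element for a small conjugacy class. The enumeration above shows why that blind guess succeeds with reasonable probability.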
3 Overview of the algorithm

We shall use sifting, a technique essentially going back to Schreier and extensively used in permutation group algorithms by Sims [Si] (cf. [FHL], [Kn], [Lu3]). Suppose G has a subgroup H ≤ G and there exists a set of coset representatives of H, {r_1, ..., r_t}, such that for each g ∈ G we can calculate its representative r_i satisfying g ∈ H r_i. Then we can represent g (uniquely) as h r_i for some h ∈ H, the siftee. Repeating this process through a chain of subgroups yields a siftee in the group at the bottom of the chain.

In permutation groups, the subgroup chain typically used is the stabilizer chain (we successively fix the points of the permutation domain). In the context of the present paper, we shall be able to sift once a permutation representation φ: G → S_n is found, using the inverse image of the stabilizer chain. As a result, we shall be able to sift down to the kernel of φ, while standard permutation group techniques will establish all the necessary information regarding the quotient G/ker φ. Similarly, if a homomorphism G → Z_p is found into the additive group of integers mod p, we shall be able to sift down to the kernel even if p is large (so a list of coset representatives could not be stored).

Our basic data structure will consist of a pair (M, K) of subnormal subgroups of G such that (1) M is in the center of K; (2) we are able to sift down from G to K.

Progress is made by finding one of the following: (a) a nontrivial permutation representation for K, (b) a nontrivial unfaithful matrix representation for K, (c) a nontrivial homomorphism from K to M, or (d) a central subgroup of K properly containing M.

In cases (a), (b) or (c) we sift to the kernel (decreasing K); but for (b) we use a recursive call, treating the matrix group as a black-box group (if G is a matrix group in characteristic p, it is possible to avoid making recursive calls on matrix groups of characteristic ≠ p; we discuss this in subsection 7.2). In case (d) we increase M. We are done when M = K (we will see later how the linear algebra oracle can be used to do membership testing in M).

Intermediate progress is made, in Section 5, by finding a subnormal subgroup S of K such that S/M is simple. We obtain a permutation representation or an unfaithful matrix representation of K by the conjugation action on ⟨S^K⟩/M, depending on whether or not S/M is abelian (in the abelian case we need to show how to use the linear algebra oracle to express elements of ⟨S^K⟩/M in terms of a basis, see Section 6).

In the abelian case, if the matrix representation is trivial, then in Section 6 we show how to obtain a homomorphism from K to M, and if this homomorphism is trivial then S is central and we are in case (d).

In the nonabelian case, if the permutation representation is trivial then S is normal in K and we find in Section 4 an element of S which has only polynomially many conjugates modulo M, so we are in case (a).

Many of the subroutines we use are Monte Carlo; nevertheless we obtain a Las Vegas algorithm in the end. This is because in the end we obtain fast membership tests for all of the subgroups K constructed, so techniques of Sims [Si] (cf. [FHL], [Kn]) apply: we need to verify that each supposedly normal subgroup constructed is in fact closed under conjugation, and contains the siftees of the generators.

Remark. As described here, given a matrix group G, our algorithm may make recursive calls with matrix groups of different characteristic from that of G. However, the algorithm may be modified so that this does not happen. The necessary modifications are described in subsection 7.2. Therefore, composition factors isomorphic to Z_p, where p is the characteristic of the field, do not pose problems even for the recursive calls.

Remark. This process also yields presentations (in terms of generators and relators) of G (within the same time bound).

4 Simple groups

Assume that M = 1 (this assumption will be justified in Section 6). Suppose we have S ⊲ K nonabelian simple. (This is essentially our base case.) We wish to find a permutation representation of small degree for S. This will be accomplished once we find an element g ∈ S with few K-conjugates.

A simple group S is either (a) alternating or classical, or (b) has polynomial size. Case (b) is trivial, so suppose we are in case (a). By Lemmas 2.6 and 2.7, a carefully selected power α of a random element will have polynomially many conjugates. There are polynomially many choices for α: it is either a prime ≤ v(G) or v(G)!/q, where q is the highest power of 3 dividing v(G)!. Therefore, in expected polynomial time, we can find an element with polynomially many conjugates. We have proved:

Lemma 4.1 Let S be a simple normal subgroup of the black-box group K. Then in Las Vegas time polynomial in v(S) and the input length, we can find a conjugacy class C of K contained in S with |C| polynomially bounded by v(S). □
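Sifting through a stabilizer chain, as described in Section 3, in an added example that is not code from the paper: a deterministic Schreier–Sims construction of a base and strong generating set for a permutation group given by generators, with sift() as the membership test of Theorem 1.1(a) in the permutation case and the product of the orbit sizes as |G|. This is only the permutation-group base case on which the paper's sifting down to ker φ rests; none of the black-box machinery (random subproducts, normal closures, the linear algebra oracle) is implemented. Permutations are tuples with p[x] the image of x, compose(p, q) applies p first, and g ∈ H r_i is realized as g = h · r_i where r_i is the transversal element sending the base point to g[b]. The groups A_5 = ⟨(0 1 2), (0 1 2 3 4)⟩ and S_6 at the bottom are constructed test inputs.

```python
# Added example, not from the paper: sifting through a stabilizer chain (Section 3) for a
# permutation group given by generators, coded from scratch.  A base and strong generating
# set are built by the simplest deterministic Schreier-Sims procedure; sift() is then the
# membership test, and the product of the orbit sizes is the group order.
# Permutations are tuples (p[x] = image of x); compose(p, q) applies p first, so that
# g in H*r means g = h*r with r the transversal element sending the base point to g[b].

def compose(p, q):
    """p then q."""
    return tuple(q[x] for x in p)

def inverse(p):
    inv = [0] * len(p)
    for i, x in enumerate(p):
        inv[x] = i
    return tuple(inv)

class StabilizerChain:
    def __init__(self, generators, n):
        self.n = n
        self.identity = tuple(range(n))
        self.base = []           # base[i]: the point fixed at level i
        self.gens = []           # gens[i]: strong generators of the i-th stabilizer G^(i)
        self.transversal = []    # transversal[i]: orbit point -> element of G^(i) taking base[i] there
        for g in generators:
            if g != self.identity:
                self._add(0, 0, g)
        self._close()

    def _orbit(self, i):
        b = self.base[i]
        trans, queue = {b: self.identity}, [b]
        while queue:
            x = queue.pop()
            for s in self.gens[i]:
                y = s[x]
                if y not in trans:
                    trans[y] = compose(trans[x], s)   # maps b to y
                    queue.append(y)
        self.transversal[i] = trans

    def _add(self, lo, hi, g):
        """Add g, which fixes base[0..hi-1], to levels lo..hi (opening level hi if it is new)."""
        if hi == len(self.base):
            self.base.append(next(x for x in range(self.n) if g[x] != x))
            self.gens.append([])
            self.transversal.append({})
        for i in range(lo, hi + 1):
            self.gens[i].append(g)
            self._orbit(i)

    def sift(self, g, start=0):
        """Strip g through levels start..; returns (siftee, level at which stripping stopped)."""
        for i in range(start, len(self.base)):
            y = g[self.base[i]]
            if y not in self.transversal[i]:
                return g, i
            g = compose(g, inverse(self.transversal[i][y]))
        return g, len(self.base)

    def _close(self):
        """Schreier-Sims: repeat until every Schreier generator sifts to the identity."""
        changed = True
        while changed:
            changed = False
            for i in range(len(self.base)):
                for x, u in list(self.transversal[i].items()):
                    for s in self.gens[i]:
                        schreier = compose(compose(u, s), inverse(self.transversal[i][s[x]]))
                        h, j = self.sift(schreier, i + 1)
                        if h != self.identity:
                            self._add(i + 1, j, h)
                            changed = True

    def contains(self, g):
        h, _ = self.sift(g)
        return h == self.identity

    def order(self):
        size = 1
        for t in self.transversal:
            size *= len(t)
        return size

if __name__ == "__main__":
    A5 = StabilizerChain([(1, 2, 0, 3, 4), (1, 2, 3, 4, 0)], 5)   # (0 1 2), (0 1 2 3 4)
    print("|A5| =", A5.order(), "base =", A5.base)                 # 60
    print("(0 1)(2 3) in A5:", A5.contains((1, 0, 3, 2, 4)))       # True
    print("(0 1) in A5:     ", A5.contains((1, 0, 2, 3, 4)))       # False
```

The verification step the text mentions for turning Monte Carlo subroutines into a Las Vegas result is the same sift: a supposedly normal subgroup is checked by sifting the conjugates of its generators and requiring the identity as siftee.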
Lemma 5.1 Let G be a black-box group, given together with a list including all prime divisors of IGI.
5
Then in Las Vegas time polynomial in u(G) and the
input length we can find a subnormal simple subgroup
of G.0
Finding normal subgroups
Again, assume M = 1. To find a simple S aa K ,
we let IC0 = K and successively find K1 D Kz D
. . ., where each Ki+l is the normal closure in Ki of
an element x chosen so that Ki+l has a reasonable
probability of being a proper normal subgroup of Ki.
The process of selecting x is similar in flavor to the
methods for handling simple groups outlined in the
previous Section. We describe the process below:
To take care of abelian quotient groups, we let x
be a commutator of generators of Ki (unless K , itself
is abelian, in which case an appropriate power of an
element of Ki will generate a cyclic group of prime
order). For polynomial size quotient groups, including all sporadic and exceptional quotients, a random
element x of ICi suffices.
Now assume that the simple quotient groups of Ki
consist of alternating and classical groups. Pick one,
call it S (S and the homomorphism from K , to S are
of course not known to the algorithm). We want to
find a nonidentity x E Ki such that with reasonable
probability x maps to the identity in S.
First we use the method of the previous Section to
find a y E G such that the image of y in S has polynomially many conjugates. In contrast with the situation of the last Section, we cannot immediately tell
whether an element has polynomially many conjugates
in S. However, our success probability is reasonable.
Suppose that we are successful in finding a y which
maps to an element of S with polynomially many conjugates. If y has polynomially many conjugates in IC*,
then we have a permutation representation of K_i, of which we can let K_{i+1} be the kernel (or, if the kernel is trivial, then we can find a simple subnormal subgroup of K_i by Luks's algorithm [Lu1]). If y has a large number of conjugates in K_i, then since the image of y in S has only polynomially many conjugates, we may let x be the quotient of y and a random conjugate of y.

Of course, we do not know what types of simple groups are factor groups of K_i, but a guess has a reasonable probability of being correct. We continue until we reach an i such that with high probability K_i is simple, and then we use the methods outlined in Section 3 to make progress. We have

A combination of this and Lemmas 4.1 and 5.1 completes the proof of Theorem 1.2. □

6 Nilpotent groups

Nilpotent groups (cf. [Ha], [Lu2]) occur at the "bottom" of our reductions. We show below how to handle them using the linear algebra oracle. We remark that we do not refer to Luks's deterministic algorithms to handle this case [Lu2]. Instead, we give a considerably simpler Las Vegas algorithm.

Nilpotent subgroups of G include M, and those subgroups encountered which are abelian modulo M. Note that being able to test membership in M allows us to treat K/M as a black-box group, justifying our assumption that M = 1 in the preceding two sections.

First we show how to express elements of M in terms of the generators, even when M is not elementary abelian. We know all the primes in |M|, so by Chinese remaindering we can effectively factor M into a direct product of p-groups, so assume M is a p-group. Let p^k be the largest power of p less than the exponent of M. Then raising elements to the p^k-th power is a homomorphism to an elementary abelian p-group, and the linear algebra oracle allows us to sift to the kernel of this homomorphism. Repeat with decreasing k.

Next we show how to represent elements of SK/M as vectors, where SK/M is elementary abelian. The "commutator trick" described below gives us a homomorphism from SK/M to M, so again we can sift.

Finally we describe how to obtain a homomorphism from K to M if S/M is central in K/M but S is not central in K. This "commutator trick" was first used in this algorithmic context in [BSz]: for $a \in K$ let $\psi_a : S/M \to M$ be the homomorphism $Mx \mapsto [a, x]$ (this is well defined). The $\psi_a$ satisfy $\psi_{ab} = \psi_a \psi_b$. Let s be the generator of S/M. Then $a \mapsto \psi_a(s)$ is a homomorphism from K to M and it is trivial iff S is central.
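As an added illustration of the sifting procedure just described (example code written for this page; it is not part of the paper or of any system the paper cites), the abelian p-group M is modelled concretely as Z_{p^{e_1}} x ... x Z_{p^{e_m}} so that the group operations can actually be run, and the "linear algebra oracle" is simulated by reading each element of order dividing p off as a GF(p)-vector. Generators of the kernel of x -> x^{p^k} are taken to be the p-th powers of the current generators together with the products along a basis of the nullspace returned by the oracle; that construction, and the names AbelianPGroup, solve_gf_p, express and evaluate, are assumptions of this example (the paper only says that the oracle lets us sift to the kernel). The sample group, generators and target elements in the block are constructed for the demonstration.

```python
# Added example (not from the paper): expressing an element of an abelian
# p-group in terms of generators by repeated "raise to p^k, sift, descend to
# the kernel", using only black-box operations plus a simulated linear
# algebra oracle for elementary abelian p-groups.

class AbelianPGroup:
    """Black-box view of M = Z_{p^e1} x ... x Z_{p^em} (written multiplicatively)."""

    def __init__(self, p, exps):
        self.p = p
        self.mods = [p ** e for e in exps]
        self.identity = tuple(0 for _ in exps)

    def mul(self, a, b):
        return tuple((x + y) % m for x, y, m in zip(a, b, self.mods))

    def power(self, a, k):  # k may be negative
        return tuple((k * x) % m for x, m in zip(a, self.mods))

    def coords(self, x):
        """Linear algebra oracle: an element of order dividing p as a GF(p)-vector."""
        out = []
        for xi, m in zip(x, self.mods):
            if m == 1:
                out.append(0)
                continue
            assert (self.p * xi) % m == 0, "element is not in the elementary abelian part"
            out.append((xi // (m // self.p)) % self.p)
        return out


def solve_gf_p(cols, target, p):
    """Solve sum_i c_i*cols[i] == target over GF(p) by Gaussian elimination.
    Returns (particular solution or None, basis of the nullspace of c -> sum c_i cols[i])."""
    k, d = len(cols), len(target)
    M = [[cols[j][i] % p for j in range(k)] + [target[i] % p] for i in range(d)]
    pivots, r = [], 0
    for c in range(k):
        if r == d:
            break
        piv = next((i for i in range(r, d) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(x * inv) % p for x in M[r]]
        for i in range(d):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    null = []
    for f in (c for c in range(k) if c not in pivots):
        v = [0] * k
        v[f] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-M[i][f]) % p
        null.append(v)
    if any(M[i][k] for i in range(r, d)):  # inconsistent system
        return None, null
    sol = [0] * k
    for i, pc in enumerate(pivots):
        sol[pc] = M[i][k]
    return sol, null


def express(G, gens, h):
    """Exponent vector c with prod gens[i]^c[i] == h, or None if h is not in <gens>."""
    p = G.p
    e = 0  # p^e = exponent of <gens>
    while any(G.power(g, p ** e) != G.identity for g in gens):
        e += 1
    k = len(gens)
    words = [(g, [int(i == j) for j in range(k)]) for i, g in enumerate(gens)]
    total = [0] * k
    for level in range(e - 1, -1, -1):  # "repeat with decreasing k"
        q = p ** level
        if G.power(h, q * p) != G.identity:  # h cannot lie in the current kernel
            return None
        vecs = [G.coords(G.power(g, q)) for g, _ in words]
        c, null = solve_gf_p(vecs, G.coords(G.power(h, q)), p)
        if c is None:
            return None
        for (g, w), ci in zip(words, c):  # sift h into the kernel of x -> x^q
            h = G.mul(h, G.power(g, -ci))
            total = [t + ci * wi for t, wi in zip(total, w)]
        # kernel generators (assumption of this example): p-th powers plus
        # products along the nullspace; trivial generators are dropped
        new = [(G.power(g, p), [p * wi for wi in w]) for g, w in words]
        for n in null:
            elt, wv = G.identity, [0] * k
            for (g, w), ni in zip(words, n):
                elt = G.mul(elt, G.power(g, ni))
                wv = [a + ni * b for a, b in zip(wv, w)]
            new.append((elt, wv))
        words = [(g, w) for g, w in new if g != G.identity]
    return total if h == G.identity else None


def evaluate(G, gens, exps):
    out = G.identity
    for g, c in zip(gens, exps):
        out = G.mul(out, G.power(g, c))
    return out


if __name__ == "__main__":
    # constructed sample: M = Z_27 x Z_9 x Z_3 with three redundant generators
    G = AbelianPGroup(3, [3, 2, 1])
    gens = [(1, 3, 0), (0, 3, 1), (2, 0, 1)]
    h = evaluate(G, gens, [4, 5, 2])
    exps = express(G, gens, h)
    print(exps, evaluate(G, gens, exps) == h)
    print(express(G, gens, (0, 1, 0)))  # not in <gens>
```

express walks the levels from the top power of p downwards, exactly as the paragraph prescribes; at each level the oracle is only ever asked about elements of order dividing p. Each level can add up to one new generator per old one, so a real implementation would prune redundant generators rather than merely dropping trivial ones.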
7 Application to matrix groups

While matrix groups may be viewed as implementations of black-box groups, there are several speedups to our algorithm which may be used in applications to matrix groups utilizing the action on subspaces. Such additional tricks account for the added strength of Theorem 1.3. We describe below how to modify the proof of Theorem 1.2 to obtain Theorem 1.3. Also, in finite characteristic we may encounter "nonabelian obstacles" which are too large to be handled by our methods. We show how it is possible to work around these obstacles and obtain useful structural information about the group.

7.1 Characteristic 0

By Fact 2.8, finite matrix groups in characteristic 0 satisfy the conditions of Theorem 1.2 with polynomially bounded ν, so Theorem 1.1 is proved. □

7.2 Proof of Theorem 1.3

First, in characteristic p it is helpful to assume, as we may by a polynomial-time algorithm of Rónyai [Ro], that the group is irreducible (or a p-group in characteristic p). We may find permutation actions by finding subspaces with polynomially many K-images. For example, if N ⊲ K, then K permutes transitively the N-isotypic subspaces.

Suppose G is a matrix group in characteristic p in dimension n. Thus, elementary abelian p-subgroups of G present no difficulty (the linear algebra oracle comes "for free"). However, the algorithm as described above may make a recursive call on a matrix group in characteristic r, for some r ≠ p. We must avoid this, as there may be no easy way to handle the elementary abelian p-subgroups in characteristic r. Our algorithm makes a recursive call on a matrix group in characteristic r if a subgroup S is found such that SK/M is an elementary abelian r-group. We may assume that SK acts isotypically (otherwise we obtain a permutation representation), so Z(SK) is cyclic. If SK is abelian, then it must be cyclic of order r or r^2, and in either case we obtain a homomorphism from K to F_r^*. If SK is nonabelian, then |SK/Z(SK)| ≤ n^2 (in fact any system of coset representatives for SK : Z(SK) is a basis for the enveloping algebra of SK, and conversely any basis for the enveloping algebra of SK consisting of elements of SK is a system of coset representatives for SK : Z(SK)). So in this case, we obtain a permutation representation for K of degree at most n^2.

Therefore, starting from a matrix group in characteristic p, our algorithm need only make recursive calls on matrix groups in characteristic p, with the possible exception of a recursive call with a subgroup of F_r^* for r ≠ p. Permutation representations can be found in all other cases. This completes the proof of Theorem 1.3. □

7.3 Working around nonabelian obstacles

We sketch the proof of Theorem 1.4. For simplicity we assume wlog that the timing parameter ν is greater than some polynomial in the input length, so that the only possible nonabelian composition factors of G not having permutation representations of degree ≤ ν are Lie-type simple groups of the same characteristic p as the field.

We add the following modification to the subroutine that searches for normal subgroups. Recall that, in descending to a simple subnormal subgroup, we repeatedly let K_{i+1} be the normal closure in K_i of a specially chosen x. In the original algorithm, x is chosen in such a way that with reasonable probability, x will be in a proper normal subgroup of K_i if K_i has an abelian quotient group or has a quotient group with a permutation representation of degree ≤ ν. We wish to take care of one more possibility. Suppose K_i has at least two maximal normal subgroups. Then there is a homomorphism $\varphi : K_i \to A \times B$, where A and B are simple groups. Let y be a randomly chosen element of K_i, let r be a prime dividing the order m of y, and let $x = y^{m/r}$. Let $\varphi(y) = (a, b)$. With probability at least 1/2, a and b have different orders. Since r is one of polynomially many primes dividing m, with reasonable probability we have $a^{m/r} = 1$ or $b^{m/r} = 1$ (or both). So with reasonable probability, x is in a proper normal subgroup of K_i.

It may still happen that we reach a K_i for which we can find neither a proper normal subgroup nor a permutation representation of degree ≤ ν. Consider the structure of such a K_i. K_i has a unique simple quotient group T, a simple group of Lie type of characteristic p. By an algorithm of Rónyai [Ro] we may put K_i in block upper triangular form, where the diagonal blocks act irreducibly. By looking at the diagonal blocks, we obtain a homomorphism from K_i to K_i/P, where P is the largest normal p-subgroup of K_i. Let S be a simple subnormal subgroup of K_i/P. Since K_i has no permutation representations of polynomially bounded degree, S is either normal or abelian (or both). Also, K_i has no linear representations in characteristic ≠ p of polynomially bounded dimension, so if S is abelian, it is central. On the other hand, if S is nonabelian, then we have S = T = K_i/P. Now consider (K_i/P)/Z(K_i/P). This group has trivial center, since K_i has no abelian quotients. We must in fact have that T = (K_i/P)/Z(K_i/P).

So while our algorithm may fail to find a simple subnormal subgroup, we do get "close". Let $N = \langle Z(K_i), P \rangle^K$ (recall that K is the subgroup of G that we can "sift" down to). Modulo N, K_i is simple. We can now make progress as in Section 3, with the following modifications: we wish to find the permutation action of K on conjugates of K_i modulo N, but it is now not obvious how to tell if two conjugates of K_i are the same. Two conjugates of K_i are different modulo N iff their mutual commutator is solvable. Therefore, we can sift to the normalizer of K_i modulo N, so assume that K normalizes K_i N.

In this case, we cannot represent nicely the conjugation action of K on T, so we will work around T. That is, we wish to find a representation of K which contains K_i N in the kernel, but has as small a kernel as we can manage.

By Rónyai's algorithm [Ro], we put the matrices in K_i in block upper triangular form with irreducible blocks on the diagonals. We find two kinds of representations for K: the permutation action on K_i-isotypic subspaces, and, after sifting to the kernel of the permutation action, for each K_i-isotypic subspace V we find a tensor product decomposition $V_1 \otimes V_2$ such that K_i acts trivially on V_2. The kernel of the action φ of K on V_2 may properly include K_i N, but we will have
$$T \le \mathrm{Ker}(\varphi)/\langle Z(\mathrm{Ker}(\varphi)),\, O_p(\mathrm{Ker}(\varphi))\rangle \le \mathrm{Aut}(T).$$

We then continue the algorithm with the image of φ. The product of the kernels of the φ found during the course of the algorithm will be the subgroup N mentioned in the statement of Theorem 1.4. This completes the proof of Theorem 1.4. □

8 Application to permutation groups

A family of permutation groups {G_1, G_2, ...}, where G_n has degree n, is said to be a family of small-base groups if log|G_n| is polynomially bounded by log n. Membership testing for small-base groups may be performed very efficiently (in time O(n log^c n)) by an algorithm of [BCFS]. Beals and Seress [BS], in finding composition factors of small-base groups, show how the [BCFS] algorithm may be used to treat the group as a black-box group, where the length of the encoding is polylogarithmic in n. One of the tricky cases in the [BS] algorithm occurs when G has a factor group isomorphic to A_m where m = O(log n), and the goal is to find an element of a proper normal subgroup. The techniques of Section 5 will accomplish this in time polynomial in log n, thereby speeding up and simplifying the [BS] algorithm. Some of the other cases of the [BS] algorithm may be treated using our techniques as well.

9 Concluding remarks

In finite characteristic, it would be desirable to remove the dependence on ν(G) in Theorem 1.2 (replacing at the same time the permutation representation of the composition factors in the output by linear representations).

Acknowledgements

We are indebted to W. M. Kantor and E. M. Luks for fruitful conversations. We wish to thank W. M. Kantor in particular for pointing out Fact 2.8.

Bibliography

[AD] L. M. Adleman, J. DeMarrais: A Subexponential Algorithm for Discrete Logarithms over All Finite Fields, Proc. CRYPTO '93, to appear.
[Asch] M. Aschbacher: On the maximal subgroups of the finite classical groups, Invent. Math. 76 (1984), pp. 469-514.
[At] M. D. Atkinson, ed.: Computational Group Theory (Proc. Durham Symp. 1982), Academic Press, London 1984.
[Ba1] L. Babai: The Probability of Generating the Symmetric Group, J. Comb. Theory, Ser. A 52 (1989), pp. 148-153.
[Ba2] L. Babai: Local expansion of vertex-transitive graphs and random generation in finite groups, Proc. 23rd ACM STOC (1991), pp. 164-174.
[BBR] L. Babai, R. Beals, D. Rockmore: Deciding finiteness of matrix groups in deterministic polynomial time, Tech. Rep. 92-17, U. Chicago, 1992.
[BCFLS] L. Babai, G. Cooperman, L. Finkelstein, E. M. Luks, A. Seress: Fast Monte Carlo algorithms for permutation groups, Proc. 23rd ACM STOC (1991), pp. 90-100.
[BCFS] L. Babai, G. Cooperman, L. Finkelstein, A. Seress: Nearly linear time algorithms for permutation groups with a small base, Proc. ISSAC '91 (Internat. Symp. on Symbolic and Algebraic Computation), Bonn 1991, pp. 200-209.
[BSz] L. Babai, E. Szemerédi: On the complexity of matrix group problems I, in: Proc. 25th IEEE FOCS, Palm Beach FL, 1984, pp. 229-240.
[BS] R. Beals, A. Seress: Structure forest and composition factors for small base groups in nearly linear time, Proc. 24th ACM STOC (1992), pp. 116-125.
[BKK] J. Boyar, M. Krentel, S. Kurtz: A discrete logarithm implementation of zero-knowledge blobs, J. Cryptology 2 (1990).
[BCY] G. Brassard, C. Crépeau, M. Yung: Everything in NP can be argued in perfect zero-knowledge in a bounded number of rounds, Proc. 16th ICALP, Springer-Verlag, Berlin 1989, pp. 123-136.
[Can] J. J. Cannon: An introduction to the group theory language CAYLEY, in [At], pp. 145-183.
[Car] R. W. Carter: Simple Groups of Lie Type, Wiley Classics Edition, Wiley, New York (1989).
[CCNPW] J. H. Conway, R. T. Curtis, S. P. Norton, R. A. Parker, R. A. Wilson: Atlas of finite groups, Clarendon Press, Oxford (1985).
[Dix1] J. D. Dixon: The probability of generating the symmetric group, Math. Z. 110 (1969), pp. 199-205.
[Dix2] J. D. Dixon: Asymptotically fast factorization of integers, Math. Comp. 36 (1981), pp. 255-260.
[ElG] T. ElGamal: A subexponential time algorithm for computing discrete logarithms over GF(p^2), IEEE Trans. Info. Theory 31 (1985), pp. 473-481.
[FT] W. Feit, J. Tits: Projective representations of minimum degree of group extensions, Can. J. Math. 30 (1978), pp. 1092-1102.
[FR] K. Friedl, L. Rónyai: Polynomial time solutions of some problems in computational algebra, in: Proc. 17th ACM STOC, 1985, pp. 153-162.
[FHL] M. L. Furst, J. Hopcroft, E. M. Luks: Polynomial-time algorithms for permutation groups, in: Proc. 21st IEEE FOCS, 1980, pp. 36-41.
[Go] D. Gorenstein: Finite Simple Groups: An Introduction to Their Classification, Plenum, N.Y. 1982.
[Ha] M. Hall, Jr.: The Theory of Groups, Macmillan, New York, 1959.
[HR] M. E. Hellman, J. M. Reyneri: Fast computation of discrete logarithms in GF(q), Advances in Cryptology: Proc. Crypto '82, D. Chaum, R. Rivest, A. Sherman, eds., Plenum 1983, pp. 3-13.
[HB] B. Huppert, N. Blackburn: Finite Groups II, Grundlehren der mathematischen Wissenschaften 242, Springer-Verlag, Berlin, 1982.
[IY] R. Impagliazzo, M. Yung: Direct minimum-knowledge computations, Advances in Cryptology: Crypto '87, LNCS 293, Springer 1988, pp. 40-51.
[Ka1] W. M. Kantor: Permutation Representations of the Finite Classical Groups of Small Degree or Rank, J. Algebra 60 (1979), pp. 158-168.
[Ka2] W. M. Kantor: Sylow's Theorem in Polynomial Time, JCSS 30 (1985), pp. 359-394.
[KLy] W. M. Kantor, A. Lubotzky: The probability of generating a finite classical group, Geometriae Dedicata 36 (1990), pp. 67-87.
[KLs] W. M. Kantor, E. M. Luks: Computing in quotient groups, Proc. 22nd ACM STOC (1990), pp. 524-534.
[LS] V. Landazuri, G. M. Seitz: On the Minimal Degrees of Projective Representations of the Finite Chevalley Groups, J. Algebra 32 (1974), pp. 418-443.
[Leo1] J. Leon: On an Algorithm for Finding a Base and Strong Generating Set for a Group Given by a Set of Generating Permutations, Math. Comp. 35 (1980), pp. 941-974.
[Leo2] J. Leon: Permutation Group Algorithms Based on Partitions, I: Theory and Algorithms, J. Symbolic Comput. 12 (1991), pp. 533-583.
[Lo] R. Lovorn: Rigorous, Subexponential Algorithms for Discrete Logarithms Over Finite Fields, Ph.D. Thesis, University of Georgia, 1992.
[Lu1] E. M. Luks: Computing the composition factors of a permutation group in polynomial time, Combinatorica 7 (1987), pp. 87-99.
[Lu2] E. M. Luks: Computing in Solvable Matrix Groups, Proc. 33rd IEEE FOCS (1992), pp. 111-120.
[McC] K. S. McCurley: The Discrete Logarithm Problem, in: Cryptology and Computational Number Theory, Proc. Symp. Appl. Math. 42 (1990), AMS, Providence, pp. 49-74.
[Mi] K. A. Mihailova: The occurrence problem for direct products of groups (in Russian), Dokl. Akad. Nauk SSSR 119 (1958), pp. 1103-1105, and Mat. Sb. (N. S.) 70 (112) (1966), pp. 241-251.
[New] M. Newman: Integral Matrices, Pure and Applied Mathematics, vol. 45, Academic Press, New York 1972.
[NP] P. M. Neumann, Cheryl E. Praeger: A recognition algorithm for the special linear groups, manuscript, 1990.
[Ro] L. Rónyai: Computing the structure of finite algebras, J. Symbolic Comp. 9 (1990), pp. 355-373.
[Sch+] M. Schönert et al.: GAP - Groups, Algorithms, and Programming, Lehrstuhl D für Mathematik, Rheinisch-Westfälische Techn. Hochschule, Aachen, Germany, 1st ed., 1992.
[Si] C. C. Sims: Computation with permutation groups, Proc. Second Symp. Symb. Algeb. Manipulation, ACM, New York, 1971, pp. 23-28.