Las Vegas algorithms for matrix groups

László Babai (1,2), Department of Computer Science, University of Chicago, Chicago, IL 60637
Robert Beals (1), Department of CIS, University of Oregon, Eugene, OR 97403

(1) Partially supported by NSF Grant CCR 9014562 and OTKA Grant 2581.
(2) Eötvös University, Budapest, Hungary.

0272-5428/93 $03.00 © 1993 IEEE

Abstract

We consider algorithms in finite groups, given by a list of generators. We give polynomial time Las Vegas algorithms (randomized, with guaranteed correct output) for basic problems for finite matrix groups over the rationals (and over algebraic number fields): testing membership, determining the order, finding a presentation (generators and relations), and finding basic building blocks: center, composition factors, and Sylow subgroups. These results extend previous work on permutation groups into the potentially more significant domain of matrix groups. Such an extension has until recently been considered intractable.

In case of matrix groups G of characteristic p, there are two basic types of obstacles to polynomial-time computation: number theoretic (factoring, discrete log) and large Lie-type simple groups of the same characteristic p involved in the group. The number theoretic obstacles are inherent and appear already in handling abelian groups. They can be handled by moderately efficient (subexponential) algorithms. We are able to locate all the nonabelian obstacles in a normal subgroup N and solve all problems listed above for G/N.

Most results are even more general and apply (with some additional stipulations) to black-box groups (group elements are strings of uniform length, group operations are performed by an oracle). The algorithms build on a variety of recent randomization techniques, as well as a statistical analysis of various classes of finite simple groups. The classification of the finite simple groups is extensively used, even when the objective is merely to determine the order of the group.

1 Introduction

1.1 Matrix groups: obstacles and results

Both in mathematics and in sciences, groups occur mostly in the form of matrix groups. Matrix representations are a classical tool of group theory. Most finite simple groups arise as groups of matrices. Given these prominent roles, it is somewhat surprising that the algorithmic theory of matrix groups has until recently been virtually nonexistent. Instead, permutation groups have been the dominant form of group representation both in complexity theory and in computational practice.

The reason for this state of affairs may be the perceived intractability of matrix groups. Indeed, the membership problem for groups of 4 × 4 integral matrices is undecidable [Mi]. The same problem for groups of 1 × 1 matrices over finite fields is a close relative of the discrete log problem, not believed to be solvable in polynomial time.

From the point of view of polynomial time computation, permutation groups are fairly well understood (cf. [Si], [FHL], [Lu1], [Ka2], [KLs]), and program packages in computational group theory (CAYLEY [Can], GAP [Sch+], [Leo1-2]) perform well for permutation groups. However, to our knowledge, these programs treat matrix groups poorly, by turning them into permutation groups, usually acting on an exponentially large domain. Thereby the hope for handling matrix groups of nontrivial dimension is eliminated.

Solving the problems of factoring certain integers and discrete log are sufficient and in essence also necessary to handle abelian matrix groups. The main message of the present paper should be that many "nonabelian obstacles" can be eliminated, and the largest ones located. Since the abelian obstacles can be handled in subexponential time, a complete elimination of the nonabelian obstacles would greatly expand the boundaries of computation with matrix groups.

In this paper we overcome some of the "nonabelian obstacles" in Las Vegas polynomial time. In particular, our results completely solve the basic problems in the case of characteristic zero (finite matrix groups over ℚ and more generally over algebraic number fields), and provide substantial partial results in the case of finite characteristic.

Recently, E. M. Luks [Lu3] has given polynomial time algorithms for solvable matrix groups involving tiny primes only (except for the characteristic of the field). ("Tiny" means it is part of the input in unary. Some stipulation of this type is inevitable because of the "discrete log obstacle".) At the cost of replacing determinism by Las Vegas, we obtain results for arbitrary groups.

1.2 Characteristic zero

The following corollary to our main results is the simplest to state. Note that the class of finite matrix groups over ℤ already properly includes all permutation groups. By nice representation we mean a homomorphism to either a permutation group or to the additive group of ℤ_r^t for some prime r.

Theorem 1.1 Let G be a finite matrix group over an algebraic number field, given by a list of generators. Then in Las Vegas polynomial time we can
(a) test membership in G;
(b) compute |G| and a presentation (generators and relations) for G;
(c) find the center of G;
(d) find a composition series for G, together with nice representations of the composition factors;
(e) find Sylow p-subgroups of G for each p | |G|.

We note that finiteness of such G can be tested in deterministic polynomial time [BBR], and the primes dividing |G| are tiny (≤ 2kn, where k is the degree (over ℚ) of the algebraic number field and n is the dimension of the matrices) [New, p. 175, Theorem IX.6]. Item (d) allows permutation group techniques to be applicable (in particular, sifting [Si], cf. [FHL]), clearing the way for the solution of a host of further problems. (Sifting is explained in Sec. 3.)

1.3 Black-box groups

We consider finite groups in a very general representation called black-box groups [BSz]: group elements are represented by strings of uniform length, group operations are performed by an oracle, and, as always in this paper, a group is given by a list of generators. Matrix groups over finite fields clearly fit in this model. Elements of finite matrix groups over algebraic number fields are not a priori represented by strings of fixed (polynomially bounded) length; the fact that they actually are is a recent result [BBR].

In our algorithms, we shall assume the knowledge of a superset of the prime divisors of |G|. This is trivial (above) in the characteristic zero case. In the case of groups of d × d matrices over GF(q) (subgroups of the linear group GL(d,q)), this amounts to factoring the integers (q^i − 1), i = 1, …, d. This is possible in subexponential time (cf. [Dix2]), and in practice faster methods are known for factoring integers of special forms such as (q^i − 1).

Even when G is known to be elementary abelian of order dividing p^{2e}, it is not possible to tell the cases |G| = p^e and |G| = p^{2e} apart by fewer than p^e + 1 queries to the oracle [BSz]. Therefore it is necessary, even just to handle the case of elementary abelian groups, to endow the black-box group with a further device, the linear algebra oracle. This oracle produces an expression of an element of an elementary abelian subgroup H ≤ G in terms of a given set of elements of H, and reports if no such expression exists.

In subgroups of GL(d,p^a), linear algebra over an elementary abelian r-subgroup P comes "for free" for r = p. If r ≠ p, then the linear algebra oracle is equivalent (by diagonalizing the matrices of P) to the discrete log problem in a subgroup (of order r) of the multiplicative group of an extension of the field of degree ≤ d. (The discrete log problem in a field F is the following: given a, b ∈ F find x such that a^x = b, or report that no such x exists.) If r is polynomially bounded, this is easy, regardless of the field. Otherwise we have to invoke a discrete log routine. The fastest general discrete log algorithm over F (Adleman and DeMarrais [AD]) has complexity exp(√(c · log|F| · log log|F|)). The [AD] analysis relies on some unproven number theoretic assumptions. For many cases, Lovorn [Lo] provides the same complexity with fully proven analysis. For earlier results, we refer to [McC, ElG, HR].

1.4 Groups with tractable composition factors

A subgroup H is subnormal in G if it is a member of some subnormal chain. Notation: H ◁◁ G. If, in addition, H < K ≤ G, H ◁ K, and K/H is elementary abelian of order r, we shall say that the field GF(r) is involved in G. For black-box groups with large elementary abelian subgroups, we require a linear algebra oracle. In addition, we need the number theory oracles for G. These comprise oracles for computing discrete logarithms in finite fields involved in G; moreover an explicitly given superset of the prime divisors of |G|.

Let v(G) denote the smallest v such that all nonabelian composition factors of G have permutation representations of degree ≤ v. The timing of our main result will depend on the value of v. For G a matrix group in finite characteristic, the parameter v may be exponentially large. In this case our algorithm may still be used to obtain important information about the group in polynomial time if p is small, or in subexponential time if discrete log routines need to be used. Basically, a "bottleneck subgroup" N ◁ G is found which in a sense captures all of the nonabelian obstacles; and G/N is manageable.

Theorem 1.2 Let G be a black-box group with a linear algebra oracle for elementary abelian subgroups and the number theory oracles. Then one can perform, in Las Vegas time that is polynomial in (v + input size), each task listed in Theorem 1.1.

By the preceding discussion, Theorem 1.1 is a corollary of this result. In addition, Theorem 1.2 can be applied to matrix groups over finite fields. Here, we should make a comparison with recent work of E. M. Luks [Lu3], the only paper in existence in the area of polynomial-time algorithms for matrix groups. Luks's algorithms are deterministic, while ours are Las Vegas (randomized with proven correct output). Luks considers solvable matrix groups in characteristic p and solves the basic problems in time polynomial in the input size and p̄, the largest prime divisor of |G| other than p. For solvable matrix groups, v(G) = 1, and the conditions of our Theorem 1.2 (factoring, linear algebra oracle, and discrete log) can easily be implemented within Luks's timing. We have thus reproduced Luks's basic results in this case with a more elementary Las Vegas algorithm. More significantly, we consider all finite groups, not merely the subclass of solvable groups. Our algorithms are efficient (apart from the inevitable discrete log) for all groups where the v(G) parameter is not too large.

Next we state a result which allows direct comparison with Luks's main result [Lu3, Theorem 3.2]. Let G ≤ GL(n,p^a). Let p̄ be the largest prime other than p among the orders of the abelian composition factors of G, and let v = v(G) (as above).

Theorem 1.3 For G ≤ GL(n,p^a), one can perform, in Las Vegas time that is polynomial in (p̄ + v + input size), each task listed in Theorem 1.1.

Note that no discrete log oracle is invoked in this statement, and the bound on the running time does not involve p. This result does not follow directly from Theorem 1.2; the extra work required is indicated in Section 7.2. In Luks's case we have v = 1, in which case our timing reduces to his. We note that Luks [Lu3] solves a number of other computational tasks as well.

1.5 Structure Theorem for nonabelian bottlenecks

Theorem 1.4 Let G ≤ GL(n,p^a) be given along with a timing parameter v and the number theory oracle. Then in Monte Carlo time polynomial in the input length and v we can find a normal subgroup N of G and a matrix representation ρ of N in characteristic p satisfying:
(i) N is in block upper triangular form.
(ii) Either N = 1 or the diagonal blocks N_i satisfy S_i ≤ N_i/Z(N_i) ≤ Aut(S_i), where S_i is a Lie-type simple group of characteristic p with no permutation representation of degree ≤ v.
For the quotient group G/N, we solve all tasks except (a) (membership), listed in Theorem 1.1.

We remark that this algorithm is not Las Vegas: with small probability, it can make a (one-sided) error (underestimating |G|). Such error cannot occur if we have a membership test for N; in that case, the algorithm becomes Las Vegas. This result shows that effective treatment of representations of Lie-type simple groups in their own characteristic would resolve our problems for matrix groups in general. One step in this direction is provided by Neumann and Praeger [NP].

1.6 Application to cryptography

Several authors have proposed various cryptosystems and cryptographic protocols based on the assumption that discrete log is intractable. (For example, Boyar, Krentel, and Kurtz [BKK] give a bit commitment scheme based on the discrete log.) Generalizing this, Impagliazzo and Yung [IY] introduce the notion of a one-way group homomorphism. Brassard, Crépeau and Yung [BCY] further develop this idea. Formally, φ: G → H is a one-way group homomorphism if G and H are black-box groups, φ is a homomorphism, the image φ(G) is polynomial time recognizable, and it is computationally infeasible to invert φ. The notion of one-way group homomorphisms can be used in the place of the discrete log in various cryptographic applications, such as bit commitment schemes.

Our black-box group membership algorithm can be used to invert a homomorphism to a black-box group, unless φ(G) either involves a large abelian group as a quotient of a normal subgroup or has nonabelian composition factors which require large (i.e., not polynomially bounded) degree permutation representations. This focuses the search for one-way homomorphisms to the abelian case (discrete log) and to Chevalley groups represented as matrix groups of the same characteristic.

1.7 Methods

A conjugate of a subset S ⊆ G is a subset of the form g^{-1}Sg (g ∈ G). All conjugates of S generate its normal closure ⟨S^G⟩, the smallest normal subgroup containing S. One of the key operations used is taking normal closures in black-box groups via the "random subproducts" method from [BCFLS] (in Monte Carlo polynomial time). Our algorithms make frequent use of nearly uniformly distributed random elements, obtained in Monte Carlo polynomial time using random walks and "cube doubling" in [Ba2]. While a simple combination of this and normal closure is often unsatisfactory, an improvement allows us to perform "blind descent" along an unknown and untestable chain of subgroups via a "one-way random walk" [BS] (see below). The analysis of the algorithms depends on detailed information about the list of finite simple groups and specific statistical results regarding small conjugacy classes of elements in some of these classes of groups (cf. Lemmas 2.6, 2.7).

2 Preliminaries

2.1 One-way random walks

Suppose that we know that our group G has some "nice" subgroup H which we want to compute with high probability, and that we have a randomized procedure P such that P(G) = H with probability 1/n^c, and otherwise P(G) = G. If we lack an algorithm to test whether a given subgroup is H, it seems that little can be done. However, sometimes it is possible to design P such that P(H) = H. Then by iterating P polynomially many times, we will find H with high probability.

This method is used by Beals and Seress [BS] to find a normal subgroup of a black-box group assuming that one with small index exists. In this case there is a class of "nice" subgroups (proper normal subgroups of G), and the procedure P(X) works by taking a random element r of X and returning ⟨r^G⟩. The sequence of elements r_1, r_2, …, r_t selected by successive iterations of P is a random walk on G. This random walk is one-way in the following sense: if for some i the element r_i lies in a proper normal subgroup of G, then for all j ≥ i the element r_j is also in that proper normal subgroup of G.

We use several variations of the one-way random walk method. In addition to the basic version described above, we show how to use the method to find normal subgroups even when no normal subgroup of small index exists (cf. Section 5). For convenience, we will say that a procedure has a "reasonable" probability of success if the reciprocal of the success probability is polynomially bounded. The one-way random walk method is used to amplify "reasonable" success probability to high probability.

The following observation leads to further shortcuts in the one-way random walk:

Lemma 2.1 Let G be a nonabelian black-box group. Let a, b ∈ G \ {1}. Then in Las Vegas time polynomial in the input length we may calculate c ∈ G \ {1} such that if at least one of a, b is in a proper normal subgroup of G, then c is also in a proper normal subgroup of G.

Proof: Note that [a,b] = a^{-1}b^{-1}ab = (b^{-1})^a b ∈ ⟨a^G⟩ ∩ ⟨b^G⟩, so if a and b do not commute we may let c = [a,b]. Similarly, if some a' ∈ ⟨a^G⟩ does not commute with b then we may let c = [a',b], so assume b centralizes ⟨a^G⟩. Then if b centralizes G, we let c = b since b ∈ Z(G) ≠ G. (Z(G) denotes the center of G.) Otherwise we let c = a, since b centralizes ⟨a^G⟩ but not G, so we must have ⟨a^G⟩ ≠ G. □

2.2 Group theoretic tools

For standard terminology, we refer to [Ha].
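The one-way random walk of Section 2.1 and the case analysis in the proof of Lemma 2.1, as an added example that is not code from the paper. The black-box group is S_5 given as permutations (tuples of images), chosen because its only proper nontrivial normal subgroup is A_5, so "lies in a proper normal subgroup" can be checked afterwards as "is an even permutation" (the algorithms themselves never look at parity). Random elements are approximated by random subproducts [BCFLS] rather than the near-uniform elements of [Ba2]; that simplification, the toy group, and all function names are assumptions of the example.

```python
"""Added example: Lemma 2.1 (commutator descent) and the one-way random walk
of Section 2.1 on a toy black-box group (S_5 as tuples of images).
Random subproducts stand in for near-uniform random elements."""
import random


def mul(p, q):                       # apply p, then q
    return tuple(q[i] for i in p)


def inv(p):
    r = [0] * len(p)
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)


def identity(n):
    return tuple(range(n))


def commutator(a, b):                # [a,b] = a^-1 b^-1 a b
    return mul(mul(inv(a), inv(b)), mul(a, b))


def conj(x, g):                      # x^g = g^-1 x g
    return mul(mul(inv(g), x), g)


def is_even(p):
    """Parity via the cycle count. Only used to CHECK results afterwards."""
    seen, cycles = set(), 0
    for i in range(len(p)):
        if i not in seen:
            cycles += 1
            j = i
            while j not in seen:
                seen.add(j)
                j = p[j]
    return (len(p) - cycles) % 2 == 0


def random_subproduct(gens, rng):
    """g_1^{e_1} ... g_k^{e_k} with each e_i uniform in {0,1} ([BCFLS])."""
    x = identity(len(gens[0]))
    for g in gens:
        if rng.random() < 0.5:
            x = mul(x, g)
    return x


def normal_closure(G_gens, S, rng, rounds=40):
    """Monte Carlo normal closure <S^G>: keep adjoining conjugates of random
    subproducts of the closure-so-far by random subproducts of G."""
    N = [s for s in S if s != identity(len(s))]
    for _ in range(rounds):
        c = conj(random_subproduct(N, rng), random_subproduct(G_gens, rng))
        if c != identity(len(c)) and c not in N:
            N.append(c)
    return N


def lemma_2_1(G_gens, a, b, rng):
    """Return c != 1 such that if a or b lies in a proper normal subgroup of G,
    then so does c. Follows the cases of the proof of Lemma 2.1."""
    e = identity(len(a))
    c = commutator(a, b)
    if c != e:                       # [a,b] lies in <a^G> and in <b^G>
        return c
    for a1 in normal_closure(G_gens, [a], rng):
        c = commutator(a1, b)
        if c != e:                   # b does not centralize <a^G>
            return c
    if all(commutator(g, b) == e for g in G_gens):
        return b                     # b is central and Z(G) != G
    return a                         # b centralizes <a^G> but not G, so <a^G> != G


def one_way_walk(G_gens, steps, rng):
    """Section 2.1: r_i is a random element of X_i and X_{i+1} = <r_i^G>.
    Returns r_1, ..., r_steps; once some r_i is even, all later r_j are even."""
    X, walk = list(G_gens), []
    for _ in range(steps):
        r = random_subproduct(X, rng)
        if r == identity(len(r)):    # do not let the walk collapse to {1}
            continue
        walk.append(r)
        X = normal_closure(G_gens, [r], rng)
    return walk


if __name__ == "__main__":
    rng = random.Random(7)
    S5 = [(1, 0, 2, 3, 4), (1, 2, 3, 4, 0)]      # transposition, 5-cycle
    a, b = (1, 2, 0, 3, 4), (1, 0, 2, 3, 4)       # 3-cycle (in A_5), transposition
    c = lemma_2_1(S5, a, b, rng)
    print("c =", c, "even:", is_even(c))
    print("walk parities:", [is_even(r) for r in one_way_walk(S5, 8, rng)])
```

The one-way property does not depend on the Monte Carlo closure succeeding: every element the closure routine produces from an even r is a product of conjugates of even elements, so the walk cannot leave A_5 once it has entered it.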
Given a black-box group G, we would like to construct a concrete representation of a factor group of G, either as a permutation group or as a matrix group. We make use of the following facts:

Fact 2.2 Suppose T ◁◁ G is a nonabelian simple group. Then ⟨T^G⟩, the normal closure of T, is a direct product of conjugates of T. These conjugates are permuted transitively by the conjugation action of G. □

Fact 2.3 Suppose T ◁◁ G is cyclic of prime order p. Let P = ⟨T^G⟩. Then P is a p-group. □

Suppose we succeed in calculating a subnormal simple subgroup T of G. If T is nonabelian, then we obtain an unfaithful permutation action of G. If T is abelian, then by descending the lower central series of ⟨T^G⟩ and taking the normal closure of an element of prime order, we find an elementary abelian normal subgroup N of G, on which G acts as linear transformations of a vector space. (In Section 6 we show how to use the linear algebra oracle to explicitly calculate the matrix representations of elements of G in this case.)

Our algorithm depends upon the classification of finite simple groups (cf. [Go]). These groups fall into four categories: cyclic groups of prime order, alternating groups (degree ≥ 5), simple groups of Lie type, and finitely many sporadic groups. The Lie type simple groups are defined in terms of matrix groups over finite fields (cf. [Car]), and comprise classical groups and exceptional groups. There are four families of classical groups, each parameterized by the order of the field and the dimension of the vector space: linear, symplectic, orthogonal and unitary groups. The families of exceptional groups act on spaces of bounded dimension and are parameterized by the order of the field only. A result of Landazuri and Seitz [LS] implies that for a Lie type simple group G, v(G) is polynomially related to the size of the vector space. In particular if G is an exceptional group then |G| is polynomially bounded by v(G). We summarize what we need in the following statement:

Fact 2.4 Let G be a finite group. Then the nonabelian composition factors of G are alternating groups of degree ≤ v(G), classical groups acting on vector spaces of size polynomially bounded by v(G), exceptional groups of order bounded by (v(G))^c, and sporadic groups (of bounded order). □

Our algorithm to handle classical composition factors relies on the following result of Zsigmondy (cf. [HB, p. 508, Theorem 8.3]):

Fact 2.5 Let q be a prime power. Suppose k > 6. Then there is a prime number r such that r | q^k − 1 and for all i < k, r ∤ q^i − 1. (The only exceptions for k ≤ 6 are k = 6, q = 2 and k = 2 with q a Mersenne prime.)

This result, together with the order formulas for the classical groups, gives the following:

Lemma 2.6 Let G be a classical group. Then there exists a prime r, polynomially bounded by v(G), such that with probability ≥ 1/v^c(G), a random element g of G raised to the power r will have ≤ v^c(G) conjugates in Aut(G), with g^r ≠ 1. The constant c is absolute.

Proof: G acts projectively on a vector space of dimension d over a q element field, where q^d is polynomially bounded by v(G). Also, G contains a subgroup H isomorphic to G_1 × G_2, where G_1 is the same kind of classical group as G acting projectively on a vector space of dimension d − c_1, and G_2 is nontrivial. By Fact 2.5 and the order of |G_1| there is a prime number r dividing |G_1| and not dividing q^i − 1 for 1 ≤ i < d − c_1 (where c_1 is a constant depending on which family of classical groups G belongs to and on the parity of d). Let h ∈ H map to an element of order r in G_1 and to a non-identity element of G_2. By choice of r, h acts irreducibly on a subspace of dimension d − c_1, so the order of the centralizer of h is polynomially bounded. Let g ∈ G be random. The probability that g is conjugate to h is 1/|C_G(h)| (since |G| = |h^G| · |C_G(h)|). (C_G(h) denotes the centralizer of h in G.) Raising a conjugate of h to the power r, we obtain a non-identity element with polynomially many conjugates in Aut(G). □

For alternating groups, we need a similar result:

Lemma 2.7 Let G be isomorphic to the alternating group A_k. Let n ≥ k, and let q be the highest power of 3 dividing n!. Randomly choose g ∈ G. With probability Ω(1/k), g^{n!/q} is a 3-cycle, and so has O(k^3) conjugates in G.

Proof: We consider the cycle decomposition of g, depending on the residue class of k mod 6. If k ≡ 2 or 4 (mod 6) consider the probability that g has cycle lengths 3, k − 3. If k ≡ 0 (mod 6) consider cycle lengths 2, 2, 3, k − 7. If k ≡ 1 or 3 (mod 6) consider cycle lengths 2, 3, k − 5. Finally, if k ≡ 5 (mod 6) consider cycle lengths 3, 4, k − 7. Each of these has probability Ω(1/k), and in all such cases, g is an even permutation with g^{n!/q} a 3-cycle. □

These Lemmas are used in Sections 4 and 5 to handle classical and alternating subgroups and quotient groups.

Our results on black-box groups may be applied to finite matrix groups in characteristic 0. For this we use the following combination of a result of Feit and Tits [FT] with [LS]:

Fact 2.8 Let G ≤ GL(n, ℂ) be a finite group. Then v(G) ≤ n^const. □

3 Overview of the algorithm

We shall use sifting, a technique essentially going back to Schreier and extensively used in permutation group algorithms by Sims [Si] (cf. [FHL], [Kn], [Lu1]). Suppose G has a subgroup H ≤ G and there exists a set of coset representatives of H, {r_1, …, r_t}, such that for each g ∈ G we can calculate its representative r_i satisfying g ∈ Hr_i. Then we can represent g (uniquely) as hr_i for some h ∈ H, the siftee. Repeating this process through a chain of subgroups yields a siftee in the group at the bottom of the chain. In permutation groups, the subgroup chain typically used is the stabilizer chain (we successively fix the points of the permutation domain). In the context of the present paper, we shall be able to sift once a permutation representation φ: G → S_n is found, using the inverse image of the stabilizer chain. As a result, we shall be able to sift down to the kernel of φ, while standard permutation group techniques will establish all the necessary information regarding the quotient G/ker φ. Similarly, if a homomorphism G → ℤ_p is found into the additive group of integers mod p, we shall be able to sift down to the kernel even if p is large (so a list of coset representatives could not be stored).

Our basic data structure will consist of a pair (M, K) of subnormal subgroups of G such that (1) M is in the center of K; (2) we are able to sift down from G to K. Progress is made by finding one of the following: (a) a nontrivial permutation representation for K, (b) a nontrivial unfaithful matrix representation for K, (c) a nontrivial homomorphism from K to M, or (d) a central subgroup of K properly containing M. In cases (a), (b) or (c) we sift to the kernel (decreasing K); but for (b) we use a recursive call, treating the matrix group as a black-box group (if G is a matrix group in characteristic p, it is possible to avoid making recursive calls on matrix groups of characteristic ≠ p; we discuss this in subsection 7.2). In case (d) we increase M. We are done when M = K (we will see later how the linear algebra oracle can be used to do membership testing in M).

Intermediate progress is made, in Section 5, by finding a subnormal subgroup S of K such that S/M is simple. We obtain a permutation representation or an unfaithful matrix representation of K by the conjugation action on S^K/M, depending on whether or not S/M is abelian (in the abelian case we need to show how to use the linear algebra oracle to express elements of S^K/M in terms of a basis, see Section 6). In the abelian case if the matrix representation is trivial, then in Section 6 we show how to obtain a homomorphism from K to M, and if this homomorphism is trivial then S is central and we are in case (d). In the nonabelian case if the permutation representation is trivial then S is normal in K and we find in Section 4 an element of S which has only polynomially many conjugates modulo M, so we are in case (a).

Many of the subroutines we use are Monte Carlo; nevertheless we obtain a Las Vegas algorithm in the end. This is because in the end we obtain fast membership tests for all of the subgroups K constructed, so techniques of Sims [Si] (cf. [FHL], [Kn]) apply: we need to verify that each supposedly normal subgroup constructed is in fact closed under conjugation, and contains the siftees of the generators.

Remark. As described here, given a matrix group G, our algorithm may make recursive calls with matrix groups of different characteristic from that of G. However, the algorithm may be modified so that this does not happen. The necessary modifications are described in subsection 7.2. Therefore, composition factors isomorphic to ℤ_p, where p is the characteristic of the field, do not pose problems even for the recursive calls.

Remark. This process also yields presentations (in terms of generators and relators) of G (within the same time bound).

4 Simple groups

Assume that M = 1 (this assumption will be justified in Section 6). Suppose we have S ◁ K nonabelian simple. (This is essentially our base case.) We wish to find a permutation representation of small degree for S. This will be accomplished once we find an element g ∈ S with few K-conjugates. A simple group S is either (a) alternating or classical, or (b) has polynomial size. Case (b) is trivial, so suppose we are in case (a). By Lemmas 2.6 and 2.7, a carefully selected power α of a random element will have polynomially many conjugates.
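Sifting through a stabilizer chain and the verification step at the end of Section 3 (a Monte Carlo "normal subgroup" is accepted only once it is checked to be closed under conjugation by the generators of G, with the siftees of those conjugates all trivial), as an added example written for this page and not taken from the paper. It builds a base and strong generating set by a plain deterministic Schreier-Sims on a small permutation group, which is enough to show how sifting gives the membership test that turns the Monte Carlo construction into a Las Vegas one. The class, the function names and the sample groups (S_5 and A_5 on 5 points) are the example's own.

```python
"""Added example: stabilizer chain, sifting, and the Section 3 normality check
for permutation groups given as tuples of images (apply p then q in mul)."""


def mul(p, q):
    return tuple(q[i] for i in p)


def inv(p):
    r = [0] * len(p)
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)


def identity(n):
    return tuple(range(n))


def conj(x, g):                      # x^g = g^-1 x g
    return mul(mul(inv(g), x), g)


def orbit_transversal(gens, beta, n):
    """Orbit of beta under <gens>, with u_gamma mapping beta to gamma."""
    trans, queue = {beta: identity(n)}, [beta]
    while queue:
        gamma = queue.pop()
        for g in gens:
            delta = g[gamma]
            if delta not in trans:
                trans[delta] = mul(trans[gamma], g)
                queue.append(delta)
    return trans


class StabChain:
    """One level of a stabilizer chain: orbit of `point` under <gens> with a
    transversal, and (in `next`) the chain of the stabilizer of `point`."""

    def __init__(self, n):
        self.n, self.point, self.gens, self.trans, self.next = n, None, [], {}, None

    def sift(self, g):
        """Sift g down the chain; the siftee is the identity iff g lies in the group."""
        lvl = self
        while lvl is not None and lvl.point is not None:
            gamma = g[lvl.point]
            if gamma not in lvl.trans:           # g leaves the orbit: not in group
                return g
            g = mul(g, inv(lvl.trans[gamma]))    # now g fixes lvl.point
            lvl = lvl.next
        return g

    def extend(self, g):
        """Adjoin g (an element fixing all base points above this level) and
        restore Schreier's condition: every Schreier generator of this level
        must sift to the identity through the chain below."""
        e = identity(self.n)
        if g == e:
            return
        if self.point is None:
            self.point = next(i for i in range(self.n) if g[i] != i)
        self.gens.append(g)
        self.trans = orbit_transversal(self.gens, self.point, self.n)
        for gamma, u in list(self.trans.items()):
            for s in self.gens:
                schreier = mul(mul(u, s), inv(self.trans[s[gamma]]))
                if self.next is None:
                    self.next = StabChain(self.n)
                self.next.extend(self.next.sift(schreier))

    def order(self):
        return 1 if self.point is None else len(self.trans) * self.next.order()


def build_chain(gens, n):
    chain = StabChain(n)
    for g in gens:
        chain.extend(chain.sift(g))              # only adjoin what is new
    return chain


def contains(chain, g):
    return chain.sift(g) == identity(chain.n)


def is_normal(G_gens, N_chain):
    """Section 3 check: N is normal in G = <G_gens> iff every conjugate of a
    generator of N by a generator of G sifts to the identity in N's chain."""
    return all(contains(N_chain, conj(x, g)) for g in G_gens for x in N_chain.gens)


if __name__ == "__main__":
    S5 = [(1, 0, 2, 3, 4), (1, 2, 3, 4, 0)]      # (0 1), (0 1 2 3 4)
    A5 = [(1, 2, 0, 3, 4), (1, 2, 3, 4, 0)]      # (0 1 2), (0 1 2 3 4)
    G, N = build_chain(S5, 5), build_chain(A5, 5)
    print(G.order(), N.order(), is_normal(S5, N), contains(N, (1, 0, 2, 3, 4)))
```

Because the top-level generator list of a chain generates the whole subgroup, conjugating only those generators by the generators of G and sifting the results is a complete normality test; a single non-identity siftee is a witness that the Monte Carlo normal closure was incomplete and must be repeated.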
There are polynomially many choices for α: it is either a prime ≤ v(G) or v(G)!/q, where q is the highest power of 3 dividing v(G)!. Therefore, in expected polynomial time, we can find an element with polynomially many conjugates. We have proved:

Lemma 4.1 Let S be a simple normal subgroup of the black-box group K. Then in Las Vegas time polynomial in v(S) and the input length, we can find a conjugacy class C of K contained in S with |C| polynomially bounded by v(S). □

5 Finding normal subgroups

Again, assume M = 1. To find a simple S ◁◁ K, we let K_0 = K and successively find K_1 ▷ K_2 ▷ …, where each K_{i+1} is the normal closure in K_i of an element x chosen so that K_{i+1} has a reasonable probability of being a proper normal subgroup of K_i. The process of selecting x is similar in flavor to the methods for handling simple groups outlined in the previous Section. We describe the process below.

To take care of abelian quotient groups, we let x be a commutator of generators of K_i (unless K_i itself is abelian, in which case an appropriate power of an element of K_i will generate a cyclic group of prime order). For polynomial size quotient groups, including all sporadic and exceptional quotients, a random element x of K_i suffices.

Now assume that the simple quotient groups of K_i consist of alternating and classical groups. Pick one, call it S (S and the homomorphism from K_i to S are of course not known to the algorithm). We want to find a nonidentity x ∈ K_i such that with reasonable probability x maps to the identity in S. First we use the method of the previous Section to find a y ∈ G such that the image of y in S has polynomially many conjugates. In contrast with the situation of the last Section, we cannot immediately tell whether an element has polynomially many conjugates in S. However, our success probability is reasonable. Suppose that we are successful in finding a y which maps to an element of S with polynomially many conjugates. If y has polynomially many conjugates in K_i, then we have a permutation representation of K_i, of which we can let K_{i+1} be the kernel (or, if the kernel is trivial, then we can find a simple subnormal subgroup of K_i by Luks's algorithm [Lu1]). If y has a large number of conjugates in K_i, then since the image of y in S has only polynomially many conjugates, we may let x be the quotient of y and a random conjugate of y.

Of course, we do not know what types of simple groups are factor groups of K_i, but a guess has a reasonable probability of being correct. We continue until we reach an i such that with high probability K_i is simple, and then we use the methods outlined in Section 3 to make progress. We have shown:

Lemma 5.1 Let G be a black-box group, given together with a list including all prime divisors of |G|. Then in Las Vegas time polynomial in v(G) and the input length we can find a subnormal simple subgroup of G. □

6 Nilpotent groups

Nilpotent groups (cf. [Ha], [Lu3]) occur at the "bottom" of our reductions. We show below how to handle them using the linear algebra oracle. We remark that we do not refer to Luks's deterministic algorithms to handle this case [Lu3]. Instead, we give a considerably simpler Las Vegas algorithm.

Nilpotent subgroups of G include M, and those subgroups encountered which are abelian modulo M. Note that being able to test membership in M allows us to treat K/M as a black-box group, justifying our assumption that M = 1 in the preceding two Sections.

First we show how to express elements of M in terms of the generators, even when M is not elementary abelian. We know all the primes in |M|, so by Chinese remaindering we can effectively factor M into a direct product of p-groups, so assume M is a p-group. Let k be the largest integer such that p^k is less than the exponent of M. Then raising elements to the p^k-th power is a homomorphism to an elementary abelian p-group, and the linear algebra oracle allows us to sift to the kernel of this homomorphism. Repeat with decreasing k.

Next we show how to represent elements of S^K/M as vectors, where S^K/M is elementary abelian. The "commutator trick" described below gives us a homomorphism from S^K/M to M, so again we can sift.

Finally we describe how to obtain a homomorphism from K to M if S/M is central in K/M but S is not central in K. This "commutator trick" was first used in this algorithmic context in [BSz]: for a ∈ K let ψ_a: S/M → M be the homomorphism Mx ↦ [a,x] (this is well defined). The ψ_a satisfy ψ_{ab} = ψ_a ψ_b. Let s be the generator of S/M. Then a ↦ ψ_a(s) is a homomorphism from K to M, and it is trivial iff S is central.

A combination of this and Lemmas 4.1 and 5.1 completes the proof of Theorem 1.2. □

7 Application to matrix groups

While matrix groups may be viewed as implementations of black-box groups, there are several speedups to our algorithm which may be used in applications to matrix groups utilizing the action on subspaces. Such additional tricks account for the added strength of Theorem 1.3. We describe below how to modify the proof of Theorem 1.2 to obtain Theorem 1.3. Also, in finite characteristic we may encounter "nonabelian obstacles" which are too large to be handled by our methods. We show how it is possible to work around these obstacles and obtain useful structural information about the group.

7.1 Characteristic 0

By Fact 2.8, finite matrix groups in characteristic 0 satisfy the conditions of Theorem 1.2 with polynomially bounded v, so Theorem 1.1 is proved. □

7.2 Proof of Theorem 1.3

First, in characteristic p it is helpful to assume, as we may by a polynomial-time algorithm of Rónyai [Ro], that the group is irreducible (or a p-group in characteristic p). We may find permutation actions by finding subspaces with polynomially many K-images. For example, if N ◁ K, then K permutes transitively the N-isotypic subspaces.

Suppose G is a matrix group in characteristic p in dimension n. Thus, elementary abelian p-subgroups of G present no difficulty (the linear algebra oracle comes "for free"). However, the algorithm as described above may make a recursive call on a matrix group in characteristic r, for some r ≠ p. We must avoid this, as there may be no easy way to handle the elementary abelian p-subgroups in characteristic r. Our algorithm makes a recursive call on a matrix group in characteristic r if a subgroup S is found such that S^K/M is an elementary abelian r-group. We may assume that S^K acts isotypically (otherwise we obtain a permutation representation), so Z(S^K) is cyclic. If S^K is abelian, then it must be cyclic of order r or r^2, and in either case we obtain a homomorphism from K to F_r^*. If S^K is nonabelian, then |S^K / Z(S^K)| ≤ n^2 (in fact any system of coset representatives for S^K : Z(S^K) is a basis for the enveloping algebra of S^K, and conversely any basis for the enveloping algebra of S^K consisting of elements of S^K is a system of coset representatives for S^K : Z(S^K)). Therefore, starting from a matrix group in characteristic p, our algorithm need only make recursive calls on matrix groups in characteristic p, with the possible exception of a recursive call with a subgroup of F_r^* for r ≠ p. Permutation representations can be found in all other cases. This completes the proof of Theorem 1.3. □

7.3 Working around nonabelian obstacles

We sketch the proof of Theorem 1.4. For simplicity we assume wlog that the timing parameter v is greater than some polynomial in the input length, so that the only possible nonabelian composition factors of G not having permutation representations of degree ≤ v are Lie-type simple groups of the same characteristic p as the field.

We add the following modification to the subroutine that searches for normal subgroups. Recall that, in descending to a simple subnormal subgroup, we repeatedly let K_{i+1} be the normal closure in K_i of a specially chosen x. In the original algorithm, x is chosen in such a way that with reasonable probability, x will be in a proper normal subgroup of K_i if K_i has an abelian quotient group or has a quotient group with a permutation representation of degree ≤ v. We wish to take care of one more possibility. Suppose K_i has at least two maximal normal subgroups. Then there is a homomorphism φ: K_i → A × B, where A and B are simple groups. Let y be a randomly chosen element of K_i, let r be a prime dividing the order m of y, and let x = y^{m/r}. Let φ(y) = (a, b). With probability at least 1/2, a and b have different orders. Since r is one of polynomially many primes dividing m, with reasonable probability we have a^{m/r} = 1 or b^{m/r} = 1 (or both). So with reasonable probability, x is in a proper normal subgroup of K_i.

It may still happen that we reach a K_i for which we can find neither a proper normal subgroup nor a permutation representation of degree ≤ v. Consider the structure of such a K_i. K_i has a unique simple quotient group T, a simple group of Lie type of characteristic p. By an algorithm of Rónyai [Ro] we may put K_i in block upper triangular form, where the diagonal blocks act irreducibly. By looking at the diagonal blocks, we obtain a homomorphism from K_i to K_i/P, where P is the largest normal p-subgroup of K_i. Let S be a simple subnormal subgroup of K_i/P. Since K_i has no permutation representations of polynomially bounded degree, S is either normal or abelian (or both). Also, K_i has no linear representations in characteristic ≠ p of polynomially bounded dimension, so if S is abelian, it is central. On the other hand, if S is
So in this case, we obtain a permutation representation for K of dimension at most n2. --f 434 nonabelian, then we have S = T = Kj/P. Now consider (K,/P)/Z(Ki/P). This group has trivial center, since Kj has no abelian quotients. We must in fact have that T = (Ki/P)/Z(Ki/P). So while our algorithm may fail to find a simple subnormal subgroup, we do get “close”. Let N = (Z(Ki),P)K (recall that K is the subgroup of G that we can “sift” down to). Modulo N I K j is simple. We can now make progress as in Section 3, with the following modifications: we wish to find the permutation action of K on conjugates of Ki modulo N I but it is now not obvious how to tell if two conjugates of K, are the same. Two conjugates of K, are different modulo N iff their mutual commutator is solvable. Therefore, we can sift to the normalizer of K j modulo N , so assume that K normalizes Kj N . In this case, we cannot represent nicely the conjugation action of K on T , so we will work around T . That is, we wish to find a representation of K which contains K,N in the kernel, but has as small a kernel as we can manage. By Rhyai’s algorithm [Ro], we put the matrices in Ki in block upper triangular form with irreducible blocks on the diagonals. We find two kinds of representations for K : the permutation action on Ki-isotypic subspaces, and, after sifting to the kernel of the permutation action, for each Ki-isotypic subspace V we find a tensor product decomposition VI@ V2 such that Ki acts trivially on Vz. The kernel of the action 4 of K on V2 may properly include Kj N , but we will have T the goal is to find an element of a proper normal subgroup. The techniques of Section 5 will accomplish this in time polynomial in log n, thereby speeding up and simplifying the [BSI algorithm. Some of the other cases of the [BSI algorithm may be treated using our techniques as well. 
9 In finite characteristic, it would be desirable to remove the dependence on v(G)in Theorem 1.2 (replacing at the same time the permutation representation of the composition factors in the output by linear representations). Acknowledgements We are indebted to W. M. Kantor and E. M. Luks for fruitful conversations. We wish to thank W. M . Kantor in particular for pointing out Fact 2.8. Bibliography [AD] L. M. Adleman, J. DeMarrais: A Subexponential Algorithm For Discrete Logarithms Over All Finite Fields, Proc. CRYPTO’93, to appear. [Asch] M. Aschbacher: On the maximal subgroups of the finite classical groups, Invent. Math. 76 (1984), pp. 469-514. [At] M. D. Atkinson, ed.: Computational Group Theory (Proc. Durham Symp. 1982), Acad. Press, London 1984. [Ball L. Babai: The Probability of Generating the Symmetric Group, J . Comb. Theory, Ser. A 52 (1989), pp. 148-153. [Ba2] L. Babai: Local expansion of vertex-transitive graphs and random generation in finite groups, Proc. 23rd ACM STOC (1991), pp. 164-174. [BBR] L. Babai, R. Beals, D. Rockmore: Deciding finiteness of matrix groups in deterministic polynomial time, Tech Rep 92-17, U. Chicago, 1992. [BCFLS] L. Babai, G. Cooperman, L. Finkelstein, E. M. Luks, A. Seress: Fast Monte Carlo algorithms for permutation groups, Proc. 23rd ACM STOC (1991), pp. 90-100. [BCFS] L. Babai, G. Cooperman, L. Finkelstein, A. Seress: Nearly linear time algorithms for permutation groups with a small base, Proc ISSAC’S1 (Internat. Symp. on Symbolic and Algebraic Computation), Bonn 1991, pp. 200-209. I Ker(4)/(Z(Ker(d)), Op(Ker(4))) I Aut(T). We then continue the algorithm with the image of d. The product of the kernels of the 4 found during the course of the algorithm will be the subgroup N mentioned in the statement of Theorem 1.4. This completes the proof of Theorem 1.4.0 8 Concluding remarks Application to permutation groups A family of permutation groups {GI, G 2 , .. 
.}, where G, has degree n , is said to be a family of small- base groups if log IG, I is polynomially bounded by log n . Membership testing for small-base groups may be performed very efficiently (in time O(nlog‘ n ) ) by an algorithm of [BCFS]. Beals and Seress [BSI, in finding composition factors of small-base groups, show how the [BCFS] algorithm may be used to treat the group as a black box group, where the length of the encoding is polylogarithmic in n. One of the tricky cases in the [BSI algorithm occurs when G has a factor group isomorphic to A , where m = O(1og n ) , and 435 [BSz] L. Babai, E. SzemerCdi: On the complexity of matrix group problems I, in: Proc. 25th IEEE FOCS, Palm, Beach FL, 1984, pp. 229-240. [BSI R. Beals, A. Seress: Structure forest and composition factors for small base groups in nearly linear time, 24th STOC (1992), 116-125. [BKK] J. Boyar, M. Krentel, S. Kurtz: A discrete logarithm implementation of zero-knowledge blobs, Journal of Cryptography 2 (1990). [BCY] G. Brassard, C. CrCpeau, M. Yung: Everything in NP can be argued in perfect zeroknowledge in a bounded number of rounds, Proc. of the 16th ICALP, Springer-Verlag, Berlin 1989, pp. 123-136. [Can] J. J. Cannon: An introduction to the group theory language CAYLEY, in [At], pp. 145-183. [Car] R. W. Carter: Simple Groups of Lie Type, Wiley Classics Edition, Wiley, New York (1989). [CCNPW] J . H. Conway, R. T . Curtis, S. P. Norton, R. A. Parker, R. A. Wilson: Atlas offinite groups, Clarendon Press, Oxford (1985). [Dixl] J. D. Dixon: The probability of generating the symmetric group, Math. Z. 110( 1960), 199-205. [Dix2] J . D. Dixon: Asymptotically fast factorization of integers, Math. Comp. 36( 1981), 255-260. [ElG] T. ElGamal: A subexponential time algorithm for computing discrete logarithms over G F ( p 2 ) , IEEE Trans. Info. Theory 31(1985), 473-481. [FT] W. Feit, J . Tits: Projective representations of minimum degree of group extensions, Can. J . Math. 30 (1978), pp. 1092-1102. 
[FR] K. Friedl, L. Rónyai: Polynomial time solutions of some problems in computational algebra, in: Proc. 17th ACM STOC, 1985, pp. 153-162.
[FHL] M. L. Furst, J. Hopcroft, E. M. Luks: Polynomial-time algorithms for permutation groups, in: Proc. 21st IEEE FOCS, 1980, pp. 36-41.
[Go] D. Gorenstein: Finite Simple Groups: An Introduction to their Classification, Plenum, N.Y. 1982.
[Ha] M. Hall, Jr.: The Theory of Groups, Macmillan, New York, 1959.
[HR] M. E. Hellman, J. M. Reyneri: Fast computation of discrete logarithms in GF(q), Adv. in Cryptology: Crypto '82, Chaum, Rivest, Sherman, eds., Plenum 1983, pp. 3-13.
[HB] B. Huppert, N. Blackburn: Finite Groups II, Grundlehren der mathematischen Wissenschaften 242, Springer-Verlag, Berlin, 1982.
[IY] R. Impagliazzo, M. Yung: Direct minimum-knowledge computations, Adv. in Cryptology: Crypto '87, LNCS 293, Springer 1988, pp. 40-51.
[Ka1] W. M. Kantor: Permutation Representations of the Finite Classical Groups of Small Degree or Rank, J. Algebra 60 (1979), pp. 158-168.
[Ka2] W. M. Kantor: Sylow's Theorem in Polynomial Time, JCSS 30 (1985), pp. 359-394.
[KLy] W. M. Kantor, A. Lubotzky: The probability of generating a finite classical group, Geometriae Dedicata 36 (1990), pp. 67-87.
[KLs] W. M. Kantor, E. M. Luks: Computing in quotient groups, Proc. 22nd ACM STOC (1990), pp. 524-534.
[LS] V. Landazuri, G. M. Seitz: On the Minimal Degrees of Projective Representations of the Finite Chevalley Groups, J. Algebra 32 (1974), pp. 418-443.
[Leo1] J. Leon: On an Algorithm for Finding a Base and Strong Generating Set for a Group Given by a Set of Generating Permutations, Math. Comp. 35 (1980), pp. 941-974.
[Leo2] J. Leon: Permutation Group Algorithms Based on Partitions, I: Theory and Algorithms, J. Symbolic Comput. 12 (1991), pp. 533-583.
[Lo] R. Lovorn: Rigorous, Subexponential Algorithms for Discrete Logarithms Over Finite Fields, Ph.D. Thesis, University of Georgia, 1992.
[Lu1] E. M. Luks: Computing the composition factors of a permutation group in polynomial time, Combinatorica 7 (1987), pp. 87-99.
[Lu2] E. M. Luks: Computing in Solvable Matrix Groups, Proc. 33rd IEEE FOCS (1992), pp. 111-120.
[McC] K. S. McCurley: The Discrete Logarithm Problem, in: Cryptology and Computational Number Theory, Proc. Symp. Appl. Math. 42 (1990), AMS, Providence, pp. 49-74.
[Mi] K. A. Mihailova: The occurrence problem for direct products of groups (in Russian), Dokl. Akad. Nauk SSSR 119 (1958), pp. 1103-1105, and Mat. Sb. (N. S.) 70 (112) (1966), pp. 241-251.
[New] M. Newman: Integral Matrices, Pure and Applied Mathematics, vol. 45, Academic Press, New York 1972.
[NP] P. M. Neumann, C. E. Praeger: A recognition algorithm for the special linear groups, manuscript, 1990.
[Ro] L. Rónyai: Computing the structure of finite algebras, J. Symbolic Comp. 9 (1990), pp. 355-373.
[Sch+] M. Schönert et al.: GAP - Groups, Algorithms, and Programming, Lehrstuhl D für Mathematik, Rheinisch-Westfälische Techn. Hochschule, Aachen, Germany, 1st ed., 1992.
[Si] C. C. Sims: Computation with permutation groups, Proc. Second Symp. Symb. Algeb. Manipulation, ACM, New York, 1971, pp. 23-28.
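Worked example for the "commutator trick" of Section 6. This is an added illustration, not code from the paper: it takes a constructed group $K$, the Heisenberg group of upper unitriangular $3 \times 3$ matrices over $F_5$, whose centre $M = Z(K)$ is elementary abelian and whose quotient $K/M$ is abelian, so that for any $s$ the subgroup $S = \langle s \rangle M$ has $S/M$ central in $K/M$. The function names (`mul`, `inv`, `comm`, `phi`, `sift_to_kernel`) and the choice $p = 5$ are the editor's assumptions; the block checks that $a \mapsto [a, s]$ is a homomorphism $K \to M$, that it is trivial exactly when $s$ is central, and uses one linear equation over $F_p$ (the "linear algebra oracle" for $M$) to sift an element into its kernel.

```python
# Added example (not from the paper): the commutator trick of Section 6 on the
# Heisenberg group K over F_p.  Elements are encoded as (x, y, z), standing for the
# matrix [[1, x, z], [0, 1, y], [0, 0, 1]] with entries reduced mod P.
from itertools import product

P = 5  # constructed choice: a small prime; any prime works

def mul(a, b):
    """Matrix product in the (x, y, z) encoding."""
    x1, y1, z1 = a
    x2, y2, z2 = b
    return ((x1 + x2) % P, (y1 + y2) % P, (z1 + z2 + x1 * y2) % P)

def inv(a):
    """Inverse: (x, y, z)^-1 = (-x, -y, xy - z)."""
    x, y, z = a
    return ((-x) % P, (-y) % P, (x * y - z) % P)

def comm(a, b):
    """Commutator [a, b] = a^-1 b^-1 a b (always lands in the centre here)."""
    return mul(mul(inv(a), inv(b)), mul(a, b))

IDENT = (0, 0, 0)
ELEMENTS = list(product(range(P), repeat=3))   # all p^3 elements of K
CENTER = [(0, 0, z) for z in range(P)]          # M = Z(K), order p, elementary abelian

def is_central(s):
    return all(comm(a, s) == IDENT for a in ELEMENTS)

def phi(s):
    """phi_s : K -> M, a -> [a, s]; the homomorphism of the commutator trick."""
    return lambda a: comm(a, s)

def is_homomorphism(f):
    """Exhaustively check f(ab) = f(a) f(b) over all p^6 pairs."""
    return all(f(mul(a, b)) == mul(f(a), f(b)) for a in ELEMENTS for b in ELEMENTS)

def m_coordinate(m):
    """M = {(0, 0, t)} is a 1-dimensional F_p-space, so the 'linear algebra
    oracle' for M amounts to reading off the coordinate t."""
    if m[0] != 0 or m[1] != 0:
        raise ValueError("not an element of M")
    return m[2]

def sift_to_kernel(h, gens, s):
    """Return h * g^(-c) for a generator g and c solving c*phi(g) = phi(h) in F_p,
    so that the result lies in ker(phi_s) = C_K(s).  If phi_s kills every
    generator (s central in <gens>), h is returned unchanged."""
    f = phi(s)
    t_h = m_coordinate(f(h))
    for g in gens:
        t_g = m_coordinate(f(g))
        if t_g != 0:
            c = (t_h * pow(t_g, -1, P)) % P   # the one linear equation to solve
            g_inv = inv(g)
            for _ in range(c):
                h = mul(h, g_inv)             # phi_s(h g^-c) = t_h - c*t_g = 0
            return h
    return h

if __name__ == "__main__":
    s = (0, 1, 0)
    print("phi_s is a homomorphism:", is_homomorphism(phi(s)))
    print("s central:", is_central(s), "| (0,0,1) central:", is_central((0, 0, 1)))
    print("sifted:", sift_to_kernel((2, 3, 4), [(1, 0, 0), (0, 1, 0)], s))
```

In the paper's setting $M$ is an elementary abelian $p$-group of larger rank and the coordinate read-off becomes a genuine linear-algebra step over $F_p$; the one-generator solve above is the rank-one case of that sifting.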
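Worked example for the random-element step of Section 7.3, where $K_i$ maps onto $A \times B$ with $A$, $B$ simple and $x = y^{m/r}$ is tried for the primes $r$ dividing the order $m$ of a random $y$. This is an added illustration, not code from the paper; it uses a constructed instance $A = B = A_5$ as permutation groups and assumed function names (`proper_normal_element`, `success_count`). It goes slightly beyond the text by confirming, over every pair $(a, b)$, that $x$ lands in one of the two proper normal subgroups $A \times 1$, $1 \times B$ exactly when $a$ and $b$ have different orders, and that this happens for more than half of all pairs.

```python
# Added example (not from the paper): the y^(m/r) trick of Section 7.3 on the
# constructed direct product A_5 x A_5.  Permutations are tuples p with p[i] = image of i.
from itertools import permutations
from math import lcm

def compose(p, q):
    """(p*q)(i) = p(q(i))."""
    return tuple(p[q[i]] for i in range(len(p)))

def identity(n):
    return tuple(range(n))

def is_even(p):
    inversions = sum(1 for i in range(len(p)) for j in range(i + 1, len(p)) if p[i] > p[j])
    return inversions % 2 == 0

def alternating(n):
    """All even permutations of range(n)."""
    return [p for p in permutations(range(n)) if is_even(p)]

def power(p, e):
    result = identity(len(p))
    for _ in range(e):
        result = compose(result, p)
    return result

def order(p):
    e, q = 1, p
    while q != identity(len(p)):
        q = compose(q, p)
        e += 1
    return e

def prime_factors(m):
    """Distinct primes dividing m, by trial division (m is tiny here)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out

def proper_normal_element(a, b):
    """For y = (a, b) in A x B with |y| = m, try x = y^(m/r) for each prime r | m.
    Return (r, x) for the first x that is nontrivial with exactly one trivial
    coordinate, i.e. x in A x 1 or 1 x B; return None if no prime works."""
    m = lcm(order(a), order(b))
    for r in prime_factors(m):
        xa, xb = power(a, m // r), power(b, m // r)
        if (xa == identity(len(a))) != (xb == identity(len(b))):
            return r, (xa, xb)
    return None

def success_count(group):
    """Over all pairs (a, b): how often some prime r succeeds, how often
    |a| != |b|, and the total number of pairs.  The first two agree: if the
    orders differ, the prime r whose exponent differs kills exactly one
    coordinate of y^(m/r); if they agree, m/r kills neither."""
    orders = {p: order(p) for p in group}
    hits = different = 0
    for a in group:
        for b in group:
            if proper_normal_element(a, b) is not None:
                hits += 1
            if orders[a] != orders[b]:
                different += 1
    return hits, different, len(group) ** 2

if __name__ == "__main__":
    A5 = alternating(5)
    hits, different, total = success_count(A5)
    print(f"{hits}/{total} pairs give an element of a proper normal subgroup "
          f"({different} pairs have different orders)")
```

For $A_5$ the element orders are 1, 2, 3 and 5 with 1, 15, 20 and 24 elements respectively, so 1202 of the 3600 pairs share an order and the remaining 2398 succeed, comfortably above the $1/2$ the text promises for simple $A$ and $B$.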