On some computational problems in nite abelian groups. Universitat des Saarlandes. Fachbereich 14 - Informatik. Postfach

Transcription

1 On some computational problems in nite abelian groups Johannes Buchmann Michael J. Jacobson, Jr. Universitat des Saarlandes Fachbereich 14 - Informatik Postfach Saarbrucken Germany Edlyn Teske y 0th February 1996 Abstract We present new algorithms for computing orders of elements, discrete logarithms, and structures of nite abelian groups. We estimate the computational complexity and storage requirements, and we explicitly determine the O-constants and -constants. We implemented the algorithms for class groups of imaginary quadratic orders and present a selection of our experimental results. Our algorithms are based on a modication of Shanks' baby-step giant-step strategy, and have the advantage that their computational complexity and storage requirements are relative to the actual order, discrete logarithm, or size of the group, rather than relative to an upper bound on the group order. AMS Subject Classication: 11Y16 1 Introduction Let G be a nite abelian group, written multiplicatively, in which we assume that the following are possible: for a; b G we can compute c = a b for a G we can compute a?1 for a; b G we can test whether a = b We call these the group operations. Note that from every group element a we can determine the neutral element 1 = a a?1. As an example, WE will consider class groups of imaginary quadratic elds. Another example is the group of points on an elliptic curve over a nite eld. For any subset S of G; denote by hsi the subgroup of G generated by S. If hsi = G then S is called a generating set of G. If S = fgg then write hgi instead of hsi. Three common computational problems in such groups are: supported by the Natural Sciences and Engineering Research Council of Canada y supported by the Deutsche Forschungsgemeinschaft 1

2 Given g G compute jhgij; the order of g in G, i.e., the least positive integer x such that g x = 1: Given g; d G decide whether d belongs to the cyclic subgroup hgi of G generated by g. If d hgi; nd log g d; the discrete logarithm of d to the base g; i.e., the least non-negative integer x such that g x = d: Given a generating set of G compute the structure of G. By computing the structure of G we mean computing positive integers m 1 ; : : :; m k with m 1 > 1, m i jm i+1, 1 i < k and an isomorphism : G! Z=m 1 Z Z=m k Z: This isomorphism is given in terms of the images of the generators. The integers m i are the uniquely determined invariants of G. In this paper we present improved versions of Shanks' algorithms for solving these problems. As in Shanks' original method [10] (see also [4], [8]), operations in G and table look-ups are used in our algorithms. The table entries are pairs (S z ; z), where S is a set of group elements, z belongs to the set Z S of all maps S?! Z, and S z = Q gs gz(g). When we estimate the complexity of our algorithms, we count the number of group operations, the number of table look-ups, and we determine bounds on the table sizes, i.e., the number of group elements which have to be stored. We ignore the time and space for doing index calculations. If hashing on the group elements is possible, the tables of group elements are hash tables and the time for one table look-up is comparable to the time required for a group operation. Here are our main results. Theorem 1.1 There is an algorithm for computing the order x of an element g G which executes one inversion and at most 4 p p x x + log multiplications in G. It uses a table of at most p x pairs (g; r) G f1; : : :; d p x eg. The total number of table look-ups is bounded by p x : Theorem 1. There is an algorithm that decides for g; d G, d 6= 1, whether d hgi and if so computes log g d: Let jhgij if d 6 hgi x = log g d if d hgi: The algorithm executes at most 6 p x + log p x multiplications in G. It uses a table of at most p x pairs (g; r) G f1; : : :; d p x eg. The total number of table look-ups is bounded by 4 p x :

3 Our algorithm for computing the structure of G may behave dierently if the generators are input in dierent orders. Therefore, the algorithm receives as input a generating sequence, i.e., a nite sequence S = (g 1 ; : : :; g l ) of group elements such that fg 1 ; : : :; g l g is a generating set of G. Set and G j = hg 1 ; : : :; g j i; 0 j l; (1) l(s) = jfj f1; : : :; lg : G j?1 6= G j gj : () In other words, if we generate G by using g 1 ; g ; g 3 ; : : :, l(s) is the number of generators which enlarge the group. Note that l(s) is at least as large as the number of invariants of G. We will prove the following result. Theorem 1.3 There is an algorithm that computes the structure of G from a generating sequence S of G which executes jsj inversions and at most l(s) (jsj + 5) p jgj + 4 l(s) p jgj + log jgj multiplications in G, with l(s) from (). It uses two tables of at most l(s) p jgj and l(s) +1p jgj pairs (g; ~q) G f0; : : :; p jgjg jsj. The total number of table look-ups is bounded by l(s) (jsj + l(s) + ) p jgj: The upper bound for the complexity of the group structure algorithm is exponential in the number l(s) of generators that are really used to determine the group structure. If that number is xed, the complexity of the algorithm is O(jSj p jgj). On the other hand, our analysis shows that if G = (Z=Z) l for some positive integer l; the complexity of our algorithm is (jgj). This lower bound also holds for Shanks' original algorithm and its variations. Hence, for nite abelian groups with a large number of small invariants our algorithm is not appropriate. The basic idea of this paper is to use baby-step giant-step algorithms with some initial step-width v N and to double that step-width as long as the result of the computation has not been found. A similar idea has been used in [] but the results obtained there are weaker than ours. For v = we obtain the above theorems. If v is chosen such that L = v is an upper bound on the group order, we obtain Shanks' original algorithms. Our analysis shows that for v = p L the number of multiplications and the table size in the order and discrete logarithm algorithms is ( p L). Also, for that choice of v the number of multiplications and the table size in the group structure algorithm is ( l(s)= jsj p jlj). Thus, if the upper bound L is much larger than the actual order, discrete logarithm or group order, the algorithm wastes a lot of time and space. We implemented our algorithms for class groups of imaginary quadratic orders using the computer algebra system LiDIA [7]. We present experimental results which yield good choices for the initial step-width v for these groups. The paper is organized as follows. In Section we describe and analyze the order algorithm. That section also contains the basic idea of the paper. In Section 3 we discuss the algorithm for computing discrete logarithms, and Section 4 is devoted to the group structure algorithm. 3

4 Computing the Order of an Element Given an element g G we wish to compute x = jhgij: Our improved algorithm, a modication of Shanks' baby-step giant-step method, is based on the following statement: Lemma.1 Let v be an even positive integer. For every positive integer x there are uniquely determined integers k, q and r with k 0, b4 k?1 cv k vq < 4 k v and 1 r k v such that x = y + r, y = k vq. Proof: Let x N. We rst show the existence of such k, q and r. We choose k such that b4 k?1 cv < x 4 k v ; and write x = k vq + r with 1 r k v. Then b4 k?1 cv? k v < k vq 4 k v? 1, which implies that k vq < 4 k v. Moreover, if k = 0, we have?v < vq; so 0 vq. If k 1, we have 4 k?1 v? k v < k vq; hence k?1 (v=)? 1 < q. Since v= is integral, this implies that k?1 (v=) q, so that 4 k?1 v k vq. To show the uniqueness of this representation, let x = k vq + r with k, q and r as stated above. Then b4 k?1 cv k vq < 4 k v, which implies q k v? 1, so that x = k vq + r k v( k v? 1) + k v = 4 k v. Moreover, we have b4 k?1 cv < k vq + r = x. These inequalities determine k uniquely. The uniqueness of q and r is due to the uniqueness statement for division with remainder. We explain the method for computing x = jhgij. We select an even positive integer v which is used as the initial step-width in the algorithm. Then there is a unique non-negative integer k such that x belongs to the interval I k = fb4 k?1 cv + 1; : : :; 4 k v g: We search those intervals for k = 0; 1; ; : : : until x is found. By Lemma.1, each number in I k can be written as y + r with y = k vq and r, q as stated in Lemma.1. Also, each integer that can be written in this way belongs to the interval I k. To check whether x is in I k we test whether g y+r = 1 with y = k vq and r and q as stated in Lemma.1. This means that we test whether For this purpose, we compute the set g y = g?r ; 1 r k v; y = k vq; b4 k?1 cv y < 4 k v : R k = f(g?r ; r) : 1 r k vg; and for all values of q such that b4 k?1 cv y < 4 k v we check whether there exists (g y ; r) R k for some r. If so, jhgij = y + r: Otherwise, we increase k by 1. If x v, the set R 0 contains at least one pair (1; r), and jhgij = r for the smallest such r. Therefore, before adding a pair (g?r ; r), 1 r v, to R 0 in the course of the computation of R 0, we always check whether g?r = 1, and we break if the answer is \yes", since then jhgij is already found. The eciency of the algorithm can be improved if we know a lower bound B of jhgij: Writing C = B? 1, we then work with the set R k = f(g?(r+c) ; r) : 1 r k vg; and if we nd (g y ; r) R k ; jhgij = y + r + C: If no lower bound for jhgij is known, we set C = 0. We now present the algorithm. 4

5 Algorithm. This algorithm computes the order of the group element g in G. Input: g G, lower bound C + 1 for jhgij, initial step-width v (v N) Output: x = jhgij (1) x = 0 () s = 1; y = v; u = v (3) h = g?1 (4) a = h C ; b = g v ; c = b / a = g?c?r ; (5) R = ; b = g y ; c = g u / (6) while (x == 0) do (7) for (r = s; s + 1 : : :; u) do / new baby steps / (8) a = a h (9) if ( s == 1 ) then / check if 1 x v / (10) if ( a == 1 ) then (11) x = r + C (1) return (x) (13) break while (14) else (15) R = R [ f(a; r)g (16) (17) else (18) R = R [ f(a; r)g (19) (0) od (1) while (x == 0 and y < u ) do / giant steps / () if (there is a number r such that (b; r) R ) then (3) x = y + r + C (4) return (x) (5) else (6) y = y + u (7) b = b c (8) (9) od (30) s = u + 1; u = u / double (31) c = c step width / (3) od Theorem.3 Let C = 0. Let x = jhgij. For every choice of v, Algorithm. executes one inversion and at most blog vc + 1 multiplications in G and requires space for three group elements. On further group multiplications, space required, and table look-ups, we have the following estimates. 1. If x v, Algorithm. executes x additional multiplications in G. It uses a table of x? 1 pairs (g; r) G f1; : : :; x? 1g and it performs x equality checks.. If p x v < x, the number M of additional multiplications in G satises v M p x + v? : 5

6 The algorithm uses a table of v pairs (g; r) G f1; : : :; vg, and it performs v equality checks. The total number TL of table look-ups satises 1 T L p x? 1: p 3. If x > v, the number M of additional multiplications in G satises 5 p p x x + log 4 v? 1 M 4 p x? v + log p x v? 5: It performs v equality checks. It uses a table of at least d p x e and at most d p x e? pairs (g; r) G f1; : : :; d p x eg. The total number TL of table look-ups satises d p x e 4 T L p x? v? : Proof: For the initialization, Algorithm. requires one inversion and at most blog vc + 1 multiplications to compute g?1 and b = c = g v. It must store g?1, b and c. If x v, we nd x = jhgij during the rst iteration of the outer while loop, in the course of the computation of the set R (= R 0 ). This requires x group multiplications and x equality checks, and the set R contains x? 1 pairs (g?r ; r). If p x v < x, we also nd x = jhgij during the rst iteration of the outer while loop. The set R contains v pairs (g?r ; r); which also means that the algorithm must perform v multiplications in G to compute R. It performs v equality checks to test whether g?r = 1. In the iterations of the inner while loop, the algorithm checks whether (g qv ; r) R while v qv x? r (r f1; : : :; vg), i.e., 1 q (x? 1)=v, so we have 1 q < p x. It computes g qv while v qv x?r, thus q < p x. This requires between 1 and d p x e?1 table look-ups, and at most d p x e? group multiplications. Hence, the total number of multiplications in the outer while loop is between v and v + d p x e?, if p x v < x. If v < p x, the algorithm performs k additional iterations of the outer while loop, where i.e., k? 1 < log p x v 4 k?1 v < x 4 k v (3) l m k, hence k = log p x. After the last iteration, the set R contains k v pairs (g?r ; r). v Thus, to compute R the algorithm performs k v multiplications in G, and it must store a table of k v pairs. From (3) we see that k?1 v < p x k v, so p x k v p x? : (4) In the rst inner while loop, the algorithm computes g qv for q v, which requires v? 1 multiplications. In all of the following inner while loops except the last, it computes g qi v while 4 i?1 v < q i v 4 i v ; i.e., where 1 i k? 1. This requires i?1 v < q i v; i v? v i?1 = 3 v i?1 multiplications in each loop, which can be summed to k?1 X 3 i?1 v = 3 (k?1? 1) v 6

7 multiplications. In the last loop, the algorithm computes g qk v while 4 k?1 v < q k v x? r; r f1; : : :; k vg; so k?1 v < q x?1. Since p x k v, we have x?1 x?1 k v k p v x < p x, and this requires at most p x? 1? k?1 v multiplications. Thus, the total number of multiplications in the inner while loops is at least and at most v? ( k?1? 1) v = 3 k?1v? v? 1 (4) 3 p p x x? 4? 1 d p x e 4? 1; v? ( k?1? 1) v + p x? 1? k?1 v = k?1 v? v + p x? (4) p x? v? 3; The total number of table look-ups is bounded below by d p x e =4 and above by d p x e? v?, which is the maximum number of iterations of the inner while loops. Finally, note that in k outer while loops the algorithm performs one multiplication to compute c. Together with (4) we get that Algorithm. performs at least p x log and at most log p x additional multiplications in G to nd jhgij, if v < p x. v v + 5 p x? p x? v? 5 Remark.4 To adapt Theorem.3 to the case C 1, we just have to replace each x by x? C and add to the total number of group multiplications the multiplications required to compute a = (g?1 ) C, i.e., at most blog Cc + 1 multiplications. In practice, the most ecient way to handle the set R is by means of a hash table. This is possible as long as the group elements are represented as sequences of integers. Then, each look-up in the table R requires just one computation of a hash value and usually one equality test for group elements. As we see from Theorem.3, the eciency of Algorithm. depends largely on the appropriate choice of the initial step-width v. As noted by Shanks [10], the optimal choice of v is v = p jhgij: This results in about p jhgij group multiplications in our algorithm. If v is chosen too large (in comparison with p jhgij), we waste space and time because the set R is too big. If v is chosen too small, we waste time because of superuous iterations of the outer while loop. In order to test our algorithm, we implemented it using the LiDIA system [7] to compute orders of elements in ideal class groups of imaginary quadratic orders. For three discriminants of sizes ten, fteen, and twenty decimal digits, we computed the orders of the ideal classes of four prime ideals that we knew from previous computations had dierent orders. In Tables 1,, and 3 we show the actual numbers of group multiplications and table look-ups, denoted by GM and T L respectively, that were required to compute the order of each prime ideal class, together with the lower and upper bounds predicted by Theorem.3. denotes the 7

8 discriminant of the quadratic order and I p denotes the ideal class of which the prime ideal lying over the prime p is the reduced representative. We compute the order of each prime ideal class three times, using a dierent value of v each time. The simplest version of our algorithm uses v = ; v = 1=4 is equivalent to Shanks' original algorithm [10], and v = 1=4 = is half-way between the other two and has been shown to yield the best overall run times in our tests. Table 4 gives the run times for these computations on a SPARCstation 0. Lower Computed Upper p jhi p ij GM T L GM T L GM T L?4( ) ?4( ) ?4( ) Table 1: Order algorithm group multiplications and table look-ups (v = ) Lower Computed Upper p jhi p ij GM T L GM T L GM T L?4( ) ?4( ) ?4( ) Table : Order algorithm group multiplications and table look-ups (v = 1=4 =) For =?4( ); our algorithm using v = is faster than Shanks' algorithm (i.e. v = 1=4 ) for I 5 ; the class with the smallest order. It is slower for I 3 and I 13 ; even though it executes fewer total group operations, because it performs four times as many giant steps than Shanks' algorithm, which requires additional table look-ups. In the case of I 7 ; the optimal value of v is v = p ; and the initial step width v = 1=4 447 that is used in Shanks' algorithm is suciently accurate that the extra giant steps taken by our algorithm cause it to execute more group operations in total. v = 1=4 = 3 is closer to the optimal value than v = 1=4 ; and this choice of v does result in the best overall performance for three of the four ideals. 8

9 Lower Computed Upper p jhi p ij GM T L GM T L GM T L?4( ) ?4( ) ?4( ) Table 3: Order algorithm group multiplications and table look-ups (v = 1=4 ) p jhi p ij v = v = 1=4 = v = 1=4?4( ) hsec 16 hsec 7 hsec hsec hsec 7 hsec hsec 30 hsec 37 hsec hsec 44 hsec 41 hsec?4( ) 7 13 hsec 9 hsec 10 hsec hsec sec, 83 hsec 4 sec, 87 hsec sec, 0 hsec sec, 39 hsec 4 sec, 60 hsec sec, 74 hsec 1 sec, 95 hsec 3 sec, 6 hsec?4( ) sec, 40 hsec 51 sec, 80 hsec 9 sec, hsec sec, 68 hsec 5 sec, 7 hsec 78 sec, 71 hsec sec, 6 hsec 78 sec, 76 hsec 116 sec, 60 hsec sec, 86 hsec 10 sec, 8 hsec 111 sec, 14 hsec Table 4: Order Algorithm run times For =?4( ); our algorithm using v = is the fastest for three of the four prime ideals. The orders of the ideals are suciently small that selecting v = 1=4 or 1=4 = results in too many extra baby steps. For =?4( ); our algorithm using v = is faster than Shanks' algorithm for one of the four ideals. In this case, 1=4 is closer to the optimal value of v than for =?4( ): Using v = 1=4 =; as in the case of =?4( ); actually results in the best overall performance. Our results suggest that Algorithm. has two main advantages over Shanks' original algorithm. The rst and most obvious advantage is that it is faster when the order of the element is much smaller than the order of the group. In these cases, Shanks' algorithm executes too many baby steps, and although our algorithm using v = will execute some unnecessary giant steps, it will still execute fewer group operations overall. The second advantage is when the upper bound on the order of the group is too large. Shanks' algorithm will execute too many baby steps in this case as well. Our algorithm allows one to select an initial step width that is much smaller than the estimated order of the group, in the hope of attaining a better approximation of p jhgij: Using Shanks' algorithm, an initial step width that is too small results in far too many giant steps, but our algorithm will detect if the initial step width is too small and enlarge it if necessary. 9

10 3 Computing Discrete Logarithms Given g; d G; we wish to decide whether d belongs to the group hgi generated by g. If the answer is \yes," we want to compute x = log g d. We use the following modication of Algorithm. to solve this problem. We compute the order of g in G as in Algorithm., i.e., we try to nd integers y and r such that g y+r = 1. However, for each y, before checking whether g y+r = 1, we check whether g y+r = d. For this, we work with the same set R as in Algorithm.. We rst check whether (d?1 g y ; r) R, with R as in Algorithm.. If this is the case, log g d = y + r. Otherwise, we check whether (g y ; r) R. As soon as we have found jhgij, we know that there is no discrete logarithm of d for base g, since log g d < jhgij. Just as in Algorithm., during the computation of R 0 = f(g?r ; r) : 1 r vg we always check whether log g d or jhgij is already found before we include a pair (g?r ; r). Algorithm 3.1 This algorithm computes the discrete logarithm of d (d 6= 1) for base g. Input: d; g G (d 6= 1), initial stepwidth v (v N) Output: t = 1 and x = log g d if d hgi, t = 0 and x = jhgij if d = hgi (1) t = ; x = 0 () s = 1; y = v; u = v (3) h = g?1 (4) a = 1; b = g v ; c = b / a = g?r, b = g y, (5) R = ; c = g u / (6) f = d?1 (7) while (t == ) do (8) for (r = s; s + 1 : : :; u) do / new baby steps / (9) a = a h (10) if (s == 1) then / check if 1 x v / (11) if (a == f ) then (1) x = r; t = 1 (13) break while (14) else (15) if (a == 1) then (16) x = r; t = 0 (17) break while (18) else (19) R = R [ f(a; r)g (0) (1) () else (3) R = R [ f(a; r)g (4) (5) od 10

11 (6) while (t == and y < u ) do / giant steps / (7) if (there is a number r such that (f b; r) R) then / checking for (8) x = y + r; t = 1 discrete log. / (9) else (30) if (there is a number r such that (b; r) R) then / checking for (31) x = y + r; t = 0 the order of g / (3) else (33) y = y + u (34) b = b c (35) (36) (37) od (38) s = u + 1; u = u / double (39) c = c step width / (40) od (41) return (t, x) To discuss the complexity of Algorithm 3.1 we use the same arguments as in Theorem.3. We only have to observe that there are twice as many equality checks during the computation of R 0. Moreover, in each inner while loop, we have one additional multiplication to compute f b and at most one additional table look-up to check whether (f b; r) R. With x = log g d if d hgi and x = jhgij if d = hgi, this causes at least 1 additional multiplication and at most d p x e? 1 additional multiplications and table look-ups if p x v < x. If p x > v, this causes at least d p x e =4? 1 and at most d p x e? v? additional multiplications and table look-ups. Therefore, we have the following result: Theorem 3. Let d 6= 1. Let jhgij if d 6 hgi x = log g d if d hgi: For every choice of v, Algorithm 3.1 executes two inversions and at most blog vc + 1 multiplications in G and requires space for ve group elements. On further group multiplications, space required, and table look-ups, we have the following estimates. 1. If x v; Algorithm 3.1 executes x further multiplications in G. It uses a table of x? 1 pairs (g; r) G f1; : : :; x? 1g, and it performs at most x equality checks.. If p x v < x; the number M of further multiplications in G satises v + 1 M p x + v? 3: The algorithm uses a table of v pairs (g; r) G f1; : : :; vg, and it performs v equality checks. The total number TL of table look-ups satises 1 T L p x? : p 3. If x > v, the number M of further multiplications in G satises 3 p p x x + log v? M 6 p x? v + log p x v? 7: It performs at most v equality checks. It uses a table of at least d p x e and at most d p x e? pairs (g; r) G f1; : : :; d p x eg. The total number TL of table look-ups satises d p x e? 1 T L 4 p x? v? 4: 11

12 Algorithm 3.1 was implemented using the LiDIA system [7] to compute discrete logarithms in ideal class groups of imaginary quadratic orders. For the same three discriminants used in the previous section, we select the prime ideal class I p with the largest order and use our algorithm to compute log Ip Ip x in the class group, for 5 dierent values of x with varying sizes. Again, we perform the discrete logarithm computation three times using the same three values of v as before. Table 5 shows the number of group multiplications and table look-ups, denoted by GM and T L; required for each computation and Table 6 gives the run times for each computation. v = v = 1=4 = v = 1=4 p x GM T L GM T L GM T L?4( ) ?4( ) ?4( ) Table 5: DL algorithm group multiplications and table look-ups p x v = v = 1=4 = v = 1=4?4( ) hsec 0 hsec 4 hsec hsec 8 hsec 8 hsec hsec 36 hsec 3 hsec hsec 45 hsec 37 hsec hsec 40 hsec 34 hsec?4( ) sec, 8 hsec 1 sec, 55 hsec 3 sec, 13 hsec sec, 80 hsec 1 sec, 51 hsec 3 sec, 9 hsec sec, 5 hsec 1 sec, 67 hsec sec, 73 hsec sec, 0 hsec 1 sec, 44 hsec sec, 63 hsec sec, 53 hsec 1 sec, 40 hsec 3 sec, hsec?4( ) sec, 4 hsec 55 sec, 17 hsec 80 sec, 3 hsec sec, 9 hsec 80 sec, 61 hsec 90 sec, 70 hsec sec,34 hsec 101 sec, 31 hsec 106 sec, 19 hsec sec,40 hsec 17 sec, 83 hsec 113 sec, 6 hsec sec, 5 hsec 105 sec, 6 hsec 106 sec, 34 hsec Table 6: DL algorithm run times In the DL Algorithm, the advantages of our method in comparison with Shanks' method become even clearer. This is due to the fact that for log g d all values between 0 and jhgij are possible, and they are equally probable (this is, however, not the case in cryptographic circumstances). Assuming that jhgij is not known a priori, 1

13 Shanks' original algorithm still uses the upper bound of the group order, i.e., v = 1=4, which causes the algorithm to perform far too many baby steps. For =?4( ) and the prime ideal lying over 7; in which case the bound v = 1=4 is quite accurate, Shanks' algorithm is faster than our algorithm using v = 1=4 = for about half of the computed logarithms in our experiments. For all DL's smaller than half of the order of I 7, our algorithm using v = 1=4 = works better. The comparatively bad results for our algorithm using v = are due to the fact that in the DL Algorithm each giant step causes two group multiplications and two table look-ups, so that too many giant steps cause twice as much unnecessary work as in the Order Algorithm. Note that computing discrete logarithms of elements generated by I 7 represents the best case for Shanks' algorithm and the worst case for our algorithm because I 7 is the largest prime ideal. For =?4( ) and =?4( ), where the upper bounds of the group order are much larger than the orders of the largest prime ideals, our algorithm using v = 1=4 = works better for almost all possible logarithms. Thus, our experiments lead to similar conclusions to those related to Algorithm., namely that our algorithm works better when log g d is small compared to jhgij and when the upper bound on the order of the group is too large. 4 Computing the Structure of a Subgroup Given a generating system, i.e., a nite sequence S = (g 1 ; : : :; g l ), of a nite abelian group G that is given as described in the introduction, we want to nd the structure of G. By this we mean nding positive integers m 1 ; : : :; m k with m 1 > 1, m j jm j+1, 1 j < k, and an isomorphism : G?! Z=m 1 Z Z=m k Z: (5) This isomorphism will be given in terms of the images of the elements of the generating system S. The integers m i are the invariants of G. We describe our method. For ~z = (z 1 ; : : :; z l ) Z l we write S ~z = ly A relation on S is a vector ~z Z l such that S ~z = 1. The set L(S) of all relations on S is a lattice in Z l of dimension l, since it is the kernel of the surjective homomorphism Z l?! G; ~z 7! S ~z : Our approach will be to compute a basis B = ( ~ b 1 ; : : :; ~ b l ) of L(S). That basis is identied with a matrix of column vectors ~ b j = (b 1j ; : : :; b lj ) t. Then the order of G is j det Bj. Using standard techniques, e.g. [6], [4], we compute the Smith normal form N of B and a matrix U Z ll with det U 6 0 modjgj such that there exists V Z ll with det V 6 0 modjgj and N UBV modjgj. This means that we do not need to nd two unimodular transformations for the Smith normal form but only a left unimodular transformation mod G. Therefore, modular techniques for nding the Smith normal form can be applied. Let N be the diagonal matrix diag(1; : : :; 1; m 1 ; : : :; m k ) where m 1 > 1. Then m 1 ; : : :; m k are the invariants of G. To dene the map (5) delete in U all but the last k rows. Let ~u 1 ; : : :; ~u l be the column vectors of that new matrix, ~u j = (u 1j ; : : :; u kj ) t. Set g i z i : (g j ) = (u 1j modm 1 ; : : :; u kj mod m k ); 1 j l: 13

14 Then is the isomorphism we were looking for. We describe the computation of the basis B of the relation lattice L(S). The matrix B will be an upper triangular matrix with positive entries on the diagonal. Suppose that we have computed ~ b 1 ; : : :; ~ b j?1. We describe the computation of ~ b j. The diagonal entry b jj is the smallest positive integer such that g j b jj belongs to the subgroup of G generated by fg 1 ; : : :; g j?1 g. The problem of nding ~ b j is therefore similar to a discrete logarithm problem. Indeed, our solution is an extension of Algorithm 3.1. Instead of a single initial stepwidth v we now use a vector ~v = (v 1 ; : : :; v l ) N l of step-widths. Since there is a basis B with 0 b ij < b ii for 1 i < j l we can write b ij = q i B i + r i ; where B i = p b ii, 0 qi < B i, and 0 r i < B i. We also write b jj = y + r j ; where y = k v j q and 1 r j k v j with k and q as in Lemma.1. Set S i = (g 1 ; : : :; g i ); 1 i l: As in Algorithms. and 3.1 we proceed to nd the smallest value of y such that where S j?1 ~q ~B g j y = S j?~r ; (6) ~q = (q 1 ; : : :; q j?1 ); 0 q i < B i ; q i B i < b ii ; 1 i < j; (7) ~B = (B 1 ; : : :; B j?1 ), ~q ~ B denotes the component-wise multiplication, and Once y is found we have ~r = (r 1 ; : : :; r j ); 0 r i < B i ; 1 i < j; and 1 r j k v j : (8) where denotes the concatenation of vectors. ~ bj = ~q ~B (y) (0; : : :; 0) {z } l?j +~r (0; : : :; 0) {z } l?j To be able to check quickly whether (6) holds for a given y we use the sets n o ~q Q = (S ~B j?1 ; ~q) : ~q as in (7) and R = (S j ~r ; ~r) : ~r as in (8) : Just as in the order algorithm and the discrete logarithm algorithm we check whether b jj v j already during the rst computation of R, i.e., when k = 0 in (8). For this we use the set R 0 = (S j?1 ~r : 0 r i < B i ; 1 i < j : Moreover, before computing any element of R we check if b jj = 1. This is done separately, because in many cases the algorithm will compute the entire group structure with only a few generators, and all the others can be handled by this special case. For this check we use the set Q instead of R 0, since in general Q is considerably smaller than R 0. Here is the algorithm which determines the HNF-basis B for the relation lattice L(S). 14

15 Algorithm 4.1 This algorithm computes the HNF-basis for the lattice of relations on a generating system for a nite abelian group. Input: A generating system S = (g 1 ; : : :; g l ) of G, initial stepwidth ~v = (v 1 ; : : :; v l ) N l. Output: A basis B= ( ~ b 1 ; : : :; ~ b l ) of the lattice of relations on S in upper triangular form. (1) R 0 = f(1; ( ))g; Q = f(1; ( ))g; ~B = ( ) / initialization / () for (j = 1; : : :; l) do (3) s = 1; y = v j ; u = v j (4)?1 h = g j / a = g?i j ; b = g y j ; (5) v a = 1; b = g j j ; c = b c = g u j / (6) R = ; (7) for (all (e; ~q) Q) do / check whether g j is (8) d = e g j contained in current (9) if ( there is ~r such that (d; ~r) R 0 and q i + r i < b ii 8i = subgroup / 1; : : :; j? 1) then (10) ~ bj = ~q ~B (0) (0; : : :; 0) + ~r (1) (0; : : :; 0) (11) break for (1) (13) od (14) while (b jj == 0) do (15) for (i = s; : : :; u) do / new baby steps / (16) a = a h (17) if ( s == 1 and i > 1 ) then / check whether (18) for ( all (d; ~r) R 0 ) do 1 < b jj v j / (19) e = d a (0) if ( there is ~q such that (e; ~q) Q and q i + r i < b ii 8i = 1; : : :; j? 1 ) then (1) ~ bj = ~q ~B (0) (0; : : :; 0) + ~r (i) (0; : : :; 0) () break while (3) else (4) R = R [ f(e; ~r (i))g (5) (6) od (7) else (8) R = R [ f(d a; ~r (i)) : (d; ~r) R 0 g (9) (30) od 15

16 (31) while ((b jj == 0) ^ (y < u )) do / giant steps / (3) for (all (e; ~q) Q) do (33) d = e b (34) if ( there is ~r such that (d; ~r) R and q i + r i < b ii 8i = 1; : : :; j? 1 ) then (35) ~ bj = ~q B ~ (y) (0; : : :; 0) + ~r (0; : : :; 0) (36) break while (37) (38) od (39) y = y + u (40) b = b c (41) od (4) s = u + 1 / double step width / (43) u = u (44) c = c (45) od (46) if (j 6= l) then (47) B j = b jj (48) ~B = ~B (B j ) (49) R 0 = f(d; ~r (0)) : (d; ~r) R 0 g [ f(d; ~r) R : 1 r j < B j g (50) Q = f(e; ~q (0)) : q (e; ~q) Qg [ f(e g j B j j ; ~q (q j )) : (e; ~q) Q; 1 q j < B j ; q j B j < b jj g (51) (5) od (53) B = ( ~ b 1 ; : : :; ~ b l ) (54) return (B) / compute new R 0 and Q / We implemented our algorithm using the LiDIA system [7] to compute, once again, in ideal class groups of imaginary quadratic orders. During the course of the implementation, we found that the sets R 0 ; R; and Q are most eciently stored as indexed hash tables, since the algorithm requires traversing the tables in addition to fast searching. Using this data structure also allows one to maintain R 0 and R in one table. In the interest of saving storage, the exponent vectors in these tables are encoded into single integers. For simplicity, we analyze the complexity of Algorithm 4.1 only with initial stepwidth ~v = (; : : :; ). We need the following lemma. Lemma 4. Let m 1 ; : : :; m l N and e = jfm j jm j > 1gj. Then we have ly pmj e Equality holds if and only if m j = for all m j with m j > 1. ly p mj : Proof: Let m N. If m = 1, d p m e = p m. If m =, d p m e = p p m. If 3 m 5, d p m e < p p m. If m 6, 1 < p 6( p? 1) p m( p? 1), thus d p m e < p m + 1 < p p m. Hence, d p m e p p m for all m, with equality if and only if m =. From this our claim follows. 16

17 Theorem 4.3 Let ~v = (v 1 ; : : :; v l ) with v 1 = = v l =. Algorithm 4.1 executes l inversions and at most l(s) (l + 5) p jgj + 4l(S) p jgj + log jgj multiplications in G, where l denotes the number of generators and l(s) denotes the number of the b jj that are larger than 1. It uses two tables of at most l(s) p jgj and l(s) +1p jgj pairs (e; ~q) G f0; : : :; jgjg l : The total number of table look-ups is bounded by l(s) (l + l(s) + ) p jgj. Proof: Algorithm 4.1 performs l outer loops to compute the column vectors ~ b 1 ; : : :; ~ b l. We rst estimate the sizes of the sets Q, R and R 0 for each of these outer loops, and how many group operations are needed to build up these sets. Let Q j, R j and R 0 denote the sets Q, R and j R0 after the j-th loop. We have where B j = p b jj. Thus jqj j Q j B i. Writing we get that jq j j T for all j. It takes at most jq 0 j = 1 and jq j j jq j?1 j B j ; T = ly j?1 jq j?1 j (B j? 1) (B j? 1) B i ; (9) multiplications to compute Q j given Q j?1. The maximum number M Q of multiplications to compute all the sets Q 1 ; : : :; Q l?1 can be estimated as follows:! Xl?1 j?1 Y l?1 j?1 X jy Y (B j? 1) B i = B i? B i M Q = l?1 Y Y B i B j? 1 T? 1: In considering R j, we use the arguments of the proof of Theorem.3, with initial stepwidth v =. At the end of the j-th loop, the set R (= R j ) consists of (at most) p j jr 0 j?1 j pairs (d g j i ; ~r) with d R 0 j?1 and 1 i p j, where p j = 0 if b jj = 1, p j = 1 if b jj =, p j = if < b jj 4, and p j p b jj? if < p b jj. So we have p j B j? in all cases. Hence jr j j (B j? )jr 0 j?1j: Moreover, the algorithm performs at most B j? multiplications a = ah (step (16)), so that the maximum number of multiplications needed to compute R j given R 0 j?1 can be estimated by (B j? )jr 0 j?1j + B j?. From the way in which jr 0 j is built up, we see that jr 0 jj = jr 0 j?1j + (B j? 1)jR 0 j?1j = B j jr 0 j?1j; where jr 0 0j = 1. Thus, jr 0 j j = jy B i ; j = 1; : : :; l? 1; (10) 17

18 and Y j?1 jr j j (B j? 1) B i ; j = 1; : : :; l; so that we always have jr 0 j T and jrj T. Therefore, the algorithm requires space for at most 4T pairs (e; ~q) G f0; : : :; jgjg l to store Q, R and R 0. Let E = fg j : j f1; : : :; lg; b jj g ; = fg j : j f1; : : :; lg; G j?1 6= G j g ; where G j = hg 1 ; : : :; g j i, 0 j l. Let l(s) = jej. Then the maximum number M R of multiplications required to compute all the sets R j satises M R = 4 X l 4 Y l T? + Y j?1 (B j? 1) B j? 1 + lx g j E lx b jj B i + lx (B j? 1) (B j? 1) T? + l(s) p jgj: Next, let us consider the remaining group multiplications and table look-ups in the l outer loops. It takes l inversions and l multiplications to compute g j?1 and g j at the beginning of each outer loop. To check whether b jj = 1, i.e., whether g j is contained in the subgroup generated by g 1 ; : : :; g j?1, the algorithm checks for at most jqj elements e whether (e g j ; ~r) R 0 for some ~r. In total, this requires at most l jqj l T multiplications and table look-ups. We only have iterations of the outer while loops ((14) - (45)) if g j E. To check whether 1 < b jj (= v j ), the algorithm checks for at most jr 0 j elements d whether (dg j?b jj ; ~q) Q for some ~q. This requires at most jr 0 j (b jj?1)t = T table look-ups for each g j E, so altogether at most l(s) T table look-ups (the multiplications have already been considered above). We only have further p computations in the j-th outer loop if < b jj. In this case, we have to distinguish between the cases b jj and < p b jj. If p b jj, i.e., b jj = 3 or 4, then b jj is found during the rst iteration of the outer while loop. We conclude from the proof of Theorem.3 that it takes at most (B j? 1)jQ j?1 j = jq j?1 j table look-ups and multiplications to check whether some element (e b; ~r) is in R (steps (33)/(34)), and it requires at most p B j? (= 0) multiplications b = bc (step (40)), plus one additional multiplication in step (44). If < b jj, we have in total k j = + 1 = dlog b jj e log b jj iterations of the outer while loop, which means in all dlog b jj e multiplications for squaring c in step (44). We use the results of the proof of Theorem.3 to see that in the inner while loops ((31) - (41)), the algorithm performs at most (B j? 3)jQ j?1 j table look-ups and multiplications in steps (33)/(34) and at most B j? 4 multiplications in step (40). Combining the results of the cases p b jj and p b jj, we get that for each g j E the algorithm performs at most (B j? 3)jQ j?1 j 18

19 table look-ups in the inner while loops and at most (B j? 3)jQ j?1 j + B j? 4 + dlog b jj e group multiplications in the inner while loops and step (44). The maximum total number of table look-ups in the inner while loops, T L I ; can be estimated by T L I lx (B j? 3)jQ j?1 j lx lx 0 l (B j? 1)jQ j?1 j (B j? 1) j?1 Y 1 B i ; B j? 1A T? : For the maximum total number of multiplications in the inner while loops, M I ; we get M I T? + lx (B j? 1)? l + lx dlog b jj e T + l(s) p jgj + log jgj + l(s)? l? ; where we use that P l dlog b jje log Q l b jj + l(s) = log jgj + l(s). p Summing up, Algorithm 4.1 performs l inversions, at most (l+5)t +4l(S) jgj+log jgj group multiplications, and at most (l+l(s)+)t? table look-ups. It requires space for at most 4T pairs (e; ~q) Gf0; : : :; jgjg l. Since T l(s) p jgj (see Lemma 4.), this completes the proof. To get reasonable lower bounds for the total number of group multiplications and table look-ups we should treat many dierent distributions and orders of fb 11 ; : : :; b ll g separately. So we just give lower bounds for the sizes of Q, R and R 0, and the number of group multiplications required to compute these sets. This is done in the proof of the following theorem. Theorem 4.4 Let ~v = (; : : :; ) in Algorithm 4.1. Then the number of group multiplications and the table sizes are 0 l lp bjj where b 11 ; : : :; b ll denote the diagonal elements of the basis B computed by the algorithm. m 1 A ; Proof: loop. Just as in the previous proof, let Q j, R j and R 0 j denote the sets Q, R and R 0 after the j-th outer From the way Q is built Q up we get that jq j j = jq j?1 j if b jj = 1, and jq j j jq j?1 j(b j? 1) if B j > 1 (i.e., j if g j E). Thus jq j j (B i? 1), so at the end of the algorithm we have g i E jqj l?1 Y g j E (B j? 1) = : L; 19

20 and it takes at least L? 1 multiplications to compute all the sets Q 1 ; : : :; Q l?1. This lower bound is sharp: If b jj for all j, then Q = f(1;~0)g at the end of the algorithm. From the way R is built up and from Theorem.3 we see that jr j j = 0 if b jj = 1, jr j j jr 0 j?1 j if b jj =, and jr j j B j jr 0 j?1 j if b jj 3. With (10) it follows that jr j j 1 Let p = maxfj f1; : : :; lg : g j Eg. Then jr p j 1= T, and it takes at least 1= T multiplications to compute R p, with T as in (9). It also follows from (10) that at the end of the algorithm we have that jr 0 j = T=B l. (Especially, jr 0 j = T if g l 6 E. ) This proves the theorem. jy g j E B i : Corollary 4.5 Let G = (Z=Z) k. Then Algorithm 4.1 is of complexity (jgj). Proof: Let S be a generating sequence of G. Let l = jsj. Then for the diagonal elements b jj computed by the algorithm we necessarily have k times b jj = and l? k times b jj = 1. Since k = log jgj, the assertion follows by Lemma 4. together with Theorem 4.4. Let us further comment on the factor l(s), which appears in Theorem 4.3. We conclude from Theorem 4.4 that the more cyclic subgroups G has and the smaller they are, the larger R and R 0 (and Q) are, and thus the storage required and the number of group multiplications increases. However, this eect only depends on the structure of the type of groups we are dealing with. In the case of ideal class groups of imaginary quadratic elds, where we expect small ranks [5], we can say that the worst case does not occur very frequently, especially for large discriminants. Theoretically there is another possibility to have a disturbingly large exponent l(s) even if G is cyclic or consists of very large cyclic subgroups, namely if many generators are needed to build up each cyclic factor. To estimate the damage caused by these eects, we did the following experiments. For n = 3; 4; : : :; 10 we took the rst 1000 discriminants smaller than 10 n. For each of these discriminants, we took the ten prime ideal classes of smallest norm in the corresponding imaginary quadratic order and used our algorithm to compute the subgroup generated by these classes. We measured the sizes of Q and R 0 and counted the number l(s) of prime ideal classes actually used in the algorithm to compute the subgroup. In Table 7 we compare jqj and jr 0 j with jgj and p jgj, and in Table 8 we compare l(s) with the number of cyclic factors of jgj, which is the minimum number of generators needed to compute jgj. Table 7 shows that usually the sets Q and R 0 do not blow up to the entire group size but contain less than p jgj pairs (g; ~q) in average. Only for discriminants with absolute value smaller than 10 5 it occurred that jr 0 j jgj. Due to the way Q is built up by Algorithm 4.1, the set Q always contains considerably fewer elements than R 0. Table 8 shows that in more than half of all our experiments the algorithm actually uses no more generators than theoretically necessary. Also in the remaining cases, l(s) is always very small, as expected from the results of Cohen and Lenstra [5]. In Tables 9 and 10 we give some examples of subgroups computed with our algorithm. For each discriminant, we compute the group G generated by the classes of the 10 prime ideals of smallest norms in the order. As before, GM is the number of group multiplications required and T L is the number of table look-ups. We used ~v = (; : : :; ) as an initial step width in all cases. 0

21 jqj=jgj jr 0 j=jgj p jqj= jgj p jr 0 j= jgj n max ave max ave max ave max ave Table 7: Subgroup algorithm size of R 0 and Q relative to jgj and jgj 1= l(s) - number of cyclic factors n Table 8: Subgroup algorithm worst case data G GM T L time?(10 + 3) [5] hsec?( ) [4] hsec?( ) [1] hsec?( ) [39] hsec?( ) [105] hsec?( ) [706] hsec?( ) [170] hsec?( ) [1840, ] hsec?( ) [10538] hsec?( ) [31057] sec, 60 hsec?( ) [684, ] sec, 56 hsec?( ) [1464,, ] sec, 5 hsec?( ) [356368,, ] sec, 53 hsec?( ) [3996] sec, 41 hsec?( ) [18435] sec, 36 hsec?( ) [ ] min, 0 sec, 1 hsec?( ) [ ] min, 30 sec, 6 hsec?( ) [ ,,, ] min, 39 sec, 47 hsec?( ) [ , ] min, 13 sec, 87 hsec Table 9: Subgroup algorithm sample run times 1

22 G GM T L time?4(10 + 1) [14] hsec?4( ) [10,, ] hsec?4( ) [40, 4] hsec?4( ) [30, ] hsec?4( ) [516, ] hsec?4( ) [1446, ] hsec?4( ) [4104, 4] hsec?4( ) [560,,,, ] hsec?4( ) [48396,, ] sec, 93 hsec?4( ) [5677,,, ] sec, 54 hsec?4( ) [117360, 4, ] sec, 76 hsec?4( ) [748,, ] sec, 11 hsec?4( ) [ , 4,, ] sec, 91 hsec?4( ) [57448, 4,,,,, ] sec, 58 hsec?4( ) [ ,,,, ] min, 11 sec, 94 hsec?4( ) [ ,,, ] min, 8 sec, 1 hsec?4( ) [ ,, ] min, 40 sec, 54 hsec?4( ) [ , ] min, 33 sec, 53 hsec?4( ) [ ,,, ] min, 39 sec, 46 hsec Table 10: Subgroup algorithm sample run times References [1] I. Biehl and J. Buchmann, Algorithms for quadratic orders, Proceedings of Symposium on Mathematics of Computation, [] J. Buchmann and S. Paulus, Algorithms for nite abelian groups, Extended abstract. To be published in the proceedings of NTAMCS 93. [3] D.A. Buell, Binary quadratic forms: classical theory and modern computations, Springer-Verlag, New York, [4] H. Cohen, A course in computational algebraic number theory, Springer-Verlag, Berlin, [5] H. Cohen and H.W. Lenstra, Jr., Heuristics on class groups of number elds, Number Theory, Lecture notes in Math., vol. 1068, Springer-Verlag, New York, 1983, pp. 33{6. [6] P.D. Domich, Residual Hermite normal form computations, ACM Transactions on Mathematical Software 15 (1989), no. 3, 75{86. [7] J. Buchmann I. Biehl and T. Papanikolaou, LiDIA - a library for computational number theory, The LiDIA Group, Universitat des Saarlandes, Saarbrucken, Germany, [8] A.K. Lenstra and H.W. Lenstra, Jr., Algorithms in number theory, Handbook of theoretical computer science (J. van Leeuwen, ed.), Elsevier Science Publishers, 1990, pp. 673{715. [9] S. Paulus, Algorithmen fur endliche abelsche Gruppen, Master's thesis, Universitat des Saarlandes, Saarbrucken, Germany, 199. [10] D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 0, AMS, Providence, R.I., 1971, pp. 415{440.