On some computational problems in nite abelian groups. Universitat des Saarlandes. Fachbereich 14 - Informatik. Postfach

Similar documents
The Pohlig-Hellman Method Generalized for Group EDLYN TESKE. Department of Combinatorics and Optimization, University of Waterloo

Algorithms for quadratic orders INGRID BIEHL AND JOHANNES BUCHMANN. Abstract. We describe deterministic algorithms for solving the following

The only method currently known for inverting nf-exp requires computing shortest vectors in lattices whose dimension is the degree of the number eld.

Distributed computation of the number. of points on an elliptic curve

(1.) For any subset P S we denote by L(P ) the abelian group of integral relations between elements of P, i.e. L(P ) := ker Z P! span Z P S S : For ea

A SPACE EFFICIENT ALGORITHM FOR GROUP STRUCTURE COMPUTATION

output H = 2*H+P H=2*(H-P)

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

Elementary 2-Group Character Codes. Abstract. In this correspondence we describe a class of codes over GF (q),

The following can also be obtained from this WWW address: the papers [8, 9], more examples, comments on the implementation and a short description of

Polynomial functions over nite commutative rings

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

9 Knapsack Cryptography

J. Symbolic Computation (1995) 11, 1{000 An algorithm for computing an integral basis in an algebraic function eld Mark van Hoeij Department of mathem

18.312: Algebraic Combinatorics Lionel Levine. Lecture 22. Smith normal form of an integer matrix (linear algebra over Z).

Lifting to non-integral idempotents

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

Math 3361-Modern Algebra Lecture 08 9/26/ Cardinality

A CLASS GROUP HEURISTIC BASED ON THE DISTRIBUTION OF 1-EIGENSPACES IN MATRIX GROUPS

USING SHANKS BABY-STEP GIANT-STEP METHOD TO SOLVE THE GENERALIZED PELL EQUATION x 2 Dy 2 = N. Copyright 2009 by John P. Robertson. 1.

Fraction-free Row Reduction of Matrices of Skew Polynomials

CYCLICITY OF (Z/(p))

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Counting and Constructing Minimal Spanning Trees. Perrin Wright. Department of Mathematics. Florida State University. Tallahassee, FL

An Implementation of Ecient Pseudo-Random Functions. Michael Langberg. March 25, Abstract

Consider the following general situation: let G and H be two sets (not. G H = f(g; h)j g 2 G; h 2 Hg:

COMPUTING MODULAR POLYNOMIALS

A One Way Function Based on Ideal Arithmetic in Number Fields

Factoring Polynomials with Rational Coecients. Kenneth Giuliani

A Graph Based Parsing Algorithm for Context-free Languages

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

2 J. Kluners and M. Pohst (993)] for calculating subelds. In this article we generalize and improve the methods of Dixon (990). The generating polynom

Complexity of the Havas, Majewski, Matthews LLL. Mathematisch Instituut, Universiteit Utrecht. P.O. Box

A Terr algorithm for computations in the infrastructure of real-quadratic number fields

Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Group Theory. 1. Show that Φ maps a conjugacy class of G into a conjugacy class of G.

Primitive sets in a lattice

Structural Grobner Basis. Bernd Sturmfels and Markus Wiegelmann TR May Department of Mathematics, UC Berkeley.

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

group homomorphism if for every a; b 2 G we have Notice that the operation on the left is occurring in G 1 while the operation

An exploration of matrix equilibration

Lecture 6: Finite Fields

SOLVING QUADRATIC EQUATIONS IN DIMENSION 5 OR MORE WITHOUT FACTORING

Computational Number Theory. Adam O Neill Based on

UMASS AMHERST MATH 411 SECTION 2, FALL 2009, F. HAJIR

Journal de Theorie des Nombres. de Bordeaux 8 (1996), 283{313. On the computation of quadratic 2-class groups. par Wieb BOSMA et Peter STEVENHAGEN

Characters and triangle generation of the simple Mathieu group M 11

k-subsets of V: Finding a collection which forms a t-design is equivalent to the problem of solving a system of diophantine equations, as mentioned ab

GENERATING SETS KEITH CONRAD

A Finite Element Method for an Ill-Posed Problem. Martin-Luther-Universitat, Fachbereich Mathematik/Informatik,Postfach 8, D Halle, Abstract

ON THE DISTRIBUTION OF CLASS GROUPS OF NUMBER FIELDS

ERIC LARSON AND LARRY ROLEN

Computing a Lower Bound for the Canonical Height on Elliptic Curves over Q

A Course in Computational Algebraic Number Theory

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

4.1 Eigenvalues, Eigenvectors, and The Characteristic Polynomial

Representations of algebraic groups and their Lie algebras Jens Carsten Jantzen Lecture III

Algorithms (II) Yu Yu. Shanghai Jiaotong University

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

New Minimal Weight Representations for Left-to-Right Window Methods

R. Kwashira 1, 2 Work with J.C. Mba 3 ( 1 Birmingham, (CoE-MaSS), South Africa, 3 University of Johannesburg, South Africa

Finding Succinct. Ordered Minimal Perfect. Hash Functions. Steven S. Seiden 3 Daniel S. Hirschberg 3. September 22, Abstract

Abstract. the aid of a computer. The smallest parameter set found is 7-(24; 8; 4): for determining the isomorphism types. Further designs are derived

Dual Discrete Logarithms

TOPOLOGICAL COMPLEXITY OF 2-TORSION LENS SPACES AND ku-(co)homology

Computational algebraic number theory tackles lattice-based cryptography

STGs may contain redundant states, i.e. states whose. State minimization is the transformation of a given

Reduction of Smith Normal Form Transformation Matrices

Coins with arbitrary weights. Abstract. Given a set of m coins out of a collection of coins of k unknown distinct weights, we wish to

A fast algorithm to generate necklaces with xed content

Rings, Paths, and Paley Graphs

Simple groups and the classification of finite groups

You separate binary numbers into columns in a similar fashion. 2 5 = 32

A Las Vegas algorithm to solve the elliptic curve discrete logarithm problem

Upper and Lower Bounds on the Number of Faults. a System Can Withstand Without Repairs. Cambridge, MA 02139

GENERALIZATIONS OF SOME ZERO-SUM THEOREMS. Sukumar Das Adhikari Harish-Chandra Research Institute, Chhatnag Road, Jhusi, Allahabad , INDIA

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

The Non-existence of Finite Projective Planes of. Order 10. C. W. H. Lam, L. Thiel, and S. Swiercz. 15 January, 1989

Cover Page. The handle holds various files of this Leiden University dissertation

2 Grimm, Pottier, and Rostaing-Schmidt optimal time strategy that preserves the program structure with a xed total number of registers. We particularl

Extremal problems in logic programming and stable model computation Pawe l Cholewinski and Miros law Truszczynski Computer Science Department Universi

GRE Subject test preparation Spring 2016 Topic: Abstract Algebra, Linear Algebra, Number Theory.

On the classication of algebras

ISOMORPHISMS KEITH CONRAD

into B multisets, or blocks, each of cardinality K (K V ), satisfying

2 Garrett: `A Good Spectral Theorem' 1. von Neumann algebras, density theorem The commutant of a subring S of a ring R is S 0 = fr 2 R : rs = sr; 8s 2

Computing Invariant Factors


Non-context-Free Languages. CS215, Lecture 5 c

Elliptic curves: Theory and Applications. Day 3: Counting points.

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Lecture 8 - Algebraic Methods for Matching 1

Material covered: Class numbers of quadratic fields, Valuations, Completions of fields.

only nite eigenvalues. This is an extension of earlier results from [2]. Then we concentrate on the Riccati equation appearing in H 2 and linear quadr

K. T. Arasu Jennifer Seberry y. Wright State University and University ofwollongong. Australia. In memory of Derek Breach.

Theoretical Cryptography, Lecture 13

2 3 DIGITAL SIGNATURE STANDARD (DSS) [PROPOSED BY NIST, 1991] Pick an x 2 Z p,1 as the private key Compute y = g x (mod p) asthe public key To sign a

HOMEWORK 4 SOLUTIONS TO SELECTED PROBLEMS

Lecture 15: The Hidden Subgroup Problem

Transcription:

On some computational problems in nite abelian groups Johannes Buchmann Michael J. Jacobson, Jr. Universitat des Saarlandes Fachbereich 14 - Informatik Postfach 151150 66041 Saarbrucken Germany Edlyn Teske y 0th February 1996 Abstract We present new algorithms for computing orders of elements, discrete logarithms, and structures of nite abelian groups. We estimate the computational complexity and storage requirements, and we explicitly determine the O-constants and -constants. We implemented the algorithms for class groups of imaginary quadratic orders and present a selection of our experimental results. Our algorithms are based on a modication of Shanks' baby-step giant-step strategy, and have the advantage that their computational complexity and storage requirements are relative to the actual order, discrete logarithm, or size of the group, rather than relative to an upper bound on the group order. AMS Subject Classication: 11Y16 1 Introduction Let G be a nite abelian group, written multiplicatively, in which we assume that the following are possible: for a; b G we can compute c = a b for a G we can compute a?1 for a; b G we can test whether a = b We call these the group operations. Note that from every group element a we can determine the neutral element 1 = a a?1. As an example, WE will consider class groups of imaginary quadratic elds. Another example is the group of points on an elliptic curve over a nite eld. For any subset S of G; denote by hsi the subgroup of G generated by S. If hsi = G then S is called a generating set of G. If S = fgg then write hgi instead of hsi. Three common computational problems in such groups are: supported by the Natural Sciences and Engineering Research Council of Canada y supported by the Deutsche Forschungsgemeinschaft 1

Given g G compute jhgij; the order of g in G, i.e., the least positive integer x such that g x = 1: Given g; d G decide whether d belongs to the cyclic subgroup hgi of G generated by g. If d hgi; nd log g d; the discrete logarithm of d to the base g; i.e., the least non-negative integer x such that g x = d: Given a generating set of G compute the structure of G. By computing the structure of G we mean computing positive integers m 1 ; : : :; m k with m 1 > 1, m i jm i+1, 1 i < k and an isomorphism : G! Z=m 1 Z Z=m k Z: This isomorphism is given in terms of the images of the generators. The integers m i are the uniquely determined invariants of G. In this paper we present improved versions of Shanks' algorithms for solving these problems. As in Shanks' original method [10] (see also [4], [8]), operations in G and table look-ups are used in our algorithms. The table entries are pairs (S z ; z), where S is a set of group elements, z belongs to the set Z S of all maps S?! Z, and S z = Q gs gz(g). When we estimate the complexity of our algorithms, we count the number of group operations, the number of table look-ups, and we determine bounds on the table sizes, i.e., the number of group elements which have to be stored. We ignore the time and space for doing index calculations. If hashing on the group elements is possible, the tables of group elements are hash tables and the time for one table look-up is comparable to the time required for a group operation. Here are our main results. Theorem 1.1 There is an algorithm for computing the order x of an element g G which executes one inversion and at most 4 p p x x + log multiplications in G. It uses a table of at most p x pairs (g; r) G f1; : : :; d p x eg. The total number of table look-ups is bounded by p x : Theorem 1. There is an algorithm that decides for g; d G, d 6= 1, whether d hgi and if so computes log g d: Let jhgij if d 6 hgi x = log g d if d hgi: The algorithm executes at most 6 p x + log p x multiplications in G. It uses a table of at most p x pairs (g; r) G f1; : : :; d p x eg. The total number of table look-ups is bounded by 4 p x :

Our algorithm for computing the structure of G may behave dierently if the generators are input in dierent orders. Therefore, the algorithm receives as input a generating sequence, i.e., a nite sequence S = (g 1 ; : : :; g l ) of group elements such that fg 1 ; : : :; g l g is a generating set of G. Set and G j = hg 1 ; : : :; g j i; 0 j l; (1) l(s) = jfj f1; : : :; lg : G j?1 6= G j gj : () In other words, if we generate G by using g 1 ; g ; g 3 ; : : :, l(s) is the number of generators which enlarge the group. Note that l(s) is at least as large as the number of invariants of G. We will prove the following result. Theorem 1.3 There is an algorithm that computes the structure of G from a generating sequence S of G which executes jsj inversions and at most l(s) (jsj + 5) p jgj + 4 l(s) p jgj + log jgj multiplications in G, with l(s) from (). It uses two tables of at most l(s) p jgj and l(s) +1p jgj pairs (g; ~q) G f0; : : :; p jgjg jsj. The total number of table look-ups is bounded by l(s) (jsj + l(s) + ) p jgj: The upper bound for the complexity of the group structure algorithm is exponential in the number l(s) of generators that are really used to determine the group structure. If that number is xed, the complexity of the algorithm is O(jSj p jgj). On the other hand, our analysis shows that if G = (Z=Z) l for some positive integer l; the complexity of our algorithm is (jgj). This lower bound also holds for Shanks' original algorithm and its variations. Hence, for nite abelian groups with a large number of small invariants our algorithm is not appropriate. The basic idea of this paper is to use baby-step giant-step algorithms with some initial step-width v N and to double that step-width as long as the result of the computation has not been found. A similar idea has been used in [] but the results obtained there are weaker than ours. For v = we obtain the above theorems. If v is chosen such that L = v is an upper bound on the group order, we obtain Shanks' original algorithms. Our analysis shows that for v = p L the number of multiplications and the table size in the order and discrete logarithm algorithms is ( p L). Also, for that choice of v the number of multiplications and the table size in the group structure algorithm is ( l(s)= jsj p jlj). Thus, if the upper bound L is much larger than the actual order, discrete logarithm or group order, the algorithm wastes a lot of time and space. We implemented our algorithms for class groups of imaginary quadratic orders using the computer algebra system LiDIA [7]. We present experimental results which yield good choices for the initial step-width v for these groups. The paper is organized as follows. In Section we describe and analyze the order algorithm. That section also contains the basic idea of the paper. In Section 3 we discuss the algorithm for computing discrete logarithms, and Section 4 is devoted to the group structure algorithm. 3

Computing the Order of an Element Given an element g G we wish to compute x = jhgij: Our improved algorithm, a modication of Shanks' baby-step giant-step method, is based on the following statement: Lemma.1 Let v be an even positive integer. For every positive integer x there are uniquely determined integers k, q and r with k 0, b4 k?1 cv k vq < 4 k v and 1 r k v such that x = y + r, y = k vq. Proof: Let x N. We rst show the existence of such k, q and r. We choose k such that b4 k?1 cv < x 4 k v ; and write x = k vq + r with 1 r k v. Then b4 k?1 cv? k v < k vq 4 k v? 1, which implies that k vq < 4 k v. Moreover, if k = 0, we have?v < vq; so 0 vq. If k 1, we have 4 k?1 v? k v < k vq; hence k?1 (v=)? 1 < q. Since v= is integral, this implies that k?1 (v=) q, so that 4 k?1 v k vq. To show the uniqueness of this representation, let x = k vq + r with k, q and r as stated above. Then b4 k?1 cv k vq < 4 k v, which implies q k v? 1, so that x = k vq + r k v( k v? 1) + k v = 4 k v. Moreover, we have b4 k?1 cv < k vq + r = x. These inequalities determine k uniquely. The uniqueness of q and r is due to the uniqueness statement for division with remainder. We explain the method for computing x = jhgij. We select an even positive integer v which is used as the initial step-width in the algorithm. Then there is a unique non-negative integer k such that x belongs to the interval I k = fb4 k?1 cv + 1; : : :; 4 k v g: We search those intervals for k = 0; 1; ; : : : until x is found. By Lemma.1, each number in I k can be written as y + r with y = k vq and r, q as stated in Lemma.1. Also, each integer that can be written in this way belongs to the interval I k. To check whether x is in I k we test whether g y+r = 1 with y = k vq and r and q as stated in Lemma.1. This means that we test whether For this purpose, we compute the set g y = g?r ; 1 r k v; y = k vq; b4 k?1 cv y < 4 k v : R k = f(g?r ; r) : 1 r k vg; and for all values of q such that b4 k?1 cv y < 4 k v we check whether there exists (g y ; r) R k for some r. If so, jhgij = y + r: Otherwise, we increase k by 1. If x v, the set R 0 contains at least one pair (1; r), and jhgij = r for the smallest such r. Therefore, before adding a pair (g?r ; r), 1 r v, to R 0 in the course of the computation of R 0, we always check whether g?r = 1, and we break if the answer is \yes", since then jhgij is already found. The eciency of the algorithm can be improved if we know a lower bound B of jhgij: Writing C = B? 1, we then work with the set R k = f(g?(r+c) ; r) : 1 r k vg; and if we nd (g y ; r) R k ; jhgij = y + r + C: If no lower bound for jhgij is known, we set C = 0. We now present the algorithm. 4

Algorithm. This algorithm computes the order of the group element g in G. Input: g G, lower bound C + 1 for jhgij, initial step-width v (v N) Output: x = jhgij (1) x = 0 () s = 1; y = v; u = v (3) h = g?1 (4) a = h C ; b = g v ; c = b / a = g?c?r ; (5) R = ; b = g y ; c = g u / (6) while (x == 0) do (7) for (r = s; s + 1 : : :; u) do / new baby steps / (8) a = a h (9) if ( s == 1 ) then / check if 1 x v / (10) if ( a == 1 ) then (11) x = r + C (1) return (x) (13) break while (14) else (15) R = R [ f(a; r)g (16) (17) else (18) R = R [ f(a; r)g (19) (0) od (1) while (x == 0 and y < u ) do / giant steps / () if (there is a number r such that (b; r) R ) then (3) x = y + r + C (4) return (x) (5) else (6) y = y + u (7) b = b c (8) (9) od (30) s = u + 1; u = u / double (31) c = c step width / (3) od Theorem.3 Let C = 0. Let x = jhgij. For every choice of v, Algorithm. executes one inversion and at most blog vc + 1 multiplications in G and requires space for three group elements. On further group multiplications, space required, and table look-ups, we have the following estimates. 1. If x v, Algorithm. executes x additional multiplications in G. It uses a table of x? 1 pairs (g; r) G f1; : : :; x? 1g and it performs x equality checks.. If p x v < x, the number M of additional multiplications in G satises v M p x + v? : 5

The algorithm uses a table of v pairs (g; r) G f1; : : :; vg, and it performs v equality checks. The total number TL of table look-ups satises 1 T L p x? 1: p 3. If x > v, the number M of additional multiplications in G satises 5 p p x x + log 4 v? 1 M 4 p x? v + log p x v? 5: It performs v equality checks. It uses a table of at least d p x e and at most d p x e? pairs (g; r) G f1; : : :; d p x eg. The total number TL of table look-ups satises d p x e 4 T L p x? v? : Proof: For the initialization, Algorithm. requires one inversion and at most blog vc + 1 multiplications to compute g?1 and b = c = g v. It must store g?1, b and c. If x v, we nd x = jhgij during the rst iteration of the outer while loop, in the course of the computation of the set R (= R 0 ). This requires x group multiplications and x equality checks, and the set R contains x? 1 pairs (g?r ; r). If p x v < x, we also nd x = jhgij during the rst iteration of the outer while loop. The set R contains v pairs (g?r ; r); which also means that the algorithm must perform v multiplications in G to compute R. It performs v equality checks to test whether g?r = 1. In the iterations of the inner while loop, the algorithm checks whether (g qv ; r) R while v qv x? r (r f1; : : :; vg), i.e., 1 q (x? 1)=v, so we have 1 q < p x. It computes g qv while v qv x?r, thus q < p x. This requires between 1 and d p x e?1 table look-ups, and at most d p x e? group multiplications. Hence, the total number of multiplications in the outer while loop is between v and v + d p x e?, if p x v < x. If v < p x, the algorithm performs k additional iterations of the outer while loop, where i.e., k? 1 < log p x v 4 k?1 v < x 4 k v (3) l m k, hence k = log p x. After the last iteration, the set R contains k v pairs (g?r ; r). v Thus, to compute R the algorithm performs k v multiplications in G, and it must store a table of k v pairs. From (3) we see that k?1 v < p x k v, so p x k v p x? : (4) In the rst inner while loop, the algorithm computes g qv for q v, which requires v? 1 multiplications. In all of the following inner while loops except the last, it computes g qi v while 4 i?1 v < q i v 4 i v ; i.e., where 1 i k? 1. This requires i?1 v < q i v; i v? v i?1 = 3 v i?1 multiplications in each loop, which can be summed to k?1 X 3 i?1 v = 3 (k?1? 1) v 6

multiplications. In the last loop, the algorithm computes g qk v while 4 k?1 v < q k v x? r; r f1; : : :; k vg; so k?1 v < q x?1. Since p x k v, we have x?1 x?1 k v k p v x < p x, and this requires at most p x? 1? k?1 v multiplications. Thus, the total number of multiplications in the inner while loops is at least and at most v? 1 + 3 ( k?1? 1) v = 3 k?1v? v? 1 (4) 3 p p x x? 4? 1 d p x e 4? 1; v? 1 + 3 ( k?1? 1) v + p x? 1? k?1 v = k?1 v? v + p x? (4) p x? v? 3; The total number of table look-ups is bounded below by d p x e =4 and above by d p x e? v?, which is the maximum number of iterations of the inner while loops. Finally, note that in k outer while loops the algorithm performs one multiplication to compute c. Together with (4) we get that Algorithm. performs at least p x log and at most log p x additional multiplications in G to nd jhgij, if v < p x. v v + 5 p x? 1 4 + 4 p x? v? 5 Remark.4 To adapt Theorem.3 to the case C 1, we just have to replace each x by x? C and add to the total number of group multiplications the multiplications required to compute a = (g?1 ) C, i.e., at most blog Cc + 1 multiplications. In practice, the most ecient way to handle the set R is by means of a hash table. This is possible as long as the group elements are represented as sequences of integers. Then, each look-up in the table R requires just one computation of a hash value and usually one equality test for group elements. As we see from Theorem.3, the eciency of Algorithm. depends largely on the appropriate choice of the initial step-width v. As noted by Shanks [10], the optimal choice of v is v = p jhgij: This results in about p jhgij group multiplications in our algorithm. If v is chosen too large (in comparison with p jhgij), we waste space and time because the set R is too big. If v is chosen too small, we waste time because of superuous iterations of the outer while loop. In order to test our algorithm, we implemented it using the LiDIA system [7] to compute orders of elements in ideal class groups of imaginary quadratic orders. For three discriminants of sizes ten, fteen, and twenty decimal digits, we computed the orders of the ideal classes of four prime ideals that we knew from previous computations had dierent orders. In Tables 1,, and 3 we show the actual numbers of group multiplications and table look-ups, denoted by GM and T L respectively, that were required to compute the order of each prime ideal class, together with the lower and upper bounds predicted by Theorem.3. denotes the 7

discriminant of the quadratic order and I p denotes the ideal class of which the prime ideal lying over the prime p is the reduced representative. We compute the order of each prime ideal class three times, using a dierent value of v each time. The simplest version of our algorithm uses v = ; v = 1=4 is equivalent to Shanks' original algorithm [10], and v = 1=4 = is half-way between the other two and has been shown to yield the best overall run times in our tests. Table 4 gives the run times for these computations on a SPARCstation 0. Lower Computed Upper p jhi p ij GM T L GM T L GM T L?4(10 10 + 1) 5 4033 85 16 164 94 58 15 3 1613 166 3 34 189 515 53 13 4198 0 39 485 1 68 309 7 48396 8 55 580 316 884 437?4(10 15 + 1) 7 0 0 4 0 5 0 9 4908 67 5 558 94 836 413 17 1874 456 89 107 506 1441 715 3 57448 643 17 178 757 037 1013?4(10 0 + 1) 13 304638 19054 3808 38750 35 6094 30463 5 46404976 6941 5385 6337 30544 86179 43081 37 9809855 38095 7616 77489 44706 11871 6097 7 1856197104 53870 10771 1664 61090 17348 86165 Table 1: Order algorithm group multiplications and table look-ups (v = ) Lower Computed Upper p jhi p ij GM T L GM T L GM T L?4(10 10 + 1) 5 4033 4 1 51 18 97 63 3 1613 4 1 305 7 361 17 13 4198 4 1 341 108 389 155 7 48396 4 1 449 16 453 19?4(10 15 + 1) 7 0 0 19 0 19 0 9 4908 3976 1 400 10 4199 07 17 1874 3976 1 404 3 4350 358 3 57448 3976 1 4056 64 4499 507?4(10 0 + 1) 13 304638 70711 1 74014 381 85965 153 5 46404976 70711 1 7795 656 974 1541 37 9809855 70711 1 83858 1315 101197 30464 7 1856197104 70711 1 96983 650 113816 43083 Table : Order algorithm group multiplications and table look-ups (v = 1=4 =) For =?4(10 10 + 1); our algorithm using v = is faster than Shanks' algorithm (i.e. v = 1=4 ) for I 5 ; the class with the smallest order. It is slower for I 3 and I 13 ; even though it executes fewer total group operations, because it performs four times as many giant steps than Shanks' algorithm, which requires additional table look-ups. In the case of I 7 ; the optimal value of v is v = p 48396 0; and the initial step width v = 1=4 447 that is used in Shanks' algorithm is suciently accurate that the extra giant steps taken by our algorithm cause it to execute more group operations in total. v = 1=4 = 3 is closer to the optimal value than v = 1=4 ; and this choice of v does result in the best overall performance for three of the four ideals. 8

Lower Computed Upper p jhi p ij GM T L GM T L GM T L?4(10 10 + 1) 5 4033 448 1 467 9 53 63 3 1613 448 1 494 36 587 17 13 4198 448 1 51 54 615 155 7 48396 448 1 566 108 679 19?4(10 15 + 1) 7 0 0 1 0 1 0 9 4908 7953 1 7977 5 8178 07 17 1874 7953 1 7988 16 839 358 3 57448 7953 1 8004 3 8478 507?4(10 0 + 1) 13 304638 1414 1 143086 1640 156678 153 5 46404976 1414 1 14477 381 16987 1541 37 9809855 1414 1 148008 656 171910 30464 7 1856197104 1414 1 154571 1315 18459 43083 Table 3: Order algorithm group multiplications and table look-ups (v = 1=4 ) p jhi p ij v = v = 1=4 = v = 1=4?4(10 10 + 1) 5 4033 19 hsec 16 hsec 7 hsec 3 1613 31 hsec hsec 7 hsec 13 4198 44 hsec 30 hsec 37 hsec 7 48396 60 hsec 44 hsec 41 hsec?4(10 15 + 1) 7 13 hsec 9 hsec 10 hsec 9 4908 86 hsec sec, 83 hsec 4 sec, 87 hsec 17 1874 1 sec, 0 hsec sec, 39 hsec 4 sec, 60 hsec 3 57448 1 sec, 74 hsec 1 sec, 95 hsec 3 sec, 6 hsec?4(10 0 + 1) 13 304638 61 sec, 40 hsec 51 sec, 80 hsec 9 sec, hsec 5 46404976 81 sec, 68 hsec 5 sec, 7 hsec 78 sec, 71 hsec 37 9809855 18 sec, 6 hsec 78 sec, 76 hsec 116 sec, 60 hsec 7 1856197104 17 sec, 86 hsec 10 sec, 8 hsec 111 sec, 14 hsec Table 4: Order Algorithm run times For =?4(10 15 + 1); our algorithm using v = is the fastest for three of the four prime ideals. The orders of the ideals are suciently small that selecting v = 1=4 or 1=4 = results in too many extra baby steps. For =?4(10 0 + 1); our algorithm using v = is faster than Shanks' algorithm for one of the four ideals. In this case, 1=4 is closer to the optimal value of v than for =?4(10 15 + 1): Using v = 1=4 =; as in the case of =?4(10 10 + 1); actually results in the best overall performance. Our results suggest that Algorithm. has two main advantages over Shanks' original algorithm. The rst and most obvious advantage is that it is faster when the order of the element is much smaller than the order of the group. In these cases, Shanks' algorithm executes too many baby steps, and although our algorithm using v = will execute some unnecessary giant steps, it will still execute fewer group operations overall. The second advantage is when the upper bound on the order of the group is too large. Shanks' algorithm will execute too many baby steps in this case as well. Our algorithm allows one to select an initial step width that is much smaller than the estimated order of the group, in the hope of attaining a better approximation of p jhgij: Using Shanks' algorithm, an initial step width that is too small results in far too many giant steps, but our algorithm will detect if the initial step width is too small and enlarge it if necessary. 9

3 Computing Discrete Logarithms Given g; d G; we wish to decide whether d belongs to the group hgi generated by g. If the answer is \yes," we want to compute x = log g d. We use the following modication of Algorithm. to solve this problem. We compute the order of g in G as in Algorithm., i.e., we try to nd integers y and r such that g y+r = 1. However, for each y, before checking whether g y+r = 1, we check whether g y+r = d. For this, we work with the same set R as in Algorithm.. We rst check whether (d?1 g y ; r) R, with R as in Algorithm.. If this is the case, log g d = y + r. Otherwise, we check whether (g y ; r) R. As soon as we have found jhgij, we know that there is no discrete logarithm of d for base g, since log g d < jhgij. Just as in Algorithm., during the computation of R 0 = f(g?r ; r) : 1 r vg we always check whether log g d or jhgij is already found before we include a pair (g?r ; r). Algorithm 3.1 This algorithm computes the discrete logarithm of d (d 6= 1) for base g. Input: d; g G (d 6= 1), initial stepwidth v (v N) Output: t = 1 and x = log g d if d hgi, t = 0 and x = jhgij if d = hgi (1) t = ; x = 0 () s = 1; y = v; u = v (3) h = g?1 (4) a = 1; b = g v ; c = b / a = g?r, b = g y, (5) R = ; c = g u / (6) f = d?1 (7) while (t == ) do (8) for (r = s; s + 1 : : :; u) do / new baby steps / (9) a = a h (10) if (s == 1) then / check if 1 x v / (11) if (a == f ) then (1) x = r; t = 1 (13) break while (14) else (15) if (a == 1) then (16) x = r; t = 0 (17) break while (18) else (19) R = R [ f(a; r)g (0) (1) () else (3) R = R [ f(a; r)g (4) (5) od 10

(6) while (t == and y < u ) do / giant steps / (7) if (there is a number r such that (f b; r) R) then / checking for (8) x = y + r; t = 1 discrete log. / (9) else (30) if (there is a number r such that (b; r) R) then / checking for (31) x = y + r; t = 0 the order of g / (3) else (33) y = y + u (34) b = b c (35) (36) (37) od (38) s = u + 1; u = u / double (39) c = c step width / (40) od (41) return (t, x) To discuss the complexity of Algorithm 3.1 we use the same arguments as in Theorem.3. We only have to observe that there are twice as many equality checks during the computation of R 0. Moreover, in each inner while loop, we have one additional multiplication to compute f b and at most one additional table look-up to check whether (f b; r) R. With x = log g d if d hgi and x = jhgij if d = hgi, this causes at least 1 additional multiplication and at most d p x e? 1 additional multiplications and table look-ups if p x v < x. If p x > v, this causes at least d p x e =4? 1 and at most d p x e? v? additional multiplications and table look-ups. Therefore, we have the following result: Theorem 3. Let d 6= 1. Let jhgij if d 6 hgi x = log g d if d hgi: For every choice of v, Algorithm 3.1 executes two inversions and at most blog vc + 1 multiplications in G and requires space for ve group elements. On further group multiplications, space required, and table look-ups, we have the following estimates. 1. If x v; Algorithm 3.1 executes x further multiplications in G. It uses a table of x? 1 pairs (g; r) G f1; : : :; x? 1g, and it performs at most x equality checks.. If p x v < x; the number M of further multiplications in G satises v + 1 M p x + v? 3: The algorithm uses a table of v pairs (g; r) G f1; : : :; vg, and it performs v equality checks. The total number TL of table look-ups satises 1 T L p x? : p 3. If x > v, the number M of further multiplications in G satises 3 p p x x + log v? M 6 p x? v + log p x v? 7: It performs at most v equality checks. It uses a table of at least d p x e and at most d p x e? pairs (g; r) G f1; : : :; d p x eg. The total number TL of table look-ups satises d p x e? 1 T L 4 p x? v? 4: 11

Algorithm 3.1 was implemented using the LiDIA system [7] to compute discrete logarithms in ideal class groups of imaginary quadratic orders. For the same three discriminants used in the previous section, we select the prime ideal class I p with the largest order and use our algorithm to compute log Ip Ip x in the class group, for 5 dierent values of x with varying sizes. Again, we perform the discrete logarithm computation three times using the same three values of v as before. Table 5 shows the number of group multiplications and table look-ups, denoted by GM and T L; required for each computation and Table 6 gives the run times for each computation. v = v = 1=4 = v = 1=4 p x GM T L GM T L GM T L?4(10 10 + 1) 7 9679 411 75 319 85 500 41 19358 668 403 405 171 544 85 9037 744 479 491 57 586 17 38716 80 555 577 343 630 171 48395 896 631 665 431 674 15?4(10 15 + 1) 3 51491 90 655 4016 3 7984 11 10980 1433 911 404 49 7996 3 154469 1633 1111 4068 75 8010 37 05958 1835 1313 4094 101 80 49 57447 035 1513 410 17 8036 63?4(10 0 + 1) 7 3713943 8807 5543 8133 10499 146696 549 74478843 110865 78081 91733 0999 151946 10499 111371863 16507 99519 1033 31499 157196 15749 1484957683 17640 110849 11733 41999 16446 0999 1856197103 18773 1179 1333 5499 167696 649 Table 5: DL algorithm group multiplications and table look-ups p x v = v = 1=4 = v = 1=4?4(10 10 + 1) 7 9679 34 hsec 0 hsec 4 hsec 19358 53 hsec 8 hsec 8 hsec 9037 58 hsec 36 hsec 3 hsec 38716 66 hsec 45 hsec 37 hsec 48395 56 hsec 40 hsec 34 hsec?4(10 15 + 1) 3 51491 1 sec, 8 hsec 1 sec, 55 hsec 3 sec, 13 hsec 10980 1 sec, 80 hsec 1 sec, 51 hsec 3 sec, 9 hsec 154469 sec, 5 hsec 1 sec, 67 hsec sec, 73 hsec 05958 sec, 0 hsec 1 sec, 44 hsec sec, 63 hsec 57447 1 sec, 53 hsec 1 sec, 40 hsec 3 sec, hsec?4(10 0 + 1) 7 3713943 130 sec, 4 hsec 55 sec, 17 hsec 80 sec, 3 hsec 74478843 179 sec, 9 hsec 80 sec, 61 hsec 90 sec, 70 hsec 111371863 38 sec,34 hsec 101 sec, 31 hsec 106 sec, 19 hsec 1484957683 64 sec,40 hsec 17 sec, 83 hsec 113 sec, 6 hsec 1856197103 188 sec, 5 hsec 105 sec, 6 hsec 106 sec, 34 hsec Table 6: DL algorithm run times In the DL Algorithm, the advantages of our method in comparison with Shanks' method become even clearer. This is due to the fact that for log g d all values between 0 and jhgij are possible, and they are equally probable (this is, however, not the case in cryptographic circumstances). Assuming that jhgij is not known a priori, 1

Shanks' original algorithm still uses the upper bound of the group order, i.e., v = 1=4, which causes the algorithm to perform far too many baby steps. For =?4(10 10 + 1) and the prime ideal lying over 7; in which case the bound v = 1=4 is quite accurate, Shanks' algorithm is faster than our algorithm using v = 1=4 = for about half of the computed logarithms in our experiments. For all DL's smaller than half of the order of I 7, our algorithm using v = 1=4 = works better. The comparatively bad results for our algorithm using v = are due to the fact that in the DL Algorithm each giant step causes two group multiplications and two table look-ups, so that too many giant steps cause twice as much unnecessary work as in the Order Algorithm. Note that computing discrete logarithms of elements generated by I 7 represents the best case for Shanks' algorithm and the worst case for our algorithm because I 7 is the largest prime ideal. For =?4(10 15 + 1) and =?4(10 0 + 1), where the upper bounds of the group order are much larger than the orders of the largest prime ideals, our algorithm using v = 1=4 = works better for almost all possible logarithms. Thus, our experiments lead to similar conclusions to those related to Algorithm., namely that our algorithm works better when log g d is small compared to jhgij and when the upper bound on the order of the group is too large. 4 Computing the Structure of a Subgroup Given a generating system, i.e., a nite sequence S = (g 1 ; : : :; g l ), of a nite abelian group G that is given as described in the introduction, we want to nd the structure of G. By this we mean nding positive integers m 1 ; : : :; m k with m 1 > 1, m j jm j+1, 1 j < k, and an isomorphism : G?! Z=m 1 Z Z=m k Z: (5) This isomorphism will be given in terms of the images of the elements of the generating system S. The integers m i are the invariants of G. We describe our method. For ~z = (z 1 ; : : :; z l ) Z l we write S ~z = ly A relation on S is a vector ~z Z l such that S ~z = 1. The set L(S) of all relations on S is a lattice in Z l of dimension l, since it is the kernel of the surjective homomorphism Z l?! G; ~z 7! S ~z : Our approach will be to compute a basis B = ( ~ b 1 ; : : :; ~ b l ) of L(S). That basis is identied with a matrix of column vectors ~ b j = (b 1j ; : : :; b lj ) t. Then the order of G is j det Bj. Using standard techniques, e.g. [6], [4], we compute the Smith normal form N of B and a matrix U Z ll with det U 6 0 modjgj such that there exists V Z ll with det V 6 0 modjgj and N UBV modjgj. This means that we do not need to nd two unimodular transformations for the Smith normal form but only a left unimodular transformation mod G. Therefore, modular techniques for nding the Smith normal form can be applied. Let N be the diagonal matrix diag(1; : : :; 1; m 1 ; : : :; m k ) where m 1 > 1. Then m 1 ; : : :; m k are the invariants of G. To dene the map (5) delete in U all but the last k rows. Let ~u 1 ; : : :; ~u l be the column vectors of that new matrix, ~u j = (u 1j ; : : :; u kj ) t. Set g i z i : (g j ) = (u 1j modm 1 ; : : :; u kj mod m k ); 1 j l: 13

Then is the isomorphism we were looking for. We describe the computation of the basis B of the relation lattice L(S). The matrix B will be an upper triangular matrix with positive entries on the diagonal. Suppose that we have computed ~ b 1 ; : : :; ~ b j?1. We describe the computation of ~ b j. The diagonal entry b jj is the smallest positive integer such that g j b jj belongs to the subgroup of G generated by fg 1 ; : : :; g j?1 g. The problem of nding ~ b j is therefore similar to a discrete logarithm problem. Indeed, our solution is an extension of Algorithm 3.1. Instead of a single initial stepwidth v we now use a vector ~v = (v 1 ; : : :; v l ) N l of step-widths. Since there is a basis B with 0 b ij < b ii for 1 i < j l we can write b ij = q i B i + r i ; where B i = p b ii, 0 qi < B i, and 0 r i < B i. We also write b jj = y + r j ; where y = k v j q and 1 r j k v j with k and q as in Lemma.1. Set S i = (g 1 ; : : :; g i ); 1 i l: As in Algorithms. and 3.1 we proceed to nd the smallest value of y such that where S j?1 ~q ~B g j y = S j?~r ; (6) ~q = (q 1 ; : : :; q j?1 ); 0 q i < B i ; q i B i < b ii ; 1 i < j; (7) ~B = (B 1 ; : : :; B j?1 ), ~q ~ B denotes the component-wise multiplication, and Once y is found we have ~r = (r 1 ; : : :; r j ); 0 r i < B i ; 1 i < j; and 1 r j k v j : (8) where denotes the concatenation of vectors. ~ bj = ~q ~B (y) (0; : : :; 0) {z } l?j +~r (0; : : :; 0) {z } l?j To be able to check quickly whether (6) holds for a given y we use the sets n o ~q Q = (S ~B j?1 ; ~q) : ~q as in (7) and R = (S j ~r ; ~r) : ~r as in (8) : Just as in the order algorithm and the discrete logarithm algorithm we check whether b jj v j already during the rst computation of R, i.e., when k = 0 in (8). For this we use the set R 0 = (S j?1 ~r : 0 r i < B i ; 1 i < j : Moreover, before computing any element of R we check if b jj = 1. This is done separately, because in many cases the algorithm will compute the entire group structure with only a few generators, and all the others can be handled by this special case. For this check we use the set Q instead of R 0, since in general Q is considerably smaller than R 0. Here is the algorithm which determines the HNF-basis B for the relation lattice L(S). 14

Algorithm 4.1 This algorithm computes the HNF-basis for the lattice of relations on a generating system for a nite abelian group. Input: A generating system S = (g 1 ; : : :; g l ) of G, initial stepwidth ~v = (v 1 ; : : :; v l ) N l. Output: A basis B= ( ~ b 1 ; : : :; ~ b l ) of the lattice of relations on S in upper triangular form. (1) R 0 = f(1; ( ))g; Q = f(1; ( ))g; ~B = ( ) / initialization / () for (j = 1; : : :; l) do (3) s = 1; y = v j ; u = v j (4)?1 h = g j / a = g?i j ; b = g y j ; (5) v a = 1; b = g j j ; c = b c = g u j / (6) R = ; (7) for (all (e; ~q) Q) do / check whether g j is (8) d = e g j contained in current (9) if ( there is ~r such that (d; ~r) R 0 and q i + r i < b ii 8i = subgroup / 1; : : :; j? 1) then (10) ~ bj = ~q ~B (0) (0; : : :; 0) + ~r (1) (0; : : :; 0) (11) break for (1) (13) od (14) while (b jj == 0) do (15) for (i = s; : : :; u) do / new baby steps / (16) a = a h (17) if ( s == 1 and i > 1 ) then / check whether (18) for ( all (d; ~r) R 0 ) do 1 < b jj v j / (19) e = d a (0) if ( there is ~q such that (e; ~q) Q and q i + r i < b ii 8i = 1; : : :; j? 1 ) then (1) ~ bj = ~q ~B (0) (0; : : :; 0) + ~r (i) (0; : : :; 0) () break while (3) else (4) R = R [ f(e; ~r (i))g (5) (6) od (7) else (8) R = R [ f(d a; ~r (i)) : (d; ~r) R 0 g (9) (30) od 15

(31) while ((b jj == 0) ^ (y < u )) do / giant steps / (3) for (all (e; ~q) Q) do (33) d = e b (34) if ( there is ~r such that (d; ~r) R and q i + r i < b ii 8i = 1; : : :; j? 1 ) then (35) ~ bj = ~q B ~ (y) (0; : : :; 0) + ~r (0; : : :; 0) (36) break while (37) (38) od (39) y = y + u (40) b = b c (41) od (4) s = u + 1 / double step width / (43) u = u (44) c = c (45) od (46) if (j 6= l) then (47) B j = b jj (48) ~B = ~B (B j ) (49) R 0 = f(d; ~r (0)) : (d; ~r) R 0 g [ f(d; ~r) R : 1 r j < B j g (50) Q = f(e; ~q (0)) : q (e; ~q) Qg [ f(e g j B j j ; ~q (q j )) : (e; ~q) Q; 1 q j < B j ; q j B j < b jj g (51) (5) od (53) B = ( ~ b 1 ; : : :; ~ b l ) (54) return (B) / compute new R 0 and Q / We implemented our algorithm using the LiDIA system [7] to compute, once again, in ideal class groups of imaginary quadratic orders. During the course of the implementation, we found that the sets R 0 ; R; and Q are most eciently stored as indexed hash tables, since the algorithm requires traversing the tables in addition to fast searching. Using this data structure also allows one to maintain R 0 and R in one table. In the interest of saving storage, the exponent vectors in these tables are encoded into single integers. For simplicity, we analyze the complexity of Algorithm 4.1 only with initial stepwidth ~v = (; : : :; ). We need the following lemma. Lemma 4. Let m 1 ; : : :; m l N and e = jfm j jm j > 1gj. Then we have ly pmj e Equality holds if and only if m j = for all m j with m j > 1. ly p mj : Proof: Let m N. If m = 1, d p m e = p m. If m =, d p m e = p p m. If 3 m 5, d p m e < p p m. If m 6, 1 < p 6( p? 1) p m( p? 1), thus d p m e < p m + 1 < p p m. Hence, d p m e p p m for all m, with equality if and only if m =. From this our claim follows. 16

Theorem 4.3 Let ~v = (v 1 ; : : :; v l ) with v 1 = = v l =. Algorithm 4.1 executes l inversions and at most l(s) (l + 5) p jgj + 4l(S) p jgj + log jgj multiplications in G, where l denotes the number of generators and l(s) denotes the number of the b jj that are larger than 1. It uses two tables of at most l(s) p jgj and l(s) +1p jgj pairs (e; ~q) G f0; : : :; jgjg l : The total number of table look-ups is bounded by l(s) (l + l(s) + ) p jgj. Proof: Algorithm 4.1 performs l outer loops to compute the column vectors ~ b 1 ; : : :; ~ b l. We rst estimate the sizes of the sets Q, R and R 0 for each of these outer loops, and how many group operations are needed to build up these sets. Let Q j, R j and R 0 denote the sets Q, R and j R0 after the j-th loop. We have where B j = p b jj. Thus jqj j Q j B i. Writing we get that jq j j T for all j. It takes at most jq 0 j = 1 and jq j j jq j?1 j B j ; T = ly j?1 jq j?1 j (B j? 1) (B j? 1) B i ; (9) multiplications to compute Q j given Q j?1. The maximum number M Q of multiplications to compute all the sets Q 1 ; : : :; Q l?1 can be estimated as follows:! Xl?1 j?1 Y l?1 j?1 X jy Y (B j? 1) B i = B i? B i M Q = l?1 Y Y B i B j? 1 T? 1: In considering R j, we use the arguments of the proof of Theorem.3, with initial stepwidth v =. At the end of the j-th loop, the set R (= R j ) consists of (at most) p j jr 0 j?1 j pairs (d g j i ; ~r) with d R 0 j?1 and 1 i p j, where p j = 0 if b jj = 1, p j = 1 if b jj =, p j = if < b jj 4, and p j p b jj? if < p b jj. So we have p j B j? in all cases. Hence jr j j (B j? )jr 0 j?1j: Moreover, the algorithm performs at most B j? multiplications a = ah (step (16)), so that the maximum number of multiplications needed to compute R j given R 0 j?1 can be estimated by (B j? )jr 0 j?1j + B j?. From the way in which jr 0 j is built up, we see that jr 0 jj = jr 0 j?1j + (B j? 1)jR 0 j?1j = B j jr 0 j?1j; where jr 0 0j = 1. Thus, jr 0 j j = jy B i ; j = 1; : : :; l? 1; (10) 17

and Y j?1 jr j j (B j? 1) B i ; j = 1; : : :; l; so that we always have jr 0 j T and jrj T. Therefore, the algorithm requires space for at most 4T pairs (e; ~q) G f0; : : :; jgjg l to store Q, R and R 0. Let E = fg j : j f1; : : :; lg; b jj g ; = fg j : j f1; : : :; lg; G j?1 6= G j g ; where G j = hg 1 ; : : :; g j i, 0 j l. Let l(s) = jej. Then the maximum number M R of multiplications required to compute all the sets R j satises M R = 4 X l 4 Y l T? + Y j?1 (B j? 1) B j? 1 + lx g j E lx b jj B i + lx (B j? 1) (B j? 1) 3 5 3 5 T? + l(s) p jgj: Next, let us consider the remaining group multiplications and table look-ups in the l outer loops. It takes l inversions and l multiplications to compute g j?1 and g j at the beginning of each outer loop. To check whether b jj = 1, i.e., whether g j is contained in the subgroup generated by g 1 ; : : :; g j?1, the algorithm checks for at most jqj elements e whether (e g j ; ~r) R 0 for some ~r. In total, this requires at most l jqj l T multiplications and table look-ups. We only have iterations of the outer while loops ((14) - (45)) if g j E. To check whether 1 < b jj (= v j ), the algorithm checks for at most jr 0 j elements d whether (dg j?b jj ; ~q) Q for some ~q. This requires at most jr 0 j (b jj?1)t = T table look-ups for each g j E, so altogether at most l(s) T table look-ups (the multiplications have already been considered above). We only have further p computations in the j-th outer loop if < b jj. In this case, we have to distinguish between the cases b jj and < p b jj. If p b jj, i.e., b jj = 3 or 4, then b jj is found during the rst iteration of the outer while loop. We conclude from the proof of Theorem.3 that it takes at most (B j? 1)jQ j?1 j = jq j?1 j table look-ups and multiplications to check whether some element (e b; ~r) is in R (steps (33)/(34)), and it requires at most p B j? (= 0) multiplications b = bc (step (40)), plus one additional multiplication in step (44). If < b jj, we have in total k j = + 1 = dlog b jj e log b jj iterations of the outer while loop, which means in all dlog b jj e multiplications for squaring c in step (44). We use the results of the proof of Theorem.3 to see that in the inner while loops ((31) - (41)), the algorithm performs at most (B j? 3)jQ j?1 j table look-ups and multiplications in steps (33)/(34) and at most B j? 4 multiplications in step (40). Combining the results of the cases p b jj and p b jj, we get that for each g j E the algorithm performs at most (B j? 3)jQ j?1 j 18

table look-ups in the inner while loops and at most (B j? 3)jQ j?1 j + B j? 4 + dlog b jj e group multiplications in the inner while loops and step (44). The maximum total number of table look-ups in the inner while loops, T L I ; can be estimated by T L I lx (B j? 3)jQ j?1 j lx lx 0 Y @ l (B j? 1)jQ j?1 j (B j? 1) j?1 Y 1 B i ; B j? 1A T? : For the maximum total number of multiplications in the inner while loops, M I ; we get M I T? + lx (B j? 1)? l + lx dlog b jj e T + l(s) p jgj + log jgj + l(s)? l? ; where we use that P l dlog b jje log Q l b jj + l(s) = log jgj + l(s). p Summing up, Algorithm 4.1 performs l inversions, at most (l+5)t +4l(S) jgj+log jgj group multiplications, and at most (l+l(s)+)t? table look-ups. It requires space for at most 4T pairs (e; ~q) Gf0; : : :; jgjg l. Since T l(s) p jgj (see Lemma 4.), this completes the proof. To get reasonable lower bounds for the total number of group multiplications and table look-ups we should treat many dierent distributions and orders of fb 11 ; : : :; b ll g separately. So we just give lower bounds for the sizes of Q, R and R 0, and the number of group multiplications required to compute these sets. This is done in the proof of the following theorem. Theorem 4.4 Let ~v = (; : : :; ) in Algorithm 4.1. Then the number of group multiplications and the table sizes are 0 Y @ l lp bjj where b 11 ; : : :; b ll denote the diagonal elements of the basis B computed by the algorithm. m 1 A ; Proof: loop. Just as in the previous proof, let Q j, R j and R 0 j denote the sets Q, R and R 0 after the j-th outer From the way Q is built Q up we get that jq j j = jq j?1 j if b jj = 1, and jq j j jq j?1 j(b j? 1) if B j > 1 (i.e., j if g j E). Thus jq j j (B i? 1), so at the end of the algorithm we have g i E jqj l?1 Y g j E (B j? 1) = : L; 19

and it takes at least L? 1 multiplications to compute all the sets Q 1 ; : : :; Q l?1. This lower bound is sharp: If b jj for all j, then Q = f(1;~0)g at the end of the algorithm. From the way R is built up and from Theorem.3 we see that jr j j = 0 if b jj = 1, jr j j jr 0 j?1 j if b jj =, and jr j j B j jr 0 j?1 j if b jj 3. With (10) it follows that jr j j 1 Let p = maxfj f1; : : :; lg : g j Eg. Then jr p j 1= T, and it takes at least 1= T multiplications to compute R p, with T as in (9). It also follows from (10) that at the end of the algorithm we have that jr 0 j = T=B l. (Especially, jr 0 j = T if g l 6 E. ) This proves the theorem. jy g j E B i : Corollary 4.5 Let G = (Z=Z) k. Then Algorithm 4.1 is of complexity (jgj). Proof: Let S be a generating sequence of G. Let l = jsj. Then for the diagonal elements b jj computed by the algorithm we necessarily have k times b jj = and l? k times b jj = 1. Since k = log jgj, the assertion follows by Lemma 4. together with Theorem 4.4. Let us further comment on the factor l(s), which appears in Theorem 4.3. We conclude from Theorem 4.4 that the more cyclic subgroups G has and the smaller they are, the larger R and R 0 (and Q) are, and thus the storage required and the number of group multiplications increases. However, this eect only depends on the structure of the type of groups we are dealing with. In the case of ideal class groups of imaginary quadratic elds, where we expect small ranks [5], we can say that the worst case does not occur very frequently, especially for large discriminants. Theoretically there is another possibility to have a disturbingly large exponent l(s) even if G is cyclic or consists of very large cyclic subgroups, namely if many generators are needed to build up each cyclic factor. To estimate the damage caused by these eects, we did the following experiments. For n = 3; 4; : : :; 10 we took the rst 1000 discriminants smaller than 10 n. For each of these discriminants, we took the ten prime ideal classes of smallest norm in the corresponding imaginary quadratic order and used our algorithm to compute the subgroup generated by these classes. We measured the sizes of Q and R 0 and counted the number l(s) of prime ideal classes actually used in the algorithm to compute the subgroup. In Table 7 we compare jqj and jr 0 j with jgj and p jgj, and in Table 8 we compare l(s) with the number of cyclic factors of jgj, which is the minimum number of generators needed to compute jgj. Table 7 shows that usually the sets Q and R 0 do not blow up to the entire group size but contain less than p jgj pairs (g; ~q) in average. Only for discriminants with absolute value smaller than 10 5 it occurred that jr 0 j jgj. Due to the way Q is built up by Algorithm 4.1, the set Q always contains considerably fewer elements than R 0. Table 8 shows that in more than half of all our experiments the algorithm actually uses no more generators than theoretically necessary. Also in the remaining cases, l(s) is always very small, as expected from the results of Cohen and Lenstra [5]. In Tables 9 and 10 we give some examples of subgroups computed with our algorithm. For each discriminant, we compute the group G generated by the classes of the 10 prime ideals of smallest norms in the order. As before, GM is the number of group multiplications required and T L is the number of table look-ups. We used ~v = (; : : :; ) as an initial step width in all cases. 0

jqj=jgj jr 0 j=jgj p jqj= jgj p jr 0 j= jgj n max ave max ave max ave max ave 3 0.50000 0.1871 1.00000 0.4068 1.30931 0.74079 5.65685 1.67457 4 0.44444 0.11417 1.00000 0.8418 1.33333 0.71759 5.65685 1.74131 5 0.19048 0.06389 0.66667 0.16840 1.5988 0.69884 5.36656 1.80439 6 0.13187 0.03534 0.66667 0.0973 1.35710 0.6840 9.3760 1.8396 7 0.0608 0.0193 0.6667 0.05590 1.34739 0.66498 7.1554 1.89770 8 0.03896 0.01055 0.16000 0.0305 1.6179 0.6454 9.05097 1.9333 9 0.01755 0.00581 0.0931 0.01835 1.31979 0.6394 8.41976 1.9636 10 0.01094 0.00317 0.0544 0.01059 1.1593 0.61567 8.1715.0498 Table 7: Subgroup algorithm size of R 0 and Q relative to jgj and jgj 1= l(s) - number of cyclic factors n 0 1 3 3 549 43 8 0 4 50 4 58 0 5 505 415 77 3 6 55 385 84 6 7 505 40 86 7 8 537 380 77 6 9 55 373 66 9 10 536 384 75 5 Table 8: Subgroup algorithm worst case data G GM T L time?(10 + 3) [5] 50 14 3 hsec?(10 3 + 3) [4] 44 13 4 hsec?(10 4 + 3) [1] 59 17 5 hsec?(10 5 + 3) [39] 9 31 6 hsec?(10 6 + 3) [105] 1 51 8 hsec?(10 7 + 3) [706] 33 149 0 hsec?(10 8 + 3) [170] 41 196 8 hsec?(10 9 + 3) [1840, ] 595 45 40 hsec?(10 10 + 3) [10538] 1038 369 73 hsec?(10 11 + 3) [31057] 13 1067 1 sec, 60 hsec?(10 1 + 3) [684, ] 33 1989 sec, 56 hsec?(10 13 + 3) [1464,, ] 5794 464 4 sec, 5 hsec?(10 14 + 3) [356368,, ] 933 3751 7 sec, 53 hsec?(10 15 + 3) [3996] 3564 1318 18 sec, 41 hsec?(10 16 + 3) [18435] 3749 16409 30 sec, 36 hsec?(10 17 + 3) [3854599] 67130 9484 1 min, 0 sec, 1 hsec?(10 18 + 3) [10764373] 103039 54913 1 min, 30 sec, 6 hsec?(10 19 + 3) [7845040,,, ] 149197 83049 3 min, 39 sec, 47 hsec?(10 0 + 3) [7116671, ] 34343 10837 6 min, 13 sec, 87 hsec Table 9: Subgroup algorithm sample run times 1

G GM T L time?4(10 + 1) [14] 63 18 3 hsec?4(10 3 + 1) [10,, ] 87 30 4 hsec?4(10 4 + 1) [40, 4] 140 58 6 hsec?4(10 5 + 1) [30, ] 3 91 10 hsec?4(10 6 + 1) [516, ] 319 114 13 hsec?4(10 7 + 1) [1446, ] 598 43 6 hsec?4(10 8 + 1) [4104, 4] 13 640 71 hsec?4(10 9 + 1) [560,,,, ] 1509 385 80 hsec?4(10 10 + 1) [48396,, ] 3388 16 1 sec, 93 hsec?4(10 11 + 1) [5677,,, ] 4891 660 sec, 54 hsec?4(10 1 + 1) [117360, 4, ] 6680 333 3 sec, 76 hsec?4(10 13 + 1) [748,, ] 1037 433 7 sec, 11 hsec?4(10 14 + 1) [1159048, 4,, ] 7615 1179 16 sec, 91 hsec?4(10 15 + 1) [57448, 4,,,,, ] 57387 013 36 sec, 58 hsec?4(10 16 + 1) [11809616,,,, ] 1007 645 1 min, 11 sec, 94 hsec?4(10 17 + 1) [46854696,,, ] 134990 65584 1 min, 8 sec, 1 hsec?4(10 18 + 1) [64135076,, ] 334 94688 min, 40 sec, 54 hsec?4(10 19 + 1) [1649441906, ] 5716 36334 6 min, 33 sec, 53 hsec?4(10 0 + 1) [1856197104,,, ] 97916 3800 15 min, 39 sec, 46 hsec Table 10: Subgroup algorithm sample run times References [1] I. Biehl and J. Buchmann, Algorithms for quadratic orders, Proceedings of Symposium on Mathematics of Computation, 1993. [] J. Buchmann and S. Paulus, Algorithms for nite abelian groups, Extended abstract. To be published in the proceedings of NTAMCS 93. [3] D.A. Buell, Binary quadratic forms: classical theory and modern computations, Springer-Verlag, New York, 1989. [4] H. Cohen, A course in computational algebraic number theory, Springer-Verlag, Berlin, 1993. [5] H. Cohen and H.W. Lenstra, Jr., Heuristics on class groups of number elds, Number Theory, Lecture notes in Math., vol. 1068, Springer-Verlag, New York, 1983, pp. 33{6. [6] P.D. Domich, Residual Hermite normal form computations, ACM Transactions on Mathematical Software 15 (1989), no. 3, 75{86. [7] J. Buchmann I. Biehl and T. Papanikolaou, LiDIA - a library for computational number theory, The LiDIA Group, Universitat des Saarlandes, Saarbrucken, Germany, 1995. [8] A.K. Lenstra and H.W. Lenstra, Jr., Algorithms in number theory, Handbook of theoretical computer science (J. van Leeuwen, ed.), Elsevier Science Publishers, 1990, pp. 673{715. [9] S. Paulus, Algorithmen fur endliche abelsche Gruppen, Master's thesis, Universitat des Saarlandes, Saarbrucken, Germany, 199. [10] D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 0, AMS, Providence, R.I., 1971, pp. 415{440.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback