## STRUCTURE COMPUTATION AND DISCRETE LOGARITHMS IN FINITE ABELIAN p-GROUPS

### BibTeX

@MISC{Sutherland_structurecomputation,
    author = {Andrew V. Sutherland},
    title = {STRUCTURE COMPUTATION AND DISCRETE LOGARITHMS IN FINITE ABELIAN p-GROUPS},
    year = {}
}

### Abstract

We present a generic algorithm for computing discrete logarithms in a finite abelian p-group H, improving the Pohlig–Hellman algorithm and its generalization to noncyclic groups by Teske. We then give a direct method to compute a basis for H without using a relation matrix. The problem of computing a basis for some or all of the Sylow p-subgroups of an arbitrary finite abelian group G is addressed, yielding a Monte Carlo algorithm to compute the structure of G using O(|G|^{1/2}) group operations. These results also improve generic algorithms for extracting pth roots in G.

### Citations

2724 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
Citation Context ... = O(lg n), we can perform w exponentiations of a common base with n-bit exponents using just O(n) multiplications, the same bound as when w = 1. There are several algorithms that achieve Yao’s bound [5, 6, 12, 14, 16], and they typically require storage for O(n / lg n) group elements. Consider the execution of Algorithm 1 computing DL(α, β) = DL(0, m, β). It will be convenient to label the levels of the recursion tree w...

987 | A Course in Computational Algebraic Number Theory
- Cohen
- 1996
Citation Context ...tate precomputation, an important practical optimization in applications that rely heavily on discrete logarithms [4, 27]. We will need to compute discrete logarithms in various subgroups of the form (11) G(j, k) = {β^{p^j} : β^{p^k} = 1_G, β ∈ G}, for nonnegative integers j < k. The subgroup G(j, k) consists of all p^j th powers of order at most p^{k−j} and corresponds to columns j + 1 through k in the diagram of G. I...

329 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978
Citation Context ...ny finite abelian group using O(|G|^{1/2}) group operations [7, 26, 28]. However, when the exponent of the group is not prime, we can do better. This was proven for cyclic groups by Pohlig and Hellman [19] and later generalized by Teske [30]. The Pohlig–Hellman approach relies on computing discrete logarithms in subgroups of the given group. The reduction to subgroups of prime-power order is straight...

250 | Monte Carlo Methods for Index Computation (mod p
- Pollard
- 1978
Citation Context ...f the word “logarithm”, we write groups multiplicatively. [Footnote 2: The exponent of G is the least positive integer n for which α^n = 1_G for all α ∈ G.] [©2010 by the author] rho method [20, 29]. Both algorithms can be generalized to compute discrete logarithms in any finite abelian group using O(|G|^{1/2}) group operations [7, 26, 28]. However, when the exponent of the group is not prime, we...

233 | Lower Bounds for Discrete Logarithms and Related Problems
- Shoup
- 1997
Citation Context ...ments, with each group element arbitrarily assigned a unique identifier. We are interested in constructive applications of the discrete logarithm, but let us first recall the negative result of Shoup [24]. Any generic algorithm to compute discrete logarithms in a finite abelian group G with prime exponent uses Ω(|G|^{1/2}) group operations. A matching upper bound is achieved, for cyclic groups, by Sh...

170 | A Survey of Fast Exponentiation Methods
- Gordon
- 1988
Citation Context ... = O(lg n), we can perform w exponentiations of a common base with n-bit exponents using just O(n) multiplications, the same bound as when w = 1. There are several algorithms that achieve Yao’s bound [5, 6, 12, 14, 16], and they typically require storage for O(n / lg n) group elements. Consider the execution of Algorithm 1 computing DL(α, β) = DL(0, m, β). It will be convenient to label the levels of the recursion tree w...

72 | Fast exponentiation with precomputation
- Brickell, Gordon, et al.
- 1993
Citation Context ... = O(lg n), we can perform w exponentiations of a common base with n-bit exponents using just O(n) multiplications, the same bound as when w = 1. There are several algorithms that achieve Yao’s bound [5, 6, 12, 14, 16], and they typically require storage for O(n / lg n) group elements. Consider the execution of Algorithm 1 computing DL(α, β) = DL(0, m, β). It will be convenient to label the levels of the recursion tree w...

41 | A polynomial-time theory of black box groups I
- Babai, Beals
- 1999
Citation Context ...allowing us to extend our [Footnote 11: We have subexponential-time probabilistic algorithms for factoring versus exponential lower bounds for computing the group exponent with a probabilistic generic algorithm [3]. Most deterministic factoring algorithms are already faster than the Ω(N^{1/3}) lower bound of [26, Thm. 2.3].] complexity bounds for abelian p-groups to the general case. The b...

36 | On taking roots in finite fields
- Adleman, Manders, et al.
- 1977
Citation Context ...n) [25, §11.2.3], and here we achieve an O(n lg n / lg lg n) bound for arbitrary finite abelian groups when p and r are suitably bounded. More generally, Algorithm 1 computes DL(α, β) using (2) T_DL(G) = O( (lg(m + 1) / lg lg(m + 2)) lg|G| + (log_p|G| / r) p^{r/2} ) group operations, improving the dependence on m in both terms of (1). Discrete logarithms may be applied to compute the structure of a finite abelian g...

28 | Discrete logarithms: the past and the future
- Odlyzko
Citation Context ...ng group structure [7, 8, 26, 28, 30]. On the other hand, a wide range of cryptographic applications depend on the essential difficulty of computing discrete logarithms in the worst case (see [15] or [17] for a survey). Typically, the discrete logarithm is defined in the context of a cyclic group: for any β ∈ ⟨α⟩ there is a unique nonnegative integer x < |α| for which β = α^x. More generally, given α = (α1...

24 | On some computational problems in finite abelian groups
- Buchmann, Jacobson, et al.
- 1997
Citation Context ... a constructive tool, discrete logarithms are the key ingredient in generic algorithms for extracting roots (including square roots in finite fields) [2, 23, 27, 31] and for computing group structure [7, 8, 26, 28, 30]. On the other hand, a wide range of cryptographic applications depend on the essential difficulty of computing discrete logarithms in the worst case (see [15] or [17] for a survey). Typically, the di...

20 | Calculating the order of an invertible matrix
- Celler, Leedham-Green
- 1995
Citation Context ...oup operations, assuming Algorithms 5.1 and 5.2 of [26] are used for order computations. The corollary then follows from (ii) of Proposition 4. □ □ [Footnote 12: Algorithm 7.3 is due to Celler and Leedham-Green [10].] If we are given a generating set S with |S| = O(|G|^{1/2−ε}), we may apply Lemma 6 to obtain an analogous corollary. The space required by the algorit...

20 | Bemerkung über die Auflösung quadratischer Congruenzen. Göttinger Nachrichten
- Tonelli
Citation Context ...plays two opposing roles in group computations. As a constructive tool, discrete logarithms are the key ingredient in generic algorithms for extracting roots (including square roots in finite fields) [2, 23, 27, 31] and for computing group structure [7, 8, 26, 28, 30]. On the other hand, a wide range of cryptographic applications depend on the essential difficulty of computing discrete logarithms in the worst ca...

17 | A space efficient algorithm for group structure computation
- Teske
- 1998
Citation Context ... a constructive tool, discrete logarithms are the key ingredient in generic algorithms for extracting roots (including square roots in finite fields) [2, 23, 27, 31] and for computing group structure [7, 8, 26, 28, 30]. On the other hand, a wide range of cryptographic applications depend on the essential difficulty of computing discrete logarithms in the worst case (see [15] or [17] for a survey). Typically, the di...

16 | Binary quadratic forms. An algorithmic approach
- Buchmann, Vollmer
- 2007
Citation Context ...irst suppose that G is a p-group and then give a reduction for the general case in Section 5. Typically, a basis is derived from a matrix of relations among elements of a generating set for the group [7, 8, 9, 28]. This generating set may be given, or obtained (with high probability) from a random sample. One then computes the Smith normal form of the relation matrix [11, §2.4], applying corresponding group op...

12 | Computing the structure of a finite abelian group
- Buchmann, Schmidt
Citation Context ... a constructive tool, discrete logarithms are the key ingredient in generic algorithms for extracting roots (including square roots in finite fields) [2, 23, 27, 31] and for computing group structure [7, 8, 26, 28, 30]. On the other hand, a wide range of cryptographic applications depend on the essential difficulty of computing discrete logarithms in the worst case (see [15] or [17] for a survey). Typically, the di...

12 | On the evaluation of powers and related problems (preliminary version
- Pippenger
Citation Context ... an absolute bound on the running time of Algorithm 1. An asymptotic bound appears in the corollary that follows. [Footnote 6: Pippenger gives a better bound for large w, but not necessarily an online algorithm [5, 18].] [Footnote 7: As E → ∞ the constant c can be made arbitrarily close to 1.] Proposition 1. Let α = (α_1, ..., α_r) be a basis for a finite abelian p-group G with rank r and exponent p^m. Set n_i = l...

10 | Faster square roots in annoying finite fields
- Bernstein
Citation Context ...0) G[p^k] = {β : β^{p^k} = 1_G, β ∈ G}. A basis δ for G[p^k] is given by δ_i = α_i^{q_i}, where q_i = p^{max(0, n_i − k)}. The diagram of G[p^k] corresponds to the k leftmost columns of the diagram of G. In our example, π(G[4]) = (2, 2, 1). If we now let v = DL(δ, βα^{−u}), then z = qv and x = qv + u, as desired. In our example we have q = (8, 2, 1) and v = (1, 2, 1) yielding (13, 5, 1) = (8, 2, 1)(1, 2, 1) + (5, 1, 0). This eq...

9 | Order Computations in Generic Groups
- Sutherland
- 2007

7 | The discrete logarithm problem, Cryptography and Computational Number Theory
- McCurley
- 1990
Citation Context ... computing group structure [7, 8, 26, 28, 30]. On the other hand, a wide range of cryptographic applications depend on the essential difficulty of computing discrete logarithms in the worst case (see [15] or [17] for a survey). Typically, the discrete logarithm is defined in the context of a cyclic group: for any β ∈ ⟨α⟩ there is a unique nonnegative integer x < |α| for which β = α^x. More generally, give...

5 | The probability of generating some common families of finite groups
- Acciaro
- 1996
Citation Context ...rd, hence we focus primarily on abelian p-groups. If α is a basis for a finite abelian group G of exponent p^m and rank r, Teske’s generalization of the Pohlig–Hellman algorithm computes DL(α, β) using (1) T_DL(G) = O(m lg|G| + m p^{r/2}) group operations [30, Thm. 6.1]. When m = 1 this reduces to the O(|G|^{1/2}) upper bound mentioned above. If p and r are small (when computing square roots in finite f...

5 | More flexible exponentiation with precomputation
- Hoon Lim, Pil Joong Lee

5 | The expected number of random elements to generate a finite abelian group
- Pomerance
Citation Context ...ng the O(|S||G|^{1/2}) result of Buchmann and Schmidt [8]. The bound in (3) is minimized when |S| ≈ r. If we pick a random subset S ⊂ G, of size r + O(1), then S generates G with very high probability [21]. When combined with an algorithm to compute the group exponent, this yields a generic Monte Carlo algorithm to compute the structure of an arbitrary finite abelian group using O(|G|^{1/2}) operations....

4 | a theory of factorization and genera, Analytic Number Theory
- Shanks, number
- 1971
Citation Context ...screte logarithms in a finite abelian group G with prime exponent uses Ω(|G|^{1/2}) group operations. A matching upper bound is achieved, for cyclic groups, by Shanks’ baby-step giant-step algorithm [22] and (probabilistically) by Pollard’s [Page footer: Received by the editor September 19, 2008 and, in revised form, July 27, 2009 and August 29, 2009. 2010 Mathematics Subject Classification. Primary 11Y16; Seconda...]

2 | The Art of Computer Programming, Volume IV, Fascicle 2: Generating all Tuples and Permutations
- Knuth
- 2005
Citation Context [Table rows: ...1 197518; 256 1268 1021 833 760 2065 328839; 512 2718 2165 1770 1607 3760 395187; 1024 5949 3931 3755 4601 5745 657965. Table 1. Group operations to compute DL(α, β) in G ≅ (Z/2^{n/r} Z)^r.] a Gray code [13] when enumerating steps, always using one group operation per step (this is especially useful for small p, saving up to a factor of 2). A more significant optimization available with Shanks’ method is...

1 | The art of computer programming, vol. IV, fascicle 2: Generating all tuples and permutations
- Knuth
- 2005
Citation Context [Table rows: ...89 76 94 669 97936; 64 261 204 172 194 853 163750; 128 591 455 380 370 1501 197518; 256 1268 1021 833 760 2065 328839; 512 2718 2165 1770 1607 3760 395187; 1024 5949 3931 3755 4601 5745 657965.] a Gray code [13] when enumerating steps, always using one group operation per step (this is especially useful for small p, saving up to a factor of 2). A more significant optimization available with Shanks’ method is...