1. No category

6.11 The Smith Normal Form

235
6.11. THE SMITH NORMAL FORM
6.11
The Smith Normal Form
Over a field K, for any matrix A ∈ K m×n , there exists invertible matrices U ∈
GLm (K) and V ∈ GLn (K) such that U AV is of the form
!
Ir 0
0 0
∈ K m×n
with r = rank A.
It classifies matrices up to rank and size, and is sometimes called rank canonical
form.
If one replaces the field K by a ring R, one can naturally ask what kind of
equivalence relation one obtains when allowing multiplication by invertible matrices
from both sides. It turns out that in the case of principal ideal domains, one obtains
diagonal matrices as in the field case. But the diagonal entries are not just 1’s and
0’s, but are ring elements d1 , . . . , dmin{n,m} with d1 | d2 | · · · | dmin{n,m} , which are
determined by A up to units in R. This can be seen as the natural extension of the
field case, where “up to unit”, every field element is either 0 or 1, and 1 | 1, 1 | 0
and 0 | 0.
This normal form for R = Z was first described by Henry J. S. Smith [Smi61].
While it is not very complicated to find an algorithm for computing the so-called
Smith Normal Form, it is challenging to compute it efficiently. In this section, we
rely on another algorithm by A. Storjohann which is rather simple to implement
and which yields good results. The algorithm was first described in [Sto96a].
Let us begin by officially defining the Smith Normal Form. We will define it for
integers assume that all entries are non-negative to make it unique; in general rings,
one can define it analogously by enforcing LU(di ) = 1.
Definition 6.11.1. Let A = (aij )ij ∈ Zm×n . We say that A is in Smith Normal
Form if aij = 0 for i 6= j, if a11 | a22 | · · · | akk with k = min{n, m}, and if aii ≥ 0
for all i.
Theorem 6.11.2 (Smith [Smi61]). For every A ∈ Zm×n there exist U ∈ GLm (Z)
and V ∈ GLn (Z) such that U AV is in Smith Normal Form. Moreover, if U 0 ∈
GLm (Z) and V 0 ∈ GLn (Z) such that U 0 AV 0 is also in Smith Normal Form, then
U AV = U 0 AV 0 .
A (constructive) proof of the existence can be found in [Fon11, Satz 2.11.12]. In
fact, this construction works over any principal ideal domain. In the next chapter
we will see how the Smith Normal Form can be used to describe the structure of a
finite abelian group (also compare [Fon11, Abschnitt 2.11]).
Here, we want to cite the following result by Storjohann:
Theorem 6.11.3 (Storjohann; Theorem 10 of [Sto96a]). There exists a deterministic algorithm which, given A ∈ Zn×m , computes the rank of A together with a Smith
normal form in Õ(nmr3 log3 kAk∞ ) basic b-operations.
We abstain from describing the algorithm in pseudo-code, but instead present a
Python implementation. It relies on a implementation of Algorithm 6.15 and the
HNF Algorithm 6.19 of the previous section, which we assume are provided in the
module hnf.py as follows:
1
2
def Algorithm_6_15 (R , a , bi , N ) :
""" Implements Algorithm 6.15. We are given :
236
CHAPTER 6. LINEAR ALGEBRA
R:
an rings . Integers () object ;
a:
integer ;
bi :
list of integers ;
N:
positive integer ( > 1) .
Returns ci , list of integers , such that
gcd (a , bi [0] , ... , bi [n -1] , N )
= gcd ( a + \ sum_ { i =0}ˆ{ n -1} ci [ i ] * bi [ i ] , N ) . """
3
4
5
6
7
8
9
10
...
11
12
13
14
15
16
17
def HNF ( A ) :
""" Computes the Hermite Normal Form of A together with a
transformation matrix U such that U * A is the returned
Hermite Normal Form . Returns U , U *A , and the rank
profile of A . """
...
The Smith Normal Form computation has two subroutines, one for Phase A and
one for Phase B. Transformation matrices are computed on the fly.
Phase A We begin with Smith_Theorem5(). As input, it takes an upper triangular
matrix A = (aij )ij ∈ Zn×m together with an index i (called col) such that:
• the first i − 1 columns of A are in Smith Normal Form;
• the first i columns of A have rank i, i.e. ajj 6= 0 for 1 ≤ j ≤ i;
• the elements akj , 1 ≤ k < i, i < j ≤ m are in the range [0, akk ).
This function modifies the matrix such that the conditions hold for i + 1 (except
possibly ai+1,i+1 6= 0). Assume that A has the following form:

a11



A=


..
0
t1
..
.
.
ai−1,i−1 ti−1
aii
∗ ···
..
.
..
.
∗ ···

∗
.. 
.

.
.. 


.
∗
In the first step (Lemma 6), the matrix will be modified such that gcd(ajj , tj ) =
gcd(ajj , tj , . . . , ti−1 , aii ). After that, we will iteratively apply Lemma 7, which in
the first step will ensure that a11 divides all ajj , 1 ≤ j ≤ i and tj , 1 ≤ j < i.
Afterwards, Lemma 7 is applied to the (n − 1) × (m − 1) submatrix starting at (2, 2).
Eventually, it will be made sure that aii > 0 and that the elements in row i are
reduced modulo aii .
Listing 6.1: Smith Normal Form Computation 1/3
1
2
3
import matrix
import rings
import hnf
4
5
6
7
8
9
def Smith_Theorem5 (A , U , V , col ) :
n = A . rows ()
m = A . cols ()
R = A . coefficientRing ()
# Lemma 6:
6.11. THE SMITH NORMAL FORM
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
237
for i in xrange ( col - 1 , -1 , -1) :
# Compute ci [0] such that
# GCD ( A [i , col ] + ci [0] * A [ i + 1 , col ] , A [i , i ])
# equals GCD ( A [i , col ] , A [ i + 1 , col ] , A [i , i ]) .
ci = hnf . Algorithm_6_15 (R , A [i , col ] , [ A [ i +1 , col ]] ,
A [i , i ])
# Add ci [0] times the ( i +1) - th row to the i - th row
for j in xrange ( m ) :
A [i , j ] = A [i , j ] + ci [0] * A [ i + 1 , j ]
for j in xrange ( n ) :
U [i , j ] = U [i , j ] + ci [0] * U [ i + 1 , j ]
# Reduce i - th row modulo A [i , i ]
for j in xrange ( i + 1 , m ) :
d , r = divmod ( A [i , j ] , A [i , i ])
if d != 0:
# Subtract d times the i - th column
# from the j - th column
A [i , j ] = r
for k in xrange ( m ) :
V [k , j ] = V [k , j ] - d * V [k , i ]
# Lemma 7
for j in xrange ( col ) :
# Apply lemma 7 to submatrix starting at (j , j )
s1 , s , t = R . extendedGCD ( A [j , j ] , A [j , col ])
ss = -A [j , col ] / s1
tt = A [j , j ] / s1
# Transform columns j and col by a 2 x2 matrix
A [j , j ] = s1
A [j , col ] = 0
for i in xrange ( j + 1 , n ) :
A [i , j ] , A [i , col ] = s * A [i , j ] + t * A [i , col ] , \
ss * A [i , j ] + tt * A [i , col ]
for i in xrange ( m ) :
V [i , j ] , V [i , col ] = s * V [i , j ] + t * V [i , col ] , \
ss * V [i , j ] + tt * V [i , col ]
# Clear column j in rows below
for i in xrange ( j + 1 , n ) :
mul = A [i , j ] / A [j , j ]
if mul != 0:
for jj in xrange ( m ) :
A [i , jj ] = A [i , jj ] - mul * A [j , jj ]
for jj in xrange ( n ) :
U [i , jj ] = U [i , jj ] - mul * U [j , jj ]
# Reduce j - th row modulo A [j , j ]
for jj in xrange ( j + 1 , m ) :
d , r = divmod ( A [j , jj ] , A [j , j ])
if d != 0:
# Subtract d times the i - th column
# from the j - th column
A [j , jj ] = r
for k in xrange ( m ) :
V [k , jj ] = V [k , jj ] - d * V [k , j ]
# Make A [ col , col ] positive
if A [ col , col ] < 0:
for jj in xrange ( col , m ) :
A [i , jj ] = -A [i , jj ]
238
65
66
67
68
69
70
71
72
73
74
75
76
77
CHAPTER 6. LINEAR ALGEBRA
for jj in xrange ( n ) :
U [i , jj ] = -U [i , jj ]
# Reduce col - th row modulo A [ col , col ]
for j in xrange ( col + 1 , m ) :
d , r = divmod ( A [ col , j ] , A [ col , col ])
if d != 0:
# Subtract d times the col - th column
# from the j - th column
A [ col , j ] = r
for k in xrange ( m ) :
V [k , j ] = V [k , j ] - d * V [k , col ]
# Return result
return A , U , V
Phase B The next function is Smith_Theorem8(), which operates on the submatrix A0 starting at (i, i) of A, where i is the given index (called row). It is assumed
that the first r - row columns of A0 are already in Smith Normal Form. It transforms
A0 such that the first row of A0 has its only non-zero entry in position 1, and that the
submatrix of A0 starting at (2, 2) satisfies the requirements for Smith_Theorem8().
The resulting matrix A0 might have non-zero entries in the first column. Thus, repeatedly applying this
to the submatrices of A starting at (i, i), 1 ≤ i ≤ r,
function
will yield a matrix Ã0 00 where à is lower triangular and invertible.
Listing 6.2: Smith Normal Form Computation 2/3
78
79
80
81
def Smith_Theorem8 (A , U , V , row , r ) :
n = A . rows ()
m = A . cols ()
R = A . coefficientRing ()
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
for j in xrange (r , m ) :
if A [ row , j ] != 0:
s1 , s , t = R . extendedGCD ( A [ row , row ] , A [ row , j ])
ss = -A [ row , j ] / s1
tt = A [ row , row ] / s1
# Transform columns row and j by a 2 x2 matrix
A [ row , row ] = s1
A [ row , j ] = 0
for i in xrange ( row + 1 , n ) :
A [i , row ] , A [i , j ] = s * A [i , row ] + t * A [i , j ] , \
ss * A [i , row ] + tt * A [i , j ]
for i in xrange ( m ) :
V [i , row ] , V [i , j ] = s * V [i , row ] + t * V [i , j ] , \
ss * V [i , row ] + tt * V [i , j ]
# Reduce column row
for i in xrange ( row + 1 , n ) :
d , r = divmod ( A [i , row ] , A [ row , row ])
if d != 0:
for jj in xrange ( m ) :
A [i , jj ] = A [i , jj ] - d * A [ row , jj ]
for jj in xrange ( n ) :
U [i , jj ] = U [i , jj ] - d * U [ row , jj ]
# Reduce column row
for i in xrange ( row + 1 , n ) :
6.11. THE SMITH NORMAL FORM
107
108
109
110
111
112
239
d , r = divmod ( A [i , row ] , A [ row , row ])
if d != 0:
for jj in xrange ( m ) :
A [i , jj ] = A [i , jj ] - d * A [ row , jj ]
for jj in xrange ( n ) :
U [i , jj ] = U [i , jj ] - d * U [ row , jj ]
113
114
return A , U , V
Main Part Finally, we present the main part of the algorithm. It first computes
a Hermite Normal Form of the matrix, rearranges the columns such that the upper
left r × r submatrix is invertible, and then uses the two functions Smith_Theorem5()
and Smith_Theorem8() to transform the HNF into the Smith Normal Form:
Listing 6.3: Smith Normal Form Computation 3/3
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
def Smith ( A ) :
""" Computes matrix U and V such that U * A * V is in Smith
Normal Form . Returns U , V and the list of non - zero
diagonal entries of the Smith Normal Form . """
# Read out info
n = A . rows ()
m = A . cols ()
R = A . coefficientRing ()
# Transform to Hermite Normal Form . A will now be in HNF
# and we can modify it without changing the original A .
U , A , rp = hnf . HNF ( A )
r = len ( rp )
# Create V
V = matrix . c r e a t e I d e n t i t y M a t r i x (R , m )
# Transform A via V so that the left r x r block of A is
# invertible
for i in xrange ( r ) :
if rp [ i ] > i :
A . swap_cols (i , rp [ i ])
V . swap_cols (i , rp [ i ])
# Phase One
for i in xrange ( r ) :
A , U , V = Smith_Theorem5 (A , U , V , i )
# Search where something not equal to 1 begins
beg = 0
while beg < r and A [ beg , beg ] == 1:
beg += 1
# Phase Two
if beg < r and r < m :
for i in xrange ( beg , r ) :
A , U , V = Smith_Theorem8 (A , U , V , i , r )
# Run transposed Phase One
AA = A . submatrix ( beg , beg , r - beg , r - beg ) . transpose ()
UU = matrix . c r e a t e I d e n t i t y M a t r i x (R , r - beg )
VV = matrix . c r e a t e I d e n t i t y M a t r i x (R , r - beg )
for i in xrange ( r - beg ) :
AA , UU , VV = Smith_Theorem5 ( AA , UU , VV , i )
# Insert AA
AA = AA . transpose ()
240
154
155
156
157
158
159
160
161
162
163
CHAPTER 6. LINEAR ALGEBRA
A . assign_submatrix ( beg , beg , AA . transpose () )
# Insert transformations
UU , VV = VV . transpose () , UU . transpose ()
U . assign_submatrix ( beg ,0 , UU * U . submatrix ( beg ,0 ,r - beg , n ) )
V . assign_submatrix (0 , beg , V . submatrix (0 , beg ,m ,r - beg ) * VV )
# Return results
diag = [ None ] * r
for i in xrange ( r ) :
diag [ i ] = int ( A [i , i ])
return U , V , diag
Example
At last, let us discuss an example. Assume we start with the matrix
4 −52 −96 16 −72 314
9
186 −54
 3
4
0
16
24
122
39
78
24 


−5 24
48 −24 24 −339 −45 −202
1 


A=
 ∈ Z6×9 .
 3 −12 −32 16
0
106
21
70
−7 


−3 −16 −24 −16 −48 −134 −57 −86 −49
2
−4 −8
8
0
237
42
140
19


Computing the HNF yields
1
0

0

A0 = 
0

0
0
0
4
0
0
0
0

0
0
8
0
0
0
0 0
0
0 0 0
0 0
0
0 0 0

0 0
4
0 0 6

.
8 0
1
0 0 3

0 24 0 18 8 7 
0 0 120 21 70 11

Here, the rank is 6, and the upper left 6 × 6 submatrix is already invertible; thus,
no columns have to be swapped.
In Phase A, most of the time, nothing will happen, except when we apply
Smith_Theorem5() with i = 6. The result is
1
0

0

A2 = 
0

0
0

0
1
0
0
0
0
0
0
4
0
0
0
0 0
0
0
0
0
0 0
0
0
0
0 

0 0
0
0
0
2 

.
8 0
0
2
0
5 

0 24 0
15 6 18 
0 0 960 741 70 731

Next, in Phase B, we first apply Smith_Theorem8() with i = 3; the output is then
1
0

0

A3 = 
0

0
0

0
1
0
0
0
0
0
0
2
1
0
1
0 0
0
0
0
0
0 0
0
0
0
0 

0 0
0
0
0
0 

.
8 0
0
2
0
10 

0 24 0
15 6
36 
0 0 960 741 70 1462

241
6.11. THE SMITH NORMAL FORM
The next three applications yield
1
0

0

A4 = 
0

0
0
0
0
1
0
0
2
0
1
0 −7
0 −369
1
0

0

A5 = 
0

0
0
0
0
0
1
0
0
0
2
0
0
1
2
0 −7
1
0 3880 −606
0 0
0
0
0
0 0
0
0
0 

0 0
0
0
0 


0 0
0
0
0 

3 0
0
0
0 
2 960 5928 −2824 −3576
1
0

0

A6 = 
0

0
0
0
0
0
1
0
0
0
2
0
0
1
2
0 −7
1
0 3880 −606
0
0
0
0
3
2



and
Now A6 is of the form
Ik 0 0
0 L0
0 0 0
0 0
0
0
0
0
0 0
0
0
0
0 

0 0
0
0
0
0 

,
2 0
0
0
0
0 

1 24 0
60
6
−39 
1 0 960 2964 70 −2243


0
0
0
0
0
8
0
0
0
0
0
0
0
0
0
0
0
0
0
0

0

.
0

0
0

, where k = 2 yields an 2 × 2 identity matrix and
2
0
 1
2

L=
 −7
1
3880 −606

0
0
3
2
0
0


0
8

is invertible and lower triangular. We now apply the operations from Phase A to
LT . In the first step, namely calling Smith_Theorem5() with i = 1, yields
2
0

LT1 = 
0
0

1
2
0
0
1
0
1 −606

,
3
2 
0
8

whose first row is now reduced modulo 2. Applying Smith_Theorem5() with i = 2,
i = 3 and finally i = 4 yields
1
0

LT2 = 
0
0

0
4
0
0
0
3
3
0
0
1


2 T 0
, L = 
0
2 3
8
0


0 0 0
1 0 0

 and
0 12 8
0 0 8

1
0

LT4 = 
0
0

Plugging L4 back into A6 yields
1
0

0

A7 = 
0

0
0

0
1
0
0
0
0
0
0
1
0
0
0
0
0
0
1
0
0
0 0
0 0
0 0
0 0
4 0
0 24
0
0
0
0
0
0
0
0
0
0
0
0
0
0

0

,
0

0
0

0
1
0
0
0 0
0 0

.
4 0
0 24

242
CHAPTER 6. LINEAR ALGEBRA
with diagonal entries (1, 1, 1, 1, 4, 24). The transformation matrices U ∈ GL6 (Z) and
V ∈ GL9 (Z) with U AV = A7 computed by the algorithm are
3
13
4
−6
4
0

 −4
−17
−7
6
−6
−2


 −48
−204
−83
73
−72
−23 


U =

 −303
−1291
−523
464
−456
−145 


 152096
647611
262547 −232747 228669
72883 
−455188 −1938143 −785743 696554 −684350 −218123


and
1
0
0
0
0
0
0
0
0

0 28
389
−536
−1153
−2304
0
0
0




602
−201
28
−4200 −627573 
0 −15 −202 279


0 15
193 −266 −572 −1494
7
−1050 −156894 


−65
89
190
12418 −240 36013
5381137 
V =
.
0 −5
0
1
13
−18
−36
2736
−56
8400
1255140 




0
0
1
8
−16036 320 −48020 −7175254
0


0
0
0
0
−6
−10
0
6
907 
0
0
1
−2
−8
−16
0
0
4


Chapter 7
Finite Groups
In this chapter, we want to investigate some problems in finite groups. Throughout
most of this chapter, we will concentrate on abelian finite groups, even though the
algorithms for the first two sections also work with generic groups. (In fact, they
restrict to a cyclic subgroup, which is again abelian.)
Throughout this chapter, let G be a finite group of order N . We write the group
multiplicatively, and denote its neutral element with 1G . We assume that computing the group operation in G can be done too efficiently, and that also inversions
can be done (though maybe not efficiently). We assume that group elements can
be represented in a unique way so that equality and inequality can be tested by
comparing the binary representation of the group element.
7.1
Computing Orders of Elements
The first task is to compute the order of an element g ∈ G. Recall that the order ord(g) is the smallest integer m ≥ 1 such that g m = 1G . Therefore, a simple
algorithm to compute this integer computes g, g 2 , g 3 , . . . by successively multiplying the last value by g. This yields an algorithm which needs O(ord(g)) group
operations.
It turns out that we can do much better. In fact, there exist two generic algorithms, called
p Pollard’s % and Shanks’ Baby-Step Giant-Step, which solve this problem in O( ord(g)) operations. Here, we want to present an adaption of Shanks’
algorithm which is suitable when no good upper bound on ord(g) is known. This
algorithm is due to David C. Terr [Ter00].
Note that the aforementioned algorithms can also be used to solve the Discrete
Logarithm Problem (DLP), which we will look at in the next section. For the DLP,
1
one can show that in case N is prime
√ and G is generic, there exists no algorithm
which can compute the DLP in o( N ) operations [Sho97]. For a long time, it was
believed that this is also true for computing orders. Only in 2007, Andrew V. Sutherland [Sut07] showed that thispis not the case. He presented an algorithm which
computes the order of g in o( ord(g)) group operations,pand shows a lower bound
of O(ord(g)1/3 ). In fact, his algorithm has complexity O( ord(g)/ log log ord(g)) in
case ord(g) is prime, but for nearly half of all possible ord(g)’s in a fixed interval,
its complexity is O(ord(g)1/3 ) and thus optimal.
1
One can make this notion precise, but for us, it suffices to know that generic groups, also called
blackbox groups, provide an interface to multiply, compare and invert group elements, and no further
knowledge about the group is available.
243
244
CHAPTER 7. FINITE GROUPS
The main idea of Sutherland’s algorithm is to first remove all “small” prime
k
factors from ord(g); by replacing g by g 0 := g p for a large enough k (namely such
that k log p ≥ log ord(g)), one makes sure that ord(g 0 ) is not divisible by p. This is
first done for a very large number of small primes, and then the remainder of the
possible values of ord(g) are excluded using a baby-step giant-step type algorithm.
We will not describe the algorithm here any further, but refer to [Sut07] for a detailed
description.
Terr’s order computation algorithm is based on the following fact:
Lemma 7.1.1. For every natural number n > 0, there exists unique natural numP
bers a, b ∈ N such that a > 0 and 0 ≤ b < a and n = 21 a(a + 1) − b = ai=1 i − b.
Proof. First note that if a = 1 and b = 0, then ai=1 i − b = 1. Therefore, assume
P
P
that n > 1. This is clear since ai=1 i − a−1
i=1 i = a, whence every number n with
Pa−1
Pa
Pa−1
i
≤
n
<
i
can
be
written
as
i=1
i=1
i=1 i + b̂ with 0 < b̂ ≤ a. Set b := a − b̂;
Pa
1
then 0 ≤ b < a and n = i=1 i − b = 2 a(a + 1) − b.
P
The idea is now to search for ord(g) in ( 12 a(a − 1), 21 a(a + 1)] for a = 1, 2, 3, . . . .
For this, we compute g 0 , g 1 , g 2 , . . . , g a−1 and compare these to g a(a+1)/2 . Using
that g a(a+1)/2 = g b with 0 ≤ b < a is equivalent to g a(a+1)/2−b = 1G and thus
to ord(g) | 21 a(a + 1) − b , we can find ord(g) in case a is minimal under this
condition. This is visualized in the following picture. When testing whether g a(a+1)/2
is contained in g 0 , . . . , g a−1 , the following areas are searched for (multiples of) ord(g):
ord(g)
=1
a=1
ord(g)
=2
ord(g)
=3
ord(g)
=4
a=2
ord(g)
=5
ord(g)
=6
a=3
ord(g)
=7
ord(g)
=8
ord(g)
=9
ord(g)
=10
a=4
Note that our description of the algorithm is the one in [BS05, Section 2].
Input: g ∈ G
Output: ord(g)
1. Set baby1 := g and giant1 := g;
2. Set L1 = {(1G , 0)} and i = 1;
3. Repeat:
(a) If (gianti , j) ∈ Li for some j, return 21 i(i + 1) − j;
(b) Set Li+1 = Li ∪ {(babyi , i)}.
(c) Compute babyi+1 := babyi · g;
(d) Compute gianti+1 := gianti · babyi+1 ;
(e) Set i := i + 1;
Algorithm 7.1: Order Computation
Theorem 7.1.2. Algorithm 7.1 is correct and needs less than 2 ord(g) group operations without any inversion. In case lookup and insertion in a set of size n can
be done in f (n)
p operations,
p where f is increasing and sublinear, the total time for
lookups is O( ord(g)f ( ord(g))).
p
245
7.2. THE DISCRETE LOGARITHM PROBLEM
If we use a balanced binary search tree (compare Section 4.2.2), lookup and
insertion can be done in f ∈ O(log n) operations. In case we use Python’s dict
data structure, which is based on hash tables, accessing and insertion are essentially
(amortized) constant time, i.e. f ∈ O(1).
Proof. First, note that babyi = g i and gianti = g i(i+1)/2 : for i = 1 this is clear, and
the equality for arbitrary i follows by induction since babyi+1 = babyi ·g = g i ·g = g i+1
and gianti+1 = gianti ·babyi+1 = g i(i+1)/2 ·g i+1 = g i(i+1)/2+(i+1) = g (i+1)(i+2)/2 . This
implies that Li = {(g j , j) | 0 ≤ j < i}.
Therefore, (gianti , j) is found in Li if and only if g i(i+1)/2−j = 1G for 0 ≤ j < i.
Since we return at the first occurrence, i is minimal, whence ord(g) = i(i + 1)/2 − j.
This shows that the algorithm is correct.
Concerning the running time, note that in every loop iteration, two group operations are done. Therefore, if (gianti , j) ∈ Li is found, 2(i − 1) group operP
ations were performed up to that point, and ik=1 O(f (k)) ⊆ O(if (i)) operations for the lookup. Now if ord(g) = i(i + 1)/2p
− j with 0 ≤ j < i, then
2
2
i − i < 2 ord(g) ≤ i + i. This is equivalent to√ i < ord(g) + 1/4 + 1/2 ≤ i + 1,
p
p
p
√
whence i < ord(g) + 1/4 + 1/2 ≤ ord(g) + 5−1
as
x
→
7
x + 1/4 + 1/2 − x
2
√
√
p
is decreasing and 1 + 1/4 + 1/2 − 1 = 5−1
2 .
Therefore, √the total number of group operations 2(i − 1) satisfies 2(i − 1) <
p
p
for the table lookups is
2( ord(g) + p5−3
2 ) < 2p ord(g), and the
p time needed
p
O(if (i)) ⊆ O( ord(g)f ( ord(g))) = O( ord(g)f ( ord(g))).
7.2
The Discrete Logarithm Problem
The Discrete Logarithm Problem (DLP) states that given two group elements g, h
with h ∈ hgi, find some n ≥ 0 with g n = h. (Sometimes this definition is also
extended to test whether h ∈ hgi.)
It was shown by p
Victor Shoup [Sho97] that there cannot be an algorithm which
solves the DLP in o( ord(g)) group operations in case ord(g) is prime for a generic
group G. On the other hand, in case ord(g) is not prime (and its factorization is
known), one can reduce the DLP to several smaller DLPs using the Pohlig-Hellman
method [PH78].
p
Two algorithms which can solve the DLP in O( ord(g)) operations – which is
thus optimal for prime ord(g) – are Pollard’s % algorithm and Shanks’ Baby-Step
Giant-Step algorithm. Let us first sketch Shanks’ algorithm. It works
p by covering
hgi by translates of the baby set {g −i h | 0 ≤ i < b}, where bp≈ ord(g). For
this, one computes the giant steps g bj , 0 ≤ j < B where B ≈ ord(g) such that
bB ≥ ord(g), and tests whether g bj lies in the baby set. If it does, then g bj = g −i h,
whence g bj+i = h.
The following picture visualizes this search for g bj = hg −i with b = 3:
h = g0
h = g1
j=0
h = g2
h = g3
h = g4
j=1
h = g5
h = g6
h = g7
j=2
h = g8
h = g 9 h = g 10 h = g 11
j=3
Now let us reformulate Terr’s modification of Shanks’ algorithm to the DLP
setting. For that, note that instead of g i(i+1)/2−j = 1G with 0 ≤ j < i, we want to
246
CHAPTER 7. FINITE GROUPS
test whether g i(i+1)/2−j = h. This is equivalent to g i(i+1)/2 = hg j . Therefore, we
modify the algorithm as follows:
Input: g ∈ G and h ∈ hgi
Output: ord(g)
1. Set baby1 := g and giant1 := g and compute baby10 := hg;
2. Set L1 = {(h, 0)} and i = 1;
3. Repeat:
(a) If (gianti , j) ∈ Li for some j, return 21 i(i + 1) − j;
(b) Set Li+1 = Li ∪ {(babyi0 , i)}.
0
(c) Compute babyi+1 := babyi · g and babyi+1
:= babyi0 · g;
(d) Compute gianti+1 := gianti · babyi+1 ;
(e) Set i := i + 1;
Algorithm 7.2: Discrete Logarithm Computation
Note that throughout the algorithm,
babyi = g i ,
babyi0 = hg i ,
1
gianti = g 2 i(i+1) ,
and
Li = {(hg j , j) | 0 ≤ j < i},
whence (gianti , j) ∈ Li yields g i(i+1)/2−j = h. Therefore, a similar argument as
above shows correctness and that the number of operations
is essentially the same,
p
with the number of group operations bounded by 3 ord(g):
Theorem 7.2.1. Algorithm 7.2 is correct and needs at most 3 ord(g) group operations without any inversion. In case lookup and insertion in a set of size n can
be done in f (n)
p operations,
p where f is increasing and sublinear, the total time for
lookups is O( ord(g)f ( ord(g))).
p
Note that the algorithm can also be called in case h 6∈ hgi, although in that
case, the algorithm will loop forever. If one introduces a second list L0i = {(g j , j) |
0 ≤ j < i} as in the original order computing algorithm, one can also test whether
1
2 i(i + 1) exceeds the order and terminate with “h 6∈ hgi” in that case. This will not
change the total number of group operations, and the asymptotically time needed
for lookups does not change either.
7.3
Computing the Structure of a Finite Abelian Group
In this section, we want to compute the structure of a finite abelian group. There
also exist algorithms for special classes of finite non-abelian groups, but these are
usually much more complicated.
7.3. COMPUTING THE STRUCTURE OF A FINITE ABELIAN GROUP
7.3.1
247
Structure of a Generated Subgroup
Assume that G is abelian and that we are given g1 , . . . , gn . We first want to investigate how to compute the structure of the subgroup hg1 , . . . , gn i of G. For that, we
consider the homomorphism
ϕ : Zn → G,
(e1 , . . . , en ) 7→
n
Y
giei .
i=1
(For this being a homomorphism, we need that hg1 , . . . , gn i is abelian.) We have that
the image of ϕ is precisely hg1 , . . . , gn i, and if Λ := ker ϕ, then by the Homomorphism
Theorem, Zn /Λ ∼
= hg1 , . . . , gn i.
Note that Λ is a free Z-module, whence there exists a Z-basis v1 , . . . , vk of Λ:
P
thus, every λ ∈ Λ can be written in a unique way as λ = ki=1 λi vi with λi ∈ Z. As
Zn /Λ ∼
= hg1 , . . . , gn i is finite, it must be that k = n. (Note that Λ is also called a
sublattice of Zn of full rank.)
Write v1 , . . . , vn into the columns of the matrix A ∈ Zn×n . Then Λ = {Aw | w ∈
n
Z }. If we now have two matrices U, V ∈ GLn (Z) such that
0

d1
U AV = 

..


.
0
dn



with integers d1 | d2 | · · · | dn – that is, if U AV is in Smith Normal Form –, then
Λ = {U
−1
U AV V
−1
w|w∈Z }= U
n
−1
d1
0
..
0
!
.
dn
n
w w∈Z .
This shows that if U −1 = (w1 , . . . , wn ) with wi ∈ Zn×1 , then di wi , 1 ≤ i ≤ n is
another basis of Λ and
n
Y
Z/di Z.
Zn /Λ ∼
=
i=1
In particular, the group element (0, . . . , 0, 1, 0, . . . , 0) ∈ ni=1 Z/di Z with the 1 in
the i-th position corresponds to ϕ(wi ) ∈ hg1 , . . . , gn i. Therefore, we obtain both the
structure of hg1 , . . . , gn i as well as a nice “basis” of this subgroup.
In the following, we want to describe an algorithm by Arthur Schmidt and Johannes Buchmann [Sch02, BS05] which computes such a matrix A; combining it
with Section 6.11, we obtain an algorithm which thus computes the structure of
hg1 , . . . , gn i. This algorithm is based on Terr’s order computation method. Note
that there also exist other algorithms, for example the one by Edlyn Teske based on
Pollard’s % [Tes98], and another one in case |G| is known and smooth, which uses
the idea of the Pohlig-Hellman method [Tes99]. This can also be combined with
another algorithm by A. Sutherland to compute the structure of abelian p-groups
[Sut11].
The basic idea by Schmidt and Buchmann is to compute directly a (modified)
Hermite Normal Form of A. Note that the columns of the Hermite Normal Form
have a special interpretation in this setting:
Q
Lemma 7.3.1. Let A = (aij )ij ∈ Zn be such that (an−j,n−i )ij is in Hermite Normal
Form. (In particular, A is upper triangular.) Then ker ϕ = A if and only if the
following conditions are satisfied:
248
CHAPTER 7. FINITE GROUPS
(i) rank A = n (or equivalently det A > 0);
(ii) aii = ord(gi + hg1 , . . . , gi−1 i) in hg1 , . . . , gi i/hg1 , . . . , gi−1 i ⊆ G/hg1 , . . . , gi−1 i;
(iii) giaii =
Qi−1 −aji
j=1 gj
.
Remark 7.3.2. Note that in case all conditions of the lemma are satisfied except that
(an−j,n−i )ij is not completely in Hermite Normal Form in the sense that the entries
above the diagonal elements might not be reduced modulo the diagonal elements, one
can easily transform the matrix to satisfy also this condition.
Qi−1 −aji
Namely, for i = n − 1, n − 2, . . . , 1, one uses the relation giaii = j=1
gj
to
reduce the coefficients aik , i < k ≤ n modulo aii . This might change the coefficients ajk , 1 ≤ j < i < k ≤ n, but these will be reduced later for the corresponding
values of i.
This lemma shows that we essentially can compute orders in quotients of G to
obtain the structure of G. Unfortunately, we cannot directly apply Algorithm 7.1.
The main problem is how to uniquely represent elements in these quotients.
The algorithm by Schmidt and Buchmann avoids this by extending Terr’s babystep giant-step search for ord(gi +hg1 , . . . , gi−1 i) with a classical baby-step giant-step
search in H = hg1 , . . . , gi−1 i. More precisely, the set H is split up into two sets H1
and H2 with |H1 |, |H2 | ≈ |H| such that every element h ∈ H can be written as h1 h2
with hi ∈ Hi . Then instead of looking for giante in babySete , we look for h2 · giante
S
in h1 ∈H1 (h1 · babySete ), where h2 ranges over all elements of H2 . Therefore, we
do ≈ |H| lookups per iteration instead of one lookup, and extend the size of the
S
lookup table by a factor of ≈ |H|. By noting that h1 ∈H1 (h1 · babySete+1 ) can be
S
obtained from h1 ∈H1 (h1 · babySete ) in ≈ |H| operations, we see that the running
time to compute ord(gi + hg1 , . . . , gi−1 i) is approximately
q
ord(gi + hg1 , . . . , gi−1 i) ·
q
|H|.
The exact algorithm is described and analyzed in the following proposition:
Proposition 7.3.3. Let k > 1. Assume that we already computed aij for 1 ≤ j < k
and 1 ≤ i ≤ j. Let m ∈ {1, . . . , k − 1}. Let I1 , I2 such that I1 ∪ I2 ∪ {m} =
{1, . . . , k − 1} is a disjoint union. Define
H1 =
Y
H2 =
Y
gi−xi ,
i∈I1
i∈I2
X
i∈I1
xi ei 0 ≤ xi < aii for i ∈ I1 ,
X
gixi ,
xi ei 0 ≤ xi < aii for i ∈ I2 ,
i∈I2
H = hg1 , . . . , gk−1 i
=
Y
i∈{1,...,k−1}
gixi 0 ≤ xi < aii for i ∈ {1, . . . , k − 1}
and the two quantities
s=
&p
'
|H|
=
|H1 |
&s
Q
aii
amm Q
i∈I1 aii
i∈I2
'
and
t=
&p
'
|H|
=
|H2 |
&s
Q
'
aii
amm Q
.
i∈I2 aii
i∈I1
7.3. COMPUTING THE STRUCTURE OF A FINITE ABELIAN GROUP
249
Moreover, define
n
o
o
−r
auxBabySet = (h1 gm
, v + rem ) (h1 , v) ∈ H1 , r ∈ {0, . . . , s − 1} ,
babySet1 = auxBabySet,
baby1 = gk ,
n
qs
giantSet = (h2 gm
, v + qsem ) (h2 , v) ∈ H2 , q ∈ {0, . . . , t − 1} ,
giant1 = gk ,
e = 1.
Now repeat the following steps:
1. For all (g, v) ∈ giantSet check whether (g · giante , w) ∈ babySete for some w;
• If this is the case, set a•k = v + w + 12 e(e + 1)ek and stop;
2. Set babySete+1 := babySete ∪ {(g · baby, v − eek ) | (g, v) ∈ auxBabySet};
3. Set babye+1 := babye · gk and giante+1 := giante · babye+1 ;
4. Set e := e + 1.
When the iteration is stopped, a•k is the correct k-th column of A, except possible
applications of the procedure described in Remark 7.3.2.
q
k−1
Now assume that I1 , I2 and m are chosen such that i∈I1 bii , i∈I2 bii ≤
i=1 bii .
−1
Assume that gi is precomputed,
1 ≤ i ≤ k. Then throughout the algorithm, less
p
√
than 4( akk + 1) 12 + |H| group operations are performed.
Let f be a function such that a lookup in babySete with n elements takes at most
f (n) operations. Assume that f is increasing. Then the number of operations needed
for lookups is less than
Q
Q
Q
q
q
√
√
2( akk + 1) |H| · f 2( akk + 1) |H| .
Before we prove this result, let us first visualize the search for k = 2; then I1 =
I2 = ∅ and m = 1. In particular, H1 = {(eG , 0)} = H2 and H = {g1x | 0 ≤ x < a11 }.
Let us assume 4 < a11 ≤ 9; then s = t = 3. Throughout the algorithm, we will have
babySete = {(g1−r g2x , re1 − xe2 ) | 0 ≤ r < 3, 0 ≤ x < e}
and
giantSet = {(g13q , 3qe1 ) | 0 ≤ q < 3}
= {giantElt1 , giantElt2 , giantElt3 }.
|
{z
q=0
} |
{z
q=1
} |
{z
q=2
}
(That this is the case follows from claims proven throughout the proof of Proposition 7.3.3. Also note that certain group elements appear more than once in
case st > a11 , which is here the case if and only if a11 < 9. For example, if a11 = 7,
the group elements in the first two rows of the following picture would equal the
group elements in the last two rows.) We use different colors to distinguish between
the three lookups made for every element of giantSet for every e. The following
picture shows which elements are searched for being eG when e = 1, 2, 3, 4:
250
CHAPTER 7. FINITE GROUPS
giantElt3
giantElt2
giantElt1
8 1
g1
g2
8 2
g1
g2
8 3
g1
g2
8 4
g1
g2
8 5
g1
g2
8 6
g1
g2
8 7
g1
g2
8 8
g1
g2
8 9
g1
g2
8 10
g1
g2
7 1
g1
g2
7 2
g1
g2
7 3
g1
g2
7 4
g1
g2
7 5
g1
g2
7 6
g1
g2
7 7
g1
g2
7 8
g1
g2
7 9
g1
g2
7 10
g1
g2
6 1
g1
g2
6 2
g1
g2
6 3
g1
g2
6 4
g1
g2
6 5
g1
g2
6 6
g1
g2
6 7
g1
g2
6 8
g1
g2
6 9
g1
g2
6 10
g1
g2
5 1
g1
g2
5 2
g1
g2
5 3
g1
g2
5 4
g1
g2
5 5
g1
g2
5 6
g1
g2
5 7
g1
g2
5 8
g1
g2
5 9
g1
g2
5 10
g1
g2
4 1
g1
g2
4 2
g1
g2
4 3
g1
g2
4 4
g1
g2
4 5
g1
g2
4 6
g1
g2
4 7
g1
g2
4 8
g1
g2
4 9
g1
g2
4 10
g1
g2
3 1
g1
g2
3 2
g1
g2
3 3
g1
g2
3 4
g1
g2
3 5
g1
g2
3 6
g1
g2
3 7
g1
g2
3 8
g1
g2
3 9
g1
g2
3 10
g1
g2
2 1
g1
g2
2 2
g1
g2
2 3
g1
g2
2 4
g1
g2
2 5
g1
g2
2 6
g1
g2
2 7
g1
g2
2 8
g1
g2
2 9
g1
g2
2 10
g1
g2
1 1
g1
g2
1 2
g1
g2
1 3
g1
g2
1 4
g1
g2
1 5
g1
g2
1 6
g1
g2
1 7
g1
g2
1 8
g1
g2
1 9
g1
g2
1 10
g1
g2
0 1
g1
g2
0 2
g1
g2
0 3
g1
g2
0 4
g1
g2
0 5
g1
g2
0 6
g1
g2
0 7
g1
g2
0 8
g1
g2
0 9
g1
g2
0 10
g1
g2
e=1
e=2
e=3
e=4
Proof of Proposition 7.3.3. We show several claims to prove this result.
1. Claim: For every h ∈ H, there exist (hi , vi ) ∈ Hi , 1 ≤ i ≤ 2 and q ∈
qs+r .
{0, . . . , t − 1} and r ∈ {0, . . . , s − 1} such that h = h−1
1 h2 gm
−x
x
xi
j
, vi = j∈Ii ej j for
Let h = k−1
j∈Ii gj
i=1 gi with 0 ≤ xi < bii . Set hi =
xm
i = 1, 2. Then h = h−1
1 h2 gm . Now write xm = qs + r with q, r ∈ N such that
0 ≤ r < s; we have to show that q < t. If this would not be the case, then
Q
P
s
xm ≥ ts ≥
Q
aii
amm Q
·
i∈I1 aii
i∈I2
s
P
Q
aii
= amm ,
i∈I2 aii
amm Qi∈I1
contradicting xm < amm . Therefore, the claim is true.
2. Claim: We have
babye = gke ,
1
giante = gk2
babySete =
e(e+1)
and
−r x
(h1 gm
gk , v
(h1 , v) ∈ H1 ,
+ rem − xek ) .
0 ≤ r < s, 0 ≤ x < e
The claims about babye and giante follow as in the proof of Theorem 7.1.2.
S
x
The claim on babySete follows from babySete = e−1
x=0 {(hgk , v − xek ) | (h, v) ∈
auxBabySet}.
3. Let H̃ = hg1 , . . . , gk i; then H̃/H is cyclic, generated by gk + H, and its order
equals the sought akk . Let π1 : H̃ → H̃/H be the canonical map and π2 :
7.3. COMPUTING THE STRUCTURE OF A FINITE ABELIAN GROUP
251
Zk → Z, (x1 , . . . , xk ) 7→ xk the k-th projection. Let π : H̃ × Zk → H̃/H × Z,
(h, v) 7→ (π1 (h), π2 (v)) be the product map.
Claim: Then
π1 (babye ) = π1 (gk )e ,
1
π1 (giante ) = π1 (gk ) 2 e(e+1)
and
o
π(babySete ) = (π1 (gk )x , −x) 0 ≤ x < e .
n
Moreover, there exist (g, v) ∈ giantSet and w ∈ Zk with (g · giante , w) ∈
babySete if and only if there exists some w̃ ∈ Z with (π1 (giante ), w̃) ∈ π(babySete ).
If this is the case, w̃ = π2 (w).
The claims on babye and giante are clear since π1 is a homomorphism. For
the claim on babySete , note that π1 (h) = H for every h ∈ H; therefore,
−r g x ) = π (h g −r )π (g )x = π (g )x . Moreover, π (v + re − xe ) = x.
π1 (h1 gm
1 1 m
1 k
1 k
2
m
k
k
Now assume that (g, v) ∈ giantSet and w ∈ Zk with (g · giante , w) ∈ babySete .
By the definition of giantSet, g ∈ H, whence π1 (g · giante ) = π1 (giante ).
Therefore, by definition
(π1 (giante ), π2 (w)) = π((g · giante , w)) ∈ π(babySete ).
For the other implication, assume that (π1 (giante ), w̃) ∈ π(babySete ) for some
w̃ ∈ Z. This shows that π1 (gk )e(e+1)/2 = π1 (gk )−w̃ for some −w̃ ∈ {0, . . . , e −
e(e+1)/2+w̃
−e(e+1)/2−w̃
1}; in particular, π1 (gk
) = H, whence gk
∈ H. By Claim 1,
−e(e+1)/2−w̃
−1
qs+r
with (h1 , v1 ) ∈ H1 , (h2 , v2 ) ∈ H2 ,
we can write gk
= h1 h2 gm
−r g −w̃ , v + re + w̃e ) ∈ babySet and
0 ≤ q < t and 0 ≤ r < s. Now (h1 gm
1
m
e
k
k
qs , v + qse ) ∈ giantSet, and
(h2 gm
2
m
e(e+1)/2
qs
qs
h2 gm
· giante = h2 gm
gk
|
{z
−r −w̃
= h1 gm
gk
}
−qs−r −w̃
gk
=h1 h−1
2 gm
is the first component of an element of babySete . Finally, π2 (v1 +rem + w̃ek ) =
w̃.
4. Claim: The loop terminates, and when it does, v + w + 21 e(e + 1)ek is the
correct k-th column of A, except possibly that the condition amk ≥ amm is
violated (which is no problem by Remark 7.3.2). Moreover,
up termination,
√
p
√
5−1
e < akk + 1/4 + 1/2 ≤ e + 1. In particular, e ≤ akk + 2 .
Claim 3 shows that all arguments from the proof of Theorem 7.1.2 apply to
this algorithm as well. Therefore, it is clear that the algorithm terminates,
that ord(gk + H) = akk and that the bounds on e hold. We are left to show
Q
−ajk
that gkakk = k−1
and 0 ≤ ajk < ajj for j 6= m.
j=1 gj
e(e+1)/2
Now if (g · gk
, w) ∈ babySete with (g, v) ∈ giantSet, then g = i∈I2 gixi ·
P
qs
gm and v = i∈I2 xi ei + qsem with 0 ≤ xi < aii , i ∈ I2 and 0 ≤ q < t, and
e(e+1)/2
−r g xk , w =
g·gk
= i∈I1 gi−xi ·gm
k
i ∈ I1 and 0 ≤ xk < e and 0 ≤ r < s.
Q
Q
P
i∈I1
xi ei +rem −xk ek with 0 ≤ xi < aii ,
252
CHAPTER 7. FINITE GROUPS
e(e+1)/2
Therefore, g · gk
=
1
gk2
Q
i∈I1
−r g xk yields
gi−xi · gm
k
e(e+1)−xk
=
−qs+r
gi−xi · gm
Y
i∈I1 ∪I2
and v + w + 12 e(e + 1)ek equals
X
xi ei + (qs + r)em +
1
2 e(e
+ 1) − xk ek .
i∈I1 ∪I2
Since ajk is claimed to be the coefficient of ej in v + w + 12 e(e + 1)ek , the claim
follows. (Note that it can be that qs + r ≥ xmm .)
5. Claim: We have |giantSet| < 2 |H| and |babySete | < 2e |H|.
p
p
Clearly,
|giantSet| = |H2 | · t = |H2 | ·
q
|H|/|H2 | <
q
|H| + |H2 |.
Next,
q
|babySete | = e · |auxBabySet| = e · |H1 | · s < e · ( |H| + |H1 |)
by the same argument. Since |H1 | =
p
similarly |H2 | ≤ |H|, the claim follows.
qQ
k−1
i=1 bii
i∈I1 bii ≤
Q
=
p
|H| and
6. Claim: In iteration e of thepprocess, < 2 |H|f (2e |H|) operations are
performed for lookups, and < 4 |H| + 2 group operations are performed.
p
p
By Claim 5, the number ofplookups is < 2 |H|, and the set where an element
is looked up has size < 2e |H|. As f is increasing, the claim on the lookup
operations follows.
p
Now in Step 1, |giantSet| < 2 |H| group operations are performed
p to compute all (g · giant, w). In Step 2, |babySetAux| = |babySet1 | < 2 |H| group
operations are performed to compute the new elements for babySete+1 . Finally,
in Step 3, two group operations are performed.
p
Since correctness is already shown in Claim 4, we are left to compute the total
number of lookup operations and group operations. From Claim 4 we know that
√
e < akk + 1. By Claim 6, the total number of lookup iterations is less than
q
2 |H|
e
q
X
f 2i |H| < 2
√
akk + 1
q
|H| · f 2
√
akk + 1
q
|H| .
i=1
Moreover, by the same claim, the number of total group operations is less than
e q
X
4 |H| + 2 < 4
√
akk + 1
1
2
+
q
|H| .
i=1
The following lemma shows that we can always split {1,
qQ. . . , k − 1} up as the
Q
Q
k−1
disjoint union I1 ∪ {m} ∪ I2 such that i∈I1 bii , i∈I2 bii ≤
i=1 bii . It also shows
how fast the precomputations can be done:
7.3. COMPUTING THE STRUCTURE OF A FINITE ABELIAN GROUP
253
Lemma 7.3.4. Let b11 , . . . , bk−1,k−1 ∈ N>0 for k > 1. Then there exist {m}, I1 , I2 ⊆
{1, . . . , k − 1} such that the union I1 ∪ I2 ∪ {m} = {1, . . . , k − 1} is disjoint with
Y
bii ,
i∈I1
v
uk−1
uY
bii ≤ t
bii .
Y
i=1
i∈I2
Moreover, for such choicesp
of m, I1 , I2 , computing H1 , H2 , auxBabySet and giantSet
can be done in less than 4 |H| group operations.
Proof. First, fill I1 and I2 with random elements such that
I1 ∩ I2 = ∅
and
Y
bii ,
Y
v
uk−1
uY
bii ≤ t
bii
i=1
i∈I2
i∈I1
are true, and will be wrong if any more element is added if any such element is
available. We claim that |I1 | + |I2 | ≥ k − 2. In case it equals k − 1, one can take
m as any element of I1 or I2 and remove that element from there; in case it equals
k − 2, we take m as the unique missing element.
Assume that there are two distinct elements m1 , m2 ∈ {1, . . . , k − 1} \ (I1 ∪ I2 ).
Q
Q
Assume that bm1 m1 ≤ bm2 m2 , and assume that i∈I1 bii ≤ i∈I2 bii . We claim that
then bm1 m1 ·
qQ
k−1
i=1
i∈I1 bii ≤
Q
qQ
k−1
i=1 bii .
Otherwise, we would have bm1 m1 ·
bii , and therefore also bm2 m2 ·
k−1
Y
i=1
Y
bii ≥ bm1 m1 ·
Q
i∈I2 bii
bii · bm2 m2 ·
i∈I1
>
Y
qQ
k−1
i=1
Q
i∈I1 bii
>
bii . This yields
v
uk−1 2
k−1
uY
Y
bii ,
bii > t
bii =
i=1
i∈I2
i=1
a contradiction.
Now assume that I1 and I2 and m are chosen as specified. From p
the proof of
Proposition 7.3.3 (Claim 5) we see that |auxBabySet|, |giantSet| < 2 |H|. Now
note that the group elements appearing in H1 and H2 are also group elements
appearing in auxBabySet and giantSet, respectively. Therefore, using a grid (see
below), one can compute all four sets in (|auxBabySet| − 1) + (|giantSet| − 1) group
operations.
The following picture shows how such a grid can be used to compute g1i g2j for
0 ≤ i < 6, 0 ≤ j < 3 in 6 · 3 − 1 group operations:
g10 g22
g11 g22
g12 g22
g13 g22
g14 g22
g15 g22
g10 g21
g11 g21
g12 g21
g13 g21
g14 g21
g15 g21
g10 g20
g11 g20
g12 g20
g13 g20
g14 g20
g15 g20
Note that g10 g20 = eG is the neutral element of G; therefore, no computation has to be
done for this element. Each other element can be obtained by one group operation,
which is indicated by an arrow. The arrows to the right multiply with g1 , and the
arrows up multiply with g2 .
The following corollary describes how to combine the above steps into one algorithm and determines the number of operations needed for computing the structure
of the subgroup hg1 , . . . , gn i:
254
CHAPTER 7. FINITE GROUPS
Corollary 7.3.5 (A. Schmidt, J. Buchmann [BS05]). There exists an algorithm
which computes the structure of the subgroup Ĝ := hg1 , . . . , gn i in
q
O n |Ĝ|
group operations and
q
O n |Ĝ| · log |Ĝ|
operations for lookup. The algorithm stores
O
q
|Ĝ|
group elements and integer vectors from Zn with entries of size O(log |G|) in memory. The post-processing step can be done in Õ(n5 log3 |Ĝ|) basic b-operations.
Proof. First note that |Ĝ| = ni=1 aii . To compute a11 , we use Algorithm 7.1. By
√
Theorem 7.1.2, this requires less than 2 a11 group operations, and the number of
√
√
operations for lookup and insertion are in O( a11 f ( a11 )).
q
Q
By Proposition 7.3.3 and Lemma 7.3.4, a•k can be computed in O
qQ
qQ
Qk
i=1 aii
k
k
group operations and O
operations for lookup.
i=1 aii · f
i=1 aii
Using balanced binary trees yields f (x) ∈ O(log x), which combined with the
rest yields the claim.
Note that the algorithm can be sped up by re-using the lookup tables H1 , H2 ,
auxBabySet and giantSet whenever possible. This is described in more detail in
[BS05, Algorithm 2].
7.3.2
Generating the Whole Group
In case we are given g1 , . . . , gn with G = hg1 , . . . , gn i, we can use the algorithms
from the previous section to compute the structure of G.
But what if the following situation appears: we do not have generators for G,
but instead a sampling method which samples (essentially) uniformly at random an
element from G. One can modify the algorithms that we can iteratively add new
generators. We now want to discuss two questions:
• How many generators do we have to expect?
• When do we know that we are done?
When are we done? Let us first consider the second question. Assume that
we already have hg1 , . . . , gn i, and that we sample a new element gn+1 . Now the
probability that gn+1 ∈ hg1 , . . . , gn i is
|G|
1
≤
|hg1 , . . . , gn i|
2
by Lagrange in case hg1 , . . . , gn i $ G, and 1 in case hg1 , . . . , gn i = G. Thus, if we
sample several elements and all turn out to be already in the subgroup generated
by the previous elements, we are done with a certain probability (namely at least
1 − 2−k , if we sampled k elements which do all belong to the previous subgroup).
7.3. COMPUTING THE STRUCTURE OF A FINITE ABELIAN GROUP
255
If we know that C ≤ |G| < 2C for some constant C, the situation is simpler.
Since |hg1 , . . . , gn i| either equals |G| or is at most 12 |G|, we have |hg1 , . . . , gn i| ≥ C
if and only if hg1 , . . . , gn i = G. Therefore, we have an explicit criterion when to
stop. Examples for groups for which such bounds are known are elliptic curves over
finite fields: if q > 33 and E is an elliptic curve over Fq , then L ≤ |E(Fq )| < 2L for
√
L = q + 1 − 2 q.
Q
Expected number of elements? First, note that if G ∼
= ki=1 Z/di Z with 1 <
d1 | · · · | dk , then one needs at least k elements to generate G. Carl Pomerance
showed in Corollary 2 of [Pom01] that the average number of elements – when
sampled uniformly at random – which generate G is less than k + σ, where
σ =1+
∞
X
j=2
1−
∞
Y
−1
ζ(`)
ζ(`) ≈ 2.118456563
`=j
−x being the Riemann zeta function.
with ζ(x) = ∞
i=1 i
Now note that d ≤ log2 |G|. Therefore, one needs in average at most O(log |G|)
elements to generate G.
Combining the above yields the following result:
P
Corollary 7.3.6.
in an
p The structure of a finite abelian group G can be computed
p
2
of
O(
|G|
log
|G|)
average of O( |G| log |G|) group operations, with an average
p
number of operations for lookups. The algorithm stores O( |G|) group elements
and integer vectors from Zn with entries of size O(log |G|) in memory. The postprocessing step can be done in Õ(log8 |Ĝ|) basic b-operations.
256
CHAPTER 7. FINITE GROUPS
Bibliography
[BCS97]
P. Bürgisser, M. Clausen, and M. A. Shokrollahi. Algebraic complexity
theory, volume 315 of Grundlehren der Mathematischen Wissenschaften
[Fundamental Principles of Mathematical Sciences]. Springer-Verlag,
Berlin, 1997. With the collaboration of Thomas Lickteig.
[BD73]
R. W. Brockett and D. Dobkin. On the optimal evaluation of a set of
bilinear forms. In Proceedings of the fifth annual ACM symposium on
Theory of computing, STOC ’73, pages 88–95, New York, NY, USA,
1973. ACM.
[Ber98]
D. J. Bernstein. Detecting perfect powers in essentially linear time. Mathematics of Computation, 67(223):1253–1283, 1998.
[BH74]
J. R. Bunch and J. E. Hopcroft. Triangular factorization and inversion
by fast matrix multiplication. Math. Comp., 28:231–236, 1974.
[Bla66]
W. A. Blankinship. Algorithm 288, solution of simultaneous linear diophantine equations. Communications of the ACM, 9:514, July 1966.
[BO81]
M. Ben-Or. Probabilistic algorithms in finite fields. Foundations of Computer Science, IEEE Annual Symposium on, 0:394–398, 1981.
[BS05]
J. Buchmann and A. Schmidt. Computing the structure of a finite abelian
group. Mathematics of Computation, 74(252):2017–2026, 2005.
[CKSU05] H. Cohn, R. D. Kleinberg, B. Szegedy, and C. Umans. Group-theoretic
algorithms for matrix multiplication. In FOCS, pages 379–388. IEEE
Computer Society, 2005.
[Coo66]
S. A. Cook. On the Minimum Computation Time of Functions. Ph.D.
thesis, Havard University, 1966.
[CU03]
H. Cohn and C. Umans. A group-theoretic approach to fast matrix
multiplication. In Proceedings of the 44th Annual IEEE Symposium on
Foundations of Computer Science, FOCS ’03, pages 438–, Washington,
DC, USA, 2003. IEEE Computer Society.
[CW90]
D. Coppersmith and S. Winograd. Matrix multiplication via arithmetic
progressions. J. Symbolic Comput., 9(3):251–280, 1990.
[CW12]
F. Costello and P. Watts. A computational upper bound on Jacobsthal’s
function. http://arxiv.org/abs/1208.5342, 2012.
257
258
BIBLIOGRAPHY
[DN08]
P. D’Alberto and A. Nicolau. Using recursion to boost atlas’s performance. In Proceedings of the 6th international symposium on highperformance computing and 1st international conference on Advanced low
power systems, ISHPC’05/ALPS’06, pages 142–151, Berlin, Heidelberg,
2008. Springer-Verlag.
[Dus99]
P. Dusart. The kth prime is greater than k(ln k + ln ln k − 1) for k ≥ 2.
Math. Comp., 68(225):411–415, 1999.
[Dus10]
P. Dusart. Estimates of some functions over primes without R.H. 2010.
[Eis95]
D. Eisenbud. Commutative Algebra: with a View Toward Algebraic Geometry. Number 150 in Graduate Texts in Mathematics. Springer-Verlag,
New York, 1995.
[Fon11]
F. Fontein. Einführung in die Algebra.
stsemester 2011.
[GMP]
GNU Multiple Precision Arithmetic Library. http://gmplib.org/.
[Her51]
C. Hermite. Sur l’introduction des variables continues dans la théorie des
nombres. J. Reine Angew. Math., pages 191–216, 1851.
[Iwa78]
H. Iwaniec. On the problem of Jacobsthal.
11(1):225–231, 1978.
[Kan75]
H.-J. Kanold. Über eine zahlentheoretische Funktion von E. Jacobsthal.
Abh. Braunschweig. Wiss. Gesellsch., 25:7–10, 1975.
[Knu81]
D. E. Knuth. The art of computer programming. Vol. 2. Addison-Wesley
Publishing Co., Reading, Mass., second edition, 1981. Seminumerical
algorithms, Addison-Wesley Series in Computer Science and Information
Processing.
[KO63]
A. A. Karatsuba and Y. P. Ofman. Multiplication of many-digital numbers by automatic computers. Doklady Akad. Nauk SSSR, 145:293–294,
1963. English translation in Physics-Doklady, vol. 7, pp. 595–596, 1963.
[Lot]
S. F. Lott. Building skills in Python. Available online at http://www.
itmaybeahack.com/homepage/books/python.html.
[MN98]
M. Matsumoto and T. Nishimura. Mersenne twister: a 623-dimensionally
equidistributed uniform pseudo-random number generator. ACM Trans.
Model. Comput. Simul., 8(1):3–30, January 1998.
[PH78]
S. C. Pohlig and M. E. Hellman. An improved algorithm for computing
logarithms over GF (p) and its cryptographic significance. IEEE Trans.
Inform. Theory, 24:106–110, 1978.
[Pom01]
C. Pomerance. The expected number of random elements to generate a
finite abelian group. Periodica Mathematica Hungarica, 43(1–2):191–198,
2001.
[Py]
Python programming language. http://www.python.org/.
Lecture’s homepage, Herb-
Demonstratio Math.,
BIBLIOGRAPHY
259
[Raz03]
R. Raz. On the complexity of matrix product.
32(5):1356–1369 (electronic), 2003.
SIAM J. Comput.,
[Rog71]
K. Rogers. The axioms for Euclidean domains. The American Mathematical Monthly, 78:1127–1128, 1971.
[Ros02]
M. Rosen. Number theory in function fields, volume 210 of Graduate
Texts in Mathematics. Springer-Verlag, New York, 2002.
[RSA78]
R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital
signatures and public-key cryptosystems. Communications of the ACM,
21(2):120–126, February 1978.
[S+ 13]
William A. Stein et al. Sage Mathematics Software (Version x.y.z). The
Sage Development Team, 2013. http://www.sagemath.org.
[Sch02]
A. Schmidt. Zur Berechnung der Struktur endlicher abelscher Gruppen.
Diplomarbeit, Technische Universität Darmstadt, January 2002.
[Sha48]
C. E. Shannon. A mathematical theory of communication. Bell System
Tech. J., 27:379–423, 623–656, 1948.
[Sho97]
V. Shoup. Lower bounds for discrete logarithms and related problems.
In Advances in cryptology—EUROCRYPT ’97 (Konstanz), volume 1233
of Lecture Notes in Comput. Sci., pages 256–266. Springer, Berlin, 1997.
[SL96]
A. Storjohann and G. Labahn. Asymptotically fast computation of hermite normal forms of integer matrices. In Proceedings of the 1996 international symposium on Symbolic and algebraic computation, ISSAC ’96,
pages 259–266, New York, NY, USA, 1996. ACM.
[Smi61]
H. J. Smith. On systems of linear indeterminate equations and congruences. Phil. Trans. Roy. Soc. London, pages 293–326, 1861.
[Ste77]
H. Stevens. On Jacobsthal’s g(n)-function. Math. Ann., 226(1):95–97,
1977.
[Sto96a]
A. Storjohann. Computing hermite and smith normal forms of triangular
integer matrices. ETH Zurich, Institut für Wissenschaftliches Rechnen.
Available online at http://dx.doi.org/10.3929/ethz-a-006651825,
1996.
[Sto96b]
A. Storjohann.
A fast+practical+deterministic algorithm for triangularizing integer matrices.
ETH Zurich, Institut für Wissenschaftliches Rechnen. Available online at http://dx.doi.org/10.
3929/ethz-a-006651735, 1996.
[Sto97]
A. Storjohann. A solution to the extended GCD problem with applications. In Proceedings of the 1997 International Symposium on Symbolic
and Algebraic Computation (Kihei, HI), pages 109–116 (electronic), New
York, 1997. ACM.
[Sto10]
A. J. Stothers. On the Complexity of Matrix Multiplication. Ph.D. thesis,
University of Edinburgh, 2010.
260
BIBLIOGRAPHY
[Str69]
V. Strassen. Gaussian elimination is not optimal. Numerische Mathematik, 13:354–356, 1969.
[Sut07]
A. V. Sutherland. Order Computations in Generic Groups. Ph.D. thesis,
Massachusetts Institute of Technology, 2007.
[Sut11]
A. V. Sutherland. Structure computation and discrete logarithms in finite
abelian p-groups. Math. Comp., 80(273):477–500, 2011.
[Ter00]
D. C. Terr. A modification of Shanks’ baby-step giant-step algorithm.
Mathematics of Computation, 69(230):767–773, 2000.
[Tes98]
E. Teske. A space efficient algorithm for group structure computation.
Mathematics of Computation, 67(224):1637–1663, 1998.
[Tes99]
E. Teske. The Pohlig-Hellman method generalized for group structure
computation. Journal of Symbolic Computation, 27(6):521–534, 1999.
[Vil05]
M. B. Villarino. Mertens’ proof of Mertens’ theorem. http://arxiv.
org/abs/math/0504289, 2005.
[vRD13]
G. van Rossum and F. L. Drake, Jr. The Python Language Reference.
Release 2.7.3. 2013.
[vzGG03] J. von zur Gathen and J. Gerhard. Modern computer algebra. Cambridge
University Press, Cambridge, second edition, 2003.
[Wil12]
V. V. Williams. Multiplying matrices faster than Coppersmith-Winograd
[extended abstract]. In STOC’12—Proceedings of the 2012 ACM Symposium on Theory of Computing, pages 887–898. ACM, New York, 2012.
Listings
1.1
1.2
1.3
1.4
2.1
3.1
5.1
6.1
GCD of Integers . . . . . . . . . . . . . . . . . . . . .
Extended GCD of Integers . . . . . . . . . . . . . . . .
Optimized Extended GCD of Integers . . . . . . . . .
c-ary Exponentiation . . . . . . . . . . . . . . . . . . .
A Fixed-Dimension Vector Class . . . . . . . . . . . .
Karatsuba’s Multiplication for Polynomials (deg < 2m )
Simultaneous Reduction using Huffman Trees . . . . .
Smith Normal Form Computation . . . . . . . . . . .
261
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 15
. 16
. 16
. 33
. 68
. 74
. 163
. 236
262
LISTINGS
Algorithms
1.1
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
3.15
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
5.1
Normalized Euclidean Algorithm . . . . . . . . . . . . . . . .
Hybrid Karatsuba Multiplication . . . . . . . . . . . . . . . .
Binary Exponentiation for Polynomials, First Version . . . .
Binary Exponentiation for Polynomials . . . . . . . . . . . . .
Fast Inversion of Polynomial Modulo X n . . . . . . . . . . . .
Fast Long Division for Polynomials . . . . . . . . . . . . . . .
Computing the Generalized Taylor Expansion . . . . . . . . .
Reversing the Generalized Taylor Expansion . . . . . . . . . .
Horner’s Method for Evaluating a Polynomial . . . . . . . . .
Newton’s Method . . . . . . . . . . . . . . . . . . . . . . . . .
Extracting m-th Roots of Natural Numbers, Special Version .
Extracting m-th Roots of Natural Numbers . . . . . . . . . .
Fast Extended Euclidean Algorithm – Main Part . . . . . . .
Fast Extended Euclidean Algorithm – Wrapper . . . . . . . .
The Fast Fourier Transformation . . . . . . . . . . . . . . . .
Schönhage-Strassen Multiplication for Polynomials . . . . . .
Binary search . . . . . . . . . . . . . . . . . . . . . . . . . . .
Inserting a new element into a heap . . . . . . . . . . . . . .
Percolate down (for heaps) . . . . . . . . . . . . . . . . . . .
Removing the smallest element of a heap . . . . . . . . . . . .
Building up a heap from a binary tree . . . . . . . . . . . . .
Huffman’s algorithm . . . . . . . . . . . . . . . . . . . . . . .
Q
Computing ni=1 fi . . . . . . . . . . . . . . . . . . . . . . . .
Heap sort . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Qmin{2h−k (i+1),n}
Compute all products aki = j=2h−k i+1
gj , 0 ≤ k ≤
5.2
5.3
5.4
5.5
5.6
dlog2 ne, 0 ≤ i < n/2h−k for Polynomials . . . . .
Compute f mod gi for 1 ≤ i ≤ n for Polynomials .
Simultaneous Inversion for CRT for Polynomials .
Linear Combination for CRT for Polynomials . . .
Fast Chinese Remaindering for Polynomials . . . .
Qmin{2h−k (i+1),n}
Compute all products aki = j=2h−k i+1
gj ,
l
m
l
m
dlog2 ne, 0 ≤ i < n/2h−k for Integers . . .
5.7 Compute f mod gi for 1 ≤ i ≤ n for Integers
5.8 Simultaneous Inversion for CRT for Integers
5.9 Linear Combination for CRT for Integers .
5.10 Fast Chinese Remaindering for Integers . .
6.1 Hybrid Strassen Multiplication . . . . . . .
6.2 Fast Inversion of Triangular Matrices . . . .
263
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
h
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
:=
28
76
80
81
84
86
90
94
97
97
98
99
106
109
114
117
122
133
135
135
137
149
151
155
.
.
.
.
.
0
. .
. .
. .
. .
. .
≤
. . .
. . .
. . .
. . .
. . .
k ≤
. .
. .
. .
. .
. .
h
. .
. .
. .
. .
. .
:=
160
161
170
171
173
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
174
175
175
176
176
180
191
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
264
ALGORITHMS
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
6.11
6.12
6.13
6.14
6.15
6.16
6.17
6.18
6.19
7.1
7.2
LUP Decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Computing the Inverse of a Matrix over a Field . . . . . . . . . . . . 195
Computing the Determinant of a Matrix over a Field . . . . . . . . . 196
Gaussian Elimination . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Sieve of Eratosthenes . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Find Large Enough Product . . . . . . . . . . . . . . . . . . . . . . . 202
Find Primes With Large Enough Product . . . . . . . . . . . . . . . 203
Compute Determinant of Integer Matrix . . . . . . . . . . . . . . . . 204
Solve a Special Linear System Ax = b Over Zn . . . . . . . . . . . . 207
Computing the Rank Profile for an Integer Matrix . . . . . . . . . . 213
Finding c such that gcd(a + bc, N ) = 1 . . . . . . . . . . . . . . . . . 214
Finding c such that gcd(a + bc, N ) = 1 . . . . . . . . . . . . . . . . . 216
P
Finding c1 , . . . , cn such that gcd(a+ ni=1 ci bi , N ) = gcd(a, b1 , . . . , bn , N )218
Conditioning Subroutine for Storjohann’s HNF Algorithm . . . . . . 220
Column Reduction Subroutine for Storjohann’s HNF Algorithm . . . 222
Hermite Normal Form, Main Part . . . . . . . . . . . . . . . . . . . 224
Hermite Normal Form . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Order Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Discrete Logarithm Computation . . . . . . . . . . . . . . . . . . . . 246
Index
A
additive tree (Information Theory), 142
adjacent (Graph Theory), 124
average weight (Information Theory), 143
AVL tree, 129
B
b-adic representation, 2
basic b-operation, 4
basic integer arithmetic, 4, 10
Ben-Or’s algorithm, 36
Bézout equation, 15, 27
big-O notation, 10
bilinear map, 182
bilinear rank, 182
binary CS-tree (Graph Theory), 128
binary exponentiation, 33
for polynomials, 82
binary search, 121
binary search CS-tree (Graph Theory),
128
binary tree (Graph Theory), 122, 124
balanced, 129
complete, 126
degenerated, 129
perfect, 126
with data, 126
blackbox group, 243
connected graph, 124
convolution, 112, 187
Coppersmith-Winograd matrix multiplication, 185
CPU integer, 3
Cramer’s rule, 166
D
degree
of a polynomial, 11
of a representation (Representation
Theory), 185
of a vertex, 123
dense representation
for matrices, 177
for polynomials, 11
determinants of matrices, 196
discrete Fourier transform, 112
Representation Theory, 186
Discrete Logarithm Problem, 243, 245
docstring, 39
E
edge (Graph Theory), 123
entropy (Information Theory), 141
Euclidean algorithm, 14, 15
extended table, 100
for integers, 24
fast, 110
for polynomials, 21, 28
fast, 109
normalized, 26, 28
Euclidean domain, 208
Euclidean ring, 13
Euclidean valuation, 14
exception, 55
extended Euclidean algorithm, 15
C
carry bit, 3
Category Theory, 184
character (Representation Theory), 188
Chebychev function, first, 198
child (Graph Theory), 123, 125
Chinese Remainder Theorem, 157, 168
for principal ideal domains, 168
circle (Graph Theory), 124
complete binary tree (Graph Theory), 126 F
computing determinants of integer matri- fast Chinese remaindering
for integers, 174
ces, 204
for polynomials, 173
connected component (Graph Theory), 124
265
266
fast Euclidean algorithm, 106, 109
for integers, 110
for polynomials, 109
fast Fourier fransformation, 114
fast long division
for integers, 87
for polynomials, 86
finite field
arithmetic, 32, 119
construction, 36, 120
forest (Graph Theory), 122, 124
Fourier inversion formula (Representation
Theory), 186
free R-module, 182
INDEX
Iwaniec’s theorem, 215
K
Karatsuba multiplication
for integers, 77
for polynomials, 75
hybrid, for polynomials, 77
Kraft’s inequality (Information Theory),
144
L
Lagrange interpolation polynomials, 157
Las Vegas algorithm, 36
leading coefficient, 11
leading unit, 26
leaf (Graph Theory), 123, 124
G
linear form, 182
Gaussian elimination, 197
little-O notation, 10
generic group, 243
Gibb’s inequality (Information Theory), LUP decomposition, 190, 192
143
M
grandchild (Graph Theory), 125
matrix multiplication, 177
graph, 123
classic, 177
connected, 124
Coppersmith-Winograd, 185
Graph Theory, 123
exponent, 178
group algebra (Representation Theory),
Strassen, 181
186
Meissel-Mertens constant, 200
G-submodule (Representation Theory), 185
Mertens’ second theorem, 200
minor, 209
H
module (Python), 41
Hadamard’s inequality, 204
monic, 26
heap, 132
Monte Carlo algorithm, 36
binary, 132
multiplication time, 78
condition, 132
multipoint evaluation, 162
sort, 151, 155
map, 157
height
multipoint interpolation, 173
naive, 29
mutable object, 47
of a node (Graph Theory), 123, 125
Hermite normal form, 208, 247
N
Huffman’s algorithm (Information The- Newton iteration, 83
ory), 149
Newton root approximation, 95
I
immutable object, 47
incident (Graph Theory), 123
Information Theory, 141
inverses of matrices, 196
irreducible representation (Representation
Theory), 185
isomorphic representation (Representation
Theory), 186
node (Graph Theory), 125
normalization, 26
O
order, 243
P
parent (Graph Theory), 123, 125
path (Graph Theory), 124
perfect binary tree (Graph Theory), 126
267
INDEX
pivot element, 196, 208
pivot index, 196, 208
Pollard’s %, 243
polynomial arithmetic, 12
polynomial evaluation, 97
polynomial representation, 11
prime counting function, 200
prime number theorem, 200
primorial, 199
priority queue, 132
probability distribution (Information Theory), 141
pseudorandom number, 60
generator, 60
R
radix conversion, 95
random number generator, 60
rank
bilinear, 182
of an R-module, 182
rank canonical form, 235
rank profile, 209
rational arithmetic, 29, 119
red-black tree, 129
representation (Representation Theory),
185
irreducible, 185
isomorphic, 186
Representation Theory, 185
residue class ring arithmetic
for integers, 31, 119
for polynomials over fields, 32, 119
resultant, 162
root (Graph Theory), 122, 124
rooted binary forest (Graph Theory), 124
rooted binary tree (Graph Theory), 124
row echelon form, 196
reduced, 196
Russian peasant multiplication, 34
S
Schönhage-Strassen algorithm
for integers, 119
for polynomials, 117, 119
selection sort, 151, 154
sequence object, 47
sieve of Eratosthenes, 200, 201
simple tree, 130
simultaneous reduction modulo different
integers, 174
monic polynomials, 160
of an b-adic representation, 2
slicing of sequences, 48
Smith normal form, 235
softly linear, 119
soft-O notation, 119
solving linear systems
over Z, 206, 234
source coding theorem (Information Theory), 141, 145
sparse representation
for matrices, 177
for polynomials, 11
stable sorting algorithm, 152
Strassen matrix multiplication, 179
hybrid, 181
subgraph, 124
induced, 124
subtree (Graph Theory), 123, 125
T
Taylor expansion, 88
generalized, 89
truncated, 83
tensor product, 183
universal property, 184
Timsort, 151
tree (Graph Theory), 124
binary, 124
triple product property, 187
two’s complement, 3
U
uniquely decodable (Information Theory),
141, 143
V
valuation
Euclidean, 14
vertex (Graph Theory), 123
W
way (Graph Theory), 124
weight (Information Theory), 142

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz