Tame logarithmic signatures of abelian groups

Lemma 2.1.

Let A⊆G, S⋄:={g1,g2,…,gs} (the set of all periods of A) and S:={0}∪S⋄. Then S≤G, and A is a union of cosets of S, i.e., there exists B⊆G such that A=B+S and |A|=|B|⋅|S|.

Proof.

We have S≠∅, because 0∈S. Let g,h∈S. Then g+h∈S, because A+(g+h)=(A+g)+h=A+h=A (i.e., g+h is a period of A and thus in S). Also, -g∈S, because by adding -g on both sides of the equation A=A+g, we get A-g=A. So, S≤G.

The group G is the disjoint union of all cosets of S (the cosets form a partition of G). Pick an arbitrary a∈A. For every s∈S, we have a+s∈A (because s is a period of A), i.e., a+S⊆A. So, given a coset t+S of S (with t∈G), t+S is either contained completely in A or it is disjoint to A; A is a (disjoint) union of cosets of S. In order to construct B, pick one representative from each coset of S contained in A. ∎

Theorem 3.1.

Let G,H be groups, let φ:G→H be a surjective group homomorphism, let k:=|ker(φ)|, and let α=(A1,…,As) be an l-factorization of G. Then φ⁢(α) is a (k⋅l)-factorization of H (i.e., every element of H can be expressed in exactly k⋅l different ways with respect to the block sequence φ⁢(α)).

Proof.

As φ is a surjective group homomorphism, we have G/ker⁡(φ)≅H, by the isomorphism theorem. Thus, every h∈H has exactly k preimages under φ. Indeed, let h′ be any preimage of h under φ (i.e., φ⁢(h′)=h). Then the set of all preimages of h under φ is φ-1⁢(h)={z+h′∣z∈ker⁡(φ)}.

Let (i1,…,is) be a factorization index vector of an element g∈G, i.e., g=A1⁢[i1]+⋯+As⁢[is]. Then φ⁢(A1⁢[i1])+⋯+φ⁢(As⁢[is]) is a factorization of φ⁢(g) in φ⁢(α), because we have φ⁢(A1⁢[i1])+⋯+φ⁢(As⁢[is])=φ⁢(A1⁢[i1]+⋯+As⁢[is])=φ⁢(g). As α is an l-factorization of G, all of the k elements in φ-1⁢(h) have l different factorizations in α; these correspond to the k⋅l different factorizations of h with respect to φ⁢(α). So, φ⁢(α) is a (k⋅l)-factorization of H. ∎

Theorem 3.2.

Let G,H be groups, let φ:G→H be a surjective group homomorphism, let k:=|ker(φ)|, and let α be an l-factorization of G. If k and l are polynomial in ℓ⁢(α) and if we can efficiently factor elements in the (k⋅l)-factorization φ⁢(α) of H, then we can efficiently factor elements with respect to α.

Proof.

Suppose that we want to factor a g∈G. Apply φ to the elements in the blocks of α to obtain φ⁢(α). Compute the k⋅l different factorizations of the element φ⁢(g) in φ⁢(α). Selecting the same indices in α, these k⋅l different factorizations generate the elements {z+g∣z∈ker⁡(φ)} (each element of this set is generated exactly l times). As 0∈ker⁡(φ), l of these k⋅l different factorizations generate g. ∎

Remark 3.3.

Applying Theorem 3.2 recursively does not directly result in an efficient factorization algorithm (even when the homomorphism kernels on each recursion level are of fixed size), because l grows exponentially.

Theorem 3.4.

Let G be a group and let α=(A1,…,As)∈Λ⁢(G) with at least one block Ai being a normal subgroup in G. Define α′ by removing the block Ai from α and replacing all elements g by g+Ai in the remaining blocks. Then α′∈Λ⁢(G/Ai). If factorizations in α′ can be computed efficiently, then factorizations in α can be computed efficiently, too.

Proof.

Write N:=Ai and let φ:G→G/N, g↦g+N, be the canonical group homomorphism (projection) of G onto G/N. By Theorem 3.1, the block sequence φ⁢(α) is an |N|-factorization of G/N (i.e., every element in G/N is expressible by exactly |N| different factorizations). α′ is the block sequence obtained from φ⁢(α) by removing the ith block. Observe that E⁢(φ⁢(Ai))={0} (as all elements are in N). So α′ is a logarithmic signature for G/N.

In order to factor an element x∈G, first factor x+N in α′ (by hypothesis we can factorize in α′ efficiently). Select the corresponding elements in α (the elements at the same positions as in α′ except Ai). Now compute the sum (in G) of the elements selected in the blocks A1,…,Ai-1 and call it yl. Analogously, compute the sum (in G) of the elements selected in the blocks Ai+1,…,As and call it yr. There is exactly one element a∈Ai such that yl+a+yr=x, which completes the factorization of x that we were looking for. ∎

Remark 3.5.

All results in Section 3 hold for non-abelian groups, too.

Algorithm 4.1.

The following algorithm tests whether x+N=y+N holds.

We expect the blocks A1,…,Ar to be given as a block sequence α:=(A1,…,Ar), and x and y given as elements of G. The set N (containing |A1|⋅|A2|⁢⋯⁢|Ar| elements) is not part of the input; it is only used for notation.

The algorithm consists of two procedures. The first procedure computes a list ℭ of m group elements. Using ℭ, the second procedure tests whether x+N=y+N holds.

Computing ℭ is independent of x and y, i.e., when multiple elements are being tested, computing ℭ once is sufficient.

ℭ is computed by the following procedure:

1. Let α′=(A1′,…,Ar′)←α.

2. Let ℭ←((0,…,0),…,(0,…,0))∈Gm.

3. For c←1 to m:

   1. For i←1 to r:

      1. Let S←{(g1,…,gm)∈Ai′∣g1=⋯=gc-1=0⁢ and ⁢gc≠0}.

      2. If S=∅, continue.

      3. Let s=(s1,…,sm)∈S be an element with sc minimal (among the elements in S).

      4. Set ℭ⁢[c]←s.

      5. For all elements h=(h1,…,hm) in the blocks Ai+1′,…,Ar′:

         1. Replace h by h-⌊hcsc⌋⋅s.

Testing whether x+N=y+N holds is now possible using the following reduction procedure:

1. Let t=(t1,…,tm)←x-y.

2. For c←1 to m:

   1. If tc=0, continue.

   2. Let s=(s1,…,sm)←ℭ⁢[c].

   3. If s=(0,…,0), return “x+N≠y+N”.

   4. Set t←t-⌊tcsc⌋⋅s.

   5. If tc≠0, return “x+N≠y+N”.

3. return “x+N=y+N”.

Proof.

First of all, we have

Let d:=x-y. In this proof, let us call (g1,…,gm)∈G a c-element if g1=⋯=gc-1=0 and gc≠0, and define (0,…,0) to be an (m+1)-element.

We now prove in detail why the two procedures work.

For all 1≤i≤r, the block sequences (A1,…,Ai) and (A1′,…,Ai′) generate exactly the same elements at any time while the ℭ computation procedure is running (including the end).

In order to see why this is true, observe that the innermost replacement operation does not change the set of generated elements, because s is an element of the subgroup A1′+⋯+Ai′ (and thus -⌊hcsc⌋⋅s also is an element of this subgroup), and A1′+⋯+Ai′≤A1′+⋯+Aq′ when h is an element in the block Aq′ (note that q≥i+1).

In other words, replacing h by h-⌊hcsc⌋⋅s is a selective shift using -⌊hcsc⌋⋅s from the subgroup A1′+⋯+Ai′ onto h in Aq′ (with q≥i+1), and selective shifts never change the set of generated elements.

The ℭ computation procedure replaces h by h-⌊hcsc⌋⋅s. After this step, we clearly have hc<sc (from the original hc, the -⌊hcsc⌋⋅s operation subtracts as many sc from hc as possible, thus for the new hc, we get 0≤hc<sc).

ℭ has the following properties (after its computation procedure has finished):

1. 〈ℭ〉=N.

2. For all 1≤c≤m, the cth element of ℭ is a c-element.

Let γc:G→ℤpckc, (g1,…,gm)↦gc, be the projection of the cth component. Furthermore, let

with A1′,…,Ar′ being the blocks when entering the ith iteration within the cth outer iteration of the ℭ computation procedure. The following statements hold for all 1≤c≤m, 1≤i≤r:

1. γc⁢(S⁢(c,1))≤γc⁢(S⁢(c,1)+S⁢(c,2))≤⋯≤γc⁢(S⁢(c,1)+⋯+S⁢(c,r))≤ℤpckc.

2. γc⁢(a)>γc⁢(b) for all a∈(S⁢(c,1)+⋯+S⁢(c,i-1))∖{(0,…,0)}, b∈S⁢(c,i)+⋯+S⁢(c,r).

We prove these properties by induction over c. Let the claims be true for the first c-1 components, and let A1′,…,Ar′ be the blocks when entering the cth outer iteration.

Let i be the first index that the procedure finds, for which S≠∅ (i.e., S⁢(c,j)={(0,…,0)} for all 1≤j<i and |S⁢(c,i)|≥2). Let s=(s1,…,sm)∈S be an element with sc minimal, and os:=ord⁡(γc⁢(s)∈ℤpckc). As A1′+⋯+Ai′≤G, all multiples of s (in G) must be contained in A1′+⋯+Ai′.

Let a1∈A1′ be a c1-element, …, ai-1∈Ai-1′ be a ci-1 element, and let c~:=min⁡{c1,…,ci-1}. If c~<c, then from the claims being true for all components less than c, we obtain that a1+⋯+ai-1 is a c~-element. Together with the fact that A1′,…,Ai-1′ do not contain any c-elements (Ai′ is the first block containing c-elements), the subgroup A1′+⋯+Ai-1′ does not contain any c-elements. Keeping in mind that the components less than c of the elements in Ai′ have already been reduced as much as possible, we can conclude that for every 0≤j<os, there must exist a∈S with γc⁢(a)=j⋅γc⁢(s). This establishes γc⁢(S⁢(c,1))≤γc⁢(S⁢(c,1)+S⁢(c,2))≤⋯≤γc⁢(S⁢(c,i))≤ℤpckc.

The full chain γc⁢(S⁢(c,1))≤γc⁢(S⁢(c,1)+S⁢(c,2))≤⋯≤γc⁢(S⁢(c,1)+⋯+S⁢(c,r))≤ℤpckc can be established by iteratively moving into factor groups (imaginarily, only for the proof). First move into the factor group G/〈s〉. By this, the c-elements in Ai′ become z-elements with z>c. Due to the previous reductions, a factor group element in the blocks Ai+1′,…,Ar′ now is a c-element if and only if it is a c-element in G. The argumentation above can now be applied in G/〈s〉 (the first block that contains c-elements will have an index greater than i). Continuing this iteratively until the end of the block sequence, the full chain is established.

The inner loop of the ℭ computation procedure ensures that the c-component of every element in Ai+1′,…,Ar′ is smaller than γc⁢(s), and this holds iteratively for all blocks containing c-elements. Indeed, by the above subgroup chain for ℤpckc, we have γc⁢(a)>γc⁢(b) for all a∈(S⁢(c,1)+⋯+S⁢(c,i-1))∖{(0,…,0)} and b∈S⁢(c,i)+⋯+S⁢(c,r).

The reduction procedure tries to reduce d to (0,…,0). If this is possible, d∈N (i.e., x+N=y+N), otherwise d∉N (i.e., x+N≠y+N).

A reduction is a selective shift of a multiple of an element in ℭ onto the current t (which is the element that we want to reduce; it was initially set to d). Each element in ℭ originates from a block Ai′ and thus is an element of the subgroup N (and all multiples are also elements of N).

These reductions are performed iteratively for each component. In the first iteration, the procedure tries to reduce the first component of t. In the second iteration, the second component is reduced, and so on. This process has the property that once the first c components have been reduced, the reduction of the components c+1,c+2,… does not have any effect on the first c components, because in the c′th iteration only a c′-element is used for reduction.

Recall that each element in ℭ originates from a block Ai′. In the reduction procedure it can happen that t is reduced multiple times by elements originating from a common block. For example, in the jth iteration, the jth component of t could be reduced using a j-element u in a block Ai′, and later the kth component (k>j) of t could be reduced using a k-element v in the same block Ai′. This is not a problem, because (t-u)-v=t-(u+v), and u+v∈A1+⋯+Ai, as A1+⋯+Ai is a subgroup of G. Note that we never need to actually compute the factorization of u+v in A1+⋯+Ai. It is just important to understand that two such reductions are always equivalent to subtracting one element from A1+⋯+Ai.

By applying this argument iteratively to all performed reductions, we see that these reductions are equivalent to subtracting one element w∈N from d. Then, in the end, t=(0,…,0) if and only if there exists w∈N such that d-w=(0,…,0) or, equivalently, d∈N. ∎

Proposition 4.2.

Let G be an abelian group (represented as G=Zp1k1⊕Zp2k2⊕⋯⊕Zpmkm, with pi∈P and ki∈N for 1≤i≤m) and let N:=A1+A2+⋯+Ar, with A1≤G, A1+A2≤G, A1+A2+A3≤G, …, N≤G. Let also α:=(A1,…,Ar). Then Algorithm 4.1 performs O⁢(m⋅r⋅ℓ⁢(α)) group operations (and obviously we have O(m⋅r⋅ℓ(α))⊆O(log2|G|⋅ℓ(α)2)).

Proof.

We determine the run-times of the two procedures. ℭ computation. Initializing α′ involves copying ℓ⁢(α) group elements. Initializing ℭ requires copying the identity element m times. The outer loop runs exactly m times, and the loop within it runs exactly r times. It is not necessary to actually build the set S. Trying to locate a c-element s=(s1,…,sm) with sc minimal is sufficient. So we need to inspect |Ai′| group elements; observe that |S|≤|Ai′|=|Ai|. We consider copying s to ℭ⁢[c] to take 1 group operation. The next loop iterates over all elements in the blocks right of Ai′.

In total, we need

group operations. Reduction. We need

group operations.

Thus, for the ℭ computation and the reduction together, we need

group operations. ∎

Lemma 4.3.

Let G be an abelian group (represented as G=Zp1k1⊕Zp2k2⊕⋯⊕Zpmkm, with pi∈P and ki∈N for 1≤i≤m) and let N:=A1+A2+⋯+Ar, with A1≤G, A1+A2≤G, A1+A2+A3≤G, …, N≤G. Let also α:=(A1,…,Ar) and S⊆G/N, with (0,…,0)∈S (each element of S shall be given by a representative in G). Then finding the periods of S (representatives in G for elements in G/N) is possible using O⁢(|S|3⋅m⋅r⋅ℓ⁢(α)) group operations.

The algorithm for computing the periods takes α and S as input. The set N (containing |A1|⋅|A2|⁢⋯⁢|Ar| elements) is not part of the input; it is only used for notation.

Proof.

A g∈G/N∖{(0,…,0)} is a period of S if S+g=S. As (0,…,0)∈S, the only candidates for g are the elements in S.

So, for each candidate g∈S∖{(0,…,0)}, we build the set S+g and test whether S+g=S, which can be done using at most |S|2 element equality tests using Algorithm 4.1 (for each element in S+g check whether it is also in S).

In total, we need

group operations. ∎

Algorithm 4.4.

The following recursive algorithm tries to find the factorization of h with respect to β, when calling FactorizeAb(β,h,((0,…,0))). It succeeds (efficiently) if and only if it finds a periodic block on each recursion level. In Section 5 we describe a class of logarithmic signatures where this is the case.

Function FactorizeAb(LogSig α, GroupElement g, BlockSequence N) : List<UInt>

1. If |α|=1, then find g+N in α⁢[1] (in G/N) and return its index (one item in a list).

2. If α does not contain any block that is periodic in G/N, then fail with error. Otherwise, let j be the index of the periodic block, and let α⁢[j]=B+S, with B⊆G, S≤G and |α⁢[j]|=|B|⋅|S| (see Lemma 2.1).

3. If |S|=|α⁢[j]| (i.e., S≤G/N), then:

   1. Let α′←α without the jth block. Let N′←N with block α⁢[j] appended.

   2. Let v← FactorizeAb(α′, g, N′).

   3. Insert 0 at index j in v.

   4. Let t←α⁢[1]⁢[v⁢[1]]+⋯+α⁢[j-1]⁢[v⁢[j-1]]+α⁢[j+1]⁢[v⁢[j+1]]+⋯+α⁢[|α|]⁢[v⁢[|α|]].

   5. For i←1 to |α⁢[j]|:

      1. If t+α⁢[j]⁢[i]+N=g+N, then set v⁢[j]←i and return v.

4. Let α′ be the logarithmic signature obtained by replacing the block α⁢[j] by the two blocks B and S.

5. return FactorizeAb(α′, g, N).

Proof.

The algorithm realizes the idea of Theorem 3.4.

The set N is fulfilling the requirements for Algorithm 4.1 and Lemma 4.3. Indeed, initially, we have N={(0,…,0)} (which is a subgroup of G) and on every recursion level a block α⁢[j] is appended, where α⁢[j] is a subgroup in G/N. That is, every new N′ is also a subgroup of G and while descending in the recursion, we get sequences of subgroups as required by Algorithm 4.1 and Lemma 4.3. ∎

Proposition 4.5.

Let G be an abelian group (represented as G=Zp1k1⊕Zp2k2⊕⋯⊕Zpmkm, with pi∈P and ki∈N for 1≤i≤m) and let β=(B1,B2,…,Bn)∈Λ⁢(G) canonical. Let also q:=max⁡{|Bi|∣1≤i≤n}. Then Algorithm 4.4 requires O(log2|G|⋅q3⋅m⋅n2⋅ℓ(β)) group operations.

Proof.

We count the required group operations.

Searching for g+N in a block (if α consists of one block only) requires at most q equality tests using Algorithm 4.1, i.e., q⋅O⁢(m⋅n⋅ℓ⁢(β)) group operations.

For finding a periodic block (and computing the periods), we use Lemma 4.3 for each block, and thus need at most |α|⋅O(q3⋅m⋅n⋅ℓ(β)) group operations.

Computing t and completing the factorization requires at most

group operations.

We have computed S already (during the search of a periodic block). The block B can be constructed as follows. Let A←α⁢[j] and B←∅. Pick an arbitrary a in A, put a into B and remove the set a+S from A, and repeat this until A=∅. This procedure requires at most

group operations.

Splitting a periodic block can happen at most ∑i=1mki-1<log2|G| times. Each time a periodic block is splitted, another recursion level is entered (for a logarithmic signature having at most n+1 blocks), where at most n+1 periodicity tests are performed (requiring at most (n+1)⋅O⁢(q3⋅m⋅n⋅ℓ⁢(β)) group operations) until finding the subgroup block from the splitting.

In total, we need