Designs, Codes and Cryptography

, Volume 63, Issue 1, pp 1–13 | Cite as

A low-memory algorithm for finding short product representations in finite groups

  • Gaetan Bisson
  • Andrew V. Sutherland
Open Access


We describe a space-efficient algorithm for solving a generalization of the subset sum problem in a finite group G, using a Pollard-ρ approach. Given an element z and a sequence of elements S, our algorithm attempts to find a subsequence of S whose product in G is equal to z. For a random sequence S of length d log2 n, where n = #G and d ≥ 2 is a constant, we find that its expected running time is \({O(\sqrt{n}\,{\rm log}\,n)}\) group operations (we give a rigorous proof for d > 4), and it only needs to store O(1) group elements. We consider applications to class groups of imaginary quadratic fields, and to finding isogenies between elliptic curves over a finite field.


Short product Generic group algorithm Pollard-rho Isogeny search 

Mathematics Subject Classification (2000)

20D60 11R29 



The authors are indebted to Andrew Shallue for his kind help and advice in putting our result in the context of subset sum problems, and to Steven Galbraith for his useful feedback on an early draft of this paper.

Open Access

This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.


  1. 1.
    Alon N., Milman V.D.: λ1, isoperimetric inequalities for graphs, and superconcentrators. J. Comb. Theory B 38, 73–88 (1985)MathSciNetzbMATHCrossRefGoogle Scholar
  2. 2.
    Alon N., Barak A., Manber U.: On disseminating information reliably without broadcasting. In: Popescu-Zeletin R., Le Lann G., Kim K.H. (eds.) Proceedings of the 7th International Conference on Distributed Computing Systems, pp. 74–81. IEEE Computer Society Press, Los Alamitos (1987).Google Scholar
  3. 3.
    Babai L., Erdős P.: Representation of group elements as short products. North-Holland Math. Stud. 60, 27–30 (1982)CrossRefGoogle Scholar
  4. 4.
    Bach E.: Explicit bounds for primality testing and related problems. Math. Comput. 55(191), 355–380 (1990)MathSciNetzbMATHCrossRefGoogle Scholar
  5. 5.
    Bisson G.: Computing endomorphism rings of elliptic curves under the GRH (2010, in preparation).Google Scholar
  6. 6.
    Bisson G., Sutherland A.V.: Computing the endomorphism ring of an ordinary elliptic curve over a finite field. J. Number Theory (special issue on Elliptic Curve Cryptography) (2009, to appear).Google Scholar
  7. 7.
    Brent R.P.: An improved Monte Carlo factorization algorithm. BIT Numer. Math. 20, 176–184 (1980)MathSciNetzbMATHCrossRefGoogle Scholar
  8. 8.
    Childs A.M., Jao D., Soukharev V.: Constructing elliptic curve isogenies in quantum subexponential time. (2010).
  9. 9.
    Eggleton R.B., Erdős P.: Two combinatorial problems in group theory. Acta Arithmetica 28, 247–254 (1975)Google Scholar
  10. 10.
    Erdős P., Rényi A.: Probabilistic methods in group theory. Journal d’Analyse Mathématique 14(1), 127–138 (1965)CrossRefGoogle Scholar
  11. 11.
    Galbraith S.D.: Constructing isogenies between elliptic curves over finite fields. J. Comput. Math. 2, 118–138 (1999)MathSciNetzbMATHGoogle Scholar
  12. 12.
    Galbraith S.D., Hess F., Smart N.P.: Extending the GHS Weil descent attack. In: Knudsen L.R. (eds.) Advances in Cryptology–EUROCRYPT ’02. Lecture Notes in Computer Science, vol. 2332, pp. 29–44. Springer, Heidelberg (2002).Google Scholar
  13. 13.
    Hafner J.L., McCurley K.S.: A rigorous subexponential algorithm for computing in class groups. J. Am. Math. Soc. 2(4), 837–850 (1989)MathSciNetzbMATHCrossRefGoogle Scholar
  14. 14.
    Howgrave-Graham N., Joux A.: New generic algorithms for hard knapsacks. In: Gilbert H. (eds.) Advances in Cryptology—EUROCRYPT ’10. Lecture Notes in Computer Science, vol. 6110, pp. 235–256. Springer, Heidelberg (2010).Google Scholar
  15. 15.
    Impagliazzo R., Naor M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptol. 9(4), 199–216 (1996)MathSciNetzbMATHCrossRefGoogle Scholar
  16. 16.
    Jao D., Miller S.D., Venkatesan R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  17. 17.
    Karp R.M.: Reducibility among combinatorial problems. In: Miller, R.E., Thatcher, J.W., Bohlinger, J.D. (eds) Complexity of Computer Computations, pp. 85–103. Plenum Press, New York (1972)Google Scholar
  18. 18.
    Knuth D.E.: The Art of Computer Programming. Seminumerical Algorithms, Vol. II. Addison-Wesley, Boston (1998)Google Scholar
  19. 19.
    Knuth D.E.: The Art of Computer Programming. Fascicle 2: Generating all Tuples and Permutations, Vol. IV. Addison-Wesley, Boston (2005)Google Scholar
  20. 20.
    Merkle R., Hellman M.: Hiding information and signatures in trapdoor knapsacks. IEEE Trans. Inform. Theory 24(5), 525–530 (1978)CrossRefGoogle Scholar
  21. 21.
    Pollard J.M.: A Monte Carlo method for factorization. BIT Numer. Math. 15(3), 331–334 (1975)MathSciNetzbMATHCrossRefGoogle Scholar
  22. 22.
    Schönhage A.: Fast reduction and composition of binary quadratic forms. In: Watt, S.M. (eds.) International Symposium on Symbolic and Algebraic Computation–ISSAC ’91, pp. 128–133. ACM Press, New York (1991)CrossRefGoogle Scholar
  23. 23.
    Schoof R.: Counting points on elliptic curves over finite fields. Journal de Théorie des Nombres de Bordeaux 7, 219–254 (1995)MathSciNetzbMATHCrossRefGoogle Scholar
  24. 24.
    Schroeppel R., Shamir A.: A T = O(2n/2), S = O(2n/4) algorithm for certain NP-complete problems. SIAM J. Comput. 10(3), 456–464 (1981)MathSciNetzbMATHCrossRefGoogle Scholar
  25. 25.
    Sedgewick R., Szymanski T.G.: The complexity of finding periods. In: Proceedings of the 11th ACM Symposium on the Theory of Computing. pp. 74–80. ACM Press, New York (1979).Google Scholar
  26. 26.
    Shoup V.: Lower bounds for discrete logarithms and related problems. In: Advances in Cryptology–EUROCRYPT ’97. Lecture Notes in Computer Science, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). Revised version.Google Scholar
  27. 27.
    Siegel C.L.: Über die Classenzahl quadratischer Zahlkörper. Acta Arithmetica 1, 83–86 (1935)zbMATHGoogle Scholar
  28. 28.
    Sobol I.M.: On periods of pseudo-random sequences. Theory Prob. Appl. 9, 333–338 (1964)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Sutherland A.V.: Genus 1 point counting in quadratic space and essentially quartic time (in preparation).Google Scholar
  30. 30.
    Sutherland A.V.: Order Computations in Generic Groups. PhD thesis, MIT, Cambridge (2007)
  31. 31.
    Teske E.: A space efficient algorithm for group structure computation. Math. Comput. 67, 1637–1663 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  32. 32.
    van Oorschot P.C., Wiener M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12, 1–28 (1999)zbMATHCrossRefGoogle Scholar
  33. 33.
    White E.: Ordered sums of group elements. J. Combin. Theory A 24, 118–121 (1978)zbMATHCrossRefGoogle Scholar

Copyright information

© The Author(s) 2011

Authors and Affiliations

  1. 1.LORIAVandœuvre-lès-NancyFrance
  2. 2.Eindhoven University of TechnologyEindhovenThe Netherlands
  3. 3.Massachusetts Institute of TechnologyCambridgeUSA

Personalised recommendations