Efficient quantum algorithms for some instances of the semidirect discrete logarithm problem

The semidirect discrete logarithm problem (SDLP) is the following analogue of the standard discrete logarithm problem in the semidirect product semigroup $G\rtimes \mathrm{End}(G)$ for a finite semigroup $G$. Given $g\in G, \sigma\in \mathrm{End}(G)$, and $h=\prod_{i=0}^{t-1}\sigma^i(g)$ for some integer $t$, the SDLP$(G,\sigma)$, for $g$ and $h$, asks to determine $t$. As Shor's algorithm crucially depends on commutativity, it is believed not to be applicable to the SDLP. Previously, the best known algorithm for the SDLP was based on Kuperberg's subexponential time quantum algorithm. Still, the problem plays a central role in the security of certain proposed cryptosystems in the family of \textit{semidirect product key exchange}. This includes a recently proposed signature protocol called SPDH-Sign. In this paper, we show that the SDLP is even easier in some important special cases. Specifically, for a finite group $G$, we describe quantum algorithms for the SDLP in $G\rtimes \mathrm{Aut}(G)$ for the following two classes of instances: the first one is when $G$ is solvable and the second is when $G$ is a matrix group and a power of $\sigma$ with a polynomially small exponent is an inner automorphism of $G$. We further extend the results to groups composed of factors from these classes. A consequence is that SPDH-Sign and similar cryptosystems whose security assumption is based on the presumed hardness of the SDLP in the cases described above are insecure against quantum attacks. The quantum ingredients we rely on are not new: these are Shor's factoring and discrete logarithm algorithms and well-known generalizations.


Introduction
The presumed difficulty of the discrete logarithm problem (DLP) in certain groups is essential for the security of the Diffie-Hellman key exchange, which is the basis for a number of communication protocols deployed today. However, since the invention of Shor's algorithm [Sho94], the problem of computing discrete logarithms can be solved efficiently in the domain of quantum computing.
Considerable effort has gone into constructing alternative versions of the discrete logarithm problem that allow for a Diffie-Hellman key exchange without being vulnerable to Shor's algorithm. Since that algorithm takes advantage of the group structure underlying the problem, a DLP analogue in the framework of commutative group actions has been proposed. It is an instance of constructive membership testing in orbits of commutative permutation groups (on large finite sets), called the vectorization problem. The framework originally appears in [Cou06] and has become a central problem of isogeny-based cryptography, for example in CSIDH [CLM+18]. Another natural approach to escaping the quantum attack is a DLP analogue in non-commutative groups. It is natural in the sense that Shor's algorithm crucially depends on the commutativity of the underlying groups. In this direction, an analogue of the DLP in semidirect product groups has been proposed. The proposal first appears in its full generality in [HKKS13]. Specifically, let $G$ be a finite semigroup and $\mathrm{End}(G)$ be the monoid of endomorphisms of $G$. Then we have the semidirect product $G \rtimes \mathrm{End}(G)$ where the multiplication is defined by $(g, \sigma)(h, \phi) = (g\sigma(h), \sigma\phi)$. Moreover, we have the formula for exponentiation $(g, \sigma)^t = \left(\prod_{i=0}^{t-1} \sigma^i(g), \sigma^t\right)$, where $\prod_{i=k}^{\ell} a_i$ stands for the product $a_k \cdots a_\ell$ in $G$. This leads to an analogue of the standard discrete logarithm problem in the semidirect product semigroup defined as follows. Given $g \in G$, $\sigma \in \mathrm{End}(G)$, and $h = \prod_{i=0}^{t-1} \sigma^i(g)$ for some integer $t$, determine $t$.
The SDLP is interesting as it allows us to perform a Diffie-Hellman key exchange procedure, known as semidirect product key exchange (SPDKE). Suppose two parties, Alice and Bob, agree on a public group $G$, an element $g \in G$, and an endomorphism $\sigma \in \mathrm{End}(G)$. Then they can arrive at the same element of $G$ as follows.
4. Bob computes its shared key $K_B = B\sigma^y(A)$.
Note that $K_A = K_B$, as the following calculation shows.
The key recovery problem of SPDKE is the problem of computing the shared key $K_A = K_B$ from the public information $g, A, B \in G$ and $\sigma \in \mathrm{End}(G)$. Clearly, as with the standard DLP and the corresponding Diffie-Hellman key exchange, the key recovery problem of SPDKE and the difficulty of the SDLP are closely related. In particular, if one can solve an instance of the SDLP, then one is also able to break the corresponding SPDKE.
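The exponentiation formula and the key agreement, as an added Python example that is not code from the paper. The platform (permutations of five points, with $\sigma$ as conjugation by a fixed permutation), the exponents, Alice's key $A\sigma^x(B)$ as the counterpart of step 4, and the brute-force `solve_sdlp` are assumptions chosen for illustration.

```python
# Added example (not from the paper): SPDKE on a toy platform.
# Assumptions: G = permutations of 5 points, sigma = conjugation by C.
IDENT = tuple(range(5))
G_ELEM = (1, 2, 0, 4, 3)   # public element g (constructed)
C = (1, 2, 3, 4, 0)        # sigma(x) = C x C^-1 (constructed)

def compose(p, q):
    """Group law: (p*q)(i) = p[q[i]]."""
    return tuple(p[i] for i in q)

def inverse(p):
    r = [0] * len(p)
    for i, v in enumerate(p):
        r[v] = i
    return tuple(r)

def act(s, h):
    """Apply the automorphism 'conjugation by s' to h."""
    return compose(s, compose(h, inverse(s)))

def sd_mul(a, b):
    """(g, s)(h, u) = (g * s(h), s*u) in the semidirect product."""
    (g, s), (h, u) = a, b
    return (compose(g, act(s, h)), compose(s, u))

def sd_pow(a, t):
    """Square-and-multiply; the first component is prod_{i<t} sigma^i(g)."""
    result = (IDENT, IDENT)
    while t:
        if t & 1:
            result = sd_mul(result, a)
        a = sd_mul(a, a)
        t >>= 1
    return result

def rho_pow(t):
    """rho_{(g,1)}^t(1_G) computed one step at a time: w -> g * sigma(w)."""
    w = IDENT
    for _ in range(t):
        w = compose(G_ELEM, act(C, w))
    return w

def key_exchange(x, y):
    """Return (A, B, Alice's key, Bob's key) for private exponents x and y."""
    A, sx = sd_pow((G_ELEM, C), x)
    B, sy = sd_pow((G_ELEM, C), y)
    k_alice = compose(A, act(sx, B))   # A * sigma^x(B), assumed counterpart of step 4
    k_bob = compose(B, act(sy, A))     # B * sigma^y(A), step 4
    return A, B, k_alice, k_bob

def solve_sdlp(h, bound=10_000):
    """Smallest t with rho^t(1_G) == h by exhaustive search (toy sizes only)."""
    w = IDENT
    for t in range(bound):
        if w == h:
            return t
        w = compose(G_ELEM, act(C, w))
    return None

def key_from_sdlp(A, B):
    """Any SDLP solution t for A yields the shared key A * sigma^t(B)."""
    t = solve_sdlp(A)
    _, st = sd_pow((G_ELEM, C), t)
    return compose(A, act(st, B))
```

The recovered exponent may differ from Alice's private one; it only has to land on the same orbit point, which is why the key still matches.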
In the description of the SDLP above, an instance of the SDLP in G⋊End(G) is only specified by an endomorphism σ, hence we can describe the SDLP in an alternative, more compact way.
First, we observe some properties of semidirect product semigroups that will be useful for our purpose. Let $G$ and $T$ be semigroups and let $\sigma : t \mapsto \sigma_t$ be a homomorphism from $T$ to the monoid of endomorphisms of $G$. Then the semidirect product $G \rtimes_\sigma T$ is the set $G \times T$ equipped with the multiplication $(g, t)(g', t') = (g\sigma_t(g'), tt')$. It is straightforward to check that $G \rtimes_\sigma T$ is a semigroup. Also, if both $G$ and $T$ are finite groups and $\sigma_1$ is the identity map of $G$, then $G \rtimes_\sigma T$ is also a group. There is a natural representation $\rho : (g, t) \mapsto \rho_{(g,t)}$ of $G \rtimes_\sigma T$ as a semigroup of transformations on $G$, given by $\rho_{(g,t)}(g') = g\sigma_t(g')$. This is indeed a representation, i.e., a homomorphism to the semigroup of transformations, because we have $(g, t)(g', t') = (\rho_{(g,t)}(g'), tt')$ and If $G \rtimes_\sigma T$ is a group as above then $\rho$ gives a permutation representation of the group $G \rtimes_\sigma T$. Note that if $G$ is a monoid and $\sigma$ is a monoid endomorphism of $G$ (that is, $\sigma(1_G) = 1_G$), then we have $(g, 1)^t = (\rho_{(g,1)}^t(1_G), t)$. This shows that, as already observed by Battarbee et al. in [BKPS22], the SDLP can be cast as a constructive membership problem in an orbit of a transformation semigroup. Using the above observation and notations we have the following definition for the semidirect discrete logarithm that will be used throughout this paper.
Definition 1. Let $\sigma$ be an endomorphism of the finite monoid $G$ with identity element $1_G$ and consider the semigroup $G \rtimes_\sigma \mathbb{Z}_{\ge 0}$ where $\sigma_t = \sigma^t$ for every $t \in \mathbb{Z}_{\ge 0}$. Then SDLP$(G, \sigma)$ is the following problem. Given elements $g$ and $h$ of $G$, determine the set of non-negative integers $t$ such that

The set to be determined is either the empty set, a singleton, or $\{x_0 + ax : x \in \mathbb{Z}_{\ge 0}\}$ for some integers $x_0 \ge 0$ and $a > 0$. Indeed, an orbit of a semigroup generated by a single transformation on a finite set consists of a tail of a certain length called the index, followed by a recurrent cycle, whose length is called the period. The index can be zero while the period is positive. Note that these parameters can be computed by a slight modification of Shor's period finding quantum algorithm, see [CI14]. In our case, the transformation semigroup is generated by $\rho_{(g,1)}$ and our objective is the orbit of it starting at $1_G$. The solution set is a singleton if $h$ is in the tail, while in the case when $h$ is in the cycle, it is $\{x_0 + ax : x \in \mathbb{Z}_{\ge 0}\}$, where $a$ is the period and $x_0$ is the position of $h$ in the cycle, shifted by the index.
We remark that the assumptions that $G$ is a monoid and that $\sigma$ is a monoid endomorphism of $G$ are rather technical, though they offer some notational conveniences. In the general semigroup case, one should solve the equation $h = \rho_{(g,1)}^{t-1}(g)$.
Battarbee et al. [BKPS22] present a subexponential quantum algorithm for the SDLP in a so-called easy family of semigroups $\{G_p\}_{p \in P}$ for some countable set $P$. A family of semigroups $\{G_p\}_{p \in P}$ is called easy if the size $|G_p|$ grows monotonically and polynomially in $p$, and the evaluation cost of $gh$ and $\sigma(g)$ is $O((\log p)^2)$ for any $p \in P$, $g, h \in G_p$, and $\sigma \in \mathrm{End}(G_p)$. Indeed, the critical problem is determining the position of $h$ in the cycle, which is actually an instance of the vectorization problem, and hence reduces to the abelian hidden shift problem for which Kuperberg's subexponential time algorithm [Kup05] is available. On the other hand, there exist several efficient algorithms that break the SPDKE protocols in some specific groups without solving the corresponding SDLP, instead exploiting the structure of the platform groups to directly solve the corresponding key recovery problem. See [BKS22] for a more detailed survey on the semidirect product key exchange. The most recent work in this direction is by Battarbee et al. [BKPS23]. They propose a post-quantum signature scheme, called SPDH-Sign, where the security depends on the presumed difficulty of the group case of the SDLP. Moreover, they propose non-abelian groups of order $p^3$ for some odd prime $p$ as candidate groups for SPDH-Sign.
In this paper, we work over black-box groups with not necessarily unique encoding of elements to obtain sufficiently general results. (Together with assuming the ability to evaluate powers of $\sigma$, this corresponds to the easy families of [BKPS22].) The concept of black-box groups was introduced by Babai and Szemerédi [BS84] for studying the structure of finite matrix groups. Elements of a black-box group $G$ are represented by binary strings of a certain length and the group itself is given by a list of generators. The group operations are given by oracles. Here we also assume an oracle for computing $\sigma^j(g)$ for $g \in G$ and $j \in \mathbb{Z}_{>0}$. In general, it is not required that every group element is represented by a unique code-word. Instead, there is also an oracle for testing whether two strings represent the same group element. Here we assume a stronger oracle, a labeling. It is a function $\lambda$ defined on the code-words for the group elements where $x$ and $y$ represent the same group element if and only if $\lambda(x) = \lambda(y)$. We use the term black-box group with unique labeling for that sort of black-box group. The labeling makes it possible to compute the structure of $G$ when $G$ is a solvable black-box group by the quantum algorithm of [IMS01, Theorem 7]. (In that paper the term secondary encoding is used for the labeling.) The notion includes black-box groups with unique encoding. We need the generalization in order to handle certain factor groups. To illustrate how this can occur, assume that initially we work with a matrix group $G$ and $\sigma$ is given as conjugation by a matrix (possibly outside $G$) and we have another, non-faithful matrix representation $\phi$ of $G$ whose kernel is $\sigma$-invariant. Suppose further that we need to solve the SDLP for $\phi(g)$ and $\phi(h)$ in $\mathrm{Im}(\phi)$ and the automorphism induced by $\sigma$. (Recall that this is the unique map $\sigma : \mathrm{Im}(\phi) \to \mathrm{Im}(\phi)$ satisfying $\psi(\sigma(x)) = \sigma(x)$. It is well-defined as the kernel of $\phi$ is required to be $\sigma$-invariant.) It turns out that we would have difficulties with evaluating powers of the induced automorphism if we used the natural unique encoding of the elements of $\mathrm{Im}(\phi)$ by matrices. (In general, this would require finding an element of the pre-image $\phi^{-1}(x)$ for $\mathrm{Im}(\phi)$.) We get around the issue by using the original matrices to encode the elements of $\mathrm{Im}(\phi)$ and to multiply them, while considering $\phi$ as a labeling (and possibly also as further help). This gives us a simple way to evaluate the induced automorphism.
The SDLP$(G, \sigma)$ is called the group-base case if $G$ is a group, and we call it the (full) group case when $G$ is a group and $\sigma$ is an automorphism of $G$. In this paper we focus on the group-base case. If, in addition, $\sigma$ is an automorphism of $G$ then one could replace the monoid $\mathbb{Z}_{\ge 0}$ with an appropriate finite cyclic group $\mathbb{Z}_m = \mathbb{Z}/m\mathbb{Z}$ where $m$ is a multiple of the order of $\sigma$ and work over the finite semidirect product group of $G$ and $\mathbb{Z}_m$. This justifies the terminology.
Contributions. In this paper, we provide an analysis of the SDLP in some interesting classes of groups. In particular, in section 2, we first give a reduction from the group-base case to the group case of the SDLP. Moreover, using essentially the same idea, we show that there exists a recursion from the SDLP in a group into its quotient groups and subgroups. In section 3, we then propose efficient quantum algorithms based on Shor's algorithm for the group case SDLP$(G, \sigma)$ for the following cases:
1. The automorphism $\sigma$ is of small order, i.e., polynomial in $\log |G|$;
2. The group $G$ is solvable;
3. The group $G$ is a matrix group over a finite field, i.e., $G \le \mathrm{GL}_d(\mathbb{F}_q)$, where $q$ is a power of a prime and $\sigma$ is an inner automorphism of $G$;
, where for each $i$, $\psi_i$ maps $M_i$ to either
4.1 a black-box group with unique labeling and when the automorphism of $\mathrm{Im}(\psi_i)$ induced by $\sigma$ has polynomially small order; or
4.2 a solvable black-box group with unique labeling; or
4.3 a matrix group over a finite field, in which case we also assume that a power of the induced automorphism with a polynomially small exponent coincides with the conjugation by some matrix.
As a consequence, the SPDH-Sign protocol in [BKPS23] and all other SPDKE cryptographic protocols whose platform groups are in the above cases do not belong to the realm of post-quantum cryptography. We remark that a normal series together with the homomorphisms having the properties required in item 4 can be efficiently computed for quite a wide class of finite groups using advanced algorithms of computational group theory. These include matrix groups over finite fields of odd characteristic, making the innerness assumption of item 3 unnecessary when $q$ is odd; see the Appendix for a sketch of the proof. We even think that it is difficult to propose any "concrete" platform group that item 4 is not applicable to, so a viable platform for the SPDH-Sign protocol should be a semigroup quite far from any group.

Reduction and recursion of SDLP
In this section, we provide the reduction of the group-base case to the group case, and we also describe a recursion tool that passes the SDLP in a group to its quotient groups and subgroups.
From $(g, 1)^t = (\rho_{(g,1)}^t(1_G), t)$ we infer the following identity We will frequently use this fact to reduce an instance of the SDLP for the endomorphism $\sigma$ to an instance for $\sigma^r$ in place of $\sigma$ with suitable choices of $r$.

Reduction from the group-base case to the group case
Let $G$ be a finite group and $\sigma$ be an endomorphism of $G$. We will describe a reduction from SDLP$(G, \sigma)$ to SDLP$(K, \sigma')$ where $K$ is a subgroup of $G$ and $\sigma'$ is the restriction of $\sigma$ to $K$, which forms an automorphism. Let $K = \bigcap_{t=0}^{\infty} \sigma^t(G)$ and let $k_0$ be the smallest non-negative integer such that $K = \sigma^{k_0}(G)$. Obviously, $k_0 \le \lceil \log |G| \rceil$. Let $k \ge k_0$, where such a $k$ can be "blindly" chosen by taking an integer greater than a known upper bound for $\log |G|$. (Such an upper bound can be $\ell$, where binary strings of length $\ell$ encode the group elements.) Then $K = \sigma^k(G)$ and the restriction of $\sigma$ to $K$ is an automorphism of $K$. Let $r$ be the length of the orbit {ρ By equation (2), if the solution set of the SDLP in $K$ for $\sigma^k(g)$ and $\sigma^k(h)$ is $\{s + rt : t \in \mathbb{Z}_{\ge 0}\}$ for some $0 \le s < r$, then the set of solutions of the SDLP in $G$ for $g$ and $h$ is either the empty set, a singleton $\{s + rt_0\}$, or $\{s + rt : t \in \mathbb{Z}_{\ge t_0}\}$, for some $t_0 \le \lceil k_0/r \rceil \le \lceil \log |G| \rceil$. Therefore, one can solve the SDLP$(G, \sigma)$ for $g$ and $h$ by solving SDLP$(K, \sigma|_K)$ for $\sigma^k(g)$ and $\sigma^k(h)$, followed by an exhaustive search. This gives the following theorem.
Theorem 1. There is a classical polynomial time reduction from an instance of the group-base case SDLP to an instance of the group case SDLP.

An easy reduction
In the group case, we have the following simple reduction based on brute force. This will be useful when a power of the automorphism $\sigma$ with polynomially small exponent has some desired property.
Proposition 2. Assume that $\sigma$ is an automorphism of the group $G$. Then, for every positive integer $k$, SDLP$(G, \sigma)$ can be reduced to $k$ instances of SDLP$(G, \sigma^k)$.
Proof. We look for the smallest non-negative solution of the SDLP in the form $s + tk$ for $s = 0, \ldots, k - 1$. We have ) and $h' = \rho_{(g,1)}^{-s}(h)$. Then, we need to solve the SDLP for $g'$ and $h'$, where we replace $\sigma$ by $\sigma^k$.

Recursion into quotient groups and subgroups
We will show that one can solve the SDLP$(G, \sigma)$, for a group $G$ and $\sigma \in \mathrm{Aut}(G)$, by recursively solving an instance of the SDLP in a quotient group and a subgroup of $G$. The main idea of recursion is essentially the same as those used in the preceding subsections.
Theorem 3. Let $G$ and $G$ be black-box groups with unique labeling and let an automorphism $\sigma$ of $G$ be given by a black box for evaluating the powers $\sigma^i$ on codewords for group elements. Assume that we are given a $\sigma$-invariant normal subgroup $M$ of $G$ and a group homomorphism $\psi : G \to G$ with kernel $M$. We assume that $\psi$ can be evaluated efficiently and we have a black box for evaluating powers of the automorphism $\sigma$ of $\mathrm{Im}(\psi)$ induced by $\sigma$. Then SDLP$(G, \sigma)$ can be reduced to an instance of SDLP$(\mathrm{Im}(\psi), \sigma)$ and an instance of SDLP$(M, \sigma^{n_0}|_M)$ for some integer $n_0$.
Proof. Every solution of SDLP$(G, \sigma)$ for $g$ and $h$ is a solution of the SDLP$(\mathrm{Im}(\psi), \sigma)$ for $\psi(g)$ and $\psi(h)$. If there is no solution for the problem in $\mathrm{Im}(\psi)$, then there is no solution for the problem in $G$ either.
Otherwise, the set of solutions in $\mathrm{Im}(\psi)$ is the residue class $\{t_0 + n_0 t\}$ for some $0 \le t_0 < n_0$, where $n_0 = |\{\rho_{(\psi(g),1)}^t(1_G) : t \in \mathbb{Z}\}|$. Note that $n_0$ is the smallest positive integer such that $\rho_{(g,1)}^{n_0}(M) = M$. We have $g' = \rho_{(g,1)}^{n_0}(1_G) \in M$ and also This gives that the solutions of SDLP$(G, \sigma)$ for $g$ and $h$ are exactly the numbers of the form $t_0 + n_0 t$, where $t$ is a solution of SDLP$(M, \sigma^{n_0})$ for $g'$ and $h'$.
By considering the equivalent "backward" version of the SDLP, that is, solving $1_G = \rho_{(g,1)}^t(h)$, the recursion suggested by the proof of the theorem can be interpreted as driving first to $M$ by solving the SDLP in $\mathrm{Im}(\psi) \cong G/M$ and then, inside $M$, driving further to the identity element.
A general straightforward way to evaluate the induced automorphism (and its powers) is based on computing an arbitrary element of the pre-image $\psi^{-1}(x)$ for each $x \in \mathrm{Im}(\psi)$. This can be facilitated by replacing $G$ with the black-box group $H$ encoded by pairs $(x, \psi(x))$, where $x$ is a code-word for an element of $G$. For multiplication we use the oracle for $G$ and re-evaluate $\psi$ on the product. For labeling, we use the labeling of $G$. Of course, there are many cases when this trick can be replaced by a simple direct method for evaluating $\sigma$. This holds in particular when $G = \mathbb{Z}_p^d$ with the standard representation by column vectors modulo $p$.
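The recursion of Theorem 3 carried out on a toy instance, as an added Python example that is not code from the paper. It assumes the Heisenberg group of order $p^3$ with $p = 7$ written as triples, the diagonal automorphism $\sigma(x, y, z) = (3x, 5y, 15z)$, $M$ the centre, $\psi$ the projection to $\mathbb{Z}_p^2$, and $h' = \rho_{(g,1)}^{-t_0}(h)$ by analogy with the proof of Proposition 2; exhaustive orbit walks stand in for the quantum subroutines.

```python
# Added example (not from the paper): Theorem 3 on a group of order P^3.
P = 7                 # constructed toy prime
U, V = 3, 5           # sigma(x, y, z) = (U x, V y, U V z)  (assumed automorphism)
ONE = (0, 0, 0)
G_ELEM = (1, 2, 3)    # constructed base element g

def mul(a, b):
    """Heisenberg group law on triples over F_P."""
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P,
            (a[2] + b[2] + a[0] * b[1]) % P)

def inv(a):
    return (-a[0] % P, -a[1] % P, (a[0] * a[1] - a[2]) % P)

def sigma(a, k=1):
    """sigma^k; negative k uses modular inverses (Python 3.8+)."""
    u, v = pow(U, k, P), pow(V, k, P)
    return (u * a[0] % P, v * a[1] % P, u * v * a[2] % P)

def rho(g, w):
    """rho_{(g,1)}(w) = g * sigma(w)."""
    return mul(g, sigma(w))

def rho_inv(g, w):
    return sigma(mul(inv(g), w), -1)

def rho_pow(g, t):
    w = ONE
    for _ in range(t):
        w = rho(g, w)
    return w

def orbit_solve(step, start, target):
    """Exhaustive walk of a cyclic orbit: (smallest t with step^t(start) ==
    target, or None; orbit length)."""
    found, x, n = None, start, 0
    while True:
        if found is None and x == target:
            found = n
        x, n = step(x), n + 1
        if x == start:
            return found, n

def psi(w):
    """Homomorphism G -> Z_P^2 whose kernel M is the centre {(0, 0, z)}."""
    return (w[0], w[1])

def sdlp_recursive(g, h):
    """Return (smallest solution, period) or None, via quotient then subgroup."""
    gb = psi(g)
    # Induced transformation on Im(psi): w -> psi(g) + sigma_bar(w).
    step_bar = lambda w: ((gb[0] + U * w[0]) % P, (gb[1] + V * w[1]) % P)
    t0, n0 = orbit_solve(step_bar, (0, 0), psi(h))
    if t0 is None:
        return None                      # no solution in the quotient
    g1 = rho_pow(g, n0)                  # g' = rho^{n0}(1_G), lies in M
    h1 = h
    for _ in range(t0):                  # h' = rho^{-t0}(h), lies in M
        h1 = rho_inv(g, h1)
    # Inside M: w -> g' * sigma^{n0}(w), which equals rho^{n0}(w).
    step_m = lambda w: mul(g1, sigma(w, n0))
    t, n1 = orbit_solve(step_m, ONE, h1)
    if t is None:
        return None
    return t0 + n0 * t, n0 * n1
```

With these parameters the quotient orbit has length 6 and the orbit inside $M$ has length 7, so the two walks together replace a walk over the full orbit of length 42.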

Quantum algorithms for the group case SDLP
In this section, we will prove the following main result of the paper.
Theorem 4. Let $G$ be a group and $\sigma \in \mathrm{Aut}(G)$. We assume that $G$ is a black-box group with a unique labeling of elements and we also have a black box for computing $\sigma^i(g)$ ($i \in \mathbb{Z}_{\ge 0}$, $g \in G$). Suppose that we are given a series Let $\sigma_i$ denote the automorphism of $\mathrm{Im}(\psi_i)$ induced by $\sigma|_{M_i}$. Assume further that, for each $i$, either (0) $\mathrm{Im}(\psi_i)$ is of polynomial size; or (1) $\sigma_i$ has polynomial order; or (2) $\mathrm{Im}(\psi_i)$ is solvable; (3) $G_i \le \mathrm{GL}_{d_i}(\mathbb{F}_{q_i})$ for some positive integer $d_i$ and for some prime power $q_i$, moreover, there exists a polynomially bounded integer $n_i$ and a matrix For items (0), (1) and (2), we assume that $G_i$ is a black-box group with unique labeling. For item (4), neither $n_i$ nor $a_i$ are assumed to be given; their mere existence is sufficient. (By "polynomial" we mean polynomial in the maximum of the lengths of the bit strings used for encoding and labeling the elements of the groups $G$ and $G_i$ ($i = 1, \ldots, k$).) Then SDLP$(G, \sigma)$ can be solved in quantum polynomial time.
When $k = 1$, a condition of type (0) means that $G$ itself is of polynomial size, that of type (1) means that $\sigma$ itself has polynomially small order, that of type (2) means that $G$ is solvable. The standard descriptions of simple groups of Lie type define them as factors of certain matrix groups over finite fields. The quotient is taken to be the center of the matrix group, so the simple group has a representation as a matrix group by the conjugation action on the matrix algebra spanned by the covering matrix group. Also, the outer automorphism group of a finite simple group is of polynomial size. Therefore, these groups are covered by conditions of type (3).
The algorithm for polynomially small groups is straightforward trial and error. In the first three subsections of this section we give efficient algorithms for groups/automorphisms satisfying conditions (1), (2), or (3). In the fourth subsection we show how to use these ingredients and Theorem 3 to prove Theorem 4.
Note that the order of $\sigma$ can be computed in quantum polynomial time using Shor's period finding method applied to the functions $t \mapsto \sigma^t(x_i)$ for the generators $x_i$ of the group $G$ and taking the least common multiple of these periods. The order can be factorized using Shor's factoring algorithm. The length of the orbit $\{\rho_{(g,1)}^t(1_G) : t \in \mathbb{Z}\}$ can be determined and factorized in a similar way. Based on these observations, in the algorithms below we assume that these numbers are already computed and factorized. The solution set is either empty or the residue class of an arbitrary solution modulo the period. So it is sufficient to find any solution, e.g., the smallest non-negative one.

The SDLP for small order automorphisms
In this subsection we prove the following result.
Proposition 5. Let $G$ be a black-box group with unique labeling. Then SDLP$(G, \sigma)$ can be solved by a quantum algorithm in time polynomial in the order of $\sigma$ and the length of the code-words together with the labels of the group elements.
Proof. By Proposition 2, it is sufficient to prove the case when $\sigma$ is trivial. Then $\rho_{(g,1)}(x) = gx$, whence $\rho_{(g,1)}^t(1_G) = g^t$ for every integer $t$. Thus, solving the SDLP for $g$ and $h$ is the same as computing the base-$g$ discrete logarithm of $h$, which can be accomplished by Shor's algorithm.

The SDLP in solvable groups
In this part, we first present a quantum algorithm for the SDLP on elementary abelian groups. We then show how Theorem 3 can be used to reduce the general together with a homomorphism $\phi : G \to \mathbb{Z}_p$. For any positive integer $j$, let $N_j = \bigcap_{i=0}^{j-1} \sigma^i(N)$. Note that $N_{j+1} = N_j \cap \sigma^j(N)$ and if $N_{j+1} = N_j$ then $N_{j'} = N_j$ for any integer $j' > j$ and $N_j$ is $\sigma$-invariant. This equality happens for an integer $j$ bounded by the length $\ell$ of code-words for the group elements. We compute the map $\psi : G \to \mathbb{Z}_p^\ell$ defined as $x \mapsto (\phi(x), \phi^{\sigma}(x), \ldots, \phi^{\sigma^{\ell-1}}(x))^T$. Based on the above discussion, the kernel $M$ of $\psi$ is $\sigma$-invariant. The image $\mathrm{Im}(\psi)$ is a subspace $V$ of $\mathbb{Z}_p^\ell$. Compute a basis for $V$ by taking a maximal linearly independent set of the images of the generators for $G$ under the map $\psi$ and, using them, replace $\psi$ with the composition of $\psi$ with the transpose of the matrix whose columns are the basis elements for $V$. This new map, denoted again by $\psi$, is a surjective homomorphism from $G$ to $\mathbb{Z}_p^d$ with kernel $M$. Then, by Theorem 3, after solving the SDLP in the $\psi$-image $\mathbb{Z}_p^d$, SDLP$(G, \sigma)$ gets reduced to SDLP$(M, \sigma')$ where $\sigma'$ is the restriction of a power of $\sigma$ to $M$.

The SDLP in matrix groups with an inner automorphism
In this part we prove the following result.
Theorem 8. Let $G$ be a subgroup of $\mathrm{GL}_d(\mathbb{F}_q)$ where $d$ is a positive integer and $q$ is a power of a prime. Assume that $G$ is given by a list of matrices that generate $G$ and that the automorphism $\sigma$ is given on the generators. Suppose that $\sigma$ coincides with the conjugation action of a matrix $a \in \mathrm{GL}_d(\mathbb{F}_q)$. Then SDLP$(G, \sigma)$ can be solved by a quantum algorithm in time polynomial in $d$ and $\log q$.
The matrix $a$ that implements the automorphism $\sigma$ does not need to be given; such a matrix is computed by the algorithm. (It is unique up to the centralizer of $G$.) Note that conjugation by $a$ is an inner automorphism of the full matrix group $\mathrm{GL}_d(\mathbb{F}_q)$ (or just of the matrix group generated by $G$ and $a$), justifying the title of the subsection.
Proof. We assume that $q \ge 2d$. (If not, we consider $G$ as a matrix group over an extension field of $\mathbb{F}_q$ having at least $2d$ elements.) To find a matrix $a$ with the desired property, we take the linear space of matrices $y$ such that $yx_i = \sigma(x_i)y$ for the generators $x_i$ of $G$, and choose a random element $a$ of this space. Since $q \ge 2d$, by the Schwartz-Zippel lemma [Sch79, Zip79], a random element of this matrix space will be invertible with high probability, as the space contains at least one invertible element by the assumption of the theorem. Conjugation by $a$ extends $\sigma$ to a linear automorphism of the full matrix algebra $B = M_d(\mathbb{F}_q)$ of the $d$ by $d$ matrices. We denote this extension also by $\sigma$.
We have $\rho_{(g,1)}(x) = g\sigma(x)$, thus $\rho_{(g,1)} = \mu_g \circ \sigma$, where $\mu_g$ denotes the multiplication by $g$ from the left. The map $\mu_g$ can also be extended to an invertible linear transformation of $B$. Therefore the composition $\rho_{(g,1)}$ has an invertible linear extension $\Phi$ to $B$. Also, solving $h = \rho_{(g,1)}^t(1_G)$ is equivalent to solving $h = \Phi^t I_d$. The latter is an instance of the well known Orbit Problem introduced by Harrison in [Har69]. It is the following orbit membership problem. Given vectors $a, b$ of a finite dimensional vector space $V$ over the field $\mathbb{F}$ and a linear transformation $\Phi \in \mathrm{End}_{\mathbb{F}}(V)$, find $t \in \mathbb{Z}_{\ge 0}$, if one exists, such that $b = \Phi^t a$.
Kannan and Lipton in [KL86] gave a polynomial time solution of the Orbit Problem for the case when $\mathbb{F}$ is the field of rationals. Here we need to solve the finite field case. Kannan and Lipton gave a construction to reduce the Orbit Problem to the so-called Matrix Power Problem, which is the following. Given square matrices $A$ and $B$ over a field $\mathbb{F}$, solve $B = A^t$, see [KL86, Theorem 1]. For completeness we briefly recall (a version of) their construction. We compute the subspace $W$ spanned by $\Phi^t a$ ($t = 0, 1, \ldots$). This can be done by computing the vectors $a, \Phi a, \ldots, \Phi^{j-1} a$ until $\Phi^j a$ becomes linearly dependent on the previous vectors. Then $W$ is the subspace with basis $a, \Phi a, \ldots, \Phi^{j-1} a$. If $b \notin W$, then the problem has no solution. Otherwise $\Phi^t b \in W$ for every $t$. Write the vectors $\Phi^i a$ and $\Phi^i b$ ($i = 0, \ldots, j - 1$) as column vectors in terms of a basis of $W$. Let $A$ be the matrix of the restriction of $\Phi$ to $W$ in the same basis and let $C$ resp. $D$ be the $j$ by $j$ matrices whose columns are $a, \Phi a, \ldots, \Phi^{j-1} a$ and $b, \Phi b, \ldots, \Phi^{j-1} b$, respectively. Then $b = A^t a$ if and only if $D = A^t C$. Let $B = DC^{-1}$ and we need to solve $B = A^t$. If $\Phi$ is invertible then so is $A$.
The invertible case of the matrix power problem over a finite field can be solved by Shor's quantum discrete log algorithm.
We remark that, using the Jordan blocks of $A$, one could classically reduce the problem to instances of the discrete logarithm problem in the multiplicative group of extensions of $\mathbb{F}$. Also, in practice it might be worth replacing $B$ with the matrix algebra spanned by the elements of $G$.
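The Kannan-Lipton construction recalled in the proof, as an added Python example that is not code from the paper. It assumes the toy field $\mathbb{F}_{11}$, constructed matrices $g$ and $a$ with $a$ given rather than computed from the generators, the Krylov basis $a, \Phi a, \ldots$ as the chosen basis of $W$ (so $C$ is the identity and $B = D$), and an exhaustive search standing in for Shor's algorithm in the matrix power step.

```python
# Added example (not from the paper): Orbit Problem -> Matrix Power Problem.
P = 11                       # constructed toy field size
G_MAT = [[1, 2], [3, 4]]     # constructed g in GL_2(F_11)
CONJ = [[2, 1], [1, 1]]      # constructed a; sigma(x) = a x a^-1

def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]

def solve(cols, v):
    """Coefficients c with sum c[i]*cols[i] == v over F_P, or None when v is
    outside the span. cols must be linearly independent."""
    n, m = len(v), len(cols)
    M = [[cols[c][r] % P for c in range(m)] + [v[r] % P] for r in range(n)]
    for col in range(m):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [x * inv % P for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[col])]
    if any(M[r][m] for r in range(m, n)):
        return None
    return [M[r][m] for r in range(m)]

def mat_inv(X):
    n = len(X)
    cols = [[X[r][j] for r in range(n)] for j in range(n)]
    sol = [solve(cols, [int(r == k) for r in range(n)]) for k in range(n)]
    return [[sol[k][r] for k in range(n)] for r in range(n)]

def make_phi(g, a):
    """Linear extension Phi of rho_{(g,1)}: x -> g a x a^-1, acting on
    d x d matrices flattened row by row."""
    d, a_inv = len(g), mat_inv(a)
    def phi(v):
        x = [v[i * d:(i + 1) * d] for i in range(d)]
        y = mat_mul(g, mat_mul(a, mat_mul(x, a_inv)))
        return [e for row in y for e in row]
    return phi

def kannan_lipton(phi, start, target):
    """Reduce target = phi^t(start) to B = A^t; None if target is outside W."""
    basis, v = [], start
    while solve(basis, v) is None:       # grow the Krylov basis of W
        basis.append(v)
        v = phi(v)
    if solve(basis, target) is None:
        return None
    j = len(basis)
    a_cols = [solve(basis, phi(b)) for b in basis]   # Phi restricted to W
    d_cols, w = [], target
    for _ in range(j):                   # coordinates of b, Phi b, ...
        d_cols.append(solve(basis, w))
        w = phi(w)
    as_matrix = lambda cols: [[c[r] for c in cols] for r in range(j)]
    # In the Krylov basis C is the identity, so B = D C^-1 = D.
    return as_matrix(a_cols), as_matrix(d_cols)

def matrix_power_log(A, B):
    """Smallest t >= 0 with A^t == B for invertible A, by exhaustive search
    (toy stand-in for the quantum step)."""
    n = len(A)
    ident = [[int(i == j) for j in range(n)] for i in range(n)]
    X, t = ident, 0
    while True:
        if X == B:
            return t
        X, t = mat_mul(A, X), t + 1
        if X == ident:
            return None

def orbit_point(g, a, t):
    """rho_{(g,1)}^t(1_G) as a d x d matrix."""
    d, phi = len(g), make_phi(g, a)
    v = [int(i == j) for i in range(d) for j in range(d)]
    for _ in range(t):
        v = phi(v)
    return [v[i * d:(i + 1) * d] for i in range(d)]

def sdlp_inner(g, a, h):
    """Smallest t with h = rho_{(g,1)}^t(1_G), or None."""
    d = len(g)
    one = [int(i == j) for i in range(d) for j in range(d)]
    red = kannan_lipton(make_phi(g, a), one, [e for row in h for e in row])
    return None if red is None else matrix_power_log(*red)
```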
Proposition 2 gives the following extension.
Corollary 9. Let $G$ be as in Theorem 8. Let $\sigma$ be an automorphism of $G$. Let $K$ be a positive integer. We assume that for the divisors $k \le K$ of the order of $\sigma$, the action of $\sigma^k$ on the generators for $G$ is also given and that among those divisors $k$, $\sigma^k$ coincides with the conjugation action of a matrix. Then SDLP$(G, \sigma)$ can be solved by a quantum algorithm in time polynomial in $K$, $d$ and $\log q$.

Putting things together
Our recursion tool (Theorem 3) can assemble the results proved in the preceding subsections for various special cases of the SDLP to obtain Theorem 4.
Proof of Theorem 4. Assume that we have the chain of subgroups $M_i$ and homomorphisms $\psi_i$ ($i = 0, \ldots, k$) with properties as in the statement of the theorem. For $i = k$ to $1$, using Theorem 3, by solving the SDLP in the $\phi_i$-image of $M_i$ we reduce the problem to an instance in $M_{i-1}$. In the small size case (0), we use brute force. When $\sigma_i$ is of small order (case (1)) or when $\mathrm{Im}(\psi_i)$ is solvable (case (2)), we use Proposition 5 or Theorem 7, respectively. In order to facilitate using the oracle for evaluating the powers of $\sigma$ to evaluate those of $\sigma_i$, we use the pairs $(x, \psi_i(x))$ to encode the elements of $\mathrm{Im}(\psi_i)$, while as labeling we use the labeling for $G_i$. In the matrix group case (4), we use the natural encoding by matrices for the image. We compute the order $o_i$ of $\sigma_i$ using the factorization of the order of $\sigma$ and compute $\sigma^t$ for the smallest few divisors of $o_i$ and apply the method of Corollary 9.

Appendix: the matrix group case in odd characteristic
This part is devoted to a sketch of a proof of the following.
Corollary 10. Let $\psi : K \to M_d(\mathbb{F}_q)$ be a representation of the black-box group $K$ with or without a labeling. Assume that the automorphism $\sigma$ is given by a black box to evaluate its powers on elements of $K$ and that the kernel of $\psi$ is $\sigma$-invariant (e.g., when $\psi$ is faithful). Then, SDLP$(\mathrm{Im}(\psi), \sigma)$ can be solved in quantum polynomial time.
Proof (sketch). We encode the elements of $G = \mathrm{Im}(\psi)$ by pairs $(x, \psi(x))$ and labeling $\psi(x)$ so that we can evaluate powers of $\sigma$ on elements of the matrix group $G$. We use the notation $\sigma$ for $\sigma$. We compute a refinement of the sequence $1 \le \mathrm{Rad}(G) \le \mathrm{Soc}^*(G) \le \mathrm{Pker}(G) \le G$ between $\mathrm{Rad}(G)$ and $\mathrm{Soc}^*(G)$. To this end we notice that $\sigma$ also permutes the simple components of $\mathrm{Soc}\, G$. We take a $\sigma$-orbit of a single simple component $S$ and we compute $S^{**} = \prod_T T^* \mathrm{Rad}(G)$, where the product is taken over the $\sigma$-orbit of $S$. Let $r$ be the length of the orbit. Then $\sigma^r$ acts as an automorphism on each member of the orbit. As the outer automorphism group of a finite simple group is of size bounded by a polynomial of the logarithm of the group size, we obtain that a polynomially small power of $\sigma$ acts as an inner automorphism of $S^{**}/\mathrm{Rad}(G)$. If $S$ is sporadic, we use the regular representation of $S$. If $S$ is of Lie type, we take the isomorphism between $S$ and the standard copy of it computed by the algorithm of [BBS09]. It realizes $S$ as the quotient group of a matrix group by its center. We obtain a matrix representation of $S$ by taking the conjugation action on the matrix algebra spanned by the elements of this covering group. We do the same for each $T$ from the orbit (actually, these are isomorphic to $S$, so the construction made for $S$ can be re-used). Finally we obtain a matrix representation of $S^{**}$ with kernel $\mathrm{Rad}(G)$ on the direct sum of these representations. Then we proceed with another orbit, construct the representation of the product of the orbit members and add to $S^{**}$. This way we obtain a chain of $\sigma$-invariant normal subgroups between $\mathrm{Rad}(G)$ and $\mathrm{Soc}^*(G)$ together with the matrix representations of the factors so that case (4) of Theorem 4 is applicable to them. For $G/\mathrm{Pker}(G)$, we use the permutation representation which can be naturally extended to a matrix representation. As $\sigma$ also permutes the simple components, the induced automorphism will be conjugation by a permutation, so case (4) is again applicable. For $\mathrm{Pker}(G)/\mathrm{Soc}^* G$, we use the matrix representation as a labeling and, by solvability, case (3) is applicable. Finally, in $\mathrm{Rad}(G)$, again case (3) applies.
We outline how the result of the polynomial time algorithm of Babai, Beals and Seress [BBS09] for computing the structure of matrix groups over finite fields can be used to obtain a series of normal subgroups together with representations of the factors making Theorem 4 applicable to these matrix groups. Every finite group $G$ has a unique largest solvable normal subgroup, called the solvable radical of $G$. It is denoted by $\mathrm{Rad}(G)$. The factor group G

group, it has no nontrivial abelian subnormal subgroups. (Normal subgroups of a group are subnormal, and, recursively, normal subgroups of subnormal subgroups are also subnormal.) It follows that the minimal subnormal subgroups of $G$ are noncommutative simple groups. They pairwise commute and the subgroup $\mathrm{Soc}(G)$ generated by them (called the socle of $G$) is the direct product of these simple groups. (It follows that there are at most log G simple constituents of $\mathrm{Soc}(G)$.) The full pre-image of $\mathrm{Soc}(G)$ at the projection $G \to G$ is denoted by $\mathrm{Soc}^*(G)$. The subgroups $\mathrm{Rad}(G)$ and $\mathrm{Soc}^*(G)$ are characteristic subgroups of $G$. The group $G$, by conjugation, acts as a permutation group on the minimal subnormal subgroups of $G$. The kernel $\mathrm{Pker}(G)$ of this permutation representation, called the permutation kernel, is a further characteristic subgroup. There are the following inclusions between the subgroups introduced above.

generators for each component $S$ are actually generators for a perfect subgroup $S^*$ of $\mathrm{Soc}^*(G)$ such that $(S^*/\mathrm{Rad}\, G)$ is the pre-image of $S$ by the projection map $G \to G/\mathrm{Rad}(G)$.)