Natural Representations of Black Box Groups SL₂$\left(\mathbb{F}q\right)$

Abstract

In this paper, we make one step further in the recognition of black box groups of Lie type: given a black box group encrypting a special linear group of dimension 2 over a finite field of an unknown odd characteristic, we construct a black box field and a polynomial time isomorphism from the special linear group of dimension 2 over this new field to the black box, which can be made polynomial time-reversible for small characteristics at the expense of constructing a look-up table for the prime field. Our result opens a way to constructing structural proxies for black box groups of Lie type.

1. Introduction

In computations with finite groups, one of the central problems has a deceptively simple formulation:

Given a set of matrices $X_1,\dots ,X_l$ of size $n\times n$ over a given field ${\mathbb{F}}_{p^m}$ of characteristic p, determine if they generate a group $G=\langle X_1,\dots ,X_l\rangle$ isomorphic to ${\mathrm{SL}}_2\left({\mathbb{F}}_{p^k}\right)$. If so, find a nontrivial unipotent element in G (i.e., an element of order p) in time polynomial in $k,l,m,n$, and $logp$.

This problem was posed by Babai and Beals in the context of black box groups in 1999 [1]. Solutions were discovered only much later, in [2] for $p=2$ and in [3] for odd p.

Our approach to its solution in [3] was based on the use of two concepts: black box groups introduced by Babai and Szemerédi in [4], and black box fields originating from the papers [5,6]. These concepts are discussed in Section 2; they significantly expand the range of tools and methods, even for problems in matrix groups over finite fields.

In [3], we presented an algorithm constructing the adjoint representation of a black box group $\mathsf{Y}$ encrypting ${\mathrm{PSL}}_2\left(\mathbb{F}\right)$ for a field $\mathbb{F}$ of odd order, that is, we constructed within $\mathsf{Y}$ a black box field $\mathsf{K}$ encrypting $\mathbb{F}$ and represented elements of $\mathsf{Y}$ as $3\times 3$ orthogonal matrices with entries from this black box field $\mathsf{K}$. In the present paper, we considerably extend this result: we produce an algorithm that constructs the natural representation of a black box group $\mathsf{X}$ encrypting ${\mathrm{SL}}_2\left(\mathbb{F}\right)$. The need for such a construction arises from the fact that constructive recognition algorithms for black box groups of Lie type of higher rank involve a constructive recognition of a black box group encrypting ${\mathrm{SL}}_2\left(\mathbb{F}\right)$, see [7,8,9,10,11,12,13], where it was postulated as being provided by a ${\mathrm{SL}}_2$-oracle. These papers also used the discrete logarithm oracle in $\mathbb{F}$ along with a ${\mathrm{SL}}_2$-oracle. We wish to emphasize that we make no use of any oracles.

We prove the following theorem (notation and terminology are explained in Section 2).

Theorem 1.

Let $\mathsf{Y}$ be a black box group encrypting ${\mathrm{SL}}_2\left(\mathbb{F}\right)$, where $\mathbb{F}$ is an unknown finite field of unknown odd characteristic, and E be a global exponent for $\mathsf{Y}$, that is, ${\mathsf{y}}^E=1$ for all $\mathsf{y}\in \mathsf{Y}$. Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in $logE$, the following:

(a)

A black box field $\mathsf{K}$ encrypting $\mathbb{F}$;

(b)

Isomorphisms

$$\psi :\mathsf{Y}⟶{\mathrm{SL}}_2\left(\mathsf{K}\right) and {\psi }^{-1}:{\mathrm{SL}}_2\left(\mathsf{K}\right)⟶\mathsf{Y}$$

that run in probabilistic time polynomial in $logE$.

We call the pair of isomorphisms $\psi$ and ${\psi }^{-1}$ constructed in Theorem 1 a structural approximation of the black box group $\mathsf{Y}$ and call the matrix group ${\mathrm{SL}}_2\left(\mathsf{K}\right)$ its structural proxy.

Most groups of Lie type (we exclude series ${}^{2}B_2$, ${}^{2}F_4$, and ${}^{2}G_2$) can be seen as functors $G:\mathcal{R}⟶\mathcal{G}$ from the category of commutative unital rings $\mathcal{R}$ with involution (that is, an automorphism of order $\le 2$) to the category of groups. There are other algebraic structures that can be defined in a similar functorial way, such as functors $A:\mathcal{R}⟶\mathcal{A}$. For example, finite-dimensional simple associative algebras and finite-dimensional simple Lie algebras can be viewed as rings. The corresponding structural proxy problem can be stated as follows.

• Construction of a structural proxy. Suppose that we are given a black box structure $\mathsf{X}\vDash A\left(\mathbb{F}\right)$. Construct, in probabilistic polynomial in $l\left(\mathsf{X}\right)$ time, where $l\left(\mathsf{X}\right)$ is the uniform length of the strings in $\mathsf{X}$, the following:

  –

  A black box field $\mathsf{K}\vDash \mathbb{F}$;

  –

  Probabilistic polynomial time isomorphisms:

  $$\psi :A\left(\mathsf{K}\right)⟶\mathsf{X}$$

  and

  $${\psi }^{-1}:\mathsf{X}⟶A\left(\mathsf{K}\right).$$

Remark 1.

One of the principal results of [3] amounts to construction of a structural proxy for a black box group $\mathsf{X}$ encrypting ${\mathrm{SO}}_3\left(\mathbb{F}\right)$,

$$\mathsf{X}⟷{\mathrm{SO}}_3\left(\mathsf{K}\right),$$

where $\mathbb{F}$ is an unknown finite field of unknown odd characteristic and $\mathsf{K}\vDash \mathbb{F}$. In this paper, we have another structural proxy for $\mathsf{X}$,

$$\mathsf{X}⟷{\mathrm{PGL}}_2\left(\mathsf{K}\right)$$

with $\mathsf{K}$ being the same black box field. Indeed, in Section 7, we construct an efficient isomorphism between ${\mathrm{SO}}_3\left(\mathsf{K}\right)$ and ${\mathrm{PGL}}_2\left(\mathsf{K}\right)$. The existence of this isomorphism is well-known but its efficient computational realization needs a delicate treatment.

Theorem 2.

Let $\mathsf{X}$ be a black box group encrypting ${\mathrm{PSL}}_2\left(\mathbb{F}\right)$ or ${\mathrm{PGL}}_2\left(\mathbb{F}\right)$, where $\mathbb{F}$ is an unknown finite field of unknown odd characteristic, and let E be a global exponent for $\mathsf{X}$. Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in $logE$, structural proxies

$$\mathsf{X}⟷{\mathrm{PSL}}_2\left(\mathsf{K}\right)$$

or

$$\mathsf{X}⟷{\mathrm{PGL}}_2\left(\mathsf{K}\right),$$

respectively.

Theorem 3.

Let $\mathsf{X}$ be a black box group encrypting one of the groups ${\mathrm{SL}}_2\left(\mathbb{F}\right),{\mathrm{PSL}}_2\left(\mathbb{F}\right)$, or ${\mathrm{PGL}}_2\left(\mathbb{F}\right)$, where $\mathbb{F}$ is the standard explicitly given finite field of known characteristic. Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in $log\left|\mathbb{F}\right|$, isomorphisms

$${\mathrm{SL}}_2\left(\mathbb{F}\right)\to \mathsf{X},{\mathrm{PSL}}_2\left(\mathbb{F}\right)\to \mathsf{X} or {\mathrm{PGL}}_2\left(\mathbb{F}\right)\to \mathsf{X},$$

respectively. Our algorithm runs in probabilistic polynomial time in $log\left|\mathbb{F}\right|$.

The proof of Theorem 3 follows from a construction of an isomorphism from $\mathbb{F}$ to $\mathsf{K}$, which is given in [6]. Note that the isomorphism ${\mathrm{SL}}_2\left(\mathbb{F}\right)\to \mathsf{X}$ in Theorem 3 could be seen as a “half ${\mathrm{SL}}_2$-oracle”. Moreover, when the characteristic of $\mathbb{F}$ is small (in the sense that we can inverse the isomorphism of prime fields ${\mathbb{F}}_p⟶{\mathsf{K}}_0$ and construct a look-up table for the inverse isomorphism ${\mathsf{K}}_0⟶{\mathbb{F}}_p$), we can reverse the isomorphism from $\mathbb{F}$ to $\mathsf{K}$ by using the results from [6] which establishes a full ${\mathrm{SL}}_2$-oracle, that is, probabilistic polynomial time two-way isomorphisms between ${\mathrm{SL}}_2\left(\mathbb{F}\right)$ and $\mathsf{X}$. Now, if we call such finite fields tame fields, then we have the following theorem.

Theorem 4.

For a black box group $\mathsf{X}$ encrypting ${\mathrm{SL}}_2\left(\mathbb{F}\right)$ over a tame field $\mathbb{F}$, there exists a polynomial time Las Vegas algorithm constructing two-way isomorphism

$${\mathrm{SL}}_2\left(\mathbb{F}\right)⟷\mathsf{X}.$$

Notice that the finite fields of characteristic $p\le 1000$ can be easily seen as tame fields.

Notice also that if $\left|\mathbb{F}\right|<7$, then all our theorems are obviously true and do not require the methods developed in this paper, since we can list elements of $\mathsf{Y}$ and provide necessary isomorphisms with no difficulty in these cases. For technical results in this paper, we assume that $\left|\mathbb{F}\right|⩾7$. We note that all classical black box groups over small fields can be recognized efficiently by the algorithms in [14].

2. Axiomatic Description of Black Box Algebraic Structures

A black box algebraic structure $\mathsf{X}$ is a black box (device, algorithm, or oracle), which produces and operates with 0–1 strings of uniform length $l\left(\mathsf{X}\right)$ encrypting (not necessarily in a unique way) elements of some fixed algebraic structure A: if $\mathsf{x}$ is one of these strings, then it corresponds to a unique (but unknown to us) element $\pi \left(\mathsf{x}\right)\in A$. Here, $\pi$ is the decrypting map, not necessarily known to us in advance.

BB1

On request, $\mathsf{X}$ produces a string $\mathsf{x}$ of fixed length $l\left(\mathsf{X}\right)$, which depends on $\mathsf{X}$, encrypting an element $\pi \left(\mathsf{x}\right)$ for some fixed explicitly given algebraic structure A; this is done in time polynomial in $l\left(\mathsf{X}\right)$. When this procedure is repeated, the elements $\pi \left({\mathsf{x}}_1\right),\pi \left({\mathsf{x}}_2\right),\dots$ are independent and uniformly distributed in A.

In this paper, we work only with groups and fields so we assume that operations on A are unary or binary; a general case can be treated in exactly the same way.

BB2

On request, $\mathsf{X}$ performs algebraic operations on the encrypted strings, which correspond to operations in A in a way that makes the map $\pi$ (unknown to us) a homomorphism: for every binary (unary case is similar) operation ⊡ and strings $\mathsf{x}$ and $\mathsf{y}$ produced or computed by $\mathsf{X}$,

$$\pi (\mathsf{x}⊡\mathsf{y})=\pi \left(\mathsf{x}\right)⊡\pi \left(\mathsf{y}\right).$$

It should be noted that we do not assume the existence of an algorithm which allows us to decide whether a specific string can be potentially produced by $\mathsf{X}$; requests for operations on strings can be made only in relation to strings previously output by $\mathsf{X}$. Also, we do not make any assumptions on probabilistic distribution of strings.

BB3

On request, $\mathsf{X}$ determines, in time polynomial in $l\left(\mathsf{X}\right)$, whether two strings $\mathsf{x}$ and $\mathsf{y}$ encrypt the same element in A, that is, check whether $\pi \left(\mathsf{x}\right)=\pi \left(\mathsf{y}\right)$.

We say in this situation that a black box $\mathsf{X}$ encrypts the algebraic structure A and we write $\mathsf{X}\vDash A$.

Clearly, in black box problems, the decrypting map $\pi$ is not given in advance. However, it is useful to think about any algebraic structure (say, a finite field) implemented on a computer as a trivial black box, with $\pi$ being the identity map, and with random elements produced with the help of a random number generator. In this situation, obviously, the axioms BB1–BB3 hold.

In our algorithms, we have to build new black boxes from existing ones and work with several black box structures at once. This is why we have to keep track of the length $l\left(\mathsf{X}\right)$ on which a specific black box $\mathsf{X}$ operates. For example, it turns out in [3] that it is useful to consider an automorphism of A as a graph in $A\times A$. This produces another algebraic structure isomorphic to A, which can be seen as being encrypted by a black box $\mathsf{Z}$ producing, and operating on, certain pairs of strings from $\mathsf{X}$; see [3] for more examples. In this case, clearly, $l\left(\mathsf{Z}\right)=2l\left(\mathsf{X}\right)$.

Axiom BB1 is the only difference between our axioms and the original set up of Babai and Szemerédi [4]. When we construct a new black box structure $\mathsf{Y}$ from $\mathsf{X}$, operations on $\mathsf{Y}$ are usually more expensive than a direct construction of random elements in $\mathsf{Y}$ from random elements in $\mathsf{X}$. This is the case, for example, of a black box field constructed from a black box projective plane constructed from a black box group ${\mathrm{PGL}}_2$, which, in turn, is constructed from a black box group ${\mathrm{SL}}_2$ [3]. Another example where Axiom BB1 is very natural in analysis of an impersonation attack on homomorphic encryption [15]. Here, supply of random elements is achieved simply by picking random codewords from the intercepted communication traffic.

3. Black Box Fields

We use Axioms BB1–BB3 to define black box fields with a few obvious changes in the wording. In Axiom BB2, we assume that the black box can perform the addition, multiplication, and inversion in the field. The reader may wish to compare our exposition with [5]. We remind that, in this paper, we do not necessarily know the characteristic of the field. Therefore, we slightly generalize the definition of a black box field given in [5,6] by removing the assumption that the characteristic of the field is known. We refer the reader to [5,6] for more details of black box fields of known characteristic.

When we are dealing with the isomorphism ${\mathrm{SL}}_2\left({\mathbb{F}}_q\right)\to \mathsf{X}$ in Theorem 3, we first construct a field isomorphism between an explicitly given finite field ${\mathbb{F}}_q$ and a black box field $\mathsf{K}\vDash {\mathbb{F}}_q$. Clearly, this leads to an isomorphism ${\mathrm{SL}}_2\left({\mathbb{F}}_q\right)\to {\mathrm{SL}}_2\left(\mathsf{K}\right)$. In this situation, the characteristic p of ${\mathbb{F}}_q$ is given, and to construct such an isomorphism, we will use some results about the isomorphism problem for black box fields of known characteristic p [6]. The explicit data for a finite field of cardinality $p^n$ is defined to be a system of structure constants over the prime field, that is, $n^3$ elements ${\left(c_{ijk}\right)}_{i,j,k=1}^n$ of the prime field ${\mathbb{F}}_p=\mathbb{Z}/p\mathbb{Z}$ (represented as integers in $[0,p-1]$) so that ${\mathbb{F}}_{p^n}$ becomes a field with ordinary addition and multiplication by elements of ${\mathbb{F}}_p$, and multiplication determined by

$$s_i{s}_j=\sum _{k=1}^n{c}_{ijk}{s}_k,$$

where $s_1,s_2,\dots ,s_n$ denotes a basis of ${\mathbb{F}}_{p^n}$ over ${\mathbb{F}}_p$. The concept of an explicitly given field of order $p^n$ is robust; indeed, Lenstra Jr. has shown in [16] (Theorem 1.2) that for any two fields, A and B of order $p^n$ given by two sets of structure constants ${\left(a_{ijk}\right)}_{i,j,k=1}^n$ and ${\left(b_{ijk}\right)}_{i,j,k=1}^n$, an isomorphism $A⟶B$ can be constructed in time polynomial in $nlogp$.

By an efficient isomorphism between a black box field and an explicitly given finite field ${\mathbb{F}}_{p^n}$, we mean an algorithm constructing such an isomorphism in time polynomial in the input length, that is, we find a procedure that computes images and preimages in time polynomial in n and $logp$.

One of the key results on black box fields belongs to Maurer and Raub [6]; its statement and proof can be reformulated to yield the following result.

Theorem 5.

Let $\mathsf{K}$ be a black box field of known characteristic p encrypting an explicitly given finite field ${\mathbb{F}}_{p^n}$ and ${\mathsf{K}}_0$ the prime subfield of $\mathsf{K}$. Then, the isomorphism problem between $\mathsf{K}$ and ${\mathbb{F}}_{p^n}$ can be efficiently reduced to the isomorphism problem between ${\mathsf{K}}_0$ and ${\mathbb{F}}_p$. In particular,

• an efficient isomorphism ${\mathsf{K}}_0⟶{\mathbb{F}}_p$ can be extended in time polynomial in the input length $l\left(\mathsf{K}\right)$ to an efficient isomorphism $\mathsf{K}⟶{\mathbb{F}}_{p^n};$
• there exists an isomorphism ${\mathbb{F}}_{p^n}⟶\mathsf{K}$ computable in time polynomial in $l\left(\mathsf{K}\right)$.

In our terminology, Theorem 5 provides a structural proxy for black box fields of known characteristic. Indeed, if $\mathsf{K}$ is a black box field of known characteristic p, then we can construct an isomorphism ${\mathbb{F}}_p=\mathbb{Z}/p\mathbb{Z}⟶{\mathsf{K}}_0$ by the map

$$m\mapsto 1+1+\cdots +1(m \mathrm{times})$$

where $1$ is the unit in ${\mathsf{K}}_0$; it is computable in linear in $logp$ time by the double-and-add method. Construction of an isomorphism ${\mathsf{K}}_0⟶{\mathbb{F}}_p$ remains an open problem when p is an astronomically large prime.

4. Plan of Proof of Theorem 1

Let $\mathsf{Y}\vDash {\mathrm{SL}}_2\left(\mathbb{F}\right)$, where $\mathbb{F}$ is an unknown finite field of unknown odd characteristic. It is easy to see that at least half of elements in $\mathsf{Y}$ are of even order. Therefore, by using the standard method [3] (Section 4.7), we can easily construct an involution in $\mathsf{Y}$ but $\mathsf{Y}$ contains only one involution—the generator of the center.

In the proof of Theorem 1, we first redefine the equality of strings in $\mathsf{Y}$ in the following way to be able to pass to the quotient group $\mathsf{Y}/Z\left(\mathsf{Y}\right)$:

$$\mathsf{x}\equiv \mathsf{y}\iff {\mathsf{xy}}^{-1} \mathrm{is}\mathrm{either}\mathrm{identity}\mathrm{or}\mathrm{the}\mathrm{central}\mathrm{involution}\mathrm{in} \mathsf{Y}.$$

Then, we use algorithms developed in [3] (Theorem 1.3) for the black box group $\mathsf{Y}/Z\left(\mathsf{Y}\right)\vDash {\mathrm{PSL}}_2\left(\mathbb{F}\right)$ to construct a black box group $\mathsf{X}\vDash {\mathrm{PGL}}_2\left(\mathbb{F}\right)$, a black box field $\mathsf{K}\vDash \mathbb{F}$, and computable, in polynomial time, homomorphisms

$$\mathsf{Y}⟶\mathsf{Y}/Z\left(\mathsf{Y}\right)⟶\mathsf{X}⟷{\mathrm{SO}}_3\left(\mathsf{K}\right).$$

We note here that we can add and multiply elements and take additive and multiplicative inverses of (non-zero) elements of the black box field $\mathsf{K}$ (see [3] (Section 9)). Furthermore, the two isomorphisms

$$\mathsf{X}⟷{\mathrm{SO}}_3\left(\mathsf{K}\right)$$

are inverses of each other ([3] (Section 11)).

It is well-known that ${\mathrm{SO}}_3\left(\mathsf{K}\right)$ is isomorphic to ${\mathrm{PGL}}_2\left(\mathsf{K}\right)$, and we need to present an efficient algorithm constructing such an isomorphism. We deal with this problem in Section 6.

The group ${\mathrm{SO}}_3\left(\mathsf{K}\right)$ arises in [3] as the group of matrices from ${\mathrm{GL}}_3\left(\mathsf{K}\right)$ preserving the quadratic form with the matrix

$$\left[\begin{array}{ccc}1& 0& 0\\ 0& 1& 0\\ 0& 0& 1\end{array}\right];$$

we will denote this group as ${\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)$.

It turns out that it is much more convenient to compute in the orthogonal groups ${\mathrm{SO}}_3\left(\mathsf{K}\right)$ preserving the quadratic form with the matrix

$$\left[\begin{array}{ccc}0& 0& 1\\ 0& -2& 0\\ 1& 0& 0\end{array}\right];$$

we will denote this group as ${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$.

Of course, the two groups ${\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)$ and ${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$ are conjugate in ${\mathrm{GL}}_3\left(\mathsf{K}\right)$; the computation of the conjugating (change of basis) matrix is very easy if $\mathsf{K}$ contains $\sqrt{-1}$, but it requires more attention if $\mathsf{K}$ does not contain $\sqrt{-1}$; see Section 5.3.

After that we obtain the homomorphisms

$$\mathsf{Y}⟶\mathsf{Y}/Z\left(\mathsf{Y}\right)⟶\mathsf{X}⟷{\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)⟷{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)⟷{\mathrm{PGL}}_2\left(\mathsf{K}\right)$$

and focus on its restriction

$$\mathsf{Y}/Z\left(\mathsf{Y}\right)⟶[\mathsf{X},\mathsf{X}]⟷{\mathrm{PSL}}_2\left(\mathsf{K}\right).$$

We reverse the first homomorphism, making it

$$\mathsf{Y}/Z\left(\mathsf{Y}\right)⟷[\mathsf{X},\mathsf{X}]$$

(this step requires a careful analysis of the corresponding constructions from [3]) and then lift the resulting isomorphisms

$$\mathsf{Y}/Z\left(\mathsf{Y}\right)⟷{\mathrm{PSL}}_2\left(\mathsf{K}\right)$$

to

$$\mathsf{Y}⟷{\mathrm{SL}}_2\left(\mathsf{K}\right).$$

This is performed in Section 6.

It will become clear that the appropriate fragments of this proof, together with [17], provide a proof of Theorem 2; see Section 7.

5. Orthogonal Groups in Two Types of Bases

5.1. Generalities on Symmetric Bilinear Forms

Let V be a vector space of dimension 3 over a black box field $\mathsf{K}\vDash \mathbb{F}$, where $\mathbb{F}$ is an unknown finite field of unknown odd characteristic. An important additional assumption that we are making is that we are given a computationally feasible global exponent for $\mathsf{K}$, that is, a natural number E such that ${\mathsf{a}}^E=1$ for all $\mathsf{a}\in \mathsf{K}\setminus \left\{0\right\}$, so that we can compute square roots in $\mathsf{K}$, when they exist, by a version of the Tonelli–Shanks algorithm, [3] (Lemma 5.6).

Assume that $\beta (·,·)$ is a non-degenerate symmetric bilinear form on V. It is well-known [17] (Section 1.4) that $\beta$ has Witt index 1 and that there are only two classes of equivalence of non-degenerate symmetric bilinear forms on V, and if $\beta$ belongs to one of these classes, then $ϵ\beta$, where $ϵ$ is not a square root in $\mathsf{K}$, belongs to another class.

We set $Q\left(v\right)=\beta (v,v)$; this is the quadratic form associated with $\beta$. (In the literature, the quadratic form associated with $\beta$ is frequently taken to be $Q\left(v\right)={\displaystyle \frac{1}{2}}\beta (v,v)$; it can be seen that our choice simplifies some of our calculations.)

Notice that the orthogonal groups $\mathrm{SO}(V,\beta )$ and $\mathrm{SO}(V,ϵ\beta )$ coincide elementwise for arbitrary $0\ne ϵ\in \mathsf{K}$.

It is important to keep this basic observation in mind because in the algorithms that we develop in this paper, the orthogonal groups $\mathrm{SO}(V,\beta )$ will be their sets of inputs. Moreover, they will be given to us as subsets of the matrix group ${\mathrm{GL}}_3\left(\mathsf{K}\right)$. Writing orthogonal transformations from $\mathrm{SO}(V,\beta )$ in different bases of V introduces some subtle changes, which we will have to take into account.

5.2. Two Types of Bases: Spinor and Canonical

We shall call a basis $\mathcal{B}=\{v_1,v_2,v_3\}$ of V a spinor basis if

$$\beta (v_i,v_j)=\left\{\begin{array}{cc}\lambda \mathrm{for}\mathrm{some}\mathrm{fixed}1\ne \lambda \in \mathsf{K}\hfill & \mathrm{if}i=j\hfill \\ 0\hfill & \mathrm{if}i\ne j\hfill \end{array}\right..$$

In a spinor basis, the quadratic form Q associated with $\beta$ is written by the scalar matrix $\lambda I$, and we will denote the group of matrices that preserves this form as $O_3^{♯}\left(\mathsf{K}\right)$, the corresponding special orthogonal group as ${\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)$, and its commutator subgroup as ${\Omega }_3^{♯}\left(\mathsf{K}\right)$.

Therefore,

$$O_3^{♯}\left(\mathsf{K}\right)=\{M\in {\mathrm{GL}}_3\left(\mathsf{K}\right):M^t·\lambda I·M=\lambda I\},$$

which is the same as the standard definition of the orthogonal group:

$$O_3^{♯}\left(\mathsf{K}\right)=\{M\in {\mathrm{GL}}_3\left(\mathsf{K}\right):M^{t}M=I\}.$$

We shall call a basis $\mathcal{C}=\{e,w,f\}$ of V canonical if the quadratic form Q is written in it by the matrix $\lambda J$, where

$$J=\left[\begin{array}{ccc}0& 0& 1\\ 0& -2& 0\\ 1& 0& 0\end{array}\right].$$

We define $O_3^{♭}\left(\mathsf{K}\right)$ as

$$O_3^{♭}\left(\mathsf{K}\right)=\{M\in {\mathrm{GL}}_3\left(\mathsf{K}\right):M^t·\lambda J·M=\lambda J\},$$

or, which is the same,

$$O_3^{♭}\left(\mathsf{K}\right)=\{M\in {\mathrm{GL}}_3\left(\mathsf{K}\right):M^{t}JM=J\},$$

with ${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$ and ${\Omega }_3^{♭}\left(\mathsf{K}\right)$ defined in an obvious way (the latter is the commutator of ${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$, but it can also be defined as the group of elements of spinor norm $1$).

The quadratic forms $Q^{♯}$ and $Q^{♭}$ associated with matrices I and J are $Q^{♯}={\mathsf{x}}_1^2+{\mathsf{x}}_3^2+{\mathsf{x}}_3^2$ and $Q^{♭}=-2{\mathsf{x}}_2^2+2{\mathsf{x}}_1{\mathsf{x}}_3$. When ${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)\simeq {\mathrm{PGL}}_3\left(\mathsf{K}\right)$ are seen as acting on their Lie algebra ${\mathfrak{l}}_2\left(\mathsf{K}\right)$, that is, the algebra of $2\times 2$ matrices $M=\left[\begin{array}{cc}{\mathsf{x}}_2& {\mathsf{x}}_1\\ {\mathsf{x}}_3& -{\mathsf{x}}_2\end{array}\right]$ over $\mathsf{K}$ of trace $0$, $Q^{♭}$ turns out to be most the natural quadratic form: $Q^{♭}\left(M\right)=-2detM$; of course, it is also proportional to the Killing form on ${\mathfrak{l}}_2\left(\mathsf{K}\right)$.

To summarize, the subgroups $O_3^{♯}\left(\mathsf{K}\right)$ and $O_3^{♭}\left(\mathsf{K}\right)$ in ${\mathrm{GL}}_3\left(\mathsf{K}\right)$ represent the same orthogonal group $O_3(V,\beta )$ written in two different bases; one of them is spinor, and the other is canonical. The groups $O_3^{♯}\left(\mathsf{K}\right)$ and $O_3^{♭}\left(\mathsf{K}\right)$ do not change if we replace the corresponding symmetric bilinear form $\beta$ by its non-zero scalar multiple $\lambda \beta$.

5.3. Change of Basis

In this subsection, we construct the change of basis matrix that conjugates ${\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)$ to ${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$ in ${\mathrm{GL}}_3\left(\mathsf{K}\right)$, where $\mathsf{K}$ is a black box field.

Let us take a canonical basis $\mathcal{C}=\{e,w,f\}$ with $\lambda =1$. Then,

$$\beta (e,e)=\beta (f,f)=\beta (e,w)=\beta (f,w)=0,\beta (e,f)=1,\beta (w,w)=-2.$$

In every finite field $\mathsf{K}$ of odd characteristic, there exist $\mathsf{a},\mathsf{b}\in \mathsf{K}$ such that ${\mathsf{a}}^2+{\mathsf{b}}^2=-1$, and such pairs can be easily found by the Tonelli–Shanks algorithm [3] (Lemma 5.6) in probabilistic time polynomial in $logE$. Note that we can compute $\mathsf{a}$ and $\mathsf{b}$ without knowing the characteristic of $\mathsf{K}$. Then, a direct calculation shows that the vectors

$$\begin{array}{ccc}\hfill v_1& =& e+f\hfill \\ \hfill v_2& =& -\mathsf{b}e+\mathsf{a}w+\mathsf{b}f\hfill \\ \hfill v_3& =& \mathsf{a}e+\mathsf{b}w-\mathsf{a}f\hfill \end{array}$$

form a spinor basis. Let us call it $\mathcal{B}$, and we have the change of basis matrix from $\mathcal{C}$ to $\mathcal{B}$

$$P=\left[\begin{array}{ccc}1& -\mathsf{b}& \mathsf{a}\\ 0& \mathsf{a}& \mathsf{b}\\ 1& \mathsf{b}& -\mathsf{a}\end{array}\right].$$

If $\mathsf{K}$ contains square root of $-1$, say, ${ϵ}^2=-1$, then we can take $\mathsf{a}=ϵ$, $\mathsf{b}=0$, and obtain a simpler transition matrix

$$P=\left[\begin{array}{ccc}1& 0& ϵ\\ 0& ϵ& 0\\ 1& 0& -ϵ\end{array}\right].$$

Analysis of This Calculation

The three-dimensional vector space $V={\mathsf{K}}^3$ with a non-degenerate symmetric bilinear form $\beta (·,·)$ has a model that is very natural in the context of this paper: the space (actually, the Lie algebra) ${\mathfrak{sl}}_2\left(\mathsf{K}\right)$ of $2\times 2$ matrices over $\mathsf{K}$ of trace $0$ with

$$\beta (U,V)=-\mathrm{Tr}\left(UV\right).$$

For the space ${\mathfrak{sl}}_2\left(\mathsf{K}\right)$, the matrices

$$E=\left[\begin{array}{cc}0& 0\\ -1& 0\end{array}\right],W=\left[\begin{array}{cc}1& 0\\ 0& -1\end{array}\right],F=\left[\begin{array}{cc}0& 1\\ 0& 0\end{array}\right]$$

form a canonical basis; applying construction of a spinor basis as described above, we obtain

$$V_1=\left[\begin{array}{cc}0& 1\\ -1& 0\end{array}\right],V_2=\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{b}& -\mathsf{a}\end{array}\right],V_3=\left[\begin{array}{cc}\mathsf{b}& -\mathsf{a}\\ -\mathsf{a}& -\mathsf{b}\end{array}\right].$$

The matrices $V_1,V_2,V_3$ are generators of three cyclic subgroups of order 4 in a quaternion group $\mathsf{Q}<{\mathrm{GL}}_2\left(\mathsf{K}\right)$, and they satisfy the following relations:

$$V_1^2=V_2^2=V_3^2=-1,V_1{V}_2=V_3,V_2{V}_3=V_1,V_3{V}_1=V_2.$$

Our previous paper [3] (Section 9) explains why finding a quaternion subgroup $\mathsf{Q}$ amounts to constructing of a spinor basis in ${\mathfrak{sl}}_2\left(\mathsf{K}\right)$ in a pure black box and hence coordinate-free context. In [3] (Section 8), computing in a black box group $\mathsf{X}\vDash {\mathrm{PGL}}_2\left(\mathbb{F}\right)$, we construct the image $\overline{\mathsf{Q}}$ of $\mathsf{Q}$ in $\mathsf{X}$ and its normalizer $N_{\mathsf{X}}\left(\overline{\mathsf{Q}}\right)\vDash {\mathrm{Sym}}_4$, and this is one of the key steps in the algorithm developed in [3].

5.4. Isomomorphisms ${\mathrm{PGL}}_2\left(\mathsf{K}\right)⟷{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$

Proposition 1.

Let $\mathsf{K}$ be a black box finite field and let E be a global exponent for the multiplicative group ${\mathsf{K}}^{*}$. Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in $logE$, two-way isomorphism

$$\mathsf{\Phi }:{\mathrm{PGL}}_2\left(\mathsf{K}\right)⟶{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right),{\mathsf{\Phi }}^{-1}:{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)⟶{\mathrm{PGL}}_2\left(\mathsf{K}\right).$$

The algorithm runs in time polynomial in $logE$.

Proof. 

The required isomorphism comes from the action of ${\mathrm{GL}}_2\left(\mathsf{K}\right)$ on the Lie algebra $\mathfrak{l}={\mathfrak{sl}}_2\left(\mathsf{K}\right)$ of $2\times 2$ matrices over $\mathsf{K}$ of trace $0$. Following Section 5.3, we choose a canonical basis in $\mathfrak{l}$ as

$$E=\left[\begin{array}{cc}0& 0\\ -1& 0\end{array}\right],W=\left[\begin{array}{cc}1& 0\\ 0& -1\end{array}\right],F=\left[\begin{array}{cc}0& 1\\ 0& 0\end{array}\right].$$

Let

$$A=\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]\in {\mathrm{GL}}_2\left(\mathsf{K}\right),$$

then

$$A^{-1}={\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left[\begin{array}{cc}\mathsf{d}& -\mathsf{b}\\ -\mathsf{c}& \mathsf{a}\end{array}\right],$$

and it is easy to compute

$$\begin{array}{ccc}\hfill E^A& =& {\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left[\begin{array}{cc}\mathsf{ab}& {\mathsf{b}}^2\\ -{\mathsf{a}}^2& -\mathsf{ab}\end{array}\right]\hfill \\ & =& {\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left({\mathsf{a}}^{2}E+\mathsf{ab}W+{\mathsf{b}}^{2}F\right),\hfill \\ \hfill W^A& =& {\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left[\begin{array}{cc}\mathsf{ad}+\mathsf{bc}& 2\mathsf{bd}\\ -2{\mathsf{ac}}^2& -\mathsf{ad}-\mathsf{bc}\end{array}\right]\hfill \\ & =& {\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left(2\mathsf{ac}E+(\mathsf{ad}+\mathsf{bc})W+2\mathsf{bd}F\right),\hfill \\ \hfill F^A& =& {\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left[\begin{array}{cc}\mathsf{cd}& {\mathsf{d}}^2\\ -{\mathsf{c}}^2& -\mathsf{cd}\end{array}\right]\hfill \\ & =& {\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left({\mathsf{c}}^{2}E+\mathsf{cd}W+{\mathsf{d}}^{2}F\right).\hfill \end{array}$$

Therefore, the conjugation by the matrix $A=\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]$ is written in the basis E, W, F by the matrix

$${\displaystyle \frac{1}{\mathsf{ad}-\mathsf{bc}}}\left[\begin{array}{ccc}{\mathsf{a}}^2& 2\mathsf{ac}& {\mathsf{c}}^2\\ \mathsf{ab}& \mathsf{ad}+\mathsf{bc}& \mathsf{cd}\\ {\mathsf{b}}^2& 2\mathsf{bd}& {\mathsf{d}}^2\end{array}\right],$$

and we have a homomorphism from ${\mathrm{GL}}_2\left(\mathsf{K}\right)$ to ${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$:

$$A=\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]\mapsto \left[\begin{array}{ccc}{\mathsf{a}}^2\delta & 2\mathsf{ac}\delta & {\mathsf{c}}^2\delta \\ \mathsf{ab}\delta & (\mathsf{ad}+\mathsf{bc})\delta & \mathsf{cd}\delta \\ {\mathsf{b}}^2\delta & 2\mathsf{bd}\delta & {\mathsf{d}}^2\delta \end{array}\right],$$

(1)

where $\delta =1/(\mathsf{ad}-\mathsf{bc})$. It is easy to check that the kernel of this homomorphism is the group of scalar matrices and results in an isomorphism

$$\mathsf{\Phi }:{\mathrm{PGL}}_2\left(\mathsf{K}\right)⟶{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right).$$

The inverse isomomorphism

$${\mathsf{\Phi }}^{-1}:{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)⟶{\mathrm{PGL}}_2\left(\mathsf{K}\right)$$

can now be found with ease. Note that we can construct, if they exist, the square roots of the elements of the black box field $\mathsf{K}$ in time polynomial in $logE$ by [3] (Lemma 5.6).

Assume that we are given a matrix

$$B=\left[\begin{array}{ccc}{\mathsf{b}}_{11}& {\mathsf{b}}_{12}& {\mathsf{b}}_{13}\\ {\mathsf{b}}_{21}& {\mathsf{b}}_{22}& {\mathsf{b}}_{23}\\ {\mathsf{b}}_{31}& {\mathsf{b}}_{32}& {\mathsf{b}}_{33}\end{array}\right]\in {\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$$

and wish to find $A=\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]$ such that $\mathsf{\Phi }\left(A\right)=B$. Because of Equation (1), this amounts to solving the system of equations in variables $\mathsf{a},\mathsf{b},\mathsf{c},\mathsf{d}$

$$\left[\begin{array}{ccc}{\mathsf{a}}^2\delta & 2\mathsf{ac}\delta & {\mathsf{c}}^2\delta \\ \mathsf{ab}\delta & (\mathsf{ad}+\mathsf{bc})\delta & \mathsf{cd}\delta \\ {\mathsf{b}}^2\delta & 2\mathsf{bd}\delta & {\mathsf{d}}^2\delta \end{array}\right]=\left[\begin{array}{ccc}{\mathsf{b}}_{11}& {\mathsf{b}}_{12}& {\mathsf{b}}_{13}\\ {\mathsf{b}}_{21}& {\mathsf{b}}_{22}& {\mathsf{b}}_{23}\\ {\mathsf{b}}_{31}& {\mathsf{b}}_{32}& {\mathsf{b}}_{33}\end{array}\right]$$

(2)

It is easy to see that at least one of the matrix elements ${\mathsf{b}}_{11},{\mathsf{b}}_{13},{\mathsf{b}}_{31},{\mathsf{b}}_{33}$ is not zero; assume that ${\mathsf{b}}_{11}\ne 0$, and other cases can be treated similarly.

If ${\mathsf{b}}_{11}={\mathsf{a}}^2\delta$ has no square root in $\mathsf{K}$, then $\delta$ also has no square root. In that case, pick some $\gamma$ that is not a square root in $\mathsf{K}$; alternatively, set $\gamma =1$. In both cases, $\delta \gamma$ is a square and, for the sake of argument, denote (but do not compute—we cannot compute because we do not know $\delta$)

$${ϵ}^2=\delta \gamma ,$$

and compute

$${\mathsf{b}}_{ij}^{\prime }={\mathsf{b}}_{ij}\gamma \mathrm{for}i,j=1,2,3.$$

This allows us to rewrite Equation (2) as

$$\left[\begin{array}{ccc}{\mathsf{a}}^2{ϵ}^2& 2\mathsf{ac}{ϵ}^2& {\mathsf{c}}^2{ϵ}^2\\ \mathsf{ab}{ϵ}^2& (\mathsf{ad}+\mathsf{bc}){ϵ}^2& \mathsf{cd}{ϵ}^2\\ {\mathsf{b}}^2{ϵ}^2& 2\mathsf{bd}{ϵ}^2& {\mathsf{d}}^2{ϵ}^2\end{array}\right]=\left[\begin{array}{ccc}{\mathsf{b}}_{11}^{\prime }& {\mathsf{b}}_{12}^{\prime }& {\mathsf{b}}_{13}^{\prime }\\ {\mathsf{b}}_{21}^{\prime }& {\mathsf{b}}_{22}^{\prime }& {\mathsf{b}}_{23}^{\prime }\\ {\mathsf{b}}_{31}^{\prime }& {\mathsf{b}}_{32}^{\prime }& {\mathsf{b}}_{33}^{\prime },\end{array}\right]$$

(3)

which can be immediately solved. If ${\mathsf{b}}_{12}^{\prime }\ne 0$, then we set

$$\begin{array}{ccc}\hfill \sqrt{{\mathsf{b}}_{11}^{\prime }}& =& \mathsf{a}ϵ\hfill \\ \hfill {\displaystyle \frac{{\mathsf{b}}_{21}^{\prime }}{\sqrt{{\mathsf{b}}_{11}^{\prime }}}}& =& \mathsf{b}ϵ\hfill \\ \hfill {\displaystyle \frac{{\mathsf{b}}_{12}^{\prime }}{2\sqrt{{\mathsf{b}}_{11}^{\prime }}}}& =& \mathsf{c}ϵ\hfill \\ \hfill {\displaystyle \frac{2{\mathsf{b}}_{23}^{\prime }·\sqrt{{\mathsf{b}}_{11}^{\prime }}}{{\mathsf{b}}_{12}^{\prime }}}& =& \mathsf{d}ϵ.\hfill \end{array}$$

If ${\mathsf{b}}_{12}^{\prime }=0$, then similar computations yield us the matrix

$$ϵ\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]=ϵA$$

which is the same element of ${\mathrm{PGL}}_2\left(\mathsf{K}\right)$ as A. Notice that we do not compute $\delta$ and $ϵ$.

This establishes the isomorphism ${\mathsf{\Phi }}^{-1}:{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)⟶{\mathrm{PGL}}_2\left(\mathsf{K}\right).$ □

6. Construction of a Proxy for $\mathsf{Y}\vDash {\mathrm{SL}}_2$

In this section, we present the proof of Theorem 1. The following lemma is crucial.

Lemma 1.

Let X and Y be two groups isomorphic to ${\mathrm{SL}}_2\left(\mathbb{F}\right)$ over a finite field $\mathbb{F}$ of odd characteristic, then any surjective homomorphism

$$X⟶Y/Z\left(Y\right)$$

can be lifted to a homomorphism

$$X⟶Y,$$

and this homomorphism is unique.

Proof. 

The proof immediately follows from the well-known property: every automorphism of $Y/Z\left(Y\right)$ can be lifted to an automorphism of Y, and this automorphism of Y is unique. □

To prove Theorem 1, we need some details of the constructions from [3], which we shall give a summary here. Let $\mathsf{Y}\vDash {\mathrm{SL}}_2\left(\mathbb{F}\right)$. We construct two cyclic subgroups $\mathsf{S}$ (torus of order twice odd number) and $\mathsf{R}$ (torus containing an element of order 4) in $\mathsf{Y}$ and form the direct product $\mathsf{Y}\times \mathsf{Y}$. Then, we consider the black box subgroup ${\mathsf{X}}^{*}$ that is generated in $\mathsf{Y}\times \mathsf{Y}$ by the pairs $(\mathsf{s},\mathsf{s})$ for $\mathsf{s}\in \mathsf{S}$ and $(\mathsf{r},{\mathsf{r}}^{-1})$ for $\mathsf{r}\in \mathsf{R}$. Now, $\mathsf{X}=({\mathsf{X}}^{*}/Z\left({\mathsf{X}}^{*}\right))\langle \delta \rangle \vDash {\mathrm{PGL}}_2\left(\mathbb{F}\right)$, where $\delta$ is the involution swapping the two copies of $\mathsf{Y}$ in $\mathsf{Y}\times \mathsf{Y}$. Using the results in [3], these constructions lead up to a construction of a black box field $\mathsf{K}\vDash \mathbb{F}$ and the morphisms

$$\mathsf{X}⟷{\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right).$$

6.1. Construction of the Morphism ${\mathrm{SL}}_2\left(\mathsf{K}\right)\to \mathsf{Y}$

Through the construction of the morphisms

$$\mathsf{X}⟷{\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)$$

from [3] and

$${\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)⟷{\mathrm{PGL}}_2\left(\mathsf{K}\right)$$

in Section 5.4, together with

$${\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)⟷{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)$$

in Section 5.3, we have a chain of morphisms

$$\mathsf{X}⟷{\mathrm{SO}}_3^{♯}\left(\mathsf{K}\right)⟷{\mathrm{SO}}_3^{♭}\left(\mathsf{K}\right)⟷{\mathrm{PGL}}_2\left(\mathsf{K}\right).$$

Reading this diagram from right to left and restricting the map to ${\mathrm{PSL}}_2\left(\mathsf{K}\right)$, we can obtain a chain of morphisms

$${\mathrm{PSL}}_2\left(\mathsf{K}\right)⟶{\Omega }_3^{♯}\left(\mathsf{K}\right)⟶{\mathsf{X}}^{*}/Z\left({\mathsf{X}}^{*}\right),$$

then we expand it to

$${\mathrm{SL}}_2\left(\mathsf{K}\right)⟶{\mathrm{PSL}}_2\left(\mathsf{K}\right)⟶{\Omega }_3^{♯}\left(\mathsf{K}\right)⟶{\mathsf{X}}^{*}/Z\left({\mathsf{X}}^{*}\right)⟶\mathsf{Y}/Z\left(\mathsf{Y}\right),$$

where the last arrow is induced by the natural projection of ${\mathsf{X}}^{*}=\mathsf{Y}\times \mathsf{Y}$ on its direct factor. Hence, we have a morphism

$$\varphi :{\mathrm{SL}}_2\left(\mathsf{K}\right)⟶\mathsf{Y}/Z\left(\mathsf{Y}\right).$$

Now, we shall lift this morphism $\varphi$ to the desired morphism

$$\psi :{\mathrm{SL}}_2\left(\mathsf{K}\right)⟶\mathsf{Y}.$$

Let $\mathsf{z}\in Z\left(\mathsf{Y}\right)$ be the central involution of $\mathsf{Y}$. If $\mathsf{x}\in {\mathrm{SL}}_2\left(\mathsf{K}\right)$, then $\varphi \left(\mathsf{x}\right)$ is a coset in $\mathsf{Y}$ made of two elements, say $\mathsf{y}$ and $\mathsf{yz}$. If $\mathsf{x}$ is of odd order, then one of the elements in the coset $\{\mathsf{y},\mathsf{yz}\}$ has odd order and, by Lemma 1, is equal to the image $\psi \left(\mathsf{x}\right)$ of $\mathsf{x}$.

It is well-known that every matrix $\mathsf{x}\in {\mathrm{SL}}_2\left(\mathsf{K}\right)$ can be written as a product of $k⩽4$ transvections, $\mathsf{x}={\mathsf{x}}_1\dots {\mathsf{x}}_k$; explicit formulae are in [17] (pp. 81–82). Indeed, if

$$\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]\in {\mathrm{SL}}_2\left(\mathsf{K}\right)$$

and $\mathsf{c}\ne 0$, then

$$\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]=\left[\begin{array}{cc}1& (\mathsf{a}-1){\mathsf{c}}^{-1}\\ 0& 1\end{array}\right]\left[\begin{array}{cc}1& 0\\ \mathsf{c}& 1\end{array}\right]\left[\begin{array}{cc}1& (\mathsf{d}-1){\mathsf{c}}^{-1}\\ 0& 1\end{array}\right].$$

If $\mathsf{b}\ne 0$, we have

$$\left[\begin{array}{cc}\mathsf{a}& \mathsf{b}\\ \mathsf{c}& \mathsf{d}\end{array}\right]=\left[\begin{array}{cc}1& 0\\ (\mathsf{d}-1){\mathsf{b}}^{-1}& 1\end{array}\right]\left[\begin{array}{cc}1& \mathsf{b}\\ 0& 1\end{array}\right]\left[\begin{array}{cc}1& 0\\ (\mathsf{a}-1){\mathsf{b}}^{-1}& 1\end{array}\right].$$

If $\mathsf{b}=\mathsf{c}=0$, we have

$$\left[\begin{array}{cc}\mathsf{a}& 0\\ 0& {\mathsf{a}}^{-1}\end{array}\right]=\left[\begin{array}{cc}1& 0\\ {\mathsf{a}}^{-1}-1& 1\end{array}\right]\left[\begin{array}{cc}1& 1\\ 0& 1\end{array}\right]\left[\begin{array}{cc}1& 0\\ \mathsf{a}-1& 1\end{array}\right]\left[\begin{array}{cc}1& -{\mathsf{a}}^{-1}\\ 0& 1\end{array}\right].$$

Since we work in fields of odd characteristic, transvections are elements of odd order, and the previous argument allows us to compute $\psi \left(\mathsf{x}\right)$ as

$$\psi \left(\mathsf{x}\right)=\psi \left({\mathsf{x}}_1\right)\cdots \psi \left({\mathsf{x}}_k\right).$$

6.2. Construction of the Morphism $\mathsf{Y}\to {\mathrm{SL}}_2\left(\mathsf{K}\right)$

To construct the reverse morphism presented in Section 6.1, it is important to observe that the morphism

$$\psi :{\mathrm{SL}}_2\left(\mathsf{K}\right)⟶\mathsf{Y}$$

is reversible on $\mathsf{S}$ and $\mathsf{R}$, since we have natural maps

$$\mathsf{S}⟶{\mathsf{X}}^{*}\mathrm{and}\mathsf{R}⟶{\mathsf{X}}^{*}$$

and we can map them back to ${\mathrm{SL}}_2\left(\mathsf{K}\right)$.

Now, we show how to reverse $\psi$ on the entire $\mathsf{Y}$. Let us denote $\overline{\mathsf{Y}}=\mathsf{Y}/Z\left(\mathsf{Y}\right)$. Abusing notation, we may use the same notation for elements in $\overline{\mathsf{Y}}\vDash {\mathrm{PSL}}_2$ as for elements in $\mathsf{Y}\vDash {\mathrm{SL}}_2$.

Indeed, it will suffice to reverse the map $\rho$ induced by $\psi$ on

$$\rho :{\mathrm{PSL}}_2\left(\mathsf{K}\right)⟶\overline{\mathsf{Y}},$$

and have a morphism

$${\rho }^{-1}:\overline{\mathsf{Y}}⟶{\mathrm{PSL}}_2\left(\mathsf{K}\right),$$

expand it to

$$\sigma :\mathsf{Y}⟶{\mathrm{PSL}}_2\left(\mathsf{K}\right)$$

and then lift it to a map

$$\theta :\mathsf{Y}⟶{\mathrm{SL}}_2\left(\mathsf{K}\right).$$

Let us call elements in $\overline{\mathsf{Y}}$ with already known preimages in ${\mathrm{PSL}}_2\left(\mathsf{K}\right)$ “white”. Obviously, products of white elements are white.

We shall prove that every element in $\mathsf{Y}$ is white.

Lemma 2.

All elements in $N_{\overline{\mathsf{Y}}}\left(\mathsf{S}\right)$ and $N_{\overline{\mathsf{Y}}}\left(\mathsf{R}\right)$ are white.

Proof. 

It suffices to prove the statement for involutions in $N_{\overline{\mathsf{Y}}}\left(\mathsf{S}\right)\setminus \mathsf{S}$. We first construct one such involution. Since the elements of $\mathsf{S}$ are white, we can represent any element from $\mathsf{S}$ by $2\times 2$ matrices with entries from $\mathsf{K}$. Let $\mathsf{s}\in \mathsf{S}$ be an element of order bigger than or equal to 3, and let M be its image in ${\mathrm{SL}}_2\left(\mathsf{K}\right)$. Then we need to locate an involution $A\in {\mathrm{SL}}_2\left(\mathsf{K}\right)$ satisfying $M^A=M^{-1}$ which is equivalent to $MA=A{M}^{-1}$. The entries of such a matrix A can be found by solving a system of linear equations over the black box field $\mathsf{K}$. Now, by using the map $\psi$ from Section 6.1, we construct a white element $\mathsf{u}=\psi \left(A\right)\in N_{\overline{\mathsf{Y}}}\left(\mathsf{S}\right)\setminus \mathsf{S}$. Now, any other involution $\mathsf{t}\in N_{\overline{\mathsf{Y}}}\left(\mathsf{S}\right)$ can be written as $\mathsf{t}=\mathsf{u}·\mathsf{u}\mathsf{t}$, with $\mathsf{u}\mathsf{t}\in \mathsf{S}$ being a white element. □

Lemma 3.

If $\mathsf{a}$ is a white involution then all elements in $C_{\overline{\mathsf{Y}}}\left(\mathsf{a}\right)$ are white.

Proof. 

One of the white tori $\mathsf{S}$ or $\mathsf{R}$ contains an involution; without loss of generality, we can assume that this is $\mathsf{s}\in \mathsf{S}$. Being white involutions, $\mathsf{a}$ and $\mathsf{s}$ are conjugate by a white element (we can do the corresponding calculation in ${\mathrm{PSL}}_2\left(\mathsf{K}\right)$); hence, $C_{\overline{\mathsf{Y}}}\left(\mathsf{a}\right)$ is conjugate to the white subgroup $C_{\overline{\mathsf{Y}}}\left(\mathsf{s}\right)=N_{\overline{\mathsf{Y}}}\left(\mathsf{S}\right)$ by a white element and is therefore white. □

We can now complete construction of ${\rho }^{-1}:\overline{\mathsf{Y}}⟶{\mathrm{PSL}}_2\left(\mathsf{K}\right)$.

Lemma 4.

Every involution in $\overline{\mathsf{Y}}$ is white.

Proof. 

Let $\mathsf{t}\in \overline{\mathsf{Y}}$ be an involution. Taking random white involutions (that is, images of random involutions from ${\mathrm{PSL}}_2\left(\mathsf{K}\right)$), we can find a white involution $\mathsf{a}$ such that the product $\mathsf{a}\mathsf{t}$ is of even order, thus yielding an involution $\mathsf{z}$ commuting with both $\mathsf{a}$ and $\mathsf{t}$; this involution $\mathsf{z}$ is therefore white. This means that we can produce random white involutions in $C_{\overline{\mathsf{Y}}}\left(\mathsf{t}\right)$ until they generate a white dihedral subgroup containing $\mathsf{t}$. □

Lemma 5.

Every element of $\overline{\mathsf{Y}}$ is white.

Proof. 

Applying the same arguments in [3] (Lemma 5.4), we have a Las Vegas polynomial time algorithm with which we can write every element of $\overline{\mathsf{Y}}$ as a product of involutions. Since every involution is white, every element is white. □

We can now complete the proof of Theorem 1. Indeed, we have the inverse morphism ${\rho }^{-1}$ and we thus have a morphism

$$\sigma :\mathsf{Y}⟶{\mathrm{PSL}}_2\left(\mathsf{K}\right).$$

Let $\mathsf{y}\in \mathsf{Y}$. We can compute $\sigma \left(\mathsf{y}\right)$ as the coset in ${\mathrm{PSL}}_2\left(\mathsf{K}\right)$ consisting of two elements $\mathsf{u}$ and $\mathsf{v}$, and compute $\rho \left(\mathsf{u}\right)$. If $\rho \left(\mathsf{u}\right)=\mathsf{y}$, then $\theta \left(\mathsf{y}\right)=\mathsf{u}$; otherwise, $\theta \left(\mathsf{y}\right)=\mathsf{v}$.

7. Construction of a Proxy for $\mathsf{Y}\vDash {\mathrm{PSL}}_2$ and $\mathsf{Y}\vDash {\mathrm{PGL}}_2$

If $\mathsf{X}\vDash {\mathrm{PGL}}_2\left(\mathbb{F}\right)$, the proof of Theorem 2 is a simple combination of Remark 1 and Proposition 1.

If $\mathsf{X}\vDash {\mathrm{PSL}}_2\left(\mathbb{F}\right)$, the proof is a slight modification of arguments of Section 6.

8. GAP Code

The isomorphism from the group ${\mathrm{SL}}_2\left(\mathbb{F}\right)$, given in its natural representation to a black box group encrypting ${\mathrm{SL}}_2\left(\mathbb{F}\right)$, is implemented in GAP [18] where $\mathbb{F}$ is a field of prime order. We present our GAP code at https://github.com/sukru-yalcinkaya/SL2Morphisms, accessed on 29 October 2025.

Our implementation takes a group element from ${\mathrm{SL}}_2\left(\mathbb{F}\right)$, as it is represented in GAP and computes its image in the black box group encrypting ${\mathrm{SL}}_2\left(\mathbb{F}\right)$. The correctness of the isomorphism can be verified by a user by comparing, for example, the well-known Chevalley Commutator Formulas between the elements in the natural ${\mathrm{SL}}_2$ and their images in the black box group.

In our implementation, the only GAP functions employed are the black box operations described in BB1–BB3, namely group multiplication, inversion, identity testing, together with the generation of pseudo-random elements. For an exponent, we use the order of the group ${\mathrm{SL}}_2\left(\mathbb{F}\right)$. We emphasize that operations such as computing the orders of group elements are not used. The code is intended primarily to be a proof of concept rather than a fully practical implementation, leaving considerable room for optimization and extension. Further discussion of our implementation can be found in [19]; see also our GitHub repository above.