1. Introduction
In computations with finite groups, one of the central problems has a deceptively simple formulation:
Given a set of matrices of size over a given field of characteristic p, determine if they generate a group isomorphic to . If so, find a nontrivial unipotent element in G (i.e., an element of order p) in time polynomial in , and .
This problem was posed by Babai and Beals in the context of black box groups in 1999 [1]. Solutions were discovered only much later, in [2] for and in [3] for odd p.
Our approach to its solution in [3] was based on the use of two concepts: black box groups introduced by Babai and Szemerédi in [4], and black box fields originating from the papers [5,6]. These concepts are discussed in Section 2; they significantly expand the range of tools and methods, even for problems in matrix groups over finite fields.
In [3], we presented an algorithm constructing the adjoint representation of a black box group encrypting for a field of odd order, that is, we constructed within a black box field encrypting and represented elements of as orthogonal matrices with entries from this black box field . In the present paper, we considerably extend this result: we produce an algorithm that constructs the natural representation of a black box group encrypting . The need for such a construction arises from the fact that constructive recognition algorithms for black box groups of Lie type of higher rank involve a constructive recognition of a black box group encrypting , see [7,8,9,10,11,12,13], where it was postulated as being provided by a -oracle. These papers also used the discrete logarithm oracle in along with a -oracle. We wish to emphasize that we make no use of any oracles.
We prove the following theorem (notation and terminology are explained in Section 2).
Theorem 1. Let be a black box group encrypting , where is an unknown finite field of unknown odd characteristic, and E be a global exponent for , that is, for all . Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in , the following:
- (a) A black box field encrypting ;
- (b) Isomorphisms that run in probabilistic time polynomial in .
We call the pair of isomorphisms and constructed in Theorem 1 a structural approximation of the black box group and call the matrix group its structural proxy.
Most groups of Lie type (we exclude series , , and ) can be seen as functors from the category of commutative unital rings with involution (that is, an automorphism of order ) to the category of groups. There are other algebraic structures that can be defined in a similar functorial way, such as functors . For example, finite-dimensional simple associative algebras and finite-dimensional simple Lie algebras can be viewed as rings. The corresponding structural proxy problem can be stated as follows.
Construction of a structural proxy. Suppose that we are given a black box structure . Construct, in probabilistic polynomial in time, where is the uniform length of the strings in , the following:
- A black box field ;
- Probabilistic polynomial time isomorphisms: and
Remark 1. One of the principal results of [3] amounts to construction of a structural proxy for a black box group encrypting , where is an unknown finite field of unknown odd characteristic and . In this paper, we have another structural proxy for , with being the same black box field. Indeed, in Section 7, we construct an efficient isomorphism between and . The existence of this isomorphism is well-known but its efficient computational realization needs a delicate treatment.
Theorem 2. Let be a black box group encrypting or , where is an unknown finite field of unknown odd characteristic, and let E be a global exponent for . Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in , structural proxies or respectively.
Theorem 3. Let be a black box group encrypting one of the groups , or , where is the standard explicitly given finite field of known characteristic. Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in , isomorphisms respectively. Our algorithm runs in probabilistic polynomial time in .
The proof of Theorem 3 follows from a construction of an isomorphism from to , which is given in [6]. Note that the isomorphism in Theorem 3 could be seen as a “half -oracle”. Moreover, when the characteristic of is small (in the sense that we can invert the isomorphism of prime fields and construct a look-up table for the inverse isomorphism ), we can reverse the isomorphism from to by using the results from [6], which establish a full -oracle, that is, probabilistic polynomial time two-way isomorphisms between and . Now, if we call such finite fields tame fields, then we have the following theorem.
Theorem 4. For a black box group encrypting over a tame field , there exists a polynomial time Las Vegas algorithm constructing a two-way isomorphism
Notice that the finite fields of characteristic can be easily seen as tame fields.
Notice also that if , then all our theorems are obviously true and do not require the methods developed in this paper, since we can list elements of and provide necessary isomorphisms with no difficulty in these cases. For technical results in this paper, we assume that . We note that all classical black box groups over small fields can be recognized efficiently by the algorithms in [14].
2. Axiomatic Description of Black Box Algebraic Structures
A black box algebraic structure is a black box (device, algorithm, or oracle), which produces and operates with 0–1 strings of uniform length encrypting (not necessarily in a unique way) elements of some fixed algebraic structure A: if is one of these strings, then it corresponds to a unique (but unknown to us) element . Here, is the decrypting map, not necessarily known to us in advance.
- BB1 On request, produces a string of fixed length , which depends on , encrypting an element for some fixed explicitly given algebraic structure A; this is done in time polynomial in . When this procedure is repeated, the elements are independent and uniformly distributed in A.
In this paper, we work only with groups and fields so we assume that operations on A are unary or binary; a general case can be treated in exactly the same way.
- BB2 On request, performs algebraic operations on the encrypted strings, which correspond to operations in A in a way that makes the map (unknown to us) a homomorphism: for every binary (unary case is similar) operation ⊡ and strings and produced or computed by ,
It should be noted that we do not assume the existence of an algorithm which allows us to decide whether a specific string can be potentially produced by ; requests for operations on strings can be made only in relation to strings previously output by . Also, we do not make any assumptions on probabilistic distribution of strings.
- BB3 On request, determines, in time polynomial in , whether two strings and encrypt the same element in A, that is, checks whether .
We say in this situation that a black box encrypts the algebraic structure A and we write .
Clearly, in black box problems, the decrypting map is not given in advance. However, it is useful to think about any algebraic structure (say, a finite field) implemented on a computer as a trivial black box, with being the identity map, and with random elements produced with the help of a random number generator. In this situation, obviously, the axioms BB1–BB3 hold.
In our algorithms, we have to build new black boxes from existing ones and work with several black box structures at once. This is why we have to keep track of the length on which a specific black box operates. For example, it turns out in [3] that it is useful to consider an automorphism of A as a graph in . This produces another algebraic structure isomorphic to A, which can be seen as being encrypted by a black box producing, and operating on, certain pairs of strings from ; see [3] for more examples. In this case, clearly, .
Axiom BB1 is the only difference between our axioms and the original set up of Babai and Szemerédi [4]. When we construct a new black box structure from , operations on are usually more expensive than a direct construction of random elements in from random elements in . This is the case, for example, of a black box field constructed from a black box projective plane constructed from a black box group , which, in turn, is constructed from a black box group [3]. Another example where Axiom BB1 is very natural is the analysis of an impersonation attack on homomorphic encryption [15]. Here, the supply of random elements is achieved simply by picking random codewords from the intercepted communication traffic.
3. Black Box Fields
We use Axioms BB1–BB3 to define black box fields with a few obvious changes in the wording. In Axiom BB2, we assume that the black box can perform the addition, multiplication, and inversion in the field. The reader may wish to compare our exposition with [5]. We remind the reader that, in this paper, we do not necessarily know the characteristic of the field. Therefore, we slightly generalize the definition of a black box field given in [5,6] by removing the assumption that the characteristic of the field is known. We refer the reader to [5,6] for more details of black box fields of known characteristic.
When we are dealing with the isomorphism in Theorem 3, we first construct a field isomorphism between an explicitly given finite field and a black box field . Clearly, this leads to an isomorphism . In this situation, the characteristic p of is given, and to construct such an isomorphism, we will use some results about the isomorphism problem for black box fields of known characteristic p [6]. The explicit data for a finite field of cardinality is defined to be a system of structure constants over the prime field, that is, elements of the prime field (represented as integers in ) so that becomes a field with ordinary addition and multiplication by elements of , and multiplication determined by
where denotes a basis of over . The concept of an explicitly given field of order is robust; indeed, Lenstra Jr. has shown in [16] (Theorem 1.2) that for any two fields, A and B of order given by two sets of structure constants and , an isomorphism can be constructed in time polynomial in .
By an efficient isomorphism between a black box field and an explicitly given finite field , we mean an algorithm constructing such an isomorphism in time polynomial in the input length, that is, we find a procedure that computes images and preimages in time polynomial in n and .
One of the key results on black box fields belongs to Maurer and Raub [6]; its statement and proof can be reformulated to yield the following result.
Theorem 5. Let be a black box field of known characteristic p encrypting an explicitly given finite field and the prime subfield of . Then, the isomorphism problem between and can be efficiently reduced to the isomorphism problem between and . In particular,
- an efficient isomorphism can be extended in time polynomial in the input length to an efficient isomorphism
- there exists an isomorphism computable in time polynomial in .
In our terminology, Theorem 5 provides a structural proxy for black box fields of known characteristic. Indeed, if is a black box field of known characteristic p, then we can construct an isomorphism by the map
where is the unit in ; it is computable in linear in time by the double-and-add method. Construction of an isomorphism remains an open problem when p is an astronomically large prime.
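The axioms BB1–BB3 of Section 2 and the double-and-add map from the prime field into a black box field described above can be tried out on a toy black box. The following Python sketch is an added example, not the authors' GAP code; the class `BlackBoxField`, its method names, the `ops` counter and `embed_prime_field` are assumptions made for illustration.

```python
import secrets

class BlackBoxField:
    """Toy black box encrypting Z/pZ (constructed for illustration).
    Elements are opaque fixed-length strings; one element has many strings."""

    def __init__(self, p):
        self._p = p          # hidden: callers never read the characteristic
        self._dec = {}       # decrypting map: string -> field element
        self.ops = 0         # number of field operations requested so far

    def _enc(self, value):
        s = secrets.token_hex(8)             # fresh string for every output
        self._dec[s] = value % self._p
        return s

    def _op(self, value):
        self.ops += 1
        return self._enc(value)

    def random(self):                        # BB1: uniform random element
        return self._enc(secrets.randbelow(self._p))

    def one(self):                           # the unit of the field
        return self._enc(1)

    # BB2: operations; a KeyError is raised for strings the box never produced
    def add(self, x, y):
        return self._op(self._dec[x] + self._dec[y])

    def mul(self, x, y):
        return self._op(self._dec[x] * self._dec[y])

    def neg(self, x):
        return self._op(-self._dec[x])

    def inv(self, x):
        return self._op(pow(self._dec[x], -1, self._p))

    def eq(self, x, y):                      # BB3: do x and y encrypt the same element?
        return self._dec[x] == self._dec[y]


def embed_prime_field(bb, k):
    """Send the integer k to a string encrypting k*1, by double-and-add."""
    one = bb.one()
    acc = bb.add(one, bb.neg(one))           # zero, built from the unit
    for bit in bin(k)[2:]:
        acc = bb.add(acc, acc)               # double
        if bit == "1":
            acc = bb.add(acc, one)           # add the unit
    return acc
```

The number of black box additions is at most twice the bit length of k plus two, which is the linear cost mentioned above; the reverse direction has no such shortcut.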
4. Plan of Proof of Theorem 1
Let , where is an unknown finite field of unknown odd characteristic. It is easy to see that at least half of the elements in are of even order. Therefore, by using the standard method [3] (Section 4.7), we can easily construct an involution in but contains only one involution—the generator of the center.
In the proof of Theorem 1, we first redefine the equality of strings in in the following way to be able to pass to the quotient group :
Then, we use algorithms developed in [3] (Theorem 1.3) for the black box group to construct a black box group , a black box field , and computable, in polynomial time, homomorphisms
We note here that we can add and multiply elements and take additive and multiplicative inverses of (non-zero) elements of the black box field (see [3] (Section 9)). Furthermore, the two isomorphisms are inverses of each other ([3] (Section 11)).
It is well-known that is isomorphic to , and we need to present an efficient algorithm constructing such an isomorphism. We deal with this problem in Section 6.
The group arises in [3] as the group of matrices from preserving the quadratic form with the matrix
we will denote this group as .
It turns out that it is much more convenient to compute in the orthogonal groups preserving the quadratic form with the matrix
we will denote this group as .
Of course, the two groups and are conjugate in ; the computation of the conjugating (change of basis) matrix is very easy if contains , but it requires more attention if does not contain ; see Section 5.3.
After that we obtain the homomorphisms
and focus on its restriction
We reverse the first homomorphism, making it
(this step requires a careful analysis of the corresponding constructions from [3]) and then lift the resulting isomorphisms
to
This is performed in Section 6.
It will become clear that the appropriate fragments of this proof, together with [17], provide a proof of Theorem 2; see Section 7.
5. Orthogonal Groups in Two Types of Bases
5.1. Generalities on Symmetric Bilinear Forms
Let V be a vector space of dimension 3 over a black box field , where is an unknown finite field of unknown odd characteristic. An important additional assumption that we are making is that we are given a computationally feasible global exponent for , that is, a natural number E such that for all , so that we can compute square roots in , when they exist, by a version of the Tonelli–Shanks algorithm [3] (Lemma 5.6).
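One way a square root routine can work when only a global exponent E is available, and neither the characteristic nor the field order is used, is sketched below. This is an added example in Python, not the algorithm of [3] (Lemma 5.6); the function names and the sample field built by `demo_field` are assumptions, and the field is passed in only through its multiplication, equality test, unit and random element generator.

```python
import random

def bb_pow(mul, one, x, n):
    """Square-and-multiply using only the black box multiplication."""
    result = one
    while n:
        if n & 1:
            result = mul(result, x)
        x = mul(x, x)
        n >>= 1
    return result

def sqrt_with_global_exponent(a, E, mul, eq, one, rand, tries=40):
    """Return r with r*r == a, or None when the nonzero element a is not a square."""
    s, m = 0, E
    while m % 2 == 0:
        s, m = s + 1, m // 2              # E = 2^s * m with m odd

    def two_order(x):                     # k with ord(x) = 2^k, or -1
        for k in range(s + 1):
            if eq(x, one):
                return k
            x = mul(x, x)
        return -1                         # x is zero, or E is not a global exponent

    # z^m lies in the Sylow 2-subgroup; a non-square z (probability 1/2)
    # gives a generator c of order 2^t.
    c, t = one, 0
    for _ in range(tries):
        z = bb_pow(mul, one, rand(), m)
        k = two_order(z)
        if k > t:
            c, t = z, k

    # Solve a^m = c^e one bit at a time inside the cyclic 2-group.
    target = bb_pow(mul, one, a, m)
    c_inv = bb_pow(mul, one, c, (1 << t) - 1)
    e = 0
    for i in range(t):
        rest = mul(target, bb_pow(mul, one, c_inv, e))
        if not eq(bb_pow(mul, one, rest, 1 << (t - 1 - i)), one):
            e |= 1 << i
    if e & 1:
        return None                       # odd logarithm: a is not a square
    r = mul(bb_pow(mul, one, a, (m + 1) // 2), bb_pow(mul, one, c_inv, e // 2))
    return r if eq(mul(r, r), a) else None    # the answer is always verified

def demo_field(p, seed=1):
    """Constructed sample: Z/pZ exposed only through mul, eq, one, rand."""
    rng = random.Random(seed)
    return dict(mul=lambda x, y: x * y % p, eq=lambda x, y: x == y,
                one=1, rand=lambda: rng.randrange(p))
```

The final squaring check means a wrong root is never returned; an unlucky choice of random elements can only produce a spurious `None`.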
Assume that is a non-degenerate symmetric bilinear form on V. It is well-known [17] (Section 1.4) that has Witt index 1 and that there are only two classes of equivalence of non-degenerate symmetric bilinear forms on V, and if belongs to one of these classes, then , where is not a square root in , belongs to another class.
We set ; this is the quadratic form associated with . (In the literature, the quadratic form associated with is frequently taken to be ; it can be seen that our choice simplifies some of our calculations.)
Notice that the orthogonal groups and coincide elementwise for arbitrary .
It is important to keep this basic observation in mind because in the algorithms that we develop in this paper, the orthogonal groups will be their sets of inputs. Moreover, they will be given to us as subsets of the matrix group . Writing orthogonal transformations from in different bases of V introduces some subtle changes, which we will have to take into account.
5.2. Two Types of Bases: Spinor and Canonical
We shall call a basis of V a spinor basis if
In a spinor basis, the quadratic form Q associated with is written by the scalar matrix , and we will denote the group of matrices that preserves this form as , the corresponding special orthogonal group as , and its commutator subgroup as .
Therefore,
which is the same as the standard definition of the orthogonal group:
We shall call a basis of V canonical if the quadratic form Q is written in it by the matrix , where
We define as
or, which is the same,
with and defined in an obvious way (the latter is the commutator of , but it can also be defined as the group of elements of spinor norm ).
The quadratic forms and associated with matrices I and J are and . When are seen as acting on their Lie algebra , that is, the algebra of matrices over of trace , turns out to be the most natural quadratic form: ; of course, it is also proportional to the Killing form on .
To summarize, the subgroups and in represent the same orthogonal group written in two different bases; one of them is spinor, and the other is canonical. The groups and do not change if we replace the corresponding symmetric bilinear form by its non-zero scalar multiple .
5.3. Change of Basis
In this subsection, we construct the change of basis matrix that conjugates to in , where is a black box field.
Let us take a canonical basis with . Then,
In every finite field of odd characteristic, there exist such that , and such pairs can be easily found by the Tonelli–Shanks algorithm [3] (Lemma 5.6) in probabilistic time polynomial in . Note that we can compute and without knowing the characteristic of . Then, a direct calculation shows that the vectors
form a spinor basis. Let us call it , and we have the change of basis matrix from to
If contains a square root of , say, , then we can take , , and obtain a simpler transition matrix
Analysis of This Calculation
The three-dimensional vector space with a non-degenerate symmetric bilinear form has a model that is very natural in the context of this paper: the space (actually, the Lie algebra) of matrices over of trace with
For the space , the matrices
form a canonical basis; applying construction of a spinor basis as described above, we obtain
The matrices are generators of three cyclic subgroups of order 4 in a quaternion group , and they satisfy the following relations:
Our previous paper [3] (Section 9) explains why finding a quaternion subgroup amounts to constructing a spinor basis in in a pure black box and hence coordinate-free context. In [3] (Section 8), computing in a black box group , we construct the image of in and its normalizer , and this is one of the key steps in the algorithm developed in [3].
5.4. Isomorphisms
Proposition 1. Let be a black box finite field and let E be a global exponent for the multiplicative group . Then, there is a Las Vegas algorithm that constructs, in probabilistic time polynomial in , two-way isomorphism
The algorithm runs in time polynomial in .
Proof. The required isomorphism comes from the action of on the Lie algebra of matrices over of trace . Following Section 5.3, we choose a canonical basis in as
Let
then
and it is easy to compute
Therefore, the conjugation by the matrix is written in the basis E, W, F by the matrix
and we have a homomorphism from to :
where . It is easy to check that the kernel of this homomorphism is the group of scalar matrices and results in an isomorphism
The inverse isomorphism can now be found with ease. Note that we can construct, if they exist, the square roots of the elements of the black box field in time polynomial in by [3] (Lemma 5.6).
Assume that we are given a matrix and wish to find such that . Because of Equation (1), this amounts to solving the system of equations in variables
It is easy to see that at least one of the matrix elements is not zero; assume that , and other cases can be treated similarly.
If has no square root in , then also has no square root. In that case, pick some that is not a square root in ; alternatively, set . In both cases, is a square and, for the sake of argument, denote (but do not compute—we cannot compute because we do not know )
and compute
This allows us to rewrite Equation (2) as
which can be immediately solved. If , then we set
If , then similar computations yield us the matrix
which is the same element of as A. Notice that we do not compute and .
This establishes the isomorphism □
6. Construction of a Proxy for
In this section, we present the proof of Theorem 1. The following lemma is crucial.
Lemma 1. Let X and Y be two groups isomorphic to over a finite field of odd characteristic, then any surjective homomorphism can be lifted to a homomorphism and this homomorphism is unique.
Proof. The proof immediately follows from the well-known property: every automorphism of can be lifted to an automorphism of Y, and this automorphism of Y is unique. □
To prove Theorem 1, we need some details of the constructions from [3], of which we give a summary here. Let . We construct two cyclic subgroups (torus of order twice odd number) and (torus containing an element of order 4) in and form the direct product . Then, we consider the black box subgroup that is generated in by the pairs for and for . Now, , where is the involution swapping the two copies of in . Using the results in [3], these constructions lead up to a construction of a black box field and the morphisms
6.1. Construction of the Morphism
Through the construction of the morphisms from [3] and in Section 5.4, together with in Section 5.3, we have a chain of morphisms
Reading this diagram from right to left and restricting the map to , we can obtain a chain of morphisms
then we expand it to
where the last arrow is induced by the natural projection of on its direct factor. Hence, we have a morphism
Now, we shall lift this morphism to the desired morphism
Let be the central involution of . If , then is a coset in made of two elements, say and . If is of odd order, then one of the elements in the coset has odd order and, by Lemma 1, is equal to the image of .
It is well-known that every matrix can be written as a product of transvections, ; explicit formulae are in [17] (pp. 81–82). Indeed, if and , then
If , we have
If , we have
Since we work in fields of odd characteristic, transvections are elements of odd order, and the previous argument allows us to compute
as
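The two facts used in this step, that a matrix of determinant 1 factors into transvections and that each transvection has odd order p, can be checked concretely. The Python code below is an added example, not the authors' code: it uses the standard factorization into upper and lower unitriangular matrices over a prime field, which is not necessarily the formulae of [17], and the function names and the choice of a prime field are assumptions.

```python
from functools import reduce

IDENTITY = ((1, 0), (0, 1))

def mat_mul(A, B, p):
    """Product of two 2x2 matrices with entries reduced modulo p."""
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(2)) % p
                       for j in range(2)) for i in range(2))

def product(factors, p):
    return reduce(lambda A, B: mat_mul(A, B, p), factors, IDENTITY)

def upper(x):
    return ((1, x), (0, 1))        # transvection fixing the first basis vector

def lower(x):
    return ((1, 0), (x, 1))        # transvection fixing the second basis vector

def transvection_factors(M, p):
    """Return at most four transvections whose product is M in SL_2(F_p)."""
    (a, b), (c, d) = M
    if (a * d - b * c) % p != 1:
        raise ValueError("matrix is not in SL_2(F_p)")
    if c % p:
        ci = pow(c, -1, p)
        # upper((a-1)/c) * lower(c) * upper((d-1)/c) = M
        return [upper((a - 1) * ci % p), lower(c % p), upper((d - 1) * ci % p)]
    if b % p:
        bi = pow(b, -1, p)
        # lower((d-1)/b) * upper(b) * lower((a-1)/b) = M
        return [lower((d - 1) * bi % p), upper(b % p), lower((a - 1) * bi % p)]
    # Diagonal case: M * lower(1) has a nonzero lower-left entry,
    # so factor it and undo the extra factor with lower(-1).
    N = mat_mul(M, lower(1), p)
    return transvection_factors(N, p) + [lower(p - 1)]

def has_order_dividing_p(T, p):
    """A transvection T satisfies T^p = 1, so its order is 1 or the odd prime p."""
    return product([T] * p, p) == IDENTITY
```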
6.2. Construction of the Morphism
To construct the reverse morphism presented in Section 6.1, it is important to observe that the morphism is reversible on and , since we have natural maps
and we can map them back to .
Now, we show how to reverse on the entire . Let us denote . Abusing notation, we may use the same notation for elements in as for elements in .
Indeed, it will suffice to reverse the map induced by on and have a morphism
expand it to
and then lift it to a map
Let us call elements in with already known preimages in “white”. Obviously, products of white elements are white.
We shall prove that every element in is white.
Lemma 2. All elements in and are white.
Proof. It suffices to prove the statement for involutions in . We first construct one such involution. Since the elements of are white, we can represent any element from by matrices with entries from . Let be an element of order bigger than or equal to 3, and let M be its image in . Then we need to locate an involution satisfying
which is equivalent to . The entries of such a matrix A can be found by solving a system of linear equations over the black box field . Now, by using the map from Section 6.1, we construct a white element . Now, any other involution can be written as , with being a white element. □
Lemma 3. If is a white involution then all elements in are white.
Proof. One of the white tori or contains an involution; without loss of generality, we can assume that this is . Being white involutions, and are conjugate by a white element (we can do the corresponding calculation in ); hence, is conjugate to the white subgroup by a white element and is therefore white. □
We can now complete construction of .
Lemma 4. Every involution in is white.
Proof. Let be an involution. Taking random white involutions (that is, images of random involutions from ), we can find a white involution such that the product is of even order, thus yielding an involution commuting with both and ; this involution is therefore white. This means that we can produce random white involutions in until they generate a white dihedral subgroup containing . □
Lemma 5. Every element of is white.
Proof. Applying the same arguments in [3] (Lemma 5.4), we have a Las Vegas polynomial time algorithm with which we can write every element of as a product of involutions. Since every involution is white, every element is white. □
We can now complete the proof of Theorem 1. Indeed, we have the inverse morphism
and we thus have a morphism
Let . We can compute as the coset in consisting of two elements and , and compute . If , then ; otherwise, .
8. GAP Code
The isomorphism from the group , given in its natural representation to a black box group encrypting , is implemented in GAP [18] where is a field of prime order. We present our GAP code at https://github.com/sukru-yalcinkaya/SL2Morphisms, accessed on 29 October 2025.
Our implementation takes a group element from , as it is represented in GAP and computes its image in the black box group encrypting . The correctness of the isomorphism can be verified by a user by comparing, for example, the well-known Chevalley Commutator Formulas between the elements in the natural and their images in the black box group.
In our implementation, the only GAP functions employed are the black box operations described in BB1–BB3, namely group multiplication, inversion, identity testing, together with the generation of pseudo-random elements. For an exponent, we use the order of the group . We emphasize that operations such as computing the orders of group elements are not used. The code is intended primarily to be a proof of concept rather than a fully practical implementation, leaving considerable room for optimization and extension. Further discussion of our implementation can be found in [19]; see also our GitHub repository above.