Towards Effective Recognition of Black Box Rings

1. Introduction

General discussion of problems in black box algebra, and extensive bibliography and historic remarks on black box groups, fields and rings can be found in [1]. Terminology and notation in the present paper follow more updated papers [2,3].

As an example of application of black box analysis of an algebraic structure, we prove the following

Theorem 1.

Let $\mathsf{R}$ be a black box ring encrypting the ring of $2\times 2$ matrices ${\mathrm{M}}_{2\times 2}\left(\mathbb{F}\right)$, where $\mathbb{F}$ is an unknown finite field $\mathbb{F}$ of unknown odd characteristic, and let E be a computationally feasible global exponent for invertible cryptoelements $\mathsf{x}$ of $\mathsf{R}$ (that is, ${\mathsf{x}}^E=\mathsf{1}$, see Axiom  GE  in Section 2). Then, there is a Las Vegas algorithm which constructs, in time polynomial in $logE$, a black box field $\mathsf{Z}$ encrypting $\mathbb{F}$, and isomorphisms

$$\mathsf{R}⟷{\mathrm{M}}_{2\times 2}\left(\mathsf{Z}\right).$$

Corollary 1.

Let $\mathsf{R}$ be a black box ring encrypting the ring of $2\times 2$ matrices ${\mathrm{M}}_{2\times 2}\left(\mathbb{F}\right)$, where $\mathbb{F}$ is a finite field of known odd order q. Then, there is a Las Vegas algorithm which constructs, in time polynomial in $logq$, a black box field $\mathsf{Z}$ encrypting $\mathbb{F}$, and isomorphisms

$$\mathsf{R}⟷{\mathrm{M}}_{2\times 2}\left(\mathsf{Z}\right).$$

Estimates for complexity and running times of various algorithms involved in our construction are mostly present in [1] or discussed in the proof of Theorem 1 in Section 6. They all are polynomial of small degree in $logE$.

A few words about the nature of algorithms could be useful. Most probabilistic algorithms used in black box algebra are divided in two classes:

Monte-Carlo 

: they give correct answer with probability $>1/2$. Repeating the calculation makes the probability of error exponentially small.

One-sided version: answer YES is always correct but answer NO may be wrong with probability $<1/2$.

Las Vegas 

: they give always a correct answer or fail with probability $<1/2$.

• In the proof of Theorem 1, we construct and use Monte-Carlo algorithms, for example constructing the field of scalars, see Step 4 of the proof. But the ultimate check of correctness of the answer is done by verifying the Identities (3) for the matrix elements ${\mathsf{e}}_{ij}$ of a standard matrix basis constructed in the proof:

  $${\mathsf{e}}_{ij}{\mathsf{e}}_{kl}=\left\{\begin{array}{cc}{e}_{il}& ifj=k\\ 0& ifj\ne k\end{array}\right..$$

  Therefore the full algorithm is Las Vegas.

2. Axiomatic Description of Black Box Algebraic Structures

A black box algebraic structure $\mathsf{X}$ is a black box (device, algorithm, or oracle) which produces and operates with 0–1 strings of uniform length $l\left(\mathsf{X}\right)$ encrypting (not necessarily in a unique way) elements of some fixed algebraic structure A: if $\mathsf{x}$ is one of these strings, then it corresponds to a unique (but unknown to us) element $\pi \left(\mathsf{x}\right)\in A$. Here, $\pi$ is the decrypting map, not necessarily known to us in advance.

Our axioms for black boxes are the same as in [1,2,3], but stated in a more formal language.

BB1 

On request, $\mathsf{X}$ produces a string $\mathsf{x}$ of fixed length $l\left(\mathsf{X}\right)$, which depends on $\mathsf{X}$, encrypting an element $\pi \left(\mathsf{x}\right)$ for some fixed explicitly given algebraic structure A; this is done in time polynomial in $l\left(\mathsf{X}\right)$. When this procedure is repeated, the elements $\pi \left({\mathsf{x}}_1\right),\pi \left({\mathsf{x}}_2\right),\dots$ are independent and uniformly distributed in A.

In this paper, we work only with groups and fields so we assume that operations on A are unary or binary; a general case can be treated in exactly the same way.

BB2 

On request, $\mathsf{X}$ performs algebraic operations on the encrypted strings which correspond to operations in A in a way which makes the map $\pi$ (unknown to us!) a homomorphism: for every binary (unary case is similar) operation ⊡ and strings $\mathsf{x}$ and $\mathsf{y}$ produced or computed by $\mathsf{X}$,

$$\pi (\mathsf{x}⊡\mathsf{y})=\pi \left(\mathsf{x}\right)⊡\pi \left(\mathsf{y}\right).$$

We shall write $\mathsf{x}\in \mathsf{X}$ if the string $\mathsf{x}$ is produced by $\mathsf{X}$.

It should be noted that we do not assume the existence of an algorithm which allows us to decide whether a specific string can be potentially produced by $\mathsf{X}$; requests for operations on strings can be made only in relation to strings previously output by $\mathsf{X}$. Also, we do not make any assumptions on probabilistic distribution of strings.

BB3 

On request, $\mathsf{X}$ determines, in time polynomial in $l\left(\mathsf{X}\right)$, whether two strings $\mathsf{x}$ and $\mathsf{y}$ encrypt the same element in A, that is, check whether $\pi \left(\mathsf{x}\right)=\pi \left(\mathsf{y}\right)$.

We say in this situation that a black box $\mathsf{X}$ encrypts the algebraic structure A and we write $\mathsf{X}\vDash A$. We shall call strings produced by $\mathsf{X}$ cryptoelements. If $\mathsf{x}\in \mathsf{X}$ and $\pi \left(\mathsf{x}\right)=a\in A$, we shall express that as $\mathsf{x}\vDash a$ and use the expressions $\mathsf{x}$ encrypts a and $\mathsf{x}$ represents a interchangeably.

Clearly, in black box problems, the decrypting map $\pi$ is not given in advance. However, it is useful to think about any algebraic structure (say, a finite field) implemented on a computer as a trivial black box, with $\pi$ being the identity map, and with random elements produced with the help of a random number generator. In this situation, obviously, the axioms BB1 – BB3 hold.

In our algorithms, we have to build new black boxes from existing ones and work with several black box structures at once: this is why we have to keep track of the length $l\left(\mathsf{X}\right)$ on which a specific black box $\mathsf{X}$ operates. For example, in [1] it turns out that it is useful to consider an automorphism of A as a graph in $A\times A$. This produces another algebraic structure isomorphic to A which can be seen as being encrypted by a black box $\mathsf{Z}$ producing, and operating on, certain pairs of cryptoelements from $\mathsf{X}$, see [1] for more examples. In this case, clearly, $l\left(\mathsf{Z}\right)=2l\left(\mathsf{X}\right)$.

Axiom BB1 is the only difference between our axioms and the original set up of Babai and Szemerédi [4]: when we construct a new black box structure $\mathsf{Y}$ from $\mathsf{X}$, operations on $\mathsf{Y}$ are usually more expensive than a direct construction of random cryptoelements in $\mathsf{Y}$ from random cryptoelements in $\mathsf{X}$ – this is the case, for example, of a black box field constructed from a black box projective plane constructed from a black box group ${\mathrm{PGL}}_2\left(\mathbb{F}\right)$, which, in its turn, constructed from a black box group ${\mathrm{SL}}_2\left(\mathbb{F}\right)$ [1]. Another example where Axiom BB1 is very natural in analysis of an impersonation attack on homomorphic encryption [2]: here, supply of random cryptoelements is achieved simply by picking random codewords from the intercepted communication traffic.

3. Black Box Fields

We use Axioms BB1–BB3 to define black box fields with a few obvious changes in the wording. In Axiom BB2, we assume that the black box can perform the addition, multiplication, and inversion in the field. The reader may wish to compare our exposition with [5]. We remind that, in this paper, we do not necessarily know the characteristic of the field. Therefore we slightly generalize the definition of a black box field given in [5,6] by removing the assumption that the characteristic of the field is known. We refer the reader to [5,6] for more details of black box fields of known characteristic.

The explicit data for a finite field of cardinality $p^n$ is defined to be a system of structure constants over the prime field, that is, $n^3$ elements ${\left(c_{ijk}\right)}_{i,j,k=1}^n$ of the prime field ${\mathbb{F}}_p=\mathbb{Z}/p\mathbb{Z}$ (represented as integers in $[0,p-1]$) so that ${\mathbb{F}}_{p^n}$ becomes a field with ordinary addition and multiplication by elements of ${\mathbb{F}}_p$, and multiplication determined by

$$s_i{s}_j={\displaystyle \sum _{k=1}^n}{c}_{ijk}{s}_k,$$

where $s_1,s_2,\dots ,s_n$ denotes a basis of ${\mathbb{F}}_{p^n}$ over ${\mathbb{F}}_p$. The concept of an explicitly given field of order $p^n$ is robust; indeed, Lenstra Jr. has shown in [7] that for any two fields A and B of order $p^n$ given by two sets of structure constants ${\left(a_{ijk}\right)}_{i,j,k=1}^n$ and ${\left(b_{ijk}\right)}_{i,j,k=1}^n$ an isomorphism $A⟶B$ can be constructed in time polynomial in $nlogp$.

By an efficient isomorphism between a black box field and an explicitly given finite field ${\mathbb{F}}_{p^n}$, we mean an algorithm constructing such an isomorphism in time polynomial in the input length, that is, we find a procedure which computes images and preimages, in time polynomial in n and $logp$.

One of the key results on black box fields belongs to Maurer and Raub [6]; its statement and proof can be reformulated to yield the following result.

Theorem 2.

Let $\mathsf{K}$ be a black box field of known characteristic p encrypting an explicitly given finite field ${\mathbb{F}}_{p^n}$ and ${\mathsf{K}}_0$ the prime subfield of $\mathsf{K}$. Then the isomorphism problem between $\mathsf{K}$ and ${\mathbb{F}}_{p^n}$ can be efficiently reduced to the isomorphism problem between ${\mathsf{K}}_0$ and ${\mathbb{F}}_p$. In particular,

• an efficient isomorphism ${\mathsf{K}}_0⟶{\mathbb{F}}_p$ can be extended in time polynomial in the input length $l\left(\mathsf{K}\right)$ to an efficient isomorphism $\mathsf{K}⟶{\mathbb{F}}_{p^n};$
• there exists an isomorphism ${\mathbb{F}}_{p^n}⟶\mathsf{K}$ computable in time polynomial in $l\left(\mathsf{K}\right)$.

In our terminology, Theorem 2 provides a structural proxy for black box fields of known characteristic, see Section 4. Indeed, if $\mathsf{K}$ is a black box field of known characteristic p, then we can construct an isomorphism ${\mathbb{F}}_p=\mathbb{Z}/p\mathbb{Z}⟶{\mathsf{K}}_0$ by the map

$$m\mapsto \mathsf{1}+\mathsf{1}+\dots +\mathsf{1}\left(mtimes\right)$$

where $\mathsf{1}$ is the unit in ${\mathsf{K}}_0$; it is computable in linear in $logp$ time by double-and-add method. Construction of an isomorphism ${\mathsf{K}}_0⟶{\mathbb{F}}_p$ remains an open problem when p is an astronomically large prime.

4. Structural Proxy and Structure Recovery

Most groups of Lie type (we exclude ${}^{2}B_2$, ${}^{3}D_4$, ${}^{2}F_4$ and ${}^{2}G_2$ to avoid technical details) can be seen as functors $G:\mathcal{F}⟶\mathcal{G}$ from the category of fields $\mathcal{F}$ with an automorphism of order $⩽2$ to the category of groups $\mathcal{G}$. There are also other algebraic structures which can be defined in a similar way as functors from $\mathcal{F}$, for example projective planes or simple Lie algebras (viewed as rings). The following problem is natural and, as our results show, useful in this context.

• Structure recovery: Suppose that we are given a black box structure $\mathsf{X}\vDash A\left(\mathbb{F}\right)$. Construct, in time polynomial in $l\left(\mathsf{X}\right)$,

  –

  a black box field $\mathsf{K}\vDash \mathbb{F}$, and

  –

  an isomorphism $A\left(\mathsf{K}\right)⟶\mathsf{X}$.

If we construct a black box field $\mathsf{K}$ by using $\mathsf{X}$ as a computational engine, then we can construct the natural representation $A\left(\mathsf{K}\right)$ of the structure A over the black box field $\mathsf{K}$. A trickier part of structure recovery is construction of isomorphism $A\left(\mathsf{K}\right)⟶\mathsf{X}$. If we achieved that then by Maurer and Raub [6] (see also [1]), we have a computable in probabilistic polynomial time isomorphism ${\mathbb{F}}_q⟶\mathsf{K}$ and hence isomorphisms

$$A\left({\mathbb{F}}_q\right)⟶A\left(\mathsf{K}\right)⟶\mathsf{X}$$

producing a more powerful and useful structure recovery of $\mathsf{X}$.

If a structural recovery is achieved, this means that we can force the black box to produce cryptoelements with specific properties.

A much stronger and harder to achieve version of structure recovery is the concept of structure proxy.

• Construction of a structural proxy: Suppose that we are given a black box structure $\mathsf{X}\vDash A\left(\mathbb{F}\right)$. Construct, in time polynomial in $l\left(\mathsf{X}\right)$,

  –

  a black box field $\mathsf{K}\vDash \mathbb{F}$, and

  –

  two way bijective morphisms $A\left(\mathsf{K}\right)⟷\mathsf{X}$.

In this situation, we call $A\left(\mathsf{K}\right)$ a structural proxy of the black box $\mathsf{X}$.

Structure recoveries and structural proxies play a crucial role in our papers [1,3]. We construct there structural proxies for

• a black box projective plane with polarity $\mathsf{Z}\vDash \mathbb{P}\left({\mathbb{F}}_q\right)$;
• the projectivisation of a black box Lie algebra $\mathsf{Y}\vDash {\mathfrak{sl}}_2\left({\mathbb{F}}_q\right)$ (this one appears in disguise as construction of the “cross product” on the projective plane);
• black box groups ${\mathsf{X}}_1\vDash {\mathrm{SO}}_3\left({\mathbb{F}}_q\right)\simeq {\mathrm{PGL}}_2\left({\mathbb{F}}_q\right)$, ${\mathsf{X}}_2\vDash {\mathrm{PSL}}_2\left({\mathbb{F}}_q\right)$, ${\mathsf{X}}_3\vDash {\mathrm{SL}}_2\left({\mathbb{F}}_q\right)$.

In all these cases, q is odd.

Corollary 1 of the present paper adds to this list

• a structural proxy for the black box ring $\mathsf{R}\vDash {\mathrm{M}}_2\left({\mathbb{F}}_q\right)$, q odd.

Proof of Theorem 1 critically depends on the use of a structural proxy for groups ${\mathrm{SL}}_2$ constructed in [3]. The present paper is evidence of the power of this approach to black box algebra.

These observations strongly suggest that the black box analysis of most structures built from finite fields (and they dominate finite algebra) could be most likely reduced to black box analysis of fields, with implications for algebraic cryptography discussed in [2].

5. Preparing Proof of Theorem 1: Dihedral Subgroups of Order 8 in ${\mathrm{GL}}_{\mathbf{2}}\left(\mathbb{F}\right)$

We prove the following useful lemmas.

Lemma 1.

Let $G={\mathrm{GL}}_2\left(\mathbb{F}\right)$ where $\mathbb{F}$ is a finite field of odd characteristic. Then the subgroups isomorphic to a dihedral group of order 8 in G are all conjugate.

Proof. 

Let $e_1=\left[\begin{array}{cc}-1& 0\\ 0& 1\end{array}\right]$ and $w_1=\left[\begin{array}{cc}0& 1\\ -1& 0\end{array}\right]$. Then, it is easy to check that

$$e_1^2=w_1^4=1and{e}_1^{-1}{w}_1{e}_1=w_1^{-1}.$$

Therefore $D=\langle e_1,w_1\rangle$ is a dihedral group of order 8. Assume that $H=\langle r,s\mid r^2=s^4=1,r^{-1}sr=s^{-1}\rangle$ is any other dihedral group of order 8 in G and $e_1\mapsto r$, $w_1\mapsto s$ is an isomorphism. As r is an element of order 2, its characteristic polynomial is the same as the characteristic polynomial of the element $e_1$ and its matrix representation with respect to the ordered basis consisting of its eigenvectors corresponding to the eigenvalues $-1$ and 1 is the same matrix element $e_1$. This means that there exists $g\in G$ such that $r^g=e_1$. By a direct computation, we see that the elements of order 4 in G which are inverted by $e_1$ have the form

$$\left[\begin{array}{cc}0& t\\ -t^{-1}& 0\end{array}\right]$$

for some $0\ne t\in \mathbb{F}$. Since $\langle r^g,s^g\rangle$ is a dihedral group of order 8, we must have $s^g=\left[\begin{array}{cc}0& t\\ -t^{-1}& 0\end{array}\right]$ for some $0\ne t\in \mathbb{F}$. Since

$${\left[\begin{array}{cc}0& t\\ -t^{-1}& 0\end{array}\right]}^{\left[\begin{array}{cc}1& 0\\ 0& t^{-1}\end{array}\right]}=\left[\begin{array}{cc}0& 1\\ -1& 0\end{array}\right],$$

setting $h=\left[\begin{array}{cc}1& 0\\ 0& t^{-1}\end{array}\right]$, we have

$$r^{gh}=e_{1}and{s}^{gh}=w_1$$

which proves that $H^{gh}=D$ and all dihedral groups of order 8 in G are conjugate. □

Lemma 2.

In any black box field $\mathsf{K}$ of odd or zero characteristics, we can construct cryptoelements $\mathsf{0},\mathsf{1}$, and $-\mathsf{1}$ – without even knowing the characteristic of $\mathsf{K}$. After that, it can be directly checked that the matrices

$$\mathsf{e}\vDash \left[\begin{array}{cc}1& 0\\ 0& 1\end{array}\right],-\mathsf{e}\vDash \left[\begin{array}{cc}-1& 0\\ 0& -1\end{array}\right],{\mathsf{e}}_1\vDash \left[\begin{array}{cc}-1& 0\\ 0& 1\end{array}\right],{\mathsf{e}}_2\vDash \left[\begin{array}{cc}1& 0\\ 0& -1\end{array}\right]$$

(1)

together with

$${\mathsf{w}}_1\vDash \left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right],-{\mathsf{w}}_1\vDash \left[\begin{array}{cc}0& -1\\ -1& 0\end{array}\right],{\mathsf{w}}_2\vDash \left[\begin{array}{cc}0& 1\\ -1& 0\end{array}\right],-{\mathsf{w}}_2\vDash \left[\begin{array}{cc}0& -1\\ 1& 0\end{array}\right].$$

(2)

form a dihedral subgroup of order 8 in the matrix group $\mathsf{G}={\mathrm{GL}}_2\left(\mathsf{K}\right)$.

Proof. 

Obvious. □

We denote this group as $\mathsf{D}$. Elements listed in (1) form the elementary abelian subgroup $\mathsf{E}⊲\mathsf{D}$ of order 4. The element $\mathsf{e}$ is of course the identity of $\mathsf{G}$ and of the matrix ring ${\mathrm{M}}_{2\times 2}\left(\mathsf{K}\right)$. Elements $\mathsf{e}$ and $-\mathsf{e}$ belong to $Z\left(\mathsf{G}\right)$.

6. Proof of Theorem 1

We start with an obvious observation that even if the zero $\mathsf{0}\vDash 0$ is not given explicitly in the set-up of the black box ring $\mathsf{R}$, we can easily construct it by taking a random $\mathsf{r}\in \mathsf{R}$ and computing $\mathsf{0}=\mathsf{r}-\mathsf{r}$.

Construction of a structural proxy of $\mathsf{R}$ is explained in the steps below. The crucial ingredient of the proof is to construct the field of scalars and a dihedral group of order 8 in the multiplicative group of $\mathsf{R}$.

• Step 1: Construction of the black box group $\mathsf{X}\vDash {\mathrm{GL}}_2\left(\mathbb{F}\right)$. We temporarily assume, for the purpose of estimating probabilities, that $\left|\mathbb{F}\right|=q$.

Observe first that a random element in $R={\mathrm{M}}_{2\times 2}\left(\mathbb{F}\right)$ is invertible with probability $1-O\left({\displaystyle \frac{1}{q}}\right)$. Therefore a random element $\mathsf{r}\in \mathsf{R}$ is invertible with probability close to 1 when q is large. Now we use the global exponent E: For an invertible cryptoelement $\mathsf{r}\in \mathsf{R}$, we have ${\mathsf{r}}^E=\mathsf{1}$ where $\mathsf{1}$ encrypts the multiplicative identity of R. Therefore we can easily construct the identity cryptoelement in $\mathsf{R}$. Hence the invertible cryptoelements in $\mathsf{R}$ give us the black box group $\mathsf{X}\vDash {\mathrm{GL}}_2\left(\mathbb{F}\right)$.

• Step 2: Generation of trace 0 cryptoelements. Our next task is to construct in $\mathsf{R}$ a black box subring $\mathsf{Z}$ encrypting the subring $Z=Z\left(R\right)$ of scalar matrices in R. Of course, Z is a field, and therefore $\mathsf{Z}\vDash \mathbb{F}$. When $\mathsf{Z}$ is constructed, it will turn $\mathsf{R}$ into a black box $\mathsf{Z}$-algebra.

It is easy to check that, for any matrices $a,b\in {\mathrm{M}}_{2\times 2}\left(\mathbb{F}\right)$ over any field $\mathbb{F}$, the matrix ${[a,b]}^2={(ab-ba)}^2$ is a scalar matrix; hence we have a natural map

$$\begin{array}{ccc}\hfill \mathsf{R}\times \mathsf{R}& ⟶& \mathsf{Z}\hfill \\ \hfill (\mathsf{r},\mathsf{s})& \mapsto & {[\mathsf{r},\mathsf{s}]}^2\hfill \end{array}$$

with values in $\mathsf{Z}=Z\left(\mathsf{R}\right)$. We need to check that this map gives almost uniformly distributed cryptoelements in $\mathsf{Z}$.

Matrices of trace zero in ${\mathrm{M}}_{2\times 2}\left(\mathbb{F}\right)$ form the Lie subalgebra ${\mathfrak{sl}}_2\left(\mathbb{F}\right)$. The Lie algebra ${\mathfrak{gl}}_2\left(\mathbb{F}\right)$ of ${\mathrm{M}}_{2\times 2}\left(\mathbb{F}\right)$ can be decomposed as the sum of two ideals

$$\mathfrak{z}\oplus {\mathfrak{sl}}_2\left(\mathbb{F}\right),$$

where $\mathfrak{z}$ is the center of ${\mathfrak{gl}}_2\left(\mathbb{F}\right)$. Therefore the probability of an element $c\in {\mathfrak{sl}}_2\left(\mathbb{F}\right)$ to be a commutator of two independent random elements from ${\mathfrak{gl}}_2\left(\mathbb{F}\right)$ is the same as the probability of being a commutator of two independent random elements from ${\mathfrak{sl}}_2\left(\mathbb{F}\right)$. For estimating the latter, observe that if $c=[a,b]$ and $c\ne 0$, then a and b belong to the plane in ${\mathfrak{gl}}_2\left(\mathbb{F}\right)$ orthogonal to c with respect to the Killing form on ${\mathfrak{gl}}_2\left(\mathbb{F}\right)$; this plane does not contain c, if c is a semisimple element, and contains c, if c is nilpotent. It is easy to see that probability of c being a commutator of random elements from ${\mathfrak{sl}}_2\left({\mathbb{F}}_q\right)$ is ${\displaystyle \frac{1}{q^3}}+O\left({\displaystyle \frac{1}{q^4}}\right)$.

• Step 3: The quadratic form on ${\mathfrak{sl}}_2$. Now we turn our attention to the square map

  $$\begin{array}{ccc}\hfill \sigma :{\mathfrak{sl}}_2\left(\mathbb{F}\right)& ⟶& Z\hfill \\ \hfill s& \mapsto & s^2.\hfill \end{array}$$

Let s be a trace zero matrix,

$$s=\left[\begin{array}{cc}a& b\\ c& -a\end{array}\right],$$

then it is easy to check that

$$s^2=\left[\begin{array}{cc}{a}^2+bc& 0\\ 0& a^2+bc\end{array}\right],$$

and that $a^2+bc=-dets$ is proportional to the Killing quadratic form on ${\mathfrak{sl}}_2\left(\mathbb{F}\right)$. It is easy to see that elements of Z are images of random elements from ${\mathfrak{sl}}_2\left(\mathbb{F}\right)$ with probability ${\displaystyle \frac{1}{q}}+O\left({\displaystyle \frac{1}{q^2}}\right)$.

• Step 4: Construction of the field of scalars. Combining these two estimates, we see that the square map

  $$\begin{array}{ccc}\hfill R\times R& ⟶& Z\hfill \\ \hfill (a,b)& \mapsto & {[a,b]}^2\hfill \end{array}$$

  hits specific elements in Z with probabilities ${\displaystyle \frac{1}{q}}+O\left({\displaystyle \frac{1}{q^2}}\right)$, that is, it is essentially the uniform distribution. Therefore the map

  $$\begin{array}{ccc}\hfill \mathsf{R}\times \mathsf{R}& ⟶& \mathsf{Z}\hfill \\ \hfill (\mathsf{x},\mathsf{y})& \mapsto & {[\mathsf{x},\mathsf{y}]}^2\hfill \end{array}$$

  can be taken for a generator of random cryptoelements for the black box $\mathsf{Z}$; operations of addition, multiplication, inversion on $\mathsf{Z}$ are inherited from $\mathsf{R}$ and its multiplicative group.

• Step 4: Construction of a dihedral group of order 8. Our aim is to construct a dihedral group of order 8 in $\mathsf{X}$.

To construct in $\mathsf{X}$ a dihedral group of order 8, we consider the factor group $\tilde{\mathsf{X}}=\mathsf{X}/\mathsf{Z}\vDash {\mathrm{PGL}}_2\left(\mathbb{F}\right)$. Observe that we can use the black box $\mathsf{X}$ to carry out computations in $\tilde{\mathsf{X}}$ by replacing the equality relation in $\mathsf{X}$ by the new one:

$$\mathsf{x}\equiv \mathsf{y}$$

if and only if ${\mathsf{x}}^{-1}\mathsf{y}$ commutes with cryptoelements $\mathsf{r},\mathsf{s}$ of odd order and $[\mathsf{r},\mathsf{s}]\ne \mathsf{1}$. By [3], we can construct a black box field $\mathsf{K}$ inside the black box group $\tilde{\mathsf{X}}$ (this is done in [3]) and then surjective homomorphisms

$$\tilde{\mathsf{X}}\stackrel{\alpha }{⟵}{\mathrm{PGL}}_2\left(\mathsf{K}\right)\stackrel{\beta }{⟵}{\mathrm{GL}}_2\left(\mathsf{K}\right).$$

Notice that the black box fields $\mathsf{Z}$ and $\mathsf{K}$ come from completely different origins; the latter was constructed in [1] by coordinatisation of a projective plane structure on the set of involutions in $\tilde{\mathsf{X}}$.

Also notice that ${\mathrm{GL}}_2\left(\mathsf{K}\right)$ comes with the matrix algebra ${\mathrm{M}}_{2\times 2}\left(\mathsf{K}\right)$ and that the image $\alpha \circ \beta \left(\mathsf{e}\right)$ of the identity cryptoelement $\mathsf{e}\in {\mathrm{M}}_{2\times 2}\left(\mathsf{K}\right)$ is the identity cryptoelement of $\mathsf{Z}$. In later calculations, this will allow us to identify the cryptoelements representing $0,1,-1,2,{\displaystyle \frac{1}{2}}$ in the two fields and use for them the same notation. In our calculations we will be using only a tiny `shared’ fragment of the two fields. From now on we shall call cryptoelements in $\mathsf{K}$, ${\mathrm{M}}_{2\times 2}\left(\mathsf{K}\right)$, and ${\mathrm{GL}}_2\left(\mathsf{K}\right)$ just `elements’ – this level of deciphering will suffice for our purposes because the field $\mathsf{K}$ does not appear in the formulation of our results, Theorem 1$\mathsf{K}$ and Corollary 1, it plays only a temporary role.

Now we apply Lemma 2 to construct in $\mathsf{G}={\mathrm{GL}}_2\left(\mathsf{K}\right)$ the dihedral subgroup $\mathsf{D}$, its elements are listed in Equations (1) and (2). The image $\tilde{\mathsf{D}}=\alpha \circ \beta \left(\mathsf{D}\right)$ of $\mathsf{D}$ in $\tilde{\mathsf{X}}$ is the factor group $\mathsf{D}/Z\left(\mathsf{D}\right)$, we have to lift it to a dihedral group of order 8 in $\mathsf{X}$ which we will denote, abusing notation, by the same symbol $\mathsf{D}$, with the same notation for elements.

So far we know only elements $\mathsf{e}$ and $-\mathsf{e}$ from $Z\left(\mathsf{D}\right)<\mathsf{Z}$.

The full preimage of $\alpha \circ \beta \left(\mathsf{D}\right)<\tilde{\mathsf{X}}$ in $\mathsf{X}$ is $\mathsf{Z}\mathsf{D}$. We need to look with some attention at the cosets of $\mathsf{Z}$ in $\mathsf{Z}\mathsf{D}$. The factor group $\tilde{\mathsf{D}}=\mathsf{Z}\mathsf{D}/\mathsf{Z}$ is elementary abelian, therefore if $\mathsf{T}$ is a coset of $\mathsf{Z}$ in $\mathsf{Z}\mathsf{D}\setminus \mathsf{Z}$ then $\mathsf{Z}\cup \mathsf{T}$ is an abelian group which contains elements from $\mathsf{D}\setminus \mathsf{Z}$; of course these elements belong to $\mathsf{T}$. These elements can be of order 2 or 4.

Assume that the coset $\mathsf{T}$ contains an element of order 2 (involution). It is easy to see that $\mathsf{T}$ contains only two involutions, say $\mathsf{x}$ and $-\mathsf{x}$. Pick an arbitrary element $\mathsf{t}\in \mathsf{T}$, then $\mathsf{t}=\mathsf{z}\mathsf{x}$ for some $\mathsf{z}\in \mathsf{Z}$ and ${\mathsf{t}}^2={\mathsf{z}}^2{\mathsf{x}}^2={\mathsf{z}}^2$. We can construct square roots of ${\tilde{\mathsf{z}}}^2$ in the cyclic group ${\mathsf{Z}}^{*}$ by using the analog of Tonelli-Shanks algorithm for cyclic groups, see [1]. There are two of them,

$$\pm \mathsf{s}=\sqrt{{\mathsf{z}}^2},$$

and is easy to check that ${(\pm \mathsf{s}\mathsf{t})}^2={(\pm \mathsf{s}\mathsf{z}\mathsf{x})}^2=\mathsf{1}$, hence elements $\pm \mathsf{s}\mathsf{t}$ coincide with $\pm \mathsf{x}$ and belong to $\mathsf{D}$.

So we know involutions $\pm {\mathsf{e}}_1$ and $\pm {\mathsf{w}}_1$, but do not know the correct choice of signs.

• Step 5: Construction of a basis for $\mathsf{R}$. Our task now is to construct in $\mathsf{R}$ cryptoelements ${\left\{{\mathsf{e}}_{ij}\right\}}_{i,j=1,2}$ which are linearly independent over $\mathsf{Z}$ and satisfy the relation

  $${\mathsf{e}}_{ij}{\mathsf{e}}_{kl}=\left\{\begin{array}{cc}{\mathsf{e}}_{il}& ifj=k\\ \mathsf{0}& ifj\ne k\end{array}\right..$$

  (3)

We shall call a system of cryptoelements ${\left\{{\mathsf{e}}_{ij}\right\}}_{i,j=1,2}$ a standard basis for $\mathsf{R}$.

We will do that by manipulating elements from the subgroup $\mathsf{D}$ in the additive group of the ring $\mathsf{R}$. We have to consider four cases each one for a different choice of the signs ± of elements $\pm {\mathsf{e}}_1$ and $\pm {\mathsf{w}}_1$.

• Case 1, the lucky case. We pick at random an element in each pair of elements $\pm {\mathsf{e}}_1$ and $\pm {\mathsf{w}}_1$ and denote them ${\mathsf{e}}_1^{\prime }$ and ${\mathsf{w}}_1^{\prime }$, respectively. If we are lucky and have picked

  $${\mathsf{w}}_1^{\prime }\vDash \left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]and{\mathsf{e}}_1^{\prime }\vDash \left[\begin{array}{cc}-1& 0\\ 0& 1\end{array}\right]$$

  (and this should definitely happen in one of the cases), then the following calculations

  $$\begin{array}{ccc}\hfill {\mathsf{w}}_2^{\prime }& :=& {\mathsf{w}}_1^{\prime }·{\mathsf{e}}_1^{\prime }\vDash \left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]·\left[\begin{array}{cc}-1& 0\\ 0& 1\end{array}\right]=\left[\begin{array}{cc}0& 1\\ -1& 0\end{array}\right]\hfill \\ \hfill {\mathsf{e}}_{11}& :=& {\displaystyle \frac{1}{2}}(\mathsf{e}-{\mathsf{e}}_1)\vDash {\displaystyle \frac{1}{2}}\left(\left[\begin{array}{cc}1& 0\\ 0& 0\end{array}\right]-\left[\begin{array}{cc}-1& 0\\ 0& 1\end{array}\right]\right)=\left[\begin{array}{cc}1& 0\\ 0& 0\end{array}\right]\hfill \\ \hfill {\mathsf{e}}_{22}& :=& {\displaystyle \frac{1}{2}}(\mathsf{e}+{\mathsf{e}}_1)\vDash {\displaystyle \frac{1}{2}}\left(\left[\begin{array}{cc}1& 0\\ 0& 0\end{array}\right]+\left[\begin{array}{cc}-1& 0\\ 0& 1\end{array}\right]\right)=\left[\begin{array}{cc}0& 0\\ 0& 1\end{array}\right]\hfill \\ \hfill {\mathsf{e}}_{12}& :=& {\displaystyle \frac{1}{2}}({\mathsf{w}}_1^{\prime }+{\mathsf{w}}_2^{\prime })\vDash {\displaystyle \frac{1}{2}}\left(\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]+\left[\begin{array}{cc}0& 1\\ -1& 0\end{array}\right]\right)=\left[\begin{array}{cc}0& 1\\ 0& 0\end{array}\right]\hfill \\ \hfill {\mathsf{e}}_{21}& :=& {\displaystyle \frac{1}{2}}({\mathsf{w}}_1^{\prime }-{\mathsf{w}}_2^{\prime })\vDash {\displaystyle \frac{1}{2}}\left(\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]-\left[\begin{array}{cc}0& 1\\ -1& 0\end{array}\right]\right)=\left[\begin{array}{cc}0& 0\\ 1& 0\end{array}\right]\hfill \end{array}$$

  (4)

  Obviously, ${\left\{{\mathsf{e}}_{ij}\right\}}_{i,j=1,2}$ is a standard matrix basis in $\mathsf{R}$.

The symbol ⊧ here and from now on means that a particular cryptoelement from the ring $\mathsf{R}$ represents a particular element from ${\mathrm{M}}_{2\times 2}\left(\mathsf{K}\right)$. Obviously, ${\left\{{\mathsf{e}}_{ij}\right\}}_{i,j=1,2}$ is a standard matrix basis in $\mathsf{R}$ because its cryptoelements represent canonical matrix units in ${\mathrm{M}}_{2\times 2}\left(\mathsf{K}\right)$.

• Cases 2, 3, and 4. If we are not lucky in our choice of elements ${\mathsf{e}}_1^{\prime }$ and ${\mathsf{w}}_1^{\prime }$ and the system of cryptoelements ${\left\{{\mathsf{e}}_{ij}\right\}}_{i,j=1,2}$ found in Equations (4) does not satisfy the criteria of Equation (3), we adjust them within the group $\mathsf{D}$ realising the three remaining choices of signs.

Case 2: We keep ${\mathsf{e}}_1^{\prime }$ and replace ${\mathsf{w}}_1^{\prime }$ by setting ${\mathsf{w}}_1^{\prime }:=-\mathsf{e}{\mathsf{w}}_1^{\prime }$, so that now ${\mathsf{w}}_1^{\prime }\vDash \left[\begin{array}{cc}0& -1\\ -1& 0\end{array}\right]$.

Case 3: We replace ${\mathsf{e}}_1^{\prime }$ by setting ${\mathsf{e}}_1^{\prime }:=-\mathsf{e}{\mathsf{e}}_1^{\prime }$, so that now ${\mathsf{e}}_1^{\prime }\vDash \left[\begin{array}{cc}1& 0\\ 0& -1\end{array}\right]$, and keep ${\mathsf{w}}_1^{\prime }$.

Case 4: We replace ${\mathsf{e}}_1^{\prime }$ and ${\mathsf{w}}_1^{\prime }$ by setting ${\mathsf{e}}_1^{\prime }:=-\mathsf{e}{\mathsf{e}}_1^{\prime }$ and ${\mathsf{w}}_1^{\prime }:=-\mathsf{e}{\mathsf{w}}_1^{\prime }$, so that now ${\mathsf{e}}_1^{\prime }\vDash \left[\begin{array}{cc}1& 0\\ 0& -1\end{array}\right]$ and ${\mathsf{w}}_1^{\prime }\vDash \left[\begin{array}{cc}0& -1\\ -1& 0\end{array}\right]$.

In each of these cases we run exactly the same calculations as in Equations (4) until we discover a standard basis of $\mathsf{R}$ until we get the same result as in Equations 4.

• Step 6: Representation of cryptoelements in $\mathsf{R}$ by $2\times 2$ matrices over $\mathsf{Z}$. Let ${\left\{e_{ij}\right\}}_{i,j=1,2}$ be a standard basis for $R={\mathrm{M}}_2\left(\mathbb{F}\right)$ constructed in Step 5.

Take an arbitrary $\mathsf{x}\in \mathsf{R}$ and assume that

$$\mathsf{x}\vDash \left[\begin{array}{cc}{a}_{11}& a_{12}\\ a_{21}& a_{22}\end{array}\right]=\sum _{i,j}{a}_{ij}{e}_{ij},a_{ij}\in \mathbb{F}.$$

We should construct proxies for $a_{ij}$, $i,j=1,2$, that is, we should construct cryptoelements ${\mathsf{z}}_{ij}\in \mathsf{Z}$ such that ${\mathsf{z}}_{ij}\vDash a_{ij}$ and

$$\mathsf{x}=\sum _{i,j}{\mathsf{z}}_{ij}{\mathsf{e}}_{ij},$$

where ${\mathsf{e}}_{ij}$, $i,j=1,2$, are the cryptoelements constructed in Step 5. Since we have made an exhaustive search there, we may assume that cryptoelements ${\mathsf{e}}_{ij}$ represent the standard matrix units and

$${\mathsf{w}}_1^{\prime }\vDash \left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right].$$

We start by setting the cryptoelements ${\mathsf{x}}_{ij}\in \mathsf{R}$:

$$\begin{array}{ccc}\hfill {\mathsf{x}}_{11}& :=& {\mathsf{e}}_{11}\mathsf{x}{\mathsf{e}}_{11}\vDash a_{11}{e}_{11}\hfill \\ \hfill {\mathsf{x}}_{22}& :=& {\mathsf{e}}_{22}\mathsf{x}{\mathsf{e}}_{22}\vDash a_{22}{e}_{22}\hfill \\ \hfill {\mathsf{x}}_{12}& :=& {\mathsf{e}}_{11}\mathsf{x}{\mathsf{e}}_{22}\vDash a_{12}{e}_{12}\hfill \\ \hfill {\mathsf{x}}_{21}& :=& {\mathsf{e}}_{22}\mathsf{x}{\mathsf{e}}_{11}\vDash a_{21}{e}_{21}\hfill \end{array}$$

Notice that ${\mathsf{e}}_{11}^{{\mathsf{w}}_1^{\prime }}={\mathsf{e}}_{22}$ and ${\mathsf{e}}_{22}^{{\mathsf{w}}_1^{\prime }}={\mathsf{e}}_{11}$. This allows us to produce scalar matrices:

$${\mathsf{z}}_{11}:={\mathsf{x}}_{11}+{\mathsf{x}}_{11}^{{\mathsf{w}}_1^{\prime }}\vDash \left[\begin{array}{cc}{a}_{11}& 0\\ 0& a_{11}\end{array}\right],$$

hence

$${\mathsf{x}}_{11}={\mathsf{z}}_{11}{\mathsf{e}}_{11}.$$

Similarly,

$${\mathsf{z}}_{22}:={\mathsf{x}}_{22}+{\mathsf{x}}_{22}^{{\mathsf{w}}_1^{\prime }}\vDash \left[\begin{array}{cc}{a}_{22}& 0\\ 0& a_{22}\end{array}\right],$$

hence

$${\mathsf{x}}_{22}={\mathsf{z}}_{22}{\mathsf{e}}_{22}.$$

Two other matrix element of $\mathsf{x}$ can be obtained as follows:

$${\mathsf{z}}_{12}:={\mathsf{w}}_1^{\prime }{\mathsf{x}}_{12}+{\mathsf{x}}_{12}{\mathsf{w}}_1^{\prime }\vDash \left[\begin{array}{cc}{a}_{12}& 0\\ 0& a_{12}\end{array}\right],$$

yielding

$${\mathsf{x}}_{12}={\mathsf{z}}_{12}{\mathsf{e}}_{12},$$

and similarly

$${\mathsf{z}}_{21}:={\mathsf{w}}_1^{\prime }{\mathsf{x}}_{21}+{\mathsf{x}}_{21}{\mathsf{w}}_1^{\prime }\vDash \left[\begin{array}{cc}{a}_{21}& 0\\ 0& a_{21}\end{array}\right],$$

yielding

$${\mathsf{x}}_{21}={\mathsf{z}}_{21}{\mathsf{e}}_{21}.$$

Hence, we have

$$\sum _{i,j}{\mathsf{z}}_{ij}{\mathsf{e}}_{ij}\vDash \left[\begin{array}{cc}{a}_{11}& a_{12}\\ a_{21}& a_{22}\end{array}\right],$$

and

$$\sum _{i,j}{\mathsf{z}}_{ij}{\mathsf{e}}_{ij}=\mathsf{x}$$

which establishes a two way isomorphism between $\mathsf{R}$ and $M_{2\times 2}\left(\mathsf{Z}\right)$.