Algorithmic problems in twisted groups of Lie type

Algorithmic problems in t wisted groups of Lie t yp e Jonas Henrik Amb j¨ orn B¨ a¨ arnhiel m A thesis submitted for the degree of Do ctor of Philosophy at Queen Mary , Univ ersit y of London Declaration I hereby declare that, to the b est of my knowledge, the material contained in this thesis is original and m y own w ork, except where otherwise indicated, cited, or commonly-known. I hav e no t submitted any o f this material in partial of complete fulﬁlment of requirements for another degree at this or an y o ther univ ersity . 2 Abstract This thesis con tains a collection of a lg orithms for working with the twisted groups of Lie type known as Suzuki gr oups, and s mall and large R e e gr oups. The t wo main problems under consideration are c onstruct ive r e c o gnition and c onstru ct ive memb ership testing . W e also cons ide r pro blems of g e nerating and co n- jugating Sylow and maximal subgroups. The algorithms are motiv ated b y , and form a pa rt of, the Matrix Gro up Recog- nition Pro ject. Obtaining both theoretically and practically eﬃcient algorithms has bee n a cen tral g oal. The a lgorithms have been develop ed with, a nd implemented in, the computer algebra system Magma . 3 Con ten ts Declaration 2 Abstract 3 List of Figures 6 Ac knowledgemen ts 7 Notation 8 Chapter 1. Int ro duction and preliminaries 10 1.1. In tro duction 10 1.2. Preliminaries 12 Chapter 2. Twisted exceptional groups 26 2.1. Suzuki groups 26 2.2. Small Ree g roups 32 2.3. Big Ree gr oups 41 Chapter 3. Constructive recog nitio n and membership testing 48 3.1. Suzuki groups 49 3.2. Small Ree g roups 70 3.3. Big Ree gr oups 92 Chapter 4. Sylow subgroups 106 4.1. Suzuki groups 10 6 4.2. Small Ree g roups 110 4.3. Big Ree gr oups 113 Chapter 5. Maximal subgroups 115 5.1. Suzuki groups 11 5 5.2. Small Ree g roups 117 5.3. Big Ree gr oups 120 Chapter 6. Implemen tation and pe rformance 122 6.1. Suzuki groups 12 3 6.2. Small Ree g roups 124 6.3. Big Ree gr oups 125 4 CONTENTS 5 Bibliogra phy 127 List of Figures 6.1 Be nchmark of Suzuki stabiliser computation 124 6.2 Be nchmark of Suzuki conjugation 125 6.3 Be nchmark of small Ree co njugation 126 6.4 Be nchmark of Large Ree co njugation 126 6 Ac kn o wledgemen ts I would ﬁrst o f all like to tha nk my s uper visor, Char les Leedham- Gr een, for endless help and encouragement. I would also like to tha nk the follo wing people , since they have help ed me to v a r ious extent during the work presented in this thesis: John Bray , Peter Bro oksbank, John Ca nnon, Sergei Haller, Derek Holt, Alexander Hulpke, Bill Ka ntor, Ross Lawther, Martin Lieb eck, Klaus Lux, F rank L ¨ ubeck, Scott Murray , Eamo nn O’Brien, Geoﬀrey Robinson, C o lv a Roney- Dougal, Alexander Ryba, ´ Akos Seress , Leonard Soicher, Mark Sta ther , Bill Unger , Maud de Visscher, Rob ert Wilson. 7 Notation ¯ F Algebraic c lo sure of the ﬁeld F g h conjugate of g b y h , i.e. g h = h − 1 g h [ g , h ] commutator of g and h , i.e. [ g , h ] = g − 1 h − 1 g h T r ( g ) trace of the matrix g C n cyclic group of order n , i.e. C n ∼ = Z /n Z F q ﬁnite ﬁeld of size q (o r its additive g roup) F × q m ultiplicative g roup of F q ξ ( d ) The num b er of ﬁeld op e rations required by a r andom element ora cle for GL( d, q ). ξ The num ber of ﬁeld op erations required by a random element or acle for GL( k , q ) with k co nstant χ D ( q ) num b er of ﬁeld op er ations required b y a discrete logarithm o racle in F q χ F ( d, q ) num b er of ﬁeld oper ations r equired b y an in teger factorisation o racle (whic h factorises q i − 1, for 1 6 i 6 d ) Mat n ( R ) matrix alg e bra of n × n matrices ov er ring R I n ident ity n × n matrix E i,j matrix with 1 in pos ition ( i, j ) and 0 elsewhere | g | orde r of a group element g φ Euler totient function σ 0 ( n ) num b er of p ositive divisors of n ∈ N (where σ 0 ( n ) < 2 (1+ ε ) log e ( n ) / log log e ( n ) ) ψ F rob enius automorphism in a ﬁeld F ( i.e. ψ : x 7→ x p where char ( F ) = p ) Φ( G ) F r attini subgroup of G (in ter section of all maximal subgroups o f G ) O p ( G ) largest normal p -subgro up of G G P stabiliser in G of the point P G ′ derived subgro up (comm utator s ubgroup) of G N G ( H ) normalise r of H in G C G ( g ) centraliser of g in G Z( G ) centre of G End H ( M ) algebra of H -endo morphisms of G -mo dule M , where H 6 G Aut( M ) automor phism group of G -module M (if G 6 GL( d, q ) = H then Aut( M ) = C H ( G )) S 2 ( M ) symmetric square of mo dule M over a ﬁeld F (where M ⊗ M = S 2 ( M ) ⊕ ∧ 2 ( M ) if char( F ) > 2) ∧ 2 ( M ) exterior squar e of mo dule M 8 NOT A TION 9 Sym( O ) symmetric group o n the set O Sym( n ) symmetric gr oup on n p oints D n dihedral gro up of order n P ( V ) pr o jectiv e space corresp onding to v ector space V P n ( F ) n -dimensio nal pro jectiv e space ov er the ﬁeld F [ G : H ] index of H in G G.H extension of G b y H (a group E such that G P E and E /G ∼ = H ) G : H split extension of G b y H (as with G.H but E also has a subgroup H 0 ∼ = H such that E = GH 0 and G ∩ H 0 = h 1 i ) O  ·  standard time complexity notation Ψ Automorphisms deﬁning Sz( q ) or Ree( q ) ϕ, θ, ρ gr oup homomorphisms CHAPTER 1 In tro duction and preliminaries 1.1. In tro duction This thesis contains a lg orithms for some computational problems in volving a few clas ses of the ﬁnite simple g roups. The main fo cus is on providing eﬃcient algorithms fo r co nstructive recognition and constr uc tive members hip testing, but we also consider the conjugacy problem for Sylo w and ma x imal subgroups. The work is in the a rea o f c omputational gr oup the ory (abbrev iated CGT), where o ne studies algorithmic a sp ects of gro ups , or so lves group theoretic problems using computers. A g r oup can b e represented as a da ta structur e in several wa ys, and p erhaps the mos t imp or tant ones a re p ermutation gr oups , m atr ix gr oups and ﬁnitely pr esente d gr oups . The per m utation group setting has been studied since the early 1970 ’s, and the basic technique which underlies most alg orithms is the co nstruction of a b ase and a st ro ng gener ating set . If G is a p er mut ation g roup of degr e e n , this involv es constructing a descending chain of s ubg roups of G , where each subgr oup in the chain has index a t most n in its predecess or. The permutation group algor ithm machinery is summarised in [ Ser03 ]. F o r matrix groups, the classica l metho d is also to construct a base and strong generating set. How ever, in genera l a matrix gr o up has no faithful per mut ation representation whose degree is polynomia l in the size of the input. Hence the indices in the subg roup chain will b e to o large and the p er mu tation group algorithms w ill not b e eﬃcient. F or exa mple, SL( d, q ) has no prop er s ubgroup of index less than ( q d − 1 ) / ( q − 1), a nd q is e xp o nential in the size of the input, since a matrix has size O  d 2 log( q )  . Historically there w ere tw o scho ols w ithin CGT. One c o nsists o f p eople with a more computational complexity background, whose primary goal was to ﬁnd the- oretically go o d (polyno mial time) algorithms. The implemen tation and practical per formance of the alg o rithms w ere less imp ortant, s ince the computational com- plexity view, based on ma ny real examples, is tha t if the “p olynomial ba rrier” is broken, then further resea rch will sure ly lead also to go o d pra ctical algo r ithms. The other school consists of p eople with a more group theor etic background, whose pri- mary goal was to solve computational problems in g roup theo ry (histor ically often one-time pro blems with the spo radic groups), and hence to dev elop algo rithms that can b e easily implemented and that run fast on the current har dware and on the 10 1.1. INTRODUCTION 11 sp eciﬁc input in question. The asymptotic co mplexity o f the algor ithms w as less impo rtant, and p erhaps did not ev en make sense in the case of sp or adic groups. The distinction b etw een these sc ho ols ha s b ecome less noticeable during the last 15 years, but during that time there has also b een m uch work on algor ithms for matrix groups, and there are tw o main approaches that roughly co rresp ond to these tw o schoo ls. The ﬁrst approach is the “black box” approach, that consider s the matrix groups as black b ox gr oups (see [ Ser03 , pp. 1 7]). This was initiated by [ Luk92 ] (but go es back to [ BS84 ]) a nd muc h of it is summaris ed in [ BB99 ]. The other a pproach is the “geometric” approach, a lso known as The Matrix Gr oup R e c o gnition Pr oje ct (abbreviated MGRP), whose underlying idea is to use a famous theorem o f Asch bacher[ Asc84 ] which r oughly says that a ma trix g roup either pre- serves some geometric structure, or is a simple group. Although the author has a background p erhaps more in the computational complexity scho ol, the w ork in this thesis forms a pa rt of MGRP . The ﬁrst sp eciﬁc goal in that approa ch is to obtain an eﬃcient algo rithm that ﬁnds a comp osition series of a matrix gro up. There exists a recursive a lgorithm[ LG01 ] for this, which relies on a num be r o f other alg orithms that determine which kind of geometric structure is preserved, and the ba s e cases in the recurs ion ar e the clas s es of ﬁnite simple groups. Hence this algorithm reduces the problem of ﬁnding a co mpo sition s eries to v arious problems concerning the comp osition factors of the matrix gro up, which are simple groups. The work pres ent ed here is ab out computing with some o f these simple groups. F o r each simple group, a num b er of problems a r ise. The simple gr oup is given as G = h X i 6 P GL( d, q ) for some d, q and we need to consider the following pr oblems: (1) The pr oblem of r e c o gnition or naming o f G , i.e. dec ide the na me of G , as in the classiﬁcation of the ﬁnite s imple groups. (2) The c onstru ctive memb ership pro blem. Giv en g ∈ P GL( d, q ), de c ide whether or not g ∈ G , a nd if so expres s g as a straig h t line pro gram in X . (3) The problem of c onstructive r e c o gnition . Construct an isomorphism ϕ from G to a standar d c opy H of G such tha t ϕ ( g ) can b e computed eﬃciently for every g ∈ G . Such an iso mo rphism is ca lled eﬀe ctive . Also of interest is to construct an e ﬀective inverse of ϕ − 1 , which es sentially is constructive mem b ership testing. T o ﬁnd a comp ositio n series using [ LG01 ], the pro blems involving the com- po sition factor s that w e need to solve are naming and constructive membership. How ever, the eﬀective isomorphisms of these comp osition factors to standard copies can also b e v ery useful. Given such iso mo rphisms, many problems, s o metimes in- cluding constructive member ship, can b e reduced to the standar d copies. Hence these isomorphisms play a central role in computing with a ma tr ix group once a comp osition series has been co nstructed. 1.2. PRELIM INARIES 12 In general, the constructive recognition problem is computationally ha rder than the constructive membership pro blem, whic h in turn is harder than the naming problem. Mo st of o ur eﬀor ts will ther e fo re go tow a rds solving co nstructive r ecog- nition. In fact, the naming pr o blem is not consider e d in every case here, sinc e the algorithm of [ BKPS02 ] solves this pr oblem. How e ver, that a lgorithm is a Monte Carlo alg orithm, and in some ca ses we can improve o n that a nd provide Las V egas algorithms (see Section 1.2.2). The algorithms pr esented here are not black b ox a lgorithms, but rely heavily on the fact that the gr o up elements are matr ic es, and use the repres ent ation the- ory of the groups in question. How ever, the alg orithms will work with a ll p ossible representations of the groups , so a us e r of the alg o rithms can consider them bla ck box in that sense. 1.2. Preliminaries W e now g ive pre liminary discussions and results tha t will be necessar y later on. 1.2.1. Comple xit y. W e shall b e concerned with the time complexity of the algorithms inv o lved, where the basic op erations ar e the ﬁeld op era tions, and not the bit op eratio ns. All simple ar ithmetic with matrices can b e done using O  d 3  ﬁeld op era tions, and raising a matrix to the O  q  power can be done using O  d 3  ﬁeld op er ations using [ CLG97 ]. These co mplexity b o unds arise when using the naive matr ix multiplication algorithm, which uses O  d 3  ﬁeld op er ations to mult iply t wo d × d matrices. More eﬃcien t a lg orithms for ma trix m ultiplica tion do ex is t. Some ar e also fast in pr a ctice, like the famo us alg o rithm of Stra ssen[ Str69 ], which uses O  d log 2 7  ﬁeld op era tions. Curr ently , the most eﬃcient matrix multiplication algorithm is the Co pper smith-Winograd alg o rithm of [ CW 90, CKSU05 ], which uses O  d 2 . 376  ﬁeld op erations, but it is not practical. The improvemen ts made b y these algorithms over the naiv e matr ix m ultiplication algorithm a re not noticeable in practice for the matrix dimens io ns that are currently within rang e in the MGRP . Therefore we will only us e the na ive algor ithm, whic h also simpliﬁes the complex it y statements. When we are given a group G 6 GL ( d, q ) deﬁned by a se t X of generator s, the size of the input is O  | X | d 2 log( q )  . A ﬁeld elemen t tak es up O  log( q )  space, a nd a matrix has d 2 ent ries. W e shall often a s sume an or acle for the discr ete logar ithm problem in F q (see [ vzGG03 , Section 20 . 3 ] and [ Shp9 9 , Chapter 3]). In the general discrete loga rithm problem, we consider a cy clic group G of o rder n . The input is a gener ator α of G , and so me x ∈ G . The ta sk is to ﬁnd 1 6 k < n such that α k = x . In F q the m ultiplicative group F × q is cy c lic, and the discrete logarithm pr oblem turns up. It is a famous a nd well-studied problem in theor etical computer science a nd computational n um b er theory , and it is unkno wn if it is NP -complete or if it is in P , although the la tter w ould b e very surprising. Cur rently the most eﬃcient algorithm 1.2. PRELIM INARIES 13 has sub-exp onential complexity . Ther e ar e a lso algorithms for sp ecial cases, and an impo rtant cas e for us is when q = 2 n . Then w e can use Copp ersmith’s a lgorithm of [ Cop84, GM93 ], which is muc h faster in pr actice than the general a lgorithms. It is not polyno mia l time, but has time co mplexity O  exp( cn 1 / 3 log( n ) 2 / 3 )  , where c > 0 is a sma ll c o nstant. W e shall assume that the discrete logarithm o r acle in F q uses O  χ D ( q )  ﬁeld op erations. Similarly we will sometimes as sume an orac le fo r the integer factorisatio n prob- lem (see [ vzGG03 , Chapter 19]), whose status in the complexity hierarch y is similar to the discrete lo garithm problem. More precisely , we sha ll a ssume we have an or- acle that, given d > 1 a nd F q , factoris es all the integers q i − 1 for 1 6 i 6 d , using O  χ F ( d, q )  ﬁeld opera tions. By [ BB99 , Theorem 8 . 2], a ssuming the Extended Rie- mann Hyp o thesis this is equiv alent to the standar d integer factor isation pr oblem. The reaso n for having this slightly diﬀerent fa ctorisation oracle will beco me clear in Section 1.2.5. Except for these ora cles, our algorithms will b e p o lynomial time, s o from a computational complexity per sp ective o ur res ults will imply that the problems we study can be r educed to the discrete logarithm problem or the in teger factorisation problem. This is in line with MGRP , whose goa l from a complexity p o int o f v iew is to prove that computations with matr ix groups are no t harder than (and hence equally hard as) these t w o well-kno wn problems. 1.2.2. Probabilisti c algorithms. The algorithms we consider are pro babilis- tic of the types known as Monte Carlo o r L as V e gas algorithms. These types of algorithms ar e discussed in [ Ser03 , Sec tio n 1.3 ] and [ HE O05 , Section 3.2.1]. In short, a Monte Ca r lo algorithm for a language X is a probabilistic algorithm with an input parameter ε ∈ (0 , 1) suc h that on input x • if x ∈ X then the algorithm returns tr ue with probability at least 1 − ε (otherwise it returns false ), • if x / ∈ X then the a lgorithm returns false . The parameter ε is therefo re the maxim um error probability . This type of algo - rithm is als o calle d one-side d Monte Carlo algorithm with no false ne gatives . The languages with such alg orithms form the complexity c lass RP . In the same wa y one ca n deﬁne algorithms with no false p ositives, and the corresp onding la ng uages form the cla ss co - RP . The class ZPP = RP ∩ co - RP co nsists of the languages that hav e Las V eg as algo r ithms, and these are the t yp e of algo rithms that we will be most concerned with. A Las V egas alg orithm either returns failu re , with pro b- ability at most ε , or otherwise retur ns a co rrect result. Such an a lgorithm is easily contructed g iven a Monte Carlo algorithm of each type. The time c omplexity o f a Las V ega s alg orithm naturally depends on ε . Las V egas alg o rithms can be presented concisely a s proba bilistic algo rithms that either r eturn a correct result, with proba bilit y b ounded b elow by 1 / p ( n ) for some p olyno mial p ( n ) in the size n of the input, or otherwise re turn fai lure . By 1.2. PRELIM INARIES 14 enclosing such an a lgorithm in a lo op that iterates ⌈ log ε/ log (1 − 1 /p ( n )) ⌉ times, we obtain an algo rithm that r eturns fail ure with pr obability at most ε , and hence is a Las V egas algor ithm in the above sense. Clea r ly if the enclosed alg orithm is po lynomial time, the Las V egas algo rithm is p olynomial time. One can also enclose the a lg orithm in a loo p that itera tes until the algorithm returns a corr ect result, th us obtaining a pro ba bilistic time complexity , and the exp ected num be r o f iteratio ns is then O  p ( n )  . This is the way we present Las V eg as algorithms since it is the one that is close s t to how the algo rithm is used in practice. 1.2.3. Straigh t line programs. F or c onstructive membership testing , we wan t to express an element of a group G = h X i as a word in X . Actually , it should be a st ra ight line pr o gr am , abbreviated to SLP . If we e xpress the e lement s as w ords, the length of the words migh t be too larg e, requir ing exp onential space complexit y . An SLP is a da ta structure for words, which e nsures that during ev aluation, subw or ds occur ring multiple times are not c o mputed more often than during co n- struction. Often we w ant to express a n element as an SLP in or der to obtain its homomorphic ima g e in a nother gro up H = h Y i wher e | X | = | Y | . The ev aluation time for the SLP is then b o unded b y the time to construct it times the ratio of the time required for a g roup oper a tion in H and in G . F o rmally , given a set of g enerator s X , an SLP is a sequence ( s 1 , s 2 , . . . , s n ) where each s i represents one of the following • an x ∈ X • a pro duct s j s k , where j, k < i • a p ow er s n j where j < i and n ∈ Z • a conjugate s s k j where j, k < i so s i is either a pointer in to X , a pair of pointers to ea r lier elemen ts of the sequence, or a pointer to an ea r lier e lement and an in teger. T o construct an SLP for a word, one starts by lis ting po inters to the g enerators of X , and then builds up the w ord. T o ev a luate the S LP , g o through the sequence and per fo rm the sp eciﬁed ope rations. Since we use p ointers to the elemen ts of X , we can immediately ev aluate the SLP on Y , by just changing the p ointers so that they po int to elements of Y . 1.2.4. Solving p olynomi al equations. One of the main themes in this w ork is that we reduce search pr oblems in c omputational gr oup theory to the problem of solving p olyno mial equa tions over ﬁnite ﬁelds. The metho d we use to ﬁnd the solutions of a system of p oly nomial equations is the classical resultant tec hnique, describ ed in [ vzGG03 , Sectio n 6 . 8]. F or co mpleteness, we als o sta te the cor r e- sp onding result for univ ariate p olynomials. Theorem 1. 1. L et f ∈ F q [ x ] have de gr e e d . Ther e exists a L as V e gas algorithm that ﬁnds al l the r o ots of f that lie in F q . Th e exp e cte d t ime c omplexity is O  d (log d ) 2 log log( d ) log( dq )  ﬁeld op er ations. 1.2. PRELIM INARIES 15 Proof. Immediate fro m [ vzGG03 , Co rollary 14.16 ].  Theorem 1.2. L et f 1 , . . . , f k ∈ F q [ x, y ] = R b e such that the ide al I = h f 1 , . . . , f k i P R is zer o-dimensional. L et n x = max i deg x f i > max i deg y f i = n y . Ther e exists a L as V e gas algorithm that ﬁnds the c orr esp onding aﬃne variety V ( I ) ⊂ F 2 q . The exp e cte d time c omplexity is O  k n 3 x (log n x ) 2 log log( n x ) log( n x q )  ﬁeld op er ations. Proof. F ollowing [ vzGG03 , Section 6 . 8], we compute k − 1 pairwise res ultants of the f i with respect to y to obtain k − 1 univ ariate polynomia ls in x . By [ vz GG03 , Theorem 6 . 37], the exp ected time complexity will b e O  k ( n x n 2 y + n 2 x n y )  ﬁeld op- erations and the resultants will be non- zero since the ideal is zero -dimensional. W e ca n ﬁnd the se t X 1 of ro ots of the ﬁrst p o lynomial, then ﬁnd the roo ts X 2 of the se c ond polyno mial and simultaneously ﬁnd X 1 ∩ X 2 . By contin uing in the same wa y w e can ﬁnd the se t X of common roots of the resultants. Since their deg rees will be O  n 2 x  , by Theor em 1.1 w e can ﬁnd X using O  k n 2 x (log ( n 2 x )) 2 log log( n 2 x ) log( n 2 x q )  ﬁeld op erations. Clearly | X | ∈ O  n 2 x  . W e then substitute each a ∈ X into the k p olynomials a nd obtain univ ar iate po lynomials f 1 ( a, y ) , . . . , f k ( a, y ). These will hav e degrees O  n y  and as ab ove we ﬁnd the set Y a of their common ro o ts using O  k n y (log ( n y )) 2 log log( n y ) log( n y q )  ﬁeld o pe r ations. Clear ly V ( I ) = { ( a, b ) | a ∈ X, b ∈ Y a } and hence we can ﬁnd V ( I ) using O  | X | kn y (log ( n y )) 2 log log( n y ) log( n y q )  ﬁeld op eratio ns . Thus the time com- plexity is as stated.  The follo wing r esult is a genera lisation of the previous r e sult, a nd we omit the pro of, since it is c omplicated and outside the s cop e of this thesis. Theorem 1.3. L et f 1 , . . . , f k ∈ F q [ x 1 , . . . , x k ] = F b e such t hat the ide al I = h f 1 , . . . , f k i P F is z er o-dimensional. L et n = max i,j deg x j f i . Ther e exists a L as V e gas algorithm that ﬁnds the c orr esp onding aﬃne variety V ( I ) ⊂ F k q . The exp e cte d time c omplexity is O  ( k n 3 + n k k 2 (log n ) 2 log log( n k ) log( n k q )) k  ﬁeld op er ations. As can be seen, if the num b er of equatio ns, the num b e r of v ariables and the degree of the equa tio ns are constant, then the v ariety of a z ero-dimensio na l ide a l can b e found in p olynomia l time. That is the situation we will b e most concer ned with. As an alternative to the resultant tec hnique, one can compute a Gr¨ obner basis and then ﬁnd the v ariety . By [ LL91 ], if the ideal is zero-dimensio na l the time complexity is O  n O  k   where n is the maxim um degree of the p oly nomials and k is the num ber of v a riables. Hence in the situation above this will b e po lynomial time. 1.2.5. Orders of i n v e rtible matrices. The or der of a group element g is the smallest k ∈ N such that g k = 1. W e denote the order of g by | g | . F or elements g of a matrix group G 6 GL( d, q ), an a lgorithm for ﬁnding | g | is pr esented in [ CLG97 ]. In ge ne r al, to obtain the pr e cise order, this algo rithm require s a fac torisation of q i − 1 for 1 6 i 6 d , otherwise it might return a multiple of the cor rect order. 1.2. PRELIM INARIES 16 Therefore it dep ends o n the presumably diﬃcult pr oblem of in teger factoris ation, see [ vzGG03 , Chapter 1 9]. How ever, in most of the ca ses w e will consider , it will turn out that a m ultiple of the correct or der will b e suﬃcient. F or exa mple, a t ce r tain points in o ur alg orithms we shall be concer ned with ﬁnding elements of order divid ing q − 1. Hence if we use the ab ove algorithm to ﬁnd the orde r of g ∈ G and it rep orts that | g | = q − 1, this is suﬃcien t fo r us to use g , even though w e might have | g | prop erly dividing q − 1. Hence in teger factorisation is av o ided in this case. In [ BB99 , Section 8] the concept of pseudo-or der is deﬁned. A pseudo-or de r of an elemen t g is a pro duct of primes and pseudo-primes. A pseudo-prime is a comp osite factor of q i − 1 for some i 6 d that ca nnot con venien tly be factoris ed. The order of g is a factor of the pse udo -order in which ea ch pseudo-prime is replaced b y a non-identit y factor of that pseudo-prime. Hence a pseudo-prime is not a m ultiple of a “known” prime, and any t w o pseudo-primes are relatively prime. The algorithm of [ CLG97 ] ca n a lso b e used to obtain a ps eudo-order , and for this it has time complexity O  d 3 log ( q ) lo g log ( q d )  ﬁeld oper ations. In fact, the algorithm computes the or der factorised into primes and pseudo-primes. Howev er , even if we ha ve just the pseudo-order , we can s till determine if a giv en prime divides the order, without in teger factorisation. Prop ositi o n 1.4. Le t G 6 GL( d, q ) . Ther e exists a L as V e gas algorithm that, given g ∈ G , a prime p ∈ N and e ∈ N , determines if p e | | g | and if so ﬁnds the p ower of g of or der p e , us ing O  d 3 log( q ) lo g log ( q d )  ﬁeld op er ations. Proof. Use [ CLG97 ] to ﬁnd a pseudo- o rder n of g . Assume that n = p k s where p ∤ s , a nd | g | = p l r where p ∤ r , l 6 k and r | s . Since p is given, [ CLG97 ] will make sure that k = l , so w e assume that this is the ca se. Moreov er, from [ CLG97 ] we see g cd( r , s/r ) = 1. If a prime p 1 divides s/r w e must hav e p 1 6 = p . So if p 1 | | g | we must ha ve p 1 | r and hence p 1 = 1. Thus gcd( s/r, | g | ) = 1. Hence   g s/r   = | g | , | g r | = p l and | g s | =   ( g s/r ) r   = p l . Therefore g sp l − e 6 = 1 if and only if p e | | g | . Then g sp l − e has order p e .  1.2.6. Random group elemen ts. Our analysis assumes that w e can con- struct uniformly (o r nearly uniformly) distributed rando m elements of a group G = h X i 6 GL( d, q ). The algo rithm of [ Bab91 ] pro duces independent nearly uni- formly distributed ra ndom elements, but it is not a practical algorithm. It has a prepro cess ing step with time complexit y O  log | G | 5  group op erations, and each random element is then found using O  log | G |  group oper ations. A mor e commonly use d algo r ithm is the pr o duct r eplac ement algorithm of [ CLGM + 95 ]. It also consis ts of a prepr o cessing s tep, which is p olynomial time by [ Pak00 ], a nd e ach random element is then found using a constant num b er o f group ope r ations (usually 2 ). This alg orithm is prac tica l and included in Magma and GAP . Mos t of the theor y ab out it is summarised in [ Pa k01 ]. F or a dis cussion of both these alg orithms, s e e [ Ser03 , pp. 2 6 -30]. 1.2. PRELIM INARIES 17 W e sha ll ass ume tha t we hav e a ra ndom element o racle, which pro duces a uniformly random element of h X i using O  ξ ( d )  ﬁeld o p e rations, and returns it as an SLP in X . An impor tant is sue is the length of the SL P s that are co mputed. The length of the SLP s must b e p olynomial, otherwise it would not b e polynomia l time to ev aluate them. W e assume that SLP s of rando m elements hav e length O  n  where n is the nu mber of r andom element s that hav e been sele c ted so far during the execution of the algorithm. In [ LGM02 ], a v ar iant of the pro duct replace ment a lg orithm is pr esented that ﬁnds random elemen ts of the normal c lo sure of a subgroup. This will be used here to ﬁnd random ele ments of the der ived subg r oup of a gro up h X i , using the fact that this is pr ecisely the normal closure of h [ x, y ] : x, y ∈ X i . 1.2.7. Constructiv e recognition ov erview. If V is an F G -mo dule for some group G and ﬁeld F , with action f : V × F G → V , a nd if Φ is an automorphism of G , denote by V Φ the F G -mo dule which has the same elements as V and where the a ction is g iven by ( v , g ) 7→ f ( v , Φ( g )) for g ∈ G and v ∈ V Φ , ex tended to F G by line a rity . W e call V Φ a twiste d version of V , or V twiste d by Φ. If G is a matrix group and the automorphism Φ is a ﬁeld automo r phism, we ca ll it a Galois twist . F r om [ HEO05 , Section 7 . 5 . 4] we k now that G preserves a classical (non- unitary) form if and only if V is iso morphic to its dual. W e shall use this fa c t o ccasiona lly . When we say that a n algorithm is “g iven a gr oup h X i ”, then the gener ating set X is ﬁx e d and known to the algorithm. In other words, the a lg orithm is given the generating set X and will ope rate in h X i . Deﬁnition 1.5. Let G, H b e matrix groups. An is o morphism ϕ : G → H is eﬀe ctive if there exists a poly nomial time Las V egas algor ithm that co mputes ϕ ( g ) for an y given g ∈ G . Of course, an eﬀectiv e isomorphism might be de ter ministic, since P ⊆ ZPP . Deﬁnition 1. 6. The problem o f c onstructive r e c o gnition is : Input : A matrix group G = h X i with standard cop y H ∼ = G . Ouput : An eﬀective isomor phism ϕ : G → H , such that ϕ − 1 is also eﬀectiv e. Now cons ide r an exceptional gr oup with standar d co py H 6 GL ( d, F q ), where F q has c haracter istic p . The standard copies of the exceptional groups under consid- eration will be deﬁned in Chapter 2. Our algor ithms should b e able to co nstructively recognise any input group G 6 GL( d ′ , q ′ ) that is isomorphic to H . The assumptions that we make on the input group G are: (1) G acts absolutely irreducibly on F d ′ q ′ , (2) G is written ov er the minimal ﬁeld mo dulo scalars, (3) G is known to be iso morphic to H , and hence d and q a re known. 1.2. PRELIM INARIES 18 A user of our algor ithms ca n easily ﬁrst apply the algor ithms of [ HR9 4 ] and [ GLGO06 ], describ ed in Sectio ns 1.2.10.1 and 1.2.10 .2, to make the gr oup satisfy the ﬁr st tw o a ssumptions. The last tw o assumptions remov e m uch of the need for input veriﬁcation using non-explicit recognition. They are motiv ated b y the context in which o ur alg orithms are supp osed to b e used. The idea is that o ur algo rithms will serve as a base c a se for the a lgorithm of [ LG01 ] o r a similar a lgorithm. In the ba se cas e it w ill b e known that the group under consideration is almost simple mo dulo sca lars. W e can then assume that the alg o rithm can decide if it is dealing with a group of Lie type. Then it ca n use the Monte Carlo a lgorithm of [ OL05 ] to determine the deﬁning characteristic o f the g roup, and next us e the Monte Carlo algorithm of [ BKPS02 ] to determine the name o f the group, a s w ell as the deﬁning ﬁeld size q . This standard machinery motiv a tes our assumptions. Because the group has only b een identiﬁed by a Monte Carlo alg o rithm, ther e is a small non- zero probability that o ur algor ithms mig ht b e executed on the wrong g roup. This has to be kept in mind when implementing the algorithms. W e do not a ssume that the input is tens or indecomp osable, since the tenso r decomp osition algorithm describ ed in Section 1.2.10.3 is no t po ly nomial time. A n umber of diﬀeren t cases arise: (1) G 6 GL( d ′ , F q ′ ) where F q ′ has characteristic p ′ 6 = p . This is called the cr oss char acteristic case. Then [ LS74 ] a nd [ SZ93 ] tells us that q ∈ O  f ( d ′ )  for some p olyno mial f . This means that q is po lynomial in the size of the input, whic h is not the c a se in g eneral. In this case w e can therefor e use algor ithms which nor ma lly ar e exp onential time. In particular, by [ BB99 , Theor em 8.6] we can use the classical per mu tation gr oup metho ds. Therefore we will only consider the case when we are given a g roup in deﬁning char acteristic , so that p = p ′ . (2) G 6 GL( d ′ , F s ) where d ′ > d and F s 6 F q . Let W be the mo dule of G . If W is iso morphic to a tensor pro duct of t wo mo dules which b oth have dimension less than dim W , then we say that W is tensor de c omp osable . Otherwise W is tensor inde c omp osable . Every p o ssible W is isomorphic to a tensor pro duct of twisted versions of tenso r indecomp osa ble mo dules of G (and hence of H ). By the Stein b erg tensor pr o duct theorem of [ Ste63 ], in our cases the twists are Galois t wis ts and the num b er o f tensor indecomp osa ble modules is indep endent of the ﬁeld size, up to t wists. If W is tens or decomp osable, we w ant to co nstruct a tensor indec o m- po sable repres e n tation V of G . In gener al, this is done using the tensor decomp osition alg orithm describ ed in Sec tio n 1.2.10 .3 on W , which a lso provides an eﬀectiv e isomor phism fr o m W to V ( i.e. b etw een their acting groups). But since the a lgorithm is not poly no mial time, a sp ecial version of one its subroutines has to b e provided for ea ch exceptional group. 1.2. PRELIM INARIES 19 If W is tens o r indecomp o sable, we wan t to construct a represe n tation V of G of dimension d , and we wan t do it in a wa y that als o cons tructs an eﬀective iso mo rphism. In principle this is alw ays po s sible by computing tensor pro ducts of W and chopping them with the Mea tAxe, beca use a comp osition factor o f dimension d will always turn up. Ho wev e r , this is not alwa ys a practica l a lgorithm, and the time co mplexity is not v ery go o d. Note that if the minimal ﬁeld F s is a prop er s ubﬁeld of F q , then the tensor de c o mp o sition will not succeed. Since we assume that we kno w q , we c an embed W canonically into an F q G -mo dule. In this c ase we shall therefore always as sume that s = q , cont rary to our s e cond a s sumption ab ov e. (3) G 6 GL( d, F q ), so that, b y [ Ste63 ], G is conjugate to H in GL( d, F q ). This is the most interesting case since there are no standard metho ds, and we shall devote muc h eﬀort to this case for the exceptional groups that we consider. A central issue will be to ﬁnd elements of order a m ultiple of p . This is a ser ious obstacle since b y [ IKS95, GL01 ], the prop o r tion ρ ( G ) of these elements in G satisﬁes 2 5 q < ρ ( G ) < 5 q . (1.1) Hence we cannot ﬁnd elemen ts of or der a m ultiple of p b y random sear ch in po lynomial time, so there is no straightforw ard wa y to ﬁnd them. T o b e able to deal with these v a rious cases, we need to know a ll the absolutely irreducible tensor indecompo sable repr esentations of H in deﬁning characteristic. W e also need to know how they arise fro m the natur al r epr esentat ion , which is the representation of dimension d over F q . In our cases, this information is provided by [ L ¨ ub01 ]. 1.2.8. Constructiv e me m b ership testing ov erview. The other computa- tional problem that w e shall consider is the follo wing. Deﬁnition 1. 7. The problem o f c onstructive memb ership testing is: Input : A matrix group G = h X i , an elemen t g ∈ U > G . Output : If g ∈ G , then true a nd a n S LP for g in X , false otherwise. In our ca ses, U is alwa ys taken to b e the genera l linear group. One ca n take t wo slig ht ly diﬀerent approaches to the pr oblem of expr essing an element a s an SLP in the given g e ne r ators, dep e nding on whether one wan ts to ﬁnd an eﬀective isomorphism or ﬁnd standard generators . (1) The approach using an eﬀectiv e isomorphis m. (a) Given G = h X i with s tandard copy H , ﬁr st solve constr uctive recog- nition a nd o btain an eﬀective iso morphism ϕ : G → H . Hence o btain a generating set ϕ ( X ) o f H . (b) Given g ∈ G , express ϕ ( g ) as a n SLP in ϕ ( X ), hence also expr essing g in X . 1.2. PRELIM INARIES 20 (2) The approach using standard genera tors. (a) Given G = h X i with sta nda rd cop y H = h y 1 , . . . , y k i , ﬁnd g 1 , . . . , g k ∈ G as SLP s in X , suc h that the ma pping g i 7→ y i is an iso morphism. (b) Given g ∈ G , e xpress g a s an SLP in { g 1 , . . . , g k } , hence also express- ing it in X . In the ﬁrst case, the constructive mem be r ship testing takes place in H , whic h is probably faster than in G , so in this case we use the sta nda rd co p y in co mputa- tions. In the second cas e , the s tandard copy is only used as a theor e tica l tool. As it stands, the ﬁr st appr oach is stro nger, since it provides the eﬀective isomorphism, and the standard generators in G can b e obtained in the ﬁrst approach, if necessary . How ever, if the representation theor y of G is k nown, so tha t w e can construc t a mo dule isomorphic to the mo dule o f G from the mo dule of H , then the standar d generator s ca n b e used, tog ether with the Mea tAxe, to solve co nstructive recog- nition. Hence the tw o approaches ar e not v ery diﬀerent. One ca n also mix them in v arious w ays, for example in the ﬁr st case by ﬁnding standard g enerator s in H expressed in ϕ ( X ), and then o nly express ea ch element in the standard genera tors, which might b e easier than to express the elemen ts directly in ϕ ( X ). 1.2.9. CGT metho ds. Here we describ e so me a lgorithmic metho ds that w e will us e. Like many metho ds in CGT they are not really algorithms ( i.e. they may not terminate o n all inputs), or if they are they hav e very bad (worst-cas e ) time complexity . Nev ertheless, they can be use ful for particular g roups, as in o ur cases. 1.2.9.1. The dihe dr al t r ick. This trick is a metho d for conjuga ting inv olutions ( i.e. elements of order 2) to each other in a black-box group, deﬁned by a set of generator s. The nice feature is that if the inv olutions a re given as str a ight line progra ms in the generator s, the c o njugating element will be found as a straight line progra m. The dihedral trick is based on the following observ ation. Prop ositi o n 1.8. Le t G b e a gr oup and let a, b ∈ G b e involutions such t hat | ba | = 2 k + 1 for some k ∈ Z . Then ( ba ) k c onjugates a t o b . Proof. Observe that ( ba ) − k a ( ba ) k = ( ba ) k +1 a ( ba ) k = ( ba ) k b ( ba ) k = ( ba ) k a ( ba ) k − 1 = · · · = ( ba ) a = b since a and b a re involutions.  Theorem 1.9 (The dihedral tr ick) . L et G = h X i 6 GL( d, q ) . A ssume that the pr ob ability of the pr o duct of two r andom c onjugate involutions in G having o dd or der is at le ast 1 /c . Ther e exists a L as V e gas algo rithm that, given c onjugate involutions a, b ∈ G , ﬁnds g ∈ G su ch that a g = b . If a, b ar e given as SLP s of lengths l a , l b , then g wil l b e found as an SLP of length O  c ( l a + l b )  . The algorithm has ex p e ct e d time c omplexity O  c ( ξ ( d ) + d 3 log( q ) log log( q d ))  ﬁeld op er ations. Proof. The a lgorithm pr o ceeds as follows: (1) Find random h ∈ G a nd let a 1 = a h . 1.2. PRELIM INARIES 21 (2) Let b 1 = ba 1 . Use Pr op osition 1.4 to determine if b 1 has even order , and if so, return to the ﬁr st step. (3) Let n = ( | b 1 | − 1) / 2 and le t g = hb n 1 = h ( a h b ) n . By Prop os ition 1.8, this is a La s V egas algo rithm. The pro bability that b 1 has o dd order is 1 /c and hence the exp ected time complexity is as stated. Note that if a and b a r e given as SLP s in X , then we obtain g as an SL P in X .  1.2.9.2. Involution c entr alisers. In [ HLO + 06 ] an algorithm is describ ed that reduces the constructive member ship pro blem in a group G to the same proble m in three in volution cent raliser s in G . The reduction a lgorithm is known a s the Ryb a algorithm a nd can b e a conv enient metho d to so lve the constr uctive membership problem. How ever, there are obstacles : (1) W e hav e to s o lve the constructive membership problem in the in volution centralisers of G . In pr inciple this can b e done using the Ryba algo rithm recursively , but such a blind descent might not be very sa tisfactory . F or instance, it mig h t not b e ea sy to determine the time complexity of such a pr o cedure. Another appr o ach is to provide a sp ecial algor ithm for the inv olutio n ce ntraliser. This assumes that the str uc tur e of G and its inv o- lution centralisers ar e kno wn, whic h it will b e in the cases we consider. (2) W e hav e to ﬁnd inv olutions in G . As describ ed in Sectio n 1.2 .7, this is a serious o bstacle if the deﬁning ﬁeld F q of G has characteristic 2. In o dd characteristic the s ituation is b etter, and in [ HLO + 06 ] it is prov ed that the Ryba algorithm is po lynomial time in this case. Another approach is to provide a sp ecial algor ithm that ﬁnds inv o lutions. (3) W e have to ﬁnd generators Y for C G ( j ) o f a giv en in volution j ∈ G = h X i . This is p ossible using the Br ay algorithm of [ Bra00 ]. It works by com- puting random elements of C G ( j ) until the who le ce n traliser is genera ted. This automatically gives the elemen ts of Y as SLP s in X , which is a central feature needed b y the Ryba algorithm. There ar e tw o is sues inv olved when using this algorithm. Firs t, the generator s that are co mputed may not b e uniformly rando m in C G ( j ), so that we might hav e trouble gener ating the whole centraliser. In [ HLO + 06 ] it is shown that this is not a problem with the ex c eptional gro ups . Second, we need to provide an a lgorithm that determines if the whole centraliser has been generated. In the ca ses that we will co ns ider, this will b e p ossible. It sho uld b e noted that the Bray algorithm works for any blac k-b ox group and not just for matrix groups. Given these obstacles, we will s till use the Ryba algorithm fo r co nstructive mem b ership testing in some cas es. W e will also use the Bray algo rithm indep en- dent ly , s ince it is a p ow erful too l. 1.2. PRELIM INARIES 22 1.2.9.3. The F ormula. Like the dihedral trick, this is a metho d for conjugating elements to each other. F or a g roup G , denote by Φ( G ) the F r attini sub gr oup of G , which is the in tersection of the maximal subgroups o f G . Lemma 1.1 0 (The F ormula) . L et G ∼ = H : C n , wher e H is a 2 -gr oup and n is o dd. If a, b ∈ G have or der n = 2 k + 1 and a ≡ b m o d H , then b ≡ a g mo d Φ( H ) wher e g = ( ba ) k . Proof. The order s of a, b are their orders in C n . Hence we can re pla ce H with H/ Φ( H ) witho ut a ﬀecting the r est of the assumptions. W e can therefore r educe to the case when Φ( H ) = h 1 i , in other w ords when H is element ary ab elian. Then a = a 1 g , b = b 1 g , with | g | = n and a 1 , b 1 ∈ H . W e w ant to prove that a h = b where h = ( ba ) k or equiv alently that ( ba ) k b = a ( ba ) k . Now ( ba ) k = ( b 1 g a 1 g ) k = ( b 1 a g − 1 1 g 2 ) k . W e can mov e a ll o ccurrences of g to the right, so that ( ba ) k = b 1+ g − 2 + g − 4 + ··· + g − 2( k − 1) 1 a g − 1 + g − 3 + ··· + g − 2 k − 1 1 g 2 k from whic h we see that ( ba ) k b 1 g = b 1+ g − 2 + g − 4 + ··· + g − 2 k 1 a g − 1 + g − 3 + ··· + g − 2 k − 1 1 g 2 k +1 a 1 g ( ba ) k = b g − 1 + g − 3 + ··· + g − 2 k − 1 1 a 1+ g − 2 + g − 4 + ··· + g − 2 k 1 g 2 k +1 and we wan t these to be equal. Since g 2 k +1 = 1, we see that ( b a ) k b, a ( ba ) k ∈ H , and bec a use H is elementary ab elian, they are equal if a nd o nly if their pr o duct is the identit y . But clearly ( ba ) k ba ( ba ) k = b s 1 a s 1 , where s = P k i =0 g − i , and ﬁnally b s 1 a s 1 = ( b 1 g ) 2 k +1 ( a 1 g ) 2 k +1 = 1.  Corollary 1. 11. L et H ∼ = P : C n , wher e P is a 2 -gr oup and n is o dd, and let G ∼ = H : S for some gr oup S . If a ∈ H has or der n = 2 k + 1 then for h ∈ G , such that a ≡ a h mo d P , we have a g − 1 h ≡ a m o d Φ( P ) , wher e g = ( a h a ) k . Proof. Observe that b oth a and a h hav e order n and lie in H E G . Now apply Lemma 1.10, conclude that a g ≡ a h mo d Φ( P ), and the result follows.  1.2.9.4. R e c o gnition of PSL(2 , q ) . In [ CLGO06 ], an algor ithm for constructive recognition and constructive membership testing of PSL(2 , q ) is presented. This algorithm is in several aspec ts the o r iginal which our algo rithms are mo delled after, and it is in itself a n extension of [ CLG01 ], which ha ndles the natural representation. W e will use [ CLGO06 ] since PSL(2 , q ) a rise as subgroups of some of the excep- tional gro ups that we consider. Because o f this, we state the main results her e. Let σ 0 ( d ) b e the num b er of divisors o f d ∈ N . F ro m [ H W79 , pp. 64 , 359 , 262 ], we k now that for ev ery ε > 0 , if d is suﬃciently la rge then σ 0 ( d ) < 2 (1+ ε ) log e ( d ) / log log e ( d ) . Here, PSL(2 , q ) is viewed as a quo tien t o f SL(2 , q ). Hence the ele ments are cosets of matrices. Theorem 1.12. Assume an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i 6 GL ( d, q ) satisfying the assumptions 1.2. PRELIM INARIES 23 in Se ction 1.2.7 , with h X i ∼ = (P)SL(2 , q ) and q = p e , ﬁn ds an eﬀe ctive isomorphism ϕ : h X i → (P)SL(2 , q ) and p erforms pr epr o c essing for c onst ructive memb ership testing. The algorithm has exp e cte d time c omplexity O  ( ξ ( d ) + d 3 log( q ) log lo g( q d )) log log( q ) + d 5 σ 0 ( d ) | X | + dχ D ( q ) + ξ ( d ) d  ﬁeld op er ations. The inverse of ϕ is also eﬀe ctive. Each image of ϕ c an b e c ompute d using O  d 3  ﬁeld op er ations, and e ach pr e-image using O  d 3 log( q ) log lo g( q ) + e 3  ﬁeld op er ations. A fter the algorithm has run , c onstructive memb ership testing of g ∈ GL( d, q ) uses O  d 3 log( q ) log lo g( q ) + e 3  ﬁeld op er ations, and the r esult ing SLP has length O  log( q ) log lo g( q )  . The existence o f this constructive recognition algorithm has led to se veral other co nstructive recognition a lgorithms for the c la ssical gr oups[ BK01, Bro03a, Bro03b, BK06 ], which ar e p olynomial time a ssuming an o r acle for constr uctive recognition of PSL(2 , q ). In some situatio ns we shall also need a fas t no n- constructive re c ognition algo- rithm of PSL(2 , q ). It will be used to test if a given subgr oup of PSL(2 , q ) is in fact the w ho le of PSL(2 , q ), so it is enough to hav e a Monte Ca rlo alg orithm with no false p ositives. W e need to us e it in any representation, so the correct context is a black-box gro up. Theorem 1.13. L et G = h X i 6 GL( d, q ′ ) . Assume that G is isomorphic to a sub gr oup of P SL(2 , q ) and that q is known. Ther e exist s a one-s ide d Monte Carlo algorithm with no false p ositives t hat determines if G ∼ = PSL(2 , q ) . Given maximum err or pr ob ability ε > 0 , t he time c omplexity is O  ( ξ ( d ) + d 3 log( q ) log log( q d )) ⌈ log ( ε ) / lo g ( δ ) ⌉  ﬁeld op er ations, wher e δ = (1 − φ ( q − 1) / ( q − 1))(1 − φ ( q + 1) / ( q + 1)) . Proof. It is well k nown that PSL(2 , F q ) is g enerated by tw o elements having order dividing ( q ± 1) / 2, unless one o f them lie in PSL(2 , F s ) for some F s < F q . W e ar e thus led to an alg orithm that p erfor ms a t most n steps. In each step it ﬁnds tw o r andom elements g and h of G and co mputes their pseudo- o rders. If g has order dividing ( q − 1) / 2, it then determines if g lies in some P SL(2 , F s ) by testing if g ( s − 1) / 2 = 1. If q = p a then the p os s ible v alues of s ar e p b where b | a , so there are σ 0 ( a ) subﬁelds. If g do e s not lie in an y PSL(2 , F s ) then g is r emembered. Now do similarly for h . Then, if it has found the t wo elements, it retur ns true . On the o ther ha nd, if it completes the n steps without ﬁnding these elements, it returns false . The prop ortion in PSL(2 , q ) of elemen ts of order ( q ± 1) / 2 is φ ( q ± 1) / ( q ± 1), so the pr obability tha t G ∼ = PSL(2 , q ) but we fail to ﬁnd the elemen ts is at most δ n . W e re q uire δ n 6 ε and hence n can b e chosen as ⌈ lo g( ε ) / lo g( δ ) ⌉ .  1.2. PRELIM INARIES 24 1.2.10. Asc h bac her classes. The Asch bacher classiﬁca tion of [ Asc84 ] cla s- siﬁes matr ix gr o ups into a nu mber o f cla sses, and a ma jor part o f the MGRP ha s bee n to develop algorithms that determine cons tructively if a given matrix gr oup belo ngs to a certain class. Some o f these a lgorithms are used her e. 1.2.10.1 . The Me atAxe. Let G = h X i 6 GL( d, q ) acting on a mo dule V ∼ = F d q . The algor ithm known as the Me atAxe determines if V is ir reducible. If not, it ﬁnds a pro p e r non-trivia l submo dule W of V , and a change of basis matrix c ∈ GL( d, q ) that ex hibits the action of G on W and o n V /W . In other words, the ﬁrst dim W rows of c form a basis o f W , and g c is blo ck low er tria ngular for ev ery g ∈ G . Applying the MeatAxe recur sively , one ﬁnds a co mpo sition series of V , and a change of basis that exhibits the action of G on the c o mpo sition factor s of V . Hence w e also obtain eﬀective iso morphisms from G to the groups acting on the comp osition factors of V . The MeatAxe was or iginally develop ed by Parker in [ Par84 ] and later extended and forma lised in to a La s V e gas alg orithm by Holt and Rees in [ HR94 ]. They a lso explain how very similar algor ithms can b e used to tes t if V is a bs olutely irreducible, and if two mo dules are is omorphic. These are also La s V ega s alg orithms w ith the same time complexity as the MeatAxe. The w orst case of the Me a tAxe is trea ted in [ IL00 ], where it is pr ov ed that the exp ected time complexity is O  | X | d 4  ﬁeld op erations. Unless the module is reducible and a ll comp os ition fac to rs of the mo dule are isomorphic, the expected time complexity is O  | X | d 3  ﬁeld o p e rations. The MeatAxe is also fast in practice and is implemen ted b oth in Magma a nd GAP . This imp or tant feature is the reas on that it is used rather than the ﬁrst known po lynomial time algo rithm for the same problem, which w as given in [ R ´ on90 ] (and is, at best, O  | X | d 6  ). Some related problems are the follo wing: • Determine if G acts absolutely irreducibly on V . • Given t wo irreducible G -mo dules U, W of dimension d , determine if they are is omorphic, and if so ﬁnd a change o f ba sis matr ix c ∈ GL( d, q ) that conjugates U to W . • Given that G ac ts abso lutely irreducibly on V , determine if G pres erves a classica l form and if so ﬁnd a ma trix for the fo r m. • Find a basis for End G ( V ) as matrices of degree d . Algorithms for these pr oblems a re descr ib ed in [ H E O05 , Sectio n 7 . 5] and they all have expected time complexity O  | X | d 3  ﬁeld o pe r ations. W e will refer to the algorithms for all these pr oblems as “the Mea tAxe”. 1.2.10.2 . Writing matrix gr oups over su bﬁelds. If G = h X i 6 GL( d, F q ), then G might be conjugate in GL( d, F q ) to a s ubgroup of GL( d, F s ) where F s < F q , so that q is a pr op er pow er o f s . An algorithm for deciding if this is case is given in [ GLGO06 ]. It is a Las V egas algo r ithm with exp ected time complex- it y O  σ 0 (log( q ))( | X | d 3 + d 2 log( q ))  ﬁeld op erations. In case G can be written ov er a subﬁeld, then the a lgorithm also returns a conjugating matrix c that exhibits this 1.2. PRELIM INARIES 25 fact, i.e. so that G c can be immediately embedded in GL( d, F s ). The algo rithm can also write a g roup o ver a subﬁeld modulo scalars. 1.2.10.3 . T ensor de c omp osition. Now let G = h X i 6 GL( d, q ) acting o n a mo d- ule V ∼ = F d q . The mo dule mig ht ha ve the structure of a tensor pro duct V ∼ = U 1 ⊗ U 2 , so that G 6 G 1 ◦ G 2 where G 1 6 GL( U 1 ) and G 2 6 GL( U 2 ). The Las V egas algorithm of [ LGO97a ] determines if V has the structure of a tensor pr o duct, and if so it also returns a change of bas is c ∈ GL( d, q ) which exhibits the tensor decomp os ition. In other words, g c is an explicit Kr oneck er pro duct for each g ∈ G . The images o f g in G 1 and G 2 can therefo re immediately b e extracted from g c , a nd hence w e obtain an eﬀective em b edding of G in to G 1 ◦ G 2 . By [ LGO97b ], for tensor decomp osition it is suﬃcient to ﬁnd a ﬂ at in a pr o - jective geometry co rresp onding to the decomp ositio n. A ﬂat is a subspa ce of V of the form A ⊗ U 2 or U 1 ⊗ B wher e A and B ar e pr op er subspaces of U 1 and U 2 resp ec- tively . This ﬂat contains a p oint , which is a ﬂat with dim A = 1 o r dim B = 1. If we can provide a propo sed ﬂat to the alg orithm o f [ LGO97 a ], then it will verify that it is a ﬂat, and if so ﬁnd a tensor decomp osition, using exp ected O  | X | d 3 log( q )  ﬁeld op erations. How ever, in genera l ther e is no eﬃcient algo rithm for ﬁnding a ﬂat of V . If we wan t a p olynomia l time algorithm for decomp osing a sp eciﬁc tensor pr o duct, w e therefore hav e to provide an eﬃcient alg orithm that ﬁnds a ﬂat. 1.2.11. Conjectures. Mos t of the re s ults pres e n ted will depe nd on a few conjectures. This migh t b e considered awkward and so mewhat non-ma thematical, but it is a r esult of how the work in this thesis was produce d. In a lmost every case with the algor ithms that are presented, the implementation of the alg orithm did e x ist b efore the pro of o f correctness of the algor ithm. In fac t, the algor ithms hav e b een develop ed using a rather empirical metho d, a n interpla y betw een theor y (mathematical thought) and practice (prog ramming). W e consider this to b e an essential fea ture of the work, and it has proven to b e an eﬀective wa y to develop algorithms that are go o d in b oth theory and pra ctice. How ever, it ha s lead to the fact that there are certain results that ha ve b een left unprov en, either beca use they hav e been to o ha r d to prov e o r hav e b een from a n area of ma thema tics outside the scop e of this thesis (usually both). But bec ause o f the wa y the algorithms hav e bee n developed, there s hould be no doubt that every one of the conjectures a re true. The implemen tations of the algo rithms hav e bee n tested on a v ast n umber of inputs, and therefore the conjectures hav e also b een tested equally many times. There has been no case of a conjecture failing. More detailed information ab o ut the implementations can b e found in Chapter 6. CHAPTER 2 Twisted exceptional groups Here we will present the necess ary theory ab o ut the twisted gr oups under con- sideration. 2.1. Suzuki groups The family of exceptio na l groups now known as the Su z u ki gr oups were ﬁr st found b y Suzuki in [ Suz60, Suz62, Suz64 ], and also describ ed in [ HB82 , Chapter 11] which is the exp o s ition that we follow. They s ho uld not b e confused with the Suzuki 2-gro ups or the sp o radic Suzuki group. 2.1.1. Deﬁnition and prop erties. W e b egin by deﬁning our standard c o py of the Suzuk i gro up. F o llowing [ HB82 , Cha pter 11], let q = 2 2 m +1 for some m > 0 and let π be the unique automorphism of F q such that π 2 ( x ) = x 2 for every x ∈ F q , i.e. π ( x ) = x t where t = 2 m +1 = √ 2 q . F or a, b ∈ F q and c ∈ F × q , deﬁne the following matrices: S ( a, b ) =       1 0 0 0 a 1 0 0 b π ( a ) 1 0 a 2 π ( a ) + ab + π ( b ) aπ ( a ) + b a 1       , (2.1) M ( c ) =       c 1+2 m 0 0 0 0 c 2 m 0 0 0 0 c − 2 m 0 0 0 0 c − 1 − 2 m       , (2.2) T =       0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0       . (2.3) By deﬁnition, Sz( q ) =  S ( a, b ) , M ( c ) , T | a, b ∈ F q , c ∈ F × q  . (2.4) If w e deﬁne F = { S ( a, b ) | a, b ∈ F q } (2.5) H =  M ( c ) | c ∈ F × q  (2.6) 26 2.1. SUZUKI GROUPS 27 then F 6 Sz( q ) with |F | = q 2 and H ∼ = F × q so that H is cy clic of or der q − 1. Moreov er, we ca n write M ( c ) as M ( c ) = M ′ ( λ ) =       λ t +1 0 0 0 0 λ 0 0 0 0 λ − 1 0 0 0 0 λ − t − 1       (2.7) where λ = c 2 m . Hence M ( λ ) t = M ′ ( λ ). The following res ult follows from [ HB82 , Chapter 11]. Theorem 2.1. (1) The or der of the Suzuki gr oup is | Sz( q ) | = q 2 ( q 2 + 1)( q − 1) (2.8) and q 2 + 1 = ( q + t + 1 )( q − t + 1) . (2) gcd( q − 1 , q 2 + 1) = 1 and henc e the thr e e factors in (2.8) ar e p airwise r elatively prime. (3) F or al l a 1 , b 1 , a 2 , b 2 ∈ F q and λ ∈ F × q : S ( a 1 , b 1 ) S ( a 2 , b 2 ) = S ( a 1 + a 2 , b 1 + b 2 + a t 1 a 2 ) (2.9) S ( a, b ) − 1 = S ( a, b + a t +1 ) (2.10 ) S ( a 1 , b 1 ) S ( a 2 ,b 2 ) = S ( a 1 , b 1 + a t 1 a 2 + a 1 a t 2 ) (2.11) S ( a, b ) M ′ ( λ ) = S ( λ t a, λ t +2 b ) . (2.12) (4) Ther e ex ists O ⊆ P 3 ( F q ) on which Sz( q ) acts faithful ly and doubly tr ansi- tively, s u ch that n o nontrivial element of Sz( q ) ﬁxes mor e than 2 p oints. This set is O = { (1 : 0 : 0 : 0) } ∪  ( ab + π ( a ) a 2 + π ( b ) : b : a : 1) | a, b ∈ F q  . (2.13) (5) The stabiliser of P ∞ = (1 : 0 : 0 : 0) ∈ O is F H and if P 0 = (0 : 0 : 0 : 1) then t he stabiliser of ( P ∞ , P 0 ) is H . (6) Z( F ) = { S (0 , b ) | b ∈ F q } . (7) F H is a F r ob enius gr oup with F r ob enius kernel F . (8) Sz( q ) has cyclic Hal l su b gr oups U 1 and U 2 of or ders q ± t + 1 . These act ﬁxe d p oint fr e ely on O and irr e du cibly on F 4 q . F or e ach non-trivial g ∈ U i , we have C G ( g ) = U i . (9) The c onjugates of F , H , U 1 and U 2 p artition Sz( q ) . (10) The pr op ortion of elements of or der q − 1 in F H is φ ( q − 1) / ( q − 1) , wher e φ is the Euler totient function. Remark 2 .2 (Standard g enerators of Sz( q )) . As s tandard gener ators for Sz( q ) we will use { S (1 , 0) , M ′ ( λ ) , T } , 2.1. SUZUKI GROUPS 28 where λ is a primitive e lement of F q , whose minimal p olyno mial is the deﬁning po lynomial of F q . Other sets are possible : in [ Bra07 ], the standard generators are n S (1 , 0) − 1 , M ′ ( λ ) 2 m , T o , and Ma gma uses n S (1 , 0) M ′ ( λ ) q/ 2 , M ′ ( λ ) 1 − 2 m , T o . F r om [ HB82 , Chapter 11, Rema rk 3 . 12] we also immediately obtain the fol- lowing result. Theorem 2.3. A maximal sub gr oup of G = Sz( q ) is c onjugate to one of the fol- lowing su b gr oups. (1) The p oint st abiliser F H . (2) The n ormaliser N G ( H ) ∼ = D 2( q − 1) . (3) The normalisers B i = N G ( U i ) for i = 1 , 2 . These satisfy B i = h U i , t i i wher e u t i = u q for every u ∈ U i and [ B i : U i ] = 4 . (4) Sz( s ) wher e q is a pr op er p ower of s . Prop ositi o n 2 .4. L et G = Sz( q ) . (1) Distinct c onjugates of F , H , U 1 or U 2 interse ct trivial ly. (2) The sub gr oups of G of or der q 2 ar e c onjugate, and t her e ar e q 2 + 1 distinct c onjugates. (3) The cyclic sub gr oups of G of or der q − 1 ar e c onjugate, and ther e ar e q 2 ( q 2 + 1) / 2 distinct c onjugates. (4) The cyclic su b gr oups of G of or der q ± t + 1 ar e c onjugate, and ther e ar e q 2 ( q − 1)( q ∓ t + 1 ) / 4 distinct c onjugates. Proof. (1) By Theorem 2.1, each conjugate o f F ﬁxes exac tly o ne p o in t of O . If an element g lies in tw o distinct c o njugates it must ﬁx t wo distinct po int s and hence lie in a conjugate of H . But, by the pa rtitioning, the conjugates of H and F in tersect trivially , so g = 1. If H 6 = H x for so me x ∈ G and g ∈ H ∩ H x , then g ﬁxe s more than 2 po int s of O , so that g = 1. If U i 6 = U x i for so me x ∈ G and g ∈ U i ∩ U x i , then C G ( g ) = h U i ∪ U x i i = G , so that g = 1. (2) This is clear since these subgroups a re Sylow 2-subgroups , a nd hence con- jugate to F . Each subgro up ﬁxes a p oint o f O a nd hence there ar e |O| distinct conjugates. (3) Because of the par titioning, an element o f o r der q − 1 must lie in a c o n- jugate o f H , which m ust b e the cyclic subgro up that it generates . By Theorem 2.3 there are [ G : N G ( H )] = q 2 ( q 2 + 1) / 2 distinct conjugates. (4) Analogous to the previous c a se.  Prop ositi o n 2 .5. L et G = Sz( q ) and let φ b e the Euler totient function. 2.1. SUZUKI GROUPS 29 (1) The numb er of elements in G t hat ﬁx at le ast one p oint of O is q 2 ( q − 1)( q 2 + q + 2) / 2 . (2) The n u mb er of elements in G of or der q − 1 is φ ( q − 1) q 2 ( q 2 + 1) / 2 . (3) The nu mb er of elements in G of or der q ± t + 1 is φ ( q ± t + 1)( q ∓ t + 1) q 2 ( q − 1 ) / 4 . Proof. (1) By Theorem 2.1, if g ∈ G ﬁxes exactly one po int, then g is in a conjugate of F , and if g ﬁxes t wo p oints, then g is in a co njugate of H . Hence b y P rop osition 2.4, ther e are ( |F | − 1 )( q 2 + 1) elemen ts that ﬁx exactly one p oint. Similarly , there are q 2 ( q 2 + 1)( |H | − 1) / 2 elemen ts that ﬁx exactly t wo p oints. Thu s the n umber of elemen ts that ﬁx at least one p oint is 1 + ( |F | − 1)( q 2 + 1) + q 2 ( q 2 + 1)( |H| − 1) / 2 = q 2 ( q − 1)( q 2 + q + 2) 2 . (2.14) (2) By Prop osition 2.4, an element of or der q − 1 must lie in a conjugate of H . Since distinct c onjugates intersect triv ially , the n umber of such elements is the n umber of generator s of all cyclic subgroups of order q − 1. (3) Analogous to the previous c a se.  Prop ositi o n 2 .6. If g ∈ G = Sz( q ) is u niformly r andom, then Pr[ | g | = q − 1 ] = φ ( q − 1) 2( q − 1) > 1 12 lo g log( q ) (2.15) Pr[ | g | = q ± t + 1] = φ ( q ± t + 1) 4( q ± t + 1) > 1 24 lo g log( q ) (2.16) Pr[ g ﬁ x es a p oint of O ] = q 2 + q + 2 2( q 2 + 1) > 1 2 (2.17) and henc e the exp e cte d numb er of r andom sele ctions r e quir e d to obtain an element of or der q − 1 or q ± t + 1 is O  log lo g q  , and O  1  to obtain an element that ﬁxes a p oint. Proof. The ﬁrst e quality follows immediately from Theorem 2.1 and Prop o- sition 2.5. The inequalities follo w from [ M SC96 , Section II.8 ]. Clearly the num b er of selections r e quired is geometrically distributed, wher e the success probabilities for each selection are given by the inequalities. Hence the exp ectations are as stated.  Prop ositi o n 2 .7. L et G = Sz( q ) . (1) F or every g ∈ G , distinct c onjugates of C G ( g ) interse ct trivial ly. (2) If H 6 G is cyclic of or der q − 1 and g ∈ G \ N G ( H ) then | H g H | = ( q − 1 ) 2 . Proof. (1) By Theorem 2.1, we co nsider thre e c a ses. If g lies in a con- jugate F of F , then C G ( g ) 6 F . If g 6 = 1 lies in a conjugate H of H , then C G ( g ) = H and if g lies in a conjugate U of U 1 or U 2 , then C G ( g ) = U . In each case the result follows from Prop os ition 2.4. 2.1. SUZUKI GROUPS 30 (2) Since | H | = q − 1 it is enough to show that H ∩ H g = h 1 i . This fo llows immediately from Prop osition 2.4.  Prop ositi o n 2.8. Elements of o dd or der in Sz( q ) that have the same tr ac e ar e c onjugate. Proof. F rom [ Suz62 , § 1 7 ], the num b er of conjugacy classes of non-identit y elements of o dd order is q − 1, and a ll elements of even order hav e tr ace 0. Observe that S (0 , b ) T =       0 0 0 1 0 0 1 0 0 1 0 b 1 0 b b t       . (2.18) Since b ca n b e any element o f F q , so can T r ( S (0 , b ) T ), and this also implies that S (0 , b ) T has o dd order when b 6 = 0. Therefo r e there a re q − 1 p ossible tra c es for non-identit y elements of o dd order, and elements with diﬀerent trace must b e non- conjugate, so all conjugacy classes must hav e diﬀeren t traces.  Prop ositi o n 2.9. The pr op ortion of elements of or der 4 among the elements of tr ac e 0 is 1 − 1 /q + 1 /q 2 − 1 /q 3 . Proof. The elements o f tra ce 0 a re those with orders 1 , 2 , 4, and a part fro m the identit y these are the elemen ts that ﬁx precis ely one p oint of O . F rom the pro o f of Prop osition 2.5, there are q 4 elements of trace 0. The elements of order 4 lie in a conjuga te of F , and there are q 2 − q elements in each conjugate. Hence from Pr o p o sition 2.4 there are q ( q − 1)( q 2 + 1) elemen ts of order 4.  Prop ositi o n 2.10. L et P = ( p 1 : p 2 : p 3 : p 4 ) ∈ O g b e uniformly r andom, wher e O g = { Rg | R ∈ O } for some g ∈ GL(4 , q ) . Then (1) Pr[ p i 6 = 0 | i = 1 , . . . , 4] >  1 − q + 2 q 2 + 1  4 . (2.19) (2) If Q = ( q 1 : q 2 : q 3 : q 4 ) ∈ O g is ﬁx e d, then Pr[ p t 2 q t +2 3 6 = q t 2 p t +2 3 ] > 1 − 1 + ( t + 2) q q 2 + 1 . (2.20) Proof. (1) By [ HB82 , Chapter 11, Lemma 3 . 4 ], O is an ovoid, so it int ersects an y (pro jective) line in P 3 ( F q ) in at most 2 points. The co ndition p i = 0 deﬁnes a pro jective plane P ⊆ P 3 ( F q ). If O g ∩ P 6 = ∅ then it contains a p oint A , and there a re q + 1 lines in P that passes through A . E ach one of these lines passes through at most one other p o in t of O g , but ea ch line contains q + 1 p oints of P , and hence at least q of those p oints are no t in O g . Moreov er, each pa ir of lines ha s only the p oint A in co mmon. Now w e hav e cons idered 1 + q ( q + 1) distinct po in ts of P , which are all points o f P , and we hav e prov ed that at most q + 2 of those lie in O g . 2.1. SUZUKI GROUPS 31 (2) Clearly , p t 2 q t +2 3 = q t 2 p t +2 3 if and only if p 2 q t +1 3 = q 2 p t +1 3 . If P = P ′ g , where P ∞ 6 = P ′ ∈ O and g = [ g i,j ], then p i = g 1 ,i ( a t +2 + b t + ab ) + g 2 ,i b + g 3 ,i a + g 4 ,i for some a, b ∈ F q . Int ro ducing indeterminates x and y in place a and b , it follows tha t the express ion p 2 q t +1 3 − q 2 p t +1 3 is a p olynomial f ∈ F q [ x, y ] with deg x ( f ) 6 3 t + 4 and deg y ( f ) 6 t + 2. F or each a ∈ F q , the num b er of r o ots o f f ( a, y ) is therefore at most t + 2, so the n umber o f r o ots of f is at most q ( t + 2).  Prop ositi o n 2 .11. If g 1 , g 2 ∈ F H ar e uniformly r andom, then Pr[ | [ g 1 , g 2 ] | = 4] = 1 − 1 q − 1 . (2.21) Proof. Let A = F H / Z( F ). B y Theo r em 2.1, [ g 1 , g 2 ] ∈ F and ha s or de r 4 if and only if [ g 1 , g 2 ] / ∈ Z( F ) ⊳ F H . It therefor e suﬃces to ﬁnd the pr op ortion of pair s k 1 , k 2 ∈ A such that [ k 1 , k 2 ] = 1. If k 1 = 1 then k 2 can be any element o f A , which co n tributes q ( q − 1) pair s. If 1 6 = k 1 ∈ F / Z( F ) ∼ = F q then C A ( k 1 ) = F / Z( F ), so we again o btain q ( q − 1) pairs. Finally , if k 1 / ∈ F / Z( F ) then | C A ( k 1 ) | = q − 1, so we obtain q ( q − 2)( q − 1) pairs. Thu s we obtain q 2 ( q − 1) pairs from a total of | A × A | = q 2 ( q − 1) 2 pairs, and the result follows.  Prop ositi o n 2 .12. L et G = Sz( q ) . If x, y ∈ G ar e u niformly r andom, then Pr[ h x, y i = G ] = 1 − O  σ 0 (log( q )) /q 2  (2.22) Proof. By (2.8) and Theorem 2 .3, the maximal subgroup M 6 G with sma ll- est index is M = F H . Then [ G : M ] = q 2 + 1 and since M = N G ( M ), ther e are q 2 + 1 conjugates of M . Pr[ h x, y i 6 M g some g ∈ G ] 6 q 2 +1 X i =1 Pr[ h x, y i 6 M ] = 1 q 2 + 1 (2.23) The probability that h x, y i lies in any maximal not co njuga te to M must b e less than 1 / ( q 2 + 1) bec ause the other maxima ls hav e lar ger indices. There are O  σ 0 (log( q ))  nu mber of conjugacy classes of maxima l subgroups, a nd hence the pr obability tha t h x, y i lies in a maximal subgroup is O  σ 0 (log( q )) /q 2  .  2.1.2. Alternativ e deﬁniti on. The way we hav e deﬁned the Suzuki g roups resembles the original deﬁnition, but it is not cle a r that the groups ar e exceptional groups of Lie type. This was ﬁrs t proved in [ Ono62, Ono63 ]. A more common wa y to deﬁne the g roups ar e as the ﬁxed p oints of a certain automor phism of Sp(4 , q ). This a pproach is follow ed in [ Wi l05 , Cha pter 4 . 10], and it provides a more straightforward metho d to deal with non-constructive reco gnition of Sz( q ). 2.2. SMALL REE GR OUPS 32 Let Sp(4 , q ) denote the standard copy of the symplectic gr oup, preserving the following symplectic form: J =       0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0       . (2.24) F r om [ Wil05 , Chapter 4 . 10 ], we know that the elemen ts of Sz( q ) ar e precis ely the ﬁxed p oints of an automorphism Ψ of Sp(4 , q ). Computing Ψ( g ) for s ome g ∈ Sp(4 , q ) a mounts to taking a submatrix o f the exter ior square of g a nd then replacing each matrix en try x by x 2 m . Moreover, Ψ is deﬁned on Sp(4 , F ) for F > F q . A more detailed description o f ho w to compute Ψ( g ) can b e found in [ W il05 , Chapter 4 . 10]. Lemma 2.13. L et G 6 Sp(4 , q ) have natura l mo dule V and assume t hat V is absolutely irr e ducible. Then G h 6 Sz( q ) for some h ∈ GL(4 , q ) if and only if V ∼ = V Ψ . Proof. Assume G h 6 Sz( q ). Both G a nd Sz( q ) pres erve the form (2.24), and this for m is unique up to a s calar m ultiple, s inc e V is absolutely irr educible. There- fore hJ h T = λJ for some λ ∈ F × q . But if µ = √ λ − 1 then ( µh ) J ( µh ) T = J , so tha t µh ∈ Sp(4 , q ). Moreover, G h = G µh , a nd hence we may a ssume that h ∈ Sp(4 , q ). Let x = h Ψ ( h − 1 ) and observe that for each g ∈ G , Ψ( g h ) = g h . It follows that g x = Ψ( h ) g h Ψ( h − 1 ) = Ψ ( hg h h − 1 ) = Ψ ( g ) (2.25) so V ∼ = V Ψ . Conv e r sely , assume that V ∼ = V Ψ . Then there is some h ∈ GL(4 , q ) such that for each g ∈ G we have g h = Ψ( g ). As a bove, since b oth G a nd Ψ ( G ) preserve the form (2.24), w e ma y assume that h ∈ Sp(4 , q ). Let K b e the algebraic closure of F q . The Steinberg- Lang Theorem (see [ Ste77 ]) asserts that there exists x ∈ Sp(4 , K ) such that h = x − 1 Ψ( x ). It follo ws that Ψ( g x − 1 ) = Ψ ( g ) h − 1 x − 1 = g x − 1 (2.26) so that G x − 1 6 Sz( q ). Thus G is co njugate in GL(4 , K ) to a s ubgroup S of Sz( q ), and it follows fr om [ CR06 , Theorem 2 9 . 7], that G is conjugate to S in GL(4 , q ).  2.1.3. T ensor indecomp osable represent ations. It follows from [ L ¨ ub01 ] that over an alg ebraically closed ﬁeld in deﬁning characteristic, up to Galo is twists, there is only one absolutely irreducible tensor indecomp osable r epresentation of Sz( q ) : the natural representation. 2.2. Small Ree groups The small Ree groups w ere ﬁrst descr ib ed in [ Ree60, Re e61c ]. Their structure has b een in vestigated in [ W ar63, W ar66, LN85, K le88 ]. A s ho rt survey is also given in [ HB 8 2 , Chapter 11]. They should not be confused with the Big Ree groups, which are describ ed in Section 2.3. 2.2. SMALL REE GR OUPS 33 2.2.1. Deﬁnition and prop erti es. W e now deﬁne our sta ndard co py of the Ree groups. The generato rs that w e use are those describ ed in [ KLM01 ]. Let q = 3 2 m +1 for some m > 0 and let t = 3 m . F or x ∈ F q and λ ∈ F × q , deﬁne the matrices α ( x ) =              1 x t 0 0 − x 3 t +1 − x 3 t +2 x 4 t +2 0 1 x x t +1 − x 2 t +1 0 − x 3 t +2 0 0 1 x t − x 2 t 0 x 3 t +1 0 0 0 1 x t 0 0 0 0 0 0 1 − x x t +1 0 0 0 0 0 1 − x t 0 0 0 0 0 0 1              (2.27) β ( x ) =              1 0 − x t 0 − x 0 − x t +1 0 1 0 x t 0 − x 2 t 0 0 0 1 0 0 0 x 0 0 0 1 0 x t 0 0 0 0 0 1 0 x t 0 0 0 0 0 1 0 0 0 0 0 0 0 1              (2.28) γ ( x ) =              1 0 0 − x t 0 − x − x 2 t 0 1 0 0 − x t 0 x 0 0 1 0 0 x t 0 0 0 0 1 0 0 − x t 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1              (2.29) h ( λ ) =              λ t 0 0 0 0 0 0 0 λ 1 − t 0 0 0 0 0 0 0 λ 2 t − 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 λ 1 − 2 t 0 0 0 0 0 0 0 λ t − 1 0 0 0 0 0 0 0 λ − t              (2.30) Υ =              0 0 0 0 0 0 − 1 0 0 0 0 0 − 1 0 0 0 0 0 − 1 0 0 0 0 0 − 1 0 0 0 0 0 − 1 0 0 0 0 0 − 1 0 0 0 0 0 − 1 0 0 0 0 0 0              (2.31) and deﬁne the Ree g roup as Ree( q ) =  α ( x ) , β ( x ) , γ ( x ) , h ( λ ) , Υ | x ∈ F q , λ ∈ F × q  . (2.32) 2.2. SMALL REE GR OUPS 34 Also, deﬁne the subgroups o f upper tr iangular a nd diagonal matrices: U ( q ) = h α ( x ) , β ( x ) , γ ( x ) | x ∈ F q i (2.33) H ( q ) =  h ( λ ) | λ ∈ F × q  ∼ = F × q . (2.34) F r om [ LN85 ] we then know that each element of U ( q ) can b e e xpressed in a unique wa y as S ( a, b, c ) = α ( a ) β ( b ) γ ( c ) (2.35) so that U ( q ) = { S ( a, b , c ) | a, b, c ∈ F q } , and it follo ws that | U ( q ) | = q 3 . W e also know that U ( q ) is a Sylo w 3-subg r oup of Ree( q ), and direc t calculations show that S ( a 1 , b 1 , c 1 ) S ( a 2 , b 2 , c 2 ) = = S ( a 1 + a 2 , b 1 + b 2 − a 1 a 3 t 2 , c 1 + c 2 − a 2 b 1 + a 1 a 3 t +1 2 − a 2 1 a 3 t 2 ) , (2.36) S ( a, b, c ) − 1 = S ( − a, − ( b + a 3 t +1 ) , − ( c + ab − a 3 t +2 )) , (2.37) S ( a 1 , b 1 , c 1 ) S ( a 2 ,b 2 ,c 2 ) = = S ( a 1 , b 1 − a 1 a 3 t 2 + a 2 a 3 t 1 , c 1 + a 1 b 2 − a 2 b 1 + a 1 a 3 t +1 2 − a 2 a 3 t +1 1 − a 2 1 a 3 t 2 + a 2 2 a 3 t 1 ) (2.38) and S ( a, b, c ) h ( λ ) = S ( λ 3 t − 2 a, λ 1 − 3 t b, λ − 1 c ) . (2.39) Remark 2.14 (Standar d genera tors of Ree( q )) . As standard gener ators for Ree( q ) we will use { S (1 , 0 , 0) , h ( λ ) , Υ } , where λ is a primitive e lement of F q , whose minimal p olyno mial is the deﬁning po lynomial of F q . The Ree groups preser ve a s ymmetric bilinear form o n F 7 q , r epresented b y the matrix J =              0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 − 1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0              (2.40) F r om [ W ar66 ] and [ HB82 , Chapter 11] we immediately obtain Prop ositi o n 2 .15. L et G = Ree( q ) . (1) | G | = q 3 ( q 3 + 1)( q − 1) wher e gcd( q 3 + 1 , q − 1) = 2 . (2) Conjugates of U ( q ) interse ct trivial ly. (3) The c entr e Z( U ( q )) = { S (0 , 0 , c ) | c ∈ F q } . (4) The derive d gr oup U ( q ) ′ = { S (0 , b , c ) | b, c ∈ F q } , and its elements have or der 3 . 2.2. SMALL REE GR OUPS 35 (5) The elements in U ( q ) \ U ( q ) ′ = { S ( a, b, c ) | a 6 = 0 } have or der 9 and their cub es form Z( U ( q )) \ h 1 i . (6) N G ( U ( q )) = U ( q ) H ( q ) and G acts doubly tr ansitively on the right c osets of N G ( U ( q )) , i.e. on a set of size q 3 + 1 . (7) U ( q ) H ( q ) is a F r ob enius gr oup with F r ob enius kernel U ( q ) . (8) The pr op ortion of elements of or der q − 1 in U ( q ) H ( q ) is φ ( q − 1) / ( q − 1 ) , wher e φ is the Euler t ot ient function. F o r our purpos es, w e w ant another set to act (eq uiv alently) on. Prop ositi o n 2.1 6. Ther e exists O ⊆ P 6 ( F q ) on which G = Ree( q ) acts faithful ly and doubly tr ansitively. This set is O = { (0 : 0 : 0 : 0 : 0 : 0 : 1) } ∪ { (1 : a t : − b t : ( ab ) t − c t : − b − a 3 t +1 − ( ac ) t : − c − ( bc ) t − a 3 t +2 − a t b 2 t : a t c − b t +1 + a 4 t +2 − c 2 t − a 3 t +1 b t − ( abc ) t ) } (2.41) Mor e over, the st abiliser of P ∞ = (0 : 0 : 0 : 0 : 0 : 0 : 1) is U ( q ) H ( q ) , t he stabiliser of P 0 = (1 : 0 : 0 : 0 : 0 : 0 : 0) is ( U ( q ) H ( q )) Υ and the stabiliser of ( P ∞ , P 0 ) is H ( q ) . Proof. Notice that O \ { P ∞ } consists of the ﬁrst r ows of the e lement s of U ( q ) H ( q ). F ro m Prop osition 2.15 it follows that G is the disjoint union of U ( q ) H ( q ) and U ( q ) H ( q )Υ U ( q ) H ( q ). Deﬁne a ma p b etw een the G -sets as ( U ( q ) H ( q )) g 7→ P ∞ g . If g ∈ U ( q ) H ( q ) then P ∞ g = P ∞ and hence the stabiliser of P ∞ is U ( q ) H ( q ). If g / ∈ U ( q ) H ( q ) then g = x Υ y where x, y ∈ U ( q ) H ( q ). Hence P ∞ g = P 0 y ∈ O s ince P 0 y is the ﬁrst r ow of y . It follows that the map deﬁnes an equiv alence betw een the G -sets.  Prop ositi o n 2 .17. L et G = Ree( q ) . (1) The stabiliser in G of any two distinct p oints of O is c onjugate to H ( q ) , and the stabiliser of any triple of p oints has or der 2 . (2) The n u mb er of elements in G that ﬁx ex actly one p oint is q 6 − 1 . (3) All involutions in G ar e c onjugate in G . (4) An involution ﬁ xes q + 1 p oints. Proof. (1) Immediate from [ HB82 , Chapter 11, Theo rem 13 . 2(d)]. (2) A sta bilis er o f a po int is conjuga te to U ( q ) H ( q ), and there are |O | conju- gates. T he elements ﬁxing ex actly one p oint are the non-tr iv ial elements of U ( q ). Ther efore the num ber of such element s is |O | ( | U ( q ) | − 1) = ( q 3 + 1)( q 3 − 1) = ( q 6 − 1). (3) Immediate from [ HB82 , Chapter 11, Theo rem 13 . 2(e)]. (4) Each inv olution is co njugate to h ( − 1) = dia g( − 1 , 1 , − 1 , 1 , − 1 , 1 , − 1) . 2.2. SMALL REE GR OUPS 36 Evidently , h ( − 1) ﬁxes P ∞ since h ( − 1) ∈ H ( q ) and if P = ( p 1 : · · · : p 7 ) ∈ O with p 1 6 = 0, then P is ﬁxed b y h ( − 1) if and only if p 2 = p 4 = p 6 = 0. But then P is uniquely determined by p 3 , so there ar e q p ossible choices for P . Thus the num b er of p oints ﬁxed by h ( − 1) is q + 1.  Prop ositi o n 2.18. L et G = Ree ( q ) with natur al mo dule V and let j ∈ G b e an involution. Then V | C G ( j ) ∼ = S j ⊕ T j wher e dim S j = 3 and dim T j = 4 . Mor e over, S j is irr e ducible and j acts trivial ly on S j . Proof. By P rop osition 2.17, j is co njugate to h ( − 1) = dia g ( − 1 , 1 , − 1 , 1 , − 1 , 1 , − 1) so it has t wo eigenspaces S j and T j for 1 and − 1 resp ectively . Clearly dim S j = 3 and dim T j = 4, a nd it is suﬃcient to s how that these a re preser ved by PSL(2 , q ), so that they are in fact submo dules of V j . Let v ∈ S j and g ∈ PSL(2 , q ). Then ( v g ) j = ( v j ) g = v g since g centralises j and j ﬁxes v , which shows that v g ∈ S j , so this subspace is ﬁxed by PSL(2 , q ). Similarly , T j is also ﬁxed. Let γ : V × V → V be the bilinear form preserved b y G . O bserve that if x ∈ S j , y ∈ V j then γ ( x, y ) = γ ( xj, y j ) = γ ( x, − y ) = − γ ( x, y ) = 0 and hence V j ⊆ S ⊥ j . If γ | S j is degener ate then also S j ⊆ S ⊥ j so that S j ⊆ V ⊥ which is imposs ible since γ is non-degenerate. Hence γ | S j is non-degener a te and S j is isomorphic to its dua l. Now if S j is reducible, it m ust split as a direct sum of tw o submo dules of dimension 1 and 2. Since j acts trivially o n S j , it is in fact a module for PSL(2 , q ), but PSL(2 , q ) have no irreducible mo dules of dimension 2. Therefore S j m ust be irreducible.  Lemma 2.19. L et g ∈ G 6 GL( d, F ) with d o dd and F any ﬁ nite ﬁ eld, and assume that G pr eserves a non-de gener ate biline ar form and that det( g ) = 1 . Then g has 1 as an eigenvalue. Proof. Let V = F d be the na tural module of G . Let f : V × V → F b e a non-degenera te bilinear form pr eserved by G . Over ¯ F , the multiset o f eig env alues of g is λ 1 , . . . , λ d . Let E λ 1 , . . . , E λ d be the co rresp onding e ig enspaces (some o f them might be e q ual). If v ∈ E λ i and w ∈ E λ j then f ( v , w ) = f ( v g , w g ) = f ( v λ i , w λ j ) = λ i λ j f ( v , w ) so either λ i λ j = 1 or f ( v , w ) = 0. Ho wev er , for a giv en i there must b e s ome j such that λ i λ j = 1, o therwise f ( v , w ) = 0 for every v ∈ E λ i and w ∈ V , which is impo ssible since f is non-degenera te. Hence the eigenv alues can b e a r ranged into pa irs of inv erse v alues. Since d is o dd, ther e m ust be a k such tha t λ k is left over. The above argument then implies that λ 2 k = 1, and ﬁnally 1 = det( g ) = λ k .  F r om [ LN85 ] and [ Kl e88 ] we obtain 2.2. SMALL REE GR OUPS 37 Prop ositi o n 2 .20. A maximal sub gr oup of G = Ree( q ) is c onjugate t o one of the fol lowing sub gr oups • N G ( U ( q )) = U ( q ) H ( q ) , the p oint st abiliser . • C G ( j ) ∼ = h j i × PSL(2 , q ) , the c entr aliser of an involution j . • N G ( A 0 ) ∼ = (C 2 × C 2 × A 0 ): C 6 , wher e A 0 6 Ree( q ) is cyclic of or der ( q + 1) / 4 . • N G ( A 1 ) ∼ = A 1 : C 6 , wher e A 1 6 Ree( q ) is cyclic of or der q + 1 − 3 t . • N G ( A 2 ) ∼ = A 2 : C 6 , wher e A 2 6 Ree( q ) is cyclic of or der q + 1 + 3 t . • Ree( s ) wher e q is a pr op er p ower of s . Mor e over, al l maximal sub gr oups exc ept the last ar e r e ducible. Proof. It is suﬃcient to pr ov e the ﬁnal statemen t. Clearly the po int stabilis e r is reducible, and the involution cen traliser is re- ducible b y Prop osition 2.18. Let H b e a normaliser of a cyclic subgroup a nd let x b e a genera tor of the cyclic subgroup that is normalised. Since G 6 SO(7 , q ), b y Lemma 2.19, x has an eigenspace E for the eig env alue 1, wher e V 6 = E 6 = { 0 } . Given v ∈ E and h ∈ H , we see that ( v h ) x h = v h so tha t v h is ﬁxed by  x h  = h x i . This implies that v h ∈ E and th us E is a prop er non-trivia l H - inv a riant s ubspace, so H is reducible.  Prop ositi o n 2 .21. L et G = Ree( q ) . (1) All cyclic sub gr oups of G = Ree( q ) of or der q − 1 ar e c onjugate to H ( q ) and henc e e ach one is a st abiliser of two p oints of O . (2) All cyclic sub gr oups of or der ( q + 1) / 2 or q ± 3 t + 1 ar e c onjugate. (3) If C is a cyclic sub gr oup of or der q ± 3 t + 1 , then distinct c onjugates of C interse ct trivial ly. (4) If C is a cyclic sub gr oup of or der ( q + 1 ) / 2 , C > C ′ ∼ = A 0 and x ∈ G \ N G ( C ′ ) , then C ∩ C x = h 1 i . Proof. (1) Let C = h g i 6 G be c y clic of order q − 1 and let p b e an o dd prime such that p | q − 1 . Then there exists k ∈ Z suc h that   g k   = p . Since q 3 + 1 ≡ 2 (mo d p ), the cycle structure o f g k on O must be a n umber o f p -cycles and 2 ﬁxed po int s P a nd Q . Since G is doubly trans itive there exists x ∈ G suc h that P x = P ∞ and Qx = P 0 . Now either g ﬁxes P and Q or in ter changes them, so g x ∈ N G ( H ( q )) = h H ( q ) , Υ i ∼ = D 2( q − 1) . Hence h g x i = H ( q ) since that is the unique cyclic subgroup of order q − 1 in h H ( q ) , Υ i . (2) This follows immediately from [ LN85 , Lemma 2]. (3) Let C be suc h a cyclic subgroup. If C 6 = C x for some x ∈ G and g ∈ C ∩ C x , then C G ( g ) = h C ∪ C x i . But h C ∪ C x i = G , so that g = 1. (4) Since h C ∪ C x i = G , this is analo g ous to the previo us case.  Prop ositi o n 2 .22. L et G = Ree( q ) and let φ b e the Euler totient function. 2.2. SMALL REE GR OUPS 38 (1) The c entr aliser of an involution j ∈ G is isomorph ic to h j i × PSL(2 , q ) and henc e has or der q ( q 2 − 1) . (2) The n u mb er of involutions in G is q 2 ( q 2 − q + 1) . (3) The n u mb er of elements in G of or der q − 1 is φ ( q − 1) q 3 ( q 3 + 1) / 2 . (4) The nu mb er of elements in G of or der ( q + 1 ) / 2 is φ (( q + 1) / 2) q 3 ( q − 1)( q 2 − q + 1) / 6 . (5) The numb er of elements in G of or der ( q ± 3 t + 1) is φ ( q ± 3 t + 1) q 3 ( q 2 − 1)( q ∓ 3 t + 1) / 6 . (6) The numb er of elements in G of even or der is q 2 (7 q 5 − 2 3 q 4 + 8 q 3 + 2 3 q 2 − 39 q + 24) / 24 . (7) The nu mb er of elements in G t hat ﬁx at le ast one p oint is q 2 ( q 5 − q 4 + 3 q 2 − 5 q + 2) / 2 Proof. (1) Immediate from [ HB82 , Chapter 11]. (2) All inv olutio ns are conjugate, and the index in G of the inv olution cen- traliser is q 3 ( q 3 + 1)( q − 1) q ( q 2 − 1) = q 2 ( q 2 − q + 1) (2.42) where we hav e used the fact that q 3 + 1 = ( q + 1)( q 2 − q + 1). (3) By Prop os ition 2.21, ea ch cyclic subgroup of order q − 1 is a stabiliser of t wo p o in ts and is unique ly determined by the pair of po in ts that it ﬁxes. Hence the n umber of cyclic subgroups of o rder q − 1 is      O 2      = q 3 ( q 3 + 1) 2 . (2.43) By Prop os ition 2.1 7, the in tersection of t wo dis tinct subgroups has order 2, so the n um be r of elements of or de r q − 1 is the n umber of generators of all these subgroups. (4) By Prop osition 2.2 1, the num b er of cy c lic subgroups of order ( q + 1) / 2 is [ G : N G ( A 0 )] = q 3 ( q − 1)( q 2 − q + 1) / 6. Since distinct co njugates inter- sect trivia lly , the num ber of elemen ts of order ( q + 1 ) / 2 is the num b er of generator s of these subgro ups. (5) Analogous to the previous c a se. (6) By [ LN85 , Lemma 2], ev ery element o f ev en or der lies in a cyclic subgroup of o rder q − 1 or ( q + 1) / 2 . In ea ch cyclic subg roup o f order q − 1 there is a unique inv olutio n and hence ( q − 3) / 2 non-involutions of even order, and similarly ( q − 3) / 4 in a cyclic subg r oup of order ( q + 1) / 2. By Prop ositio n 2.21 the total n umber of elemen ts of ev en order is therefore ( q − 3)( q 3 + 1) q 3 / 4 + ( q − 3)( q − 1)( q 2 − q + 1) q 3 / 24 + q 2 ( q 2 − q + 1) = q 2 (7 q 5 − 23 q 4 + 8 q 3 + 23 q 2 − 39 q + 24) / 24 (2.44) (7) The only non-trivial elemen ts of G that ﬁx mor e tha n 2 p oints ar e inv olu- tions. Hence in each cyclic subgr oup of or der q − 1 there a re q − 3 elements that ﬁx ex actly 2 p oints, so b y Prop o sition 2.17, the num b er of element s 2.2. SMALL REE GR OUPS 39 that ﬁx at least one point is q 6 + ( q − 3)( q 3 + 1) q 3 2 + q 2 ( q 2 − q + 1) = = q 2 ( q 5 − q 4 + 3 q 2 − 5 q + 2) 2 (2.45)  Lemma 2.23. If g ∈ G = Ree( q ) is uniformly ra ndom, then Pr[ | g | = q − 1 ] = φ ( q − 1) 2( q − 1) > 1 12 lo g log ( q ) (2.46) Pr[ | g | = q ± 3 t + 1 ] = φ ( q ± 3 t + 1) 6( q ± 3 t + 1) > 1 36 lo g log ( q ) (2.47) Pr[ | g | = ( q + 1) / 2] = φ (( q + 1) / 2) 6( q + 1) > 1 36 lo g log ( q ) (2.48) Pr[ | g | even ] = 7 q 2 − 9 q − 24 24 q ( q + 1) > 1 / 4 (2.49) Pr[ g ﬁ x es a p oint ] = − 2 + 3 q + q 4 2( q + q 4 ) > 1 / 2 (2.50) Proof. In eac h c a se, the ﬁrst equalit y follows from Prop ositio n 2 .22 and Prop ositio n 2.15. In the ﬁrst case, the inequality follows from [ MSC96 , Sectio n II.8 ], and in the o ther cases the inequa lities are clear since m > 0.  Corollary 2. 24. In G = Ree( q ) , the exp e cte d numb er of r andom sele ctions r e qu ir e d to obtain an element of or der q − 1 , q ± 3 t + 1 or ( q + 1) / 2 is O  log lo g q  , and O  1  to obtain an element that ﬁxes a p oint, or an element of even or der. Proof. Clearly the n um be r o f sele c tions is geometrically distributed, where the success proba bilities for each selection ar e g iven by Lemma 2.23. Hence the exp ectations are as stated.  Prop ositi o n 2.25. Elements in Ree( q ) of or der prime to 3 with the same tr ac e ar e c onjugate. Proof. F rom [ W ar66 ], the n umber of co njugacy classes of non-identit y ele- men ts of order prime to 3 is q − 1 . O bserve that for λ ∈ F × q , T r( S (0 , 0 , 1)Υ h ( λ )) = λ t − 1 and | S (0 , 0 , 1)Υ h ( λ ) | is prime to 3 if a lso λ 6 = − 1 . Moreov er, h ( − 1) ha s order 2 and trace − 1 so there ar e q − 1 poss ible tr aces for non-identit y elements o f o rder prime to 3, and elemen ts with diﬀerent tra ce m ust be no n-conjugate. Th us all conjugacy c la sses must hav e diﬀerent tr aces.  Prop ositi o n 2.26. If i, j ∈ Ree ( q ) ar e uniformly r andom involutions, then Pr[ | ij | o dd ] > c for some c onstant c > 0 . Proof. F ollows immediately from [ WP06 , Theore m 1 3].  Prop ositi o n 2 .27. L et G = P SL(2 , q ) . If x, y ∈ G ar e uniformly r andom, then Pr[ h x, y i = G ] = 1 − O  σ 0 (log( q )) /q  (2.51) 2.2. SMALL REE GR OUPS 40 Proof. The maxima l subgroup M 6 G consisting of the upp er tria ngular matrices mo dulo scala rs has index q + 1, and a ll subgr oups isomor phic to M are conjugate. Since M = N G ( M ), there are q + 1 conjugates o f M . Pr[ h x, y i 6 M g some g ∈ G ] 6 q +1 X i =1 Pr[ h x, y i 6 M ] = 1 q + 1 (2.52) The other maximal subg roups have index strictly grea ter than q + 1, so the proba - bilit y that h x, y i lies in an y max imal not c o njugate to M m ust b e less than 1 / ( q + 1). The n umber of co njugacy classes of maximal subgr oups is O  σ 0 (log( q ))  , and hence the probability that h x, y i lies in a maximal subgroup is O  σ 0 (log( q )) /q  .  Prop ositi o n 2.28 . L et P = ( p 1 : · · · : p 7 ) ∈ O g b e uniformly r andom, wher e O g = { Rg | R ∈ O } for some g ∈ GL(7 , q ) . Then (1) Pr[ p 3 6 = 0] > 1 − tq 2 + 1 q 3 + 1 . (2.53) (2) If Q = ( q 1 : · · · : q 7 ) ∈ O g is given, then Pr[ p 3 q 3 t +1 2 6 = q 3 p 3 t +1 2 ] > 1 − 1 + q 2 (3 t + 1) q 3 + 1 . (2.54) Proof. If P = P ′ g , where P ∞ 6 = P ′ ∈ O and g = [ g i,j ], then p i = g 1 ,i + a t g 2 ,i − b t g 3 ,i + (( ab ) t − c t ) g 4 ,i + ( − b − a 3 t +1 − ( ac ) t ) g 5 ,i + ( − c − ( bc ) t − a 3 t +2 − a t b 2 t ) g 6 ,i + ( a t c − b t +1 + a 4 t +2 − c 2 t − a 3 t +1 b t − ( abc ) t ) g 7 ,i for some a, b, c ∈ F q . (1) By introducing indeterminates x , y and z in pla ce of a , b and c , it follows that p 3 is a p olynomial f ∈ F q [ x, y , z ] with deg x ( f ) 6 4 t + 2, deg y ( f ) 6 2 t and deg z ( f ) 6 t . F o r each ( a, b ) ∈ F 2 q , the n umber of r o ots of f ( a, b, z ) is therefore at most t , so the n um be r of ro ots o f f is a t most q 2 (3 t + 1). (2) Similarly , by introducing indeterminates x , y and z in place of a , b and c , it follows that the expressio n p 3 q 3 t +1 2 − q 3 p 3 t +1 2 is a polynomial f ∈ F q [ x, y , z ] with deg x ( f ) 6 10 t + 6, deg y ( f ) 6 5 t + 1 and deg z ( f ) 6 3 t + 1. F o r each ( a, b ) ∈ F 2 q , the num b er of r o ots of f ( a, b, z ) is therefo r e at most 3 t + 1 , so the n umber of ro ots of f is at most q 2 (3 t + 1).  Prop ositi o n 2.29. If g 1 , g 2 ∈ U ( q ) H ( q ) ar e un iformly r andom and indep endent, then Pr[ | [ g 1 , g 2 ] | = 9] = 1 − 1 q − 1 (2.55) Proof. By Prop osition 2.15, [ g 1 , g 2 ] ∈ U ( q ) and has or der 9 if and o nly if [ g 1 , g 2 ] / ∈ U ( q ) ′ ⊳ U ( q ) H ( q ). It is therefore suﬃcien t to ﬁnd the prop or tio n of (un- ordered) pairs k 1 , k 2 ∈ U ( q ) H ( q ) /U ( q ) ′ = A such that [ k 1 , k 2 ] = 1. If k 1 = 1 then k 2 can b e a ny element o f A , which gives q ( q − 1) pairs. If 1 6 = k 1 ∈ U ( q ) /U ( q ) ′ ∼ = F q then C A ( k 1 ) = U ( q ) /U ( q ) ′ , so we a gain obtain q ( q − 1 ) pairs. Finally , if k 1 / ∈ U ( q ) then | C A ( k 1 ) | = q − 1 so w e o btain q ( q − 2)( q − 1) pairs . 2.3. BIG REE GR OUP S 41 Thu s we obtain q 2 ( q − 1) pairs from a total of | A × A | = q 2 ( q − 1) 2 pairs, and the result follows.  2.2.2. Alternativ e d e ﬁnition. The deﬁnition o f Ree( q ) that we hav e given is the one that bes t suits most our purpose s. Howev er , to deal with non- c onstructive recognition, w e need to men tion the more common deﬁnition o f Ree( q ). F o llowing [ Wi l05 , Chapter 4] a nd [ Wil 06 ], the exceptional group G 2 ( q ) is constructed by consider ing the Cayley algebr a O (the octo nion algebra ), which ha s dimension 8, and deﬁning G 2 ( q ) to be the automorphism group of O . Th us each element of G 2 ( q ) ﬁxes the identit y a nd prese r ves the algebr a multiplication, a nd it follows that it is isomorphic to a s ubgroup of SO(7 , q ). F ur ther more, when q is an o dd p ower of 3 , the group G 2 ( q ) has a cer tain au- tomorphism Ψ, so metimes called the exc eptional outer automorphism , whose se t of ﬁxed points for m a group, and this is deﬁned to b e the Ree gro up Ree( q ) = 2 G 2 ( q ). A more detailed des cription of how to compute Ψ( g ) can be fo und in [ Wi l06 ]. 2.2.3. T ensor indecomp osable represent ations. It follows from [ L ¨ ub01 ] that over an alg ebraically closed ﬁeld in deﬁning characteristic, up to Galo is twists, there a re prec isely tw o absolutely irreducible tenso r indec o mpo sable r epresentations of Ree( q ): the natur a l representation and a r epresentation of dimension 27 . Let V be the natural mo dule of Ree( q ), of dimension 7. The symmetric squa re S 2 ( V ) has dimension 28, and is a direct sum of tw o submo dules of dimensions 1 and 27. The 1-dimensional submo dule arises beca us e Ree( q ) preserves a quadratic form. 2.3. Big R ee groups The Big Ree groups were ﬁrst described in [ Ree61a, Ree 6 1b ], a nd are co vered in [ Wil 05 , Chapter 4]. The maximal subgr oups are given in [ Mal91 ], a nd repre- sentativ es of the conjuga cy classes a re given in [ Shi74 ] and [ Shi75 ]. An elementary construction, suitable for our purpos es, is desc r ib ed in [ Wil06 ]. 2.3.1. Deﬁnition and prop erties. W e take the deﬁnition of the sta ndard copy of 2 F 4 ( q ) from [ Wil06 ]. The exceptional group F 4 ( q ) is constructed b y considering the exceptional Jor- dan algebra (the Alb ert algebr a), which has dimension 27, and deﬁning F 4 ( q ) to b e its automorphism gro up. Thus each element of F 4 ( q ) ﬁxes the identit y and preserves the algebra m ultiplication, and one can show that it is a subg roup o f O − (26 , q ). F ur ther more, when q is an o dd power of 2, the gr oup F 4 ( q ) has a certain automorphism Ψ whose set of ﬁxed po ints form a gro up, and this is deﬁned to b e the Big Ree group 2 F 4 ( q ). A mo re detailed descriptio n of how to compute Ψ( g ) c an be fo und in [ Wi l06 ]. Let t = 2 m +1 = √ 2 q and let V = F 26 q . F rom [ Wil06 ] w e immediately obtain: 2.3. BIG REE GR OUP S 42 Prop ositi o n 2.30 . Le t G = 2 F 4 ( q ) and g ∈ G with | g | = q − 1 . Then g is c onju gate in G to an element of the form ς ( a, b ) = dia g( a, b, a t − 1 b t − 1 , ab 1 − t , a t b − 1 , ba 1 − t , b t − 1 , b 1 − t a 2 − t , ab − 1 , a t − 1 , 1 , a − 1 b t , b 2 − t a 1 − t , a t − 1 b t − 2 , ab − t , 1 , a 1 − t , ba − 1 , a t − 2 b t − 1 , b 1 − t , a t − 1 b − 1 , ba − t , a − 1 b t − 1 , b 1 − t a 1 − t , b − 1 , a − 1 ) (2.56) for some a, b ∈ F × q . Let { e 1 , . . . , e 26 } b e the s tandard ba sis of V . F ollowing [ Wil06 ], we then deﬁne the following matrices as per m utations on this basis:  =(15 , 12)(14 , 13)(2 , 5)(7 , 8)(19 , 20)(22 , 25)(3 , 4)(6 , 9 )(1 8 , 21)(24 , 23) (2 .57) κ = (11 , 1 6 )(1 , 2)(8 , 13)(14 , 19)(25 , 26)(7 , 10) (5 , 12 )(1 5 , 22 )(1 7 , 20 )(4 , 6)(9 , 18)(21 , 23) (2.58) W e also deﬁne linear transformatio ns z and ν , where z ﬁx e s e i for i = 1 , . . . , 15 and otherwise acts as follows: e 16 7→ e 1 + e 16 e 17 7→ e 1 + e 17 e 18 7→ e 2 + e 18 (2.59) e 19 7→ e 3 + e 19 e 20 7→ e 4 + e 20 e 21 7→ e 5 + e 21 (2.60) e 22 7→ e 2 + e 6 + e 22 e 23 7→ e 3 + e 7 + e 23 e 24 7→ e 4 + e 8 + e 24 (2.61) e 25 7→ e 5 + e 9 + e 25 e 26 7→ e 1 + e 10 + e 11 + e 26 (2.62) F ur ther more, we deﬁne a block-diago na l matrix ζ as follows: ζ 1 =       1 0 0 0 1 1 0 0 1 1 1 0 1 0 1 1       (2.63) ζ 2 =            1 0 0 0 0 0 0 1 0 0 0 0 0 1 1 0 0 0 1 1 1 1 0 0 1 1 0 1 1 0 0 0 1 0 0 1            (2.64) ζ 3 = h 1 i (2.65) and then ζ has diagonal blocks ζ 3 , ζ 1 , ζ 1 , ζ 3 , ζ 2 , ζ 3 , ζ 1 , ζ 1 , ζ 3 . Finally , ν ﬁx e s e i for i ∈ { 1 , 3 , 4 , 5 , 8 , 9 , 14 , 15 , 21 , 24 , 2 5 } and otherwise ac ts as follows: e 2 7→ e 1 + e 2 e 6 7→ e 4 + e 6 e 7 7→ e 5 + e 7 (2.66) e 10 7→ e 5 + e 10 e 11 7→ e 9 + e 11 e 12 7→ e 5 + e 7 + e 10 + e 12 (2.67) 2.3. BIG REE GR OUP S 43 e 13 7→ e 8 + e 13 e 16 7→ e 9 + e 16 e 17 7→ e 15 + e 17 (2.68) e 18 7→ e 9 + e 11 + e 16 + e 18 e 19 7→ e 14 + e 19 e 20 7→ e 15 + e 20 (2.69) e 22 7→ e 15 + e 17 + e 20 + e 22 e 23 7→ e 21 + e 23 e 26 7→ e 25 + e 26 (2.70) F r om [ Wil06 ] we then immediately obtain: Theorem 2.3 1. L et λ b e a primitive element of F q . The element s  , κ , z , ν and ζ lie in 2 F 4 ( q ) , and if G = h ς (1 , λ ) , ν ζ i , then G ∼ = 2 F 4 ( q ) . Prop ositi o n 2 .32. L et G = 2 F 4 ( q ) and g ∈ G with | g | = ( q − 1)( q + t + 1 ) . Then g q + t +1 is c onjugate in G to ς (1 , b ) , which we write as h ( λ, µ ) = diag(1 , λ, µλ − 1 , λµ − 1 , λ − 1 , λ, µλ − 1 , λµ − 1 , λ − 1 , 1 , 1 , µ, λ 2 µ − 1 , µλ − 2 , µ − 1 , 1 , 1 , λ, µλ − 1 , λµ − 1 , λ − 1 , λ, µλ − 1 , λµ − 1 , λ − 1 , 1) (2.71) wher e λ = b ∈ F × q and µ = λ t . Proof. Using the notation of [ Shi75 , Page 10], we see that with r esp ect to a s uitable ba s is, g lies in T (4) ∼ = C q − 1 × C q + t +1 and that g q + t +1 will have the form ( ǫ, ǫ 2 θ − 1 , 1 , 1) for s ome ǫ ∈ F × q . Hence it will lie in one of the facto rs o f T (1) ∼ = C 2 q − 1 .  Prop ositi o n 2 .33. If g ∈ G = 2 F 4 ( q ) is uniformly r andom, then Pr[ | g | = ( q − 1)( q + t + 1 )] > 5349 54080 log log( q ) ≈ 1 10 lo g log( q ) (2.72) and henc e the exp e cte d numb er of r andom sele ctions r e quir e d to obtain an element of or der ( q − 1)( q + t + 1) is O  log lo g q  . Proof. Using the no tation of [ Shi75 , Page 10], we see that such elements lie in a conjugate of T (4) ∼ = C q − 1 × C q + t +1 . The prop o r tion of the elements in T (4) is therefore φ ( q − 1) φ ( q + t + 1 ) / (( q − 1)( q + t + 1 )). F r om [ Shi75 , T able IV] we see tha t the elements in T (4) a re of types t 9 and t 10 and that the to tal num b er of suc h elements in G is ( q + t ) | G | 4 q 2 ( q + t + 1 )( q − 1)( q 2 + 1) + ( q − 2)( q + t ) | G | 8( q − 1)( q + t + 1 ) . The prop ortion in G of the elements of the requir ed order is ther efore at least φ ( q − 1) φ ( q + t + 1) ( q − 1)( q + t + 1 )  ( q + t ) 4 q 2 ( q + t + 1)( q − 1)( q 2 + 1) + ( q − 2)( q + t ) 8( q − 1)( q + t + 1 )  and the expressio n in parentheses is minimised when m = 1. The r esult now follows from [ MSC96 , Section II.8 ].  By deﬁnition we hav e the inc lus ions 2 F 4 ( q ) < F 4 ( q ) < O − (26 , q ) < Sp(26 , q ) < SL(26 , q ) < GL(26 , q ), so 2 F 4 ( q ) pr eserves a quadratic form Q ∗ with ass o ciated 2.3. BIG REE GR OUP S 44 bilinear form β ∗ . It follows from [ Wil06 ] tha t Q ∗ ( e i ) =    1 i ∈ { 1 1 , 16 } 0 i / ∈ { 11 , 1 6 } (2.73) β ∗ ( e i , e j ) = δ i, 27 − j (2.74) Prop ositi o n 2.34 . In G = 2 F 4 ( q ) , t her e ar e t wo c onjugacy classes of involutions. The rank of an involution is the num b er of 2 -blo cks in the J or dan form. Name Centr aliser Maximal p ar ab olic R ank R epr esentative 2 A [ q 10 ]: Sz( q ) [ q 10 ]:(Sz( q ) × C q − 1 ) 1 0  2 B [ q 9 ]: PSL(2 , q ) [ q 11 ]:(PSL(2 , q ) × C q − 1 ) 12 κ Mor e over, in the 2 A c ase the c entr e of the c entr aliser has or der q . The cyclic gr oup C q − 1 acts ﬁ xe d-p oint fr e ely on [ q 10 ] . L et i, j ∈ G b e involutions. If i and j ar e c onjugate, then | i j | is o dd with pr ob ability 1 − O  1 /q  . If i and j ar e n ot c onjugate, then | ij | is even. Proof. The structure of the centralisers can be found in [ Mal91 ]. The state- men t ab out i and j follows immediately fro m [ WP06 , Theorem 13].  Corollary 2.35 (The dihedral tr ick) . Ther e ex ists a L as V e gas algorithm that, given h X i 6 GL(26 , q ) such that h X i = 2 F 4 ( q ) and given c onjugate involutions a, b ∈ h X i , ﬁnds c ∈ h X i such that a c = b . If a, b ar e given as SLP s of length O  n  , then c wil l b e found as an SLP of length O  n  . The algorithm has exp e cte d time c omplexity O  ξ  ﬁeld op er ations. Proof. F ollows fro m P rop osition 2.34 and Theo r em 1.9.  Prop ositi o n 2.36. L et λ b e a primitive element of F q . A max imal p ar ab olic of typ e 2 A is c onjugate to h ζ , z κκ , , ν , ς (1 , λ ) , ς ( λ, 1) i , which c onsists of lower blo ck- triangular matric es. A maximal p ar ab olic of typ e 2 B is c onjugate t o h ς (1 , λ ) , ς ( λ, 1) , κ, ν, ζ , ζ κ , ζ κ , ζ κκ , ν  , ν κ , ν κ i . Proof. F ollows immediately from [ Wi l06 ].  Conjecture 2. 37. L et j ∈ G = 2 F 4 ( q ) b e an involution of class 2 A and let H 6 C G ( j ) satisfy H > Z (C G ( j )) and H > S wher e S ∼ = Sz( q ) . (1) L et g ∈ H b e un iformly r andom such that | g | = 2 l . Then g l ∈ Z(C G ( j )) with pr ob ability 1 − O  1 /q  . (2) If H = C G ( j ) and g ∈ H is uniformly r andom such that | g | = 4 l , then with high pr ob ability g l ∈ O 2 ( H ) and g 2 l ∈ Z( H ) . Conjecture 2.3 8 . L et j 1 , j 2 ∈ G = 2 F 4 ( q ) b e involutions of class 2 A such that j 2 ∈ Z(C G ( j 1 )) . Then the pr op ortion of h ∈ G such that j h 1 = j 2 , | h | = q − 1 and h C G ( j 1 ) , h i < G is high. 2.3. BIG REE GR OUP S 45 Conjecture 2. 39. L et j ∈ G = 2 F 4 ( q ) b e an involution. L et H 6 C G ( j ) satisfy H > Z(C G ( j )) and H > S wher e S ∼ = Sz( q ) . L et M b e the natura l mo dule of G . Class of j Constituents and multiplicities of M | H 2 A ( S 4 , 4) , (1 , 6) , ( S ψ t 4 , 1) 2 B ( R 2 ⊗ R ψ i 2 , 2) , ( R ψ j 2 , 2) , ( R 2 , 1) , ( R ψ k 2 , 4) , (1 , 4) Wher e S 4 is t he natur al mo dule for Sz( q ) , R 2 is t he natur al mo dule for SL(2 , q ) and 0 6 i, j, k 6 2 m . In the 2 A c ase, M | H has submo dules of dimensions 26 , 2 5 , 21 , 20 , 17 , 16 , 15 , 11 , 10 , 9 , 6 , 5 , 1 , 0 . It has q + 1 submo dules of dimensions 10 and 16 , and the others ar e u n ique. In t he 2 B c ase, M | H has su bmo dules of every dimension 0 , . . . , 26 . I t has 2 submo dules of dimensions 7 , 9 , 10 , 1 3 , 16 , 17 , 19 , q + 1 submo dules of dimensions 11 and 15 and q + 2 submo dules of dimensions 12 and 1 4 . Al l the others ar e un ique. Conjecture 2.40. L et j ∈ G = 2 F 4 ( q ) b e an involution of class 2 A , let P = O 2 (C G ( j )) and let H b e the c orr esp onding maximal su b gr oup. (1) P is n ilp otent of class 2 and has exp onent 4 . (2) P has a subnormal series P = P 0 ⊲ P 1 ⊲ P 2 ⊲ P 3 ⊲ P 4 = 1 wher e | P 0 /P 1 | = | P 2 /P 3 | = q 4 , | P 1 /P 2 | = | P 3 /P 4 | = q . (3) The series induc es a ﬁ ltr ation of H , so P i /P i +1 ar e F q H -mo dules, for i = 0 , . . . , 3 . (4) Φ( P 0 ) = P ′ 0 = P 2 , P ′ 1 = P 3 , P 2 is elementary ab elian and Z(C G ( j )) = Z( P ) = P 3 . (5) P has exp onent- 2 c entr al series P = P 0 ⊲ P 2 ⊲ P 4 = 1 (6) Pr e-images of non- identity elements of P 0 /P 1 have or der 4 and their squar es, which lie in P 2 and have non-trivial images in P 2 /P 3 , ar e in- volutions of class 2 B . (7) Pr e-images of non- identity elements of P 1 /P 2 have or der 4 and their squar es, which lie in P 3 and have non-trivial images in P 3 /P 4 , ar e in- volutions of class 2 A . (8) As H -mo dules, P /P 2 is not isomorphic to P 2 . By [ Mal91 ], G has a maximal subgroup S ∼ = Sz( q ) ≀ C 2 , so from Section 2.1 w e know that S co ntains elements of order 4( q − 1). Conjecture 2.41. L et H 6 G = 2 F 4 ( q ) b e such that H ∼ = Sz( q ) × Sz( q ) and let Sz( q ) ∼ = S 6 H b e one of its dir e ct factors. L et M b e the mo dule of S and let S 4 b e the natu r al mo dule of S . (1) M ∼ =  ⊕ 4 i =1 1 + S 4  ⊕ (1 .S ψ t 4 . 1) . 2.3. BIG REE GR OUP S 46 (2) M has c omp osition factors with mu ltiplicities: ( S 4 , 4) , (1 , 6) , ( S ψ t 4 , 1) . Conjecture 2.42. L et S 6 G = 2 F 4 ( q ) b e su ch that S ∼ = Sz( q ) × Sz( q ) and let M b e the mo dule of G . (1) The elements of S of or der 4( q − 1) have 1 as an eigenvalue of mu ltiplicity 6 . The pr op ortion of t hese elements in G (taken over every S ) is 1 / (2 q ) . (2) M | S ∼ = M 16 ⊕ M 10 wher e dim M i = i . (3) M 16 is absolutely irr e ducible and M 16 ∼ = S 1 ⊗ S 2 . M 10 has shap e 1 . ( S 3 ⊕ S 4 ) . 1 . The S i ar e natur al Sz( q ) -mo dules. (4) M | S has endomorphi sm ring End( M | S ) ∼ = F 3 q and automorphism gr oup Aut( M | S ) ∼ = C 2 × C q − 1 × C q − 1 . Prop ositi o n 2.43 . L et S 6 G = 2 F 4 ( q ) such t hat S ∼ = Sz( q ) × Sz( q ) and let M b e the mo dule of G . Then Aut( M | S ) ∩ O − (26 , q ) ∼ = C 2 . Proof. The subgro up of O − (26 , q ) that pres e r ves the direct sum deco mpo si- tion o f M | S has shap e O + (16 , q ) × O − (10 , q ) (the 16 -dimensional part is of plus t yp e since M 16 is a tenso r pr o duct of natural Suzuki mo dules, and these preserve orthogo nal forms of plus type). This implies that Aut( M | S ) ∩ O − (26 , q ) = (Aut( M 16 ) ∩ O + (16 , q )) × (Aut ( M 10 ) ∩ O − (10 , q )) Since M 16 is abso lutely irr e ducible, Aut( M 16 ) consists o f scalar s only , but there are no sca lars in O + (16 , q ). Hence it suﬃces to s how that Aut( M 10 ) ∩ O − (10 , q ) ∼ = C 2 . With resp ect to a suitable basis, an endomo rphism of M 10 has the form e ( α, β ) = αI 10 + β E 10 , 1 . It preser ves the bilinear form β ∗ restricted to M 10 if α = 1 , a nd it preserves the quadratic form Q ∗ restricted to M 10 if e (1 , β ) is a transvection. This implies that only 2 v alues of β are po ssible.  Prop ositi o n 2 .44. L et λ b e a primitive element of F q . The sub gr oup h z , ,  κ , ς (1 , λ ) , ς ( λ, 1) i is isomorphic to Sz( q ) ≀ C 2 . It c ontains S = h z κκ , , ς (1 , λ ) i and h = κκ , wher e S ∼ = Sz( q ) and [ S h , S ] = h 1 i . The sub gr oup h ν , ς (1 , λ ) , ς ( λ, 1) , κ, , κ i is isomorph ic t o Sp(4 , q ): C 2 . Proof. F ollows immediately from [ Wi l06 ].  Conjecture 2.4 5. L et a ∈ G = 2 F 4 ( q ) b e such that | a | = q − 1 and a is c onjugate to some h ( λ, µ ) with λ t = µ ∈ F × q . The pr op ortion of b ∈ G such that the elements in h a i b with 1 as an eigenvalue of multiplicity 6 also have even or der and p ower up to an involution of class 2 A , is b ounde d b elow by a c onstant c 2 > 0 . Conjecture 2.46. Th e pr op ortion of elements in G that have 1 as an eigenvalue of m ultiplicity 6 is c 3 ∈ O  1 /q  . Conjecture 2.4 7. L et a ∈ G = 2 F 4 ( q ) b e such that | a | = q − 1 and a is c onjugate to some h ( λ, µ ) with λ t = µ ∈ F × q . Then N G ( h a i ) ∼ = D 2( q − 1) × Sz( q ) and ther e exists 2.3. BIG REE GR OUP S 47 an absolute c onstant c su ch that for every b ∈ G \ N G ( h a i ) , the nu mb er of g ∈ h a i b that have 1 as an eigenvalue of multiplicity at le ast 6 is b ounde d ab ove by c . Prop ositi o n 2. 48. L et G = 2 F 4 ( q ) with n atur al mo dule M and let H < G b e a maximal su b gr oup. Then either M | H is r e ducible or H ∼ = 2 F 4 ( s ) wher e q is a pr op er p ower of s . Proof. F ollows fro m [ M al91 ].  2.3.2. T ensor indecomp osable represent ations. It follows from [ L ¨ ub01 ] that over an alg ebraically closed ﬁeld in deﬁning characteristic, up to Galo is twists, there are pr ecisely three absolutely irre ducible tensor indeco mp os able repre s ent a- tions of 2 F 4 ( q ): (1) the natural representation V of dimensio n 26, (2) a submo dule of S of V ⊗ V of dimensio n 246, (3) a submo dule of V ⊗ S o f dimensio n 4096 CHAPTER 3 Constructiv e recognition and mem b ership testing Here we will pre s ent the algo rithms for co nstructive reco gnition a nd construc- tive membership testing. The metho ds we use ar e sp ecialis ed to e a ch family of exceptional groups, so we treat each family sepa rately . When the metho ds are sim- ilar b e t ween the families, w e present a c o mplete account for each family , in order to make each section self-co ntained. In the cases where we hav e a non-constr uc tive recognition algorithm that impro ves on [ BKPS02 ], we will also present it here. Recall the v ar io us cas es of constructive r ecognition o f matrix groups, given in Section 1.2.7. F or each g r oup, we will deal with some, but not a lwa y s all, o f the cases that arise. W e ﬁrst giv e an ov erview of the v ario us metho ds. F ro m Chapter 2 we know that b o th the Suzuki gr oups a nd the small Ree groups act doubly tra nsitively on q 2 + 1 and q 3 + 1 pro jectiv e p oints, resp ectively (the ﬁelds o f size q hav e diﬀerent characteristics), and the idea of how to deal with these g roups is to think of them as p ermutation groups. In fact we pr o ceed similar ly as in [ C LGO0 6 ] for PSL(2 , q ), which acts do ubly transitively on q + 1 pro jective points. The essential problem in all these case s is to ﬁnd an eﬃcie nt algo rithm that ﬁnds an element of the gro up that maps one pr o jectiv e point to ano ther. In PSL(2 , q ) the a lgorithm pro ceeds by ﬁnding a random elemen t o f o rder q − 1 and considering a random coset o f the s ubgroup g enerated by this element. Since the coset is exp o nent ially large, we cannot pro cess every element, and the idea is instead to construct the require d element by solving equa tions. W e therefore consider a matrix whose entries are indeterminates. In this way w e reduce the coset search problem to tw o other problems from co mputational algebra: ﬁnding ro ots of quadratic equations ov er a ﬁnite ﬁeld, and the fa mous discr ete lo garithm pr oblem . In the Suzuki groups, the num b er of po ints is q 2 + 1 instead of q + 1 , a nd this requires us to consider double co sets of ele ments o f order q − 1, instead of co s ets. The pr o blem is again reduced to ﬁnding ro ots o f univ a riate polyno mials, in this case of degree at mos t 6 0, as well as to the discrete loga r ithm pr oblem. The small Ree groups are dealt with slightly diﬀerently , s ince w e can easily ﬁnd in volutions by random search and then use the Bray algor ithm to ﬁnd the cen- traliser of an in volution. Then the module o f the group r estricted to the centraliser decomp oses, and this is used to ﬁnd an element that maps one pro jective p oint to another. 48 3.1. SUZUKI GROUPS 49 The B ig Ree g roups c a nnot b e cons ide r ed as p e rmutation gro ups in the same wa y , so the ess ential problem in this case is to ﬁnd an in volution expressed as a pro duct of the given generator s. Again the idea is to ﬁnd a cy clic subgroup of order q − 1 and sea rch for elemen ts of ev en order in random cose ts of this subgroup. The underlying observ ation is that the elements o f even or der are characterised by having 1 as an e igenv alue with a certain multiplicit y . Ther efore we can ag ain c o nsider matrices who se e ntries ar e indeterminates and c onstruct the requir e d element of even order. 3.1. Suzuki groups Here we will us e the notation fro m Section 2.1. W e will refer to Conjectures 3.4, 3.18, 3.19, 3.21 and 3.24 s imu ltaneously as the Suzuki Conje ctur es . W e now give an ov e r view of the algorithm for co nstructive recog nitio n and constructive members hip testing. It will b e for mally prov ed as Theorem 3.26. (1) Given a group G ∼ = Sz( q ), satisfying the ass umptions in Section 1.2 .7, we know fro m Section 2.1.3 that the mo dule of G is isomorphic to a tensor pro duct of t wisted copies of the natural module of G . Hence w e ﬁrst tenso r decomp ose this mo dule. This is describ e d in Section 3.1.5. (2) The resulting groups in dimension 4 are conjugates of the standa r d cop y , so w e ﬁnd a conjugating elemen t. This is desc rib ed in Section 3.1.4. (3) Finally we are in Sz( q ). Now we can p erfor m prepro ce ssing for co nstructive mem b ership testing and o ther problems we w ant to solve. This is describ ed in Section 3.1.3. Given a dis crete logarithm oracle, the whole pro cess has time complexity sligh tly worse than O  d 5 + log ( q )  ﬁeld op era tions, assuming that G is given by a bo unded nu mber of generator s. 3.1.1. Recogniti on. W e now discuss how to non-constructively r ecognise Sz( q ). W e are given a group h X i 6 GL(4 , q ) and we wan t to dec ide whether or no t h X i = Sz( q ), the group deﬁned in (2.4). T o do this, it suﬃces to determine if X ⊆ Sz( q ) and if X doe s not generate a prop er subgroup, i.e. if X is not contained in a maxima l s ubgroup. T o deter mine if g ∈ X is in Sz( q ), ﬁrst determine if g preser ves the symplectic form of Sp(4 , q ) and then determine if g is a ﬁxed po int o f the automorphism Ψ of Sp(4 , q ), men tioned in Section 2.1. The recognition algorithm relies on the follo wing result. Lemma 3. 1. L et H = h X i 6 Sz( q ) = G , wher e X = { x 1 , . . . , x n } , let C = { [ x i , x j ] | 1 6 i < j 6 n } and let M b e t he n atur al mo dule of H . Then H = G if and only if the fol lowing hold: (1) M is an absolutely irr e ducible H -mo dule. (2) H c annot b e written over a pr op er subﬁeld. (3) C 6 = { 1 } and for every c ∈ C \ { 1 } ther e exists x ∈ X such that [ c, c x ] 6 = 1 . 3.1. SUZUKI GROUPS 50 Proof. By The o rem 2.3, the maximal subgro ups o f G that do satisfy the ﬁr s t t wo c onditions are N G ( H ), B 1 and B 2 . F or each, the derived group is contained in the no r malised cy clic group, so all these maximal subgroups a r e metab elian. If H is con tained in one o f them and H is not ab elia n, then C 6 = { 1 } , but [ c, c x ] = 1 for every c ∈ C and x ∈ X since the s econd derived gr oup of H is trivial. Hence the last condition is not satisﬁed. Conv e r sely , assume that H = G . Then clearly , the ﬁrst tw o conditions ar e satisﬁed, and C 6 = { 1 } . Assume that the last condition is fals e, so for some c ∈ C \{ 1 } we hav e that [ c, c x ] = 1 for every x ∈ X . This implies tha t c x ∈ C G ( c ) ∩ C G ( c ) x − 1 , and it follows fr o m Prop ositio n 2.7 that C G ( c ) = C G ( c ) x − 1 . Th us C G ( c ) = C G ( c ) g for all g ∈ G , so C G ( c ) ⊳ G , but G is simple and we have a contradiction.  Theorem 3.2. Ther e ex ist s a L as V e gas algorithm t hat, given h X i 6 GL(4 , q ) , de cides whether or not h X i = Sz( q ) . It has exp e cte d time c omplexity O  | X | 2 + σ 0 (log( q ))( | X | + log( q ))  ﬁeld op er ations. Proof. The a lgorithm pr o ceeds as follows. (1) Determine if every x ∈ X is in Sz( q ), and return false if not. (2) Determine if h X i is absolutely irreducible, and return false if not. (3) Determine if h X i can be wr itten ov er a smaller ﬁeld. If so, r eturn false . (4) Using the no tation of Lemma 3.1, try to ﬁnd c ∈ C suc h that c 6 = 1. Return false if it cannot b e found. (5) If such c can b e found, and if [ c, c x ] 6 = 1 for some x ∈ X , then r eturn true , else return false . F r om the dis c us sion at the beg inning of this section, the ﬁr st step is easily done using O  | X |  ﬁeld opera tions. The MeatAxe can b e used to determine if the natural mo dule is absolutely irreducible; the a lg orithm describ ed in Section 1 .2.10.2 ca n b e used to determine if h X i c an be written over a smaller ﬁeld. The rest o f the algor ithm is a straightforw ard application of the last condition in Lemma 3.1, except that it is suﬃcient to use the c o ndition for o ne non-tr ivial commutator c . By Lemma 3.1, if [ c, c x ] 6 = 1 then h X i = Sz( q ); but if [ c, c x ] = 1, then C h X i ( c ) ⊳ h X i and we cannot hav e Sz( q ). It follows fro m Sec tion 1.2 .10 that the exp ected time complexity of the al- gorithm is as s ta ted. Since the Mea tAxe is Las V egas, this algor ithm is also Las V eg as.  W e are a lso interested in determining if a given group is a c onjugate o f Sz( q ), without neces s arily ﬁnding a conjugating elemen t. W e cons ider the subgroups of Sp(4 , q ) and r ule out all except thos e isomorphic to Sz( q ). This relies on the fact that, up to Galois automo r phisms, Sz( q ) has only one equiv alence class of faithful representations in GL(4 , q ), so if w e can show that G ∼ = Sz( q ) then G is a conjugate of Sz( q ). 3.1. SUZUKI GROUPS 51 Theorem 3.3. Ther e ex ist s a L as V e gas algorithm t hat, given h X i 6 GL(4 , q ) , de cides whether or not ther e exists h ∈ GL(4 , q ) such that h X i h = Sz( q ) . The algorithm has exp e cte d time c omplexity O  | X | 2 + σ 0 (log( q ))( | X | + log ( q ))  ﬁeld op er ations. Proof. Let G = h X i . The algor ithm pr o ceeds a s follows. (1) Determine if G is absolutely irreducible, and r eturn false if no t. (2) Determine if G preserves a non-degenera te symplectic fo r m M . If so we conclude that G is a s ubgroup of a conjugate of Sp(4 , q ), a nd if not then return f alse . Since G is abs olutely irr educible, the fo rm is unique up to a scalar mult iple. (3) Conjugate G s o that it pr eserves the for m J . This amo unts to ﬁnding a symplectic basis, i.e. ﬁnding a n invertible matrix X suc h tha t X J X T = M , which is eas ily done. Then G X preserves the for m J and thus G X 6 Sp(4 , q ) so that we can apply Ψ. (4) Determine if V ∼ = V Ψ , whe r e V is the natura l mo dule for G and Ψ is the automorphism from Lemma 2.13. If so w e conclude that G is a subgroup of some conjugate of Sz ( q ), and if not then return false . (5) Determine if G is a pr op er subgr oup of Sz( q ), i.e. if it is contained in a maximal s ubgroup. This can be done using Lemma 3.1. If so, then return false , else return true . F r om the descriptions in Section 1.2.10 .1 , the algo rithms for ﬁnding a preser ved form and for module is omorphism testing ar e Las V eg as, with the same expec ted time complexity as the MeatAxe. Hence w e obtain a La s V egas algorithm, with the same expe c ted time complex it y as the algorithm fro m Theorem 3 .2.  3.1.2. Finding an ele men t of a stabili ser. In this section the matrix degree is constant, so we set ξ = ξ (4). In constructive mem b ership testing for Sz( q ) the essential pro blem is to ﬁnd an elemen t of the stabiliser of a given point P ∈ O , expressed a s an SLP in our given gener ators X of G = Sz( q ). The idea is to map P to Q 6 = P by a random g 1 ∈ G , and then compute g 2 ∈ G such that P g 2 = Q , so that g 1 g − 1 2 ∈ G P . Thu s the problem is to ﬁnd a n element that ma ps P to Q , and the idea is to search for it in double cos ets of cyclic subgr oups of order q − 1. W e ﬁr st give an ov e r view of the metho d. Begin by selecting r andom a, h ∈ G such that a has pseudo- order q − 1, and consider the equation P a j ha i = Q (3.1) in the t wo indetermina tes i, j . If w e can solve this equa tion for i and j , th us obtaining int egers k , l such tha t 1 6 k , l 6 q − 1 and P a l ha k = Q , then we hav e an element that maps P to Q . Since a has order dividing q − 1, b y Prop ositio n 2 .4, a is conjugate to a matrix M ′ ( λ ) for some λ ∈ F × q . This implies that we can dia gonalise a and obtain a 3.1. SUZUKI GROUPS 52 matrix x ∈ GL(4 , q ) such that M ′ ( λ ) x = a . It follows that if w e deﬁne P ′ = P x − 1 , Q ′ = Qx − 1 and g = h x − 1 then (3.1) is equiv alent to P ′ M ′ ( λ ) j g M ′ ( λ ) i = Q ′ . (3.2) Now c hange indeterminates to α and β b y letting α = λ j and β = λ i , so that we obtain the following equation: P ′ M ′ ( α ) g M ′ ( β ) = Q ′ . ( 3.3) This determines four equations in α and β , a nd in Section 3.1 .2.1 w e will de- scrib e how to ﬁnd solutions for them. A solution ( γ , δ ) ∈ F × q × F × q determines M ′ ( γ ) , M ′ ( δ ) ∈ H , and hence also c, d ∈ H = H x . If | a | = q − 1 then h a i = H , s o that there ex is t integers k and l as ab ove with a l = c and a k = d . These in tegers can b e found by computing discrete loga rithms, since we also hav e λ l = γ and λ k = δ . Hence we obtain a solutio n to (3.1) from the so lution to (3.3). If | a | is a pro per divisor of q − 1, then it might happ en that c / ∈ h a i or d / ∈ h a i , but b y Prop os ition 2.6 we know that this is unlikely . Thu s the ov erall algorithm is as in Algo rithm 3 .1. W e prov e that the algorithm is correct in Sectio n 3.1.2.2. Algorithm 3.1: FindMappingElement ( X , P , Q ) 1 Input: Generating set X for G = Sz( q ) and po ints P 6 = Q ∈ O . 2 Output: A random elemen t g of G , a s an SL P in X , s uch that P g = Q . // Ass umes the existence of a function S ol veEqua tion that solves (3.3). // Also assumes tha t DiscreteLog re turns a p os itive integer if a // dis crete logar ithm exists, and 0 otherwise. rep eat 3 // Find random elemen t a of pseudo-order q − 1 rep eat 4 a := Random ( G ) 5 un til | a | | q − 1 6 ( M ′ ( λ ) , x ) := Diag onalise ( a ) 7 // Now M ′ ( λ ) x = a rep eat 8 h := Random ( G ) 9 ﬂag := Sol veEqua tion ( h x − 1 , P x − 1 , Qx − 1 ) 10 un ti l ﬂag 11 Let ( γ , δ ) b e a solution to (3.3). 12 l := DiscreteLog ( λ, γ ) 13 k := DiscreteLog ( λ, δ ) 14 un til k > 0 and l > 0 15 return a l ha k 3.1.2.1. Solving e quation (3.3) . W e will now show how to obtain the solutions of (3.3). I t might happ e n that there a re no solutions, in which case the metho d describ ed here will detect this a nd return with failure. 3.1. SUZUKI GROUPS 53 By letting P ′ = ( q 1 : q 2 : q 3 : q 4 ), Q ′ = ( r 1 : r 2 : r 3 : r 4 ) a nd g = [ g i,j ], we can write out (3.3) a nd obtain ( q 1 g 1 , 1 α t +1 + q 2 g 2 , 1 α + q 3 g 3 , 1 α − 1 + q 4 g 4 , 1 α − t − 1 ) β t +1 = C r 1 ( q 1 g 1 , 2 α t +1 + q 2 g 2 , 2 α + q 3 g 3 , 2 α − 1 + q 4 g 4 , 2 α − t − 1 ) β = C r 2 ( q 1 g 1 , 3 α t +1 + q 2 g 2 , 3 α + q 3 g 3 , 3 α − 1 + q 4 g 4 , 3 α − t − 1 ) β − 1 = C r 3 ( q 1 g 1 , 4 α t +1 + q 2 g 2 , 4 α + q 3 g 3 , 4 α − 1 + q 4 g 4 , 4 α − t − 1 ) β − t − 1 = C r 4 (3.4) for some constant C ∈ F q . Henceforth, we as sume that r i 6 = 0 for i = 1 , . . . , 4, since this is the diﬃcult ca s e, a nd also very likely when q is larg e, as can b e seen from Prop ositio n 2.10. A method similar to the one de s crib ed in this s ection will solve (3.3) when some r i = 0 and Algorithm 3.1 does not a ssume that all r i 6 = 0. F o r con venience, w e denote the expressio ns in the pa rentheses a t the left hand sides of (3.4) as K , L , M and N resp ectively . Since C = Lβ r − 1 2 we obtain three equations K β t = r 1 r − 1 2 L M β − 2 = r 3 r − 1 2 L N β − t − 2 = r 4 r − 1 2 L (3.5) and in particular β is a function of α , since β = q L − 1 M r − 1 3 r 2 . (3 .6) If we elimina te β and β t by us ing the ﬁrst t wo equations into the thir d in (3.5), w e obtain N K r 2 r 3 = r 1 r 4 M L (3.7) and by raising the ﬁrst equation to the t -th p ower and substituting in to the second, we obtain r 1 r t/ 2 3 L 1+ t/ 2 = r 1+ t/ 2 2 M t/ 2 K. (3.8) Also, C = M β − 1 r − 1 3 and if we pro ceed similarly , we o btain t wo more equations N t Lr t +1 3 = M t +1 r 2 r t 4 (3.9) N L t/ 2 r 1+ t/ 2 3 = M 1+ t/ 2 r 4 r t/ 2 2 . (3.10) Now (3.7), (3.8) , (3.9) and (3.10) ar e equations in α only , and by multiplying them by suita ble p ow ers of α , they ca n b e turned in to po ly nomial equa tions such that α only o ccurs to the p owers ti for i = 1 , . . . , 4 and to lower p ow ers that a re independent of t . The suitable p ow ers of α a re 2 t + 2 , t + t/ 2 + 2, 2 t + 3 and 2 t + t/ 2 + 2, resp ectively . 3.1. SUZUKI GROUPS 54 Thu s we obtain the following four equations . α 4 t c 1 + α 3 t c 2 + α 2 t c 3 + α t c 4 = d 1 α 4 t c 5 + α 3 t c 6 + α 2 t c 7 + α t c 8 = d 2 α 4 t c 9 + α 3 t c 10 + α 2 t c 11 + α t c 12 = d 3 α 4 t c 13 + α 3 t c 14 + α 2 t c 15 + α t c 16 = d 4 (3.11) The c i and d j are po lynomials in α with degree indep e nden t of t , for i = 1 , . . . , 16 and j = 1 , . . . , 4 resp ectively , s o (3.11) can b e considered a linear system in the v ariables α nt for n = 1 , . . . , 4, with co e ﬃcie nts c i and d j . Now the aim is to o btain a single po ly nomial in α o f bo unded deg ree. F or this we need the following conjecture . Conjecture 3.4. F or every P ′ = P x − 1 , Q ′ = Qx − 1 , g = h x − 1 wher e P, Q ∈ O , h ∈ G and x ∈ GL(4 , q ) , if we r e gar d (3.11) as simult ane ous line ar e quations in the variables α nt for n = 1 , . . . , 4 , over the p olynomial ring F q [ α ] , then it has n on-zer o determinant. In other w ords, the determinant of the co eﬃcients c i is not the zero polyno mial. Lemma 3.5 . Assume Conje ctur e 3.4 . Given P ′ , Q ′ and g as in Conje ctu r e 3.4 , ther e exists a univariate p olynomial f ( α ) ∈ F q [ α ] of de gr e e at most 6 0 , such that for every ( γ , δ ) ∈ F × q × F × q that is a solution for ( α, β ) in (3 .3) , we have f ( γ ) = 0 . Proof. So far in this sectio n we have shown that if we can solve (3.11) we can also solve (3.3). F rom the four eq uations of (3.11) w e can eliminate α t . W e can solve for α 4 t from the fourth equa tion, and substitute in to the third, thus o btaining a rational express io n with no o ccurr ence of α 4 t . Contin uing this w ay and substituting int o the other equations, w e obtain a n e xpression for α t in ter ms of the c i and the d i only . This can b e substituted into any of the equations of (3.11), where α nt for n = 1 , . . . , 4 is obtained b y p owering up the ex pression for α t . Th us we o btain a rational expression f 1 ( α ) of degree independent of t . W e now take f ( α ) to be the nu merator of f 1 . In other words, we think of the α nt as indep endent v ariables and of (3.11) as a linear sys tem in these v aria bles, with co eﬃcients in F q [ α ]. By Conjecture 3 .4 we can solve this linear system. Two p ossible problems can o ccur : f is identically zero or so me of the denomina- tors of the expressions for α nt , n = 1 , . . . , 4 turn out to b e 0. How ever, Co njectur e 3.4 rules out these p o s sibilities. By Cr amer’s rule, the express io n for α t is a ra tional expression where the numerator is a determinant, so it co ns ists of sums of pro d- ucts of c i and d j . E ach pro duct consists of three c i and one d j . B y considering the calculations lea ding up to (3.1 1), it is clear that ea ch of the pro ducts has degr ee at most 15 . Therefor e the expres sion for α 4 t and hence also f ( α ) ha s degr ee at most 60. W e hav e only done elementary algebr a to o btain f ( α ) from (3.11), and it is clear that (3.11) w as obtained from (3.4) by e le mentary means only . Hence all solutio ns 3.1. SUZUKI GROUPS 55 ( γ , δ ) to (3.4) must also sa tis fy f ( γ ) = 0, althoug h there may not be any suc h solutions, and f ( α ) may also hav e other zeros .  Corollary 3 .6. A ssume Conje cture 3.4 . Ther e exists a L as V e gas algorithm t hat, given P ′ , Q ′ and g as in Conje ctu r e 3.4 , ﬁnds al l ( γ , δ ) ∈ F × q × F × q that ar e solut ions of (3.3) . The algorithm has exp e cte d time c omplexity O  log q  ﬁeld op er ations. Proof. Let f ( α ) b e the po lynomial constructed in Lemma 3 .5. T o ﬁnd a ll solutions to (3.3), we ﬁnd the ze ros γ of f ( α ), compute the co rresp onding δ for each zero γ using (3.6), and c heck which pair s ( γ , δ ) sa tisfy (3.4). These pairs m ust be a ll solutions of (3.3). The only work needed is simple matrix a rithmetic a nd ﬁnding the ro ots of a p olynomia l of b ounded deg ree ov er F q . Hence the exp ected time complexity is O  log q  ﬁeld op er ations. The algor ithm is Las V eg as, since b y T heo rem 1.1 the algorithm for ﬁnding the ro o ts of f ( α ) is La s V ega s , with this exp ected time com- plexity .  By following the pro cedur e outlined in Lemma 3.5, it is straig ht forward to obtain an ex pression for f ( α ), whe r e the c o eﬃcients are expressio ns in the entries of g , P ′ and Q ′ , but we will not dis play it here, since it w ould take up to o muc h space. 3.1.2.2. Corr e ctness and c omplexity. There are tw o issues when co nsidering the correctnes s of Algo rithm 3 .1. Using the no tation in the algor ithm, w e hav e to s how that (3.3) has a solution with high probability , and that the int egers k and l ar e po sitive with high probability . The alg orithm in Co rollary 3.6 tries to ﬁnd a n element in the double coset H g H , where g = h x − 1 , and we will see that this succ eeds with high proba bilit y when g / ∈ N G ( H ), which is very likely . If the element a has or der precisely q − 1, then from the dis cussion at the beg inning of Sectio n 3.1.2, w e know that the in tegers k a nd l will be pos itive. By Prop ositio n 2.6 we know that it is likely that a has order precisely q − 1 rather tha n just a div isor of q − 1. Lemma 3.7. Assume Conje ct u r e 3.4 . L et G = Sz( q ) and let P ∈ O and a, h ∈ G b e given, such that | a | = q − 1 . L et Q ∈ O b e un iformly r andom. If h / ∈ N G ( h a i ) , then ( q − 1) 2 ( q 2 + 1) deg f 6 Pr[ Q ∈ P h a i h h a i ] 6 ( q − 1) 2 q 2 + 1 (3.12) wher e f ( α ) is the p olynomial c onstructe d in L emm a 3.5 . If inst e ad h ∈ N G ( h a i ) then Pr[ Q ∈ P h a i h h a i ] = ( q − 1)( q 2 − 1) + 2 ( q 2 + 1) 2 . (3.13) Proof. If h / ∈ N G ( h a i ) then by Lemma 2.7, |h a i h h a i| = ( q − 1 ) 2 , and hence | P h a i h h a i| 6 ( q − 1) 2 . 3.1. SUZUKI GROUPS 56 On the other hand, fo r ev ery Q ∈ O we have |{ ( k 1 , k 2 ) | k 1 , k 2 ∈ h a i , P k 1 hk 2 = Q }| 6 deg f (3.14) since this is the eq ua tion we co nsider in Section 3.1.2.1, and from Lemma 3.5 we know that a ll solutions must b e ro ots of f . Thus | P h a i h h a i| > |h a i h h a i| / deg f . Since Q is unifor mly r andom from O , and |O | = q 2 + 1, the result follows. If h ∈ N G ( h a i ) then h a i h h a i = h h a i , and | P h h a i| = |h a i| if h a i do es not ﬁx P h . By Prop osition 2.4, the num b er of cyclic s ubgroups of or der q − 1 is  |O| 2  and |O| − 1 such subgro ups ﬁx P h . Mor eov er, if h a i ﬁxes P h then P h h a i = { P h } . Thus Pr[ Q ∈ P h a i h h a i ] = Pr[ Q ∈ P h h a i ] P r[ P ha 6 = P h ]+ + Pr[ Q = P h ] Pr[ P ha = P h ] = | P h h a i| |O| 1 − |O| − 1  |O | 2  ! + 1 |O| |O| − 1  |O | 2  (3.15) and the r esult follows.  Theorem 3. 8 . A s s ume Conje ctur e 3.4 and an or acle for t he discr ete lo garithm pr oblem in F q . Algori thm 3.1 is a L as V e gas algorithm with exp e ct e d time c omplex- ity O  ( ξ + χ D ( q ) + log( q ) log log( q )) log log( q )  ﬁeld op er ations. The length of the r etur n e d SL P is O  log lo g( q )  . Proof. W e use the notation from the algo rithm. Let g = h x − 1 , H = H x , P ′ = P x − 1 and Q ′ = Qx − 1 . Corolla ry 3.6 implies that line 10 will succeed if Q ′ ∈ P ′ H g H . If | a | = q − 1, then H = h a i , and the previous condition is equiv alent to Q ∈ P h a i h h a i . Moreover, if | a | = q − 1 then line 14 will alw ays succeed. Let s b e the probability that the return statement is r eached. The n s satisﬁes the following inequality . s > Pr[ | a | = q − 1](Pr[ h ∈ N G ( h a i )] Pr[ Q ∈ P h a i h h a i | h ∈ N G ( h a i )]+ + Pr[ h / ∈ N G ( h a i )] Pr[ Q ∈ P h a i h h a i | h / ∈ N G ( h a i )]) . (3.16) Since h is uniformly r andom, using Theorem 2.3 w e o btain Pr[ h ∈ N G ( h a i )] = 2( q − 1) | G | = 2 q 2 ( q 2 + 1) . (3.17) F r om Prop osition 2.6 and Lemma 3 .7 we obtain s > φ ( q − 1) 2( q − 1)  ( q − 1) 2 ( q 2 + 1) deg f − 2 q 2 ( q 2 + 1) ( q − 1) 2 ( q 2 + 1) + 2 q 2 ( q 2 + 1) 2 + ( q − 1)( q 2 − 1) ( q 2 + 1) 2  = = φ ( q − 1) 2( q − 1) deg f + O  1 /q  . (3.18) By Prop os ition 2.6, the expe cted num b er of iter ations of the outer rep eat state- men t is O  log lo g( q )  . The exp ected num b er of random se le ctions to ﬁnd h is O  1  . By T heo rem 1.1, dia gonalising a matrix us es ex pe c ted O  log q  ﬁeld oper ations, since it in volv es ﬁnding the eigenv alues, i.e. ﬁnding the ro ots of a po lynomial of 3.1. SUZUKI GROUPS 57 constant degr ee over F q . Clear ly , the e x pe c ted time co mplexity for ﬁnding a is O  ξ + log( q ) lo g log ( q )  ﬁeld op erations. F r om Corolla ry 3.6, it follows that line 9 uses O  log q  ﬁeld op erations. W e con- clude that Algorithm 3 .1 uses exp ected O  ( ξ + χ D ( q ) + log ( q ) log log ( q ) ) log log ( q )  ﬁeld op erations. Each c a ll to Alg o rithm 3.1 uses indep endent random e le men ts, s o the double cosets under co nsideration are uniformly random a nd indep e nden t. Therefore the elements returned by Algor ithm 3 .1 m ust be unifor mly random. The returned S LP is comp osed of SL P s of a and h , b oth of which ha ve length O  log lo g( q )  bec ause of the n umber of iterations of the lo ops.  Corollary 3.9. A ssume Conje ctur e 3.4 and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i 6 GL(4 , q ) such that G = h X i = Sz( q ) and P ∈ O , ﬁnds a u n iformly r andom g ∈ G P , expr esse d as an S LP in X . The algorithm has exp e cte d time c omplexity O  ( ξ + χ D ( q ) + log ( q ) log log( q )) log log( q )  ﬁeld op er ations. The length of the r etu rne d SLP is O  log lo g( q )  . Proof. W e compute g as follows. (1) Find random x ∈ G . Let Q = P x and rep eat unt il P 6 = Q . (2) Use Algorithm 3.1 to ﬁnd y ∈ G such that Qy = P . (3) Now g = xy ∈ G P . W e see from Algor ithm 3.1 that the choice of y do es not depend on x . Hence g is uniformly ra ndo m, since x is uniformly rando m. The r efore this is a Las V egas algorithm. The probability that P = Q is 1 / |O| , so the dominating term in the complexity is the call to Algorithm 3.1, with exp ected time complexit y given b y Theorem 3.8. The element g will be expre s sed as an SLP in X , since x is random and elements from Algo r ithm 3 .1 ar e expre s sed as SLP s. Clea rly the length of the SL P is the sa me as the length of the SL P s fro m Alg orithm 3.1.  Remark 3.10. In fact, the algo rithm of Coro llary 3.9 w orks in any conjugate o f Sz( q ), since in Algorithm 3.1 the diag onalisation alwa ys mov es into the standard copy . 3.1.3. Constructiv e m em b ershi p testing. W e will now giv e an a lgorithm for constructive membership testing in Sz( q ). Given a set of gener ators X , suc h that G = h X i = Sz( q ), and given g ∈ G , we want to expr ess g as an SL P in X . The matr ix deg ree is co nstant her e, so we set ξ = ξ (4). Membership testing is straightforward, using the ﬁrst steps from the algorithm in Theor em 3 .2, and will not be c o nsidered here. 3.1.3.1. Pr epr o c essing. The algorithm for constructive membership testing has a prepr o cessing step a nd a main step. The pre pr o cessing step c onsists of ﬁnding “standard generator s” for O 2 ( G P ∞ ) = F a nd O 2 ( G P 0 ). In the ca s e of O 2 ( G P ∞ ) the 3.1. SUZUKI GROUPS 58 standard generators a re deﬁned as matr ic es { S ( a i , x i ) } n i =1 ∪ { S (0 , b i ) } n i =1 for some unspe ciﬁed x i ∈ F q , such that { a 1 , . . . , a n } and { b 1 , . . . , b n } form vector space bases of F q ov e r F 2 (so n = lo g 2 q = 2 m + 1). Lemma 3.11. Ther e exist algorithms for the fol lowing r ow r e ductions. (1) Given g = M ′ ( λ ) S ( a, b ) ∈ G P ∞ , ﬁnd h ∈ O 2 ( G P ∞ ) expr esse d in the standar d gener ators, such that g h = M ′ ( λ ) . (2) Given g = S ( a, b ) M ′ ( λ ) ∈ G P ∞ , ﬁnd h ∈ O 2 ( G P ∞ ) expr esse d in the standar d gener ators, such that hg = M ′ ( λ ) . (3) Given P ∞ 6 = P ∈ O , ﬁ n d g ∈ O 2 ( G P ∞ ) expr esse d in the standar d gener a- tors, such that P g = P 0 . Analo gous algorithms ex ist for G P 0 . If the standar d gener ators ar e expr esse d as SLP s of length O  n  , the elements r eturne d wil l have length O  n log( q )  . The t ime c omplexity of the algorithms is O  log( q ) 3  ﬁeld op er ations. Proof. The a lgorithms are as follows. (1) (a) Solve a linear system o f size log ( q ) to co nstruct the linear com bination a = g 2 , 1 /g 2 , 2 = P 2 m +1 i =1 α i a i with α i ∈ F 2 . Let h ′ = Q 2 m +1 i =1 S ( a i , x i ) α i and g ′ = g h ′ , so that g ′ = M ′ ( λ ) S (0 , b ′ ) for some b ′ ∈ F q . (b) Solve a linear system of size lo g ( q ) to construct the linear com bination b ′ = g ′ 3 , 1 /g ′ 3 , 3 = P 2 m +1 i =1 β i b i with β i ∈ F 2 . Let h ′′ = Q 2 m +1 i =1 S (0 , b i ) β i and g ′′ = g ′ h ′′ , so that g ′′ = M ′ ( λ ). (c) Now h = h ′ h ′′ . (2) Analogous to the previous c a se. (3) (a) Normalis e P so that P = ( ab + a t +2 + b t : b : a : 1 ) for some a, b ∈ F q . Solve a linear system of size log ( q ) to construct the linear com bination a = P 2 m +1 i =1 α i a i with α i ∈ F 2 . Let h ′ = Q 2 m +1 i =1 S ( a i , x i ) α i . (b) Solve a linear system of size lo g ( q ) to construct the linear com bination b + h ′ 3 , 1 = P 2 m +1 i =1 β i b i with β i ∈ F 2 . Let h ′′ = Q 2 m +1 i =1 S (0 , b i ) β i (c) Now g = h ′ h ′′ maps P to P 0 . Clearly the dominating term in the time complexity is the solving o f the linear systems, which requir es O  log( q ) 3  ﬁeld op era tio ns. The elements returned are constructed using O  log( q )  m ultiplications, hence the length of the SLP follows.  Theorem 3.12 . Assu me Conje ctur e 3.4 and an or acle for the discr ete lo garithm pr oblem in F q . The pr epr o c essing step is a L as V e gas algorithm that ﬁn ds standar d gener ators for O 2 ( G P ∞ ) and O 2 ( G P 0 ) , as SLP s in X of length O  log lo g( q ) 2  . It has exp e cte d time c omplexity O  ( ξ + χ D ( q ) + log( q ) log log( q ))(log log( q )) 2  ﬁeld op er ations. Proof. The pr epro cessing step proce eds as fo llows. (1) Find random elements a 1 ∈ G P ∞ and b 1 ∈ G P 0 using the alg orithm from Corollar y 3.9. Rep eat until a 1 can b e diago na lised to M ′ ( λ ) ∈ G , where λ ∈ F × q and λ do e s not lie in a prop er subﬁeld of F q . Do similarly for b 1 . 3.1. SUZUKI GROUPS 59 (2) Find random elements a 2 ∈ G P ∞ and b 2 ∈ G P 0 using the alg orithm from Corollar y 3 .9. Let c 1 = [ a 1 , a 2 ], c 2 = [ b 1 , b 2 ]. Rep ea t un til | c 1 | = | c 2 | = 4. (3) Let Y ∞ = { c 1 , a 1 } and Y 0 = { c 2 , b 1 } . As standa r d generators for O 2 ( G P ∞ ) we now take L = 2 m +1 [ i =1 n c d i 1 1 , ( c 2 1 ) d i 1 o (3.19) and similarly we obtain U for O 2 ( G P 0 ). It follows from (2.9) and (2.12) that (3.1 9) provides the standard genera tors for G P ∞ . These are expressed as S LP s in X , since this is true for the elemen ts returned from the algorithm describ ed in Corollary 3 .9. Hence the algorithm is Las V egas. By Corollary 3.9, the expected time to ﬁnd a 1 and b 1 is O  ( ξ + χ D ( q ) + log( q ) log log( q )) log lo g( q )  , and these are uniformly distr ibuted indep endent ran- dom elements. The elements of order dividing q − 1 can be diagona lised as requir ed. By Theore m 2.1, the prop or tion of elements of order q − 1 in G P ∞ and G P 0 is φ ( q − 1) / ( q − 1 ). Hence the exp ected time fo r the ﬁrst step is O  ( ξ + χ D ( q ) + log( q ) log log( q ))(log log( q )) 2  ﬁeld op erations. Similarly , b y P rop ositio n 2.11 the e xp e c ted time for the se cond step is O  ( ξ + χ D ( q ) + log( q ) log log( q ))(log log ( q )) 2  ﬁeld o p e rations. By the rema r k preceding the theorem, L determines tw o sets of ﬁeld elemen ts { a 1 , . . . , a 2 m +1 } and { b 1 , . . . , b 2 m +1 } . In this case ea ch a i = aλ i and b i = bλ i ( t +1) , for some ﬁxed a , b ∈ F × q , where λ is as in the alg orithm. Since λ do es not lie in a prop er subﬁeld, these sets form v ector space ba ses of F q ov e r F 2 . T o determine if a 1 or b 1 diagonalis e to some M ′ ( λ ) it is suﬃcient to consider the eigenv alues on the diago nal, since b oth a 1 and b 1 are triangular. T o determine if λ lies in a prop er s ubﬁeld, it is suﬃcient to determine if | λ | | 2 n − 1, fo r so me prop er divisor n of 2 m + 1. Hence the dominating term in the complexity is the ﬁrst step.  3.1.3.2. Main algorithm. Now we consider the algor ithm that expresses g as an SLP in X . It is given formally as Algorithm 3 .2. Theorem 3.13. Algorithm 3.2 is a L as V e gas algorithm with exp e cte d time c om- plexity O  ξ +lo g( q ) 3  ﬁeld op er ations. The length of the SLP is O  log( q )(log lo g( q )) 2  . Proof. First observe that since r is rando mly c hosen w e obtain it as an SL P . On line 4 we check if g r ﬁxes a p oint, and from P rop osition 2.6 we see that the probability that the test succeeds is at least 1 / 2. The elements found at lines 5 and 7 ar e constructed using Lemma 3.11, so we can obtain them as SLP s. The element h found at line 1 0 clearly has tr a ce x , a nd it is c o nstructed using Lemma 3.11, s o we o btain it as an SLP . F ro m Lemma 2.8 we kno w that h is co njugate to M ′ ( λ ) and therefore must ﬁx 2 p o ints of O . Hence lines 13 and 14 make sense, and the elements found are constructed using Lemma 3.11 and therefor e w e obtain them as SLP s. 3.1. SUZUKI GROUPS 60 Algorithm 3.2: ElementToSLP ( L, U, g ) 1 Input: Standard generato rs L for G P ∞ and U for G P 0 . Matrix g ∈ h X i = G . 2 Output: An SLP for g in X . rep eat 3 r := Random ( G ) 4 un til g r has an eigenspace Q ∈ O 5 Find z 1 ∈ G P ∞ using L such that Qz 1 = P 0 . 6 // Now ( g r ) z 1 ∈ G P 0 . 7 Find z 2 ∈ G P 0 using U such that ( g r ) z 1 z 2 = M ′ ( λ ) for so me λ ∈ F × q . 8 // Expr ess diag onal matrix a s SLP 9 x := T r( M ′ ( λ )) 10 Find h = [ S (0 , ( x t ) 1 / 4 ) , S (0 , 1) T ] using L ∪ U . 11 // Now T r( h ) = x . 12 Let P 1 , P 2 ∈ O be the ﬁxed p oints o f h . 13 Find a ∈ G P ∞ using L s uch that P 1 a = P 0 . 14 Find b ∈ G P 0 using U such that ( P 2 a ) b = P ∞ . 15 // Now h ab ∈ G P ∞ ∩ G P 0 = H , so h ab ∈  M ′ ( λ ) ± 1  . 16 if h ab = M ′ ( λ ) then 17 Let w b e an SLP for ( h ab z − 1 2 ) z − 1 1 r − 1 . 18 return w else 19 Let w b e an SLP for (( h ab ) − 1 z − 1 2 ) z − 1 1 r − 1 . 20 return w end The o nly elemen ts in H that a r e conjugate to h are M ′ ( λ ) ± 1 , so cle arly h ab m ust b e one of them. Finally , the elemen ts that make up w w ere fo und a s SLP s, a nd it is clear that if w e ev aluate w w e obtain g . Hence the alg o rithm is La s V egas. F r om Lemma 3.11 it follows that lines 5, 7, 10, 13 a nd 14 use O  log( q ) 3  ﬁeld op erations. Finding the ﬁxed p oints of h , a nd per forming the check at line 4 only amounts to considering e ig enspaces, whic h uses O  log q  ﬁeld op erations. Th us the expec ted time complexity of the algor ithm is O  ξ + log q 3  ﬁeld op erations. The S LP s of the s tandard g enerator s ha ve length O  log lo g( q ) 2  . B e c ause o f the row op erations, w will hav e length O  log( q )(log log ( q )) 2  .  3.1.4. Conjugates of the standard cop y. No w we assume that we are given G 6 GL(4 , q ) such tha t G is a conjugate of Sz( q ), and w e turn to the problem of ﬁnding some g ∈ GL(4 , q ) suc h that G g = Sz( q ), th us obtaining an iso morphism to the standard copy . The matr ix degree is co nstant here, so w e set ξ = ξ (4) Lemma 3. 14. Ther e exists a L as V e gas algorithm that, given h X i 6 GL(4 , q ) such that h X i h = Sz( q ) for some h ∈ GL(4 , q ) , ﬁnds a p oint P ∈ O h − 1 = 3.1. SUZUKI GROUPS 61  Qh − 1 | Q ∈ O  . The algorithm has exp e cte d time c omplexity O  ( ξ + log( q ) log log ( q )) lo g log( q )  ﬁeld op er ations. Proof. Clearly O h − 1 is the set on which h X i acts doubly transitively . F o r a matrix M ′ ( λ ) ∈ Sz( q ) w e see that the eigenspaces corr e sp o nding to the eigenv alues λ ± ( t +1) will b e in O . Mo reov er, ev ery element of order div iding q − 1, in every conjugate G of Sz( q ), will ha ve eigenv alues of the form µ ± ( t +1) , µ ± 1 for some µ ∈ F × q , and the eige ns paces corr esp onding to µ ± ( t +1) will lie in the set on which G acts doubly transitively . Hence to ﬁnd a p o int P ∈ O h − 1 it is suﬃcien t to ﬁnd a random g ∈ h X i , of order dividing q − 1. W e compute the pseudo-or der using expected O  log( q ) log log( q )  ﬁeld op era tions, and by Pr op osition 2.6, the exp ected time to ﬁnd the element is O  ( ξ + log( q ) lo g log ( q )) log lo g( q )  ﬁeld o pe r ations. W e then ﬁnd the eigenspaces of g . Clearly this is a La s V ega s alg o rithm with the stated time complexity .  Lemma 3.15. Ther e exists a L as V e gas algorithm that, given h X i 6 GL(4 , q ) such that h X i d = Sz( q ) wher e d = dia g( d 1 , d 2 , d 3 , d 4 ) ∈ GL(4 , q ) , ﬁnds a diago nal matrix e ∈ GL(4 , q ) such that h X i e = Sz( q ) , using exp e cte d O  ( ξ + log ( q ) log log( q )) log log( q ) + | X |  ﬁeld op er ations. Proof. Let G = h X i . Since G d = Sz( q ), G must pr eserve the symplectic form K = dJ d =       0 0 0 d 1 d 4 0 0 d 2 d 3 0 0 d 2 d 3 0 0 d 1 d 4 0 0 0       (3.20) where J is given b y (2.24). Using the MeatAxe, we can ﬁnd this form, which is de- termined up to a scala r multiple. Hence the diago na l matrix e = diag ( e 1 , e 2 , e 3 , e 4 ), that we wan t to ﬁnd, is also determined up to a scalar multiple (and up to multi- plication b y a diagonal matrix in Sz( q )). Since e must take J to K , we m ust hav e K 1 , 4 = d 1 d 4 = e 1 e 4 and K 2 , 4 = d 2 d 3 = e 2 e 3 . Beca use e is deter mined up to a scalar multiple, we can choo se e 4 = 1 and e 1 = K 1 , 4 . Hence it only remains to determine e 2 and e 3 . T o conjugate G in to Sz( q ), w e must hav e P e ∈ O for every P ∈ O d − 1 , which is the set o n which G acts doubly transitively . By Lemma 3.1 4, we ca n ﬁnd P = ( p 1 : p 2 : p 3 : 1 ) ∈ O d − 1 , a nd the condition P e = ( p 1 K 1 , 4 : p 2 e 2 : p 3 e 3 : 1) ∈ O is given by (2.13) and amo unts to p 2 p 3 K 2 , 3 + ( p 2 e 2 ) t + ( p 3 e 3 ) t +2 − p 1 K 1 , 4 = 0 (3.21) which is a poly nomial equation in the t wo v ariables e 2 and e 3 . 3.1. SUZUKI GROUPS 62 Notice that we can co nsider e t 2 to b e the v ariable, instead of e 2 , since if x = e t 2 , then e 2 = √ x t . Similarly , we can let e t +2 3 be the v ariable instead o f e 3 , since if y = e t +2 3 then e 3 = y 1 − t/ 2 . Thus instead of (3.21) we obtain a linear equation p t 2 x + p t +2 3 y = p 1 K 1 , 4 − p 2 p 3 K 2 , 3 (3.22) in the v ariables x, y . Thus the co mplete algorithm for ﬁnding e pro ceeds as follows. (1) Find the form K that is pr eserved by G , using the MeatAxe. (2) Find P ∈ O d − 1 using Lemma 3.14. (3) Let P = ( p 1 : p 2 : p 3 : p 4 ) and ﬁnd Q = ( q 1 : q 2 : q 3 : q 4 ) using Lemma 3 .14 un til the following linear system in the v aria bles x and y is non-singular. p t 2 x + p t +2 3 y = p 1 K 1 , 4 − p 2 p 3 K 2 , 3 q t 2 x + q t +2 3 y = q 1 K 1 , 4 − q 2 q 3 K 2 , 3 (3.23) By Prop os ition 2.1 0, the pro bability of ﬁnding suc h a Q is 1 − O  1 / √ q  . (4) Let ( α, β ) b e a so lutio n to the linear system. The diagonal matrix e = diag( K 1 , 4 , √ α t , β 1 − t/ 2 , 1) now satisﬁes G e = Sz( q ). By Lemma 3.14 and Section 1.2.1 0.1, this is a La s V egas algor ithm that uses ex - pec ted O  ( ξ + log( q ) log log ( q )) lo g log ( q ) + | X |  ﬁeld op erations.  Lemma 3.16 . Ther e exists a L as V e gas algorithm that, given subset s X , Y P and Y Q of GL(4 , q ) such that O 2 ( G P ) < h Y P i 6 G P and O 2 ( G Q ) < h Y Q i 6 G Q , r esp e ctively, wher e h X i = G , G h = Sz( q ) for some h ∈ GL(4 , q ) and P 6 = Q ∈ O h − 1 , ﬁnds k ∈ GL(4 , q ) such that ( G k ) d = Sz( q ) for some diagonal m atrix d ∈ GL(4 , q ) . The algorithm has exp e cte d t ime c omplexity O  | X |  ﬁeld op er ations. Proof. Notice that the natural mo dule V = F 4 q of F H is uniserial with four non-zero submodules, namely V i =  ( v 1 , v 2 , v 3 , v 4 ) ∈ F 4 q | v j = 0 , j > i  for i = 1 , . . . , 4. Hence the same is true for h Y P i and h Y Q i (but the submo dules will b e diﬀerent) since they lie in conjugates of F H . Now the algorithm pro ceeds as follows. (1) Let V = F 4 q be the natural module for h Y P i a nd h Y Q i . Find comp osition series V = V P 4 > V P 3 > V P 2 > V P 1 and V = V Q 4 > V Q 3 > V Q 2 > V Q 1 using the MeatAxe. (2) Let U 1 = V P 1 , U 2 = V P 2 ∩ V Q 3 , U 3 = V P 3 ∩ V Q 2 and U 4 = V Q 1 . F or each i = 1 , . . . , 4 , choos e u i ∈ U i . (3) Now let k be the matr ix suc h that k − 1 has u i as row i , for i = 1 , . . . , 4. W e now mo tiv ate the second step of the algorithm. One can cho ose a basis that exhibits the series  V P i  , in o ther w ords, such that the matr ices acting on the mo dule are low er triangula r with resp ect to this basis. Similarly one can cho ose a basis that exhibits the ser ie s n V Q i o . On the other hand, since P 6 = Q , there exists g ′ ∈ Sz( q ) suc h that P hg ′ = P ∞ and Qhg ′ = P 0 . If w e let z = hg ′ , then h Y P i z and h Y Q i z consist of lo wer a nd upp er 3.1. SUZUKI GROUPS 63 triangular matrices, resp ectively . Thus, the rows of z − 1 form a bas is o f V that exhibits the series  V P i  and the s eries n V Q i o in reversed order. With re s pe c t to this basis, it is clear that dim V P 2 ∩ V Q 3 = 1, dim V P 3 ∩ V Q 2 = 1 and that a ll the U i are distinct. Hence the basis chosen in the alg orithm exhibits the s eries  V P i  , and it exhibits the series n V Q i o in reverse or der. Therefor e the chosen k satisﬁes that h Y P i k is low er triang ular a nd h Y Q i k is upper tria ngular. The former implies that k z − 1 is a lower triangular matrix, and the la tter that it is an upper triangular matrix, and hence it must diag onal. Thu s the matrix k found in the alg orithm satisﬁes z = k d for some diagona l matrix d ∈ GL(4 , q ). Since Sz( q ) = G h = G z = ( G k ) d , the a lgorithm r eturns a correct r esult, a nd it is Las V ega s b ecause the MeatAxe is Las V e g as. Cle a rly the exp ected time complex ity is the same a s the MeatAxe, so the algo rithm uses O  | X |  ﬁeld op erations.  Theorem 3.17. Assume Conje ctu r e 3.4 . Ther e exists a L as V e gas algorithm t hat, given a c onjugate h X i of Sz( q ) , ﬁnds g ∈ GL(4 , q ) s uch that h X i g = Sz( q ) . The algorithm has exp e cte d time c omplexity O  ( ξ + log( q ) log log( q ))(log log ( q )) 2 + | X |  ﬁeld op er ations. Proof. Let G = h X i . By Rema r k 3 .10, w e can use Cor o llary 3 .9 in G , a nd hence we can ﬁnd generator s for a stabilise r of a po int in G , using the alg orithm describ ed in Theor em 3.12. In this cas e we do not need the elemen ts as SLP s, so a discrete log oracle is not neces sary . (1) Find p oints P , Q ∈ O h − 1 using Lemma 3.14. Repeat until P 6 = Q . (2) Find generating sets Y P and Y Q such that O 2 ( G P ) < h Y P i 6 G P and O 2 ( G Q ) < h Y Q i 6 G Q using the ﬁrst three steps of the a lg orithm fr om the pro of of Theorem 3.12. (3) Find k ∈ GL(4 , q ) such that ( G k ) d = Sz( q ) for some diagonal matrix d ∈ GL(4 , q ), using Lemma 3.16. (4) Find a diagonal matrix e using Lemma 3 .15. (5) Now g = k e satisﬁes that G g = Sz( q ). Be Lemma 3.14, 3.16 a nd 3.1 5, a nd the pro of of Theorem 3 .12, this is a La s V eg as algorithm with ex pec ted time complex it y as stated.  3.1.5. T ensor decomp os i tion. Now a ssume that G 6 GL( d, q ) w he r e G ∼ = Sz( q ), d > 4 and q = 2 2 m +1 for some m > 0. Then Aut F q = h ψ i , where ψ is the F r ob enius automorphism. Let W b e the given mo dule of G of dimension d and let V b e the natural mo dule of Sz( q ) of dimension 4. F ro m Section 1.2.7 and Section 2.1.3 w e kno w that W ∼ = V ψ i 0 ⊗ V ψ i 1 ⊗ · · · ⊗ V ψ i n − 1 (3.24) for some integers 0 6 i 0 < i 1 < · · · < i n − 1 6 2 m . In fact, we may assume that i 0 = 0 a nd clear ly d = dim W = (dim V ) n = 4 n . As describ ed in Section 1.2.7, we 3.1. SUZUKI GROUPS 64 now wan t to tensor deco mpo se W to obtain an eﬀective isomorphism fr om W to V . 3.1.5.1. The main algorithm. W e now describ e our main algor ithm that ﬁnds a tensor decomp o sition of W when q is large. It is suﬃcient to ﬁnd a ﬂat in W . F or k = 0 , . . . , n − 1, let H k 6 GL(4 , q ) be the image of the repres ent ation co rresp onding to V ψ i k , and let ρ k : G → H k be an isomorphism. Our goal is then to ﬁnd ρ k eﬀectively for some k . W e b egin with an ov er view of the metho d. O ur approa ch for ﬁnding a ﬂat in W is to consider eigenspa c es of an elemen t of G of o rder dividing q − 1. By Pr op osition 2.6 we know that such elements ar e easy to ﬁnd by ra ndo m s earch. Let g ∈ G where | g | = q − 1, and let t = 2 m +1 . By Prop os ition 2 .4 we know that for k = 0 , . . . , n − 1, ρ k ( g ) ha s four distinct eigenv alues λ ± 1 k and λ ± ( t +1) k for some λ k ∈ F × q . Also, the eigenspac es of ρ k ( g ) hav e dimension 1. O ur metho d for ﬁnding a ﬂat in W is to construct a line as a suitable sum of eigenspaces of g . Let E b e the multiset of eigenv a lues of g , so that | E | = d and every element o f E ha s the form λ j 0 0 λ j 1 1 · · · λ j n − 1 n − 1 (3.25) where each λ k ∈ F × q and each j k ∈ {± 1 , ± ( t + 1) } . A set E ′ ⊆ F × q that satisﬁes • | E ′ | = n • λ k ∈ E ′ or λ − 1 k ∈ E ′ for each k = 0 , . . . , n − 1 is a set o f b ase values for E . Clea r ly E is easily calculated from E ′ . Moreov er λ k = λ 2 i k 0 , and since | g | = q − 1 w e m ust have | λ k | = q − 1 for k = 0 , . . . , n − 1. F or every 0 6 k < l 6 n − 1 we have 0 < 2 i k ± 2 i l < q − 1 a nd therefore λ k 6 = λ ∓ 1 l . First we try to ﬁnd a set of bas e v alues for E . Conjecture 3.1 8. A s sume m > n . L et S = n p e/f : e, f ∈ E | e 6 = f o and P = { x ∈ S | ∀ e ∈ E ∃ y ∈  x, x − 1 , x t +1 , x − t − 1  :  ey x, e y x − 1 , ey x t +1 , ey x − t − 1  ⊆ E } . (3.26) Then the fol lowing hold: • P c ont ains a set of b ase values for E . • If the twists do not have a subse quenc e i r < i r + 1 < i r + 2 , then | P | = 2 n and henc e P c onsists of the b ase values and their inverses. If the t wists ha ve a subsequence of the form in the Co njectur e , or mo re gener ally a subsequence of length l , then Q j i =0 λ r + i ∈ P for every j = 0 , . . . , l − 1 . Hence we need more c o nditions to extract the base v alues. Conjecture 3.19. L et P b e as in L emma 3.1 8 . D eﬁne P ′ ⊆ P t o b e t hose x ∈ P for which ther e exists 0 = α 0 < α 1 < · · · < α n 6 2 m such that x α i ∈ P for every i = 0 , . . . , n . Then | P ′ | = 2 n and henc e P ′ c onsists of the b ase values and t heir inverses. 3.1. SUZUKI GROUPS 65 Let S i denote the sum of eigenspac e s of g corr esp onding to the eigenv alues λ j 0 0 · · · λ i · · · λ j n − 1 n − 1 and λ j 0 0 · · · λ − 1 i · · · λ j n − 1 n − 1 , where each j k ranges o ver {± 1 , ± ( t + 1) } . Lemma 3 .20. If dim S k = 2 · 4 n − 1 for some 0 6 k 6 n − 1 , then S k is a line in W . Proof. F or each i = 0 , . . . , n − 1, let e j i be an eigenv ector of ρ i ( g ) for the eigenv alue λ j i i , where j i ∈ {± 1 , ± ( t + 1) } . Observe that W contains the following subspace. L =  e j 0 ⊗ · · · ⊗ e j n − 1 | j i ∈ {± 1 , ± ( t + 1) } , i 6 = k , j k ∈ {± 1 }  Clearly , L is of the form V ψ i 0 ⊗ · · · ⊗ V ψ i k − 1 ⊗ A ⊗ V ψ i k +1 ⊗ · · · ⊗ V ψ i n − 1 where dim A = 2, so L is a line in W of dimension 2 · 4 n − 1 . If v = e j 0 ⊗ · · · ⊗ e j n − 1 ∈ L , then v g = e j 0 ρ 0 ( g ) ⊗ · · · ⊗ e j n − 1 ρ n − 1 ( g ) = λ j 0 0 e j 0 ⊗ · · · ⊗ λ j n − 1 n − 1 e j n − 1 = = λ j 0 0 · · · λ j n − 1 n − 1 v and hence v ∈ S k . Therefore L 6 S k , s o if dim S k = 2 · 4 n − 1 then L = S k and thu s S k is a line in W .  The success proba bilit y of the algor ithm for ﬁnding a ﬂat relies on the following Conjecture. Conjecture 3. 21. L et d = 4 n with n > 1 b e ﬁx e d. If q = 2 2 m +1 and m > n + 1 , then for every absolutely irr e ducible G 6 GL( d, q ) with G ∼ = Sz( q ) and every g ∈ G with | g | = q − 1 , we have dim S i = 2 · 4 n − 1 for some 0 6 i 6 n − 1 . The algorithm for ﬁnding a ﬂat is s hown as Algor ithm 3 .3 . Theorem 3.2 2. Assu me Conje ctur es 3.18 , 3.19 and 3 .2 1 . Algori thm 3.3 is a L as V e gas algorithm. The algorithm has exp e cte d time c omplexity O  ( ξ ( d ) + d 3 log( q ) lo g log ( q d )) log log ( q )  ﬁeld op er ations. Proof. The exp ected num b er of iter ations in the initial lo op is O  1  . Hence the expected time for the lo o p is O  ξ ( d ) + d 3 log( q ) lo g log ( q d )  ﬁeld oper ations. If | g | = q − 1 then line 7 will succeed, and Conjecture 3.21 asse r ts tha t line 11 will succ e ed for s o me i . If | g | is a pro p e r divisor of q − 1 then these lines might still s ucceed, and the pr obability that | g | = q − 1 is high. By Prop osition 2.6, the exp ected nu mber of iterations of the outer r ep eat statemen t is O  log lo g( q )  . If line 12 is rea ched, then the algorithm returns a correct result and hence it is Las V ega s. T o ﬁnd the eige nv alues of g , we calculate the characteristic p olyno mial of g using O  d 3  ﬁeld op era tions, and ﬁnd its ro ots using Theorem 1.1. By C o njectures 3.1. SUZUKI GROUPS 66 Algorithm 3.3: TensorDecomposeSz ( X ) 1 Input : Generating set X for G ∼ = Sz( q ) with natural mo dule W , where dim W = 4 n , n > 1, q = 2 2 m +1 with m > n and W is abso lutely irreducible and o ver F q . 2 Output : A line S in W . // Find BaseV alues is g iven by Conjectur e s 3.18 a nd 3.19. rep eat // Find random elemen t g of pseudo-order q − 1 rep eat 3 g := Rando m ( G ) 4 un til | g | | q − 1 5 E := Eigenv alues ( g ) 6 N := FindBa seV alues ( E ) 7 un til | N | = n 8 for i := 0 to n − 1 do // Let N = { λ 0 , . . . , λ n − 1 } 9 E i := n λ j 0 0 · · · λ i · · · λ j n − 1 n − 1 | j k ∈ {± 1 , ± ( t + 1) } o ∪ n λ j 0 0 · · · λ − 1 i · · · λ j n − 1 n − 1 | j k ∈ {± 1 , ± ( t + 1) } o 10 S i := P e ∈ E i Eigensp a ce ( g , e ) 11 if dim S i = 2 · 4 n − 1 then 12 return S i end end 3.18 and 3.1 9, the r est of the algo rithm us es O  d 2 n log( q )  ﬁeld op erations. Thus the theorem follows.  3.1.5.2. Smal l ﬁeld appr o ach. When q is sma ll, the feasibility of Algo r ithm 3.3 is not g ua ranteed. In that cas e the approach is to ﬁnd standard gener ators of G using permutation gro up techniques, then enumerate all tensor pro ducts of the for m (3.24) and for ea ch one w e determine if it is isomorphic to W . Since q is po lynomial in d , this will turn o ut to be an eﬃcient algorithm which is given as Algorithm 3.4. It ﬁnds a p ermutation representation o f G ∼ = Sz( q ), which is done using the following r esult. Lemma 3.23. Ther e exists a L as V e gas algorithm that, given h X i 6 GL( d, q ) such that q = 2 2 m +1 with m > 0 and h X i ∼ = Sz( q ) , ﬁnds an eﬀe ctive inje ctive homomorph ism Π : h X i → Sym ( O ) wher e | O | = q 2 + 1 . The algori thm has exp e cte d time c omplexity O  q 2 ( ξ ( d ) + | X | d 2 + d 3 ) + d 4  ﬁeld op er ations. Proof. By The o rem 2.1, Sz( q ) acts doubly transitively on a set of size q 2 + 1. Hence G = h X i a lso acts doubly trans itively on O , where | O | = q 2 + 1, and we can ﬁnd the p ermutation repre s entation of G if we can ﬁnd a p oint P ∈ O . The set O is a set o f pro jectiv e p oints of F d q , a nd the algorithm pro c e eds as fo llows. (1) Cho ose random g ∈ G . Rep eat until | g | | q − 1 . 3.1. SUZUKI GROUPS 67 (2) Cho ose random x ∈ G a nd let h = g x . Rep eat un til [ g , h ] 4 = 1 and [ g , h ] 6 = 1. (3) Find a compo sition series fo r the mo dule M o f h g , h i and let P ⊆ M b e the submo dule of dimension 1 in the ser ies. (4) Find the orbit O = P G and compute the p ermutation gro up S 6 Sym( O ) of G on O , tog ether with an eﬀective iso morphism Π : G → S . By Pr op osition 2.4, e lement s in G of order dividing q − 1 ﬁx tw o p oints of O , and hence h g , h i 6 G P for so me P ∈ O if and only if g and h hav e a commo n ﬁxed po int . All compo sition fac to rs o f M ha ve dimension 1, so a comp os ition ser ies o f M must c o ntain a submo dule P of dimension 1 . This submo dule is a ﬁxed p o int for h g , h i and its orbit m ust have size q 2 + 1, since | G | = q 2 ( q 2 + 1)( q − 1 ) and | G P | = q 2 ( q − 1 ). It follows that P ∈ O . All elements o f G of even order lie in the derived group of a stabiliser of some po int , which is a lso a Sylow 2-subg roup of G , and the exp onent of this subgr oup is 4. Hence [ g , h ] 4 = 1 if and only if h g , h i lie in a stabiliser of some point, if and only if g a nd h have a common ﬁxed po int . T o ﬁnd the o rbit O = P G we can compute a Sc hreier tree on the generators X , with P as ro ot, using O  | X | | O | d 2  ﬁeld op erations. Then Π( g ) can b e co mputed for any g ∈ h X i using O  | O | d 2  ﬁeld op erations, b y co mputing the p ermutation o n O induced by g . Hence Π is eﬀective, a nd its image S is found by co mputing the image of each element of X . Therefore the alg orithm is correc t and it is c le arly Las V eg as. W e ﬁnd g using exp ected O  ( ξ ( d ) + d 3 log( q ) log log( q d )) log log ( q )  ﬁeld op- erations a nd we ﬁnd h using exp ected O  ( ξ ( d ) + d 3 ) q 2  ﬁeld op era tions. Then P is found using the MeatAxe, in exp ected O  d 4  ﬁeld op eratio ns . Th us the re sult follows.  Prop ositi o n 3.2 4. L et G = h X i 6 Sym( O ) su ch that G ∼ = Sz( q ) = H . Ther e exists a L as V e gas algorithm that ﬁnds x, h, z ∈ G as SLP s in X s uch t hat the map x 7→ S (1 , 0 ) h 7→ M ′ ( λ ) z 7→ T (3.27) is an isomorphism. Its t ime c omplexity is O  q 3 log( q ) 5  . The length of the r eturne d SLP s ar e O  q  . Proof. F ollows fro m [ BB 0 7 , Theorem 1].  Theorem 3.25. Assu me Conje cture 3.24 . Algori thm 3.4 is a L as V e gas algorithm with exp e cte d time c omplexity O  q 2 ( ξ ( d ) + | X | d 2 + d 3 log lo g( q ) + q 2 log( q ) 3 ) + d 3 ( | X |  2 m n − 1  + d )  ﬁeld op er ations. 3.1. SUZUKI GROUPS 68 Algorithm 3.4: SmallFieldTensorDecompose ( X ) 1 Input : Generating set X for G ∼ = Sz( q ) with natural mo dule W , where dim W = 4 n , n > 1, q = 2 2 m +1 , m > 0 a nd W is absolutely irreducible and o ver F q 2 Output : A change of basis matrix c which exhibits W as (3.24). // Find per mut ation representation, i.e. p ermutation gr oup and // c o rresp onding isomorphism 3 ( π , P G ) := S uzukiPermRep ( G ) 4 x, h, z := St andardGens ( P G ) 5 Ev alua te the SL P s o f x, h, z o n G to o btain the s e t Y . 6 H := h Y i 7 T := { ( i 1 , . . . , i n ) | 0 6 i 1 < · · · < i n 6 2 m } // L e t V b e the natural mo dule of H 8 for ( i 1 , . . . , i n ) ∈ T do 9 U := V ψ i 1 ⊗ · · · ⊗ V ψ i n // Find isomorphism betw een modules 10 ( ﬂag , c ) := Modul eIsomorphism ( U, W ) 11 if ﬂag = true then 12 return c end end Proof. The p ermutation representation π can b e found using Lemma 3.23, and the elements x, h, z are found using Conjecture 3.2 4. T esting if mo dules are isomorphic can be do ne using the MeatAxe. If the alg orithm returns a n element c then the change of basis deter mined by c exhibits W as a tensor product, so the algo rithm is La s V eg as. The lengths of the SLP s of x, h, z is O  q 2 log lo g( q )  , so w e need O  d 3 q 2 log lo g( q )  ﬁeld o pe r ations to obtain Y . The set T ha s size  2 m n − 1  . Mo dule isomo r phism testing uses O  | X | d 3  ﬁeld ope r ations. Hence b y Conjecture 3 .24 and Theorem 3 .23 the time complexity of the algor ithm is as stated.  3.1.6. Constructiv e recogniti on. Fina lly , we can now state and prove our main theorem. Theorem 3.26. Assume the Su zuki Conje ctu r es and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i 6 GL( d, q ) satisfying the assu mptions in Se ction 1 .2.7 , with q = 2 2 m +1 , m > 0 and h X i ∼ = Sz( q ) , ﬁnds an eﬀe ctive isomorphism ϕ : h X i → Sz( q ) and p erforms pr epr o- c essing for c onstru ctive memb ership testing. The algorithm has exp e cte d time c om- plexity O  ξ ( d )( d 2 + (log log( q )) 2 ) + d 5 log lo g( d ) + d 4 | X | + d 3 log( q ) log lo g( q )(log( d ) + log lo g( q )) + lo g( q )(log log ( q )) 3 + χ D ( q )(log log( q )) 2  ﬁeld op er ations. The inverse of ϕ is also eﬀe ctive. Each image of ϕ c an b e c ompute d using O  d 3  ﬁeld op er ations, and e ach pr e-image u sing ex p e cte d O  ξ ( d ) + lo g( q ) 3 + d 3 log( q )(log log ( q )) 2  3.1. SUZUKI GROUPS 69 ﬁeld op er ations. Proof. Let V b e the mo dule of G = h X i . F r o m Section 2.1.3 we know that d = 4 n where n > 1. The a lgorithm pr o ceeds as follows: (1) If d = 4 then use Theorem 3 .17 to obtain y ∈ GL(4 , q ) s uch tha t G y = Sz( q ), and hence an eﬀective isomorphism ϕ : G → Sz( q ) deﬁned by g 7→ g y . (2) If m > n , use Algor ithm 3 .3 to ﬁnd a ﬂa t L 6 V . Then use the tens o r decomp osition algorithm describ ed in Section 1.2 .10.3 with L , to o btain x ∈ GL( d, q ) such the change of basis determined by x exhibits V as a tensor pro duct U ⊗ W , with dim U = 4. Let G U and G W be the images of the corresp onding representations. (3) If instead m 6 n then use Algo r ithm 3 .4 to ﬁnd x . (4) Deﬁne ρ U : G U ⊗ W → G U as g u ⊗ g w 7→ g u and let Y = { ρ U ( g x ) | g ∈ X } . Then h Y i is conjugate to Sz( q ). (5) Use Theorem 3.17 to get y ∈ GL(4 , q ) such that h Y i y = Sz( q ). (6) An eﬀective isomor phism ϕ : G → Sz( q ) is g iven by g 7→ ρ U ( g x ) y . The map ρ U is straightforward to compute, since given g ∈ GL( d, q ) it only inv o lves dividing g into submatrices of degr ee 4 n − 1 , checking that they are s calar multiples of each o ther and returning the 4 × 4 matrix consisting of these sc alars. Since x might not lie in G , but only in N GL( d,q ) ( G ) ∼ = G : F q , the result of ρ U might not hav e determinant 1. Howev e r , since every element of F q has a unique 4 th ro ot, we can easily scale the matrix to hav e determinant 1. Hence by Theor ems 3.22, 3 .25 and 3.17, the algorithm is Las V ega s and any image of ϕ can b e computed using O  d 3  ﬁeld op erations. In the case wher e we use Algorithm 3.4 we hav e m 6 n , hence  2 m n − 1  < d and q 6 d . The exp ected time complexity to ﬁnd x in this ca se is O  ξ ( d ) d 2 + d 4 ( | X | + d log log( d ))  ﬁeld op erations. By Theor em 3.22, ﬁnding L uses O  ( ξ ( d ) + d 3 log( q ) log log( q d )) log log ( q )  ﬁeld op erations. F rom Section 1.2.1 0.3, ﬁnding x uses O  d 3 log( q )  ﬁeld op erations when a ﬂat L is given. By Theo rem 3.17, ﬁnding y uses expected O  ( ξ + χ D ( q ) + log( q ) log log( q ))(log log( q )) 2 + | Y |  ﬁeld op erations , given a rando m element or- acle for h Y i that ﬁnds a random element using O  ξ  ﬁeld o pe r ations. In this case we can construct ra ndom elemen ts for h Y i using the r andom elemen t ora c le for h X i , and then w e will ﬁnd them in O  ξ ( d )  ﬁeld op erations. Hence the exp ected time complexity is a s stated. Finally , ϕ − 1 ( g ) is computed by ﬁrs t using Algorithm 3 .2 to o btain an S LP of g and then e v aluating it o n X . The necessary precomputations in Theor em 3.1 2 have already be e n made dur ing the application of Theore m 3 .17, and hence it follows fr o m Theorem 3.13 that the time complexity for computing the pre-image of g is as stated.  3.2. SMALL REE GR OUPS 70 3.2. Small Ree groups Here we will use the notation fro m Section 2.2. W e will re fer to Conjectures 3.44, 3 .50, 3 .51, 3.52, 3.57 and 3.60 simultaneously as the smal l R e e Conje ctu r es . W e now g ive an ov er view of the alg orithm for c o nstructive r e c ognition and constructive mem b ership testing. It will be for mally prov ed as Theorem 3.62. (1) Given a group G ∼ = Ree( q ), sa tis fying the assumptions in Sec tion 1.2.7, we know fro m Section 2.2.3 that the mo dule of G is isomorphic to a tensor pro duct of t wisted c opies of either the natura l mo dule of G or its 27- dimensional mo dule. Hence we ﬁrst tensor decomp ose this mo dule. This is describ ed in Section 3.2.5. (2) The resulting group has deg ree 7 or 27 . In the latter cas e we need to decomp ose it in to degree 7. This is describ ed in Sec tion 3.2.6. (3) Now we hav e a group of degree 7, so it is a conjugate of the s tandard copy . W e therefore ﬁnd a conjugating elemen t. This is describe d in Section 3.2.4. (4) Finally we are in Ree( q ). Now we can p erform prepro c e ssing for co ns truc- tive membership testing and o ther pro blems we wan t to solve. This is describ ed in Section 3.2.3. Given a dis crete logarithm oracle, the whole pro cess has time complexity sligh tly worse than O  d 6 + lo g( q ) 3  ﬁeld o pe r ations, ass uming that G is given by a bo unded nu mber of generator s. 3.2.1. Recogniti on. W e now co nsider the question of non-constructive recog- nition o f Ree( q ), so we w ant to ﬁnd an alg orithm that, given h X i 6 GL( d, q ), decides whether or not h X i ∼ = Ree( q ). W e will only consider this problem for the standard copy , i.e. w e will o nly answ er the q uestion whether or not h X i = Ree( q ). Theorem 3.27 . The r e exists a L as V e gas algorithm that, given h X i 6 GL(7 , q ) , de cides whether or n ot h X i = Ree( q ) . The algorithm has exp e cte d time c omplexity O  σ 0 (log( q ))( | X | + log( q ))  ﬁeld op er ations. Proof. Let G = Ree( q ), with natural mo dule M . The algorithm pro c e e ds as follows: (1) Determine if X ⊆ G and return false if not. All the following steps must succeed in order to conclude that a g iven g ∈ X also lies in G . (a) Determine if g ∈ SO(7 , q ), which is true if det g = 1 and if g J g T = J , where J is given by (2.40) and wher e g T denotes the transp ose o f g . (b) Determine if g ∈ G 2 ( q ), which is true if g preser ves the a lgebra multi- plication · of M . The multiplication table ca n e a sily be pr ecomputed using the fact that if v , w ∈ M then v · w = f ( v ⊗ w ), where f is a generator of Hom G ( M ⊗ M , M ) (whic h has dimension 1). (c) Determine if g is a ﬁxed point of the exceptiona l outer automorphism of G 2 ( q ), men tioned in Se c tion 2.2.2. Computing the automorphism 3.2. SMALL REE GR OUPS 71 amounts to extracting a s ubma trix of the exterior sq ua re of g and then replacing each matrix en try x b y x 3 m . (2) If h X i is not a prop er subg roup of G , or equiv alently if h X i is not con- tained in a maximal subgroup, r eturn true . Otherwise r eturn fals e . By Prop ositio n 2.20, it is suﬃcient to determine if h X i cannot b e written ov e r a smaller ﬁeld and if h X i is ir reducible. This can be done using the algorithms describ ed in Sections 1.2.10.1 and 1.2.10.2. Since the matrix degree is constant, the c omplexity of the ﬁrst s tep of the algorithm is O  1  ﬁeld op erations. F o r the same reason, the exp ected time of the algorithms in Sectio ns 1 .2.10.1 and 1.2 .10.2 is O  σ 0 (log( q ))( | X | + log ( q ))  ﬁeld op erations. Hence our recognition algorithm has expected time as s tated, and it is Las V ega s since the Mea tAxe is Las V egas.  3.2.2. Finding an e lement of a stabil iser. Let G = Ree( q ) = h X i . In this section the ma tr ix degre e is co nstant, so we set ξ = ξ (7). The algo rithm for the constructive members hip problem needs to ﬁnd independent ra ndom element s of G P for a given p oint P . This is straig htf orward if, for any pair of p oints P , Q ∈ O , we can ﬁnd g ∈ G as an SLP in X such that P g = Q . The genera l idea is to ﬁnd an inv olution j ∈ G by random search, and then compute C G ( j ) ∼ = h j i × PSL(2 , q ) using the Br ay algorithm des crib ed in Section 1.2.9.2. The given mo dule res tr icted to the centraliser splits up as in Prop osition 2.18, and the p oints P, Q ∈ O restrict to points in the 3-dimensional submo dule. If the restrictions satisfy certa in co nditions, w e can then ﬁnd an element g ∈ C G ( j ) that ma ps these restricted p oints to each other, and we obtain g as an SLP in the generator s of C G ( j ) using Theorem 1.1 2. It turns out that with high pro bability , we can then m ultiply g by an element that ﬁxes the restriction of P so that g also maps P to Q . A discrete logar ithm oracle is needed in that step. Since the Br ay algorithm pro duces g enerators for the centraliser as SLP s in X , we obtain g as a n SLP in X . If any of the steps fail, we can try again with ano ther involution j , so using this method we c an map P to Q for any pair of po ints P , Q ∈ O . It should be noted that it is easy to ﬁnd inv olutions using the method desc r ib ed in Section 1.2.5, since b y Corollar y 2.24 it is easy to ﬁnd elements of even o rder by random search. 3.2.2.1. The involution c entr aliser. T o use the Bray algorithm we need to pro- vide an algorithm that determines if the whole centraliser has been gener ated. Since we know wha t the structure of the centraliser should be, this po s es no problem. If we hav e the whole centraliser, the derived group should be PSL(2 , q ), and by Pr o p o- sition 2.2 7, with hig h proba bilit y it is suﬃcient to co mpute tw o random elemen ts of the derived group. Random element s of the derived group can be found as describ ed in Section 1.2.6. 3.2. SMALL REE GR OUPS 72 W e ca n ther e fore ﬁnd the inv olutio n centraliser C G ( j ) 6 G and C G ( j ) ′ ∼ = PSL(2 , q ). Lemma 3.28 . Ther e exists a L as V e gas algorithm that, given h Y i 6 G such that h Y i = C G ( j ) for some involution j ∈ G , ﬁnds • the s u bmo dule S j 6 V j describ e d in Pr op osition 2.18 , • an eﬀe ctive h Y i -mo dule homomorphi sm ϕ V : V j → S j , • the induc e d map ϕ O : P ( V j ) → P ( S j ) , • the c orr esp onding map ϕ G fr om the 7 -dimensional r epr esentation of C G ( j ) to t he 3 - dimensional r epr esentation. The m aps c an b e c ompute d u sing O  1  ﬁeld op er ations. The algorithm has ex p e cte d time c omplexity O  | Y |  ﬁeld op er ations. Proof. This is a straig ht forward applicatio n o f the Mea tAxe, so the fact that the a lgorithm is Las V egas and has the sta ted time complexity follows from Sec- tion 1.2.10 .1. The ma ps cons ist of a change of bas is follow ed by a pro jection to a subspace, and so the Lemma fo llows.  Lemma 3. 29. Use the notation of L emma 3.28 . Ther e ex ist s a L as V e gas algo- rithm that, given H = h Y i = ϕ G (C G ( j ) ′ ) for an involution j ∈ G , ﬁnds eﬀe ct ive isomorphi sms ρ G : h Y i → PSL(2 , q ) , π 3 : PSL(2 , q ) → h Y i and π 7 : h Y i → C G ( j ) ′ . The map π 3 is the symmetric squar e map of P SL(2 , q ) ; b oth ϕ G ◦ π 7 and π 3 ◦ ρ G ar e the identity on h Y i . The maps ρ G and π 3 c an b e c ompute d using O  1  ﬁeld op er ations and π 7 c an b e c omput e d using O  log( q ) 3  ﬁeld op er ations. The algorithm has exp e cte d time c omplexity O  ( ξ + log( q ) log log ( q )) lo g log( q ) + | Y | + χ D ( q )  ﬁeld op er ations. Proof. By Prop osition 2.1 8, the group h Y i is an irreducible 3 -dimensional copy of PSL(2 , q ), so it must be a conjugate o f the symmetric squar e of the natura l representation. By using a change of basis from the algorithm in Theor em 1 .12, we may assume tha t it is the symmetric square. Moreover, we can use Theorem 1.12 to constructively recognis e h Y i and obtain the map ρ G . W e can also solve the constructive mem ber ship problem in the standard copy , a nd by e v aluating str a ight line progra ms we obtain the maps π 3 and π 7 . It follows from Theorem 1.12 that the expe c ted time co mplexit y is as stated.  3.2.2.2. Finding a mapping element. W e now consider the algor ithm for ﬁnding elements that map one p oint of O to another. The notation from Lemma 3 .2 8 a nd 3.29 will be used. If we let M = h x i ⊕ h y i then we can iden tify P ( S j ) with the spac e of quadr atic forms in x and y mo dulo scalar s , so that S j =  x 2  ⊕ h xy i ⊕  y 2  . Then ϕ G (C G ( j ) ′ ) acts pro jectiv ely o n P ( S j ) and | P ( S j ) | =   P 2 ( F q )   = ( q 3 − 1) / ( q − 1) = q 2 + q + 1. Prop ositi o n 3 .30. Use the notation fr om L emma 3.28 and 3.29 . (1) The n u mb er of p oints in O t hat ar e c ontaine d in K e r( ϕ V ) is q + 1 . 3.2. SMALL REE GR OUPS 73 (2) The map ϕ O r estricte d to O is not inje ctive, and | ϕ O ( O ) | > q 2 . Proof. (1) The map ϕ V is the pro jection ont o S j , so the kernel are tho se vectors that lie in T j . F rom the pr o of of Prop osition 2.18, with resp ect to a suitable basis , T j is the − 1 -eigenspace of h ( − 1). Hence by Prop osition 2.17, |O ∩ P ( T j ) | = q + 1 . (2) Since |O| = q 3 + 1 a nd | P ( S j ) | = q 2 + q + 1, it is clear that the map is not injective. In the a b ov e basis, the map ϕ V is deﬁned by ( p 1 , . . . , p 7 ) 7→ ( p 2 , p 4 , p 6 ). Hence if P ∞ 6 = P ∈ O then ϕ O ( P ) = ( a t : ( ab ) t − c t : − c − ( bc ) t − a 3 t +2 − a t b 2 t ). If a = c = 0 we do not get a p oint in P 2 ( F q ) and if a = 0 and c 6 = 0 we obtain q po in ts. Now let a 6 = 0 and let ( x, y ) ∈ F 2 q such that x 2 + y 6 = 0. Then − x 2 − y is a s quare in F q if and only if ( − x 2 − y ) t is a square, so ( − x 2 − y ) 1 − t is alwa ys a square. Hence, if c = 0, b = x 3 t and a = ( − x 2 − y ) (1 − t ) / 4 , the image of P is (1 : x : y ) ∈ P 2 ( F q ). This gives q 2 − q po ints.  Prop ositi o n 3.3 1. Under the action of H = h Y i = ϕ G (C G ( j ) ′ ) , the set P ( S j ) splits up into 3 orbits. (1) The orbit c ontaining xy , i.e. the non-de gener ate quadr atic forms that r ep- r esent 0 , which has size q ( q + 1 ) / 2 . (2) The orbit c ontaining x 2 + y 2 , i.e. the non-de gener ate quadr atic forms t hat do n ot r epr esent 0 , which has size q ( q − 1 ) / 2 . (3) The orbit c ontaining x 2 (and y 2 ), i.e. the de gener ate quadr atic forms, which has size q + 1 . The pr e- image in SL(2 , q ) of ρ G ( ϕ G (C G ( j ) ′ ) xy ) is dihe dr al of or der 2( q − 1) , gen- er ate d by the matric es " α 0 0 α − 1 # " 0 1 − 1 0 # (3.28) wher e α is a primitive element of F q . Proof. Let g = " a b c d # be a ny elemen t of PSL(2 , q ), so that the symmetric square h = S 2 ( g ) = π 3 ( g ) ∈ ϕ G (C G ( j ) ′ ). Notice tha t h =    a 2 − ab b 2 ac ad + bc b d c 2 − ad d 2    (3.29) Let P = ( xy ) h , Q = ( x 2 ) h and R = ( x 2 + y 2 ) h be p oints in P ( S j ). Then P = ( ac ) x 2 + ( ad + b c ) xy + ( bd ) y 2 , and the e quation P = x 2 implies that b = 0 or d = 0. If b = 0 then d = 0 o r a = 0 whic h is imp ossible since det g = 1. Similarly , we cannot hav e d = 0 , a nd henc e xy and x 2 are not in the sa me orbit. 3.2. SMALL REE GR OUPS 74 Algorithm 3.5: FindMappingElement ( X , C G ( j ) , P , Q ) 1 Input : Generating set X for G = Ree( q ). Poin ts P 6 = Q ∈ O such that b oth ϕ O ( P ) and ϕ O ( Q ) are non-degenera te and represent 0. Inv olution centraliser C G ( j ) with the maps from Lemma 3.28 and 3 .29. 2 Output : An element h ∈ G , written as an SL P in X , s uch that P h = Q . 3 P 3 := ϕ O ( P ) 4 Q 3 := ϕ O ( Q ) 5 if ∃ upp er triang ular g ∈ PSL(2 , q ) such that P 3 π 3 ( g ) = Q 3 then 6 R 3 := ϕ O ( P π 7 ( π 3 ( g ))) 7 // Now R 3 = Q 3 8 Find c ∈ GL(3 , q ) such that ( xy ) c = R 3 9 Let D b e the image in PSL(2 , q ) of the diago nal matr ix in (3 .28) 10 s := π 7 ( π 3 ( D ) c ) 11 // No w h s i 6 ϕ − 1 G ( H R 3 ) 12 δ, z := Diagonalise ( s ) 13 // No w δ = s z 14 if ∃ λ ∈ F × q such that ( P π 7 ( π 3 ( g )) z ) h ( λ ) = Qz then 15 i := DiscreteLog ( δ, h ( λ )) 16 // Now δ i = h ( λ ) 17 return π 7 ( π 3 ( g )) s i end end 18 return f ail Similarly , let Q = a 2 x 2 − ( ab ) xy + b 2 y 2 , and then the equation Q = x 2 + y 2 implies tha t a = 0 or b = 0, which is imp ossible. Hence x 2 and x 2 + y 2 are no t in the same orbit. Finally , let R = ( a 2 + c 2 ) x 2 − ( ab + cd ) xy + ( b 2 + d 2 ) y 2 , and the equation R = xy implies that a 2 + c 2 = 0. Since − 1 is not a squa re in F q , we must have a = c = 0. But this is imp oss ible since det g = 1. Hence x 2 + y 2 and xy a re not in the sa me orbit. T o verify the orbit s iz es, co nsider the stabiliser s of the three points. Clear ly the equa tio n Q = x 2 implies that b = 0 , so the sta biliser of x 2 consists o f the (pro jections of the) lower triangular matrices . There are q − 1 choices for a and q choices for c , so the stabiliser has size q ( q − 1) / 2 mo dulo sca lars, and the index in H is therefore q + 1. Similarly , the equatio n P = xy implies that ac = bd = 0 . If a = d = 0 w e obtain a ma trix of order 2 and if b = c = 0 we obtain a diagonal matrix. It follo ws that the stabiliser is dihedral o f o r der q − 1, and that the pr e-image in SL(2 , q ) is as in (3.28). Finally , in a s imilar way w e obtain that the stabilis er of x 2 + y 2 has or der q + 1, and hence the three o r bits mak e up the whole of P ( S j ).  The algorithm that maps one point to ano ther is g iven as Alg orithm 3.5. 3.2. SMALL REE GR OUPS 75 3.2.2.3. Finding a st abilising element. The complete algorithm for ﬁnding a uniformly random ele ment of G P is then a s follows, given a genera ting set X for G and P ∈ O . (1) Find an in volution j ∈ G . (2) Compute probable generators for C G ( j ) us ing the Bray algorithm, and probable genera tors for C G ( j ) ′ by taking co mmu tators of the generators of C G ( j ). (3) Use the MeatAxe to verify that the mo dule for C G ( j ) ′ splits up only as in Pr op osition 2.18. Use Theorem 1.13 to verify that we hav e the who le of C G ( j ) ′ . Retur n to the previous step if no t. (4) Compute the maps ϕ O and ϕ G using Lemma 3.28. Return to the ﬁrs t step if P lies in the kernel of ϕ V , if ϕ O ( P ) is deg enerate, or if it do es not represent 0. (5) Compute the maps from Lemma 3 .29. (6) T a ke rando m g 1 ∈ C G ( j ) ′ and let Q = P g 1 . Then ϕ O ( Q ) = ϕ O ( P ) ϕ G ( g 1 ), so Q is not in the kernel of ϕ V , and ϕ O ( Q ) is no n-degenera te a nd repre- sents 0. Rep eat until P 6 = Q . (7) Use Algorithm 3.5 to ﬁnd g 2 ∈ C G ( j ) ′ such that Q = P g 2 . Return to the previous step if it fails, and otherwise r e turn g 1 g − 1 2 . 3.2.2.4. Corr e ctness and c omplexity. Lemma 3.32. If P ∈ O is un iformly r andom, such t hat P * Ker( ϕ V ) , then ϕ O ( P ) is non- de gener ate and re pr esents 0 with pr ob ability at le ast 1 / 2 + O  1 /q  . Proof. Since P is uniformly ra ndom and ϕ O was c hosen indep endently of P , it follows that ϕ O ( P ) is unifor mly ra ndom from ϕ O ( O ). F rom the pro of o f Prop ositio n 3.30, with proba bilit y 1 − O  1 /q  , ϕ O ( P ) = x 2 + bxy + cy 2 where (1 : b : c ) is uniformly distributed in P 2 ( F q ) such that b 2 + c 6 = 0. This repr esents 0 if the discriminant b 2 − c is a no n-zero square in F q . This is not the case if b 2 = c , but since b 2 + c 6 = 0, this implies b = c = 0 . If b 2 − c 6 = 0 then it is a square with pr obability 1 / 2 , so Pr[ b 2 − c ∈ ( F × q ) 2 ] = 1 2 (1 − 1 q 2 − q ) and the L emma follows.  Lemma 3.33. If P, Q ∈ ϕ O ( O ) ar e uniformly r andom, such that ϕ O ( P ) and ϕ O ( Q ) r epr esent 0 , then the pr ob ability that ther e exists an element g ∈ P SL(2 , q ) , such that t he pr e-image of g in SL(2 , q ) is upp er triangular and P π 3 ( g ) = Q , is at le ast 1 / 2 + O  1 /q  . Proof. Let P = x 2 + axy + by 2 , Q = x 2 + l xy + n y 2 and g = " u v 0 1 /u # (3.30) 3.2. SMALL REE GR OUPS 76 where (1 : a : b ) and (1 : l : n ) are uniformly distributed in P 2 ( F q ), u, v ∈ F q and u 6 = 0 . W e w ant to determine u, v such that P π 3 ( g ) = Q . Note that g is the pre-image in SL(2 , q ) of an element in PSL(2 , q ) and therefore ± u determine the same elemen t of PSL(2 , q ). The map π 3 is the symmetric square map, so π 3 ( g ) = S 2 ( g ) =    u 2 − uv v 2 0 1 v /u 0 0 1 /u 2    (3.31) This leads to the following equations: u 2 = C (3.3 2) − uv + a = C l (3.33) v 2 + av u − 1 + bu − 2 = C n (3.34) for some C ∈ F × q . W e can solve for u in (3.32) and for v in (3.33), so that (3 .3 4) bec omes C 2 ( n − m 2 ) + a 2 − b = 0 (3.35) This quadra tic equation has a solutio n if the dis criminant − ( n − m 2 )( a 2 − b ) ∈ ( F × q ) 2 . This do es not happ en if n = m 2 or b = a 2 , which each ha ppe ns with probability q / ( q 2 + q + 1). If the dis criminant is no n- zero then it is a squar e with probability 1 / 2. Therefore, the probability that w e can ﬁnd g is Pr[ − ( n − m 2 )( a 2 − b ) ∈ ( F × q ) 2 ] = 1 2 (1 − q q 2 + q + 1 ) 2 This is 1 / 2 + O  1 /q  and the Lemma follo ws.  Theorem 3.34. If Algorithm 3.5 r eturns an element g , t hen P g = Q . If P and Q ar e uniformly ra ndom, such that ϕ O ( P ) and ϕ O ( Q ) r epr esent 0 , then the pr ob ability that Algorithm 3.5 ﬁnds su ch an element is at le ast 1 / 4 + O  1 /q  . Proof. By P rop osition 3.3 1, the po int R 3 is in the same orbit as xy , so the element c at line 8 can easily be found by diagonalis ing the form c o rresp onding to R 3 . Then π 3 ( D ) c ∈ H R 3 is of order ( q − 1 ) / 2. Hence s also has order ( q − 1) / 2, and s ∈ ϕ − 1 G ( H R 3 ). By deﬁnition of Q , there exists h ∈ C G ( j ) ′ such that P h = Q , and if we let R = P π 7 ( g ) then Rπ 7 ( g ) − 1 h = Q and ϕ O ( R ) = R 3 = Q 3 . Hence ϕ G ( π 7 ( g ) − 1 h ) ∈ H Q 3 , and therefore π 7 ( g ) − 1 h ∈ ϕ − 1 G ( H R 3 ). By Pr o p osition 3.31, ϕ − 1 G ( H R 3 ) is dihedra l o f order q − 1 , and s generates a subgroup o f index 2 . Therefo re Pr[ π 7 ( g ) − 1 h ∈ h s i ] = 1 / 2, which is the success probability of line 14. It is straig ht forward to deter mine if λ exists, since h ( λ ) is diagonal. The s uc c ess probability of line 5 is given by Lemma 3.33. Hence the success proba bility of the algorithm is as stated.  3.2. SMALL REE GR OUPS 77 Theorem 3.35. Ass ume an or acle for the discr ete lo garithm pr oblem in F q . The time c omplexity of Algorithm 3.5 is O  log( q ) 3 + χ D ( q )  ﬁeld op er ations. The length of t he r etu rne d SLP is O  log( q ) lo g log ( q )  . Proof. By Lemma 3.33, line 5 inv olves solving a q uadratic equation in F q , and hence uses O  1  ﬁeld op erations. Ev alua ting the maps π 3 and π 7 uses O  log( q ) 3  ﬁeld op er ations, and it is clear that the rest o f the a lg orithm can b e done using O  χ D ( q )  ﬁeld op erations. By Theorem 1.12, the length of the SLP fro m the constr uc tive members hip testing in PSL(2 , q ) is O  log( q ) lo g log ( q )  , which is therefore a lso the leng th of the returned SLP .  Corollary 3.36. Assume an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i 6 GL(7 , q ) such that G = h X i = Ree( q ) and P ∈ O , c omputes a r andom element of G P as an SLP in X . The exp e cte d time c omplexity of the algorithm is O  ξ log log( q ) + log( q ) 3 + χ D ( q )  ﬁeld op er ations. The length of the re turne d SLP is O  log( q ) lo g log ( q )  . Proof. The a lgorithm is given in Section 3.2.2.3. An inv o lution is found by ﬁnding a random element and then use P rop osition 1.4. Hence by Cor ollary 2.24, the exp ected time to ﬁnd an inv o lutio n is O  ξ + log( q ) log log( q )  ﬁeld op erations. As describ ed in Section 1.2.9.2, the Bray a lgorithm will pro duce uniformly random elements of the centraliser. Hence as descr ibe d in Section 1.2 .6, we can also obtain uniformly random elements of its derived g roup. By Prop ositio n 2.27, t wo random elements will genera te PSL(2 , q ) with high proba bilit y . This implies that the exp ected time to obtain pr obable ge ne r ators for PSL(2 , q ) is O  1  ﬁeld op erations. By Prop ositio n 3 .31, the p oint Q is equal to P with pro bability 2 / ( q ( q + 1)) and by Lemma 3.32 the po int P do not represent zer o with probability 1 / 2, so the exp ected time of the p enultimate step is O  1  ﬁeld op erations. Since the p oints P, Q can b e considered uniformly rando m and independent in Algorithm 3.5, the element retur ned by tha t a lgorithm is uniformly rando m. Hence the elemen t returned by the algorithm in Section 3.2.2.3 is unifor mly random. The expe c ted time complex ity of the last step is g iven by Theo r em 3.3 5 and 3.34. It follows by the above and fr om Lemma 3 .28 and 3.2 9 a nd Coro llary 2.23 that the expec ted time complexit y of the a lg orithm in Section 3 .2.2.3 is as stated. The a lgorithm is clea rly La s V egas, since it is straightforward to chec k that the element we compute rea lly ﬁxes the p oint P .  Remark 3. 3 7. The elements r eturned b y the algo rithm in C o rollar y 3.3 6 are not uniformly random fr o m the whole of G P , but fro m G P ∩ C G ( j ). Hence, to obtain generator s for the whole stabiliser, it is necessary to execute the algor ithm at least t wice, with diﬀerent choices of the inv o lution j . 3.2. SMALL REE GR OUPS 78 Remark 3 .38. The algo rithm in Cor o llary 3.36 works in any conjuga te of Ree( q ), since it does no t a ssume that the ma trices lie in the sta nda rd copy . 3.2.3. Constructiv e m em b ershi p testing. W e no w descr ib e the co nstruc- tive mem b e r ship algo r ithm for our standa r d copy Ree( q ). The ma tr ix deg ree is constant here , so we set ξ = ξ (7). Giv en a set of generato rs X , such that G = h X i = Ree( q ), and given an element g ∈ G , we want to express g as an S LP in X . Membership testing is str aightforw ard, using the ﬁrst step fro m the algo rithm in Theorem 3.27, and will not b e cons idered her e. The general structure of the algorithm is the same as the a lgorithm for the same problem in the Suzuki groups. It consists of a prepro cess ing step and a main step. 3.2.3.1. Pr epr o c essing. The prepro ces sing step consists of ﬁnding “ standard generator s” for O 3 ( G P ∞ ) = U ( q ) and O 3 ( G P 0 ). In the ca se of O 3 ( G P ∞ ) the sta n- dard generator s are deﬁned as matrices { S ( a i , x i , y i ) } n i =1 ∪ { S (0 , b i , z i ) } n i =1 ∪ { S (0 , 0 , c i ) } n i =1 (3.36) for some unsp eciﬁed x i , y i , z i ∈ F q , such that { a 1 , . . . , a n } , { b 1 , . . . , b n } , { c 1 , . . . , c n } form v ector space bases of F q ov e r F 3 (so n = lo g 3 q = 2 m + 1). Lemma 3.39. Ther e exist algorithms for the fol lowing r ow r e ductions. (1) Given g = h ( λ ) S ( a, b , c ) ∈ G P ∞ , ﬁnd h ∈ O 3 ( G P ∞ ) expr esse d in the standar d gener ators, such that g h = h ( λ ) . (2) Given g = S ( a, b, c ) h ( λ ) ∈ G P ∞ , ﬁnd h ∈ O 3 ( G P ∞ ) expr esse d in the standar d gener ators, such that hg = h ( λ ) . (3) Given P ∞ 6 = P ∈ O , ﬁ n d g ∈ O 3 ( G P ∞ ) expr esse d in the standar d gener a- tors, such that P g = P 0 . Analo gous algorithms ex ist for G P 0 . If the standar d gener ators ar e expr esse d as SLP s of length O  n  , the elements r eturne d wil l have length O  n log( q )  . The t ime c omplexity of the algorithms is O  log( q ) 3  ﬁeld op er ations. Proof. The a lgorithms are as follows. (1) (a) Solve a linear sy s tem of s ize log( q ) to cons truct the linea r combi- nation − a = − g 2 , 1 /g 2 , 2 = P 2 m +1 i =1 α i a i with α i ∈ F 3 . Let h ′ = Q 2 m +1 i =1 S ( a i , x i , y i ) α i and g ′ = g h ′ , so that g ′ = h ( λ ) S (0 , b ′ , c ′ ) for some b ′ , c ′ ∈ F q . (b) Solve a linear s y stem of size log( q ) to co nstruct the linear combi- nation − b ′ = − g ′ 3 , 1 /g ′ 3 , 3 = P 2 m +1 i =1 β i b i with β i ∈ F 3 . Let h ′′ = Q 2 m +1 i =1 S (0 , b i , y i ) β i and g ′′ = g ′ h ′′ , s o that g ′′ = h ′ ( λ ) S (0 , 0 , c ′′ ) for some c ′′ ∈ F q . (c) Solve a linear s ystem o f size log ( q ) to constr uct the linea r combi- nation − c ′′ = − g ′′ 4 , 1 /g ′′ 4 , 4 = P 2 m +1 i =1 γ i c i with γ i ∈ F 3 . Let h ′′′ = Q 2 m +1 i =1 S (0 , 0 , z i ) γ i and g ′′′ = g ′′ h ′′′ , so that g ′′′ = h ′ ( λ ). (d) Now h = h ′ h ′′ h ′′′ . 3.2. SMALL REE GR OUPS 79 (2) Analogous to the previous c a se. (3) (a) Normalis e P s o that P = (1 : p 1 : · · · : p 6 ). (b) Let α = − p 3 t 1 , β = ( p 1 α + p 2 ) 3 t and γ = (( αβ ) t + p 1 ( α t +1 + β t ) + p 2 α t + p 3 ) 3 t . Then S ( α, β , γ ) maps P to P ∞ . (c) Use the algorithm ab ov e to ﬁnd h ∈ O 3 ( G P ∞ ) such that S ( α, β , γ ) h = 1, and hence ex press S ( α, β , γ ) in the standard generato rs. Clearly the dominating term in the time complexity is the solving o f the linear systems, which requir es O  log( q ) 3  ﬁeld op era tio ns. The elements returned are constructed using O  log( q )  m ultiplications, hence the length of the SLP follows.  Theorem 3.40. Given an or acle for the discr ete lo garithm pr oblem in F q , the pr e- pr o c essing st ep is a L as V e gas algorithm t hat ﬁnds st andar d gener ators for O 3 ( G P ∞ ) and O 3 ( G P 0 ) as SLP s in X of length O  log( q )(log lo g( q )) 2  . It has ex p e cte d time c omplexity O  ( ξ log lo g( q ) + log ( q ) 3 + χ D ( q )) log log ( q )  ﬁeld op er ations. Proof. The pr epro cessing step proce eds as fo llows. (1) Find random elements a 1 ∈ G P ∞ and b 1 ∈ G P 0 using the alg orithm from Corollar y 3.36. Repea t un til a 1 can b e diago nalised to h ( λ ) ∈ G , where λ ∈ F × q and λ do e s not lie in a prop er subﬁeld of F q . Do similarly for b 1 . (2) Find random elements a 2 ∈ G P ∞ and b 2 ∈ G P 0 using the alg orithm from Corollar y 3.36. Let c 1 = [ a 1 , a 2 ], c 2 = [ b 1 , b 2 ]. Rep eat un til | c 1 | = | c 2 | = 9. (3) Let Y ∞ = { c 1 , a 1 } and Y 0 = { c 2 , b 1 } . As standa r d generators for O 3 ( G P ∞ ) we now take U = U 1 ∪ U 2 where U 1 = 2 m +1 [ i =1 n c a i 1 1 , ( c 3 1 ) a i 1 o (3.37) and U 2 = [ 1 6 i i  for i = 1 , . . . , 7. Hence the sa me is true for h Y P i and h Y Q i (but the submo dules will be diﬀer e n t) since they lie in conjugates of U ( q ) H ( q ). Now the algorithm pro ceeds as follows. (1) Let V = F 7 q be the natural module for h Y P i a nd h Y Q i . Find comp osition series V = V P 7 > V P 6 > V P 5 > V P 4 > V P 3 > V P 2 > V P 1 and V = V Q 7 > V Q 6 > V Q 5 > V Q 4 > V Q 3 > V Q 2 > V Q 1 using the MeatAxe. (2) Let U 1 = V P 1 , U 2 = V P 2 ∩ V Q 6 , U 3 = V P 3 ∩ V Q 5 , U 4 = V P 4 ∩ V Q 4 , U 5 = V P 5 ∩ V Q 3 , U 6 = V P 6 ∩ V Q 2 and U 7 = V Q 1 . F or ea ch i = 1 , . . . , 7, choo se u i ∈ U i . (3) Now let k be the matr ix suc h that k − 1 has u i as row i , for i = 1 , . . . , 7. 3.2. SMALL REE GR OUPS 84 The motiv ation for the second step is a nalogous to the pro of of Theo rem 3 .16. Thu s the matrix k found in the a lgorithm sa tisﬁes that z = k d for some dia gonal matrix d ∈ GL(7 , q ). Since Ree( q ) = G h = G z = ( G k ) d , the algorithm returns a correct r esult, a nd it is Las V egas b eca use the MeatAxe is La s V egas. Clea rly it has the same time complexit y as the Mea tAxe.  Theorem 3. 47. Assume Conje ctur e 3 .44 and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given a c onjugate h X i of Ree( q ) , ﬁnds g ∈ GL(7 , q ) such that h X i g = Ree( q ) . The algorithm has ex p e ct e d time c omplexity O  ( ξ log lo g( q ) + log ( q ) 3 + χ D ( q )) log lo g( q ) + | X |  ﬁeld op er ations. Proof. Let G = h X i . By Remark 3.38, we can use Corolla ry 3.36 in G , so w e can ﬁnd genera tors for a stabiliser of a p oint in G , using the a lg orithm describ ed in Theorem 3.40. (1) Find p oints P , Q ∈ O h − 1 using Lemma 3.43. Repeat until P 6 = Q . (2) Find generating sets Y P and Y Q such that O 3 ( G P ) < h Y P i 6 G P and O 3 ( G Q ) < h Y Q i 6 G Q using the ﬁrst tw o steps of the algo rithm from the pro of of Theorem 3.40. (3) Find k ∈ GL(7 , q ) suc h tha t ( G k ) d = Ree( q ) for some diagona l matrix d ∈ GL(7 , q ), using Lemma 3.46. (4) Find a diagonal matrix e using Lemma 3 .45. (5) Now g = k e satisﬁes that G g = Ree( q ). Be Lemma 3.14, 3.46 a nd 3.4 5, a nd the pro of of Theorem 3 .40, this is a La s V eg as algorithm with time complex it y as stated.  3.2.5. T ensor decomp os i tion. Now a ssume that G 6 GL( d, q ) w he r e G ∼ = Ree( q ), d > 7 and q = 3 2 m +1 for some m > 0. Then Aut F q = h ψ i , where ψ is the F rob e nius automor phism. Let W be the given mo dule of G and let V be the natural mo dule of Ree( q ), so that dim W = d a nd dim V = 7. F rom Section 1.2.7 and Section 2.2.3 we kno w that W ∼ = M ψ i 0 ⊗ M ψ i 1 ⊗ · · · ⊗ M ψ i n − 1 (3.45) for so me integers 0 6 i 0 < i 1 < · · · < i n − 1 6 2 m , and wher e M is either V o r the absolutely irreducible 27-dimensio nal submo dule S of the symmetric squa r e S 2 ( V ). In fact, we ma y a ssume tha t i 0 = 0. As des crib ed in Section 1.2.7, w e now wan t to tensor decomp ose W to obtain an eﬀective isomo rphism from W to V or to S . In the latter case we also have to deco mpo se S into V to obtain an isomorphis m betw een W and V . W e cons ider this pro blem in Sectio n 3 .2.6. Prop ositi o n 3.4 8. L et G 6 GL(27 , q ) such that G ∼ = Ree( q ) , let j ∈ G b e an involution and let H = C G ( j ) ′ ∼ = PSL(2 , q ) . Then S | H ∼ = V 6 ⊕ V 9 ⊕ V 12 as an H - mo dule, wher e dim V i = i . Mor e over, V 9 is absolutely irr e ducible, V 12 ∼ = V 4 .V ψ l 4 .V 4 and V 6 ∼ = 1 .V ψ k 4 . 1 , wher e k 6 = l . 3.2. SMALL REE GR OUPS 85 Proof. By P r op osition 2.18, V | H = V 3 ⊕ V 4 and hence V 3 = S 2 ( V 2 ) and V 4 = V 2 ⊗ V ψ n 2 where V 2 is the natural mo dule o f PSL(2 , q ) and n > 0 . 1 ⊕ S | H = S 2 ( V | H ) = S 2 ( S 2 ( V 2 )) ⊕ S 2 ( V 2 ⊗ V ψ n 2 ) ⊕ ( S 2 ( V 2 ) ⊗ V 2 ⊗ V ψ n 2 ) (3.46 ) Now consider S 2 ( V 2 ⊗ V ψ n 2 ) ⊕ ∧ 2 ( V 2 ⊗ V ψ n 2 ) = ( V 2 ⊗ V ψ n 2 ) ⊗ ( V 2 ⊗ V ψ n 2 ) = = ( V 2 ⊗ V 2 ) ⊗ ( V ψ n 2 ⊗ V ψ n 2 ) = ( S 2 ( V 2 ) ⊕ 1) ⊗ ( S 2 ( V ψ n 2 ) ⊕ 1) = = 1 ⊕ S 2 ( V 2 ) ⊕ S 2 ( V ψ n 2 ) ⊕ ( S 2 ( V 2 ) ⊗ S 2 ( V ψ n 2 )) (3.47) The ﬁnal s umma nd ha s dimensio n 9 a nd is absolutely ir reducible beca use it is of the form (3.4 5). Hence ∧ 2 ( V 2 ⊗ V ψ n 2 ) = S 2 ( V 2 ) ⊕ S 2 ( V ψ n 2 ) a nd S 2 ( V 2 ⊗ V ψ n 2 ) = 1 ⊕ V 9 as required. F ur ther more, a dire ct c a lculation shows that S 2 ( S 2 ( V 2 )) has shap e 1 . 1 . 1 ⊕ S 2 ( V 2 ) whe n restricted to F 3 , and ov er F q the S 2 ( V 2 ) must fuse with the middle comp osition factor, o ther wise the mo dule would no t b e self-dual ( S is se lf-dual since G preserves a bilinear form). Similarly , S 2 ( V 2 ) ⊗ V 2 ⊗ V ψ n 2 has shap e 1 . 1 . 1 ⊕ ( S 2 ( V 2 ) . S 2 ( V ψ n 2 ) . S 2 ( V 2 )) ov er F 3 . O ver F q each 1 fuses with a cor resp onding S 2 ( V 2 ) and we obtain the struc tur e of V 12 . This is also prov es that the 4-dimensional factor of V 6 is not isomorphic to any of the factors of V 12 .  Corollary 3. 49. L et G 6 GL(27 , q ) such that G ∼ = Ree( q ) , let j ∈ G b e an involution and let H = C G ( j ) ′ ∼ = PSL(2 , q ) . Then dim Ho m H ( S | H , S | H ) = 5 . Proof. By Pr op osition 3.48, Hom H ( S | H , S | H ) = Ho m H ( V 6 , S | H ) ⊕ Hom H ( V 9 , S | H ) ⊕ Hom H ( V 12 , S | H ) . The middle summand ha s dimension 1, b y Schu r’s Lemma. A homo morphism V 6 → S | H m ust map the 5-dimensional submo dule to itself or to 0. The comp osition fac to r of dimension 1 at the top can either be mapp ed to itself, or to the facto r at the b ottom. Hence dim Ho m H ( V 6 , S | H ) = 2 . Similarly , dim Hom H ( V 12 , S | H ) = 2 since the top factor can either be mapp ed to itself, or to the bottom factor . Thus the result follows.  Given a module W of the form (3 .4 5), w e no w co ns ider the pro blem o f ﬁnding a ﬂat. F or k = 0 , . . . , n − 1, let H k be the image o f the representation corresp onding to M ψ i k , so H k 6 GL(7 , q ) or H k 6 GL(27 , q ), and let ρ k : G → H k be a n isomorphism. Our goal is then to ﬁnd ρ k eﬀectively for some k . F o r λ ∈ F × q denote E λ =  1 , λ ± t , λ ± ( t − 1) , λ ± (2 t − 1)  . W e need the following conjectures. Conjecture 3.50. L et Ree( q ) ∼ = G 6 GL( d, q ) have mo dule W of the form (3 .45) , with dim W = d = 7 n for some n > 1 . 3.2. SMALL REE GR OUPS 86 L et g ∈ G have or der q − 1 and let E b e its m ultiset of eigenvalues. If 2 m > n then ther e exists λ ∈ F × q such that E λ ⊂ E , and t he s u m of t he eigensp ac es of g c orr esp onding to E λ has dimension dim V . Conjecture 3.51. L et Ree( q ) ∼ = G 6 GL( d, q ) have mo dule W of the form (3.45) and dim W = d > 7 . L et j ∈ G b e an involution. If W ha s tensor factors b oth of dimension 7 and 27 , then W | C G ( j ) has unique submo dules W 3 and W 4 of dimensions 3 and 4 , r esp e ctively, such that W 3 + W 4 is a p oint of W of dimension 7 . Conjecture 3.52. L et Ree( q ) ∼ = G 6 GL( d, q ) have mo dule W of the form (3.45) and dim W = 27 n for some n > 1 . L et j ∈ G b e an involution and let H = C G ( j ) ′ . If 2 m > n then dim Hom H ( S ψ i k | H , W | H ) = 5 , for some 0 6 k 6 n − 1 . Theorem 3. 53. Assume Conje ctur e 3.5 0 . Ther e exists a L as V e gas algorithm that, given h X i 6 GL( d, q ) , wher e q = 3 2 m +1 , d = 7 n , n > 1 , 2 m > n and h X i ∼ = Ree( q ) , with mo dule W of the form (3 .4 5) , ﬁnds a p oint of W . The algorithm has exp e cte d time c omplexity O  ( ξ ( d ) + d 3 log( q ) lo g log ( q d )) log log ( q ) + d 4  ﬁeld op er ations. Proof. Let G = h X i . By Corolla r y 2.2 4, we ca n easily ﬁnd g ∈ G such that | g | | q − 1. Our approach is to construct a po int a s a suitable sum of eigenspaces of g . W e know that for k = 0 , . . . , n − 1, ρ k ( g ) has 7 eigenv alues λ ± t k , λ ± ( t − 1) k , λ ± (2 t − 1) k and 1 for so me λ k ∈ F × q . Let E be the multiset of eigenv alues of g . Ea ch eigenv alue has the form λ j 0 0 λ j 1 1 · · · λ j n − 1 n − 1 (3.48) where ea ch λ k ∈ F × q and ea ch j k ∈ {± t, ± ( t − 1) , ± (2 t − 1) , 1 } . W e can easily compute E . Because ea ch λ j k k may be 1, fo r ea ch k = 0 , . . . , n − 1 we hav e E λ k ⊂ E . W e can determine which λ ∈ E can b e one o f the λ k , since if λ = λ k for so me k , then E λ 3 t ⊂ E . Thu s w e ca n obtain a list, with length b etw een n and d , of subsets E λ of E . Now Conjecture 3.50 ass erts that there is some µ ∈ F × q such that E µ ⊂ E , and suc h that the sum of the eig enspaces corresp onding to E µ has dimension 7, and by its construction it must therefore b e a p oint of W . Since µ t ∈ E , the set E µ will be on our list, and w e ca n easily ﬁnd the p oint. The algor ithm is Las V egas, s ince w e can easily calculate the dimensions of the subspaces. The exp ected n um b er of r andom selections for ﬁnding g is O  log lo g( q )  , and we ca n ﬁnd its order using expe cted O  d 3 log( q ) log log( q d )  ﬁeld ope r ations. W e ﬁnd the characteristic p olyno mial using O  d 3  ﬁeld opera tions and then ﬁnd the eigenv alues us ing exp ected O  d (log d ) 2 log lo g( d ) lo g ( dq )  ﬁeld op era tions. Finally we us e the Algorithm fro m Section 1.2 .10.3 to verify that we hav e a p oint, using 3.2. SMALL REE GR OUPS 87 O  d 3 log( q )  ﬁeld op erations. The rest of the algorithm is linear algebra, and hence the expe cted time complexity is as stated.  Theorem 3. 54. Assume Conje ctur e 3.5 1 . Ther e exists a L as V e gas algorithm that, given h X i 6 GL( d, q ) , wher e q = 3 2 m +1 , 7 | d , 2 7 | d and h X i ∼ = Ree( q ) , with mo dule W of the form (3.45) , ﬁnds a p oint of W . The algorithm has exp e cte d time c omplexity O  ξ ( d ) + d 3 log( q )(log lo g( q d ) + log( d ) 2 )  ﬁeld op er ations. Proof. Let G = h X i . Simila rly as in Co rollar y 3.36, we ﬁnd an inv o lution j ∈ G and pro bable genera tors fo r C G ( j ) ′ . W e c a n then use Theorem 1.13 to verify that we hav e got the whole cent raliser . Using the MeatAxe, we ﬁnd the comp ositio n fa c tors o f W | C G ( j ) . F or each pair of factors of dimensions 3 and 4 we co mpute mo dule homomor phisms into W | C G ( j ) and then ﬁnd the sum o f their ima ges. Conjecture 3.51 a s serts that this will pro duce a p oint o f W . W e can ea s ily ca lcu- late the dimensions o f the submo dules and use the tensor decomp ositio n algorithm to v erify that w e do obtain a p oint, so the a lgorithm is Las V egas. The expec ted time complexity fo r ﬁnding j is O  ξ ( d ) + d 3 log( q ) lo g log ( q d )  ﬁeld op era tions. F rom the pro of of Corollary 3.3 6 we see that we can ﬁnd probable generator s for C G ( j ) and verify that we have the who le centraliser using expec ted O  ξ ( d ) + d 3 log( q ) log log( q d )  ﬁeld op era tions, if we let ε = log lo g ( q ) in Theorem 1.13. The MeatAxe use s exp ected O  d 3  ﬁeld op erations in this ca se, s ince the nu mber o f g enerators for the centraliser is consta n t. Then we consider O  log( d ) 2  pairs of submo dules, and for ea ch one w e use the tens o r deco mpo sition algorithm to determine if we hav e a p oint, using O  d 3 log( q )  ﬁeld op era tions. Hence the exp ected time complexity is as stated.  Theorem 3. 55. Assume Conje ctur e 3 .52 and an or acle for the discr ete lo garithm pr oblem. Ther e exists a La s V e gas algorithm that, given h X i 6 GL( d, q ) , wher e q = 3 2 m +1 , d = 27 n , n > 1 , 2 m > n and h X i ∼ = Ree( q ) , with mo dule W of the form (3.45) , ﬁn ds a p oint of W . The algorithm has exp e cte d time c omplexity O  ( ξ ( d ) + d 3 log( q ) log log( q d )) log log ( q ) + log( q ) 3 + d 5 σ 0 ( d ) | X | + dχ D ( q ) + ξ ( d ) d  ﬁeld op er ations. Proof. Let G = h X i . Simila rly as in Co rollar y 3.36, we ﬁnd an inv o lution j ∈ G and pro bable gener ators for H = C G ( j ) ′ ∼ = PSL(2 , q ). W e can then use Theorem 1.13 to verify that w e ha ve got the whole cen traliser . Using the MeatAxe, we ﬁnd the compo sition factors of W | H . Let S 1 be the group cor r esp onding to a no n- trivial comp osition factor . Using Theore m 1 .12 w e constructively re cognise S 1 as PSL(2 , q ) and obtain an eﬀective isomorphism π 1 : PSL(2 , q ) → H . 3.2. SMALL REE GR OUPS 88 Now let R b e the image of the r epresentation corres po nding to S , so R 6 GL(27 , q ). Aga in we ﬁnd an inv olution j ′ ∈ R and probable g e nerators for K = C R ( j ′ ) ′ ∼ = PSL(2 , q ). As ab ove, we chop the module S | K with the Mea tAxe, con- structively recognis e one of its non-trivial factors and o btain an eﬀectiv e isomor- phism π 2 : P SL(2 , q ) → K . Note that b oth π 1 and π 2 hav e eﬀective in verses. Hence we ca n obtain standa rd generator s for H a nd K . F or each i = 0 , . . . , 2 m , do the following: (1) Find M = Hom PSL(2 ,q ) ( S ψ i | K , W | H ) using the s tandard generator s. (2) If dim M = 5, then ﬁnd r andom f ∈ M s uch that dim Ke r f = 0 . Us e the algorithm in Section 1.2.10.3 to determine if U = Im ( f ) is a p o int. F r om Prop os ition 3.48 w e know that S | K has a submo dule o f dimension 1. This implies that that W | H has a submo dule U ′ k = h v 1 i ⊗ · · · ⊗ h v k − 1 i ⊗ S ψ i k ⊗ h v k +1 i ⊗ · · · ⊗ h v n − 1 i ∼ = S ψ i k , for any k = 0 , . . . , n − 1, and some v 1 , . . . , v n − 1 (depending on k ). Mor eov er, Ho m PSL(2 ,q ) ( S ψ i k | K , W | H ) > Hom PSL(2 ,q ) ( S ψ i k | K , U ′ k ), and by Corollar y 3.49, the latter has dimension 5. But by Conjecture 3.52, for some i the former also has dimension 5, a nd hence these vector spa ces are equal. Therefo r e, for some i = i k , the subspace U found in the algorithm m ust be equa l to U ′ k , and hence it is a p oint. The exp ected time complexity for ﬁnding the in volutions is O  ξ ( d ) + d 3 log( q ) log log( q d )  ﬁeld op era tions. F rom the pro of of Corollary 3.3 6 we see that we can ﬁnd probable generator s for C G ( j ) and verify that we have the who le centraliser using expec ted O  ξ ( d ) + d 3 log( q ) lo g log ( q d )  ﬁeld op erations, if we let ε = log log( q ) in Theo- rem 1.1 3. The MeatAxe uses exp ected O  d 3  ﬁeld o p e rations in this case since the nu mber of g enerator s ar e cons ta nt . In the lo op, we requir e O  d 3 log( q )  ﬁeld op er- ations to v erify that U is a point. Hence the expec ted time complexit y follows from Theorem 1.12.  Conjectures 3.50 and 3.5 2 do not apply when 2 m 6 n , so in this case we need another alg orithm. Then q ∈ O  d  so we ar e conten t with an alg orithm that ha s time complexity p olynomial in q . The appr oach is no t to use tensor deco mp os ition, since in this cas e w e hav e no eﬃcie n t metho d of ﬁnding a ﬂat. Instead we ﬁnd standard gener ators of G using p ermutation group techniques, then enumerate all tensor pro ducts o f the form (3.45), a nd for each one w e determine if it is isomor phic to W . Lemma 3.56. Ther e exists a L as V e gas algorithm that, given h X i 6 GL( d, q ) such that q = 3 2 m +1 with m > 0 and h X i ∼ = Ree( q ) , ﬁn ds an eﬀe ctive inje ct ive homomorph ism Π : h X i → Sym ( O ) wher e | O | = q 3 + 1 . The algori thm has exp e cte d time c omplexity O  q 3 ( ξ ( d ) + | X | d 2 + d 3 ) + d 4  ﬁeld op er ations. Proof. By Prop os ition 2.16, Ree( q ) acts do ubly tra nsitively on a set of size q 3 + 1. Hence G = h X i also acts doubly tr ansitively o n O , where | O | = q 3 + 1, and 3.2. SMALL REE GR OUPS 89 we can ﬁnd the p ermutation representation o f G if we can ﬁnd a p o in t P ∈ O . The set O is a set of pro jective points of F d q , a nd the algorithm pro c e eds as fo llows. (1) Cho ose random g ∈ G . Rep eat until | g | | q − 1 . (2) Cho ose random x ∈ G a nd let h = g x . Rep eat un til [ g , h ] 9 = 1 and [ g , h ] 6 = 1. (3) Find a compo sition series fo r the mo dule M o f h g , h i and let P ⊆ M b e the submo dule of dimension 1 in the ser ies. (4) Find the orbit O = P G and compute the p ermutation gro up S 6 Sym( O ) of G on O , tog ether with an eﬀective iso morphism Π : G → S . By Prop osition 2.2 1, elements in G o f order dividing q − 1 ﬁx tw o p oints of O , and hence h g , h i 6 G P for so me P ∈ O if and only if g and h hav e a commo n ﬁxed po int . All compo sition fac to rs o f M ha ve dimension 1, so a comp os ition ser ies o f M must c o ntain a submo dule P of dimension 1 . This submo dule is a ﬁxed p o int for h g , h i , and its orbit must ha ve size q 3 + 1, since | G | = q 3 ( q 3 + 1)( q − 1 ) and | G P | = q 3 ( q − 1 ). It follows that P ∈ O . All elements of G of order a p ow er of 3 lie in the derived g roup of a stabiliser of so me p oint, whic h is also a Sylow 3 -subgroup of G , and the expo nent o f this subgroup is 9. Hence [ g , h ] 9 = 1 if and only if h g , h i lie in a stabilise r o f so me p o int, if and o nly if g and h have a common ﬁxed p oint. T o ﬁnd the o rbit O = P G we c an compute a Sch reier tr ee on the generators in X with P a s ro ot, using O  | X | | O | d 2  ﬁeld op era tions. Then Π( g ) ca n be computed for any g ∈ h X i using O  | O | d 2  ﬁeld op erations, b y co mputing the p ermutation o n O induced by g . Hence Π is eﬀective, a nd its image S is found by co mputing the image of each element of X . Therefore the alg orithm is correc t and it is c le arly Las V eg as. W e ﬁnd g using exp ected O  ( ξ ( d ) + d 3 log( q ) log log( q d )) log log ( q )  ﬁeld op- erations a nd we ﬁnd h using exp ected O  ( ξ ( d ) + d 3 ) q 2  ﬁeld op era tions. Then P is found using the MeatAxe, in exp ected O  d 4  ﬁeld op eratio ns . Th us the re sult follows.  Conjecture 3.57. L et G = h X i 6 Sym( O ) su ch that G ∼ = Ree( q ) = H . Ther e exists a L as V e gas algorithm that ﬁnds x, h, z ∈ G as SLP s in X s uch t hat the map x 7→ S (1 , 0 , 0) (3.49) h 7→ h ( λ ) (3.50) z 7→ Υ (3.51) is an isomorph ism. It s time c omplexity is O  q 5 (log( q )) 4  ﬁeld op er ations. The length of t he r etu rne d SLP s ar e O  q 3 log lo g( q )  . Remark 3.58. There exists a n implementation of the a bove men tio ne d algo rithm, and the Conjecture is then it a lways pro duces a correct result and ha s the stated complexity . 3.2. SMALL REE GR OUPS 90 Theorem 3. 59. Assume Conje ctur e 3.5 7 . Ther e exists a L as V e gas algorithm that, given h X i 6 GL( d, q ) , wher e q = 3 2 m +1 , n > 1 and d = 7 n or d = 27 n and h X i ∼ = Ree( q ) , with mo dule W of the form (3 .45) , ﬁnds a tensor de c omp osition of W . The algorithm has time c omplexity O  q 3 ( ξ ( d ) + | X | d 2 + d 3 log lo g( q ) + q 2 (log( q )) 4 ) + d 3 ( | X |  2 m n − 1  + d )  ﬁeld op er ations. Proof. Let G = h X i . The algor ithm pr o ceeds a s follows: (1) Find permutation r epresentation π : G → G S 6 Sym( q 3 + 1) using Lemma 3.56. (2) Find standar d generator s x, h, z ∈ G using Conjecture 3.57. Ev alua te them on G to obtain a g enerating set Y . (3) Let H = h Y i and let V be the mo dule of H . If 3 | d then replace V with S . (4) Construct each mo dule of dimension d of the form (3.45) using V as base . F o r each one test if it is is o morphic to W , using the MeatAxe. (5) Return the c hange of basis from the succe ssful isomorphism test. The r eturned change of basis ex hibits W as a tensor pro duct, so by Lemma 3.56 the algorithm is La s V egas . The lengths of the SLP s of x, h, z is O  q 3 log lo g( q )  , so w e need O  d 3 q 3 log lo g( q )  ﬁeld ope r ations to obtain Y . T he num be r of mo dules of dimension d o f the form (3.45) using V as bas e is  2 m n − 1  . Mo dule iso morphism testing uses O  | X | d 3  ﬁeld op erations. Hence by Co njecture 3.57 and Lemma 3.56 the time complexity of the algorithm is as stated.  3.2.6. Symmetric square decomp osi tion. The tw o basic irreducible mod- ules of Ree( q ) are the natura l module V of dimension 7, and a n irreducible submo d- ule S of the symmetric square S 2 ( V ). The symmetric s q uare itself is not irreducible, since Ree( q ) preser ves a qua dr atic form, and S 2 ( V ) therefore has a submodule of di- mension 1. The complement of this has dimension 27 and is the irr educible mo dule S . Conjecture 3.60. The ext erior squar e of S has a submo dule isomorphic to a twiste d version of V . Theorem 3. 61. Assume Conje ctur e 3.6 0 . Ther e exists a L as V e gas algorithm that, given h X i 6 GL(27 , q ) with mo dule W such t hat W is isomorphic to a twiste d version of S , ﬁnds an eﬀe ctive isomorphism fr om h X i to Ree( q ) g for some g ∈ GL(7 , q ) . The algorithm has exp e cte d time c omplexity O  | X |  ﬁeld op er ations. Proof. Using Co njectur e 3.6 0, this is just an application o f the MeatAxe. W e co nstruct the exterior squar e ∧ 2 ( W ) of W , whic h has dimension 35 1, a nd ﬁnd a comp osition series of this mo dule using the MeatAxe. B y the Conjecture, the natural mo dule of dimension 7 will be one of the comp os ition factors and the MeatAxe will provide an eﬀective isomor phism to this factor, in the form of a 3.2. SMALL REE GR OUPS 91 change of basis A ∈ GL (2 7 , q ) of W that exhibits the action on the comp osition factors. This induces an isomor phism ϕ : h X i → H , wher e H is conjugate to Ree( q ). F o r g ∈ h X i , ϕ ( g ) is co mputed b y taking a submatrix of g A of degree 7. Clearly ϕ can be computed using O  1  ﬁeld op erations. Since the Mea tAxe is Las V egas and has exp ected time complexity O  | X |  , the result follows.  3.2.7. Constructiv e recogniti on. Fina lly , we can now state and prove our main theorem. Theorem 3.62. Assume the sm al l R e e Conje ctur es, and an or acle for t he dis- cr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i 6 GL( d, q ) satisfying the assumptions in Se ction 1.2 .7 , with q = 3 2 m +1 , m > 0 and h X i ∼ = Ree( q ) , ﬁ nds an eﬀe ctive isomorphism ϕ : h X i → Ree( q ) and p erforms pr epr o c essing for c onstructive memb ership testing. The algorithm has exp e cte d t ime c omplexity O  ξ ( d )( d 3 + (log log ( q )) 2 ) + d 6 log lo g( d ) + d 5 σ 0 ( d ) | X | + d 3 log( q ) log log( q ) log log( q d ) + log( q ) 3 log lo g( q ) + χ D ( q )( d + log log( q ))  ﬁeld op er- ations. Each image of ϕ c an b e c ompute d in O  d 3  ﬁeld op er ations, and e ach pr e-image in ex p e cte d O  ξ ( d ) + log ( q ) 3 + d 3 (log( q ) log log( q )) 2  ﬁeld op er ations. Proof. Let W be the mo dule o f G = h X i . The algorithm pro ceeds as follo ws: (1) If d = 7 then use Theorem 3 .47 to obtain y ∈ GL(7 , q ) s uch tha t G y = Ree( q ), a nd hence an eﬀective is o morphism ϕ : G → Ree( q ) deﬁned b y g 7→ g y . (2) If 3 ∤ d then d = 7 n for s ome n > 1 . If 2 m > n then us e Theor em 3.5 3 to ﬁnd a ﬂat L 6 M . If 3 | d but d is not a pro p e r p ow er o f 2 7 then use Theorem 3.54 to ﬁnd such a n L . Otherwise d = 27 n for some n > 1. If 2 m > n , then use T heo rem 3 .55 to ﬁnd a ﬂat L 6 M . (3) Use the tensor deco mpo sition algorithm describ ed in Section 1.2 .10.3 with L , to obtain x ∈ GL( d, q ) suc h the change o f basis determined by x exhibits W as a tenso r pro duct A ⊗ B , with dim A = 7 or dim A = 2 7. If d = 7 n or d = 27 n and 2 m 6 n then use Theo rem 3.59 to ﬁnd x . Let G A and G B be the imag es of the corresp onding r epresentations. (4) Deﬁne ρ A : G A ⊗ B → G A as g a ⊗ g b 7→ g a and let Y = { ρ A ( g x ) | g ∈ X } . If dim A = 27 then let θ b e the eﬀectiv e isomor phism fro m Theorem 3.61, otherwise let θ b e the identit y map. (5) Let Z = { θ ( x ) | x ∈ Y } . The n h Z i is conjugate to Ree( q ). Use Theor e m 3.47 to obtain y ∈ GL(7 , q ) such that h Z i y = Ree( q ). (6) An eﬀective isomor phism ϕ : G → Ree ( q ) is given by g 7→ θ ( ρ A ( g x )) y . The map ρ A is straightforward to compute, since given g ∈ GL( d, q ) it only inv olves dividing g into submatrices of degr ee d/ 7 or d/ 27, c hecking that they are sc a lar m ultiples of ea ch other and returning the 7 × 7 or 27 × 27 matrix consis ting of these 3.3. BIG REE GR OUP S 92 scalars . Since x migh t not lie in G , but only in N GL( d,q ) ( G ) ∼ = G : F q , the result of ρ A might not have determinan t 1 . How ever, since every element of F q has a unique 7th ro ot, we can easily scale the matrix to have determinant 1. Hence b y Theor em 3.53, Theorem 3.54, Theo rem 3.55, Section 1.2.10.3, Theo rem 3.61 and Theorem 3.47, the algorithm is Las V egas, and ϕ can be computed using O  d 3  ﬁeld op erations. In the case where we use Theor em 3.59 we hav e 2 m 6 n and he nc e q < 3 d . W e see that  2 m n − 1  ≤ n , and the time complexity of the algorithm to ﬁnd x , in Theorem 3.59, simpliﬁes to O  d 3 ( ξ ( d ) + | X | d 2 + d 3 log lo g( d ))  . In the other cases, ﬁnding L uses O  ( ξ ( d ) + d 3 log( q ) log log( q d )) log log ( q ) + d 5 σ 0 ( d ) | X | + dχ D ( q ) + ξ ( d ) d  ﬁeld op er ations. F rom Section 1.2.1 0.3, ﬁnding x uses O  d 3 log( q )  ﬁeld o p e rations when a ﬂat L is given. F r om Theorem 3.61 ﬁnding θ uses O  | Y |  ﬁeld op erations, and from Theor em 3.47, ﬁnding y uses O  ( ξ ( d ) log log( q ) + log( q ) 3 + χ D ( q )) log log ( q ) + | Z |  ﬁeld op era- tions. Hence the exp ected time co mplexity is as stated. Finally , ϕ − 1 ( g ) is computed by ﬁrs t using Algorithm 3 .6 to o btain an S LP of g and then e v aluating it o n X . The necessary precomputations in Theor em 3.4 0 have already be e n made dur ing the application of Theore m 3 .47, and hence it follows fr o m Theorem 3.42 that the time complexity for computing the pre-image of g is as stated.  3.3. Big R ee groups Here we will use the notation fro m Section 2.3. W e will re fer to Conjectures 2.37, 2.38, 2.39, 2.40, 2.4 1, 2 .42, 2.45, 2.46 a nd 3 .64 s im ultaneously as the Big R e e Conje ctur es . With the Big Ree gr oups, we will only deal with the natural repre sentation, the las t case in Section 1.2.7. W e will not attempt a ny tensor deco mpo sition, or decomp osition of the tenso r indec o mpo sables listed in Section 2 .3 .2. This can b e partly justiﬁed b y the fact that at the present time the o nly repr esentation, other than the one of dimensio n 26, that it is within prac tica l limits in the MGRP , is the o ne of dimensio n 24 6 . W e hav e s ome evidence that it is feasible to decompo se this r e pr esentation into the natural r epresentation us ing the technique known as c ondensation , see [ HEO05 , Section 7 . 4 . 5] and [ L W98 ]. The main constructive recog nition theore m is The o rem 3.79. 3.3.1. Recogniti on. W e now co nsider the question of non-constructive recog- nition o f 2 F 4 ( q ), so we wan t to ﬁnd a n a lgorithm tha t, given a set h X i 6 GL (2 6 , q ), decides whether or not h X i = 2 F 4 ( q ). Theorem 3.63. Ther e exists a L as V e gas algorithm that, given h X i 6 GL(26 , q ) , de cides whether or not h X i = 2 F 4 ( q ) . The algorithm has ex p e ct e d time c omplexity O  σ 0 (log( q ))( | X | + log( q ))  ﬁeld op er ations. Proof. Let G = 2 F 4 ( q ), with natural mo dule M . The a lgorithm pr o ceeds as follows: 3.3. BIG REE GR OUP S 93 (1) Determine if X ⊆ G and return false if not. All the following steps must succeed in order to conclude that a g iven g ∈ X also lies in G . (a) Determine if g ∈ O − (26 , q ), which is true if det g = 1 and if g Qg T = Q , where Q is the matrix corresp onding to the q uadratic form Q ∗ and where g T denotes the transp ose o f g . (b) Determine if g ∈ F 4 ( q ), which is true if g preserves the exceptional Jordan algebr a multiplication. This is e asy using the multiplication table given in [ Wil06 ]. (c) Determine if g is a ﬁxe d po int of the automorphism of F 4 ( q ) which deﬁnes 2 F 4 ( q ). By [ Wi l06 ], computing the automorphism amounts to taking a submatrix of the exterior squar e of g a nd then replacing each matrix entry x by x 2 m . (2) If h X i is not a prop er subg roup of G , or equiv alently if h X i is not con- tained in a maximal subgroup, r eturn true . Otherwise r eturn fals e . By Prop ositio n 2.48, it is suﬃcient to determine if h X i cannot be written ov e r a smaller ﬁeld and if h X i is irr e ducible. This can b e done using the Las V eg as algorithms from Sections 1.2.10.1 a nd 1.2.10.2. Since the matrix degree is constant, the c omplexity of the ﬁrst s tep of the algorithm is O  1  ﬁeld op erations. F or the same reaso n, the complexity of the algorithms from Sections 1.2 .10.1 and 1.2.1 0.2 is O  σ 0 (log( q ))( | X | + log( q ))  ﬁeld op erations. Hence the expected time complex ity is as stated.  3.3.2. Finding el ements of even order. In cons tr uctive reco gnition and mem b ership testing o f 2 F 4 ( q ), the essential problem is to ﬁnd elements of even order, as S LP s in the given generato rs. Let G = 2 F 4 ( q ) = h X i . W e b egin with an ov e r view of the metho d. The matrix degree is constant here, so w e set ξ = ξ (26). Cho ose random a ∈ G of order q − 1, by choosing a random ele men t of order ( q − 1 )( q + t + 1) and powering up. By Prop osition 2.3 3 it is easy to ﬁnd such elements, and b y Pr op osition 2.32, we can diago na lise a and obtain c ∈ GL(26 , q ) such that a c = δ = h ( λ, µ ) for some λ, µ ∈ F × q . Now choose r andom b ∈ G . Let B = b c and let A ( u, v ) b e a dia gonal matr ix of the sa me form a s h ( λ, µ ), wher e λ and µ are replaced b y indeterminates u and v , so A ( u, v ) is a matrix ov er the function ﬁeld F q ( u, v ). F o r any r, s ∈ F × q , s uch tha t r t = s , the matrix ( A ( r , s ) B ) c − 1 ∈ h a i b . Hence by Conjecture 2.45 if we can ﬁnd r, s such that r t = s and A ( r, s ) B ha s the eigenv alue 1 with m ultiplicit y 6, then with high pr obability A ( r, s ) B will hav e even or der. Prop ositi o n 3.64. Assu me Conje ctur e 2.47 . F or every b ∈ G \ N G ( h a i ) the 6 lowest c o eﬃcients f 1 , . . . , f 6 ∈ F q [ u, v ] of the char acteristic p olynomial of A ( u, v ) B − I 26 gener ate a zer o-dimensional ide al. Proof. Since b do es not no rmalise h a i , by Conjecture 2.47, there m ust be a bo unded n umber of solutions. Hence the sy stem m ust b e zero-dimensio nal.  3.3. BIG REE GR OUP S 94 Finally we can solve the discrete logar ithm pro blem and ﬁnd an integer k such that δ k = A ( r , s ). Then δ k B has even order, a nd therefore also a k b has even order. Since a and b are ra ndo m, we obtain a n ele men t of ev en order as a n SLP in X . The algorithm for ﬁnding elemen ts of ev en order is g iven formally as Algorithm 3.7. Lemma 3.65 . Assume Conje ctur e 2.4 7 . Ther e exist s a L as V e gas algorithm that, given t he m atric es A ( u, v ) and B , ﬁnds r , s ∈ F × q such that r t = s and A ( r, s ) B has 1 as an eigenvalue of multiplicity at le ast 6 . The algori thm has exp e cte d time c omplexity O  log q  ﬁeld op er ations. Proof. If we can ﬁnd the c haracter istic po lynomial f ( x ) ∈ F q ( u, v )[ x ] of A ( u, v ) B , then the condition we want to imp ose is that 1 should b e a ro ot o f m ultiplicity 6, or equiv alently tha t y 5 should divide g ( y ) = f ( y + 1). Hence we obtain 6 p o lynomial equations in u a nd v of b ounded degree. By Prop ositio n 3.64, we can use Theorem 1.2 to ﬁnd the p os s ible v alues for r and s . Thu s it only remains to ﬁnd f ( x ), whic h has the form f ( x ) = a n x n + · · · + a 1 x + a 0 (3.52) where a i ∈ F q ( u, v ) and 0 6 i 6 n 6 26. Recall that A ( u, v ) is dia gonal of the sa me form as h ( λ, µ ). This implies that in a n echelon form of A ( u, v ) B , the dia g onal has the form A ( u, v ) D for some diagonal ma tr ix D ∈ GL(26 , q ). W e obta in f ( x ) by m ultiplying these dia gonal elemen ts, and since the sum o f the p ositive pow ers of u on the diagonal is 10, and the sum of the po sitive powers of v on the diago nal is 6 , each a i has the form a i = X j c ij u z ij v y ij (3.53) where each c ij ∈ F q , − 10 6 z ij 6 10 and − 6 6 w ij 6 6. Because of these b ounds on the exp onents z ij and w ij , we can ﬁnd the c o eﬃ- cients c ij , and hence the c o eﬃcien ts a i and f ( x ), using interpo lation. E ach c ij is uniquely determined by at most (2 · 10 + 1)(2 · 6 + 1) = 273 v alues of u, v and the corres p o nding v a lue o f a i . Therefore, cho ose 273 ra ndom pairs ( e k , f k ) ∈ F q × F q . F or each pa ir , calculate the characteristic polyno mial of A ( e k , f k ) B , th us obtaining the co r resp onding v alues of the co eﬃcients a i . Fina lly perfor m the interpolatio n by solving n linea r sy s tems with 273 equations and v a riables. It is clear tha t the algorithm is Las V egas, and the domina ting term in the time complexit y is the ro ot ﬁnding o f univ ariate p olynomials of b o unded degree ov e r F q .  Lemma 3 . 66. Assume Conje ctu re s 2.46 and 2.47 . L et a ∈ G b e su ch that | a | = q − 1 and a is c onjugate to some h ( λ, µ ) with λ t = µ ∈ F × q . The pr op ortion of b ∈ G \ N G ( h a i ) , such that h a i b c ont ains an element with 1 as an eigenvalue of multiplicity 6 , is b ounde d b elow by a c onstant c 4 > 0 . 3.3. BIG REE GR OUP S 95 Proof. Giv e n s uch a coset h a i b , fro m the pro of of Lemma 3 .6 5 we see that our algorithm co ns tructs a b ounded num b er d 1 of candidates of elements o f the required type in the c o set. Let c b e the num b er of co sets co ntaining an element of the r equired t ype . B y Conjecture 2.46, the total num ber o f elements of the required t yp e is c 3 | G | . Hence c is minimised if all the c cosets cont ain d 1 such elements, in which case cd 1 = c 3 | G | . Thu s c > c 3 | G | /d 1 and the prop ortio n of co sets is c ( q − 1) / | G | > c 3 ( q − 1) /d 1 , which is b o unded below b y a constant c 4 > 0 since c 3 ∈ O  1 /q  .  Theorem 3.67. As s ume Conje ctur es 2.47 , 2 .4 6 and 2.45 , and an or acle for the discr ete lo garithm pr oblem in F q . Algorithm 3.7 is a L as V e gas algorithm with ex- p e ct e d time c omplexity O  ( ξ + log ( q ) log lo g( q ) + χ D ( q )) log lo g( q )  ﬁeld op er ations. The lengt h of t he r eturne d SLP is O  log lo g( q )  . Proof. By P rop osition 2.32, a is conjuga te to some h ( λ, µ ) and by Pr o p osition 2.33, we can ﬁnd h using exp ected O  ξ log log ( q )  ﬁeld o p e rations. The test at line 15 is easy s ince b either centralises or inv er ts a . F ur thermore, by Lemma 3.66, the test a t line 17 will succeed with high pro ba bilit y and by Conjecture 2.45, the test at line 19 will succeed with high probability . The test at line 21 can only fail if | a | is a prop er divis or of q − 1, which happens with low proba bilit y . Hence by Lemma 3.6 5, the alg o rithm is Las V egas and the time complex ity is as sta ted. Clear ly , the length of the SLP o f the re tur ned element is the same as the length of the S LP of h .  Algorithm 3.7: FindEvenOrderElement ( X ) 1 Input : h X i 6 GL(26 , q ) such that h X i ∼ = 2 F 4 ( q ). 2 Output : An element of h X i of even order, express ed as an SLP in X . 3 // Find ElementInCoset is given by Lemma 3.65 4 rep eat 5 rep eat 6 h := Random ( h X i ) 7 un til | h | | ( q − 1)( q + t + 1) 8 a := h q + t +1 9 δ, c := Diagonalise ( a ) 10 // No w a c = δ = h ( λ, µ ) where λ, µ ∈ F × q and µ = λ t 11 rep eat 12 rep eat 13 r ep eat 14 b := Random ( h X i ) 15 un til b / ∈ N G ( h a i ) 16 ( ﬂag , r, s ) := FindElementInCoset ( b c ) 17 un til ﬂag 18 // Now r t = s and A ( r , s ) b c has 1 a s a 6 -fold eigenv alue 19 un ti l | A ( r , s ) b c | is ev en 20 k := DiscreteLog ( δ 2 , 2 , r ) 21 un til k > 0 22 return a k b 3.3. BIG REE GR OUP S 96 Remark 3. 68. If w e are given g ∈ h X i ∼ = 2 F 4 ( q ), then a trivia l modiﬁca tion of Algorithm 3.7 ﬁnds an e lement of h X i , of even order , of the for m hg fo r s ome h ∈ h X i . If we also have an SLP of g in X , then w e will obtain hg as SL P , otherwise we will only obtain an SLP for h . Prop ositi o n 3.69. Assum e Conje cture 2.45 . With pr ob ability 1 − O  1 /q  , the el- ement r eturne d by Algorithm 3 .7 p owers up to an involution of class 2 A . Proof. F ollows immediately from Conjecture 2.45.  3.3.3. Constructiv e membershi p testi ng. The overall metho d w e use for constructive members hip testing in 2 F 4 ( q ) is the Ryb a algorithm describ ed in Sec- tion 1.2.9.2. Since we know that there are only t wo conjugacy class es of inv olutions in 2 F 4 ( q ), and since w e know the s tr ucture of their centralisers, w e can impro ve upo n the basic Ryba algorithm. When so lving constructive membership testing in the centralisers, instead of applying the Ryba algorithm recurs ively , we ca n do it in a mor e direct wa y using Theore m 1.12 and the algo rithms for constructive mem b ership testing in the Suzuki group, de s crib ed in Section 3.1. Inv olutions of class 2 A ca n b e found using Algorithm 3.7, a nd Conjecture 2.40 give us a metho d for ﬁnding in volutions of class 2 B using r andom search. The Ryba algor ithm needs to ﬁnd inv olutions of bo th classes, since it needs to ﬁnd tw o in volutions whose pro duct has even order . As a prepr o cessing step to Ryba , w e ca n therefor e ﬁnd an inv olutio n of ea ch class and compute their centralisers. In each call to Ryba we then conjugate the inv olutio ns that we ﬁnd to one of these tw o inv olutions, whic h r emov es the neces s it y of computing in volution centralisers at each c all. 3.3.3.1. The involution c en tr alisers. W e use the B r ay algo r ithm to ﬁnd gen- erating sets for the inv olution centralisers. This algorithm is describ ed in Sec tion 1.2.9.2. The following results show how to preco mpute generato rs and how to solve the constructive membership problem for a centraliser of an inv olution of c la ss 2 A , using o ur Suzuki gr oup algo rithms to constructively recognise Sz( q ). Analo gous results hold for the centraliser of an inv olution of class 2 B , using Theor em 1.12 to constructively recog nise SL(2 , q ). Lemma 3.70. Assume Conje cture 2.39 , and use its notation. Ther e ex ists a L as V e gas algorithm that, given h Y i 6 G 6 GL(26 , q ) su ch that G ∼ = 2 F 4 ( q ) , S 6 h Y i 6 C G ( j ) for an involution j ∈ G of class 2 A and S ∼ = Sz( q ) , ﬁnds a c omp osition series for the natur al mo dule M of h Y i such that the c omp osition factors ar e or der e d as 1 , S 4 , 1 , S 4 , 1 , S ψ t 4 , 1 , S 4 , 1 , S 4 , 1 , and ﬁnds the c orr esp onding ﬁltr ation of O 2 ( h Y i ) . The algorithm has time c omplexity O  | Y |  ﬁeld op er ations. Proof. By Prop ositio n 2.39 the comp osition fac tors are a s stated, a nd we just hav e to order them correctly . 3.3. BIG REE GR OUP S 97 (1) Find a c omp osition factor of F 1 of M , suc h that dim F 1 = 1, a nd ﬁnd H 1 = Hom h Y i ( M , F 1 ). By Conjecture 2.39, M has a unique 1-dimensional submo dule, so dim H 1 = 1. (2) Let M 25 = Ker α 1 where h α 1 i = H 1 . The n dim M 25 = 25 . (3) Let M 1 = M ⊥ 25 ∩ M 25 be the ortho gonal co mplemen t under the bilinear form preserved by G , so that dim M 1 = 1. (4) Find a comp ositio n facto r of F 4 of M 25 , suc h tha t dim F 4 = 4 , a nd ﬁnd H 4 = Hom h Y i ( M 25 , F 4 ). By Conjecture 2.39, M 25 has a unique 4- dimensional submo dule, s o dim H 4 = 1 for one o f its 5 comp osition factors of dimension 4. (5) Let M 21 = Ker α 4 where h α 4 i = H 4 . The n dim M 21 = 21 . (6) Let M 5 = M ⊥ 21 ∩ M 21 be the ortho gonal co mplemen t under the bilinear form preserved by G , so that dim M 5 = 5. (7) Now we hav e fo ur prop er submo dules M 1 , M 5 , M 21 , M 25 in the co mpo si- tion series that w e wan t to ﬁnd, and w e can obtain the other s ubmo dules by contin uing in the s ame w ay inside M 21 . The ﬁltra tion is determined by the comp ositio n facto rs, and immediately found. Clearly the time complexity is the same as the MeatAxe, which is O  | Y |  ﬁeld op erations.  Lemma 3.71. Ass u me t he S uzuki Conje ctur es, Conje ctur es 2.37 , 2 .38 , 2.39 and 2.40 , and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a Monte Carlo algorithm with no false p ositives that, given h Y i 6 G 6 GL(26 , q ) su ch that G ∼ = 2 F 4 ( q ) , S 6 h Y i 6 C G ( j ) and Z (C G ( j )) 6 h Y i , wher e j ∈ G is an involution of class 2 A and S ∼ = Sz( q ) : • de cides whether or n ot h Y i = C G ( j ) , • ﬁnds eﬀe ctive homomorp hisms ϕ : h Y i → Sz( q ) and π : Sz( q ) → h Y i , • ﬁnds u ∈ G such t hat | u | | q − 1 , C G ( j ) < h Y , u i and h Y , u i is c ontaine d in a maximal p ar ab olic in G , • ﬁnds h Z i 6 G such that h Z i = O 2 (C G ( j )) , and | Z | ∈ O  log( q )  . The algorithm has exp e cte d t ime c omplexity O  | Y | + log( q ) 3 + ( ξ + χ D ( q ))(log log ( q )) 2  ﬁeld op er ations. Proof. The a lgorithm pr o ceeds as follows: (1) Find a co mpo sition series of the natur al mo dule of h Y i , a s in Lemma 3.7 0. By pro jecting to the middle comp osition fa ctor we o btain an eﬀective surjective homomor phism ϕ 1 : h Y i → S 4 where S 4 6 GL(4 , q ) and S 4 ∼ = Sz( q ). Also o bta in an eﬀective surjective homomorphism ρ : O 2 ( h Y i ) → N , wher e N is the ﬁrst non-zer o blo ck in the ﬁltra tion of O 2 ( h Y i ) ( i.e. N is a v ector space). By Conjecture 2.40, dim N = 4. 3.3. BIG REE GR OUP S 98 (2) Use Theorem 3.2 6 to c onstructively rec o gnise ϕ 1 ( h Y i ) and obtain an ef- fective injective ho momorphism π : Sz( q ) → h Y i , and an eﬀective isomo r - phism ϕ 2 : S 4 → Sz( q ). No w ϕ = ϕ 2 ◦ ϕ 1 . (3) Find random g ∈ h Y i such that | g | = 2 l . By P rop osition 2 .34, the pro- po rtion of such element s is high. Rep ea t unt il g l = j ′ is of class 2 A a nd j ′ 6 = j , whic h b y Conjecture 2.37 ha pp ens with high pr obability . (4) Using the dihedral trick, ﬁnd h ∈ G such that j h = j ′ , | h | | q − 1 and h Y , h i is reducible. By Co njecture 2.38, these elemen ts are easy to ﬁnd. (5) Let u = h (( π ◦ ϕ )( h )) − 1 , so that u commutes with S . Now h C G ( j ) , u i is contained in a maximal parab olic, and C G ( j ) is a prop er subgroup, since u / ∈ C G ( j ), but h Y , u i is reducible and hence a prop e r subgroup o f G . (6) Diagonalise u to o btain ς ( a, b ) for some a, b ∈ F × q . Repeat the t wo prev ious steps (ﬁnd another h ) if a or b lie in a proper subﬁeld of F q . The probabilit y that this happe ns is low, since | h | = q − 1 with high probability . (7) Find random y 1 , . . . , y 4 ∈ h Y i , and let x i = y i (( π ◦ ϕ )( y i )) − 1 for i = 1 , . . . , 4. Then x 1 , . . . , x 4 are random elements of O 2 ( h Y i ). Return fa lse if ρ ( x 1 ) , . . . , ρ ( x 4 ) are no t linea rly independent elemen ts of N , since then with high probability h Y i < C G ( j ). Clea rly , if the elements ar e linear ly independent, then h Y i = C G ( j ) so the algo rithm has no false p ositives. (8) Find random x ∈ h Y i such that | x | = 4 k . By Conjecture 2.3 7, with high probability x 5 = x k ∈ O 2 ( h Y i ) and x 2 5 ∈ Z( h Y i ). Rep eat un til this is tr ue. (9) Finally let Z = 2 m +1 [ i =0 5 [ j =1 n x u i j , ( x 2 j ) u i o Clearly , the dominating term in the running time is T he o rem 3.26 a nd the computation of π , so the expected time complex it y is a s stated.  Lemma 3.7 2. A ssume the Suz u ki Conje ctur es, Conje ct ur es 2 .38 , 2.3 9 and 2.40 and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given G = h X i = 2 F 4 ( q ) and an involution j ∈ h X i of class 2 A , as an S LP in X of length O  n  , • ﬁnds h Y i 6 G such that h Y i = C G ( j ) , • ﬁnds eﬀe ctive inverse isomorph isms ϕ : h Y i → Sz( q ) and π : Sz( q ) → h Y i , • ﬁnds u ∈ G such t hat | u | | q − 1 , C G ( j ) < h Y , u i and h Y , u i is c ontaine d in a maximal p ar ab olic in G , • ﬁnds h Z i 6 G such that h Z i = O 2 (C G ( j )) , and | Z | ∈ O  log( q )  . The elements Y , Z, u ar e found as SLP s in X of length O  n  . The algorithm has exp e cte d time c omplexity O  | Y | + log( q ) 3 + ( ξ + χ D ( q ))(log log( q )) 2  ﬁeld op er ations. Proof. The a lgorithm pr o ceeds as follows: (1) Use the Bray algor ithm to ﬁnd probable generator s Y for C G ( j ). (2) Use the MeatAxe to split up the mo dule of h Y i and verify that it splits up as in Conjecture 2 .39. Use Theorem 3.3 to verify that the g roups acting 3.3. BIG REE GR OUP S 99 on the 4-dimensio nal submo dules ar e Suzuki groups. Return to the ﬁrst step if not. It then follo ws from Prop osition 2.34 that Z(C G ( j )) 6 h Y i . (3) Use Lemma 3.71 to determine if h Y i = C G ( j ). Return to the ﬁrst step if not. Since the algo rithm of Lemma 3 .71 has no fa ls e p ositives, this is Las V eg as. By Pr op osition 2.34, O  1  elements is suﬃcient to gener a te C G ( j ) with high prob- ability , so the exp ected time complexity is a s stated, and the elemen ts o f Y will b e found as SLP s o f the sa me length as j . F r om Lemma 3 .71 we a lso obtain u , Z , ϕ and π as needed. W e see from its pro of that u and Z will be found as SLP s of the s a me length as j .  Lemma 3.73. Ther e exists a L as V e gas algorithm that, given • h Y i , h Z i 6 G = h X i = 2 F 4 ( q ) such t hat h Y i = C G ( j ) and h Z i = O 2 ( h Y i ) wher e j ∈ G is an involution of class 2 A and Y , Z ar e given as SLP s in X of lengt h O  n  , • an eﬀe ctive surje ctive homomorphi sm ϕ : h Y i → Sz( q ) , • an eﬀe ctive inje ctive homomorphi sm π : Sz( q ) → h Y i , • g ∈ GL(26 , q ) , de cides whether or not g ∈ h Y i and if so r eturns an SLP of g in X of length O  n (log( q )(log lo g( q )) 2 + | Z | )  . The algorithm has exp e cte d t ime c omplexity O  ξ + log( q ) 3 + | Z |  ﬁeld op er ations. Proof. Note that ϕ consists of a change of basis followed b y a pro jection to a submatrix, and hence can b e a pplied to any elemen t of GL(2 6 , q ) using O  1  ﬁeld op erations. (1) Use Algorithm 3 .2 to express ϕ ( g ) in the gener ators o f Sz( q ), or r eturn false if ϕ ( g ) / ∈ Sz( q ). Hence we obtain an SLP fo r ( π ◦ ϕ )( g ) in Y , o f length O  log( q )(log lo g( q )) 2  . (2) Now h = g (( π ◦ ϕ )( g )) − 1 ∈ h Z i . Using the elements of Z , we can apply row reduction to h , and hence obtain an SL P for h in Z of length O  | Z |  . Return false if h is no t r educed to the iden tit y matrix using Z . (3) Since Y and Z are SLP s in X , in time O  log( q )(log lo g( q )) 2  we obtain an SLP for g in X , of the speciﬁed leng th. The exp ected time complexity then follows from Theorem 3.13.  W e a re now ready to s tate our modiﬁed Ryba algo rithm, which a ssumes that the precomputations given by the ab ov e r esults ha ve been do ne. Theorem 3.74. Assume Conje cture s 2.40 , 2.45 , 2.46 and 3.64 , and an or acle for the discr ete lo garithm pr oblem in F q . Algorithm 3.8 is a L as V e gas algorithm with exp e cte d time c omplexity O  ( ξ + χ D ( q )) log lo g( q ) + log( q ) 3 + | Z A | + | Z B |  ﬁeld op er ations. The length of t he r eturne d SLP is O  n (log( q )(log log ( q )) 2 + | Z A | + | Z B | )  wher e n is the length of the SL P s for X A , X B , Z A , Z B in X . 3.3. BIG REE GR OUP S 100 Algorithm 3.8: R yba ( X , g , X A , X B ) 1 Input : h X i 6 GL(26 , q ) such that h X i = 2 F 4 ( q ), g ∈ GL(26 , q ). Inv olutio n centralisers h X A i , h X B i 6 h X i for involutions j A , j B ∈ h X i of class 2 A and 2 B , respec tively . Eﬀectiv e surjective homomorphisms ϕ A : h X A i → Sz( q ), ϕ B : h X B i → SL(2 , q ). Eﬀective injective ho momorphisms π A : Sz( q ) → h X A i , π B : SL(2 , q ) → h X B i and Z A ⊆ h X A i , Z B ⊆ h X B i such that h Z A i = O 2 ( h X A i ) and h Z B i = O 2 ( h X B i ). 2 Output : If g ∈ h X i , tr ue and an SLP of g in X , otherwise f alse . // Find EvenOrderElement is given by Remark 3.68 3 Use Theorem 3.63 to deter mine if g ∈ h X i a nd return f alse if not. 4 rep eat 5 h := FindEv enOrderElement ( X , g ) 6 Let w h be the S LP r eturned for h . 7 Let z be a n in volution obtained from h by p ow ering up. 8 un til z is of clas s 2 A . 9 Find random in volution x ∈ h Z A i of class 2 B . 10 Let y b e an inv olution obtained fr o m xz by p ow er ing up. 11 Find c ∈ h X i as S LP in X , suc h that x c = j B . 12 Let w y be a n SLP for y c in X 13 if y is of class 2 A then 14 Find c ∈ h X i a s SLP in X , suc h that y c = j A . L e t Y := X A . else 15 Find c ∈ h X i a s SLP in X , suc h that y c = j B . L e t Y := X B . end 16 Let w z be a n SLP for z c in X . 17 Find c ∈ h X i as S LP in X , suc h that z c = j A . 18 Let w hg be a n SLP for h c in X . 19 Let w g := w − 1 h w hg be a n SLP for g in X . 20 return tr ue , w g Proof. By Theorem 3.67, the length of w h is O  log lo g( q )  . B y Remar k 3.68, h = h 1 g and w h is an SLP for h 1 . Then z is found using P rop osition 1.4, a nd by Pro po sition 3 .69 it is o f class 2 A with high probability . By Prop ositio n 2.3 4, the class can b e determined by computing the Jordan form. By Conjecture 2.4 0, x will hav e cla ss 2 B with high probability , and then xz has even order b y Prop os ition 2.3 4. Aga in we use Prop osition 1.4 to ﬁnd y . Using the dihedral trick, we ﬁnd c . Note tha t c will b e fo und as an SLP o f length O  n  , since we have an SLP for x , and we can a s sume that the SLP for j B has length O  n  . No w h x, z i is dihedr a l with central inv o lution y , so y c ∈ h X B i . Using the SL(2 , q ) version of Lemma 3.73, we ﬁnd w y using O  ξ + log ( q ) 3 + | Z B |  ﬁeld op erations, and w y has length O  n (log( q )(log lo g( q )) 2 + | Z B | )  . The next c is again found using the dihedr al trick, and comes as an SLP of the same leng th as w y . Then z c ∈ h Y i since y is cent ral in h x, z i . Hence w e ag ain use Lemma 3.73 (or its SL(2 , q ) version) to obtain w z , with the same length as w y (or with Z B replaced b y Z A ). 3.3. BIG REE GR OUP S 101 Finally , h clearly centralises z , and w e now hav e an SLP for z , so w e obtain another c as S LP in X , and use Lemma 3.73 to o btain a n SL P for h c . Hence we obtain w gh , which is an SLP for h , a nd ﬁnally an SLP w g for g . Since w h has leng th O  log lo g( q )  , the leng th of w g is as spe ciﬁed. The exp ected time complex it y follo ws from Theorem 3.67, Lemma 3.73 and Prop ositio n 1.4.  3.3.4. Conjugates of the standard copy . W e now consider the s ituation where w e are given h X i 6 GL(26 , q ), suc h that h X i ∼ = 2 F 4 ( q ), so that h X i is a conjugate of 2 F 4 ( q ), and the pr oblem is to ﬁnd g ∈ GL (26 , q ), such that h X i g = 2 F 4 ( q ). Lemma 3.75. Assume Conje ctur es 2.39 , 2.40 and 2.41 . Ther e ex ist s a L as V e gas algorithm that, given • G = h X i 6 GL(26 , q ) such t hat h X i ∼ = 2 F 4 ( q ) , • h Y i 6 h X i such that h Y i = C G ( j ) for some involut ion j ∈ G of class 2 A , • g ∈ h X i such that | g | | q − 1 , h g i ∩ h Y i = h 1 i and P = h Y , g i is c ontaine d in a maximal p ar ab olic in h X i , ﬁnds h Z i 6 h Y , g i su ch that h Z i = C P ( g ) ∼ = Sz( q ) × C q − 1 and h W i 6 h Z i such that h W i ∼ = Sz( q ) . The exp e cte d time c omplexity is O  σ 0 (log( q )) log ( q )  ﬁeld op er ations. If Y and g ar e given as SLP s in X of length O  n  , t hen Z and W wil l b e r eturne d as S LP s in X , also of length O  n  . Proof. By Conjecture 2.39 we hav e h Y i ∼ = [ q 10 ]: Sz( q ). Since h g i ∩ h Y i = h 1 i , it follo ws fro m Pr op osition 2.34 that h g i lies in the cyclic gr oup C q − 1 on to p of P . Then g a cts ﬁxed-p oint freely on O 2 ( P ) and hence C P ( g ) ∼ = Sz( q ) × C q − 1 and C P ( g ) ′ ∼ = Sz( q ). The algorithm pro ceeds as follows: (1) Cho ose rando m a 0 ∈ P and use Corollar y 1.11 to ﬁnd b 1 , such that a 1 = b − 1 1 a 0 centralises g mo dulo Φ(O 2 ( P )). (2) Use Co rollar y 1.11 to ﬁnd b 2 , s uch that c 1 = b − 1 2 a 1 centralises g modulo Φ(Φ(O 2 ( P ))). By Co njectur e 2.40, Φ(Φ(O 2 ( P ))) = h 1 i , so c 1 ∈ C P ( g ). Similarly ﬁnd c 2 ∈ C P ( g ). (3) Now Z = { g , c 1 , c 2 } satisﬁes h Z i 6 C P ( g ), so ﬁnd pr obable generators W for h Z i ′ . Clearly , h Z i = C P ( g ) if and only if h W i ∼ = Sz( q ). Use the MeatAxe to split up the mo dule for h W i a nd verify that it has the s truc- ture given by Conjecture 2.41. Return to the ﬁrst step if not. (4) F ro m the 4- dimens io nal submo dules, we obtain a n image W 4 of W in GL(4 , q ). Use Theorem 3 .3 to determine if h W 4 i ∼ = Sz( q ). Return to the ﬁrst step if not. 3.3. BIG REE GR OUP S 102 By Pr op osition 2.12, tw o random elements genera te Sz( q ) with high pro babil- it y , so the pro bability that h Z i ′ ∼ = Sz( q ) is als o high. Hence by Theorem 3 .3, the exp ected time complexity is as stated.  Lemma 3. 76. Assu me t he S uzuki Conje ctur es, the Big R e e Conje cture s and an or acle for the discr et e lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i 6 GL(26 , q ) such that h X i ∼ = 2 F 4 ( q ) , ﬁnds h Y i 6 h X i and g ∈ h X i such that h Y i ∼ = Sz( q ) and h Y , g i ∼ = Sz( q ) ≀ C 2 . The elements of Y ar e expr esse d as S LP s in X of length O  log lo g( q )  ; g is ex pr esse d as an SL P in X of length O  (log lo g ( q )) 2  . The algorithm has exp e cte d time c omplexity O  | X | + lo g( q ) 3 + ( ξ + χ D ( q ))(log log( q )) 2  ﬁeld op er ations. Proof. The idea is to ﬁrst ﬁnd one co py of Sz( q ) b y ﬁnding a centraliser of an involution o f class 2 A , whic h has structur e [ q 10 ]: Sz( q ), then use the F ormula to ﬁnd the Sz( q ) inside this. Next we ﬁnd a maximal parab olic inside this Sz( q ) and use the dihedral trick and the F ormula to conjuga te it back to our inv o lution centraliser. The conjugating element together with the Sz( q ) will generate a copy of Sz( q ) ≀ C 2 . The algorithm pro ceeds as follows: (1) Use Algor ithm 3.7 to ﬁnd an element o f even or der a nd then use Prop osi- tion 1.4 to ﬁnd an in volution j ∈ h X i . Rep eat until j is of class 2 A , which by Pr op osition 3.69 happ ens with high probability . (2) Use L e mma 3.72 to ﬁnd h C i 6 h X i and y 1 ∈ h X i such tha t h C i = C G ( j ), | y 1 | | q − 1, y 1 / ∈ C G ( j ) and h C, y 1 i is contained in a maxima l parab olic in h X i . (3) Use Lemma 3.75 to ﬁnd h Y i 6 h C , y 1 i suc h that h Y i ∼ = Sz( q ) and h Y i commutes with y 1 . (4) Use the MeatAxe to split up the mo dule o f h Y i . By Conjecture 2.41 we obtain 4-dimensional submodules, and hence a homomor phism ρ : h Y i → GL(4 , q ). (5) Use Theorem 3.1 to ﬁnd a n eﬀective isomorphism ϕ : ρ ( h Y i ) → Sz( q ). (6) Use the ﬁrst steps o f the pro of of Theorem 3.12 to ﬁnd a ′ , y ′ 2 ∈ ρ ( h Y i ), as SLP s in the g enerator s of ρ ( h Y i ), such that | a ′ | = 4, | y ′ 2 | | q − 1 and h a ′ , y ′ 2 i is contained in a max ima l parab olic in ρ ( h Y i ). Ev alua te the SLP s on Y to obtain a, y 2 ∈ h Y i with similar prop erties. (7) Using the dihedral trick, ﬁnd h 1 ∈ h X i suc h that j h 1 = a 2 and let y 3 = y h 1 1 . Since h a, y 2 i is a pro pe r subg r oup of h Y i , it follows that  C G ( a 2 ) , y 2  is a prop er subgr oup of G , and hence it is co nt ained in a maximal par ab olic. Clearly  C G ( a 2 ) , y 3  is also contained in the same maximal par ab olic. W e know from the structure o f h a, y 2 i that y 2 / ∈ C G ( a 2 ), and since y 1 / ∈ C G ( j ), it follows that y 3 / ∈ C G ( a 2 ), so h y 2 i and h y 3 i both lie in a gr oup of shape [ q 10 ] : ( q − 1) and hence are conjugate mo dulo O 2 (C G ( a 2 )). Now we want to conjugate h y 3 i to h y 2 i while ﬁxing a 2 . 3.3. BIG REE GR OUP S 103 (8) Diagonalise y 2 and y 3 to obtain ς ( a 2 , b 2 ) and ς ( a 3 , b 3 ). Use the dis crete logarithm or acle to ﬁnd an integer k ∈ Z s uch that a k 2 = a 3 . If no such k exists, then ﬁnd another pair of a, y 2 , but this can only happ en if | y 2 | is a prop er divisor of q − 1. (9) Notice that y 3 also can dia g onalise to ς ( a − 1 3 , b 3 ), so no w y k 2 ≡ y 3 mo d O 2 (C G ( a 2 )) or y k 2 ≡ y − 1 3 mo d O 2 (C G ( a 2 )). In the latter ca se, in vert y 3 . (10) Use Lemma 1.10 to ﬁnd c 1 ∈  y k 2 , y 3  such that ( y k 2 ) c 1 ≡ y 3 mo d Φ(O 2 (C G ( a 2 ))) and then c 2 ∈  ( y k 2 ) c 1 , y 3  such that ( y k 2 ) c 1 c 2 ≡ y 3 mo d Φ(Φ(O 2 (C G ( a 2 )))) . By Conjecture 2.40, Φ(Φ(O 2 (C G ( a 2 )))) = h 1 i , so h y 2 i c 1 c 2 = h y 3 i . (11) Now h 2 = ( c 1 c 2 ) − 1 ∈ C G ( a 2 ) since by Lemma 1.1 0, bo th c 1 and c 2 cen- tralise a 2 . Clearly , h 2 conjugates h y 3 i to h y 2 i . Hence g = h 1 h 2 conjugates h j, y 1 i to  a 2 , y 2  , and by construction  a 2 , y 2  6 h Y i c o mmu tes with bo th j and y 1 . Since h j, y 1 i is contained in a maximal parab olic of an- other copy of Sz( q ), it follows tha t h Y i commutes with this co py . Th us h Y , g i ∼ = Sz( q ) ≀ C 2 . By Theorem 3.67, the leng th of the SLP for j is O  log lo g( q )  . Then by Lemma 3.72, the SL P s of C and y 1 will also ha ve length O  log lo g( q )  . By Lemma 3 .75, the SLP s for Y will hav e length O  log lo g( q )  . By Theorem 3.12, the SL P s for a and y 2 will hav e length O  log log( q ) 2  , a nd hence h 1 and h 2 will also hav e this length. The exp ected time complexity follows fro m Lemma 3.7 2.  Lemma 3.77 . Assume Conje ctur e 2.4 2 . Ther e exist s a L as V e gas algorithm that, given h X i , h Y i , h Z i 6 GL(26 , q ) su ch that h X i ∼ = 2 F 4 ( q ) = h Y i , h Z i ∼ = Sz( q ) × Sz( q ) and h Z i 6 h X i ∩ h Y i , ﬁnds g ∈ GL(26 , q ) su ch that h X i g = h Y i . The algorithm has exp e cte d time c omplexity O  | X | + | Y | + log( q )  ﬁeld op er ations. Proof. Let M be the mo dule of h Z i . Observe that g must centralise h Z i , so g ∈ C GL(26 ,q ) ( h Z i ) = Aut( M ) ⊆ End h Z i ( M ). By Conjecture 2.4 2, the endomorphism ring of M has dimension 3. T he a lgorithm pro ceeds as follo ws: (1) Use the Me a tAxe to ﬁnd e 1 , e 2 , e 3 ∈ GL(26 , q ) s uch that E nd h Z i ( M ) = ⊕ 3 i =1 h e i i . (2) Let x 1 , x 2 , x 3 be indeter minates and let h ( x 1 , x 2 , x 3 ) = 3 X i =1 x i e i ∈ Mat 26 ( F q [ x 1 , x 2 , x 3 ]) . (3) Use the Mea tAxe to ﬁnd matrices Q X , Q Y corres p o nding to the quadra tic forms preserved by h X i and h Y i . 3.3. BIG REE GR OUP S 104 (4) A necessa ry condition on h ( x 1 , x 2 , x 3 ) for it to conjugate h X i to h Y i is the following equation: h ( x 1 , x 2 , x 3 ) Q X h ( x 1 , x 2 , x 3 ) = Q Y (3.54) which determines 676 quadr a tic equatio ns in x 1 , x 2 , x 3 . (5) Hence we obtain P ⊆ F q [ x 1 , x 2 , x 3 ] whe r e ea ch element of P has degree 2 and | P | 6 676. Every f ∈ P has 7 co eﬃcients, so we obtain an additive group homomorphism ρ : h P i → F 7 q . (6) Now dim ρ ( P ) = 3, so let b 1 , b 2 , b 3 be a ba sis of ρ ( P ) and let f i = ρ − 1 ( b i ) ∈ P for i = 1 , . . . , 3 . (7) By Pro po sition 2.4 3, the v ariety of the ideal I = h f 1 , f 2 , f 3 i E F q [ x 1 , x 2 , x 3 ] has size 2. Find this v ariety using Theorem 1.3. (8) Let h 1 , h 2 be the c orresp o nding elements of E nd h Z i ( M ). Clear ly , one of them must also lie in Aut( M ) and conjuga te h X i to h Y i , since our g exists and s a tisﬁes the necessary co nditions which led to h 1 and h 2 . Use Theorem 3.63 to determine which h i satisﬁes h X i h i = h Y i . Clearly , this is a Las V egas alg o rithm and the expected time complex ity follows from Theorem 1.3.  Theorem 3.78. Assume the Su zuki Conje ctur es, the Big R e e Conje ctur es, and an or acle for the discr et e lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i , h Y i 6 GL(26 , q ) su ch that h X i ∼ = 2 F 4 ( q ) = h Y i , ﬁnds g ∈ GL(26 , q ) such that h X i g = h Y i . The algorithm has exp e cte d time c omplexity O  | X | + log( q ) 3 + ( ξ + χ D ( q ))(log log( q )) 2  ﬁeld op er ations. Proof. The a lgorithm pr o ceeds as follows: (1) Use Lemma 3.76 to ﬁnd S 1 ⊆ h X i and c 1 ∈ h X i such that h S 1 i ∼ = Sz( q ) and h S 1 , c 1 i ∼ = Sz( q ) ≀ C 2 . Let h S 2 i = h S 1 i c 1 so that h S 1 , S 2 i ∼ = Sz( q ) × Sz( q ). (2) Similarly ﬁnd S 3 , S 4 ⊆ h Y i such that h S 3 , S 4 i ∼ = Sz( q ) × Sz( q ). (3) Use the MeatAxe to split up the mo dules of each h S i i . By Prop os ition 2.41, we obtain 4-dimensiona l submo dules, and hence surjective homo- morphisms ρ i : h S i i → GL(4 , q ) for i = 1 , . . . , 4. (4) Use Theorem 3.1 to ﬁnd eﬀective iso morphisms ϕ i : ρ i ( h S i i ) → Sz( q ) for i = 1 , . . . , 4. If S is the standard genera ting s e t for Sz( q ), we then obtain standard gener ating sets R i for h S i i b y obtaining SLP s for S in the generator s of ρ i ( h S i i ) and then ev aluating these on S i . (5) Let M 1 be the mo dule for h R 1 , R 2 i and let M 2 be the mo dule for h R 3 , R 4 i . Now M 1 ∼ = M 2 , and all R i are equal, so we can use the MeatAxe to ﬁnd a change of basis matrix h 1 ∈ GL(26 , q ) betw een M 1 and M 2 . (6) Then h S 1 , S 2 i h 1 = h S 3 , S 4 i and henc e h S 3 , S 4 i 6 h X i h 1 ∩ h Y i . Use Lemma 3.77 to ﬁnd h 2 ∈ GL(26 , q ) such that h X i h 1 h 2 = h Y i . Hence g = h 1 h 2 . Clearly , this is a Las V egas alg o rithm and the expected time complex ity follows from Lemma 3.76.  3.3. BIG REE GR OUP S 105 3.3.5. Constructiv e recogniti on. Fina lly , we can now state and prove our main theorem. Theorem 3.79. As sume the Suzuki Conje ctur es, the Big Re e Conje ctues, and an or acle for the discr et e lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that, given h X i 6 GL(26 , q ) satisfying the assumptions in Se ction 1.2.7 , with q = 2 2 m +1 , m > 0 and h X i ∼ = 2 F 4 ( q ) , ﬁnds an eﬀe ct ive isomorphism ϕ : h X i → 2 F 4 ( q ) . The algorithm has exp e cte d time c omplexity O  ( ξ + χ D ( q ))(log log ( q )) 2 + | X | + log( q ) 3  ﬁeld op er ations. The inverse of ϕ is also eﬀe ctive. Each image and pr e-image of ϕ c an b e c om- pute d using O  1  ﬁeld op er ations. Proof. Use Theo rem 3.78 to obtain c ∈ GL(26 , q ) such tha t h X i c = 2 F 4 ( q ). An a n eﬀective isomor phism ϕ : h X i → 2 F 4 ( q ) is then deﬁned by g 7→ g c , whic h clearly can b e computed in O  1  ﬁeld ope r ations. The expec ted time complex ity follows from Theorem 3.78.  CHAPTER 4 Sylo w subgroup s W e will now describ e a lgorithms for ﬁnding and co njug a ting Sylow s ubgroups of the exceptional gr oups under cons ideration. Hence we consider the following problems: (1) Given h X i 6 GL( d, q ), s uch that h X i ∼ = G for one of our exceptional groups G , and g iven a prime num ber p | | G | , ﬁnd h Y i 6 h X i such that h Y i is a Sylow p -subgro up of h X i . (2) Given h X i 6 GL( d, q ), such tha t h X i ∼ = G for some of our exceptiona l groups G , and given a prime n um b e r p | | G | and h Y i , h Z i 6 h X i such that b o th h Y i and h Z i a r e Sylow p -subgroups of h X i , ﬁnd c ∈ h X i s uch that h Y i c = h Z i . The s econd problem is the diﬃcult one, a nd often there ar e some pr imes that are es p ecia lly diﬃcult. W e will refer to these problems as the “Sylow subgroup prob- lems” for a certain prime p . The ﬁrst pro blem is refer red to as “Sylow genera tion” and the s econd as “Sylow conjugation” . 4.1. Suzuki groups W e now c onsider the Sy low subgroup pr oblems for the Suzuki gr oups. W e will use the notation from Section 2.1, a nd w e will make heavy use of the fact that we can use Theo rem 3.26 to constr uctively recog nise the Suzuki groups . Hence we assume that G sa tisﬁes the assumptions in Section 1.2 .7, so Sz( q ) ∼ = G 6 GL( d, q ). By The o rem 2.1 and P rop osition 2.4, | G | = q 2 ( q 2 + 1)( q − 1 ) and all three factors are pairwis e relatively prime. Hence we obtain three case s for a Sylow p -subgroup S of G . (1) p divides q 2 , so p = 2. Then S is co njugate to F and hence S ﬁxes a unique po int P S of O , which is e asily found using the Me a tAxe. (2) p divides q − 1 . Then S is cyclic a nd co njugate to a subgroup of H . Hence S ﬁxes t w o distinct po int s P , Q ∈ O , and these p oints are easily found using the MeatAxe. (3) p divides q 2 + 1 . Then S is cyclic and conjuga te to a subg r oup of U 1 or U 2 , and S has no ﬁxed p oints. This is the diﬃcult case. Theorem 4. 1. Assume the S u zuki Conje ctur es and an or acle for the discr ete lo g- arithm pr oblem in F q . Ther e exist L as V e gas algorithms that solve the S ylow sub- gr oup pr oblems for p = 2 in Sz( q ) ∼ = G 6 GL( d, q ) . Onc e c onstructive r e c o gn i- tion has b e en p erforme d, the exp e cte d t ime c omplexity of the Sylow gener ation is 106 4.1. SUZUKI GROUPS 107 O  d 3 log( q )(log lo g( q )) 2  ﬁeld op er ations, and O  d 3 ( | Y | + | Z | + log( q )(log log ( q )) 2 ) + log( q ) 3  ﬁeld op er ations for the Sylow c onjugation. Proof. Let H = Sz( q ). Using the eﬀective isomorphism, it is s uﬃcient to solve the problems in the standard co py . The constructive rec o gnition uses Theorem 3.1 2 to ﬁnd sets L and U o f “ s tan- dard generator s” for H P ∞ and H P 0 , r esp ectively . A genera ting set for a ra ndo m Sylow 2-subg roup S of H can therefore b e computed b y taking a random h ∈ H , and as generating set for S ta ke L h . T o obtain a Sylow 2 -subgro up R of G , note that we alrea dy have the O  log( q )  generator s L and h as SL P s of length O  (log lo g ( q )) 2  , so we ca n ev aluate them on X . Hence the exp ected time complexity is as stated. Given t wo Sylow 2-subgroups of G , we use the eﬀective iso morphism to map them to H using O  d 3 ( | Y | + | Z | )  ﬁeld op er ations. W e can use the MeatAxe to ﬁnd the points P Y , P Z ∈ O that are ﬁxed b y the subgroups. Then us e Lemma 3.11 with U to ﬁnd a ∈ H P 0 such that P Y a = P ∞ and b ∈ H P 0 such that P Z b = P ∞ . Then a b − 1 conjugates one Sylow subgro up to the o ther, and we already have this element as an SLP of length O  log( q )(log lo g( q )) 2  . In the case wher e P Y = P ∞ and P Z = P 0 , w e know that T maps P Y to P Z . Then use Algorithm 3 .2 to obtain an SL P for T of length O  log( q )(log lo g( q )) 2  . Hence we can ev aluate it on X and obtain c ∈ G that conjugates h Y i to h Z i . Thu s the ex pec ted time complexity follows from Lemma 3.11 and Theor em 3.13.  Theorem 4. 2. Assume the S u zuki Conje ctur es and an or acle for the discr ete lo g- arithm pr oblem in F q . Ther e exist L as V e gas algorithms that solve the S ylow sub- gr oup pr oblems for p | q − 1 in Sz( q ) ∼ = G 6 GL( d, q ) . Onc e c onst ructive r e c o gni- tion has b e en p erforme d, the exp e cte d t ime c omplexity of the Sylow gener ation is O  ( ξ ( d ) + log( q ) lo g lo g( q ) + d 3 ) log log ( q )  ﬁeld op er ations, and O  d 3 ( | Y | + | Z | + log( q )(log lo g( q )) 2 ) + log( q ) 3  ﬁeld op er ations for the Sylow c onjugation. Proof. Let H = Sz( q ). In this ca s e the Sylow g eneration is ea sy , since w e can determine the highes t power e of p such that p e | q − 1, ﬁnd a r andom element of pseudo-orde r q − 1, use Pr op osition 1.4 to obtain an element of order p e , then ev alu- ate its SL P on X . By Pr op osition 2.6, the expected n um b er of r andom selections, a nd hence the length of the SLP , is O  log lo g q  , and we need O  log( q ) log log( q )  ﬁeld op erations to ﬁnd the order . Then we e v aluate the SLP on X using O  d 3 log lo g( q )  ﬁeld op erations, so the e xp e cted time complexity is as stated. F o r the Sylow co njugation, recall that the co nstructive recog nition uses Theo- rem 3.12 to ﬁnd sets L and U of “standard gener a tors” for H P ∞ and H P 0 , resp ec- tively . Given t wo Sylow p -s ubg roups of G , w e use the eﬀective is omorphism to map them to H using O  d 3 ( | Y | + | Z | )  ﬁeld op er ations. Let H Y , H Z 6 H b e the resulting subgroups. Using the MeatAxe, we can ﬁnd P Y 6 = Q Y ∈ O that are ﬁxed by H Y 4.1. SUZUKI GROUPS 108 and P Z 6 = Q Z ∈ O that ar e ﬁxed by H Z . Or der the p oints so tha t P Y 6 = P 0 and P Z 6 = P 0 . Use Lemma 3 .11 with U to ﬁnd a 1 ∈ H P 0 such that P Y a 1 = P ∞ . Then use L to ﬁnd a 2 ∈ H P ∞ such that Q Y a 1 a 2 = P 0 . Similar ly we ﬁnd b 1 , b 2 ∈ H such that P Z b 1 b 2 = P ∞ and Q Z b 1 b 2 = P 0 . Then a 1 a 2 ( b 1 b 2 ) − 1 conjugates one Sylow subgroup to the other , and w e alr e a dy hav e this element as an SL P of le ng th O  log( q )(log lo g( q )) 2  . Hence we can ev aluate it on X and obtain c ∈ G that co n- jugates h Y i to h Z i . Th us the exp ected time complexity is as stated.  Lemma 4.3. Ther e exists a L as V e gas algorithm that, given g , h ∈ Sz( q ) with | g | = | h | b oth dividing q ± t + 1 , ﬁnds c ∈ h g i such that c is c onjugate to h in Sz( q ) . The ex p e ct e d time c omplexity is O  log q  ﬁeld op er ations. Proof. The a lgorithm pr o ceeds as follows: (1) Find the minimal p olyno mia l f 1 of g . By Theo rem 2.1 , g ac ts irre ducibly on F 4 q , so f 1 is irreducible. Let F = F q [ x ] / h f 1 i , so that F is the splitting ﬁeld of f 1 . Clearly F ∼ = F q 4 and F × = h α i where α is a ro ot of f 1 . Moreov er, x 7→ g deﬁnes a n isomorphism F → F q ( h g i ), wher e the latter is the subﬁeld of Ma t 4 ( F q ) generated by g . (2) Find the minimal p olynomia l f 2 of h . Then F is also the s plitting ﬁeld of f 2 , and if β ∈ F is a ro ot o f f 2 , then β is expres sed as a p olyno mial f 3 in α , with co eﬃcients in F q . Simila r ly , x 7→ h deﬁnes a n is o morphism F → F q ( h h i ). (3) Now f 3 deﬁnes an isomor phis m F q ( h h i ) → F q ( h g i ) as h 7→ f 3 ( g ), b ecause h and f 3 ( g ) hav e the same minimal p olynomial. Hence if we let c = f 3 ( g ), then c has the s ame eigenv alues as h , so c and h a re conjugate in GL(4 , q ). Then | c | = | h | and T r( c ) = T r( h ), so b y Pr op osition 2.8, c is also conjugate to h in Sz ( q ). Moreover, bo th h g i and h c i are subg roups of F q ( h g i ) × , but since | c | = | h | = | g | , they must b e the same. Thus c ∈ h g i . By [ Gie95 ], the minimal po lynomial is found using O  1  ﬁeld op er ations. Hence by Theorem 1.1, the exp e c ted time complexit y is a s stated.  The conjuga tion algor ithm describ ed in the following result is essentially due to Mark Stather a nd Scott Murray . Theorem 4. 4. Assume the S u zuki Conje ctur es and an or acle for the discr ete lo g- arithm pr oblem in F q . Ther e exist L as V e gas algorithms that solve the S ylow sub- gr oup pr oblems for p | q 2 + 1 in Sz( q ) ∼ = G 6 GL( d, q ) . Onc e c onstru ct ive r e c o g- nition has b e en p erforme d, the exp e cte d time c omplexity of the Sylow gener ation is O  ( ξ ( d ) + log( q ) log log( q ) + d 3 ) log log( q )  ﬁeld op er ations, and O  ξ ( d ) + d 3 ( | Y | + | Z | + log( q )(log lo g( q )) 2 ) + log( q ) 3  ﬁeld op er ations for the Sylow c onjugation. 4.1. SUZUKI GROUPS 109 Proof. Let H = Sz( q ). The Sylow g eneration is analogo us to the cas e in Theorem 4.2, since b y Pr op osition 2.6 , we can easily ﬁnd elements of pse udo-order q ± t + 1. Given t wo Sylow p -s ubg roups of G , w e use the eﬀective is omorphism to map them to H , using O  d 3 ( | Y | + | Z | )  ﬁeld op erations. The resulting genera ting sets m ust cont ain ele men ts h y , h z ∈ H of order p , since the Sylow subgro ups are cyclic. Let J be as in (2.24), s o that H preser ves the symplectic form J , and let Ψ b e as in Section 2.1.2: the automorphism o f Sp(4 , q ) whose set of ﬁxed po int s is Sz( q ). (1) Use Lemma 4.3 to r eplace h y . Henceforth assume that h y and h z are conjugate in H . (2) Find g 1 ∈ GL(4 , q ) such that h g 1 y = h z . This can be done b y a similar ity test, o r co mputation of J ordan for ms , using [ Ste97 ]. The next step is to ﬁnd a matrix g 2 such that g 2 g 1 ∈ Sp(4 , q ), and g 2 g 1 also conjuga tes h y to h z . (3) Let A = C GL(4 ,q ) ( h y ) (the automo rphism g r oup of the mo dule of h h y i ). Since h h y i is irreducible, by Sch ur’s Lemma A ∼ = F × q 4 . Such an is o morphism θ : A → F q 4 , and its in verse, can be found using the MeatAxe. (4) Now deﬁne an automor phism ϕ of A a s ϕ ( a ) = J a T J − 1 . Then ϕ has order 2 a nd A ∼ = F × q 4 . Recall that F q 4 has a uniq ue automorphism of order 2 ( k 7→ k q 2 ), whic h m ust be θ ◦ ϕ ◦ θ − 1 . (5) Let t 1 = J g − T 1 J − 1 g − 1 1 and observe that t 1 ∈ A . W e want to ﬁnd g 2 ∈ A such that g 2 g 1 J ( g 2 g 1 ) T = J , which is e q uiv alent to ϕ ( g 2 ) g 2 = t 1 . Using θ , this is a norm equation in F q 4 ov e r F q 2 . In other words, we consider θ ( g 2 ) q 2 +1 = θ ( t 1 ), which is solved fo r example using [ HRD05 , Lemma 2.2]. (6) Hence g 2 g 1 lies in Sp(4 , q ), and g 2 ﬁxes h y , so g 2 g 1 conjugates h y to h z . The next step is to ﬁnd a ma trix g 3 , s uch that g 3 g 2 g 1 ∈ Sz( q ), and such that g 3 g 2 g 1 also conjugates h y to h z . Hence w e wan t g 3 ∈ Sp(4 , q ) and Ψ( g 3 g 2 g 1 ) = g 3 g 2 g 1 . (7) Find w ∈ F × q 4 of orde r q 2 + 1 , by taking the q 2 − 1 p ow e r of a pr imitive ele- men t. Then ϕ ( θ − 1 ( w )) θ − 1 ( w ) = 1, which implies that θ − 1 ( w ) J θ − 1 ( w ) T = J , a nd henc e θ − 1 ( w ) ∈ Sp(4 , q ). Similarly , every element of h w i gives rise to matrices in Sp(4 , q ). W e therefore w ant to ﬁnd a n integer i , suc h that w i = g 3 . (8) Moreov er, we w ant Ψ( θ − 1 ( w i ) g 2 g 1 ) = θ − 1 ( w i ) g 2 g 1 ⇔ Ψ( θ − 1 ( w )) i Ψ( g 2 g 1 ) = θ − 1 ( w ) i g 2 g 1 ⇔ Ψ( θ − 1 ( w )) i θ − 1 ( w ) − i = g 2 g 1 Ψ( g 2 g 1 ) − 1 ⇔ θ (Ψ ( θ − 1 ( w ))) i w − i = θ ( g 2 g 1 Ψ( g 2 g 1 ) − 1 ) (4.1) 4.2. SMALL REE GR OUPS 110 so if we let t 2 = θ ( g 2 g 1 Ψ( g 2 g 1 ) − 1 ), w e want to ﬁnd an integer i such that θ (Ψ ( θ − 1 ( w ))) i w − i = t 2 . (9) Use the discr ete log or a cle to ﬁnd k such that θ (Ψ( θ − 1 ( w ))) = w k . Since g 2 g 1 ∈ Sp(4 , q ) it fo llows that t 2 ∈ h w i . Use the discrete log o racle to ﬁnd n ∈ Z suc h that w n = t 2 . Our equa tion turns into ( k − 1) i ≡ n (mo d q 2 + 1), which we so lve to ﬁnd i . By [ HRD0 5 , Lemma 2.2], this whole pro cess uses exp ected O  log q  ﬁeld op- erations. Finally we use the eﬀective iso morphism to map the conjugating element back to G . Hence the time c omplexity is as stated.  4.2. Small Ree groups W e now co nsider the Sylow subg roup problems for the small Ree gro ups. W e will use the notatio n from Section 2.2, and we will make heavy use of the fa ct that we c a n use Theorem 3.62 to constructively recognise the small Ree groups. Hence w e assume that G sa tis ﬁes the a ssumptions in Section 1.2.7, so Ree( q ) ∼ = G 6 GL( d, q ). By Prop os ition 2.1 5, we o btain 4 cases for a Sylow p -s ubgroup S of G . (1) p = 2, so that b y [ HB82 , Chapter 1 1 , Theore m 13 . 2], S is elementary ab elian of order 8 and [N G ( S ) : S ] = 2 1. (2) p divides q 3 , so p = 3 . Then S is conjugate to U ( q ) and hence S ﬁxes a unique po int P S of O , which is e asily found using the Me a tAxe. (3) p div ide s q − 1 and p > 2. Then S is cyclic and conjugate to a subgroup of H ( q ). Hence S ﬁxes t wo distinct p o in ts P, Q ∈ O , and these p oints ar e easily found using the MeatAxe. (4) p divides q 3 + 1 and p > 2. Then S is cyclic and conjug a te to a subgro up of A 0 , A 1 or A 2 from Pr op osition 2.20. In this case, we hav e only s olved the Sylow genera tio n problem. Theorem 4.5. Assume the smal l Re e Conje ctur es and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exist L as V e gas algorithms that solve t he Sylow sub gr oup pr oblems for p = 3 in Ree( q ) ∼ = G 6 GL( d, q ) . Onc e c onstructive r e c o g- nition has b e en p erforme d, the exp e cte d time c omplexity of the Sylow gener ation is O  d 3 (log( q ) log log ( q )) 2  ﬁeld op er ations, and O  d 3 ( | Y | + | Z | + (log( q ) log lo g( q )) 2 ) + log( q ) 3  ﬁeld op er ations for the Sylow c onjugation. Proof. Let H = Ree( q ). The constr uctive recognition uses The o rem 3.40 to ﬁnd sets L and U o f “ s tandard generators” for H P ∞ and H P 0 , resp ectively . A genera ting set for a random Sylow 3- subgroup S of H can therefor e be com- puted b y ﬁnding a rando m h ∈ H , and as gener ating s et for S take { m g | m ∈ L } . T o obtain a Sylo w subg roup R of G , note that we already ha ve the O  log( q )  gen- erators of L and h as SLP s of le ngth O  log( q )(log log ( q ) 2 )  , so we can ev aluate them on X . Hence the expected time complexity is as stated. Given t wo Sylow 3-subgroups of G , we use the eﬀective iso morphism to map them to H using O  d 3 ( | Y | + | Z | )  ﬁeld op era tions. W e can use the MeatAxe to ﬁnd 4.2. SMALL REE GR OUPS 111 the po int s P Y , P Z ∈ O that are ﬁxed by the subg r oups. Then use Lemma 3.39 with U to ﬁnd a ∈ H , suc h that P Y a = P ∞ , and b ∈ H , such that P Z b = P ∞ . Then ab − 1 conjugates one Sy low subg r oup to the other, and w e alr eady have this element as an SLP of leng th O  (log( q ) lo g log( q )) 2  . In the case where P Y = P ∞ and P Z = P 0 , we know that Υ maps P Y to P Z . Then use Algorithm 3 .6 to obtain an SL P for Υ o f length O  (log( q ) lo g log( q )) 2  . Hence we can ev aluate it on X and obtain c ∈ G that conjugates h Y i to h Z i . Thu s the ex pec ted time complexity follows from Lemma 3.39 and Theor em 3.42.  Theorem 4.6. Assume the smal l Re e Conje ctur es and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exist L as V e gas algorithms that solve t he Sylow sub gr oup pr oblems for p | q − 1 , p > 2 , in Ree( q ) ∼ = G 6 GL( d, q ) . On c e c onst ructive r e c o gnition has b e en p erforme d, t he exp e cte d t ime c omplexity of the Sylow gener ation is O  ( ξ ( d ) + log ( q ) lo g log ( q ) + d 3 ) log log( q )  ﬁeld op er ations, and O  d 3 ( | Y | + | Z | + (log( q ) lo g log( q )) 2 ) + log( q ) 3  ﬁeld op er ations for the Sylow c onjugation. Proof. Let H = Ree( q ). In this case the Sylow generation is ea sy , since we can determine the highest pow er e of p such that p e | q − 1, ﬁnd a random elemen t of pseudo-orde r q − 1, use Prop osition 1.4 to obtain a n element of order p , then ev a luate its SLP on X . B y Prop os ition 2.23, the expected n umber o f random selections, and hence the length of the SLP is O  log lo g q  , and we need O  log( q ) log log( q )  ﬁeld op erations to ﬁnd the order . Then we e v aluate the SLP on X using O  d 3 log lo g( q )  ﬁeld op erations, so the e xp e cted time complexity is as stated. F o r the Sylow co njugation, recall that the co nstructive recog nition uses Theo- rem 3.40 to ﬁnd sets L and U of “standard gener a tors” for H P ∞ and H P 0 , resp ec- tively . Given t wo Sylow p -s ubg roups of G , w e use the eﬀective is omorphism to map them to H using O  d 3 ( | Y | + | Z | )  ﬁeld op er ations. Let H Y , H Z 6 H b e the resulting subgroups. Using the Mea tAxe, we can ﬁnd P Y , Q Y ∈ O that are ﬁxed by H Y and P Z , Q Z ∈ O that ar e ﬁxed by H Z . Orde r the points so that P Y 6 = P 0 and P Z 6 = P 0 . Use Lemma 3.3 9 with U to ﬁnd a 1 ∈ H P 0 , such that P Y a 1 = P ∞ . Then use L to ﬁnd a 2 ∈ H P ∞ , such that Q Y a 1 a 2 = P 0 . Similarly we ﬁnd b 1 , b 2 ∈ H , such that P Z b 1 b 2 = P ∞ and Q Z b 1 b 2 = P 0 . Then a 1 a 2 ( b 1 b 2 ) − 1 conjugates one Sylow subg roup to the o ther, and we already hav e this element as an SL P of length O  (log( q ) lo g log( q )) 2  . Hence we can ev alua te it on X and o btain c ∈ G tha t conjugates h Y i to h Z i . Th us the ex p ected time complex ity is as stated.  Theorem 4.7. Assume the smal l Re e Conje ctur es and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that solves t he Sylow gener ation pr oblem for p | q 3 + 1 , p > 2 , in Ree( q ) ∼ = G 6 GL( d, q ) . Onc e c on- structive r e c o gnition has b e en p erforme d, the exp e cte d time c omplexity of the Sylow gener ation is O  ( ξ ( d ) + lo g( q ) lo g log ( q ) + d 3 ) log log ( q )  ﬁeld op er ations. Proof. Let H = Ree( q ). The Sylow generation is ea s y , since w e can ﬁnd an element of pseudo-order q ± 3 t + 1 or ( q + 1) / 2 , us e Prop osition 1.4 to o btain an 4.2. SMALL REE GR OUPS 112 element of o rder p , then ev a luate its SLP on X . By Pro p o s ition 2.23, the expected nu mber o f random se lections, and hence the le ng th of the SLP is O  log lo g q  , and we need O  log( q ) log log( q )  ﬁeld op erations to ﬁnd the order. Then w e ev aluate the SLP on X using O  d 3 log lo g( q )  ﬁeld op era tions, so the exp ected time complexity is as s tated.  This result is due to Ma rk Stather and is the sa me as [ Sta06 , Lemma 4 . 35 ]. Lemma 4 .8. L et G b e a gr oup and let k ∈ Z b e such that | G | = 2 k n with n o dd. L et P 6 G have or der 2 k − 1 . L et h P , x i and h P , y i b e S ylow 2 -sub gr oups of G . Then | xy | = 2 t for some t ∈ Z if and only if h P , x i = h P, y i . Mor e over if | xy | = 2 t (2 s + 1) , then h P , x i ( y x ) s = h P, y i Proof. Let H = h P , xy i . Then H is a subgr oup of h P, x, y i of index 2, that contains P , but do es not contain x or y . Since P has index 2 in both h P, x i and h P, y i it follows that xy ∈ N H ( P ). But P is a Sylow 2-subgr oup of H so, | xy | = 2 k ⇔ xy ∈ P ⇔ h P, x i = h P, y i The second statement is an application of P rop osition 1.8, modulo H .  Theorem 4.9. Assume the sm al l R e e Conje ctur es and an or acle for the discr et e lo g- arithm pr oblem in F q . Ther e exists a L as V e gas algorithm t hat solves t he Sylow gen- er ation pr oblem for p = 2 in Ree( q ) ∼ = G 6 GL( d, q ) . Onc e c onstructive r e c o gnition has b e en p erforme d, the exp e cte d time c omplexity is O  ( ξ ( d ) + d 3 log( q )) lo g log( q ) + log( q ) 3 + χ D ( q )  ﬁeld op er ations. Proof. Let H = Ree( q ). W e w ant to ﬁnd three commuting inv olutions in H . Using the ﬁrst three steps o f the algor ithm in Sectio n 3 .2.2.3, we ﬁnd an involution j 1 ∈ H and C H ( j 1 ) ′ ∼ = PSL(2 , q ). Using the nota tion of that algo rithm, we can let the second in volution j 2 ∈ C H ( j 1 ) ′ be π 7 ( π 3 ( j )) wher e j is the second matr ix in (3.28). W e then w ant to ﬁnd the third involution in the cen traliser of j 2 in C H ( j 1 ) ′ . In our case this cent raliser has structure (C 2 × (C 2 : A 0 ). Hence its prop ortio n of elements of even o rder is 3 / 4, and 1 / 2 of its elements ar e inv olutions other than j 2 . Using the Bray algor ithm we can therefor e compute ra ndom elements of this centraliser until we ﬁnd such a n in volution j 3 . Clearly j 1 , j 2 , j 3 will all commute. As in the pro o f of Corollary 3.36, the exp e cted time to ﬁnd j 1 , constructively recognis e C H ( j 1 ) ′ and ﬁnd j 2 is O  ξ log log( q ) + + log ( q ) 3 + χ D ( q )  ﬁeld op erations. By the ab ov e , the exp ected time to ﬁnd j 3 is O  1  ﬁeld o p e rations. The in volutions will be found as SLP s, w he r e j 1 and j 3 hav e length O  1  , b ecause the generators of C H ( j 1 ) ′ are SLP s of length O  1  . By Lemma 3.29 and Theor e m 1.1 2, j 2 has length O  log( q ) log lo g( q )  . Thus we can ev alua te them on X using O  d 3 log( q ) log log( q )  ﬁeld op er ations, and the exp ected time complexity is as stated.  4.3. BIG REE GR OUP S 113 Theorem 4. 10. Ass u me the smal l R e e Conje ctur es and an or acle for the dis- cr ete lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm that solves the Sylow c onjugation pr oblem for p = 2 in Ree( q ) ∼ = G 6 GL( d, q ) . Onc e c on- structive r e c o gnition has b e en p erforme d, the exp e ct e d t ime c omplexity is O  ξ ( d ) + d 3 ((log( q ) log log ( q )) 2 + | Y | + | Z | ) + log( q ) 3  ﬁeld op er ations. Proof. Let H = Ree( q ). Given tw o Sylow 2- subgroups of G , we use the ef- fective isomorphism to map them to H , us ing O  d 3 ( | Y | + | Z | )  ﬁeld op er ations. The resulting generating sets are P = { y 1 , y 2 , y 3 } and S = { z 1 , z 2 , z 3 } , where both the y i and z i are c ommut ing involutions. W e may ass ume that h Y i 6 = h Z i so that P 6 = S . The algorithm pro ceeds as follows: (1) By Prop ositio n 2.26, we c an use the dihedral trick in H and hence ﬁnd c 1 ∈ H such that y c 1 1 = z 1 . W e then want to conjugate y 2 to z 2 while ﬁxing z 1 . (2) Using the ﬁr st steps o f the alg o rithm in Section 3.2.2.3, we ﬁnd C 1 = C H ( z 1 ) ∼ = h z 1 i × PSL(2 , q ), and use Theor em 1.13 to determine when we hav e the whole of C 1 . Observe that y c 1 i , z i ∈ C 1 for all i . (3) Cho ose r andom g ∈ C ′ 1 . If z 2 g has o dd orde r , then z 2 ∈ C ′ 1 . Conv ersely , if z 2 ∈ C ′ 1 then z 2 g has odd order with probability O  1  . Simila rly , if z 1 z 2 g has o dd order, then z 1 z 2 ∈ C ′ 1 , and the proba bility is the s ame. Rep eat un til either z 2 or z 1 z 2 has b een proved to lie in C ′ 1 and replace z 2 with this element . Do the same pro cedure with y c 1 2 , y c 1 3 , z 3 . (4) Now y c 1 2 , z 2 , y c 1 3 , z 3 ∈ C ′ 1 ∼ = PSL(2 , q ), and by [ WP06 , Theor em 1 3], the dihedral tr ick works in PSL(2 , q ). Hence ﬁnd c 2 ∈ C ′ 1 such that y c 1 c 2 2 = z 2 . (5) Let | y c 1 c 2 3 z 3 | = 2 t s , where s is odd. If s = 1 then let c 3 = 1 and o therwise let c 3 = ( y c 1 c 2 3 z 3 ) ( s − 1) / 2 . By Lemma 4.8, P c 1 c 2 c 3 = S . Finally , we use the eﬀective iso morphism to map c 1 c 2 c 3 back to G . As in the pro of of Corollar y 3.3 6, C 1 is found using exp ected O  ξ ( d ) + lo g( q ) lo g log ( q )  ﬁeld op erations, if we let ε = log lo g( q ) in Theor em 1.1 3. The exp ected time complex it y of the eﬀective isomorphism follows from Theorem 3.62.  4.3. Big R ee groups W e now consider the Sylow subgroup problems for the Big Ree gro ups. W e will use the notation fro m Section 2.3, and we will make heavy use of the fact that we can use Theorem 3.79 to constr uctively recognise the Big Ree gro ups. Ho wev er, we can o nly do this in the natural r e pr esentation, and hence we will only consider the Sylow subgro up problems in the natur al represe n tation. Hence w e assume that 2 F 4 ( q ) ∼ = G 6 GL(2 6 , q ). It follows from [ DS99 ] that if g ∈ G then | g | is even, or divides any of the n umbers  q + 1 , q − 1 , q ± t + 1 , q 2 ± 1 , q 2 − q + 1 , q 2 ± tq + q ± t + 1  . Hence we obtain several cases for a Sylow p -subgr oup S of G . 4.3. BIG REE GR OUP S 114 (1) p = 2. Then S has o rder q 12 and lies in C G ( j ) for some inv olution j of class 2 A . It consists of O 2 (C G ( j )) extended by a Sylow 2-subg roup in a Suzuki group contained in the cen traliser . (2) p divides o ∈ { q − 1 , q ± t + 1 } . Then S has s tructure C p × C p . If G > H ∼ = Sz( q ) × Sz( q ), then S is contained in H and consists of Sylow p -subgr oups from each Suzuki factor. (3) p divides q 2 − q + 1 or q 2 ± tq + q ± t + 1 . Then S is cyclic of o rder p , and hence these Sylow subgro ups are trivial to ﬁnd. W e do no t co nsider this case. (4) p divides q + 1. W e do not consider this case. Theorem 4. 11. Assu me t he Suz uki Conje ct ur es, the Big Re e Conje ctur es and an or acle for the discr et e lo garithm pr oblem in F q . Ther e exists a L as V e gas algorithm thats solve t he Sylow gener ation pr oblem for p = 2 in 2 F 4 ( q ) ∼ = h X i 6 GL(26 , q ) . Onc e c onstructive r e c o gnition has b e en p erforme d, the exp e cte d time c omplexity is O  log( q )(log lo g( q )) 2  ﬁeld op er ations. Proof. Let G = h X i . W e s e e from the pro o f of Theorem 3.78 that during the constructive recognition, we ﬁnd C G ( j ) for some inv olution j ∈ G of clas s 2 A . W e also ﬁnd h Y i , h Z i 6 C G ( j ) such that h Y i = O 2 (C G ( j )) and h Z i ∼ = Sz( q ). Moreov er, h Z i is constructively r ecognised, and Y , Z are expres sed as SLP s in X of length O  log lo g( q )  . Hence we can apply Theo rem 4.1 and obtain a Sylow 2 - subgroup h W i of h Z i using O  log( q )(log lo g( q )) 2  ﬁeld op erations. No w h Y , W i is a Sylow 2-subgr oup of G .  Theorem 4. 12. Assu me t he Suz uki Conje ct ur es, the Big Re e Conje ctur es and an or acle for the discr ete lo garithm pr oblem in F q . Ther e ex ist L as V e gas algorithms that solve the Sylow gener ation pr oblems for p | q − 1 or p | q ± t + 1 in 2 F 4 ( q ) ∼ = G 6 GL(2 6 , q ) . Onc e c onstruct ive r e c o gnition has b e en p erforme d, t he exp e cte d time c omplexity is O  ( ξ + log( q ) log log ( q )) lo g log( q )  ﬁeld op er ations. Proof. Let G = h X i . W e see from the pro of of Theorem 3.78 that during the constructive recognition, we ﬁnd h Y 1 i , h Y 2 i ∼ = Sz( q ), and they commute, so h Y 1 , Y 2 i ∼ = Sz( q ) × Sz( q ). Moreover, h Y 1 i and h Y 2 i are constructively reco gnised, and Y 1 , Y 2 are expressed as SLP s in X of length O  log lo g( q ) 2  . Hence we can apply Theor em 4 .2 or 4.4 and o bta in Sylow p -subgr oups o f h Y 1 i and h Y 2 i , using O  ( ξ + log( q ) log log( q )) log log( q )  ﬁeld op era tions. F ro m the pro of of the Theore ms, we see that ther e will be a constant num b er of ge ner ators, which will b e expres sed as SLP s in h Y i i of length O  log lo g( q )  . Hence we can e v aluate them on X using O  (log log( q )) 3  ﬁeld op erations.  CHAPTER 5 Maximal subgroups W e will now describe a lgorithms for ﬁnding and conjugating maximal subgr oups of the exceptional gr oups under cons ideration. Hence we consider the following problems: (1) Given h X i 6 GL( d, q ), such tha t h X i ∼ = G for some of our exceptiona l groups G , ﬁnd represe n tatives h Y 1 i , . . . , h Y n i o f the conjugacy classes of (some or all of ) the maximal subgroups o f G . (2) Given h X i 6 GL( d, q ), such tha t h X i ∼ = G for some of our exceptiona l groups G , and given h Y i , h Z i 6 h X i such that h Y i and h Z i are conjugate to a sp eciﬁed ma ximal subgro up of h X i , ﬁnd c ∈ h X i such that h Y i c = h Z i . It will turn out that b ecause o f the results ab o ut Sylow subgroup co njugation in Chapter 4, the second pr o blem will most often be easy . The ﬁrst proble m is therefore the diﬃcult one. W e will refer to these problems as the “ma ximal subgr oup problems”. The ﬁrst problem is referred to a s “ma ximal subgro up gener a tion” and the second as “maximal subg roup conjugation”. 5.1. Suzuki groups W e now consider the maximal subgroup pro blems for the Suzuki groups. W e will use the notatio n from Section 2.1, and we will make heavy use of the fa ct that we can use Theo rem 3.26 to constr uctively recog nise the Suzuki groups . Hence we assume that G sa tisﬁes the assumptions in Section 1.2 .7, so Sz( q ) ∼ = G 6 GL( d, q ). The maximal subgroups are given by Theorem 2.3. Theorem 5.1. As s ume the S uzuki Conje ctu r es, an or acle for the discr ete lo garithm pr oblem in F q and an or acle for the inte ger factorisation pr oblem. Ther e exist L as V e gas algorithms t hat solve the maximal sub gr oup c onjugation in Sz( q ) ∼ = G 6 GL( d, q ) . Onc e c onstructive r e c o gnition has b e en p erforme d, the exp e cte d time c om- plexity is O  ξ ( d ) lo g( q ) + log ( q ) 3 + d 3 (log( q )(log log ( q )) 2 + ( | Y | + | Z | ) σ 0 (log( q ))) + d 2 log( q ) σ 0 (log( q )) + χ F (4 , q )  ﬁeld op er ations. Proof. Let H = Sz( q ). In each case, we ﬁrst use the eﬀective is o morphism to map the subgro ups to H using O  d 3 ( | Y | + | Z | )  ﬁeld op erations. Ther efore w e henceforth assume that h Y i , h Z i 6 H . Observe that all maximal s ubgroups, except the Suzuki groups over s ubﬁelds, are the normalis ers of corres p o nding c yclic subg roups or Sylow 2-subgro ups. The 115 5.1. SUZUKI GROUPS 116 Sylow conjugation algo r ithms can conjuga te these cy clic subg roups around, not only the Sylow subgro ups that they co ntain. Mor eov er, the cyclic subgroups and Sylow 2-s ubgroups are the derived groups of the corre s po nding ma ximal subgro ups. Hence we can obtain proba ble genera tors for the c yclic s ubgroups or Sylow 2-subgro ups using O  ξ ( d ) lo g( q )  ﬁeld o pe r ations, and we ca n verify that we hav e the whole of these subg roups as follows: (1) F or B i , the genera tors of the derived group U i m ust co nt ain an element of order q ± t + 1. (2) F or N H ( H ), the generato r s of the derived gro up H must cont ain an ele- men t of order q − 1. (3) F or F H , we need not obtain the whole derived gr oup F . It is enough that we obtain a subgroup of the derived group that ﬁxes a unique p o in t of O , but this might require O  log( q )  generator s. Note that in these cas es we need the integer factor isation or acle to ﬁnd the precise orde r . When we have g enerator s for the cyclic subgroups , we use Theor em 4.1, 4.2 a nd 4.4 to ﬁnd conjugating elemen ts for the cyclic subgro ups. These ele- men ts will also conjugate the maximal subgroups, b ecause they normalise the cyclic subgroups. Finally , co nsider the ca se when h Y i and h Z i ar e isomo rphic to a Suzuki gr oup ov e r F s < F q . In this ca se we ﬁrst use the alg orithm in Section 1.2.1 0.2, to obtain c 1 , c 2 ∈ GL(4 , q ) that conjuga tes h Y i and h Z i in to GL (4 , s ). Then we use Theorem 3.17 to ﬁnd c 3 ∈ GL(4 , s ) that conjugates the Suzuki groups to each other. Hence c = c 1 c 3 c − 1 2 conjugates h Y i to h Z i , and therefore it normalise s H . How ever, c do e s not necess arily lie in H , but o nly in N GL(4 ,q ) ( H ) ∼ = H : F q , since neither c 1 nor c 2 are guaranteed to lie in H . Therefor e c = ( γ I 4 ) g where g ∈ H and γ ∈ F q . W e ca n ﬁnd γ by calculating the determinant and taking its (unique) 4th ro ot, so w e can divide by the scalar matrix, a nd we then end up with g , which also c o njugates h Y i to h Z i . Finally w e use the eﬀectiv e isomorphism to map g to G . The exp ected time complexity follows fro m Theorem 4.1, 4.2, 4.4 and 3.17.  Lemma 5.2. If g , h ∈ G = Sz( q ) s atisfy that | g | = 2 , | h | = 4 , | g h | = 4 and   g h 2   = q ± t + 1 , then h g , h i ∼ = C q ± t +1 : C 4 and henc e is a maximal sub gr oup of G . Proof. Clearly , h g , h i is an image in G of the g roup H =  x, y | x 2 , y 4 , ( xy ) 4  ∼ = Z 2 : C 4 . Since H is so luble and g h 2 has the sp eciﬁed o r der, h g , h i must be one of the B i from Theorem 2.3.  Theorem 5.3. Ass u me t he Su zuki Conje ct u r es, an or acle for the discr ete lo ga- rithm pr oblem in F q and an or acle for the inte ger factorisatio n pr oblem. Ther e exist L as V e gas algorithms that solve the maximal sub gr oup gener ation in Sz ( q ) ∼ = G 6 GL( d, q ) . Onc e c onstructive r e c o gnition has b e en p erforme d, the exp e cte d time c om- plexity is O  ξ ( d )( σ 0 (log( q )) + log log ( q )) + χ F (4 , q ) log log( q ) + σ 0 (log( q ))(log ( q ) 3 + d 3 log( q )(log lo g( q )) 2 )  ﬁeld op er ations. 5.2. SMALL REE GR OUPS 117 Proof. Let H = Sz( q ). Using the eﬀective isomorphism, it is s uﬃcient to obtain generators for the max imal subgroups in H . Let α ∈ F q be a primitive element. Clear ly F H = h M ′ ( α ) , S (1 , 0) i , and N H ( H ) = h M ′ ( α ) , T i . F or each e > 0 such that 2 e + 1 | 2 m + 1, w e ha ve F s < F q where s = 2 2 e +1 . Hence s − 1 | q − 1 and Sz( s ) =  T , S (1 , 0) , M ′ ( α ) ( q − 1) / ( s − 1)  . The diﬃcult case is therefo re B 1 and B 2 . W e wan t to us e L e mma 5 .2, with T and S ( a, b ) playing the roles of x and y . Hence w e pro ceed as follo ws: (1) Cho ose random g ∈ H o f order q ± t + 1. Note that we need the integer factorisatio n o racle, since we nee d the pre cise order o f g . Let λ = T r( g ). (2) Let a, b be indeterminates a nd consider the equa tions T r ( T S ( a, b )) = 0 and T r ( T S ( a, b ) 2 ) = λ . If we can ﬁnd so lutions for a , b , then by Pr o p osition 2.9, | T S ( a, b ) | = 4 with high probability , and P rop osition 2.8 implies that   T S ( a, b ) 2   = q ± t + 1. (3) The second equation implies a = λ t +2 , and T r( T S ( a, b )) = a t + a t +2 + ab + b t = 0 ⇔ a 2 + a 2 t +2 + a t b t + b 2 = 0 ⇒ b 2 + a t +1 b + a 2 + a 2 t = 0 (5.1) where the third equation is a t times the ﬁr st added to the second. (4) The quadr a tic equation has s o lutions b 1 = a t +1 P m +1 i =1 a − 2 i and b 2 = b 1 + a t +1 , which bo th give the v alue a s +2 (1 + P 2 m i =0 a − 2 i ) of T r( T S ( a, b )). Hence rep eat with another g if P 2 m i =0 a − 2 i 6 = 1, which happ ens with probability 1 / 2. (5) Lemma 5.2 now implies that h T , S ( a, b ) i is B 1 or B 2 . Finally , we s ee that we hav e O  σ 0 (log( q ))  generator s, which we map back to G us ing the eﬀectiv e isomorphism. Hence the exp ected time complexit y is a s stated.  5.2. Small Ree groups W e now consider the ma ximal subgro up problems for the small Ree groups. W e will use the no tation fro m Sec tio n 2.1. W e will make heavy use of the fact that we can use Theorem 3 .62 to constructively recognise the s ma ll Ree groups. Hence we assume that G sa tis ﬁes the a ssumptions in Section 1.2.7, so Ree( q ) ∼ = G 6 GL( d, q ). The maximal subgroups are given by Prop o sition 2.2 0. Theorem 5.4. Assume the smal l Re e Conje ctur es and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exist L as V e gas algorithms that solve the maxi- mal sub gr oup c onjugation in Ree( q ) ∼ = G 6 GL( d, q ) for the p oint stabiliser, the involution c entr aliser and R e e gr oups over subﬁelds. On c e c onstructive r e c o gni- tion has b e en p erforme d, the exp e cte d time c omplexity is O  ξ ( d ) lo g( q ) + log ( q ) 3 + χ D ( q ) log lo g( q )+ d 3 (( | Y | + | Z | ) σ 0 (log( q ))+ (log ( q ) lo g log( q )) 2 )+ d 2 log( q ) σ 0 (log( q ))  ﬁeld op er ations. 5.2. SMALL REE GR OUPS 118 Proof. Let H = Ree( q ). In each case, we ﬁrst use the e ﬀectiv e isomor phism to map the subgro ups to H using O  d 3 ( | Y | + | Z | )  ﬁeld op erations. Ther efore w e henceforth assume that h Y i , h Z i 6 H . Observe that the p oint stabiliser is the normaliser of a Sy low 3-subgroup, whic h is the der ived group of the point stabilis er. W e can therefor e obtain pro bable gener- ators for the Sylow 3-subgro up using O  ξ ( d ) lo g( q )  ﬁeld o p e rations. W e only need enough generator s so that they g enerate a subgroup of the derived group that ﬁxes a uniq ue p o int of O , and this we can easily verify using the Mea tAxe. When we have generator s for this subgroup, we use Theo rem 4.5 to ﬁnd a conjugating element. This element will also conjugate the ma ximal subgro up, beca use it no rmalises the Sylow subgro up. F o r the inv olution centraliser, we cho ose random elements of h Y i . Since h Y i ∼ = h y i × PSL(2 , q ) for s o me inv o lution y , with probability O  1  we will o btain an element of even order that p ow e r s up to y . W e can check tha t we obtain y since it is the unique inv olution that is centralised b y h Y i (a nd therefore by Y ). Hence we ca n ﬁnd the involutions y and z that are centralised b y h Y i and h Z i . By Pro po sition 2.26 we can use the dihedra l trick to ﬁnd c ∈ H that conjugates y to z , us ing O  log( q ) log lo g( q )  ﬁeld op erations. Since h Y i and h Z i centralise these, it follows that h Y i c = h Z i . Finally , cons ider the cas e when h Y i and h Z i are isomorphic to a Ree group ov e r F s < F q . In this ca se we ﬁrst use the alg orithm in Section 1.2.1 0.2, to obtain c 1 , c 2 ∈ GL(7 , q ) that conjuga tes h Y i and h Z i in to GL (7 , s ). Then we use Theorem 3.47 to ﬁnd c ∈ GL(7 , s ) that co njugates the res ulting Ree gr o ups to e ach other. Hence c 1 cc − 1 2 conjugates h Y i to h Z i , and hence no rmalises H . How ever, it do es not necessarily lie in H , but only in N GL(7 ,q ) ( H ) ∼ = H : F q , since neither c 1 nor c 2 has to lie in H . Therefor e it is of the form ( γ I 7 ) g , where g ∈ H and γ ∈ F q . W e ca n ﬁnd γ by calcula ting the de ter minant and taking the (unique) 7th ro ot, so we ca n divide by the scalar matrix, and w e then end up with g , that also conjuga tes h Y i to h Z i . Finally w e use the eﬀectiv e isomorphism to map the conjugating element back to G . The ex pe c ted time complex it y follows from Theorem 4.5, 3.47 and 3 .6 2.  Lemma 5.5 . If g , h ∈ G = Ree( q ) satisfy that | g | = 2 , | h | = 3 , | g h | = 6 and | [ g , h ] | = q ± 3 t + 1 or | [ g , h ] | = ( q + 1) / 2 , then h g , h i ∼ = C q ± 3 t +1 : C 6 or h g , h i ∼ = (C 2 × C 2 × C ( q +1) / 4 )): C 6 and henc e is a maximal sub gr oup of G . Proof. Clearly , h g , h i is an image in G of the g roup H =  x, y | x 2 , y 3 , ( xy ) 6  ∼ = Z 2 : C 6 . Since H is soluble and [ g , h ] has the s pec iﬁed order, h g , h i m ust b e one of the N G ( A i ) from Prop osition 2.20.  Lemma 5.6 . L et G = Re e ( q ) . F or e ach k ∈ { q ± 3 t + 1 , ( q + 1) / 2 } , ther e exist x, y ∈ G = Ree( q ) such t hat | x | = 2 , | y | = 3 , | xy | = 6 and | [ x, y ] | = k . Proof. Consider the cas e k = q ± 3 t + 1. There exists H 6 G such that H = h a i h b i ∼ = C k : C 6 with | a | = k and | b | = 6. Obs e rve that H ′ = h a i . If x = a − i b 3 5.2. SMALL REE GR OUPS 119 and y = a i [ b 3 , a i ] − 1 b − 2 then xy = b , and [ x, y ] = a j for some j , dep ending on i . Clearly w e can c ho ose i s uch that gcd( j, k ) = 1, and hence | [ x, y ] | = k . The other case is a nalogo us .  Lemma 5.7. Le t G = Ree( q ) and υ = h ( − 1)Υ . F or e ach k ∈ { q ± 3 t + 1 , ( q + 1) / 2 } , ther e exist a, b ∈ F q such that | Υ S (0 , a, b ) | = 6 and | [Υ , S (0 , a, b )] | = k or | υ S (0 , a, b ) | = 6 and | [ υ , S (0 , a, b )] | = k . Proof. Let ( x, y ) be as in Lemma 5.6. It is suﬃcient to prove that there exists a, b ∈ F q such that ( x, y ) is conjuga te to (Υ , S (0 , a, b )) or ( υ , S (0 , a, b )). Since y has order 3 , it ﬁxes a p o in t P . Also, G is doubly transitive s o there exists c 1 ∈ G such tha t P ∞ c 1 = P . Then y c 1 = S (0 , a, b ) for some a, b ∈ F q . Observe that x c 1 do es not ﬁx P ∞ , since otherwise | [ x, y ] | = 3. Now P ∞ x c 1 = R for s ome p oint R , and G P ∞ acts transitively o n the p oints other than P ∞ , so there e x ists c 2 ∈ G P ∞ such that Rc 2 = P 0 . Then x c 1 c 2 int er- changes P 0 and P ∞ , a nd s o do es Υ. Hence x c 1 c 2 Υ − 1 ∈ h h ( λ ) i , s o x c 1 c 2 = h ( λ ) i Υ, for some 0 6 i < q − 1. Let k ≡ i/ 2 (mo d ( q − 1) / 2) such that 0 6 k < q − 1, and let c 3 = h ( λ ) k . There are tw o p ossible v a lues for k , either 2 k = i or 2 k = i + ( q − 1 ) / 2. In the former case x c 1 c 2 c 3 = Υ, and in the latter case x c 1 c 2 c 3 = h ( λ ) ( q − 1) / 2 Υ = υ .  Conjecture 5.8 . L et q = 3 2 m +1 for some m > 0 and let t = 3 m . F or every a ∈ F × q , the ide als in F q [ b 1 , c 1 , b 2 , c 2 ] gener ate d by the fol lowing systems ar e zer o- dimensional:              b 2 2 + b 1 b 2 + c 2 2 = 0 b 2 1 + b 3 2 b 1 + c 2 1 = 0 1 − a − b 2 1 + b 4 2 + b 2 1 b 2 2 − c 2 1 − b 1 b 2 c 2 2 + c 4 2 − b 2 2 c 2 2 = 0 1 − a 3 t − b 6 2 + b 4 1 + b 6 2 b 2 1 − c 6 2 − c 2 1 b 3 2 b 1 + c 4 1 − b 2 1 c 2 1 = 0 (5.2)              b 2 2 − b 1 b 2 − c 2 2 = 0 b 2 1 − b 3 2 b 1 − c 2 1 = 0 1 − a − b 2 1 + b 4 2 + b 2 1 b 2 2 + c 2 1 − b 1 b 2 c 2 2 + c 4 2 + b 2 2 c 2 2 = 0 1 − a 3 t − b 6 2 + b 4 1 + b 6 2 b 2 1 + c 6 2 − c 2 1 b 3 2 b 1 + c 4 1 + b 2 1 c 2 1 = 0 (5.3) Theorem 5.9. Ass u me the smal l Re e Conje ctur es, Conje ct ur e 5.8 , an or acle for the discr ete lo garithm pr oblem in F q and an or acle for the inte ger factorisation pr oblem. Ther e exist L as V e gas algorithms that solve the maximal sub gr oup gener ation in Ree( q ) ∼ = G 6 GL( d, q ) . Onc e c onstructive r e c o gn ition has b e en p erforme d, the exp e cte d time c omplexity is O  ξ ( d )( σ 0 (log( q )) + log log ( q )) + χ F (7 , q ) log log( q ) + σ 0 (log( q ))( d 3 (log( q ) lo g log( q )) 2 + log( q ) 3 )  ﬁeld op er ations. Proof. Let H = Ree( q ). Using the eﬀective isomorphism, it is suﬃcient to obtain generators for the max imal subgroups in H . Let α ∈ F q be a primitiv e elemen t. Clearly U ( q ) H ( q ) = h h ( α ) , S (1 , 0 , 0) i , and b y following a pro cedur e similar to [ Wil06 ], w e see that C H ( h ( − 1)) = h h ( α ) , Υ , S (0 , 1 , 0) i . 5.3. BIG REE GR OUP S 120 F o r ea ch e > 0 suc h that 2 e + 1 | 2 m + 1, we hav e F s < F q where s = 3 2 e +1 . Hence s − 1 | q − 1 and Ree( s ) =  Υ , S (1 , 0 , 0) , h ( α ) ( q − 1) / ( s − 1)  . The diﬃcult cases ar e therefor e the N H ( A i ). In the light of Lemma 5.7, we can pro ceed as follows: (1) Cho ose r andom g ∈ H of or der q ± 3 t + 1 or ( q + 1) / 2, c o rresp onding to the order of A i . By Cor ollary 2.24 this is done using e x pe c ted O  ( ξ ( d ) + log( q ) lo g log ( q ) + χ F (7 , q )) log log( q )  ﬁeld op era tions. Note that we need the integer factorisation oracle since w e nee d the pre c ise order in this case. (2) In tro duce indeterminates x, y and consider the equations T r(Υ S (0 , x, y )) = 1 a nd T r([Υ , S (0 , x, y )]) = T r( g ), or s imilarly with υ instead of Υ. W e w a nt to ﬁnd solutions a, b for x, y as in the Lemma. By Pro p o sition 2.25, the trace determines the or der in these cases , which leads us to c onsider these equations. (3) Elements of order 6 hav e trace 1. Hence we obtain equations in x, y : T r (Υ S (0 , x, y )) = 1 (T r (Υ S (0 , x, y )) 3 t = 1 T r [Υ , S (0 , x, y )] = T r g (T r [Υ , S (0 , x, y )] ) 3 t = (T r g ) 3 t (5.4) By letting b 1 = x , b 2 = x t , c 1 = y , c 2 = y t , this is precisely one o f the systems in Co njectur e 5 .8, and thus w e can us e Theorem 1.3 to ﬁnd all solutions using O  log q  ﬁeld op erations. (4) By Lemma 5 .7, there will b e solutions a, b . By Lemma 5.5, the resulting S (0 , a, b ) genera tes N H ( A i ) together with Υ o r υ . Finally , we s ee that we hav e O  σ 0 (log( q ))  generator s, which we map back to G us ing the eﬀectiv e isomorphism. Hence the exp ected time complexit y is a s stated.  5.3. Big R ee groups W e now cons ider the maximal s ubgroup problems for the Big Ree groups. W e will use the notatio n from Section 2.3, and we will make heavy use of the fa ct that we can use Theorem 3.79 to co nstructively r ecognise the Big Ree groups. How ever, we can o nly do this in the natural r e pr esentation, and hence we will only consider the maximal subgroup pr oblems in the natural representation. The maximal subgroups are listed in [ Mal91 ], but we will only g enerate some of them. Theorem 5.10. As sume Conje ctur es 3.4 and 3.64 , and an or acle for the discr ete lo garithm pr oblem in F q . Ther e exist L as V e gas algorithms t hat, given 2 F 4 ( q ) ∼ = h X i 6 GL(26 , q ) ﬁn ds h Y 1 i , h Y 2 i , h Y 3 i , h Y 4 i 6 h X i s u ch that h Y 1 i and h Y 2 i ar e 5.3. BIG REE GR OUP S 121 the two maximal p ar ab olics, h Y 3 i ∼ = Sz( q ) ≀ C 2 and h Y 4 i ∼ = Sp(4 , q ): C 2 . Onc e c on- structive r e c o gnition has b e en p erforme d, the exp e cte d time c omplexity is O  1  ﬁeld op er ations. Proof. Let H = 2 F 4 ( q ), and let ϕ : h X i → H be the eﬀectiv e isomor phism. Generators for the subgro ups are g iven in Prop osition 2.3 6 a nd Pro p osition 2.44. Since they all hav e constant size, and pre-imag es o f ϕ can b e c omputed in O  1  ﬁeld op erations, w e obtain Y 1 , Y 2 , Y 3 , Y 4 in O  1  ﬁeld o p e rations.  CHAPTER 6 Implemen tation and p erformance All the algo rithms that hav e b een des crib ed hav e b een implemented in the computer alg ebra system Magma . As we rema rked in Sectio n 1.2.11, the imple- men tation has been a ma jor part of the work and has hea vily inﬂuenced the na ture of the theoretical results. The algor ithms hav e b een developed with the implemen- tation in mind from the start, and hence only algorithms that c a n b e implemented and executed on c ur rent hardware have been develop ed. This c hapter is co ncerned with the implementation, a nd w e will provide ex- per imental evidence of the fact tha t the algor ithms indeed are eﬃcient in practice. The e v idence will b e in the form o f b enchmark res ults, tables and dia grams. This chapter is therefor e not so muc h ab out mathematics, but rather a bo ut softw a re engineering or computer science. The implemen tations were developed during a time span of 2-3 y ears, us ing Mag ma v ersions 2.1 1-5 and a bove. The b enchmark results have all been pro duced using v ersion 2.13-12 , Intel64 ﬂav our, statically link ed. The hardware used during the benchmark was a PC, with an Intel Xeon CPU, clo ck e d at 2 . 80 GHz, a nd with 1 GB of RAM. The op erating system was Debian GNU/Lin ux Sarge, with kernel version 2.6 .8-12- em64t-p4-s mp. The implementations used the ex isting Magma implementations of the algo- rithms describ ed in Chapter 1. Thes e include implemen tations of the follo wing: • A discrete lo g algorithm, in particula r Copp ersmith’s algor ithm. The im- plement ation is describ ed in [ Tho01 ]. • The pro duct replacement algo r ithm. • The algor ithm fro m Theo rem 1.1. • The Or der algo r ithm, for ca lc ulating the or der (o r pseudo- order) o f a matrix. • The black b ox naming algo rithm from [ BKPS0 2 ]. • The algor ithms from Theor ems 1.1 2 a nd 1.13. • The three algo r ithms from Section 1.2.1 0. W e use d MA TLAB a nd [ R D0 5 ] to pro duce the ﬁgure s. In every ca se, the benchmark of an a lgorithm w as p er formed b y running the algorithm a num b er of times for each ﬁeld with size q lying in some sp eciﬁed range. W e then r ecorded the time t (in seconds) taken by the algorithm. How ever, to b e able to compare the b enchmark res ults with our stated time complexities, we wan t to display not the time in seco nds, but the n umber o f ﬁeld op e r ations. Moreover, the input size 122 6.1. SUZUKI GROUPS 123 is p olyno mial in lo g ( q ) and not q . Hence we ﬁrst r e corded the time t k for k m ul- tiplications in F q and display t/t k against lo g ( q ). Of co ur se, k = 1 is in principle enough, but w e c hose k = 10 6 to achiev e a scaling of the graph. In Magma , Zech log arithms are used for the ﬁnite ﬁeld arithmetic in F q if q 6 q Z (for some q Z , at present q Z ≈ 2 20 ), and for large r ﬁelds Magma represents the ﬁeld elements as po lynomials o ver the lar gest subﬁeld that is smaller than q Z , rather than o ver the prime ﬁeld. The reason is tha t the p o ly nomials then hav e few er terms, and hence the ﬁeld arithmetic is faster, than if the p olyno mials have co eﬃcients in the prime ﬁeld. Since the subﬁeld is small enough to use Zec h lo g arithms, a r ithmetic in the subﬁeld is no t m uch slow er than in the prime ﬁeld. Now cons ide r a ﬁeld o f size p n . If n is prime, there are no subﬁelds except the prime ﬁeld, and the ﬁeld ar ithmetic will b e slow, but if n has a divisor only s lightly smaller than q Z , then the ﬁeld arithmetic will be fast. Since it might ha ppen that n is prime but n + 1 is divisible b y q Z , we w ill get jumps in o ur b enchmark ﬁgures, unless w e turn oﬀ all thes e optimisations in Ma gma . T he r efore, this is what w e do, and hence a ny jumps are the result of group theoretical prop erties, the discrete log and factorisation oracles, and the probabilistic natur e of the a lgorithms. All the non-constr uctive r ecognition alg orithms that w e have pr esented, in Sec- tions 3.1.1, 3.2.1 and 3.3.1 ar e e x tremely fast, and in practice constant time for the ﬁeld sizes under c onsideration. Hence w e do not dis play any b enchmarks of them. 6.1. Suzuki groups In the cases of the Suzuki groups, the ﬁe ld size is always q = 2 2 m +1 for some m > 0. Hence we displa y the time a gainst m . In Figure 6.1 we show the b enchmark of the ﬁrst tw o steps of the algorithm in Theorem 3.12, where a stabilis e r in Sz( q ) of a p oint of O is computed. F or each ﬁeld size, we made 1 00 runs of the algorithms, us ing random gene r ating sets and random po ints. Notice that the time is very muc h domina ted by the discrete logar ithm compu- tations. The oscilla tions in the dis crete lo g timings hav e num ber theoretic reasons . When m = 52, the fac to risation of q − 1 con tains no prime with more than 6 dec- imal digits, hence discr ete log is very fast. O n the other hand, when m = 6 4 , the factorisatio n of q − 1 con tains a prime with 26 decimal digits. In Figure 6.2 we show the benchmark of the a lgorithm in Theorem 3 .17. F o r each ﬁeld size, we made 10 0 runs of the algor ithms, using r a ndom gener ating sets of random conjugates of Sz( q ). The time co mplexity stated in the theorem suggests that the graph should b e slightly w orse than line a r. Figur e 6.2 clea rly supp or ts this. The minor oscillations can hav e a t least tw o reaso ns. The a lgorithm is r andomised, and the c o re of the algorithm is to ﬁnd an elemen t of o rder q − 1 by random sear ch. The pro p o rtion of such elements is φ ( q − 1) / (2( q − 1)) whic h oscillates slightly when q increase s. 6.2. SMALL REE GR OUPS 124 10 20 30 40 50 60 70 80 0 2 4 6 8 10 Benchmark of Suzuki stabiliser computation m, where q = 2 2m + 1 Average time Total time Discrete log time Figure 6.1. Benchmark o f Suzuki s tabiliser computation W e do not include graphs o f the tensor decomp osition algor ithms for the Suzuki groups. The reason is that at the present time, they can only be ex ecuted on a small nu mber of inputs (cer tainly not more than d ∈ { 16 , 64 , 256 } and q ∈ { 8 , 3 2 , 12 8 } ) befo re running out of memory . Hence there is not m uc h of a g raph to display . 6.2. Small Ree groups In the cases o f the small Ree groups, the ﬁeld size is alwa ys q = 3 2 m +1 for so me m > 0. Hence we displa y the time a gainst m . In Figure 6.3 we show the benchmark of the a lgorithm in Theorem 3 .47. F o r each ﬁeld size, we made 10 0 runs of the algor ithms, using r a ndom gener ating sets of r andom co njugates o f Ree( q ). As can b e seen from the pro o f of the Theo rem, the algorithm in volv es man y ingredients: discrete log arithms, SLP ev aluations , SL(2 , q ) recognition. T o av oid making the gra ph unre a dable, w e a void displaying the timings for these v arious steps, a nd o nly displa y the tota l time. The gra ph still ha s jumps, for reasons similar as with the Suzuki gr oups. W e do not include graphs of the tensor decomp ositio n algorithms for the small Ree g r oups. The reas o n is that at the present time, they can only b e executed on a small num b er o f inputs (ce r tainly not more than d ∈ { 49 , 189 , 729 } and q ∈ { 27 , 24 3 } ) b efore running out of memory . Hence there is not muc h of a gra ph to display . 6.3. BIG REE GR OUP S 125 10 20 30 40 50 60 70 80 90 100 0.5 1 1.5 2 2.5 3 Benchmark of Suzuki conjugation m, where q = 2 2m + 1 Average time Figure 6.2. Benchmark o f Suzuki co njugation 6.3. Big R ee groups In the cases of the Big Ree groups, the ﬁeld size is alwa ys q = 2 2 m +1 for some m > 0. Hence we displa y the time a gainst m . In Fig ure 6.4 we show the benchmark of the algo rithm in Theore m 3 .79. This inv olves all the results presented for the Big Ree groups. F o r each ﬁeld size, we made 100 runs of the algorithms, using random generating sets of random conjugates o f 2 F 4 ( q ). As can b e seen from the pro of of the Theorem, the algorithm in volv e s man y ingredients: discrete logarithms, SLP ev aluations, Sz( q ) recognition, SL(2 , q ) rec ognition. T o avoid making the g raph unreadable, we av oid displaying the timings for these v arious steps, and only displa y the total time. 6.3. BIG REE GR OUP S 126 2 4 6 8 10 12 14 16 18 20 0 5 10 15 20 25 30 35 40 45 Benchmark of small Ree conjugation m, q = 3 2m + 1 Average time Figure 6.3. Benchmark o f s mall Ree conjugation 2 4 6 8 10 12 14 16 18 20 0 100 200 300 400 500 600 Benchmark of Large Ree recognition m, q = 2 2m + 1 Average time Figure 6.4. Benchmark o f La rge Ree conjugation Bibliograph y [Asc84] M. Asch bac her, On the maximal sub gr oups of the ﬁnit e c lassic al gr oups , Inv ent. Math. 76 (1984) , no. 3, 469–514. MR MR746539 (86a:20054) [Bab91] L´ aszl´ o Babai, L o c al exp ansion of vertex- tr ansitiv e gr aphs and r andom gener ation in ﬁnite gr oups , STOC ’91: Proceedings of the tw ent y-thir d annu al A CM symposi um on Theory of computing (New Y ork, N Y , USA), ACM Press, 1991, pp. 164–174. [BB99] L´ aszl´ o Babai and Rob ert Beals, A p olynomial-time the ory of black bo x g ro ups. I , Groups St. Andrews 1997 in Bat h, I, London Math. So c. Lecture Note Ser., vol. 260, Camb ridge Univ. Press, Cambridge, 1999 , pp. 30–64. M R M R1676609 (200 0h:20089) [BB07] John Br a y and Henrik B¨ a¨ arnhielm, Standar d gener ators for the Suzuki gr oups , preprint, 2007. [BK01] Peter A. Bro oksbank and William M. Kan tor, On c onstructi ve r e c o gnition of a black b ox PSL( d, q ), Groups and computation, I II (Co lumbus, O H , 1999 ), Ohio State Univ. Math. Res. Inst. Publ., v ol. 8, de Gruyter, Berlin, 2001 , pp. 95–111 . MR MR1829473 (2002m:20078 ) [BK06] , F ast c onstructive r e c o gnition of black b ox ortho gonal gr oups , J. Al gebra 300 (2006), no. 1, 256–288. M R MR2228648 [BKPS02] L´ aszl´ o Babai, William M. K antor, P´ eter P . P´ alfy , and ´ Ako s Seress, Black-b ox r e co g- nition of ﬁnite simple gr oups of Lie t yp e by statistics of element or ders , J. Group Theory 5 (2002), no. 4, 383–4 01. MR MR1931364 (2003i:20022) [Bra00] John N. Bray , An impr oved metho d for gener ating the c entr alizer of an involution , Arch. Math. (Basel) 74 (2000), no. 4, 241–24 5. MR M R1742633 (2001c:20063) [Bra07] , Pr esentations of the Suzuki gr oups , preprint, 2007. [Bro03a] Pete r A. Bro oksbank, Constructive r e co gnition of classic al g r oups in their natur al r epr esentation , J. Symbolic Comput. 35 (2003) , no. 2, 195–239. MR MR1958954 (2004c:200 82) [Bro03b] , F ast co nstructive r e co gnition of black-bo x unitary gro ups , LMS J. Comput. Math. 6 (2003), 162–197 (electronic) . MR M R2051584 (2005e:20075) [BS84] L´ aszl´ o Babai and Endre Szemer´ edi, On the co mplexity of matrix g r oup pr oblems, I , Pro c. 25th IEEE Symp os. F oundations Comp. Sci. , 1984, pp. 229–240. [CKSU05] Henry Cohn, Rob ert Kleinberg, Balazs Szegedy , and Christopher Umans, Gr oup- the or etic algorithms for matrix multiplic ation , FOCS ’05: Pro ceedings of the 46th Ann ual IEEE Symposium on F oundations of Computer Science (W ashington, DC , USA), IEEE Computer So ciet y , 2005, pp. 379–388. [CLG97] F rank Celler and C. R. Leedham-Green, Calculating the or der of an inve rtible ma- trix , Groups and computation, II (New Brunswick, NJ, 1995), DIMACS Ser. Dis- crete Math. Theoret. Comput. Sci., vol. 28, Amer. Math. Soc., Pro vidence, RI, 1997, pp. 55–60. MR MR1444130 (98g:2000 1) [CLG01] Marston Conder and Charles R. Leedh am-Green, F ast r ec o gnition of classic al gr oups over lar ge ﬁelds , Gr oups and computation, II I (Columbus, OH, 1999), Ohio State Univ. M ath. Res. Inst. Publ., vol. 8, de Gruyter, Berlin, 2001, pp. 113–121. MR MR1829474 (2002g:2000 1) 127 BIBLIOGRAPHY 128 [CLGM + 95] F rank Celler, Charles R. Leedham-Green, Scott H. Murr a y , Al ice C. Niemeye r, and E. A. O’ Brien, Gener ating r andom elements of a ﬁnite gr oup , Comm. Algebra 23 (1995), no. 13, 4931–4948. MR MR1356111 (96h:20115 ) [CLGO06] M. D. E. Conder, C. R. Leedha m-Green, and E. A. O’Brien, Constructive r e co gnition of PSL(2 , q ), T rans. Amer. Math. So c. 358 (2 006), no. 3, 1203–122 1 (electronic) . MR MR2187651 (2006j:20017) [Cop84] Don Coppersmith, F ast ev aluation of lo garithms in ﬁelds of char acteristic two , IEEE T rans. Inform. Theory 3 0 (1984), no. 4, 587–594 . MR M R755785 (85h:65041) [CR06] Charles W. Curtis and Irving Reiner, R epr esent ati on the ory of ﬁnite gr oups and asso ciative algebr as , AMS Chelsea Publishi ng, Providence , RI, 2006, Reprint of the 1962 original. MR MR2215618 (2006m:1600 1) [CW90] Don Coppersmith and Shmuel Winog rad, Matrix multiplic ation via arithmetic pr o gr essions , J. Sym b olic Comput. 9 (1990), no. 3, 251–280. MR MR1056627 (91i:68058) [DS99] Huiw en Deng and W ujie Shi, The c har acterization of Re e gr oups 2 F 4 ( q ) by their el- ement or ders , J. Algebra 217 (1999) , no. 1, 180–187. MR MR1700483 (2000i:20038) [Gie95] Mark Giesbrec ht , Ne arly optimal algorithms for c anonic al matrix forms , SIAM J. Comput. 24 (1995), no. 5, 948–969. MR MR1350753 (96f:65180) [GL01] Rob ert M. Guralnic k and F rank L¨ ubec k, O n p - singular elements in Cheval ley gr oups in char act e ristic p , Groups and computation, I I I (Columbus, OH, 1999), Ohio State Univ. M ath. Res. Inst. Publ., vol. 8, de Gruyter, Berlin, 2001, pp. 169–182. MR MR1829478 (2002d:2007 4) [GLGO06] S. P . Glasby , C. R. Leedham-Green, and E. A. O’Brien, Writing pr ojective r epr e- sentations over subﬁelds , J. A lgebra 295 (2006), no. 1, 51–61. M R MR2188850 (2006h:200 02) [GM93] Daniel M. Gordon and Kevin S. M cCurley , Massively p ar al lel c omputation of dis- cr et e lo garithms , CR YPTO ’92: Proceedings of the 12t h Annu al Int ernational Cryp- tology Conference on Adv ances in Cryptology (London, UK), Springer-V erlag, 1993, pp. 312–323. [HB82] Bertram Hupp ert and Norm an Black burn, Finite gr oups. III , Grundlehren der Math- ematisc hen Wissenschaften [F undamen tal Pr i nciples of Mathematical Sciences], vol. 243, Springer- V erlag, Berlin, 1982. MR MR662826 (84i:20001b) [HEO05] Derek F. Holt, Bettina Eic k, and Eamonn A. O’Brien, Handb o ok of c omputational gr oup the ory , Discrete Mathematics and its Applications (Boca Raton), Chapman & Hall/CRC, Boca Raton, FL, 2005. MR M R2129747 (2006f:20001) [HLO + 06] P . E. Holmes, S.A. Linton, E. A. O’Br i en, A. J. E. Ryba, and R. A. Wilson, Con- structive memb ership testing in black-bo x gro ups , pr epri nt , 2006. [HR94] Derek F. Holt and Sarah Rees, T esting mo dules for irr e ducibility , J. Austral. Math. Soc. Ser. A 57 (1994), no. 1, 1–16. MR M R1279282 (95e:200 23) [HRD05] Derek F. Holt and Colv a M. Roney-Dougal, Constructing maximal sub gro ups of clas- sic al gr oups , LMS J. Comput. Math. 8 (2005), 46–79 (electronic). MR MR2123130 (2005k:200 27) [HW79] G. H. Hardy and E. M. W right, An intr o duction to the the ory of numb ers , ﬁfth ed., The Clarendon Pr ess Oxford Universit y Pr ess, N ew Y ork, 1979. MR MR568909 (81i:10002) [IKS95] I. M. Isaacs, W. M. Kanto r, and N. Spaltenste in, On t he pr ob ability that a gr oup element is p -singular , J. Algebra 176 (1995), no. 1, 139–181. M R M R1345299 (96f:20035) [IL00] G´ abor Iv any os and Kl aus Lux, T r e ating the exc eptional c ases of t he Mea tAxe , Ex- peri men t. Math. 9 (2000), no. 3, 373–381. MR MR1795309 (2001j:16067) BIBLIOGRAPHY 129 [Kle88] Pe ter B. Klei dman, The maximal sub gr oups of the Cheval ley gr oups G 2 ( q ) with q o dd, the Re e gr oups 2 G 2 ( q ) , and their automorphism gr oups , J. Algebra 117 (1 988), no. 1, 30–71. MR M R 955589 (89j:20055) [KLM01] Gregor Kemper, F rank L ¨ ubec k, and Ka y Magaard, Matrix gener ators for the Re e gr oups 2 G 2 ( q ), Comm. Algebra 29 (200 1), no. 1, 407–413 . MR MR1842506 (2002e:200 25) [LG01] Charles R. Leedham-Green, The c omputational matrix gr oup pr oje ct , Groups and computation, II I (Colum bus, OH, 1999) , Ohio State Univ. Math. Res. Inst. Publ., v ol. 8, de Gruyter, Berlin, 2001, pp. 229–247. MR MR1829483 (2002d:20084) [LGM02] C. R. Leedham-Green and Scott H. Murray , V ariants of pr o duct r eplac ement , Computational and statistical group theory (Las V egas, N V/Hoboken, NJ, 2001), Con temp. Math., vol. 298, Amer. Math. So c., Pro vidence, RI, 2002, pp. 97–104. MR MR1929718 (2003h:2000 3) [LGO97a] C. R. Leedham-Green and E. A. O’Bri en, R e c o gnising tensor pr o ducts of matrix gr oups , Internat. J. Algebra Comput. 7 (19 97), no. 5, 541–559. MR MR1470352 (98h:20018 ) [LGO97b] , T ensor pr o ducts ar e pr oje ct ive ge ometrie s , J. Algebra 189 (1997 ), no. 2, 514–528. MR MR1438187 (98b:20073) [LL91] Y. N. Lakshman and Daniel Lazard, O n the c omplexity of zer o-dimensional alge- br aic sy stems , Eﬀective methods in algebraic geometry (Castigli oncello, 1990), Pr ogr. Math., vol. 94, Birkh¨ auser Boston, Boston, MA, 199 1, pp. 217–2 25. MR MR1106424 (92d:13017 ) [LN85] V. M. Levc huk and Y a. N. Nuzhin, The structur e of Re e gr oups , Algebra i Logik a 24 (1985), no. 1, 26–41, 122. M R MR816569 (87h:20085 ) [LS74] Vicent e Landazuri and Gary M. Seitz, On the minimal de g re es of pr oje c tive r epr esentations of the ﬁnit e Cheval ley gr oups , J. Al gebra 32 (1974), 418 –443. MR MR0360852 (50 #13299) [L ¨ ub01] F rank L¨ ub eck , Smal l de g r e e r epr ese nt ations of ﬁnite Cheval le y gr oups in deﬁn- ing char acteri st ic , LMS J. Comput. M ath. 4 (2001) , 135–169 (electronic). MR MR1901354 (2003e:200 13) [Luk92] Eugene M. Luks, Computing in solvable matrix gr oups , IEEE Symposium on F oun- dations of Computer Science, 1992, pp. 111–120. [L W98] Klaus Lux and Markus Wiegelmann, Condensing tensor pr o duct mo dules , The at- las of ﬁnite groups: ten years on (Bir mingham, 1995), London M ath. So c. Lec- ture Note Ser., vo l. 249, Camb ridge Univ. Press, Cambridge, 1998, pp. 174–190. MR MR1647421 (99i:20018) [Mal91] Gun ter Malle, The maximal sub gr oups of 2 F 4 ( q 2 ), J. Algebra 139 (1991), no. 1, 52–69. MR M R 1106340 (92d:20068) [MSC96] D. S. Mitrinovi ´ c, J. S´ andor, and B. Crstici, Handb o ok of numb er t he ory , Mathematics and i ts Applications, vo l. 351, Kluw er Acade mic Publishers Group, Dordrec ht , 1996. MR MR1374329 (97f:11001) [OL05] Eamonn A. O ´ Brien and M ar tin W. Lieb eck, Finding the char acteristic of a gro up of Lie typ e , J. London Math. Soc. (2005), to app ear. [Ono62] T ak ashi Ono, An identiﬁc ation of Suzuki gr oups with gr oups of gener alize d Lie typ e. , Ann. of Math. (2) 75 (1962), 251–259. MR MR0132780 (24 #A2616) [Ono63] , Corr ection t o “An identiﬁc ation of Suzuki gr oups with gr oups of gener alize d Lie typ e” , Ann. of Math. (2) 77 (1963) , 413. MR MR0144967 (26 #2507) [Pak0 0] Igor P ak, The pr o duct r eplac ement algorithm is p olynomial , FOCS ’00: Pro ceedings of the 41st Annua l Symposium on F oundations of Computer Science (W ashington, DC, USA), IEEE Computer Society , 2000, pp. 476–485. BIBLIOGRAPHY 130 [Pak0 1] , What do we know ab out the pr o duct r e plac ement algorithm? , Groups and computation, II I (Colum bus, OH, 1999) , Ohio State Univ. Math. Res. Inst. Publ., v ol. 8, de Gruyter, Berlin, 2001, pp. 301–347. MR MR1829489 (2002d:20107) [Par84] R . A. Parke r, The c omputer c alculation of mo dular char acters (the me at-axe) , Com- putational group theo ry (Durham, 1982), Academic P r ess, London, 1984, pp. 267– 274. MR MR760660 (85k:20041) [R D05] R Dev elopmen t Core T eam, R: A language and enviro nment for statisti c al c omput- ing , R F ounda tion for Statistical Computing, Vienna, Austria, 2005, 3-900051-07-0. [Ree60] R imhak Ree, A family of simple g r oups asso ciate d with the simple Lie algebr a of typ e ( G 2 ), Bull. Amer. Math. Soc. 66 (1960), 508–510. MR MR0125154 (23 #A2460a) [Ree61a] , A family of simple g r oups asso ciate d with the simple Lie algebr a of typ e ( F 4 ), Bul l . Amer. Math. So c. 67 (1961), 115–116 . MR M R0125155 (23 #A2460b) [Ree61b] , A family of simple g r oups asso ciate d with the simple Lie algebr a of typ e ( F 4 ), Am er. J. Math. 83 (1961), 401–420. MR MR0132781 (24 #A2617) [Ree61c] , A family of simple g r oups asso ciate d with the simple Lie algebr a of typ e ( G 2 ), Amer. J. Math. 83 (1961), 432–462. MR M R0138680 (25 #2123) [R´ on90] Laj os R´ ony ai, Computing the st ructur e of ﬁnite algebra s , J. Symbolic Comput. 9 (1990), no. 3, 355–373. M R MR1056632 (91h:68093 ) [Ser03] ´ Ako s Seress, Permutation gr oup algorithms , Cambridge T racts in Mathe matics, vol. 152, Cambridge Universit y Press, Cambridge, 2003. MR MR1970241 (2004c:200 08) [Shi74] K en-ich i Shino da, The c onjugacy classes of Cheval ley gr oups of ty p e ( F 4 ) over ﬁnite ﬁelds of char acteristic 2, J. F ac. Sci. Univ. T okyo Sect. I A Math. 21 (1974), 133–159. MR MR0349863 (50 #2356) [Shi75] , The c onjugacy classes of the ﬁnite Re e gr oups of typ e ( F 4 ), J. F ac. Sci. Univ. T okyo Sect. I A Math. 22 (1975), 1–15. MR MR0372064 (51 #8281) [Shp99] Igor E. Shparlinski, Finite ﬁelds: the ory and c omputation , M athematics and its Applications, v ol. 477, Kluw er Academic Publis hers, Dordr ec ht , 1999, The m eet- ing point of num b er theory , computer science, coding theory and cryptograph y . MR MR1745660 (2001g:1118 8) [Sta06] Mark James Stather, Algorithms for c omputing with ﬁnite matrix gr oups , Ph.D. thesis, Universit y of W arwic k, August 2006. [Ste63] R obert Steinberg, R e pr esentations of algebr aic gr oups , Nago y a Math. J. 22 (1963), 33–56. MR M R 0155937 (27 #5870) [Ste77] , On the or ems of Lie-Kolchin, Bor el, and Lang , Con tributions to al gebra (collection of pap ers dedicated to Ellis Kolch in), Academic Pr ess, New Y ork, 1977, pp. 349–354. MR MR0466336 (57 #6216) [Ste97] A llan Steel, A ne w algorithm for t he c omputation of can onic al forms of matric es over ﬁelds , J. Symbolic Comput. 24 (199 7), no. 3-4, 409–432 , Computational algebra and n umber theory (London, 1993) . MR M R1484489 (98m:65070) [Str69] V olker Strassen, Gaussian elimination is not optima l , Numer. M ath. 1 3 (196 9), 354– 356. MR MR0248973 (40 #2223) [Suz60] Michio Suzuki, A new typ e of simple gr oups of ﬁnite or der , Proc. Nat. Acad. Sci. U.S.A. 46 (1960), 868–870. M R MR0120283 (22 #11038) [Suz62] , On a class of doubly tra nsitive g ro ups , Ann. of Math. (2) 75 (1962) , 105–145. MR MR0136646 (25 #112) [Suz64] , On a c lass of doubly tr ansitive gr oups. II , Ann. of M ath. (2) 79 (196 4), 514–589. MR MR0162840 (29 #144) [SZ93] Gary M. Seitz and Alexander E. Zalesskii , On the minimal de gr ees of pr oje ctive r epr esentations of the ﬁnite Cheval ley gr oups. II , J. Algebra 158 (19 93), no. 1, 233– 243. MR MR1223676 (94h:20017) BIBLIOGRAPHY 131 [Tho01] Emman uel Thom´ e, Comp utation of discr ete lo garithms in F 2 607 , Adv ances in cryptology—ASIA CR YPT 2001 (Gold Coast), Lecture Notes in Comput. Sci., vol. 2248, Springer, Berlin, 2001, pp. 107–124. M R MR1934518 (2003h:940 51) [vzGG03] Joac him von zur Gathen and J ¨ urgen Gerhard, Mo dern c omputer algebr a , second ed., Camb ridge Univ ersity Press, Cambridge, 2003. MR MR2001757 (2004g:68202) [W ar63] Harold N. W ar d, O n Re e’s series of simple gr oups , Bull. A mer. Math. Soc. 69 (1963 ), 113–114. MR MR0141707 (25 #5104) [W ar66] , On Re e’s series of simple gr oups , T rans. Amer. Math. So c. 12 1 ( 1966), 62–89. MR M R 0197587 (33 #5752) [Wil05] R. A. Wilson, Finite simple gr oups , preprint, 2005. [Wil06] , Elementary c onstructions of the Re e gr oups , preprint , 2006. [WP06] R. A. Wilson and C. W. Park er , R e c o gnising simplicity of black-bo x gr oups , submitted (2006).

Algorithmic problems in twisted groups of Lie type

Original Paper

Comments & Academic Discussion

Leave a Comment

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment