Innovations in Computer Science 2011 Cycle Detection, Order Finding and Discrete Log with Jumps Sourav Chakraborty1 David Garc¶³a-Soriano1 Arie Matsliah1 1CWI, Amsterdam, Netherlands [email protected] [email protected] [email protected] Abstract: Let S be a ¯nite set. Given a function f : S ! S and an element a 2 S, de¯ne f 0(a) = a and f i(a) = f(f i¡1(a)) for all i ¸ 1. Let s ¸ 0 and r > 0 be the smallest integers such that f s(a) = f s+r(a). Determining s and r, given a 2 S and a black-box oracle to f, is the cycle-detection problem. When f is bijective (i.e., f is a permutation of S), the order-¯nding problem is to ¯nd the smallest r > 0 such that f r(a) = a, and the discrete-log problem is, given an additional element b 2 S, to ¯nd the smallest k ¸ 0 such that f k(a) = b. We study the query complexity of these problems with oracles that allow \jumps" to distant positions in the 0 1 2 ¤ m sequencea ¹ , f (a)f (a)f (a) ¢ ¢ ¢ 2 S at unit cost. Speci¯cally, for every m 2 N the oracle Of is de¯ned, which m i for every a 2 S allows to look ahead at any position i < m in the sequencea ¹; that is, Of (a; i) = f (a) for every (a; i) 2 S £ [m]. 1 We show that with an unrestricted oracle Of , the cycle-detection and order-¯nding problems can be solved using O(log s+log r= log log log r) and O(log r= log log log r) queries, respectively, regardless of jSj. This is nearly optimal, as we also prove lower bounds of ­(log s + log r= log log r) and ­(log r= log log r) queries. Interestingly, forp the discrete-log problem, our results combined with the algorithm of Sutherland [8] imply a lower bound of ­( r= log r) queries (where r is the size of the cycle to which both a and b belong), which is tight up to the log r factor. This contrasts with the fact that, with generic group-operation oracles, the problems of order ¯nding and discrete log are known to have polynomially related query complexities. m We also provide algorithms and lower bounds for general oracles Of , m 2 N, improving results from earlier work. In particular, with m = poly(r), our lower bound for order-¯nding improves the previous bound of ­(e r1=3) queries, proved by Cleve [2], to ­(e r1=2), which is nearly optimal. Keywords: cycle detection, order ¯nding, period ¯nding, query complexity, sublinear algorithms. In the present paper the main measure of e±ciency 1 Introduction considered is the query complexity (number of ele- ments of sequencea ¹ inspected). Clearly, with the Cycle detection, order ¯nding and discrete log standard oracle, which only allows to evaluate f on are well-studied problems in various settings and a certain input, one cannot do better than evaluating models. There are plenty of algorithms, lower f at least s + r times. Here we consider the more bounds and more general time-space trade-o® powerful oracles, which allow longer \jumps" in the results known for these problems (some of the sequencea ¹ at unit cost. highlights can be found on the Wikipedia pages http://en.wikipedia.org/wiki/Cycle detection and There are various scenarios in which our objective http://en.wikipedia.org/wiki/Discrete log). to minimize the number of such queries may make sense. One example is when S is the set of possible In most of the relevant literature, time and space states of a system and f corresponds to a program complexity are the main measures of e±ciency for al- being executed on it; that is, f maps a given state a gorithms solving these problems. The classical \tor- to the state f(a) reached on completion of the next toise and hare" algorithm of Floyd [3] is probably execution step. In this setting, running the program i the best example of a cycle-detecting algorithm with for i > 1 steps and then reading the state f (a) may optimal space complexity: it uses only two pointers be almost as fast as reading just the next state f(a). to elements in S, which move through the sequence a¹ = f 0(a)f 1(a) ¢ ¢ ¢ at di®erent speeds, and detects a We are aware of two works that are directly re- cycle after O(s + r) steps (and function evaluations). lated to the model we study here. First is the decade- old work of Cleve [2], where a query-complexity lower 284 CYCLE DETECTION, ORDER FINDING AND DISCRETE LOG WITH JUMPS bound is shown for order-¯nding. Second is the more to ¼, ¯nd the smallest r > 0 such that ¼r(a) = a; recent work of Lachish and Newman [5], who study this is the length of the cycle to which a belongs the related problem of periodicity testing. in the cycle decomposition of ¼. Similarly, one can view this as the problem of ¯nding the period Also somewhat related are the works in which S length r in a purely periodic sequencea ¹, in which corresponds to a group, and the complexity of these a0; : : : ; ar¡1 are distinct and ai = ai+r for all problems is measured in terms of the number of group i ¸ 0 (i.e. s = 0).1 The m-restricted oracle is operations required before obtaining the result. See viewed in this setting as allowing one to query more on this in Section 5.3. position p + i ofa ¹ (where 0 · i < m), provided p = 0 or is a previously queried position. 2 De¯nition of the model and ² Discrete log: Given a; b 2 S and oracle access to ¼, ¯nd the smallest k > 0 such that ¼k(a) = b. problems If no such k exists (i.e. a and b belong to di®erent cycles), output 1. Unless explicitly mentioned otherwise, all indices in this paper are 0-based by default; likewise, [m] = f0; 1; : : : ; m ¡ 1g. The symbol log denotes loga- 3 Our results rithms to the base 2, and ln denotes the natural log- arithm. For notational brevity, instead of writing 1) Cycle detection maxflog x; 1g, we de¯ne log x to be 1 when x < 2 1 in order for expressions such as log log n to be de¯ned We show that with the unrestricted oracle Of , for all n. O(log s + log r= log log log r) queries are su±cient for cycle detection. Furthermore, if r is promised to be a prime power then O(log s + log r= log log r) queries 2.1 The model su±ce. We also show a nearly matching lower bound of ­(log s + log r= log log r) queries for this problem. Here S is a ¯nite set and f an arbitrary function mapping S to itself. In the unrestricted case we are For restricted oracles Om we prove an upper bound 1 f given an oracle Of : S £ N ! S that maps every of O (log s + s=m + log r= log log log r + r= log m) query (a; i) to f i(a). (The iterated function f i(a) is queries, and a lower bound of de¯ned as f 0(a) = a and f i(a) = f i¡1(f(a)).) In m the m-restricted case, where m 2 N, the oracle Of : ­(log s + s=m + log r= log log r+ S £ [m] ! S is de¯ned similarly, except restriction p 0 · i < m must hold. When we want to impose the + r=(log m log r) + r=m) additional constraint that f be a permutation of S, queries. we may write ¼ instead of f. 2) Order ¯nding in permutations 2.2 The problems 1 For Of we show that O(log r= log log log r) The problems we consider here are: queries are su±cient for order ¯nding (here too, O(log r= log log r) queries su±ce if r is promised to ² Cycle detection: Given a 2 S and oracle ac- be a prime power), and that ­(log r= log log r) queries cess to f, ¯nd the smallest s ¸ 0 and r > 0 such are necessary. that f s(a) = f s+r(a). Considering the sequence For the general oracle Om we prove an upper a¹ = a a ::: given by a = f i(a), it is easily seen f 0 1 i bound of O (log r= log log log r + r= log m) queries, and that a0; : : : ; ar+s¡1 are distinct and ai = ai+r p whenever i ¸ s. In this case an equivalent de¯- a lower bound of ­(log r= log log r+ r=(log m log r)+ nition avoiding an explicit mention of the func- 1One may also consider the problem of ¯nding the period of tion f is an oracle that allows probing a sequence a general sequence (not arising from a permutation), where the ¤ same value may appear several times within each period. In this a¹ 2 S having the property that ai = aj implies a = a . The integer r is called the length case, upper and lower bounds of £(r) queries are straightfor- i+1 j+1 ward (for any type of oracle). However, in the property-testing of the cycle, and s its starting position. setting, where the task is to distinguish periodic sequences from ² Order ¯nding: Given a 2 S and oracle access those that are \far from periodic", highly non-trivial bounds were obtained in [5] 285 S.