Adjoint representations of black box groups ${\rm PSL}_2(\mathbb{F}_q)$

Given a black box group $\mathsf{Y}$ encrypting $\rm{PSL}_2(\mathbb{F})$ over an unknown field $\mathbb{F}$ of unknown odd characteristic $p$ and a global exponent $E$ for $\mathsf{Y}$ (that is, an integer $E$ such that $\mathsf{y}^E=1$ for all $\mathsf{y} \in \mathsf{Y}$), we present a Las Vegas algorithm which constructs a unipotent element in $\mathsf{Y}$. The running time of our algorithm is polynomial in $\log E$. This answers the question posed by Babai and Beals in 1999. We also find the characteristic of the underlying field in time polynomial in $\log E$ and linear in $p$. Furthermore, we construct, in probabilistic time polynomial in $\log E$, 1. a black box group $\mathsf{X}$ encrypting $\rm{PGL}_2(\mathbb{F}) \cong\rm{SO}_3(\mathbb{F})$, its subgroup $\mathsf{Y}^\circ$ of index $2$ isomorphic to $\mathsf{Y}$ and a probabilistic polynomial in $\log E$ time isomorphism $\mathsf{Y}^\circ \longrightarrow \mathsf{Y}$; 2. a black box field $\mathsf{K}$, and 3. polynomial time, in $\log E$, isomorphisms \[ \rm{SO}_3(\mathsf{K}) \longrightarrow \mathsf{X} \longrightarrow \rm{SO}_3(\mathsf{K}). \] If, in addition, we know $p$ and the standard explicitly given finite field $\mathbb{F}$ isomorphic to $\mathbb{F}$ then we construct, in time polynomial in $\log E$, isomorphism \[ \rm{SO}_3(\mathbb{F})\longrightarrow \rm{SO}_3(\mathsf{K}). \] Unlike many papers on black box groups, our algorithms make no use of additional oracles other than the black box group operations. Moreover, our result acts as an $\rm{SL}_2$-oracle in the black box group theory. We implemented our algorithms in GAP and tested them for groups such as $\rm{PSL}_2(\mathbb{F})$ for $|\mathbb{F}|=115756986668303657898962467957$ (a prime number).

1. Introduction

1.1. The principal results. Black box groups were introduced by Babai and Szemeredi [4] as an idealized setting for randomized algorithms for solving permutation and matrix group problems in computational group theory. A black box group X is a black box (or an oracle, or a device, or an algorithm) operating with 0-1 strings of uniform length which encrypt (not necessarily in a unique way) elements of some finite group G. In various classes of black box problems the isomorphism type of G could be known in advance or unknown.
All black box groups in this paper are assumed to satisfy Axioms BB1-BB4 from Sections 2.1 and 2.2 although all algorithms in this paper work under weaker axioms BB1-BB3 and BB5 (the latter is from Section 2.3). In particular, we assume that for every black box group X we are given a global exponent, that is, an integer E such that $x^E = 1$ for all x ∈ X.
We propose an algorithm which solves the old problem by Babai and Beals [2, Problem 10.1] that remained open since 1999. We prove the following theorem.
Theorem 1.1. Given a global exponent E for a black box group Y encrypting ${\rm PSL}_2$ over some finite field of unknown odd characteristic p, we construct a non-trivial unipotent element in Y in time linear in p and polynomial in log E. In particular, we find the characteristic p of the underlying field.
If the characteristic p is known in advance, then we construct a non-trivial unipotent element in Y in time polynomial in log E.
In case of p = 2, the Babai-Beals problem has been solved by Kantor and Kassabov [22]; we briefly discuss its version in Section 3.8 as an illustration of our methods.
Note that, in the first part of the statement of Theorem 1.1, we do not have any information about the ground field of the group Y. However, we use some form of an upper bound on the size of this field which is implicitly present in the global exponent E.
In the special case of matrix groups, Theorem 1.1 takes the form that also remained unknown until now.
Corollary 1.2. Given matrices $g_1, \dots, g_m$ in a group ${\rm GL}_n(F)$ of matrices over a finite field $F_{p^k}$ of odd characteristic p which generate a subgroup G isomorphic to ${\rm SL}_2(F_{p^l})$, we can find in G a non-trivial unipotent element in probabilistic time polynomial in k, l, m, n and log p.
Our next result is the solution to the problem of recognizing a black box group encrypting ${\rm PSL}_2$ defined over a field of unknown odd characteristic.
Theorem 1.3. Given a global exponent E for a black box group Y encrypting ${\rm PSL}_2$ over some finite field of unknown odd characteristic p, we construct, in probabilistic time polynomial in log E,
• a black box group X encrypting ${\rm SO}_3$ over the same field as Y and an effective embedding $Y \hookrightarrow X$;
• a black box field K, and
• the following isomorphisms
\[ {\rm SO}_3(\mathsf{K}) \longrightarrow \mathsf{X} \longrightarrow {\rm SO}_3(\mathsf{K}). \]
If p is known and F is the standard explicitly given finite field of characteristic p isomorphic to the field on which Y is defined, then we also construct, in log E-time, an isomorphism ${\rm SO}_3(F) \longrightarrow {\rm SO}_3(K)$.
Since, by Theorem 1.1, we can find the characteristic p of the underlying field in time linear in p and polynomial in log E, we have a stronger result in small odd characteristics:
Corollary 1.4. We construct, in time linear in p and polynomial in log E, an isomorphism $X \longleftrightarrow {\rm SO}_3(F)$, where F is the standard explicitly given finite field.
In particular this means that, in small odd characteristics, our algorithm fully replaces the so-called "${\rm SL}_2$ oracle", an assumption of the existence of a two-way polynomial time isomorphism between an arbitrary black box group encrypting ${\rm SL}_2(F_{p^k})$ and the group ${\rm SL}_2(F_{p^k})$ over the standard explicitly given field $F_{p^k}$. The first use of an "${\rm SL}_2$ oracle" appeared in 2001; quite a number of papers referring to ${\rm SL}_2$ oracles followed.
1.2. A very brief outline of the proof. The proof of Theorem 1.3 will be achieved as a sequence of steps some of which are interesting on their own.
(a) We embed $Y \hookrightarrow X$, where X encrypts ${\rm SO}_3(F)$, see Theorem 4.1.
(b) Using involutions in X, we construct a black box projective plane P that encrypts the projective plane of the 3-dimensional space of adjoint representation of ${\rm PGL}_2(F) \simeq {\rm SO}_3(F)$ on its Lie algebra $l = {\rm sl}_2(F)$.
(c) We coordinatize P by homogeneous coordinates over a black box field K constructed in the projective plane P.
(d) We use the action of X on P to construct a matrix representation $X \longrightarrow {\rm SO}_3(K)$.
(f) The map ${\rm SO}_3(F) \longrightarrow {\rm SO}_3(K)$ is constructed from the canonical isomorphism $F \longrightarrow K$ from the standard finite field F onto a black box field K; this isomorphism is polynomial time and exists due to a result by Maurer and Raub [27] formulated in our paper as Theorem 2.2 (the complexity of the inverse isomorphism is unknown).
1.3. Monte-Carlo algorithms. Recall that a Monte-Carlo algorithm is a randomized algorithm which gives a correct output to a decision problem with probability strictly bigger than 1/2. The probability of having incorrect output can be made arbitrarily small by running the algorithm sufficiently many times. A Monte-Carlo algorithm with outputs "yes" and "no" is called one-sided if the output "yes" is always correct. A special case of Monte-Carlo algorithms is a Las Vegas algorithm which either outputs a correct answer or reports failure. A detailed comparison of Monte-Carlo and Las Vegas algorithms, both from practical and theoretical point, can be found in [1].
By the nature of our axioms, all algorithms for black box groups (in the sense of Axioms BB1-BB4 and BB5) are Monte-Carlo. In most applications, our algorithms can be easily made Las Vegas if additional information of some kind is provided about X, for example a set of its generators, that is, strings in X which represent a generating set of the group G encrypted by X, or the order of the field F.
The results of this paper suggest that the distinction between Monte-Carlo and Las Vegas probabilistic algorithms is external to the structural theory of black box groups although, of course, it remains quite natural and crucially important in its concrete applications.

Terminology and notation.
In what follows we make extensive use of the language of projective geometry, see, for example, Coxeter [15] and Hartshorne [20]. Group theoretic terminology mostly follows [18].
1.5. Organization of the paper. In Section 2, we discuss the axioms of black box groups and black box fields. We also prove the Tonelli-Shanks algorithm for black box groups. In Section 3, we introduce morphisms and protomorphisms of black box groups and the procedure called the reification of an involution. We also explain how our arguments work in the even characteristic producing a unipotent element in ${\rm PSL}_2(2^n)$. In Section 4, we prove a theorem about constructing a black box group encrypting ${\rm SO}_3$ from a black box group encrypting ${\rm PSL}_2$. In Section 5, we discuss the geometry of involutions in ${\rm SO}_3$ and in Section 6, we construct the black box projective plane. In Section 7, we summarize the procedures we can handle in the black box projective plane. In Section 8, we construct a black box subgroup encrypting ${\rm Sym}_4$ in a black box group encrypting ${\rm SO}_3$ and in Section 9, we apply Hilbert's coordinatization to the black box projective plane and construct a black box field. In Section 10, we prove Theorem 1.1 and in Section 11, we prove Theorem 1.3. In Section 12, we present the complexities of the procedures presented in this paper. Finally, in Section 13, we make a few remarks about possible improvements in our algorithms.

Black box groups
2.1. Axioms for black box groups. The functionality of a black box X for a finite group G is specified by the following axioms.
BB1 X produces strings of fixed length l(X) encrypting random (almost) uniformly distributed elements from G; this is done in probabilistic time polynomial in l(X).
BB2 X computes, in probabilistic time polynomial in l(X), a string encrypting the product of two group elements given by strings or a string encrypting the inverse of an element given by a string.
BB3 X decides, in probabilistic time polynomial in l(X), whether two strings encrypt the same element in G; therefore identification of strings is a canonical projection
We shall say in this situation that X is a black box over G or that a black box X encrypts the group G. Notice that we are not making any assumptions of practical computability or the time complexity of the projection π.
A typical example of a black box group is provided by a group G generated in a big matrix group ${\rm GL}_n(r^k)$ by several matrices $g_1, \dots, g_l$. The product replacement algorithm [13] produces a sample of (almost) independent elements from a distribution on G which is close to the uniform distribution (see a discussion and further development in [3,11,17,26,31,30,32]). We can, of course, multiply, invert, compare matrices. Therefore the computer routines for these operations together with the sampling of the product replacement algorithm run on the tuple of generators $(g_1, \dots, g_l)$ can be viewed as a black box X encrypting the group G. The group G could be unknown (in which case we are interested in its isomorphism type) or its isomorphism type could be known, as it happens in a variety of other black box problems.
The concept of a black box can be applied to rings, fields, and, as we can see in this paper, even to projective planes.

2.2. Global exponent and Axiom BB4. Notice that even in routine examples the number of elements of a matrix group G could be astronomical, thus making many natural questions about the black box X over G (for example, finding the isomorphism type or the order of G) inaccessible for all known deterministic methods. Even when G is cyclic and thus is characterized by its order, existing approaches to finding exact multiplicative orders of matrices over large finite fields are conditional and involve prime factorization of large integers.
Nevertheless black box problems for matrix groups have a feature which makes them more accessible:
BB4 We are given a global exponent of X, that is, a natural number E such that $\pi(x)^E = 1$ for all strings x ∈ X while computation of $x^E$ is computationally feasible (say, log E is polynomially bounded in terms of log |G|).
If we know factorization of E into prime factors, we can find the order of any element x ∈ X as the minimal divisor e of E such that $x^e = 1$. However, we wish to work with linear groups over fields of large characteristic where factorization of E is becoming unfeasible. Our approach allows us to avoid determination of orders of random elements from X and consequently avoid making any assumptions about the prime factorization of the global exponent.
For a black box group X arising from a subgroup in the ambient group ${\rm GL}_n(r^k)$, the exponent of ${\rm GL}_n(r^k)$ can be taken for a global exponent of X.
2.3. Axiom BB5. Our last comment on the axiomatics of black box groups is an observation that in almost all our work in this and subsequent papers [8,10,38,39] Axiom BB4 can be replaced by its corollary, Axiom BB5.
BB5 We are given a partial 1- or 2-valued function ρ of two variables on X that computes, in probabilistic time polynomial in l(X), square roots in cyclic subgroups of X in the following sense: if x ∈ X and $y \in \langle x \rangle$ has square roots in $\langle x \rangle$ then ρ(x, y) is the set of these roots. In particular,
• if |x| is even, ρ(x, 1) is the subgroup of order 2 in $\langle x \rangle$;
• if |x| is even, then, consecutively applying $\rho(x, \cdot)$ to 2-elements in $\langle x \rangle$, we can find 2-elements in $\langle x \rangle$ of every order present;
• if |x| is odd, and $y \in \langle x \rangle$ then ρ(x, y) is the unique square root of y in $\langle x \rangle$.
We emphasize that Axiom BB5 provides everything needed for construction of centralizers of involutions by the maps $\zeta_0$ and $\zeta_1$ [7].
Axiom BB5 follows from BB4 by the Tonelli-Shanks algorithm [35,36] applied to the cyclic group $\langle x \rangle$, see the next lemma included here for completeness of exposition (usually the Tonelli-Shanks algorithm is formulated only for multiplicative groups of finite fields).
Lemma 2.1 (The Tonelli-Shanks Algorithm). Let T be a cyclic black box group of known global exponent E. Let z be an element in T that has a square root in T. Then an element t ∈ T such that $t^2 = z$ can be found in probabilistic polynomial time in log E.
Proof. We set $E = 2^m n$ where (2, n) = 1. Given g ∈ T, we shall say that l is the 2-height of g, if $|g^n| = 2^l$; notice that this is equivalent to $2^l$ being the largest power of 2 that divides the order |g| of g.
Let g ∈ T be an element with maximal 2-height l, that is, the order of g is divisible by the maximum power of 2 dividing the order of T. Then, clearly, g cannot be a square in T, namely, there are no elements y ∈ T such that $y^2 = g$. We set $a := z^{(n+1)/2}$, $b := z^n$, $c := g^n$ and run the loop:
• When d = 0, the element a is the desired square root of z.
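The square-root procedure of Lemma 2.1, as an added Python example (not the authors' GAP implementation): it starts from the values a, b, c defined in the proof and runs the standard Tonelli-Shanks iteration using only black-box multiplication, equality tests and random sampling, never factoring E. The class `CyclicBlackBox`, the prime `Q = 12289` and the exponent `E = 5 * (Q - 1)` are constructed sample values chosen so that E is a global exponent but not the group order.

```python
import random

Q = 12289            # constructed sample: prime with Q - 1 = 2^12 * 3
E = 5 * (Q - 1)      # a global exponent of (Z/QZ)^*, deliberately not its order


class CyclicBlackBox:
    """Toy black box for the cyclic group (Z/qZ)^* (assumption of this example).
    The algorithm below only calls one/rand/mul/eq, mirroring Axioms BB1-BB3."""

    def __init__(self, q, seed=0):
        self._q = q
        self._rng = random.Random(seed)

    def one(self):
        return 1

    def rand(self):
        return self._rng.randrange(1, self._q)

    def mul(self, x, y):
        return x * y % self._q

    def eq(self, x, y):
        return (x - y) % self._q == 0


def power(T, x, e):
    """x^e by square-and-multiply, using black-box multiplication only."""
    result, base = T.one(), x
    while e > 0:
        if e & 1:
            result = T.mul(result, base)
        base = T.mul(base, base)
        e >>= 1
    return result


def two_height(T, y, m):
    """Least d with y^(2^d) = 1, for y whose order divides 2^m."""
    d = 0
    while not T.eq(y, T.one()):
        y = T.mul(y, y)
        d += 1
        if d > m:
            raise ValueError("E is not a global exponent for this element")
    return d


def black_box_sqrt(T, z, E, attempts=64):
    """Return t with t^2 = z, or None (Las Vegas failure report)."""
    m, n = 0, E
    while n % 2 == 0:            # write E = 2^m * n with n odd
        n //= 2
        m += 1
    a = power(T, z, (n + 1) // 2)    # invariant throughout: a^2 = z * b
    b = power(T, z, n)               # b has order 2^d
    d = two_height(T, b, m)
    if d == 0:
        return a
    # Sample g until c = g^n has 2-height r > d; if z is a square in T,
    # each sample succeeds with probability at least 1/2.
    for _ in range(attempts):
        c = power(T, T.rand(), n)
        r = two_height(T, c, m)
        if r > d:
            break
    else:
        return None
    while d > 0:
        t = power(T, c, 1 << (r - d - 1))   # t has order 2^(d+1)
        c = T.mul(t, t)                     # c has order 2^d
        a = T.mul(a, t)
        b = T.mul(b, c)                     # order of b strictly drops
        r = d
        d = two_height(T, b, m)
    return a


if __name__ == "__main__":
    T = CyclicBlackBox(Q, seed=1)
    z = power(T, 1234, 2)
    t = black_box_sqrt(T, z, E)
    print(t, T.eq(T.mul(t, t), z))
```

When z is not a square in T, no sampled c can have 2-height above d, so the function exhausts its attempts and returns None instead of a wrong answer.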
In this paper, we assume that all our black box groups satisfy assumptions BB1-BB4 or BB1-BB3 and BB5. We emphasize that we do not assume that black box groups under consideration in this paper are given as subgroups of ambient matrix groups; thus our approach is wider than the setup of the computational matrix group project [23]. Notice that we are not using the Discrete Logarithm Oracles for finite fields $F_q$: in our setup, we start with a black box group without any access to the field over which the group is defined.
2.4. Black box fields. We define black box fields by analogy with black box groups, and the reader may wish to compare our exposition with [6]. We note here that, in this paper, we do not necessarily know the characteristic of the field. Therefore we slightly generalize the definition of a black box field given in [6,27] by removing the assumption that the characteristic of the field is known.
A black box (finite) field K is an oracle or an algorithm operating on 0-1 strings of uniform length (input length) which encrypts some finite field F. The oracle can compute x + y, xy and decide whether x = y for any strings x, y ∈ K. If the characteristic p is known, we say that K is a black box field of known characteristic p. We refer the reader to [6,27] for more details of black box fields of known characteristic and their applications to cryptography.
In this paper, we shall be using some results about the isomorphism problem for black box fields of known characteristic p [27], that is, the problem of constructing an isomorphism and its inverse between K and an explicitly given finite field $F_{p^n}$.
The explicit data for a finite field of cardinality $p^n$ is defined to be a system of structure constants over the prime field, that is $n^3$ elements $(c_{ijk})_{i,j,k=1}^n$ of the prime field $F_p = \mathbb{Z}/p\mathbb{Z}$ (represented as integers in [0, p − 1]) so that $F_{p^n}$ becomes a field with ordinary addition and multiplication by elements of $F_p$, and multiplication determined by where $s_1, s_2, \dots, s_n$ denotes a basis of $F_{p^n}$ over $F_p$. The concept of an explicitly given field of order $p^n$ is robust; indeed, Lenstra Jr. has shown in [24, Theorem 1.2] that for any two fields A and B of order $p^n$ given by two sets of structure constants $(a_{ijk})_{i,j,k=1}^n$ and $(b_{ijk})_{i,j,k=1}^n$ an isomorphism $A \longrightarrow B$ can be constructed in time polynomial in n log p.
Maurer and Raub [27] proved that a construction of an isomorphism and its inverse between a black box field K of known characteristic p and an explicitly given field $F_{p^n}$ is reducible in polynomial time to the same problem for the prime subfield in K and $F_p$.
Using our terminology, their proof can be reformulated to yield the following result.
Theorem 2.2. Let K and L be black box fields of known characteristic p encrypting the same finite field and $K_0$, $L_0$ their prime subfields. Then an isomorphism $K_0 \longrightarrow L_0$ can be extended in time polynomial in the input length to an isomorphism
Obviously, if char K = p and p is known, we can find multiplicative inverses easily and therefore we always have an isomorphism $F_p \longrightarrow K_0$. The existence of the reverse isomorphism $F_p \longleftarrow K_0$ would follow from solution of the discrete logarithm problem in $K_0$. In particular, this means that, for small primes p, every black box field of order $p^n$ is effectively isomorphic to $F_{p^n}$.

Morphisms and protomorphisms
3.1. Morphisms. Given two black boxes X and Y encrypting finite groups G and H, respectively, we say that a map ζ which assigns strings from X to strings from Y is a morphism of black box groups, if
• the map ζ is computable in probabilistic time polynomial in l(X) and l(Y), and
• there is an abstract homomorphism φ : G → H such that the following diagram is commutative:
where $\pi_X$ and $\pi_Y$ are the canonical projections of X and Y onto G and H, respectively.
We shall say in this situation that a morphism ζ encrypts the homomorphism φ. For example, morphisms arise naturally when a black box group X is given by a generating set and we replace a generating set for the black box group X by a more convenient one and start sampling the product replacement algorithm for the new generating set; in fact, we replace a black box for X and deal with a morphism $Y \longrightarrow X$ from the new black box Y into X.
Slightly abusing terminology, we say that a morphism ζ is an embedding, or an epimorphism, etc., if φ has these properties. In accordance with standard conventions, hooked arrows
Black box subgroups will be constructed in this paper in one of the following three ways:
• We generate Y by some strings $y_1, \dots, y_m \in X$ and use some version of the product replacement algorithm [13] for random sampling.
with the natural projection
In practice this means (although in some cases we use a more sophisticated construction) that we can find strings $x_1, \dots, x_k$ generating X with known images
We shall construct new black boxes from the given ones, and in these constructions strings in X will actually be pointers to other black boxes. Therefore it is convenient to think of elements of black boxes as other black boxes, the same way as in the ZF set theory all objects are sets, with some sets being elements of others. A projective plane constructed in Section 6 provides a good example: it could be seen as consisting of points and lines, where a "line" is a black box that produces random "points" on this line and a "point" is a black box that produces random "lines" passing through this point.
In a black box group X, it is frequently useful to associate with an element encrypted by a string x ∈ X a black box for the graph of a specific homomorphism, namely, the conjugation by x, viewed as a subgroup of the direct product X × X, the latter provided with group operations and equality relation in the obvious way:
From the computational point of view, treating a homomorphism $X \longrightarrow Y$ of black box groups X and Y as a black box subgroup in their direct product X × Y has happened to be an efficient conceptualization of previously inaccessible objects, as can be seen, for example, in "reification of involutions", see Section 3.7.
Given black box groups $X_1, \dots, X_n$, we can define their direct product in an expected way, consecutively sampling strings $x_i \in X_i$ to form a random n-tuple $(x_1, \dots, x_n) \in X$, and carrying out group operations on X component-wise.
Later in the paper we are using semidirect products of black box groups. They arise in a situation when we have two black box groups X and Y and a polynomial time in l(X) and l(Y) procedure for the action of Y on X by automorphisms, , $y_1 y_2$).
3.5. Amalgamation of local proto-involutions. Let X be a black box group encrypting a group G. Expanding the terminology from the previous section, a proto-involution F on X is a black box subgroup F < X × X for the graph of an involutive automorphism of X.
Theorem 3.1 (Amalgamation of local proto-involutions). If $F_1, \dots, F_k$ is a consistent system of proto-involutions on black box subgroups in X, then
Proof. The proof is self-evident.
We shall call F the amalgam of proto-involutions $F_1, \dots, F_k$.
Theorem 3.2 (Augmentation of a black box group by a proto-involution). If F < X × X is a proto-involution on X representing an involutive automorphism φ on G, we can construct an involutive automorphism α of F by setting
Then the semidirect product F ⋊ {1, α} is a black box encrypting $G \rtimes \langle \varphi \rangle$, with F canonically projecting onto G.
Proof. The proof is self-evident.
Theorems 3.1 and 3.2 provide the conceptual frame of construction of a black box group encrypting ${\rm SO}_3(F)$ from a black box group encrypting ${\rm PSL}_2(F)$, see Theorem 4.1.
3.6. Centralizer of a proto-involution. Let F < X × X be a proto-involution on X as defined in Section 3.5. We shall denote pairs of strings in F as $(x, x^\varphi)$ and set
If x ∈ X is an element of even order then the last non-identity element in the sequence is an involution and is denoted by i(x).
If x ∈ X is an element of odd order then the element $y = x^{(m+1)/2}$ obviously satisfies $y^2 = x$ and is the unique square root of x in $\langle x \rangle$; we denote $y = \sqrt{x}$.
It follows from the arguments in [7,12] that we have the map
If X is a simple group of Lie type, then, as shown in [33], $\zeta_1$ is defined with probability O(1/n) where n is the Lie rank of X. Furthermore, the same calculation as in [7, Section 6] proves that elements $\zeta_1((x, x^\varphi))$ are uniformly distributed over $C_X(\varphi)$. Therefore $\zeta_1$ provides an efficient black box for $C_X(\varphi)$. Observe that this construction still works if Axiom BB4 is replaced by a weaker Axiom BB5.
The map $\zeta_0$ is useful when we are interested mostly in involutions in $C_X(\varphi)$, as it happens, for example, in reification of involutions, see Section 3.7.

3.7. Reification of an involution. We approach the most fascinating part of the story: identification of an involution in X from its description. We shall call this procedure the reification of an involution.
Following the notation from the previous subsection, assume that F < X × X is a proto-involution on X corresponding to an inner automorphism of G, more specifically, to conjugation by an involution h ∈ G. We want to find in X a string x that represents h. Obviously, $x \in C_X(\varphi)$, and $C_X(\varphi)$ can be constructed as described in the previous subsection. Denote $Y_1 = C_X(\varphi)$ and observe that $x \in Z(Y_1)$. Find in $Y_1$ an involution $y_1$ and compute $Y_2 = C_{Y_1}(y_1)$, and so on.
If G is a simple group of Lie type of odd characteristic and of Lie rank n, the length of chains of centralizers is bounded by a polynomial in its Lie rank (and in any case their centralizer chains are not longer than chains of subgroups in G), giving a crude upper bound of log |G|. Also, elements of even order (hence involutions) in Lie groups of odd characteristic are abundant by [21]. Therefore in this particular situation the process quickly produces a subgroup $Y_l$ which contains x and has the property that all involutions in $Y_l$ belong to $Z(Y_l)$ and therefore (taken together with the identity element) form an elementary abelian 2-subgroup Z. Since x ∈ Z, it can be identified in Z by testing every possibility. These crude estimates show that the reification procedure works in probabilistic time polynomial in |Z| and log E, where E is the global exponent of X.
In this paper, reification of involutions is applied to ${\rm SO}_3(F)$ in odd characteristic, where proper centralizers are abelian or dihedral, and where Z is at most of order 4, making the implementation of the procedure pretty fast.
More generally, if G is a simple group of Lie type and odd characteristic, then the computation of $Z(C_X(\varphi))$ can be done in time polynomial in log E only by the technique of the analysis of centralizers of involutions developed in [8,10,38]; details of the enhanced procedure will be published elsewhere; they are not needed in this paper.
3.8. Involutions in ${\rm PSL}_2(2^n)$. Let X be a black box group encrypting ${\rm PSL}_2(2^n)$ for some n 2. A paper by Kantor and Kassabov [22] contains a construction of an involution in X, a result analogous to the results in this paper. We shall now show how involutions in ${\rm PSL}_2(2^n)$ can be most naturally constructed by our methods.
• Take in X two non-commuting elements $y_1$ and $y_2$ of odd orders > 3 (for large n, any two random elements would go with probability pretty close to 1) and generate
Proof. We recall from the table of the centralizers of involutions in [19, Table 4.5.1] that G has one conjugacy class of external involutive diagonal automorphisms. Let d be its representative, then $C_G(d) = S \rtimes \langle w \rangle$ where S is a torus of order (q − 1)/2 or (q + 1)/2 depending on q ≡ −1 mod 4 or q ≡ 1 mod 4, respectively, and w is an involution inverting S. Observe that the order of the torus S is odd. Take an involution $t \in C_G(d)$ inverting S and assume that t is contained in some maximal torus T. By Frattini argument, $G \cdot N_{G\langle d \rangle}(T) = G\langle d \rangle$ and we can assume without loss of generality that d normalizes T.
Notice that $\langle T, S \rangle = G$ and d centralizes S and inverts every element in T. Therefore we can apply amalgamation and augmentation of proto-involutions by using Theorem 3.1 and Theorem 3.2.
Construction of tori T and S in Y with these properties goes as follows. We construct an involution u ∈ Y and its centralizer $C := C_Y(u)$. Note that $C = T \rtimes \langle w \rangle$ for some torus T of even order containing the involution u. Now we find a random element y ∈ Y such that the element $z := uu^y$ has odd order and set $S := \langle z \rangle$. Since w is an involution inverting T, by [28, I.8], a random element in C is a generator of T with probability O(1/ log log |F|). Moreover, by similar arguments, the element z is also a generator of some maximal torus S of odd order with probability O(1/ log log |F|).
Hence as soon as we have such tori T and S in Y, the amalgam δ of local proto-involutions
For two distinct involutions s, t ∈ X, we denote the only involution in X that commutes with both s and t (if such involution exists) as j(s, t).
Proof. Notice first of all that, due to basic properties of groups ${\rm SO}_3(F)$, the involution j commuting with s and t exists and is unique in ${\rm Aut}({\rm SO}_3(F)) = {\rm SO}_3(F)$.
We set z := st. Observe first that since z is not a unipotent element, the involution j commuting with both s and t exists. If the order of z is even, then j is the unique involution in $\langle z \rangle$ which can be computed by square-and-multiply method. If z has odd order, then observe that j centralizes $Z = \langle z \rangle$ and inverts every element in the torus $T_s$ containing s; construction of $T_s$ is similar to construction of tori in the proof of Theorem 4.1. Since the order of z is odd, we have |Z| ≥ 3 and so $X = \langle T_s, Z \rangle$. Now the involution j can be found by amalgamating local proto-involutions and reifying the result. The last step can be run very efficiently due to the fact that, in $G = {\rm SO}_3(F)$ where F is a finite field of odd characteristic |F| > 9, involutions r ∈ G have the property that $Z(C_G(r)) = \langle r \rangle$, see details in Section 3.7.

Geometry of involutions in PGL
, where F is a finite field of odd characteristic p. This is the most basic of all groups of Lie type, and for that reason it is very tightly built in the black box setting. We shall see that actions of involutions from G control properties of every facet of the structure of the group and its Lie algebra. Involutions are multifunctional: they act as pointers to tori in the group G, to toric subalgebras in the Lie algebra l = Lie(G) of G, to points and to lines in the projective plane associated with l as F-vector space, and they control the polarity in this plane.
5.1. Involutions. The Lie algebra $l = {\rm sl}_2$ is a vector space of 2 × 2 matrices of trace 0 with the Lie bracket [A, B] = AB − BA. The isomorphism ${\rm PGL}_2(F) \simeq {\rm SO}_3(F)$ comes from the adjoint action of ${\rm PGL}_2(F)$ on its Lie algebra ${\rm sl}_2$, that is, action by conjugation on ${\rm sl}_2$. In this action, the group ${\rm PGL}_2$ becomes the group of automorphisms of $l = {\rm sl}_2$ and therefore preserves the Killing form K on l, $K(\alpha, \beta) = {\rm Tr}({\rm ad}(\alpha) \circ {\rm ad}(\beta))$; moreover, it coincides with the orthogonal group ${\rm SO}_3(l, K)$ since K is a symmetric bilinear form.
We denote by l the 3-dimensional F-vector space of the canonical representation of $G = {\rm SO}_3(F)$. The vectors in l will be denoted by lower case Greek letters.
Note that a vector σ ∈ l is semisimple in the Lie algebra sense if and only if K(σ, σ) ≠ 0 and nilpotent if and only if K(σ, σ) = 0.
Every semisimple element σ in l gives rise to an involution in G, the half-turn $s_\sigma$ around the one-dimensional space generated by σ:
Observe that the half-turn $s_\sigma$ is not changed if we replace σ by a non-zero scalar multiple cσ.
Moreover, every involution in G is a half-turn. Indeed, in its adjoint action on l, every involution s from G has eigenvalues +1, −1, −1. If σ is an eigenvector for s for the eigenvalue +1 then obviously $s = s_\sigma$. Denote the +1-eigenspace (the axis of the half-turn) s as $t_s$. Obviously, $t_s$ is a 1-dimensional non-isotropic subspace of l and thus a toric subalgebra of l. If $T_s$ is a torus in G containing s then $t_s = {\rm Lie}(T_s)$, the Lie algebra of $T_s$.
Therefore the set I of involutions in G is in one-to-one correspondence with the set of regular points of the projective plane P = P(l) (that is, images in P of semisimple elements of l).

5.2. Lines. Notice that every 1-dimensional subspace a in l is a Lie subalgebra of l and coincides with the Lie algebra Lie(A) of some 1-dimensional algebraic subgroup A < G. Assuming that |F| = q, the latter belongs to one of the three conjugacy classes:
• split tori: cyclic subgroups of order q − 1,
• non-split tori: cyclic subgroups of order q + 1,
• maximal unipotent subgroups of order q,
see the beautiful paper by Boris Weisfeiler [37].
Therefore the set with the set of points of the projective plane P. We shall call W the Weisfeiler plane.
It will be convenient to identify W with the dual plane $P^*$ of P and treat elements of W as lines of P. For that we need to describe the incidence relation, that is, the sets of points belonging to a line. There will be two kinds of points:
• involutive (or toric, or semisimple, or regular), and
• unipotent (or parabolic, or tangent).
The set of all involutive points in P is simply the set of all involutions in G. If A is a 1-dimensional subgroup in G, the line ℓ(A) associated with it contains all involutions inverting A; if w is one of these involutions, then ℓ(A) coincides with the coset Aw.
The key to our analysis is the following simple observation which is the basis of projective metric geometry in the sense of Bachmann [5]. For s, t ∈ I, denote
This is a non-associative binary operation satisfying identities:
[25] introduced these identities for algebraic axiomatization of symmetric spaces; axiom SD3 is called the left self-distributivity, see Dehornoy [16]. The involutary plane I with the conjugation operation • is a finite field analogue of the real hyperbolic (Lobachevsky) plane viewed as a symmetric space; we shall refer to its geometry as Lobachevsky geometry.

Harmonic conjugation.
The following two simple observations will be useful in the analysis of our constructions.
Lemma 5.2. Involutions $s$, $t$ and $s \bullet t = t^s$ are collinear.
Proof. This immediately follows from Fact 5.1 since is an involution.
Lemma 5.3. Let $s$ and $t$ be two distinct commuting involutions in $I$, and assume that $r \in I$ has the property that $s^r = t$. Then (a) $r = sh^{\pm 1}$ where $h^{\pm 1}$ are two square roots of $st$ in $T_{st}$; (b) the points $r_1 = sh$ and $r_2 = sh^{-1}$ are harmonic conjugate with respect to $s$ and $t$.
Proof. (a) The subgroup $\langle r, s, t \rangle$ is dihedral of order 8 and it lies in the dihedral group $C_G(st) = T_{st} \rtimes \langle r \rangle$, where the statement becomes obvious. (b) Conjugation by $s$ is a projective collineation of $P$; it centralizes $s$ and $t$ and swaps $r_1$ and $r_2$, which means that $r_1$ and $r_2$ are harmonic conjugate with respect to $s$ and $t$.
If $A$ is of order $q - 1$, the coset $Aw$ contains $q - 1$ involutions, while every line in a projective plane contains $q + 1$ points. The missing points are maximal unipotent subgroups of $G$ treated as points of $P$; the line associated with a 1-dimensional subgroup $A$ contains the point associated with the maximal unipotent subgroup $U$ if and only if $A$ normalizes $U$. We know that every split torus normalizes exactly two maximal unipotent subgroups, which adds the two missing points to the associated line.
If |A| = q, A is a maximal unipotent subgroup and therefore normalizes itself, which adds the missing point to its line ℓ(A).
Finally, if |A| = q + 1, then A is a non-split torus and therefore normalizes no unipotent subgroups; all q + 1 points in the associated line ℓ(A) are involutive.

5.6. Quadric.
There is another way to map (partially) $W$ to $P$: assign to each torus $T < G$ the only involution $i(T)$ contained in $T$. Reversing this map, we assign to each involution $s \in I$ the torus $T_s \in W$ which contains $s$ and identify $s$ with the Lie subalgebra $t_s = \mathrm{Lie}(T_s)$ seen as a point in $P$.
If $U \in W$ is a maximal unipotent subgroup in $G$ then its Lie algebra $u = \mathrm{Lie}(U)$ is a singular point in $P$ and belongs to the quadric $Q$ in $P$ given by the equation $K(\nu, \nu) = 0$ in terms of the Killing form $K(\cdot\,, \cdot)$ on $l$. Notice that so the quadric $Q$ is the missing (that is, not represented by involutions) part of the projective plane $P$. We find ourselves in the axiomatic set-up of projective metric geometry in terms of groups and involutions as it was developed by Bachmann [5] and his school, especially by Schröder [34]. The following result is the apex of projective metric geometry.
Fact 5.4. (Schröder [34]) Let $\Gamma$ be a projective plane and let $\Omega$ be a set of points that contains at most two points of any line of $\Gamma$. Assume further that the points in $\Gamma \setminus \Omega$ are in a one-to-one correspondence with the set $I$ of involutions of some group $G$ in such a way that any three involutions $i, j, k \in I$ correspond to collinear points in $\Gamma \setminus \Omega$ if and only if their product $ijk \in I$. Then there exist a field $K$ and a quadratic form $Q$ on the 3-dimensional vector space $K^3$ such that $\Gamma = P^2(K)$ and $\Omega$ is the quadric in $P^2(K)$ given by the equation $Q(x) = 0$.
As we can see, the configuration that we are in is well understood in the abstract group theory; our task is to analyse it using black box group theory methods. Our principal difficulty is that when we look at the configuration where $P$, $I$, $Q$ are playing the roles of $\Gamma$, $I$, and $\Omega$, respectively, the quadric $Q$ is invisible. Indeed, the probability for a random element from $G$ to be unipotent, or for two random involutions from $G$ to produce a unipotent element as their product, is $O(1/|\mathbb{F}|)$, that is, astronomically small for a large field $\mathbb{F}$. But, as we shall soon see, although we do not have in our possession the quadric $Q$ yet, we have the associated polarity.

Polarity.
The key geometric property of half-turns is that two distinct involutions $s_\sigma$ and $s_\tau$ commute if and only if $\sigma$ and $\tau$ are orthogonal to each other, that is, $K(\sigma, \tau) = 0$, and even more so, We say that points $x, y \in P$ are perpendicular to each other if they represent 1-dimensional subspaces in $l$ which are orthogonal to each other; we shall denote this by $x \perp y$. The polar image $\pi(x)$ of a point $x \in P$ is defined as It is a straight line in $P$. Observe further that $x \in P$ is a toric point if and only if $x \notin \pi(x)$ and is a unipotent point if and only if $x \in \pi(x)$.
Now, we shall describe $\pi(U)$ for a unipotent point $U$ seen as a maximal unipotent subgroup. A torus $t < l$ normalizes a nilpotent subalgebra $u < l$ if and only if $b = t \oplus u$ is a Borel subalgebra in $l$. Since $u$ is the nilpotent radical of $b$, the Killing form restricted to $b$ degenerates on $u$, which means that $b \perp u$; but this could happen if and only if $t \perp u$. Therefore, in terms of the Weisfeiler plane $W$, For an involution $t \in I$, we denote $\varpi(t) = \pi(t) \cap I$. Then we have Observe that $\varpi(t) = Tw$ for some involution $w$, that is, the coset of $T = T_t$ consisting of involutions inverting $T$.
Similarly, for a unipotent point $U$, we have Depending on the nature of the point $t \in P$, lacks 0, 1 or 2 points of intersection of the straight line $\pi(t)$ with the quadric $Q$ and contains, respectively, $q + 1$, $q$, or $q - 1$ points. These three types of lines are called elliptic, parabolic, and hyperbolic, respectively. The parabolic lines are tangent lines to $Q$, that is, lines having exactly one point with $Q$ in common. In $I$, a parabolic line appears as the coset $Ut$ of a maximal unipotent subgroup $U$ in $G$ with respect to an involution $t$ inverting every element in $U$.

The black box projective plane
Let $\mathsf{X}$ be a black box group encrypting $\mathrm{PGL}_2(\mathbb{F}) \simeq \mathrm{SO}_3(\mathbb{F})$ where $\mathbb{F}$ is a finite field of odd characteristic.
Using the black box $\mathsf{X}$ as a computational engine, we shall construct a black box that encrypts the projective plane $P$; abusing notation, we shall denote it by the same letter $P$. Abusing notation again, we use the symbol $I$ to denote the set of involutions in $\mathsf{X}$ and view $I$ as a subset of $P$.
The elements or objects of P, points and lines, are pointers to certain black boxes which will be described now.

6.1. Points.
There are two types of points in $P$: regular and parabolic.
A regular point is a pointer to a triple $(s, T_s, \varpi(s))$ where $s \in I$ is an involution, $T_s$ is its torus, that is, the cyclic subgroup of index 2 in $C_{\mathsf{X}}(s)$, and is the set of regular points in the polar line $\pi(s)$, where $w \in C_{\mathsf{X}}(s)$ is an involution inverting $T_s$. A parabolic point is the same as a parabolic line as defined below.

6.2. Lines.
There are two types of lines in $P$: toric and parabolic.
A parabolic line $u$ is a pointer to a black box for a subgroup $U \rtimes \langle t \rangle$ where $U < \mathsf{X}$ encrypts a maximal unipotent subgroup $U < G$ and $t \in \mathsf{X}$ encrypts an involution inverting every element in $U$. The line $u$ is incident to two kinds of points:
• $q$ regular points, involutions in the coset $Ut$; and
• $u$ itself, seen as a point.
A toric or regular line $l$ is a black box for a subgroup $T \rtimes \langle w \rangle$ where $T < \mathsf{X}$ encrypts a torus $T$ in $G$ and $w \in \mathsf{X}$ encrypts an involution that inverts every element in $T$. A toric line is incident to the following points:
• If $|T| = q + 1$ then $l$ is incident only to points represented by involutions in the coset $Tw$;
• if $|T| = q - 1$ then $l$ is incident to $q - 1$ points represented by involutions in the coset $Tw$ and, in addition, two parabolic points which will be constructed later but in abstract terms correspond to two maximal unipotent subgroups normalized by $T$.

6.3. Serendipity construction of parabolic lines.
It happens very rarely that a line through two random regular points $s$ and $t$ is parabolic; the probability of this event behaves asymptotically as $O(1/|\mathbb{F}|)$ and becomes astronomically small for a large field $\mathbb{F}$. However, if it happens by a sheer stroke of luck, we get a unipotent element $u = st$ and a black box for the parabolic subgroup and the set $Us$ of regular points in the parabolic line. We shall say on this occasion that we constructed a parabolic line $u = s \vee t$ as the join of regular points $s$ and $t$.

6.4. A line through two regular points.
For two distinct involutions $s, t \in I$, define $j(s, t)$ as the only involution in $I$ that commutes with both $s$ and $t$. If $j(s, t)$ does not exist for some $s, t \in I$ then $u = st$ is a unipotent element and $s \vee t = \langle u^{T_s} \rangle \rtimes \langle t \rangle$ is a parabolic line through $s$ and $t$. If $j(s, t)$ exists then the regular part of the line $s \vee t$ through $s$ and $t$ can be computed as $(s \vee t) \cap I = \varpi(j(s, t))$.
Therefore computing $j(s, t)$ attains critical importance for our algorithms. This is easy when $st$ is of even order; in that case $j(s, t)$ is defined as the only involution in the cyclic group $\langle st \rangle$. If $R = st$ is of odd order, we do not immediately have $j = j(s, t)$ but we know that its action on $\mathsf{X}$ is uniquely defined by the following conditions:
• $j$ centralizes $R$; and
• $j$ inverts every element in the torus $T = T_t$.
As a consequence, we can draw a line $x \vee y$ through any two distinct points $x, y \in I$; this is a black box which produces, among other useful goods, the following sets of involutions: Indeed if the lines $k$ and $l$ contain a common involution $w$ then their involutive parts $k \cap I$ and $l \cap I$ are inverted by $w$. Obviously, $w$ can be reified from these conditions.
If the lines $k$ and $l$ have no involution in common, then they intersect in a parabolic point and we find ourselves in a serendipity situation: this event is exceedingly rare and manifests itself in $\pi(k) \vee \pi(l)$ being a parabolic line (and we identify parabolic lines with their tangent points on the quadric):

6.6. Polar projection.
If $s$ is a regular point, then $s$ is not incident to its polar line $\pi(s)$. If $x \neq s$ is another point, the line $s \vee x$ is different from $\pi(s)$, and therefore the lines $s \vee x$ and $\pi(s)$ have a unique common point We shall denote the map defined by the rule This map is nothing more but the central projection with the center $s$ onto $\pi(s)$. We shall call it the polar projection with center $s$ or polar projection on the (regular) line $l = \pi(s)$. When $s$ is chosen to be a point at infinity, $\xi_s$ can be seen as the orthogonal projection of an affine part of $P$ onto $l = \pi(s)$. It is easy to check that the following two formulae for $\xi_s$ are equivalent: $= j(j(x, s), s)$.

Bisection of angles.
Lemma 6.1. Let $\mathsf{X}$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Assume that $i, j \in \mathsf{X}$ are two conjugate involutions.
Then, given an exponent $E$ for $\mathsf{X}$, we can find an involution $x \in \mathsf{X}$ such that $i^x = j$ in time polynomial in $\log E$.
Proof. We set $E = 2^m n$ where $(2, n) = 1$, and set $z = ij$. If the order of $z$ is odd, that is, $z^n = 1$, then notice that $i^{z^{(n+1)/2}} = j$. Now, $z^{(n+1)/2} j$ is an involution conjugating $i$ to $j$.
Assume now that the order of $z$ is even and $k$ is the involution in $\langle z \rangle$, which is obtained by the repeated square-and-multiply method applied to the element $z^n \neq 1$. We denote by $\mathsf{Y}$ the subgroup in $\mathsf{X}$ encrypting $\mathrm{PSL}_2(\mathbb{F})$; it is well-known that $|\mathsf{X} : \mathsf{Y}| = 2$ and $\mathsf{Y} \lhd \mathsf{X}$. Let $T$ be the maximal torus in $\mathsf{X}$ containing $k$ and observe that $z = ij \in T^2$ because $i$ and $j$, being conjugate, simultaneously belong or do not belong to $\mathsf{Y}$.
We can now apply the Tonelli-Shanks Lemma 2.1 and find $t \in T$ such that $t^2 = z$; after that we have
Lemma 6.2. Let $\mathsf{X}$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Then, with a given exponent $E$ for $\mathsf{X}$, we can represent an arbitrary element $x \in \mathsf{X}$ of order $|x| > 2$ as a product of two involutions from $\mathsf{X}$ in time polynomial in $\log E$.
Proof. This is another application of reification of involutions. Take an arbitrary semisimple element $y \in \mathsf{X}$ and reify the involution $r$ that inverts $x$ and $y$. This works in the same way as in the construction of the intersection of the non-parabolic lines. If we end up with a serendipitous discovery of a unipotent element, we need to repeat reification with another choice of $y$. When we have the involution $r$, we can decompose $x = r \cdot rx$.
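The odd-order branch of the proof of Lemma 6.1, as an added example that is not taken from the paper's GAP implementation. The class `PGL2` is a constructed stand-in for the black box (matrices over $\mathbb{F}_p$ modulo scalars), and `bisect` touches it only through multiplication, inversion, equality and the exponent $E$; the even-order branch needs Lemma 2.1, which is not reproduced here, so the function reports it by returning `None`.

```python
class PGL2:
    """Constructed stand-in for the black box: 2x2 matrices (a, b, c, d)
    over F_p taken modulo scalars, so one element has many encodings."""

    def __init__(self, p):
        self.p = p
        self.one = (1, 0, 0, 1)

    def mul(self, x, y):
        p = self.p
        a, b, c, d = x
        e, f, g, h = y
        return ((a * e + b * g) % p, (a * f + b * h) % p,
                (c * e + d * g) % p, (c * f + d * h) % p)

    def inv(self, x):
        # The adjugate equals the inverse up to the scalar det(x),
        # and scalars are ignored in PGL_2.
        a, b, c, d = x
        p = self.p
        return (d % p, -b % p, -c % p, a % p)

    def eq(self, x, y):
        # Two encodings represent the same element iff they are proportional,
        # i.e. all 2x2 minors of the pair of coefficient vectors vanish.
        p = self.p
        return all((x[r] * y[s] - x[s] * y[r]) % p == 0
                   for r in range(4) for s in range(r + 1, 4))

    def power(self, x, k):
        # Square-and-multiply: O(log k) group operations.
        result = self.one
        while k:
            if k & 1:
                result = self.mul(result, x)
            x = self.mul(x, x)
            k >>= 1
        return result

    def conj(self, x, g):
        # x^g = g^{-1} x g, the convention used in the text.
        return self.mul(self.mul(self.inv(g), x), g)

    def is_involution(self, x):
        return (not self.eq(x, self.one)) and self.eq(self.mul(x, x), self.one)


def bisect(G, i, j, E):
    """Return an involution x with i^x = j when z = ij has odd order.

    E is any global exponent of G. Returns None when z has even order,
    which is the branch of the proof that needs a square root of z in
    its torus.
    """
    n = E
    while n % 2 == 0:          # E = 2^m * n with n odd
        n //= 2
    z = G.mul(i, j)
    if not G.eq(G.power(z, n), G.one):
        return None            # z has even order
    # i and j both invert z, so i^(z^k) = i z^(2k) = i z = j for k = (n+1)/2,
    # and (z^k j)^2 = z^k z^(-k) = 1.
    return G.mul(G.power(z, (n + 1) // 2), j)
```

The cost is one exponentiation by $n$ and one by $(n+1)/2$, that is $O(\log E)$ black box multiplications, with no knowledge of $p$ used inside `bisect`.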

Toolbox for constructions in the Lobachevsky plane
By restricting all our constructions to $I$, we can treat $I$ as a structure on its own, a black box Lobachevsky plane. It is a black box that
(a) produces uniformly distributed points from $I$;
(b) checks the equality of points;
(c) checks collinearity of triples of points;
(d) for any two points $s, t \in I$, computes the half turn of $t$ around $s$, which we denote by $s \bullet t$;
(e) for any involution $t \in I$, produces uniformly distributed regular points in the polar image of $t$:
(f) for any two distinct points $s, t \in I$, produces uniformly distributed regular points on the line $s \vee t$ through $s$ and $t$;
(g) for a regular line $l$ given by its two distinct points $s$ and $t$, constructs its pole $\varpi(l)$ (uniquely determined by the condition $\varpi(\varpi(l)) = l$) as $\varpi(l) = j(s, t)$;
(h) for any two distinct lines $k$ and $l$, finds their intersection point $k \wedge l$ or, if the lines $k$ and $l$ do not intersect in $I$ and therefore their intersection point $z$ belongs to $Q$, computes the tangent line to $Q$ at the point $z$;
(i) for a point $s \in I$, computes the polar projection $x \mapsto j(j(x, s), s)$;
(j) for any two points $s, t \in I$ conjugate under the action of $\mathsf{X}$, finds $r \in I$ such that $r \bullet s = t$ (Lemma 6.1);
(k) represents any element of $\mathsf{X}$ as a product of two involutions from $\mathsf{X}$ (Lemma 6.2).
The key point is that operations (g), (h), and (i) may serendipitously fail; of course, this happens with asymptotically small probability $O(1/|\mathbb{F}|)$, but still, in theory it may happen. In this case, we accidentally leave $I$ and find a nontrivial unipotent element $u \in \mathsf{X}$. In our next paper [9] we explain what to do with $u$; in this paper, we can simply ignore it either by re-doing the calculation from the beginning, or by extending our calculations to the whole plane $P$.
However, in Section 10 we show how to enforce serendipity by directing calculations towards a unipotent element in $\mathsf{X}$.
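A concrete model of toolbox items (c) and (g) and of their serendipitous failure, as an added example that is not code from the paper. It assumes $\mathrm{SO}_3(\mathbb{F}_p)$ written in an orthonormal basis, so that the form $K$ is the ordinary dot product and the half-turn about $\sigma$ is $v \mapsto 2K(v,\sigma)K(\sigma,\sigma)^{-1}\sigma - v$; all function names and sample vectors are constructed for illustration.

```python
IDENTITY = ((1, 0, 0), (0, 1, 0), (0, 0, 1))


def dot(u, v, p):
    return sum(a * b for a, b in zip(u, v)) % p


def cross(u, v, p):
    return ((u[1] * v[2] - u[2] * v[1]) % p,
            (u[2] * v[0] - u[0] * v[2]) % p,
            (u[0] * v[1] - u[1] * v[0]) % p)


def mat_mul(a, b, p):
    return tuple(tuple(sum(a[r][k] * b[k][c] for k in range(3)) % p
                       for c in range(3)) for r in range(3))


def half_turn(sigma, p):
    """Matrix of s_sigma, or None if sigma is isotropic (a point of the quadric Q)."""
    norm = dot(sigma, sigma, p)
    if norm == 0:
        return None
    c = 2 * pow(norm, -1, p) % p
    return tuple(tuple((c * sigma[r] * sigma[k] - (r == k)) % p
                       for k in range(3)) for r in range(3))


def is_involution(m, p):
    return m != IDENTITY and mat_mul(m, m, p) == IDENTITY


def commute(a, b, p):
    return mat_mul(a, b, p) == mat_mul(b, a, p)


def collinear_by_group(a, b, c, p):
    """Item (c) without coordinates: the product of the three half-turns
    is again an involution exactly when the points are collinear."""
    prod = mat_mul(mat_mul(half_turn(a, p), half_turn(b, p), p), half_turn(c, p), p)
    return is_involution(prod, p)


def collinear_by_coords(a, b, c, p):
    # Reference answer: the 3x3 determinant of the coordinate vectors vanishes.
    return dot(a, cross(b, c, p), p) == 0


def pole(sigma, tau, p):
    """Item (g): j(s, t) is the half-turn about a vector orthogonal to both
    sigma and tau. Returns None when that vector is isotropic, i.e. when the
    line through the two points is parabolic."""
    return half_turn(cross(sigma, tau, p), p)


def order(m, p):
    k, x = 1, m
    while x != IDENTITY:
        x = mat_mul(x, m, p)
        k += 1
    return k


def parabolic_demo():
    """Constructed example over F_5: both points are regular, but the line
    through them is tangent to Q, so j(s, t) does not exist and the product
    of the two half-turns is a unipotent element of order p = 5."""
    p, sigma, tau = 5, (0, 0, 1), (1, 2, 1)
    u = mat_mul(half_turn(sigma, p), half_turn(tau, p), p)
    return pole(sigma, tau, p), order(u, p)
```

In the black box setting the coordinates are not available, which is why the group-theoretic tests are the ones the toolbox can actually run; the coordinate versions serve only as a reference here.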

Construction of Sym 4
The fundamental procedure in the coordinatization of $P$ is to construct a black box subgroup encrypting $\mathrm{Sym}_4$ in a black box group encrypting $\mathrm{SO}_3$ over some finite field of odd characteristic. As we shall see, a $\mathrm{Sym}_4$ subgroup provides us with a convenient basis triangle in $P$. Therefore, we first prove the following theorem.
Theorem 8.1. Let $\mathsf{X}$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Then, with a given exponent $E$ for $\mathsf{X}$, there is an algorithm constructing a subgroup encrypting $\mathrm{Sym}_4$ which runs in time polynomial in $\log E$.
Let $G \cong \mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of odd characteristic. It is well-known that $G$ has two conjugacy classes of involutions. We say that an involution is of $+$-type if the order of its centralizer is $2(q - 1)$ and of $-$-type if the order of its centralizer is $2(q + 1)$. Notice that $C_G(i) = T \rtimes \langle w \rangle$ where $T$ is a torus of order $q \pm 1$ and $w$ is an involution inverting $T$. We will consider the involutions of $+$-type if $q \equiv 1 \bmod 4$ and of $-$-type if $q \equiv -1 \bmod 4$ so that the order of the torus $T$ is always divisible by 4; we call them involutions of right type.
We set a 5-tuple $(i, j, x, s, T)$ where $i \in G$ is an involution of right type, $T < G$ is the torus in $C_G(i)$, $j \in G$ is an involution of right type which inverts $T$, $x \in G$ is an element of order 3 normalizing $\langle i, j \rangle$ and $s \in T$ is an element of order 4. We also set $k = ij$ and note that $k$ is also of right type. Clearly $\langle i, j, x \rangle \cong \mathrm{Alt}_4$ and $\langle i, j, x, s \rangle \cong \mathrm{Sym}_4$.
The crucial part of the algorithm in the construction of $\mathrm{Sym}_4$ in $\mathsf{X}$ encrypting $\mathrm{SO}_3(\mathbb{F})$ is the construction of an element $x \in \mathsf{X}$ of order 3 permuting some mutually commuting involutions $i, j, k \in \mathsf{X}$ of right type. The following lemma provides an explicit construction of such an element.
Proof. Observe first that $i^{n_1} = j^g$ and $j^{n_2} = s$. Then, since $s = k^{g n_1^{-1}}$, we have and the claim follows. It is now clear that $i^x = k$ since $ij = k$, and $x$ has order 3.
Lemma 8.3. Let $G$, $i$, $j$, $k$, $h_1$ and $h_2$ be as in Lemma 8.2. Then the probability that $h_1$ and $h_2$ have odd orders is bounded from below by $\frac{1}{2} - \frac{1}{2|\mathbb{F}|}$.
Proof. We first note that the subgroup $\langle i, x \rangle \cong \mathrm{Alt}_4$ is a subgroup of $L \leq G$ where $L \cong \mathrm{PSL}_2(\mathbb{F})$, so the involutions $i, j, k$ belong to a normal subgroup isomorphic to $\mathrm{PSL}_2(\mathbb{F})$. Therefore it is enough to compute the estimate in $H \cong \mathrm{PSL}_2(\mathbb{F})$. Notice that all involutions in $H$ are conjugate. Therefore the probability that $h_1$ and $h_2$ have odd orders is the same as the probability of the product of two random involutions from $H$ to be of odd order.
We set $|\mathbb{F}| = q$ and we denote by $a$ the one of the numbers $(q \pm 1)/2$ which is odd and by $b$ the other one. Then $|H| = q(q^2 - 1)/2 = 2abq$ and $|C_H(i)| = 2b$ for any involution $i \in H$. Hence the total number of involutions is Now we compute the number of pairs of involutions $(i, j)$ such that their product $ij$ belongs to a torus of order $a$. Let $T$ be a torus of order $a$. Then $N_H(T)$ is a dihedral group of order $2a$. Therefore the involutions in $N_H(T)$ form the coset $N_H(T) \setminus T$ since $a$ is odd. Hence, for every torus of order $a$, we have $a^2$ pairs of involutions whose product belongs to $T$. The number of tori of order $a$ is $|H|/|N_H(T)| = 2abq/2a = bq$. Hence, there are $bqa^2$ pairs of involutions whose product belongs to a torus of order $a$. Thus the desired probability is
Proof of Theorem 8.1. Let $E = 2^m n$ where $(2, n) = 1$. We first construct an involution $i \in \mathsf{X}$ of right type and an element $s \in C_{\mathsf{X}}(i)$ of order 4. Let $i \in \mathsf{X}$ be an involution constructed from a random element by taking its power using the square-and-multiply method. To check whether $i$ is an involution of right type or not, we search for an element $s \in C := C_{\mathsf{X}}(i)$ of order 4. Note that a random element from $C$ can be constructed efficiently by the method described in [7,12] together with the results in [33]. If $i$ is of right type, then $C$ contains elements of order 4.
Since $C = T \rtimes \langle w \rangle$ where $T$ is a torus of order $q \pm 1$ and $w$ is an involution which inverts $T$, a random element from $C$ has order divisible by 4 with probability at least 1/4. As soon as we find an element $h \in C$ such that $h^n \neq 1$ and $h^{2n} \neq 1$, we construct an element $s \in \langle h \rangle$ of order 4 by the repeated square-and-multiply method. If we cannot find an element of order 4 in $C$, we deduce that $i$ is not of right type and we start from the beginning. Let $i \in \mathsf{X}$ be a right type involution. The coset $Tw$ of $T$ in $C$ consists of the involutions inverting $T$, so half of the elements of $C$ are the involutions inverting $T$ and half of the involutions in $Tw$ are of the same type as $i$. We construct an involution $j \in C$ and check whether $j$ is an involution of right type by following the same arguments as above.
Finally, for commuting right type involutions $i, j \in \mathsf{X}$, we construct an element $x$ of order 3 normalizing $\langle i, j \rangle$ by using Lemma 8.2. The probability of constructing such an element $x \in \mathsf{X}$ is at least

Coordinatization
All we need now is to carry out Hilbert's coordinatization of $P$ [20] using our toolbox from Section 7. Then the action of $\mathsf{X}$ on $I$ by conjugation will give us a morphism $\mathsf{X} \longrightarrow \mathrm{SO}_3(\mathsf{K})$ for some black box field $\mathsf{K}$ that encrypts a finite field $\mathbb{F}$ of odd characteristic.

9.1. The spinor basis.
A construction from Section 8 yields a subgroup $H \simeq \mathrm{Sym}_4$ and all its 24 elements as concrete strings in $\mathsf{X}$, and we shall need to introduce special notation for most of these elements; they will play the central role in later calculations. The symbol $H$ is chosen to emphasize that the group $H \simeq \mathrm{Sym}_4$ controls the quaternionic structure on $l$ as well as cross-ratio and harmonic conjugation on $P$.
We denote the three involutions in the 4-group $E = O_2(H)$ by $e_1, e_2, e_3$. If $t_1, t_2, t_3$ are their centralizers in $l$, we know that they are orthogonal to each other and $l = t_1 \oplus t_2 \oplus t_3$ is the weight decomposition for the action of $E$ on $l$ and is therefore a grading of $l$: Moreover, an element $\theta$ of order 3 from $H$ cyclically permutes $t_1, t_2, t_3$, which allows us to select a basis in $l$ made of , and $\epsilon_3 = \epsilon_2^{\theta} \in t_3$. Since $E$ lies in the commutator of $H$, the involutions $e_i \in E$ have spinor norm 1 and therefore vectors $\epsilon_i$ can be chosen to satisfy forming an orthonormal basis in $l$, In particular, the quadric $Q$ in $P$ can be written by the equation in the coordinates $x_1, x_2, x_3$ associated with the basis $\epsilon_1, \epsilon_2, \epsilon_3$.
In addition, the basis $\epsilon_1, \epsilon_2, \epsilon_3$ seen as a basis of the Lie algebra $l$ obviously satisfies the Lie relations for some fixed $a \in \mathbb{F}_q^*$. What we found is an analogue of a spinor basis (or Pauli basis) from quantum mechanics and will be discussed in detail elsewhere.

9.2. First steps towards the coordinatization of $P$.
We know that $\epsilon_1, \epsilon_2, \epsilon_3$ form an orthonormal basis in $l$ and $e_1, e_2, e_3$ have homogeneous coordinates $(1, 0, 0)$, $(0, 1, 0)$, $(0, 0, 1)$; and the quadric $Q$ is given in coordinates $x_1, x_2, x_3$ associated with this basis by the equation Following traditional notation, we represent lines in $P$ by equations of the form and treat the tuple $[X_1, X_2, X_3]$ as the homogeneous coordinates of the line.
We shall now construct a black box field $\mathsf{K}$. Towards this end, let us take for the extended field $\mathsf{K} \cup \{\infty\}$ the set of points on the coordinate line $e_1 \vee e_3$, assigning the coordinate $x_1 = 0$ to $e_3$ and $x_1 = \infty$ to $e_1$.
Taking into account that the coordinatization of $P$ has to be consistent with the action of $\mathsf{X}$, and, in particular, with the action of $H$ on the basis $e_1, e_2, e_3$, we see that if we take the line $e_1 \vee e_2$ for the line at infinity, we have the following: And this is the same picture in homogeneous coordinates: We shall gradually assign coordinates to more and more points in $P$, at every step ensuring that the coordinatization is consistent with the action of $\mathsf{X}$ on $I$ and $P$ and hence with the vector space structure on $l$. If a point $x \in P$ has coordinates $x_1, x_2, x_3$, we shall write and similarly denote lines by their coordinates, We note that $(x_1, x_2, x_3)$ and $[X_1, X_2, X_3]$ are homogeneous coordinates; they are defined up to multiplication by a non-zero scalar.
Observe that polarity has a very simple meaning in terms of homogeneous coordinates associated with an orthonormal basis: In particular, polar images of the base points $\epsilon_i$ have equations $x_i = 0$, $i = 1, 2, 3$, and homogeneous coordinates When restricted to $I$, the polar image of a point $s \in I$ is a coset of the torus $T_s$ containing $s$ in the centralizer $C_{\mathsf{X}}(s) = T_s \rtimes \langle w \rangle$ where $w$ is an involution inverting $T_s$. Therefore they can be easily computed by the Altseimer-Bray algorithm [7,12].
So we have, in the black box setup, the following picture.
We shall soon add new points to this picture.

9.3. The unity element in $\mathsf{K}$.
So far, we know which elements on the $x_1$-coordinate line represent the points $0$ and $\infty$ and now we construct the point $x_1 = 1$. We shall do that by exploiting the group $H$ in full.
Let $\theta$ be an element of order 3 in $H$ which permutes the basis points $e_1, e_2, e_3$. Pick in $N_H(\langle \theta \rangle)$ an involution $d_1$ which commutes with $e_1$. Observe that $E \rtimes \langle d_1 \rangle$ is a dihedral group of order 8 and therefore $e_2^{d_1} = e_3$. Now turn to the use of homogeneous coordinates. Recall that $e_2 = (0, 1, 0)$ and $e_3 = (0, 0, 1)$. There are two involutions which conjugate $e_2$ and $e_3$: We can assign to $d_1$ the coordinates $(0, 1, 1)$ and set So we have now a richer picture:

9.4. More about $H$.
We record for future use that the natural isomorphism where $\mathrm{Sym}_4$ is seen as the symmetric group of the set $\{0, 1, 2, 3\}$ in notation chosen in such a way that .
In particular, $e_2$ .

9.5. Affine coordinates.
Taking, as we already did, the line $x_3 = 0$ for the line at infinity and the lines $x_2 = 0$ and $x_1 = 0$ for the coordinate axes, we get Observe that this assignment of coordinates agrees with the action by $H$. In particular, conjugation by $d_3$ moves the points with $x_1$-coordinates $0, 1, \infty$ on the $x_1$-axis $e_1 \vee e_3$ to the points with $x_2$-coordinates $0, 1, \infty$, respectively, on the $x_2$-axis $e_2 \vee e_3$. Therefore we can treat both coordinate axes, the $x_1$-axis $e_1 \vee e_3$ and the $x_2$-axis $e_2 \vee e_3$, as the two copies of the projective line $\mathsf{K} \cup \{\infty\}$ over the black box field $\mathsf{K}$ that we will construct on the $x_1$-axis. Now on "this side of infinity", on the affine plane $x_3 \neq 0$, the homogeneous coordinates of an arbitrary point $x$ can be written as $(x_1, x_2, 1)$, where $x_1 = \xi_{e_2}(x)$ and $x_2 = \xi_{e_1}(x)$ are polar projections of $x$ onto the coordinate axes: and we get the classical coordinatization of the affine plane [15]: even before we defined operations of the field $\mathsf{K}$; the latter will be done in the rest of this section. If $x$ lies on the line at infinity $x_3 = 0$ then we can take any point $x'$ on the line $e_3 \vee x$, construct its affine coordinates $(x'_1, x'_2, 1)$ as above and take the triple $(x'_1, x'_2, 0)$ for the homogeneous coordinates of $x$.

9.6. Addition $\oplus$ on $\mathsf{K}$.
Now we can introduce the field operations in the usual way, as shown on the following two diagrams, see Hartshorne [20] for details.
In terms of our toolbox, we first construct In terms of our toolbox, we first construct the line If $x = (\chi, 0, 1)$ is a point in the $x_1$-axis, $s_{(0,0,1)}(x) = s_{(0,0,1)}((\chi, 0, 1)) = (0, 0, 2) - (\chi, 0, 1) = (-\chi, 0, 1) = \ominus x$ and Therefore the field operations of taking negative and inversion x → ⊖ x, x → x ⊖ on $\mathsf{K}$ are computable by single conjugations. This completes the construction of the black box field $\mathsf{K}$.

9.9. Square roots in $\mathsf{K}$.
Given an element $x \in \mathsf{K}$, a number of polynomial time Las Vegas algorithms allow us to find a square root of $x$ in $\mathsf{K}$, if it exists. In our context, the most suitable appears to be Ozdemir's singular elliptic curve algorithm [29].
10. Enforced serendipity: construction of unipotent elements

10.1. Subplane over $\mathbb{F}_p$.
Denote by $\mathsf{K}_0$ the prime subfield (of order $p$) of $\mathsf{K}$.
Starting from the element $1 \in \mathsf{K}$, we can construct the image of every residue modulo $p$ by the double-and-add algorithm, that is, we can compute the canonical map This can be carried out on both the $x_1$- and $x_2$-axes. After computing points $x_1$ and $x_2$ on the corresponding axes, we can find the point $x = (x_1, x_2, 1)$ as Hence we can construct the image in $P$ of any point $(x_1, x_2, 1)$ in the affine plane over $\mathbb{F}_p$.

10.2. A serendipitous path to parabolic points, Proof of Theorem 1.1.
Let $\mathsf{Y}$ be a black box group encrypting $\mathrm{PSL}_2(\mathbb{F})$ for some finite field $\mathbb{F}$ of unknown odd characteristic $p$. By Theorem 4.1, we construct a black box group $\mathsf{X}$ encrypting $\mathrm{SO}_3(\mathbb{F})$. Then, we construct a black box subgroup $H$ of $\mathsf{X}$ encrypting $\mathrm{Sym}_4$ containing three commuting involutions $e_1, e_2, e_3$ of right type. By following the procedures described in Section 9, we have a black box field $\mathsf{K}$ with addition, $\oplus$, and multiplication, $\otimes$, together with the procedures for computing multiplicative and additive inverses. Let $\mathsf{K}$ be defined on the axis $e_1 \vee e_3$, that is, Let $d_1$ be the unit element on the axis $e_1 \vee e_3$ found as described in Subsection 9.3.
Observe that if $p \equiv -1 \bmod 4$, then adding $d_1$ to itself on the coordinate axis $e_1 \vee e_3$ results in constructing the zero element $e_3$ in the field $\mathsf{K}$ after $p$ iterations, whereas if $p \equiv 1 \bmod 4$ then there exists a positive integer $c < p$ such that $c^2 + 1 \equiv 0 \bmod p$ and so $(c - 1)d_1 \oplus d_1$ fails, that is, the procedure for this addition produces two involutions $t$ and $s$ whose product $u = ts$ is a nontrivial unipotent element in $\mathsf{X}$.
Thus, if $p \equiv 1 \bmod 4$, then we check whether the element $u$ has order $c^2 + 1$ by using the repeated square-and-multiply method. In this case, clearly, $p = c^2 + 1$. If $p \equiv -1 \bmod 4$, then obtaining the involution $e_3$ by adding $d_1$ to itself repeatedly determines the characteristic $p$. To construct a unipotent element, in this case, we first find field elements $c, d \in \mathbb{F}_p$ satisfying $c^2 + d^2 + 1 = 0$ by using the Tonelli-Shanks algorithm. Note that half of the elements in $\mathbb{F}_p$ are squares. Then, the construction of the image in $P$ of the point $(c, d, 1)$ results in one of the functions in our toolbox returning the result outside of $I$, that is, in discovery of two involutions $t$ and $s$ whose product $u = ts$ is a nontrivial unipotent element in $\mathsf{X}$.
So far we tested our algorithm for finding unipotent elements in $\mathrm{SO}_3(\mathbb{F}_p)$ (in an old version of GAP on an old laptop) for 10-digit primes like $p = 5463458053$, which had provided a sufficient proof of concept.
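The arithmetic step of Subsection 10.2, as an added example that is not part of the paper's GAP code: once $p$ is known, find the affine point $(c, d, 1)$ with $c^2 + d^2 + 1 \equiv 0 \bmod p$ towards which the construction is steered. The function names are illustrative, and for $p \equiv 1 \bmod 4$ the point returned is $(c, 0, 1)$ with $c^2 + 1 \equiv 0$, matching the case described above.

```python
def tonelli_shanks(a, p):
    """Square root of a modulo an odd prime p, or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:      # Euler's criterion
        return None
    # Write p - 1 = 2^m * n with n odd.
    n, m = p - 1, 0
    while n % 2 == 0:
        n //= 2
        m += 1
    # Any quadratic non-residue z generates the 2-part of F_p^* via z^n.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    c = pow(z, n, p)
    x = pow(a, (n + 1) // 2, p)           # x^2 = a * t throughout the loop
    t = pow(a, n, p)                      # t lies in the 2-part; goal is t = 1
    while t != 1:
        # Least i with t^(2^i) = 1; it is always smaller than m.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        x = x * b % p
        c = b * b % p
        t = t * c % p
        m = i
    return x


def quadric_point(p):
    """Return (c, d) with c^2 + d^2 + 1 = 0 mod p for an odd prime p.

    p = 1 mod 4: -1 is a square, so the point already lies on the x_1-axis
    and d = 0. p = -1 mod 4: scan c until -(1 + c^2) is a square; about half
    of the residues are squares, so the scan is short in practice.
    """
    if p % 4 == 1:
        return tonelli_shanks(p - 1, p), 0
    for c in range(1, p):
        d = tonelli_shanks(-(1 + c * c), p)
        if d is not None:
            return c, d
    return None


def on_quadric(c, d, p):
    # The point (c, d, 1) is isotropic, so no half-turn corresponds to it.
    return (c * c + d * d + 1) % p == 0
```

For $p = 7$ this returns $(2, 4)$, since $4 + 16 + 1 = 21 \equiv 0 \bmod 7$.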
11. Coordinatization of the action of $\mathsf{X}$ on $I$, Proof of Theorem 1.3

11.1. Construction of the morphism $\mathsf{X} \longrightarrow \mathrm{SO}_3(\mathsf{K})$.
Abusing notation, let us denote strings in $\mathsf{X}$ by the same symbols as elements in $G \simeq \mathrm{SO}_3(\mathbb{F})$ that they encrypt.
The aim of this section is to represent the action of an arbitrary element $x \in \mathsf{X}$ on the projective plane $P$ by a $3 \times 3$ matrix $\rho(x)$ with coefficients in $\mathsf{K}$. We shall consider several cases:
Case 1. We set
Case 2. Now we compute $\rho(u)$ for an arbitrary involution $u \in \mathsf{X}$ in "general position" in the sense that $u$ does not commute with any of $e_i$, $i = 1, 2, 3$.
If now $u \in \mathsf{X}$, involutions $u_i = e_i^u$, $i = 1, 2, 3$, represent in the projective plane $P$ vectors $\epsilon_i^u$. We can compute the homogeneous coordinates $(u_{i1}, u_{i2}, u_{i3})$ of $u_i$ using the construction from Section 9.5. The vector $(u_{i1}, u_{i2}, u_{i3})$ is a scalar multiple of $\epsilon_i^u$. We have to normalize it by finding a scalar $c_i \in \mathsf{K}$ such that (see Section 9.9). The choice of signs $\pm$ is dictated by the need to make the matrix an involution from $\mathrm{SO}_3(\mathsf{K})$; that is, $U$ has to have determinant 1 and be symmetric. The choice of signs could happen to be not unique and defined up to simultaneous change of two signs, that is, up to multiplication of $U$ on the right by one of the matrices $\rho(e_i)$. Since $U$ and $\rho(e_i)$ are involutions, their product $U\rho(e_i)$ can happen to be an involution if and only if $U$ and $\rho(e_i)$ commute, which is excluded by our choice of $u$.
Case 3. Now let $u \in \mathsf{X}$ be an involution not in general position, say $u \in C_{\mathsf{X}}(e_1)$. Recall that $C = C_{\mathsf{X}}(e_1)$ is a dihedral group. If $u = e_1$, we are in Case 1. If $u \neq e_1$, we do a random search for an involution $v \in \mathsf{X}$ such that $v$ and $w := u^v$ do not commute with any of $e_1, e_2, e_3$ (this condition is satisfied with probability $1 - O(1/q)$). Then $u = vwv$ and we can compute $\rho(v)$ and $\rho(w)$ as in Case 2 and then compute
Case 4. This is the general case. By Lemma 6.2, we know that every $x \in \mathsf{X}$ is either an involution, or a product of two or three involutions, say $x = uv$; so we compute $\rho$ where $\rho(u)$ and $\rho(v)$ are computed as in Cases 2 and 3. This gives us an algorithm constructing a morphism

11.2. Construction of the morphism $\mathrm{SO}_3(\mathsf{K}) \longrightarrow \mathsf{X}$.
It is well known that each element in $\mathrm{SO}_3(\mathsf{K})$ is an involution or a product of two involutions, therefore it will suffice to compute $\rho^{-1}(r)$ for an involution $r \in \mathrm{SO}_3(\mathsf{K})$.
We shall think of $r$ as a matrix in the same orthonormal basis in which As it was with the computation of $\rho$, we can easily reduce the computation of $\rho^{-1}(r)$ to the case when $r$ is in general position, that is, does not commute with any $\rho(e_i)$, $i = 1, 2, 3$.
Being an involution, $r$ is a symmetric matrix; denote its rows as $r_1, r_2, r_3$. Now construct in $P$ points $s_i$ which have, in the homogeneous coordinates associated with the basis $e_1, e_2, e_3$, the coordinate vectors $r_i$, $i = 1, 2, 3$. The preimage $s = \rho^{-1}(r)$ satisfies the condition $e_i^s = s_i$, $i = 1, 2, 3$, and is in general position with respect to $\{e_i\}$; therefore $s$ is uniquely defined by these conditions.
We can compute an involution $t_1 \in \mathsf{X}$ such that $e_1^{t_1} = s_1$. Then the element (not necessarily an involution) $x = st_1$ belongs to $C = C_{\mathsf{X}}(e_1)$ and sends $e_2$ to $e_2^x = e_2^{st_1} = s_2^{t_1} \in C$. We solve the conjugation problem once more, this time in $C$, and identify this element $x \in C$; it is defined uniquely up to multiplication by an element from $E = \langle e_1, e_2 \rangle$, so we get a coset $Ex$ as an answer. Now $s \in Ext_1$, and, being in general position, is the only involution there.

11.3. Construction of the morphism $\mathrm{SO}_3(\mathbb{F}) \to \mathrm{SO}_3(\mathsf{K})$.
Since, in this case, $p$ is known, the order $q$ of the field on which $\mathsf{X}$ is defined can be found by Algorithm 5.5 in [39]. Let $\mathbb{F}$ be the standard explicitly given finite field of order $q$ and $\mathbb{F}_0$ be the prime subfield. Assume also that $\mathsf{K}_0$ is the prime subfield of $\mathsf{K}$. Then the isomorphism $\mathbb{F}_0 \to \mathsf{K}_0$ can be extended, in time polynomial in the input length, to an isomorphism $\mathbb{F} \to \mathsf{K}$ [27].

Complexities
In this section, we compute the complexities of the main procedures presented in this paper.
Let X be a black box group encrypting SO 3 (F) for some finite field F of odd characteristic.Let µ denote an upper bound on the time requirement for each group operation in X and ξ an upper bound on the time requirement, per element, for the construction of random elements of X.
Recall that we are working under the assumptions of Axioms BB1-BB3 and either BB4 or BB5. To that end, we denote by $\rho$ an upper bound for the time required for any of the following operations:
• given an element $x \in \mathsf{X}$, determine whether it is of odd or even order;
• given an element $x \in \mathsf{X}$ of even order, compute an involution in $\langle x \rangle$;
• given an element $x \in \mathsf{X}$ of odd order, compute its square root $\sqrt{x}$ in $\langle x \rangle$.
If $E$ is a global exponent of $\mathsf{X}$, then it is easy to see that $\rho = O(\mu \log E)$. We shall express the complexities of our procedures in terms of $\mu$, $\xi$, $\rho$ and $E$. If the size $|\mathbb{F}| = q$ of the underlying field is known in advance, then we have $\rho = O(\mu \log q)$ and $E$ can be chosen to be $O(\log q)$, but we do not assume that knowledge in the estimates that follow. We set $E = 2^m n$ where $(2, n) = 1$.
12.1. Constructing an involution in $\mathsf{X}$. At least a quarter of the elements in $\mathsf{X}$ are of even order [21, Corollary 5.3], therefore an involution can be constructed from a random element in time $O(\xi + \rho)$.
12.2. Centralizer of an involution $s$ in $\mathsf{X}$. We shall use the map $\zeta_1$ from [7], which produces uniformly distributed random elements in $C_{\mathsf{X}}(s)$. By the structure of tori and their conjugacy classes in $\mathsf{X}$, it is easy to see that the product of two conjugate involutions has odd order with probability bounded from below by a constant, see, for example, [33]. Since $C := C_{\mathsf{X}}(s) = T_s \rtimes \langle w \rangle$, where $T_s$ is a torus of order $(|\mathbb{F}| \pm 1)$ and $w$ is an involution inverting $T_s$, half of the elements in $C$ are the involutions inverting $T_s$ and, by [28, I.8], the probability of finding a generator of $T_s$ is $O(1/\log\log|\mathbb{F}|)$. Hence the black box group $C$ can be constructed in time $O((\xi + \mu + \rho)\log\log E)$.
12.3. Reification of an involution in $\mathsf{X}$, Lemma 4.2. Given two involutions $s, t \in \mathsf{X}$, we shall find the complexity of constructing the involution $j := j(s, t)$ which commutes with both $s$ and $t$.
Set $z = st$; it is computed in time $\mu$. Testing $z$ for being of odd or even order takes time $\rho$.
If $z$ has even order, then $j \in \langle z \rangle$ can be computed in time $\rho$, giving the total time $\mu + 2\rho$.
If $z$ has odd order, then we construct $C_{\mathsf{X}}(s)$ in time $O((\xi + \mu + \rho)\log\log E)$ as in Subsection 12.2. Note that the elements in the generating set for $C_{\mathsf{X}}(s)$ which are not involutions can be taken to be generators for the torus $T_s$ containing $s$. Let $S_{T_s}$ be a generating set for $T_s$. By [28, I.8], we can take $|S_{T_s}| = O(\log\log|\mathbb{F}|)$. Clearly $S = S_{T_s} \cup \{z\}$ is a generating set for $\mathsf{X}$ and computing the action of $j$ on $S$ takes $O(\mu\log\log|\mathbb{F}|)$ time. Hence, we run the product replacement algorithm on $S$ to construct a random element $x$ together with its conjugate $x^j$. This takes time $2\xi$. Since the elements of the form $x^j x$ have odd orders with probability bounded from below by a constant, see [33], the construction of $C_{\mathsf{X}}(j)$ takes $O((\xi + \mu + \rho)\log\log E)$ time. Finally, the involution $j$ can be constructed from an element of even order from the torus in $C_{\mathsf{X}}(j)$ by the square-and-multiply method. Hence, if $z$ has odd order, the overall cost is $O((\xi + \mu + \rho)\log\log E)$.
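The three operations bounded by $\rho$ at the start of this section, and the even-order branch of Subsection 12.3, written out as an added Python example (not the authors' GAP code). It assumes a constructed toy instance, $\mathrm{PGL}_2(\mathbb{F}_7) \cong \mathrm{SO}_3(\mathbb{F}_7)$ given by $2\times 2$ matrices modulo scalars, in place of a real black box; all function names are hypothetical.

```python
P = 7                      # constructed toy field F_7 (assumption of this example)
ONE = (1, 0, 0, 1)
E = P * (P * P - 1)        # |PGL_2(F_P)|, hence a global exponent; E = 2^m * n

def norm(a, b, c, d):
    """Canonical representative of an invertible matrix modulo scalars."""
    inv = pow(next(v for v in (a, b, c, d) if v % P), -1, P)
    return tuple(v * inv % P for v in (a, b, c, d))

def mul(x, y):
    """Black box multiplication in PGL_2(F_P)."""
    (a, b, c, d), (e, f, g, h) = x, y
    return norm(a*e + b*g, a*f + b*h, c*e + d*g, c*f + d*h)

def power(x, k):
    """Square-and-multiply: O(log k) multiplications, i.e. O(mu log E)."""
    r = ONE
    while k:
        if k & 1:
            r = mul(r, x)
        x, k = mul(x, x), k >> 1
    return r

def odd_part(e):
    """n from the factorisation e = 2^m * n with n odd."""
    while e % 2 == 0:
        e //= 2
    return e

N = odd_part(E)

def has_odd_order(x):
    return power(x, N) == ONE          # |x| divides E, so |x| odd <=> x^n = 1

def involution_in(x):
    """The involution of <x>, for x of even order."""
    y = power(x, N)                    # order of y is a power of 2, at least 2
    while mul(y, y) != ONE:
        y = mul(y, y)
    return y

def sqrt_odd(x):
    """Square root in <x> of an odd-order x: (x^((n+1)/2))^2 = x^(n+1) = x."""
    return power(x, (N + 1) // 2)

def reify_even(s, t):
    """Subsection 12.3, even branch: z = st, j = involution of <z>; else None."""
    z = mul(s, t)
    return None if has_odd_order(z) else involution_in(z)
```

When `reify_even` returns `None`, $z$ has odd order and the centralizer-based construction described in the paragraph above is needed instead.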
12.4. A line through $s$ and $t$. Given two involutions $s, t \in \mathsf{X}$, the line passing through $s$ and $t$ is the coset $T_j s$ where $j = j(s, t)$ is the involution commuting with both $s$ and $t$ and $C_{\mathsf{X}}(j) = T_j \rtimes \langle s \rangle$. Therefore, by Subsection 12.3, the total time needed to construct $j$ and $C_{\mathsf{X}}(j)$ is $O((\xi + \mu + \rho)\log\log E)$.
12.5. Intersection of two distinct lines $k$ and $l$. Given involutions $s_1, s_2, t_1, t_2 \in \mathsf{X}$, where $s_1, s_2$ define a line $k$ and $t_1, t_2$ define a line $l$, the intersection of $k$ and $l$, if it exists, is the involution $j(j(s_1, s_2), j(t_1, t_2))$. Therefore it can be computed in time $O((\xi + \mu + \rho)\log\log E)$.
12.6. Tonelli-Shanks algorithm, Lemma 2.1. We follow the outline presented in the proof of Lemma 2.1. Let $T$ be a cyclic black box group and let $E = 2^m n$ be an exponent for $T$ with $n$ odd. Let $z \in T$ be an element that has a square root in $T$. Checking whether $z$ has odd or even order takes $\rho$ time. If $|z|$ is odd,

the involutions $u \in e_1 \vee e_3$ with the coordinate $(c, 0, 1)$ and $v \in e_1 \vee e_2$ with the coordinate $(0, d, 1)$ takes $O(\log p\,(\xi + \mu + \rho)\log\log E)$. The intersection of the lines passing through $e_2$ and $u$, and $e_1$ and $v$ has the coordinate $(c, d, 1)$. Clearly the point $(c, d, 1)$ lies on the quadric, so the procedure to construct the intersection of these two lines produces a unipotent element. Thus if $p \equiv -1 \bmod 4$, the construction of a unipotent element takes $O(p(\xi + \mu + \rho)\log\log E + \mu\log E\log\log E + k^2\log^2 p)$.
We note here that if $p$ is given as an input, then, by using the double-and-add method, one can construct a unipotent element in time $O(\log p\,(\xi + \mu + \rho)\log\log E + \mu\log E\log\log E)$ if $p \equiv 1 \bmod 4$, or $O(\log p\,(\xi + \mu + \rho)\log\log E + \mu\log E\log\log E + k^2\log^2 p)$ if $p \equiv -1 \bmod 4$.

12.13. Morphism $\mathsf{X} \to \mathrm{SO}_3(\mathsf{K})$. We shall find the complexity of representing an involution $u \in \mathsf{X}$ in $\mathrm{SO}_3(\mathsf{K})$. Observe that it is enough to compute the complexity when $u$ does not commute with some commuting right type involutions $e_1, e_2, e_3 \in \mathsf{X}$. Then, together with the computations in Subsection 12.8, the complexity of the representation of an arbitrary element follows.

5: Adding all the complexities above, we get $O((\xi + \mu + \rho)\log E\log\log E)$.
12.14. Morphism $\mathrm{SO}_3(\mathsf{K}) \to \mathsf{X}$. Let $r \in \mathrm{SO}_3(\mathsf{K})$ be an involution. As in Subsection 12.13, it is enough to find the complexity for the construction of a black box group element representing $r$ when $r$ does not commute with $\rho(e_1), \rho(e_2), \rho(e_3)$. Let $r_1, r_2, r_3$ be the rows of $r$. Constructing the involutions $s_1, s_2, s_3 \in P$ with the homogeneous coordinates $r_1, r_2, r_3$ involves only reifications of involutions and intersections of lines. Therefore it takes $O((\xi + \mu + \rho)\log\log E)$ time.
Constructing the desired involution $s \in \mathsf{X}$ such that $e_i^s = s_i$ involves bisecting angles twice, so it takes $O((\xi + \mu + \rho)\log\log E + \mu m^2 \log E)$ time by Subsection 12.7.
Writing an arbitrary element $x \in \mathrm{SO}_3(\mathsf{K})$ as a product of involutions involves only reification of an involution $r$ that inverts $x$ and a random element $y \in \mathrm{SO}_3(\mathsf{K})$. Since a matrix multiplication and taking the inverse of an element in $\mathrm{SO}_3(\mathsf{K})$ involve only a constant number of multiplications and additions in $\mathsf{K}$, it takes $O((\xi + \mu + \rho)\log\log E)$ time by Subsection 12.11. Therefore, constructing $C_{\mathrm{SO}_3(\mathsf{K})}(r)$ takes $O((\xi + \mu + \rho)\log\log^2 E \log E)$ time.
Hence the overall cost to construct the black box group element representing $r$ is $O((\xi + \mu + \rho)\log\log^2 E \log E + \mu m^2 \log E)$.

Theorem 4.1. Let $\mathsf{Y}$ be a black box group encrypting a group $G = \mathrm{PSL}_2(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Then, with a given exponent $E$ for $\mathsf{Y}$, there is a polynomial time in $\log E$ algorithm which constructs an external automorphism $\delta$ of $\mathsf{Y}$ that encrypts a diagonal type automorphism $d$ of $G$ of order $2$ so that the semidirect product $\mathsf{X} = \mathsf{Y} \rtimes \langle \delta \rangle$ encrypts $G \rtimes \langle d \rangle \simeq \mathrm{SO}_3(\mathbb{F})$.

Fact 5.1. Involutions $r, s, t \in I$ are collinear in $P$ if and only if $rst \in I$.

5.3. $I$ as a finite symmetric space. Now we shall study the action of $I$ on itself by conjugation.

5.5. Missing points in $I$. Different lines in $I$ contain different numbers of points.

. 5 .
Intersection of two lines. We use again reification of involutions for finding the intersection $k \wedge l$ of any two non-parabolic lines $k$ and $l$: $k \wedge l$ = the common point of $k$ and $l$, if this point belongs to $I$; otherwise, the tangent line through the common parabolic point of $k$ and $l$.

Lemma 8.2. Let $G \cong \mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of odd characteristic. Let $i, j, k \in G$ be mutually commuting involutions of right type and $g \in G$ be an arbitrary element. Assume that $h_1 = ij^g$ has odd order $m_1$ and set $n_1 = h_1^{\frac{m_1+1}{2}}$ and $s = k^{gn_1^{-1}}$. Assume also that $h_2 = js$ has odd order $m_2$ and set $n_2 = h_2^{\frac{m_2+1}{2}}$. Then the element $x = gn_1^{-1}n_2^{-1}$ permutes $i, j, k$ and $x$ has order $3$.

$x_1 = x_2$ as $e_3 \vee d_3$, then the point $c = (1, 1)$ as $(e_3 \vee d_3) \wedge (d_2 \vee e_2)$, and the point $d = (a, a)$ as $d = (e_3 \vee d_3) \wedge (a \vee e_2)$, then the point at infinity of the line $b \vee c$ as $\infty_{b,c} = (b \vee c) \wedge (e_1 \vee e_2)$, the line through the point $d$ parallel to $b \vee c$ as $d \vee \infty_{b,c}$, and, finally, the product $a \otimes b$ as the point of intersection of that line with the $x_1$-axis $e_1 \vee e_3$: $a \otimes b = (e_1 \vee e_3) \wedge (d \vee \infty_{b,c})$.

9.8. Inversion and negation in $\mathsf{K}$. Forming the negative $x \to \ominus x$ and inversion $x \to x^{\ominus}$ on $\mathsf{K}$ are much easier to compute than addition and multiplication. Here are two useful observations.

1: Construction of right type involutions $e_1, e_2, e_3$ in $\mathsf{X}$ takes $O(\xi + \rho + \mu\log E)$ time.
2: Computing the homogeneous coordinates of $e_i^u = (u_{i1}, u_{i2}, u_{i3})$ involves the construction of coordinate axes, unit elements on the corresponding axes and the intersection of the corresponding lines. Hence the overall cost is $O((\xi + \rho)\log\log E + \mu\log E\log\log E)$.
3: Normalization of $(u_{i1}, u_{i2}, u_{i3})$ involves the computation of $\frac{1}{u_{i1}^2 + u_{i2}^2 + u_{i3}^2}$ and its square root $c_i$ in $\mathsf{K}$. The computation of the quotient takes $O((\xi + \mu + \rho)\log\log E)$ time and, by using, for example, [29, Algorithm 1], the computation of square roots in $\mathsf{K}$ involves a constant number of field operations and the double-and-add method in $\mathsf{K}$, so it takes $O((\xi + \mu + \rho)\log E\log\log E)$ time.
4: The time needed to compute the matrix $U = (u_{ij}c_i)$ is $O((\xi + \mu + \rho)\log\log E)$.
Black box subgroups. If we have an embedding of black box groups $\mathsf{Y} \hookrightarrow \mathsf{X}$, we shall say that $\mathsf{Y}$ is a subgroup of $\mathsf{X}$.

• Given black box subgroups $\mathsf{Y}_1, \dots, \mathsf{Y}_k$ in $\mathsf{X}$, we generate a subgroup $\mathsf{Y} = \langle \mathsf{Y}_1, \dots, \mathsf{Y}_k \rangle$ by taking generating sets in $\mathsf{Y}_i$ and combining them into a generating set in $\mathsf{Y}$.

of black box groups as a black box subgroup $\mathsf{Z} \hookrightarrow \mathsf{X} \times \mathsf{Y}$ encrypting $F$

Protomorphisms. Let $\mathsf{X}$ and $\mathsf{Y}$ be black box groups encrypting groups $G$ and $H$, respectively, and $\pi$ the canonical projection of $\mathsf{X} \times \mathsf{Y}$ onto $G \times H$. A protomorphism $\mathsf{Z}$ between black box groups $\mathsf{X}$ and $\mathsf{Y}$ is a black box subgroup $\mathsf{Z} < \mathsf{X} \times \mathsf{Y}$ such that $\pi(\mathsf{Z})$ is the graph of a homomorphism from $G$ to $H$ or from $H$ to $G$; the direction of the homomorphism is not set here. We say that $\mathsf{Z}$ encrypts this homomorphism.
observe that it is isomorphic to $\mathrm{PSL}_2(2^m)$ for some $m > 3$.
• It is a well-known property of subgroups $\mathrm{PSL}_2(2^m)$ that $\mathsf{Y}_1$ and $\mathsf{Y}_2$ are inverted by some involution $x \in \mathsf{Y}$. Hence we have two consistent proto-involutions $F_1$ and $F_2$ describing automorphisms $y \to y^{-1}$ of $\mathsf{Y}_1$, $\mathsf{Y}_2$, respectively.
• Form the amalgam $F = \langle F_1, F_2 \rangle$; and proto-involution $\phi$ is the action by conjugation by $x$.
• The centralizer $C_{\mathsf{X}}(\phi)$ is a Sylow 2-subgroup containing $x$.

4. Construction of $\mathrm{SO}_3$ from $\mathrm{PSL}_2$

It will become clear later in this paper that black box groups $\mathrm{PGL}_2 \cong \mathrm{SO}_3$ are more open to analysis than $\mathrm{SL}_2$ or $\mathrm{PSL}_2$. Therefore, extending a black box group encrypting $\mathrm{PSL}_2(\mathbb{F})$ to a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$ is important and it results from amalgamation of proto-involutions, Theorem 3.1, and augmentation of a black box group by a proto-involution, Theorem 3.2.
is a proto-involution of $\mathsf{Y}$ encrypting the external involutive diagonal automorphism $d$ of $G$, see Theorem 3.1. All we need is to augment $\mathsf{Y}$ by $\delta$, see Theorem 3.2.

4.1. Reification of involutions in $\mathrm{SO}_3(\mathbb{F})$. Reification of proto-involutions, as described in Section 3.7, is the most important procedure involved in our construction of unipotent elements in $\mathrm{SO}_3(\mathbb{F})$ and in the proof of Theorem 1.3.
Theorem 4.2. Let $\mathsf{X}$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic and $|\mathbb{F}| > 9$. Let $s, t \in \mathsf{X}$ be two distinct involutions such that $st$ is not a unipotent element. Then, with a given exponent $E$ for $\mathsf{X}$, there is an algorithm which runs in time polynomial in $\log E$ constructing the involution $j$ commuting with $s$ and $t$.