Black-box group algorithm for finding the subgroup generated by a subset

Idea and outline
Before beginning, we replace $$S$$ by $$S \cup S^{-1}$$. Note that this does not affect the subgroup generated, but does simplify some of our searches for cycles in the Cayley graph.

Broad idea
The idea is to construct the Cayley graph for the subgroup generated by $$S$$. Each iteration of our process goes one layer further out from the part of the graph that has been constructed so far.

At each iteration, we keep track of which elements of the group correspond to the boundary of the Cayley graph so far, i.e., which are the elements that have just been added in the final iteration. For the next iteration, it suffices to look only at the edges emanating from these. We also keep track of which elements have already been included in the graph, so that we can identify repetitions as we move through the graph.

Outer loop of algorithm
Each step of the outer loop corresponds to expanding one step more in the whole Cayley graph.

From a storage viewpoint, it is necessary only to store, for the $$i^{th}$$ stage, the values $$H_{i-1},F_{i-1}, F_{i-2}$$ and none of the smaller $$F_j$$s or $$H_j$$s.

The process within each step
We now detail the $$i^{th}$$ step in detail, for $$i \ge 1$$.

Why this works
It remains to prove that the process within each step has the desired properties, i.e., if the input from the $$(i-1)^{th}$$ stage is correct, then the output at the $$i^{th}$$ stage is correct.

First, note that the original, untrimmed set $$K$$ contains all the possibilities for elements that have minimum word length precisely $$i$$. We need to show that our trimming process brings us down to precisely the elements that have minimum word length precisely $$i$$. In other words, we need to show that if an element of $$K$$ has minimum word length less than $$i$$, that minimum word length must be either $$i - 1$$ or $$i - 2$$.

To see this, suppose the minimum word length is $$j \le i - 3$$. Then, we get an equality of the form:

$$\! fs = h$$

where $$f \in F_{i-1}, s\in S, h \in H_{i-3}$$.

Rearranging, we get:

$$\! f = hs^{-1}$$

Thus, we have rewritten $$f \in F_{i-1}$$ as an element of $$H_{i-2}$$ (this is crucially where we use that our generating set is a symmetric subset, hence closed under taking inverses), a contradiction to the definition.

Analysis of running time
The running time of each step is $$O(|(F_{i-1}||S|) + O(|F_{i-2}|)$$ times the costs of the black box group operations (performing multiplication, inverting elements). Since the $$F_j$$s are all pairwise disjoint and their union is bounded in size by the size of the whole group, the running time is $$O(|G||S|)$$ times the cost of the group multiplication and equality checking. If we make the log-size assumption, then this is $$O(Ns)$$ times a polynomial in $$\log N$$.