Square root-based black-box group algorithm for element order-finding problem

Idea and outline
The algorithm as presented here relies only on the multiplication algorithm and knowledge of the identity element, and it does not require the use of the inverse map.

Let $$m$$ be a positive integer chosen such that $$m - 1$$ is greater than $$\sqrt{B}$$.

Consider two sets:

$$S_1$$ is the set of powers $$\{ g, g^2, \dots, g^{m-1} \}$$

$$S_2$$ is the set of similar powers for $$g^m$$, i.e., $$\{ g^m, (g^m)^2, \dots, (g^m)^{m-1} \}$$.

The algorithm is as follows:


 * 1) We construct $$S_1$$ left to right, with each new element obtained by multiplying its predecessor by $$g$$. If at any stage we reach the identity element, we stop there -- the exponent reached is the order of $$g$$. If not, we have constructed the whole of $$S_1$$.
 * 2) $$g^m$$ is constructed by multiplying the last element of $$S_1$$ by $$g$$. We then construct the elements of $$S_2$$ from left to right, with each new element obtained by multiplying its predecessor by $$g^m$$. Every time we construct a new element of $$S_2$$, we check if it is equal to any of the elements of $$S_1$$, going from right to left on $$S_1$$. Suppose the first collision happens for $$(g^m)^a = g^b$$. Then, the order of $$g$$ is $$ma - b$$.
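
The two steps above, as an added Python example (not code from the original page). Assumptions: $$B$$ is taken to be a known upper bound on the order of $$g$$ (parameter `bound`), group elements are hashable so the scan of $$S_1$$ becomes a dictionary lookup, and the names `element_order`, `mul_mod` and `compose` are hypothetical. It also compares each element of $$S_2$$ with the identity, which covers the case where $$m$$ divides the order and the matching exponent would be $$b = m$$, outside $$S_1$$.

```python
from math import isqrt

def element_order(g, mul, identity, bound):
    """Order of g using only mul() and equality tests; bound >= order(g) is assumed."""
    m = isqrt(bound) + 2                  # guarantees m - 1 > sqrt(bound)
    # Step 1: build S_1 = {g, g^2, ..., g^(m-1)}, stopping early at the identity.
    baby = {}                             # element -> exponent b
    x = g
    for b in range(1, m):
        if x == identity:
            return b
        baby[x] = b
        x = mul(x, g)
    gm = x                                # last element of S_1 times g, i.e. g^m
    # Step 2: build S_2 = {g^m, (g^m)^2, ..., (g^m)^(m-1)} and look for a collision.
    giant = gm
    for a in range(1, m):
        if giant == identity:             # added check: m divides the order
            return m * a
        if giant in baby:                 # (g^m)^a = g^b  =>  order = m*a - b
            return m * a - baby[giant]
        giant = mul(giant, gm)
    raise ValueError("bound is smaller than the order of g")

def mul_mod(p):
    """Multiplication in the group of units modulo p (constructed sample group)."""
    return lambda x, y: (x * y) % p

def compose(p, q):
    """Composition of permutations stored as tuples (constructed sample group)."""
    return tuple(p[i] for i in q)

if __name__ == "__main__":
    print(element_order(2, mul_mod(101), 1, 100))   # collision in step 2
    print(element_order(2, mul_mod(13), 1, 100))    # m = 12 equals the order
    cyc = (1, 2, 0, 4, 5, 6, 7, 3)                  # a 3-cycle times a 5-cycle
    print(element_order(cyc, compose, tuple(range(8)), 30))
```
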