
AFCS / Spring 2015

Groups
Prof. Dr. Ferucio Laurenţiu Ţiplea

“Al. I. Cuza” University of Iaşi


Department of Computer Science
Iasi 740083, Romania
E-mail: [email protected]
URL: http://www.infoiasi.ro/~fltiplea

F.L. Ţiplea/AFCS/Spring 2015/Groups – p. 1/30


Contents

1. Definitions, examples, basic properties
2. Subgroups. Lagrange’s theorem
3. Cyclic groups
4. The group Z_m^*
5. The discrete logarithm problem
6. Applications to cryptography



1. Definitions, examples, basic properties

Definition 1 A group is a 4-tuple (G, ·, ′, e) which consists of a set G, a binary operation · on G, a unary operation ′ on G, and a nullary operation e ∈ G such that:
· is associative;
(∀x ∈ G)(x · e = e · x = x);
(∀x ∈ G)(x · x′ = x′ · x = e).

Remark 1 Let (G, ·, ′, e) be a group.
1. The element e is called the unity of G. It is unique and it is also denoted by 1_G or even 1;
2. For any x, x′ is unique with the property x · x′ = x′ · x = e. x′ is called the inverse of x and it is also denoted by x^{−1}.


Conventions to be used when no confusion may arise:
We will usually denote groups just by their carrier sets. That is, we will often say “Let G be a group”;
When the binary operation of a group is denoted additively (by +), then the unary operation will be denoted by “−” and the nullary operation by 0. However, in such a case, “−” should not be confused with the subtraction operation, and 0 with the number zero;
We will often omit the symbol of the binary operation when two or more elements of the group are operated by it. That is, we will write ab instead of a · b.

Definition 2 A group (G, ·, ′, e) is called commutative if · is a commutative operation.


Basic notations:
1. multiplicatively denoted groups:
a^0 = e;
a^n = a^{n−1} · a, for any n ≥ 1;
a^{−1} = a′, where a′ is the inverse of a;
a^{−n} = (a^{−1})^n, for any n ≥ 1;
2. additively denoted groups:
0a = 0;
na = (n − 1)a + a, for any n ≥ 1;
(−1)a = −a, where −a is the inverse of a;
(−n)a = n(−a), for any n ≥ 1.


Proposition 1 Let G be a group, a, b ∈ G, and m, n ∈ Z. Then, the following properties hold true:
(1) (a^{−1})^{−1} = a;
(2) (ab)^{−1} = b^{−1} a^{−1};
(3) a^m a^n = a^{m+n} = a^n a^m;
(4) (a^m)^n = a^{mn} = (a^n)^m;
(5) a^{−m} = (a^{−1})^m = (a^m)^{−1}.

You are invited to rewrite these properties under the additive notation.


Example 1
1. (Z, +, −, 0), (Q, +, −, 0), (R, +, −, 0), and (C, +, −, 0) are commutative groups.
2. (Q^*, ·, ^{−1}, 1), (R^*, ·, ^{−1}, 1), and (C^*, ·, ^{−1}, 1) are commutative groups.
3. (nZ, +, −, 0) is a commutative group, and (nZ, ·, 1) is a commutative monoid.
4. (Z_m, +, −, 0) is a cyclic commutative group, and (Z_m^*, ·, ^{−1}, 1) is a commutative group, for any m ≥ 1.
5. Let A be a set. The set of all bijective functions from A to A, together with the function composition operation, the function inverse operation, and the identity function from A to A, forms a group called the permutation group of A or the symmetric group of A. It is usually denoted by Sym(A).


Solving equations in groups:

Proposition 2 Let G be a semigroup.
(1) If G is a group, then, for any a, b ∈ G, the equations ax = b and ya = b have unique solutions in G.
(2) If, for any a, b ∈ G, the equations ax = b and ya = b have unique solutions in G, then G is a group.



2. Subgroups. Lagrange’s theorem

Definition 3 A group (H, ◦, ′′, e_H) is a subgroup of a group (G, ·, ′, e_G) if ◦ = ·|_H, ′′ = ′|_H, and e_H = e_G.

When H is a subgroup of G we will write H ≤ G.

Example 2 Considering the groups in Example 1, it follows:
Z ≤ Q ≤ R ≤ C;
Q^* ≤ R^* ≤ C^*;
nZ ≤ Z, for any n ∈ Z. Moreover, any subgroup of Z is of the form nZ, for some n ≥ 0.


Proposition 3 Let (G, ·, ′, e) be a group and H ⊆ G a non-empty subset. The following statements are equivalent:
(1) H ≤ G;
(2) ab ∈ H and a′ ∈ H, for any a, b ∈ H;
(3) ab′ ∈ H, for any a, b ∈ H.

Corollary 1 Let (G, ·, ′, e) be a finite group. Then, a non-empty subset H of G is a subgroup of G iff ab ∈ H, for any a, b ∈ H.


Let G be a group and H ≤ G. Define two binary relations on G, ∼_H and _H∼, by
a ∼_H b ⇔ (∃c ∈ H)(b = ac)
a _H∼ b ⇔ (∃c ∈ H)(b = ca),
for a, b ∈ G.

Proposition 4 Let G be a group, H ≤ G, and a, b ∈ G.
a ∼_H b iff a′b ∈ H.
a _H∼ b iff ba′ ∈ H.
∼_H and _H∼ are equivalence relations on G.
[a]_{∼_H} = aH and [a]_{_H∼} = Ha.
H, aH, and Ha are pairwise equipotent sets.
{Ha | a ∈ G} and {aH | a ∈ G} are equipotent sets.


Let G be a finite group and H ≤ G. The index of H in G is defined by

(G : H) = |{Ha | a ∈ G}| = |{aH | a ∈ G}|.

Theorem 1 (Lagrange’s Theorem) For any finite group G and H ≤ G,

|G| = (G : H)|H|.



3. Cyclic groups

A group G is cyclic if it can be generated by one of its elements. That is,
if G is written multiplicatively, then G is cyclic if

G = ⟨a⟩ = {a^n | n ∈ Z},

for some a ∈ G;
if G is written additively, then G is cyclic if

G = ⟨a⟩ = {na | n ∈ Z},

for some a ∈ G.


Example 3
1. (Z, +, −, 0) is an infinite cyclic group generated by 1.
2. For any m ≥ 1, (Z_m, +, −, 0) is a finite cyclic group:
if m = 1, then the group is generated by 0;
if m > 1, then the group is generated by 1.


Theorem 2 Let a be an element of a group (G, ·, ′, e). Then, exactly one of the following two properties holds true:
(1) a^n ≠ a^m for any integers n ≠ m, and the cyclic subgroup generated by a is isomorphic to (Z, +, −, 0);
(2) there exists r > 0 such that:
(a) a^r = e;
(b) a^u = a^v iff u ≡ v mod r, for any u, v ∈ Z;
(c) ⟨a⟩ = {a^0, a^1, . . . , a^{r−1}} has exactly r elements;
(d) the subgroup ⟨a⟩ is isomorphic to the cyclic group (Z_r, +, −, 0).


The order of an element a of a group G, denoted ord_G(a), is the order of the subgroup generated by a.

Theorem 3 Let (G, ·, ′, e) be a group and a ∈ G be an element of finite order. Then:
(1) ord_G(a) = min{r ≥ 1 | a^r = e};
(2) if G is finite, then ord_G(a) | |G|;
(3) (∀s ∈ Z)(a^s = e ⇔ ord_G(a) | s);
(4) if G is finite, then a^{|G|} = e;
(5) (∀s, t ∈ Z)(a^s = a^t ⇔ s ≡ t mod ord_G(a));
(6) (∀t ∈ Z)(ord_G(a^t) = ord_G(a)/(t, ord_G(a)));
(7) if ord_G(a) = r_1 r_2 and r_1, r_2 > 1, then ord_G(a^{r_1}) = r_2.


Corollary 2 Let (G, ·, ′, e) be a group and a, b ∈ G be elements of finite order. If a and b commute and (ord_G(a), ord_G(b)) = 1, then ord_G(ab) = ord_G(a) ord_G(b).

Theorem 4 Let (G, ·, ′, e) be a finite group and a ∈ G. Then,
(1) G = ⟨a⟩ iff ord_G(a) = |G|;
(2) a generates G iff a^{|G|/q} ≠ e, for any prime factor q of |G|;
(3) if a is a generator of G, then for any t ∈ Z, a^t is a generator of G iff (t, |G|) = 1;
(4) if G is cyclic, then it has φ(|G|) generators.



4. The group Z_m^*

Let m ≥ 1. Recall that

Z_m^* = {a ∈ Z_m | (a, m) = 1}

and (Z_m^*, ·, ^{−1}, 1) is a commutative group. Moreover, |Z_m^*| = φ(m).

Given a ∈ Z_m^*, denote

ord_m(a) = ord_{Z_m^*}(a).

ord_m(a) is called the order of a modulo m.

When Z_m^* is a cyclic group, its generators are also called primitive roots modulo m.


Directly from Theorem 3 we obtain the following properties.

Proposition 5 Let m ≥ 1 and a ∈ Z_m^*. Then:
(1) ord_m(a) = min{k ≥ 1 | a^k ≡ 1 mod m};
(2) if a^k ≡ 1 mod m, then ord_m(a) | k. In particular, ord_m(a) | φ(m);
(3) ord_m(a) = φ(m) iff a^{φ(m)/q} ≢ 1 mod m, for any prime factor q of φ(m);
(4) a^k ≡ a^l mod m iff k ≡ l mod ord_m(a);
(5) a^0 mod m, a^1 mod m, . . . , a^{ord_m(a)−1} mod m are pairwise distinct;
(6) ord_m(a^k mod m) = ord_m(a)/(k, ord_m(a)), for any k ≥ 1;
(7) if ord_m(a) = d_1 d_2, then ord_m(a^{d_1} mod m) = d_2.


Corollary 3 Let m ≥ 1 and a, b ∈ Z_m^*. If ord_m(a) and ord_m(b) are co-prime, then ord_m(ab mod m) = ord_m(a) ord_m(b).

Proposition 6 Let m ≥ 1 and a ∈ Z_m^*. Then:
(1) a is a primitive root modulo m iff ord_m(a) = φ(m);
(2) a is a primitive root modulo m iff

(∀q)(q prime factor of φ(m) ⇒ a^{φ(m)/q} ≢ 1 mod m);

(3) if a is a primitive root modulo m, then, for any k ≥ 1, a^k is a primitive root modulo m iff (k, φ(m)) = 1;
(4) if there are primitive roots modulo m, then there are exactly φ(φ(m)) primitive roots.


Theorem 5 There are primitive roots modulo m iff m = 1, 2, 4, p^k, 2p^k, where p ≥ 3 is a prime number and k ≥ 1.

Example 4
There are primitive roots modulo 50 because 50 = 2 · 5^2. Moreover, there are φ(φ(50)) = φ(20) = 8 primitive roots modulo 50.
There is no primitive root modulo 150, because 150 = 2 · 3 · 5^2 has none of the forms listed in Theorem 5.
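As an added example (not part of the slides), the primitive-root test of Proposition 6 (2) and the existence criterion of Theorem 5 in Python, checked against Example 4; the factoring and φ helpers are my own trial-division versions, adequate only for small moduli.

```python
from math import gcd

def prime_factors(n):
    """Distinct prime factors of n by trial division (enough for small moduli)."""
    ps, d = [], 2
    while d * d <= n:
        if n % d == 0:
            ps.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        ps.append(n)
    return ps

def euler_phi(m):
    """phi(m) = m * prod(1 - 1/p) over the distinct primes p dividing m."""
    result = m
    for p in prime_factors(m):
        result = result // p * (p - 1)
    return result

def is_primitive_root(a, m):
    """Proposition 6 (2): a in Z_m^* is a primitive root iff
    a^(phi(m)/q) != 1 (mod m) for every prime factor q of phi(m)."""
    if gcd(a, m) != 1:
        return False
    ph = euler_phi(m)
    return all(pow(a, ph // q, m) != 1 for q in prime_factors(ph))

def primitive_roots(m):
    """All primitive roots modulo m; empty when Z_m^* is not cyclic."""
    if m == 1:
        return [0]                        # Z_1^* = {0}, generated by 0
    return [a for a in range(1, m) if is_primitive_root(a, m)]

def has_primitive_roots(m):
    """Theorem 5: primitive roots exist iff m = 1, 2, 4, p^k or 2p^k (p odd prime)."""
    if m in (1, 2, 4):
        return True
    odd = m // 2 if m % 2 == 0 else m
    if odd % 2 == 0:
        return False                      # 4 | m and m != 4
    return len(prime_factors(odd)) == 1   # odd part is a prime power
```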



5. The discrete logarithm problem

If G is a finite cyclic group and a is a generator of G, then

G = {a^0 = e, a^1, . . . , a^{|G|−1}}.

Given b ∈ G, there exists k < |G| such that b = a^k. k is called the index of b w.r.t. a or the discrete logarithm of b to base a. When G = Z_m^*, k is called the discrete logarithm of b to base a modulo m and it is usually denoted by log_a b mod m.

Discrete Logarithm Problem (DLP)
Instance: finite cyclic group G, generator a of G, and b ∈ G;
Question: find k < |G| such that b = a^k.


Facts:
No efficient algorithm for computing general discrete logarithms is known;
The naive approach is to raise a to powers i until the desired b is found (this method is sometimes called trial multiplication). The complexity of this method is linear in the size of the group and, therefore, it is exponential in the number of bits of the size of the group;
While computing discrete logarithms is apparently difficult, the inverse problem of discrete exponentiation is easy (polynomial). This asymmetry has been exploited in the construction of cryptographic schemes: ElGamal encryption and digital signature, the Diffie-Hellman key exchange protocol, etc.



6. Applications to cryptography

ElGamal digital signature:
let p be a (large) prime and α be a primitive root in Z_p^*;
P = Z_p^*;
S = Z_p^* × Z_{p−1};
K = {(p, α, a, β) | a ∈ Z_{p−1}, β = α^a mod p};
for any K = (p, α, a, β) and k ∈ Z_{p−1}^*, and any x ∈ Z_p^*, the message x is signed by
sig_K(x, k) = (γ, δ),
where γ = α^k mod p and δ = (x − aγ)k^{−1} mod (p − 1);
the verification of the signature (γ, δ) for x is performed by
ver_K(x, (γ, δ)) = 1 ⇔ β^γ γ^δ ≡ α^x mod p;
p, α and β are public, and a and k are secret.


Example 5 Let p = 467, α = 2, and a = 127. Then,

β = α^a mod p = 2^127 mod 467 = 132.

Assume that we want to sign x = 100 using k = 213 (k ∈ Z_466^* and k^{−1} = 431). Then:
γ = 2^213 mod 467 = 29,
and
δ = (100 − 127 · 29) · 431 mod 466 = 51.
Therefore, sig_K(x, k) = (29, 51).
In order to verify the signature we compute

132^29 · 29^51 mod 467 and 2^100 mod 467

and accept the signature if they are equal.


Attack: If the secret value k is used to sign two distinct messages x_1 and x_2, then the secret parameter a could be easily computed.
Let sig_K(x_1) = (γ, δ_1) and sig_K(x_2) = (γ, δ_2) (the same k has been used). Therefore,
β^γ γ^{δ_1} ≡ α^{x_1} mod p
and
β^γ γ^{δ_2} ≡ α^{x_2} mod p,
which lead to
α^{x_1 − x_2} ≡ γ^{δ_1 − δ_2} mod p.
Because γ = α^k mod p, we get

α^{x_1 − x_2} ≡ α^{k(δ_1 − δ_2)} mod p,


which is equivalent to

k(δ_1 − δ_2) ≡ x_1 − x_2 mod (p − 1).

The solutions modulo p − 1 to this equation are of the form

(k_0 + i(p − 1)/d) mod (p − 1),

where k_0 is an arbitrary solution, d = (δ_1 − δ_2, p − 1), and 0 ≤ i < d.
k_0 can be obtained by the extended Euclidean algorithm, and k can be obtained by checking the equation γ ≡ α^k mod p.
If k is recovered, then the parameter a can be easily recovered from the equation δ = (x − aγ)k^{−1} mod (p − 1), and the signature scheme is broken.
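Example 5 and the k-reuse analysis of the two preceding slides, worked in Python as an added example (not the lecturer's code). sign/verify follow the scheme exactly as stated; recover_from_reused_k solves the congruence from the previous slide with a small linear-congruence helper of my own, which makes concrete why a verifier or auditor should treat two signatures with the same γ as a compromised key.

```python
from math import gcd

# Example 5 parameters: p = 467, alpha = 2 (a primitive root mod 467), a = 127.
P, ALPHA, A = 467, 2, 127
BETA = pow(ALPHA, A, P)                     # beta = alpha^a mod p = 132

def sign(x, a, k, p=P, alpha=ALPHA):
    """sig_K(x, k) = (gamma, delta); k must be a unit modulo p - 1."""
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta

def verify(x, sig, beta=BETA, p=P, alpha=ALPHA):
    """ver_K(x, (gamma, delta)) = 1 iff beta^gamma * gamma^delta ≡ alpha^x (mod p)."""
    gamma, delta = sig
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)

def lin_cong(c, b, n):
    """All y in Z_n with c*y ≡ b (mod n): with d = gcd(c, n), either no
    solution or exactly d solutions y0 + i*n/d, 0 <= i < d (as on the slide)."""
    c, b = c % n, b % n
    if c == 0:
        return list(range(n)) if b == 0 else []
    d = gcd(c, n)
    if b % d:
        return []
    m = n // d
    y0 = (b // d) * pow(c // d, -1, m) % m  # c/d is invertible modulo n/d
    return [(y0 + i * m) % n for i in range(d)]

def recover_from_reused_k(x1, sig1, x2, sig2, beta=BETA, p=P, alpha=ALPHA):
    """Two signatures sharing gamma were made with the same k.  Solve
    k(delta1 - delta2) ≡ x1 - x2 (mod p-1), keep the k with alpha^k ≡ gamma,
    then a from delta1 = (x1 - a*gamma) k^-1, confirmed against beta."""
    gamma, d1 = sig1
    gamma2, d2 = sig2
    if gamma != gamma2:
        return None                         # different k: analysis does not apply
    n = p - 1
    for k in lin_cong(d1 - d2, x1 - x2, n):
        if pow(alpha, k, p) != gamma:
            continue
        for a in lin_cong(gamma, x1 - d1 * k, n):
            if pow(alpha, a, p) == beta:
                return k, a
    return None
```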


Digital Signature Standard (DSS) is the American standard for digital signatures;
DSS was proposed by NIST in 1991, and adopted in 1994;
DSS is a variation of the ElGamal digital signature. This variation is based on the following remark: the prime p in the ElGamal digital signature should be a 512-bit or 1024-bit number in order to ensure security. This fact leads to signatures that are too large to be used on smart cards;
DSS modifies the ElGamal digital signature so that the computations are done in a subgroup Z_q of Z_p^* by using an element α ∈ Z_p^* of order q.


Digital Signature Standard (DSS)
let p be a prime, q a prime factor of p − 1, and α an element of order q in Z_p^*;
P = Z_p^*;
S = Z_q × Z_q;
K = {(p, q, α, a, β) | a ∈ Z_q ∧ β = α^a mod p};
for any K = (p, q, α, a, β) and k ∈ Z_q^*, and any x ∈ Z_p^*,
sig_K(x, k) = (γ, δ), where γ = (α^k mod p) mod q and δ = (x + aγ)k^{−1} mod q;
ver_K(x, (γ, δ)) = 1 ⇔ (α^{e_1} β^{e_2} mod p) mod q = γ, where e_1 = xδ^{−1} mod q and e_2 = γδ^{−1} mod q;
p, q, α, and β are public, and a is secret.
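An added Python example (not from the slides) of DSS signing and verification as stated above, with tiny hypothetical parameters p = 23, q = 11, α = 2 chosen here only so the arithmetic can be checked by hand; it also handles the γ = 0 and δ = 0 cases, which the formulas above leave undefined and which a real implementation must reject.

```python
# Tiny hypothetical parameters for illustration only:
# p = 23, q = 11 (q divides p - 1 = 22), alpha = 2 has order 11 in Z_23^*.
P, Q, ALPHA = 23, 11, 2

def check_params(p=P, q=Q, alpha=ALPHA):
    """q | p-1 and alpha has order exactly q (q prime: alpha != 1, alpha^q = 1)."""
    return (p - 1) % q == 0 and alpha % p != 1 and pow(alpha, q, p) == 1

def dss_sign(x, a, k, p=P, q=Q, alpha=ALPHA):
    """sig_K(x, k) = (gamma, delta) with gamma = (alpha^k mod p) mod q and
    delta = (x + a*gamma) k^-1 mod q.  Returns None when gamma or delta is 0:
    delta = 0 cannot be verified (delta^-1 is needed) and gamma = 0 makes the
    signature independent of a, so a fresh k has to be chosen instead."""
    gamma = pow(alpha, k, p) % q
    delta = (x + a * gamma) * pow(k, -1, q) % q
    if gamma == 0 or delta == 0:
        return None
    return gamma, delta

def dss_verify(x, sig, beta, p=P, q=Q, alpha=ALPHA):
    """ver_K(x, (gamma, delta)) = 1 iff (alpha^e1 * beta^e2 mod p) mod q = gamma,
    with e1 = x*delta^-1 mod q and e2 = gamma*delta^-1 mod q."""
    gamma, delta = sig
    if not (0 < gamma < q and 0 < delta < q):
        return False                    # reject out-of-range components
    d_inv = pow(delta, -1, q)
    e1, e2 = x * d_inv % q, gamma * d_inv % q
    return (pow(alpha, e1, p) * pow(beta, e2, p) % p) % q == gamma
```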


Computing primitive roots:

Recall that an element α ∈ Z_m^* is a primitive root modulo m iff α^{φ(m)/q} ≢ 1 mod m, for any prime factor q of φ(m).

If p = 2q + 1 and p and q are primes, then α ∈ Z_p^* is a primitive root modulo p iff α^2 ≢ 1 mod p and α^q ≢ 1 mod p. Moreover, there are φ(φ(p)) = q − 1 primitive roots modulo p, which shows that the probability that a randomly generated number α ∈ Z_p^* is a primitive root is approximately 1/2.

If α is a primitive root modulo a prime p and q is a prime factor of p − 1, then α^{(p−1)/q} mod p is an element of order q.
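Added Python example (not from the slides) of the safe-prime primitive-root test and the order-q element construction stated above, checked on p = 23 = 2 · 11 + 1 and on the Example 5 prime 467 = 2 · 233 + 1; the brute-force order function is my own and is meant only for small p.

```python
def is_primitive_root_safe_prime(alpha, p, q):
    """For p = 2q + 1 with p, q prime: alpha is a primitive root modulo p iff
    alpha^2 != 1 and alpha^q != 1 (mod p).  Only the two prime factors
    2 and q of phi(p) = 2q have to be tested."""
    assert p == 2 * q + 1
    alpha %= p
    return alpha != 0 and pow(alpha, 2, p) != 1 and pow(alpha, q, p) != 1

def count_primitive_roots_safe_prime(p, q):
    """Expected phi(phi(p)) = phi(2q) = q - 1, i.e. about half of Z_p^*."""
    return sum(1 for a in range(1, p) if is_primitive_root_safe_prime(a, p, q))

def element_of_order_q(alpha, p, q):
    """alpha^((p-1)/q) mod p has order exactly q when alpha is a primitive root
    modulo p and q is a prime factor of p - 1 (the DSS subgroup generator)."""
    assert (p - 1) % q == 0
    return pow(alpha, (p - 1) // q, p)

def multiplicative_order(g, p):
    """Brute-force ord_p(g) = min{k >= 1 | g^k ≡ 1 (mod p)}; small p only."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k
```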
