Group theory
Recall the definition of a group:
https://en.wikipedia.org/wiki/Group_(mathematics)#Definition
There are tons and tons of groups.
Some are infinite and some are finite.
Cryptography is mostly concerned with finite groups.
Common groups in cryptography
is addition modulo .
is multiplication modulo on elements coprime to .
The multiplicative part of .
Elliptic curve groups.
Multiplicative or additive notation
When we talk about a generic group we will sometimes think of the operation as being multiplication.
Other times we will think of it as being more like addition.
Additive notation:
The identity is 0
The inverse of is
.
The DLP: Solve for in the equation: .
Multiplicative or additive notation
When we talk about a generic group we will sometimes think of the operation as being multiplication.
Other times we will think of it as being more like addition.
Multiplicative notation:
The identity is 1
The inverse of is
.
The DLP: Solve for in the equation: .
The order of an element
Given in , the order of is the smallest positive integer such that .
Cyclic groups
The group is cyclic if it contains an element of order .
In other words some single element generates .
There is some such that every is for some index .
Theorem
For every prime , the group is a finite cyclic group.
Theorem
For every element of a finite group , the order of divides .
Proof:
Let be given:
Therefore
This implies that the order of divides .
It also generalizes FLT to finite groups.
Theorem
Let be a finite cyclic group. Then
The number of primitive elements of is .
If is prime, then all elements in are primitive.
Note that if is prime then is never prime.
But when is prime and , then , and any element is a generator.
Subgroups
A subgroup is a subset of a group that is closed under the group operation.
Example of a subgroup
The powers of are a subgroup of the group , whenever .
Check closure:
Let and be two powers of 7 mod for integers .
Then
.
But is obviously a power of .
Therefore the powers of 7 are closed under the group operation.
Therefore the powers of 7 form a subgroup.
In the above example there is nothing special about 7 (or even ) and so we get the following theorem of group theory:
Theorem: Cyclic subgroup theorem
Let be a finite group. Then every element with is the generator of a cyclic subgroup with elements.
Proof:
In our subgroup example, replace with and with .
Enumerating all cyclic subgroups
It's possible for two different elements of to generate the same cyclic subgroup.
Here is an example of that happening.
Observation
Notice that the group is not cyclic.
Also observe that some distinct subgroups have the same cardinality.
An example of this is and .
We will see below that in a cyclic group this never happens: No two distinct subgroups have the same cardinality in a cyclic group.
Studying cyclic subgroups
In the above example where , you can see that 3 and 11 generate the same subgroup.
This happens because 3 is itself a primitive element of the subgroup generated by 11 (and vice versa).
Observe that the intersection of two subgroups is always a subgroup!
is not cyclic and so no subgroup is equal to the whole group.
But the whole group is always a subgroup of itself.
Let's try the same experiment with a cyclic group.
Thinking about subgroups
In the above example we saw that most subgroups of are big.
That is because the orders of the elements determine the orders of the subgroups.
So any subgroup must be a size that divides .
But is a safe prime because ( is twice a prime).
The point of a safe prime is exactly that only has big subgroups (except for the unique subgroup of size 2, ).
Let's try the same experiment with an "unsafe" prime.
Thinking about subgroups
In the case of , has lots of divisors.
For that reason it has many subgroups, and some of them are too small to be safe from brute force on DLP.
The following is an interesting group theoretic fact that is true even when and are not cyclic:
Theorem (Lagrange's Theorem)
Let be a subgroup of . Then divides .
Proof sketch
Sets of the form partition .
Cyclic Subgroup Theorem:
Let be a finite cyclic group of order and let be a generator of .
Then for every integer that divides there exists exactly one cyclic subgroup of of order .
This subgroups is generated by .
consists exactly of the elements that satisfy .
There are no other subgroups.
Safe primes again
Okay, so what are the subgroups of a safe prime?
Recall that is safe if where is prime.
You can see from the definition that the only divisors of are 1, 2, , and .
Let's see an example.
Safe primes
You can see from the above output that the only really dangerous base for the DLP in this group is the element of order 2.
The number of bits in is only one less than , so even if the base is in the subgroup of size , this is okay.
And it's really easy to check whether has order 2:
Just see if .
And since is prime this is only true for .
It's similarly easy to see if the order of is .
Thus for a safe prime we can find a verifiable generator.
Diffie Helman in openssl
Below we will verify that the Diffie Hellman parameters produced by OpenSSL yield a safe prime.
Because of this fact generating DH params takes much longer than RSA params, even if the bit length is the same.
Safe prime
In the above experiment .
Thus we can be sure that the order of is , because if it were in the subgroup of size its order would have to divide .
But in that case we would have observed .
The general DLP
The DLP is a problem that can be stated in any group (not just our simple "mod p") groups.
Definition: The Generalized Discrete Logarithm Problem
Given is a finite cyclic group with the group operation and cardinality .
We consider a primitive element and another element .
The DLP is finding the integer where such that :
Elliptic Curve groups
In particular you can have the DLP in an elliptic curve group.
We won't give the details for this.
But: If we use DLP in and also DLP in elliptic curve groups, why are the keys for elliptic curve groups so much shorter?
We've seen that for elliptic curves, 256 bits gives 128 bit security, while for we need about 3000 bits.
Why is one group vulnerable to DLP attacks and the other group not?
Index calculus
The main reason key sizes for elliptic curve groups are smaller is that is vulnerable to an attack called the index calculus.
Again, we won't go into the details, but you can study this on your own if you want.
No one knows of any way to apply this attack to the DLP in elliptic curve groups.
There is some speculation however that the parameters for elliptic curve groups are backdoored by NSA.
However if this is true, they have not yet bothered to destroy any of the dozens of cryptocurrencies based on a NIST curve.
Cyclic group theorem applied to elliptic curves...
The Cyclic Group theorem still applies to even though is "weird".
That's because the theorem applies to any cyclic group, no matter how weird.
The cyclic group theorem applied to
It turns out Galois Fields are cyclic. paper