Related Concepts

Field; Generator; Order; Subgroup

Definition

A group is a set of elements with a certain well-defined mathematical structure under a group operation.

Theory

A group \(G = (S, \circ)\) is defined by a set of elements S and a group operation \(\circ\) that satisfy the following group axioms:

  • Closure: For all \(x, y \in S\), \(x \circ y \in S\).

  • Associativity: For all \(x, y, z \in S\), \((x \circ y) \circ z = x \circ (y \circ z)\).

  • Identity: There exists an identity element, denoted I, such that for all \(x \in S\), \(x \circ I = I \circ x = x\).

  • Inverse: For all \(x \in S\), there exists an inverse y such that \(x \circ y = y \circ x = I\).

A group is commutative (also called Abelian) if the group operation does not depend on the ordering of the elements, i.e., if for all \(x, y \in S\), \(x \circ y = y \circ x\). A group is cyclic if it has a single generator, i.e., an element g such that every element of the group can be obtained by repeated composition with g and its inverse, starting from the identity element. The order of a group G, denoted #G, is the number of elements in G.

Groups commonly employed in cryptography include the following:

  • A multiplicative group modulo a prime, where S consists of the set of integers (i.e., residue classes) modulo a prime p, excluding 0, and the group operation is multiplication. This group is typically denoted by \(\mathbb{Z}_p^{\ast}\), where \(\mathbb{Z}_p\) denotes the integers modulo p, and \(\ast\) denotes that the group operation is multiplication and 0 is excluded. The order of \(\mathbb{Z}_p^{\ast}\) is p − 1.

(This group is the same as the multiplicative group of the finite field \(\mathbb{F}_p\).)

  • A subgroup of a multiplicative group modulo a prime, i.e., a subset of elements in \(\mathbb{Z}_p^{\ast}\) that is closed under multiplication. Typically, the subgroup is selected so that its order is a prime number. For instance, the Digital Signature Algorithm (Digital Signature Standard) operates in a subgroup of order q of \(\mathbb{Z}_p^{\ast}\), where p and q are large primes and q divides p − 1.

  • A subgroup of the multiplicative group of an extension field \(\mathbb{F}_{q^d}\).

  • A subgroup of an elliptic curve group. If the elliptic curve group has a prime order, then the subgroup is the same as the elliptic curve group.

All these examples are cyclic and commutative. An elliptic curve group itself may be noncyclic, but the subgroup of interest is typically cyclic.
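The axioms and the multiplicative examples above can be checked mechanically for small parameters. The following Python is an added illustration, not part of the encyclopedia entry: it tests the four group axioms by exhaustive search, computes element orders in \(\mathbb{Z}_p^{\ast}\), and builds a prime-order subgroup the way DSA parameter generation does (g = h^((p−1)/q) mod p). The values p = 23, q = 11 and h = 2 are constructed toy parameters; real DSA moduli are hundreds of bits long, and the exhaustive checks only work at toy sizes.

```python
"""Added example (not from the original entry): brute-force verification of the
group axioms and of cyclic / prime-order subgroups of Z_p^* for toy parameters."""
from itertools import product


def is_group(elements, op):
    """Check closure, associativity, identity and inverses by exhaustive search.
    Returns (ok, reason); only feasible for small sets (cost is cubic in |S|)."""
    S = list(elements)
    members = set(S)
    for x, y in product(S, repeat=2):
        if op(x, y) not in members:
            return False, f"closure fails for {x}, {y}"
    for x, y, z in product(S, repeat=3):
        if op(op(x, y), z) != op(x, op(y, z)):
            return False, f"associativity fails for {x}, {y}, {z}"
    identity = next((e for e in S if all(op(e, x) == x == op(x, e) for x in S)), None)
    if identity is None:
        return False, "no identity element"
    for x in S:
        if not any(op(x, y) == identity == op(y, x) for y in S):
            return False, f"no inverse for {x}"
    return True, "all four axioms hold"


def is_abelian(elements, op):
    """True if the operation commutes on every pair of elements."""
    S = list(elements)
    return all(op(x, y) == op(y, x) for x, y in product(S, repeat=2))


def mult_mod(p):
    """The group operation of Z_p^*: multiplication modulo p."""
    return lambda x, y: x * y % p


def element_order(g, p):
    """Smallest k >= 1 with g^k = 1 (mod p), i.e. the order of g in Z_p^*."""
    if g % p == 0:
        raise ValueError("0 is not in Z_p^*")
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k


def generated_subgroup(g, p):
    """The cyclic subgroup <g> = {g, g^2, ..., 1} of Z_p^*, as a set."""
    elems, x = set(), 1
    while True:
        x = x * g % p
        elems.add(x)
        if x == 1:
            return elems


def prime_order_subgroup_generator(p, q, h):
    """DSA-style construction: for primes p, q with q | p-1, g = h^((p-1)/q) mod p
    has order exactly q unless it equals 1 (then a different h must be tried)."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p-1")
    g = pow(h, (p - 1) // q, p)
    return None if g == 1 else g


if __name__ == "__main__":
    p, q = 23, 11                      # constructed toy values: 22 = 2 * 11
    print(is_group(range(1, p), mult_mod(p)))   # (True, ...)  Z_23^*
    print(is_group(range(0, p), mult_mod(p)))   # (False, 'no inverse for 0')
    print(element_order(5, p))                  # 22: 5 generates all of Z_23^*
    g = prime_order_subgroup_generator(p, q, 2)
    print(g, sorted(generated_subgroup(g, p)))  # 4 and its 11-element subgroup
```

Including 0 makes the check fail at the inverse axiom, which is exactly why \(\mathbb{Z}_p^{\ast}\) excludes it; the generator found for q = 11 illustrates why DSA works in a subgroup whose order is a prime dividing p − 1, since by Lagrange's theorem every element order must divide #G = p − 1.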

A group is formally denoted by both the set and the group operation, i.e., \((S, \circ)\), but in cryptography, sometimes only the set S is denoted and the group operation is implied. In cryptography, the group operation is typically denoted by either multiplication or addition. In the former case, repeated application of the group operation is denoted by exponentiation (e.g., \(g^a\)); in the latter, it is denoted by scalar multiplication (e.g., \(aP\), where P is the group element).
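The additive notation above is the one used for elliptic curve groups, where the group operation is point addition, the identity is the point at infinity, and aP is computed by repeated addition. The following Python is an added example (not from the original entry) on a constructed toy curve y² = x³ + 2x + 3 over \(\mathbb{F}_{97}\), which is not a standardized curve; it implements the group operation, scalar multiplication by double-and-add (the additive analogue of square-and-multiply for \(g^a\)), the order of a point, and the order of the whole group by enumeration.

```python
"""Added example (not from the original entry): the elliptic curve group
E(F_p) in additive notation on a constructed toy curve y^2 = x^3 + A x + B mod P_MOD."""

P_MOD, A, B = 97, 2, 3   # constructed toy curve, not a standard one
INF = None               # the point at infinity: the identity element of E(F_p)


def on_curve(pt):
    """True if pt is the identity or an affine point satisfying the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(pt):
    """The inverse of a point: reflect across the x-axis."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p1, p2):
    """The group operation (chord-and-tangent point addition) in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                       # P + (-P) = O, also covers doubling with y = 0
    if p1 == p2:                         # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """aP by double-and-add: the additive counterpart of computing g^a."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest k >= 1 with kP = O, i.e. the order of the cyclic subgroup <P>."""
    k, q = 1, pt
    while q is not INF:
        q = add(q, pt)
        k += 1
    return k


def group_order():
    """#E(F_p) by enumeration: every affine solution plus the point at infinity."""
    count = 1
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        count += sum(1 for y in range(P_MOD) if y * y % P_MOD == rhs)
    return count


if __name__ == "__main__":
    P = (3, 6)                                  # a point on the toy curve
    print(on_curve(P), scalar_mult(2, P))       # True (80, 10)
    print(point_order(P), scalar_mult(5, P))    # 5 None
    print(group_order())                        # #E(F_97); divisible by 5 by Lagrange
```

The point (3, 6) generates a subgroup of order 5, so by Lagrange's theorem 5 divides #E(F_97), and n·P = O for n = #E(F_97). This is the situation described above: the curve group as a whole need not be cyclic, but the subgroup generated by the chosen base point is, and a cryptographic base point would be chosen in a subgroup of large prime order.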

Applications

Groups are primarily associated with public-key cryptography, but they also have some applications to symmetric cryptosystems. For instance, several researchers investigated whether the set of keys in the Data Encryption Standard forms a group [23], which could significantly weaken the standard; the set of keys does not.

Braid groups are a notable example of a noncommutative group in public-key cryptography [145].