Cryptographic systems rely fundamentally on the algebraic structure of groups. Informally, a group is a set $G$ equipped with a binary operation (often denoted "$\cdot$" or "$+$") satisfying four axioms. First, closure: for all $a, b \in G$, the product $a \cdot b$ is also in $G$. Second, associativity: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for all $a, b, c \in G$. Third, an identity element $e$ exists in $G$ such that $e \cdot a = a \cdot e = a$ for every $a \in G$. Fourth, every element has a unique inverse: for each $a \in G$ there is $a^{-1} \in G$ with $a \cdot a^{-1} = a^{-1} \cdot a = e$. (Closure is often left implicit in saying "the operation is a law of composition on $G$".) When all four axioms hold, $(G, \cdot)$ is a group.
Groups used in cryptography are typically finite. A common example is the integers modulo $n$ under addition (the integers themselves form an infinite group under addition; reducing modulo $n$ gives a finite one of order $n$) or the nonzero residues under multiplication modulo a prime. A subgroup of particular interest is the cyclic subgroup generated by an element: if $g \in G$ has order $m$ (so $g^m = e$), then the set $\{g^0 = e, g^1, g^2, \dots, g^{m-1}\}$ is a cyclic group of order $m$. In a finite prime-order group one often chooses a generator $g$ so that every group element is a power of $g$ (i.e. $G = \langle g \rangle$). For example, in the multiplicative group of integers mod $p$, denoted $\mathbb{F}_p^* = \{1, 2, \dots, p-1\}$, if $g$ is an element of order $q$ (with $q \mid p-1$) then the cyclic subgroup it generates consists of $\{1, g, g^2, \dots, g^{q-1}\}$ with $g^q \equiv 1 \pmod p$. Such cyclic groups underpin schemes like Diffie–Hellman and DSA.
Many groups of interest in cryptography are abelian (commutative). An abelian group satisfies $a \cdot b = b \cdot a$ for all $a, b \in G$. Equivalently, one often uses additive notation $a + b$ with identity $0$ and writes $a + b = b + a$. Abelian groups are simpler to work with, and most practical cryptographic groups are abelian (for example, $\mathbb{Z}/p\mathbb{Z}$ under addition, the multiplicative group $\mathbb{F}_p^*$, or elliptic curve point groups). In such groups one freely uses notation like $na = a + a + \cdots + a$ (repeated addition) or $g^k$ for repeated multiplication.
A field is an algebraic structure with two operations (addition and multiplication) satisfying commutativity, associativity, distributivity, and the existence of additive and multiplicative identities and inverses (except that $0$ has no multiplicative inverse). Many cryptographic constructions use finite fields. The simplest example is the prime field $\mathbb{F}_p$ for prime $p$, consisting of the integers $\{0, 1, \dots, p-1\}$ with addition and multiplication performed modulo $p$. In other words, if $p$ is prime then
$$\mathbb{F}_p = \{0, 1, \dots, p-1\},$$
with $a + b$ and $a \cdot b$ defined $\bmod p$. This indeed satisfies all field axioms: addition and multiplication are closed, associative, commutative, and distributive, with identities $0$ and $1$, and every nonzero element $a$ has a multiplicative inverse (by Fermat's little theorem, $a^{p-2}$ is one).
In $\mathbb{F}_p$ the set of nonzero elements $\mathbb{F}_p^* = \{1, \dots, p-1\}$ forms a cyclic multiplicative group of order $p-1$. One typically works in a large prime-order subgroup: if $q$ is a prime dividing $p-1$, one chooses a generator $g$ of the unique cyclic subgroup of order $q$ (so $q \mid (p-1)$ and $g^q \equiv 1 \pmod p$). In cryptographic key exchange (e.g. finite-field Diffie–Hellman), the base $g$ and prime $p$ are public parameters, and the security rests on the difficulty of inverting exponentiation (the discrete logarithm). Beyond prime fields, standards also use binary fields $\mathbb{F}_{2^m}$ and extension fields $\mathbb{F}_{p^n}$, but the prime-field $\mathbb{F}_p$ model suffices for many protocols.
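Brute-force versions of the definitions above, as an added example that is not from the article: it checks the four axioms on small sets, constructs the order-$q$ subgroup of $\mathbb{F}_p^*$ for the toy parameters $p = 23$, $q = 11$, and shows the public-value validation that keeps a finite-field Diffie–Hellman peer inside that subgroup. The function names and toy parameters are ours; `is_valid_subgroup_element` is a simplified version of the public-key validation in NIST SP 800-56A, not a copy of it.

```python
"""Finite groups by brute force: checking the four axioms, building the
prime-order subgroup of F_p^* described in the text, and validating public
values before a toy Diffie-Hellman exchange.  Added example, not from the
page; all parameters are tiny, illustrative values."""
from itertools import product
from typing import Callable, List, Optional, Sequence


def check_group_axioms(elements: Sequence[int],
                       op: Callable[[int, int], int]) -> Optional[str]:
    """Return None if (elements, op) is a group, else the first failing axiom.
    Exhaustive, so only usable for tiny sets."""
    members = set(elements)
    for a, b in product(elements, repeat=2):
        if op(a, b) not in members:
            return "closure"
    for a, b, c in product(elements, repeat=3):
        if op(op(a, b), c) != op(a, op(b, c)):
            return "associativity"
    identities = [e for e in elements
                  if all(op(e, a) == a == op(a, e) for a in elements)]
    if len(identities) != 1:
        return "identity"
    e = identities[0]
    for a in elements:
        if not any(op(a, x) == e == op(x, a) for x in elements):
            return "inverses"
    return None


def order_q_generator(p: int, q: int, h: int) -> int:
    """Map any h in F_p^* to g = h^((p-1)/q).  By Lagrange, g^q = h^(p-1) = 1,
    so g generates the unique subgroup of prime order q unless g == 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h maps to the trivial subgroup; choose another h")
    return g


def cyclic_subgroup(p: int, g: int) -> List[int]:
    """Enumerate <g> = {1, g, g^2, ...} in F_p^* until the powers wrap to 1."""
    elems, x = [], 1
    while True:
        elems.append(x)
        x = x * g % p
        if x == 1:
            return elems


def is_valid_subgroup_element(p: int, q: int, y: int) -> bool:
    """Public-value check (our simplified version of the FFC public-key
    validation in NIST SP 800-56A): 2 <= y <= p-2 rules out the identity
    and -1, and y^q == 1 places y in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_shared_secret(p: int, q: int, g: int, priv_a: int, priv_b: int) -> int:
    """Toy finite-field Diffie-Hellman in which both sides validate the value
    they receive before exponentiating with their private scalar."""
    pub_a, pub_b = pow(g, priv_a, p), pow(g, priv_b, p)
    for y in (pub_a, pub_b):
        if not is_valid_subgroup_element(p, q, y):
            raise ValueError("public value outside the order-q subgroup")
    shared_a = pow(pub_b, priv_a, p)   # Alice: B^a = g^(ab)
    shared_b = pow(pub_a, priv_b, p)   # Bob:   A^b = g^(ab)
    assert shared_a == shared_b
    return shared_a


if __name__ == "__main__":
    print(check_group_axioms(range(6), lambda a, b: (a + b) % 6))    # None: Z/6Z is a group
    print(check_group_axioms(range(1, 6), lambda a, b: a * b % 6))  # "closure": 2*3 = 0 escapes
    p, q = 23, 11                       # p - 1 = 22 = 2 * 11
    g = order_q_generator(p, q, 2)      # 2^2 = 4 has order 11
    print(g, cyclic_subgroup(p, g))
    print(is_valid_subgroup_element(p, q, p - 1))   # False: the order-2 element is rejected
    print(dh_shared_secret(p, q, g, 3, 5))
```

The validation step is the practical reason the subgroup is chosen to have prime order: an element such as $p-1$ has order 2, and a peer that accepted it would confine the shared secret to a two-element set. With $q$ prime, the single test $y^q \equiv 1$ (together with $2 \le y \le p-2$) is enough to reject every such value.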
Central to many cryptosystems is the discrete logarithm problem (DLP) in a finite group. In a cyclic group $G = \langle g \rangle$ of order $m$, the DLP is: given $g$ and an element $h \in G$, find the integer $k$ (if it exists) such that
$$g^k = h.$$
Equivalently, $k$ is the discrete logarithm of $h$ to the base $g$. In multiplicative notation this is $g^k = h$, and in additive notation (e.g. in an elliptic curve) one writes $kP = R$. For an elliptic curve group, NIST observes that if $R = kP$ then $k$ is called the discrete logarithm of $R$ to the base $P$. The DLP is believed to be hard when $G$ is chosen appropriately (large prime order, random generator). In fact, the security of Diffie–Hellman key exchange, DSA/ECDSA digital signatures, and related schemes depends on the intractability of computing discrete logs in either $\mathbb{F}_p^*$ or an elliptic curve group. (NIST explicitly states that approved key-establishment schemes "depend upon the intractability of the discrete logarithm problem in certain settings".) No subexponential-time classical algorithm is known for the general DLP in suitably chosen groups.
An elliptic curve over a field $K$ (e.g. $K = \mathbb{F}_p$ or $\mathbb{F}_{2^m}$) is given by a nonsingular cubic equation. Over fields of prime characteristic (other than 2 and 3) it is common to use the short Weierstrass form
$$E : y^2 = x^3 + ax + b,$$
where $a, b \in K$ and the discriminant condition $4a^3 + 27b^2 \neq 0$ ensures there are no singularities. The points on $E$ are the affine solutions $(x, y) \in K^2$ satisfying the equation, together with a distinguished "point at infinity" $O$. Remarkably, these points form a group under a geometric "chord-and-tangent" addition law: given two points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ on $E$, one draws the line through $P$ and $Q$ (or the tangent at $P$ if $P = Q$), finds its third intersection $R$ with the curve, and then reflects $R$ in the $x$-axis to obtain $P + Q$. One verifies that this operation is associative, commutative, and has identity $O$ (the point at infinity). In particular, SEC 1 (a standard for ECC) explicitly notes that $O$ is a special point called the point at infinity.
Points on an elliptic curve over a finite field form a finite abelian group $E(K)$. Its size $\#E(K)$ is (by Hasse's theorem) roughly $q + 1$ if $K = \mathbb{F}_q$, more precisely $|\#E(K) - (q + 1)| \le 2\sqrt{q}$, and one usually selects a large prime divisor of $\#E(K)$ as the order of the cryptographic subgroup. Concretely, standardized curves (such as those in NIST FIPS 186-5 or SEC 2) are chosen so that $E(K)$ contains a cyclic subgroup of large prime order $n$. Then a generator point $G \in E(K)$ of that subgroup is published. Scalar multiplication $kG$ (adding $G$ to itself $k$ times) is easy, while the reverse problem ("given $G$ and $kG$, find $k$") is the elliptic curve discrete logarithm problem (ECDLP). The presumed hardness of ECDLP allows elliptic-curve Diffie–Hellman, ECDSA, etc., to achieve strong security at smaller key sizes than finite-field DLP schemes.
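The chord-and-tangent law, scalar multiplication and the (EC)DLP from the preceding paragraphs in working code, as an added example that is not from the article or from any standard's reference implementation. The `Curve` class, the toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ (which has 19 points, so every non-identity point generates the whole group) and the `brute_force_dlog` search are our choices; the secp256k1 constants are the SEC 2 domain parameters.

```python
"""Short-Weierstrass elliptic-curve arithmetic over F_p: point validation,
the chord-and-tangent group law, scalar multiplication, and an exhaustive
discrete-log search on a toy curve.  Added example, not from the page or any
standard; Curve/Point/brute_force_dlog are our own names."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O


@dataclass(frozen=True)
class Curve:
    p: int   # prime modulus of the field
    a: int
    b: int

    def __post_init__(self) -> None:
        if (4 * self.a ** 3 + 27 * self.b ** 2) % self.p == 0:
            raise ValueError("4a^3 + 27b^2 = 0: singular curve")

    def is_on_curve(self, P: Point) -> bool:
        """Membership test that every received point should pass; O is on the curve."""
        if P is None:
            return True
        x, y = P
        return (0 <= x < self.p and 0 <= y < self.p
                and (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0)

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent law in affine coordinates."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None               # P + (-P) = O; also covers doubling a point with y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)               # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p   # third intersection, reflected in the x-axis
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """kP by double-and-add (not constant-time; a production library must be)."""
        if k < 0:
            raise ValueError("k must be non-negative")
        if not self.is_on_curve(P):
            raise ValueError("point is not on the curve")
        R: Point = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self) -> List[Point]:
        """All of E(F_p) by enumeration; toy sizes only."""
        pts: List[Point] = [None]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if y * y % self.p == rhs]
        return pts

    def addition_is_associative(self) -> bool:
        """Exhaustively check (P+Q)+R == P+(Q+R) over the whole toy group."""
        pts = self.points()
        return all(self.add(self.add(P, Q), R) == self.add(P, self.add(Q, R))
                   for P, Q, R in product(pts, repeat=3))


def brute_force_dlog(curve: Curve, P: Point, R: Point, bound: int) -> Optional[int]:
    """Smallest k < bound with kP = R, found by stepping through multiples of P.
    Feasible only because the group is tiny; requiring a ~256-bit prime-order
    subgroup is what puts this search out of reach."""
    Q: Point = None
    for k in range(bound):
        if Q == R:
            return k
        Q = curve.add(Q, P)
    return None


TOY = Curve(p=17, a=2, b=2)          # y^2 = x^3 + 2x + 2 over F_17: 19 points (prime order)
TOY_P = (5, 1)

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over F_p, base point G, order N
SECP256K1 = Curve(p=0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F,
                  a=0, b=7)
SECP256K1_G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
               0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
SECP256K1_N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141

if __name__ == "__main__":
    print(len(TOY.points()), TOY.add(TOY_P, TOY_P), TOY.mul(19, TOY_P))
    print(brute_force_dlog(TOY, TOY_P, (6, 3), 19))
    print(SECP256K1.mul(SECP256K1_N, SECP256K1_G))   # None: N*G = O, as the order demands
```

Two checks in the block are the ones a practitioner relies on when taking a point from the wire: `is_on_curve` rejects coordinates that do not satisfy the equation (so the arithmetic is never run on a point from some other, possibly weak, curve), and `N * G == O` confirms that the published order really annihilates the base point.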
Standards bodies define many details of elliptic-curve groups. For example, NIST SP 800-186 (2023) surveys recommended elliptic curves over prime fields and explicitly mentions the curve secp256k1 (used by Bitcoin and Ethereum) as an approved curve for blockchain applications. SEC 1 (Standards for Efficient Cryptography, version 2.0) provides the mathematical foundations of ECC, including noting that the point at infinity $O$ is the additive identity. (SEC 1 also describes how to encode curve points to bytes, verify group membership, etc.) In practice, a standard curve such as secp256k1 or NIST P-256 is used as the underlying group; cryptographic protocols then operate on the subgroup generated by its base point.
The difficulty of the discrete logarithm problem in these groups is critical. In a prime-field group $\mathbb{F}_p^*$, the best known classical attacks are sub-exponential (e.g. the number field sieve), but for elliptic curves no sub-exponential classical attack is known. NIST and others note that if the group's order $n$ is a large prime, then computing $k$ from $G$ and $kG$ (or computing $x$ from $g$ and $g^x$) is assumed hard. This is why ECC allows 256-bit keys to match roughly 3072-bit RSA security: ECDLP appears much harder to solve for equivalently sized parameters. Standards such as FIPS 186-5 specify domain parameters (curve coefficients, base point, order $n$) so that the subgroup is prime-order and the cofactor small, maximizing DLP difficulty. Ethereum's key agreement (ECDH) and signature (ECDSA) schemes implicitly rely on secp256k1's DLP hardness.
In the Ethereum protocol, each account's key pair uses the secp256k1 elliptic curve. The Ethereum Yellow Paper formally specifies that a private key $p_r$ is mapped to a public key via ECDSA on secp256k1, and then to an address by taking the rightmost 160 bits of the Keccak-256 hash of the public key. In equations (ref. (214)–(215) of the Yellow Paper), if $\mathrm{KEC}(\cdot)$ denotes Keccak-256 and $\mathrm{ECDSAPUBKEY}(p_r)$ the 64-byte public key on secp256k1, then the address is
$$A(p_r) = \mathrm{KEC}(\mathrm{ECDSAPUBKEY}(p_r))_{96..255},$$
i.e. bits 96–255 of the hash. The Yellow Paper also enforces the requirement $0 < r, s < \mathrm{secp256k1n}$ on signatures (where $\mathrm{secp256k1n}$ is the curve order). More simply, Ethereum uses the same curve and signature scheme as Bitcoin, but with Keccak-256 instead of SHA-256 for hashing. In sum, secp256k1's use in Ethereum is explicitly acknowledged by standards: NIST SP 800-186 even lists secp256k1 as a curve allowed for blockchain-related use, and the Ethereum spec (Yellow Paper) defines addresses and signatures in terms of secp256k1 ECDSA.
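The address rule $A(p_r)$ and the $0 < r, s < \mathrm{secp256k1n}$ check in code, as an added example that is not Ethereum client code. Python's `hashlib.sha3_256` is the FIPS 202 variant and does not reproduce the Keccak-256 the Yellow Paper uses, so the block carries its own small Keccak-256 sponge; the public key fed to it is the constructed input for private key 1 (which is just the base point $G$ of secp256k1), and the function names are ours.

```python
"""Keccak-256 (original Keccak padding, as Ethereum uses it), the Yellow Paper
address rule A(p_r) = KEC(pubkey)[96..255], and the 0 < r, s < n check.
Added example, not Ethereum client code; the sponge is a plain pure-Python
implementation written for readability rather than speed."""

_MASK = (1 << 64) - 1
_RC = [  # round constants of Keccak-f[1600]
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]   # rho offsets, indexed [x][y]

# secp256k1 group order n (the Yellow Paper's secp256k1n)
SECP256K1_N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & _MASK


def _keccak_f1600(A: list) -> list:
    """One permutation over 25 lanes; lane (x, y) lives at index x + 5*y."""
    for rc in _RC:
        # theta: fold column parities into every lane
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rotl(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho (rotate each lane) and pi (move lane (x, y) to (y, 2x + 3y))
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(A[x + 5 * y], _ROT[x][y])
        # chi: non-linear mixing along each row
        A = [B[i] ^ ((~B[(i % 5 + 1) % 5 + 5 * (i // 5)]
                      & B[(i % 5 + 2) % 5 + 5 * (i // 5)]) & _MASK)
             for i in range(25)]
        # iota: round constant
        A[0] ^= rc
    return A


def keccak256(data: bytes) -> bytes:
    """Keccak-256: rate 1088 bits (136 bytes), pad10*1 with domain byte 0x01.
    SHA3-256 differs only in using 0x06 here, which is why hashlib.sha3_256
    does not produce Ethereum's hashes."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        block = buf[off:off + rate]
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = _keccak_f1600(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))


def eth_address(pubkey: bytes) -> str:
    """Yellow Paper address: bits 96..255, i.e. bytes 12..31, of
    KEC(64-byte public key x || y).  A 65-byte SEC 1 uncompressed encoding
    with its 0x04 prefix is accepted and unwrapped first."""
    if len(pubkey) == 65 and pubkey[0] == 0x04:
        pubkey = pubkey[1:]
    if len(pubkey) != 64:
        raise ValueError("expected a 64-byte x||y public key")
    return "0x" + keccak256(pubkey)[12:].hex()


def signature_scalars_in_range(r: int, s: int) -> bool:
    """The Yellow Paper's 0 < r, s < secp256k1n requirement on a signature."""
    return 0 < r < SECP256K1_N and 0 < s < SECP256K1_N


# Constructed input: the public key of private key 1 is the base point G itself
# (SEC 2 coordinates), so anyone can recompute this address by hand.
PUBKEY_OF_PRIVKEY_1 = bytes.fromhex(
    "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
    "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")

if __name__ == "__main__":
    print(keccak256(b"").hex())
    print(eth_address(PUBKEY_OF_PRIVKEY_1))
    print(signature_scalars_in_range(1, SECP256K1_N))   # False: s must be strictly below n
```

The hash prefix is discarded and only the rightmost 20 bytes survive, which is exactly what the $96..255$ subscript in the Yellow Paper equation expresses; the range check on $r$ and $s$ is the scalar-side counterpart of the on-curve check for points, rejecting values that no honest signer over the order-$n$ group could produce.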
Group theory provides the algebraic backbone of cryptography. Formalizing groups (closure, associativity, identity, inverses) and special cases like abelian groups and fields lays the foundation. Cryptographic protocols rest on finite fields (e.g. $\mathbb{F}_p$) and on elliptic curve groups (points on $y^2 = x^3 + ax + b$ over $\mathbb{F}_q$). The key hardness assumption is the discrete logarithm problem in these groups. Modern standards (FIPS, SEC, etc.) codify specific groups and parameters: for example, SEC 1 states that the elliptic-curve "point at infinity" is the group identity, and NIST SP 800-186 officially recognizes secp256k1 for blockchain use. Ethereum's usage of secp256k1 (Yellow Paper definitions) is a concrete example: each Ethereum account is an ECDSA key on an elliptic-curve group, and security derives from group properties and DLP hardness. In sum, rigorous group-theoretic concepts pervade cryptography, from defining the algebraic setting to ensuring the intractability that underlies protocols.
References: Formal definitions and discussions of groups can be found in algebra texts (cf. math.mit.edu). NIST and SECG documents detail cryptographic applications: e.g. NIST SP 800-186 (2023) on elliptic curves (nvlpubs.nist.gov), NIST SP 800-56A on discrete-log key-establishment schemes (nvlpubs.nist.gov), and SEC 1 v2.0 on ECC foundations (secg.org). Ethereum's Yellow Paper (formal spec) provides the exact definitions of addresses and signatures using secp256k1 (files.gitter.im).