Cryptographic Assumptions in Cyclic Groups
Department of Electrical Engineering, IIT Bombay
October 14, 2025
Cyclic Groups
Definition: Let G be a finite group. For g \in G, the subgroup generated by g is given by \langle g \rangle = \{1, g, g^2, \ldots , g^{i-1}\}. where i is the smallest positive integer for which g^i = 1.
Definition: Let G be a finite group. We call G a cyclic group if there exists a g \in G such that G = \langle g \rangle. Such a g is called a generator of G.
Examples
- 1 is a generator of \mathbb{Z}_N for all N > 1
- 3 and 5 are generators of \mathbb{Z}_7^*
Proposition: If G is a group of prime order p, then G is cyclic. Furthermore, all elements of G except the identity are generators of G.
The Discrete-Logarithm Assumption
The Discrete Logarithm
- If G is a cyclic group of order q with generator g, then we can write G = \{g^0, g^1, g^2,\ldots, g^{q-1}\} where g^0 = 1 is the identity element
- For every h \in G, there is a unique x \in \mathbb{Z}_q such that g^x = h
- We call this x the discrete logarithm of h with respect to g and write x = \log_g h
The Discrete-Logarithm Experiment
Let \mathcal{G} denote a polynomial-time, cyclic group generation algorithm which outputs a group, its order, and a generator
The discrete-logarithm experiment \textsf{DLog}_{\mathcal{A},\mathcal{G}}(n)
- Run \mathcal{G}(1^n) to obtain (G,q,g), where G is a cyclic group of order q (with \| q \| = n), and g is a generator of G
- Choose a uniform h \in G
- \mathcal{A} is given G, q, g, h, and outputs x \in \mathbb{Z}_q
- The output of the experiment is 1 if g^x = h, and 0 otherwise
The Discrete-Logarithm Assumption
Definition: We say the discrete-logarithm problem is hard relative to \mathcal{G} if for all PPT algorithms \mathcal{A} there exists a negligible function \textsf{negl} such that \Pr[\textsf{DLog}_{\mathcal{A}, \mathcal{G}}(n) = 1] \le \textsf{negl}(n).
The discrete-logarithm assumption states that there exists a \mathcal{G} relative to which the discrete-logarithm problem is hard
- We will see an example of \mathcal{G} later
The Diffie-Hellman Assumptions
Diffie-Hellman Protocol
The Diffie-Hellman Problems
Related to the problem of computing discrete logarithms, but not known to be equivalent to it
Two important variants
- Computational Diffie-Hellman (CDH) Problem
- Decisional Diffie-Hellman (DDH) Problem
Computational Diffie-Hellman (CDH) Problem
- Consider a cyclic group G with a generator g
- Given h_1, h_2 \in G, define \textsf{DH}_g(h_1, h_2) = g^{\log_g h_1 \cdot \log_g h_2}
- That is, if h_1 = g^{x_1} and h_2=g^{x_2} then \textsf{DH}_g(h_1, h_2) = g^{x_1\cdot x_2} = h_1^{x_2} = h_2^{x_1}
The CDH Experiment
Let \mathcal{G} denote a polynomial-time, cyclic group generation algorithm
The CDH experiment \textsf{CDH}_{\mathcal{A},\mathcal{G}}(n)
- Run \mathcal{G}(1^n) to obtain (G,q,g), where G is a cyclic group of order q (with \| q \| = n), and g is a generator of G
- Choose uniform x_1, x_2 \in \mathbb{Z}_q and compute h_1 = g^{x_1}, h_2 = g^{x_2}
- \mathcal{A} is given G, q, g, h_1, h_2, and outputs h \in G
- The output of the experiment is 1 if h = g^{x_1 x_2}, and 0 otherwise
The CDH Assumption
Definition: We say the CDH problem is hard relative to \mathcal{G} if for all PPT algorithms \mathcal{A} there exists a negligible function \textsf{negl} such that \Pr[\textsf{CDH}_{\mathcal{A}, \mathcal{G}}(n) = 1] \le \textsf{negl}(n).
The CDH assumption states that there exists a \mathcal{G} relative to which the CDH problem is hard
Relation between the DL and CDH Problems
- If discrete logarithms are easy to calculate in a group, then the CDH is also easy
- So the CDH assumption is a stronger assumption than the DL assumption
The DDH Assumption
Let \mathcal{G} denote a polynomial-time, cyclic group generation algorithm
Definition: We say the DDH problem is hard relative to \mathcal{G} if for all PPT algorithms \mathcal{A} there exists a negligible function \textsf{negl} such that \begin{align*} &\bigg| \Pr[\mathcal{A}(G,q,g,g^x,g^y,g^z) = 1] \\ &\ \ - \Pr[\mathcal{A}(G,q,g,g^x,g^y,g^{xy}) = 1]\bigg| \le \textsf{negl}(n)\end{align*} where x,y,z\in \mathbb{Z}_q are uniformly chosen
The DDH assumption states that there exists a \mathcal{G} relative to which the DDH problem is hard
Prime-Order Cyclic Groups
Cyclic groups of prime order are preferred because the DL problem is hardest in such groups
- DL problem in a group of order q becomes easier if q has small prime factors
Finding generators in prime-order cyclic groups is trivial
Subgroups of \mathbb{Z}_p^* and elliptic curves are two sources of prime-order cyclic groups
Prime-Order Subgroups of \mathbb{Z}_p^*
\mathbb{Z}_p^* is Cyclic for Prime p
Theorem: If p is a prime, then Z_p^* is a cyclic group of order p-1
Proof can be found in Prof. Forney’s notes
There exists an integer g \in \mathbb{Z}_p^* such that \mathbb{Z}_p^* = \left\{g^i \mid i \in \{0,1,2,\ldots,p-2\}\right\}
Finding a Prime-Order Subgroup
- Suppose we want to generate a subgroup of \mathbb{Z}_p^* whose order is an n-bit prime
- First, find an n-bit prime q
- Then for r \in \{1,2,\ldots\} check if rq+1 is a prime
- If such an r is found, set p= rq+1. Then G = \{ h^r \bmod p \mid h \in \mathbb{Z}_p^*\} is a subgroup of \mathbb{Z}_p^* of order q.
Subgroup of rth Residues
Theorem: Let p=rq+1 with p,q prime. Then G = \{ h^r \bmod p \mid h \in \mathbb{Z}_p^*\} is a subgroup of \mathbb{Z}_p^* of order q.
Proof
- The function f_r(x) = [x^r \bmod p] is an r-to-1 function in \mathbb{Z}_p^*
- As |\mathbb{Z}_p^*| = p-1 = rq, we have |G| = q
Finding a Generator of the Subgroup
G = \{ h^r \bmod p \mid h \in \mathbb{Z}_p^*\}
A generator of the subgroup G can be found as follows
- For p = rq+1, choose a uniform h \in \mathbb{Z}_p^* \setminus \{1\}
- If h^r \neq 1, then h^r is a generator of G
How large should p,q be?
Let n = \| q \| and l = \|p\|
Two types of algorithms are known for computing discrete logarithms in order-q subgroups of \mathbb{Z}_p^*
- First type runs in time \mathcal{O}(\sqrt{q}) = \mathcal{O}(2^{n/2})
- Second type runs in time 2^{\mathcal{O}\left((\log p)^{1/3}\cdot (\log\log p)^{2/3} \right)} = 2^{\mathcal{O}\left( l^{1/3} \cdot (\log l)^{2/3}\right)}
For a fixed security level, say 2^{128} operations, n and l should be chosen as small as possible
Further reading
- Section 9.3 of Katz and Lindell