Structural Group Theory

Example: The "Clock" Partition (\( 3\mathbb{Z} \) in \( \mathbb{Z} \))

Consider the additive group of integers \( \mathbb{Z} \) and its subgroup \[ H = 3\mathbb{Z} = \{ \dots, -6, -3, 0, 3, 6, \dots \}. \] To find the cosets, we pick an element \( a \in \mathbb{Z} \) and add it to every element in \( H \):

• 0 + 3\(\mathbb{Z}\) = { \(\cdots\), -6, -3, 0, 3, 6, \(\cdots\) }
• 1 + 3\(\mathbb{Z}\) = { \(\cdots\), -5, -2, 1, 4, 7, \(\cdots\) }
• 2 + 3\(\mathbb{Z}\) = { \(\cdots\), -4, -1, 2, 5, 8, \(\cdots\) }
• 3 + 3\(\mathbb{Z}\) = { \(\cdots\), -3, 0, 3, 6, 9, \(\cdots\) } = 0 + 3\(\mathbb{Z}\)

This illustrates that the cosets are exactly the equivalence classes of the "modulo" relation. In CS terms, this is the mathematical foundation of a hash map where the keys are remainders.

Proof:

Let \(a_1 H, \, a_2 H, \, \ldots, \, a_r H\) denote the distinct left cosets of \(H\) in \(G\). For any \(a \in G\), Property 1 guarantees that \(a \in aH\). Since the cosets \(a_1 H, \ldots, a_r H\) exhaust all distinct cosets, we have \(aH = a_i H\) for some \(i\), which means \(a \in a_i H\). Therefore, every element of \(G\) belongs to one of these cosets: \[ G = a_1 H \cup \cdots \cup a_r H. \] By Property 4, this union is disjoint, so: \[ |G| = |a_1 H| + |a_2 H| + \cdots + |a_r H|. \] Since \(\forall i, \, |a_i H| = |H|\) by Property 6, we have \(|G| = r |H|\). Therefore, \[ r = \frac{|G|}{|H|}. \]

Proof for Fermat's Little Theorem:

By the division algorithm: \[ a = pm + r, \, 0 \leq r < p. \] Thus, \(a \bmod p = r\) and it suffices to prove that \(r^p \bmod p = r\). If \(r =0\), the result is trivial, we assume that \(r \in U(p)\). (Note that \(U(p) = \{1, 2, \ldots, p-1\}\) under multiplication modulo \(p\).)
Then, by the Corollary 3, \(r^{p-1} \bmod p = 1 \) and therefore, \(r^p \bmod p = r\),

Example: Subgroup Attacks and the Pohlig-Hellman Algorithm

In the Diffie-Hellman key exchange, two parties agree on a shared secret by exchanging values in a cyclic group \(G = \langle g \rangle\) of order \(n\). The security relies on the discrete logarithm problem (DLP): given \(g\) and \(h = g^x\), find the exponent \(x\).

Lagrange's Theorem reveals a critical vulnerability when \(n\) is composite. The Pohlig-Hellman algorithm exploits the subgroup structure guaranteed by Lagrange's Theorem to reduce the DLP in \(G\) to smaller DLPs in subgroups of prime-power order.

The Key Insight:

Suppose \(n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}\). For each prime power \(p_i^{e_i}\) dividing \(n\), consider the element \[ g_i = g^{n / p_i^{e_i}}. \] By Lagrange's Theorem, \(g_i\) has order exactly \(p_i^{e_i}\) since \[ (g_i)^{p_i^{e_i}} = g^n = e \quad \text{and} \quad (g_i)^{p_i^{e_i - 1}} = g^{n/p_i} \neq e. \] Similarly, define \(h_i = h^{n / p_i^{e_i}}\). Then \[ h_i = (g^x)^{n / p_i^{e_i}} = (g_i)^x, \] so solving \(h_i = (g_i)^{x_i}\) for \(x_i\) is a DLP in a subgroup of order \(p_i^{e_i}\), which yields \(x_i \equiv x \bmod{p_i^{e_i}}\).

Reconstructing the Solution:

Once we have all \(k\) congruences \[ x \equiv x_1 \bmod{p_1^{e_1}}, \quad x \equiv x_2 \bmod{p_2^{e_2}}, \quad \ldots, \quad x \equiv x_k \bmod{p_k^{e_k}}, \] the Chinese Remainder Theorem guarantees a unique solution modulo \(n\).

Complexity Implication:

The complexity of the Pohlig-Hellman algorithm is \[ O\left(\sum_{i=1}^{k} e_i \left(\log n + \sqrt{p_i}\right)\right) \] group operations. When all prime factors \(p_i\) are small (i.e., \(n\) is smooth), this is dramatically faster than the \(O(\sqrt{n})\) complexity of generic algorithms like baby-step giant-step. For example, if \(n = 2^{20}\), the DLP can be solved in roughly \(O(20 \cdot (\log n + \sqrt{2})) \approx O(20 \cdot 21.4)\) operations instead of \(O(\sqrt{2^{20}}) = O(1024)\) operations.

The Defense:

This is precisely why cryptographic protocols choose groups of prime order \(p\). By Lagrange's theorem, such groups have no nontrivial proper subgroups, rendering Pohlig-Hellman inapplicable and forcing attackers to confront the full difficulty of the DLP. We hope you can see the fundamental connection between abstract algebra and computer science.

Reference

A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997, pp. 107-109.

Examples:

• Abelian Groups:
  If \(G\) is Abelian, every subgroup is normal. Since \(ah = ha\) for all elements, clearly \(aH = Ha\).
• The Center \(Z(G)\):
  The center is always normal in \(G\) because its elements commute with everything by definition.
• The Alternating Group \(A_n\):
  In the previous chapter, we saw that \(|S_n| = 2|A_n|\). This implies that \(A_n\) has index 2 in \(S_n\).
  Theorem: Any subgroup of index 2 is always normal.
  (Why? One coset is \(H\) itself. The other coset must be \(G \setminus H\). Since this partition is unique, left and right cosets must match.)

Proof: If \(H\) is normal in \(G\), then for any \(x \in G\) and \(h \in H\), there is an \(h' \in H\) such that \(xh = h'x\). Multiplying by \(x^{-1}\) on the right gives \[ xhx^{-1} = h' \in H. \] Thus, \(xHx^{-1} \subseteq H\).

Conversely, suppose \(\forall x, \, xHx^{-1} \subseteq H\). Let \(x = a \in G\). Then we have \[ aHa^{-1} \subseteq H \text{ or } aH \subseteq Ha. \] On the other hand, consider \(x = a^{-1}\). Then we have \[ a^{-1}H(a^{-1})^{-1} = a^{-1}Ha \subseteq H. \] Thus, \(Ha \subseteq aH\).
Since \(aH \subseteq Ha\) and \(Ha \subseteq aH\), we conclude \(aH = Ha\).

Proof: First, to show that the operation is well-defined, we check if the following function is valid or not: \[ (G / H) \times (G / H) \to G / H. \] Suppose \(aH = a'H\) and \(bH = b'H\) for some elements \(a, a', b, b' \in G\). We must show that \(abH = a'b'H\).
From the assumption: \(aH = a'H \text{ and } bH = b'H \), we have \(a' = ah_1\) and \(b' = bh_2\) for some \(h_1, h_2 \in H\). Here, by Property 2 of Properties of Cosets and \(H \trianglelefteq G\), we have: \[ \begin{align*} a'b'H &= (ah_1)(bh_2) H \\\\ &= ah_1 b H \\\\ &= ah_1 H b \\\\ &= aHb \\\\ &= abH. \end{align*} \] Therefore, the operation is well-defined.

Now, we check group axioms for \(G / H\):

• Identity: \(eH = H\) serves as the identity because \((aH)(eH) = (ae)H = aH\).
• Inverse: The inverse of \(aH\) is \(a^{-1}H\) because \((aH)(a^{-1}H) = (aa^{-1})H = eH = H\).
• Associativity: Inherited directly from \(G\):\((aHbH)cH = (ab)HcH = (ab)cH = a(bc)H = aH(bc)H = aH(bHcH)\).

Example: The Integers Modulo \(n\) (\(\mathbb{Z}/n\mathbb{Z}\))

Let \(G = \mathbb{Z}\) (integers) and \(H = n\mathbb{Z}\) (multiples of \(n\)). Since \(\mathbb{Z}\) is Abelian, \(H\) is normal.
The cosets are: \[ 0+H, \quad 1+H, \quad 2+H, \quad \dots, \quad (n-1)+H. \] The factor group operation tells us how to add these cosets: \[ (a+H) + (b+H) = (a+b) + H. \] Does this look familiar? It is exactly modular arithmetic. The factor group \(\mathbb{Z}/n\mathbb{Z}\) is structurally identical (isomorphic) to the group \(\mathbb{Z}_n\).

Example: The Parity Map

Consider the group of integers \(\mathbb{Z}\) under addition and the group \(G_2 = \{1, -1\}\) under multiplication. Define a map \(\phi: \mathbb{Z} \to G_2\) based on whether a number is even or odd: \[ \phi(n) = \begin{cases} 1 & \text{if } n \text{ is even} \\ -1 & \text{if } n \text{ is odd} \end{cases} \] Is this a homomorphism? We check if \(\phi(a + b) = \phi(a)\phi(b)\).

• Even + Even = Even: \(\phi(E + E) = 1\) and \(\phi(E)\phi(E) = 1 \cdot 1 = 1\). (Match)
• Odd + Odd = Even: \(\phi(O + O) = 1\) and \(\phi(O)\phi(O) = (-1) \cdot (-1) = 1\). (Match)
• Even + Odd = Odd: \(\phi(E + O) = -1\) and \(\phi(E)\phi(O) = 1 \cdot (-1) = -1\). (Match)

Since the equation holds for all cases, \(\phi\) is a homomorphism. It "translates" the logic of addition into multiplication without breaking the truth of the statements.

Example: The Determinant Mapping

Let \(GL(n, \mathbb{R})\) be the General Linear Group (invertible \(n \times n\) matrices) and \(\mathbb{R}^*\) be the group of nonzero real numbers under multiplication.

Recall the property of determinants: \[ \det(AB) = \det(A)\det(B). \] This equation is exactly the homomorphism property. It tells us that the determinant mapping \(\det: GL(n, \mathbb{R}) \to \mathbb{R}^*\) defined by \(A \mapsto \det(A)\) is a homomorphism.

The kernel of this homomorphism is \[ \text{Ker } \det = \{A \in GL(n, \mathbb{R}) \mid \det(A) = 1\} \] This is the Special Linear Group, denoted \(SL(n, \mathbb{R})\). (Note that \(SL(n, \mathbb{R})\) is a normal subgroup of \(GL(n, \mathbb{R})\).)

Example: The Natural Projection \(\mathbb{Z} \to \mathbb{Z}_n\)

Let \(n\) be a fixed positive integer greater than 1. If \(a \bmod n = a'\) and \(b \bmod n = b'\), then \[ (a + b) \bmod n = (a' + b') \bmod n. \] This shows that the mapping \(\phi: \mathbb{Z} \to \mathbb{Z}_n\) defined by \(\phi(m) = m \bmod n\) is a homomorphism.

The kernel consists of all integers that map to \(0\): \[ \text{Ker }\phi = \{m \in \mathbb{Z} \mid m \bmod n = 0\} = n\mathbb{Z} = \langle n \rangle. \]

Example: Logarithms (The Slide Rule Principle)

Consider the additive group of real numbers \((\mathbb{R}, +)\) and the multiplicative group of positive real numbers \((\mathbb{R}^+, \times)\).
The function \(\phi(x) = e^x\) is an isomorphism between them: \[ \phi(a + b) = e^{a+b} = e^a \cdot e^b = \phi(a) \cdot \phi(b) \] This isomorphism tells us that addition in the world of exponents is identical to multiplication in the world of bases. This is the mathematical principle behind the Slide Rule: by transforming numbers into lengths (logs), we can multiply them simply by adding the lengths.

Example: Inner Automorphism in \(S_3\)

Consider the symmetric group \(S_3\) and let \(a = (1\, 2)\). The inner automorphism \(\phi_a\) induced by \(a\) is defined by: \[ \phi_a(x) = (1\, 2) \, x \, (1\, 2)^{-1} = (1\, 2) \, x \, (1\, 2). \] Let us compute \(\phi_a\) for each element of \(S_3\):

• \(\phi_a(\epsilon) = (1\, 2)\, \epsilon \,(1\, 2) = \epsilon\)
• \(\phi_a((1\, 2)) = (1\, 2)(1\, 2)(1\, 2) = (1\, 2)\)
• \(\phi_a((1\, 3)) = (1\, 2)(1\, 3)(1\, 2) = (2\, 3)\)
• \(\phi_a((2\, 3)) = (1\, 2)(2\, 3)(1\, 2) = (1\, 3)\)
• \(\phi_a((1\, 2\, 3)) = (1\, 2)(1\, 2\, 3)(1\, 2) = (1\, 3\, 2)\)
• \(\phi_a((1\, 3\, 2)) = (1\, 2)(1\, 3\, 2)(1\, 2) = (1\, 2\, 3)\)

Notice that \(\phi_a\) swaps \((1\, 3) \leftrightarrow (2\, 3)\) and \((1\, 2\, 3) \leftrightarrow (1\, 3\, 2)\), while fixing \(\epsilon\) and \((1\, 2)\). This is a nontrivial automorphism of \(S_3\).

Proof:

From any group \(G\), we construct a group \(\overline{G}\) of permutations that is isomorphic to \(G\). For any \(g \in G\), define a mapping \(T_g: G \to G\) by \(T_g (x) = gx\) for any \(x \in G\).

Let \(y \in G\). Since \(T_g(x) = T_g(y)\) implies \(gx = gy\), by left cancellation we have \(x =y\). Thus \(T_g\) is one-to-one. Also, \(T_g ( g^{-1} y) = y\), so \(T_g\) is onto. Thus, \(T_g\) is a permutation on the set of elements of \(G\).

Now, let \(\overline{G} = \{T_g \mid g \in G \}\). Then we claim that \(\overline{G}\) is a group under the operation of function composition. To verify this, we first observe that \(\forall g, h \in G\), \[ T_g T_h (x) = T_g (T_h(x)) = T_g(hx) = g(hx) = (gh)x = T_{gh}(x). \] Note that \(T_e\) is the identity since \[T_e (x) = ex =x \] and \((T_g)^{-1} = T_{g^{-1}}\) since \[ T_g \circ (T_g)^{-1} = T_e = T_{gg^{-1}} = T_g \circ T_{g^{-1}}. \] Since function composition is associative, we conclude that \(\overline{G}\) satisfies all the conditions to be a group.

For any \(g \in G\), define \(\phi (g) = T_g\). If \(T_g = T_h\), then \(T_g(e) = T_h (e)\), or \(ge = he\). Thus, \(g = h\) and \(\phi\) is one-to-one. Also, \(\phi\) is onto by the way \(\overline{G}\) was constructed.

Finally, let \(a, b \in G\). Then \[ \phi(ab) = T_{ab} = T_a T_b = \phi(a)\phi(b). \] Thus, \(\phi\) preserves operations.

Therefore, \(\phi\) is an isomorphism between \(G\) and \(\overline{G}\).

Proof:

Let \(\psi\) be the correspondence \(g \text{Ker } \phi \to \phi(g)\).
That \(\psi\) is well-defined and one-to-one follows directly from Property 5 of Elements under Homomorphism: \[ \phi(a) = \phi(b) \iff a\text{Ker }\phi = b\text{Ker }\phi. \] This ensures that the image depends only on the coset, not the representative, and that distinct cosets map to distinct values.

To show that \(\psi\) is operation-preserving, observe that: \[ \begin{align*} &\psi(x \text{Ker } \phi \, y \text{Ker } \phi) \\\\ &= \psi(xy \text{Ker }\phi) \\\\ &= \phi(xy) \\\\ &= \phi(x)\phi(y) \\\\ &= \psi(x \text{Ker }\phi)\psi(y \text{Ker }\phi). \end{align*} \] Finally, \(\psi\) is onto \(\phi(G)\) by the definition of the mapping.
Since \(\psi\) is well-defined, one-to-one, onto, and operation-preserving, it is an isomorphism.

Example: \(\mathbb{Z}/\langle n \rangle \cong \mathbb{Z}_n\)

Recall the natural projection \(\phi: \mathbb{Z} \to \mathbb{Z}_n\) defined by \(\phi(m) = m \bmod n\), whose kernel is \(\text{Ker }\phi = \langle n \rangle\).

By the First Isomorphism Theorem: \[ \mathbb{Z} / \langle n \rangle \cong \phi(\mathbb{Z}) = \mathbb{Z}_n. \] This confirms that the factor group \(\mathbb{Z}/\langle n \rangle = \mathbb{Z}/n\mathbb{Z}\) and the cyclic group \(\mathbb{Z}_n\) are structurally identical.