Data Service Outsourcing and Privacy Protection in Mobile Internet

1.1.2.1. Mobile social networks

Social networking has already become an important integral part of our daily lives, enabling us to contact our friends and families. Nowadays, the pervasive use of the mobile Internet and the social connections fosters a promising mobile social network (MSN) where reliable, comfortable, and efficient computation and communication tools are provided to improve the quality of our work and life.

MSN is social networking where individuals with similar interests converse and connect with one another through their mobile phone and/or tablet. Much like web-based social networking, mobile social networking occurs in virtual communities [1].

Similar to many online social networking sites, such as Facebook and Twitter, there are just as many social networks on mobile devices. They offer vast number of functions including multimedia posts, photo sharing, and instant messaging. Most of these mobile applications offer free international calling and texting capabilities. Today, social networking applications are not just for the social aspect but are frequently used for professional aspects as well, such as LinkedIn, which is still constantly growing. Along with sharing multimedia posts and instant messaging, social networks are commonly used to connect immigrants in a new country. While the thought of moving to a new country may be intimidating for many, social media can be used to connect immigrants of the same land together to make assimilation a little less stressful [2].

1.1.2.2. Mobile ad hoc networks

Due to the limitation of the applications in the wire communication, the need of the extension of applications via the mobile Internet becomes necessary. The growth of laptops and 802.11/Wi-Fi wireless networks has made mobile ad hoc networks (MANETs) a popular research topic since the mid-1990s.

A mobile ad hoc network (MANET), also known as wireless ad hoc network [3] or ad hoc wireless network, is continuously self-configuring, infrastructure-less network of mobile devices connected using wireless channels [4]. Each device in a MANET is free to move independently in any direction and will therefore change its links to other devices frequently. Such networks may operate by themselves or may be connected to the larger Internet. They may contain one or multiple and different transceivers between nodes. This results in a highly dynamic, autonomous topology [5].

MANETs can be used in many applications, ranging from sensors for environment, vehicular ad hoc communications, road safety, smart home, peer-to-peer messaging, air/land/navy defense, weapons, robots, etc. A typical instance is health monitoring, which may include heart rate, blood pressure, etc. [6]. This can be constant, in the case of a patient in a hospital or event driven in the case of a wearable sensor that automatically reports your location to an ambulance team in case of an emergency. Animals can have sensors attached to them in order to track their movements for migration patterns, feeding habits, or other research purposes [7]. Another example is used in disaster rescue operations. Sensors may also be attached to unmanned aerial vehicles (UAVs) for surveillance or environment mapping [8]. In the case of autonomous UAV-aided search and rescue, this would be considered an event mapping application, since the UAVs are deployed to search an area but will only transmit data back when a person has been found.

1.1.2.3. Mobile payment

Since the rapid economic growth, the methods of payment have changed a lot all over the world. Given by the development of the mobile Internet, the mobile payment becomes more pervasive in Asian countries, especially in China.

Mobile payment (also referred to as mobile money, mobile money transfer, and mobile wallet) generally refers to payment services operated under financial regulation and performed from or via a mobile device. Instead of paying with cash, check, or credit cards, a consumer can use a mobile to pay for a wide range of services and digital or hard goods.

Although the concept of using non-coin-based currency systems has a long history [9], it is only recently that the technology to support such systems has become widely available.

2.1.1.1. Primes and divisibility

Let Z be the set of integers. We say that a divides b (denoted as a | b ) if there exists an integer c satisfying a c = b for a , b , c ∈ R Z . If a does not divide b , we write a ∤ b . Despite that this definition makes sense even when one or more of these integers are negative or zero, we are only interested in the case when a , b , c are all positive. A direct observation is that if a | b and a | c , then a | ( x b + y c ) for any x , y ∈ R Z .

If a | b and a is positive, a is regarded as a divisor or factor of b . Furthermore, a is also called a nontrivial factor of b in case a ∉ { 1, b } . A positive integer p ( > 1 ) is considered as prime if it has no nontrivial factors, i.e., it has only two divisors: 1 and p itself. A positive integer greater than 1 is called composite if this integer is not a prime number. It is the convention to know that “1” is neither prime nor composite.

According to the fundamental theorem of arithmetic, every integer greater than 1 can be expressed uniquely as a product of primes. Namely, any positive integer n > 1 can be written as n = ∏ i p i e i such that { p i } are distinct primes and e i ≥ 1 for all i ; furthermore, the { p i } and { e i } are uniquely determined up to ordering.

Proposition 2.1

Let a and b be two integers and b > 0 . Then there exist unique integers q , r satisfying a = q b + r and 0 ≤ r < b .

c is known as the greatest common divisor of two nonnegative integers a and b (written as gcd ( a , b ) ) if c is the largest integer satisfying c | a and c | b . It is noted that gcd ( 0,0 ) are not defined, whereas gcd ( b ,0 ) = gcd ( 0, b ) = b . The notion of greatest common divisor also makes sense when either or both of a , b are negative, but we will never need this; therefore, when we write gcd ( a , b ) , we always assume that a , b ≥ 0 . Note that if p is prime, then gcd ( a , p ) is either equal to 1 or p . a and b are called relatively prime if gcd ( a , b ) = 1 .

Proposition 2.2

Let a , b be two positive integers. Then there exist x , y ∈ Z such that a x + b y = gcd ( a , b ) . Furthermore, gcd ( a , b ) is the smallest positive integer that can be expressed in this manner.

Proof. Let I denote the set { a x + b y } where x , y are chosen from Z . Note that I certainly contains some positive integers since at least a , b ∈ I such that a = a × 1 + b × 0 and b = a × 0 + b × 1 . Let d denote the smallest positive integer in I . We claim that d = gcd ( a , b ) due to the fact that d can be represented as d = a x + b y for some x , y ∈ Z (recall that d ∈ I ). In addition, to show that d = gcd ( a , b ) , we must show that d | a and d | b and that d is the largest integer with this property. In fact, we can show that d divides every element in I . To prove this, take arbitrary c ∈ I such that c = a x ′ + b y ′ with x ′ , y ′ ∈ Z . According to Proposition 2.1, we have c = q d + r with q and r being integers and 0 ≤ r < d . Then

There is a contradiction between r ≠ 0 and the choice of d as the smallest positive integer in I . Thus, it is obvious that r = 0 and hence d | c .

Since both a and b are elements in I , the above shows that d | a and d | b . Suppose there exists d ′ > d such that d ′ | a and d ′ | b . Then d ′ | a x + b y ; since the latter is equal to d , this means d ′ | d , which is impossible if d ′ is larger than d . It is concluded that d is the largest integer dividing both a and b and hence d = gcd ( a , b ) .

Given a and b , the Euclidean algorithm can be used to compute gcd ( a , b ) in polynomial time. The extended Euclidean algorithm can be used to compute the coefficients x , y (as in Proposition 2.1) in polynomial time as well. Interested readers can refer to [68] for more details.

Proposition 2.3

If c | a b and gcd ( a , c ) = 1 , then c | b . In particular, if p is prime and p | a b , then either p | a or p | b .

Proof. It is easy to observe that c × α = a b for some integer α since c | a b . From gcd ( a , c ) = 1 then, according to the previous proposition, there exist integers x , y such that 1 = a x + c y . Multiplying both sides by b , we obtain

Since ( α x + y b ) is an integer, it follows that c | b .

The second part of this proposition follows from the fact that if p ∤ a , then gcd ( a , p ) = 1 .

Proposition 2.4

If p | N , q | N , and gcd ( p , q ) = 1 , then p q | N .

Proof. We can see p α = N and q β = N from p | N and q | N and obtain 1 = p x + q y from Proposition 2.2, where α , β , x , y are all integers. Multiplying both sides of the last equation by N , we obtain N = p x N + q y N = p x q β + q y p α = p q ( x β + y α ) . Thus, p q | N .

2.1.1.2. Modular arithmetic

Let a , b , N be integers with N > 1 . Let [ a   mod   N ] denote the remainder of a ∈ Z upon division by N . In more detail, according to Proposition 2.1, there exist unique q and r such that a = q N + r and 0 ≤ r < N , and [ a   mod   N ] is defined as this remainder r . Namely, 0 ≤ [ a   mod   N ] < N . The process of mapping a to [ a   mod   N ] is called reduction modulo N .

a and b are regarded as congruent modulo N (written as a = b   mod   N ) if [ a mod N ] = [ b mod N ] , that is to say, the remainder when a is divided by N is equivalent to the remainder when b is divided by N . In this manner, a = b   mod   N if and only if N | ( a − b ) . Note that a = [ b   mod   N ] implies a = b   mod   N , but not vice versa. For example, 36 = 18   mod   18 but 36 ≠ [ 18   mod   18 ] = 0 .

We remark that congruence modulo N is an equivalence relation, i.e., it is reflexive ( a = a   mod   N for all a ), symmetric ( a = b   mod   N implies b = a   mod   N ), and transitive (if a = b   mod   N and b = c   mod   N , then a = c   mod   N ). Congruence modulo N also obeys the standard rules of arithmetic with respect to addition, subtraction, and multiplication, so if a = a ′   mod   N and b = b ′   mod   N , then ( a + b ) = ( a ′ + b ′ )   mod   N and a b = a ′ b ′   mod   N . Thus, the calculations of congruence modulo N can be simplified by “reducing and then adding/multiplying” instead of “adding/multiplying and then reducing.”

Example 1. Let us compute [ 3193015 × 590702   mod   100 ] . Since 3193015 = 15   mod   100 and 590702 = 2   mod   100 , we have

The cost of alternate approach to derive the answer (viz., computing the product 3193015 × 590702 and then reducing the answer modulo 100) is much more expensive.

Different from addition, subtraction, and multiplication, the division operation in congruence modulo N has not been involved. That is to say, if a = a ′   mod   N and b = b ′   mod   N , then it is not necessarily true that a / b = a ′ / b ′   mod   N ; in fact, the expression “ a / b mod N ” is not, in general, defined well. As a specific example related to the division, a b = c b   mod   N does not necessarily imply that a = c   mod   N .

Example 2. Take N = 12 . Then 3 × 3 = 9 = 3 × 7   mod   12 , but 3 ≠ 7   mod   24 .

However, a meaningful notion of division has also been defined for congruence modulo N . If for a given integer a there exists an integer a − 1 such that a × a − 1 = 1   mod   N , a − 1 is viewed as a (multiplicative) inverse of a modulo N , and a is considered as invertible modulo N . It is obvious to observe that if α is a multiplicative inverse of a modulo N , then so is [ α   mod   N ] ; furthermore, if α ′ is another multiplicative inverse, then [ α mod N ] = [ α ′ mod N ] . We can simply let a − 1 denote the unique multiplicative inverse of a that lies in the range { 0, … , N − 1 } if a is invertible.

In this way, division by a modulo N is defined as multiplication by a − 1 modulo N if a is invertible modulo N (i.e., c / a is defined as c × a − 1   mod   N ) . We stress that division by a is only defined when a is invertible. If c × a = b × a   mod   N and a are invertible, then we may divide each side of the equation by a (or, equivalently, multiply each side by a − 1 ) to obtain

We see that in this case, division works “as expected” by adopting the idea of invertible integers. The natural question is that which integers are invertible modulo of a given modulus N. To answer this question fully, Proposition 2.2 is used in the following proposition:

Proposition 2.5

Let a , N be integers with N > 1 . Then a is invertible modulo if and only if gcd ( a , N ) = 1 .

Proof. Assume a is invertible modulo N , and let b denote its inverse. It is evident that a ≠ 0 since 0 × b = 0   mod   N regardless of the value of b . Since a × b = 1   mod   N , the definition of congruence modulo N implies that a × b − 1 = α × N for some α ∈ Z . Equivalently, b × a − α × N = 1 . According to Proposition 2.2, this implies gcd ( a , N ) = 1 .

Conversely, if gcd ( a , N ) = 1 , then according to Proposition 2.2, there exist integers x , y such that a x + N y = 1 . Reducing each side of this equation, modulo N gives a x = 1   mod , and it is easy to see that x is a multiplicative inverse of a .

Example 3. Let N = 13 and a = 10 . Then 10 × 4 + ( − 3 ) × 13 = 1 , and so 4 = [ 4   mod   13 ] is the inverse of 10. One can verify that 10 × 4 = 1   mod   13 .

2.1.2.1. Group theory

Assume G be a set. A binary operation ∘ defined over the set G (written as g ∘ h if g , h ∈ G ) is simply a function that takes as input two elements of G and outputs another element in the set G . The formal definition of a group is described as follows:

Definition 2.1. A group is a set G pairing with a binary operation ∘ such that:

Closure law: For all g , h ∈ G , the result of g ∘ h still remains in the set G .

Identity law: There exists an identity element e ∈ G such that for all g ∈ G , e ∘ g = g = g ∘ e .

Inverse law: For all g ∈ G , there exists an element h ∈ G such that g ∘ h = e = h ∘ g . Such an h is called an inverse element of g .

Associative law: For all g 1 , g 2 , g 3 ∈ G , ( g 1 ∘ g 2 ) ∘ g 3 = g 1 ∘ ( g 2 ∘ g 3 ) .

In this way, the set G along with the binary operation ∘ is defined as a group. When the set G has a finite number of elements, ( G , ∘ ) is viewed as a finite group, and | G | denotes the order of the group, that is, the number of elements in G .

If g ∘ h = h ∘ g for all g , h ∈ G , this group is called abelian group or commutative group. In this book, we will always deal with finite and abelian (commutative) groups.

If ( G , ∘ ) is a group, a set H ⊆ G pairing with the operation ∘ is called a subgroup of ( G , ∘ ) if the set H forms a group under the involved operation ∘ . To check that ( H , ∘ ) is a subgroup, we need to verify closure, existence of identity and inverses, and associativity according to Definition 2.1. (In fact, associativity is inherited automatically from the group ( G , ∘ ) .) Every group ( G , ∘ ) always has the trivial subgroups ( G , ∘ ) and ({ e }, ∘ ). ( H , ∘ ) is called a strict subgroup of ( G , ∘ ) if H ≠ G .

Associativity implies that the notation of long expression g 1 ∘ g 2 ∘ ⋯ ∘ g n without parentheses is unambiguous since it does not matter in what order we perform the operation ∘ .

It is easy to see that the identity element in a group ( G , ∘ ) is unique, and thus we can therefore refer to the identity element of a group. One can also demonstrate that each element g of a group has a unique inverse element.

In general, the abstract notation ∘ will not be used to denote the group operation directly. Either the additive notation or the multiplicative notation will be used instead depending on the involved group. In case the additive notation has been adopted, the group operation applied to two elements g , h in the group is denoted as g + h ; the identity element is denoted as “0,” and the inverse element of g is denoted as − g . In case the multiplicative notation has been employed, the group operation applied to g , h in the group is denoted as g × h or simply g h ; the identity element is denoted as “1,” and the inverse element of g is denoted as g − 1 . As in the case of multiplication modulo N , we also define division by g as multiplication by g − 1 (i.e., [ ( h / g )   mod   N ] is defined as [ ( h × g − 1 )   mod   N ]). Finally, we remark that this does not imply that the group operation corresponds to the addition or multiplication operation for integers. Instead, this merely serves as useful general notation.

Example 4. A set may be formed as a group under one operation, but not another operation. For example, the set of integers Z forms an abelian group under the addition operation: the identity element is “0,” and every integer g has inverse identity − g . On the other hand, it does not form a group under multiplication operation since, for example, the multiplicative inverse of the integer “0” does not make sense.

Example 5. The set of complex numbers C is not a group under multiplication, since “0” does not have a multiplicative inverse. The set of nonzero complex numbers, however, is an abelian group under multiplication with identity “1.”

Example 6. Let N ≥ 2 be an integer. The set { 0, … , N − 1 } with respect to addition modulo N is an abelian group of order N : closure is obvious; associativity and commutativity follow from the fact that the integers satisfy these properties; the identity element is 0; and, since a + ( N − a ) = 0   mod   N , it follows that the inverse element of any element a is [ ( N − a )   mod   N ] . We denote this group by ( Z N , + ) . (Occasionally, the notion Z N will also be used to denote the set { 0, … , N − 1 } without involving any particular operation.)

The “cancelation law” for groups has been demonstrated in the following lemma.

Lemma 2.1 Let ( G , × ) be a group and a , b , c ∈ G . If a × c = b × c , then a = b . In particular, if a × c = c , then a is the identity element in G .

Proof. We know a × c = b × c . Multiplying both sides by the unique inverse element c − 1 of the element c , we obtain a = b . In detail

Group exponentiation: It is often useful to be able to describe the group operation applied n times to a fixed element g , where n is a positive integer. As for the additive operation, we demonstrate this as n ⋅ g or n g , that is,

Note that n is an integer, while g is a group element. So n g does not represent the group operation applied to n and g (indeed, we are working in a group where the group operation is written additively). However, the operation “behaves fortunately as it should,” for example, if g ∈ G and n , n ′ are integers, then ( n g ) + ( n ′ g ) = ( n + n ′ ) g , n ( n ′ g ) = ( n n ′ ) g and 1 ⋅ g = g . In an abelian group G with g , h ∈ G , ( n g ) + ( n h ) = n ( g + h ) .

As for the multiplicative operation, we demonstrate application of the group operation n times to an element g by g n . That is,

The familiar rules of exponentiation follow: g n × g n ′ = g n + n ′ , ( g n ) n ′ = g n n ′ , and g 1 = g . Also, if G is a commutative group and g , h ∈ G , then g n ⋅ h n = ( g h ) n .

The above notation can be extended to the case when n is zero or a negative integer in the natural way. Generally, we leave g r undefined if r is not an integer. As for additive operation, we have 0 ⋅ g = d e f 0 and ( − n ) ⋅ g = d e f n ⋅ ( − g ) such that n is a positive integer. (Note that in the equation “ 0 ⋅ g = 0 ,” the “0” on the left-hand side is the integer 0, while the “0” on the right-hand side is the identity element in the group.) As one would expect, it can be shown that ( − n ) ⋅ g = − ( n g ) . As for multiplicative notation, g 0 = d e f 1 and g − n = d e f ( g − 1 ) n . Again, as expected, one can show that g − n = ( g n ) − 1 .

Theorem 2.1

If ( G , × ) is a finite group with the order m = | G | , then for any element g ∈ G , g m = 1 .

Proof. We prove the theorem only for the commutative group ( G , × ) (despite it holds for any finite group). Fix arbitrary g ∈ G , and let g 1 , ⋯ , g m be the elements of G . We claim that

It is noted that g × g i = g × g j implies g i = g j according to the cancelation law shown in Lemma 2.1. Thus m elements in parentheses on the right-hand side of the displayed equation are pairwise different from each other. By considering that there are exactly m elements in G , the m elements being multiplied together on the right-hand side are simply all elements of G in some permuted order. The order in which all elements of the group are multiplied does not matter due to the fact that the group ( G , × ) is commutative, and thus the result of the right-hand side is identical to the result of left-hand side.

Fueled by the fact that ( G , × ) is commutative, all occurrences of the element g can be pulled out, and we can obtain

Once again by the cancelation law in the group, it is obvious that g m = 1 .

Corollary 2.1

If ( G , × ) is a finite group with the order m = | G | > 1 , then for any element g ∈ G and any integer i , g i = g [ i   mod   m ] .

Proof. According to Proposition 2.1, i can be expressed as q m + r , where q , r are integers and r can be demonstrated as [ i mod m ] . By Theorem 2.1,

holds.

Example 7. As for the additive operation, the above corollary means that if g is an element in a group with order m , then i ⋅ g = [ i       mod   m ] ⋅ g . As an example, consider the group Z 25 of order m = 25 , and take g = 13 . The corollary can be instantiated as

Corollary 2.2

Let ( G , × ) be a finite group with order m = | G | > 1 . Let e > 0 be an integer, and define the function f e : G → G by f e ( g ) = g e . If gcd ( e , m ) = 1 , then f e is a permutation. Furthermore, if d = [ e − 1   mod   m ] , then f d is the inverse of f e .

Proof. According to Proposition 2.5, e is invertible modulo m due to the fact that gcd ( e , m ) = 1 . To show that f d is the inverse of f e , for any g ∈ G , we have

2.1.2.2. Group ( Z N * , × )

As mentioned before, the set Z N = { 0, … , N − 1 } pairing with the addition operation modulo N can be regarded as a group. One natural problem is that whether the set { 0, … , N − 1 } associated with the multiplication operation modulo N can be viewed as a group or not. It is obvious that “1” can be considered as the identity element for the multiplication modulo N. However, not every element in this set is invertible associated with the multiplication modulo N, for example, the multiplicative inverse element of “0” obviously does not make sense. What make matters worse, if N = 8 , then the elements “2,” “4,” and “6” are not invertible by exhaustively trying every possible elements in { 0, … ,7 } . Thus, it is necessary to identify which elements in { 0, … , N − 1 } are invertible modulo N. Depending on Proposition 2.5, the element a ∈ { 0, … , N − 1 } is invertible if and only if gcd ( a , N ) = 1 . It is also easy to observe that the inverse element of a resides in the range { 0, … , N − 1 } . This results in the definition of the following set for N > 1 :

In other words, Z N * includes integers in the set { 1, … , N − 1 } that are relatively prime to N.

Based on the discussion above, the identity element and inverse element associated with each element can be found in Z N * . Furthermore, the commutativity and associativity features inherit from Z N directly. To discuss the feature of closure, let a , b ∈ Z N * and c = [ a × b   mod   N ] , and then assume c ∉ Z N * . This implies that gcd ( c , N ) ≠ 1 , and so a prime p exists such that p | N and p | c . From c = [ a × b   mod   N ] , we see that a × b = q N + c for some integer q and thus p | a × b . Based on Proposition 2.3, we obtain p | a or p | b and, thus, contradict either gcd ( a , N ) = 1 or gcd ( b , N ) = 1 (recall that a , b ∈ Z N * ). In short, the set Z N * with respect to the multiplication operation modulo N forms a group.

Proposition 2.6

Z N * is a commutative group pairing with the multiplication operation modulo N when N > 1 is an integer.

Let ϕ ( N ) denote the order of the group ( Z N * , × ) such that ϕ ( N ) ( = d e f | Z N * | ) and ϕ is called the Euler phi function. To compute the value of ϕ ( N ) , we first consider the case when N is prime, i.e., N = p . In this case, all elements in { 1, … , p − 1 } are relatively prime to p , and so ϕ ( p ) = | Z p * | = p − 1 . We then consider the case N = p × q such that p , q are distinct primes. We see that either p | a or q | a if an integer a ∈ { 1, … , N − 1 } is not relatively prime to N . Note that a cannot be divided by both p and q simultaneously since this would imply p q | a and contradict a < N ( = p × q ) . The elements in { 1, … , N − 1 } that can be divided by p are exactly the ( q − 1 ) elements p ,2 p ,3 p , … , ( q − 1 ) p , and the elements that can be divided by q are exactly the ( p − 1 ) elements q ,2 q , … , ( p − 1 ) q . Thus, the number of elements that are neither divisible by p or q is therefore given by

That is to say, ϕ ( N ) = ( p − 1 ) ( q − 1 ) when N is the product of two distinct primes p and q .

Theorem 2.2

Let N = ∏ i p i e i , where the { p i } are distinct primes and e i ≥ 1 . Then ϕ ( N ) = N × ∏ i ( 1 − 1 p i − 1 ) .

Example 8. Take N = 24 = 3 ⋅ 2 3 . Then Z 24 * = { 1,5,7,11,13,17,19,23 } and | Z N * | = 8 = 24 × ( 1 − 1 2 ) × ( 1 − 1 3 ) = ϕ ( 24 ) . The inverse identity of 5 in Z N * is 5 itself, since 5 × 5 = 25 = 1   mod   24 .

Until now, the set Z N * under the multiplication operation modulo N is shown to be a group with order ϕ ( N ) . According to the Theorem 2.1, we get the following theorem directly:

Theorem 2.3

Take arbitrary N > 1 and a ∈ Z N * ; then we obtain

For the specific case when N = p is prime and a ∈ { 1, … , p − 1 } , we have

By Corollary 2.2, we obtain the following theorem easily:

Theorem 2.4

Let N > 1 be an integer. For integer e > 0 , we define f e : Z N * → Z N * as f e ( x ) = x e   mod . If e is relatively prime to ϕ ( N ) , then f e is a permutation. Moreover, if d = [ e − 1   mod   ϕ ( N ) ] , then f d is the inverse of f e .

Definition 2.2. A function f : G → H is said to be an isomorphism from a group ( G , ∘ G ) to another group ( H , ∘ H ) if (1) f is a bijective mapping, and (2) for all g 1 , g 2 ∈ G , we have f ( g 1 ∘ G   g 2 ) = f ( g 1 ) ∘ H   f ( g 2 ) . If these properties hold, then we say the group ( G , ∘ G ) and the group ( H , ∘ H ) are isomorphic and write this as G ≅ H .

Group isomorphisms: An isomorphism from a group to another group provides an alternate and equivalent approach to think about the structure of groups. For example, if the group ( G , ∘ G ) is finite and G ≅ H , then the group ( H , ∘ H ) must be finite and have the same order as G . Also, if there exists an isomorphism f from a group ( G , ∘ G ) to another group ( H , ∘ H ) , then f − 1 is an isomorphism from ( H , ∘ H ) to ( G , ∘ G ) .

Example 9. The bijective mapping f where f ( n ) = 2 n is an isomorphism from the group ( Z , + ) to the group ( Z 2 n , + ) because f ( a + b ) = 2 ( a + b ) = 2 a + 2 b = f ( a ) + f ( b ) , where Z 2 n denotes the set of even integers and + is the addition operation for the integers.

Example 10. The bijective mapping f where f ( n ) = 3 n is an isomorphism from the group ( Z 6 , + ) to the group ( Z 7 * , × ) , where + and × denote the addition operation modulo 6 and the multiplication operation modulo 7 . On the one hand, 3 0 = 1 , 3 1 = 3 , 3 2 = 2 , 3 3 = 6 , 3 4 = 4 , and 3 5 = 5 . On the other hand, f ( 2 + 3 ) = 3 ( 2 + 3 ) = 3 2 × 3 3 = f ( 2 ) × f ( 3 ) .

2.1.2.3. Chinese remainder theorem

Theorem 2.5

Let n 1 , n 2 , … , n k be integers that are pairwise relatively prime, i.e., gcd ( n i , n j ) = 1 for i ≠ j . Then there exists a unique solution modulo of the product n = n 1 × n 2 × … n k to the following system of congruences:

The solution to the system of congruences shown in Theorem 2.5 can be calculated as

where

and

The solution can also be represented in a slightly different way which makes it easier to be understood. Namely, we can rewrite Eq. (2.1) as

such that

So the solution of the Chinese remainder theory can be regarded essentially as an integer version of Lagrange interpolation, where a polynomial is created according to k points by calculating a similar set of coefficients that are either 0 or 1 and thus enforce the desired behavior at the given points.

Example 11. Consider the following system of congruences:

According to the solution of the Chinese remainder theorem, we see that

so that

In this example we can also think of the solution as finding integers e 1 , e 2 , and e 3 such that

and

2.1.2.4. Cyclic groups and generators

Let ( G , × ) be a finite group with order m. For arbitrary g ∈ G , consider the set

According to Theorem 2.1, g m = 1 . If i ≤ m denotes the smallest positive integer for which g i = 1 , then the above sequence repeats after i terms (i.e., g i = g 0 , g i + 1 = g 1 , ⋯ , g 2 i = g 0 , etc.), and so

It is obvious to see that ⟨ g ⟩ contains exactly i elements since if g j = g k with 0 ≤ j < k < i , then g k − j ≠ 1 thanks to the choice of i .

It is easy to observe that ( ⟨ g ⟩ , × ) can be regarded as a subgroup of ( G , × ) , which is generated by the element g . If the order of the subgroup ( ⟨ g ⟩ , × ) is i , then i is called the o r d e r of the element g .

Definition 2.3. If ( G , × ) is a finite group and g is randomly chosen from G , then the order of element g is defined as the smallest positive integer i such that g i = 1 .

Proposition 2.7

If G is a finite group, and g ∈ G is an element with order i , then for any integer x , we have g x = g [ x   m o d   i ] .

Proof. The proof of this proposition is similar to the proof of Corollary 2.1, and thus we omit it here.

Proposition 2.8

If G is a finite group and g ∈ G is an element with order i , then g x = g y if and only if x = y   mod   i .

Proof. If x = y   mod   i , then [ x   mod   i ] = [ y   mod   i ] , and according to the previous proposition, we directly have

On the other hand, from g x = g y , we can easily obtain g x ′ = g y ′ from the previous proposition, where x ′ = [ x   mod   i ] and y ′ = [ y   mod   i ] . We in turn get g x ′ ( g y ′ ) − 1 = g x ′ − y ′ = 1 . If x ′ ≠ y ′ , the difference x ′ − y ′ is then a nonzero integer smaller than i since both x ′ and y ′ are smaller than i . There is contradiction between the fact that i is the order of the element g and the fact that x ′ − y ′ is a nonzero integer smaller than i . Therefore, we obtain x = y ′ directly.

The identity element of any group ( G , ∘ ) , features with the order 1 , can generate the group ( ⟨ e ⟩ , ∘ ) . Furthermore, identity element is known as the only element with order 1 . On the other hand, if an element g ∈ G features with the order m (where m denotes the order of the group ( G , ∘ ) ) can be found, then ⟨ g ⟩ = G . In other words, G can be generated by the element g and considered as a cyclic group. Here, g is called a generator of G . (Different from the identity element, a cyclic group may have multiple generators.) If g is a generator of cyclic group ( G , ∘ ) , then, by definition, every element h ∈ G can be derived by computing g x for some x ∈ { 0, … , m − 1 } .

Proposition 2.9

Let ( G , ∘ ) be a finite group with order m , and the element g ∈ G features with the order i . Then i | m .

Proof. By Theorem 2.1, g m = 1 . According to Proposition 2.7, we have g m = g [ m   mod   i ] in case the element g features with the order i . If i ∤ m , then i ′ = d e f [ m   mod   i ] is a nonzero integer smaller than i such that g i ′ = 1 . This contradicts the fact that i is the order of the element g.

Corollary 2.3

If ( G , ∘ ) is a group with prime order p , then this group is cyclic. Furthermore, all elements of G other than the identity element are generators of ( G , ∘ ) .

Proof. Based on Proposition 2.9, the only possible orders of elements in the group ( G , ∘ ) are 1 and p. Only the identity element features with the order 1, and so all other elements own order p and can generate the original group.

In addition to the groups of prime order, the additive group Z N , for N > 1 , provides another example of a cyclic group, whereas the element 1 offers the function of generator.

Theorem 2.6

If p is prime, then ( Z p * , × ) forms a cyclic group.

The proof of this theorem is outside the scope of this book, and the interesting reader can refer to for more details.

Example 12. Consider the group ( Z 11 * , × ) , which is cyclic by the previous theorem. We have ⟨ 10 ⟩ = { 1,10 } , and so 10 is not a generator. However,

and so 2 is a generator of Z 11 * .

Given a cyclic group G with order q , we can represent this group by a generator g ∈ G as G = { g 0 , g 1 , ⋯ , g q − 1 } . In other words, each element h ∈ G can be expressed as h = g x such that x ∈ Z q . Correspondingly, x is called the discrete logarithm of h with respect to the generator g such that x = log g h . Note that the logarithms in this case are regarded as “discrete” because these logarithm values range over a finite range, as opposed to “standard” logarithms from calculus whose values are within an infinite set.

The discrete logarithm problem in a cyclic group G with respect to a given generator g is to calculate x such that g x = h with the input of a random element h ∈ G . Formally speaking, G is a polynomial-time algorithm with the input 1 n to output a cyclic group G with order q and a generator g ∈ G . In addition, the group operation in G is required to be computed efficiently (i.e., in time polynomial in n ). Consider the following experiment between a given algorithm A and the algorithm G :

The discrete logarithm experiment D L o g A , G ( n )

1. Given the parameter n , the algorithm G outputs ( G , q , g ), where G denotes a cyclic group with order q and g is a generator of G such that | | q | | = n .

2. Choose h ← G randomly.

3. Given { G , q , g , h } , the task of A is to output x ∈ Z q .

4. This experiment outputs 1 if g x = h and 0 otherwise.

Definition 2.4. The discrete logarithm problem is said to be hard relative to the algorithm G if, for all probabilistic, polynomial-time algorithms A , the probability Pr [ D L o g A , G ( n ) = 1 ] is negligible.