
For some cryptographic methods you can construct them, e.g. elliptic curves (product of two cyclic groups) or Diffie–Hellman (can be product of n-cyclic groups). But they have no usage because at a possible attack you can reduce the problem to a single group.

So is there any cryptographic method which benefits (or equal) from multiple cyclic groups?


Interested in general but best case would be if their individual group size should somehow be changeable, independent and not too small. Their product should be the whole group size or a constant times bigger. The group number should be finite. In best case 3 or not that much more.

Given two group elements it should be unknown (hard to compute) how to compute one out of the other. The attacker has access to the program during runtime. He only doesn't know how those two elements were generated.

J. Doe
  • Could you add some references for the definition, please? – ckamath Aug 12 '19 at 20:29
  • It sounds like you have something in mind; might you list the actual requirements? – poncho Aug 12 '19 at 21:04
  • @Occams_Trimmer sry mixed up something. Changed the question. – J. Doe Aug 13 '19 at 11:51
  • The multiplicative groups used in RSA are isomorphic to products of two (or more) large cyclic groups, and that fact is rather central to the operation of the system. But I'm not sure if that's what you're asking about. – Ilmari Karonen Aug 13 '19 at 15:04
  • can there be an extension of a finite field, can it be represented as a product of two or more cyclic groups? – vbujym Aug 13 '19 at 19:55
  • @IlmariKaronen given RSA (m^e)^d = m mod pq. Which would be the two cyclic groups? m^e mod pq can produce N=pq elements. While testing around with the product of two related groups I could only produce phi(N)=(p-1)*(q-1) different elements. – J. Doe Aug 13 '19 at 20:49
  • The multiplicative group modulo $n$ only contains the elements coprime to $n=pq$, of which there are $(p-1)(q-1)$. The full multiplicative structure of integers modulo $n$ is only a monoid, since some of its elements have no multiplicative inverse. (That said, RSA still works for those messages too. But almost all messages are invertible anyway, and so part of the multiplicative group; in fact, finding a non-invertible message is just as hard as factoring $n$.) – Ilmari Karonen Aug 14 '19 at 09:58
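
The structure discussed in the comments above, checked on a toy modulus. This is an added example, not part of the original thread; the primes 11 and 13, the exponent 7 and all function names are constructed for illustration and are far too small for real use.

```python
from math import gcd

# Constructed toy parameters (assumptions, not from the thread).
P, Q, E = 11, 13, 7
N = P * Q                    # 143
PHI = (P - 1) * (Q - 1)      # 120
D = pow(E, -1, PHI)          # private exponent (Python 3.8+)

def units(n):
    """Elements of the multiplicative group modulo n (coprime to n)."""
    return [a for a in range(n) if gcd(a, n) == 1]

def crt_split(a):
    """CRT map Z_N -> Z_P x Z_Q; restricted to units it is a group isomorphism."""
    return (a % P, a % Q)

def order(a, n):
    """Multiplicative order of a unit a modulo n."""
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k

def max_order(n):
    """Largest element order; equals the group size iff the group is cyclic."""
    return max(order(a, n) for a in units(n))

def rsa_roundtrip_all():
    """(m^e)^d == m for every residue, including the non-invertible ones."""
    return all(pow(pow(m, E, N), D, N) == m for m in range(N))

def factor_from_noninvertible(m):
    """A non-zero non-invertible m shares a prime with N, so gcd reveals it."""
    g = gcd(m, N)
    return g if 1 < g < N else None

if __name__ == "__main__":
    print("units mod N:", len(units(N)), "of", N, "residues")
    print("max order mod P, Q, N:", max_order(P), max_order(Q), max_order(N))
    print("RSA round trip holds for all residues:", rsa_roundtrip_all())
    print("factor from m=22:", factor_from_noninvertible(22))
```

Each factor group is cyclic (orders 10 and 12), but their product modulo 143 has maximum element order 60 rather than 120, so it is a product of two cyclic groups without being cyclic itself.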

0 Answers