Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

• n is prime. Then G is cyclic by Theorem 1. • n = pc for some prime p and c > 1. In this case if there is no element of order n, then all the orders must divide pc−1. We get n = pc elements x such that xp c−1 = 1, violating (*). • n = pq for co-prime p and q. In this case let H and F be two subgroups of G defined as follows: H = {a : ap = 1} and F = {b : bq = 1}. Then |H| ≤ p < n and |F | ≤ q < n and also as subgroups of G both H and F satisfy (*). Thus by the induction hypothesis both H and F are cyclic and have generators a and b respectively. We claim that ab generates the entire group G. Indeed, let c be any element in G. Since p, q are coprime, there are x, y such that xq+yp = 1 and hence c = cxq+yp. But (cxq)p = 1 and (cyp)q = 1 and hence c is a product of an element of H and an element of F , and hence c = aibj for some i ∈ {0, . . . , p− 1} and j ∈ {0, . . . , q − 1}. Thus, to show that c = (ab)z for some z all we need to do is to find z such that z = i (mod p) and z = j (mod q), but this can be done using the Chinese Remainder Theorem.