Subgroups, Cosets and Lagrange’s Theorem

In this short note, we discuss subgroups, cosets and prove Lagrange's theorem. These algebraic concepts come up in various places in cryptography research and can be important to internalize.

We start with some simple facts. Given a group

(G, \cdot)

, a subgroup

(H, \cdot) \leq (G, \cdot)

has the same composition rules as the original group, has the same identity element

e

, and composition of two of its elements remains within the subgroup (closed under composition). Composition is associative and the inverse elements are part of the subgroup as well. In other words,

(H, \cdot)

has all the properties of a group in itself.

G

itself and

{e}

are both subgroups of

G

, although

G

is not a proper subgroup.

Lagrange's theorem is about the orders (or cardinalities) of the subgroups of a group. Given a group

(G, \cdot)

of order

| G |

, its subgroups cannot simply have any arbitrary order. Langrange's theorem states that the order of any subgroup

(H, \cdot)

(G, \cdot)

must have an order

| H |

, that divides

| G |

, i.e.

\exists k \in N

such that

| G | = k | H |

This is due to the idea of cosets, (non-intersecting) partitionings of a group, associated with any one of its given subgroups. We will show that each coset in a partition associated with a subgroup has the same cardinality. Therefore, the cardinality of a coset in a partition must divide the order of the group. Further, the subgroup itself is one of the cosets of the partition associated with itself and therefore has an order that divides the order of the group as well.

The notation used for a left coset of

H

g H

. It is the set

g H = {h \in H | g \cdot h}

where

g

can be any element of

G

. If

g = e

, the identity element, then

g H = H

and this is the only coset in the partition associated with

H

that is a subgroup. The rest of the cosets are not groups themselves since they do not intersect with

H

and therefore do not contain the identity element

e

, which is a requirement for being a group.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

In the figure above, left cosets associated with the subgroup

H

of group

G

are shown as an example. All the cosets have the same order

| H |

, they partition the entire group

G

, and do not intersect with each other. The only subgroup in the partition is

H = e H

itself. Note that multiple (

| G | / | H |

to be precise) group elements,

g^{+}, g^{-} \in G

will map the subgroup

H

into the same coset,

g^{+} H = g^{-} H

, in general. Further,

g_{i} \in g_{i} H

is also easy to show, as

e \in H

An algorithm to find cosets: In order to obtain all the left cosets associated with a subgroup

H

, we start with the identity element of the group

g_{0} = e

and a set of cosets,

C_{H} = {g_{0} H = e H = H}

, which we will incrementally grow.

At each step, we pick an element of

G

that is not in any of the cosets in

C_{H}

so far. In the first step, this corresponds to a

g_{1} \in G

s.t.

g_{1} \notin H

. Then, the second coset associated with

H

is chosen as

g_{1} H

. This is added to the set, which becomes

C_{H} = {H, g_{1} H}

In the second step, we again pick an element of

G

that is not in any of the cosets in

C_{H}

so far. This corresponds to a

g_{2} \in G

s.t.

g_{2} \notin H \cup g_{1} H

. Then, the third coset associated with

H

is chosen as

g_{2} H

. This is added to the set as well, which becomes

C_{H} = {H, g_{1} H, g_{2} H}

We continue this process until we run out of elements of

G

that are not in the set of cosets so far and we end up with the set of cosets

C_{H} = {H, g_{1} H, . . ., g_{k - 1} H}

. In the next section, we will analyze some of the properties of this resulting set to prove Lagrange's theorem we introduced earlier.

Lagrange's theorem: Lagrange's theorem states that any subgroup

H

of a group

G

has an order that evenly divides the order of the group, i.e.

| G | / | H | = k \in N

We analyze the coset algorithm and its output to prove this theorem. Given that the algorithm generates a set of cosets associated with subgroup

H

C_{H} = {H, g_{1} H, . . ., g_{k - 1} H}

, if each set within

C_{H}

has the same cardinality, its elements collectively partition (meaning no intersecting) and cover the group

G

, then

| G | / | H | = k \in N

follows.

$C_{H}$ covers
$G$ : Consider the case where

C_{H}

did not cover

G

after the algorithm terminates. In that case, there would exists a

g^{+} \in G

that is not part of any element of

C_{H}

and the algorithm could not terminate as there would be another step where a new coset would be added. This leads to a contradiction.

Every element of

G

is in some coset in

C_{H}

$C_{H}$ partitions
$G$ : It is easy to see that every element of each coset in

C_{H}

is in

G

due to the fact that groups are closed under composition. Taken together with with the fact that

C_{H}

covers

G

, we can conclude that the union of all cosets in

C_{H}

is simply

G

\cup g_{i} H = G

Based on the above, in order to show that

C_{H}

partitions

G

, we only need to show that these cosets are non-intersecting with each other. In other words, we need to show that

\forall (i, j) \in {1, . . ., k}^{2}

s.t.

i \neq j

g_{i} H \cap g_{j} H = \emptyset

, i.e. their intersection is empty. This requires some care.

Cosets in

$C_{H}$ are non-intersecting:: Assume that there is a common element in both

H

and

g_{1} H

, i.e.

f \in H

and

f \in g_{1} H

. Then, since

f \in g_{1} H

, there must exist another element

h \in H

that satisfies

f = g_{1} \cdot h

. Since

h

has an inverse

h^{- 1} \in H

as well,

f \cdot h^{- 1} = g_{1} \cdot h \cdot h^{- 1} = g_{1}

should remain within the subgroup

H

due to closure under composition. However,

g_{1}

was specifically chosen to be an element of

G

that is not an element of

H

, which leads to a contradiction.

Now, assume that

H \cap g_{1} H = \emptyset

but

g_{1} H \cap g_{2} H \neq \emptyset

. Then, there must be a common element

f \in g_{1} H

and

f \in g_{2} H

. Similarly, There must exist an

h_{1} \in H

and

h_{2} \in H

that satisfy,

f = g_{1} \cdot h_{1}

and

f = g_{2} \cdot h_{2}

respectively. Then, we can consider

h_{2}^{- 1} \in H

and the right multiplication

f \cdot h_{2}^{- 1} = g_{1} \cdot h_{1} \cdot h_{2}^{- 1} = g_{2} \cdot h_{2} \cdot h_{2}^{- 1} = g_{2}

. We know that

g_{1} \cdot h_{1} \cdot h_{2}^{- 1} = g_{2}

is an element of

g_{1} H

since

h_{1} \cdot h_{2}^{- 1}

is in

H

. But, we specifically chose

g_{2}

to be not in

H

g_{1} H

. This lead to a contradiction.

A similar argument can be made for the case where

H \cap g_{1} H = \emptyset

but

H \cap g_{2} H \neq \emptyset

, which similarly leads to a contradiction. Using the same argument, we can show that all cosets are non-intersecting with each other.

Since the cosets in

C_{H}

are non-intersecting and

\cup g_{i} H = G

C_{H}

partitions

G

Proof of Lagrange's theorem: Finally, we need to show that all the cosets in

C_{H}

have the same cardinality

| H |

, which would imply

| G | / | H | = k \in N

Given any coset

g_{i} H = {h \in H | g_{i} \cdot h}

, it is clear that its cardinality cannot exceed

| H |

from the definition. Suppose that

g_{i} H

has an element

f

that is mapped to from two different elements of the subgroup,

h_{s}, h_{p} \in H

s.t.

h_{s} \neq h_{p}

, i.e.

f = g_{i} \cdot h_{s} = g_{i} \cdot h_{p}

. However,

g_{i} \in G

has an inverse element

g_{i}^{- 1} \in G

that could be left multiplied with

f

to obtain

g_{i}^{- 1} \cdot f = g_{i}^{- 1} \cdot g_{i} \cdot h_{s} = g_{i}^{- 1} \cdot g_{i} \cdot h_{p}

. This would imply that

h_{s} = h_{p}

which is a contradiction.

Therefore, every unique element

h \in H

maps to a unique element

f \in g_{i} H

for all cosets

g_{i}

and each coset has cardinality

| H |

. As a corollary,

| G | = k | H |

for a

k \in N

. This concludes the proof of Lagrange's theorem.

Read more

Vector Commitments

Set Commitments

Single-element Commitments

Elements of Commitment Schemes