Homomorphisms by Example

A homomorphism between two groups exists if a structure preserving map between the two groups exists.

Suppose we have two algebraic data structures (A,)(A,\square) and (B,)(B, \blacksquare), where the binary operator of AA is \square and the binary operator of BB is \blacksquare.

A homomorphism from AA to BB exists if and only if there exists a function ϕ:AB\phi: A\rightarrow B such that

ϕ(aiaj)=ϕ(ai)ϕ(aj)  ai,ajA\phi(a_i \square a_j)=\phi(a_i)\blacksquare\phi(a_j)\space\space\forall a_i,a_j\in A

In other words, if aiaj=aka_i \square a_j = a_k, then ϕ(ai)ϕ(aj)=ϕ(ak)\phi(a_i) \blacksquare \phi(a_j) = \phi(a_k).

Note that a homomorphism is one-directional. The function ϕ\phi takes elements in AA and maps them to elements in BB. We have no requirements about “going backwards.”

We’ll first show some simple examples, provide some clarification, and then provide more complex examples.

Simple examples of Homomorphisms

All integers under addition to all even integers under addition

Let AA be the set of all integers under addition, and let BB be the set of all even integers under addition. It is clear that both AA and BB are groups.

Let ϕ(x)=2x\phi(x)=2x

We see that ϕ\phi defines a homomorphism from AA to BB because the following is true for any pair of integers aia_i and aja_j

ϕ(ai+aj)=ϕ(ai)+ϕ(aj)2(ai+aj)=2(ai)+2(aj)\begin{align*} \phi(a_i+a_j)&=\phi(a_i)+\phi(a_j)\\ 2(a_i+a_j)&=2(a_i)+2(a_j) \end{align*}

All strings under concatenation to all integers zero or greater

For example, let AA be the Monoid of all strings (including the empty string) under concatenation, and let BB be the Monoid of all integers zero or greater under addition.

There exists a homomorphism from AA to BB because there exists a function ϕ\phi that maps strings to integers zero or greater and preserves the following property

ϕ(ai+aj)=ϕ(ai)+ϕ(aj)\phi(a_i+a_j)=\phi(a_i)+\phi(a_j)

In this case, ϕ\phi is the length of the string. For example:

Rare4Skills6RareSkills10\begin{align*} \text{Rare}&\rightarrow 4\\ \text{Skills}&\rightarrow 6\\ \text{RareSkills}&\rightarrow 10\\ \end{align*}

Here, we have

ϕ(Rare)=4ϕ(Skills)=6ϕ(RareSkills)=10ϕ(concat(Rare,Skills))=ϕ(Rare)+ϕ(Skills)\begin{align*} \phi(\text{Rare})&=4\\ \phi(\text{Skills})&=6\\ \phi(\text{RareSkills})&=10\\ \phi(\mathsf{concat}(\text{Rare},\text{Skills}))&=\phi(\text{Rare})+\phi(\text{Skills})\\ \end{align*}

All real numbers under addition to all n×mn\times m matrices of real number under addition

Some homomorphisms may seem rather trivial once you get the hang of them. This is an example of such a homomorphism. In this case, our function ϕ\phi simply repeats the real number n×mn\times m times. For example, if n=3n=3 and m=2m=2, then ϕ(8.8)\phi(8.8) would be:

[8.88.88.88.88.88.8]\begin{bmatrix} 8.8&8.8\\ 8.8&8.8\\ 8.8&8.8 \end{bmatrix}

As an example, if ϕ(8.8+0.2)=ϕ(8.8)+ϕ(0.2)\phi(8.8 + 0.2)=\phi(8.8)+\phi(0.2) because

[999999]=[8.88.88.88.88.88.8]+[0.20.20.20.20.20.2]\begin{bmatrix} 9&9\\ 9&9\\ 9&9\\ \end{bmatrix}= \begin{bmatrix} 8.8&8.8\\ 8.8&8.8\\ 8.8&8.8 \end{bmatrix}+ \begin{bmatrix} 0.2&0.2\\ 0.2&0.2\\ 0.2&0.2\\ \end{bmatrix}

Clarifications about Homomorphisms

  • ϕ\phi must work with every possible pair of elements from AA (including pairs of the same element). However, it does not need to “access” all the elements of BB. For example, a homomorphism that maps every element in AA to the identity element in BB is a valid homomorphism, but not a useful one. It’s called the trivial homomorphism.
  • If we choose two arbitrary sets with a binary operator, a homomorphism may not necessarily exist.
  • There may be a homomorphism from AA to BB, but not necessarily from BB to AA.
  • If there is a homomorphism from AA to BB and from BB to AA, and ϕ\phi is the map from AA to BB, the inverse of ϕ\phi may not necessarily be a valid map for the homomorphism from BB to AA

More examples of homomorphisms

Integers under addition to integer powers of bb under multiplication

Suppose we have group A=(Z,+)A=(\mathbb{Z},+) (the set of all integers under addition) and the group BB, which is the set of all integer powers of bb under multiplication, i.e., B=(bi : iZ,×)B=(b^i\space:\space i\in\mathbb{Z}, \times). We can arbitrarily set b=2b=2 to make the example easier to think about.

There exists a homomorphism from AA to BB, defined by ϕ(x)=bx\phi(x)=b^x. By the rules of algebra,

ϕ(ai+aj)=ϕ(ai)×ϕ(aj)bai+aj=baibaj\begin{align*} \phi(a_i+a_j)&=\phi(a_i)\times\phi(a_j)\\ b^{a_i + a_j}&=b^{a_i}b^{a_j} \end{align*}

To understand why this relationship holds, consider that

bai=bbbai timesb^{a_i}=\underbrace{b\cdot b\cdot\dots\cdot b}_{{a_i} \text{ times}}
baj=bbbaj timesb^{a_j}=\underbrace{b\cdot b\cdot\dots\cdot b}_{{a_j} \text{ times}}
bai+aj=bbbai timesbbbaj timesb^{a_i + a_j}=\underbrace{b\cdot b\cdot\dots\cdot b}_{{a_i} \text{ times}} \cdot \underbrace{b \cdot b \cdot \dots \cdot b}_{a_j \text{ times}}
bai+aj=bbbbbbai+aj timesb^{a_i +a_j}=\underbrace{b\cdot b\cdot\dots\cdot b\cdot b\cdot b\dots\cdot b}_{{a_i+a_j} \text{ times}}

Integers under addition to integer powers of bb under multiplication modulo a prime number

n×mn\times m matrices under addition to integers under addition

In this case, ϕ\phi simply adds up all the elements in a matrix. Why this works is left as an exercise for the reader.

2×22\times2 matrices of integers under multiplication to integers under multiplication

There is a homomorphism from the first to the second Monoid because ϕ\phi is the determinant of the matrix and the following rule holds:

XY=Zdet(X)det(Y)=det(Z)XY=Z\rightarrow\det(X)\det(Y)=\det(Z)

where X,Y,ZX,Y,Z are 2×22\times2 integer matrices. Why these are two algebraic data structures are Monoids and not groups are left as an exercise for the reader.

The group of rational numbers (excluding rational numbers where the denominator is a multiple of pp) to addition modulo pp

This concept was already taught in our article on finite fields, but we didn’t use the term “homomorphism” to describe it.

Let AA be the group of all rational numbers whose denominators are not a multiple of pp, under addition. Let BB be the finite field modulo pp.

There exists a homomorphism from group AA to group BB. ϕ\phi is

ϕ(x)=numerator(x)×modular_inverse(denominator(x))(modp)\phi(x) = \mathsf{numerator}(x)\times\mathsf{modular\_inverse}(\mathsf{denominator}(x)) \pmod p

Or in Python:

p = 11
def phi(num, den):
    return num * pow(den, -1, p) % p

For example:

  • 1/3+3/5=14/151/3 + 3/5 = 14/15
  • 1/31/3 is congruent to 6(mod17)6 \pmod {17}
  • 3/53/5 is congruent to 4(mod17)4 \pmod {17}
  • 4+610(mod17)4 + 6\equiv10 \pmod {17}
  • 14/1510(mod17)14/15\equiv 10 \pmod {17}

Saying 1/31/3 is congruent to 6(mod17)6 \pmod {17} is equivalent to the statement ϕ(1/3)=6\phi(1/3)=6.

The Monoid of rational numbers (excluding rational numbers where the denominator is a multiple of pp) to multiplication modulo pp (excluding zero)

Let’s use the same example as above, but with multiplication. The function ϕ\phi remains the same.

  • 1/33/5=1/51/3 * 3/5 = 1/5
  • 1/31/3 is congruent to 6(mod17)6 \pmod {17}
  • 3/53/5 is congruent to 4(mod17)4 \pmod {17}
  • 4×67(mod17)4 \times 6\equiv7 \pmod {17}
  • 1/57(mod17)1/5\equiv 7 \pmod {17}

Exercises for the reader

Find a homomorphism for the following pairs of algebraic data structures. If you get stuck (or just don’t want to solve the problem), you can Google the answer or consult with a chatbot.

  1. Real numbers under addition to polynomials with real coefficients under addition.
  2. Polynomials with real coefficients to real numbers under addition. Hint: even though this look similar to problem 1, the function ϕ\phi will be completely unrelated to the answer for the previous problem.
  3. Positive real numbers greater than zero under multiplication to all real numbers under addition.

Homomorphic Encryption

If ϕ\phi is computationally difficult to invert, then ϕ\phi homomorphically encrypts the elements of AA.

Let AA be all integers under addition, and BB be the target group and \blacksquare be binary operator of BB.

Zero Knowledge Addition, example 1

Suppose we wish to prove to a verifier that we computed 2+3=52 + 3=5. We would give the verifier (x,y,5)(x, y, 5) where x=ϕ(2),y=ϕ(3)x=\phi(2), y= \phi(3) and the verifier check that:

xy=?ϕ(5)x\blacksquare y \stackrel{?}=\phi(5)

Note that homomorphic encryption implies that the verifier knows the function ϕ\phi.

Zero Knowledge Addition, example 2

A prover makes the claim, “I have two numbers aa and bb, and bb is five times aa.” The prover sends ϕ(a)\phi(a) and ϕ(b)\phi(b) to the verifier, and the verifier checks that

ϕ(a)+ϕ(a)+ϕ(a)+ϕ(a)+ϕ(a)=ϕ(b)\phi(a) + \phi(a) + \phi(a) + \phi(a) + \phi(a) = \phi(b)

Remember, “multiplication” here is not the binary operator, it’s simply shorthand for repeated addition.

In these examples, note that we didn’t say anything about what elements of BB are or what \blacksquare is. BB can be scary mathematical objects, and \blacksquare can be a scary mathematical operator, but that doesn’t matter.

This is the beauty of abstract algebra: we don’t need to know. As long as it has the properties we care about, we can reason about its behavior even if we know nothing about the implementation.

Motivation

Okay cool; we understand groups and homomorphisms, but how does this help us? The reason I went through all the effort explaining this is because I want you to understand the statement below:

“Elliptic curve points in a finite field under addition are a finite cyclic group and integers under addition are homomorphic to this group.”

You probably don’t know what elliptic curve points are or what adding them means, but you do know:

  1. The set of elliptic curve points under addition produces another elliptic curve point.
  2. The binary operator that takes two elliptic curve points and returns another elliptic curve point is associative.
  3. The set of elliptic curve points contains an identity element.
  4. The elliptic curve group has an identity element, which is unique.
  5. Each elliptic curve point has an inverse such that adding a point and its inverse produces the identity.
  6. Because the group is cyclic, every elliptic curve point can be generated by repeatedly applying the binary operator to some generator element.
  7. Because the group of elliptic curve points is cyclic, it is also an abelian group.
  8. Because it is a finite group, the order is finite.
  9. Because of the homomorphism, we have a strong idea of how the binary operator for elliptic curve points behaves. We can use the elliptic curve point binary operator to “add integers” in a certain sense.

Even though you don’t know what elliptic curve points are, you already know nine things about them!

So whatever these bizarre objects “elliptic curve points” are, you know it behaves like, and has the same properties as the groups we discussed above.

Believe it or not, you are already 90% of the way to comprehending elliptic curves. It’s far easier to make sense of elliptic curves by understanding their similarity to other familiar structures than to try to understand their funky math from the ground up.

This is similar to me telling you that Ethereum uses “Patricia Merkle trees” to store state. You may not know what a “Patricia tree” or a “Merkle tree” is, but you do know:

  • It has a root.
  • You can probably access elements in logarithmic time, or at least that is the intent.
  • Something useful is stored in the leaves.
  • There exists some algorithm to traverse the tree and access a leaf you care about.

So when I tell you elliptic curve points under addition form a group, you should already know what to look out for when you learn about that subject.

Again, groups don’t need to be mysterious moon math. You’ve worked with groups intuitively as a programmer. Now you have a concrete word to describe this recurring phenomenon.

It’s far more efficient to say “group” than it is to say “this is a set with a way to combine elements associatively and the elements all have blah blah blah.”

I know this may seem like a huge tangent, but trust me, understanding “homomorphism” enables us to succinctly describe a concept that we will regularly see. It will also come in handy again when we discuss Quadratic Arithmetic Programs. Homomorphisms appear frequently in the ZK world.

Imagine trying to discuss tree data structures without a word for “roots” or “leaves.” That would be immensely frustrating.

Summary

A homomorphism from AA to BB exists if and only if a function ϕ\phi exists that takes an element from AA and returns and element from BB and ϕ(aiaj)=ϕ(ai)ϕ(aj)\phi(a_i \square a_j)=\phi(a_i)\blacksquare\phi(a_j) or all aia_i and aja_j in AA, where \square is the binary operator of AA and \blacksquare is the binary operator of BB. The existence of ϕ\phi is sufficient for the homomorphism to exist.

Homomorphisms are not necessarily bidirectional. They are only required to work in one direction, from AA to BB.

If ϕ:AB\phi: A \rightarrow B is computationally difficult to invert, then ϕ\phi homomorphically encrypts the elements of AA. That means we can validate claims about computations in AA using elements in BB.

The good news is, we are done with our treatment of abstract algebra, and we now have a strong foundation to move on to elliptic curves.

Ready to Get Started?Join Thousands of Users Today

Start your free trial now and experience the difference. No credit card required.

© 2025 Better-Start. All rights reserved.

Product

Resources

Company

Legal