Schnorr group

A Schnorr group is a large prime-order subgroup of $mathbb\{Z\}^*\_p$, the multiplicative group of integers modulo p for some prime $p$. To generate such a group, generate $p,\; q,\; r$ such that

:$p\; =\; qr\; +\; 1$

with $p,\; q$ prime. Then choose random $h$ in the range until you find one such that

:$h^r\; otequiv\; 1quad(hbox\{mod\}quad\; p).$

This value

:$g\; =\; h^rquadhbox\{mod\}quad\; p$

is a generator of a subgroup of $mathbb\{Z\}^*\_p$ of order $q$.

Schnorr groups are useful in discrete log based cryptosystems including Schnorr signatures and DSA. In such applications, typically $p$ is chosen to be large enough to resist index-calculus and related methods of solving the discrete-log problem (perhaps 1024-2048 bits), while $q$ is large enough to resist the birthday attack on discrete log problems, which works in any group (perhaps 160-512 bits). Because the Schnorr group is of prime order, it has no non-trivial subgroups, thwarting small subgroup attacks. Implementations of protocols that use Schnorr groups must verify where appropriate that integers supplied by other parties are in fact members of the Schnorr group; $x$ is a member of the group if and $x^q\; equiv\; 1quad(hbox\{mod\}quad\; p)$. It will usually also be appropriate to reject $x\; =\; 1$.

Schnorr groups were proposed for cryptographic use by Claus P. Schnorr.

"See also:" Topics in cryptography