Chemistry - Schnorr group

A Schnorr group is a large prime-order subgroup of $\mathbb{Z}^*_p$ , the multiplicative group of integers modulo p for some prime $p$ . To generate such a group, generate $p, q, r$ such that $p = q r + 1$ with $p, q$ prime. Then choose random $h$ in the range $1 < h < p$ until you find one such that $h^r \ne 1\quad(\hbox{mod}\quad p)$ . This value $g = h^r\quad\hbox{mod}\quad p$ is a generator of a subgroup of $\mathbb{Z}^*_p$ of order $q$ .

Schnorr groups are useful in discrete log based cryptosystems including Schnorr signatures and DSA. In such applications, typically $p$ is chosen to be large enough to resist index-calculus and related methods of solving the discrete-log problem (perhaps 1024-2048 bits), while $q$ is large enough to resist the birthday attack on discrete log problems, which works in any group (perhaps 160-512 bits). Because the Schnorr group is of prime order, it has no non-trivial subgroups, thwarting small subgroup attacks . Implementations of protocols that use Schnorr groups must verify where appropriate that integers supplied by other parties are in fact members of the Schnorr group; $x$ is a member of the group if $0 < x < p$ and $x^q = 1\quad(\hbox{mod}\quad p)$ . It will usually also be appropriate to reject $x = 1$ .

Schnorr groups were proposed for cryptographic use by Claus-Peter Schnorr .

See also: Topics in cryptography

Categories: Asymmetric-key cryptosystems | Number theory | Group theory