0

I was curious to learn if there is a simple method/algorithm through which I can obtain a generator g for a 20-digit prime integer to implement in Elgamal cryptosystem.

Zod
  • 1
  • 1
  • 2

1 Answers1

1

The best way to do this is pick your prime such that finding a generator is easy. Often the best way is to find a prime p such that q=2p+1 is also prime. Then in the multiplicative group of order q, elements will have order 2p, p, 2 or 1. Most will have order 2p, so just pick a number g and check that g^2 and g^p are not 1, then it will have order 2p and thus be a generator of the group.

If the prime is given (say q), then the order of the group will be q-1 and you will need to factorise q-1 into prime factors (which is not always easy). Then when picking your candidate g, you need to check that g^x (for x ranging through all combinations of prime factors that are less than q-1) is not 1, then you'll know that g has order q-1 and is a generator. Which is why, if you can pick your prime q, it's easier to make sure that q-1 factorises nicely into just two primes.

Charles Craven
  • 19
  • 1
  • I appreciate your answer but I forgot to mention I'm a complete rookie at cryptography knowing the very basic of cryposystems. So equation like "q=2p+1" and phrase such as " multiplicative group of order q" are Greek and German to me . May I know which resources to read up so I can close the gaps in order to understand what you are saying. Thank you – Zod Dec 17 '21 at 19:25
  • Ah gotcha - I don't know the best resources, but I can try and explain the method more simply: 1. Pick a 20-digit prime number, call it p. Check if 2*p + 1 is also prime - if it is, great! Let's call 2*p + 1 q. q will be our 20-digit prime that we use for el-Gamal. (if it isn't, try again!) 2. Pick any number less than q, call it g. Check that g^2 (mod q) is not 1. Also check that g^p (mod q) is not 1. If neither of them are 1, we can be sure that by multiplying g by itself (mod q) we will "generate" every number between 1 and q. Thus g is a "generator" for the numbers between 1 and q – Charles Craven Dec 17 '21 at 19:54
  • if `p` and `q` is a prime than `q` in `q = 2p+1` is called safe-prime and `p` is called [Sophie Germain primes](https://en.wikipedia.org/wiki/Safe_and_Sophie_Germain_primes). The reason we use them we can guarantee that we can a generator of order `p` so that the security is exact. Using `q` is not preferred. [See also here](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange#Security) and read more [here](https://crypto.stackexchange.com/a/83478/18298) – kelalaka Dec 17 '21 at 20:16
  • As you can see the Legendre Symbol leaks the lower order bit of `g^a` if `g` is the generator of the full group. – kelalaka Dec 17 '21 at 20:29
  • Thanks all for the replies, definitely gave further clarity. Just wanted further clarification on these: 1. Should I use q or p for my 20 digit prime integer? By Charles Craven 's reply am I correct to understand I will need 2 checks, firstly that p is prime then secondly 2p+1 is prime 2. Why would "g^2 (mod q) is not 1" & "g^p (mod q) is not 1" ensure that "by multiplying g by itself (mod q) we will "generate" every number between 1 and q." – Zod Dec 18 '21 at 06:42
  • There is a theory behind this; [Lagrange theorem on the group theory](https://en.wikipedia.org/wiki/Lagrange's_theorem_(group_theory)) that order of a subgroup divides the order of the group, and the converse is not true in general. However, you can expect that there are subgroups of order `2,p,2p` if `g^2 = 1` then the order is 2. that's it! – kelalaka Dec 18 '21 at 07:27