-1

How can I use C++ to find a cyclic group of prime order? I require the element of this group to be 128 bits.

In need to find this kind of group to execute cryptographic operations.

zhen liu
  • 13
  • 1
  • Before going into language (C++) and libraries considerations which made the question off-topic on crypto-SE, what kind of cryptographic property must the group have? When it comes to asymmetric cryptography (signature, public-key encryption), the Discrete Logarithm Problem needs to be hard, and no group with a 128-bit representation of group elements is enough. Nothing below 160-bit has been proposed for the last 10 years, and that's >50000 times safer then 128-bit. After you have defined the desired properties, you need to choose the kind of group. Modular? Elliptic-curve? Other? – fgrieu Mar 29 '23 at 14:32
  • I need a cyclic group that satisfies the order of prime, and the length is 128 bits (I want to do a simple test, not for an actual application), I use this cyclic to perform the element blinding and de-blinding, that's why it needs to be the order of prime. – zhen liu Mar 29 '23 at 14:45
  • The simplest group matching your requirement "cyclic group of prime order" is the group of addition modulo p for a prime p of 128 bits. Then addition modulo p is a cyclic group of prime order p. The 128-bit integer 2**128-159 is a suitable p. That group has no direct application to asymmetric cryptography (signature, public key encryption). Since "blinding" is a very wide term, I can't tell if that group is suitable for your goal, which is unspecified. – fgrieu Mar 29 '23 at 15:21
  • 2
    The question is off-topic here too as it needs focus and details/clarity. Maybe we should migrate it crypto-SE. – President James K. Polk Mar 29 '23 at 16:13
  • @President James K. Polk: The question already was posted on crypto-SE and is off-topic there, as is any question on the tune of "How can I use C++ to…". Plus it's vague on goals. It could become on-topic for crypto-SE under two conditions: not asking for code in a particular language (asking for algorithm is OK); and stating which kind of cryptographic operations are thought. – fgrieu Mar 29 '23 at 16:26

1 Answers1

-1

First of all, thank you for helping me think about this. I finally resolve my problem, the code is shared below.

#include <iostream>
#include <vector>
#include <cryptlib.h>
#include <integer.h>
#include <nbtheory.h>
#include <osrng.h>
using namespace CryptoPP;

bool MillerRabinTest(const Integer& n, unsigned int rounds) {
    // Check for small values of n
    if (n <= 3) {
        return n == 2 || n == 3;
    }

    // Find k and m such that n-1 = 2^k * m, where m is odd
    Integer m = n - 1;
    unsigned int k = 0;
    while (m.IsEven()) {
        m >>= 1;
        k++;
    }

    // Run the Miller-Rabin primality test for 'rounds' rounds
    AutoSeededRandomPool rng;
    for (unsigned int i = 0; i < rounds; i++) {
        // Generate a random base a such that 1 < a < n-1
        Integer a = Integer(rng, 2, n - 2);

        // Compute b = a^m (mod n)
        Integer b = ModularExponentiation(a, m, n);

        // If b == 1 or b == n-1, then n passes this round of the test
        if (b == 1 || b == n - 1) {
            continue;
        }

        // Run the test for k-1 additional times
        bool isPrime = false;
        for (unsigned int j = 0; j < k - 1; j++) {
            // Compute b = b^2 (mod n)
            b = ModularExponentiation(b, 2, n);

            // If b == n-1, then n passes this round of the test
            if (b == n - 1) {
                isPrime = true;
                break;
            }
        }

        if (!isPrime) {
            return false;
        }
    }

    // If n has passed all rounds of the test, then it is probably prime
    return true;
}


Integer fastPower(const Integer& x, const Integer& y, const Integer& prime)
{
    Integer res = 1;
    Integer x_mod_p = x;
    Integer y_copy = y;

    while (y_copy > 0) {
        if (y_copy.IsOdd()) {
            res = (res * x_mod_p) % prime;
        }

        x_mod_p = (x_mod_p * x_mod_p) % prime;
        y_copy >>= 1;

    }

    return res;
}

class CyclicGroup {
private:
    static const int EQUAL = 0;
    Integer TWO = Integer(2);

    Integer p, g, q;

public:
    CyclicGroup(int bitLength) {
        init(bitLength);
    }

    void init(int bitLength) {
        while (true) {
            AutoSeededRandomPool prng;
            //q = Integer(prng, bitLength, 40);
            AlgorithmParameters params = MakeParameters("BitLength", 128)
                ("RandomNumberType", Integer::PRIME);

            q.GenerateRandom(prng, params);

            p = (q * TWO) + Integer::One();

            if (!MillerRabinTest(p, 40)) {
                continue;
            }

            while (true) {
                g = Integer(prng, TWO, p - Integer::One());

                Integer exp = (p - Integer::One()) / q;

                if (ModularExponentiation(g, exp, p) != Integer::One()) {
                    break;
                }
            }

            break;
        }
    }

    Integer getRandomElement() {
        AutoSeededRandomPool prng;
        return ModularExponentiation(g, Integer(prng, p.ByteCount()), p);
    }

    std::vector<Integer> getElements() {
        std::vector<Integer> elements;

        Integer index = Integer::One();
        Integer element = Integer::Zero();

        while (element != Integer::One()) {
            element = ModularExponentiation(g, index, p);
            elements.push_back(element);

            index++; // index++
        }

        return elements;
    }

    Integer getModulus() {
        return p;
    }

    Integer getGenerator() {
        return g;
    }

    Integer getOrder() {
        return q;
    }
};

int main() {
    CyclicGroup group(128);

    Integer p = group.getModulus();
    Integer g = group.getGenerator();
    Integer q = group.getOrder();

    std::cout << "Modulo: p=" << std::hex << group.getModulus() << std::endl;
    std::cout << "Generator: g=" << std::hex << group.getGenerator() << std::endl; 
    std::cout << "Group order: q=" << std::hex << group.getOrder() << std::endl;

    Integer H = g * g % p;
    Integer r = 1000;
    Integer rInv = r.InverseMod(q);

    Integer a1 = fastPower(H, r, p);
    Integer a2 = fastPower(a1, rInv, p);

    std::cout << H << std::endl;
    std::cout << a2 << std::endl;
}
zhen liu
  • 13
  • 1
  • This finds something different from what you requested. This finds a prime `p` whose multiplicative group is cyclic. The order of this group is `p - 1`, though, which is not prime. – Raymond Chen Mar 31 '23 at 02:21
  • Actually, the order is q , not p-1 , you can refer to [(https://crypto.stackexchange.com/questions/22716/generation-of-a-cyclic-group-of-prime-order)](https://crypto.stackexchange.com/questions/22716/generation-of-a-cyclic-group-of-prime-order). Try smaller bits, like 5 or 6 bits, you can output the elements through the public function ``` getElements ```. – zhen liu Mar 31 '23 at 06:06
  • @Raymond Chen Of course g^(p-1) = 1 mod p, it is not because the order is p-1, it is because euler's theorem, but it does not mean the order is p-1. – zhen liu Mar 31 '23 at 06:10
  • At any rate, you don't know whether `q` is prime. – Raymond Chen Mar 31 '23 at 13:15