
I'm looking for weak groups for the discrete logarithm, in which $x$ can be extracted from $Y$ in polynomial time, where $Y \equiv g^x \pmod{p}$.

I thought one way is to produce a prime $p$ such that $p-1$ is a smooth integer, which then makes the discrete logarithm problem easy using the Pohlig-Hellman algorithm, but I couldn't find any algorithm for generating such primes. Trivially, we can generate random numbers, check if each is prime, and if it's prime, check if $p-1$ can be factorized into a set of small prime numbers. It can be done in another way: considering a set of small prime numbers and generating random exponents for every prime in the set, then multiplying all primes raised to their exponents. By doing so, we have a number $r$ that can be factorized into small prime numbers, and then we can check if $r+1$ is prime.

Clearly these methods are just trial and error and may take a long time to find such a prime, especially when it comes to generating 256-bit prime numbers. Is there any better algorithm?

What are other ways to generate a 256-bit-long weak modulus?

Mehran Torki

1 Answer


Is there any better algorithm?

Actually, your second algorithm (select a small set of primes $\{ 2, q_1, q_2, \ldots, q_n \}$ and check if $2 q_1 q_2 \cdots q_n + 1$ is prime) is quite efficient. You say that it's trial and error (and it is); however, it's about as efficient as the traditional algorithms we use to search for primes. If you're looking for a $q$-bit prime, then you'd expect to need to try an average of $\log(2^q) / 2 = q \log(2)/2$ sets of primes before finding one that makes up a prime (actually, a bit less, because you know a priori that the numbers you generate won't have $q_1, q_2, \ldots, q_n$ as a factor).

An alternative approach to creating a weak DLog problem is to make $g$ weak; that is, generate a $p$ of the form $2qr + 1$, where $q$ is a small prime and $r$ is a large one (and the same algorithm can be used to search for it). Then, you select $g$ to be of order $q$ (that is, you select a random value $h$ and set $g = h^{2r} \bmod p$, and check that it's not 1); if $q$ is an $m$-bit prime, then the discrete log problem will take $O(2^{m/2})$ time; for example, $m=32$ makes this solvable in milliseconds.

Of course, the use of either approach can be fairly easily detected by someone examining $p$ and $g$...

poncho
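The following is an added worked example, not code from either post. It implements the second method the question describes (multiply random small primes until the product $r$ has the desired bit length, then test whether $r+1$ is prime), solves the resulting discrete logarithm with Pohlig-Hellman to show why such a modulus is weak, and ends with the kind of smoothness check a reviewer of $p$ would run to detect such parameters. All function names are my own choices; the Miller-Rabin test, the sieve and the baby-step giant-step routine are standard textbook constructions, and the `rng` parameter exists only so runs can be made reproducible.

```python
import random
from math import isqrt


def is_probable_prime(n, rounds=16, rng=random):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def primes_below(bound):
    """Sieve of Eratosthenes: all primes < bound."""
    sieve = bytearray([1]) * bound
    sieve[:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound, i)))
    return [i for i, v in enumerate(sieve) if v]


def generate_smooth_prime(bits, bound=256, rng=random):
    """Question's second method: r = 2 * (random primes < bound) with exactly
    `bits` bits; return (p, factorization of p-1) once p = r + 1 is prime."""
    primes = primes_below(bound)
    while True:
        r, factors = 2, {2: 1}                     # p - 1 must be even
        while r.bit_length() < bits:
            q = rng.choice(primes)
            r *= q
            factors[q] = factors.get(q, 0) + 1
        if r.bit_length() == bits and is_probable_prime(r + 1, rng=rng):
            return r + 1, factors                  # overshoot -> start over


def find_generator(p, factors, rng=random):
    """Random primitive root mod p, given the prime factors of p - 1."""
    while True:
        g = rng.randrange(2, p - 1)
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g


def bsgs(g, h, p, order):
    """Baby-step giant-step: x with g^x = h (mod p), g of the given order."""
    m = isqrt(order) + 1
    table, cur = {}, 1
    for j in range(m):                             # baby steps g^j
        table.setdefault(cur, j)
        cur = cur * g % p
    step, cur = pow(g, -m, p), h                   # giant steps h * g^(-im)
    for i in range(m):
        if cur in table:
            return i * m + table[cur]
        cur = cur * step % p
    raise ValueError("h is not in the subgroup generated by g")


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, m_all = 0, 1
    for r, m in zip(residues, moduli):
        x += m_all * (((r - x) * pow(m_all, -1, m)) % m)
        m_all *= m
    return x


def pohlig_hellman(g, y, p, factors):
    """Solve g^x = y (mod p) given the factorization {q: e} of p - 1."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factors.items():
        qe = q ** e
        g_i, y_i = pow(g, n // qe, p), pow(y, n // qe, p)   # order q^e
        gamma = pow(g_i, q ** (e - 1), p)                    # order q
        x_i = 0
        for k in range(e):          # recover x mod q^e one base-q digit at a time
            h_k = pow(pow(g_i, -x_i, p) * y_i % p, q ** (e - 1 - k), p)
            x_i += bsgs(gamma, h_k, p, q) * q ** k
        residues.append(x_i)
        moduli.append(qe)
    return crt(residues, moduli)


def is_smooth(n, bound):
    """Parameter check: True if every prime factor of n is below `bound`."""
    for q in primes_below(bound):
        while n % q == 0:
            n //= q
    return n == 1


if __name__ == "__main__":
    rng = random.Random(2024)                      # fixed seed for reproducibility
    p, factors = generate_smooth_prime(256, bound=256, rng=rng)
    g = find_generator(p, factors, rng)
    x = rng.randrange(1, p - 1)
    y = pow(g, x, p)
    assert pohlig_hellman(g, y, p, factors) == x
    print(f"p = {p}\nrecovered x = {x}")
    print("p - 1 is 256-smooth:", is_smooth(p - 1, 256))
```

The `is_smooth` check is the defender's side of poncho's closing remark: trial-dividing $p-1$ by all primes below a modest bound and seeing the cofactor shrink to 1 flags a modulus built this way. For the second construction in the answer ($p = 2qr+1$ with $g$ of small order $q$), the corresponding check is to verify that $g^{q} \not\equiv 1 \pmod p$ for each small prime $q$ dividing $p-1$, i.e. that $g$ does not lie in a small subgroup.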