1

For $p=2q+1$, where $p$ and $q$ are primes, we have subgroups of order $p-1$, $q$, $2$ and $1$. To find $G_q$, usually we just check that $g^q\bmod p=1$ and that's it.

However, here it's mentioned that there is a chance (very unlikely but still) that a group satisfying $g^q\bmod p=1$ is of order $1$ or $2$.

Ok, suppose we start checking whether $g^q\bmod p$ is equal to $1$ starting from $g=2$ (to eliminate $g=1$). I don't see how a subgroup can satisfy $g^q\bmod p=1$ and be of order $2$ (so $g^2\bmod p=1$ too). It seems that for all even $a$ in $g^a\bmod p$ the result is $1$. On the other hand, since $p$ is a prime and $g^q\bmod p=1$ holds, then for all odd $a$ it's equal to $1$ too. I fail to see how any generator except $g=1$ can satisfy it. Do we really need to check that $g^2\bmod p$ is not $1$?

Additional question: is it a good idea to check all integers in increasing order starting from $g=2$? Are there any security issues related to a small $g$? Suppose, in a real ElGamal implementation with $p$ of 1024 bits or 2048 bits, I check all $g$ from $2$ until I find the $G_q$ subgroup generator.

pintor

2 Answers

4

Assuming you have the same setting as the linked question (in particular $q$ is prime), it's true: you cannot have $g^2 = 1\bmod p$ and $g^q = 1\bmod p$ simultaneously unless $g=1$ or $q=2$.

It's important to notice that if the condition $g^q = 1\bmod p$ is satisfied and $g$ is not the identity, then $g$ will be a generator.

I think that what PulpSpy means in the answer you linked is that either you're lucky and $g^q = 1\bmod p$, with $g$ not the identity, or you're not lucky and $g^2 = 1\bmod p$ (not both congruences simultaneously), in which case you have to try again with another $g$.

Daniel
3

Do we really need to check that $g^2 \bmod p$ is not $1$?

The only values of $g$ for which this is true are $g=1$ and $g=p-1$; avoid those two values, and you don't need that check.

Additional question: is it a good idea to check all integers in increasing order starting from $g=2$?

Well, there's no specific security reason to say that's a bad idea, however there are easier ways:

  • If we select $p \equiv 7 \pmod 8$, then $g=2$ will always be of order $q$

  • $g=4$ will always have order $q$ (as it is always a quadratic residue).

Are there any security issues related to a small $g$?

No, there are no issues. We can show that solving the CDH problem with respect to a small $g$ is no easier than the general case.

poncho
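An added example (not from the question or either answer) that checks the statements above on small safe primes $p = 2q+1$: the only solutions of $g^2 = 1 \bmod p$ are $1$ and $p-1$, any $g \ne 1$ with $g^q = 1 \bmod p$ has order exactly $q$, the scan from $g=2$ upward, and poncho's shortcuts ($g=2$ when $p \equiv 7 \pmod 8$, and $g=4$ always). Only the standard library is used; the trial-division primality test is a demo helper, not something to use at real key sizes.

```python
# Added example: verifying subgroup-order claims for safe primes p = 2q + 1.
# All arithmetic is pow(g, e, p); the primes are tiny so results can be read by hand.

def is_prime(n: int) -> bool:
    """Trial-division primality test (demo only; far too slow for 1024-bit p)."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def safe_primes(limit: int) -> list:
    """All safe primes p = 2q + 1 with q prime and p <= limit."""
    return [p for p in range(5, limit + 1) if is_prime(p) and is_prime((p - 1) // 2)]

def order_mod(g: int, p: int) -> int:
    """Multiplicative order of g mod a safe prime p: it must be one of 1, 2, q, p-1."""
    q = (p - 1) // 2
    for d in (1, 2, q, p - 1):       # checked smallest first, so the first hit is the order
        if pow(g, d, p) == 1:
            return d
    raise ValueError("g is not coprime to p")

def elements_of_order_two(p: int) -> list:
    """Every g in [1, p-1] with g^2 = 1 mod p; for prime p only 1 and p-1 qualify."""
    return [g for g in range(1, p) if pow(g, 2, p) == 1]

def first_generator_of_Gq(p: int) -> int:
    """The scan from the question: g = 2, 3, ... until g^q = 1 mod p (skips g = p-1)."""
    q = (p - 1) // 2
    for g in range(2, p - 1):
        if pow(g, q, p) == 1:
            return g
    raise ValueError("no generator below p-1 (only happens for p = 5, i.e. q = 2)")

def check_shortcuts(p: int) -> tuple:
    """(2 has order q whenever p = 7 mod 8, 4 has order q) for a safe prime p."""
    q = (p - 1) // 2
    two_ok = (p % 8 != 7) or order_mod(2, p) == q   # 2 is a quadratic residue iff p = +-1 mod 8
    four_ok = order_mod(4, p) == q                   # 4 = 2^2 is always a quadratic residue
    return two_ok, four_ok

if __name__ == "__main__":
    for p in safe_primes(50):
        print(p, elements_of_order_two(p), first_generator_of_Gq(p) if p > 5 else None, check_shortcuts(p))
```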