1

I have two prime numbers $p$ (1024 bits) and $q$ (160 bits) such that $q$ divides $p-1$. Now I want to find an element $b$ in $\mathbb{Z}_p$ with the order of $q$. That means that $b^q \equiv 1 \mod p$.

I tried to choose $b$ at random and than check if the congruence holds, but it seems that this is not a good approach since it doesn't give an answer in a reasonable time. So is there any way to find $b$ efficiently?

mangart
  • 11
  • 2
  • I think this is a different question, because finding a generator by trial and error will be much easier than finding an element with a different order. I think the probability of hitting an element with non-trivial order is $1 - \varphi(n)/n$ which is generally negligibly close to zero (the probability of hitting a generator is $\varphi(n)/n$). This suggests the need for a more efficient approach than trial and error which works for finding a generator. – Mikero Jan 05 '22 at 22:00
  • 2
    From Poncho's answer: One easy way of selecting a random generator is to select a random value $h$ between 2 and $p-1$, and compute $h^{(p-1)/q} \bmod p$; if that value is not 1 (and with high probability, it won't be), then $h^{(p-1)/q} \bmod p$ is your random generator. – kelalaka Jan 05 '22 at 22:01
  • @kelalaka As far as I know a generator is an element that can generate all the elements of the group and so the order of that element would be $p-1$, but I am trying to find an element $b$ that has the order $q$ which is much smaller than $p-1$ and also $b$ by this definition is not a generator of the group. – mangart Jan 05 '22 at 22:15
  • 1
    That is what the answer includes. Read carefully. – kelalaka Jan 05 '22 at 22:19
  • @kelalaka Oh I see, the answer is actually in the Wikipedia article linked in that answer, about the Schnorr group. So that actually answers my question. Thank you so much and sorry for not reading your suggested question more thoroughly the first time. – mangart Jan 05 '22 at 22:39
  • 1
    If $q$ is prime, my answer is the right one. If it is not, but its factorization is known, then my answer (which some simple post tests works). If the factorization is unknown, then I don't believe there is a way that works all the time (but you can get one that works with probability $> 0.99$ – poncho Jan 05 '22 at 22:56

0 Answers0