with prime. Then choose random h in the range until you find one such that
is a generator of a subgroup of of order q.
Schnorr groups are useful in discrete log based cryptosystems including Schnorr signatures and DSA. In such applications, typically p is chosen to be large enough to resist index-calculus and related methods of solving the discrete-log problem (perhaps 1024-2048 bits), while q is large enough to resist the birthday attack on discrete log problems, which works in any group (perhaps 160-512 bits). Because the Schnorr group is of prime order, it has no non-trivial subgroups, thwarting small subgroup attacks. Implementations of protocols that use Schnorr groups must verify where appropriate that integers supplied by other parties are in fact members of the Schnorr group; x is a member of the group if and . Any member of the group except the element 1 is also a generator of the group.
Schnorr groups were proposed for cryptographic use by Claus P. Schnorr.
See also: Topics in cryptography