Results 1-10 of 31
Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups
In proceedings of EUROCRYPT '02, LNCS series, 2002
Cited by 14 (1 self)
We study the problem of root extraction in finite Abelian groups, where the group order is unknown. This is a natural generalization of the problem of decrypting RSA ciphertexts. We study the complexity of this problem for generic algorithms, that is, algorithms that work for any group and do not use any special properties of the group at hand. We prove an exponential lower bound on the generic complexity of root extraction, even if the algorithm can choose the "public exponent" itself. In other words, both the standard and the strong RSA assumption are provably true w.r.t. generic algorithms. The results hold for arbitrary groups, so security w.r.t. generic attacks follows for any cryptographic construction based on root extracting. As an example of this, we revisit the Cramer-Shoup signature scheme [CS99]. We modify the scheme such that it becomes a generic algorithm. This allows us to implement it in RSA groups without the original restriction that the modulus must be a product of safe primes. It can also be implemented in class groups. In all cases, security follows from a well defined complexity assumption (the strong root assumption), without relying on random oracles, and the assumption is shown to be true w.r.t. generic attacks.
Towards Practical Non-Interactive Public Key Cryptosystems Using Non-Maximal Imaginary Quadratic Orders
In Selected Areas in Cryptography, Lecture Notes in Computer Science, 2000
Cited by 13 (0 self)
We present a new non-interactive public key distribution system based on the class group of a non-maximal imaginary quadratic order Cl(∆_p). The main advantage of our system over earlier proposals based on (Z/nZ)^* [19,21] is that embedding id information into group elements in a cyclic subgroup of the class group is easy (straightforward embedding into prime ideals suffices) and secure, since the entire class group is cyclic with very high probability. In order to compute discrete logarithms in the class group, the KGC needs to know the prime factorization of ∆_p = ∆_1 p^2. We present an algorithm for computing discrete logarithms in Cl(∆_p) by reducing the problem to computing discrete logarithms in Cl(∆_1) and either F_p^* or F_{p^2}^*. We prove that a similar reduction works for arbitrary non-maximal orders, and that it has polynomial complexity if the factorization of the conductor is known.
The efficiency and security of a real quadratic field based key exchange protocol
DE GRUYTER, 2001
Cited by 13 (3 self)
Most cryptographic key exchange protocols make use of the presumed difficulty of solving the discrete logarithm problem (DLP) in a certain finite group as the basis of their security. Recently, real quadratic number fields have been proposed for use in the development of such protocols. Breaking such schemes is known to be at least as difficult a problem as integer factorization; furthermore, these are the first discrete logarithm based systems to utilize a structure which is not a group, specifically the collection of reduced ideals which belong to the principal class of the number field. For this structure the DLP is essentially that of determining a generator of a given principal ideal. Unfortunately, there are a few implementation-related disadvantages to these schemes, such as the need for high precision floating point arithmetic and an ambiguity problem that requires a short, second round of communication. In this paper we describe work that has led to the resolution of some of these difficulties. Furthermore, we discuss the security of the system, concentrating on the most recent techniques for solving the DLP in a real quadratic number field.
Compact representation of quadratic integers and integer points on some elliptic curves
Rocky Mountain J. Math
Cited by 10 (8 self)
Let Q(√d) be a real quadratic field. Following [Mau] we define a compact representation of an algebraic number β ∈ Q(√d) to be β = k∏
Improvements in the computation of ideal class groups of imaginary quadratic number fields
ADVANCES IN MATHEMATICS OF COMPUTATION
Cited by 10 (1 self)
We investigate improvements to the algorithm for the computation of ideal class groups described by Jacobson in the imaginary quadratic case. These improvements rely on the large prime strategy and a new method for performing the linear algebra phase. We achieve a significant speedup and are able to compute the ideal class group of a 110-decimal-digit discriminant in less than a week.
Security of cryptosystems based on class groups of imaginary quadratic orders
2000
Cited by 8 (1 self)
In this work we investigate the difficulty of the discrete logarithm problem in class groups of imaginary quadratic orders. In particular, we discuss several strategies to compute discrete logarithms in those class groups. Based on heuristic reasoning, we give advice for selecting the cryptographic parameter, i.e. the discriminant, such that cryptosystems based on class groups of imaginary quadratic orders would offer a similar security as commonly used cryptosystems.
Reducing Logarithms in Totally Non-Maximal Imaginary Quadratic Orders to Logarithms in Finite Fields (Extended Abstract)
1999
Cited by 8 (5 self)
Since nobody can guarantee that the computation of discrete logarithms in elliptic curves or F_p remains intractable in the future, it is important to study cryptosystems based on alternative groups. A promising candidate, which was proposed by Buchmann and Williams [8], is the class group Cl(Δ) of an imaginary quadratic order O_Δ. This ring is isomorphic to the endomorphism ring of a non-supersingular elliptic curve over a finite field. While in the meantime a subexponential algorithm for the computation of discrete logarithms in Cl(Δ) has been found [16], this algorithm only has running time L_Δ[1/2; c] and is far less efficient than the number field sieve with L_p[1/3; c] for computing logarithms in F_p. Thus one may choose the parameters smaller to obtain the same level of security. It is an open question whether there is an L_Δ[1/3; c] algorithm to compute discrete logarithms in arbitrary Cl(Δ). Recently there were proposed cry...
Computing Discrete Logarithms in Quadratic Orders
2000
Cited by 8 (4 self)
We present efficient algorithms for computing discrete logarithms in the class group of a quadratic order and for principality testing in a real quadratic order, based on the work of Düllmann and Abel. We show how the idea of generating relations with sieving can be applied to improve the performance of these algorithms. Computational results are presented which demonstrate that our new techniques yield a significant increase in the sizes of discriminants for which these discrete logarithm problems can be solved.
On the implementation of cryptosystems based on real quadratic number fields
Seventh Annual Workshop on Selected Areas in Cryptography (SAC2000), Lecture Notes in Computer Science, 2000
Cited by 7 (0 self)
Cryptosystems based on the discrete logarithm problem in the infrastructure of a real quadratic number field [7, 19, 2] are very interesting from a theoretical point of view, because this problem is known to be at least as hard as, and when considering today's algorithms (as in [11]) much harder than, factoring integers. However, it seems that the cryptosystems sketched in [2] have not been implemented yet, and consequently it is hard to evaluate the practical relevance of these systems. Furthermore, as [2] lacks any proofs regarding the involved approximation precisions, it was not clear whether the second communication round, as required in [7, 19], really could be avoided without substantial slowdown. In this work we will prove a bound for the necessary approximation precision of an exponentiation using quadratic numbers in power product representation and show that the precision given in [2] can be lowered considerably. As the highly space consuming power products cannot be applied in environments with limited RAM, we will propose a simple (CRIAD) arithmetic which entirely avoids these power products. Besides the obvious savings in terms of space, this method is also about 30% faster. Furthermore, one may apply more sophisticated exponentiation techniques, which finally result in a tenfold speedup compared to [2].
THE INFRASTRUCTURE OF A GLOBAL FIELD OF ARBITRARY UNIT RANK
2008
Cited by 7 (5 self)
In the past, the infrastructure of a number or (global) function field has been used for computation of units. In the case of a one-dimensional infrastructure, i.e. in the case of unit rank one, one has a binary operation which is similar to multiplication, called a giant step, which was introduced by D. Shanks. In this paper, we show a general way to interpret infrastructure in the case of arbitrary unit rank, which gives a giant step. Moreover, we relate the infrastructure and the giant step to the arithmetic in the divisor class group. Finally, we give explicit algorithms in the function field case for computing, and show how the baby step-giant step method for unit computation generalizes to the case of arbitrary unit rank.