Abstract. This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model. 1

Abstract. The noisy polynomial interpolation problem is a new intractability assumption introduced last year in oblivious polynomial evaluation. It also appeared independently in password identification schemes, due to its connection with secret sharing schemes based on Lagrange’s polynomial interpolation. This paper presents new algorithms to solve the noisy polynomial interpolation problem. In particular, we prove a reduction from noisy polynomial interpolation to the lattice shortest vector problem, when the parameters satisfy a certain condition that we make explicit. Standard lattice reduction techniques appear to solve many instances of the problem. It follows that noisy polynomial interpolation is much easier than expected. We therefore suggest simple modifications to several cryptographic schemes recently proposed, in order to change the intractability assumption. We also discuss analogous methods for the related noisy Chinese remaindering problem arising from the well-known analogy between polynomials and integers. 1

We survey four variants of RSA designed to speed up RSA decryption and signing. We only consider variants that are backwards compatible in the sense that a system using one of these variants can interoperate with systems using standard RSA.

this paper we present new undeniable signature schemes which are constructed over an imaginary quadratic field. The basic scheme contains zero-knowledge confirmation and disavowal protocols which require operations of cubic bit complexity by the signer. In case one omits the part of the protocols which is costly the confirmation and disavowal protocol are not zero-knowledge but honest-verifier zeroknowledge; the remaining operations for the signer have quadratic bit complexity. Additionally, the information which can be learned by a dishonest verifier can be characterized but will not be helpful to fake new signatures. Even tracing the operations done in this part leaks no information. In our basic scheme, the secret key of the signer is not needed to perform the additional operations for the zero-knowledge property; one can delegate this part to be performed by a certified software running on a terminal or PC to which the chip card is connected. Tracing the computations done by the certified software is allowed. One only has to be guaranteed that the results computed by this program are not manipulated. So, either in the basic protocol or in applications in which one knows the verifier to be trustworthy the tasks of the signer using the secret information can be performed in quadratic bit complexity, e.g. on a smart card. Buchmann and Williams proposed the first algorithm which achieves the DiffieHellman key distribution scheme using the class group in an imaginary quadratic field [5]. Later, Hafner and McCurley discovered the sub-exponential algorithm against the discrete logarithm problem of the class group [20]. Since then, cryptosystems over class groups have not gained much attention in practice. Recently, Huhnlein et. al. proposed an ElGamal-type public key crypt...

We present a new cryptosystem based on ideal arithmetic in quadratic orders. The method of our trapdoor is different from the Diffie-Hellman key distribution scheme or the RSA cryptosystem. The plaintext m is encrypted by mp r , where p is a fixed element and r is a random integer, so our proposed cryptosystem is a probabilistic encryption scheme and has the homomorphy property. The most prominent property of our cryptosystem is the cost of the decryption, which is of quadratic bit complexity in the length of the public key. Our implementation shows that it is comparably as fast as the encryption time of the RSA cryptosystem with e = 2 16 + 1. The security of our cryptosystem is closely related to factoring the discriminant of a quadratic order. When we choose appropriate sizes of the parameters, the currently known fast algorithms, for examples, the elliptic curve method, the number field sieve, the Hafner-McCurley algorithm, are not applicable. We also discuss that the chosen cip...

. In the scope of the European project NESSIE 1 there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudo-random functions and public key primitives for digital signatures, encryption and identification. Since the security of all popular puplic key cryptosystems is based on unproven assumptions and therefore nobody can guarantee that schemes based on factoring or the computation of discrete logarithms in some group, like the multiplicative group of a finite field or the jacobian of (hyper-) elliptic curves over finite fields, will stay secure forever, it is especially important to provide a variety of different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. In this work we propose three different public key families based on the discrete logarithm problem in quadratic orders to be considered for NESSIE. The two families based on (maximal) real...

to be existentially unforgeable against chosen-message attacks assuming that the approximate e-th root (AER) problem is hard and that the employed hash function is a random function. While the AER problem has been studied by some researchers, it has not received as much attention as the integer factorization problem or the discrete logarithm problem. One way to p solve the AER problem is to factor the integer n, where n 2 q and p and q are primes of the same bitlength. The parameters recommended ensure that ESIGN resists all known attacks for factoring integers of this form. 2 Protocol specification 2.1 ESIGN key pairs For the security parameter pLen, k each entity does the following: 1. Randomly select two distinct primes, p, q, each of bitsize k and compute p n 2. Select an integer 4. 3. A’s public key is¢n£e£k¤; A’s private key is¢p£q¤. e¡ In addition, one needs to specify a hash function H¥whose output length is k bits. 2.2 ESIGN signature generation To sign a message m, an entity A with the private key¢p£q¤does the following: 1. Compute H¥¦¢m¤,and let be bit. H¢m¤ obtained from by H¥¦¢m¤ 2 q. deleting the most significant 2. Pick r uniformly from§r ¨ at random gcd¢r£p ¤ Zpq: 1©.

We describe a novel public-key cryptosystem, EPOC (Efficient Probabilistic Public-Key Encryption), which has three versions: EPOC-1, EPOC-2 and EPOC-3. EPOC-1 is a publickey encryption system that uses a one-way trapdoor function and a random function (hash function). EPOC-2 and EPOC-3 are public-key encryption systems that use a one-way trapdoor function, two random functions (hash functions) and a symmetric-key encryption (e.g., one-time padding and block-ciphers).

Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A promising candidate for a group in which the DL-problem seems to be hard is the class group Cl(\Delta) of an imaginary quadratic order, as proposed by Buchmann and Williams [BuWi88]. Recently this type of group has obtained much attention, because there was proposed a very efficient cryptosystem based on non-maximal imaginary quadratic orders [PaTa98a], later on called NICE (for New Ideal Coset Encryption) with quadratic decryption time. To our knowledge this is the only scheme having this property. First implementations show that the time for decryption is comparable to RSA encryption with e = 2 16 + 1. Very recently there was proposed an efficient NICE-Schnorr type signature scheme [HuMe99]...

Recently there was proposed a novel public key cryptosystem [11] based on nonmaximal imaginary quadratic orders with quadratic decryption time. This scheme was later on called NICE for New Ideal Coset Encryption [4]. First implementations show that the decryption is as efficient as RSA-encryption with e = 2 16 + 1. It was an open question whether it is possible to construct comparably efficient signature schemes based on non-maximal imaginary quadratic orders. The major drawbacks of the ElGamal-type [5] and RSA/Rabin-type signature schemes [6] proposed so far are the slow signature generation and the very inefficient system setup, which involves the computation of the class number h(\Delta 1 ) of the maximal order with a subexponential time algorithm. To avoid this tedious computation it was proposed to use totally nonmaximal orders, where h(\Delta 1 ) = 1, to set up DSA analogues. Very recently however it was shown in [8], that the discrete logarithm problem in this case ...