In this work we investigate the di culty of the discrete logarithm problem in class groups of imaginary quadratic orders. In particular, we discuss several strategies to compute discrete logarithms in those class groups. Based on heuristic reasoning, we give advice for selecting the cryptographic parameter, i.e. the discriminant, such that cryptosystems based on class groups of imaginary quadratic orders would o er a similar security as commonly used cryptosystems. 1

Abstract. We present a new non-interactive public key distribution system based on the class group of a non-maximal imaginary quadratic order Cl(∆p). The main advantage of our system over earlier proposals based on (Z/nZ) ∗ [19,21] is that embedding id information into group elements in a cyclic subgroup of the class group is easy (straight-forward embedding into prime ideals suffices) and secure, since the entire class group is cyclic with very high probability. In order to compute discrete logarithms in the class group, the KGC needs to know the prime factorization of ∆p = ∆1p 2. We present an algorithm for computing discrete logarithms in Cl(∆p) by reducing the problem to computing discrete logarithms in Cl(∆1) and either F ∗ p or F ∗ p2. We prove that a similar reduction works for arbitrary non-maximal orders, and that it has polynomial complexity if the factorization of the conductor is known.

Abstract. Cryptosystems based on the discrete logarithm problem in the infrastructure of a real quadratic number eld [7, 19, 2] are very interesting from a theoretical point of view, because this problem is known to be at least as hard as, and when considering todays algorithms { as in [11] { much harder than, factoring integers. However it seems that the cryptosystems sketched in [2] have not been implemented yet and consequently it is hard to evaluate the practical relevance of these systems. Furthermore as [2] lacks any proofs regarding the involved approximation precisions, it was not clear whether the second communication round, as required in [7, 19], really could be avoided without substantial slowdown. In this work we will prove a bound for the necessary approximation precision of an exponentiation using quadratic numbers in power product representation and show that the precision given in [2] can be lowered considerably. As the highly space consuming power products can not be applied in environments with limited RAM, we will propose a simple (CRIAD 1-) arithmetic which entirely avoids these power products. Beside the obvious savings in terms of space this method is also about 30% faster. Furthermore one may apply more sophisticated exponentiation techniques, which nally result in a ten-fold speedup compared to [2]. 1