Security of cryptosystems based on class groups of imaginary quadratic orders
- Okamoto (Ed.): Advances in Cryptology ASIACRYPT 2000, Springer-Verlag LNCS
, 1976
Cited by 7 (1 self)
In this work we investigate the difficulty of the discrete logarithm problem in class groups of imaginary quadratic orders. In particular, we discuss several strategies to compute discrete logarithms in those class groups. Based on heuristic reasoning, we give advice for selecting the cryptographic parameter, i.e. the discriminant, such that cryptosystems based on class groups of imaginary quadratic orders would offer a similar security as commonly used cryptosystems.
Efficient implementation of cryptosystems based on non-maximal imaginary quadratic orders
Cited by 6 (5 self)
In [14] there is proposed an ElGamal-type cryptosystem based on non-maximal imaginary quadratic orders with trapdoor decryption. The trapdoor information is the factorization of the non-fundamental discriminant p = 1p 2. The NICE-cryptosystem (New Ideal Coset Encryption) [24, 12] is an efficient variant thereof, which uses an element g k 2 Ker (;1;1 Cl) Cl ( p), where k is random and Cl: Cl ( p)! Cl ( 1) is a map between the class groups of the non-maximal and maximal order, to mask the message in the ElGamal cryptosystem. This mask simply "disappears" during decryption, which essentially consists of computing;1 Cl. Thus NICE features quadratic decryption time and hence is very well suited for applications in which a central server has to decrypt a large number of ciphertexts in a short time. In this work we will introduce an efficient batch decryption method for NICE, which allows to speed up the decryption by about 30% for a batch size of 100 messages. In [17] there is proposed a NICE-Schnorr-type signature scheme. In this scheme one uses the group Ker (;1 Cl) instead of IF p. Thus instead of modular arithmetic one would need to apply standard ideal arithmetic (multiply and reduce) using algorithms from [5] for example. Because every group operation needs the application of the Extended Euclidean Algorithm the implementation would be very inefficient. Especially the signing process, which would typically be performed on a smartcard with limited computational power would be too slow to allow practical application. In this work we will introduce an entirely new arithmetic for elements in Ker (;1 Cl), which uses the generator and ring-equivalence for exponentiation. Thus the signer essentially performs the exponentiation in (O 1 =pO 1) , which turns out to be about twenty times as fast as conventional ideal arithmetic. Furthermore in [17] it is shown, how one can further speed up this exponentiation by application of the Chinese Remainder Theorem for (O 1 =pO 1).
With this arithmetic the signature generation is about forty times as fast as with conventional ideal arithmetic and more than twice as fast as in the original Schnorr scheme [26].
Towards Practical Non-interactive Public Key Cryptosystems Using Non-maximal Imaginary Quadratic Orders
- in Selected Areas in Cryptography, Lecture Notes in Computer Science
, 2000
Cited by 5 (0 self)
We present a new non-interactive public key distribution system based on the class group of a non-maximal imaginary quadratic order $Cl(\Delta_p)$. The main advantage of our system over earlier proposals based on $(\mathbb{Z}/n\mathbb{Z})^*$ [19,21] is that embedding id information into group elements in a cyclic subgroup of the class group is easy (straight-forward embedding into prime ideals suffices) and secure, since the entire class group is cyclic with very high probability. In order to compute discrete logarithms in the class group, the KGC needs to know the prime factorization of $\Delta_p = \Delta_1 p^2$. We present an algorithm for computing discrete logarithms in $Cl(\Delta_p)$ by reducing the problem to computing discrete logarithms in $Cl(\Delta_1)$ and either $\mathbb{F}_p^*$ or $\mathbb{F}_{p^2}^*$. We prove that a similar reduction works for arbitrary non-maximal orders, and that it has polynomial complexity if the factorization of the conductor is known.
Quadratic orders for NESSIE - Overview and parameter sizes of three public key families
, 2000
Cited by 3 (2 self)
In the scope of the European project NESSIE there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudo-random functions and public key primitives for digital signatures, encryption and identification. Since the security of all popular public key cryptosystems is based on unproven assumptions and therefore nobody can guarantee that schemes based on factoring or the computation of discrete logarithms in some group, like the multiplicative group of a finite field or the Jacobian of (hyper-) elliptic curves over finite fields, will stay secure forever, it is especially important to provide a variety of different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. In this work we propose three different public key families based on the discrete logarithm problem in quadratic orders to be considered for NESSIE. The two families based on (maximal) real...
A survey of cryptosystems based on imaginary quadratic orders (Extended Abstract)
, 1999
Cited by 1 (1 self)
Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A promising candidate for a group in which the DL-problem seems to be hard is the class group $Cl(\Delta)$ of an imaginary quadratic order, as proposed by Buchmann and Williams [BuWi88]. Recently this type of group has obtained much attention, because there was proposed a very efficient cryptosystem based on non-maximal imaginary quadratic orders [PaTa98a], later on called NICE (for New Ideal Coset Encryption) with quadratic decryption time. To our knowledge this is the only scheme having this property. First implementations show that the time for decryption is comparable to RSA encryption with $e = 2^{16} + 1$. Very recently there was proposed an efficient NICE-Schnorr type signature scheme [HuMe99]...
An efficient NICE-Schnorr-type signature scheme (Extended Abstract)
, 1999
Recently there was proposed a novel public key cryptosystem [11] based on nonmaximal imaginary quadratic orders with quadratic decryption time. This scheme was later on called NICE for New Ideal Coset Encryption [4]. First implementations show that the decryption is as efficient as RSA-encryption with $e = 2^{16} + 1$. It was an open question whether it is possible to construct comparably efficient signature schemes based on non-maximal imaginary quadratic orders. The major drawbacks of the ElGamal-type [5] and RSA/Rabin-type signature schemes [6] proposed so far are the slow signature generation and the very inefficient system setup, which involves the computation of the class number $h(\Delta_1)$ of the maximal order with a subexponential time algorithm. To avoid this tedious computation it was proposed to use totally nonmaximal orders, where $h(\Delta_1) = 1$, to set up DSA analogues. Very recently however it was shown in [8], that the discrete logarithm problem in this case ...

