Results 1 - 7 of 7
Security of cryptosystems based on class groups of imaginary quadratic orders
 Okamoto (Ed.): Advances in Cryptology - ASIACRYPT 2000, Springer-Verlag LNCS
, 1976
Cited by 7 (1 self)
In this work we investigate the difficulty of the discrete logarithm problem in class groups of imaginary quadratic orders. In particular, we discuss several strategies to compute discrete logarithms in those class groups. Based on heuristic reasoning, we give advice for selecting the cryptographic parameter, i.e. the discriminant, such that cryptosystems based on class groups of imaginary quadratic orders would offer a similar security as commonly used cryptosystems.
Towards Practical Noninteractive Public Key Cryptosystems Using Nonmaximal Imaginary Quadratic Orders
 in Selected Areas in Cryptography, Lecture Notes in Computer Science
, 2000
Cited by 7 (0 self)
Abstract. We present a new noninteractive public key distribution system based on the class group of a nonmaximal imaginary quadratic order $Cl(\Delta_p)$. The main advantage of our system over earlier proposals based on $(\mathbb{Z}/n\mathbb{Z})^*$ [19,21] is that embedding id information into group elements in a cyclic subgroup of the class group is easy (straightforward embedding into prime ideals suffices) and secure, since the entire class group is cyclic with very high probability. In order to compute discrete logarithms in the class group, the KGC needs to know the prime factorization of $\Delta_p = \Delta_1 p^2$. We present an algorithm for computing discrete logarithms in $Cl(\Delta_p)$ by reducing the problem to computing discrete logarithms in $Cl(\Delta_1)$ and either $\mathbb{F}_p^*$ or $\mathbb{F}_{p^2}^*$. We prove that a similar reduction works for arbitrary nonmaximal orders, and that it has polynomial complexity if the factorization of the conductor is known.
Efficient implementation of cryptosystems based on nonmaximal imaginary quadratic orders
Cited by 6 (5 self)
In [14] there is proposed an ElGamal-type cryptosystem based on nonmaximal imaginary quadratic orders with trapdoor decryption. The trapdoor information is the factorization of the nonfundamental discriminant $\Delta_p = \Delta_1 p^2$. The NICE-cryptosystem (New Ideal Coset Encryption) [24, 12] is an efficient variant thereof, which uses an element g k 2 Ker (;1;1 Cl) Cl ( p), where k is random and Cl: Cl ( p)! Cl ( 1) is a map between the class groups of the nonmaximal and maximal order, to mask the message in the ElGamal cryptosystem. This mask simply "disappears" during decryption, which essentially consists of computing ;1 Cl. Thus NICE features quadratic decryption time and hence is very well suited for applications in which a central server has to decrypt a large number of ciphertexts in a short time. In this work we will introduce an efficient batch decryption method for NICE, which allows to speed up the decryption by about 30 % for a batch size of 100 messages. In [17] there is proposed a NICE-Schnorr-type signature scheme. In this scheme one uses the group Ker (;1 Cl) instead of $\mathbb{F}_p$. Thus instead of modular arithmetic one would need to apply standard ideal arithmetic (multiply and reduce) using algorithms from [5] for example. Because every group operation needs the application of the Extended Euclidean Algorithm the implementation would be very inefficient. Especially the signing process, which would typically be performed on a smartcard with limited computational power would be too slow to allow practical application. In this work we will introduce an entirely new arithmetic for elements in Ker (;1 Cl), which uses the generator and ring-equivalence for exponentiation. Thus the signer essentially performs the exponentiation in (O 1 =pO 1), which turns out to be about twenty times as fast as conventional ideal arithmetic. Furthermore in [17] it is shown, how one can further speed up this exponentiation by application of the Chinese Remainder Theorem for (O 1 =pO 1).
With this arithmetic the signature generation is about forty times as fast as with conventional ideal arithmetic and more than twice as fast as in the original Schnorr scheme [26].
Quadratic orders for NESSIE - Overview and parameter sizes of three public key families
, 2000
Cited by 3 (2 self)
In the scope of the European project NESSIE there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudorandom functions and public key primitives for digital signatures, encryption and identification. Since the security of all popular public key cryptosystems is based on unproven assumptions and therefore nobody can guarantee that schemes based on factoring or the computation of discrete logarithms in some group, like the multiplicative group of a finite field or the Jacobian of (hyper)elliptic curves over finite fields, will stay secure forever, it is especially important to provide a variety of different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. In this work we propose three different public key families based on the discrete logarithm problem in quadratic orders to be considered for NESSIE. The two families based on (maximal) real...
A survey of cryptosystems based on imaginary quadratic orders (Extended Abstract)
, 1999
Cited by 1 (1 self)
Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A promising candidate for a group in which the DL-problem seems to be hard is the class group $Cl(\Delta)$ of an imaginary quadratic order, as proposed by Buchmann and Williams [BuWi88]. Recently this type of group has obtained much attention, because there was proposed a very efficient cryptosystem based on nonmaximal imaginary quadratic orders [PaTa98a], later on called NICE (for New Ideal Coset Encryption) with quadratic decryption time. To our knowledge this is the only scheme having this property. First implementations show that the time for decryption is comparable to RSA encryption with $e = 2^{16} + 1$. Very recently there was proposed an efficient NICE-Schnorr-type signature scheme [HuMe99]...
An efficient NICE-Schnorr-type signature scheme (Extended Abstract)
, 1999
Recently there was proposed a novel public key cryptosystem [11] based on nonmaximal imaginary quadratic orders with quadratic decryption time. This scheme was later on called NICE for New Ideal Coset Encryption [4]. First implementations show that the decryption is as efficient as RSA-encryption with $e = 2^{16} + 1$. It was an open question whether it is possible to construct comparably efficient signature schemes based on nonmaximal imaginary quadratic orders. The major drawbacks of the ElGamal-type [5] and RSA/Rabin-type signature schemes [6] proposed so far are the slow signature generation and the very inefficient system setup, which involves the computation of the class number $h(\Delta_1)$ of the maximal order with a subexponential time algorithm. To avoid this tedious computation it was proposed to use totally nonmaximal orders, where $h(\Delta_1) = 1$, to set up DSA analogues. Very recently however it was shown in [8], that the discrete logarithm problem in this case ...
Constructing Twisted Anomalous Elliptic Curves
Abstract—Huhnlein et al. showed that for totally nonmaximal imaginary quadratic orders, the discrete logarithm problem can be reduced to the discrete logarithm problem in some finite fields. In previous work we showed that for twisted anomalous elliptic curves, the logarithm problem can also be reduced to the logarithm problem in some finite fields. In this work we present an algorithm to construct this class of elliptic curves. Index Terms—discrete logarithm problem, imaginary quadratic order, elliptic curve, anomalous curve