this paper we present new undeniable signature schemes which are constructed over an imaginary quadratic field. The basic scheme contains zero-knowledge confirmation and disavowal protocols which require operations of cubic bit complexity by the signer. In case one omits the part of the protocols which is costly the confirmation and disavowal protocol are not zero-knowledge but honest-verifier zeroknowledge; the remaining operations for the signer have quadratic bit complexity. Additionally, the information which can be learned by a dishonest verifier can be characterized but will not be helpful to fake new signatures. Even tracing the operations done in this part leaks no information. In our basic scheme, the secret key of the signer is not needed to perform the additional operations for the zero-knowledge property; one can delegate this part to be performed by a certified software running on a terminal or PC to which the chip card is connected. Tracing the computations done by the certified software is allowed. One only has to be guaranteed that the results computed by this program are not manipulated. So, either in the basic protocol or in applications in which one knows the verifier to be trustworthy the tasks of the signer using the secret information can be performed in quadratic bit complexity, e.g. on a smart card. Buchmann and Williams proposed the first algorithm which achieves the DiffieHellman key distribution scheme using the class group in an imaginary quadratic field [5]. Later, Hafner and McCurley discovered the sub-exponential algorithm against the discrete logarithm problem of the class group [20]. Since then, cryptosystems over class groups have not gained much attention in practice. Recently, Huhnlein et. al. proposed an ElGamal-type public key crypt...

In [14] there is proposed an ElGamal-type cryptosystem based on non-maximal imaginary quadratic orders with trapdoor decryption. The trapdoor information is the factorization of the non-fundamental discriminant p = 1p 2. The NICE-cryptosystem (New Ideal Coset En-cryption) [24, 12] is an e cient variant thereof, which uses an element g k 2 Ker (;1;1 Cl) Cl ( p), where k is random and Cl: Cl ( p)! Cl ( 1) is a map between the class groups of the non-maximal and maximal order, to mask the message in the ElGamal cryptosystem. This mask simply "disappears " during decryption, which essentially consists of computing;1 Cl.Thus NICE features quadratic decryption time and hence is very well suited for applications in which acentral server has to decrypt a large number of ciphertexts in a short time. In this work we will introduce an efficient batch decryption method for NICE, which allows to speed up the decryption by about 30 % for a batch size of 100 messages. In [17] there is proposed a NICE-Schnorr-type signature scheme. In this scheme one uses the group Ker (;1 Cl) instead of IF p. Thus instead of modular arithmetic one would need to apply standard ideal arithmetic (multiply and reduce) using algorithms from [5] for example. Because every group operation needs the application of the Extended Euclidean Algorithm the implementation would be very inefficient. Especially the signing process, which would typically be performed on a smartcard with limited computational power would be too slow to allow practical application. In this work we will introduce an entirely new arithmetic for elements in Ker (;1 Cl), which uses the generator and ring-equivalence for exponentiation. Thus the signer essentially performs the exponentiation in (O 1 =pO 1) , which turns out to be about twenty times as fast as conventional ideal arithmetic. Furthermore in [17] it is shown, how one can further speed up this exponentiation by application of the Chinese Remainder Theorem for (O 1 =pO 1). With this arithmetic the signature generation is about forty times as fast as with conventional ideal arithmetic and more than twice as fast as in the original Schnorr scheme [26].

Abstract. In [14] and [21] there are proposed ElGamal-type cryptosystems based on non-maximal imaginary quadratic orders with fast trapdoor decryption. The trapdoor information is the factorization of the non-fundamental discriminant q = q 2.We will extend the ideas given there to set up Rabin and RSA analogues based on non-maximal imaginary quadratic orders. To implement theRabin analogue we will introduce a new algorithm, which reduces the computation of square roots in Cl ( q) to the computation of square roots in Cl (). This is more e cient than the classical Gaussian algorithm. If the class number h ()for =;p, p 3 mod 4 prime, is known, it is possible to extract square roots by a simple exponentiantion. In this case it is easy to set up RSA analogues as well. It will be shown, that breaking the Rabin analogue is as hard as factoring, just like the original scheme in (ZZ=nZZ). The major advantage of our schemes compared to the original Rabin and RSA schemes is that they are immune against the currently known low exponent attacks and the chosen ciphertext attack from [10].

. In the scope of the European project NESSIE 1 there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudo-random functions and public key primitives for digital signatures, encryption and identification. Since the security of all popular puplic key cryptosystems is based on unproven assumptions and therefore nobody can guarantee that schemes based on factoring or the computation of discrete logarithms in some group, like the multiplicative group of a finite field or the jacobian of (hyper-) elliptic curves over finite fields, will stay secure forever, it is especially important to provide a variety of different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. In this work we propose three different public key families based on the discrete logarithm problem in quadratic orders to be considered for NESSIE. The two families based on (maximal) real...

Abstract. In 2000, Paulus and Takagi introduced a public key cryptosystem called NICE that exploits the relationship between maximal and non-maximal orders in imaginary quadratic number fields. Relying on the intractability of integer factorization, NICE provides a similar level of security as RSA, but has faster decryption. This paper presents REAL-NICE, an adaptation of NICE to orders in real quadratic fields. REAL-NICE supports smaller public keys than NICE, and while preliminary computations suggest that it is somewhat slower than NICE, it still significantly outperforms RSA in decryption. 1