## Security of cryptosystems based on class groups of imaginary quadratic orders (2000)

Citations: 8 (1 self)

### BibTeX

```bibtex
@MISC{Hamdy00securityof,
  author = {Safuat Hamdy and Bodo Möller},
  title  = {Security of cryptosystems based on class groups of imaginary quadratic orders},
  year   = {2000}
}
```


### Abstract

In this work we investigate the difficulty of the discrete logarithm problem in class groups of imaginary quadratic orders. In particular, we discuss several strategies for computing discrete logarithms in those class groups. Based on heuristic reasoning, we give advice for selecting the cryptographic parameter, i.e. the discriminant, such that cryptosystems based on class groups of imaginary quadratic orders offer security comparable to that of commonly used cryptosystems.

### Citations

2724 | Handbook of Applied Cryptography - Menezes, van Oorschot, Vanstone - 1997

987 | A Course in Computational Algebraic Number Theory - Cohen - 1996
> Citation context: ...lecting the security parameters. 2 Class groups. Recall that we consider class groups of imaginary quadratic fields only. We shall state only some necessary facts without proofs; for details we refer to [8, 5]. Let $\Delta$ be a negative integer such that $\Delta \equiv 0, 1 \pmod 4$. Then $\Delta$ is the discriminant of a unique order $\mathcal{O}_\Delta = \mathbb{Z} + \mathbb{Z}(\Delta + \sqrt{\Delta})/2$ of $\mathbb{Q}(\sqrt{\Delta})$. $\mathcal{O}_\Delta$ is maximal if and only if $\Delta$ is fundamental, i.e. $\Delta$ or $\Delta/4$ is...

208 | A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory - Guillou, Quisquater - 1988
> Citation context: ...that doesn't require knowledge of the group order has been proposed. Computing roots without knowing the class number also appears to be intractable. This makes the Guillou-Quisquater signature protocol [10] suitable for class groups, since in this protocol even the signer does not need to know the class number. Moreover, in [1] a variant of DSA was presented that is based on the intractability to comput...

113 | Primes of the form $x^2 + ny^2$ - Cox - 1989
> Citation context: ...lecting the security parameters. 2 Class groups. Recall that we consider class groups of imaginary quadratic fields only. We shall state only some necessary facts without proofs; for details we refer to [8, 5]. Let $\Delta$ be a negative integer such that $\Delta \equiv 0, 1 \pmod 4$. Then $\Delta$ is the discriminant of a unique order $\mathcal{O}_\Delta = \mathbb{Z} + \mathbb{Z}(\Delta + \sqrt{\Delta})/2$ of $\mathbb{Q}(\sqrt{\Delta})$. $\mathcal{O}_\Delta$ is maximal if and only if $\Delta$ is fundamental, i.e. $\Delta$ or $\Delta/4$ is...

64 | A rigorous subexponential algorithm for computation of class groups - Hafner, McCurley - 1989
> Citation context: ...whether the Cl-DLP is really harder than the IFP. The Cl-DLP can be solved with a subexponential index-calculus algorithm due to Hafner and McCurley [11]. This algorithm was improved by Düllmann [9]. Recently, in [28] it has been rigorously proven that for solving the Cl-DLP one can expect a running time proportional to $L_{|\Delta|}\left[\tfrac{1}{2}, \tfrac{3}{4}\sqrt{2} + o(1)\right]$...

59 | Sharper bounds for the Chebyshev functions θ(x) and ψ(x) - Rosser, Schoenfeld - 1975
> Citation context: ...p group operations to find q. In order to find a smoothness bound, we must consider the easiest case, i.e. $e(p_i, B) = 1$ for all $p_i$. Now $\sum_{p < q} \log_2 p = \theta(q)/\ln 2$, where $\theta$ is the Chebyshev $\theta$-function. In [23, 24] it was shown that $0.998697\,x < \theta(x) < 1.001093\,x$ for all $x \geq 1155901$ (under assumption of the Riemann hypothesis, it is even possible to show that $|\theta(x) - x| < \frac{1}{8\pi}\sqrt{x}\,\ln^2 x$ for $x \geq 599$, cf. [23,...

37 | A key-exchange system based on imaginary quadratic fields - Buchmann, Williams - 1988
> Citation context: ...rs would offer a similar security as commonly used cryptosystems. 1 Introduction. Cryptosystems based on class groups of imaginary quadratic orders (IQC) have been first proposed by Buchmann and Williams [3, 4] in 1988 and 1990. Since then, there was no clear advice on how to select the cryptographic parameter, i.e. the discriminant of the quadratic order. The goal of this work is to close this gap. In part...

37 | Primes of the Form $x^2 + ny^2$ - Cox - 1989

36 | The Future of Integer Factorization - Odlyzko - 1995
> Citation context: ...al running time for smaller input parameters. If $x_1$ and $x_2$ are inputs for an algorithm with expected running time $L_x[e, c]$ and $t_1$ is the running time of the algorithm when executed with $x_1$, then (see [20] or [17]) the running time $t_2$ of the algorithm with input $x_2$ can be estimated by the equation $$\frac{t_1}{t_2} = \frac{L_{x_1}[e, c]}{L_{x_2}[e, c]} \qquad (1)$$ However, this holds only if the sizes of $x_1$ and $x_2$ do not differ too mu...

30 | A Course in Number Theory - Rose - 1988

27 | Subexponential Class Group Computation in Quadratic Orders - Jacobson - 1999

15 | LiDIA: A C++ library for computational number theory, http://www.informatik.tu-darmstadt.de/TI/LiDIA

14 | Sharper bounds for the Chebyshev functions θ(x) and ψ(x) - Rosser, Schoenfeld - 1975

14 | Ein Algorithmus zur Bestimmung der Klassengruppe positiv definiter binärer quadratischer Formen, Ph.D. thesis, Universität des Saarlandes - Düllmann - 1991
> Citation context: ...IFP. The Cl-DLP can be solved with a subexponential index-calculus algorithm due to Hafner and McCurley [11]. This algorithm was improved by Düllmann [9]. Recently, in [28] it has been rigorously proven that for solving the Cl-DLP one can expect a running time proportional to $L_{|\Delta|}\left[\tfrac{1}{2}, \tfrac{3}{4}\sqrt{2} + o(1)\right]$, where $\Delta$ is the discriminant of the imaginar...

13 | Heuristics on class groups - Cohen, Lenstra - 1984
> Citation context: ...algorithm takes $\sqrt{\pi|G|/2}$ group operations (ignoring lower order terms) for cyclic groups $G$. Moreover, $r$-fold parallelization speeds the $\lambda$-method up by factor $r$. By the heuristics of Cohen and Lenstra [7, 6], the probability that $\mathrm{Cl}_{\mathrm{odd}}(\Delta)$ is cyclic is equal to 0.9775.... Moreover, it can be deduced from the heuristics that if $\mathrm{Cl}_{\mathrm{odd}}(\Delta)$ is not cyclic, then with high probability $\mathrm{Cl}_{\mathrm{odd}}(\Delta)$ has a cyclic su...

12 | Asymptotically fast discrete logarithms in quadratic number fields - Vollmer - 2000
> Citation context: ...can be solved with a subexponential index-calculus algorithm due to Hafner and McCurley [11]. This algorithm was improved by Düllmann [9]. Recently, in [28] it has been rigorously proven that for solving the Cl-DLP one can expect a running time proportional to $L_{|\Delta|}\left[\tfrac{1}{2}, \tfrac{3}{4}\sqrt{2} + o(1)\right]$, where $\Delta$ is the discriminant of the imaginary quadratic order. ...

10 | Approximating the number of integers free of large prime factors - Hunter, Sorenson - 1997
> Citation context: ...smooth with non-negligible probability. Specifically, let $B = M^{1/u}$; then the probability that a random positive integer less than $M$ is $B$-smooth is approximately $\rho(u)$, where $\rho$ is Dickman's $\rho$-function [14]. We arrive at an estimated probability of at most $\rho(u) \ln \ln M$ for the class number being $B$-smooth by $c\sqrt{|\Delta|}$ where is either 1 or 8 depending on how $\Delta$ is chosen (section 3.1.1) and where $c = 0.461559\ldots$

10 | Sur le 2-groupe des classes d'idéaux des corps quadratiques - Kaplan - 1974

9 | A one way function based on ideal arithmetic - Buchmann, Paulus
> Citation context: ...atic orders (Cl-DLP). The Cl-DLP can be extended to class groups of orders of number fields with arbitrarily high degree, and furthermore, there is a generalization of the discrete logarithm problem [2]. However, in this work we shall focus only on imaginary quadratic fields, and whenever the term class groups appears in the sequel, we actually mean class groups of imaginary quadratic orders. It is we...

8 | Reducing logarithms in totally nonmaximal imaginary quadratic orders to logarithms in finite fields, ASIACRYPT - Hühnlein, Takagi, et al. - 1999
> Citation context: ...class numbers of large fundamental discriminants (see below), this could be a nice way to avoid it altogether. However, the Cl-DLP in $\mathrm{Cl}(-8p^2)$ can be reduced in polynomial time to the GF-DLP in $\mathbb{F}_p$ [13]. Currently no efficient reductions of this type for maximal orders are known, therefore we shall use only class groups of maximal orders, and in the sequel $\Delta$ will always be fundamental and thus $\mathcal{O}_\Delta$ will...

6 | Heuristics on class groups of number fields - Cohen, Lenstra - 1983
> Citation context: ...algorithm takes $\sqrt{\pi|G|/2}$ group operations (ignoring lower order terms) for cyclic groups $G$. Moreover, $r$-fold parallelization speeds the $\lambda$-method up by factor $r$. By the heuristics of Cohen and Lenstra [7, 6], the probability that $\mathrm{Cl}_{\mathrm{odd}}(\Delta)$ is cyclic is equal to 0.9775.... Moreover, it can be deduced from the heuristics that if $\mathrm{Cl}_{\mathrm{odd}}(\Delta)$ is not cyclic, then with high probability $\mathrm{Cl}_{\mathrm{odd}}(\Delta)$ has a cyclic su...

3 | Cryptographic Protocols Based on the Intractability of Extracting Roots and Computing Discrete Logarithms - Biehl, Buchmann, et al. - 1999
> Citation context: ...ars to be intractable. This makes the Guillou-Quisquater signature protocol [10] suitable for class groups, since in this protocol even the signer does not need to know the class number. Moreover, in [1] a variant of DSA was presented that is based on the intractability to compute roots in finite abelian groups. This paper is organized as follows: In Section 2 we recall the background we need, and in S...

3 | Sur le 2-groupe des classes d'idéaux des corps quadratiques - Kaplan - 1976

3 | Selecting Cryptographic Keysizes - Lenstra, Verheul
> Citation context: ...ng time for smaller input parameters. If $x_1$ and $x_2$ are inputs for an algorithm with expected running time $L_x[e, c]$ and $t_1$ is the running time of the algorithm when executed with $x_1$, then (see [20] or [17]) the running time $t_2$ of the algorithm with input $x_2$ can be estimated by the equation $$\frac{t_1}{t_2} = \frac{L_{x_1}[e, c]}{L_{x_2}[e, c]} \qquad (1)$$ However, this holds only if the sizes of $x_1$ and $x_2$ do not differ too much, othe...

3 | Quadratic orders for NESSIE: overview and parameter sizes of three public key families - Hühnlein - 2000
> Citation context: ...n $x_1$, then $t_2$ will be a significant overestimate. To obtain more precise estimates a finer expression for the running time must be used or the $o(1)$ term must be taken into account by modifying (1) as in [12]. We stick to (1), since the estimates presented here differ only slightly from those given in [12]. [Table: magnitude of $n$ / expected number of MIPS-years to factor $n$: $2^{512}$: $8.00 \times 10^3$; $2^{768}$: $4.91 \times 10^7$; $2^{1024}$: $5.99 \times 1$...]

3 | Security analysis of a practical "on the fly" authentication and signature generation - Poupard, Stern - 1998
> Citation context: ...Computing the order of an arbitrary class group appears to be as hard as computing discrete logarithms in class groups, because there's no efficient algorithm known that computes the class number. In [21] a variant of the Schnorr signature scheme that doesn't require knowledge of the group order has been proposed. Computing roots without knowing the class number also appears to be intractable. This ma...

2 | The Mythical MIPS Year - Silverman - 1999
> Citation context: ...ions were performed on a SUN workstation with a Sparc ULTRA-170 processor. SUN Microsystems does not publish MIPS ratings for its machines, and in fact, the unit MIPS-year is actually not appropriate [25]. However, it is widely used, so for simplicity we assume 100 MIPS, which is a value of reasonable order of magnitude for this machine. By Table 2 let us assume that $L_{|\Delta|}\left[\tfrac{1}{2}, 1\right]/t_\Delta = 1.8 \times 10^7$ s...

1 | Quadratic fields and cryptography - Buchmann, Williams - 1990
> Citation context: ...rs would offer a similar security as commonly used cryptosystems. 1 Introduction. Cryptosystems based on class groups of imaginary quadratic orders (IQC) have been first proposed by Buchmann and Williams [3, 4] in 1988 and 1990. Since then, there was no clear advice on how to select the cryptographic parameter, i.e. the discriminant of the quadratic order. The goal of this work is to close this gap. In part...

1 | Ein Algorithmus zur Bestimmung der Klassengruppe positiv definiter binärer quadratischer Formen - Düllmann - 1991

1 | Quadratic orders for NESSIE: Overview and parameter sizes of three public key families - Hühnlein

1 | Security Analysis of a Practical "on the fly" Authentication and Signature Generation - Poupard, Stern - 1998

1 | Factorization of a 512-bit RSA key using the Number Field Sieve. Announcement on the Number Theory List (NMBRTHRY@listserv.nodak.edu) - te Riele - 1999
> Citation context: ...Table 1 shows some extrapolated running times for the GNFS. They are based on data points of the factorization of RSA-155 (155 decimal digits, 512 bits) with the GNFS [26]. In particular, it was estimated that about 8000 MIPS-years were spent. To estimate the expected running time of the MPQS for DL-computations in class groups for large groups, we made extensive exper...

1 | Parallel Collision Search with Cryptanalytic Applications - van Oorschot, Wiener - 1999
> Citation context: ...3.3 Class group computations by Pollard's $\lambda$ method. We now consider Pollard's $\lambda$ method for computing discrete logarithms, orders of group elements and hence roots of group elements. From [27] it is known that the unparallelized version of this algorithm takes $\sqrt{\pi|G|/2}$ group operations (ignoring lower order terms) for cyclic groups $G$. Moreover, $r$-fold parallelization speeds the $\lambda$-method up...