## Quadratic orders for NESSIE - Overview and parameter sizes of three public key families (2000)

Citations: 3 (2 self)

### BibTeX

```bibtex
@TECHREPORT{Hühnlein00quadraticorders,
  author      = {Detlef Hühnlein},
  title       = {Quadratic orders for NESSIE - Overview and parameter sizes of three public key families},
  institution = {},
  year        = {2000}
}
```

### Abstract

In the scope of the European project NESSIE there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudo-random functions and public key primitives for digital signatures, encryption and identification. Since the security of all popular public key cryptosystems is based on unproven assumptions, nobody can guarantee that schemes based on factoring or on the computation of discrete logarithms in some group, like the multiplicative group of a finite field or the Jacobian of (hyper-)elliptic curves over finite fields, will stay secure forever. It is therefore especially important to provide a variety of different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. In this work we propose three different public key families based on the discrete logarithm problem in quadratic orders to be considered for NESSIE. The two families based on (maximal) real...

### Citations

1199 | A public key cryptosystem and a signature scheme based on discrete logarithms - Elgamal - 1985
Citation context: ...ams [BuWi88]. As, unlike for the multiplicative group of a finite field $\mathbb{F}_q$ or elliptic curves $E(\mathbb{F}_q)$ for example, one does not know the group order $h(\Delta)$ in advance, one can not apply ElGamal [ElGa85] or DSA [DSA94] signatures, but needs to use either a Schnorr-analogue without reduction modulo the group order, as analysed in [PoSt98], or the recent RDSA-variant [BBHM00]. Apart from this differenc...

959 | A Course in Computational Algebraic Number Theory - Cohen - 1993

269 | Selecting cryptographic key sizes - Lenstra, Verheul - 2001
Citation context: ...rm $qp^2$ and very attractive for practical application, because they allow very efficient decryption and signature generation. Besides an overview of all these systems, we will propose a refinement of [LeVe00], which allows to compare the difficulty of different cryptographic problems in a more sophisticated, yet practical, manner. We will use this framework to derive the necessary key sizes for the propos...

244 | Factoring integers with elliptic curves - Lenstra - 1987
Citation context: ...er than the conventional ECM, for factoring numbers $\Delta p^2$. However it seems that this claim is not verified in practice yet and therefore we do not take this alleged improvement into account. By [Lens87] we know that ECM has an asymptotic running time $L_p\left[\tfrac{1}{2} + o(1),\ \sqrt{2}\right]$, where $p$ is the factor to be found in some large integer $n$. As $p$ and $|\Delta|$ have approximately the same size, $x$ digits, then...

114 | Introduction to number theory - Hua

90 | The discrete logarithm problem on elliptic curves of trace one - Smart - 1999

88 | Algebraische Zahlentheorie - Neukirch - 1992

85 | An algorithm for solving the discrete log problem on hyperelliptic curves - Gaudry

65 | Factoring integers with the number field sieve (in: The development of the number field sieve) - Buhler, Lenstra Jr, et al. - 1993
Citation context: ...oblem for integers $n = pq$, where $p, q$ are random primes of roughly the same magnitude. The asymptotically and practically best algorithm to solve this problem is the General Number Field Sieve (GNFS) [BuLP93] with running time $L_n\left[\tfrac{1}{3},\ \sqrt[3]{64/9}\right]$. The factorization of RSA140 [CDL+99] took about 2000 MY. For the factorization of RSA155 [CDL+00] there were about 8000 MY necessary. Let $\tilde{L}_x = L_{10^x}\left[\tfrac{1}{3}\right.$, ...

52 | Class number, a theory of factorization, and genera - Shanks - 1971

49 | The infrastructure of a real quadratic field and its applications - Shanks - 1972
Citation context: ... as the principal class, i.e. the neutral element of the class group $Cl(\Delta)$ of a real quadratic order has many reduced ideals and these reduced ideals form some infrastructure, as noted by Shanks [Shan72], one is able to set up DL-based cryptosystems inside the principal class, as proposed by Buchmann and Williams [BuWi89]. However as the set of reduced principal ideals only resembles a group, one has...

37 | Primes of the Form $x^2 + ny^2$ - Cox - 1989

33 | Factoring a 512-bit RSA modulus - Cavallar, Dodson, et al.

33 | Security analysis of a practical "on the fly" authentication and signature generation - Poupard, Stern - 1998
Citation context: ...the group order $h(\Delta)$ in advance, one can not apply ElGamal [ElGa85] or DSA [DSA94] signatures, but needs to use either a Schnorr-analogue without reduction modulo the group order, as analysed in [PoSt98], or the recent RDSA-variant [BBHM00]. Apart from this difference one can construct any kind of DL-based cryptosystem in $Cl(\Delta)$. The group operation is performed by multiplication [Jaco99, MULTIPL...

27 | Subexponential Class Group Computation in Quadratic Orders - Jacobson - 1999
Citation context: ...we assume that a Pentium II with 500 MHz has about 500 MIPS. The currently best algorithm to compute discrete logarithms in $Cl(\Delta)$ is an analogue of the Multiple Polynomial Quadratic Sieve (MPQS) [Jaco99] with an asymptotic running time of $L_{|\Delta|}\left[\tfrac{1}{2},\ 1\right]$. We use the running time experiments given in [Jaco99, Table 6.1, page 121] to obtain an estimate for our desired constant $c_{DL\text{-}imag}$. We w...

25 | The solution of McCurley's discrete log challenge - Weber, Denny - 1998

21 | Quadratic fields and factorization - Schoof - 1982
Citation context: ...forms $= \pm\varepsilon^n$ for some $n \in \mathbb{Z}$, where $\varepsilon$ is the smallest unit larger than 1. $\varepsilon$ is called the fundamental unit and $R_\Delta = \log \varepsilon$ is called the regulator of $\mathbb{Q}(\sqrt{\Delta})$. It is well known (see e.g. [Scho83]), that the computation of $R_\Delta$ is at least as hard as factoring $\Delta$. A primitive ideal is called reduced if $-b + \sqrt{\Delta} < 2a < b + \sqrt{\Delta}$. For two equivalent ideals $\mathfrak{a}$ and $\mathfrak{b} = \gamma\mathfrak{a}$ we d...

20 | Analysis and optimization of the TWINKLE factoring device - Lenstra, Shamir - 2000

19 | Faster factoring of integers of a special form - Peralta, Okamoto - 1996
Citation context: ...$\Delta p^2$. This however may lead to a false estimate for numbers in the typical range up to (say) 1024 bits. Therefore we will need to consider the Elliptic Curve Method (ECM) and possibly the refinement [PeOk96] for this special situation. Peralta and Okamoto claim that their algorithm will be up to 40 times faster than the conventional ECM, for factoring numbers $\Delta p^2$. However it seems that this claim ...

18 | A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption - Hühnlein, Jacobson Jr, et al. - 1998
Citation context: ...This mapping is of central importance for all cryptosystems in Section 4.3. The algorithms GoToMaxOrder($\mathfrak{a}$, $f$) to compute $\varphi^{-1}$ and GoToNonMaxOrder($\mathfrak{A}$, $f$) to compute $\varphi$ respectively may be found in [HJPT98]. Note that for the most important case, where $f$ is prime, one knows that all reduced ideals in $Cl(\Delta f^2)$ (and then of course also in $Cl(\Delta)$) are prime to $f$ if one chooses $f > \sqrt{|\Delta|}$. Not...

17 | Implementation of a key-exchange protocol using real quadratic fields - Scheidler, Buchmann, et al. - 1994

16 | A key exchange system based on real quadratic fields (extended abstract) - Buchmann, Williams - 1990
Citation context: ...ed ideals and these reduced ideals form some infrastructure, as noted by Shanks [Shan72], one is able to set up DL-based cryptosystems inside the principal class, as proposed by Buchmann and Williams [BuWi89]. However as the set of reduced principal ideals only resembles a group, one has to take additional measurements -- like discussed in [BiBT94,HuPa00] -- to allow efficient implementation of arbitrary ...

15 | Private communication - Weber

13 | Cryptographic protocols based on discrete logarithms in real quadratic fields - Biehl, Buchmann, et al. - 1994

9 | Computing Discrete Logarithms with the Number Field Sieve (Algorithmic Number Theory) - Weber - 1996

8 | Reducing logarithms in totally nonmaximal imaginary quadratic orders to logarithms in finite fields (ASIACRYPT) - Hühnlein, Takagi, et al. - 1999
Citation context: ...ervative point of view, because their DL-problem is known to be at least as hard as, and when considering today's algorithms apparently much harder than, factoring integers. Furthermore it is shown in [HuTa99], that the DL-problem in $\mathbb{F}_{p^k}$, for $k \in \{1, 2\}$, is equivalent to the computation of discrete logarithms in the very special class of totally non-maximal imaginary quadratic orders [HuTa99]. Thus the ...

7 | A new public key cryptosystem over quadratic orders with quadratic decryption time - Paulus, Takagi - 2000
Citation context: ...$\phi_{Cl} : Cl(\Delta f^2) \to Cl(\Delta)$ from (5) to speed up the decryption step in an ElGamal-type encryption scheme, which is typically performed on a smart card for example. This rough idea was refined in [PaTa98] to obtain the NICE-cryptosystem which features very efficient decryption. The basic idea is to use an element $\mathfrak{p} \in \mathrm{Ker}(\phi_{Cl}^{-1})$ to mask the message-ideal $\mathfrak{m}$ in the ElGamal-encryption scheme. ...

7 | A key exchange protocol using real quadratic fields - Scheidler, Buchmann, et al. - 1994

6 | Efficient implementation of cryptosystems based on non-maximal imaginary quadratic orders - Hühnlein - 1999
Citation context: ...h RSA and $e = 2^{16} + 1$. Therefore NICE is especially advantageous if a central instance needs to perform many decryptions in short time. For this scenario one may use the batch decryption method from [Hueh99] to obtain another speedup of about 30%. However it should be noted that experiments [HaPT99] on a Siemens SLE66-chip, which is highly optimized for RSA-computation, do not (yet) yield this impressive...

5 | Algorithms for quadratic orders - Biehl, Buchmann - 1994

4 | A Signature Scheme Based on the Intractability of Computing Roots - Biehl, Buchmann, et al. - 2002
Citation context: ... one can not apply ElGamal [ElGa85] or DSA [DSA94] signatures, but needs to use either a Schnorr-analogue without reduction modulo the group order, as analysed in [PoSt98], or the recent RDSA-variant [BBHM00]. Apart from this difference one can construct any kind of DL-based cryptosystem in $Cl(\Delta)$. The group operation is performed by multiplication [Jaco99, MULTIPLY, Algorithm 2.3] followed by reducti...

4 | A key-exchange system based on imaginary quadratic fields - Buchmann, Williams - 1988
Citation context: ...ent computations in the class group $Cl(\Delta)$, $\Delta < 0$. Therefore one is able to construct (almost) arbitrary DL-based cryptosystems using this group, like first proposed by Buchmann and Williams [BuWi88]. We will return to this topic in Section 4.1. 2.3 Real quadratic orders. In this Section we will assume that $\Delta > 0$ and $\mathcal{O}_\Delta$ is a real quadratic order. In $\mathcal{O}_\Delta$ there are infinitely many un...

3 | A numerical investigation into the length of the period of the continued fraction expansion of $\sqrt{D}$ - Williams - 1981
Citation context: ...lent reduced ideal $\mathfrak{a} = \rho(\mathfrak{A})$. We denote $(n \geq 1)$ successive applications of $\rho()$ by $\rho^n()$. If $\mathfrak{a}$ is a reduced ideal then $\rho^n(\mathfrak{a})$ is also reduced and there is some $l \in \mathbb{Z}_{>1}$, such that $\mathfrak{a} = \rho^l(\mathfrak{a})$. In [Will81] it is shown that, for arbitrary $\Delta$, the smallest such $l$ may be as large as $O(\sqrt{\Delta}\,\log\log\Delta)$. As there are -- in general -- exponentially many reduced ideals in a given equivalence clas...

2 | Feige-Fiat-Shamir identification based on real quadratic fields - Hamdy, Maurer - 1999

2 | An efficient NICE-Schnorr-type cryptosystem, to appear at PKC2000 - Hühnlein, Merkle - 2000
Citation context: ... time. The key idea in NICE is to replace the group $\mathbb{F}_p$ in a classical DL-cryptosystem with the group $\mathrm{Ker}(\phi_{Cl}^{-1})$. Therefore it is straightforward to construct a Schnorr-type signature scheme [HuMe00] in (a subgroup of) this group. Using the efficient kernel-arithmetic from [Hueh99,HuMe00] one obtains a signature generation for this scheme,... (Footnote 5: NICE is an abbreviation for New Ideal Coset Encryption.)

1 | General Processor Information, version - Burd - 2000
Citation context: ...size of the number to be factored. P. Zimmermann [StZi00] estimated the time needed for one curve with 512 bit modulus on an Alpha 21264 with 500 MHz using GMP-ECM to be about 54 seconds. Considering [Burd00] one may assume that this machine has about 1,000 MIPS. These assumptions will serve as basis to obtain practical estimates. Adjusting the running time for one curve on this machine to different sizes...

1 | Constructive and destructive facets of Weil descent on elliptic curves (see http://www.hpl.hp.com/news/ecc.html) - Gaudry, Hess, Smart

1 | NICE - New Ideal Coset Encryption (appeared at CHES) - Hartmann, Paulus, Takagi - 1999
Citation context: ... to perform many decryptions in short time. For this scenario one may use the batch decryption method from [Hueh99] to obtain another speedup of about 30%. However it should be noted that experiments [HaPT99] on a Siemens SLE66-chip, which is highly optimized for RSA-computation, do not (yet) yield this impressive running time. The key idea in NICE is to replace the group $\mathbb{F}_p$ in a classical DL-cryptosyst...

1 | A NICE Cryptanalysis - Jaulmes, Joux
Citation context: ...dratic orders. The systems from the NICE-family [HJPT98,PaTa98,HaPT99,Hueh99,HuMe00] allow very efficient decryption and signature generation. One should note, that the recent chosen ciphertext attack [JaJo00] against the NICE-encryption scheme can easily be prevented in practice by adding appropriate redundancy. Besides an overview of the proposed families we will also introduce a refinement of [LeVe00], ...

1 | State-of-the-art in implementing algorithms for the (ordinary) discrete logarithm problem, talk at ECC'99 - Lercier
Citation context: ...ficient algorithm for the computation of discrete logarithms in arbitrary class groups $Cl(\Delta)$ can be used to compute discrete logarithms in $\mathbb{F}_{p^k}$, for $k \in \{1, 2\}$. (Footnote 3: For the last value, given in [Lerc99], we assume that a Pentium II with 500 MHz has about 500 MIPS.) The currently best algorithm to compute discrete logarithms in $Cl(\Delta)$ is an analogue of the Multiple Polynomial Quadratic Sieve (MPQS...

1 | Call for Cryptographic Primitives, Version 2.2 - NESSIE
Citation context: ...curity Networks AG, Mergenthalerallee 77-81, D-65760 Eschborn, Germany, huehnlein@secunet.de. Abstract. In the scope of the European project NESSIE there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudo-random functions and public key primitives for digital signatures, encryption and identification. Since the security of ...

1 | Factoring integers with the TWINKLE device, appeared at CHES - Shamir - 1999