Reducing Logarithms in Totally Non-maximal Imaginary Quadratic Orders to Logarithms in Finite Fields

We discuss the discrete logarithm problem over the class group $Cl(\Delta)$ of an imaginary quadratic order $\mathcal{O}_\Delta$, which was proposed as a public-key cryptosystem by Buchmann and Williams [8]. While a subexponential algorithm for the computation of discrete logarithms in $Cl(\Delta)$ has since been found [16], this algorithm only has running time $L_\Delta[1/2, c]$ and is far less efficient than the number field sieve, which computes logarithms in $\mathbb{F}_p^*$ in time $L_p[1/3, c]$. Thus one can choose smaller parameters to obtain the same level of security. It is an open question whether there is an $L_\Delta[1/3, c]$ algorithm to compute discrete logarithms in arbitrary $Cl(\Delta)$. In this work we focus on the special case of totally non-maximal imaginary quadratic orders $\mathcal{O}_{\Delta_p}$ such that $\Delta_p = \Delta_1 p^2$ and the class number of the maximal order is $h(\Delta_1) = 1$, and we show that there is an $L_{\Delta_p}[1/3, c]$ algorithm to compute discrete logarithms over the class group $Cl(\Delta_p)$. The logarithm problem in $Cl(\Delta_p)$ can be reduced in (expected) $O(\log^3 p)$ bit operations to the logarithm problem in $\mathbb{F}_p^*$ (if $(\Delta_1/p) = 1$) or $\mathbb{F}_{p^2}^*$ (if $(\Delta_1/p) = -1$), respectively. This result implies that the recently proposed efficient DSA-analogue in the totally non-maximal imaginary quadratic order $\mathcal{O}_{\Delta_p}$ [21] is only as secure as the original DSA scheme based on finite fields and hence loses much of its attractiveness.

[1]  K. McCurley, et al. A rigorous subexponential algorithm for computation of class groups, 1989.

[2]  Tsuyoshi Takagi, et al. A Cryptosystem Based on Non-maximal Imaginary Quadratic Orders with Fast Decryption, 1998, EUROCRYPT.

[3]  Alejandro Buchmann, et al. An analysis of the reduction algorithms for binary quadratic forms, 1997.

[4]  Tsuyoshi Takagi, et al. NICE - New Ideal Coset Encryption, 1999, CHES.

[5]  Tsuyoshi Takagi, et al. Rabin and RSA analogues based on non-maximal imaginary quadratic orders, 1998, ICISC.

[6]  A. K. Lenstra, et al. The Development of the Number Field Sieve, 1993.

[7]  Henri Cohen, et al. A course in computational algebraic number theory, 1993, Graduate texts in mathematics.

[8]  Loo Keng Hua, et al. Introduction to number theory, 1982.

[9]  Robert D. Silverman. The multiple polynomial quadratic sieve, 1987.

[10]  Dj Daniel Bernstein, et al. A general number field sieve implementation, 1993.

[11]  Johannes A. Buchmann, et al. On the Computation of Discrete Logarithms in Class Groups, 1990, CRYPTO.

[12]  Detlef Hühnlein, et al. Efficient Implementation of Cryptosystems Based on Non-maximal Imaginary Quadratic Orders, 1999, Selected Areas in Cryptography.

[13]  Michael J. Jacobson, et al. Subexponential class group computation in quadratic orders, 1999.

[14]  Tsuyoshi Takagi, et al. A New Public-Key Cryptosystem over a Quadratic Order with Quadratic Decryption Time, 2000, Journal of Cryptology.

[15]  Arjen K. Lenstra, et al. A World Wide Number Field Sieve Factoring Record: On to 512 Bits, 1996, ASIACRYPT.

[16]  Adi Shamir, et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[17]  Whitfield Diffie, et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[18]  Damian Weber, et al. Computing Discrete Logarithms with Quadratic Number Rings, 1998, EUROCRYPT.

[19]  Detlef Hühnlein, et al. A Survey of Cryptosystems Based on Imaginary Quadratic Orders, 2000.

[20]  Daniel M. Gordon, et al. Discrete Logarithms in GF(P) Using the Number Field Sieve, 1993, SIAM J. Discret. Math.

[21]  Johannes A. Buchmann, et al. On the Complexity and Efficiency of a New Key Exchange System, 1989, EUROCRYPT.

[22]  尚弘 島影. Superconductivity Research and Life at the National Institute of Standards and Technology, 2001.