Quadratic orders for NESSIE - Overview and parameter sizes of three public key families

In the scope of the European project NESSIE there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudo-random functions and public key primitives for digital signatures, encryption and identification. Since the security of all popular public key cryptosystems is based on unproven assumptions, nobody can guarantee that schemes based on factoring or on the computation of discrete logarithms in some group, like the multiplicative group of a finite field or the Jacobian of (hyper-) elliptic curves over finite fields, will stay secure forever; it is therefore especially important to provide a variety of different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. In this work we propose three different public key families based on the discrete logarithm problem in quadratic orders to be considered for NESSIE. The two families based on (maximal) real [BuWi89,ScBW94], [BiBT94,HaMa00,HuPa00] and imaginary [BuWi88,BBHM00] quadratic orders are very interesting from a conservative point of view, because their DL problem is known to be at least as hard as, and when considering today's algorithms apparently much harder than, factoring (arbitrary) integers. On the other hand, the systems in the NICE family [HJPT98,PaTa98,HuMe00] are 'only equivalent' to factoring integers of the form qp^2 and very attractive for practical application, because they allow very efficient decryption and signature generation. Besides an overview of all these systems, we will propose a refinement of [LeVe00], which allows one to compare the difficulty of different cryptographic problems in a more sophisticated, yet practical, manner. We will use this framework to derive the necessary key sizes for the proposed families.
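The abstract refers to the discrete logarithm problem in quadratic orders without showing the group it lives in. As an added illustration, not code from the paper or from any NESSIE submission, the following Python implements the arithmetic of the class group Cl(D) of an imaginary quadratic order: classes are represented by reduced primitive positive-definite binary quadratic forms (a, b, c) with discriminant D = b^2 - 4ac < 0, the group law is Dirichlet composition followed by Shanks-style reduction, and exponentiation is square-and-multiply. On top of that it shows a DH-style key exchange whose secret exponent is exactly what the class-group DL problem protects, plus a brute-force DL solver that only works because the discriminant is tiny. The discriminants and exponents (D = -23, the constructed D_TOY, the exponents in toy_key_exchange) are assumed toy values and are orders of magnitude below the parameter sizes the paper derives.

```python
# Added example: class-group arithmetic of an imaginary quadratic order.
# Elements are primitive, positive-definite binary quadratic forms (a, b, c)
# with discriminant D = b^2 - 4ac < 0; every class has a unique reduced
# representative, so reduced forms can be compared directly.
# All discriminants and exponents here are constructed toy values.


def identity(D):
    """The principal form, i.e. the neutral element of Cl(D)."""
    b = D % 2  # b must have the same parity as D
    return (1, b, (b * b - D) // 4)


def reduce_form(f, D):
    """Return the unique reduced form equivalent to f (|b| <= a <= c, sign rules)."""
    a, b, c = f
    while True:
        if b <= -a or b > a:                # normalise b into (-a, a]
            b = b % (2 * a)
            if b > a:
                b -= 2 * a
            c = (b * b - D) // (4 * a)      # exact: b^2 = D (mod 4a) is preserved
        if a > c or (a == c and b < 0):     # swap (a,b,c) -> (c,-b,a) and retry
            a, b, c = c, -b, a
            continue
        return (a, b, c)


def _egcd(x, y):
    """Extended Euclid: returns (g, s, t) with s*x + t*y = g = gcd(x, y) >= 0."""
    if y == 0:
        return (abs(x), (1 if x >= 0 else -1), 0)
    g, s, t = _egcd(y, x % y)
    return (g, t, s - (x // y) * t)


def compose(f1, f2, D):
    """Dirichlet composition of two forms of discriminant D, returned reduced."""
    a1, b1, c1 = f1
    a2, b2, c2 = f2
    s = (b1 + b2) // 2                      # b1, b2 share the parity of D
    g1, x1, y1 = _egcd(a1, a2)              # x1*a1 + y1*a2 = g1
    e, x2, w = _egcd(g1, s)                 # x2*g1 + w*s = e = gcd(a1, a2, s)
    u, v = x2 * x1, x2 * y1                 # u*a1 + v*a2 + w*s = e
    a3 = (a1 * a2) // (e * e)
    num = u * a1 * b2 + v * a2 * b1 + w * ((b1 * b2 + D) // 2)
    assert num % e == 0                     # b3 is integral by construction
    b3 = num // e
    c3 = (b3 * b3 - D) // (4 * a3)          # exact since b3^2 = D (mod 4*a3)
    return reduce_form((a3, b3, c3), D)


def inverse(f, D):
    """The inverse class of (a, b, c) is represented by (a, -b, c)."""
    a, b, c = f
    return reduce_form((a, -b, c), D)


def power(f, n, D):
    """Square-and-multiply exponentiation in Cl(D), n >= 0."""
    result, base = identity(D), f
    while n:
        if n & 1:
            result = compose(result, base, D)
        base = compose(base, base, D)
        n >>= 1
    return result


def dlog_bruteforce(g, h, D, bound):
    """Smallest n < bound with g^n == h, or None.  Feasible only for toy D;
    for real parameter sizes this search is the problem the schemes rely on."""
    cur = identity(D)
    for n in range(bound):
        if cur == h:
            return n
        cur = compose(cur, g, D)
    return None


def toy_key_exchange(D, g, x, y):
    """DH-style exchange in Cl(D): returns both parties' shared values g^(xy)."""
    A, B = power(g, x, D), power(g, y, D)   # public values
    return power(B, x, D), power(A, y, D)   # Alice's and Bob's shared secret


# Constructed toy discriminant: D = 1 (mod 8), so (2, 1, (1 - D)/8) is a form.
D_TOY = -(4 * 10**9 + 7)
G_TOY = (2, 1, (1 - D_TOY) // 8)

if __name__ == "__main__":
    print("Cl(-23): (2,1,3)^2 =", power((2, 1, 3), 2, -23))
    k1, k2 = toy_key_exchange(D_TOY, G_TOY, 123456, 654321)
    print("shared secrets agree:", k1 == k2, k1)
```

For D = -23 the group has three classes, (1,1,6), (2,1,3) and (2,-1,3), so the brute-force solver finds logarithms instantly; the same search over a discriminant of the size the paper derives would be hopeless, which is the asymmetry the imaginary-quadratic family builds on.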

[1] E. Okamoto et al. Faster factoring of integers of a special form, 1996.

[2] Johannes A. Buchmann et al. A Signature Scheme Based on the Intractability of Computing Roots, Des. Codes Cryptogr., 2002.

[3] Michael J. Jacobson et al. Subexponential class group computation in quadratic orders, 1999.

[4] Henri Cohen et al. A course in computational algebraic number theory, Graduate Texts in Mathematics, 1993.

[5] Damian Weber et al. The Solution of McCurley's Discrete Log Challenge, CRYPTO, 1998.

[6] Tsuyoshi Takagi et al. NICE - New Ideal Coset Encryption, CHES, 1999.

[7] Johannes A. Buchmann et al. A Key Exchange System Based on Real Quadratic Fields, CRYPTO, 1989.

[8] H. W. Lenstra et al. Factoring integers with elliptic curves, 1987.

[9] Adi Shamir et al. Analysis and Optimization of the TWINKLE Factoring Device, EUROCRYPT, 2000.

[10] Nigel P. Smart et al. Constructive and destructive facets of Weil descent on elliptic curves, Journal of Cryptology, 2002.

[11] Tsuyoshi Takagi et al. A New Public-Key Cryptosystem over a Quadratic Order with Quadratic Decryption Time, Journal of Cryptology, 2000.

[12] Johannes A. Buchmann et al. Cryptographic Protocols Based on Discrete Logarithms in Real-quadratic Orders, CRYPTO, 1994.

[13] Johannes Buchmann et al. Implementation of a key exchange protocol using real quadratic fields (extended abstract), 1991.

[14] Tsuyoshi Takagi et al. Reducing Logarithms in Totally Non-maximal Imaginary Quadratic Orders to Logarithms in Finite Fields, ASIACRYPT, 1999.

[15] Tsuyoshi Takagi et al. A Cryptosystem Based on Non-maximal Imaginary Quadratic Orders with Fast Decryption, EUROCRYPT, 1998.

[16] Johannes Buchmann et al. Algorithms for quadratic orders, 1994.

[17] Arjen K. Lenstra et al. Factorization of RSA-140 Using the Number Field Sieve, ASIACRYPT, 1999.

[18] Pierrick Gaudry et al. An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves, EUROCRYPT, 2000.

[19] Markus Maurer et al. Feige-Fiat-Shamir Identification Based on Real Quadratic Fields, 1999.

[20] Nigel P. Smart et al. The Discrete Logarithm Problem on Elliptic Curves of Trace One, Journal of Cryptology, 1999.

[21] D. Shanks. Class number, a theory of factorization, and genera, 1971.