TY - GEN
T1 - Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in finite fields
AU - Huhnlein, Detlef
AU - Takagi, Tsuyoshi
N1 - Publisher Copyright:
© Springer-Verlag Berlin Heidelberg 1999.
PY - 1999
Y1 - 1999
N2 - We discuss the discrete logarithm problem over the class group Cl(Δ) of an imaginary quadratic order O_Δ, which was proposed as the basis of a public-key cryptosystem by Buchmann and Williams [8]. Although a subexponential algorithm for computing discrete logarithms in Cl(Δ) has since been found [16], this algorithm only has running time L_Δ[1/2, c] and is far less efficient than the number field sieve, which computes logarithms in F_p^* in time L_p[1/3, c]. Thus one can choose smaller parameters to obtain the same level of security. It is an open question whether there is an L_Δ[1/3, c] algorithm to compute discrete logarithms in arbitrary Cl(Δ). In this work we focus on the special case of totally non-maximal imaginary quadratic orders O_{Δ_p} such that Δ_p = Δ_1 p^2 and the class number of the maximal order is h(Δ_1) = 1, and we show that there is an L_{Δ_p}[1/3, c] algorithm to compute discrete logarithms over the class group Cl(Δ_p). The logarithm problem in Cl(Δ_p) can be reduced in (expected) O(log^3 p) bit operations to the logarithm problem in F_p^* (if (Δ_1/p) = 1) or F_{p^2}^* (if (Δ_1/p) = -1), respectively. This result implies that the recently proposed efficient DSA analogues in totally non-maximal imaginary quadratic orders O_{Δ_p} [21] are only as secure as the original DSA scheme based on finite fields and hence lose much of their attractiveness.
AB - We discuss the discrete logarithm problem over the class group Cl(Δ) of an imaginary quadratic order O_Δ, which was proposed as the basis of a public-key cryptosystem by Buchmann and Williams [8]. Although a subexponential algorithm for computing discrete logarithms in Cl(Δ) has since been found [16], this algorithm only has running time L_Δ[1/2, c] and is far less efficient than the number field sieve, which computes logarithms in F_p^* in time L_p[1/3, c]. Thus one can choose smaller parameters to obtain the same level of security. It is an open question whether there is an L_Δ[1/3, c] algorithm to compute discrete logarithms in arbitrary Cl(Δ). In this work we focus on the special case of totally non-maximal imaginary quadratic orders O_{Δ_p} such that Δ_p = Δ_1 p^2 and the class number of the maximal order is h(Δ_1) = 1, and we show that there is an L_{Δ_p}[1/3, c] algorithm to compute discrete logarithms over the class group Cl(Δ_p). The logarithm problem in Cl(Δ_p) can be reduced in (expected) O(log^3 p) bit operations to the logarithm problem in F_p^* (if (Δ_1/p) = 1) or F_{p^2}^* (if (Δ_1/p) = -1), respectively. This result implies that the recently proposed efficient DSA analogues in totally non-maximal imaginary quadratic orders O_{Δ_p} [21] are only as secure as the original DSA scheme based on finite fields and hence lose much of their attractiveness.
UR - http://www.scopus.com/inward/record.url?scp=46749154744&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=46749154744&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-48000-6_18
DO - 10.1007/978-3-540-48000-6_18
M3 - Conference contribution
AN - SCOPUS:46749154744
SN - 3540666664
SN - 9783540666660
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 220
EP - 231
BT - Advances in Cryptology - ASIACRYPT 1999 - International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
A2 - Lam, Kwok Yan
A2 - Okamoto, Eiji
A2 - Xing, Chaoping
PB - Springer Verlag
T2 - 5th International Conference on the Theory and Applications of Cryptology and Information Security, ASIACRYPT 1999
Y2 - 14 November 1999 through 18 November 1999
ER -