A Survey of Cryptosystems Based on Imaginary Quadratic Orders

  • Detlef Hühnlein
Part of the DuD-Fachbeiträge book series (DUD)


Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken.

A promising candidate for a group in which the DL problem seems to be hard is the class group Cl(Δ) of an imaginary quadratic order, as proposed by Buchmann and Williams [BuWi88]. Recently this type of group has attracted much attention, because a very efficient cryptosystem based on non-maximal imaginary quadratic orders was proposed [PaTa98a], later called NICE (for New Ideal Coset Encryption), with quadratic decryption time. To our knowledge this is the only scheme having this property. First implementations show that the time for decryption is comparable to RSA encryption with e = 2^16 + 1. Very recently an efficient NICE-Schnorr type signature scheme was proposed [HuMe99], for which signature generation is more than twice as fast as in the original scheme based on F_p^*.

Due to these results there has been increasing interest in cryptosystems based on imaginary quadratic orders. Therefore it seems necessary to provide an up-to-date survey to facilitate further work in this direction. Our survey will discuss the history, the state of the art and future directions of cryptosystems based on imaginary quadratic orders.




  1. [BiBu98]
    I. Biehl, J. Buchmann: An analysis of the reduction algorithms for binary quadratic forms, in P. Engel, H. Syta (Ed.): Voronoi’s Impact on Modern Science, Vol. 1, Institute of Mathematics of National Academy of Sciences, Kyiv, Ukraine, 1998.
  2. [BBHM99]
    I. Biehl, J. Buchmann, S. Hamdy, A. Meyer: Cryptographic Protocols Based on the Intractibility of Extracting Roots and Computing Discrete Logarithms, Technical Report, University of Technology, Darmstadt, 1999. Welcome.html
  3. [BiPT99]
    I. Biehl, S. Paulus, T. Takagi: An efficient undeniable signature scheme based on non-maximal imaginary quadratic orders, Technical Report, University of Technology, Darmstadt, 1999. Veroeffentlichung/TR/Welcome.html
  4. [BoSh66]
    Z.I. Borevich, I.R. Shafarevich: Number Theory, Academic Press: New York, 1966.
  5. [Bren99]
    R. Brent: ECM champs. techpapers/Richard.Brent/champs.ecm
  6. [BGMW93]
    E. Brickell, D. Gordon, K. McCurley, D. Wilson: Fast Exponentiation with Precomputation, Proceedings of Eurocrypt ’92, Springer LNCS 658, 1993, pp. 200–207.
  7. [BuDu91]
    J. Buchmann, S. Düllmann: On the computation of discrete logarithms in class groups, Advances in Cryptology — CRYPTO ’90, Springer LNCS 773, 1991, pp. 134–139.
  8. [BuDW90]
    J. Buchmann, S. Düllmann, H.C. Williams: On the complexity and efficiency of a new key exchange system, Advances in Cryptology — EUROCRYPT ’89, Springer LNCS 434, 1990, pp. 597–616.
  9. [BuWi88]
    J. Buchmann, H.C. Williams: A key-exchange system based on imaginary quadratic fields, Journal of Cryptology, Vol. 1, 1988, pp. 107–118.
  10. [Buel89]
    D.A. Buell: Binary Quadratic Forms — Classical Theory and Modern Computations, Springer, 1989.
  11. [CDE+96]
    J. Cowie, B. Dodson, M. Elkenbracht-Huizing, A.K. Lenstra, P.L. Montgomery, J. Zayer: A worldwide number field sieve factoring record: on to 512 bits, Proceedings of ASIACRYPT ’96, Springer LNCS 1163, 1996, pp. 382–394.
  12. [Cohe93]
    H. Cohen: A Course in Computational Algebraic Number Theory, Graduate Texts in Mathematics 138, Springer, 1993.
  13. [CoOS86]
    D. Coppersmith, A.M. Odlyzko, R. Schroeppel: Discrete logarithms in GF(p), Algorithmica, Vol. 1, 1986, pp. 1–15.
  14. [Cox89]
    D.A. Cox: Primes of the form x^2 + ny^2, John Wiley & Sons, 1989.
  15. [DiHe76]
    W. Diffie, M. Hellman: New directions in cryptography, IEEE Transactions on Information Theory, Vol. 22, 1976, pp. 472–492.
  16. [Duel88]
    S. Düllmann: Ein neues Verfahren zum öffentlichen Schlüsselaustausch, Diploma thesis, Universität Düsseldorf, 1988.
  17. [Duel91]
    S. Düllmann: Ein Algorithmus zur Bestimmung der Klassenzahl positiv definiter binärer quadratischer Formen, Dissertation, Universität Saarbrücken, 1991.
  18. [FiSh86]
    A. Fiat, A. Shamir: How to prove yourself: Practical solutions to identification and signature problems, Advances in Cryptology, Proceedings of CRYPTO ’86, Springer LNCS 263, 1987, pp. 186–194.
  19. [GausOl]
    C.F. Gauß: Disquisitiones Arithmeticae, 1801, reprinted 1986 by Springer, ISBN 0-387-96254-9.
  20. [Gord93]
    D.M. Gordon: Discrete logarithms in GF(p) using the number field sieve, SIAM Journal on Discrete Mathematics, Vol. 6, 1993, pp. 124–138.
  21. [Hamd99]
    S. Hamdy: The key-length of DL-based cryptosystems in class groups, 1999.
  22. [HaMC89]
    J.L. Hafner, K.S. McCurley: A rigorous subexponential algorithm for computation of class groups, Journal of the American Mathematical Society, Vol. 2, 1989, pp. 837–850.
  23. [HaPT99]
    M. Hartmann, S. Paulus, T. Takagi: NICE — New Ideal Coset Encryption, CHES, to appear in Springer LNCS, 1999.
  24. [Hua82]
    L.K. Hua: Introduction to Number Theory, Springer, 1982.
  25. [HJPT98]
    D. Hühnlein, M.J. Jacobson, S. Paulus, T. Takagi: A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption, Advances in Cryptology — EUROCRYPT ’98, Springer LNCS 1403, 1998, pp. 294–307.
  26. [HuMT98]
    D. Hühnlein, A. Meyer, T. Takagi: Rabin and RSA analogues based on non-maximal imaginary quadratic orders, Proceedings of ICICS ’98, 1998, pp. 221–240.
  27. [Hueh99]
    D. Hühnlein: Efficient implementation of cryptosystems based on non-maximal imaginary quadratic orders, to appear in Proceedings of SAC ’99, Springer LNCS 1758, 2000, pp. 150–167.
  28. [HuMe99]
    D. Hühnlein, J. Merkle: An efficient NICE-Schnorr-type cryptosystem, to appear in PKC2000, Melbourne, January 2000, Springer LNCS. http://www.
  29. [HuTa99]
    D. Hühnlein, T. Takagi: Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in finite fields, Advances in Cryptology — Asiacrypt ’99, Springer LNCS 1716, 1999, p. 219.
  30. [Jaco99]
    M.J. Jacobson Jr.: Subexponential Class Group Computation in Quadratic Orders, Berichte aus der Informatik, Shaker, ISBN 3-8265-6374-3, 1999.
  31. [JoQu99]
    M. Joye, J.J. Quisquater: On Rabin-type signatures, Research contribution to IEEE-P1363, 1999.
  32. [Lens82]
    H.W. Lenstra: On the computation of regulators and class numbers of quadratic fields, London Math. Soc. Lecture Notes, Vol. 56, 1982, pp. 123–150.
  33. [Lens87]
    H.W. Lenstra: Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126, 1987, pp. 649–673.
  34. [LeLe93]
    A.K. Lenstra, H.W. Lenstra Jr. (Ed.): The development of the number field sieve, Lecture Notes in Mathematics, Springer, 1993.
  35. [Lens96]
    H.W. Lenstra: Complex Multiplication Structure of Elliptic Curves, Journal of Number Theory, Vol. 56, No. 2, 1996, pp. 227–241.
  36. [LiDI99]
    LiDIA: A C++ library for algorithmic number theory, http://www.
  37. [MaYa96]
    U. Maurer, Y. Yacobi: A non-interactive public-key distribution system, Design Codes and Cryptography, No. 9, 1996, pp. 305–316.
  38. [McCu89]
    K.S. McCurley: Cryptographic key distribution and computation in class groups, Number Theory and applications, NATO ASI series, Series C, Vol. 265, Dordrecht, 1989, pp. 459–479.
  39. [Meye97]
    A. Meyer: Ein neues Identifikations- und Signaturverfahren über imaginärquadratischen Zahlkörpern, Diploma thesis, Universität Saarbrücken, 1997.
  40. [NIST94]
    National Institute of Standards and Technology (NIST): Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186, FIPS-186, 19 May 1994.
  41. [Neuk92]
    J. Neukirch: Algebraische Zahlentheorie, Springer, 1992.
  42. [PaTa98a]
    S. Paulus, T. Takagi: A new public key cryptosystem with quadratic decryption time, to appear in Journal of Cryptology, 1998. http://www.informatik.
  43. [PaTa98b]
    S. Paulus, T. Takagi: A generalization of the Diffie-Hellman problem based on the coset problem allowing fast decryption, Proceedings of ICICS ’98, 1998.
  44. [PeOk96]
    R. Peralta, E. Okamoto: Faster factoring of integers of a special form, IEICE Trans. Fundamentals, Vol. E-79-A, No. 4, 1996, pp. 489–493.
  45. [CDL+99]
    S. Cavallar, B. Dodson, A. Lenstra, P. Leyland, W. Lioen, P.L. Montgomery, B. Murphy, H. te Riele, P. Zimmerman: Factorization of RSA-140 Using the Number Field Sieve, Proceedings of ASIACRYPT ’99, Springer LNCS 1716, 1999, pp. 195–207.
  46. [TeR+99]
    H. te Riele & al.: Factorization of RSA-155 with the Number Field Sieve, posting in sci.crypt.research, August 1999.
  47. [RiSA78]
    R. Rivest, A. Shamir, L. Adleman: A method for obtaining digital signatures and public key-cryptosystems, Communications of the ACM, Vol. 21, 1978, pp. 120–126.
  48. [Seys87]
    M. Seysen: A probabilistic factoring algorithm with quadratic forms of negative discriminant, Math. Comp. 48, 1987, pp. 737–780.
  49. [Silv87]
    R.D. Silverman: The multiple polynomial quadratic sieve, Math. Comp. 48, 1987, pp. 329–229.
  50. [Scho83]
    R.J. Schoof: Quadratic Fields and Factorization. In: H.W. Lenstra, R. Tijdeman (Ed.): Computational Methods in Number Theory, Math. Centrum Tracts 155, Part II, Amsterdam, 1983, pp. 235–286.
  51. [ScLe84]
    C.P. Schnorr, H.W. Lenstra: A Monte Carlo factoring algorithm with linear storage, Mathematics of Computation, Vol. 43, 1984, pp. 289–312.
  52. [Shan71a]
    D. Shanks: Gauss’ ternary form reduction and the 2-Sylow subgroup, Math. Comp. 25, 1971, pp. 837–853.
  53. [Shan71b]
    D. Shanks: Class number, a theory of factorization and genera, Proc. Symposium Pure Mathematics, American Mathematical Society 20, 1971, pp. 415–440.
  54. [Webe98]
    D. Weber: Computing discrete logarithms with quadratic number rings, Advances in Cryptology — EUROCRYPT ’98, Springer LNCS 1403, 1998, pp. 171–183.

Copyright information

© Friedr. Vieweg & Sohn Verlagsgesellschaft mbH, Braunschweig/Wiesbaden 2000

Authors and Affiliations

  • Detlef Hühnlein (1)
  1. Secunet Security Networks AG, Eschborn, Germany
