J
OURNAL DE
T
HÉORIE DES
N
OMBRES DE
B
ORDEAUX
J
OHANNES
B
UCHMANN
M
ARKUS
M
AURER
B
ODO
M
ÖLLER
Cryptography based on number fields with large regulator
Journal de Théorie des Nombres de Bordeaux, tome
12, n
o2 (2000),
p. 293-307
<http://www.numdam.org/item?id=JTNB_2000__12_2_293_0>
© Université Bordeaux 1, 2000, tous droits réservés.
L’accès aux archives de la revue « Journal de Théorie des Nombres de Bordeaux » (http://jtnb.cedram.org/) implique l’accord avec les condi-tions générales d’utilisation (http://www.numdam.org/conditions). Toute uti-lisation commerciale ou impression systématique est constitutive d’une infraction pénale. Toute copie ou impression de ce fichier doit conte-nir la présente mention de copyright.
Article numérisé dans le cadre du programme Numérisation de documents anciens mathématiques
Cryptography
based
onnumber
fields
with
large regulator
par JOHANNES
BUCHMANN,
MARKUS MAURER et BODOMÖLLER
RÉSUMÉ. Nous introduisons une variante du
protocole
designa-ture et d’identification de
Fiat-Shamir,
basée sur la difficultépra-tique
qu’il
y a à calculer desgénérateurs
des idéaux principauxdans les corps de nombres. Nous montrons en outre comment
utiliser les
heuristiques
de Cohen-Lenstra-Martinet pour lesgrou-pes de classes dans le but de construire des corps de nombres dans
lesquels
le calcul degénérateurs
des idéaux principaux est encorehors d’atteinte.
ABSTRACT. We
explain
a variant of the Fiat-Shamir identificationand signature
protocol
that is based on theintractability
ofcom-puting generators of
principal
ideals inalgebraic
number fields. We also show how to use the Cohen-Lenstra-Martinet heuristicsfor class groups to construct number fields in which computing
generators of
principal
ideals is intractable.1. Introduction
The
security
ofpublic key
cryptosystems
is based on theintractability
ofcomputational problems
in mathematics and inparticular
in numberthe-ory.
Examples
are theproblems
offactoring
integers
orcomputing
discretelogarithms
in certain finite abelian groups(see
[24]).
However,
there iscurrently
no suchproblem
whosecomputational
difficulty
can beproved.
On the
contrary:
Experience
with thefactoring
problem
shows thatunex-pected breakthroughs
arealways possible.
Toguarantee
thatpublic key
cryptography
ispossible
even if thecurrently
usedsystems
arebroken,
it isnecessary to
identify
alternativecomputational problems
that can be used as the basis ofpublic
key
schemes.In this paper, we consider the
principal
idealproblems
(PIP):
Let 0 be an order of analgebraic
number field F. Given aprincipal
O-idealI,
find agenerator
of thatideal,
i.e. an element a E F such that I = a0. Weshow how to use the heuristics of
Cohen,
Lenstra,
and Martinet([13], [14],
[15],
and[16])
for class groups ofalgebraic
number fields togenerate
orders for which PIP isintractable,
and wepresent
PIP-FS,
a variant of theFiat-Shamir identification and
signature
scheme[17]
whosesecurity
is based onPIP. We describe an
implementation
of PIP-FS in realquadratic fields,
wediscuss its
security,
and wepresent
timings
that show that PIP-FS has thepotential
to becomepractical.
PIP is a
special
case of the number field discretelogarithm
problem
(NFDL),
which was introduced in[8].
There,
it has beensuggested
todevelop cryptographic
primitives
based on NFDL. For number fields withlarge
classnumber,
a new scheme has beenpresented
in[2];
also somepre-viously
knowncryptographic
schemes such as[18]
and[26]
can beadopted
to the class group of a number field since
they
do notrequire
knowledge
of the group order
(cf. [2]
and[19)).
A bit commitment and an oblivioustransfer scheme for
real-quadratic
number fields have been described in[3].
Here,
wepresent
first identification andsignature
schemes for number fieldswith
large
regulators.
We show how togenerate
such fields that are suitablefor
cryptographic applications.
This paper is
organized
as follows: In Section2,
wepresent
ageneral
version of the Fiat-Shamir
protocol
(FS).
In Section3,
weexplain PIP-FS,
an FS variant based on PIP in number fields. A detaileddescription
ofthe
implementation
of PIP-FS in realquadratic
number fields isgiven
inSection 4.
2. Fiat-Shamir identification
In this
section,
wepresent
afairly
general
version of the Fiat-Shamiridentification
protocol
(FS).
(For
generalizations
of theoriginal
Fiat-Shamir scheme[17],
see also[12]
and[11].)
The
goal
of the FSprotocol
is that oneparty,
called the prover, convincesthe other
party,
called theverifier.,
of hisknowledge
of aprivate
key
withoutrevealing
any relevant informationconcerning
thatprivate
key.
We will alsoexplain
how adigital signature
scheme can be obtained from thisprotocol.
In the
setup
phase
of theprotocol,
the prover and the verifier agree ontwo abelian groups G and
H,
on ahomomorphism cp :
G -H,
and on apositive integer
k. The prover selects k groupelements 9i
EG,
1 i k. The sequence(gl, ..., gk)
is hisprivate
key.
He thencomputes
hi
=cp(gi),
1 i k. The sequence
(hl,
...,hk)
is hispublic key.
(In
theoriginal
Fiat-Shamirprotocol,
akey
issuing
center isresponsible
for
selecting G,
H,
and cp
such that the center canefficiently
invert cpusing
certain additionalinformation,
which must bekept
secret. Then thecomponents
of anyprover’s
public
key
can be derived from adescription
applying
a hashfunction;
thekey
issuing
center cancompute
anappropriate
private
key
and pass it to the prover. We note that our variant of theFiat-Shamir
protocol
does not have thisproperty.
Instead,
public
keys
must beexplicitly
given,
as e.g. in Schnorr’s identification scheme[28].)
The FS identification
protocol
works as follows:1.
(Commitment
andWitness)
The proverrandomly
selects acommit-ment g E G and
computes
the witness h = Theprover sends
the witness h to the verifier.
2.
(Challenge)
The verifier selects achallenge
e E10, Ilk
and sends it tothe prover.
3.
(Response)
The provercomputes
the response r =g
giei
z andsends it to the verifier.
4.
(Verification)
The verifier checks whether =cp(r).
Clearly,
a prover who knows theprivate
key
can convince the verifier ofhis
identity.
Assume that cp has the
following
one wayproperty:
Withoutknowledge
of the
private
key,
it is intractable tocompute,
given
( fl, ..., fk)
E10,
±Ilk
where at least one
f i
is not0,
an s withp(s) =
IT1
We show that theprobability
to detect that a prover does not know theprivate
key
is at least1-1/2 k.
To increase theprobability,
the basicprotocol
can berepeated
several times.
If the prover is able to
give
the correct answer for two differentchal-lenges
and(el, ... ,
e’),
then he knowsr, r’
E G such thatk
cp(r)
=hii
andcp(r’)
=h;i.
Thisimplies
that he cancom-pute s
=r’r-1
such thatp(s) =
he’-ei .
Note thate’ -
ei Ef 0, :l:1}.
By assumption, computing s
without theknowledge
of theprivate
key
isintractable.
Therefore,
acheating
prover cannot know the correct answerfor two different
challenges,
and theprobability
for him to be detected isat least
I - 1/2 k
When we
explain
our variant PIP-FS in Section3,
we will also showthat the verifier or an observer are not able to derive the
private
key
from information transmittedduring
theprotocol.
The FS identification
protocol
is efficient ifmultiplication
in the groupsG and H can be
performed efficiently
and if thehomomorphism
cp can becomputed
efficiently.
In the
following
way, the FS identificationprotocol
can be transformedinto a
signature
protocol. Suppose
a document d is to besigned.
Thesigner
selects acommitment g
andcomputes
the witness h as in the aboveprotocol.
Togenerate
thechallenge,
thesigner
uses acryptographic
hashfunction
f
(see
[24]).
Hecomputes
f (d o
h)
where o is concatenation andchallenge
is the sequence of the first k bits of the hash value. Thesigna-ture consists of the witness and the response. The verifier
computes
thechallenge
from the witness and the document andproceeds
as in the FSprotocol.
3. PIP-FS
We
explain PIP-FS,
our FS variant that is based on theintractability
ofsolving
theprincipal
idealproblem
in number fields. Let F be analgebraic
number field and let 0 be an order of F. In the Fiat-Shamir
protocol,
we usethe
multiplicative
group F* of all non-zero elements inF,
themultiplicative
group
of
principal
fractional0-ideals,
and thehomomorphism
With this choice of
G,
H,
and cp, thegeneral
Fiat-Shamirprotocol
describedin the
previous
section can beimplemented.
We call theresulting protocol
PIP-FS.
In order for PIP-FS to be secure,
inverting
cp must be intractable.Invert-ing
p meanssolving
theprincipal
idealproblem
for 0-ideals. We discussthe
difficulty
of this PIP. The two most efficient methods known forsolv-ing
theprincipal
idealproblem
are thebabystep-giantstep
algorithm
[7] [1]
and the index calculus method
[29] [6].
Therunning
time of thebabystep-giantstep
algorithm
is where n is thedegree
ofF, A
isthe discriminant of
0,
and R is theregulator
of 0. Moreprecisely,
thefollowing
is true. Let I be aprincipal
0-ideal. Let a be agenerator
ofI such that the euclidean
length
of thelogarithmic embedding
of a(see
[4])
isminimal,
and let a be thatlength.
Then a can becomputed
intime
no(n)
minla,
Therunning
time of the index calculusalgorithm
isThus,
in order for theprincipal
idealproblem
to beintractable,
thediscriminant,
theregulator,
and the minimallogarithmic length
of thegenerators
must besufficiently
large.
We note that noPohlig-Hellman
attack(see
[24])
is known for PIP.Therefore,
no further condition for the order 0 appears to be necessary.For the
appropriate
choice of the order0,
we use theanalytic
classnumber formula
[4]
and the heuristics ofCohen,
Lenstra,
and Martinet([13], [14], [15], [16]).
Theanalytic
class number formula tells us that theproduct
of the class number h and theregulator
R of thealgebraic
number field F isasymptotically
proportional
towhere 0
is the discriminant of F. The heuristics ofCohen, Lenstra,
and Martinetpredict
when the class number is small with veryhigh probability.
Thus,
if we choose the1. with
sufficiently large
discriminant in order to make index calculus attack infeasible and2. with small class number
(using
the heuristics ofCohen, Lenstra,
andMartinet),
then the
principal
idealproblem
appears to be intractable.Next,
we must answer thequestion
how thekeys,
commitment,
witness,
challenge,
and response are selected orcomputed.
The idea is to use reducedprincipal
0-ideals and theirgenerators.
We willexplain
this in detail for thecase of real
quadratic
orders. The methodsexplained
for these orders canbe
generalized
togeneral
orders. This will beexplained
in aforthcoming
paper.
4. PIP-FS in real
quadratic
fieldsIn this
section,
we show how toimplement
PIP-FSusing
a realquadratic
order in which the
principal
idealproblem
is intractable. Inparticular,
weexplain
1. how the order 0 is
selected,
2. how the
private
key
and the commitment are selected andrepresented,
3. how the
public
key,
thewitness,
and the response arecomputed
andrepresented,
and4. how the verification is
performed.
We let 0 be a real
quadratic
order of discriminantA,
class numberh,
and
regulator
R.By F
we denote the field of fractions of 0.4.1. The order. As
explained
in Section3,
we have to choose the order 0 such that both the index calculusalgorithm
and thebabystep-giantstep
algorithm
cannot be used to solve theprincipal
idealproblem
in 0. Wewill,
infact,
choose 0 as a maximal order.The most efficient variant of the index calculus
algorithm
that iscur-rently
known is due to Jacobson[21].
Extrapolating
experiments
with Jacobson’salgorithm,
Hamdy
[19]
found that thedifhculty
ofapplying
the index calculusalgorithm
in an order with a 687 bit discriminant is the same as thedifficulty
offactoring
a 1024 bit number with the number field sieve.Therefore,
werequire
thatFurther
comparisons
can be found in Table 1.To make the
babystep-giantstep
attackimpossible,
we choose the ordersuch that
where 160 is a
security
parameter.
The reason for this choice isgiven
TABLE 1.
Comparison
offactoring
with the number fieldsieve and
solving
PIP-FS with index calculus.To
satisfy
requirement
(2),
we choose A to be theproduct
of two randomprimes
3 mod 4. We will show belowthat, assuming
the Cohen-Lenstra heuristics[13]
and the extended Riemannhypothesis,
condition(2)
is satisfied with
probability
1 -2-~2 ,
N,
ifFor
example,
ifkl
+k2
=240,
we obtain that A >25°9
is sufficient. So if(1)
holds,
then(2)
is satisfied.Choosing
A to be theproduct
of twoprimes
has additional
appeal
when theseprimes
are not disclosed.Being
able tosolve PIP for
arbitrary
reducedprincipal
idealsimplies being
able to factor the discriminant([9], [27]).
Thus in this case PIP isprovably
at least ashard as
breaking
cryptosystems
such as RSA thatrely
on theassumption
that
factoring
integers
of this form is intractable.So let us
explain why
it suffices to choose Aaccording
to(3).
Since A issquare-free,
0 is a maximal order. We can relate theregulator R
tothe class number h
by
using
theanalytic
class number formula[4]:
Wehave 2hR =
~ ~
whereL(1, X) _
flp
prime(l -
is thevalue at 1 of the Dedekind L-series for the Kronecker
symbol X
= (~).
So our initial condition(2)
translates to > *Assuming
theERH,
wehave, by
a result of Littlewood[23],
thatL(1,
x)
>(1
-I- 1where q
= . 0.5772... is Euler’s constant(cf.
[25],
where it is also discussed how 1 +o(l)
can bereplaced by
explicit
bounds).
As12e~/~r2
4,
certainly
L(I,
X)
>4(1
+ and from this we obtain the new conditionWe now examine the class number h in more detail. For the even
part
ofh,
we can use well-known theorems from genustheory
[20]:
Since A is theFor
estimating
the oddpart
of the classnumber,
weapply
the heuristicsof Cohen and Lenstra
[13]
with theassumption
that our restriction on thechoice of A does not affect the statistical behaviour of the odd
part
of the class number. Then theprobability
that h > x isasymptotic
to1 / (2x)
(cf.
[13],
§
9,
(C12) a).
Withprobability
at least 1-2-~2,
we have h2*~2 .
By substituting
this into(4),
we obtain the conditionAssuming
that A islarge enough
such that 1 +o(l)
can beomitted,
wearrive at
(3).
4.2. Reduced 0-ideals. To
implement
PIP-FS in0,
we use reduced0-ideals,
which we describe in this section. For more details on reducedideals,
we refer to[27]
and[30].
Every
fractional 0-ideal I has arepresentation
where q
is apositive
rationalnumber, a
is apositive integer,
and b is aninteger.
The numbers q and a areuniquely
determined. Theinteger
b isunique
modulo 2a. For a >ae,
we choose b such that -a b a; for aB/A,
we choose b such thatJ3 -
2a bae.
Werepresent
Iby
(q,
a,b,
c)
where c =(b2 -
A)/(4a)
E Z.If q
= 1,
then we write I =(a,
b,
c).
The 0-ideal I =
(a, b, c)
is called reduced ifIVK - 2al
I
bU1.
IfI =
(a,
b,
c)
is a reduced0-ideal,
then lal
+Icl
01.
Thisimplies
thatthe number of reduced 0-ideals is finite. For
example,
the order 0 itself isa reduced
principal
0-ideal.We
explain
the reductionoperator
p, which is the basicalgorithmic
prim-itive in reduction
theory
of 0-ideals. If I =(q,
a,
b,
c)
is an0-ideal,
thenwith
We can also write this as
If I is not
reduced,
then a reduced ideal J that isequivalent
to I and an1.
Set -y
= 1 and J = I.2. While J is not
reduced, replace y by
and Jby
p(J).
This
algorithm
terminates with the correct result inquadratic
time. Wewrite q
=-y(I)
and J =reduce(I).
The fact that reduction of O-ideals is
possible
inpolynomial
timeimplies
the
following
theorem,
which shows thatusing
only
reduced O-idea,ls doesnot harm the
security
of PIP-FS.Theorem 4.1. There is a
polynomials
time reductionfrom
PIPfor
D-idealsto PIP
for
reduced O-ideals.Proof.
Let I be a fractional O-ideal. Instead ofsolving
PIP forI,
we solvePIP for J =
reduce(7) =
If J is notprincipal,
then I is notprincipal.
If J is
principal
and J= a0,
then I isprincipal
and I = DRestricted to the set of reduced ideals in an
equivalence
class ofO-ideals,
the reduction
operator
p is a transitivepermutation.
Thisimplies
thatthere is a
positive integer
p such that the set of reducedprincipal
idealsis
fpz (0) :
0 ip}
andp2(O)
= if andonly
if i- j
mod p.
IfI =
(a,
b,
c)
isreduced,
thenwhich can also be written as
We also have
(see
[27,
Lemma3.2]
and
for reduced I.
From
(10)
and(11),
we obtain thefollowing
lemma,
which is used inthe construction of the
private
andpublic key
and the commitment andwitness.
Lemma 4.2. Let r be a real number,. Then there is a reduced O-ideal that
has a
positive
generator
a withIlna - r[
(In~)/4.
Proof.
Let r > 0. SetIo
=0,
ao =
1,
Ii+l =
p(1i),
ai+l = ThenIi
is a reduced O-ideal withgenerator
cx2, cx2 >0,
0 In 0152i+l - In 0152i =(In A) /2
by
(10),
andlimi,,,,,Inai
= ooby
(11).
Thisimplies
the assertion. For r0,
theproof
isanalogous
and usesp-1.
D4.3. Private
key,
commitment, public
key,
and witness. Assume that A is chosen as described in Section 4.1.The
private
key
and the commitment are chosen such that thecorre-sponding
principal
idealproblems
are difficult. We nowexplain
how we can choose them asgenerators
of reducedprincipal
ideals.It follows from Theorem 4.1 that is is not harder to solve PIP for O-ideals than for reduced O-ideals.
Therefore,
we may limit ourselves togenerators
of reduced 0-ideals when
choosing
theprivate
key
and the commitment.We denote the set of all reduced
principal
O-idealsby
Po.
Thepublic
key
and the witnesses arecomputed
using
the functionwhich is described in Section 4.6.
Here,
we use thefollowing
properties
ofthat function:
1. Given n E
N,
the valueclose(n)
can becomputed
inpolynomial
time.2. For every n E
N,
there is apositive
generator
a ofclose(n)
withcan [
(lnA)/4
+1,
where c =((ln 0)/2
+ 21.
It can becom-puted
inpolynomial
time.3.
The
restriction of close to any interval of2ki
consecutiveintegers
isinjective,
where 160 is chosen as in Section 4.1.To
generate
theprivate
key,
the proverrandomly
chooses kintegers
nl, ..., nk in
[0,2kl -
1].
Thecorresponding
public key
is(I1, ..., Ik)
withIi
=close(n2),
1 i k. For thegeneration
of thecommitment,
weneed two more
security
parameters
N. Theinteger 1~2
is chosensuch that an event that
happens
withprobability
1 /2~2
is consideredprac-tically
impossible.
Parameter1~3
is chosen such that2k3
is an upper bound for the number ofapplications
of the PIP-FSprotocol
with onekey
pair.
For
example,
k3
= 30 allows to use the samekey
pair
every second formore than 30 years. The commitment is a random
integer n
E[0,2£ -
1~,
-f-1~2
+k3
+ 1. The witness is I =close(n) .
4.4.
Response
and verification. Let A and c be as in Section 4.3. Let(nl, ..., nk )
be theprivate
key
and(h, ... , Ik )
thecorresponding
public key,
both chosen as in theprevious
section. Assume that n is acommitment,
I =
close(n)
is thecorresponding
witness,
and(e1, ..., ek)
E is thechallenge.
Then the response is r = n +eini .
Using
r, the verifieris able to
verify
that there is agenerator
of i that is close to cr.This is
explained
in Section 4.7.4.5.
Security.
Weexplain why
PIP-FS as described is secure. LetPl
[0, ..., 2kl -
1],
it isimpossible
to tabulate the elements ofPi
withgen-erators or to guess a
private
key yielding
the samepublic key.
Weana-lyze
the timerequired
tocompute
agenerator
of an element I ofPi.
LetI =
close(n)
with n E[0,2~ -1].
Sinceby
(2)
we have R >c - 2 ki,
it followsthat the
logarithm
of the smallestpositive generator
of I isapproximately
cn.
Therefore,
thebabystep-giantstep algorithm
[1]
forcomputing
agen-erator of I takes
2~1 ~2 Do(1)
bitoperations.
So it isimpossible
tocompute
a
generator
of I this way.Also, by
choice ofA, determining
agenerator
of I
by
the index calculusalgorithm
isimpossible.
Hence, computing
gen-erators for elements of
Pi
is intractable. Similararguments
apply
to close restricted to any other interval[m,...,
m +2~1 -
1~,
and hence to close onintervals
(o, ..., b~
whereNow we show that
knowledge
of values of r, collected from up to2 k3
executions of the
protocol,
withoverwhelming probability
does not allow the verifier or an observer to deduce any sub-sum of the secrets nl, ..., n~.For
simplicity,
assume that an attackertargets
only
which is mosteasily
doneby
always
using
thechallenge
( 1, 0, ..., 0),
so that r = n +nl .
As n E
[0, 2~ - 1],
this response ronly
reveals that nl E[r
-2~ -~-1,
r].
It isknown beforehand that nl E
[0,2~ -
1~,
so r ishelpful
fordetermining
nlonly
if r -2~
+ 1 > 0 or r2ki - 1,
whichimplies
that n +2 ki -2t
> 0or n
2kl - 1,
respectively.
Thus,
foruniformly
chosen n E[0,2£ -
1],
the
probability
is less than 2 - Combined over2 k3
iterations of theprotocol,
theprobability
still is less than 1 -(1 -
2 -2~1-~ ) 2k3 ,
i.e. under2 ~ 2~1-~ ~ 2k3
= 2-~2 ,
whichby
choice of1~2
is considerednegligible.
4.6. The function close. Let
k2,
1~3, .~, l~, 0, F, A,
and R be as inSection 4.3. We
explain
theimplementation
of a functionwith the
properties
from Section 4.3where Po
is the set of all reducedprincipal
0-ideals. We will show that this function restricted to any interval of2ki
consecutiveintegers
isinjective,
and that for any n E N the idealclose(n)
has apositive generator
a withcn[
(lnA)/4
+ 1 whereThis function is used for the
generation
of thepublic key,
thecomputation
of thewitness,
and in the verification.Let n e N. The
algorithm
computes
b =[1092 n]
+1,
i.e. thebinary
length
of n, and t =cn/2b.
Then itrecursively
computes,
for 0 ib,
reduced O-ideals
Ii
that havepositive
generators
0152i withTo initialize the
recursion,
an 0-ideal10
iscomputed
that has apositive
generator
ao withI In ao - t) I
(lnA)/4
+ 1. This is doneby
thefollowing
procedure:
1. Set
Io = 0,
0:0 = 1.2. While
(In A) /4,
set 0:0 = andIo
=p(Io).
It follows from
(10)
and(11)
that thealgorithm
terminates with the correctresult after
0(ln
A)
iterations of the whileloop.
Since theimplementation
uses rational
approximations
to thelogarithms,
it canonly
guarantee
thatwhen the while-condition is found to be false. The details are
explained
below.Next we
explain
the recursion. WhenIi
has beenfound,
ib,
thenIi+1
is
computed
as follows.First,
the idealIi
is determined. This is aprincipal
0-ideal with
generator
0:;.
Note thatSo
In a?
ispretty
close to2i+lt,
but(13)
may not be satisfied.Also,
the idealIi
is,
ingeneral,
not reduced. To makeI2
reduced,
the reductionalgorithm
explained
above isapplied.
Ityields
a reducedprincipal
0-idealIi+1
and an element 1’i+l E F* such thatli+l
=1’i+lIl.
If In1’i+l is too
small,
then wereplace
1’i+lby
1’i+la(Ii+l)
andby
until(13)
holds for ai+1 =
1’i+ 1 aT .
If is toolarge,
then wereplace
1’i+ 1by
and
Ii+l
by
until(13)
holds for Notethat is a
generator
of the reducedprincipal
idealIi+l.
As we can
only
work withapproximations
to thelogarithms, things
aresomewhat more difficult. We
explain
the details. To obtain(13),
weap-proximate
In a2by
a rationalnumber a2
withfor 0 i
b,
and each l’i+l is chosen such thatThen ai+l = satisfies
(13).
To find such that
(16)
holds,
we work with rationalapproximations
to the
logarithms
andmodify
thealgorithm
from above as follows:If,
afterreduction,
theapproximation
to thelogarithm
1’i+l is toosmall,
we startwith ,3o
= 1’i+l and determine idealsby
iterativeapplication
ofp, such that
2i+lt -
2ai
islarger
than orequal
to theapproximation
ofbut smaller than the
approximation
of If thelogarithm
ofis too
large,
we usep-1
instead. At theend,
1’i+l isreplaced by
ordepending
of whichlogarithm
approximation
is closer to2i+1t -
2ai.
2. Set T =
2ai.
3.
If bo T,
do thefollowing:
Set j
= 0. WhileT,
setJj+l
=flj+i
= andcompute
with1/4;
replace
j
Otherwise:
Set j
= 1. While >T,
replace j by j -
1;
setjj-1
= = andcompute
with1/4.
4. then set
Ii+l
=Jj-l
and =Otherwise,
set
Ii+l
=Jj
and =We prove that this
procedure
is correct.Theorem 4.3. -yi+1 determined
by
theprocedure satisfies
(16).
Proof.
LetT,
bj
be as in theprocedure
andlet j
be with the value atthe end of the
procedure.
It isIf T -
T,
set c =Otherwise,
set c =bj.
First,
we examine the case T It islc - Tj
+1/4
T~,
lln,3j -
T~}
+1/2.
So,
(10)
implies
Iln1’i+l -
TI
(In
A)/4
+1/2.
The second case is T . It is
Iln1’i+1 -
TI
c - T ~
+1 /4 ~
- - - - -
-We can use the same
arguments
for the third case T DThe initial value ao is
computed by executing
theprocedure
with i= -1,
I-1
=0,
anda-1 = 0. Then the
procedure
determines ,0, and we setcxo =
70.
Finally,
we remark that theapproximations
ai can becomputed
asfol-lows. Each
generator
is of the form aj = .After 73
has beencomputed by
theprocedure above,
weapproximate
itslogarithm by
cj suchthat
lcj - ln7jl
[
2-n+j-b-3.
. We set ao = co and a2+1 =2ai
+ Thenai satisfies
(15)
for 0 i b.4.7.
Implementing
the verification. In the verificationstep,
theveri-fier knows the
positive integer
r, theprincipal
O-idealsI, h, ..., Ik ,
and the exponents el, ..., e~ E~0,1~.
He wants toverify
that theprincipal
O-ideal1 n7=1
17i
Zhas a
positive
generator
a such that In ct is close to cr, where cis defined
according
to(12).
The verifier uses the reduction
algorithm
from Section 4.2 tocompute
a reduced O-ideal J and 7 E F* with J =
~yI
17i.
This is done asfollows:
2. For i =
1, ...,1:
Ifei =
1,
thenreplace q by
and Jby
reduce
If a is a
generator
of then aq is agenerator
of J. SinceI
I1f=1
Ii
has apositive generator
whoselogarithm
is close to cr and sinceIn I
issmall,
it follows that the reduced O-ideal J has agenerator
whoselogarithm
is close to cr. The verifier canverify
thisby computing
K =close(r)
andby searching
for J in theneighborhood
of K. Moreprecisely,
he
applies
thefollowing algorithm
where n is chosenaccording
to Theorem 4.4: .1.
Compute
K =close(r).
SetKr
=Ki
= K and i = 0.2. While i n,
J ~
KI
andJ ~
Kr
replace
iby
i +1,
Kr
by
p(Kr),
andKi
by
p-l(KI).
In the next
theorem,
wegive
an upper bound on the number ofsteps
that are necessary for the verification to succeed.
Theorem 4.4.
If r
is chosenaccording
to theprotocol,
then theverification
succeedsa f ter
at most n = +(In A) /4
+1) /In 21
iterations,
whereProof.
LetJi-l
denote the value of J before the i-th iteration of thefor-loop
used in the reduction ofIII:==117i.
ThenIn(32A)
holds for each i(see
[30,
Theorem5.2~ ) .
Thisimplies
Assume that the response is
correct,
i.e.,
there exists apositive
generator
a E F* with = aO andIlna -
cr~ [
((1n0)/4+1)(1+~~ 1
ei).
It follows from
(17)
that there is agenerator
~3
=aq of J with
Iln /3 - cr
x.
By
(13),
we have~close(cr) - cr) [
(lnA)/4
+ 1. Since weapply
p andp 1
to find J and sinceby
(11)
thestep
width of two suchapplications
isat least In
2,
we obtain the assertion. D4.8.
Timings.
We haveimplemented
the realquadratic
order PIP-FS identificationprotocol
in C++. Therunning
timesgiven
in this section has been measured on a PentiumII,
300MHz,
64 MB main memory,running
SuSe Linux
2.0.35, using
thecompiler
egcs-2.91.57
withoption
-02,
andusing
the LiDIA-2.0library
[22]
with libI asunderlying
kernel arithmetic.All
timings
aregiven
in seconds.The
setup
is as follows. For each m E{687,968,1208,1665,2084},
wechoose several discriminants with m
bits,
run theprotocol,
including
order andkey
generation,
and measure the average time per discriminant. Wehave run the tests with k =
30, i.e.,
theprobability
that acheating
proverbits set to 1.
Furthermore,
thesecurity
parameters
are chosen as1~1
=160,
1~2
=80,
and~3
= 30(see
Section4.3).
References
[1] 1. BIEHL, J. BUCHMANN, Algorithms for quadratic orders. In: Mathematics of Computation 1943-1993: a half-century of computational mathematics, Vancouver 1993, W. Gautschi,
Ed., vol. 48 of Proceedings of Symposia in Applied Mathematics, American Mathematical
Society (1995), pp. 425-449.
[2] I. BIEHL, J. BUCHMANN, S. HAMDY, A. MEYER, A signature scheme based on the
intractabil-ity of extracting roots. Tech. Rep. TI-1/00, Technische Universität Darmstadt, Fachbereich Informatik, 2000. http: //www. informatik. tu-darmstadt. de/TI/Veroeffentlichung/TR/.
[3] I. BIEHL, B. MEYER, C. THIEL, Cryptographic protocols based on real-quadratic A-fields
(ex-tended abstract). In Advances in Cryptology - ASIACRYPT ’96, K. Kim and T. Matsumoto, Eds., vol. 1163 of Lecture Notes in Computer Science, Springer-Verlag (1996), pp. 15-25.
[4] Z. I. BOREVICH, I. R. SHAFAREVICH, Number theory. Academic Press, New York (1966).
[5] G. BRASSARD, Ed., Advances in Cryptology - CRYPTO ’89, vol. 435 of Lecture Notes in
Computer Science, Springer-Verlag (1990).
[6] J. BUCHMANN, On the computation of units and class numbers by a generalization of
La-grange’s algorithm. Journal of Number Theory 26 (1987), 8-30.
[7] J. BUCHMANN, it Zur Komplexität der Berechnung von Einheiten und Klassenzahlen
algebra-ischer Zahlkörper. Habilitationsschrift (1987).
[8] J. BUCHMANN, S. PAULUS, A one way function based on ideal arithmetic in number fields. In: Advances in Cryptology - CRYPTO ’97, B. S. Kaliski, Ed., vol. 1294 of Lecture Notes in Computer Science, Springer-Verlag (1997), pp. 385-394.
[9] J. BUCHMANN, H. C. WILLIAMS, A key exchange system based on real quadratic fields. In
Brassard [5], pp. 335-343.
[10] D. A. BUELL, Binary quadratic forms. Springer-Verlag, New York (1989).
[11] M. V. D. BURMESTER, Y. DESMEDT, F. PIPER, M. WALKER, A general zero-knowledge scheme. In: Advances in Cryptology - EUROCRYPT ’89, J.-J. Quisquater and J. Vande-walle, Eds., vol. 434 of Lecture Notes in Computer Science, Springer-Verlag (1990), pp. 122-133.
[12] D. CHAUM, J.-H. EVERTSE, J. VAN DE GRAAF, An improved protocol for demonstrating
posession of discrete logarithms and some generalizations. In: Advances in Cryptology -EUROCRYPT ’87, D. Chaum and W. L. Price, Eds., vol. 304 of Lecture Notes in Computer
Science, Springer-Verlag (1988), pp. 127-142.
[13] H. COHEN, J. W. LENSTRA, JR., Heuristics on class groups of number fields. In: Number
Theory, Noordwijkerhout 1983, H. Jager, Ed., vol. 1068 of Lecture Notes in Mathematics.
Springer-Verlag (1984), pp. 33-62.
[14] H. COHEN, J. MARTINET, Class groups of number fields: numerical heuristics. Mathematics of Computation 48 (1987), 123-137.
[15] H. COHEN, J. MARTINET, Étude heuristique des groupes de classes des corps de nombres. Journal für die reine und angewandte Mathematik 404 (1990), 39-76.
[16] H. COHEN, J. MARTINET, Heuristics on class groups: Some good primes are not too good.
[17] A. FIAT, A. SHAMIR, How to prove yourself: practical solutions to identification and sig-nature problems. In: Advances in Cryptology - CRYPTO ’86 (1987), A. M. Odlyzko, Ed., vol. 263 of Lecture Notes in Computer Science, Springer-Verlag, pp. 186-194.
[18] L. C. GUILLOU, J.-J. QUISQUATER, A practical zero-knowledge protocol fitted to security
microprocessors minimizing both transmission and memory. In: Advances in Cryptology
- EUROCRYPT ’88
(1988), C. G. Günther , Ed., vol. 330 of Lecture Notes in Computer
Science, Springer-Verlag, pp. 123-128.
[19] S. HAMDY, B. MÖLLER, Security of cryptosystems based on class groups of imaginary qua-dratic orders. In: Advances in Cryptology - ASIACRYPT 2000 (2000), T. Matsumoto, Ed., Lecture Notes in Computer Science, Springer-Verlag. To appear.
[20] E. HECKE, Vorlesungen über die Theorie der Algebraischen Zahlen. Leipzig (1923). [21] M. J. JACOBSON, JR., Subexponential Class Group Computation in Quadratic Orders. PhD
thesis, Technische Universität Darmstadt, Fachbereich Informatik, Darmstadt, Germany,
1999.
[22] LiDIA - a C++ library for computational number theory. http://www.informatik.
tu-darmstadt . de/TI/LiDIA/. The LiDIA Group.
[23] J. E. LITTLEWOOD, On the class number of the corpus
P(~-k).
Proceedings of the London Mathematical Society 2nd series 27 (1928), 358-372.[24] A. J. MENEZES, P. C. VAN OORSCHOT, S. A. VANSTONE, Handbook of Applied Cryptography. CRC Press (1997).
[25] R. A. MOLLIN, H. C. WILLIAMS, Computation of the class number of a real quadratic field.
Utilitas Mathematica 41 (1992), 59-308.
[26] G. POUPARD, J. STERN, Security analysis of a practical "on the fly" authentication and siganture generation. In: Advances in Cryptology - EUROCRYPT ’98 (1998), K. Nyberg, Ed., vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, pp. 422-436.
[27] R. SCHEIDLER, J. BUCHMANN, H. C. WILLIAMS, A key-exchange protocol using real quadratic
fields. Journal of Cryptology 7 (1994), 171-199.
[28] C. P. SCHNORR, Efficient identification and signatures for smart cards. In: Brassard [5], pp. 239-252.
[29] U. VOLLMER, Asymptotically fast discrete logarithms in quadratic number fields. In: Algo-rithmic Number Theory, ANTS-IV (2000), W. Bosma, Ed., vol. 1838 of Lecture Notes in
Computer Science, Springer-Verlag, pp. 581-594.
[30] H.C. WILLIAMS, M.C. WUNDERLICH, On the parallel generation of the residues for the continued fraction factoring algorithm. Mathematics of Computation 48 (1987), 405-423.
Johannes BUCHMANN, Markus MAURER, Bodo M6LLER
Technische Universitat Darmstadt Fachbereich Informatik
Alexanderstr. 10 64283 Darmstadt Germany
