Security Estimates for Quadratic Field Based Cryptosystems
Jean-François Biasse, Michael J. Jacobson, Jr.⋆, and Alan K. Silvester

arXiv [cs.CR]

École Polytechnique, 91128 Palaiseau, France
Department of Computer Science, University of Calgary, 2500 University Drive NW, Calgary, Alberta, Canada T2N 1N4
Department of Mathematics and Statistics, University of Calgary, 2500 University Drive NW, Calgary, Alberta, Canada T2N 1N4
Abstract. We describe implementations for solving the discrete logarithm problem in the class group of an imaginary quadratic field and in the infrastructure of a real quadratic field. The algorithms used incorporate improvements over previously-used algorithms, and extensive numerical results are presented demonstrating their efficiency. These data are used as the basis for extrapolations that provide recommendations for parameter sizes offering approximately the same level of security as block ciphers with 80, 112, 128, 192, and 256-bit symmetric keys.

⋆ The second author is supported in part by NSERC of Canada.

1 Introduction

Quadratic fields were proposed as a setting for public-key cryptosystems in the late 1980s by Buchmann and Williams [7, 8]. There are two types of quadratic fields, imaginary and real. In the imaginary case, cryptosystems are based on arithmetic in the ideal class group (a finite abelian group), and the discrete logarithm problem is the computational problem on which the security is based. In the real case, the so-called infrastructure is used instead, and the security is based on the analogue of the discrete logarithm problem in this structure, namely the principal ideal problem.

Although neither of these problems is resistant to quantum computers, cryptography in quadratic fields is nevertheless an interesting alternative to more widely-used settings. Both discrete logarithm problems can be solved in subexponential time using index calculus algorithms, but with asymptotically slower complexity than the state-of-the-art algorithms for integer factorization and computing discrete logarithms in finite fields. In addition, the only known relationship to the quadratic field discrete logarithm problems from other computational problems used in cryptography is that integer factorization reduces to both of the quadratic field problems. Thus, both of these are at least as hard as factoring, and the lack of known relationships to other computational problems implies that the breaking of other cryptosystems, such as those based on elliptic or hyperelliptic curves, will not necessarily break those set in quadratic fields. Examining the security of quadratic field based cryptosystems is therefore of interest.

The fastest algorithms for solving the discrete logarithm problems in quadratic fields are based on an improved version of Buchmann's index-calculus algorithm due to Jacobson [17]. The algorithms include a number of practical enhancements to the original algorithm of Buchmann [5], including the use of self-initialized sieving to generate relations, a single large prime variant, and practice-oriented algorithms for the required linear algebra. These algorithms enabled the computation of a discrete logarithm in the class group of an imaginary quadratic field with 90 decimal digit discriminant [15], and the solution of the principal ideal problem for a real quadratic field with 65 decimal digit discriminant [18].

Since this work, a number of further improvements have been proposed. Biasse [3] presented practical improvements to the corresponding algorithm for imaginary quadratic fields, including a double large prime variant and improved algorithms for the required linear algebra. The resulting algorithm was indeed faster than the previous state-of-the-art and enabled the computation of the ideal class group of an imaginary quadratic field with 110 decimal digit discriminant. These improvements were adapted to the case of real quadratic fields by Biasse and Jacobson [4], along with the incorporation of a batch smoothness test of Bernstein [2], resulting in similar speed-ups in that case.

In this paper, we adapt the improvements of Biasse and Jacobson to the computation of discrete logarithms in the class group of an imaginary quadratic field and the principal ideal problem in the infrastructure of a real quadratic field. We use versions of the algorithms that rely on easier linear algebra problems than those described in [17]. In the imaginary case, this idea is due to Vollmer [26]; our work represents the first implementation of his method. The data we obtained show that our algorithms are indeed faster than previous methods. We use our data to estimate parameter sizes for quadratic field cryptosystems that offer security equivalent to NIST's five recommended security levels [25]. In the imaginary case, these recommendations update previous results of Hamdy and Möller [14], and in the real case this is the first time such recommendations have been provided.

The paper is organized as follows. In the next section, we briefly recall the required background of ideal arithmetic in quadratic fields, and give an overview of the index-calculus algorithms for solving the two discrete logarithm problems in Section 3. Our numerical results are described in Section 4, followed by the security parameter estimates in Section 5.
2 Arithmetic in Quadratic Fields

We begin with a brief overview of arithmetic in quadratic fields. For more details on the theory, algorithms, and cryptographic applications of quadratic fields, see [20].

Let $K = \mathbb{Q}(\sqrt{\Delta})$ be the quadratic field of discriminant $\Delta$, where $\Delta$ is a non-zero integer congruent to 0 or 1 modulo 4 with $\Delta$ or $\Delta/4$ square-free. The integral closure of $\mathbb{Z}$ in $K$, called the maximal order, is denoted by $\mathcal{O}_\Delta$. The ideals of $\mathcal{O}_\Delta$ are the main objects of interest in terms of cryptographic applications. An ideal can be represented by the two-dimensional $\mathbb{Z}$-module
$$\mathfrak{a} = s\left(a\mathbb{Z} + \frac{b + \sqrt{\Delta}}{2}\mathbb{Z}\right),$$
where $a, b, s \in \mathbb{Z}$ and $4a \mid b^2 - \Delta$. The integers $a$ and $s$ are unique, and $b$ is defined modulo $2a$. The ideal $\mathfrak{a}$ is said to be primitive if $s = 1$. The norm of $\mathfrak{a}$ is given by $N(\mathfrak{a}) = as^2$.

Ideals can be multiplied using Gauss' composition formulas for integral binary quadratic forms. Ideal norm respects this operation. The prime ideals of $\mathcal{O}_\Delta$ have the form $p\mathbb{Z} + \frac{b_p + \sqrt{\Delta}}{2}\mathbb{Z}$, where $p$ is a prime that is split or ramified in $K$, i.e., the Kronecker symbol $(\Delta/p) \neq -1$. As $\mathcal{O}_\Delta$ is a Dedekind domain, every ideal can be factored uniquely as a product of prime ideals. To factor $\mathfrak{a}$, it suffices to factor $N(\mathfrak{a})$ and, for each prime $p$ dividing the norm, determine whether the prime ideal $\mathfrak{p}$ or $\mathfrak{p}^{-1}$ divides $\mathfrak{a}$ according to whether $b$ is congruent to $b_p$ or $-b_p$ modulo $2p$.

Two ideals $\mathfrak{a}, \mathfrak{b}$ are said to be equivalent, denoted by $\mathfrak{a} \sim \mathfrak{b}$, if there exist $\alpha, \beta \in \mathcal{O}_\Delta$ such that $(\alpha)\mathfrak{a} = (\beta)\mathfrak{b}$, where $(\alpha)$ denotes the principal ideal generated by $\alpha$. This is in fact an equivalence relation, and the set of equivalence classes forms a finite abelian group called the class group, denoted by $Cl_\Delta$. Its order is called the class number, and is denoted by $h_\Delta$.

Arithmetic in the class group is performed on reduced ideal representatives of the equivalence classes. An ideal $\mathfrak{a}$ is reduced if it is primitive and $N(\mathfrak{a})$ is a minimum in $\mathfrak{a}$. Reduced ideals have the property that $a, b < \sqrt{|\Delta|}$, yielding reasonably small representatives of each group element. The group operation then consists of multiplying two reduced ideals and computing a reduced ideal equivalent to the product. This operation is efficient and can be performed in $O(\log^2|\Delta|)$ bit operations.

In the case of imaginary quadratic fields, we have $h_\Delta \approx \sqrt{|\Delta|}$, and every element in $Cl_\Delta$ contains exactly one reduced ideal. Thus, the ideal class group can be used as the basis of most public-key cryptosystems that require arithmetic in a finite abelian group. The only wrinkle is that computing the class number $h_\Delta$ seems to be as hard as solving the discrete logarithm problem, so only cryptosystems for which the group order is not known can be used.

In real quadratic fields, the class group tends to be small; in fact, a conjecture of Gauss predicts that $h_\Delta = 1$ infinitely often, and the Cohen-Lenstra heuristics [11] predict that this happens about 75% of the time for prime discriminants. Thus, the discrete logarithm problem in the class group is not in general suitable for cryptographic use.

Another consequence of small class groups in the real case is that there are no longer unique reduced ideal representatives in each equivalence class. Instead, we have that $h_\Delta R_\Delta \approx \sqrt{\Delta}$, where the regulator $R_\Delta$ roughly approximates how many reduced ideals are in each equivalence class. Thus, since $h_\Delta$ is frequently small, there are roughly $\sqrt{\Delta}$ equivalent reduced ideals in each equivalence class. The infrastructure, namely the set of reduced principal ideals, is used for cryptographic purposes instead of the class group. Although this structure is not a finite abelian group, the analogue of exponentiation (computing a reduced principal ideal $(\alpha)$ with $\log\alpha$ as close to a given number as possible) is efficient and can be used as a one-way problem suitable for public-key cryptography. The inverse of this problem, computing an approximation of the unknown $\log\alpha$ from a reduced principal ideal given in $\mathbb{Z}$-basis representation, is called the principal ideal problem or infrastructure discrete logarithm problem, and is believed to be of similar difficulty to the discrete logarithm problem in the class group of an imaginary quadratic field.

3 Index-Calculus Algorithms

The fastest algorithms in practice for computing discrete logarithms in the class group and infrastructure use the index-calculus framework. Like other index-calculus algorithms, these algorithms rely on finding certain smooth quantities, those whose prime divisors are all small in some sense. In the case of quadratic fields, one searches for smooth principal ideals for which all prime ideal divisors have norm less than a given bound $B$. The set of prime ideals $\mathfrak{p}_1, \ldots, \mathfrak{p}_n$ with $N(\mathfrak{p}_i) \le B$ is called the factor base, denoted by $\mathcal{B}$. A principal ideal $(\alpha) = \mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_n^{e_n}$ with $\alpha \in K$ that factors completely over the factor base yields the relation $(e_1, \ldots, e_n, \log|\alpha|)$. In the imaginary case, the $\log|\alpha|$ coefficients are not required and are ignored. The key to the index-calculus approach is the fact, proved by Buchmann [5], that the set of all relations forms a sublattice $\Lambda \subset \mathbb{Z}^n \times \mathbb{R}$ of determinant $h_\Delta R_\Delta$ as long as the prime ideals in the factor base generate $Cl_\Delta$. This follows, in part, from the fact that $L$, the integer component of $\Lambda$, is the kernel of the homomorphism $\phi: \mathbb{Z}^n \to Cl_\Delta$ given by $(e_1, \ldots, e_n) \mapsto \mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_n^{e_n}$ for $(e_1, \ldots, e_n) \in \mathbb{Z}^n$. The homomorphism theorem then implies that $\mathbb{Z}^n / L \cong Cl_\Delta$. In the imaginary case, where the $\log|\alpha|$ terms are omitted, the relation lattice consists only of the integer part, and the corresponding results were proved by Hafner and McCurley [12].

The main idea behind the algorithms described in [17] for solving the class group and infrastructure discrete logarithm problems is to find random relations until they generate the entire relation lattice $\Lambda$.
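The relation-generation and relation-lattice steps just described, in toy form, as an added example that is not the authors' implementation: it builds the factor base of prime ideals $p\mathbb{Z} + \frac{b_p+\sqrt{\Delta}}{2}\mathbb{Z}$, factors primitive ideals over it with the $b \equiv \pm b_p \pmod{2p}$ test, collects relations from principal ideals with smooth norm (a stand-in for the sieving used in the paper), and computes the determinant of the lattice they span, which is a multiple of $h_\Delta$. The discriminant $\Delta = -23$, the factor-base bound and the search range are constructed inputs.

```python
# Added example (not the authors' code): toy relation generation for an
# imaginary quadratic field, following Sections 2 and 3.  Assumption: D < 0 is
# a prime discriminant with D = 1 (mod 4), as in the paper's experiments, so
# b is always odd and the only ramified prime is |D|.
from math import isqrt


def splits_or_ramifies(D, p):
    """Kronecker symbol (D/p) != -1, i.e. p has a prime ideal above it."""
    if p == 2:
        return D % 8 in (0, 1, 4)      # D = 1 (mod 8): split; D = 0 (mod 4): ramified
    r = D % p
    return r == 0 or pow(r, (p - 1) // 2, p) == 1   # Euler's criterion


def prime_ideal_b(D, p):
    """Smallest b_p >= 0 with b_p^2 = D (mod 4p): the prime ideal above p is
    pZ + (b_p + sqrt(D))/2 Z, and its conjugate (p^-1 in Cl_D) uses -b_p."""
    for b in range(2 * p):
        if (b * b - D) % (4 * p) == 0:
            return b
    raise ValueError(f"{p} is inert in Q(sqrt({D}))")


def factor_base(D, bound):
    """Factor base B: pairs (p, b_p) for the non-inert primes p <= bound."""
    primes = [p for p in range(2, bound + 1)
              if all(p % q for q in range(2, isqrt(p) + 1))]
    return [(p, prime_ideal_b(D, p)) for p in primes if splits_or_ramifies(D, p)]


def factor_ideal(D, a, b, fb):
    """Exponent vector of the primitive ideal aZ + (b + sqrt(D))/2 Z over fb,
    or None if its norm a is not B-smooth.  Entry +k means p_p^k divides the
    ideal, -k means its conjugate does (p_p^-1 in the class group); a
    primitive ideal is never divisible by both, since their product is (p)."""
    assert (b * b - D) % (4 * a) == 0, "not an ideal: 4a must divide b^2 - D"
    exps, rest = [], a
    for p, bp in fb:
        k = 0
        while rest % p == 0:
            rest //= p
            k += 1
        if k == 0:
            exps.append(0)
        elif (b - bp) % (2 * p) == 0:
            exps.append(k)
        else:
            assert (b + bp) % (2 * p) == 0
            exps.append(-k)
    return exps if rest == 1 else None


def relations(D, fb, bmax):
    """Relations from the principal ideals (alpha), alpha = (b + sqrt(D))/2,
    whose Z-basis is aZ + (b + sqrt(D))/2 Z with a = N(alpha) = (b^2 - D)/4."""
    rels = []
    for b in range(1, bmax + 1, 2):        # b odd because D = 1 (mod 4)
        e = factor_ideal(D, (b * b - D) // 4, b, fb)
        if e is not None:
            rels.append(e)
    return rels


def lattice_index(rows):
    """|det| of the lattice spanned by the integer rows (0 if not of full
    rank), by Euclidean row reduction to echelon form.  For a relation matrix
    A this is det(HNF(A)), the multiple of h_D that Section 3 checks."""
    m = [list(r) for r in rows]
    n = len(m[0]) if m else 0
    det, piv = 1, 0
    for j in range(n):
        if piv >= len(m):
            return 0
        for i in range(piv + 1, len(m)):
            while m[i][j] != 0:            # gcd steps on column j of rows piv, i
                q = m[piv][j] // m[i][j]
                m[piv] = [x - q * y for x, y in zip(m[piv], m[i])]
                m[piv], m[i] = m[i], m[piv]
        if m[piv][j] == 0:
            return 0
        det *= abs(m[piv][j])
        piv += 1
    return det


if __name__ == "__main__":
    D = -23                                  # constructed toy discriminant, h_D = 3
    fb = factor_base(D, 7)                   # [(2, 1), (3, 1)]: 5 and 7 are inert
    rels = relations(D, fb, 13)
    print("factor base:", fb)
    print("relations  :", rels)
    print("det(HNF(A)) =", lattice_index(rels))   # 3, which here is h_D itself
```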
Suppose $A$ is a matrix whose rows contain the integer coordinates of the relations, and $\mathbf{v}$ is a vector containing the real parts. To check whether the relations generate $\Lambda$, we begin by computing the Hermite normal form of $A$ and then calculating its determinant, giving us a multiple $h$ of the class number $h_\Delta$. We also compute a multiple $R$ of the regulator $R_\Delta$. Using the analytic class number formula and Bach's $L(1,\chi)$-approximation method [1], we construct a bound $h^*$ such that $h_\Delta R_\Delta$ itself is the only integer multiple of the product of the class number and regulator satisfying $h^* < h_\Delta R_\Delta < 2h^*$; if $hR$ satisfies these bounds, then $h$ and $R$ are the correct class number and regulator, and the set of relations given in $A$ generates $\Lambda$.

A multiple $R$ of the regulator $R_\Delta$ can be computed either from a basis of the kernel of the row-space of $A$ (as in [17]) or by randomly sampling from the kernel as described by Vollmer [27]. Every kernel vector $\mathbf{x}$ corresponds to a multiple of the regulator via $\mathbf{x} \cdot \mathbf{v} = mR_\Delta$. Given $\mathbf{v}$ and a set of kernel vectors, an algorithm of Maurer [24, Sec 12.1] is used to compute the "real GCD" of the regulator multiples with guaranteed numerical accuracy, where the real GCD of $m_1 R_\Delta$ and $m_2 R_\Delta$ is defined to be $\gcd(m_1, m_2) R_\Delta$.

To solve the discrete logarithm problem in $Cl_\Delta$, we compute the structure of $Cl_\Delta$, i.e., integers $m_1, \ldots, m_k$ with $m_{i+1} \mid m_i$ for $i = 1, \ldots, k-1$ such that $Cl_\Delta \cong \mathbb{Z}/m_1\mathbb{Z} \times \cdots \times \mathbb{Z}/m_k\mathbb{Z}$, and an explicit isomorphism from $\mathbb{Z}^n$ to $\mathbb{Z}/m_1\mathbb{Z} \times \cdots \times \mathbb{Z}/m_k\mathbb{Z}$. Then, to compute $x$ such that $\mathfrak{g}^x \sim \mathfrak{a}$, we find ideals equivalent to $\mathfrak{g}$ and $\mathfrak{a}$ that factor over the factor base and map their exponent vectors in $\mathbb{Z}^n$ to $\mathbb{Z}/m_1\mathbb{Z} \times \cdots \times \mathbb{Z}/m_k\mathbb{Z}$, where the discrete logarithm problem can be solved easily.

To solve the infrastructure discrete logarithm problem for $\mathfrak{a}$, we find an ideal equivalent to $\mathfrak{a}$ that factors over the factor base. Suppose the factorization is given by the exponent vector $\mathbf{w} \in \mathbb{Z}^n$. Then, since $L$ is the kernel of $\phi$, if $\mathfrak{a}$ is principal, $\mathbf{w}$ must be a linear combination of the elements of $L$. This can be determined by solving $\mathbf{x}A = \mathbf{w}$, where as before the rows of $A$ are the vectors in $L$. Furthermore, $\log\alpha = \mathbf{x} \cdot \mathbf{v} \pmod{R_\Delta}$ is then a solution to the infrastructure discrete logarithm problem. The approximation of $\log\alpha$ is computed to guaranteed numerical accuracy using another algorithm of Maurer [24, Sec 5.5].

If it is necessary to verify the solvability of the problem instance, then one must verify that the relations generate all of $\Lambda$, for example, as described above. The best methods for this certification are conditional on the Generalized Riemann Hypothesis, both for their expected running time and their correctness. However, in a cryptographic application, it can safely be assumed that the problem instance does have a solution (for example, if it comes from the Diffie-Hellman key exchange protocol), and simplifications are possible. In particular, the correctness of the computed solution can be determined without certifying that the relations generate $\Lambda$, for example, by verifying that $\mathfrak{g}^x \sim \mathfrak{a}$. As a result, the relatively expensive linear algebra required (computing the Hermite normal form and the kernel of the row space) can be replaced by linear system solving.

In the imaginary case, if the discrete logarithm is known to exist, one can use an algorithm due to Vollmer [26, 28]. Instead of computing the structure of $Cl_\Delta$, one finds ideals equivalent to $\mathfrak{g}$ and $\mathfrak{a}$ that factor over the factor base. Then, combining these factorizations with the rest of the relations and solving a linear system yields a solution of the discrete logarithm problem. If the linear system cannot be solved, then the relations do not generate $\Lambda$, and the process is simply repeated after generating some additional relations. The expected asymptotic complexity of this method, under reasonable assumptions about the generation of relations, is $O(L_{|\Delta|}[1/2, 3\sqrt{2}/4 + o(1)])$ [28, 6], where
$$L_N[e, c] = \exp\big(c\,(\log N)^e (\log\log N)^{1-e}\big)$$
for constants $e, c$ with $0 \le e \le 1$. In practice, all the improvements to relation generation and simplifying the relation matrix described in [3] can be applied. When using practical versions for generating relations, such as sieving as described in [17], it is conjectured that the algorithm has complexity $O(L_{|\Delta|}[1/2, 1 + o(1)])$.

In the real case, we also do not need to compute the Hermite normal form, as only a multiple of $R_\Delta$ suffices. The consequence of not certifying that we have the true regulator is that the solutions obtained for the infrastructure discrete logarithm problem may not be minimal. However, for cryptographic purposes this is sufficient, as these values can still be used to break the corresponding protocols in the same way that a non-minimal solution to the discrete logarithm problem suffices to break group-based protocols. Thus, we use Vollmer's approach [27] based on randomly sampling from the kernel of $A$. This method computes a multiple that is with high probability equal to the regulator in time $O(L_{|\Delta|}[1/2, 3\sqrt{2}/4 + o(1)])$ by computing the multiple corresponding to random elements in the kernel of the row space of $A$. These random elements can also be found by linear system solving. The resulting algorithm has the same complexity as that in the imaginary case. In practice, all the improvements described in [4] can be applied. When these are used, including sieving as described in [17], we also conjecture that the algorithm has complexity $O(L_{|\Delta|}[1/2, 1 + o(1)])$.

4 Implementation and Numerical Results

Our implementation takes advantage of the latest practical improvements in ideal class group computation and regulator computation for quadratic number fields, described in detail in [3, 4].
In the following, we give a brief outline of the methods we used for the experiments described in this paper.

To speed up the relation collection phase, we combined the double large prime variation with the self-initialized quadratic sieve strategy of [17], as described in [3]. This results in a considerable speed-up in the time required for finding a relation, at the cost of a growth of the dimensions of the relation matrix. We also used Bernstein's batch smoothness test [2] to enhance the relation collection phase as described in [4], by simultaneously testing residues produced by the sieve for smoothness.

The algorithms involved in the linear algebra phase are highly sensitive to the dimensions of the relation matrix. As the double large prime variation induces significant growth in the dimensions of the relation matrix, one needs to perform Gaussian elimination to reduce the number of columns in order to make the linear algebra phase feasible. We used a graph-based elimination strategy first described by Cavallar [9] for factorization, and then adapted by Biasse [3] to the context of quadratic fields. At the end of the process, we test if the resulting matrix $A_{red}$ has full rank by reducing it modulo a word-sized prime. If not, we collect more relations and repeat the algorithm.

For solving the discrete logarithm problem in the imaginary case, we implemented the algorithm due to Vollmer [26, 28]. Given two ideals $\mathfrak{a}$ and $\mathfrak{g}$ such that $\mathfrak{g}^x \sim \mathfrak{a}$ for some integer $x$, we find two extra relations $(e_1, \ldots, e_n, 1, 0)$ and $(f_1, \ldots, f_n, 0, 1)$ such that $\mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_n^{e_n} \mathfrak{g} \sim (1)$ and $\mathfrak{p}_1^{f_1} \cdots \mathfrak{p}_n^{f_n} \mathfrak{a}^{-1} \sim (1)$ over the extended factor base $\mathcal{B} \cup \{\mathfrak{g}, \mathfrak{a}^{-1}\}$. The extra relations are obtained by multiplying $\mathfrak{a}^{-1}$ and $\mathfrak{g}$ by random power products of primes in $\mathcal{B}$ and sieving with the resulting ideal to find an equivalent ideal that is smooth over $\mathcal{B}$. Once these relations have been found, we construct the matrix
$$A' := \begin{pmatrix} A & 0 \\ e_1 \cdots e_n & 0 \\ f_1 \cdots f_n & 1 \end{pmatrix},$$
whose last column corresponds to $\mathfrak{a}^{-1}$, and solve the system $\mathbf{x}A' = (0, \ldots, 0, 1)$. The coefficient of $\mathbf{x}$ at the row $(e_1, \ldots, e_n, 0)$ necessarily equals the discrete logarithm $x$, since the corresponding combination of relations is a relation $\mathfrak{g}^x \mathfrak{a}^{-1} \sim (1)$ over the extended factor base. We used certSolveRedLong from the IML library [10] to solve these linear systems.

As the impact of Vollmer's and Bernstein's algorithms on the overall time for class group and discrete logarithm computation in the imaginary case had not been studied, we provide numerical data in Table 1 for discriminants of size between 140 and 220 bits. The timings, given in seconds, are averages of three different random prime discriminants, obtained with 2.4 GHz Opterons with 8GB of memory. We denote by "DL" the discrete logarithm computation using Vollmer's method and by "CL" the class group computation. "CL Batch" and "DL Batch" denote the times obtained when also using Bernstein's algorithm. We list the optimal factor base size for each algorithm and discriminant size (obtained via additional numerical experiments), the time for each of the main parts of the algorithm, and the total time. In all cases we allowed two large primes and took enough relations to ensure that $A_{red}$ has full rank. Our results show that enhancing relation generation with Bernstein's algorithm is beneficial in all cases. In addition, using Vollmer's algorithm for computing discrete logarithms is faster than the approach of [17] that also requires the class group.

To solve the infrastructure discrete logarithm problem, we first need to compute an approximation of the regulator. For this purpose, we used an improved version of Vollmer's system solving based algorithm [27] described by Biasse and Jacobson [4].
In order to find elements of the kernel, the algorithm creates extra relations $r_i$, $0 \le i \le k$, for some small integer $k$ (bounded by a small constant in all our experiments), and solves the linear systems $X_i A = r_i$ using the function certSolveRedLong from the IML library [10]. We augment the matrix $A$ by adding the $r_i$ as extra rows, and augment each vector $X_i$ with $k + 1$ further coordinates that are zero except for a $-1$ in the position of $r_i$, yielding
$$A' := \begin{pmatrix} A \\ r_0 \\ \vdots \\ r_k \end{pmatrix}, \qquad X'_i := \big(X_i \;\; 0 \cdots 0 \;\; {-1} \;\; 0 \cdots 0\big).$$
The $X'_i$ are kernel vectors of $A'$ (indeed $X'_i A' = X_i A - r_i = 0$), which can be used along with the vector $\mathbf{v}$ containing the real parts of the relations to compute a multiple of the regulator with Maurer's algorithm [24, Sec 12.1]. As shown in Vollmer [27], this multiple is equal to the regulator with high probability. In [4], it is shown that this method is faster than the one requiring a kernel basis because it only requires the solution to a few linear systems, and it can be adapted in such a way that the linear system involves $A_{red}$.

Table 1. Comparison between class group computation and Vollmer's algorithm (times in seconds)

Size  Strategy   |B|    Sieving  Elimination  Linear algebra    Total
140   CL          200     2.66      0.63          1.79          5.08
140   CL Batch    200     1.93      0.65          1.78          4.36
140   DL          200     2.57      0.44          0.8           3.81
140   DL Batch    200     1.92      0.41          0.76          3.09
160   CL          300    11.77      1.04          8.20         21.01
160   CL Batch    300     9.91      0.87          8.19         18.97
160   DL          350    10.17      0.73          2.75         13.65
160   DL Batch    400     6.80      0.96          3.05         10.81
180   CL          400    17.47      0.98         12.83         31.28
180   CL Batch    400    14.56      0.97         12.9          28.43
180   DL          500    15.00      1.40          4.93         21.33
180   DL Batch    500    11.35      1.34          4.46         17.15
200   CL          800   158.27      7.82         81.84        247.93
200   CL Batch    800   133.78      7.82         81.58        223.18
200   DL         1000   126.61      9.9          21.45        157.96
200   DL Batch   1100    85.00     11.21         26.85        123.06
220   CL         1500   619.99     20.99        457.45       1098.43
220   CL Batch   1500   529.59     19.56        447.29        996.44
220   DL         1700   567.56     27.77         86.38        681.71
220   DL Batch   1600   540.37     24.23         73.76        638.36

Our algorithm to solve the infrastructure discrete logarithm problem also makes use of the system solving algorithm. The input ideal $\mathfrak{a}$ is first decomposed over the factor base, as in the imaginary case, yielding the factorization $\mathfrak{a} = (\gamma)\,\mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_n^{e_n}$. Then, we solve the system $\mathbf{x}A = (e_1, \ldots, e_n)$ and compute a numerical approximation to guaranteed precision of $\log|\alpha|$ modulo our regulator multiple using Maurer's algorithm [24, Sec 5.5] from $\gamma$, the coefficients of $\mathbf{x}$, and the real parts of the relations stored in $\mathbf{v}$.

The results of our experiments for the imaginary case are given in Table 2, and for the real case in Table 3. They were obtained on a 2.4 GHz Xeon with 2GB of memory. For each bit length of $\Delta$, denoted by "size($\Delta$)," we list the average time in seconds required to solve an instance of the appropriate discrete logarithm problem ($t_\Delta$) and the standard deviation (std). In the imaginary case, for each discriminant size less than 220 bits, 14 instances of the discrete logarithm problem were solved.
For size 230 and 256 we solved 10, and for size 280 and 300 we solved 5 examples. In the real case, 10 instances were solved for each size up to 256, a smaller number (illegible in this copy) for size 280, and 4 for size 300.

Table 2. Average run times for the discrete logarithm problem in $Cl_\Delta$, $\Delta < 0$ (the two ratio columns $L_{|\Delta|}[1/2, 3\sqrt{2}/4]/t_\Delta$ and $L_{|\Delta|}[1/2, 1]/t_\Delta$ of the original table are not legible in this copy and are omitted)

size(∆)   t_∆ (sec)        std
140            7.89        2.33
142            8.80        1.90
144            9.91        3.13
146           10.23        1.69
148           11.80        3.45
150           12.88        2.66
152           14.42        3.38
154           17.64        5.61
156           22.06        5.57
158           28.74       12.11
160           27.12        8.77
162           32.72       15.49
164           31.08        6.85
166           41.93       14.65
168           51.92       16.51
170           59.77       15.42
172           68.39       17.79
174           99.20       62.61
176          124.86       80.29
178          140.50       55.41
180          202.42      145.98
182          166.33       63.91
184          150.76       58.37
186          198.72       63.23
188          225.90       94.94
190          277.67      234.93
192          348.88      134.36
194          395.54      192.26
196          547.33      272.83
198          525.94      153.63
200          565.43      182.75
202          561.36      202.80
204          535.29      205.68
206          776.64      243.35
208          677.43      200.08
210         1050.64      501.31
212         1189.71      410.98
214         1104.83      308.57
216         1417.64      352.27
218         2185.80      798.95
220         2559.79     1255.94
230         3424.40     1255.94
256        22992.70    13062.14
280        88031.08    34148.54
300       702142.20   334566.51

Table 3. Average run times for the infrastructure discrete logarithm problem (the two ratio columns $L_{|\Delta|}[1/2, 3\sqrt{2}/4]/t_\Delta$ and $L_{|\Delta|}[1/2, 1]/t_\Delta$ of the original table are not legible in this copy and are omitted)

size(∆)   t_∆ (sec)        std
140           11.95        3.13
142           12.47        2.06
144           15.95        5.79
146           14.61        2.94
148           17.05        3.46
150           21.65        4.55
152           25.65        7.15
154           29.01        6.97
156           27.52        4.79
158           33.59        8.80
160           36.27       12.28
162           43.55       10.73
164           49.37       11.76
166           59.73       17.18
168           73.66       18.56
170           75.50       19.80
172          101.00       20.84
174           94.80       38.87
176          106.30       23.77
178          149.70       44.04
180          132.70       30.25
182          178.80       25.67
184          211.40       52.14
186          258.20      110.95
188          352.70       94.50
190          290.90       46.57
192          316.80       51.75
194          412.90       71.90
196          395.40       94.71
198          492.30      156.69
200          598.90      187.19
202          791.40      285.74
204          888.10      396.85
206          928.40      311.37
208         1036.10      260.82
210         1262.30      415.32
212         1582.30      377.22
214         1545.10      432.42
216         1450.80      453.85
218         2105.00      650.64
220         2435.70      802.57
230         5680.90     1379.94
256        29394.01     7824.15
280        80962.80    27721.01
300       442409.00   237989.12

For the extrapolations in the next section, we need to have a good estimate of the asymptotic running time of the algorithm. As described in the previous section, the best proven run time is $O(L_{|\Delta|}[1/2, 3\sqrt{2}/4 + o(1)])$, but as we use sieving to generate relations, this can likely be reduced to $O(L_{|\Delta|}[1/2, 1 + o(1)])$. To test which running time is most likely to hold for the algorithm we implemented, we list $L_{|\Delta|}[1/2, 3\sqrt{2}/4]/t_\Delta$ and $L_{|\Delta|}[1/2, 1]/t_\Delta$ in Table 2 and Table 3. In both cases, our data supports the hypothesis that the run time of our algorithm is indeed closer to $O(L_{|\Delta|}[1/2, 1 + o(1)])$, with the exception of a few outliers corresponding to sizes for which only a few instances of the discrete logarithm problem were computed.

5 Security Parameter Estimates

General purpose recommendations for securely choosing discriminants for use in quadratic field cryptography can be found in [14] for the imaginary case and [18] for the real case. In both cases, it usually suffices to use prime discriminants, as this forces the class number $h_\Delta$ to be odd. In the imaginary case, one then relies on the Cohen-Lenstra heuristics [11] to guarantee that the class number is not smooth with high probability. In the real case, one uses the Cohen-Lenstra heuristics to guarantee that the class number is very small (and that the infrastructure is therefore large) with high probability.

Our goal is to estimate what bit lengths of appropriately-chosen discriminants, in both the imaginary and real cases, are required to provide approximately the same level of security as the RSA moduli recommended by NIST [25]. The five security levels recommended by NIST correspond to using secure block ciphers with keys of 80, 112, 128, 192, and 256 bits.
The estimates used by NIST indicate that RSA moduli of size 1024, 2048, 3072, 7680, and 15360 bits should be used.

To estimate the required sizes of discriminants, we follow the approach of Hamdy and Möller [14], who provided such estimates for the imaginary case. Our results update these in the sense that our estimates are based on our improved algorithms for solving the discrete logarithms in quadratic fields, as well as the latest data available for factoring large RSA moduli. Our estimates for real quadratic fields are the first such estimates produced.

Following Hamdy and Möller, suppose that an algorithm with asymptotic running time $L_N[e, c]$ runs in time $t$ on input $N$. Then, the running time $t'$ of the algorithm on input $N'$ can be estimated using the equation
$$\frac{L_{N'}[e, c]}{L_N[e, c]} = \frac{t'}{t}. \qquad (1)$$
We can also use the equation to estimate an input $N'$ that will cause the algorithm to have running time $t'$, again given the time $t$ for input $N$.

The first step is to estimate the time required to factor the RSA numbers of the sizes recommended by NIST. The best algorithm for factoring large integers is the generalized number field sieve [22], whose asymptotic running time is heuristically $L_N[1/3, \sqrt[3]{64/9} + o(1)]$. To date, the largest RSA number factored is RSA-768, a 768 bit integer [21]. It is estimated in [21] that the total computation required about 2000 2.2 GHz Opteron-years, i.e., [MIPS-years figure illegible in this copy]. Using this estimate in conjunction with (1) yields the estimated running times to factor RSA moduli of the sizes recommended by NIST given in Table 4. When using this method, we use $N = 2^{768}$ and $N' = 2^b$, where $b$ is the bit length of the RSA moduli for which we compute a run time estimate.

The second step is to estimate the discriminant sizes for which the discrete logarithm problems require approximately the same running time. The results in Table 2 and Table 3 suggest that $L_N[1/2, 1 + o(1)]$ is a good estimate of the asymptotic running time for both algorithms. Thus, we use $L_N[1/2, 1]$ in (1), as ignoring the $o(1)$ results in a conservative under-estimate of the actual running time. For $N$ and $t$, we take the largest discriminant size in each table for which at least 10 instances of the discrete logarithm problem were run and the corresponding running time (in MIPS-years); thus we used 256 in the imaginary case and 230 in the real case. We take for $t'$ the target running time in MIPS-years. To convert the times in seconds from Table 2 and Table 3 to MIPS-years, we assume that the 2.4 GHz Xeon is rated at [MIPS figure illegible in this copy] MIPS. We then take the smallest $b$ for which $L_{2^b}[1/2, 1] > L_N[1/2, 1]\, t'/t$.

Our results are listed in Table 4. We list the size in bits of RSA moduli (denoted by "RSA"), discriminants of imaginary quadratic fields (denoted by "∆ (imaginary)"), and real quadratic fields (denoted by "∆ (real)") for which factoring and the quadratic field discrete logarithm problems all have the same estimated running time. For comparison purposes, we also list the discriminant sizes recommended in [14], denoted by "∆ (imaginary, old)." Note that these estimates were based on different equivalent MIPS-years running times, as the largest factoring effort at the time was RSA-512. In addition, they are based on an implementation of the imaginary quadratic field discrete logarithm algorithm from [17], which is slower than the improved version from this paper. Consequently, our security parameter estimates are slightly larger than those from [14]. We note also that the recommended discriminant sizes are slightly smaller in the real case, as the infrastructure discrete logarithm problem requires more time to solve on average than the discrete logarithm in the imaginary case.

It is possible to produce more accurate security parameter estimates by taking more factors into account as is done, for example, by Lenstra and Verheul [23], as well as using a more accurate performance measure than MIPS-years. However, our results nevertheless provide a good rough guideline on the required discriminant sizes that is likely sufficiently accurate in the inexact science of predicting security levels.

Table 4. Security parameter estimates (only the RSA-768 row is legible in this copy; the rows for the five NIST modulus sizes and the estimated run times did not survive extraction)

RSA   ∆ (imaginary, old)   ∆ (imaginary)   ∆ (real)   Est. run time (MIPS-years)
768   540                  640             634        (illegible)

It would also be of interest to conduct a new comparison of the efficiency of RSA as compared to the cryptosystems based on quadratic fields. Due to the differences in the asymptotic complexities of integer factorization and the discrete logarithm problems in quadratic fields, it is clear that there is a point where the cryptosystems based on quadratic fields will be faster than RSA. However, ideal arithmetic is somewhat more complicated than the simple integer arithmetic required for RSA, and in fact Hamdy's conclusion [13] was that even with smaller parameters, cryptography using quadratic fields was not competitive at the security levels of interest. There have been a number of recent advances in ideal arithmetic in both the imaginary and real cases (see, for example, [16] and [19]) that warrant revisiting this issue.
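The extrapolation procedure of this section, carried out in code as an added example that is not the authors' program: equation (1) with the number field sieve pair $(1/3, \sqrt[3]{64/9})$ extrapolates a reference factoring cost to the NIST modulus sizes, and the same equation with the quadratic-field pair $(1/2, 1)$ finds the smallest discriminant bit length whose discrete logarithm problem costs at least as much. The RSA-768 cost and the MIPS rating of the Xeon are placeholders; the 256-bit and 230-bit reference times are the Table 2 and Table 3 values the text names.

```python
# Added example (not the authors' code): security-parameter extrapolation
# with equation (1), L_{N'}[e,c] / L_N[e,c] = t'/t.  Sizes are handled as bit
# lengths b with N = 2^b, so log N = b*log(2) and no 15360-bit integers are
# formed.  The reference costs used in the demo (RSA-768 effort in MIPS-years,
# MIPS rating of the 2.4 GHz Xeon) are placeholders, not the paper's figures.
from math import exp, log

GNFS = (1 / 3, (64 / 9) ** (1 / 3))   # heuristic number field sieve exponent pair
QF = (1 / 2, 1.0)                      # conjectured quadratic-field run time, o(1) dropped

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def log_L(bits, e, c):
    """ln L_N[e,c] = c (ln N)^e (ln ln N)^(1-e) for N = 2^bits (bits >= 4)."""
    ln_n = bits * log(2)
    return c * ln_n ** e * log(ln_n) ** (1 - e)


def extrapolate_time(t_ref, bits_ref, bits_new, e, c):
    """Equation (1): t' = t * L_{N'}[e,c] / L_N[e,c], evaluated in the log domain."""
    return t_ref * exp(log_L(bits_new, e, c) - log_L(bits_ref, e, c))


def min_bits_for_time(t_target, t_ref, bits_ref, e, c, tol=1e-9):
    """Smallest b with L_{2^b}[e,c] >= L_{2^bits_ref}[e,c] * t_target / t_ref,
    i.e. the smallest input size whose cost extrapolated with (1) from the
    reference point reaches t_target.  Bisection works because log_L is
    increasing in b; tol absorbs floating-point noise at exact equality."""
    need = log_L(bits_ref, e, c) + log(t_target / t_ref)
    lo, hi = 4, 1 << 24
    while lo < hi:
        mid = (lo + hi) // 2
        if log_L(mid, e, c) >= need - tol:
            hi = mid
        else:
            lo = mid + 1
    return lo


def seconds_to_mips_years(seconds, mips):
    """A machine rated at `mips` MIPS running for `seconds` performs
    (seconds / year) * mips MIPS-years of work."""
    return seconds / SECONDS_PER_YEAR * mips


def security_table(rsa_sizes, rsa_ref_bits, rsa_ref_cost, qf_ref_bits, qf_ref_cost):
    """For each RSA modulus size: the factoring cost extrapolated with (1) from
    the reference factoring effort, and the discriminant bit length whose
    quadratic-field DLP, extrapolated from the measured reference point, costs
    at least as much.  All costs are in the unit of the two reference costs."""
    rows = []
    for b in rsa_sizes:
        cost = extrapolate_time(rsa_ref_cost, rsa_ref_bits, b, *GNFS)
        delta_bits = min_bits_for_time(cost, qf_ref_cost, qf_ref_bits, *QF)
        rows.append((b, cost, delta_bits))
    return rows


if __name__ == "__main__":
    RSA768_MIPS_YEARS = 1.0e7    # placeholder for the RSA-768 effort, not the paper's value
    XEON_MIPS = 5000.0           # placeholder MIPS rating for the 2.4 GHz Xeon
    # Measured reference points from Tables 2 and 3: 256-bit imaginary
    # discriminants took 22992.70 s on average, 230-bit real ones 5680.90 s.
    t_imag = seconds_to_mips_years(22992.70, XEON_MIPS)
    t_real = seconds_to_mips_years(5680.90, XEON_MIPS)
    nist = (1024, 2048, 3072, 7680, 15360)
    imag = security_table(nist, 768, RSA768_MIPS_YEARS, 256, t_imag)
    real = security_table(nist, 768, RSA768_MIPS_YEARS, 230, t_real)
    for (b, cost, di), (_, _, dr) in zip(imag, real):
        print(f"RSA-{b:5d}: ~{cost:.2e} MIPS-years -> "
              f"imaginary >= {di} bits, real >= {dr} bits")
```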
1. E. Bach, Explicit bounds for primality testing and related problems, Math. Comp. (1990), no. 191, 355–380.
2. D. Bernstein, How to find smooth parts of integers, submitted to Mathematics of Computation.
3. J.-F. Biasse, Improvements in the computation of ideal class groups of imaginary quadratic number fields, to appear in Advances in Mathematics of Communications, see .
4. J.-F. Biasse and M. J. Jacobson, Jr., Practical improvements to class group and regulator computation of real quadratic fields, 2010, to appear in ANTS 9.
5. J. Buchmann, A subexponential algorithm for the determination of class groups and regulators of algebraic number fields, Séminaire de Théorie des Nombres (Paris), 1988–89, pp. 27–41.
6. J. Buchmann and U. Vollmer, Binary quadratic forms: An algorithmic approach, Algorithms and Computation in Mathematics, vol. 20, Springer-Verlag, Berlin, 2007.
7. J. Buchmann and H. C. Williams, A key-exchange system based on imaginary quadratic fields, Journal of Cryptology (1988), 107–118.
8. J. Buchmann and H. C. Williams, A key-exchange system based on real quadratic fields, CRYPTO ’89, Lecture Notes in Computer Science, vol. 435, 1989, pp. 335–343.
9. S. Cavallar, Strategies in filtering in the number field sieve, ANTS-IV: Proceedings of the 4th International Symposium on Algorithmic Number Theory, Lecture Notes in Computer Science, vol. 1838, Springer-Verlag, 2000, pp. 209–232.
10. Z. Chen, A. Storjohann, and C. Fletcher, IML: Integer Matrix Library, available at , 2007.
11. H. Cohen and H. W. Lenstra, Jr., Heuristics on class groups of number fields, Number Theory, Lecture Notes in Math., vol. 1068, Springer-Verlag, New York, 1983, pp. 33–62.
12. J. L. Hafner and K. S. McCurley, A rigorous subexponential algorithm for computation of class groups, J. Amer. Math. Soc. (1989), 837–850.
13. S. Hamdy, Über die Sicherheit und Effizienz kryptografischer Verfahren mit Klassengruppen imaginär-quadratischer Zahlkörper, Ph.D. thesis, Technische Universität Darmstadt, Darmstadt, Germany, 2002.
14. S. Hamdy and B. Möller, Security of cryptosystems based on class groups of imaginary quadratic orders, Advances in Cryptology – ASIACRYPT 2000, Lecture Notes in Computer Science, vol. 1976, 2000, pp. 234–247.
15. D. Hühnlein, M. J. Jacobson, Jr., and D. Weber, Towards practical non-interactive public-key cryptosystems using non-maximal imaginary quadratic orders, Designs, Codes and Cryptography (2003), no. 3, 281–299.
16. L. Imbert, M. J. Jacobson, Jr., and A. Schmidt, Fast ideal cubing in imaginary quadratic number and function fields, to appear in Advances in Mathematics of Communication, 2010.
17. M. J. Jacobson, Jr., Computing discrete logarithms in quadratic orders, Journal of Cryptology (2000), 473–492.
18. M. J. Jacobson, Jr., R. Scheidler, and H. C. Williams, The efficiency and security of a real quadratic field based key exchange protocol, Public-Key Cryptography and Computational Number Theory (Warsaw, Poland), de Gruyter, 2001, pp. 89–112.
19. M. J. Jacobson, Jr., R. Scheidler, and H. C. Williams, An improved real quadratic field based key exchange procedure, Journal of Cryptology (2006), 211–239.
20. M. J. Jacobson, Jr. and H. C. Williams, Solving the Pell equation, CMS Books in Mathematics, Springer-Verlag, 2009, ISBN 978-0-387-84922-5.
21. T. Kleinjung, K. Aoki, J. Franke, A. K. Lenstra, E. Thomé, J. W. Bos, P. Gaudry, A. Kruppa, P. L. Montgomery, D. A. Osvik, H. te Riele, A. Timofeev, and P. Zimmermann, Factorization of a 768-bit RSA modulus, Eprint archive no. 2010/006, 2010.
22. A. K. Lenstra and H. W. Lenstra, Jr., The development of the number field sieve, Lecture Notes in Mathematics, vol. 1554, Springer-Verlag, Berlin, 1993.
23. A. K. Lenstra and E. Verheul, Selecting cryptographic key sizes, Proceedings of Public Key Cryptography 2000, Lecture Notes in Computer Science, vol. 1751, 2000, pp. 446–465.
24. M. Maurer, Regulator approximation and fundamental unit computation for real-quadratic orders, Ph.D. thesis, Technische Universität Darmstadt, Darmstadt, Germany, 2000.
25. National Institute of Standards and Technology (NIST), Recommendation for Key Management — Part 1: General (Revised), NIST Special Publication 800-57, March 2007, see: http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-57Part1_3-8-07.pdf.
26. U. Vollmer, Asymptotically fast discrete logarithms in quadratic number fields, Algorithmic Number Theory — ANTS-IV, Lecture Notes in Computer Science, vol. 1838, 2000, pp. 581–594.
27. U. Vollmer, An accelerated Buchmann algorithm for regulator computation in real quadratic fields, Algorithmic Number Theory — ANTS-V, Lecture Notes in Computer Science, vol. 2369, 2002, pp. 148–162.
28. U. Vollmer,