Publication
Featured research published by Detlef Hühnlein.
selected areas in cryptography | 2003
Detlef Hühnlein; Michael Jr. Jacobson; Damian Weber
We present a new non-interactive public-key distribution system based on the class group of a non-maximal imaginary quadratic order $Cl(\Delta_p)$. The main advantage of our system over earlier proposals based on $(\mathbb{Z}/n\mathbb{Z})^*$ [25,27] is that embedding id information into group elements in a cyclic subgroup of the class group is easy (straight-forward embedding into prime ideals suffices) and secure, since the entire class group is cyclic with very high probability. Computational results demonstrate that a key generation center (KGC) with modest computational resources can set up a key distribution system using reasonably secure public system parameters. In order to compute discrete logarithms in the class group, the KGC needs to know the prime factorization of $\Delta_p = \Delta_1 p^2$. We present an algorithm for computing discrete logarithms in $Cl(\Delta_p)$ by reducing the problem to computing discrete logarithms in $Cl(\Delta_1)$ and either $\mathbb{F}_p^*$ or $\mathbb{F}_{p^2}^*$. Our algorithm is a specific case of the more general algorithm used in the setting of ray class groups [5]. We prove—for arbitrary non-maximal orders—that this reduction to discrete logarithms in the maximal order and a small number of finite fields has polynomial complexity if the factorization of the conductor is known.
theory and application of cryptographic techniques | 1998
Detlef Hühnlein; Michael J. Jacobson; Sachar Paulus; Tsuyoshi Takagi
We introduce a new cryptosystem with trapdoor decryption based on the difficulty of computing discrete logarithms in the class group of the nonmaximal imaginary quadratic order $\mathcal{O}_{\Delta_q}$, where $\Delta_q = \Delta q^2$, $\Delta$ square-free and $q$ prime. The trapdoor information is the conductor $q$. Knowledge of this trapdoor information enables one to switch to and from the class group of the maximal order $\mathcal{O}_\Delta$, where the representatives of the ideal classes have smaller coefficients. Thus, the decryption procedure may be performed in the class group of $\mathcal{O}_\Delta$ rather than in the class group of the public $\mathcal{O}_{\Delta_q}$, which is much more efficient. We show that inverting our proposed cryptosystem is computationally equivalent to factoring the non-fundamental discriminant $\Delta_q$, which is intractable for a suitable choice of $\Delta$ and $q$. We also describe how signature schemes in $\mathcal{O}_{\Delta_q}$ may be set up using this trapdoor information. Furthermore, we illustrate how one may embed key escrow capability into classical imaginary quadratic field cryptosystems.
international cryptology conference | 1999
Detlef Hühnlein; Tsuyoshi Takagi
We discuss the discrete logarithm problem over the class group $Cl(\Delta)$ of an imaginary quadratic order $\mathcal{O}_\Delta$, which was proposed as a public-key cryptosystem by Buchmann and Williams [8]. While in the meantime there has been found a subexponential algorithm for the computation of discrete logarithms in $Cl(\Delta)$ [16], this algorithm only has running time $L_\Delta[1/2,c]$ and is far less efficient than the number field sieve with $L_p[1/3,c]$ to compute logarithms in $\mathbb{F}_p^*$. Thus one can choose smaller parameters to obtain the same level of security. It is an open question whether there is an $L_\Delta[1/3,c]$ algorithm to compute discrete logarithms in arbitrary $Cl(\Delta)$. In this work we focus on the special case of totally non-maximal imaginary quadratic orders $\mathcal{O}_{\Delta_p}$ such that $\Delta_p = \Delta_1 p^2$ and the class number of the maximal order $h(\Delta_1) = 1$, and we will show that there is an $L_{\Delta_p}[1/3,c]$ algorithm to compute discrete logarithms over the class group $Cl(\Delta_p)$. The logarithm problem in $Cl(\Delta_p)$ can be reduced in (expected) $O(\log^3 p)$ bit operations to the logarithm problem in $\mathbb{F}_p^*$ (if $(\Delta_1/p) = 1$) or $\mathbb{F}_{p^2}^*$ (if $(\Delta_1/p) = -1$) respectively. This result implies that the recently proposed efficient DSA-analogue in totally non-maximal imaginary quadratic order $\mathcal{O}_{\Delta_p}$ [21] is only as secure as the original DSA scheme based on finite fields and hence loses much of its attractiveness.
public key cryptography | 2000
Detlef Hühnlein; Johannes Merkle
Recently there was proposed a novel public key cryptosystem [17] based on non-maximal imaginary quadratic orders with quadratic decryption time. This scheme was later on called NICE for New Ideal Coset Encryption [6]. First implementations show that the decryption is as efficient as RSA-encryption with $e = 2^{16}+1$. It was an open question whether it is possible to construct comparably efficient signature schemes based on non-maximal imaginary quadratic orders. The major drawbacks of the ElGamal-type [7] and RSA/Rabin-type signature schemes [8] proposed so far are the slow signature generation and the very inefficient system setup, which involves the computation of the class number $h(\Delta_1)$ of the maximal order with a subexponential time algorithm. To avoid this tedious computation it was proposed to use totally non-maximal orders, where $h(\Delta_1) = 1$, to set up DSA analogues. Very recently however it was shown in [10], that the discrete logarithm problem in this case can be reduced to finite fields and hence there seems to be no advantage in using DSA analogues based on totally non-maximal orders.
selected areas in cryptography | 2000
Detlef Hühnlein; Sachar Paulus
Cryptosystems based on the discrete logarithm problem in the infrastructure of a real quadratic number field [7],[19],[2] are very interesting from a theoretical point of view, because this problem is known to be at least as hard as, and when considering today's algorithms - as in [11] - much harder than, factoring integers. However it seems that the cryptosystems sketched in [2] have not been implemented yet and consequently it is hard to evaluate the practical relevance of these systems. Furthermore as [2] lacks any proofs regarding the involved approximation precisions, it was not clear whether the second communication round, as required in [7],[19], really could be avoided without substantial slowdown. In this work we will prove a bound for the necessary approximation precision of an exponentiation using quadratic numbers in power product representation and show that the precision given in [2] can be lowered considerably. As the highly space consuming power products cannot be applied in environments with limited RAM, we will propose a simple (CRIAD-) arithmetic which entirely avoids these power products. Besides the obvious savings in terms of space this method is also about 30% faster. Furthermore one may apply more sophisticated exponentiation techniques, which finally result in a ten-fold speedup compared to [2]. (CRIAD is an abbreviation for Close Reduced Ideal and Approximated relative Distance.)
selected areas in cryptography | 2000
Detlef Hühnlein; Michael J. Jacobson; Damian Weber
We present a new non-interactive public key distribution system based on the class group of a non-maximal imaginary quadratic order $Cl(\Delta_p)$. The main advantage of our system over earlier proposals based on $(\mathbb{Z}/n\mathbb{Z})^*$ [19],[21] is that embedding id information into group elements in a cyclic subgroup of the class group is easy (straight-forward embedding into prime ideals suffices) and secure, since the entire class group is cyclic with very high probability. In order to compute discrete logarithms in the class group, the KGC needs to know the prime factorization of $\Delta_p = \Delta_1 p^2$. We present an algorithm for computing discrete logarithms in $Cl(\Delta_p)$ by reducing the problem to computing discrete logarithms in $Cl(\Delta_1)$ and either $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$. We prove that a similar reduction works for arbitrary non-maximal orders, and that it has polynomial complexity if the factorization of the conductor is known.
european public key infrastructure workshop | 2004
Detlef Hühnlein
In this work we will show how non-qualified electronic signatures and time stamps can be efficiently enhanced in order to equip them with similar features as qualified ones. In particular we will show how non-qualified electronic signatures can be used in business processes which require the written form. Furthermore we will show how to construct "interval-qualified" (IQ) time stamps which may serve as cost efficient alternative to qualified time stamps issued by a trusted authority. An IQ time stamp issued at time $t_i$ is linked to two qualified time stamps issued at time $T_1$ and $T_2$, in a way that one is able to prove that $T_1$
Archive | 2012
Detlef Hühnlein; Johannes Schmölz; Tobias Wich; Moritz Horsch
With the introduction of the new German identity card (neuer Personalausweis), the electronic proof of identity pursuant to § 18 PAuswG has in particular been made possible, with which card holders can prove their identity electronically to public and non-public bodies. In an analogous manner, other smart cards, such as the electronic health card or bank and signature cards, can also be used for secure authentication and smart-card-based proof of identity. So that state-of-the-art measures for ensuring data protection and data security can be provided in each case, this contribution considers the typical threats, risks and security aspects of smart-card-based proof of identity in a systematic manner.
Lecture Notes in Computer Science | 1999
Detlef Hühnlein; Johannes Merkle
selected areas in cryptography | 1999
Detlef Hühnlein