Hugh C. Williams

A

Let N have a prime divisor p such that p + 1 has only small prime divisors. A method is described which will allow for the determination of p, given N. This method is analogous to the p — 1 method of factoring which was described in 1974 by Pollard. The results of testing this method on a large number of composite numbers are also presented.

p+1

We describe another key-exchange system which, while based on the general idea of the well-known scheme of Diffie and Hellman, seems to be more secure than that technique. The new system is based on the arithmetic of an imaginary quadratic field, and makes use, specifically, of the properties of the class group of such a field.

method of factoring

We show how the theory of real quadratic congruence function fields can be used to produce a secure key distribution protocol. The technique is similar to that advocated by Diffie and Hellman in 1976, but instead of making use of a group for its underlying structure, makes use of a structure which is “almost” a group. The method is an extension of the recent ideas of Scheidler, Buchmann and Williams, but, because it is implemented in these function fields, several of the difficulties with their protocol can be eliminated. A detailed description of the protocol is provided, together with a discussion of the algorithms needed to effect it.

A key-exchange system based on imaginary quadratic fields

Let O be a real quadratic order of discriminant Δ. For elements α in O we develop a compact representation whose binary length is polynomially bounded in log log H(α), log N(α) and log Δ where H(α) is the height of α and N(α) is the norm of α. We show that using compact representations we can in polynomial time compute norms, signs, products, and inverses of numbers in O and principal ideals generated by numbers in O. We also show how to compare numbers given in compact representation in polynomial time.

Key-Exchange in Real Quadratic Congruence Function Fields

In 1976 Diffie and Hellman first introduced their well-known key-exchange protocol which is based on exponentiation in the multiplicative group GF(p)* of integers relatively prime to a large primep (see [8]). Since then, this scheme has been extended to numerous other finite groups. Recently, Buchmann and Williams [2] introduced a version of the Diffie-Hellman protocol which uses the infrastructure of a real quadratic field. Theirs is the first such system not to require an underlying group structure, but rather a structure which is “almost” like that of a group. We give here a more detailed description of this scheme as well as state the required algorithms and considerations for their implementation.

Short Representation of Quadratic Integers

It is well known that the RSA public-key cryptosystem can be broken if the composite modulus can be factored. It is nor known, however, whether the problem of breaking any RSA system is equivalent in difficulty to factoring the modulus. In 1979 Rabin [5] introduced a public-key cryptosystem which is as difficult to break as it is to factor a modulus R=p1p2, where p1p2 are two distinct large primes. Esaentially Rabin suggested that the designer of such a scheme first determine p1 and p2, keep them secret and make R public. Anyone wishing to send a secure message H (0 < M < R ) to the designer would encrypt M as K , where

An M 3 public-key encryption scheme

K \equiv M^2 (\bmod R)

Some remarks concerning the M.I.T. public-key cryptosystem

and 0 < K < R, then transmit K to the designer.