A Signature Scheme Based on the Intractability of Computing Roots

Ingrid Biehl, Johannes Buchmann, Safuat Hamdy, Andreas Meyer

February 22, 2000

Abstract

We present RDSA, a variant of the DSA signature scheme, whose security is based on the intractability of extracting roots in a finite abelian group. We prove that RDSA is secure against an adaptively chosen message attack in the random oracle model if and only if computing roots in the underlying group is intractable. We report on a very efficient implementation of RDSA in the class group of imaginary quadratic orders. We also show how to construct class groups of algebraic number fields of degree > 2 in which RDSA can be implemented.

1 Introduction

Many protocols of public key cryptography can be securely implemented in a finite abelian group which satisfies the following properties:

1. There are efficient public algorithms for multiplication, inversion, and equality testing of group elements.
2. The group order is publicly known.
3. The discrete logarithm problem in the group is intractable.

Examples are the multiplicative group of a finite field and the group of points of an elliptic curve over a finite field. In [3] and [2] the use of class groups of algebraic number fields in cryptography was suggested. While those groups satisfy the first and the third of the above conditions, no efficient algorithm for computing their order is known. Therefore, protocols which require the knowledge of the group order cannot be implemented in class groups. It is in particular unclear how to implement efficient signature algorithms, such as the DSA, ElGamal, and Schnorr schemes [9, 8, 18], in those groups. This is very unfortunate since the intractability of the discrete logarithm problem in number fields (NFDL) appears to be an alternative basis for secure cryptographic protocols: the best known algorithms require the solution of an index calculus problem and many shortest vector problems in lattices. The running time of the best known algorithms for solving those problems is exponential in the degree of the number field and subexponential in the binary length of its discriminant.

In this paper we present RDSA, a modification of the DSA signature scheme, which can be implemented in a finite abelian group G of unknown order. The security of RDSA is based on


the root problem: given a prime number p which does not divide the order of G and a group element β, find the pth root of β. We prove that RDSA is secure against an adaptively chosen message attack if and only if the root problem is intractable. We also present a polynomial time reduction of the root problem to the problem of computing non-zero integer multiples of the order of a group element (order problem). This means that the intractability of computing the group order, which gave rise to the construction of RDSA, is a necessary condition for the security of RDSA. We also give a polynomial time reduction from the order problem to the discrete logarithm problem in G.

One candidate for implementing RDSA is the class group of an algebraic number field. All known algorithms for solving the root problem in class groups require the solution of the order problem, and the order problem in class groups appears to be intractable. We present implementations of RDSA in class groups of imaginary quadratic number fields. Their efficiency is comparable to the efficiency of the RSA signature protocol. We also show how to construct algebraic number fields of degree > 2 whose class groups can be used to implement RDSA.

In an analogous way it is possible to modify the Schnorr signature scheme [18] in such a way that it can be implemented in groups of unknown order. Moreover, the Guillou-Quisquater scheme [10], whose security is based on the difficulty of the root problem in the primitive residue class group modulo an RSA modulus, can be easily generalized to groups in which the order problem is intractable. This will be discussed in future papers.

The paper is organized as follows: In Section 2 we present the general description of the groups in which we are working. Section 3 contains the description of RDSA. In Section 4 we discuss the security of RDSA. We give polynomial time reductions of the root problem to the order problem and of the order problem to the discrete logarithm problem. We also prove that the protocols are secure against adaptively chosen message attacks if and only if the root problem is intractable in the underlying group. In Section 5 we present experimental data which show that our protocols can be very efficiently implemented in class groups of imaginary quadratic fields. We also explain how to construct algebraic number fields of degree > 2 whose class groups can be used to implement our protocols.

2 The group

In this paper G is a finite abelian group written multiplicatively with neutral element 1_G. We assume that the group elements are represented as bit strings and that we have

- an oracle for choosing random elements from G with uniform distribution,
- an oracle that, given two elements α, β ∈ G, decides whether or not α = β,
- an oracle that, given two elements α, β ∈ G, returns the product αβ,
- an oracle that, given an element α ∈ G, returns the inverse α^{-1} ∈ G.

By a group operation we mean a query to one of the last three oracles. Using the oracle for multiplication, fast exponentiation of group elements can be implemented using standard techniques (cf. [15, Chap. 14]).


We also assume that we know the order of magnitude of the group order |G|, i.e. a positive integer L with L ≤ |G| ≤ 2L. We do not assume that the group order is known. In fact, in order for RDSA to be secure, the computation of |G| must be intractable (see Sect. 4).

3 RDSA

In this section we present RDSA, a modification of the DSA signature scheme which does not require the knowledge of the order of the group G. In the description A is the signer, B is the verifier, and M ∈ {0,1}* is the message to be signed. Moreover, for x, y ∈ {0,1}* we denote by x‖y the concatenation of x and y. We assume that for positive integers s, t with s ≤ t we can choose random numbers with uniform distribution from {s, s + 1, ..., t}. We also use cryptographic hash functions which map strings in {0,1}* to {0, 1, ..., p − 1} for some positive integer p.

The idea is the following. DSA requires the knowledge of the order |G| and of a large prime divisor p of |G|. The group order is used to project group elements into the subgroup of order p. The signature s of the message M is obtained by reducing x = k^{-1}(h(M) + ar) modulo p, where k, M, a, r have the usual meaning (e.g. see [15, Sect. 11.5]). The verification works because γ^s = γ^x for any element γ in the subgroup of order p. The reduction of x mod p is important for the security of the protocol: without this reduction an attack is possible which uses the Chinese remainder theorem.

Since we do not know a large divisor of |G|, we select a random prime p which determines the size of the exponents used in RDSA. The signature s is determined by reducing some exponent x modulo p. As in DSA, the verifier obtains s. He is also able to compute the group element δ = γ^x for some γ ∈ G without knowing x. But now γ^x ≠ γ^s in general. Hence the verification γ^s = δ does not work anymore. In order to make the verification work, the signer divides x with remainder by p, i.e. he writes

x = ℓp + s, 0 ≤ s < p. (1)

In addition to s the verifier receives λ = γ^ℓ. Now he can verify that γ^x = δ = γ^s λ^p. Since λ is the pth root of δγ^{-s}, computing pth roots must be intractable; otherwise anybody can compute a group element λ which makes the verification work. We now present RDSA.

1. System setup. A randomly selects an element γ ∈ G and a prime p. A randomly selects an integer a with 1 < a < p and computes α = γ^a. A's public key is (G, γ, α, p), the private key is a.

2. Signature. A randomly selects an integer k such that 0 ≤ k < p. A computes ϱ = γ^k. A computes x = a + k·h(M‖ϱ). A computes nonnegative integers s and ℓ such that x = ℓp + s with 0 ≤ s < p. A computes λ = γ^ℓ. The signature of the message M is S = (s, ϱ, λ).

3. Verification. B accepts if and only if 1 ≤ s < p and γ^s = α ϱ^{h(M‖ϱ)} λ^{-p}.


Theorem 1

If A and B follow the protocol, then the verification of the ElGamal signature scheme as given succeeds.

Proof: We have α ϱ^{h(M‖ϱ)} λ^{-p} = γ^a γ^{k·h(M‖ϱ)} γ^{-ℓp} = γ^{a + k·h(M‖ϱ) − ℓp} = γ^s. □

Theorem 2

If an attacker is able to solve the root problem in polynomial time, then he can forge valid RDSA signatures for any message in polynomial time without knowing the secret key.

Proof: Since p is chosen randomly, the probability for p to divide |G| is negligible. Given γ, α, and M, the attacker arbitrarily selects ϱ ∈ G and s ∈ {0, ..., p − 1} and computes h(M‖ϱ). He computes λ, the pth root of α ϱ^{h(M‖ϱ)} γ^{-s}. Then (s, ϱ, λ) is a valid RDSA signature of M. □

Computing an RDSA signature requires two exponentiations in G. The verification takes three exponentiations. The signature consists of one integer and two group elements.
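The setup, signing and verification steps of Section 3, as an added walk-through written for this page (not the authors' implementation). A group of unknown order is stood in for by the multiplicative group modulo a constructed RSA-type modulus N; the parameter values N, P, L, the SHA-256 hash construction and the Python names are assumptions of the example, and k is drawn from {0, ..., pL² − 1} as in the relaxed variant of Section 4.2.

```python
"""RDSA walk-through in a stand-in group of 'unknown' order.

Group: (Z/NZ)^* for a constructed N = 1000003 * 1000033. Signer and
verifier only multiply, invert and compare group elements; the group
order phi(N) is never used. N, P and L are constructed demo parameters.
"""
import hashlib
import math
import secrets

N = 1000003 * 1000033   # constructed modulus; |G| = phi(N) stays unused below
P = 1_000_000_007       # constructed prime p; larger than both prime factors, so p does not divide |G|
L = 1 << 39             # order of magnitude of |G|: L <= phi(N) <= 2L (phi(N) is about 2^39.9)
K = P * L * L           # relaxed range for k (Section 4.2): k uniform in {0, ..., K-1}


def hash_to_exponent(message: bytes, rho: int) -> int:
    """h(M || rho) with values in {1, ..., p-1}; SHA-256 stands in for the random oracle."""
    digest = hashlib.sha256(message + b"||" + rho.to_bytes(8, "big")).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 1)


def keygen():
    """System setup: base gamma, private a with 1 < a < p, public alpha = gamma^a."""
    while True:
        gamma = 2 + secrets.randbelow(N - 3)
        if math.gcd(gamma, N) == 1:          # keep gamma inside the group (Z/NZ)^*
            break
    a = 2 + secrets.randbelow(P - 2)         # 1 < a < p
    alpha = pow(gamma, a, N)
    return (gamma, alpha), a


def sign(public_key, a: int, message: bytes):
    """Signature: rho = gamma^k, x = a + k*h(M||rho), x = ell*p + s, lam = gamma^ell."""
    gamma, _alpha = public_key
    while True:
        k = secrets.randbelow(K)
        rho = pow(gamma, k, N)
        h = hash_to_exponent(message, rho)
        x = a + k * h                        # x is never reduced modulo the (unknown) group order
        ell, s = divmod(x, P)                # x = ell*p + s with 0 <= s < p
        if s != 0:                           # the verifier rejects s = 0; retrying is this example's choice
            break
    lam = pow(gamma, ell, N)
    return s, rho, lam


def verify(public_key, message: bytes, signature) -> bool:
    """Verification: 1 <= s < p and gamma^s == alpha * rho^h(M||rho) * lam^(-p)."""
    gamma, alpha = public_key
    s, rho, lam = signature
    if not 1 <= s < P:
        return False
    h = hash_to_exponent(message, rho)
    lhs = pow(gamma, s, N)
    rhs = alpha * pow(rho, h, N) * pow(lam, -P, N) % N   # negative exponent = modular inverse
    return lhs == rhs


def demo():
    """Sign a constructed message, then check a genuine, a tampered and a wrong-lambda case."""
    public_key, a = keygen()
    message = b"transfer 10 EUR to account 42"     # constructed sample message
    s, rho, lam = sign(public_key, a, message)
    genuine = verify(public_key, message, (s, rho, lam))
    tampered = verify(public_key, b"transfer 9999 EUR to account 42", (s, rho, lam))
    wrong_lambda = verify(public_key, message, (s, rho, lam * lam % N))  # lam^2 is not the needed p-th root
    return genuine, tampered, wrong_lambda
```

The verifier never sees ℓ or x; only λ = γ^ℓ, whose pth power repairs the gap between γ^x and γ^s, which is exactly why the ability to compute pth roots (Theorem 2) would let anyone produce a fitting λ.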

4 Security

In this section we discuss the security of RDSA. We first discuss the difficulty of the root problem. Then we show that RDSA is secure against an adaptively chosen message attack in the random oracle model if and only if the root problem in the underlying group is intractable.

4.1 The difficulty of the root problem

We let G be a finite abelian group and consider the following problems:

Root problem: Given a prime number p which does not divide the order |G| of G and an element β of G, find a pth root of β, i.e. an element of G whose pth power is β.

Order problem: Given an element β of G, find a non-zero multiple of the order of β.

Discrete logarithm problem: Given elements α and β of G, find a non-negative integer k with α^k = β.

In Theorem 2 we have shown that the security of RDSA requires the intractability of the root problem. The original motivation for the invention of RDSA was the intractability of the order problem in class groups of algebraic number fields. Also, the security of RDSA is related to the difficulty of the discrete logarithm problem. The next theorem describes the relationship between those problems.

Theorem 3

There are polynomial time reductions from the root problem to the order problem and from the order problem to the discrete logarithm problem.

Proof: We present a polynomial time reduction of the root problem to the order problem. Let p be a prime which does not divide the order of G and let β ∈ G. To compute the uniquely determined pth root of β we compute a non-zero multiple n of the order of β. As long as p divides n we replace n by n/p. Since p does not divide the order of G, the resulting n is still a


multiple of the order of β, and p does not divide n. We use the extended Euclidean algorithm to compute an integer x with px ≡ 1 mod n. Then (β^x)^p = β, and therefore β^x is the pth root of β.

Next, we present a polynomial time reduction from the order problem to the discrete logarithm problem. Let β ∈ G. We want to find a non-zero multiple of the order of β. We compute a discrete logarithm x ≥ 0 of β^{-1} to the base β. Then β^{x+1} = 1. Hence x + 1 is a positive multiple of the order of β. □

How difficult is the root problem? All known algorithms which solve the root problem in any group require the solution of the order problem. One such algorithm is described in the proof of Theorem 3. The order problem can only be difficult if the order of random elements in G is large with very high probability. The next theorem shows that this is true if |G| has a large prime divisor. By ord_G(β) we denote the order of an element β of the group G.

Theorem 4

Let |G| = ∏_p p^{e(p)} be the prime factorization of |G|. Then the probability for p to divide the order of a random element of G is 1 − 1/p^{e(p)}.

Proof: Let F be the set of prime divisors of |G|. By the fundamental theorem on finite abelian groups any β ∈ G has a unique representation β = ∏_{p∈F} β_p where the order of β_p is a power of p. The order of β is divisible by p if and only if β_p ≠ 1_G. The number of elements ≠ 1_G in G whose order is a power of p is p^{e(p)} − 1. Therefore, the number of elements β ∈ G whose order is divisible by p is (p^{e(p)} − 1) ∏_{q≠p} q^{e(q)} = |G| − |G|/p^{e(p)}. This implies the assertion. □

We give an example. Suppose that |G| has a prime divisor p with p ≥ 2^160. Then the probability for the order of a randomly chosen group element to be divisible by that prime is at least 1 − 2^{−160}, which is almost 1.
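The two reductions in the proof of Theorem 3 (discrete logarithm oracle → order multiple → pth root), as an added worked example written for this page, not the authors' code. The toy group (Z/NZ)^* with a constructed N = 101·103 is small enough for a baby-step giant-step discrete logarithm to play the role of the DL oracle; the function names and the modulus are the example's own choices.

```python
"""Theorem 3 reductions in a toy group: DL oracle -> order multiple -> p-th root.

Group: (Z/NZ)^* for constructed N = 101 * 103, so |G| = 100 * 102 = 10200.
Baby-step giant-step stands in for the discrete-logarithm oracle.
"""
import math

N = 101 * 103        # constructed toy modulus; |G| = 10200 = 2^3 * 3 * 5^2 * 17


def mul(a: int, b: int) -> int:
    return a * b % N


def inv(a: int) -> int:
    return pow(a, -1, N)


def discrete_log(base: int, target: int, bound: int):
    """Baby-step giant-step: some x in [0, bound) with base^x == target, or None."""
    m = math.isqrt(bound) + 1
    baby = {}
    cur = 1
    for j in range(m):                       # baby steps: base^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = mul(cur, base)
    giant = inv(pow(base, m, N))             # base^(-m)
    cur = target
    for i in range(m):                       # giant steps: target * base^(-i*m)
        if cur in baby:
            return i * m + baby[cur]
        cur = mul(cur, giant)
    return None


def order_multiple_from_dl(beta: int) -> int:
    """Order problem via the DL oracle: x with beta^x = beta^(-1) gives beta^(x+1) = 1."""
    x = discrete_log(beta, inv(beta), 2 * N)   # any bound above |G| = phi(N) < N suffices
    return x + 1


def pth_root_from_order_multiple(beta: int, p: int, n: int) -> int:
    """Root problem via an order multiple n: strip p from n, then x = p^(-1) mod n, root = beta^x."""
    while n % p == 0:
        n //= p
    x = pow(p, -1, n)                        # p*x == 1 mod n (extended Euclidean algorithm)
    root = pow(beta, x, N)
    if pow(root, p, N) != beta:              # can only happen when p divides the order of beta
        raise ValueError("p divides the order of beta; the reduction needs p coprime to |G|")
    return root


def pth_root(beta: int, p: int) -> int:
    """Full chain of Theorem 3: DL oracle -> order multiple -> p-th root."""
    return pth_root_from_order_multiple(beta, p, order_multiple_from_dl(beta))
```

In a class group the DL and order oracles are what the attacker lacks; here they are emulated by brute force, which is feasible only because |G| has 14 bits.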

4.2 Breaking RDSA and the order problem are equivalent

In this section we show that RDSA is secure against an adaptively chosen message attack in the random oracle model if and only if the root problem in the underlying group is intractable. We consider a family of groups G of increasing group order. The size of the representation of a group element is bounded by a polynomial in the logarithm of the group order. An algorithm is called a polynomial time algorithm if the number of group operations executed by this algorithm is bounded by a polynomial in log |G|. As in the random oracle model, we assume that our hash functions are random functions.

We first note that if we do not use the random oracle h (i.e. if we replace h(M‖ϱ) by M), then the following existential forgeries are possible. They are variants of the forgeries from [17].

1. The one-parameter forgery: Let y ∈ {0, ..., p − 1} be randomly chosen. Let ϱ = αγ^y, M ≡ −1 mod p, s = −y mod p, and ℓ_M = (M + 1)/p. Then with λ = ϱ^{ℓ_h} the triple (ϱ, s, λ) is a valid signature for the message M.

2. The two-parameter forgery: Let x ∈ {1, ..., p − 1} and y ∈ {0, ..., p − 1} be randomly chosen. Let ϱ = α^x γ^y, M ≡ −x^{-1} mod p, s = −x^{-1}y mod p, ℓ_M = (Mx + 1)/p, ℓ_s = (My − s)/p. Then with λ = α^{ℓ_M} γ^{ℓ_s} the triple (ϱ, s, λ) is a valid signature for the message M.

In the following we assume that the values of the hash functions are in {1, 2, ..., p − 1}. We first show that RDSA is secure against existential forgery with a no-message attack in the sense of [17].

Lemma 5

Consider a no-message attack in the random oracle model. Probabilities are taken over random tapes, random oracles and public keys. If an existential forgery has non-negligible probability of success, then the root problem can be solved in polynomial time.

Proof: Suppose we want to solve the root problem for (G, p, δ). Choose β = δ^b for some random 1 < b < pL² and set γ = β^p. Assume that an attacker can create with non-negligible probability correct signatures with respect to the public signature key (G, p, γ, δ), i.e. with α = δ, using a no-message attack. Then the forking lemma in [17] proves that the attacker can create with non-negligible probability two different valid signatures (M, ϱ, h, s, λ) and (M, ϱ, h', s', λ') for some h ≠ h' using the same random tape. Let O denote the order of γ and ℓ resp. ℓ' the discrete logarithm of λ resp. λ' w.r.t. γ. Since γ^s = α ϱ^h λ^{-p} and γ^{s'} = α ϱ^{h'} (λ')^{-p} we have

sh' − s'h ≡ a(h' − h) + p(ℓh' − ℓ'h) mod O. (2)

Let w ≡ (h' − h)^{-1} mod p, then w(h' − h) = 1 + pℓ_w. Multiply (2) by w and let w(sh' − s'h) = v + pℓ_v such that 0 ≤ v < p. Then

a ≡ v + pℓ_v − apℓ_w − pw(ℓh' − ℓ'h) mod O. (3)

With λ̃ = γ^{ℓ_v} α^{-ℓ_w} λ^{-h'w} (λ')^{hw} we get δ = γ^v λ̃^p = (β^v λ̃)^p. Thus δ^{bv} λ̃ is a pth root of δ. □

The next step is to prove the security of RDSA against adaptively chosen message attacks. A usual method to prove this is to show that the signer can be simulated by a simulator Turing machine which generates an indistinguishable output distribution. If there is such a simulator, then there is no need for an attacker to use the signer as an oracle for the creation of new signatures, since he can simply use the simulator. The new attacker consists of the old attacker and the simulator as a subroutine. It forms a probabilistic Turing machine that creates an output distribution using a no-message attack (since the signer is not used) which is indistinguishable from the output distribution of the adaptively chosen message attack. By Lemma 5 such an existential forgery using a no-message attack is infeasible if the root problem is infeasible. Thus it is sufficient to prove the existence of a simulator for the signer in order to prove the unforgeability under an adaptively chosen message attack.

We explain the construction of the simulator in more detail. Let R = {1, γ¹, γ², γ³, ..., γ^{p−1}}. If A follows the protocol, then ϱ ∈ R, and each element of R will occur for some k. Now consider the one-parameter forgery. Here ϱ = γ^{y+a}, thus a hypothetical k may be larger than p − 1 and therefore ϱ ∉ R. If a and y are uniform random numbers, then k < p will occur with probability 1/2. In the two-parameter forgery the discrepancy is even more extreme, since here k = ax + y. Therefore, if it is impossible to determine whether ϱ ∈ R for a given ϱ, then a forged RDSA signature seems to be distinguishable from a legitimate RDSA signature. In order to get provable (statistical) indistinguishability, we must relax the conditions on k in the signature step: Let K = pL². Instead of requiring 0 ≤ k < p we let 0 ≤ k < K.


Lemma 6

Let L be an integer such that L ≤ |G| ≤ 2L, and let K = pL². If in the RDSA signature scheme k is uniformly chosen in {1, 2, ..., K − 1}, then a simulator using the two-parameter forgery with 0 ≤ y < K will generate pairs (h, ϱ) with a distribution which is polynomially indistinguishable from the distribution of pairs (h, ϱ) generated by the signer.

Proof: We show that the output distribution of the above simulator is indistinguishable from that of the signer if for any message M and any element ϱ each value h appears as output of the random oracle with the same probability, provided that k, y were uniformly distributed in {0, ..., K − 1}.

At first, for simplicity, we assume that K is equal to p|G| (i.e. signer and simulator randomly choose integers 0 ≤ k < p|G| resp. 0 ≤ y < p|G| uniformly distributed). Then for each value s, ϱ, h there is a uniquely determined λ such that λ^p = α ϱ^h γ^{-s}. The probability for the signer to output the 4-tuple (ϱ, h, s, λ) is 1/(p − 1) · 1/K, since each value h appears with equal probability, i.e. 1/(p − 1), and there are p values k = k_0 + d|G| (0 ≤ k_0 < |G|) which lead to ϱ, but only for a uniquely determined 0 ≤ d < p we have s = a + kh = a + k_0 h + dh|G| mod p; i.e. k is uniquely determined and appears with probability 1/K. Similarly, the probability that the simulator outputs (ϱ, h, s, λ) is 1/(p − 1) · 1/K: the value of 0 < x < p is determined by h, since h = −x^{-1} mod p. But there are p values y = y_0 + d|G| (0 ≤ y_0 < |G|, 0 ≤ d < p) which the simulator may have chosen such that α^x γ^y = ϱ. Given s and h we know that y = h^{-1} s mod p; thus there is exactly one y and one x the simulator may have chosen to output the given 4-tuple. Note that there is a unique correspondence between such a 4-tuple and a value 0 ≤ k < p|G|, resp. a pair (x, y) with 0 < x < p, 0 ≤ y < p|G|. Thus, under our simplifying assumption K = p|G|, the output distributions of the signer and the simulator are identical, i.e. the statistical difference Δ_{p|G|} = 0.

Since |G| is not known, we have chosen a different value K = pL², where L is an approximation for |G|. Then there are uniquely determined 0 < v and 0 < B < p|G| such that pL² = vp|G| + B. Then the signer will produce the 4-tuples with corresponding k satisfying 0 ≤ k ≤ B with probability (v + 1)/(pL²) and 4-tuples with corresponding k satisfying B < k < p|G| with probability v/(pL²). Thus the statistical difference between the probabilities created by the signer under K = p|G| and under K = pL² is

Δ_sig = (B + 1) · |(v + 1)/(pL²) − 1/(p|G|)| + (p|G| − B − 1) · |1/(p|G|) − v/(pL²)|.

Since pL² ≥ vp|G| we get (v + 1)/(pL²) − 1/(p|G|) ≤ 1/(pL²). Since pL² ≤ (v + 1)p|G| we get 1/(p|G|) − v/(pL²) ≤ 1/(pL²). Thus

Δ_sig ≤ (B + 1)/(pL²) + (p|G| − B − 1)/(pL²) = p|G|/(pL²) = |G|/L² ≤ 4/|G|

since L ≤ |G| ≤ 2L. Thus this value is negligible. By the identical argument one sees that the simulator's output distributions for K = p|G| and for K = pL² are statistically indistinguishable (call that difference Δ_sim). Thus by the triangle inequality one gets as an upper bound for the statistical difference Δ between the output distributions of the simulator and the signer, both under K = pL², the sum Δ ≤ Δ_sim + Δ_{p|G|} + Δ_sig, which is negligible. □


Theorem 7

If an existential forgery of an RDSA signature using an adaptively chosen message attack has non-negligible probability of success, then the root problem can be solved in probabilistic polynomial time. Probabilities are taken over random tapes, random oracles and public keys.

Proof: If there is an attacker who forges signatures existentially using an adaptively chosen message attack, then, as shown in the above lemma, the signer's part can be replaced by a simulator. The result is a probabilistic polynomial time attacker without access to the signer, i.e. an existential forgery using a no-message attack. Thus, the theorem follows from Lemma 5. □

5 Implementation in class groups of number fields

In this section we present families of algebraic number fields whose class groups can be used to implement RDSA. We first identify algebraic number fields whose class groups satisfy the conditions of Section 2. Then we describe class groups in which the root problem is intractable. Finally, we present timings.

5.1 Good class groups

Let K be an algebraic number field of degree n over Q. For an introduction to algebraic number theory we refer to [1]. Let h be the class number of K, i.e. the order of its class group. The size of the number field K is measured by its discriminant Δ. The elements of the class group can be represented by n × n matrices with integer entries whose absolute value is bounded by |Δ|. The class group Cl of K has all the properties from Section 2, except that an efficient equality test for Cl only exists if the regulator of K is small. Hence, number fields which can be used in our context must have small regulators. An obvious choice are imaginary quadratic number fields since their regulator is 1 and there is a very efficient equality test in their class groups. Stender [19] considers number fields

K = Q(ⁿ√(Dⁿ ± d)), (4)

where n ∈ {3, 4, 6}, D, d ∈ Z_{>0}, and d satisfies some further condition. We call them Stender fields. Stender explicitly determines the regulator of those fields. They turn out to be very small. Upper bounds for the regulators are shown in Table 1.


Table 1: Bounds for regulator and class number of Stender fields, D > 16 (columns: degree n, upper bound for the regulator R, lower bound for the class number h in terms of D and a constant c). Regulator bounds: n = 3: R < 2·ln(2D); n = 4: R < 4·(ln(√3·D))²; n = 6: R < 9324·ln(2D).

Now suppose that in the class group of K there is an efficient equality test. The known algorithms for solving the root problem in the class group require the solution of the order problem. It is therefore necessary that the class number is large and has sufficiently large prime divisors. We explain how this can be achieved. The discriminant, the class number, and the regulator of K are related by the analytic class number formula (see [1])

h = w · √|Δ| · κ / (2^{s+t} · π^t · R), (5)

where κ is the residue of the ζ-function of K at s = 1, w is the number of roots of unity in K (typically, we have w = 2), and s and t are positive integers such that s + 2t = n. By [7] we have the following lower bound for the class number of imaginary quadratic fields:

h > (1/7000) · ln|Δ| · ∏_{p | |Δ|} (1 − ⌊2√p⌋/(p + 1)), (6)

where ⌊x⌋ denotes the greatest integer ≤ x for a real number x. Using the heuristics of Cohen and Lenstra [5] it can be shown that the class number h has sufficiently large divisors. In the general case the Brauer-Siegel theorem (see [13]) tells us that for sufficiently small R the class number h is of the order of magnitude of |Δ|^{1/2}. The class numbers of the Stender fields are tabulated in Table 2. Also, it can be deduced from the heuristics of Cohen and Martinet [6] that the class groups of number fields with small regulator have large prime divisors. Neis [16] has computed class numbers of a few Stender fields (see Table 2). His results show that those class numbers have large divisors.

Table 2: Explicit examples for Stender fields, n = 3

D          Δ          R      h            Prime factorization of h
1075464    ≈ −10^36   28.8   ≈ 1.9·10^16  2^4 · 3^6 · 66361 · 29634377
48670427   ≈ −10^45   36.4   ≈ 1.0·10^20  2^8 · 3^4 · 13 · 48823 · 6724003589

5.2 Class groups of imaginary quadratic orders


We have implemented RDSA in class groups of imaginary quadratic orders O = Z + Z(Δ + √Δ)/2, where Δ is the discriminant of O. We call this signature protocol IQ-DSA. For background on imaginary quadratic orders we refer to [4]. Class groups of imaginary quadratic orders satisfy the assumptions of Section 2. Also, the only known methods for solving the root problem in those class groups require the solution of the order problem. The fastest known algorithm for solving the order problem has subexponential running time L_{|Δ|}[1/2, (3/4)√2] [20]. Therefore, for sufficiently large discriminants the root problem is intractable in those groups. We have used class groups for discriminants of size 690, 960, 1210, and 1670 bits. It follows from the experiments in [11], which are based on the methods in [12], that the difficulty of the root problem in the corresponding class groups is comparable to the difficulty of factoring 1024-, 1536-, 2048-, and 3072-bit RSA moduli.

We have compared IQ-DSA with the RSA signature protocol. The implementations were done in C++ using LiDIA [14]. For the signature step in IQ-DSA we used a simple fixed-base exponentiation method and, since inversion of imaginary quadratic ideals is trivial, we have combined that with a signed-digit exponent recoding, while for the verification we applied a simultaneous multiple exponentiation method (cf. [15, Chap. 14]). Our RSA implementation uses the secret exponent 2^16 + 1; in the signature step we used Chinese remaindering and a sliding-window technique for the exponentiation. The timings for IQ-DSA, given in milliseconds, and the public key sizes, given in bits, are shown in Table 3; for comparison with RSA see Table 4. Each value is the average over 2000 signatures. All computations were performed on a Sun with Sparc Ultra II processor, 333 MHz.

Table 3: Timings for IQ-DSA (milliseconds; sizes in bits)

Size of Δ   Signing   Verifying   Sig.-Size
690         189       536         1540
960         336       935         2080
1210        460       1303        2580
1670        772       2193        3500


Table 4: Timings for RSA (milliseconds; sizes in bits)

Size of n   Signing   Verifying   Sig.-Size
1024        148       3           1024
1536        419       7           1536
2048        918       11          2048
3072        2692      23          3072

6 Open Problems and Further Research

This paper raises a number of interesting research problems:

1. Can we prove more precise results about the size and the structure of the class numbers of Stender fields?
2. Can the new protocols be implemented efficiently in number fields of degree n > 2?

References

[1] Borevic, Z. I., and Safarevic, I. R. Number Theory. Academic Press, 1966.
[2] Buchmann, J., and Paulus, S. A One Way Function Based on Ideal Arithmetic in Number Fields. In Advances in Cryptology – CRYPTO '97 (1997), B. S. Kaliski, Ed., no. 1294 in Lecture Notes in Computer Science, Springer-Verlag, pp. 385–394.
[3] Buchmann, J., and Williams, H. C. A Key-Exchange System Based on Imaginary Quadratic Fields. Journal of Cryptology 1, 3 (1988), 107–118.
[4] Cohen, H. A Course in Computational Algebraic Number Theory, vol. 138 of Graduate Texts in Mathematics. Springer-Verlag, 1995.
[5] Cohen, H., and Lenstra, Jr., H. W. Heuristics on class groups of number fields. In Number Theory, Lecture Notes in Math., vol. 1068. Springer-Verlag, New York, 1983, pp. 33–62.
[6] Cohen, H., and Martinet, J. Class groups of number fields: numerical heuristics. Math. Comp. 48 (1987), 123–137.
[7] Cox, D. A. Primes of the Form x² + ny². John Wiley & Sons, 1989.
[8] ElGamal, T. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory 31, 4 (1985), 469–472.
[9] FIPS 186. Digital Signature Standard, 1994.
[10] Guillou, L. C., and Quisquater, J.-J. A Practical Zero-Knowledge Protocol Fitted To Security Microprocessors Minimizing Both Transmission and Memory. In Advances in Cryptology – EUROCRYPT '88 (1988), C. G. Günther, Ed., no. 330 in Lecture Notes in Computer Science, Springer-Verlag, pp. 123–128.
[11] Hamdy, S. On the Performance of DL-based Cryptosystems in Class Groups of Quadratic Orders. To appear.
[12] Jacobson, Jr., M. J. Subexponential Class Group Computation in Quadratic Orders. PhD thesis, Fachbereich Informatik, TU Darmstadt, Darmstadt, Germany, 1999.
[13] Lang, S. Algebraic Number Theory, 2nd ed., vol. 110 of Graduate Texts in Mathematics. Springer-Verlag, 1994.
[14] LiDIA – A C++ Library For Computational Number Theory. http://www.informatik.tu-darmstadt.de/TI/LiDIA/. The LiDIA Group.
[15] Menezes, A. J., van Oorschot, P. C., and Vanstone, S. A. Handbook of Applied Cryptography. CRC Press, 1997.
[16] Neis, S. Berechnung von Klassengruppen. PhD thesis, Fachbereich Informatik, TU Darmstadt, Darmstadt, Germany, 1999. Preliminary version.
[17] Pointcheval, D., and Stern, J. Security Proofs for Signature Schemes. In Advances in Cryptology – EUROCRYPT '96 (1996), U. Maurer, Ed., no. 1070 in Lecture Notes in Computer Science, Springer-Verlag, pp. 387–398.
[18] Schnorr, C. P. Efficient Signature Generation by Smart Cards. Journal of Cryptology 4, 3 (1991), 161–174.
[19] Stender, H.-J. Eine Formel für Grundeinheiten in reinen algebraischen Zahlkörpern dritten, vierten und sechsten Grades. Journal of Number Theory 7, 2 (1975), 235–250.
[20] Vollmer, U. Asymptotically Fast Discrete Logarithms in Quadratic Number Fields. Submitted to ANTS IV.