Security Estimates for Quadratic Field Based Cryptosystems
We describe implementations for solving the discrete logarithm problem in the class group of an imaginary quadratic field and in the infrastructure of a real quadratic field. The algorithms used incorporate improvements over previously-used algorithms, and extensive numerical results are presented demonstrating their efficiency. These data serve as the basis for extrapolations that provide recommendations for parameter sizes offering approximately the same level of security as block ciphers with $80$, $112$, $128$, $192$, and $256$-bit symmetric keys.
💡 Research Summary
This paper presents a comprehensive study of the security of cryptographic schemes based on quadratic number fields, focusing on two distinct settings: the class group of an imaginary quadratic field and the infrastructure of a real quadratic field. Both settings give rise to discrete logarithm problems (DLPs) that serve as the hardness assumption for public‑key protocols. The authors implement state‑of‑the‑art index‑calculus algorithms for solving these DLPs, incorporating a series of practical enhancements that have been developed since the original Buchmann‑Williams proposals in the late 1980s.
The core of the work lies in improving the relation‑collection phase, which dominates the runtime of index‑calculus methods. The authors combine a double large‑prime variant with a self‑initialized quadratic sieve, dramatically increasing the probability of finding smooth principal ideals while keeping the sieving cost modest. To further accelerate smoothness testing, they integrate Bernstein’s batch smoothness test, allowing many candidate residues to be checked simultaneously. These refinements lead to a substantial reduction in the number of sieving iterations required to obtain a full set of relations.
Because the double large‑prime technique inflates the dimensions of the relation matrix, the authors adopt a graph‑based column elimination strategy originally proposed by Cavallar for integer factorisation and later adapted by Biasse for quadratic fields. This method efficiently reduces the matrix width before the linear‑algebra stage, making the subsequent Gaussian elimination tractable. After reduction, the matrix is tested for full rank modulo a small word‑size prime; if the rank is insufficient, additional relations are collected and the process repeats.
For solving the DLP in the imaginary class group, the implementation follows Völlmer’s linear‑system approach. Instead of reconstructing the full group structure, the algorithm finds two extra relations that link the target ideal and a generator, then solves a small linear system to recover the discrete logarithm. In the real‑field case, the same idea is applied to the infrastructure DLP: only a multiple of the regulator is needed, not the exact regulator, which eliminates the expensive regulator‑verification step. The regulator multiple is obtained by randomly sampling vectors from the kernel of the relation matrix and applying Maurer’s “real GCD” algorithm, yielding the correct multiple with high probability in sub‑exponential time.
Complexity analysis shows that, under standard heuristic assumptions about relation generation, the combined algorithm runs in expected time (O\big(L_{|\Delta|}
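The parameter recommendations in the abstract come from extrapolating measured runtimes through a subexponential bound of this $L_{|\Delta|}$ form. As an added illustration (not code from the paper, and not its fitting procedure or results), the Python below calibrates a constant factor from one assumed timing and then solves for the discriminant bit length at which the predicted attack cost reaches $2^{k}$ operations; the exponent constant $c=\sqrt{2}$, the calibration point and the operations-per-second figure are all assumptions made for the example.

```python
import math


def log_L(x_bits: float, a: float, c: float) -> float:
    """Natural log of L_x[a, c] = exp(c (ln x)^a (ln ln x)^(1-a)).

    x is given by its bit length (x = 2**x_bits) so that discriminants of
    several thousand bits never have to be materialised as integers.
    """
    ln_x = x_bits * math.log(2)
    return c * ln_x ** a * math.log(ln_x) ** (1 - a)


def calibrate(bits0: float, seconds0: float, ops_per_second: float,
              a: float = 0.5, c: float = math.sqrt(2)) -> float:
    """log2 of the constant K in  cost(bits) ~= K * L_{|D|}[a, c],
    fitted from a single measured run (assumed values, not the paper's data)."""
    log2_ops = math.log2(seconds0 * ops_per_second)
    return log2_ops - log_L(bits0, a, c) / math.log(2)


def predicted_log2_cost(bits: float, log2_K: float,
                        a: float = 0.5, c: float = math.sqrt(2)) -> float:
    """Predicted attack cost, in log2 operations, for a |D| of the given bit length."""
    return log2_K + log_L(bits, a, c) / math.log(2)


def bits_for_security(level: int, log2_K: float,
                      a: float = 0.5, c: float = math.sqrt(2)) -> int:
    """Smallest bit length of |D| whose predicted cost is >= 2**level operations.

    The cost is monotone in the bit length, so a bisection suffices.
    """
    lo, hi = 16, 1 << 20  # lo is below every realistic level, hi far above
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if predicted_log2_cost(mid, log2_K, a, c) >= level:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    # Assumed calibration: one hour at 1e9 ops/s on a 256-bit discriminant.
    k = calibrate(256, 3600.0, 1e9)
    for level in (80, 112, 128, 192, 256):
        print(f"{level:3d}-bit security -> |D| of about {bits_for_security(level, k)} bits")
```

The same scaffolding works with a different exponent constant or a measured calibration point; only `c`, `bits0`, `seconds0` and `ops_per_second` need to change.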