Security Estimates for Quadratic Field Based Cryptosystems


📝 Original Info

  • Title: Security Estimates for Quadratic Field Based Cryptosystems
  • ArXiv ID: 1004.5512
  • Date: 2010-05-20
  • Authors: Researchers from original ArXiv paper

📝 Abstract

We describe implementations for solving the discrete logarithm problem in the class group of an imaginary quadratic field and in the infrastructure of a real quadratic field. The algorithms used incorporate improvements over previously-used algorithms, and extensive numerical results are presented demonstrating their efficiency. This data is used as the basis for extrapolations, used to provide recommendations for parameter sizes providing approximately the same level of security as block ciphers with $80,$ $112,$ $128,$ $192,$ and $256$-bit symmetric keys.

📄 Full Content

Quadratic fields were proposed as a setting for public-key cryptosystems in the late 1980s by Buchmann and Williams [7,8]. There are two types of quadratic fields, imaginary and real. In the imaginary case, cryptosystems are based on arithmetic in the ideal class group (a finite abelian group), and the discrete logarithm problem is the computational problem on which the security is based. In the real case, the so-called infrastructure is used instead, and the security is based on the analogue of the discrete logarithm problem in this structure, namely the principal ideal problem.

Although neither of these problems is resistant to quantum computers, cryptography in quadratic fields is nevertheless an interesting alternative to more widely-used settings. Both discrete logarithm problems can be solved in subexponential time using index calculus algorithms, but with asymptotically slower complexity than the state-of-the-art algorithms for integer factorization and computing discrete logarithms in finite fields. In addition, the only known relationship to the quadratic field discrete logarithm problems from other computational problems used in cryptography is that integer factorization reduces to both of the quadratic field problems. Thus, both of these are at least as hard as factoring, and the lack of known relationships to other computational problems implies that the breaking of other cryptosystems, such as those based on elliptic or hyperelliptic curves, will not necessarily break those set in quadratic fields. Examining the security of quadratic field based cryptosystems is therefore of interest.

⋆ The second author is supported in part by NSERC of Canada.

The fastest algorithms for solving discrete logarithm problems in quadratic fields are based on an improved version of Buchmann’s index-calculus algorithm due to Jacobson [17]. The algorithms include a number of practical enhancements to the original algorithm of Buchmann [5], including the use of self-initialized sieving to generate relations, a single large prime variant, and practice-oriented algorithms for the required linear algebra. These algorithms enabled the computation of a discrete logarithm in the class group of an imaginary quadratic field with a 90 decimal digit discriminant [15], and the solution of the principal ideal problem for a real quadratic field with a 65 decimal digit discriminant [18].

Since this work, a number of further improvements have been proposed. Biasse [3] presented practical improvements to the corresponding algorithm for imaginary quadratic fields, including a double large prime variant and improved algorithms for the required linear algebra. The resulting algorithm was indeed faster than the previous state-of-the-art and enabled the computation of the ideal class group of an imaginary quadratic field with a 110 decimal digit discriminant. These improvements were adapted to the case of real quadratic fields by Biasse and Jacobson [4], along with the incorporation of a batch smoothness test of Bernstein [2], resulting in similar speed-ups in that case.

In this paper, we adapt the improvements of Biasse and Jacobson to the computation of discrete logarithms in the class group of an imaginary quadratic field and the principal ideal problem in the infrastructure of a real quadratic field. We use versions of the algorithms that rely on easier linear algebra problems than those described in [17]. In the imaginary case, this idea is due to Vollmer [26]; our work represents the first implementation of his method. The data we obtained shows that our algorithms are indeed faster than previous methods. We use our data to estimate parameter sizes for quadratic field cryptosystems that offer security equivalent to NIST’s five recommended security levels [25]. In the imaginary case, these recommendations update previous results of Hamdy and Möller [14], and in the real case this is the first time such recommendations have been provided.

The paper is organized as follows. In the next section, we briefly recall the required background of ideal arithmetic in quadratic fields, and give an overview of the index-calculus algorithms for solving the two discrete logarithm problems in Section 3. Our numerical results are described in Section 4, followed by the security parameter estimates in Section 5.

We begin with a brief overview of arithmetic in quadratic fields. For more details on the theory, algorithms, and cryptographic applications of quadratic fields, see [20].

be the quadratic field of discriminant $\Delta$, where $\Delta$ is a nonzero integer congruent to 0 or 1 modulo 4 with $\Delta$ or $\Delta/4$ square-free. The integral closure of $\mathbb{Z}$ in $K$, called the maximal order, is denoted by $\mathcal{O}_\Delta$. The ideals of $\mathcal{O}_\Delta$ are the main objects of interest in terms of cryptographic applications. An ideal can be represented by the two-dimensional $\mathbb{Z}$-module

where $a, b, s \in \mathbb{Z}$ and $4a \mid b^2 - \Delta$. The integers $a$ and $s$ are unique, and $b$ is defined modulo $2a$. The ideal $\mathfrak{a}$ is said to be primitive
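As an added illustration, not code from the paper, the following Python works with the $(a, b)$ representation just described for the imaginary case ($\Delta < 0$): it checks the divisibility condition $4a \mid b^2 - \Delta$ and normalises $b$ modulo $2a$, and then goes beyond the page by enumerating reduced forms to obtain the class number and by composing ideal classes, which is the group operation underlying the discrete logarithm problem whose hardness the paper measures. The identification of a primitive ideal with a binary quadratic form $(a, b, c)$ where $c = (b^2 - \Delta)/(4a)$, the reduction procedure, and the composition algorithm (Cohen's Algorithm 5.4.7) are standard facts assumed here rather than stated on the page; the sample discriminants $-23$, $-47$ and $-163$ are constructed test inputs.

```python
"""Primitive ideals of an imaginary quadratic order as reduced binary quadratic
forms (a, b, c) with b^2 - 4ac = D, D < 0.  Added example; constructed inputs."""
from math import gcd, isqrt


def is_valid_ab(a: int, b: int, D: int) -> bool:
    """The page's condition: a > 0, D a discriminant, and 4a divides b^2 - D."""
    return a > 0 and D % 4 in (0, 1) and (b * b - D) % (4 * a) == 0


def ideal_from_ab(a: int, b: int, D: int) -> tuple[int, int, int]:
    """b is only defined modulo 2a: choose the representative in (-a, a] and
    attach c = (b^2 - D)/(4a).  Returns the form (a, b, c)."""
    if not is_valid_ab(a, b, D):
        raise ValueError(f"(a={a}, b={b}) does not define an ideal for D={D}")
    b = ((b + a) % (2 * a)) - a
    if b == -a:
        b = a
    return (a, b, (b * b - D) // (4 * a))


def reduce_form(f: tuple[int, int, int], D: int) -> tuple[int, int, int]:
    """Standard reduction (D < 0): loop until |b| <= a <= c, with b >= 0 when
    |b| == a or a == c.  Reduced forms are unique class representatives."""
    a, b, c = f
    while True:
        b = ((b + a) % (2 * a)) - a          # b into (-a, a]
        if b == -a:
            b = a
        c = (b * b - D) // (4 * a)           # recompute c from the discriminant
        if a > c:
            a, b, c = c, -b, a               # swap and continue normalising
            continue
        if a == c and b < 0:
            b = -b
        return (a, b, c)


def xgcd(x: int, y: int) -> tuple[int, int, int]:
    """Return (g, u, v) with u*x + v*y = g = gcd(x, y) >= 0."""
    old_r, r, old_s, s, old_t, t = x, y, 1, 0, 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def compose(f: tuple[int, int, int], g: tuple[int, int, int], D: int) -> tuple[int, int, int]:
    """Class-group multiplication of two primitive forms of discriminant D
    (Cohen, Algorithm 5.4.7), followed by reduction."""
    if f[0] > g[0]:
        f, g = g, f
    a1, b1, c1 = f
    a2, b2, c2 = g
    s = (b1 + b2) // 2
    n = b2 - s
    if a2 % a1 == 0:
        y1, d = 0, a1
    else:
        d, u, _ = xgcd(a2, a1)               # u*a2 + v*a1 = d
        y1 = u
    if s % d == 0:
        y2, x2, d1 = -1, 0, d
    else:
        d1, u, v = xgcd(s, d)                # u*s + v*d = d1
        x2, y2 = u, -v
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    b3 = b2 + 2 * v2 * r
    a3 = v1 * v2
    c3 = (c2 * d1 + r * (b2 + v2 * r)) // v1
    assert b3 * b3 - 4 * a3 * c3 == D        # sanity: discriminant preserved
    return reduce_form((a3, b3, c3), D)


def reduced_forms(D: int) -> list[tuple[int, int, int]]:
    """All primitive reduced forms of discriminant D < 0 (a <= sqrt(-D/3))."""
    forms = []
    for a in range(1, isqrt(-D // 3) + 1):
        for b in range(-a + 1, a + 1):
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (a == c and b < 0) or gcd(gcd(a, b), c) != 1:
                continue
            forms.append((a, b, c))
    return forms


def class_number(D: int) -> int:
    """h(D): the size of the group in which the discrete logarithm problem lives."""
    return len(reduced_forms(D))


def element_order(f: tuple[int, int, int], D: int, limit: int = 100_000) -> int:
    """Smallest k >= 1 with f^k = identity (the principal form (1, D mod 2, c))."""
    identity = ideal_from_ab(1, D % 2, D)
    g = reduce_form(f, D)
    for k in range(1, limit + 1):
        if g == identity:
            return k
        g = compose(g, f, D)
    raise RuntimeError("order exceeds limit")


if __name__ == "__main__":
    print(class_number(-23), reduced_forms(-23))
    print(compose((2, 1, 3), (2, 1, 3), -23), element_order((2, 1, 6), -47))
```

The discrete logarithm problem the paper attacks is, in these terms, recovering $k$ from a reduced form $g^k$ given $g$; `element_order` finds it by brute force only because the constructed discriminants are tiny, whereas the 90- and 110-digit discriminants cited above require the index-calculus machinery of Sections 3 and 4.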

…(Full text truncated)…


Reference

This content is AI-processed based on ArXiv data.
