Efficient Implementation of Cryptosystems Based on Non-maximal Imaginary Quadratic Orders
Abstract
In [14] an ElGamal-type cryptosystem based on non-maximal imaginary quadratic orders with trapdoor decryption is proposed. The trapdoor information is the factorization of the non-fundamental discriminant $\Delta_p = \Delta_1 p^2$. The NICE cryptosystem (New Ideal Coset Encryption) [24,12] is an efficient variant thereof, which uses an element $g^k \in \mathrm{Ker}(\varphi_{Cl}^{-1}) \subseteq Cl(\Delta_p)$, where $k$ is random and $\varphi_{Cl}^{-1} : Cl(\Delta_p) \to Cl(\Delta_1)$ is a map between the class groups of the non-maximal and maximal order, to mask the message in the ElGamal cryptosystem. This mask simply "disappears" during decryption, which essentially consists of computing $\varphi_{Cl}^{-1}$. Thus NICE features quadratic decryption time and hence is very well suited for applications in which a central server has to decrypt a large number of ciphertexts in a short time. In this work we will introduce an efficient batch decryption method for NICE, which speeds up decryption by about 30% for a batch size of 100 messages. In [17] a NICE-Schnorr-type signature scheme is proposed. In this scheme one uses the group $\mathrm{Ker}(\varphi_{Cl}^{-1})$ instead of $\mathbb{F}_p^*$. Thus, instead of modular arithmetic, one would need to apply standard ideal arithmetic (multiply and reduce), using algorithms from [5] for example. Because every group operation requires an application of the Extended Euclidean Algorithm, the implementation would be very inefficient. In particular the signing process, which would typically be performed on a smartcard with limited computational power, would be too slow to allow practical application. In this work we will introduce an entirely new arithmetic for elements in $\mathrm{Ker}(\varphi_{Cl}^{-1})$, which uses the generator and ring-equivalence for exponentiation. Thus the signer essentially performs the exponentiation in $(\mathcal{O}_{\Delta_1}/p\mathcal{O}_{\Delta_1})^*$, which turns out to be about twenty times as fast as conventional ideal arithmetic.
Furthermore, in [17] it is shown how one can further speed up this exponentiation by applying the Chinese Remainder Theorem for $(\mathcal{O}_{\Delta_1}/p\mathcal{O}_{\Delta_1})^*$. With this arithmetic the signature generation is about forty times as fast as with conventional ideal arithmetic and more than twice as fast as in the original Schnorr scheme [26].
Howard Heys and Carlisle Adams (Eds.): SAC'99, LNCS 1758, pp. 147–162, 2000. © Springer-Verlag Berlin Heidelberg 2000
Similar resources
A survey of cryptosystems based on imaginary quadratic orders
Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A promising candidate for a group in which the DL-problem seems to be hard is the class group Cl(∆) of ...
On the Public Key Cryptosystems over Class Semigroups of Imaginary Quadratic Non-maximal Orders
In this paper we will propose the methods for finding the non-invertible ideals corresponding to non-primitive quadratic forms and clarify the structures of class semigroups of imaginary quadratic orders which were given by Zanardo and Zannier [8], and we will give a general algorithm for calculating power of ideals/classes via the Dirichlet composition of quadratic forms which is applicable to...
An Adaptation of the NICE Cryptosystem to Real Quadratic Orders
Security of electronic data has become indispensable to today’s global information society, and public-key cryptography, a key element to securing internet communication, has gained increasing interest as a vital subject of research. Numerous public-key cryptosystems have been proposed that use allegedly intractable number theoretic problems as a basis of their security. One example is NICE, in...
Reducing Logarithms in Totally Non-maximal Imaginary Quadratic Orders to Logarithms in Finite Fields
Since nobody can guarantee that the computation of discrete logarithms in elliptic curves or $\mathbb{F}_p$ remains intractable for the future it is important to study cryptosystems based on alternative groups. A promising candidate, which was proposed by Buchmann and Williams [8], is the class group Cl(∆) of an imaginary quadratic order O. This ring is isomorphic to the endomorphism ring of a non-super...
Security of Cryptosystems Based on Class Groups of Imaginary Quadratic Orders
In this work we investigate the difficulty of the discrete logarithm problem in class groups of imaginary quadratic orders. In particular, we discuss several strategies to compute discrete logarithms in those class groups. Based on heuristic reasoning, we give advice for selecting the cryptographic parameter, i.e. the discriminant, such that cryptosystems based on class groups of imaginary quad...
Publication date: 1999