Eficient implementation of cryptosystems based on non-maximal imaginary quadratic orders

Abstract

In [14] there is proposed an ElGamal-type cryptosystem based on non-maximal imaginary quadratic orders with trapdoor decryption. The trapdoor information is the factorization of the non-fundamental discriminant Δp = Δ1p2. The NICE-cryptosystem (New Ideal Coset En-cryption) [24,12] is an eficient variant thereof, which uses an element gk ϵ Ker(ϕ −1Cl) ⊆ Cl(Δp), where k is random and ϕ −1Cl: Cl(Δpp) → Cl(Δ1) is a map between the class groups of the non-maximal and maximal order, to mask the message in the ElGamal cryptosystem. This mask simply "disappears" during decryption, which essentially consists of computing ϕ −1Cl. Thus NICE features quadratic decryption time and hence is very well suited for applications in which a central server has to decrypt a large number of ciphertexts in a short time. In this work we will introduce an eficient batch decryption method for NICE, which allows to speed up the decryption by about 30% for a batch size of 100 messages. In [17] there is proposed a NICE-Schnorr-type signature scheme. In this scheme one uses the group Ker(ϕ-1Cl) instead of IF*p. Thus instead of modular arithmetic one would need to apply standard ideal arithmetic (multiply and reduce) using algorithms from [5] for example. Because every group operation needs the application of the Extended Euclidean Algorithm the implementation would be very ineficient. Especially the signing process, which would typically be performed on a smartcard with limited computational power would be too slow to allow practical application. In this work we will introduce an entirely new arithmetic for elements in Ker(ϕ −1Cl), which uses the generator and ring-equivalence for exponentiation. Thus the signer essentially performs the exponentiation in (OΔ1=pOΔ1) *, which turns out to be about twenty times as fast as conventional ideal arithmetic. Furthermore in [17] it is shown, how one can further speed up this exponentiation by application of the Chinese Remainder Theorem for (OΔ1=pOΔ1) *. With this arithmetic the signature generation is about forty times as fast as with conventional ideal arithmetic and more than twice as fast as in the original Schnorr scheme [26].