2010 . 1 1 .

2354
511.622

. .
,
22.IV.2010

, .
: , , , , , .
On application of class groups of ideals of quadratic fields to the construction
of public key cryptosystems
M. M. Gluhov
Academy of Cryptography of Russian Federation, Moscow
Abstract. The paper contains a brief survey on cryptosystems based on imaginary and
real quadratic fields.
Key words: quadratic field, ring of integer numbers of quadratic fields, class group, algorithmic reduction of ideals, key exchange system, discrete logarithm problem.
Citation: Mathematical Aspects of Cryptography, 2010, vol. 1, no. 1, pp. 2354 (Russian).
2010 . .

. .

24

, , Q (. [1273]).

Q. , ,
.
,
. ( )
. ,
, .
. :

Ln ( e, c ) = exp c ( log n ) ( log log n )

e

1 e

) , n N , cR, c > 0, 0 e 1,

Ln() = .

1.

[111].
( , ) Q, , Q. m ( x) .
, Q( ) Q
, n = [Q( ):Q]. m ( x) Q n
1 = , 2 , , n . , .
s t , (s, t) Q( ).
______________ ______________

25

Q( )

= a0 + a1 + ... + an 1 n 1 , a0 , a1 ,..., an 1 Q.
, (1, ,..., n 1 ) Q( ) Q. Q( ).
Q( ) ,
Q( ), m ( x) Z[x]. Q0( )
Q( ) . Q( ) r Z, r Q0( ). Q( )
, ,
. , , Q( ), Q0( )
, 0 0*.

Q .
. , i ,

i , i = 1, , n.
N( ) = 1 ( )... n ( ) Tr( ) = 1 ( ) + ... + n ( )
. N(x) Tr(x)
.
, :
N( ),Tr( ) Q, N( ) = N( )N( ) , Tr( + ) = Tr( ) + Tr( ) .

0 N( ),Tr( ) Z, |N( )
( N( ) 0), 0* |N( ) | = 1.
0* , 0*
m m- 1 s + t 1
.
0* , 0* .
I(0) 0. ,
I(0) v1,,vk,
= (v1,,vk).
____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

26

, 0
= ( , ) , Z. (,+) n. ,
w1,,wn A,
(1)
= z1w1 + + zn wn ,
z1,,zn Z. Z- ,
= [w1,,wn]. (,+) (0,+),
N(A). ,
N(A) = [0:].
, .
= ( ), N(A) = |N( )|. .
n w1,,wn
d ( w1 ,, wn ) = ( w1 , , wn ) ,
2

( w1 , , wn ) = det i ( w j ) .

w1,,wn Z- , d(w1,,wn) , , = 0.
d(), , , d,
. , Z-.
N ( A) =

d ( A) / d .

, ,
N(AB) = N(A)N(B).
.

. , ,
, , ______________ ______________

27

0 , 0,

. , . , Z , , , , .
, , (I(0) , 0, . (I(0)
,
.
(1),
w1,,wk , z1,,zk
0. (1), w1,,wk .
. I().
, I(0) I() I()\ I(0)
0 .
. 0 .
, 0 , = , . . = (1/c)A. . ,
(0) 0,
= P1k1 ...Pmkm ,
P1 ,..., Pm , k1,,km
( ). ,
I() , ,
.
,
I1(). I()/I1()
( ) Cl().
, (
) h().
h() Cl() .
h() , ,
____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

28

Q 2, . , .

2.
Q

( D ) , D 0 1 .

c Q , D < 0, ,
, D > 0. Q

( D)

= a + b D , a, b Q.
' = a b D . b 0,
x2 2ax + a2 b2D,
N( ) = a2b2D Tr( ) = 2.
,

Q0

( D) a

b 2 D, 2a Z.

Q
1) Q 0

( D ) = {a + b

2) Q 0

( D ) = a + b2

( D):

D ; a, b Z , D 1 (mod 4),
D

; a, b Z, a b ( mod 2 ) , D 1 (mod 4).

d Q

( D)

4D D, Z-

(1, D )

1+ D
1,
.
2

______________ ______________

29

(1, w), w =

d+ d
,
2

( D ) .
Q ( D ) (0,1), D < 0, (2,0), D > 0.

Z- Q

Q 0 D

( )

D < 0 D > 0. , <1> D < 3 <1>< >

D > 0, > 0 (
D ). ln Q

( D ) R(d), d -

( R d).
{0}:

b+ d
Z ,
A = q aZ +
2

q Q, a, b, c = ( b 2 d ) / 4a Z , q > 0, a > 0, ( a, b, c ) =1, a < b a.

q(a,b,c).
, q = 1, ,
(a,b,c) = 1, |b| a c b 0, |b| = a = .
a,b,c (a,b,c).
, 0 (0), ,
. .
Q 0 D ,

( )

, :
d
d
I a) = 1 Pi = [p, bi+w], i = 1,2,
p
p
, b1,b2
(2 + d)2 d (mod p);
____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

30

d
I b) = 1 ();
p
d
I ) = 0 P = [p, w].
p

= 2 Q 0

( D ) , -

2, :
II a) d 1 (mod 8) P1 = [2, w], P2 = [2, 1+w];
II b) d 1 (mod 8), d 1 (mod 4) (2);
II c) d 1 (mod 4) P = [2, 1+w];
II d) d 2 (mod 4) P = [2, w].
, , Z,
Q 0

( D ) . , I a) II

a) (p) = P1P2, I c), II c) II d) (p) = P2.

, B Q 0

( D ) , -

( ), ( ) , ( ) = ( )B.
, Q

( D) .

( ( D )) ,

, Q

( ) = B. h(d)
:
h(d ) =

d
d
L(1, ) d < 4, (2)
L(1, ) d > 0, h ( d ) =

2 R(d )

|d|,
1

( p)
L(1, ) = 1
,
p
p

Z.
, :
h(d ) =

1
x
( x) ln sin
d> 0,

R(d ) 0< x < d / 2

d
( x , d ) =1

______________ ______________


h(d ) =

31

1
( x) x d < 0.
d 0< x < d
( x , d ) =1

,
h(d) d, h(d).
. , , ,
d

( d)

h(d)

( d)

1+

, 0 < <1.

: h(d) =

( d ),

= 0,461559

, , , ,
, h(d) d .
,
h(d). , h(d) = 1.

.
,
. h(d) , -, (McCurley .) [53, 32], , 1971 . (Shanks D.) [68].
.
(2)
,
h(d) 2B.
(
) :
f Cl(d) fh(d) = 1.
(3)

(babystepgiantstep) [B, 2B].
____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

32

(3)
Cl(d) (Schoof R. J.) [66] Cl(d).
h(d) Ld(21/2). [53] , , ,
, Ld(321/2/4). , 321/2/41,06.
,
Q D

( )

Z.

f ( x, y ) = ax 2 + bxy + cy 2

(4)

d(f) = b24ac S(f) = (a,b,c) . f ,

S(f) = 1. d < 0 a > 0, f .
d
F(d). SL(2,Z) (. .
22- Z 1). d(f) S(f)
. F(d) .

d. d < 0.
, . .
(4) > 0. , , , . , . .
SL(2,Z).
d < 0
Q 0 D c d

( )

(4)
( a , b, c ) = aZ +

b +
2

Z.

______________ ______________

33

, :
.

3. ,


1988 . [52].
.

.

(Buchmann J., Williams H.) [29],
.

Q 0 D d < 0.

( )

, ,

. ,
, d .
, , a < d / 3 ,
, a < d / 4 , .
, [29].
U, V
. U V
0 1 D < 0
I Q 0 D . -

( )

: U V -

x y 1, D , U V
I , V U I . U V Iy Ix x y.
U, V x

____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

34

.
U, V J, Ixy.
, . J . [29] J. , x,y, I, Ix, Iy.
,
.
.

i = (ai,bi,ci), i = 1,2, , 12 = 3 = d0(a3,b3,c3),
a3 = d1

2a
a1a2
, b3 = b2 b3 = b2 2 ( v ( s + b2 ) wc2 ) ,
2
d0
d0
c3 =

b32 d
b +b
, s= 1 2 ,
4a
2

d 0 = (a1 , a2 , s ), u , v, w Z, ua1 + va2 + ws = d 0 ,

d1 = ( a1 , a2 , s, c1 , c2 , b1 s ) .

, 1,2 , d1 = 1.
, (log2d).

. . Z
. . .
,
(. [6, 15, 49, 60, 65, 67, 68]).
[49].
, [15].
.
(4) f = [a,b,c].

a,b,c, . ,
d < 0, f > 0 a < 0. ,
______________ ______________

35

. , a > 0, d F+(d). :
0 1
Mu =
, tu ( f ( x , y ) ) = f
1 u

( ( x, y ) M ) .
u

, f = [a,b,c] F+(d),
tu(f) = [a1,b1,c1] F+(d) a1 = c, b1 = b+2cu, c1 = abu+cu2. (5)
, f F+(d) (., ,
[15]).
f tu, u

a1 < 2au + b < a1.

(5). 1 > a1, .
1 = a1 b1 < 0, , t0, f1 = [c1,b1,a1]. 1 < a1.
f1 , f.
,
[ai,bi,ci], a < a1 < a2 < , k fk = [ak,bk,ck].
k. , a d , f1
, . , k < 3. a > d , a1 < a/2. , a < d / 4 f1 , :
a

k log 2
d

+ 2.

, f = [a,b,c]
(||f||3) , ||f||
|abc|. ,
a + b, ab O(max{||a||,||b||}), O(||a||||b||).
[15] .

| c | +b
v ( f ) = sign ( c )

2|c|

____________________________ 2010, . 1, 1, . 2354 ____________________________

36

. .

, f, tv(f)(f) (tv(f))2(f) a < b a , |v(f)| 2 |a| |v(f)| |c|. ,

(||f||2). d > 0.
, [29].

() Cl(d),
Cl(d). ,
Cl(d) .


,
, Cl(d).
Cl(d) d < 0, , 1989 . (. [53], [32]).
Cl(d) h(d) , . 2
[53], [68].
- [30], [22].
.

(6)
Cl(d) = <g1><gr>, ord (gi) = ni, i = 1,,r,
Cl(d)

= , , Cl(d).
(6) ,
r

i =1

i =1

= gia( i ) , = gib( i )

(7)

( i ) x b ( i ) ( mod ni ) , i =1,, r.

(i)x b(i) (mod ni) gib(i) gi(i) ni. .

-.
______________ ______________

37

- (6) (7).
, Q 0

( D ) , (0) (1),

.
1,,Pk

P ( ) = (1) ,
t i

i = 1,,k. (b1,,bk) ,
(t(1),,t(k)), , b1,,bk,

S = UMV = diag(n1,,nr,1,,1).
U = (u(ij)) Qi = Pju(ij), j = 1,r, (6),
gi Qi. ,

V1 = (v(ij)), i = Qjv(ij). ,
Cl(d) h1,,hk 1,,Pk, g1,,gr.
(7)
, h1,,hk.
(v(1),,v(k)), 0 v(i) d 1,
, Aiv(i),
.
, ,

Piw(i).

= hi
.
. w(i)v(i)

(7).
, P1,,Pk
, Ld(),
Ld(1/4).
Ld().
[22]
k, r, ni, h(d) d = (410t +4) t = 24, 29, 34, d = 4F7, F7 7- . ____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

38

. k r : k = 1404, 1902, 2609, 3257 r = 3, 3, 4, 2.

Cl(d) [24, 70, 45]
. , [24] ,
O(log4(d)). [38] . , - Ld(321/2/4), -
,
-. [46] ,
Ld(1) .
, Cl(d)
,
. ,
,
.
d Q D .

( )

, d , h(d)
, . . .
h(d)
(2). d, h(d), . , ,
.

4. ,


. 3 ,
Cl(d)
Q D .

( )

( ) , , , Cl(d) h(d).
, ______________ ______________

39

d,
, RSA, - , .
, Cl(d)
, .
[41] ()
. , (. [19,3743,45,57,58]).
. Q D

( )

Q0

( D ) , Z- r 2. ,

D < 0,

b d1 + d1
,
qa +

d1 Z, d1 < 0, d1 0 1 (mod 4) d1 Z,
a,bZ, a > 0, a < b a, qQ. d1
d1 1 (mod 4) d1/4 d1 0 (mod 4),
O(d1) , . , O(d1)
Q 0 D Q D d1. O(d1) -

( )

( )

, d1 d1 = f2d, f, dZ, d
. , , , Q d1 = Q d , O ( d1 ) O ( d ) ,

( ) ( )
. . Q ( d ) Q ( D ) 1

d.
O(d1) ,
Q 0 D , , ,

( )

, , ,
Cl(d1) h(d1). ,
____________________________ 2010, . 1, 1, . 2354 ____________________________

40

. .

Cl(d1) , , ,
Cl(d1) .
[41] , , d1 = f2d < 0,
c h(d1) h(d), h(d1) h(d) f:
d
h ( d1 ) = h ( f 2 d ) = h ( d ) f 1 ,
q
d
, q
q f.
d1 = f2d < 0 h(d), ,
, . . h(d) = 1, , RSA -.
-, d1 = f2d < 0 [41].
d1.
, .
(S. Paulus, T. Takagi) , d1
( , 1998 . [59]).

O(log2d1).

[41] , . , . 19981999 .
, RSA [43],
DSA [19]. ( Z/mZ m)
d1 = f2d < 0, f = q, d = p, p 3
(mod 4), d = 4p , , q .
RSA d1 = f2d < 0, f = pq
______________ ______________

41

p, q, d , h(d) = 1. ,

d
d
h ( d1 ) = p 1 q 1 .
p
q

, f = pq. RSA
RSA. RSA , .
, , [40], . ,
DSA . ,
.
, ,
d1.
[45], ,
d1 = 2d O(log3) d
GF() = 1 GF(2)
p
d
= 1 .
p
[37]
, NICE- (New Ideal Coset Encryption).
,
, . ,
RSA.
.
d1 = f2d 1536 n = pq
RSA RSA 751,3 ms, NICE-
6,2 ms. , NICE-
-, ,
.
____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

42

[38],
, . ,
( 2000 .) .

5. ,

1989 . [29] .
. . (R Scheidler)
[27],
Q D , D > 0. -

( )

,
. , D > 0 ,
.
. . ,
, ,
[21]. S.
[69]
, S S . .
A B
> 0, I(c), , (I(c),c).

1, D ,

I(ac) (I(ac),ac) . b, I(bc) (I(bc),bc) .

A, B
I(abc), .
, I ,
______________ ______________

43

, , .
, (
) [970].
, . [62]


. , .
[48]. [44] ,
. [62] ,
,
. (a,b,c) , ,
, . ,
. [70] -,
()
S LD

( 2 ) . , -

S, . .
S ,

D. [46, 50]
, . , , .
[24] , . .
I(xy) (I(xy), xy)
y > 0. (log2D) (log D).
[27] [14],
Crypto-94.

,
____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

44

.
.
D D > 0
OD = Z + Z

D+ D
.
2

OD Q
D

( D ) . -

) )

A = q Za + Z b + D / 2a , a,bZ, qQ, a > 0, q > 0, c = b2 D/4a Z.

a, q , b
2. ,
b ,

2a + D < b<

D a < D

a < b < a a >

D.

q = 1.
= Z + Z(), () = b + D / 2a .

, ()
() () > 1, 0 < (A) <1.
, a < D b< D . , , D.
D SD.
, = , Q

( D)

, , = ,
D, = k, D, kZ. ,

Log = log+ kRD,

RD = log D. log+RDZ
,
(,) ( (), = D).
k (,),
k , k. A k :
= (1/), = log k, ,
log k<log k OD.
______________ ______________

45

, , > 0.
(,). m
. m- (,) (,r),
, = m((A) + c),
r = (x,B). , . . . (,r) exp((A,c),m). ,

SD, c R, n,m N: (exp((A,c),m), n) = (exp((A,c), n), m).

,
. [14] , .
,
. . , , .
,
, ,
Q D D < 0

( )

. Q D D > 0,

( )

. e
[63] Q D , D

( )

n + 1 n > 2. ,
k (ln d),
d, , . ,
2 Rd
2R
k d , Rd = O d ln d .
ln d
ln 2
, k
, a + b d + d / 2
2

(a,b)
____________________________ 2010, . 1, 1, . 2354 ____________________________

. .

46

, , .

- , h(d)
.
, , .
, D = n2 + 1 h(d) . , - n2 + 1
,
.
2000 . [25], ,
.
.
() () G, H, : G H k. ,
(g1,,gk) G (h1,,hk) , hi = (gi), i = 1,,k.
.
1. g G, h = (g) h .
2. e = (1,,ek) {0,1}k .
3. r = g g1e1 ...g kek .

4. hh1e1 ...hkek = (r ) .
11/2k,
.
[25] G, H F*
F = Q D , F -

( )

: F * P , () = F0, F0 = Q 0

( D).

: Z- F0 ,
, , ______________ ______________

47

. ,
,
0 .
, . , ( )
.

O(R1/2do(1)) exp(O(log d loglog d)1/2).

, R, d
h(d), :
, d ,
.
,
[49]. ,
[34], , d = 2687
21024. :

1024
1536
2048
3072
4096

687
958
1208
1665
2084

d.
, , d
1,2 3 (mod 4),

R > 2k1 ln d
1 2 k2 k1 160
d
> 2k1 + k2 +1 .
ln d ln ln d
,

Cl0(d) Cl(d). , , ,
Cl0(d) 0,977575 (. [5],
____________________________ 2010, . 1, 1, . 2354 ____________________________

48

. .

. 291). [5] , .
1. .
2. h(d) 1/p+1/p2.
x
3. h( p ) , , 8

1 4.
, R(d)
d , h(d) , ,

ln(R(d)h(d)) ~ ln d .
d, h(d) = 1.
[34]

d = 2m, m = 687,968,1208,1665,2084, k1 = 160, k2 = 80.
, 11/230. Pentium II, 300MHz, 64 MB.
, .
.
687
958
1208 1665 2084
m
0,98 3,96 13, 25 16,16 63, 42
d
54,87 84,56 122,74 196, 4 291,76

3, 23 4,86
7,03
10,7 16,03
h
7,15 11,04 16, 45
3, 28 4,96

2001 . . , . . [47]
, S
. , , . , , (S,*), (*) .
.
, I S ,
a, b , ______________ ______________

49

I a , I b , . J R , I ab .
( f , p) I f R, p N,
1 f < 2 p . ( J , d ) , J , I, d N d

J = ( ) I , | (2 p / d ) 1|< f 2 p .
J ,
( f , p) . ,

| d 2 p |< fd 22 p , , d 2 p
fd 22 p .
( f , p) , ,
( f , p) .
, .

,
, 2 >46H2log2H ( 2 p 3072 DH 2
).
2006 . [48] [47]. -, , ( f , p) d. , , ( f , p) . , ( f , p) I
p N , f R,1 f < 2 p ( J , d , k ) , J
, I , d N , 2 p < d 2 p +1 , k Z K ,
J = ( ) I | (2 p k / d ) 1|< f 2 p . -,
[69], .
,
[47],
.
____________________________ 2010, . 1, 1, . 2354 ____________________________

50

. .

, , .
m
r1
log 2
795 0,04 0,38
1384 0,11 1,05
1732 0,15 1,63
3460 0,50 6,34
5704 1,32 17,97

r2
0,13
0,30
0, 43
1, 45
3,86

r1 / r2
2,8948
3, 4518
3,7925
4,3814
4,6553

1- , m, r1 , r2

[47], [48] .
.
[47] , , . (a,b,c) ,
, , . ,
.

. ,
. 1994 . . , Q D D > 0

( )

- Ld(1,144).
2000 . . [70] , 1,44 2 1,41.
( ) . [50]. ,
. ,
(log D)1/3(loglog D)1/3,
, .

.
, , , .
______________ ______________

51

1. . ., . . . .: , 1964.
2. . . .: , 1940.
3. . ., . .
. ., 1998.
4. Ankeny N. C., Artin E., Chowla S. The class-number of real quadratic number
fields. Ann. Math., 1952, v. 56, 3, . 479493.
5. Cohen H. A course in computational algebraic number theory. Berlin:
Springer, 1993.
6. Cohen H., Diaz F., Olivier M. Computing ray class groups, conductors and discriminants. In: ANTS-II, Lect. Notes Comp. Sci., 1996, v. 1122, p. 4957.
7. Kuroda S. Uber die klassenzahlen algebraischer zahlkorper. Nagoya Math.
J., 1950, v. 1, p. 110.
8. Lagarias J. C. Worst-case complexity bounds for algorithms in theory of
integral quadratic forms. J. Algorithms, 1980, v. 1, p. 142186.
9. Pohst M., Zassenhaus H. Algorithmic algebraic number theory. Cambridge: Cambridge Univ. Press, 1989.
10. Pohst M. Computational algebraic number theory. Birkhuser, 1993.
11. Stefenhagen P. The arithmetic of number rings. MSRI Publ., 2008, v. 44,
p. 209266.
12. Atkin A. O. L. Letter to Shanks on the programs NUDUPL and NUCOMP,
1998 (. van der Poorten A.J. A note on NUCOMP. Math. Comp., 2003,
v. 72, p. 19351946).
13. Biehl J., Buchmann J. A. Algorithms for quadratic orders. In: Proc. Symp.
Appl. Math., 1994, v. 48, p. 425449.
14. Biehl J., Buchmann J. A., Thiel Ch. Cryptographic protocols based on discrete
logarithms in real-quadratic orders. In: CRYPTO94, Lect. Notes Comp.
Sci., 1994, v. 839, p. 5660.
15. Biehl J., Buchmann J. A. An analysis of the reduction algorithms for binary
quadratic forms. In: P. Engel and H. Syta Voronoi`s Impact on Modern
Science, v. 1. Kyiv: Kyiv Institute of Math., National Acad. Sci., 1998.
16. Biehl J., Buchmann J. A., Hamdy S., Meyer A. Cryptographic protocols based
on the intractability of extracting roots and computing discrete logarithms.
Tech. Rep. Darmstadt: Technology Univ., 1999.
17. Biehl J., Buchmann J. A., Hamdy S., Meyer A. A signature scheme based on
the intractability of computing roots. Des., Codes and Cryptography, 2002,
v. 25, p. 223236.
18. Biehl J., Meyer ., Thiel Ch. Cryptology protocol based on real-quadratic Afields. In: ASIACRYPT96, Lect. Notes Comp. Sci., 1996, v. 1163, p. 1525.
19. Biehl J., Paulus S., Takagi T. An efficient undeniable signature scheme based
on non-maximal imaginary quadratic orders. Tech. Rep. Darmstadt:
Univ.Technology, 1999.
____________________________ 2010, . 1, 1, . 2354 ____________________________

52

. .

20. Buchmann J. On the computation of units and class numbers by a generalization of Lagrange algorithms. J. Number Theory, 1987, v. 26, p. 830.
21. Buchmann J. Number theoretic algorithms and cryptology. In: Proc.
FCT91, Lect. Notes Comp. Sci., 1991, v. 529, p. 1621.
22. Buchmann J., Dullmann S. On the computation of discrete logarithms in
class groups. In: CRYPTO 90, Lect. Notes Comp. Sci., 1991, v. 537,
p. 134139.
23. Buchmann J., Dullmann S. A probabilistic class group and regulator algorithm and its implementation. In: Computational number theory. BerlinNew York: Springer, 1991, p. 5372.
24. Buchmann J., Dullman H., Williams H. C. On the complexity and efficiency a
new key exchange system. In: EUROCRYPT 89, Lect. Notes Comp. Sci.,
1990, v. 434, p. 597616.
25. Buchmann J., Maurer M., Mller B. Cryptography based on number fields
with large regulator. Tech. Rep. TI-5, 2000, p. 112.
26. Buchmann J., Paulus S. A one way function based on ideal arithmetic in
number fields. In: CRYPTO 97, 1997, p. 385394.
27. Buchmann J., Scheidler R., Williams H.C. A key exchange system based on
real quadratic fields. In: CRYPTO 89, Lect. Notes Comp. Sci., 1990,
v. 435, p. 335343.
28. Buchmann J., Williams H. C. A key exchange protocol using real quadratic
fields. J. Cryptology, 1994, 3, p. 171199.
29. Buchmann J., Williams H. C. A key exchange system based on imaginary quadratic fields. J. Cryptology, 1988, 1, p. 107118.
30. Dullman S. Ein neues Verfahren zum offentlichen Schusselaustausch.
Master thesis. Dusseldorf: Dusseldorf Univ. Press, 1988.
31. Estes D., Adleman L. M., Kompella K., McCurley K. S., Miller G. L. Breaking
the OngSchnorrShamir signature scheme for quadratic number fields.
In: CRYPTO1985, Lect. Notes Comp. Sci., 1986, v. 218, p. 313.
32. Hafner J. L., McCurley K. S. A rigorous subexponential algorithm for computation of class groups. J. Amer. Math. Soc., 1989, v. 2, p. 837850.
33. Hamdy S. The key-length of DL-based cryptosystems in class group. Manuscript, 1999.
34. Hamdy S., Maurer M. Feige-Fiat-Shamir identification based on real quadratic fields. Technischer Bericht TU-Darmstadt, 2000.
35. Hamdy S., Mller B. Security of cryptosystems based on class groups of imaginary quadratic orders. In: ASIACRYPT2000, Lect. Notes Comput.
Sci., 2000, v. 1976, p. 234247.
36. Hamdy S. Performance and security of cryptosystems based on class groups
of imaginary quadratic orders. Manuscript, 2000.
37. Hartmann M., Paulus S., Takagi T. NICE New Ideal Coset Encryption.
In: CHES99, Lect. Note. Comp. Sci., 1999, v. 1717, p. 341352.
______________ ______________

53

38. Hhnlein D. A survey of cryptosystems based on imaginary quadratic orders.

2000, 15 pp. http://citeseerx.ist.psu.edu/.
39. Hhnlein D. Quadratic orders for NESSIE overview and parameter sizes of
three public key families. 2001, 19 pp. http://citeseerx.ist.psu.edu/.
40. Hhnlein D. Efficient implementation of cryptosystems based on non-maximal
imaginary quadratic orders. Lect. Notes Comp. Sci., 2000, v. 1758,
p. 147162.
41. Hhnlein D., Jacobson M. J., Paulus S., Takagi T. A cryptosystem based on
non-maximal quadratic orders with fast decryption. In: EUROCRYPT98,
Lect. Notes Comp. Sci., 1998, v. 1403, p. 294307.
42. Hhnlein D., Merkle J. An efficient NICE-Schnorr-type cryptosystem.
Lect. Notes Comp. Sci., 2000, v. 1751, p. 328339.
43. Hhnlein D., Meyer A., Takagi T. Rabin and RSA analogues based on nonmaximal imaginary quadratic orders. In: Proc. CICS98, 1998, p. 221240.
44. Hhnlein D., Paulus S. On the implementation of cryptosystems based on real
quadratic number fields. In: 7th Ann. Workshop Select. Areas Cryptography, Lect. Notes Comp. Sci., 2001, v. 2012, p. 288302.
45. Hhnlein D., Takagi T. Reduction logarithms in totally non-maximal quadratic orders to logarithms in finite fields. In: ASIACRYPT99, Lect. Notes
Comp. Sci., 1999, v. 1716, p. 220231.
46. Jacobson M. J.(Jr.). Computing of discrete logarithms in quadratic orders.
J. Cryptology, 2000, v. 13, No 4, p. 437492.
47. Jacobson M. J.(Jr.), Scheidler R., Williams H. C. Efficient and security of a
real quadratic field based-key exchange protocol. In: Public-Key Cryptography and Comput. Number Theory. Berlin, 2001, p. 89112.
48. Jacobson M. J.(Jr.), Scheidler R., Williams H. C. An improved real quadratic
field based key exchange procedure. J. Cryptology, 2006, v. 19, 2,
p. 211239.
49. Jacobson M. J.(Jr.), Sawilla R. E., Williams H. C. Efficient ideal reduction in
quadratic field based-key exchange protocol. J. Comp. Sci., 2006, 1,
p. 83116.
50. Jacobson M. J.(Jr.) Subexponential class group computations in quadratic
orders. Ph. D. thesis. Darmstadt, 1999.
51. Kaplan P., Williams K. S. The distance between ideals in the orders of a real
quadratic field. Enzeign. Math., v. 36, No. 34, p. 321358.
52. McCurley K. A key distribution system equivalent to factoring. J. Cryptology, 1988, v. 1, p. 95105.
53. McCurley K. Cryptology key distribution and computation in class groups.
Number Theory Appl., ser. C, 1989, v. 265, p. 459479.
54. Meyer A. Ein neues Identifications- und Signaturverfahren uber imaginarquadratischen Zahlkorpern. Master Thesis. Saarbrucken: University of
Saarbrucken, 1997.
____________________________ 2010, . 1, 1, . 2354 ____________________________

54

. .

55. Mollin R. A., Williams H. C. Computation of the class number of a real quadratic field. Util. Math., 1992, v. 41, p. 59308.
56. Oesterle J. Nombre de classes des corps quadraticues imaginarires. Soc.
Math. De France, 1985, p. 309323.
57. Ong H., Schnorr C. P., Shamir A. An efficient signature scheme based on quadratic forms. In: Proc. 16th ACM Symp. Theory of Computing, 1984,
p. 208216.
58. Paulus S. An algorithm of subexponential type computing the class group of
quadratic orders over principal ideal domains. Lect. Notes Comp. Sci.,
1996, v. 1122, p. 243257.
59. Paulus S., Takagi T. A new public-key cryptosystem over the quadratic order
with quadratic decryption time. J. Cryptology, 2000, v. 13, p. 263272.
60. Rickert N. W. Efficient reduction of quadratic forms. In: Computers and
Math. N.Y.: Springer, 1989, p. 135139.
61. Sawilla R. E. Fast ideal arithmetic in quadratic fields. Master Thesis.
Calgary, Calgary Univ. Press, 2004.
62. Scheidler R., Buchmann J., Williams H. C. Implementation of a key exchange
protocol using some real quadratic fields. In: EUROCRYPT90, Lect.
Notes Comp. Sci., 1991, v. 473, p. 98109.
63. Scheidler R., Buchmann J., Williams H. C. A key-exchange protocol using
real quadratic fields. J. Cryptology, 1994, v. 7, p. 171199.
64. Schielzeth D., Pohst M. E. On real quadratic number fields suitable for cryptography. J. Exper. Math., 2005, v. 14, 2, p. 189197.
65. Schnhage A. Fast reduction and composition of binary quadratic forms.
In: On Symbolic and Algebraic Computation, ACM, 1991, p. 128133.
66. Schoof R. J. Quadratic fields and factorization. In: Computational Methods
in Number Theory. Part II. Amsterdam: Math. Centrum Tracts, 1983,
p. 235286.
67. Seysen M. A probabilistic factoring algorithm with quadratic forms of negative discriminant. Math. mp., 1987, v. 48, p. 737780.
68. Shanks D. Class number, a theory of factorization and genera. In: Proc.
Symp. Pure Math. AMS, 1971, v. 20, p. 415440.
69. Shanks D. The infrastructure of real quadratic fields and its application. In:
Proc. 1972 Number Theory Conf. Colorado: Boulder, 1973, p. 217224.
70. Vollmer U. Asymptotically fast discrete logarithms in quadratic fields. In:
ANTS2000, Lect. Notes Comp. Sci., 2000, v. 1838, p. 581594.
71. Weber D. Computing discrete logarithms with quadratic number rings. In:
EUROCRYPT97, Lect. Notes Comp. Sci., 1997, v. 1233, p. 171183.
72. Williams H. A modification of the RSA public-key encryption procedure.
IEEE Trans. Inf. Theory, 1980, v. IT-26, p. 726729.
73. Williams H. Some public-key crypto-functions as intractable as factorization.
Cryptologia, 1985, v. 9, 3, p. 223237.
______________ ______________