
Efficient Undeniable Signature Schemes based on Ideal Arithmetic in Quadratic Orders

Ingrid Biehl, Technische Universität Darmstadt, Alexanderstr. 10, D-64283 Darmstadt, Germany
Sachar Paulus, KOBIL Computer GmbH, Weinsheimer Strasse 71, D Worms, Germany
Tsuyoshi Takagi, NTT Software Laboratories, Immermannstr. 40, D-40210 Düsseldorf, Germany

1 Motivation

In 1989 Chaum and van Antwerpen introduced a variant of the concept of a digital signature scheme, the undeniable signatures [9]. A signature of this kind cannot be verified without the interaction of the signer. The standard example for its application is its use by a software development company: the distributed software is signed by means of an undeniable signature of the company, to allow legal users to ensure themselves that they use unmodified software. Since interaction with the seller is needed to check the signature, illegal users either cannot check and risk using virus-infected software, or will be traced by the software seller as soon as they ask for interactive verification.

An undeniable signature scheme consists of several components: a public and a secret key, a method to sign a message, and two interactive protocols. To convince someone of the authenticity of a message, the correctness of the signature is proven in the confirmation protocol. On the other hand, a signer has to be able to prove that a faked signature attributed to him is invalid. This is achieved by another interactive protocol between signer and verifier, called the disavowal protocol. If confirmation and disavowal protocol are zero-knowledge protocols, the scheme is called a zero-knowledge undeniable signature scheme. These too were invented by Chaum (see [8]).

To our knowledge, the undeniable signature schemes known so far require considerable computations by the signer, of cubic bit complexity in the length of the public key. These might be too time-consuming if the operations of the signer have to be performed by a chip card containing the secret key of the signer.

In this paper we present new undeniable signature schemes which are constructed over an imaginary quadratic field. The basic scheme contains zero-knowledge confirmation and disavowal protocols which require operations of cubic bit complexity by the signer. If one omits the costly part of the protocols, the confirmation and disavowal protocols are no longer zero-knowledge but honest-verifier zero-knowledge, and the remaining operations of the signer have quadratic bit complexity. Additionally, the information which a dishonest verifier can learn can be characterized, and it is of no help for faking new signatures. Even tracing the operations done in this part leaks no information. In our basic scheme the secret key of the signer is not needed for the additional operations that provide the zero-knowledge property; this part can be delegated to certified software running on a terminal or PC to which the chip card is connected. Tracing the computations done by the certified software is allowed. One only has to guarantee that the results computed by this program are not manipulated. So, either in the basic protocol or in applications in which the verifier is known to be trustworthy, the tasks of the signer which use the secret information can be performed in quadratic bit complexity, e.g. on a smart card.

Buchmann and Williams proposed the first algorithm which achieves the Diffie-Hellman key distribution scheme using the class group of an imaginary quadratic field [5]. Later, Hafner and McCurley discovered a sub-exponential algorithm for the discrete logarithm problem in the class group [20]. Since then, cryptosystems over class groups have not gained much attention in practice. Recently, Hühnlein et al. proposed an ElGamal-type public key cryptosystem with a faster decryption process in class groups of imaginary quadratic fields [19]. Here we call it the HJPT cryptosystem. Denote by $\mathrm{Cl}(\Delta_q)$ and $\mathrm{Cl}(\Delta_1)$ the class group of the non-maximal order and that of the maximal order, respectively. The technique used in the HJPT cryptosystem is to "switch" the ideals between $\mathrm{Cl}(\Delta_q)$ and $\mathrm{Cl}(\Delta_1)$. Note that the arithmetic of the switching is fast, i.e., has quadratic bit complexity in the

bit length of the public key. In [27] a number-theoretic technique for the construction of a very efficient probabilistic encryption scheme is developed. We use the "switching" technique developed in the above papers for the creation of our undeniable signature schemes. The security of our signature schemes is based upon some new number-theoretic problems over quadratic orders. When we choose appropriate sizes for the parameters, the currently known fast algorithms, like the elliptic curve method [21], the number field sieve [23] and the Hafner-McCurley algorithm [20], are not applicable.

2 Undeniable Signature Schemes

Undeniable signatures were introduced by Chaum and van Antwerpen in [9]. Most undeniable signature schemes presented in the literature are based on the discrete logarithm problem. In [16] an undeniable signature scheme is presented which is based on the RSA signature scheme and which achieves a considerable level of efficiency. Nevertheless, the running time of the operations performed both by the signer and by the verifier has cubic bit complexity in the length of the public key.

Undeniable signature schemes have the extraordinary property that signatures for messages cannot be checked without the help of the signer. This allows the signer to decide which persons may check the authenticity of the message. To convince someone of the authenticity of a message, the correctness of the signature is proven in a protocol called the confirmation protocol. On the other hand, a signer has to be able to prove that a fake signature attributed to him is invalid. This is achieved by another interactive protocol between signer and verifier, called the disavowal protocol. Apart from the existence of the confirmation and the disavowal protocol, there has to exist an algorithm which creates pairs of messages and pseudo-signatures that cannot be distinguished from correct ones. Damgård and Pedersen call this property signature indistinguishability. Without this property a verifier needs no interaction with the prover in the confirmation protocol, since he can simply apply the test which distinguishes wrong and correct signatures. Moreover, generated signatures should not help to create new signatures without knowledge of the private key of the signer. This is called unforgeability.

If confirmation and disavowal protocols have the zero-knowledge property, the signature is called a zero-knowledge undeniable signature, which was invented by Chaum in [8]. We shortly explain that property. Informally, a protocol between a prover P, which either has unlimited computing power or has some relevant secret information, and a verifier V, which is supposed to have polynomially

limited running time, is called zero-knowledge (see [17]) if the protocol leaks no information, even if the verifier is dishonest and tries to gain information which he cannot compute by himself. The sequence of messages exchanged between prover and verifier is called the transcript. To be more precise: if a protocol is zero-knowledge, then for each (even dishonest) verifier Turing machine $V'$ there is a probabilistic Turing machine $S_{V'}$ with expected polynomial running time, called the simulator, which creates outputs that look like transcripts of a correctly performed protocol between prover and verifier. The probability distribution of the output of the simulator has to be similar to the probability distribution of the transcripts of the protocol. If both distributions are identical, the protocol is called perfect zero-knowledge. If the sum $\varepsilon(k)$ of the differences of both distributions is negligible, i.e. for all polynomials $p$ we have that $p(k)\,\varepsilon(k)$ tends to 0 with growing $k$, the protocol is statistically zero-knowledge. There exist more criteria depending on the distinguishability of those distributions; we will only be concerned with the latter one. If a simulator Turing machine can only be constructed for an honest verifier, the protocol is called honest-verifier zero-knowledge.

Originally zero-knowledge protocols were introduced to define a class of languages in the complexity-theoretic sense. A language $L$ belongs to the class ZK if there is an interactive protocol between a prover and a verifier in which the prover is able to convince the verifier that the common input $x$ belongs to $L$, and which is zero-knowledge. The protocol has to guarantee that the prover will be able to convince the (honest) verifier with high probability if the input belongs to the language. This property is called completeness. Conversely, even a dishonest prover must not be able to convince the verifier with non-negligible probability if the input does not belong to $L$ (soundness). For the sake of brevity we omit the formal definitions of zero-knowledge, of undeniable signature schemes and of zero-knowledge undeniable signature schemes here and refer the reader to [17], [18] and [12].

3 Quadratic Orders

There are plenty of cryptographic primitives in quadratic fields, and several public key cryptosystems have been proposed [6]. We briefly explain the class group of a quadratic order. A more complete treatment may be found in [11].

Let $\Delta \in \mathbb{Z}$ be a non-square such that $\Delta \equiv 0, 1 \pmod 4$. We call $\Delta$ a (quadratic) discriminant. $\Delta$ is called a fundamental discriminant if $\Delta \equiv 1 \pmod 4$ and $\Delta$ is square-free, or $\Delta/4 \equiv 2, 3 \pmod 4$ and $\Delta/4$ is square-free. Every discriminant $\Delta$ can be represented as $\Delta_1 f^2$, where $\Delta_1$ is a fundamental discriminant and $f$ is a positive integer, and we denote $\Delta_f = \Delta_1 f^2$. We consider only negative discriminants in this paper. Let $\sqrt{\Delta_f} = i\sqrt{|\Delta_f|}$ be the square root of $\Delta_f$ in the upper half plane. Then we call $\mathcal{O}_{\Delta_f} = \mathbb{Z} + \frac{\Delta_f + \sqrt{\Delta_f}}{2}\mathbb{Z}$ the quadratic order of discriminant $\Delta_f$. It is an integral

domain. If $\Delta_f$ is not a fundamental discriminant, then $\mathcal{O}_{\Delta_f} \subset \mathcal{O}_{\Delta_1}$, and $\mathcal{O}_{\Delta_f}$ has finite index $f$ in $\mathcal{O}_{\Delta_1}$. Moreover, we have $\mathcal{O}_{\Delta_f} = \mathbb{Z} + f\mathcal{O}_{\Delta_1}$. The order $\mathcal{O}_{\Delta_f}$ is called the non-maximal order with conductor $f$, and the order $\mathcal{O}_{\Delta_1}$ is called the maximal order. Every element $\alpha \in \mathcal{O}_{\Delta_f}$ is represented as $\alpha = (x + y\sqrt{\Delta_f})/2$ with $x, y \in \mathbb{Z}$. For $\alpha = (x + y\sqrt{\Delta_f})/2$ we denote by $\alpha' = (x - y\sqrt{\Delta_f})/2$ its (complex) conjugate. The norm of $\alpha$ is defined as $N(\alpha) = \alpha\alpha' = (x^2 - y^2\Delta_f)/4$.

A subset $\mathfrak{a}$ of $\mathcal{O}_{\Delta_f}$ is an (integral) ideal of $\mathcal{O}_{\Delta_f}$ if $\alpha + \beta \in \mathfrak{a}$ whenever $\alpha, \beta \in \mathfrak{a}$, and $\alpha\,\frac{\Delta_f + \sqrt{\Delta_f}}{2} \in \mathfrak{a}$ whenever $\alpha \in \mathfrak{a}$. Every ideal $\mathfrak{a}$ of $\mathcal{O}_{\Delta_f}$ is given by

$$\mathfrak{a} = m\left(a\mathbb{Z} + \frac{b + \sqrt{\Delta_f}}{2}\mathbb{Z}\right), \qquad (1)$$

where $m \in \mathbb{Z}$, $a \in \mathbb{Z}_{>0}$, and $b \in \mathbb{Z}$ such that $b^2 \equiv \Delta_f \pmod{4a}$. This expression is unique if we choose $-a < b \leq a$. Then $(m, a, b)$ is called the standard representation of $\mathfrak{a}$. The norm of an ideal $\mathfrak{a}$ is defined by $N(\mathfrak{a}) = am$. $\mathfrak{a}$ is said to be primitive if $m = 1$; in that case we represent $\mathfrak{a}$ by $(a, b)$. For two given ideals $\mathfrak{a}, \mathfrak{b}$ we can define their product $\mathfrak{a}\mathfrak{b}$ (see, for example, [5]). The computation of a representation of $\mathfrak{a}\mathfrak{b}$ needs $O((\log \max\{N(\mathfrak{a}), N(\mathfrak{b})\})^2)$ bit operations.

We describe the class group of $\mathcal{O}_{\Delta_f}$. An ideal $\mathfrak{a}$ is called prime to $f$ if $\gcd(N(\mathfrak{a}), f) = 1$. The ideals of $\mathcal{O}_{\Delta_f}$ prime to $f$ form an Abelian group; denote it by $I_{\Delta_f}(f)$. Two ideals $\mathfrak{a}$ and $\mathfrak{b}$ are called equivalent if there is an $\alpha \in \mathcal{O}_{\Delta_f}$ such that $\mathfrak{a} = \alpha\mathfrak{b}$; denote this equivalence relation by $\mathfrak{a} \sim \mathfrak{b}$. For an element $\alpha \in \mathcal{O}_{\Delta_f}$ the ideal $\alpha\mathcal{O}_{\Delta_f}$ is called a principal ideal. The principal ideals prime to $f$ form a subgroup $P_{\Delta_f}(f)$ of $I_{\Delta_f}(f)$. The quotient group $I_{\Delta_f}(f)/P_{\Delta_f}(f)$ is called the class group of $\mathcal{O}_{\Delta_f}$; denote it by $\mathrm{Cl}(\Delta_f)$. The order of this group is denoted by $h(\Delta_f)$.

For a primitive ideal $\mathfrak{a} = (a, b)$ in $I_{\Delta_f}(f)$ we say that $\mathfrak{a}$ is reduced if $|b| \leq a \leq c = (b^2 - \Delta_f)/(4a)$, and additionally $b \geq 0$ if $a = c$ or $a = |b|$. There is exactly one reduced ideal in every equivalence class. Denote by $\mathrm{Red}_{\Delta_f}(\mathfrak{a})$ the reduced ideal equivalent to $\mathfrak{a} \in I_{\Delta_f}(f)$. An algorithm to compute $\mathrm{Red}_{\Delta_f}(\mathfrak{a})$ from $\mathfrak{a}$ is described in [5] and requires $O((\log N(\mathfrak{a}))^2)$ bit operations. We identify each class of the class group with its unique reduced ideal. It is easy to verify that $N(\mathfrak{a}) < \sqrt{|\Delta_f|/3}$ holds for every reduced ideal $\mathfrak{a} \in I_{\Delta_f}(f)$. Conversely, a primitive ideal $\mathfrak{a} \in I_{\Delta_f}(f)$ with small norm, $N(\mathfrak{a}) < \sqrt{|\Delta_f|/4}$, is always a reduced ideal. It turns out that the representation of the product of two classes of the class group can be computed in $O((\log\sqrt{|\Delta_f|})^2)$ bit operations; see [3].

The Map $\mathrm{Cl}(\Delta_q) \to \mathrm{Cl}(\Delta_1)$

In [11] the relationship between ideals in the maximal order $\mathcal{O}_{\Delta_1}$ and in the non-maximal order $\mathcal{O}_{\Delta_f}$ is investigated. If $\mathfrak{a}$ is an ideal in $I_{\Delta_f}(f)$, then $\mathfrak{A} = \mathfrak{a}\mathcal{O}_{\Delta_1}$ is an ideal in $I_{\Delta_1}(f)$ and $N(\mathfrak{a}) = N(\mathfrak{A})$. Similarly, if $\mathfrak{A}$ is an ideal in $I_{\Delta_1}(f)$, then $\mathfrak{a} = \mathfrak{A} \cap \mathcal{O}_{\Delta_f}$ is an ideal in $I_{\Delta_f}(f)$ and $N(\mathfrak{A}) = N(\mathfrak{a})$. The map $\varphi: \mathfrak{a} \mapsto \mathfrak{a}\mathcal{O}_{\Delta_1}$ induces an isomorphism $I_{\Delta_f}(f) \to I_{\Delta_1}(f)$. The inverse of this map is $\varphi^{-1}: \mathfrak{A} \mapsto \mathfrak{A} \cap \mathcal{O}_{\Delta_f}$.

Let $f = q$ be a prime with $\sqrt{|\Delta_1|/3} < q$. Then all the reduced ideals in $\mathrm{Cl}(\Delta_1)$ are prime to the conductor $q$ [19]. Thus we can consider the following map based on $\varphi$:

$$\varphi_q: \mathrm{Cl}(\Delta_q) \longrightarrow \mathrm{Cl}(\Delta_1), \qquad \mathfrak{a} \longmapsto \mathrm{Red}_{\Delta_1}(\mathfrak{a}\mathcal{O}_{\Delta_1}),$$

where we identify a class of either class group with the unique reduced ideal in that class. (Note that the map can also be defined if the condition $\sqrt{|\Delta_1|/3} < q$ does not hold; one then possibly has to compute an ideal equivalent to $\mathfrak{a}$ which is prime to $q$. See [19].) A practical algorithm to compute $\varphi_q$ is as follows:

Algorithm GoToMaxOrder
Input: A reduced ideal $\mathfrak{a} = (a, b) \in \mathrm{Cl}(\Delta_q)$, the discriminant $\Delta_q$, the fundamental discriminant $\Delta_1$, and the conductor $q$
Output: A reduced ideal $\mathfrak{A} = \varphi_q(\mathfrak{a}) = (A, B)$.
1. $A \leftarrow a$
2. $b_O \leftarrow \Delta_q \bmod 2$
3. Solve $1 = \mu q + \lambda a$ for $\mu, \lambda \in \mathbb{Z}$ using the extended Euclidean algorithm
4. $B \leftarrow \mu b + \lambda a b_O \bmod 2a$
5. $(A, B) \leftarrow \mathrm{Red}_{\Delta_1}(A, B)$
6. RETURN $(A, B)$

Note that the map GoToMaxOrder is different from the map described in [19]. Every step of this algorithm requires $O((\log\sqrt{|\Delta_q|})^2)$ bit operations, thus the complexity of this algorithm is quadratic.

We discuss the "inverse" map $\varphi_q^{-1}$. The map $\varphi_q: \mathrm{Cl}(\Delta_q) \to \mathrm{Cl}(\Delta_1)$ is surjective and we have $h(\Delta_q) = h(\Delta_1)\,(q - (\Delta_1/q))$, where $(\Delta_1/q)$ is the Kronecker symbol (see, for example, [11]). Denote by $\mathrm{Ker}(\varphi_q)$ the kernel of the map $\varphi_q$, which is a cyclic subgroup of $\mathrm{Cl}(\Delta_q)$ of order $q - (\Delta_1/q)$. If two ideals $\mathfrak{a}, \mathfrak{b}$ in $\mathrm{Cl}(\Delta_q)$ satisfy $\varphi_q(\mathfrak{a}) = \varphi_q(\mathfrak{b})$, we call them kernel-equivalent ideals. Let $\mathfrak{p}$ be a generator of $\mathrm{Ker}(\varphi_q)$. Then all ideals kernel-equivalent to $\mathfrak{a}$ are represented by $\mathfrak{a}\mathfrak{p}^r$, where $r = 0, 1, 2, \ldots, q - (\Delta_1/q) - 1$. So there is a $(q - (\Delta_1/q))$-fold ambiguity for the inverse of the map $\varphi_q$. This ambiguity provides us with the intractable problem which will be used in the new undeniable signature scheme. We will distinguish a unique representative ideal among these preimages using the size of the norm of an ideal. Consider the quotient group $\mathrm{Cl}(\Delta_q)/\mathrm{Ker}(\varphi_q)$; then

the cardinality of $\mathrm{Cl}(\Delta_q)/\mathrm{Ker}(\varphi_q)$ is equal to that of $\mathrm{Cl}(\Delta_1)$. The norm of any reduced ideal in $\mathrm{Cl}(\Delta_1)$ is smaller than $\sqrt{|\Delta_1|/3}$. By our assumption $\sqrt{|\Delta_1|/3} < q$, all ideals in $\mathrm{Cl}(\Delta_1)$ are prime to the conductor $q$. Therefore, for a reduced ideal $\mathfrak{A}$ in $\mathrm{Cl}(\Delta_1)$ we can define the ideal $\mathfrak{a} = \varphi^{-1}(\mathfrak{A}) = \mathfrak{A} \cap \mathcal{O}_{\Delta_q}$ in $I_{\Delta_q}(q)$. Note that all ideals $\mathfrak{a} = \varphi^{-1}(\mathfrak{A})$ for $\mathfrak{A} \in \mathrm{Cl}(\Delta_1)$ are reduced in $\mathrm{Cl}(\Delta_q)$, and any two of them are neither equivalent nor kernel-equivalent. We define the representatives of $\mathrm{Cl}(\Delta_q)/\mathrm{Ker}(\varphi_q)$ to be the ideals $\mathfrak{a} = \varphi^{-1}(\mathfrak{A})$, $\mathfrak{A} \in \mathrm{Cl}(\Delta_1)$. Denote by $\varphi_q^{-1}$ this restricted inverse map; a practical algorithm to compute $\varphi_q^{-1}$ is as follows:

Algorithm Inverse
Input: A reduced ideal $\mathfrak{A} = (A, B) \in \mathrm{Cl}(\Delta_1)$, the conductor $q$
Output: A reduced ideal $\mathfrak{a} \in \mathrm{Cl}(\Delta_q)$ such that $\varphi_q^{-1}(\mathfrak{A}) = \mathfrak{a} = (a, b)$.
1. $a \leftarrow A$
2. $b \leftarrow Bq \bmod 2a$
3. RETURN $(a, b)$

This algorithm obviously requires only $O((\log(q\sqrt{|\Delta_1|}))^2)$ bit operations. Although the input of algorithm Inverse is restricted to the reduced ideals in $\mathrm{Cl}(\Delta_1)$, we can compute $\varphi^{-1}(\mathfrak{A})$ for any primitive ideal $\mathfrak{A}$ as input.

4 Intractable Problems

We discuss several problems which are expected to be intractable in this setting.

The Discrete Logarithm Decision Problem (DLDP): Fix a discriminant $\Delta$. Given a reduced ideal $\mathfrak{a}$, decide whether for a given ideal $\mathfrak{c}$ there exists an integer $\ell$ such that $\mathfrak{c} = \mathrm{Red}_{\Delta}(\mathfrak{a}^\ell)$.

The best known method for solving this problem is a variant of the algorithm of Hafner and McCurley [20]. It has subexponential running time. Since it is an index-calculus-type algorithm, every additional discrete logarithm decision problem for the same discriminant can afterwards be solved in polynomial time. But the parameters will be chosen such that this algorithm is not applicable in practice. Thus we define the DLDP assumption: The discrete logarithm decision problem is intractable. It follows immediately:

Lemma 1. Fix a discriminant $\Delta$. Let three reduced ideals $\mathfrak{a}, \mathfrak{b}, \mathfrak{c}$ be given with $\mathfrak{b}$ not in the subgroup generated by $\mathfrak{a}$, but $\mathfrak{c}$ either in the subgroup generated by $\mathfrak{a}$ or of the form $\mathfrak{a}^\ell\mathfrak{b}^k$ with $\ell, k > 0$. Under the DLDP assumption it is intractable to decide

whether $\mathfrak{c}$ is an element of the subgroup generated by $\mathfrak{a}$ or of the subgroup generated by both $\mathfrak{a}$ and $\mathfrak{b}$ in the class group $\mathrm{Cl}(\Delta)$.

Next we consider the new number-theoretic problem. We use the same notation as in Section 3. In the new undeniable signature scheme we make an element $\mathfrak{p}$ of the kernel $\mathrm{Ker}(\varphi_q)$ public. Define the following problem:

The Kernel Problem (KP): Fix a non-fundamental discriminant $\Delta_q$. Given an element $\mathfrak{p}$ in $\mathrm{Ker}(\varphi_q)$, factor the discriminant $\Delta_q$.

There is no efficient algorithm known which is able to solve the kernel problem and actually uses the knowledge of a kernel element. In Appendix A.3 there is a discussion of its difficulty. Thus we define the KP assumption: The kernel problem is intractable.

Related to this problem is the following:

The Kernel Decision Problem (KDP): Fix a non-fundamental discriminant $\Delta_q$. Given a reduced ideal $\mathfrak{a}$ in the non-maximal order, decide whether $\mathfrak{a} \in \mathrm{Ker}(\varphi_q)$.

Note that KDP is equal to DLDP over $\mathrm{Ker}(\varphi_q)$, which is a subgroup of $\mathrm{Cl}(\Delta_q)$. Currently there is no algorithm known which may decide this problem in less time than factoring the discriminant $\Delta_q$. Thus we define the KDP assumption: The kernel decision problem is intractable if $\Delta_1$ and $q$ are unknown.

The last problem will be important in the generation of the signature. For a message ideal $\mathfrak{m}$ in $\mathrm{Cl}(\Delta_q)$, the signature ideal $\mathfrak{s}$ is defined to be the ideal with the smallest norm among all ideals which are kernel-equivalent to $\mathfrak{m}$. Define the following problem:

The Small Kernel-Equivalent Problem (SKEP): Fix a non-fundamental discriminant $\Delta_q$. Given an element $\mathfrak{m}$ in $\mathrm{Cl}(\Delta_q)$, compute the ideal with smallest norm in the kernel-equivalence class of $\mathfrak{m}$.

As we discussed in Section 3, this is the problem of determining the smallest ideal in a given kernel-equivalence class in $\mathrm{Cl}(\Delta_q)$; all ideals kernel-equivalent to $\mathfrak{a}$ are represented by $\mathfrak{a}\mathfrak{p}^r$, where $\mathfrak{p}$ is a generator of $\mathrm{Ker}(\varphi_q)$ and $r = 0, 1, 2, \ldots, q - (\Delta_1/q) - 1$. Because the norm of $\mathfrak{a}\mathfrak{p}^r$ is unpredictable, it is intractable to find such an ideal. On the other hand, to determine the signature ideal for a message ideal $\mathfrak{m}$, the signer uses the map $\varphi_q$, which consists of $\varphi_q = \mathrm{Red}_{\Delta_1} \circ \varphi$. In Appendix A.2 we prove that computing $\varphi$ is as hard as factoring the non-fundamental discriminant $\Delta_q$. Thus we define the SKEP assumption: The small kernel-equivalent problem is intractable if $\Delta_1$ and $q$ are unknown.

Note that the two problems KDP and SKEP are easy if the non-fundamental discriminant $\Delta_q$ is factored. It is obvious that if there is an algorithm to solve SKEP, then we can solve KDP using it. We get the following implications: solving KP $\Rightarrow$ solving SKEP $\Rightarrow$ solving KDP. Completely independent of these problems is DLDP: even if $\Delta_q$ is factored, DLDP does not become any easier, as far as we know.

5 A Zero-Knowledge Protocol for $L_{\ker}$

In this section we present a zero-knowledge subprotocol which will be used in the next section for the confirmation and disavowal protocols of the undeniable signature. We use the same notation as in Section 3. Let

$$L_{\ker} = \{(\mathfrak{a}, \mathfrak{h}, \Delta_q) : \mathfrak{a} \text{ is not in the kernel of } \varphi_q,\ \mathfrak{h} \text{ is in the kernel of } \varphi_q,\ \Delta_q \text{ is a non-fundamental discriminant}\}.$$

We present a zero-knowledge protocol for $L_{\ker}$.

ZK-Protocol for $L_{\ker}$ (basic variant): Let $t \geq 2$ and let $k$ be the bit length of $|\Delta_q|/3$. Prover and verifier repeat the following steps $v$ times:

1. Challenge construction: The verifier randomly and independently chooses $(k-1)$-bit integers $\ell, j$ and a bit $b$. He sets $\mathfrak{c} = \mathfrak{a}^{jb}\mathfrak{h}^{\ell}$ and sends $\mathfrak{c}$ as challenge to the prover.

2. Proof of correct construction (subprotocol):
2.1 The verifier generates for $1 \leq i \leq t$ blinding factors $\mathfrak{t}_i = \mathfrak{a}^{j_i}\mathfrak{h}^{\ell_i}$ and computes $\mathfrak{w}_i = \mathfrak{t}_i\mathfrak{c}$. He sends the pairs $(\mathfrak{t}_i, \mathfrak{w}_i)$ to the prover.
2.2 The prover randomly chooses $r = r_1 \ldots r_t \in \{0, 1\}^t$ and sends $r$ to the verifier.
2.3 The verifier sends $(x_i, y_i) = (j_i, \ell_i)$ if $r_i = 0$ and $(x_i, y_i) = (j_i + jb, \ell + \ell_i)$ if $r_i = 1$, for $i = 1, \ldots, t$.
2.4 The prover checks whether $\mathfrak{a}^{x_i}\mathfrak{h}^{y_i} = \mathfrak{t}_i^{1-r_i}\mathfrak{w}_i^{r_i}$ for $1 \leq i \leq t$ (correctness check). If this fails for some $i$, he rejects and stops the protocol.

3. Response: Using the secret keys $\Delta_1, q$, the prover computes and sends $d$ to the verifier, where

$$d = \begin{cases} 1 & \text{if } \mathrm{GoToMaxOrder}(\mathfrak{c}) \neq \mathcal{O}_{\Delta_1} \\ 0 & \text{if } \mathrm{GoToMaxOrder}(\mathfrak{c}) = \mathcal{O}_{\Delta_1}. \end{cases}$$

4. Check: The verifier checks whether $d = b$. If so, the next round is started. Otherwise, he rejects.

If the protocol was not stopped until here, the verifier accepts the proof.

Theorem 1. The above protocol is a zero-knowledge protocol for $L_{\ker}$. The probability for the prover to cheat the verifier is $2^{-v}$ under the DLDP assumption.

If one omits the subprotocol Proof of correct construction in the above basic variant, one gets a variant which is an honest-verifier zero-knowledge protocol. Moreover, one can characterize which information a dishonest verifier can learn in the variant which omits the subprotocol Proof of correct construction: the dishonest verifier can abuse the prover as an oracle to decide whether some ideals are in the kernel of $\varphi_q$ or not. By current knowledge, this is of no additional help for faking signatures in our scheme. Note that, apart from the subprotocol Proof of correct construction, the computations made by the prover have quadratic bit complexity. The computations of the prover in this subprotocol are of cubic bit complexity in the length of the public key. Moreover, we stress that the computations of the prover in the subprotocol Proof of correct construction need no secret knowledge of the prover. Thus they can be delegated to some third instance for which the correctness of the computational results is guaranteed.

6 The New Undeniable Signature Schemes

Generate two random primes $p, q > 4$ such that $p \equiv 3 \pmod 4$, and let $\Delta_1 = -p$. Let $\mathrm{Cl}(\Delta_1)$ be the class group of the maximal order with discriminant $\Delta_1$, and $\mathrm{Cl}(\Delta_q)$ the class group of the non-maximal order with conductor $q$. $\Delta_q$ will be public, whilst its factorization into $\Delta_1$ and $q$ will be kept private. The discriminant $\Delta_1$ and the conductor $q$ are large primes, to prevent breaking the cryptosystem by factoring $\Delta_q$. In the key generation we choose an ideal $\mathfrak{p}$ from the kernel $\mathrm{Ker}(\varphi_q)$ which is a generator of the kernel, and make $\Delta_q$ and $\mathfrak{p}$ public. The message ideal $\mathfrak{m}$ is an ideal in $\mathrm{Cl}(\Delta_q)$ with norm greater than $\lfloor\sqrt{|\Delta_1|/3}\rfloor$. The signature for $\mathfrak{m}$ is computed by applying $\varphi_q$ to $\mathfrak{m}$ and then lifting the result back to the non-maximal order, giving an ideal $\mathfrak{s} \subset \mathcal{O}_{\Delta_q}$ with $N(\mathfrak{s}) < \sqrt{|\Delta_1|/3}$. Thus $\mathfrak{m}\mathfrak{s}^{-1}$ is an element of the kernel of $\varphi_q$. Since the kernel decision problem is assumed to be intractable, verification of a signature needs the interaction of the signer, who knows $q$.

1. Key generation: Generate two random large primes $p, q > 4$ with $p \equiv 3 \pmod 4$ and $\sqrt{p/3} < q$. Let $\Delta_1 = -p$ and $\Delta_q = \Delta_1 q^2$. Let $k$ be the bit length of $\lfloor\sqrt{|\Delta_1|/3}\rfloor$. Choose an ideal $\mathfrak{p}$ in the kernel of $\varphi_q$ which is a generator of the kernel. Since the kernel is cyclic with known order, a few random trials will lead to a generator. Then $(\mathfrak{p}, \Delta_q, k)$ is the public key and $q$ is the secret key.

2. Signature generation: Let $m$ be the message. Run the embedding algorithm explained below to obtain $\mathfrak{m}$, the representation of a reduced ideal in $\mathrm{Cl}(\Delta_q)$ with $N(\mathfrak{m}) > 2^{k+1}$. We create the signature for $\mathfrak{m}$ as follows: compute $\mathfrak{s} = \mathrm{Inverse}(\mathrm{GoToMaxOrder}(\mathfrak{m}))$. Then $(\mathfrak{m}, \mathfrak{s})$ is the pair of message and signature.

3. Confirmation protocol: Given $(\mathfrak{m}, \mathfrak{s})$, the verifier generates the embedding ideal $\mathfrak{m}$ of the message $m$. He checks whether the pair has the correct form, i.e. whether $N(\mathfrak{s}) < 2^{k+1}$. If not, he accepts the claim of the prover that the signature is a fake. Otherwise he computes $\mathfrak{h} = \mathfrak{m}\mathfrak{s}^{-1}$ and randomly chooses a reduced ideal $\mathfrak{a}$. With high probability $\mathfrak{a}$ is not in the kernel. Then signer and verifier interact in the zero-knowledge protocol for $L_{\ker}$ with input $(\mathfrak{a}, \mathfrak{h}, \Delta_q)$.

4. Disavowal protocol: The verifier generates the embedding ideal $\mathfrak{m}$ of the message $m$. He checks whether $N(\mathfrak{s}) < 2^{k+1}$. If not, he accepts the claim of the prover that the signature is a fake. Otherwise he computes $\mathfrak{h} = \mathfrak{m}\mathfrak{s}^{-1}$. Then signer and verifier interact in the zero-knowledge protocol for $L_{\ker}$ with input $(\mathfrak{h}, \mathfrak{p}, \Delta_q)$, provided the verifier is convinced that $\mathfrak{p}$ is in the kernel. If the verifier is not convinced that $\mathfrak{p}$ is in the kernel, he has to choose a random ideal $\mathfrak{a}$, which with high probability will not be in the kernel, send it to the prover, and be convinced about $\mathfrak{p}$ by the zero-knowledge protocol for $(\mathfrak{a}, \mathfrak{p}, \Delta_q)$. If it happens that $\mathfrak{a}$ is in the kernel, the same ZK protocol can be used by the prover to prove this.

To embed (a hash value of) a message which has to be signed, we have to ensure that the message ideal differs from the signature ideal, i.e. that the message ideal does not belong to the image of the map $\varphi_q^{-1}$. This is done by requiring that the message ideal has norm greater than $\sqrt{|\Delta_1|/3} < 2^{k+1}$. Remember that for an ideal given by $(a, b)$ we know that $(a, b)$ is reduced in $\mathcal{O}_{\Delta_q}$ if $a < \sqrt{|\Delta_q|}/2$. Let $k_q$ be the bit length of $|\Delta_q|$ and $m$ the (hash value of a) message of length $n$ (typically $n = 128$ and $k_q = 1024$). We set $x$ to be the concatenation of $m$ and a sequence of $k_q/2 - 3 - n$ zeroes, i.e. $x = m \,\|\, 0^{k_q/2-3-n}$. We determine the smallest prime $l$ greater than $x$ which fulfills $(\Delta_q/l) = 1$.
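The following Python program is an added example (it is not code from the paper and not the authors' implementation) that runs the whole chain on toy parameters: the reduced-ideal arithmetic of Section 3, the algorithms GoToMaxOrder and Inverse, the kernel decision the prover makes in step 3 of the protocol of Section 5, and the signature $\mathfrak{s} = \mathrm{Inverse}(\mathrm{GoToMaxOrder}(\mathfrak{m}))$ of step 2 together with the checks $N(\mathfrak{s}) < 2^{k+1}$ and $\mathfrak{m}\mathfrak{s}^{-1} \in \mathrm{Ker}(\varphi_q)$ from step 3 above. Assumptions: the primes $p = 167$, $q = 11$ and the message value 42 are constructed toy values, all function names are the example's own, class composition follows Shanks's algorithm as printed in Cohen's textbook (not on this page), and the embedding is simplified as noted in its docstring.

```python
# Added toy example, not the paper's code. An ideal of discriminant D is a reduced
# primitive ideal (a, b), i.e. the form (a, b, c) with c = (b^2 - D)/(4a).
# Constructed toy parameters; real ones are hundreds of bits. D1 and Q are the
# signer's secret; only DQ, K and a kernel generator would be public.
from math import isqrt

P, Q = 167, 11                      # toy primes: p ≡ 3 (mod 4), sqrt(p/3) < q
D1 = -P                             # fundamental discriminant Delta_1 = -p (secret)
DQ = D1 * Q * Q                     # public discriminant Delta_q = Delta_1 * q^2
K = isqrt(P // 3).bit_length()      # bit length of floor(sqrt(|Delta_1|/3))

def ext_gcd(a, b):
    """Return (g, u, v) with u*a + v*b = g = gcd(a, b); g > 0 when b > 0."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        t, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - t * u1
        v0, v1 = v1, v0 - t * v1
    return a, u0, v0

def normalize(a, b, D):
    """Bring b into (-a, a] and return the form (a, b, c) of discriminant D."""
    b %= 2 * a
    if b > a:
        b -= 2 * a
    return a, b, (b * b - D) // (4 * a)

def reduce_ideal(a, b, D):
    """Red_D(a, b): the unique reduced ideal (|b| <= a <= c, and b >= 0 if
    a == c or a == |b|) equivalent to the primitive ideal (a, b)."""
    a, b, c = normalize(a, b, D)
    while a > c or (a == c and b < 0):
        a, b, c = normalize(c, -b, D)
    return a, b

def compose(f1, f2, D):
    """Reduced product of two classes (Shanks composition, Cohen Alg. 5.4.7)."""
    (a1, b1), (a2, b2) = f1, f2
    if a1 > a2:
        a1, b1, a2, b2 = a2, b2, a1, b1
    c2 = (b2 * b2 - D) // (4 * a2)
    s, n = (b1 + b2) // 2, (b2 - b1) // 2
    d, y1, _ = ext_gcd(a2, a1)               # y1*a2 + v*a1 = d
    d1, x2, v = ext_gcd(s, d)                # x2*s + v*d = d1, so y2 = -v
    v1, v2 = a1 // d1, a2 // d1
    r = (-y1 * v * n - x2 * c2) % v1
    return reduce_ideal(v1 * v2, b2 + 2 * v2 * r, D)

def go_to_max_order(ideal):
    """phi_q: Cl(Delta_q) -> Cl(Delta_1), the paper's Algorithm GoToMaxOrder.
    It needs the secret conductor q, so only the signer can evaluate it."""
    a, b = ideal
    b_o = DQ % 2                             # parity of the discriminant
    g, mu, lam = ext_gcd(Q, a)               # 1 = mu*q + lam*a
    if g != 1:
        raise ValueError("ideal is not prime to the conductor")
    return reduce_ideal(a, (mu * b + lam * a * b_o) % (2 * a), D1)

def inverse_map(ideal):
    """phi_q^-1 on reduced ideals of Cl(Delta_1), the paper's Algorithm Inverse:
    a = A, b = B*q mod 2a. Already reduced, since A < sqrt(|Delta_q|)/2."""
    A, B = ideal
    return normalize(A, B * Q, DQ)[:2]

def in_kernel(ideal):
    """The prover's step-3 decision in the ZK protocol for L_ker: an ideal is in
    Ker(phi_q) iff phi_q maps it to the principal class (1, Delta_1 mod 2)."""
    return go_to_max_order(ideal) == (1, D1 % 2)

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def embed(x):
    """Simplified message embedding: the smallest odd prime l > x with (Delta_q/l) = 1
    and a root b of b^2 ≡ Delta_q (mod 4l) give the message ideal m = (l, b).
    Toy shortcuts: no zero padding of x, trial division and a brute-force root
    instead of RESSOL; x must be chosen so that 2^(K+1) < l < sqrt(|Delta_q|)/2."""
    l = x + 1
    while not (l % 2 and l != Q and is_prime(l)
               and pow(DQ % l, (l - 1) // 2, l) == 1):
        l += 1
    b = next(b for b in range(2 * l) if (b * b - DQ) % (4 * l) == 0)
    return normalize(l, b, DQ)[:2]

def sign(m):
    """Signature ideal s = Inverse(GoToMaxOrder(m)), the smallest-norm ideal
    kernel-equivalent to m (needs the secret q)."""
    return inverse_map(go_to_max_order(m))

def is_valid_signature(m, s):
    """What the confirmation protocol establishes: N(s) < 2^(k+1) and
    h = m * s^-1 lies in Ker(phi_q). The kernel test is the signer's part; the
    verifier only learns its outcome through the ZK protocol."""
    h = compose(m, (s[0], -s[1]), DQ)        # (a, -b) represents the inverse class
    return s[0] < 2 ** (K + 1) and in_kernel(h)
```

With these parameters embed(42) yields the message ideal (47, 35), sign() returns the signature ideal (6, 5), and is_valid_signature() accepts the pair because (47, 35)·(6, 5)^{-1} = (62, 25) is mapped by GoToMaxOrder to the principal class (1, 1), while the principal ideal (1, 1) offered as a signature for the same message is rejected.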
This can be done effectively using a few trials of primality tests and Jacobi symbol computations. With very high probability we will find such an $l$ with $l - x < 2^{k_q/2-3-n}$. Observe that by this embedding method every message is embedded uniquely, since the "message bits" will never be changed. Then we compute $b$ such that $\Delta_q \equiv b^2 \pmod{4l}$ with $-l < b \leq l$. This can also be done effectively using the RESSOL algorithm of Shanks [26]. Then $\mathfrak{a} = (l, b)$ is a reduced ideal with $N(\mathfrak{a}) \approx x \approx 2^{k_q/2-3} \approx \sqrt{|\Delta_q|/32}$, which is much larger than $\sqrt{|\Delta_1|/3}$.

The generation of $\mathfrak{p}$ works as follows: choose a number $\alpha \in \mathcal{O}_{\Delta_1}$ with norm less than $\sqrt{|\Delta_q|/4}$, compute the standard representation of the ideal $\alpha\mathcal{O}_{\Delta_1}$ and compute $\mathfrak{p} = \mathrm{Inverse}(\alpha\mathcal{O}_{\Delta_1})$. This is explained in [19]. Then $\mathfrak{p} \in \mathrm{Ker}(\varphi_q)$.

6.1 Discussion of the Scheme

One has to check that it makes no sense for a dishonest signer to publish a key which is not of the correct form. The parameter $\mathfrak{p}$ is used only in the disavowal protocol. Either the verifier can check it by means of a zero-knowledge protocol

or there might exist a trusted third party which checks the correctness of the key, and thus the correctness of $\mathfrak{p}$, before it certifies the public key and includes it in the corresponding directories. By the zero-knowledge property of the protocol for $L_{\ker}$, confirmation and disavowal protocol are zero-knowledge or at least honest-verifier zero-knowledge.

Next we discuss signature indistinguishability. Pseudo-signatures for some given message $m$ can be created by taking an ideal $\mathfrak{a}$ with $N(\mathfrak{a}) < 2^{k+1}$ and embedding $m$ as explained above. Then one takes $(\mathfrak{m}, \mathfrak{a})$ as the pseudo-signature. It seems to be intractable to distinguish these tuples from correct signatures, since the only method known consists in deciding whether $\mathfrak{h} = \mathfrak{m}\mathfrak{a}^{-1}$ is an element of the kernel or not (KDP). (But we cannot prove the problem of distinguishing correct signatures from incorrect ones in this case by reducing it to the general kernel decision problem: since the embedding ideals of the embedding algorithm are of a very special form, we cannot create correct signatures under the assumption that some given ideal $\mathfrak{h}$ is in the kernel. Taking a random $\mathfrak{a}$ with $N(\mathfrak{a}) < 2^{k+1}$ and computing $\mathfrak{m} = \mathfrak{h}\mathfrak{a}$ will, with high probability, not lead to an ideal of the correct form.) Using another embedding strategy, we can prove signature indistinguishability.

If one uses the honest-verifier variant of the protocol for $L_{\ker}$, at first sight it is not clear whether the transcripts of the protocol can be misused by a dishonest verifier to later convince a third party of the correctness of the signature. But this is not possible if the kernel decision problem is intractable. A transcript consists of a sequence of pairs of an ideal and the information whether this ideal is in the kernel or not. To be able to check whether a string is a correct transcript of the protocol, one must be able to decide whether a given ideal is in the kernel. Each verifier is able to create some pseudo-transcript by himself. If the verifier knows for the challenge ideals whether they are in the kernel or not, he can put the correct bit in the transcript even without interaction with the signer. If he does not know whether a challenge ideal is in the kernel, he can put a randomly chosen bit at this position. Neither the verifier himself nor some third person can distinguish such a pseudo-transcript from a correct one without being able to solve the kernel decision problem.

Finally, we have to analyze whether the signature scheme is unforgeable. If the non-fundamental discriminant $\Delta_q$ can be factored, then it is easy to forge signatures. In Appendix A.1 we discuss the sizes of the secret parameters $\Delta_1, q$ which prevent the success of known factoring algorithms. Because an element of $\mathrm{Ker}(\varphi_q)$ is public, we must take into account the KP assumption. The direct method to generate a forged signature is to solve the SKEP, which is currently a difficult problem. Hence the unforgeability of our proposed signature is based on two assumptions, the KP assumption and the SKEP assumption. The class group $\mathrm{Cl}(\Delta_q)$ has the homomorphic property, so it may be possible to generate an invalid pair $(\mathfrak{m}, \mathfrak{s})$ using one or several known pairs $(\mathfrak{m}_i, \mathfrak{s}_i)$. To prevent these homomorphic forgeries, we may use a one-way hash of the original

message $m$ before embedding it into the message ideal $\mathfrak{m}$.

7 Efficiency Considerations

The operations performed by the verifier take cubic bit complexity in the length of the public key. In applications the verifier's computations are done on a PC, and the signer's operations are performed by the microprocessor of a smart card with the help of a PC, where the operations on the smart card take quadratic bit complexity. The computations of the signer for the honest verifier take quadratic running time. Practical tests show good promise for very efficient implementations on smart cards.

References

[1] E. Bach, "Explicit bounds for primality testing and related problems", Mathematics of Computation 55 (1990), pp. 355-380.
[2] I. Biehl, J. Buchmann and T. Papanikolaou, "LiDIA - A library for computational number theory", The LiDIA Group, Universität des Saarlandes, Saarbrücken, Germany.
[3] I. Biehl and J. Buchmann, "An analysis of the reduction algorithms for binary quadratic forms", in P. Engel, H. Syta (eds.), "Voronoi's Impact on Modern Science", vol. I, Institute of Mathematics of National Academy of Sciences, Kyiv, Ukraine.
[4] J. Boyar, D. Chaum and I. Damgård, "Convertible undeniable signatures", Advances in Cryptology - CRYPTO '90, LNCS 537, (1991), pp.
[5] J. Buchmann and H. C. Williams, "A key-exchange system based on imaginary quadratic fields", Journal of Cryptology, 1, (1988), pp.
[6] J. Buchmann and H. C. Williams, "Quadratic fields and cryptography", London Math. Soc. Lecture Note Series 154, (1990), pp.
[7] J. Buchmann, S. Düllmann and H. C. Williams, "On the complexity and efficiency of a new key exchange system", Advances in Cryptology - EUROCRYPT '89, LNCS 434, (1990), pp.
[8] D. Chaum, "Zero-knowledge undeniable signatures", Advances in Cryptology - EUROCRYPT '90, LNCS 473, (1991), pp.
[9] D. Chaum and H. van Antwerpen, "Undeniable signatures", Advances in Cryptology - CRYPTO '89, LNCS 435, (1990), pp.

[10] J. Cowie, B. Dodson, R. Elkenbracht-Huizing, A. K. Lenstra, P. L. Montgomery and J. Zayer, "A world wide number field sieve factoring record: on to 512 bits," Advances in Cryptology - ASIACRYPT '96, LNCS 1163, (1996), pp.
[11] D. A. Cox, "Primes of the form x^2 + ny^2", John Wiley & Sons, New York, (1989).
[12] I. Damgård and T. Pedersen, "New convertible signature schemes", Advances in Cryptology - EUROCRYPT '96, LNCS 1070, (1996), pp.
[13] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, 22, (1976), pp.
[14] ECMNET Project.
[15] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithm in GF(p)," IEEE Transactions on Information Theory, 31, (1985), pp.
[16] R. Gennaro, H. Krawczyk and T. Rabin, "RSA-Based Undeniable Signatures", CRYPTO '97, (1997).
[17] S. Goldwasser, S. Micali and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems", STOC '85, (1985), pp.
[18] S. Goldwasser, S. Micali and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems", SIAM J. Computing 18, (1986), pp.
[19] D. Hühnlein, M. J. Jacobson, Jr., S. Paulus and T. Takagi, "A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption," Advances in Cryptology - EUROCRYPT '98, LNCS 1403, (1998), pp.
[20] J. L. Hafner and K. S. McCurley, "A rigorous subexponential algorithm for computation of class groups," J. Amer. Math. Soc., 2, (1989), pp.
[21] H. W. Lenstra, Jr., "Factoring integers with elliptic curves", Annals of Mathematics, 126, (1987), pp.
[22] H. W. Lenstra, Jr., "Fast and rigorous factorization under the generalized Riemann hypothesis", Tech. Report, University of Chicago (1987).
[23] A. K. Lenstra and H. W. Lenstra, Jr. (Eds.), "The development of the number field sieve", Lecture Notes in Mathematics, 1554, Springer, (1991).
[24] K. S. McCurley, "A key distribution system equivalent to factoring," Journal of Cryptology, 1, (1988), pp.
[25] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, "Handbook of applied cryptography", CRC Press, (1996).

[26] M. Naor and M. Yung, "Public key cryptosystems provably secure against chosen ciphertext attacks", Proceedings of STOC 22, (1990), pp.
[27] S. Paulus and T. Takagi, "A new public-key cryptosystem over quadratic orders with quadratic decryption time", submitted to Journal of Cryptology, (1998).
[28] R. Peralta and E. Okamoto, "Faster factoring of integers of a special form," IEICE Trans. Fundamentals, Vol. E79-A, No. 4, (1996), pp.
[29] J. Rompel, "One-way functions are necessary and sufficient for secure signatures", Proceedings of STOC 22, (1990), pp.
[30] R. Rivest, A. Shamir and L. M. Adleman, "A method for obtaining digital signatures and public key cryptosystems," Communications of the ACM, 21(2), (1978), pp.
[31] R. Rivest and R. D. Silverman, "Are 'strong' primes needed for RSA," The 1997 RSA Laboratories Seminar Series, Seminars Proceedings, (1997).
[32] R. J. Schoof, "Quadratic Fields and Factorization", in H. W. Lenstra, R. Tijdeman (eds.), "Computational Methods in Number Theory", Math. Centrum Tracts 155, Part II, Amsterdam, (1983), pp.
[33] D. Shanks, "On Gauss and composition I, II", in R. A. Mollin (ed.), "Proc. NATO ASI on Number Theory and Applications", Kluwer Academic Press, (1989), pp.

A Some Number Theoretic Problems

In this appendix we discuss the basic security of our undeniable signature scheme. Most of the intractable problems are strongly related to the corresponding public-key cryptosystem [27]. If the discriminant Δ_q can be factored, our proposed undeniable signature scheme is completely broken. At first, we consider the size of the secret parameters Δ_1 and q needed to prevent breaking the cryptosystem by factoring Δ_q. On the other hand, an attacker may somehow compute the image (a) in the maximal order O_{Δ_1} for some ideal a of O_{Δ_q}. We prove that computing the map a ↦ (a) is as intractable as factoring Δ_q. In our cryptosystem, we make an ideal p in Ker(φ_q) public. We argue that according to current knowledge the knowledge of such an ideal does not bring any advantage for factoring the discriminant.

A.1 The Size of the Secret Parameters Δ_1, Δ_q

We discuss the size of the secret parameters Δ_1 = −p and q which prevents attacks by the known factoring algorithms. Let L_N[s, c] = exp((c + o(1)) log^s(N) log log^{1−s}(N)).
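As an added worked example (not part of the paper), the following Python script evaluates the L-notation defined above for the two factoring methods this appendix compares: the number field sieve with parameters [1/3, (64/9)^{1/3}] on the whole discriminant, and the elliptic curve method with parameters [1/2, 2^{1/2}] on the smallest prime factor. The o(1) term is dropped, so the figures are relative orderings rather than absolute costs, and they are expressed as log2 of the work ("bits of work"). The record sizes of 431 bits (130-digit NFS factorization) and 159 bits (48-digit ECM factor) and the proposed 768-bit discriminant with 256-bit primes are the values discussed in this appendix; the two larger parameter sets in the demo loop are constructed for illustration only.

```python
import math

# Added worked example (not from the paper): evaluate
# L_N[s, c] = exp((c + o(1)) * ln(N)^s * (ln ln N)^(1-s))
# with the o(1) term dropped, for the two factoring methods the
# appendix compares. Results are log2 of the estimated work, so that
# parameter sizes can be compared directly as "bits of work".

LN2 = math.log(2)

def log2_L(n_bits: int, s: float, c: float) -> float:
    """log2 of L_N[s, c] for an N of n_bits bits, o(1) dropped."""
    ln_n = n_bits * LN2                      # ln N for an n_bits-bit number
    nats = c * ln_n ** s * math.log(ln_n) ** (1 - s)
    return nats / LN2

def nfs_bits(total_bits: int) -> float:
    """Number field sieve: L_|Δ_q|[1/3, (64/9)^(1/3)]; depends on the
    total size of the number being factored."""
    return log2_L(total_bits, 1 / 3, (64 / 9) ** (1 / 3))

def ecm_bits(prime_bits: int) -> float:
    """Elliptic curve method: L_r[1/2, 2^(1/2)]; depends only on the
    size of the prime factor r being sought, not on the whole number."""
    return log2_L(prime_bits, 1 / 2, math.sqrt(2))

def cheapest_attack(total_bits: int, smallest_prime_bits: int) -> tuple:
    """Return (method, bits_of_work) for the cheaper of NFS on the whole
    discriminant and ECM on its smallest prime factor. An attacker runs
    the cheaper one, so a parameter set is only as strong as this value."""
    nfs, ecm = nfs_bits(total_bits), ecm_bits(smallest_prime_bits)
    return ("ecm", ecm) if ecm < nfs else ("nfs", nfs)

def security_margin_bits(total_bits: int, smallest_prime_bits: int,
                         nfs_record_bits: int = 431,
                         ecm_record_bits: int = 159) -> float:
    """Bits of work the chosen parameters add on top of the factoring
    records cited in the appendix (431-bit NFS, 159-bit ECM factor).
    A negative value would mean a parameter is below a known record."""
    nfs_gain = nfs_bits(total_bits) - nfs_bits(nfs_record_bits)
    ecm_gain = ecm_bits(smallest_prime_bits) - ecm_bits(ecm_record_bits)
    return min(nfs_gain, ecm_gain)

if __name__ == "__main__":
    # (768, 256) is the paper's proposal; the other two pairs are constructed.
    for total, prime in ((768, 256), (1024, 341), (2048, 682)):
        method, work = cheapest_attack(total, prime)
        print(f"{total}-bit discriminant, {prime}-bit primes: "
              f"cheapest attack {method} ~ 2^{work:.1f}, "
              f"margin over records ~ {security_margin_bits(total, prime):.1f} bits")
```

Because the ECM estimate grows with the prime size alone, the script also makes visible which of the two bounds is the binding one for a given parameter choice, which is the check a practitioner wants before fixing sizes for p, q and Δ_q.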

The number field sieve [23] and the elliptic curve method [21] are the two different types of factoring algorithms which have to be taken care of; other factoring algorithms are more or less slower [25] [31]. The number field sieve is the fastest factoring algorithm, and its running time depends on the total bit length of the composite number |Δ_q|; it is of the order of L_{|Δ_q|}[1/3, (64/9)^{1/3}]. Currently, the fastest implementation of the number field sieve has factored a 130-digit (≈ 431-bit) RSA modulus [10]. If we choose Δ_q to be larger than 768 bits, the number field sieve becomes infeasible. On the other hand, the elliptic curve method depends on the size of the primes p or q, and its expected running time is L_r[1/2, 2^{1/2}], where r is p or q. The fastest implementation of the elliptic curve method has found a 48-digit (≈ 159-bit) prime factor [14]. If we choose p and q to be larger than 256 bits, the elliptic curve method becomes infeasible. Therefore, a 768-bit discriminant Δ_q with 256-bit p, q is secure for cryptographic purposes.

One might wonder whether there exists a special algorithm for factoring composite numbers with a squared prime factor. To our knowledge, the only algorithm for this problem is the one presented by Peralta and Okamoto [28]. They make the elliptic curve method faster by considering the distribution of the Jacobi symbol. For example, for finding a 40-digit (≈ 133-bit) prime factor, their algorithm is 25 times faster than the original elliptic curve method. This improvement is negligible and is not a real threat.

A.2 Security of

Only the one who knows the conductor q can compute the map φ_q, and with it the signature could be forged. The map φ_q is the composition of the map a ↦ (a) with reduction Red_{Δ_1} in the maximal order. If attackers somehow can compute the ideal (a) in the maximal order which is the image of an ideal a in Cl(Δ_q), then the signature ideal s may be generated. Here, we prove that the discriminant Δ_q can be factored using few iterations of any algorithm which computes the image (a).
Theorem 2 Assume that there exists an algorithm AL which computes, for a primitive ideal a = (a_1, a_2) ∈ I_{Δ_q}(q), a primitive ideal A = (A_1, A_2) ∈ I_{Δ_1}(q) such that A = (a), without knowing the conductor q. Using the algorithm AL as an oracle, the discriminant Δ_q = Δ_1 q^2 can be factored in random polynomial time.

This theorem means that nobody can "switch" the primitive ideal (a, b) to the maximal order without knowledge of the conductor q.

A.3 Knowledge of p

Let p be the public key, which is an element of Ker(φ_q). We argue that the knowledge of p does not substantially help to factor Δ_q using currently known fast algorithms. For simplicity, we assume that p is a generator of the group Ker(φ_q), so the order of p is q − (q/Δ_1). A non-trivial ambiguous ideal is an ideal f in Cl(Δ_q) such that f^2 ∼ 1 and f ≁ 1. If a non-trivial ambiguous ideal in the order O_{Δ_q} is known, we can factor the discriminant Δ_q [32]. For the discriminant Δ_q of our cryptosystem, there is only 1 non-trivial ambiguous ideal in Cl(Δ_q). Moreover, the non-trivial ambiguous ideals lie in the group Ker(φ_q), so the probability that p^r for a random r will be a non-trivial ambiguous ideal is negligible. It is unknown whether ideals in Ker(φ_q) other than the ambiguous ideals can be used for factoring the discriminant Δ_q. In our signature scheme, we publish the ideal p. A possible attack to find a non-trivial ambiguous ideal for a given p is to compute the order of p in the group Cl(Δ_q). The fastest algorithm to compute the order of p in the group Cl(Δ_q) is the Hafner-McCurley algorithm [20]. Its running time is the subexponential L_{|Δ_q|}[1/2, 2^{1/2}], which is much slower than factoring Δ_q. This shows that with the currently known algorithms, the knowledge of p does with high probability not help in factoring Δ_q.

B Practicability

In order to demonstrate the efficiency of our undeniable signature, we have implemented the function Inverse(GoToMaxOrder(m)) using the LiDIA library [2]. It should be emphasized here that our implementation was not optimized for cryptographic purposes; it is only intended to provide a comparison between the RSA cryptosystem and our new undeniable signature. The results are shown in Table 1. We also show the running time of the exponentiation a^r in the class group Cl(Δ_q), where a is an ideal and r is a random integer.
Bit length of the modulus                                 |         |         |         |
----------------------------------------------------------|---------|---------|---------|---------
RSA encryption                                            |    6 ms |   10 ms |   19 ms |   31 ms
RSA classical decryption                                  |  470 ms | 1032 ms | 3045 ms | 7006 ms
RSA decryption with CRT                                   |   89 ms |  187 ms |  520 ms | 1068 ms
Exponentiation in Cl(Δ_q) for p ≈ q ≈ n^{1/3}             |      ms | 7650 ms |      ms |      ms
Inverse(GoToMaxOrder(m)) for p ≈ q ≈ n^{1/3}              |    8 ms |   13 ms |   22 ms |   30 ms
Exponentiation in Cl(Δ_q) for p ≈ n^{1/4}                 |       - |      ms |      ms |      ms
Inverse(GoToMaxOrder(m)) for p ≈ n^{1/4}                  |       - |   12 ms |   22 ms |   32 ms

Table 1: Average timings for these functions compared to RSA over 100 randomly chosen pairs of primes of the specified size on a SPARC station 4 (110 MHz) using the LiDIA library. (Bit lengths in the header row and some entries did not survive extraction.)
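Returning to the homomorphic forgery noted at the end of Section 6: the following added example (not from the paper, and not the paper's class-group scheme) illustrates in Python why the message is hashed before it is embedded. Since the paper's signature map is a group homomorphism, two valid signatures multiply to a valid signature on the product of the messages. A textbook RSA signature has exactly this multiplicative property and is used here as a stand-in, so that the effect can be checked with plain integer arithmetic; the primes, exponent and messages are constructed for the illustration and are far too small for any real use. The hashed variant applies the same homomorphism to h(m) instead of m, after which the product of two signatures no longer verifies on the product message.

```python
import hashlib

# Added example (not from the paper): the homomorphy property of a
# signature map, and how hash-then-sign removes it. Textbook RSA is used
# as a stand-in for the paper's homomorphic class-group signature.
# All parameters below are constructed toy values.

P = 2147483647                 # 2^31 - 1, constructed toy prime
Q = 2305843009213693951        # 2^61 - 1, constructed toy prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gcd(E, (P-1)(Q-1)) = 1 for these primes

def sign_raw(m: int) -> int:
    """Homomorphic signing of the bare message: s = m^D mod N."""
    return pow(m, D, N)

def verify_raw(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N

def combine(s1: int, s2: int) -> int:
    """What the homomorphy gives away: the product of two signatures is a
    signature on the product of the two signed values."""
    return (s1 * s2) % N

def h(m: int) -> int:
    """One-way hash of the message, reduced into the signing domain."""
    digest = hashlib.sha256(m.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % N

def sign_hashed(m: int) -> int:
    """Hash-then-sign: the homomorphism is applied to h(m), not to m."""
    return pow(h(m), D, N)

def verify_hashed(m: int, s: int) -> bool:
    return pow(s, E, N) == h(m)

def homomorphic_forgery_works(m1: int, m2: int, hashed: bool) -> bool:
    """True if combining the signatures on m1 and m2 yields a signature
    that verifies on m1*m2 (mod N). With raw signing this holds by
    construction; with hashing it would require h(m1)*h(m2) == h(m1*m2),
    which a one-way hash does not satisfy except by negligible chance."""
    if hashed:
        s = combine(sign_hashed(m1), sign_hashed(m2))
        return verify_hashed((m1 * m2) % N, s)
    s = combine(sign_raw(m1), sign_raw(m2))
    return verify_raw((m1 * m2) % N, s)

if __name__ == "__main__":
    print("raw signing, product forgery verifies:   ",
          homomorphic_forgery_works(12345, 67890, hashed=False))
    print("hashed signing, product forgery verifies:",
          homomorphic_forgery_works(12345, 67890, hashed=True))
```

The check to carry over to the paper's setting is the same: whatever is multiplied in Cl(Δ_q) on the signer's side must be a hash image of the message, never the message embedding itself, otherwise known (m_i, s_i) pairs combine into pairs the signer never produced.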


More information

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /

More information

Shared Generation of Shared RSA Keys 1. Simon Blake-Wilson 3. Certicom Corp. Steven Galbraith.

Shared Generation of Shared RSA Keys 1. Simon Blake-Wilson 3. Certicom Corp. Steven Galbraith. Shared Generation of Shared RSA Keys 1 Simon Blackburn 2 Royal Holloway simonb@dcs.rhbnc.ac.uk Simon Blake-Wilson 3 Certicom Corp. sblakewi@certicom.com Steven Galbraith Royal Holloway stevenga@dcs.rhbnc.ac.uk

More information

A new conic curve digital signature scheme with message recovery and without one-way hash functions

A new conic curve digital signature scheme with message recovery and without one-way hash functions Annals of the University of Craiova, Mathematics and Computer Science Series Volume 40(2), 2013, Pages 148 153 ISSN: 1223-6934 A new conic curve digital signature scheme with message recovery and without

More information

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1 Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1

More information

On the Big Gap Between p and q in DSA

On the Big Gap Between p and q in DSA On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that

More information

10 Public Key Cryptography : RSA

10 Public Key Cryptography : RSA 10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if

More information

3-Move Undeniable Signature Scheme

3-Move Undeniable Signature Scheme 3-Move Undeniable Signature Scheme Kaoru Kurosawa 1 and Swee-Huay Heng 2 1 Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan kurosawa@cis.ibaraki.ac.jp 2 Multimedia University,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Practical Verifiable Encryption and Decryption of Discrete Logarithms Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:

More information

The Pohlig-Hellman Method Generalized for Group EDLYN TESKE. Department of Combinatorics and Optimization, University of Waterloo

The Pohlig-Hellman Method Generalized for Group EDLYN TESKE. Department of Combinatorics and Optimization, University of Waterloo J. Symbolic Computation (1999) 11, 1{14 The Pohlig-Hellman Method Generalized for Group Structure Computation EDLYN TESKE Department of Combinatorics and Optimization, University of Waterloo Waterloo,

More information

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation 1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational

More information

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,

More information

On the Security of Cryptosystems with Quadratic Decryption: The Nicest Cryptanalysis

On the Security of Cryptosystems with Quadratic Decryption: The Nicest Cryptanalysis On the Security of Cryptosystems with Quadratic Decryption: The Nicest Cryptanalysis Guilhem Castagnos 1 and Fabien Laguillaumie 1 PRISM - Université de Versailles St-Quentin-en-Yvelines 45, avenue des

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the

More information

Sharing DSS by the Chinese Remainder Theorem

Sharing DSS by the Chinese Remainder Theorem Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

Designated Conrmer Signatures Revisited

Designated Conrmer Signatures Revisited Designated Conrmer Signatures Revisited Douglas Wikström ETH Zürich, Department of Computer Science douglas@inf.ethz.ch 26th February 2007 Abstract Previous denitions of designated conrmer signatures in

More information

Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems

Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems Xiaofeng Chen, Fangguo Zhang, Haibo Tian, Baodian Wei, and Kwangjo Kim 1 School of Information Science and Technology,

More information

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL 1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica

More information

Design Validations for Discrete Logarithm Based Signature Schemes

Design Validations for Discrete Logarithm Based Signature Schemes Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

Interactive Zero-Knowledge with Restricted Random Oracles

Interactive Zero-Knowledge with Restricted Random Oracles Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18

More information

Asymmetric Encryption

Asymmetric Encryption -3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function

More information

Public Key Cryptography with a Group of Unknown Order

Public Key Cryptography with a Group of Unknown Order Public Key Cryptography with a Group of Unknown Order Richard P. Brent 1 Oxford University rpb@comlab.ox.ac.uk Programming Research Group Report PRG TR 02 00 5 June 2000 Abstract We present algorithms

More information

Theory of Computation Chapter 12: Cryptography

Theory of Computation Chapter 12: Cryptography Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption

More information

Algorithmic Number Theory and Public-key Cryptography

Algorithmic Number Theory and Public-key Cryptography Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented

More information

Journal of Cryptology

Journal of Cryptology J. Cryptology (1992) 5:29-39 Journal of Cryptology 9 1992 International Association for Cryptologic Research An Interactive Identification Scheme Based on Discrete Logarithms and Factoring I Ernest F.

More information

A message recovery signature scheme equivalent to DSA over elliptic curves

A message recovery signature scheme equivalent to DSA over elliptic curves A message recovery signature scheme equivalent to DSA over elliptic curves Atsuko Miyaji Multimedia Development Center Matsushita Electric Industrial Co., LTD. E-mail : miyaji@isl.mei.co.jp Abstract. The

More information