New public-key cryptosystems with fast decryption

ii iii Acknowledgements First of all, I would like to thank Prof. Johannes Buchmann for giving me the opportunity to join his research group, organizing the joint research between TUD and NTT, and promoting this doctor thesis as my supervisor. His suggestions and helpful support improve this work significantly. I would also like to thank Prof. Kouichi Sakurai for accepting the task of the second referee. He gives me several important comments for this doctor thesis. Finally I wish to thank my family and friends, especially my wife Julia, for all their encouragement and support, without which I would never have completed this work. page GoToMaxOrder algorithm Cl(∆ q) → Cl(∆ 1) 10 Inverse algorithm Cl(∆ 1) → Cl(∆ q) 11 Reduction reduction algorithm Red ∆ 18 PkQ Decryption decryption of the PkQ cryptosystem 31 Nk Decryption decryption of the Nk cryptosystem 36 Nk Rabin Decryption decryption of the Nk Rabin cryptosystem 42 ix x CONTENTS Chapter 1 Preface This thesis is about the construction, analysis and implementation of efficient public-key cryptosystems. The public-key cryptosystem which is used most frequently throughout the world is the RSA cryptosystem [RSA78] [PKCS]. As an alternative to the RSA cryptosystem, elliptic curve cryptosystems have been introduced [Kob87] [Mil86]. Here we are interested in constructing new public-key cryptosystems which are different from both the RSA cryptosystem and elliptic curve cryptosystems. The theoretical foundation for the construction of a public-key cryptosystem is the following statement: A public-key cryptosystem has an encryption function E and a decryption function D which are published for all persons. Each person has a public key e and the corresponding secret key d. When person B wishes to send a message m to person A, then B uses the public-key e A of A to encrypt m: c = E e A (m), E : a encryption function with e A. (1.1) Ciphertext c is sent to person B possibly through an open network. Then person A decrypts the ciphertext c using the secret key d A which only person A knows: m = D d A (c), D : a decryption function with d A. (1.2) Here we have the relationship m = D d A (E e A (m)). All persons can compute E e A (·) using the public key e A , but the only person who can execute D d A (·) is A. Using this mechanism, …