Imaginary quadratic orders with given prime factor of class number

Abelian class group Cl(D) of imaginary quadratic order with odd squarefree discriminant D is used in public key cryptosystems, based on discrete logarithm problem in class group and in cryptosystems, based on isogenies of elliptic curves. Discrete logarithm problem in Cl(D) is hard if #Cl(D) is prime or has large prime divisor. But no algorithms for generating such D are known. We propose probabilistic algorithm that gives discriminant of imaginary quadratic order with subgroup of given prime order l. Algorithm is based on properties of Hilbert class field polynomial HD for elliptic curve ( ) l p E  over field of p l elements. Let trace of Frobenius endomorphism is T, discriminant of Frobenius endomorphism D = T 2 − 4p and ( ( )) l p p j E ∉   . Then deg(HD) = #Cl(OD) and #Cl(D) ≡ 0 (mod l). If Diophantine equation D = T 2 − 4p with variables 4 ( | |) l O D < , prime p and T has solution only for l = 1, then class number is prime. 1. Class group of imaginary quadratic order Let a, b, c ∈  and Q = (a, b, c) = {ax + bxy + cy} — integral quadratic form of discriminant D = b − 4ac. Form Q is positive definite if D < 0 and a > 0. If variables x, y run through , Q runs through subset of . Equivalent forms have equal sets of values (possibly permuted). It is sufficient to consider forms with (a, b, c) = 1, D is not perfect square and a > 1. If Q is positive definite form, then Q(x, y) ≥ 0 and Q = 0 if and only if x = 0 and y = 0. All considered forms are positive definite. Equivalent forms have the same discriminant. Equivalence partitions set of forms with given discriminant into finite set of classes. For given D pair (a, b) completely defines the quadratic form: 2