Imaginary quadratic orders with given prime factor of class number

نویسنده

  • Alexander Rostovtsev
چکیده

Abelian class group Cl(D) of imaginary quadratic order with odd squarefree discriminant D is used in public key cryptosystems, based on discrete logarithm problem in class group and in cryptosystems, based on isogenies of elliptic curves. Discrete logarithm problem in Cl(D) is hard if #Cl(D) is prime or has large prime divisor. But no algorithms for generating such D are known. We propose probabilistic algorithm that gives discriminant of imaginary quadratic order with subgroup of given prime order l. Algorithm is based on properties of Hilbert class field polynomial HD for elliptic curve ( ) l p E  over field of p l elements. Let trace of Frobenius endomorphism is T, discriminant of Frobenius endomorphism D = T 2 − 4p and ( ( )) l p p j E ∉   . Then deg(HD) = #Cl(OD) and #Cl(D) ≡ 0 (mod l). If Diophantine equation D = T 2 − 4p with variables 4 ( | |) l O D < , prime p and T has solution only for l = 1, then class number is prime. 1. Class group of imaginary quadratic order Let a, b, c ∈  and Q = (a, b, c) = {ax + bxy + cy} — integral quadratic form of discriminant D = b − 4ac. Form Q is positive definite if D < 0 and a > 0. If variables x, y run through , Q runs through subset of . Equivalent forms have equal sets of values (possibly permuted). It is sufficient to consider forms with (a, b, c) = 1, D is not perfect square and a > 1. If Q is positive definite form, then Q(x, y) ≥ 0 and Q = 0 if and only if x = 0 and y = 0. All considered forms are positive definite. Equivalent forms have the same discriminant. Equivalence partitions set of forms with given discriminant into finite set of classes. For given D pair (a, b) completely defines the quadratic form: 2

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

New quadratic polynomials with high densities of prime values

Hardy and Littlewood’s Conjecture F implies that the asymptotic density of prime values of the polynomials fA(x) = x 2 + x + A, A ∈ Z, is related to the discriminant ∆ = 1 − 4A of fA(x) via a quantity C(∆). The larger C(∆) is, the higher the asymptotic density of prime values for any quadratic polynomial of discriminant ∆. A technique of Bach allows one to estimate C(∆) accurately for any ∆ < 0...

متن کامل

Indivisibility of class numbers of imaginary quadratic fields

We quantify a recent theorem of Wiles on class numbers of imaginary quadratic fields by proving an estimate for the number of negative fundamental discriminants down to −X whose class numbers are indivisible by a given prime and whose imaginary quadratic fields satisfy any given set of local conditions. This estimate matches the best results in the direction of the Cohen–Lenstra heuristics for ...

متن کامل

Subexponential Class Group Computation in Quadratic Orders (abstract)

In 1989, the first subexponential algorithm for computing the class group of an imaginary quadratic order was introduced by Hafner and McCurley. Their algorithm is based on an integer factorization algorithm due to Seysen, and is conditional on the truth of the Extended Riemann Hypothesis. Not long after, their result was generalized to arbitrary algebraic number fields by Buchmann. Efficient v...

متن کامل

On the Public Key Cryptosystems over Class Semigroups of Imaginary Quadratic Non-maximal Orders

In this paper we will propose the methods for finding the non-invertible ideals corresponding to non-primitive quadratic forms and clarify the structures of class semigroups of imaginary quadratic orders which were given by Zanardo and Zannier [8], and we will give a general algorithm for calculating power of ideals/classes via the Dirichlet composition of quadratic forms which is applicable to...

متن کامل

Rabin and RSA analogues based on non-maximal imaginary quadratic orders

In and there are proposed ElGamal type cryptosys tems based on non maximal imaginary quadratic orders with fast trap door decryption The trapdoor information is the factorization of the non fundamental discriminant q q We will extend the ideas given there to set up Rabin and RSA analogues based on non maximal imagi nary quadratic orders To implement the Rabin analogue we will introduce a new al...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:
  • IACR Cryptology ePrint Archive

دوره 2008  شماره 

صفحات  -

تاریخ انتشار 2008