Rigorously Analyzed Algorithms for the Discrete Logarithm Problem in Quadratic Number Fields Vom Fachbereich Informatik der Technischen Universit¨at Darmstadt genehmigte Dissertation zur Erreichung des akademischen Grades Doctor rerum naturalium (Dr. rer. nat.) von Dipl.-Math. Ulrich Vollmer aus Berlin Referenten: Prof. Dr. Johannes Buchmann (TU Darmstadt) Prof.dr. Peter Stevenhagen (Universiteit Leiden, NL) Tag der Einreichung: 15. September 2003 Tag der mundlichen¨ Prufung:¨ 28. Oktober 2003 Darmstadt, 2003 Hochschulkennziffer: D 17 To my parents and To all who were denied an academic education by political arbitrariness Acknowledgements At this point I would like to take the opportunity to thank at least some of those people whose support enabled me to do the research which led to this thesis. First of all I would like to thank my thesis advisor, Prof. Dr. Johannes Buchmann, for proposing the topic, for his advice and support and the investment of time for discussions that provided ideas and impetus especially at the important initial phase of my thesis research. He has proved to be a wonderful guide into the world of academia. I would like to thank Prof.dr. Stevenhagen for evaluating and carefully reading this thesis on short notice, and the detailed comments for improve- ment he made. I would like to thank the Deutsche Forschungsgemeinschaft for financing the project on Number Field Cryptography and thereby providing the finan- cial support for our Number Field Cryptography group comprised of Safuat Hamdy, Andreas Meyer and myself. I would like to thank those mathematicians who introduced me to the richness and beauty of mathematics in general and number theory in par- ticular, among which I would like to mention in particular Prof. Dr. Klaus Haberland (FSU Jena), and Prof. Glenn Stevens, Ph.D. (BU, Boston). I would also like to thank the EPN, Quito, and especially Prof. Hallo for pro- viding me with the opportunity to develop and teach my first cryptography course. The interest of professors and students of this institution has done much to motivate me to cross from mathematics into computer science. I would like to thank my colleagues at the Theoretical Computer Science group in Darmstadt for the friendly, stimulating atmosphere they contribu- ted so much to, and in particular my long-time office-mate Safuat Hamdy. Last, but far from least I would like to thank my wife, Susan Stewart, for her never ceasing love, tolerance and support during the turbulent years during which we both completed our PhD while raising our wonderful daugh- ters Anita and Sylvia; and my parents who longed so much to see this work completed. Zusammenfassung Das Ziel der vorliegenden Arbeit besteht in der Analyse der Komplexit¨at des Diskreten-Logarithmus-Problems (DLP) und verwandter Probleme in quadratischen Ordnungen. Die Bedeutung dieser Probleme entspringt in erster Linie ihrer Anwen- dung fur¨ die Quadratische-Zahlk¨orper-Kryptographie (QNFC). QNFC wur- de von Buchmann und Williams [BW88], [BW90] vorgeschlagen und be- ruht auf der Annahme, daß das DLP in quadratischen Ordnungen schwer zu l¨osen ist. Wenn wir die Frage beantworten wollen, ob und ab welcher Schlusselgr¨ ¨oße QNFC sicher ist, mussen¨ wir die Komplexit¨at des DLP stu- dieren. Diese Promotionsarbeit verfolgt einen rigorosen theoretischen Ansatz. Im Falle der probabilistischen Algorithmen legt die Analyse die wohlfundierte und weithin akzeptierte Verallgemeinerte Riemannsche Hypothese zugrunde. Ausgangspunkt fur¨ die vorgestellten deterministischen Algorithmen wa- ren die Arbeiten von Shanks [Sha71], [Sha72] und die Abwandlung der Shanksschen Idee fur¨ allgemeine Gruppen durch Terr [Ter00]. Die Analy- se der Laufzeit ist detailliert und weist neben der dominierenden Wurzel des Regulators die geringstm¨ogliche Potenz aus, mit welcher der Logarithmus der Diskriminante in die Laufzeitschranke eingeht. Ausgangspunkt fur¨ die vorgestellten probabilistischen Algorithmen wa- ren die Arbeit von Hafner und McCurley [HM89] fur¨ negative Diskrimi- nanten und die Arbeit von Buchmann [Buc90] fur¨ positive. Der Kern des verfolgten Ansatzes liegt in der Beschr¨ankung der Berechnungen auf die essentiellen Daten (insbesondere partielle statt voller Relationengitter und beweisbar dunn¨ besetzte Basen) und dem Einsatz schnellerer Teilalgorith- men. Ein solcher Teilagorithmus ist ein neu entwickelter Algorithmus fur¨ die Berechnung der Hermite-Normalform (HNF) einer ganzzahligen Matrix in kubischer Zeit. In der Konsequenz erhalten wir die derzeit schnellsten deterministischen und probabilistischen Algorithmen fur¨ die untersuchten Probleme und eine obere Schranke fur¨ die Komplexit¨at des DLP. Abstract The purpose of this thesis is to study the complexity of the discrete logarithm problem (DLP) and related problems in quadratic orders. The significance of these problems stems in large part from their applica- tion in quadratic number field cryptography (QNFC). QNFC was proposed by Buchmann and Williams [BW88], [BW90], and relies on the fact that the DLP in quadratic orders is hard. The question whether QNFC is secure at all, and the choice of cryptographically secure key-sizes, if it is, requires the study of the difficulty of the DLP. This thesis takes a rigorous theoretical approach to this question. In the case of the probabilistic algorithms the analysis relies on the well-established Generalized Riemann Hypothesis (GRH). Starting point for the proposed deterministic algorithms were the works of Shanks [Sha71], [Sha72] and the variant of Shanks’ idea for general groups suggested by Terr [Ter00]. We give a detailed analysis of the run-time of our algorithms and indicate apart from the square root of the regulator at which (minimzed) power the logarithm of the discriminant enters the run-time bound. Starting point for the proposed probabilistic algorithms were the work of Hafner and McCurley [HM89] for negative discriminants and of Buchmann [Buc90] for positive ones. The heart of the presented approach lies in the restriction of the computations to essential data (in particular partial instead of full relation lattice and sparse bases) and the use of fast sub-algorithms. One of these sub-algorithms is a newly developed algorithm for the com- putation of the Hermite Normal Form (HNF) of an integer matrix in cubic time. In summary we obtain the currently fastest deterministic and probabi- listic algorithms for the problems at hand, and gives a rigorous analysis of their properties. Thus we establish an upper bound for the complexity of the DLP. Inhaltsverzeichnis 1 Introduction 1 1.1 The problems ........................... 1 1.2 Application in Number Field Cryptography .......... 3 1.3 Prior work ............................. 4 1.4 Results ............................... 5 1.5 Complexity ............................ 6 2 Reduction 7 2.1 Ideals ............................... 7 2.2 Representation of field elements ................. 8 2.3 Reduction ............................. 10 2.4 Infrastructure ........................... 11 2.5 Auxiliary algorithms ....................... 14 2.6 Computing Log .......................... 15 3 Deterministic Algorithms 19 3.1 The baby-step giant-step strategy ................ 19 3.2 General discrete logarithm algorithm .............. 21 3.3 Baby-step giant-step ideal sequences .............. 22 3.4 Fundamental Unit ........................ 28 3.5 Discrete logarithm ........................ 32 3.5.1 PrincipalBSTable1 and BSteps1 .......... 35 3.5.2 PrincipalBSTable2 and BSteps2 .......... 35 3.5.3 GSWidth ........................ 38 3.5.4 GSteps .......................... 39 3.5.5 Analysis of TerrDL ................... 42 4 Probabilistic Algorithms 47 4.1 Abstract relation lattices ..................... 48 4.2 Relation lattices on class group generators ........... 51 4.3 Random relations ......................... 53 4.4 Smooth reduced ideals ...................... 54 4.5 Random ideal classes ....................... 57 i ii INHALTSVERZEICHNIS 4.6 Random ideals on a given cycle ................. 60 4.7 Potential relations ........................ 67 4.8 Generating full rank relation lattices .............. 68 4.9 Generating essentially full relation lattices ........... 71 4.10 Regulator computation ...................... 79 4.11 Checking correctness ....................... 86 4.12 Summary ............................. 87 5 Computing the HNF 93 List of Algorithms 2.1 Find reduced ideal closely on the right of a .......... 17 2.2 Find reduced ideal closely on the left of a ........... 17 2.3 Find reduced ideal immediately on the left of a ........ 17 2.4 Find reduced ideal immediately on the right of a ....... 18 2.5 Enumerate reduced ideals on the right of a .......... 18 2.6 Compute quadratic integer of given length ........... 18 3.1 General discrete logarithm algorithm .............. 21 3.2 Baby Step ............................. 29 3.3 Giant Step ............................ 29 3.4 Deterministic Computation of Fundamental Unit ....... 30 3.5 Baby steps on the principal cycle ................ 36 3.6 Baby steps starting at a ..................... 36 3.7 Baby step sequence construction (B) .............. 37 3.8 Determination of giant-step width ............... 38 3.9 Computing giant-step ideals (A) ................ 39 3.10 Computing giant-step ideals (B) ................ 40 3.11 Deterministic Discrete logarithm algorithm in I∆ ....... 43 4.1 Power product in the class group ................ 58 4.2 Power product with relative generator ............. 59 4.3 Random ideal