An Efficient NICE-Schnorr-Type Signature Scheme

  • Detlef Hühnlein
  • Johannes Merkle
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1751)


Recently there was proposed a novel public key cryptosystem [17] based on non-maximal imaginary quadratic orders with quadratic decryption time. This scheme was later on called NICE for New Ideal Coset Encryption [6]. First implementations show that the decryption is as efficient as RSA-encryption with e=216+1. It was an open question whether it is possible to construct comparably efficient signature schemes based on non-maximal imaginary quadratic orders. The major drawbacks of the ElGamal-type [7] and RSA/Rabin-type signature schemes [8] proposed so far are the slow signature generation and the very inefficient system setup, which involves the computation of the class number h1) of the maximal order with a subexponential time algorithm. To avoid this tedious computation it was proposed to use totally non-maximal orders, where h1)=1, to set up DSA analogues. Very recently however it was shown in [10], that the discrete logarithm problem in this case can be reduced to finite fields and hence there seems to be no advantage in using DSA analogues based on totally non-maximal orders.

In this work we will introduce an efficient NICE-Schnorr-type signature scheme based on conventional non-maximal imaginary quadratic orders which solves both above problems. It gets its strength from the difficulty of factoring the discriminant Δp=-rp2, r,p prime. To avoid the computation of h1), our proposed signature scheme only operates in (a subgroup of) the kernel of the map φ\(^{\rm -1}_{Cl}\), which allows to switch from the class group of the non-maximal order to the maximal order. Note that a similar setup is used in NICE. For an efficient signature generation one may use the novel arithmetic [9] for elements of Ker(φ\(^{\rm -1}_{Cl}\)). While the signature generation using this arithmetic is already slightly faster than in the original scheme, we will show in this work that we can even do better by applying the Chinese Remainder Theorem for \((\mathcal{O}_{\Delta_1} / p \mathcal{O}_{\Delta_1})^*\). First implementations show that the signature generation of our scheme is more than twice as fast as in the original scheme in \(\mathbb{F}_p^*\), which makes it very attractive for practical applications.


  1. 1.
    Bellare, M., Rogaway, P.: Random Oracles are Practical: a Paradigm for Designing Efficient Protocols. In: Proceedings of the 1st ACM Conference on Computer and Communcations Security, Fairfax, Virginia, USA, pp. 62–73. ACM press, New York (1993)CrossRefGoogle Scholar
  2. 2.
    Borevich, Z.I., Shafarevich, I.R.: Number Theory. Academic Press, New York (1966)Google Scholar
  3. 3.
    Cohen, H.: A Course in Computational Algebraic Number Theory. In: CADE 1982, vol. 138, Springer, Berlin (1993)Google Scholar
  4. 4.
    Cox, D.A.: Primes of the form x2 + ny2. John Wiley & Sons, New York (1989)Google Scholar
  5. 5.
    Girault, M.: An identity based identification scheme based on discrete logarithms modulo a composite number. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991)Google Scholar
  6. 6.
    Hartmann, M., Paulus, S., Takagi, T.: NICE - New Ideal Coset Encryption. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, p. 328. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  7. 7.
    Hühnlein, D., Jacobson, M.J., Paulus, S., Takagi, T.: A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 294–307. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  8. 8.
    Hühnlein, D., Meyer, A., Takagi, T.: Rabin and RSA analogues based on nonmaximal imaginary quadratic orders. In: Proceedings of ICICS 1998, pp. 221–240 (1998) ISBN 89-85305-14-XGoogle Scholar
  9. 9.
    Hühnlein, D.: Efficient implementation of cryptosystems based on nonmaximal imaginary quadratic orders. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, p. 147. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  10. 10.
    Hühnlein, D., Takagi, T.: Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in finite fields. To appear in Proceedings of ASIACRYPT 1999. LNCS, Springer, Heidelberg (1999), preprint via Google Scholar
  11. 11.
    Hühnlein, D.: A survey of cryptosystems based on imaginary quadratic orders (1999) (forthcoming)Google Scholar
  12. 12.
    Jacobson Jr., M.J.: Subexponential Class Group Computation in Quadratic Orders, PhD thesis, TU Darmstadt (1999) (to appear)Google Scholar
  13. 13.
    LiDIA: A C++ library for algorithmic number theory, via,
  14. 14.
    Mao, W.: Cryptoanalysis in Prime Order Subgroups of ZZ∗n, contribution to IEEEP1363, manuscript via (1998),
  15. 15.
    National Institute of Standards and Technology (NIST): Digital Signature Standard (DSS). Federal Information Processing Standards Publication 186, FIPS-186, May 19 (1994)Google Scholar
  16. 16.
    Neukirch, J.: Algebraische Zahlentheorie. Springer, Berlin (1992)MATHGoogle Scholar
  17. 17.
    Paulus, S., Takagi, T.: A completely new public key cryptosystem with quadratic decryption time. Journal of Cryptology (1998) (to appear) preprint via,
  18. 18.
    Peralta, R., Okamoto, E.: Faster factoring of integers of a special form IEICE Trans. Fundamentals E-79-A(4), 489–493 (1996)Google Scholar
  19. 19.
    Pointcheval, D., Stern, J.: Security Proofs for Signature Schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)Google Scholar
  20. 20.
    Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Detlef Hühnlein
    • 1
  • Johannes Merkle
    • 1
  1. 1.secunet Security Networks AGEschbornGermany

Personalised recommendations