On the Security of Cryptosystems with Quadratic Decryption: The Nicest Cryptanalysis

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5479)


We describe the first polynomial time chosen-plaintext total break of the NICE family of cryptosystems based on ideal arithmetic in imaginary quadratic orders, introduced in the late 90’s by Hartmann, Paulus and Takagi [HPT99]. The singular interest of these encryption schemes is their natural quadratic decryption time procedure that consists essentially in applying Euclid’s algorithm. The only current specific cryptanalysis of these schemes is Jaulmes and Joux’s chosen-ciphertext attack to recover the secret key [JJ00]. Originally, Hartmann et al. claimed that the security against a total break attack relies only on the difficulty of factoring the public discriminant \(\Delta_q=-pq^2\), although the public key was also composed of a specific element of the class group of the order of discriminant Δ q , which is crucial to reach the quadratic decryption complexity. In this article, we propose a drastic cryptanalysis which factors Δ q (and hence recovers the secret key), only given this element, in cubic time in the security parameter. As a result, performing our cryptanalysis on a cryptographic example takes less than a second on a standard PC.


Polynomial time total break quadratic decryption NICE cryptosystems imaginary quadratic field-based cryptography 


  1. [BPT04]
    Biehl, I., Paulus, S., Takagi, T.: Efficient Undeniable Signature Schemes based on Ideal Arithmetic in Quadratic Orders. Des. Codes Cryptography 31(2), 99–123 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  2. [BDH99]
    Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring N = p r q for large r. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 326–337. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. [BST02]
    Buchmann, J., Sakurai, K., Takagi, T.: An IND-CCA2 Public-Key Cryptosystem with Fast Decryption. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 51–71. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. [BW88]
    Buchmann, J., Williams, H.C.: A Key-Exchange System based on Imaginary Quadratic Fields. J. Cryptology 1, 107–118 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  5. [BTW95]
    Buchmann, J., Thiel, C., Williams, H.C.: Short Representation of Quadratic Integers. In: Proc. of CANT 1992, Math. Appl., vol. 325, pp. 159–185. Kluwer Academic Press, Dordrecht (1995)Google Scholar
  6. [CNP99]
    Coron, J.-S., Naccache, D., Paillier, P.: Accelerating Okamoto-Uchiyama public-key cryptosystem. Electronics Letters 35(4), 291–292 (1999)CrossRefGoogle Scholar
  7. [Coh00]
    Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (2000)Google Scholar
  8. [Cox99]
    Cox, D.A.: Primes of the form x 2 + ny 2. John Wiley & Sons, Chichester (1999)Google Scholar
  9. [HM89]
    Hafner, J.L., McCurley, K.S.: A Rigorous Subexponential Algorithm for Computation of Class Group. J. Amer. Math. Soc. 2(4), 837–850 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  10. [HPT99]
    Hartmann, M., Paulus, S., Takagi, T.: NICE - New Ideal Coset Encryption. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 328–339. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  11. [Huh00]
    Hühnlein, D.: Efficient Implementation of Cryptosystems Based on Non-maximal Imaginary Quadratic Orders. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 147–167. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  12. [Huh01]
    Hühnlein, D.: Faster Generation of NICE-Schnorr-Type Signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 1–12. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. [HJPT98]
    Hühnlein, D., Jacobson Jr., M.J., Paulus, S., Takagi, T.: A Cryptosystem Based on Non-maximal Imaginary Quadratic Orders with Fast Decryption. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 294–307. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  14. [HJW03]
    Hühnlein, D., Jacobson Jr., M., Weber, D.: Towards Practical Non Interactive Public-Key Cryptosystems Using Non-Maximal Imaginary Quadratic Orders. Des. Codes Cryptography 30(3), 281–299 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  15. [HM00]
    Hühnlein, D., Merkle, J.: An Efficient NICE-Schnorr-Type Signature Scheme. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 14–27. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  16. [HMT99]
    Hühnlein, D., Meyer, A., Takagi, T.: Rabin and RSA Analogues Based on Non-maximal Imaginary Quadratic Orders. In: Proc. of ICISC 1998, pp. 221–240 (1999)Google Scholar
  17. [JSW08]
    Jacobson Jr., M.J., Scheidler, R., Weimer, D.: An Adaptation of the NICE Cryptosystem to Real Quadratic Orders. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 191–208. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. [JJ00]
    Jaulmes, É., Joux, A.: A NICE cryptanalysis. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 382–391. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  19. [LL93]
    Lenstra, A.K., Lenstra Jr., H.W. (eds.): AMCP 1998. LNM, vol. 1554, p. 131. Springer, Heidelberg (1993)zbMATHGoogle Scholar
  20. [Len87]
    Lenstra Jr., H.W.: Factoring integers with elliptic curves. Annals of Mathematics 126(2), 649–673 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  21. [McC89]
    McCurley, K.S.: Cryptographic Key Distribution and Computation in Class Groups. In: Proc. of NATO ASI on Number Theory and Applications, pp. 459–479. Kluwer Academic Press, Dordrecht (1989)Google Scholar
  22. [OP01]
    Okamoto, T., Pointcheval, D.: REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–175. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  23. [Pai99]
    Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  24. [Poi00]
    Pointcheval, D.: Chosen-Ciphertext Security for Any One-Way Cryptosystem. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 129–146. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  25. [Poi05]
    Pointcheval, D.: Provable Security for Public Key Schemes. In: Advanced Courses CRM Barcelona, Advanced Course on Contemporary Cryptology, pp. 133–189. Birkhäuser Publishers, Basel (2005)Google Scholar
  26. [PT99]
    Paulus, S., Takagi, T.: A generalization of the Diffie-Hellman problem and related cryptosystems allowing fast decryption. In: Proc. of ICISC 1998, pp. 211–220 (1999)Google Scholar
  27. [PT00]
    Paulus, S., Takagi, T.: A New Public-Key Cryptosystem over a Quadratic Order with Quadratic Decryption Time. J. Cryptology 13(2), 263–272 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  28. [Sch82]
    Schoof, R.: Quadratic fields and factorization. Computational Methods in Number Theory, MC-Tracts 154/155, 235–286 (1982)Google Scholar
  29. [Sch00]
    Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar
  30. [VV07]
    Vallée, B., Vera, A.: Lattice Reduction in Two Dimensions: Analyses under Realistic Probabilistic Models. In: Proc. of AofA 2007, DMTCS. AH, pp. 181–216 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  1. 1.PRISM - Université de Versailles St-Quentin-en-YvelinesVersailles CedexFrance
  2. 2.GREYC - Université de Caen-Basse Normandie Boulevard du Maréchal JuinCaen CedexFrance

Personalised recommendations