an order is an n-dimensional lattice in K: O=Za1+Za2+⋯+Zan where {a1,…,an} is a basis of K, the maximal order of K is OK and plays the role of integers (generalizes integers from Q to Q(α)) in Q(α).
O an order of K. IO the set of invertible fractional ideals of O, PO the set of fractional principal invertible ideals of O, then ClO=IO/PO. Outs the same class elements differing from a principal fractional ideal factor (α), α∈K. It’s a finite group by Minkowski bound
to each discriminant Δ is attached a finite abelian group, the ideal class group denoted Cl(Δ), the quotient of the group sof (invertible fractional) ideals of OΔ by the subgroup of principal ideals.
order of the class group is called the class number h(Δ)
of Imaginary Quadratic Fields
Imaginary quadratic fields are finite extensions of the field of the rationals, of degree 2 (vector space)
bit-size of the discriminant determines the hardness of the discret elog
h(Δ) is in general close to Δ so that one can compute its bit size using th analytic class number formula (McCurley 89) in polynomial time
h(Δ) can be computed from Δ in subexponential time L1/2(∣Δ∣)
no trusted setup needed contrary to RSA when the prime factorisation of the modulus of the RSA group needs to be unknown.
Dlog hard to compute in Cl(Δ) with complexity L1/2(∣Δ∣)
system of representatives of the classes with notion of reduced ideals, equivalence relation on froms from the action of SL2(Z)
form (a,b,c) corresponding to f(X,Y)=aX2+bXY+cY2 of discriminant Δ
ideals of the form aZ+2−b+ΔZ where a,b∈N, and smaller than Δ when the ideal is reduced, if not, one has with a bit of algebra that ∣b∣≤∣a∣≤Δ/3 and ∣c∣≤∣Δ∣ where Δ is the discriminant
explicit correspondence between ideals and forms (a,b,c)⟺aZ+2−b+ΔZ
form is reduced if −a<b≤a and a≤c or if a=c then b≥0