How (not) to hash into class groups of imaginary quadratic fields?

István András Seres∗1 , Péter Burcsi†1 , and Péter Kutas‡ 1,2

1
Eötvös Loránd University
2
University of Birmingham

January 9, 2024

Abstract
Class groups of imaginary quadratic fields (class groups for short) have seen a resurgence in cryptography
as transparent groups of unknown order. They are a prime candidate for being a trustless alternative to RSA
groups because class groups do not need a (distributed) trusted setup to sample a cryptographically secure
group of unknown order. Class groups have recently found many applications in verifiable secret sharing, secure
multiparty computation, transparent polynomial commitments, and perhaps most importantly, in time-based
cryptography, i.e., verifiable delay functions, (homomorphic) time-lock puzzles, timed commitments, etc.
However, there are various roadblocks to making class groups widespread in practical cryptographic deploy-
ments. We initiate the rigorous study of hashing into class groups. Specifically, we want to sample a uniformly
distributed group element in a class group such that nobody knows its discrete logarithm with respect to any
public parameter. We point out several flawed algorithms in numerous publicly available class group libraries.
We further illustrate the insecurity of these hash functions by showing concrete attacks against cryptographic
protocols, i.e., verifiable delay functions, if they were deployed with one of those broken hash-to-class group
functions. We propose two families of cryptographically secure hash functions into class groups. We implement
these constructions and evaluate their performance. We release our implementation as an open-source library.

1 Introduction
Sampling a uniformly random group element is a fundamental cryptographic primitive in numerous protocols. It is
applied in various algorithms to sample public parameters or map messages to group elements in encryption [BF01]
or signature schemes [BLS01]. In some groups of interest, such as Z∗p or Z∗N (for a prime p and a semiprime N with
unknown factorization) this is a simple task assuming a cryptographically secure hash function H : {0, 1}∗ → {0, 1}2λ
for some security parameter λ, see efficient constructions in [KL07]. For other cryptographically interesting groups,
such as elliptic curve groups, this is a non-trivial task that spurred a long line of research initiated mainly by
Icart [Ica09] and refined by Farashahi, Shparlinski, and Voloch [FSV09] and extended to pairing-friendly curves (and
is already being standardized [FHSS+ 23]) by Wahby and Boneh [WB19] among others [FFS+ 13, FT12, SBC+ 09].
Buchmann and Williams first proposed cryptography based on class groups of imaginary quadratic fields (class
groups for short) in 1988 [BW88]. Recently, class groups have seen a revived interest in the cryptographic community
as class groups offer a transparent instantiation for groups of unknown order. While it is cumbersome to establish
an RSA group Z∗N in a trust-minimized way, one either conducts a secure multi-party computation protocol among
many peers to create a semiprime without unknown factorization [BF97, HMR+ 19, CHI+ 21, BDF+ 23] or samples
a gigantic modulus that will be guaranteed to have large enough prime factors. On the other hand, class groups
allow one to sample a group of unknown order transparently, i.e., by choosing the discriminant ∆ = −p to be
a large enough prime, as there is no efficient algorithm to compute the order of Cl(∆). Class groups were used
to build numerous novel cryptographic protocols such as dynamic accumulators [Lip12], linearly homomorphic
encryption scheme [CL15], polynomial commitments [BFS20a, AGL+ 22, SB23] and a plethora of protocols in time-
based cryptography, for instance, verifiable delay functions [BBBF18, Pie19, Wes19], (homomorphic) time-lock
puzzles [RSW96, MT19], timed commitments [BN00, TCLM21], etc. Even though class groups are a promising
∗ [email protected].
† [email protected].
‡ [email protected].

1
candidate to instantiate cryptographic protocols, they are both less studied from a theoretical (lack of more rigorous
cryptanalysis [BKSW20]) and less developed from a practical (lack of more high-quality implementations [BCIL23]
and developer tooling) point of view.
In this paper, we aim to bring class groups closer to real-world cryptographic deployments by initiating the study
of cryptographically secure hash functions onto the elements of a class group of imaginary quadratic fields. To our
knowledge, this is the first time one has built this fundamental building block for class groups of imaginary quadratic
fields. The previous construction neither proves its security nor implements and evaluates its performance [Wes19].
Moreover, we improve and extend the aforementioned solution.

1.1 Applications of hashing into class groups

Hashing into reduced binary quadratic forms is essential in many cryptographic applications. We detail five protocols
that rely on a cryptographically secure hash-to-class-group function.

Verifiable delay functions [BBBF18] In a verifiable delay function (VDF) g : {0, 1}∗ → G for a group of
T
unknown order G [RSS20], one computes g(x) := H(x)2 for some time (or delay) parameter T , which is typically
35−45
T ≈2 , and hash function H(·) that maps into G [Pie19, Wes19]. As Wesolowski noted in [Wes19], applying a
hash function H(·) in the VDF g(·) is paramount. To see this, let us consider the variant of g(·), where there was
T
no application of H(·) on the input x. Then observe that the adversary by computing g(x) = x2 ∈ G could obtain
T
g(xα ) from g(x) with a single exponentiation, that is, g(xα ) = g(x)α , since x → x2 is a group homomorphism.
This contradicts the sequentiality requirement of VDFs, as we require that g(x) should take T sequential steps on
any input x as opposed to the O(log T ) step to compute a single exponentiation.
At the time of this writing, the only deployed class group VDF is run by the Chia network [CP19]. They obviate
the problem of hashing into a fixed class group by selecting a new class group Cl(∆) for each epoch by generating
a random prime discriminant ∆ such that ∆ ≡ 7 mod 8. For every freshly generated Cl(∆), they start the VDF
from the fixed form (2, 1, ∆+1
8 ) which is a canonical ideal of norm 2. Interestingly, the isogeny-based VDF over Fp
from [DFMPS19] is analogous to this construction in the following sense. Namely, computing powers of an ideal of
norm 2 translates to a chain of 2-isogenies on the elliptic curve side. In [DFMPS19], they need a trusted setup to
avoid certain shortcut attacks exactly because it is believed to be hard to hash onto the set of supersingular elliptic
curves over Fp (or even to the full supersingular isogeny graph in general, for that matter [BBD+ 22]).
Contrary to the approach of Chia, we anticipate that future deployments of class group VDFs in programmable
blockchains will likely use a fixed class group Cl(∆) for a transparently and carefully chosen ∆, i.e., such that it
does not contain backdoors [BKSW20]. The use of a fixed, standardized class group is also motivated by prospec-
tive applications such as distributed randomness beacons [CMB23], time-stamping services [LSS20], consensus
algorithms [Lon19], contract signing [BN00], or lotteries [GS98]. We envision that using a fixed class group in a
programmable blockchain will ease these future applications’ interoperability, programmability, and extendability.

Timed commitments from class groups [TCLM21] Thyagarajan et al. built an efficient CCA timed com-
mitment in class groups. One of the key ingredients of their construction relies on sampling a well-formed, uniformly
random public key pk ∈ G that is a class group element. Their construction faces numerous technical challenges due
to the lack of a secure hash function with the codomain of the applied class group G. With such a cryptographic
tool, their entire construction could be simplified and made more efficient.

Zero-knowledge proofs (of knowledge) in groups of unknown order [BBF19] Certain Σ-protocols in
generic groups of unknown order can achieve at most soundness 1/2 per challenge. This impossibility result was
overcome in [BBF19], achieving negligible soundness error using a short unstructured common-reference string
containing two fresh random generic group generators. In practice, one must sample these random group elements
via a cryptographically secure hash-to-class group function.

Transparent polynomial commitment schemes [BFS20b, AGL+ 22, SB23] Recently, several transparent
polynomial commitment schemes have been instantiated in class groups. These protocols often need an unstructured
common reference string of many uniformly random class group elements. These group elements could be generated
via a cryptographically secure hash-to-class group function.

The SPAR integer factoring algorithm [SL84] Finally, the integer factoring algorithm of Schnorr–Seysen–Lenstra
also relies on the ability to sample uniformly random class group elements in Cl(∆).

2
1.2 Desiderata for a hash function into class groups
We call a hash function to a class group cryptographically secure if the function HBQForm : {0, 1}∗ → G, maps to a
class group G, and satisfies the following four essential properties.
• Deterministic, efficient, and constant time. Evaluating the function HBQForm (·) should be efficient and
must take constant time on any input to avoid timing attacks. This is non-trivial already in the case of
hashing to elliptic curve functions [Ica09].
• Collision resistance. It should be hard for any efficient adversary (i.e., probabilistic polynomial time (PPT))
to find two messages m1 ̸= m2 such that HBQForm (m1 ) = HBQForm (m2 ).
• One-way function. For any image HBQForm (m) of the hash function, no PPT adversary should be able to
output the pre-image m with non-negligible probability 1/poly(λ).
• Uniformly distributed. The hash function’s HBQForm (·) codomain must be uniformly distributed in the
class group G, i.e., among all reduced binary quadratic forms with a given discriminant ∆. This requirement
eliminates many attempts implemented and used in various libraries implementing class group arithmetics.

Our contributions In this work, we make the following contributions.

Flawed hash functions. We review two hash functions onto class groups implemented in various open-source
libraries, e.g., SageMath. We demonstrate that both fall short of being an efficient and secure hash function
thanks to various vulnerabilities, e.g., the codomain of the hash function is nonuniform or highly skewed.
Furthermore, we show concrete attacks against cryptographic protocols, i.e., verifiable delay functions, if they
were deployed with one of these insecure hash-to-class group functions.
Provably secure hash constructions. We propose two families of secure and efficient hash functions with class
group codomains. The first construction family is inspired by the key generation algorithm of CSIDH [CLM+ 18].
Meanwhile, the second family of hash functions extends and improves the hash function of Wesolowski [Wes19].
We prove both of our constructions’ security by only relying on standard cryptographic assumptions, i.e., only
assuming cryptographically secure hash functions to {0, 1}λ .
Open-source implementation. We build efficient algorithms that hash securely into class groups of imaginary
quadratic fields. Additionally, we provide a publicly available implementation of our proposed hash functions
in Python3 at the following link: https://www.github.com/seresistvanandras/hashingToClassGroups.
The rest of this paper is organized as follows. In Section 2, we provide the necessary background on (reduced)
binary quadratic forms and class groups. In Section 3, we show several insecure but used methods to hash into class
groups. In Section 4, we provide algorithms that are cryptographically secure hash functions and their codomain
is a class group of imaginary quadratic fields. We detail our performance evaluation of the three proposed hash
functions in Section 5. Finally, our paper concludes with open research problems and future directions in Section 6.

2 Preliminaries
2.1 Notations and definitions
The security parameter is denoted as λ. We assume a cryptographically secure hash function H : {0, 1}∗ → {0, 1}2λ
of λ bits of security. Furthermore, we also assume a deterministic hash function HPrimes : {0, 1}∗ → Primes(λ) with
codomain of prime numbers with λ bitlength. Such a primitive was first discussed and built by Cachin P et al. in
the context of private information retrieval [CMS99]. The divisor function d(n) : N → N; d(n) := d|n 1 assigns
the number of divisors to n. Let factors(n) denote the multiset of the prime factors of n, i.e., with multiplicity.
$
Whenever we sample x from a set S uniformly at random, we write x ∈R S or sometimes x ← − S. U (c, d) denotes
the uniform probability distribution on the [c, d] interval. We denote by b = SqrtModP(a, p) the algorithm which
2 a
returns b (the smallest positive) such that b ≡ a mod p iff. = 1, otherwise it returns ⊥.
p
Most of the following definitions, lemmas, and theorems can be found in the excellent textbook of Buchmann
and Vollmer on binary quadratic forms [BV07]. We refer to a binary quadratic form f (x, y) = ax2 + bxy + cy 2
by the triple of its coefficients, i.e., f = (a, b, c). In this work, we solely work with integral quadratic forms, i.e.,
(a, b, c) ∈ Z3 .

3
Definition 1 (Discriminant of a form). The discriminant ∆ of a form f = (a, b, c) is the integer ∆ := b2 − 4ac.
We work with (the equivalence classes of) forms with the same discriminant ∆ in class group cryptography.
Hence, when representing a form, we can usually drop the last coefficient c and refer to a form as the pair (a, b)
since the fixed discriminant will be evident from the context. Note ∆ ≡ 0 mod 4 ∨ ∆ ≡ 1 mod 4, though in our
applications ∆ < 0 and
 prime. Sometimes
 we denote the discriminant of a form f as ∆(f ). The matrix of a form is
a b/2
defined as M (f ) := . Thus, the form f (x, y) can be rewritten as f (x, y) = (x, y)M (f )(x, y)T . We are
b/2 c
interested in the transformations of a form f by linear transformations
 
s t
U= ∈ Z2×2 , (1)
u v
such that det(U ) = 1, i.e., U ∈ SL(2, Z). We define U (x, y) := (sx + ty, ux + vy). Then (f U )(x, y) =
(det(U ))f (U (x, y)). We treat forms as equivalents that can be transformed into each other
 with
 linear trans-
1 1
formations. An important infinite subgroup of SL(2, Z) is generated by the matrix T := and we denote
0 1
the generated subgroup as    
s 1 s
Γ= T = :s∈Z . (2)
0 1
The cyclic group Γ acts on the set of positive definite forms. A small computation shows that the elements in the
Γ-orbit of f can be given by
f T s = (a, b + 2sa, f (s, 1)). (s ∈ Z) (3)

2.2 A primer on reduction theory and class groups

This paper focuses solely on forms with negative discriminant ∆, which are the most relevant to cryptography.
Moreover, we will only focus on positive definite binary quadratic forms as we define next.
Definition 2 (Positive definite forms). A form f is positive definite if ∀(x, y) ̸= (0, 0), (x, y) ∈ R2 : f (x, y) > 0.
It is easy to show that a form f = (a, b) is positive definite if and only if ∆(f ) < 0 ∧ a > 0.
Definition 3 (Normal binary quadratic form). A form f is said to be normal if −a < b ≤ a.
Definition 4 (Reduced binary quadratic form). We say that a positive definite form f = (a, b, c) is reduced if it is
normal, a ≤ c, and if b ≥ 0 for a = c.
Given a non-reduced form, we can obtain a reduced form by the repeated application of the following two
efficient operations.
Definition 5 (Normalization operation). The normalization operation on the form (a,b,c) is given by η(a, b, c) :=
(a, b + 2ra, ar2 + br + c), where r = ⌊ a−b
2a ⌋.
Definition 6 (Reduction operation). The reduction operation on the form (a, b, c) is defined as ρ(a, b, c) := (c, −b +
2sc, cs2 − bs + a), where s = ⌊ c+b
2c ⌋. It also outputs a 2 × 2 matrix T such that M (a, b, c)T = M (ρ(a, b, c)).
Unlike the normalization operation η, the reduction operation may need multiple iterations before reducing a
form. To reduce a form f , one computes f ← η(f ) then repeatedly compute f ← ρ(f ) until f is reduced. It can
be shown that the number of reduction stepsp performed by the reduction algorithm ρ(·) when applied to a positive
definite form f = (a, b, c) is at most ⌊log2 (a/ |∆|)⌋ + 2. q
It is easy to see that for a reduced binary quadratic form (a, b, c), we have that |b|≤ a ≤ |∆| 3 . This is because
we have then |∆|= 4ac − b2 ≥ 4a2 − a2 = 3a2 . A reduced form with a given discriminant ∆ is typically represented
as the pair (a, b), i.e., this representation has a size ≈ log2 (|∆|). Dobson, Galbraith, and Smith showed how to
compress a reduced form to a representation that only has 34 log2 (|∆|) bits [DGS20]. However, in this paper, we
denote reduced binary quadratic forms simply with their uncompressed representation, i.e., (a, b). Sometimes, we
explicitly spell out the full representation (a, b, c) of a (reduced) binary quadratic form. One can introduce an
Abelian group operation and create a group of unknown order from (the equivalence classes of) reduced binary
quadratic forms with a given discriminant ∆. This is the famous class group already known to Gauss in 1801. In
the rest of this paper, we use the notations Cl(∆) and G interchangeably to mean a class group of the imaginary
quadratic field with discriminant ∆. By a slight abuse of notation, we also denote the set of reduced binary quadratic
forms with discriminant ∆ by Cl(∆). Recall the class group Cl(∆) is isomorphic to the usual class group of fractional
ideals modulo principal ideals [BV07].

4
Complexity of computing |Cl(∆)| There is no known efficient polynomial-timepalgorithm to compute the order
of Cl(∆). Sutherland’s algorithm has exponential worst-case complexity, i.e., O( |Cl(∆)|/log log|Cl(∆)|) [Sut07].
However, Sutherland’s algorithm can exploit the structure of Cl(∆) and runs significantly faster when |Cl(∆)|
is smooth. The security implications of Sutherland’s algorithm in the context of class group cryptography are
extensively studied in [DGS20]. Currently, the fastest algorithm to compute the order of the class group Cl(∆)
runs in subexponential time that is L|∆| (1/2) and is due to Hafner and McCurley [HM89]. Moreover, Buchmann’s
algorithm can additionally compute the structure of Cl(∆). We refer the reader to Biasse et al. [BJJS10] for a
modern treatment of the security of class group cryptography. We mention the current computational record for
computing the order of a class group held by Beullens, Kleinjung, and Vercauteren, whereby the authors calculated
|Cl(∆)| using the Hafner-McCurley algorithm for a discriminant ∆ of 512-bits running in 52 core years [BKV19].
Definition 7 (Conductor). The conductor of a discriminant ∆ is the largest positive integer f such that ∆/f 2 is
a discriminant. We denote it by f (∆).
A fundamental discriminant has f (∆) = 1. In our applications, we solely consider (negative) prime discriminants;
hence, we only work with f (∆) = 1.
We denote the set of integral binary quadratic forms with a given discriminant and a coefficient as F(∆, a) :=
{(a, b, c)Γ : b, c ∈ Z, ∆(a, b, c) = ∆}. The number of such forms is denoted as R(∆, a) = |F(∆, a)|. Note the
forms in F(∆, a) are not necessarily reduced, though by definition they belong to different Γ-orbits. It can be
shown that the function R(∆, ·) is a multiplicative function, i.e., for coprime positive integers a1 , a2 we have
R(∆, a1 a2 ) = R(∆, a1 )R(∆, a2 ). Therefore, we need to establish the values of this function at prime powers pe .
Next, we recall this result in the following theorem whose proof can be found in [BV07].
Theorem 1 (R(∆, a) for a prime a = p and prime power a = pe .). Let p be a prime:
 
∆
• If a = p, then R(∆, p) = + 1.
p
• If a = pe , and e ≥ 1 then we have the following cases:
 
∆
– If = −1, then R(∆, pe ) = 0.
p
 
∆
– If = 0, e ≥ 2, p ∤ f (∆), then R(∆, pe ) = 0.
p
 
∆
– If = 1, then R(∆, pe ) = 2.
p
Theorem 2 (Establishing F(∆, p) for a prime p). If R(∆, p) ≥ 1, then we can compute the corresponding prime
forms (p, b, c) as follows.
• If p = 2, if ∆ is odd, then b = 1, else b = 2(∆/4 mod 2). Return: (p, b, (b2 − ∆)/(4p)).

• If p ≥ 3, then let b ← SqrtModP(∆, p). Return: (p, ±b, (b2 − ∆)/(4p)).

q 1. By multiplicativity of R(∆, ·) and by Theorem 1, R(∆, ·) is always a power of two when positive. Note if
Remark
a ≤ |∆| 2 2 |∆|
4 , then all the forms in R(∆, a) are reduced since necessarily |b|≤ a, cf. Theorem 2, because b ≤ a ≤ 4 .
q
Therefore, the resulting form’s c coefficient will be at least c ≥ |∆|4 , meaning that the form is reduced as a ≤ c
q q
|∆| |∆|
holds as well. In other words, if 4 ≤ a ≤ 3 , then it might be the case that not all forms are reduced in
F(∆, a). This phenomenon is clearly displayed in Figure 1a.
Theorem 3 (Dirichlet’s class number formula (1839)). When ∆ ≤ −5, Dirichlet’s class number formula asserts
that p
|∆|L(1, χ∆ )
|Cl(∆)|= . (4)
π
Remark 2. Typically L(1, χ∆ ) is in the interval [0.1, 10] [Sou07].

5
3 How not to hash into class groups of imaginary quadratic fields?
This section reviews cryptographically insecure hash functions developed and used in various open-source libraries,
e.g., the SageMath mathematical software library. We argue why these simple solutions do not meet our requirements
and should not be used in security-critical applications. We denote the insecure hash functions in the sequel as
h∗ (·).

3.1 Group elements with known discrete logarithm

In some applications, it is necessary to sample group elements whose discrete logarithm is unknown to any other
element from the set of public parameters. For instance, this is the case in the timed commitment application of
class groups as proposed by [TCLM21]. Additionally, for certain zero-knowledge proofs of knowledge in groups of
unknown order, if the adversary knows the discrete logarithm of the public parameters, they can break the soundness
of the proof system [BBF19]. Therefore, in these applications, such a simple hash function as h∗1 : {0, 1}∗ → G :
h∗1 (m) := g h(m) for a class group element g ∈ G and a cryptographically secure hash function h, is insecure.

3.2 Uniformly random b

A natural idea for choosing
q a random reduced quadratic form (a, b, c) ∈ Cl(∆) would be to first choose a uniformly
|∆|
random value b ∈ [0, 3 ] and specify a, c accordingly. Below, we investigate this approach by analyzing the
distribution of coefficient b of reduced forms in Cl(∆). A similar strategy is employed by the most popular class
group cryptography package on GitHub written in Rust1 . This strategy’s implicit assumption
q is that
q the distribution
of the reduced form’s b coefficient in Cl(∆) follows a discrete uniform distribution in [− |∆| 3 ,
|∆|
3 ]. As we show
in Theorem 4, this does not hold for random ∆: there is a bias in the distribution of b proportional to ≈ 21 log ∆−log b.
This indicates that this natural idea fails to sample a uniform class group element from Cl(∆), hence contradicting
our desiderata, cf. Section 1.2.

Definition 8 (The distribution of coefficient b in Cl(∆)). Let us denote by B∆ the discrete probability distribution
of the coefficient b of the reduced forms in Cl(∆), i.e.,

|{(a, c)|∃(a, c) : (a, b, c) ∈ Cl(∆)}|

Pr[B∆ = b] := . (5)
|Cl(∆)|

Note B∆ is a symmetrical distribution, i.e., ∀b ∈ Z : Pr[B∆ = b] = Pr[B∆ = −b] holds, since if (a, b, c) ∈ Cl(∆)
then (a, b, c)−1 = (a, −b, c) ∈ Cl(∆). For an illustrative example of the probability distribution B∆ , see Figure 1.
Analogously, we define the discrete probability distribution of the coefficient a as follows.
Definition 9. (The distribution of coefficient a in Cl(∆)) Let us denote by A∆ the discrete probability distribution
of the coefficient a of the reduced forms in Cl(∆), i.e.,

|{(b, c)|∃(b, c) : (a, b, c) ∈ Cl(∆)}|

Pr[A∆ = a] := . (6)
|Cl(∆)|

We p compare the probability distributions of A∆ and B∆ to the discrete uniform distribution on the interval
I = [0, |∆|/3] by applying Pearson’s χ2 statistic
p [Pea92]. Our null hypothesis is that A∆ and B∆ follow uniform
distributions on I. We divide I into ⌈log( |∆|/3)⌉ intervals and compute the corresponding χ2 statistics. Given
the extremely low p-values, we reject both hypotheses. For an illustrative example, see Table 1 for the chi-square
statistics, and see Figure 1 for the actual empirical probability distributions for a medium-sized 30-bit discriminant.
Next, we characterize the asymptotic behavior of B∆ , i.e., we describe the discrete probability distribution of
the coefficient b of reduced forms in Cl(∆) when the discriminant ∆ goes to infinity. For a medium-sized class
group, see our measurement in Figure 1. Note that if B  ∆ would
√
follow
 a uniform distribution, then we would have
∀b ∈ [− |∆|/3, |∆|/3] : Pr[B∆ = b] = |Cl(∆)| 3L(1,χ∆ )
p p
q
|∆|
≈ C∆ = 2π , where C∆ is a constant dependent solely on
2 3
the discriminant ∆, applying the Dirichlet class number formula, cf. Theorem 3.
We first give an estimate on the expected number of reduced forms where coefficient b is fixed, while the
discriminant ∆ is chosen uniformly from an interval.
1 See ZenGo-X Class group implementation: https://github.com/ZenGo-X/class.

6
 Coefficient a in Cl(−831, 370, 543)
a [0, l] [l, 2l] [2l, 3l] [3l, 4l] [4l, 5l] [5l, 6l] [6l, 7l] [7l, 8l] [8l, 9l] [9l, 10l]
Uniform 1202.9 1202.9 1202.9 1202.9 1202.9 1202.9 1202.9 1202.9 1202.9 1202.9
Empirical 1345 1350 1288 1330 1274 1372 1324 1322 1174 250
Coefficient b in Cl(−831, 370, 543)
b [0, l] [l, 2l] [2l, 3l] [3l, 4l] [4l, 5l] [5l, 6l] [6l, 7l] [7l, 8l] [8l, 9l] [9l, 10l]
Uniform 601.5 601.5 601.5 601.5 601.5 601.5 601.5 601.5 601.5 601.5
Empirical 2, 148 1, 100 816 655 452 343 252 144 72 33

Table 1: We compare the uniform distribution and the discrete probability distributions of the reduced forms’
coefficients a and b, i.e., A∆ and B∆ , pfor ∆ = −831, 370, 543, using Pearson’s χ2 test. We divided the |Cl(∆)|=
12, 029 class group elements into ⌈log( |∆|/3)⌉ = 10 intervals, i.e., l = 1665. In both cases, we observe extremely
large χ2 statistics, i.e., 861.73 and 6173.28 for coefficient a and b, respectively. The corresponding p-values are
1.08 · 10−179 and 0. Hence, we reject both null hypotheses. Since B∆ is a symmetrical distribution, we only show
here the positive part of the distribution. See also Figure 1 for a visualization of these discrete distributions.

Theorem 4 (Expected number of forms with given b). Let b be an arbitrary natural number and D > b2 . Choose
∆ uniformly from the interval [−2D, −D) with the condition that b2 ≡ ∆ (mod 4). Denote by Ab (∆) the number
of reduced forms in Cl(∆) with coefficient b. Then we have for the expected value of Ab (∆):
1
E∆ (Ab (∆)) = log D − log b + O(1), (7)
2
where the O(1) is independent of b and D.
2
−∆
Proof. Recall that Ab (∆) is equal to the number of integers a with b ≤ a ≤ c where c = b 4a ∈ Z. The inequality
q
b2 −∆ b2 −∆
a ≤ c is equivalent to a ≤ 4 . Thus, we have to count the divisors of 4 that are between b and the
square root. For an individual value of ∆, this is a hard computational task, but we can sum over all values of
2 2
b2 +2D
∆ ∈ [−2D, −D). We note that the values of b −∆ 4 are exactly the integers in the interval ( b +D
4 , 4 ]. We give
D b2 −∆ 3D
both lower and upper bounds, using the estimates 4 < 4 ≤ 4 .
X X X
C := Ab (∆) = 1 (8)
2 +D b2 +2D
√
∆∈[−2D,−D) x∈( b , 4 ] a|x,b≤a≤ x
4
2
b −∆
By changing the order of summations and using the lower bound D4 < 4 , we obtain:
X X
C ≥ C ′ := 1 (9)
√D b2 +D b2 +2D
b≤a≤ 4 k,x=ak∈( 4 , 4 ]

We can evaluate the inner sum by counting the multiples of a ∈ [b, D

4 ]:
√D
X4  b2 + 2D   b2 + D 
C′ = − (10)
4a 4a
a=b

√ the floor function ⌊(·)⌋ resulting in O(1) error in each term in the sum. Altogether, we have an error term
We omit
in O( D). Now, we can move the terms independent from a out and get:
√D
4
√
 2 2
X
b + 2D b + D 1
C′ = − + O( D) (11)
4 4 a
a=b
q
By approximating the harmonic sum using Euler-MacLaurin formula in [b, D 4 ], we have:
!
√
r
D D
C′ = log − log b + O(1) + O( D) (12)
4 4

7
 D
√
The O(1) error term is multiplied by 4, hence, it majorates the O( D) error term:
 
D 1
C′ = log D − log b + O(1) (13)
4 2
′
The upper bound derivation qis similar. One only needs to modify C in Equation (9) by letting the outer
summation in C ′ run from b to 3D
4 . The rest of the proof is identical.
C 1
Hence, the average value of Ab is E(Ab ) = D/4 = 2 log D − log b + O(1).

16 Reduced binary quadratic forms Reduced binary quadratic forms

14
12
10 101
Count

Count
8
6
4
2
100
0
0 2500 5000 7500 10000 12500 15000 15000 10000 5000 0 5000 10000 15000
Coefficient a of the binary quadratic forms with = -831370543 Coefficient b of the binary quadratic forms with = -831370543

(a) Coefficient a. (b) Coefficient b

Figure 1: Illustrating the distribution of the coefficient a and b of reduced binary quadratic forms in the class
group Cl(∆) with the medium-sized discriminant ∆ = −831, 370, 543. The distribution of coefficient a is partially
q
characterized in Theorem 1. Note the heights of the bars in the left figure are powers of two, except when |∆| 4 ≤
q
|∆|
a≤ 3 , i.e., towards the far right end of the figure, cf. Remark 1. We investigate the distribution of coefficient
b in Theorem 4 and in Remark 3. Note the left figure is lin-lin, while the right is log-lin. We enclose an example
distribution for coefficient c as well, cf. Figure 10.

Corollary 1. Since the expected value of the uniform distributions behaves differently than the expected value of
b established above, we conclude that sampling a uniformly random b (and choosing coefficient a accordingly) does
not yield a secure hash-to-class group function.
2
Remark 3. Heuristically, it is natural to assume that the number and the sizes of divisors of b −∆ 4 behave similarly
to the statement of Theorem 4 whenever we consider a fixed discriminant ∆ and let b chosen randomly from a
sufficiently long interval, i.e., the length of the interval is in O(|∆|ε ), where 0 < ε < 12 . We leave it to future work
to prove this heuristic statement precisely.
Conjecture 1 (Distribution of b for a fixed ∆). Let ∆ < 0 be a fixed discriminant. Then there exist c1 , c2 , ε > 0
such that for a randomly chosen b ∈ [B, 2B), with B ∈ O(|∆|ε ), the average number of forms for b is:

Eb∈[B,2B) (Ab (∆)) = c1 log|∆|−c2 log b + O(1). (14)

3.2.1 The discrete probability distribution of the coefficient c

Usually, the coefficient c is not part of the forms’ representations as most libraries represent forms simply as (a, b).
Consequently, we did not find any libraries that would have sampled a pseudorandom class group element by first
sampling its c coefficient. Nonetheless, it might be the case that future hash-to-class group functions will use this
direction. We leave this to future work. In Appendix A, we heuristically characterize the probability distribution of
the c coefficients of reduced forms in Cl(∆). Additionally, we provide the empirical distribution of the c coefficients
for a medium-sized discriminant, cf. Figure 10.

8
 How not to hash into class groups? vol. #3.
R
Public parameters: G ← GGen(λ), H : {0, 1}∗ → {0, 1}2λ a cryptographically secure hash function.
Public inputs: x ∈ {0, 1}∗ .

1. cnt = 0.
2. h ← H(x||cnt). Let (a, b) := (h[0 : λ], h[λ : 2λ]). //Note the form (a, b) is most likely a non-reduced
form.
3. If (a, b) ∈ Cl(∆) then: Return ρ(a, b).

• else cnt = cnt + 1, and goto 2.

Figure 2: This hash-to-class group function is implemented and used by the SageMath open-source mathematical
software system. The application of this hash function in certain cryptographic protocols, e.g., in verifiable delay
functions, makes the cryptosystem’s deployment completely insecure, cf. Section 3.4.

3.3 Random form and reduce

R
Another
q seemingly correct approach might be to sample uniformly random a binary quadratic form (a, b) ←
|∆| 2 2
[0, 3 ] or from some other simple interval [a, b] . This approach is implemented by the Sage Quadratic Forms
package2 . It is well documented 3 . The problem of these approaches is that the resulting reduced binary quadratic
forms, i.e., the class group elements, are not uniformly distributed in those intervals. In particular, as we show
next, this would result in a highly skewed non-uniform distribution of reduced binary quadratic forms. Therefore,
this approach is also completely insecure for cryptographic purposes, cf. Section 3.4. The next theorem formally
characterizes the probability distribution of class group elements output by the function above. For an empirical
measurement, see Figure 3a.
Theorem 5 (Distribution of random forms). Let h∗3 (·) : {0, 1}∗ → G denote the insecure hash function described
∗
above, cf. Figure 2.
p The output distribution of h3 (·) follows a power-law distribution in the class group G. More
formally, ∀a ∈ [1, |∆|/3] we have
 
∗ ′ ′ ′ ′ 1
Pr[h3 (s) = (a , b )|(a, b) ∈ Cl(∆) ∧ ρ(a , b ) = (a, b)] = Θ . (15)
s a

q Let f = (a, b) ∈ Cl(∆) be a reduced binary quadratic form, and we assume that f was sampled from
Proof.
[0, |∆| 2 s
3 ] . An easy calculation shows that the Γ-orbit of f contains forms f T = (a, b + 2sa, f (s, 1)) for s ∈ Z,
q
cf. Equation (3). We observe that the generated Γ-orbit’s cardinality in the considered interval [0, |∆| 2
3 ] is
n q o j q |∆| −b k q
Rf Γ := f T s |s ∈ Z ∧ f T s ∈ [0, |∆|
3 ]
2
= 3
2a . Denoting the set of all quadratic forms in [0, |∆| 2
3 ] with
Rf Γ
discriminant ∆ by A(∆), we get the desired |A(∆)| = Θ( a1 ) probability stated in Equation (15).

3.4 Breaking cryptographic protocols instantiated with flawed hash-to-class group

functions
Next, we show that certain cryptographic protocols become completely insecure when instantiated with one of the
insecure hash-to-class group functions described in this section. As an illustrative example, we consider a verifiable
delay function (VDF) protocol instantiated with the hash function described in Section 3.3. More formally, we
T
consider the VDF function g ∗ (x) : {0, 1}∗ → G; x → (h∗3 (x))2 ∈ G, where T is the delay parameter and h∗3 (·) is
the insecure hash function presented in Section 3.3. We show that an adversary who precomputes all the VDF
2 See SageMath random quadratic form function implementation: https://github.com/sagemath/sage/blob/develop/src/sage/

quadratic_forms/random_quadraticform.py.
3 See SageMath random quadratic form function documentation: https://doc.sagemath.org/html/en/reference/quadratic_forms/

sage/quadratic_forms/random_quadraticform.html.

9
 Equivalence Classes of
Binary Quadratic Forms (ax2 + bx + c) with = -5507
0
20
The distribution of reduced forms for the discriminant -831370543
20
104
15

Equivalence classes of forms

40
103

a
10
60
Count

102

80
5
101

0 20 40 60 80
b
100 101 102 103 104 0
Identifier of the reduced form

(a) The skewed power-law distribution ofp reduced binary

quadratic forms among all forms in [0, |∆|/3]2 for the (b)pThe distribution of equivalent binary quadratic forms in
medium-sized discriminant ∆ = −831, 370, 543. [0, |∆|/3]2 for a small-sized discriminant ∆ = −5, 507.
p
Figure 3: A family of insecure hash functions chooses uniformly random forms (a, b) from the square [0, |∆|/3]2
and subsequently reduces it. In these two figures, we analyze the distribution of the output of this hashing strategy
induced on the reduced forms, i.e., group elements in Cl(∆). The deployment of this broken hash function would
lead to attacks in certain cryptographic applications, e.g., verifiable delay functions, cf. Section 3.4.

T
values z 2 for ∀z : z = (a, b) ∈ Cl(∆) ∧ a ∈ [0, poly(λ)] will be able to compute the VDF output with non-negligible
probability in λ without computing T sequential squarings in G. In other words, a VDF adversary can exploit the
skewed power law distribution of the insecure hash function h∗3 (·) on the class group Cl(∆) by anticipating that the
hash output will likely produce forms (a, b) with small norms a ∈ [0, poly(λ)].
h∗
We say that a precomputing adversary Ag∗3 (λ) outputs 1 and breaks the VDF g ∗ (·) iff. h∗3 (s) = (a, b) such
that a ≤ poly(λ). Next, we compute the probability that the adversary breaks the (sequentiality of the) VDF. Let
B ∈ poly(λ).
RB 1
h∗ dx [ln x]B ln(B)
Pr[Ag∗ (λ) = 1] ≈ R √ 1 x
3
= √1 = p = log√|∆|/3 (B). (16)
|∆|/3 1
dx [ln x]
|∆|/3 ln( |∆|/3)
1 x 1
p 1/λ h∗
By choosing B := |∆|/3 , we ensure that Pr[Ag∗3 (λ) = 1] ≈ λ1 that is non-negligible in λ, while B ∈ poly(λ).
Let us consider the following concrete parameters. For λ = 85-bit security, we need a discriminant ∆ with 3400
p 1/λ
bits [DGS20]. Thus, if one chooses B := |∆|/3 ≈ 220 , then they need to precompute roughly B VDF evaluations
on binary quadratic forms (a, b) such that a ∈ B. This computation could be done in parallel time T using B
20
processors. The success probability of this preprocessing attack is roughly ≈ 1700 = 1.17%, i.e., non-negligible in
λ.

4 How to hash into class groups of imaginary quadratic fields?

In this section, we show how to hash securely and efficiently into class groups. Additionally, we prove the security
of our constructions, investigate their friendliness to zero-knowledge proofs, and secure multiparty computation
applications.

10
 How to hash into class groups? Construction. #1.
R
Public parameters: G ← GGen(λ), H : {0, 1}∗ → {0, 1}d a secure hash function. A precomputation outputs
{fi }di=1 ∈ Cl(∆)d forms with small prime norms, i.e., ∀i ∈ [1, d] : fi = (pi , bi ) ∈ Cl(∆) for some “small” prime
pi ∈ [2, O(log|∆|)].
Inputs: x ∈ {0, 1}∗ .
1. Let b := H(x) and bi be the ith bit of b.
d
fibi (∈ Cl(∆)).
Q
2. Return:
i=1

Figure 4: This hash function to class groups of imaginary quadratic fields is reminiscent of the key generation
algorithm of CSIDH [CLM+ 18]. The number of the generating ideals d to achieve 2−k statistical uniformity of the
codomain is precisely defined in Theorem 6.

4.1 Construction #1: Using a generating set of ideals à la CSIDH.

The idea of the following construction is reminiscent of the secret key generation algorithm of CSIDH [CLM+ 18].
In a pre-computation phase, we sample f1 , . . . , fd binary quadratic forms with small prime norms (the a coefficient
of the form is a small prime p ∈ O(log|∆|)) in Cl(∆)). Heuristically, these group elements are well-distributed and
approximately generate the whole group Cl(∆) if the number of generating ideals d is chosen properly [Dix08]. We
hash the input x with the hash function H(·) to obtain random bits b = (b1 , . . . , bd ) and output the approximately
d
fibi . Next, we prove the security of this hash construction.
Q
equidistributed group element
i=1

Theorem 6 (Construction #1. is secure). The hash function described in Section 4.1 is a cryptographically secure
hash function with the codomain of a class group Cl(∆) assuming a one-way function H(·) onto {0, 1}d whenever
d ≥ 2 log|Cl(∆)|+h + 2k yielding a 2−k -uniform distribution in Cl(∆) with probability at least 1 − 2−h .
Proof. We show that Construction #1. satisfies our desiderata. We will first handle the one-way and the collision
resistance properties together. The output of the function is an ideal whose prime factors lie in the set f1 , . . . , fd .
Thus, by simple trial division, one can factor this ideal and retrieve the output of the hash function H. Thus, if one
could find a collision or invert this function, that would imply that H is not cryptographically secure (i.e., one-way),
which is a contradiction.
Now we look at the uniform distribution property. Since the construction has the same image as the Naor-
Reingold type PRF from [BKW20, Theorem 23], the same theorem applies in this context as well. Similar con-
structions also appear in [MOT20] and [ADFMP20]. The group theoretic statement with regards to the codomain’s
statistical uniformity was proved in [Dix08, Theorem 3.].

4.2 Construction #2: Wesolowski’s construction.

A folklore approach was proposed by Wesolowski in the conference version’s appendix of [Wes19] and  implemented
∆
q
|∆|
by Pope 4 . The construction’s idea is to generate a uniformly random prime p ∈ [0, 4 ], and if = 1 (which
p
should happen on average with probability ≈ 1/2), we can choose from two
√ binary quadratic forms (p, b) and (p, −b),
where b is obtained by a modular square root computation, i.e., b := ( ∆ mod p).

Theorem 7 (Construction #2. is secure). The hash function in Figure 5 is a cryptographically secure hash function
with the codomain of a class group of imaginary quadratic fields assuming that a HPrimes (·) hash function with prime
number codomain exists.
Proof. We show that Construction #2. satisfies our desiderata. It is easy to see that all the desired properties (i.e.,
collision resistance, one-wayness, and uniform distribution of the codomain) can be reduced in a straightforward
manner to the corresponding property of the underlying hash function HPrimes (·).
4 See: https://github.com/GiacomoPope/ClassGroups/blob/main/classgroup.py.

11
 How to hash into class groups? Construction. #2.
R
Public parameters: G ← GGen(λ), HPrimes : {0, 1}∗ → Primes(λ) a cryptographically secure hash function.
Inputs: x ∈ {0, 1}∗ .

1. i = 0.
$
p
2. Compute p := HPrimes (x||i). // For the sake of uniform distribution p must be large, i.e., p ← [0, |∆|/4].
We also need to ensure the reducedness of the form.
√
 
∆
3. If = 1 then let b := ( ∆ mod p).
p
• else i = i + 1, and goto 2. //There is no prime form (p, ·) ∈ Cl(∆), cf. Theorem 1.
 
∆
4. Let s := (p ≡ 3). // If = 1, then there are two modular square roots: b and −b. We need to choose
p
one of them deterministically.
• If s == 0 ∨ s == 1: Return (p, b).
• elif s == 2: Return (p, −b).

Figure 5: Wesolowski’s original hash-to-class group construction had been implicitly introduced (though without
security proofs, implementation, and performance evaluation) in the conference version of [Wes19]. We extend and
improve this construction in Figure 6.

Remark 4. One small aspect of both constructions is that collisions can occur at places that are not collisions for
the utilized cryptographically secure hash function, as two different ideals can represent the same element in the
class group. However, these are usually pretty rare, and if a relatively small number of these collisions are found,
then there is a simple way of computing the order of the class group. Let I1 , . . . , In be a fixed set of prime ideals.
n
Iiki is principal clearly form a lattice (this is often called the
Q
Integer vectors of the form (k1 , . . . , kn ) for which
i=1
relation lattice). If one can find n linearly independent vectors in this lattice (thus a lattice basis), then one can
compute the determinant of the lattice in polynomial time, which is known to be equal to the class number. For
further details, the reader is referred to [BKV19].

4.2.1 Improving Wesolowski’s construction

We want to highlight two major rooms for improvement in the hash function’s original version as proposed in the
appendix of the conference version of [Wes19], cf. Figure 5.
• Inefficiency. Wesolowski’s construction is rather inefficient compared to the first proposed construction,
as we show empirically in Section 5.2. This is due to the costly primality checks in the second step of the
algorithm. Another computational bottleneck is the modular square root function calculation in the third
step, as it must be computed modulo a large prime p, cf. Section 5.1.
• Lack of surjectivity. Even though the codomain of this hash function is uniformly distributed in Cl(∆), it
might be desirable to produce not only prime forms as the output of a hash-to-class group function.

We can kill these two birds with one stone. The high-level idea of our improved version of Wesolowski’s
construction in Figure 6 is as follows. Instead of just generating prime forms (p, b) ∈ Cl(∆),
p for some large prime p,
we will allow the first step of the algorithm to sample any composite integer a ∈R [0, |∆|/3]. However, we need
to sample carefully the coefficient a, as we need its factorization as well to be able to compute the corresponding
coefficient
√ b. For computing the coefficient b, we must be able to compute modular square roots modulo a as
b = ∆ mod a, cf. Theorem 2. However, if one does not know the factorization of a, then this is a hard problem,
also known as the RSA assumption. In fact, for a semiprime N , the ability to compute modular square roots is
equivalent to factoring. Therefore, we need to sample a random coefficient a along with its factorization. Efficient
algorithms to generate a random factored number are available due to Bach [Bac88]. We recall that in our specific

12
 How to hash into class groups? Construction. #2. (Improved version)
R
Public parameters: G ← GGen(λ), HPrimes : {0, 1}∗ → Primes(λ) a cryptographically secure hash function.
Inputs: x ∈ Z, Cl(∆), N .
$
1. (a, P) ←− BachWithBias(N, ∆).// P = factors(a). See Figure 7.
√
2. Apply Chinese-Remainder Theorem to compute [B] := ( ∆ mod a). // We know the factors of a. Note
[B] is a list.
3. Let δ denote the number of prime factors of a. Note B has 2δ elements. Let b := B[a mod 2δ ]. Return:
(a, b). //We deterministically select one of the modular square roots using the previously generated
factored random a.

Figure 6: An improved version of Wesolowski’s hash function.

application, we need to generate these factored random numbers with a bias toward integers having multiple prime
factors. This is due to the theorem that characterizes the coefficient a in reduced forms, cf. Theorem 1. Therefore,
we slightly need to modify Bach’s algorithm, cf. Figure 7.

Generating factored random numbers [Bac88] with

prime factor multiplicity bias

Public parameters: ∆ discriminant, N0 ∈ Z+ small integer, y = 1, P = {∅} the multiset of prime factors.
BachWithBias(N, ∆):

1. If N ≤ N0 . Sample x ∈R (N/2, N ] with bias R(∆, a). Factor x. Return: (x, factors(x)).
2. While: True.
(a) q, P := genFactorWithBias(N,∆) // q = pα ∧ 2 ≤ q ≤ N .
(b) N ′ := N/q.
$
(c) (z, P ′ ) ←
−BachWithBias(N ′ , ∆).
(d) y := q · z, P := P ∪ P ′ . Sample µ ∈R U (0, 1).
(e) if gcd(q, z) = 1, then µ := µ/R(∆, q).
log N/2
(f) If µ ≤ log y then Return: (y, P).

Subroutine: genFactorWithBias(N,∆):
1. Sample an integer j ∈R [1, log2 (N )]. Let q := 2j + r, where the integer r is such that r ∈R [0, 2j ].

2. Sample ν ∈R U (0, 1).

 
∆
(a) If q is a prime power q = pα ∧ q ≤ N ∧ ν ≤ δN (q) · 2log2 (q) ∧ = 1 then Return: (q, factors(q)).
p
//We define δN (q) in Section 4.2.1.
(b) else goto 1.

Figure 7: A modified version of Bach’s factored random number generation algorithm [Bac88]. In our hash-to-class
k
group application, we need to sample factored random numbers proportional
  to 2 , where k is the number of their
∆
different prime factors. Moreover, any prime factor p must also satisfy = 1. Modifications are written in red.
p

We remark that in Step (2a) in Figure 7 of the genFactorWithBias(N, ∆) subroutine, one can efficiently decide

13
whether q is a prime power. Generating random numbers with the appropriate bias is achieved through the
adjustment in Step (2e) µ := µ/R(∆, q) which multiplies the overall bias of the returned x by R(∆, q) for each
prime power factor q, resulting in the correct bias by the multiplicative property of R(∆, ·), cf. Theorem 1. The
function δ (q) for a prime power q = pα is defined as log p · RF(N/2q,N/q) , where RF(K, L) is the number of
N log N N
integers x in the interval (K, L] counted with multiplicity R(∆, x). The proof that the generated random numbers
have the desired distribution is essentially identical to that of Theorem 1 in [Bac88]. For efficiency, RF(·, ·) should
be approximated for large N . Heuristically, a number a with k distinct prime factors has a 1/2k probability of
having positive bias R(∆, x), and then the bias is 2k (with slight adjustments when 2 is one of the prime factors).
Therefore, RF(K, L) is expected to be around L − K. Based on empirical observations, we recommend using the
approximation RF(K, L) ≈ c∆ · (L − K), where c∆ can be estimated by looking at values of L and K where an
exact computation of RF(K, L) is feasible.
Wesolowski’s extended hash-to-class group function is enclosed in Figure 6 along with its subroutine, our modified
Bach’s algorithm in Figure 7 that samples a uniform reduced binary quadratic form in Cl(∆). We evaluate its
improved performance in Section 5.2.

4.3 Zero-knowledge and secure Multiparty computation (MPC) friendliness

A recent line of research in symmetric-key primitives investigates the possibility of constructing hash functions,
pseudorandom functions that are efficient both in zero-knowledge proofs and multiparty computation (MPC) ap-
pliations [GRR+ 16], i.e., they have minimal multiplicative complexity [AGR+ 16]. The MiMC, Poseidon, and
Reinforced concrete hash functions [GKR+ 21, GKL+ 22] are notable constructions, among many others.
Our proposed hash functions do not have minimal multiplicative complexity. Hence, verifying the hash function
evaluation (i.e., proving that y = H(x) in zero knowledge for a secret witness x) in an arithmetic circuit will be
somewhat computationally intensive. However, we describe a few simple tricks that can make the implementation
of our hash-to-class group functions significantly more efficient in zkSNARK and MPC applications. A recurring
?
observation in designing circuit-friendly algorithms is to realize that for most functions, e.g., division (y = xa ), it
?
is significantly faster to verify the correctness of the function in the circuit (e.g., by checking that y · a = x) than
evaluating the function in the “forward” direction [KPS18]. We apply this insight in the class group context.

Reduction of binary quadratic forms. One can verify the computational integrity of the reduction of a form
f to ρ(f ), cf. Definition 6. Instead of directly computing the reduction function ρ(·) in the arithmetic circuit, the
prover can additionally supply the reduction matrix T , and the circuit would only verify a matrix multiplication,
?
i.e., M (f ) · T = M (ρ(f )), where M (·) is the matrix form of a binary quadratic form, cf. Section 2.1. Additionally,
the circuit must check that ρ(f ) = (a, b) is a reduced binary quadratic form, i.e., |b|≤ a, and that T ∈ SL(2, Z) by
confirming that det(T ) = 1. Analogously, one can verify efficiently that two forms f, g are equivalent without the
?
costly reductions in the circuit. Specifically, the prover needs to provide T ∈ SL(2, Z) such that M (f ) · T = M (g),
which can be verified efficiently inside the circuit.

Class Group operation. The class group operation is notoriously slow, e.g., compared to the elliptic curve group
operation. Our first proposed hash function evaluates O(log|∆|) class group operations. Directly computing these
class group operations is prohibitively expensive as each class group requires O(log|∆|) reduction steps. Thus, the
total number of reduction steps would be O(log2 |∆|) for a single hash evaluation, which is clearly costly. However,
instead of directly computing f1 · f2 ∈ G in the arithmetic circuit, one can more efficiently verify the correctness of
f1 · f2 = f3 for any f1 , f2 , f3 ∈ Cl(∆). Specifically, this could be achieved as follows. Let f1 = ax21 + bx1 y1 + cy12 and
f2 = αx22 +βx2 y2 +γy22 be the operands. Note, that we consider (x1 , y1 ) and (x2 , y2 ) as independent variables. Thus,
the goal of the prover is to prove the correctness of a polynomial multiplication over the integers such that f1 ·f2 = f3
for f3 = AX 2 + BXY + CY 2 , where X = jx1 x2 + kx1 y2 + ly1 x2 + my1 y2 and Y = rx1 x2 + sx1 y2 + ty1 x2 + uy1 y2 .
The prover sends A, B, C, X(= (j, k, l, m)), Y (= (r, s, t, u)) of f3 to the verifier. Afterwards, the verifier samples a
?
uniform r ∈R [0, 2λ ] and checks that f1 (r) · f2 (r) = f3 (r). One can make this proof system non-interactive using the
standard Fiat-Shamir transformation [FS86]. In the non-interactive version of this protocol, the verifier’s random
challenge r is obtained as r ← H(f1 , f2 , A, B, C, X, Y ) for some cryptographically secure hash function to {0, 1}2λ .
The soundness of the proof system is guaranteed by applying the Schwartz–Zippel lemma for polynomial identity
testing.

14
 ?
Squaring. In a similar manner, one can efficiently verify a squaring of a form f = (a, b, c) in Cl(∆), i.e., f · f = g.
The result f 2 should be f 2 = (a2 , b − 2aµ, µ2 − bµ−c
a ), where µ is the solution of the linear congruence bx ≡ c
mod a. One needs to prove in the circuit that for µ, it indeed holds bµ ≡ c mod a. Once µ is verified, f 2 can be
computed by the arithmetic circuit. Verifying µ is done efficiently if the prover additionally discloses l ∈ Z and the
circuit checks that bµ − c = la. Therefore, verifying one squaring operation requires four integer multiplications to
establish (a, b) inside the arithmetic circuit.

5 Implementation and Performance Evaluation

In this section, we report our open-source implementation and evaluate the performance of the cryptographically
secure hash function constructions described in Section 4.

5.1 Theoretical Performance Evaluation

Next, we evaluate the computational complexity of the suggested hash functions.

CSIDH hash (cf. Section 4.1). This function only computes compositions of reduced binary quadratic forms.
The fastest algorithm to compute the class group composition is NUCOMP [Sha89]. NUCOMP has a complexity
O(µ(n) · n) on n-bit discriminants, where µ(·) denotes the complexity of the applied integer multiplication
algorithm. Using an FFT-based multiplication algorithm NUCOMP and thus, this hash function achieves
the asymptotic complexity O(log2 |∆|log log|∆|). However, we expect concretely better performance from the
CSIDH hash than the Wesolowski hash, cf. Figure 8, even though they have the same asymptotic complexity.
Multiplying two small norm elements is significantly more efficient than multiplying two random elements.
Thus, a natural optimization is to apply a memory-runtime tradeoff, whereby one precomputes all 2k products
of small norm prime forms for a sliding window of length k ≈ 4 − 6. Afterward, these precomputed products
could be stored in a lookup table. In the online evaluation phase, the precomputed values are read from the
lookup table and multiplied together. Alternatively, one might consider not only binary exponents in Step
2 of Figure 4 but longer ones to shorten the necessary number of the generating ideals. We did not explore
these optimizations in our implementation, and we leave these promising optimization techniques for future
work.
Wesolowski hash (cf. Section 4.2). The two main computationally intensive parts of Wesolowski’s original
hash function are the hashing to prime parts and the Tonelli-Shanks algorithm for computing modular square
roots. The Miller-Rabin primality testing algorithm [Mil75] implemented with an FFT-based multiplication
algorithm has a complexity O(k log2 p log log p), where k is the number of rounds performed to achieve 2−2k
2
soundness error. The p Tonelli-Shanks algorithm has a O(log p) expected complexity. Since the randomly
sampled prime p ≈ |∆|, therefore the Wesolowski hash has an overall O(k log2 |∆|log log|∆|) asymptotic
complexity.

5.2 Empirical Performance Evaluation

We implemented all three proposed hash functions in Python3, and all our source codes are available in our open-
source library: https://www.github.com/seresistvanandras/hashingToClassGroups. We note that our proof
of concept code is highly unoptimized. Therefore, we suggest the reader to consider solely the ratios (when we
compare different hash functions) of the following running times and not their absolute values. We ran all our
evaluations on a consumer laptop, a MacBook Air (2017), running on a 1,8 GHz Dual-Core Intel Core i5 processor.
We note that our implementations are not constant time. We leave it to future work to make our implementations
constant time.

Our benchmarks. In our first benchmark, we randomly generated discriminants with bit sizes of 32 bits up to 128
bits to evaluate the hash functions. We hashed 1, 000 random messages for each randomly generated discriminant,
cf. Figure 9a. For all discriminants, we applied the Miller-Rabin primality testing [Mil75] in Wesolowski’s hash
function with 30 iterations corresponding to ≈ 2−60 soundness error, i.e., that we erroneously generate a composite
integer deemed prime. In our second benchmark, we evaluate our hash to class group functions for cryptographically
sized discriminants. Specifically, we randomly sampled discriminants of 256-bit length up to 4096-bit length with
a step size of 256 bits. For each discriminant, we hashed 100 random messages and reported the average running

15
 1e 5

10.0
8

1.0 6

time (sec)
time (sec)

4
0.1
2

0.0
0
256 512 768 1024 1280 1536 1792 2048 2304
256 512 768 1024 1280 1536 1792 2048 2304 bit length of the discriminant
bit length of the prime
(b) Time to calculate the class group operation in Cl(∆), with
(a) Time to sample a pseudoprime with the Miller-Rabin the discriminant ∆ of given bit size, i.e., from 256 bits to 2304
probabilistic primality testing method (k = 30 iteration). bits.

Figure 8: We compare the running times of generating a pseudoprime p (soundness error ≈ 2−60 ) and calculate the
class group operation in Cl(∆) for various cryptographically relevant parameters p and ∆. These two operations
are the main bottlenecks of our proposed hash-to-class group functions.

0.010
Wesolowski Hash 12 Wesolowski Hash
CSIDH Hash CSIDH Hash
Wesolowski Improved Hash Wesolowski Improved Hash
0.008 10

8
0.006
time (sec)
time (sec)

6
0.004
4

0.002 2

0.000 0
40 60 80 100 120 500 1000 1500 2000 2500 3000 3500 4000
log2 (| |) log2 (| |)

(a) Running time for small discriminants. (b) Running time for cryptographic parameters.

Figure 9: We evaluate the running time of our proposed hash functions to class groups. We average the running
time of 1000 hashing operations for both hash functions from 32 bits up to 128 bits discriminants (left). We average
the running time of 100 hashing operations for both hash functions up to 4096 bits discriminants (right).

time of these hash evaluations, cf. Figure 9b. Naturally, in the case of the CSIDH hash function, we did not count
the one-time preprocessing step’s running time. Specifically, in the preprocessing step, we generated 2 log|∆| small
prime-norm ideals satisfying the requirement of Theorem 6.
For small parameters, the Wesolowski hash is faster than the CSIDH hash, cf. Figure 9a. However, we observe
in the experimental running times for cryptographically secure parameters that Wesolowski’s hash-to-class group
function is significantly slower than the one inspired by [CLM+ 18]. We attribute this to the cost of primality testing
dominating the running times for larger discriminants. Nevertheless, in cryptographically relevant parameters, both
constructions are unbearably slow. In particular, in a class group with 4096-bit discriminant, the Wesolowski hash
would take ≈ 10 seconds on average. Interestingly, our improved version of Wesolowski’s hash function, cf. Figure 6,
outperforms both previous folklore hash functions for all cryptographically secure discriminants (1024 bits and
more), see Figure 9b. We leave it to future work as an exciting research direction to improve the efficiency of these

16
proposed hash functions that will be necessary for real-world cryptographic deployments.

6 Conclusion and Future Directions

In this work, we studied the problem of cryptographically securely hashing into class groups of imaginary quadratic
fields. We have shown that several widely used open-source libraries apply insecure hashing algorithms that might
affect the security of cryptographic protocols that use those libraries. Furthermore, we proposed three secure
hashing algorithms, proved their security, and extensively evaluated their performance on real-world parameters.
Despite our over-arching analysis, we leave several directions for future work open. On the practical side,
designing more performant and secure hash functions into class groups is an interesting open problem. We also left
a constant-time implementation of our proposed hash functions as future work. From a theoretical point of view,
it would be interesting to characterize in full generality the discrete probability distributions of the coefficients b or
c of reduced forms in Cl(∆). Such a piece of information could help design novel hash functions into class groups
of imaginary quadratic fields.

Acknowledgements. We thank Antonio Sanso for introducing us to the VDF deployment design of the Chia
network. We thank Michael Zhu for inspiring Section 4.3. This research was supported by the Ministry of Culture
and Innovation and the National Research, Development, and Innovation Office within the Quantum Information
National Laboratory of Hungary (Grant No. 2022-2.1.1-NL-2022-00004). Péter Kutas is supported by the János
Bolyai Research Scholarship of the Hungarian Academy of Sciences and by the UNKP-23-5 New National Excellence
Program. Péter Kutas is also partly supported by EPSRC through grant number EP/V011324/1.

References
[ADFMP20] Navid Alamati, Luca De Feo, Hart Montgomery, and Sikhar Patranabis. Cryptographic group actions
and applications. In Advances in Cryptology–ASIACRYPT 2020: 26th International Conference on
the Theory and Application of Cryptology and Information Security, Daejeon, South Korea, December
7–11, 2020, Proceedings, Part II 26, pages 411–439. Springer, 2020. [page 11.]
[AGL+ 22] Arasu Arun, Chaya Ganesh, Satya Lokam, Tushar Mopuri, and Sriram Sridhar. Dew: transparent
constant-sized zksnarks. Cryptology ePrint Archive, 2022. [pages 1 and 2.]
[AGR+ 16] Martin Albrecht, Lorenzo Grassi, Christian Rechberger, Arnab Roy, and Tyge Tiessen. Mimc: Effi-
cient encryption and cryptographic hashing with minimal multiplicative complexity. In International
Conference on the Theory and Application of Cryptology and Information Security, pages 191–219.
Springer, 2016. [page 14.]
[Bac88] Eric Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179–193,
1988. [pages 12, 13, and 14.]
[BBBF18] Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. Verifiable delay functions. In Hovav
Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part I, volume 10991 of LNCS, pages
757–788. Springer, Heidelberg, August 2018. [pages 1 and 2.]
[BBD+ 22] Jeremy Booher, Ross Bowden, Javad Doliskani, Tako Boris Fouotsa, Steven D Galbraith, Sabrina
Kunzweiler, Simon-Philipp Merz, Christophe Petit, Benjamin Smith, Katherine E Stange, et al. Failing
to hash into supersingular isogeny graphs. arXiv preprint arXiv:2205.00135, 2022. [page 2.]
[BBF19] Dan Boneh, Benedikt Bünz, and Ben Fisch. Batching techniques for accumulators with applications to
iops and stateless blockchains. In Advances in Cryptology–CRYPTO 2019: 39th Annual International
Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2019, Proceedings, Part I 39, pages
561–586. Springer, 2019. [pages 2 and 6.]
[BCIL23] Cyril Bouvier, Guilhem Castagnos, Laurent Imbert, and Fabien Laguillaumie. I want to ride my bicycl:
Bicycl implements cryptography in class groups. Journal of Cryptology, 36(3):17, 2023. [page 2.]
[BDF+ 23] Jakob Burkhardt, Ivan Damgård, Tore Kasper Frederiksen, Satrajit Ghosh, and Claudio Orlandi.
Improved distributed rsa key generation using the miller-rabin test. In Proceedings of the 2023 ACM
SIGSAC Conference on Computer and Communications Security, pages 2501–2515, 2023. [page 1.]

17
[BF97] Dan Boneh and Matthew Franklin. Efficient generation of shared rsa keys. In Advances in Cryp-
tology—CRYPTO’97: 17th Annual International Cryptology Conference Santa Barbara, California,
USA August 17–21, 1997 Proceedings 17, pages 425–439. Springer, 1997. [page 1.]
[BF01] Dan Boneh and Matt Franklin. Identity-based encryption from the weil pairing. In Annual interna-
tional cryptology conference, pages 213–229. Springer, 2001. [page 1.]

[BFS20a] Benedikt Bünz, Ben Fisch, and Alan Szepieniec. Transparent SNARKs from DARK compilers. In
Anne Canteaut and Yuval Ishai, editors, EUROCRYPT 2020, Part I, volume 12105 of LNCS, pages
677–706. Springer, Heidelberg, May 2020. [page 1.]
[BFS20b] Benedikt Bünz, Ben Fisch, and Alan Szepieniec. Transparent snarks from dark compilers. In Ad-
vances in Cryptology–EUROCRYPT 2020: 39th Annual International Conference on the Theory and
Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings, Part I 39,
pages 677–706. Springer, 2020. [page 2.]
[BJJS10] Jean-François Biasse, Michael J Jacobson Jr, and Alan K Silvester. Security estimates for quadratic
field based cryptosystems. In Australasian Conference on Information Security and Privacy, pages
233–247. Springer, 2010. [page 5.]

[BKSW20] Karim Belabas, Thorsten Kleinjung, Antonio Sanso, and Benjamin Wesolowski. A note on the low
order assumption in class group of an imaginary quadratic number fields. Cryptology ePrint Archive,
2020. [page 2.]
[BKV19] Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren. Csi-fish: efficient isogeny based signa-
tures through class group computations. In International Conference on the Theory and Application
of Cryptology and Information Security, pages 227–247. Springer, 2019. [pages 5 and 12.]
[BKW20] Dan Boneh, Dmitry Kogan, and Katharine Woo. Oblivious pseudorandom functions from isogenies.
In Advances in Cryptology–ASIACRYPT 2020: 26th International Conference on the Theory and
Application of Cryptology and Information Security, Daejeon, South Korea, December 7–11, 2020,
Proceedings, Part II 26, pages 520–550. Springer, 2020. [page 11.]

[BLS01] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the weil pairing. In Interna-
tional conference on the theory and application of cryptology and information security, pages 514–532.
Springer, 2001. [page 1.]
[BN00] Dan Boneh and Moni Naor. Timed commitments. In Annual international cryptology conference,
pages 236–254. Springer, 2000. [pages 1 and 2.]
[BV07] Johannes Buchmann and Ulrich Vollmer. Binary quadratic forms. Springer, 2007. [pages 3, 4, and 5.]

[BW88] Johannes Buchmann and Hugh C. Williams. A key-exchange system based on imaginary quadratic
fields. Journal of Cryptology, 1:107–118, 1988. [page 1.]

[CHI+ 21] Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, Abhi
Shelat, Muthu Venkitasubramaniam, and Ruihan Wang. Diogenes: Lightweight scalable rsa modulus
generation with a dishonest majority. In 2021 IEEE Symposium on Security and Privacy (SP), pages
590–607. IEEE, 2021. [page 1.]
[CL15] Guilhem Castagnos and Fabien Laguillaumie. Linearly homomorphic encryption from. In Cryptogra-
phers’ Track at the RSA Conference, pages 487–505. Springer, 2015. [page 1.]
[CLM+ 18] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. Csidh: an efficient
post-quantum commutative group action. In Advances in Cryptology–ASIACRYPT 2018: 24th Inter-
national Conference on the Theory and Application of Cryptology and Information Security, Brisbane,
QLD, Australia, December 2–6, 2018, Proceedings, Part III 24, pages 395–427. Springer, 2018. [pages 3,
11, and 16.]

[CMB23] Kevin Choi, Aathira Manoj, and Joseph Bonneau. Sok: Distributed randomness beacons. Cryptology
ePrint Archive, 2023. [page 2.]

18
[CMS99] Christian Cachin, Silvio Micali, and Markus Stadler. Computationally private information retrieval
with polylogarithmic communication. In Advances in Cryptology—EUROCRYPT’99: International
Conference on the Theory and Application of Cryptographic Techniques Prague, Czech Republic, May
2–6, 1999 Proceedings 18, pages 402–414. Springer, 1999. [page 3.]
[CP19] Bram Cohen and Krzysztof Pietrzak. The chia network blockchain. White Paper, Chia. net, 9, 2019.
[page 2.]

[DFI95] William Duke, John B Friedlander, and Henryk Iwaniec. Equidistribution of roots of a quadratic
congruence to prime moduli. Annals of Mathematics, 141(2):423–441, 1995. [page 22.]
[DFMPS19] Luca De Feo, Simon Masson, Christophe Petit, and Antonio Sanso. Verifiable delay functions from
supersingular isogenies and pairings. In Advances in Cryptology–ASIACRYPT 2019: 25th Interna-
tional Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan,
December 8–12, 2019, Proceedings, Part I 25, pages 248–277. Springer, 2019. [page 2.]
[DGS20] Samuel Dobson, Steven D Galbraith, and Benjamin Smith. Trustless groups of unknown order with
hyperelliptic curves. IACR Cryptol. ePrint Arch., 2020:196, 2020. [pages 4, 5, and 10.]

[Dix08] John D Dixon. Generating random elements in finite groups. the electronic journal of combinatorics,
pages R94–R94, 2008. [page 11.]
[FFS+ 13] Reza R Farashahi, Pierre-Alain Fouque, Igor Shparlinski, Mehdi Tibouchi, and J Voloch. Indif-
ferentiable deterministic hashing to elliptic and hyperelliptic curves. Mathematics of Computation,
82(281):491–512, 2013. [page 1.]

[FHSS+ 23] Armando Faz-Hernandez, Sam Scott, Nick Sullivan, Riad S. Wahby, and Christopher A. Wood. Hash-
ing to Elliptic Curves. RFC 9380, August 2023. [page 1.]
[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature
problems. In Conference on the theory and application of cryptographic techniques, pages 186–194.
Springer, 1986. [page 14.]

[FSV09] Reza R Farashahi, Igor E Shparlinski, and José Felipe Voloch. On hashing into elliptic curves. Journal
of Mathematical Cryptology, 3(4):353–360, 2009. [page 1.]
[FT12] Pierre-Alain Fouque and Mehdi Tibouchi. Indifferentiable hashing to barreto–naehrig curves. In
Progress in Cryptology–LATINCRYPT 2012: 2nd International Conference on Cryptology and Infor-
mation Security in Latin America, Santiago, Chile, October 7-10, 2012. Proceedings 2, pages 1–17.
Springer, 2012. [page 1.]
[GKL+ 22] Lorenzo Grassi, Dmitry Khovratovich, Reinhard Lüftenegger, Christian Rechberger, Markus Schofneg-
ger, and Roman Walch. Reinforced concrete: A fast hash function for verifiable computation. In
Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages
1323–1335, 2022. [page 14.]

[GKR+ 21] Lorenzo Grassi, Dmitry Khovratovich, Christian Rechberger, Arnab Roy, and Markus Schofnegger.
Poseidon: A new hash function for {Zero-Knowledge} proof systems. In 30th USENIX Security
Symposium (USENIX Security 21), pages 519–535, 2021. [page 14.]
[GRR+ 16] Lorenzo Grassi, Christian Rechberger, Dragos Rotaru, Peter Scholl, and Nigel P Smart. Mpc-friendly
symmetric key primitives. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and
Communications Security, pages 430–443, 2016. [page 14.]
[GS98] David M Goldschlag and Stuart G Stubblebine. Publicly verifiable lotteries: Applications of delaying
functions. In International Conference on Financial Cryptography, pages 214–226. Springer, 1998.
[page 2.]

[HM89] James L Hafner and Kevin S McCurley. A rigorous subexponential algorithm for computation of class
groups. Journal of the American mathematical society, 2(4):837–850, 1989. [page 5.]

19
[HMR+ 19] Carmit Hazay, Gert Læssøe Mikkelsen, Tal Rabin, Tomas Toft, and Angelo Agatino Nicolosi. Efficient
rsa key generation and threshold paillier in the two-party setting. Journal of Cryptology, 32:265–323,
2019. [page 1.]
[Ica09] Thomas Icart. How to hash into elliptic curves. In Annual International Cryptology Conference, pages
303–316. Springer, 2009. [pages 1 and 3.]

[KL07] Jonathan Katz and Yehuda Lindell. Introduction to modern cryptography: principles and protocols.
Chapman and hall/CRC, 2007. [page 1.]
[KPS18] Ahmed Kosba, Charalampos Papamanthou, and Elaine Shi. xjsnark: A framework for efficient veri-
fiable computation. In 2018 IEEE Symposium on Security and Privacy (SP), pages 944–961. IEEE,
2018. [page 14.]

[Lip12] Helger Lipmaa. Secure accumulators from euclidean rings without trusted setup. In Applied Cryp-
tography and Network Security: 10th International Conference, ACNS 2012, Singapore, June 26-29,
2012. Proceedings 10, pages 224–240. Springer, 2012. [page 1.]
[Lon19] Jieyi Long. Nakamoto consensus with verifiable delay puzzle. arXiv preprint arXiv:1908.06394, 2019.
[page 2.]

[LSS20] Esteban Landerreche, Marc Stevens, and Christian Schaffner. Non-interactive cryptographic times-
tamping based on verifiable delay functions. In Financial Cryptography and Data Security: 24th
International Conference, FC 2020, Kota Kinabalu, Malaysia, February 10–14, 2020 Revised Selected
Papers 24, pages 541–558. Springer, 2020. [page 2.]

[Mil75] Gary L Miller. Riemann’s hypothesis and tests for primality. In Proceedings of the seventh annual
ACM symposium on Theory of computing, pages 234–239, 1975. [page 15.]
[MOT20] Tomoki Moriya, Hiroshi Onuki, and Tsuyoshi Takagi. Sigamal: a supersingular isogeny-based pke and
its application to a prf. In Advances in Cryptology–ASIACRYPT 2020: 26th International Confer-
ence on the Theory and Application of Cryptology and Information Security, Daejeon, South Korea,
December 7–11, 2020, Proceedings, Part II 26, pages 551–580. Springer, 2020. [page 11.]
[MT19] Giulio Malavolta and Sri Aravinda Krishnan Thyagarajan. Homomorphic time-lock puzzles and ap-
plications. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part I, volume
11692 of LNCS, pages 620–649. Springer, Heidelberg, August 2019. [page 1.]
[Pea92] Karl Pearson. On the criterion that a given system of deviations from the probable in the case of a
correlated system of variables is such that it can be reasonably supposed to have arisen from random
sampling. Springer, 1992. [page 6.]
[Pie19] Krzysztof Pietrzak. Simple verifiable delay functions. In 10th innovations in theoretical computer
science conference (itcs 2019). Schloss-Dagstuhl-Leibniz Zentrum für Informatik, 2019. [pages 1 and 2.]

[RSS20] Lior Rotem, Gil Segev, and Ido Shahaf. Generic-group delay functions require hidden-order groups. In
Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages
155–180. Springer, 2020. [page 2.]
[RSW96] Ronald L Rivest, Adi Shamir, and David A Wagner. Time-lock puzzles and timed-release crypto.
1996. [page 1.]

[SB23] István András Seres and Péter Burcsi. Behemoth: transparent polynomial commitment scheme with
constant opening proof size and verifier time. Cryptology ePrint Archive, 2023. [pages 1 and 2.]
[SBC+ 09] Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J Dominguez Perez, and Ezekiel J Kachisa.
Fast hashing to g 2 on pairing-friendly curves. In International Conference on Pairing-Based Cryp-
tography, pages 102–113. Springer, 2009. [page 1.]

[Sha89] Daniel Shanks. On gauss and composition i, ii. In Proc. NATO ASI on Number Theory and Applica-
tions, pages 163–179. Kluwer Academic Press Dordrecht, 1989. [page 15.]

20
[SL84] C-P Schnorr and Hendrik W Lenstra. A monte carlo factoring algorithm with linear storage. Mathe-
matics of Computation, 43(167):289–311, 1984. [page 2.]
[Sou07] K Soundararajan. The number of imaginary quadratic fields with a given class number. Hardy-
Ramanujan Journal, 30, 2007. [page 5.]
[Sut07] Andrew V Sutherland. Order computations in generic groups. PhD thesis, Massachusetts Institute of
Technology, 2007. [page 5.]
[TCLM21] Sri Aravinda Krishnan Thyagarajan, Guilhem Castagnos, Fabian Laguillaumie, and Giulio Malavolta.
Efficient cca timed commitments in class groups. In Proceedings of the 2021 ACM SIGSAC Conference
on Computer and Communications Security, pages 2663–2684, 2021. [pages 1, 2, and 6.]

[WB19] Riad S Wahby and Dan Boneh. Fast and simple constant-time hashing to the bls12-381 elliptic curve.
Cryptology ePrint Archive, 2019. [page 1.]
[Wes19] Benjamin Wesolowski. Efficient verifiable delay functions. In Yuval Ishai and Vincent Rijmen, editors,
EUROCRYPT 2019, Part III, volume 11478 of LNCS, pages 379–407. Springer, Heidelberg, May 2019.
[pages 1, 2, 3, 11, and 12.]

A The coefficient c of reduced forms

In the following, we aim to characterize heuristically the asymptotic behavior of the discrete probability distribution
of the reduced binary quadratic forms’ c coefficient in Cl(∆). We introduce a similar definition to Definition 9.

Definition 10. (The distribution of coefficient c in Cl(∆)) Let us denote by C∆ the discrete probability distribution
of the coefficient c of the reduced forms in Cl(∆), i.e.,

|{(a, b)|∃(a, b) : (a, b, c) ∈ Cl(∆)}|

Pr[C∆ = c] := . (17)
|Cl(∆)|
q
b2 −∆ |∆|
Let C(a,b) := {(a, b)|(a, b, c) ∈ Cl(∆)}, i.e., recall this condition implies that c | 4 ∧ |b|≤ a ≤ 3 ∧ a ≤ c.
We want to obtain close estimates on |Ca | for a fixed, large ∆.

8 Reduced binary quadratic forms

7
6
5
Count

4
3
2
1
0
103 104 105 106
Coefficient c of the binary quadratic forms with = -4819543

Figure 10: Illustrating the distribution of the coefficient a and b of reduced binary quadratic forms in the class
group Cl(∆) with the medium-sized discriminant ∆ = −4, 819, 543.

21
 For the sake ofsimplicity,
 let us only consider prime forms in Ca , i.e., a = p for a prime p. Recall Theorem 1,
∆
that is Cp ̸= ∅ iff. = 1. If Cp ̸= ∅, then one can compute the b coefficients of the prime form (p, b) as the two
p
modular square roots, i.e., b ← SqrtModP(∆, p), cf. Theorem 2. Applying the equidistribution theorems of p Duke,
Friedlander, and Iwaniec [DFI95], we assert that the rationals X ∼ pb is equidistributed in [0, 1] for p ∈ [0, |∆|/4]
2 √
and b < p. Therefore, we have the distribution X 2 ∼ pb 2 has FX 2 (x) = x ∈ [0, 1], and the density function of X 2
dFX 2 (x) 1
is fX 2 (x) = dx = √
2 x
.
2
−∆
Looking ahead, we wish to establish heuristically the distribution of c = b 4p . Our goal is to obtain a heuristic
characterization of the cumulative distribution function for the coefficient c of reduced prime forms. More formally,
h b2 − ∆  
∆ p i
FC∆ (x) := Pr[C∆ ≤ x] = Pr ≤x: = 1 ∧ p ∈ [2, |∆|/4] ∧ b/p ∼ U (0, 1)] . (18)
4p p
 
∆ p
Let P := {p|p prime ∧ = 1 ∧ p ∈ [2, |∆|/4]}. In Equation (18), we can heuristically think of the probability
p
2
−∆
Pr[ b 4p ≤ x] as follows: pick p ∈R P and we pretend that b/p is a uniform random variable in [0, 1] (even though
p determines b up to sign). Rearranging terms, we obtain:
"   #
 2   2  2
b −∆ b −∆ p b ∆
Pr ≤ x = Pr p ≤ x = Pr − ≤x (19)
4p 4p2 4 p 4p

Expressing b/p in terms of the other terms, the expression becomes:

"  #
2  
b 4x ∆ 4x ∆
Pr ≤ + 2 = Pr X 2 ≤ + 2 =: Gx,p . (20)
p p p p p

We observe the following elementary

√ bounds for coefficient c. Recall b ≤ a ≤c. Thus, 4c2 ≥ 4ac = b2 − ∆ ≥ −∆.
|∆|
Therefore, 4c2 ≥ −∆, i.e., c ≥ 2 . Therefore, we focus on estimating the distribution function for x ≥ |∆|1/2+ε
for ε > 0. For such an x, we have p > |∆|1/2−ε if 0 ≤ 4x ∆
p + p2 , cf. Equation (20). The probability Gx,p = 0 for
−∆
√ −∆
p < 4x , and Gx,p = 1 for p > 2x − 4x2 + ∆ ≈ 4x for x in this range. Thus, the expected value of Gx,p = 1 for
a random p is approximately equal to the probability that p > −∆ 4x . Since p is a random prime from the interval
q
|∆|
[2, 4 ], we obtain

|∆| |∆| p !
/log |∆|
FC∆ (x) ≈ 1 − q 4x q4x
=1−Θ (21)
|∆| |∆| x
4 /log 4

The last step is due to the fact that the quotient of the logarithmic terms only contributed a small constant factor.
Backed by the previous heuristics for prime forms and based on empirical investigation, we formulate the following
conjecture for all binary quadratic forms’ coefficient c in Cl(∆).
Conjecture 2. The cumulative distribution function GC∆ (·) of all reduced binary quadratic forms’ coefficient c in
Cl(∆), i.e., the distribution C∆ for x ≥ |∆|1/2+ε follows
p !
|∆|
GC∆ (x) = 1 − Θ . (22)
x

22