A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudo-prime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than presently-used algorithms for generating only pseudo-primes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval. Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy t...

We consider the problem of determining whether a lacunary (also called a sparse or super-sparse) polynomial f is a perfect power, that is, f = h r for some other polynomial h and r ∈ N, and of finding h and r should they exist. We show how to determine if f is a perfect power in time polynomial in the number of non-zero terms of f, and in terms of log deg f, i.e., polynomial in the size of the lacunary representation. The algorithm works over Fq[x] (for large characteristic) and over Z[x], where the cost is also polynomial in log ‖f‖∞. We also give a Monte Carlo algorithm to find h if it exists, for which our proposed algorithm requires polynomial time in the output size, i.e., the sparsity and height of h. Conjectures of Erdös and Schinzel, and recent work of Zannier, suggest that h must be sparse. Subject to a slightly stronger conjectures we give an extremely efficient algorithm to find h via a form of sparse Newton iteration. We demonstrate the efficiency of these algorithms with an implementation using the C++ library NTL. 1.

Abstract. We present the pseudosquares prime sieve, which finds all primes up to n. Define p to be the smallest prime such that the pseudosquare Lp>n/(π(p)(log n) 2); here π(x) is the prime counting function. Our algorithm requires only O(π(p)n) arithmetic operations and O(π(p)logn) space. It uses the pseudosquares primality test of Lukes, Patterson, and Williams. Under the assumption of the Extended Riemann Hypothesis, we have p ≤ 2(log n) 2, but it is conjectured that p ∼ 1 log nlog log n. Thus, log2 the conjectured complexity of our prime sieve is O(n log n) arithmetic operations in O((log n) 2) space. The primes generated by our algorithm are proven prime unconditionally. The best current unconditional bound known is p ≤ n 1/(4√e−ɛ) 1.132, implying a running time of roughly n using roughly n 0.132 space. Existing prime sieves are generally faster but take much more space, greatly limiting their range (O(n / log log n)operationswithn 1/3+ɛ space, or O(n) operationswithn 1/4 conjectured space). Our algorithm found all 13284 primes in the interval [10 33,10 33 +10 6] in about 4 minutes on a1.3GHzPentiumIV. We also present an algorithm to find all pseudosquares Lp up to n in sublinear time using very little space. Our innovation here is a new, space-efficient implementation of the wheel datastructure. 1

We describe a polynomial time algorithm to compute Jacobi symbols of exponentially large integers of special form, including so-called sparse integers which are exponentially large integers with only polynomially many non-zero binary digits. In a number of papers sequences of Jacobi symbols have been proposed as generators of cryptographically secure pseudorandom bits. Our algorithm allows us to use much larger moduli in such constructions. We also use our algorithm to design a probabilistic polynomial time test which decides if a given integer of the aforementioned type is a perfect square (assuming the Extended Riemann Hypothesis). We also obtain analogues of these results for polynomials over finite fields. Moreover, in this case the perfect square testing algorithm is unconditional. These results can be compared with many known NP-hardness results for some natural problems on sparse integers and polynomials.