Let p be a large prime such that p−1 has some large prime factors, and let ϑ ∈ Z ∗ p be an r-th power residue for all small factors of p − 1. The corresponding Diffie-Hellman (DH) distribution is (ϑ x, ϑ y, ϑ xy) where x, y are randomly chosen from Z ∗ p. A recently formulated assumption is that given p, ϑ of the above form it is infeasible to distinguish in reasonable time between DH distribution and triples of numbers chosen

Let # be an integer of multiplicative order t # 1 modulo a prime p. We introduce and estimate sums of the form S Z (p, t, a) = T X s=1 exp (2#ia# zs /p) with a sequence Z = (z 1 , . . . , z T ) such that kz 1 , . . . , kz T is a permutation of z 1 , . . . , z T , both sequences taken modulo t, for su#ciently many distinct modulo t values of k. Such sequences include # x n for x = 1, . . . , t with an integer n # 1; # x n for x = 1, . . . , t and gcd(x, t) = 1 with an integer n # 1; # e x for x = 1, . . . , T with an integer e, where T is the period of the sequence e x modulo t. Some of our results can be extended to composite moduli and to sums of multiplicative characters as well. Character sums with the above sequences have some cryptographic motivation and applications and have been considered in several papers by J. B. Friedlander, D. Lieman and I. E. Shparlinski. In particular we generalize and improve several previous bounds. 1 Introduction In thi...

Abstract. The inversive congruential method is an attractive alternative to the classical linear congruential method for pseudorandom number generation. In this paper we present the first nontrivial bounds on the discrepancy of individual sequences of inversive congruential pseudorandom numbers in parts of the period. The proof is based on a new bound for certain incomplete exponential sums. 1.

Abstract. Let m = pl be a product of two distinct primes p and l. Weshow that for almost all exponents e with gcd(e, ϕ(m)) = 1 the RSA pairs (x, xe) are uniformly distributed modulo m when x runs through • the group of units Z ∗ m modulo m (that is, as in the classical RSA scheme); • the set of k-products x = ai1 ···ai, 1 ≤ i1 < ·· · < ik ≤ n, where k a1, ·· ·,an ∈ Z ∗ m are selected at random (that is, as in the recently introduced RSA scheme with precomputation). These results are based on some new bounds of exponential sums. 1.

We show that, under some natural conditions, the pairs (r, s) produced by the ElGamal signature scheme are uniformly distributed. In particular this implies that values of r and s are not correlated. The results is based on some news estimates of exponential sums. Keywords: ElGamal signature scheme, Exponential sums, Uniform distribution Running header: Distribution of the ElGamal Signature 1 1 Introduction Let p # 3 be a prime and let g be a primitive root modulo p, that is, gcd(g, p) = 1 and g k ## 1 (mod p), k = 1, . . . , p - 2. For an integer m # 2 we also denote by ZZ m the set of integers k # [0, m- 1] and by ZZ # m the subset of ZZ # m consisting the integers k with gcd(k, m) = 1. The ElGamal signature scheme, can be described in the following way. Let M be a finite set of messages to be signed and let h : M# ZZ p-1 be an arbitrary function, usually called a hash-function. We assume that the primitive root g is publicly known. For an integer k we define the...

Abstract We obtain a lower bound on the linear complexity profile of the power generator of pseudo-random numbers modulo a Blum integer. A different method is also proposed to estimate the linear complexity profile of the Blum-Blum-Shub generator. In particular, these results imply that lattice reduction attacks on such generators are not feasible.

Let IF p be a prime field of p elements and let g be an element of IF p of multiplicative order t modulo p. We show that for any " ? 0 and t p 1=3+" the Diffie--Hellman pairs (x; g x ) are uniformly distributed in the Descartes product ZZ t \Theta IF p , where x runs through ffi the residue ring ZZ t modulo t (that is, as in the classical DiffieHellman scheme); ffi the all k-sums x = a i 1 + : : : + a i k , 1 i 1 ! : : : ! i k n, where a 1 ; : : : ; a n 2 ZZ t are selected at random (that is, as in the recently introduced Diffie--Hellman scheme with precomputation). These results are new and nontrivial even if t = p \Gamma 1, that is, if g is a primitive root. The method based on some bounds of exponential sums. Key words and phrases: Diffie--Hellman cryptosystem, Uniform distribution, Precomputation, Exponential sums Address for correspondence: Igor Shparlinski, Department of Computing, Macquarie University, North Ryde, NSW 2109, Australia FAX: [61 - 2] 98509551 E-mail: i...

Let # # ZZ m , gcd(#, m) = 1 and suppose that # has multiplicative order t. We show that provided t # m 19/20+# the triples (# x , # y , # xy ), x, y = 1, . . . , t, are uniformly distributed modulo m. This is based on the upper bounds t X x,y=1 exp