On the statistical properties of Diffie–Hellman distributions
MR 2001k:11258, Zbl 0997.11066
Cited by 29 (10 self)
Abstract
Let p be a large prime such that p − 1 has some large prime factors, and let $\vartheta \in \mathbb{Z}_p^*$ be an r-th power residue for all small factors r of p − 1. The corresponding Diffie–Hellman (DH) distribution is $(\vartheta^x, \vartheta^y, \vartheta^{xy})$, where x, y are randomly chosen from $\mathbb{Z}_p^*$. A recently formulated assumption is that, given p, ϑ of the above form, it is infeasible to distinguish in reasonable time between the DH distribution and triples of numbers chosen
On certain exponential sums and the distribution of Diffie–Hellman triples
J. London Math. Soc., 1999
Cited by 26 (14 self)
Abstract
Let g be a primitive root modulo a prime p. It is proved that the triples $(g^x, g^y, g^{xy})$, $x, y = 1, \ldots, p-1$, are uniformly distributed modulo p in the sense of H. Weyl. This result is based on the following upper bound for double exponential sums. Let $\varepsilon > 0$ be fixed. Then $\sum_{x,y=1}^{p-1} \exp\big(2\pi i\,(a g^x + b g^y + c g^{xy})/p\big)$
Period of the power generator and small values of Carmichael’s function
Math. Comp., 70
Cited by 18 (11 self)
Abstract
Consider the pseudorandom number generator $u_n \equiv u_{n-1}^e \pmod m$, $0 \le u_n \le m-1$, $n = 1, 2, \ldots$, where we are given the modulus m, the initial value $u_0 = \vartheta$ and the exponent e. One case of particular interest is when the modulus m is of the form pl, where p, l are different primes of the same magnitude. It is known from work of the first and third authors that for moduli m = pl, if the period of the sequence $(u_n)$ exceeds $m^{3/4+\varepsilon}$, then the sequence is uniformly distributed. We show rigorously that for almost all choices of p, l it is the case that for almost all choices of ϑ, e, the period of the power generator exceeds $(pl)^{1-\varepsilon}$. And so, in this case, the power generator is uniformly distributed. We also give some other cryptographic applications, namely, to ruling out the cycling attack on the RSA cryptosystem and to so-called time-release crypto. The principal tool is an estimate related to the Carmichael function λ(m), the size of the largest cyclic subgroup of the multiplicative group of residues modulo m. In particular, we show that for any $\Delta \ge (\log\log N)^3$, we have $\lambda(m) \ge N\exp(-\Delta)$ for all integers m with $1 \le m \le N$, apart from at most $N\exp\big(-0.69\,(\Delta\log\Delta)^{1/3}\big)$ exceptions.
The distribution of totients
1998
Cited by 15 (6 self)
Abstract
This paper is an announcement of many new results concerning the set of totients, i.e. the set of values taken by Euler’s φ-function. The main functions studied are V(x), the number of totients not exceeding x, A(m), the number of solutions of φ(x) = m (the “multiplicity” of m), and $V_k(x)$, the number of m ≤ x with A(m) = k. The first of the main results of the paper is a determination of the true order of V(x). It is also shown that for each k ≥ 1, if there is a totient with multiplicity k, then $V_k(x) \gg V(x)$. We further show that every multiplicity k ≥ 2 is possible, settling an old conjecture of Sierpiński. An older conjecture of Carmichael states that no totient has multiplicity 1. This remains an open problem, but some progress can be reported. In particular, the results stated above imply that if there is one counterexample, then a positive proportion of all totients are counterexamples. Determining the order of V(x) and $V_k(x)$ also provides a description of the “normal” multiplicative structure of totients. This takes the form of bounds on the sizes of the prime factors of a preimage of a typical totient. One corollary is that the normal number of prime factors of a totient ≤ x is c log log x, where c ≈ 2.186. Lastly, similar results are proved for the set of values taken by a general multiplicative arithmetic function, such as the sum of divisors function, whose behavior is similar to that of Euler’s function.
Uniform Circuits for Division: Consequences and Problems
Electronic Colloquium on Computational Complexity 7:065, 2000
Cited by 13 (6 self)
Abstract
Integer division has been known to lie in P-uniform $TC^0$ since the mid-1980s, and recently this was improved to L-uniform $TC^0$. At the time that the results in this paper were proved and submitted for conference presentation, it was unknown whether division lay in DLOGTIME-uniform $TC^0$ (also known as FOM). We obtain tight bounds on the uniformity required for division, by showing that division is complete for the complexity class FOM + POW obtained by augmenting FOM with a predicate for powering modulo small primes. We also show that, under a well-known number-theoretic conjecture (that there are many "smooth" primes), POW (and hence division) lies in FOM. Building on this work, Hesse has shown recently that division is in FOM [17].
Hidden number problem with hidden multipliers, timed-release crypto and noisy exponentiation
Math. Comp.
Cited by 10 (4 self)
Abstract
We consider a generalisation of the hidden number problem recently introduced by Boneh and Venkatesan. The initial problem can be stated as follows: recover a number $a \in \mathbb{F}_p$ such that for many known random $t \in \mathbb{F}_p$ approximations to the values of $\lfloor at \rfloor_p$ are known. Here we study a version of the problem where the “multipliers” t are not known but rather certain approximations to them are given. We present a probabilistic polynomial time solution when the error is small enough, and we show that the problem cannot be solved if the error is sufficiently large. We apply the result to the bit security of “timed-release crypto” introduced by Rivest, Shamir and Wagner, to noisy exponentiation black boxes and to the bit security of the “inverse” exponentiation. We also show that it implies a certain bit security result for the Weil pairing on elliptic curves.
On the period of the linear congruential and power generators
Acta Arith.
Cited by 7 (2 self)
Abstract
We consider two standard pseudorandom number generators from number theory: the linear congruential generator and the power generator. For the former, we are given integers e, b, n (with e, n > 1) and a seed $u_0$, and we compute the sequence
The iterated Carmichael λ function and the number of cycles of the power generator
2005
Cited by 6 (2 self)
Abstract
A common pseudorandom number generator is the power generator: $x \mapsto x^{\ell} \pmod n$. Here, ℓ, n are fixed integers at least 2, and one constructs a pseudorandom sequence by starting at some residue mod n and iterating this ℓ-th power map. (Because it is the easiest to compute, one often takes ℓ = 2; this case is known as the BBS generator, for Blum,
On values taken by the largest prime factor of shifted primes
 Journal of the Australian Mathematical Society
Cited by 5 (2 self)
Abstract
Let $\mathcal{P}$ denote the set of prime numbers, and let P(n) denote the largest prime factor of an integer n > 1. We show that, for every real number $32/17 < \eta < (4 + 3\sqrt{2})/4$, there exists a constant $c(\eta) > 1$ such that for every integer $a \ne 0$, the set $\{\, p \in \mathcal{P} : p = P(q - a) \text{ for some prime } q \text{ with } p^{\eta} < q < c(\eta)\, p^{\eta} \,\}$ has relative asymptotic density one in the set of all prime numbers. Moreover, in the range $2 \le \eta < (4 + 3\sqrt{2})/4$, one can take $c(\eta) = 1 + \varepsilon$ for any fixed ε > 0. In particular, our results imply that for every real number $0.486 \le \vartheta \le 0.531$, the relation $P(q - a) \asymp q^{\vartheta}$ holds for infinitely many primes q. We use this result to derive a lower bound on the number of distinct prime divisors of the value of the Carmichael function taken on a product of shifted primes. Finally, we study iterates of the map $q \mapsto P(q - a)$ for a > 0, and show that for infinitely many primes q, this map can be iterated at least $(\log\log q)^{1+o(1)}$ times before it terminates.