A Secure Public-Key Signature System With Extremely Fast Verification
, 2000
Cited by 5 (2 self)
This paper presents a variant of the Rabin-Williams public-key signature system. The new system offers the same security and signing speed but much faster verification. Generic attacks against this system are provably as difficult as factorization.
Security of Biased Sources for Cryptographic Keys
, 2001
Cryptographic schemes are based on keys which are highly involved in granting their security. It is in general assumed that the source producing these keys has uniform distribution, that is, it produces keys from a given key space with equal probability. Consequently, deviations from uniform distribution of the key source may be regarded a priori as a potential security breach, even if no dedicated attack is known which might take advantage of these deviations. We propose in this paper a model for biased key sources and show that it is possible to prove some results about tolerance of biases, which have the property of being inherent to the bias itself and not requiring assumptions about unknown attacks using these biases. The model is based on comparing the average case complexities of generic attacks to some number theoretical problems, with respect to uniform and to biased distributions. We also show the connection to information entropy based analysis of biased ...
Close to Uniform Prime Number Generation With Fewer Random Bits
Abstract. In this paper we analyze a simple method for generating prime numbers with fewer random bits. Assuming the Extended Riemann Hypothesis, we can prove that our method generates primes according to a distribution that can be made arbitrarily close to uniform. This is unlike the PRIMEINC algorithm studied by Brandt and Damgård and its many variants implemented in numerous software packages, which reduce the number of random bits used at the price of a distribution easily distinguished from uniform. Our new method is also no more computationally expensive than the ones in current use, and opens up interesting options for prime number generation in constrained environments. Keywords: Public-key cryptography, prime number generation, RSA, efficient implementations, random bits.
Efficiently Detecting Embedded Subtori and Algebraic Torsion Points
, 2006
Suppose $X$ is the complex zero set of a finite collection of polynomials in $\mathbb{Z}[x_1,\ldots,x_n]$. We show that deciding whether $X$ contains a point all of whose coordinates are $d$th roots of unity can be done within $\mathrm{NP}^{\mathrm{NP}}$ (relative to the sparse encoding), under a plausible assumption on primes in arithmetic progression. In particular, our hypothesis can still hold even under certain failures of the Generalized Riemann Hypothesis, such as the presence of Siegel-Landau zeroes. Furthermore, our complexity upper bound holds unconditionally when $n=1$. Finally, letting $T$ be any multiplicative translate of an algebraic subgroup of $(\mathbb{C}^*)^n$, we show that deciding $X \overset{?}{\supseteq} T$ is coNP-complete (relative to the sparse encoding), unconditionally. We thus obtain new non-trivial families of multivariate polynomial systems where deciding the existence of complex roots can be done unconditionally in the polynomial hierarchy — a family of complexity classes lying between PSPACE and P, intimately connected with the $\mathrm{P} \overset{?}{=} \mathrm{NP}$ Problem. We also discuss how our results can be viewed as an algorithmic analogue of Laurent’s solution of Chabauty’s Conjecture from arithmetic geometry.
Interpolating Between Quantum and Classical Complexity Classes
, 2008
We reveal a natural algebraic problem whose complexity appears to interpolate between the well-known complexity classes BQP and NP: (⋆) Decide whether a univariate polynomial with exactly m monomial terms has a p-adic rational root. In particular, we show that while (⋆) is doable in quantum randomized polynomial time when m = 2 (and no classical randomized polynomial time algorithm is known), (⋆) is nearly NP-hard for general m: Under a plausible hypothesis involving primes in arithmetic progression (implied by the Generalized Riemann Hypothesis for certain cyclotomic fields), a randomized polynomial time algorithm for (⋆) would imply the widely disbelieved inclusion NP⊆BPP. This type of quantum/classical interpolation phenomenon appears to be new. 1 Introduction and Main Results Thanks to quantum computation, we now have exponential speed-ups for important practical problems such as Integer Factoring and Discrete Logarithm [Sho97]. However, a fundamental

