Abstract. We present a new construction of non-committing encryption schemes. Unlike the previous constructions of Canetti et al. (STOC ’96) and of Damg˚ard and Nielsen (Crypto ’00), our construction achieves all of the following properties: – Optimal round complexity. Our encryption scheme is a 2-round protocol, matching the round complexity of Canetti et al. and improving upon that in Damg˚ard and Nielsen. – Weaker assumptions. Our construction is based on trapdoor simulatable cryptosystems, a new primitive that we introduce as a relaxation of those used in previous works. We also show how to realize this primitive based on hardness of factoring. – Improved efficiency. The amortized complexity of encrypting a single bit is O(1) public key operations on a constant-sized plaintext in the underlying cryptosystem. As a result, we obtain the first non-committing public-key encryption schemes under hardness of factoring and worst-case lattice assumptions; previously, such schemes were only known under the CDH and RSA assumptions. Combined with existing work on secure multi-party computation, we obtain protocols for multi-party computation secure against a malicious adversary that may adaptively corrupt an arbitrary number of parties under weaker assumptions than were previously known. Specifically, we obtain the first adaptively secure multi-party protocols based on hardness of factoring in both the stand-alone setting and the UC setting with a common reference string. Key words: public-key encryption, adaptive corruption, non-committing encryption, secure multi-party computation. 1

(In memory of Serge Lang) Four decades ago, Mikio Sato and John Tate predicted the shape of probability distributions to which certain “error terms ” in number theory conform. Their prediction—known as the Sato-Tate

What follows is an expanded version of my lectures at the NATO School on Equidistribution. I have tried to keep the informal style of the lectures. In particular, I have sometimes oversimplified matters in order to convey the spirit of an argument. Lecture 1: The Cramér model and gaps between consecutive primes The prime number theorem tells us that π(x), the number of primes below x, is ∼ x / logx. Equivalently, if pn denotes the n-th smallest prime number then pn ∼ n log n. What is the distribution of the gaps between consecutive primes, pn+1 − pn? We have just seen that pn+1 − pn is approximately log n “on average”. How often do we get a gap of size 2 logn, say; or of size 1 log n? One way to make this question precise 2 is to fix an interval [α, β] (with 0 ≤ α < β) and ask for

ABSTRACT. Under two assumptions, we determine the distribution of the difference between two functions each counting the numbers � x that are in a given arithmetic progression modulo q and the product of two primes. The two assumptions are (i) the Extended Riemann Hypothesis for Dirichlet L-functions modulo q, and (ii) that the imaginary parts of the nontrivial zeros of these L-functions are linearly independent over the rationals. Our results are analogs of similar results proved for primes in arithmetic progressions by Rubinstein and Sarnak. 1.

Abstract. Taking r>0, let π2r(x) denote the number of prime pairs (p, p + 2r) withp ≤ x. The prime-pair conjecture of Hardy and Littlewood (1923) asserts that π2r(x) ∼ 2C2r li2(x) with an explicit constant C2r> 0. There seems to be no good conjecture for the remainders ω2r(x) =π2r(x)−2C2r li2(x) that corresponds to Riemann’s formula for π(x)−li(x). However, there is a heuristic approximate formula for averages of the remainders ω2r(x) which is supported by numerical results. 1.

Abstract. We consider statistical properties of the sequence of ordered pairs obtained by taking the sequence of prime numbers and reducing modulo m. Using an inclusion/exclusion argument and a cut-off of an infinite product suggested by Pólya, we obtain a heuristic formula for the “probability ” that a pair of consecutive prime numbers of size approximately x will be congruent to (a, a+d) modulo m. We demonstrate some symmetries of our formula. We test our formula and some of its consequences against data for x in various ranges. 1.

In this lecture celebrating the 150th anniversary of the seminal paper of Riemann, we discuss various approaches to interesting questions concerning the distribution of primes, including several that do not involve the Riemann zeta-function.

Abstract. Taking r>0, let π2r(x) denote the number of prime pairs (p, p + 2r) withp ≤ x. The prime-pair conjecture of Hardy and Littlewood (1923) asserts that π2r(x) ∼ 2C2r li2(x) with an explicit constant C2r> 0. There seems to be no good conjecture for the remainders ω2r(x) =π2r(x)−2C2r li2(x) that corresponds to Riemann’s formula for π(x)−li(x). However, there is a heuristic approximate formula for averages of the remainders ω2r(x) which is supported by numerical results. 1.