Bach, E., "How to Generate Factored Random Numbers," SIAM Journal on Computing 17(2), 179-193 (April 1988).  Home/Search   Document Not in Database   Summary   Related Articles   Check

..... Let S V be the family of probabilistic circuits which on input G do the following: 1. Let k be the size of the input graph G 2. Select a random string to be used as the random string for the veri er 3. Select a random k bit prime number p such that the factorization of p 1 is known [1]. 4. Select a random generator, g, of Z p . 5. Select a random element, Q, of Z p . 6. Select a random hash function, H, from H k . 7. Run on input (p; g; Q; H) and random string to obtain ( X 1 ; Y 1 ) X k ; Y k ) W 1;1 ; Z 1;1 ) W k;k ; Z k;k ) B 1 ; ....

E. Bach. how to generate factored random numbers. Siam Journal of Computing, 17, 1988.

....on RSA. We first construct the following common domain trapdoor system. The common domain, given security parameter n, is f0; 1g . A permutation over f0; 1g is chosen as follows. First choose a number N uniformly from [2 : 2 ] together with its factorization (via Bach s algorithm [B]) Next choose a prime 2 e 2 n 1 . This way, we are assured that gcd(e; OE(N) 1, where OE( is Euler s totient function, even if the factorization of N is not known. Let f N (x) x e (mod N) if x N and f N (x) x otherwise. With non negligible probability N is a product of two ....

E. Bach, "How to generate factored random numbers", SIAM J. on Comput., Vol. 17, No. 2, 1988, pp. 179-193.

....e is a (k log k) bit random prime and for j = 1, l the number n j is a uniformly random (k log k) bit number and d j = e 1 mod #(n j ) To compute d j the key generator G must generate uniformly (or indistinguishably close to uniformly) random n j in such a way that #(n j ) is known. In [2] it was shown how to do this. An oblivious index (e, n 1 , n l ) # G is simply generated by picking e as before and picking the n j uniformly random. The only problem for G 1 in faking bits for the index (e, n 1 , n l ) is the prime e. On how to do this see the proof of ....

Eric Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179--193, April 1988.

....4: Index and trapdoor generation A note on the algorithms is necessary. By n j # [2 k log k 1 ; 2 k log k ] known factorisation we mean, that n j should be picked uniformly random from [2 k log k 1 ; 2 k log k ] and that we should obtain its prime factorisation at the same time. In [1] it is shown how to do this in probabilistic polynomial time the algorithm obtains a distribution negligible close to the uniform distribution which su#ce for our application. By e # primes[2 k log k , 2 k log k 1 ] we mean that e should be picked uniformly random as a prime between 2 k ....

ERIC BACH. How to generate factored random numbers. In S. Rao Kosaraju, editor, SIAM Journal on Computing, volume 17, pages 179--193. Society for Industrial and Applied Mathematics. Philadelphia. Pennsylvania, 1988.

....terminate in polynomial time and are quite ecient in practice; and Las Vegas probabilistic algorithms which are always correct, generate as output a deterministic polynomial time checkable proof of correctness, and run in expected polynomial time. Not only can random primes be generated, but Bach [11] has also shown how to create a random k bit composite number in a factored form which which uses primality testing as a subroutine. On the other hand, to factor a number n seems to require time proportional to e c p ln(n) ln ln(n) 3) where the constant c is 1 for the fastest algorithms. ....

Eric Bach. How to generate factored random numbers. SIAM J. Computing, 17(2):179-193, April 1988.

....however, the adversary now also knows additional information about p, q and g, namely, the very coin tosses that generated them. This that may help the adversary solve the discrete log problem in the g generated subgroup modulo p. For instance, if p and q are found by running Bach s algorithm [Bac88], then one also gets the entire factorization of p 1, which may perhaps be useful to a clever DLP algorithm. Fix 1. The x simply consists of realizing this weakness and incorporating the (p; q; g) generation process into the DLP assumption. To be precise, one needs to incorporate also the ....

Eric Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179{ 193, April 1988.

....above algorithm requires an expected O(n 2 ) random bits. We now show how to perform poly(n) dependent iterations of the loop using only O(n) random bits (rather than doing O(n) independent iterations using O(n 2 ) random bits) We will use, however, a probabilistic primality tester of Bach [Bach], which is a randomness efficient version of the Miller Rabin [M, R2] primality tester. Theorem 4.8 (randomness efficient primality tester [Bach] There exists a probabilistic polynomial time algorithm that on input P uses jP j random bits so that if P is a prime then the algorithm always ....

....random bits (rather than doing O(n) independent iterations using O(n 2 ) random bits) We will use, however, a probabilistic primality tester of Bach [Bach] which is a randomness efficient version of the Miller Rabin [M, R2] primality tester. Theorem 4. 8 (randomness efficient primality tester [Bach]) There exists a probabilistic polynomial time algorithm that on input P uses jP j random bits so that if P is a prime then the algorithm always accepts, and otherwise (i.e. P is a composite) the algorithm accepts with probability at most 1 p P . Combining the above procedures, we have ....

E. Bach, How to generate factored random numbers, SIAM J. Comput., vol. 17(2), 1988, pp. 179193.

....e is a (k log k) bit random prime and for j = 1, l the number n j is uniformly random (k log k) bit number and d j = e 1 mod#(n j ) To compute d j the key generator G must generate uniformly (or indistinguishably close to uniformly) random n j in such a way that #(n i ) is known. In [2] it was shown how to do this. An oblivious i (e, n 1 , n l ) # G is simply generated by picking e as before and picking the n j uniformly random. The only problem for G 1 in faking bits for the index (e, n 1 , n l ) is the prime e. On how to do this see the proof of theorem ....

Eric Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179--193, April 1988.

....can later control this random string. We proceed as follows, where x of length n is the common input, and t(n) is a polynomial which bounds the running time of V : Step 1: P generates a random prime number p together with the prime factorization of p Gamma 1. He does this via Bach s algorithm [2]: he keeps picking random numbers in factored form until he gets one whose successor is a prime. He then picks a generator g of Z p and a random element s 2 Z p . he sends p; g; s and the prime factorization of p Gamma 1 to V . Step 2: V checks that p is prime, and using the prime ....

Bach, E., "How to Generate Factored Random Numbers," SIAM Journal on Computing 17(2), 179-193 (April 1988).

....is calculating the probability that N is selected. Here the problem is that N should be a product of two primes of equal length n. Estimating the number of N s of this form can be done either analytically or empirically , generating random pre factored numbers (according to Bach s algorithm [2]) and testing which fraction has the proper form. The catch, however, is that the proof that N is a Blum integer only shows that it has two distinct prime divisors (and is not a perfect square) it does not necessarily imply that these primes are of length n. This has no effect of the soundness of ....

E. Bach, How to generate factored random numbers, SIAM J. Computing 17, 1988, 179--193.

....10 16 . Jaeschke [42] has also derived correctness bounds for the Miller Rabin test when applied for several bases. In this paper we consider the problem of generating random primes together with a certificate of primality. Our results draw on Pocklington s, Pratt s and on Bach s work [69] 75] [4]: the certificate for a prime p contains a partial factorization of p Gamma 1. However, in contrast to Bach s algorithm [4] for generating (truly) random factored integers, our algorithm does not make use of a general primality test. Of course, if such a general primality test were sufficiently ....

....paper we consider the problem of generating random primes together with a certificate of primality. Our results draw on Pocklington s, Pratt s and on Bach s work [69] 75] 4] the certificate for a prime p contains a partial factorization of p Gamma 1. However, in contrast to Bach s algorithm [4] for generating (truly) random factored integers, our algorithm does not make use of a general primality test. Of course, if such a general primality test were sufficiently fast, it could in our context be used directly for generating primes, without a detour to generating random partially ....

E. Bach, How to generate factored random numbers, SIAM Journal on Computing, Vol. 17, No. 4, pp. 173-193, 1988.

....recognized in R (see Rem1 94 ) it follows that C3 is in R. If anything, the importance of this problem has grown since 1986, since there have been numerous cryptosystems proposed since then that require the ability to construct large primes, sometimes with special properties. See [Pom90] Ref3 [Bac88], Pla79] See also Ref1. 4 Prime in an arithmetic progression C4 Input a; n 2 N. Output p 2Primes with p j a (mod n) if gcd(a; n) 1. O4 Is C4 in P Rem4 86 It was conjectured by Heath Brown [HB78] that if gcd(a; n) 1, then the least prime p j a (mod n) is O(n log 2 n) and this would ....

Eric Bach. How to generate factored random numbers. SIAM Journal of Computing, 17:179--193, 1988.

....this sort (which are more than sufficient for our purpose) As a result we get that: a) If the RSA assumption holds for a uniformly distributed value of N , then it also holds under the restriction N 2 G n . b) The uniform distribution over G n can be efficiently sampled (using Bach s algorithm [5]) Given (a) and (b) it seems that this restriction is rather reasonable. 5 Actually, without knowledge of (N ) we cannot really compute SP Z (N) d . However, for every input x, we can still compute y such that SP Z (N) d (x) y mod (N ) Such a value y would be just as ....

E. Bach, How to generate factored random numbers, SIAM J. Comput., vol. 17(2), 1988, pp. 179-193.

....first construct the following common domain trapdoor system. The common domain, given security parameter n, is f0; 1g n . A permutation over f0; 1g n is chosen as follows. First choose a number N uniformly from [2 n Gamma1 : 2 n ] together with its factorization (via Bach s algorithm [B]) Next choose a prime 2 n e 2 n 1 . This way, we are assured that gcd(e; OE(N) 1, where OE( is Euler s totient function, even if the factorization of N is not known. Let f N (x) x e (mod N) if x N and f N (x) x otherwise. With non negligible probability N is a product of ....

E. Bach, "How to generate factored random numbers", SIAM J. on Comput., Vol. 17, No. 2, 1988, pp. 179-193.

No context found.

E. Bach, How to Generate Factored Random Numbers, SIAM J. Computing, 17 (1988), pp. 179-193.

.... lengths of the prime factors of a random number can be obtained by choosing a random uniformly from (0; 1) this gives the relative length of the first factor and then proceeding recursively with the smaller interval (0; 1 Gamma ) This was previously applied to prime factorizations in [1]. To illustrate, we derive a recurrence for F (ff) the asymptotic probability that none of n s prime factors exceed n ff . This is the probability that all lengths chosen by random bisection are ff; conditioning on the first length , we should have F (ff) Z ff 0 F ( ff 1 Gamma )d: ....

E. Bach. How to generate factored random numbers. SIAM J. Comput., 17:179-- 193, 1988.

.... Random Factored Numbers, Easily Adam Kalai akalai cs.cmu.edu In his award winning dissertation, Eric Bach presents an efficient algorithm for generating a uniformly random integer in a specified range, along with its prime factorization [1, 2]. The following algorithm solves the same problem in a much simpler but slightly less efficient manner: Algorithm: Input: Integer N 0. Output: A uniformly random number 1 m N . 1. Generate a sequence N s 1 s 2 : s l = 1 by uniformly choosing s 1 2 f1; 2; Ng and s i 1 2 f1; ....

E. Bach, How to Generate Factored Random Numbers, SIAM J. Computing, 17 (1988), pp. 179-193.

No context found.

Bach, E., "How to Generate Factored Random Numbers," SIAM Journal on Computing 17(2), 179-193 (April 1988).

No context found.

E. Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179-193, 1988.

No context found.

E. Bach. How to generate factored random numbers. SIAM Journal on Computing, 17:179--193, 1988.

No context found.

E. Bach. How to Generate Factored Random Numbers. SIAM Journal of Computing, vol. 17, no. 2, pp. 179-193, 1988.

No context found.

Eric Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179--193, April 1988.

No context found.

Eric Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179-- 193, April 1988.

No context found.

E. Bach. How to generate factored random numbers. SIAM Journal on Computing, 17:179--193, 1988.

No context found.

E. Bach, "How to generate factored random numbers", SIAM J. on Comput., Vol. 17, No. 2, 1988, pp. 179-193.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC