Results 1 - 10 of 15
Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity
, 1988
Cited by 159 (4 self)
Abstract
(Introduction and References only) Benny Chor, Oded Goldreich, MIT Laboratory for Computer Science, Cambridge, Massachusetts 02139. A new model for weak random physical sources is presented. The new model strictly generalizes previous models (e.g. the Santha and Vazirani model [24]). The sources considered output strings according to probability distributions in which no single string is too probable. The new model provides a fruitful viewpoint on problems studied previously as: • Extracting almost perfect bits from sources of weak randomness: the question of possibility as well as the question of efficiency of such extraction schemes are addressed. • Probabilistic Communication Complexity: it is shown that most functions have linear communication complexity in a very strong probabilistic sense. • Robustness of BPP with respect to sources of weak randomness (generalizing a result of Vazirani and Vazirani [27]). The paper has appeared in SIAM Journal o...
Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms
, 1994
Cited by 61 (6 self)
Abstract
Let G be an arbitrary cyclic group with generator g and order |G| with known factorization. G could be the subgroup generated by g within a larger group H. Based on an assumption about the existence of smooth numbers in short intervals, we prove that breaking the Diffie-Hellman protocol for G and base g is equivalent to computing discrete logarithms in G to the base g when a certain side information string S of length 2 log |G| is given, where S depends only on |G| but not on the definition of G and appears to be of no help for computing discrete logarithms in G. If every prime factor p of |G| is such that one of a list of expressions in p, including p − 1 and p + 1, is smooth for an appropriate smoothness bound, then S can efficiently be constructed and therefore breaking the Diffie-Hellman protocol is equivalent to computing discrete logarithms.
Diffie-Hellman Oracles
- Advances in Cryptology - CRYPTO '96 , Lecture Notes in Computer Science
, 1996
Cited by 30 (3 self)
Abstract
This paper consists of three parts. First, various types of Diffie-Hellman oracles for a cyclic group G and subgroups of G are defined and their equivalence is proved. In particular, the security of using a subgroup of G instead of G in the Diffie-Hellman protocol is investigated. Second, we derive several new conditions for the polynomial-time equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms in G which extend former results by den Boer and Maurer. Finally, efficient constructions of Diffie-Hellman groups with provable equivalence are described. Keywords. Public-key cryptography, Diffie-Hellman protocol, Discrete logarithms, Elliptic curves. 1 Introduction. Let G be a cyclic group with generator g. The Diffie-Hellman (DH) problem [6] is, for given g^u and g^v, to compute g^{uv}. A possible group for the DH protocol [6] is Z_p, where p is a prime number, or an elliptic curve over a finite field [17],[9]. The DH problem is at most as diffi...
The Relationship Between Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms
, 1998
Cited by 24 (3 self)
Abstract
Both uniform and non-uniform results concerning the security of the Diffie-Hellman key-exchange protocol are proved. First, it is shown that in a cyclic group G of order |G| = ∏ p_i^{e_i}, where all the multiple prime factors of |G| are polynomial in log |G|, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the Diffie-Hellman protocol in G and has complexity √(max{ (p_i) }) · (log |G|)^{O(1)}, where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p − 2√p + 1, p + 2√p + 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the Diffie-Hellman problem and the discrete logarithm problem are polynomial-time equivalent in G. Second, it is proved that the Diffie-Hellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...
The Diffie-Hellman Protocol
- DESIGNS, CODES, AND CRYPTOGRAPHY
, 1999
Cited by 23 (0 self)
Abstract
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Multiple Polylogarithms: A Brief Survey
Cited by 19 (6 self)
Abstract
We survey various results and conjectures concerning multiple polylogarithms and the multiple zeta function. Among the results, we announce our resolution of several conjectures on multiple zeta values. We also provide a new integral representation for the general multiple polylogarithm, and develop a q-analogue of the shuffle product.
Period of the power generator and small values of Carmichael’s function
- Math. Comp., 70
Cited by 14 (10 self)
Abstract
Consider the pseudorandom number generator u_n ≡ u_{n−1}^e (mod m), 0 ≤ u_n ≤ m − 1, n = 1, 2, ..., where we are given the modulus m, the initial value u_0 = ϑ and the exponent e. One case of particular interest is when the modulus m is of the form pl, where p, l are different primes of the same magnitude. It is known from work of the first and third authors that for moduli m = pl, if the period of the sequence (u_n) exceeds m^{3/4+ε}, then the sequence is uniformly distributed. We show rigorously that for almost all choices of p, l it is the case that for almost all choices of ϑ, e, the period of the power generator exceeds (pl)^{1−ε}. And so, in this case, the power generator is uniformly distributed. We also give some other cryptographic applications, namely, to ruling out the cycling attack on the RSA cryptosystem and to so-called time-release crypto. The principal tool is an estimate related to the Carmichael function λ(m), the size of the largest cyclic subgroup of the multiplicative group of residues modulo m. In particular, we show that for any Δ ≥ (log log N)^3, we have λ(m) ≥ N exp(−Δ) for all integers m with 1 ≤ m ≤ N, apart from at most N exp(−0.69 (Δ log Δ)^{1/3}) exceptions.
Uniform Circuits for Division: Consequences and Problems
- Electronic Colloquium on Computational Complexity 7:065
, 2000
Cited by 13 (6 self)
Abstract
Integer division has been known to lie in P-uniform TC^0 since the mid-1980's, and recently this was improved to L-uniform TC^0. At the time that the results in this paper were proved and submitted for conference presentation, it was unknown whether division lay in DLOGTIME-uniform TC^0 (also known as FOM). We obtain tight bounds on the uniformity required for division, by showing that division is complete for the complexity class FOM + POW obtained by augmenting FOM with a predicate for powering modulo small primes. We also show that, under a well-known number-theoretic conjecture (that there are many "smooth" primes), POW (and hence division) lies in FOM. Building on this work, Hesse has shown recently that division is in FOM [17].
Fixed-Parameter Complexity and Cryptography
, 1993
Cited by 11 (9 self)
Abstract
We discuss the issue of the parameterized computational complexity of a number of problems of interest in cryptography. We show that the problem of determining whether an n-digit number has a prime divisor less than or equal to n^k can be solved in expected time f(k) n^3 by a randomized algorithm that employs elliptic curve factorization techniques (this result depends on an unproved but plausible number-theoretic conjecture). An analogous computational problem concerning discrete logarithms is directly relevant to some proposed cryptosystem implementations. Our result suggests caution about implementations which fix a parameter such as the size or Hamming weight of keys. We show that several parameterized problems of relevance to cryptography, including k-Subset Sum, k-Perfect Code, and k-Subset Product are likely to be intractable with respect to fixed-parameter complexity. In particular, we show that they cannot be solved in time f(k) n^α, where α is independent...
Approximating the number of integers free of large prime factors
- Math. Comp
, 1997
Cited by 8 (1 self)
Abstract
Define Ψ(x, y) to be the number of positive integers n ≤ x such that n has no prime divisor larger than y. We present a simple algorithm that approximates Ψ(x, y) in O(y { (log log x)/(log y) + 1/(log log y) }) floating point operations. This algorithm is based directly on a theorem of Hildebrand and Tenenbaum. We also present data which indicate that this algorithm is more accurate in practice than other known approximations, including the well-known approximation Ψ(x, y) ≈ x ρ(log x / log y), where ρ(u) is Dickman's function.