5 research outputs found
Approximately counting semismooth integers
An integer is -semismooth if where is an integer with
all prime divisors and is 1 or a prime . Large quantities of
semismooth integers are utilized in modern integer factoring algorithms, such
as the number field sieve, that incorporate the so-called large prime variant.
Thus, it is useful for factoring practitioners to be able to estimate the value
of , the number of -semismooth integers up to , so that
they can better set algorithm parameters and minimize running times, which
could be weeks or months on a cluster supercomputer. In this paper, we explore
several algorithms to approximate using a generalization of
Buchstab's identity with numeric integration.
Comment: To appear in ISSAC 2013, Boston M
Two Compact Incremental Prime Sieves
A prime sieve is an algorithm that finds the primes up to a bound . We say
that a prime sieve is incremental, if it can quickly determine if is
prime after having found all primes up to . We say a sieve is compact if it
uses roughly space or less. In this paper we present two new
results:
(1) We describe the rolling sieve, a practical, incremental prime sieve that
takes time and bits of space, and
(2) We show how to modify the sieve of Atkin and Bernstein (2004) to obtain a
sieve that is simultaneously sublinear, compact, and incremental.
The second result solves an open problem given by Paul Pritchard in 1994.
A note on Low Order assumptions in RSA groups
In this short note, we show that substantially weaker Low Order assumptions are sufficient to prove the soundness of Pietrzak's protocol for proof of exponentiation in groups of unknown order. This constitutes the first step to a better understanding of the asymptotic computational complexity of breaking the soundness of the protocol. Furthermore, we prove the equivalence of the (weaker) Low Order assumption(s) and the Factoring assumption in RSA groups for a non-negligible portion of moduli. We argue that in practice our reduction applies to a considerable number of deployed moduli. Our results have cryptographic applications, most importantly in the theory of recently proposed verifiable delay function constructions. Finally, we describe how to certify RSA moduli free of low order elements.
Imaginary Quadratic Class Groups and a Survey of Time-Lock Cryptographic Applications
Imaginary quadratic class groups have been proposed as one of the main hidden-order group candidates for time-lock cryptographic applications such as verifiable delay functions (VDFs). They have the advantage over RSA groups that they do \emph{not} need a trusted setup. However, they have historically been significantly less studied by the cryptographic research community. This survey provides an introduction to the theory of imaginary quadratic class groups and discusses several considerations that need to be taken into account for practical applications. In particular, we describe the relevant computational problems and the main classical and quantum algorithms that can be used to solve them. From this discussion, it follows that choosing a discriminant with prime is one of the most promising ways to pick a class group \CL(\Delta) without the need for a trusted setup, while simultaneously making sure that there are no easy-to-find elements of low order in \CL(\Delta). We provide experimental data on class groups belonging to discriminants of this form, and compare them to the Cohen-Lenstra heuristics, which predict the average behaviour of \CL(\Delta) belonging to a random \emph{fundamental} discriminant. Afterwards, we describe the most prominent constructions of VDFs based on hidden-order groups, and discuss their soundness and sequentiality when implemented in imaginary quadratic class groups. Finally, we briefly touch upon the post-quantum security of VDFs in imaginary quadratic class groups, where the time one can use a fixed group is upper bounded by the runtime of quantum polynomial time order computation algorithms.