10 research outputs found

    Efficient noninteractive certification of RSA moduli and beyond

    In many applications, it is important to verify that an RSA public key (N, e) specifies a permutation over the entire space Z_N, in order to prevent attacks due to adversarially-generated public keys. We design and implement a simple and efficient noninteractive zero-knowledge protocol (in the random oracle model) for this task. Applications concerned about adversarial key generation can just append our proof to the RSA public key without any other modifications to existing code or cryptographic libraries. Users need only perform a one-time verification of the proof to ensure that raising to the power e is a permutation of the integers modulo N. For typical parameter settings, the proof consists of nine integers modulo N; generating the proof and verifying it both require about nine modular exponentiations. We extend our results beyond RSA keys and also provide efficient noninteractive zero-knowledge proofs for other properties of N, which can be used to certify that N is suitable for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to the recent work of Auerbach and Poettering (PKC 2018), who provide two-message protocols for similar languages, our protocols are more efficient and do not require interaction, which enables a broader class of applications.
    https://eprint.iacr.org/2018/057
    First author draft

    The pseudosquares prime sieve

    Abstract. We present the pseudosquares prime sieve

    Divisibility, Smoothness and Cryptographic Applications

    This paper deals with products of moderate-size primes, familiarly known as smooth numbers. Smooth numbers play a crucial role in information theory, signal processing and cryptography. We present various properties of smooth numbers relating to their enumeration, distribution and occurrence in various integer sequences. We then turn our attention to cryptographic applications in which smooth numbers play a pivotal role.

    On the Factor Refinement Principle and its Implementation on Multicore Architectures

    The factor refinement principle turns a partial factorization of integers (or polynomials) into a more complete factorization represented by basis elements and exponents, with basis elements that are pairwise coprime. There are many applications of this refinement technique, such as simplifying systems of polynomial inequations and, more generally, speeding up certain algebraic algorithms by eliminating redundant expressions that may occur during intermediate computations. Successive GCD computations and divisions are used to accomplish this task until all the basis elements are pairwise coprime. Moreover, square-free factorization (which is the first step of many factorization algorithms) is used to remove the repeated patterns from each input element. Differentiation, division and GCD calculation operations are required to complete this pre-processing step. Both factor refinement and square-free factorization often rely on plain (quadratic) algorithms for multiplication but can be substantially improved with asymptotically fast multiplication on sufficiently large input. In this work, we review the working principles and complexity estimates of factor refinement, in the case of plain arithmetic as well as asymptotically fast arithmetic. Following this review, we design, analyze and implement parallel adaptations of these factor refinement algorithms. We consider several algorithm optimization techniques, such as data locality analysis and balancing subproblems, to fully exploit modern multicore architectures. The Cilk++ implementation of our parallel algorithm, based on the augment refinement principle of Bach, Driscoll and Shallit, achieves linear speedup for input data of sufficiently large size.
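The refinement step this abstract describes (repeated GCDs and divisions until every basis element is pairwise coprime), in its plain sequential form, as an added Python example; it is not code from the paper or from its Cilk++ implementation, and the square-free pre-processing and the parallel augment-refinement variant are not shown. Function names are ours. The second sample input is a constructed pair of toy moduli that share a prime, which is what a batch-GCD sweep over a key set turns up and what factor refinement then separates into coprime parts.

```python
from math import gcd
from typing import Dict, List


def factor_refine(values: List[int]) -> Dict[int, int]:
    """Refine a partial factorization into a pairwise coprime basis with exponents.

    Input: integers > 1 whose product is the number being factored; the factors
    need not be prime, distinct, or coprime.  Output: {basis_element: exponent}
    with pairwise coprime keys and product(key**exp) == product(values).

    Plain (quadratic) refinement: while two basis elements a, b share g = gcd(a, b) > 1,
    replace a^ea * b^eb by g^(ea+eb) * (a/g)^ea * (b/g)^eb.  The product of the distinct
    basis elements strictly decreases at every step, so the loop terminates.
    Note the output is a coprime basis, not necessarily a prime factorization.
    """
    basis: Dict[int, int] = {}
    for v in values:
        if v <= 1:
            raise ValueError("inputs must be integers > 1")
        basis[v] = basis.get(v, 0) + 1

    changed = True
    while changed:
        changed = False
        keys = sorted(basis)
        for i in range(len(keys)):
            for j in range(i + 1, len(keys)):
                a, b = keys[i], keys[j]
                g = gcd(a, b)
                if g == 1:
                    continue
                ea, eb = basis.pop(a), basis.pop(b)
                for elem, exp in ((g, ea + eb), (a // g, ea), (b // g, eb)):
                    if elem > 1:  # a // g or b // g may be 1 when one divides the other
                        basis[elem] = basis.get(elem, 0) + exp
                changed = True
                break
            if changed:
                break  # restart with the updated basis
    return basis


def check_refinement(values: List[int], basis: Dict[int, int]) -> bool:
    """Verify the two invariants: same product, and pairwise coprime basis."""
    prod_in = 1
    for v in values:
        prod_in *= v
    prod_out = 1
    for elem, exp in basis.items():
        prod_out *= elem ** exp
    keys = list(basis)
    coprime = all(gcd(keys[i], keys[j]) == 1
                  for i in range(len(keys)) for j in range(i + 1, len(keys)))
    return prod_in == prod_out and coprime


if __name__ == "__main__":
    # Constructed inputs: 12 * 18, and two toy "moduli" 101*103 and 101*107 sharing 101.
    for sample in ([12, 18], [12, 18, 50], [101 * 103, 101 * 107]):
        result = factor_refine(sample)
        print(sample, "->", result, "ok" if check_refinement(sample, result) else "BAD")
```

The [12, 18, 50] case shows the caveat in the docstring: 25 survives as a basis element because nothing else in the input shares a factor with it, so refinement alone does not replace a primality test or a full factorization.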

    Detecting perfect powers by factoring into coprimes

    This paper presents an algorithm that, given an integer n > 1, finds the largest integer k such that n is a kth power. A previous algorithm by the first author took time b^{1+o(1)} where b = lg n; more precisely, time b · exp(O(√(lg b · lg lg b))); conjecturally, time b (lg b)^{O(1)}. The new algorithm takes time b (lg b)^{O(1)}. It relies on relatively complicated subroutines, specifically on the first author's fast algorithm to factor integers into coprimes, but it allows a proof of the b (lg b)^{O(1)} bound without much background; the previous proof of b^{1+o(1)} relied on transcendental number theory. The computation of k is the first step, and occasionally the bottleneck, in many number-theoretic algorithms: the Agrawal-Kayal-Saxena primality test, for example, and the number-field sieve for integer factorization.
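The quantity the abstract is about, computed the direct way, as an added Python example that is not the paper's algorithm: it tries every exponent k from lg n down to 2 with an integer k-th root (Newton iteration), so its cost grows roughly with the square of the bit length rather than the paper's b (lg b)^{O(1)}, but it is the check one actually writes before an AKS-style primality test or before accepting a modulus that should not be p^k. Names are ours.

```python
from typing import Tuple


def iroot(n: int, k: int) -> int:
    """Largest integer r with r**k <= n, for n >= 0 and k >= 1 (integer Newton iteration)."""
    if n < 0 or k < 1:
        raise ValueError("need n >= 0 and k >= 1")
    if n < 2 or k == 1:
        return n
    # Start above the true root: n < 2**bits, so n**(1/k) < 2**ceil(bits/k).
    r = 1 << -(-n.bit_length() // k)
    while True:
        # Newton step on f(r) = r**k - n in integer arithmetic.  From an overestimate
        # the iterates decrease strictly until they reach floor(n**(1/k)), where s >= r.
        s = ((k - 1) * r + n // pow(r, k - 1)) // k
        if s >= r:
            return r
        r = s


def largest_power(n: int) -> Tuple[int, int]:
    """Return (m, k) with n == m**k and k as large as possible; k == 1 means n is not a perfect power."""
    if n < 2:
        raise ValueError("n must be > 1")
    # m >= 2 forces k <= lg n.  Scanning k downward makes the first hit the maximal k,
    # and the returned m is then not itself a perfect power.
    for k in range(n.bit_length(), 1, -1):
        m = iroot(n, k)
        if pow(m, k) == n:
            return m, k
    return n, 1


def is_perfect_power(n: int) -> bool:
    """True when n == m**k for some m >= 2 and k >= 2."""
    return largest_power(n)[1] > 1


if __name__ == "__main__":
    # Constructed inputs: a pure power of two, a cube, a square of a prime, a non-power.
    for n in (2 ** 64, 6 ** 3, 101 ** 2, 101 * 103):
        print(n, "->", largest_power(n))
```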

    Order computations in generic groups

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Mathematics, 2007. This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. Includes bibliographical references (p. 205-211).
    We consider the problem of computing the order of an element in a generic group. The two standard algorithms, Pollard's rho method and Shanks' baby-steps giant-steps technique, both use Θ(N^{1/2}) group operations to compute |α| = N. A lower bound of Ω(N^{1/2}) has been conjectured. We disprove this conjecture, presenting a generic algorithm with complexity o(N^{1/2}). The running time is O((N / log log N)^{1/2}) when N is prime, but for nearly half the integers N ..., the complexity is O(N^{1/3}). If only a single success in a random sequence of problems is required, the running time is subexponential. We prove that a generic algorithm can compute |α| for all α ... in near linear time plus the cost of a single order computation with N = λ(S), where λ(S) = lcm |α| over α .... For abelian groups, a random S ... G of constant size suffices to compute λ(G), the exponent of the group. Having computed λ(G), we show that in most cases the structure of an abelian group G can be determined using an additional O(N^{δ/4}) group operations, given an O(N^δ) bound on |G| = N. The median complexity is approximately O(N^{1/3}) for many distributions of finite abelian groups, and o(N^{1/2}) in all but an extreme set of cases. A lower bound of Ω(N^{1/2}) had been assumed, based on a similar bound for the discrete logarithm problem. We apply these results to compute the ideal class groups of imaginary quadratic number fields, a standard test case for generic algorithms. The record class group computation by generic algorithm, for discriminant -4(10 +1), involved some 240 million group operations over the course of 15 days on a Sun SparcStation 4. We accomplish the same task using 1/1000th the group operations, taking less than 3 seconds on a PC. Comparisons with non-generic algorithms for class group computation are also favorable in many cases. We successfully computed several class groups with discriminants containing more than 100 digits. These are believed to be the largest class groups ever computed.
    by Andrew V. Sutherland. Ph.D.
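Shanks' baby-steps giant-steps technique named in the abstract, applied to order computation in the concrete group (Z/pZ)^* rather than an abstract generic group, as an added Python example. This is the standard Θ(N^{1/2}) baseline the thesis improves on, not Sutherland's algorithm. It needs an upper bound on the order (the group order p - 1 always works) and returns the number of modular multiplications it spent, so the roughly 2·√bound cost is visible; function names and sample values are ours.

```python
from math import isqrt
from typing import Dict, Tuple


def element_order_bsgs(alpha: int, p: int, bound: int) -> Tuple[int, int]:
    """Order of alpha in the multiplicative group mod prime p, by baby-step giant-step.

    `bound` must be >= the order of alpha (p - 1 is always valid).  Returns
    (order, group_operations), counting modular multiplications only.
    """
    alpha %= p
    if alpha == 0:
        raise ValueError("alpha must be a unit mod p")
    m = isqrt(bound) + 1          # any m with m*m > bound works
    ops = 0

    # Baby steps: alpha^j for 0 <= j < m.  If alpha^j == 1 for some 0 < j < m the
    # order is j; otherwise all m table entries are pairwise distinct.
    baby: Dict[int, int] = {}
    x = 1
    for j in range(m):
        if x == 1 and j > 0:
            return j, ops
        baby[x] = j
        x = x * alpha % p
        ops += 1
    giant = x                     # alpha^m

    # Giant steps: y = alpha^(i*m) for i = 1..m.  A hit y == alpha^j means
    # alpha^(i*m - j) == 1; since no smaller i produced a hit, the order exceeds
    # (i-1)*m, which forces i*m - j to be the order itself, not a multiple of it.
    y = giant
    for i in range(1, m + 1):
        j = baby.get(y)
        if j is not None:
            return i * m - j, ops
        y = y * giant % p
        ops += 1
    raise ValueError("bound is smaller than the order of alpha")


def element_order_naive(alpha: int, p: int) -> int:
    """Linear scan; only for cross-checking BSGS on small groups."""
    alpha %= p
    x, k = alpha, 1
    while x != 1:
        x = x * alpha % p
        k += 1
    return k


if __name__ == "__main__":
    # Constructed sample: the prime 1000003 and the element 2, with bound p - 1.
    p = 1000003
    order, ops = element_order_bsgs(2, p, p - 1)
    print(f"order of 2 mod {p} is {order}, found with {ops} multiplications "
          f"(sqrt(p) is about {isqrt(p)})")
```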