John B. Friedlander

Primes in arithmetic progressions to large moduli

Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

The polynomial X2+ Y4 captures its primes

This article proves that there are infinitely many primes of the form a^2 + b^4, in fact getting the asymptotic formula. The main result is that \sum_{a^2 + b^4\le x} \Lambda(a^2 + b^4) = 4\pi^{-1}\kappa x^{3/4} (1 + O(\log\log x / \log x)) where a, b run over positive integers and \kappa = \int^1_0 (1 - t^4)^{1/2} dt = \Gamma(1/4)^2 /6\sqrt{2\pi}. Here of course, \Lambda denotes the von Mangoldt function and \Gamma the Euler gamma function.

Period of the power generator and small values of Carmichael's function

Consider the pseudorandom number generator u n ≡ u e n-1 (mod m), 0 ≤ u n ≤ m - 1, n = 1,2,..., where we are given the modulus m, the initial value u 0 = and the exponent e. One case of particular interest is when the modulus m is of the form pl, where p, I are different primes of the same magnitude. It is known from work of the first and third authors that for moduli m = pl, if the period of the sequence (u n ) exceeds m 3/4+e , then the sequence is uniformly distributed. We show rigorously that for almost all choices of p, l it is the case that for almost all choices of , e, the period of the power generator exceeds (pl) 1-e . And so, in this case, the power generator is uniformly distributed. We also give some other cryptographic applications, namely, to ruling-out the cycling attack on the RSA cryptosystem and to so-called time-release crypto. The principal tool is an estimate related to the Carmichael function λ(m), the size of the largest cyclic subgroup of the multiplicative group of residues modulo m. In particular, we show that for any Δ ≥ (log log N) 3 , we have λ(m) ≥ N exp(-Δ) for all integers m with l ≤ m ≤ N, apart from at most N exp (-0.69(Δ log Δ) 1/3 ) exceptions.

Character sums with exponential functions

Let be an integer of multiplicative order t ≥ 1 modulo a prime p. Sums of the form S * (p,t,a)= exp (2πia zs /p) are introduced and estimated, with F=(z 1 ,...,z T ) a sequence such that kz 1 ,..., kz T is a permutation of z 1 ,..., Z T , both sequences taken modulo t, for sufficiently many distinct modulo t values of k. Such sequences include x n for x = 1,..., t with an integer n ≥ 1; x n for x = 1,..., t and gcd (x, t) = 1 with an integer n ≥ 1; e x for x = 1,..., T with an integer e, where T is the period of the sequence e x modulo t. Some of the results can be extended to composite moduli and to sums of multiplicative characters as well. Character sums with the above sequences have some cryptographic motivation and applications and have been considered in several papers by J. B. Friedlander, D. Lieman and I. E. Shparlinski. In particular several previous bounds are generalized and improved.

Limitations to the Equi-Distribution of Primes I

In an earlier paper FG] we showed that the expected asymptotic formula (x; q; a) (x)==(q) does not hold uniformly in the range q < x= log N x, for any xed N > 0. There are several reasons to suspect that the expected asymptotic formula might hold, for large values of q, when a is kept xed. However, by a new construction, we show herein that this fails in the same ranges, for a xed and, indeed, for almost all a satisfying 0 < jaj < x= log N x.

On the distribution of the power generation

We present a new method to study the power generator of pseudorandom numbers modulo a Blum integer m. This includes as special cases the RSA generator and the Blum-Blum-Shub generator. We prove the uniform distribution of these, provided that the period t > m 3/4+δ with fixed δ > 0 and, under the same condition, the uniform distribution of a positive proportion of the leftmost and rightmost bits. This sharpens and generalizes previous results which dealt with the RSA generator, provided the period t > m 23/24+δ We apply our results to deduce that the period of the binary sequence of the rightmost bit has exponential length.

Estimates for character sums

We give a number of estimates for character sums Z EX(a+b) aE.V bER for rather general sets X, 7 . These give, in particular, a modified proof of the inequalities of P6lya-Vinogradov and of Burgess, which displays the latter as a generalization of the former.

ON CERTAIN EXPONENTIAL SUMS AND THE DISTRIBUTION OF DIFFIE–HELLMAN TRIPLES

Let g be a primitive root modulo a prime p. It is proved that the triples (gx, gy, gxy), x, y = 1, …, p−1, are uniformly distributed modulo p in the sense of H. Weyl. This result is based on the following upper bound for double exponential sums. Let e>0 be fixed. Then uniformly for any integers a, b, c with gcd(a, b, c, p) = 1. Incomplete sums are estimated as well. The question is motivated by the assumption, often made in cryptography, that the triples (gx, gy, gxy) cannot be distinguished from totally random triples in feasible computation time. The results imply that this is in any case true for a constant fraction of the most significant bits, and for a constant fraction of the least significant bits.

On the Distribution of the RSA Generator

Let 19, m and e be integers such that gcd(19, m) = 1. Then one can define the sequence (un) by the recurrence relation