Period of the power generator and small values of Carmichael's function

Consider the pseudorandom number generator $u_n \equiv u_{n-1}^{e} \pmod{m}$, $0 \le u_n \le m - 1$, $n = 1, 2, \ldots$, where we are given the modulus $m$, the initial value $u_0 =$ and the exponent $e$. One case of particular interest is when the modulus $m$ is of the form $pl$, where $p$, $l$ are different primes of the same magnitude. It is known from work of the first and third authors that for moduli $m = pl$, if the period of the sequence $(u_n)$ exceeds $m^{3/4+\varepsilon}$, then the sequence is uniformly distributed. We show rigorously that for almost all choices of $p$, $l$ it is the case that for almost all choices of , $e$, the period of the power generator exceeds $(pl)^{1-\varepsilon}$. And so, in this case, the power generator is uniformly distributed. We also give some other cryptographic applications, namely, to ruling out the cycling attack on the RSA cryptosystem and to so-called time-release crypto. The principal tool is an estimate related to the Carmichael function $\lambda(m)$, the size of the largest cyclic subgroup of the multiplicative group of residues modulo $m$. In particular, we show that for any $\Delta \ge (\log\log N)^3$, we have $\lambda(m) \ge N \exp(-\Delta)$ for all integers $m$ with $1 \le m \le N$, apart from at most $N \exp\left(-0.69(\Delta \log \Delta)^{1/3}\right)$ exceptions.
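The relation between the period of the power generator and Carmichael's function can be checked numerically on a toy modulus. The following is an added example, not code from the paper: the function names and the parameters $p = 23$, $l = 47$, $u_0 = 2$, $e = 3$ are constructed for illustration. It uses the standard fact that when $\gcd(e, t) = 1$ for $t$ the multiplicative order of $u_0$ modulo $m$, the period equals the order of $e$ modulo $t$, and therefore divides $\lambda(\lambda(m))$.

```python
from math import gcd

def carmichael(n):
    """Carmichael's lambda(n) by trial division (toy-sized n only)."""
    lam, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            k = 0
            while n % p == 0:
                n //= p
                k += 1
            # lambda(2^k) = 2^(k-2) for k >= 3, otherwise phi(p^k)
            part = 2 ** (k - 2) if (p == 2 and k >= 3) else (p - 1) * p ** (k - 1)
            lam = lam * part // gcd(lam, part)
        p += 1
    if n > 1:  # one prime factor left over
        lam = lam * (n - 1) // gcd(lam, n - 1)
    return lam

def mult_order(a, n):
    """Smallest t >= 1 with a^t = 1 (mod n); requires gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    t, x = 1, a % n
    while x != 1 % n:
        x = x * a % n
        t += 1
    return t

def observed_period(u0, e, m):
    """Iterate u_n = u_{n-1}^e mod m until a value repeats; return cycle length."""
    seen, u, n = {}, u0 % m, 0
    while u not in seen:
        seen[u] = n
        u = pow(u, e, m)
        n += 1
    return n - seen[u]

def predicted_period(u0, e, m):
    """Period as ord_t(e) with t = ord_m(u0); valid when gcd(e, t) == 1."""
    t = mult_order(u0, m)
    if gcd(e, t) != 1:
        raise ValueError("sequence is not purely periodic for this e")
    return mult_order(e, t)

# Constructed toy parameters: m = p*l with p = 23, l = 47, u0 = 2, e = 3.
M, U0, E = 23 * 47, 2, 3
if __name__ == "__main__":
    print(observed_period(U0, E, M), predicted_period(U0, E, M),
          carmichael(carmichael(M)))
```

The brute-force routines are only practical for toy moduli; at RSA sizes the period is bounded through $\lambda(\lambda(m))$ rather than measured.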
