EXPONENTIAL SUMS EQUIDISTRIBUTION

Similar documents
Jean Bourgain Institute for Advanced Study Princeton, NJ 08540

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Sum-Product Problem: New Generalisations and Applications

Dixon s Factorization method

Roots of Polynomials in Subgroups of F p and Applications to Congruences

CS March 17, 2009

1 Number Theory Basics

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Basic Algorithms in Number Theory

CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Introduction to Cryptology. Lecture 20

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Math/Mthe 418/818. Review Questions

Introduction to Elliptic Curve Cryptography. Anupam Datta

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Part II. Number Theory. Year

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

Basic Algorithms in Number Theory

Efficient Pseudorandom Generators Based on the DDH Assumption

Other Public-Key Cryptosystems

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

MATH 361: NUMBER THEORY FOURTH LECTURE

Basic elements of number theory

Basic elements of number theory

BURGESS INEQUALITY IN F p 2. Mei-Chu Chang

2 More on Congruences

Lagrange s Theorem. Philippe B. Laval. Current Semester KSU. Philippe B. Laval (KSU) Lagrange s Theorem Current Semester 1 / 10

Lecture 6: Cryptanalysis of public-key algorithms.,

Chapter 8. Introduction to Number Theory

On the parity of k-th powers modulo p

Congruent Number Problem and Elliptic curves

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Mathematical Foundations of Public-Key Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Elementary Number Theory MARUCO. Summer, 2018

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

A. Algebra and Number Theory

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Generalizing the Hardy-Littlewood Method for Primes

Definition of a finite group

The group (Z/nZ) February 17, In these notes we figure out the structure of the unit group (Z/nZ) where n > 1 is an integer.

Aspects of Pairing Inversion

CPSC 467b: Cryptography and Computer Security

Lecture 14: Hardness Assumptions

An Introduction to Elliptic Curve Cryptography

Pseudo-random Number Generation. Qiuliang Tang

MATH 363: Discrete Mathematics

EXPONENTIAL SUMS OVER THE SEQUENCES OF PRN S PRODUCED BY INVERSIVE GENERATORS

Discrete Logarithm Problem

1. multiplication is commutative and associative;

FINITE GROUPS AND EQUATIONS OVER FINITE FIELDS A PROBLEM SET FOR ARIZONA WINTER SCHOOL 2016

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

PATTERNS OF PRIMES IN ARITHMETIC PROGRESSIONS

Public-Key Cryptosystems CHAPTER 4

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Elliptic Curve Discrete Logarithm Problem

Groups, Rings, and Finite Fields. Andreas Klappenecker. September 12, 2002

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

Cryptography. Number Theory with AN INTRODUCTION TO. James S. Kraft. Lawrence C. Washington. CRC Press

Possible Group Structures of Elliptic Curves over Finite Fields

Number Theory Notes Spring 2011

Stream Ciphers and Number Theory

Public Key Algorithms

Mathematics of Cryptography

Discrete mathematics I - Number theory

Number Theory. Modular Arithmetic

CS 6260 Some number theory

How does the computer generate observations from various distributions specified after input analysis?

Lecture 11 - Basic Number Theory.

Public-key Cryptography and elliptic curves

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

PRACTICE PROBLEMS: SET 1

Roots of Sparse Polynomials over a Finite Field

CSc 466/566. Computer Security. 5 : Cryptography Basics

ON CARMICHAEL NUMBERS IN ARITHMETIC PROGRESSIONS

Public Key Encryption

Lecture 1: Introduction to Public key cryptography

Quadratic Congruences, the Quadratic Formula, and Euler s Criterion

Introduction Diophantine Equations The ABC conjecture Consequences. The ABC conjecture. Brian Conrad. September 12, 2013

Pseudo-Random Numbers Generators. Anne GILLE-GENEST. March 1, Premia Introduction Definitions Good generators...

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

The RSA Cipher and its Algorithmic Foundations

Introduction to Modern Cryptography. Benny Chor

Part IA Numbers and Sets

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

COMBINING VARIABLES ERROR PROPAGATION. What is the error on a quantity that is a function of several random variables

Unit equations in characteristic p. Peter Koymans

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Sums of Consecutive Perfect Powers is Seldom a Perfect Power

Elliptic Curves: Theory and Application

Elementary Number Theory and Cryptography, 2014

Factorization & Primality Testing

Public Key Cryptography

CPSC 467: Cryptography and Computer Security

On sum-product representations in Z q

Periodicity and Distribution Properties of Combined FCSR Sequences

Transcription:

EXPONENTIAL SUMS EQUIDISTRIBUTION PSEUDORANDOMNESS (1) Exponential sums over subgroups General philosophy: multiplicative subgroups are well-distributed even if they are very small Conjecture. (M-V-W) max a F p H < F p, H log p e p (ax) = o( H ). (0) x H Equidistribution is known under the stronger assumption log H > C log p log log p (1) where C > 1 is some constant. This is the strongest result obtained so far towards M-V-W. Follows from Theorem 1. Let H < F p, H = pδ. max e p (ax) < p δ H x H (a,p)=1 with ( δ > exp C ). δ Problem 1. Relax condition (1). 1

Remark. There is obviously a wide gap between Theorem 1 and the M-V-W conjecture. Instead of an exponential sum bound, one could consider the following property max I p 0 (2) where the maximum is taken over all intervals I [1, p] such that I ah = φ for some a F p (note that (0) (2)). Again (1) is the weakest density assumption known to imply (2). On the other hand, property (2) always hold if we let H be the multiplicative group generated by two given integers r, s Z +, which are not powers of the same integer (by Furstenberg s theorem). In fact, an effective version of this principle was established in [BLMV]. Assuming (r, s) = 1, one has indeed for p max I p < (log log log p) c (3) with c > 0 an absolute constant (same property in (Z/NZ) with N arbitrary, provided (rs, N) = 1 and (a, N) = 1). Problem 2. Establish (2) under weaker assumption than (1). Problem 3. Improve upon (3). Theorem 1 is obtained from sum/product theory in F p. In fact, there are the following statements of more general nature and relevant to the multi-source randomness extractor issue. Theorem 2 Theorem 1 Theorem 3 gives equidistribution under optimal entropy condition on the sources. Theorem 2. A 1,..., A r F p arbitrary sets satisfying 0 < δ < 1, r Z +, r > Cδ 1 A i > p δ (1 i r). e p (x 1...x r ) < p δ A 1 A r x 1 A 1,...,x r A r δ = C r 2

Theorem 3. 0 < δ < 1 4, r Z + A 1,..., A r F p arbitrary sets satisfying A i > p δ (1 i r) A i > p 1+δ. 1 i r ( e p (x 1...x r ) < p δ δ A 1... A r δ = r x 1 A 1,...,x r A r ) Cr. Theorem 2 implies also an analogue of Theorem 1 for multiplicative orbits (possibly incomplete) of an element g F p. Theorem 4. Let g F p and ord p(g) = g = t. Assume further t t 1 > p δ. max (a,p)=1 t 1 s=1 e p (ag s ) < p δ.t 1 ( δ = exp C ). δ Many applications (cf. book K-S). Similar theory have been developed for general modulus. In particular Theorem 5. Assume H < (Z/qZ), H > q δ. max e q (ax) < H q δ (a,q)=1 with δ = δ (δ), independent of q. x H The case of incomplete sums requires further assumptions. 3

Theorem 6. Given δ > 0 there is δ > 0 such that if q Z + (suff. large) and g (Z/qZ) satisfies q q ord q (g) > (q ) δ. max (ξ,q)=1 t e q (ξg s ) < q δ t for t > q δ. s=1 Theorem 4 was also extended to general fields. Theorem 7. Given δ > 0, there is δ > 0 such that if q = p m (suff. large) and g F q of order t with max gcd(t, p ν 1) < q δ t. 1 ν<m ν m max ξ F q ψ(ξg s ) < q δ t 1 for t 1 > q δ. s t 1 ψ(x) = e p (Trx) Trx = x + x p + + x pm 1. (2) Mordell Type Sums (sparse polynomials) Formulation for prime modulus Theorem 8. (complete sums) Given ε > 0, r Z +, there is δ = δ(r, ε) > 0 such that if p prime (suff larger) following holds. Let r f(x) = a i.x k i Z[X] (a i, p) = 1 i=1 with exponents 1 k i < p 1 satisfying (k i, p 1) < p 1 ε (k i k j, p 1) < p 1 ε if i j. p ( ) e p f(x) < p 1 δ. x=1 Difference condition needed. Ex e p (x p 1 2 +1 x) = p 1 + O( p). 2 x 4

Theorem 5. (incomplete sums) Let g 1,..., g r F p satisfy Let (a i, p) = 1. t 1 s=1 ord p (g i ) > p ε ord p (g i g 1 j ) > p ε if i 1. ( r ) e p a i gi s < p δ t 1 for t 1 > p ε. i=1 Dependence of δ = δ(r, ε) of the form ( ( 1 )) δ(r, ε) = exp Cr ε + log r (4) r log log p is a limitation of method. Problem 4. Improve on (2) In particular, relax condition in r. (3) Some Applications to Equidistribution A). Diffie-Hellman Key Uniform distribution of blocks of bits of ({ θ x } { θ y }), }, Big{ θxy m m m (un-distinguishability assumption) Results as soon as 1 x,y T m = p or m = p, q(p q (Blum integer). 0 p (θ), 0 q (θ) > m ε T > m ε. B). Linear Congruential Generator X n+1 = ax n + c 5 (modm)

m prime (ex. m = 2 31 1) or m = 2 k (k = 32) uniform distribution of short sequences. C). Power Generators m = pq (Blum) (e, m) = 1 (θ, m) = 1 { u0 = θ e = 2 Blum-Blum-Shub ( e, (p 1)(q 1) ) RSA. u n+1 = u 2 n Unconditional proofs of joint-distribution properties D). Estimation of other exponential sums involving exponential functions (in particular related to D-H crypto-system). Example. Assume p 1 has a divisor p ε < q < p 1 ε. p 2 e p (ag x + bg x2 ) < p 1 δ x=0 for g generator of F p, (a, p) = 1 = (b, p). (4) Decimation Conjecture and Related Decimation conjecture from GORESKY-KLAPPER in Arithmetic Cross-correlation of FCSR sequences feedback with carry shift registers equivalent with the following conjecture. 6

GK-Conjecture. p prime (d, p 1) = 1, 0 < A < p/2, d < p/2 (A, d) (1, 1) E = {2, 4,..., p 1} Z/pZ even residues. {Ax d : x E} E except for (p, A, d) = (5, 3, 3), (7, 1, 5), (11,9,3),(11,3,7),(11,5, 9),(13,1,5). Verified for p < 2.10 6. GK-conjecture motivated the following result of B-B-K related to Theorem 8 (but weakening the condition on the exponent differences k i k j ). Theorem 10. (BBK) Given r 2 and ε > 0, there are such that the following holds. Let 1 k 1 < < k r < p 1 satisfy B = B(r, ε), δ = δ(r, ε) (k i, p 1) < p 1 ε (k i k j, p 1) < p B if i j. Let p > C(r, ε) and N i (1 i r) such that N i > p 1 δ., if a 1,..., a r l 1,..., l r [1, p 1], the system of congruences a i x k i l i + y i (modp) has a solution in the box (x, y 1,..., y r ) [1, p 1] r i=1 [1, N i]. 7

Proof combines Theorem 8 with geometry of intersections of varieties of Fermat type. Note that GK-problem amounts to solve { x y1 with (x, y 1, y 2 ) [1, p 1] E E. Ax d = 1 + y 2 (mod p) (5) From Theorem 10, it follows that the GK-conjecture holds for p sufficiently large. Eventually, (3) was attacked by classical methods (Stepanov for binomial sum) in B-C-P-P involving explicit numerical calculations. Theorem 11. G-K conjecture holds for p > 2.26.10 55 Problem 5. Improve on Theorem 11. 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback