
Analysis of Iterated Modular Exponentiation: The Orbits of \(x^\alpha\) mod N

Designs, Codes and Cryptography

Abstract

Let N and α be integers larger than 1. Define an orbit to be the collection of residues in \(Z_N^*\) generated by iteratively applying \(x \to x^\alpha\) mod N to an element \(x \in Z_N^*\) which eventually maps back to itself. An orbit's length is the number of distinct residues in the orbit. When N is a large bicomposite integer, such as is commonly used in many cryptographic applications, and when certain prime factorizations related to N are known, all orbit lengths and the number of orbits of each possible length can be efficiently computed using the results presented. If the required integer factorizations are only partially known, the risk that a randomly selected periodic element might produce an orbit shorter than some (typically large) divisor of \(\phi(\phi(N))\) can be bounded. The information needed to produce such a bound is fully available when the prime factors of N are generated using the prime generation algorithm defined in Maurer [7]. Results presented can assist in choosing wisely a modulus N for the Blum, Blum, and Shub pseudo-random bit generator. If N is a bicomposite RSA modulus, the analysis shows how to quantify the risk posed by an iterated encryption attack.
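The orbit definition in the abstract, worked through on a toy modulus as an added example (not code from the paper). It counts orbits by direct iteration and cross-checks them against the standard group-theoretic fact that a periodic x has orbit length equal to the multiplicative order of α modulo ord_N(x); the modulus 77, the exponents 2 and 7, and all function names are assumptions chosen for illustration.

```python
from collections import Counter
from math import gcd

def mult_order(a, m):
    """Smallest k >= 1 with a**k == 1 (mod m); caller ensures gcd(a, m) == 1."""
    if m == 1:
        return 1
    k, t = 1, a % m
    while t != 1:
        t = t * a % m
        k += 1
    return k

def orbit_length_iterated(x, alpha, n):
    """Apply x -> x**alpha mod n until a residue repeats.
    Returns the orbit length, or None when x never maps back to itself."""
    seen, y, steps = set(), x, 0
    while y not in seen:
        seen.add(y)
        y = pow(y, alpha, n)
        steps += 1
    return steps if y == x else None

def orbit_length_by_order(x, alpha, n):
    """Same answer without iterating the map: x is periodic iff alpha is
    coprime to m = ord_n(x), and its orbit length is then ord_m(alpha)."""
    m = mult_order(x, n)
    return mult_order(alpha, m) if gcd(alpha, m) == 1 else None

def orbit_census(alpha, n, length_fn=orbit_length_iterated):
    """Map each orbit length to the number of orbits of that length in Z_n^*."""
    periodic = Counter()
    for x in range(1, n):
        if gcd(x, n) == 1:
            length = length_fn(x, alpha, n)
            if length is not None:
                periodic[length] += 1
    # An orbit of length L contains exactly L periodic elements.
    return {length: count // length for length, count in sorted(periodic.items())}

if __name__ == "__main__":
    N = 7 * 11  # constructed toy modulus; both primes are 3 mod 4 (Blum primes)
    print("squaring (BBS map):", orbit_census(2, N))
    print("RSA map with e = 7:", orbit_census(7, N))
```

With a modulus this small every orbit is short, which is the condition the abstract's bounds are meant to rule out for a real N.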


References

  1. Werner Alexi, Benny Chor, Oded Goldreich, and Claus P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM Journal of Computing, Vol. 17, No. 2 (1988) pp. 194-209.

  2. Derek Atkins, Michael Graff, Arjen K. Lenstra, and Paul C. Leyland, The magic words are squeamish ossifrage, Advances in Cryptology - Asiacrypt'94, pp. 263-277 (1994).

  3. L. Blum, M. Blum, and M. Shub, A simple unpredictable pseudo-random number generator, SIAM Journal of Computing, Vol. 15, No. 2 (1986) pp. 364-381.

  4. David M. Burton, Elementary Number Theory, Wm. C. Brown Publishers, Dubuque, Iowa (1994).

  5. Benny Chor, Oded Goldreich, and Shafi Goldwasser, The bit security of modular squaring given partial factorization of the modulus, Advances in Cryptology: Proceedings of Crypto 85 (1986) pp. 448-457.

  6. Donald E. Knuth, The Art of Computer Programming: Seminumerical Algorithms, volume 2, Addison-Wesley, Reading, MA (1981).

  7. Ueli M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, Journal of Cryptology, Vol. 8 (1995) pp. 123-155.

  8. H. C. Pocklington, The determination of the prime or composite nature of large numbers by Fermat's Theorem, Proceedings of the Cambridge Philosophical Society 18 (1914-1916) pp. 29-30.

  9. Umesh V. Vazirani and Vijay V. Vazirani, Efficient and secure pseudo-random number generation, Proc. 25th IEEE Symposium on Foundations of Computer Science (1984) pp. 458-463.


Brennan, J.J., Geist, B. Analysis of Iterated Modular Exponentiation: The Orbits of \(x^\alpha\) mod N. Designs, Codes and Cryptography 13, 229–245 (1998). https://doi.org/10.1023/A:1008289605486


  • DOI: https://doi.org/10.1023/A:1008289605486
