/ NetNews Usenet Archive 1992 #20 / NN_1992_20.iso / spool / sci / math / 11109

< prev

next >

MacOS 8.1

Win98

DOS

browse contents

view JSON data

view as text

+--------+-------------------------+-------------------------+--------+--------+
|00000000| 4e 65 77 73 67 72 6f 75 | 70 73 3a 20 73 63 69 2e |Newsgrou|ps: sci.|
|00000010| 6d 61 74 68 0a 50 61 74 | 68 3a 20 73 70 61 72 6b |math.Pat|h: spark|
|00000020| 79 21 75 75 6e 65 74 21 | 7a 61 70 68 6f 64 2e 6d |y!uunet!|zaphod.m|
|00000030| 70 73 2e 6f 68 69 6f 2d | 73 74 61 74 65 2e 65 64 |ps.ohio-|state.ed|
|00000040| 75 21 63 73 2e 75 74 65 | 78 61 73 2e 65 64 75 21 |u!cs.ute|xas.edu!|
|00000050| 75 77 6d 2e 65 64 75 21 | 75 78 31 2e 63 73 6f 2e |uwm.edu!|ux1.cso.|
|00000060| 75 69 75 63 2e 65 64 75 | 21 63 65 62 6c 61 69 72 |uiuc.edu|!ceblair|
|00000070| 0a 46 72 6f 6d 3a 20 63 | 65 62 6c 61 69 72 40 75 |.From: c|eblair@u|
|00000080| 78 31 2e 63 73 6f 2e 75 | 69 75 63 2e 65 64 75 20 |x1.cso.u|iuc.edu |
|00000090| 28 43 68 61 72 6c 65 73 | 20 42 6c 61 69 72 29 0a |(Charles| Blair).|
|000000a0| 53 75 62 6a 65 63 74 3a | 20 43 52 59 50 54 4f 47 |Subject:| CRYPTOG|
|000000b0| 52 41 50 48 59 20 4e 4f | 54 45 53 20 28 70 61 72 |RAPHY NO|TES (par|
|000000c0| 74 20 32 20 6f 66 20 32 | 29 0a 4d 65 73 73 61 67 |t 2 of 2|).Messag|
|000000d0| 65 2d 49 44 3a 20 3c 42 | 75 39 48 44 41 2e 33 6f |e-ID: <B|u9HDA.3o|
|000000e0| 41 40 75 78 31 2e 63 73 | 6f 2e 75 69 75 63 2e 65 |A@ux1.cs|o.uiuc.e|
|000000f0| 64 75 3e 0a 4f 72 67 61 | 6e 69 7a 61 74 69 6f 6e |du>.Orga|nization|
|00000100| 3a 20 55 6e 69 76 65 72 | 73 69 74 79 20 6f 66 20 |: Univer|sity of |
|00000110| 49 6c 6c 69 6e 6f 69 73 | 20 61 74 20 55 72 62 61 |Illinois| at Urba|
|00000120| 6e 61 0a 44 61 74 65 3a | 20 54 75 65 2c 20 38 20 |na.Date:| Tue, 8 |
|00000130| 53 65 70 20 31 39 39 32 | 20 31 33 3a 32 36 3a 35 |Sep 1992| 13:26:5|
|00000140| 36 20 47 4d 54 0a 4c 69 | 6e 65 73 3a 20 35 38 37 |6 GMT.Li|nes: 587|
|00000150| 0a 0a 0a 25 20 20 20 54 | 68 69 73 20 69 73 20 74 |...%   T|his is t|
|00000160| 68 65 20 73 65 63 6f 6e | 64 20 70 61 72 74 20 6f |he secon|d part o|
|00000170| 66 20 73 6f 6d 65 20 6e | 6f 74 65 73 20 6f 6e 20 |f some n|otes on |
|00000180| 63 72 79 70 74 6f 67 72 | 61 70 68 79 2e 20 20 49 |cryptogr|aphy.  I|
|00000190| 74 20 69 73 20 61 20 4c | 61 54 65 58 0a 25 66 69 |t is a L|aTeX.%fi|
|000001a0| 6c 65 2e 20 20 54 6f 20 | 6d 61 6b 65 20 69 74 20 |le.  To |make it |
|000001b0| 77 6f 72 6b 2c 20 79 6f | 75 20 6d 75 73 74 20 63 |work, yo|u must c|
|000001c0| 6f 6e 63 61 74 65 6e 61 | 74 65 20 77 69 74 68 20 |oncatena|te with |
|000001d0| 74 68 65 20 66 69 72 73 | 74 20 70 61 72 74 2c 20 |the firs|t part, |
|000001e0| 6f 72 20 61 74 0a 25 6c | 65 61 73 74 20 74 68 65 |or at.%l|east the|
|000001f0| 20 70 61 72 74 20 75 70 | 20 74 6f 20 62 75 74 20 | part up| to but |
|00000200| 6e 6f 74 20 69 6e 63 6c | 75 64 69 6e 67 20 5c 73 |not incl|uding \s|
|00000210| 65 63 74 69 6f 6e 7b 45 | 6e 63 72 79 70 74 69 6f |ection{E|ncryptio|
|00000220| 6e 20 53 79 73 74 65 6d | 73 7d 0a 25 0a 5c 73 65 |n System|s}.%.\se|
|00000230| 63 74 69 6f 6e 7b 50 72 | 6f 62 61 62 69 6c 69 73 |ction{Pr|obabilis|
|00000240| 74 69 63 20 45 6e 63 72 | 79 70 74 69 6f 6e 5c 6c |tic Encr|yption\l|
|00000250| 61 62 65 6c 7b 70 72 6f | 7d 7d 0a 5b 52 65 66 65 |abel{pro|}}.[Refe|
|00000260| 72 65 6e 63 65 73 20 74 | 6f 20 60 60 74 68 65 20 |rences t|o ``the |
|00000270| 70 61 70 65 72 27 27 20 | 69 6e 20 74 68 69 73 20 |paper'' |in this |
|00000280| 73 65 63 74 69 6f 6e 20 | 61 72 65 20 74 6f 20 60 |section |are to `|
|00000290| 60 50 72 6f 62 61 62 69 | 6c 69 73 74 69 63 0a 45 |`Probabi|listic.E|
|000002a0| 6e 63 72 79 70 74 69 6f | 6e 2c 27 27 20 69 6e 20 |ncryptio|n,'' in |
|000002b0| 7b 5c 69 74 20 4a 6f 75 | 72 6e 61 6c 20 6f 66 20 |{\it Jou|rnal of |
|000002c0| 43 6f 6d 70 75 74 65 72 | 20 5c 26 20 53 79 73 74 |Computer| \& Syst|
|000002d0| 65 6d 20 53 63 69 65 6e | 63 65 73 5c 2f 7d 7e 32 |em Scien|ces\/}~2|
|000002e0| 38 2c 0a 70 70 2e 7e 32 | 37 30 2d 2d 32 39 39 2e |8,.pp.~2|70--299.|
|000002f0| 20 49 20 68 61 76 65 20 | 61 6c 73 6f 20 75 73 65 | I have |also use|
|00000300| 64 20 7b 5c 69 74 20 50 | 72 69 6d 61 6c 69 74 79 |d {\it P|rimality|
|00000310| 20 61 6e 64 20 43 72 79 | 70 74 6f 67 72 61 70 68 | and Cry|ptograph|
|00000320| 79 7d 2c 0a 62 79 20 45 | 2e 7e 4b 72 61 6e 61 6b |y},.by E|.~Kranak|
|00000330| 69 73 5d 5c 70 71 0a 53 | 6f 20 66 61 72 2c 20 74 |is]\pq.S|o far, t|
|00000340| 68 65 20 70 75 62 6c 69 | 63 20 6b 65 79 20 73 79 |he publi|c key sy|
|00000350| 73 74 65 6d 73 20 68 61 | 76 65 20 62 65 65 6e 20 |stems ha|ve been |
|00000360| 66 75 6e 63 74 69 6f 6e | 73 20 24 66 24 20 73 75 |function|s $f$ su|
|00000370| 63 68 20 74 68 61 74 20 | 0a 74 68 65 20 6d 65 73 |ch that |.the mes|
|00000380| 73 61 67 65 20 24 4d 24 | 20 70 72 65 73 75 6d 61 |sage $M$| presuma|
|00000390| 62 6c 79 20 63 61 6e 6e | 6f 74 20 62 65 20 63 6f |bly cann|ot be co|
|000003a0| 6d 70 75 74 65 64 20 66 | 72 6f 6d 20 74 68 65 20 |mputed f|rom the |
|000003b0| 65 6e 63 6f 64 69 6e 67 | 20 24 66 28 4d 29 24 2e |encoding| $f(M)$.|
|000003c0| 0a 41 20 66 75 72 74 68 | 65 72 20 63 6f 6e 63 65 |.A furth|er conce|
|000003d0| 72 6e 20 61 72 69 73 65 | 73 20 61 73 20 74 6f 20 |rn arise|s as to |
|000003e0| 77 68 65 74 68 65 72 2c | 20 65 76 65 6e 20 69 66 |whether,| even if|
|000003f0| 20 74 68 65 20 61 64 76 | 65 72 73 61 72 79 20 63 | the adv|ersary c|
|00000400| 61 6e 6e 6f 74 0a 69 64 | 65 6e 74 69 66 79 20 24 |annot.id|entify $|
|00000410| 4d 24 20 65 78 61 63 74 | 6c 79 2c 20 68 65 20 6d |M$ exact|ly, he m|
|00000420| 61 79 20 62 65 20 61 62 | 6c 65 20 74 6f 20 6f 62 |ay be ab|le to ob|
|00000430| 74 61 69 6e 20 73 6f 6d | 65 20 70 61 72 74 69 61 |tain som|e partia|
|00000440| 6c 20 69 6e 66 6f 72 6d | 61 74 69 6f 6e 0a 61 62 |l inform|ation.ab|
|00000450| 6f 75 74 20 24 4d 24 2c | 20 66 6f 72 20 65 78 61 |out $M$,| for exa|
|00000460| 6d 70 6c 65 20 74 65 6c | 6c 20 77 68 65 74 68 65 |mple tel|l whethe|
|00000470| 72 20 24 4d 24 20 69 73 | 20 61 6e 20 65 76 65 6e |r $M$ is| an even|
|00000480| 20 6e 75 6d 62 65 72 2c | 20 61 20 73 71 75 61 72 | number,| a squar|
|00000490| 65 2c 0a 61 20 70 6f 77 | 65 72 20 6f 66 20 32 2c |e,.a pow|er of 2,|
|000004a0| 20 65 74 63 2e 5c 70 71 | 20 41 6e 20 65 78 74 72 | etc.\pq| An extr|
|000004b0| 65 6d 65 20 63 61 73 65 | 20 6f 66 20 74 68 69 73 |eme case| of this|
|000004c0| 20 77 6f 75 6c 64 20 62 | 65 20 61 20 73 63 65 6e | would b|e a scen|
|000004d0| 61 72 69 6f 0a 69 6e 20 | 77 68 69 63 68 20 74 68 |ario.in |which th|
|000004e0| 65 20 61 64 76 65 72 73 | 61 72 79 20 6b 6e 6f 77 |e advers|ary know|
|000004f0| 73 20 74 68 65 20 6d 65 | 73 73 61 67 65 20 69 73 |s the me|ssage is|
|00000500| 20 6f 6e 65 20 6f 66 20 | 74 77 6f 20 70 6f 73 73 | one of |two poss|
|00000510| 69 62 69 6c 69 74 69 65 | 73 2c 0a 24 4d 5f 31 24 |ibilitie|s,.$M_1$|
|00000520| 20 6f 72 20 24 4d 5f 32 | 24 2e 20 53 69 6e 63 65 | or $M_2|$. Since|
|00000530| 20 77 65 20 68 61 76 65 | 20 62 65 65 6e 20 61 73 | we have| been as|
|00000540| 73 75 6d 69 6e 67 20 74 | 68 61 74 20 74 68 65 20 |suming t|hat the |
|00000550| 66 75 6e 63 74 69 6f 6e | 20 24 66 24 20 69 73 0a |function| $f$ is.|
|00000560| 65 61 73 79 20 74 6f 20 | 63 61 6c 63 75 6c 61 74 |easy to |calculat|
|00000570| 65 2c 20 61 6c 6c 20 74 | 68 65 20 61 64 76 65 72 |e, all t|he adver|
|00000580| 73 61 72 79 20 6e 65 65 | 64 73 20 74 6f 20 64 6f |sary nee|ds to do|
|00000590| 20 69 73 20 63 6f 6d 70 | 61 72 65 20 24 66 28 4d | is comp|are $f(M|
|000005a0| 5f 31 29 24 20 61 6e 64 | 0a 24 66 28 4d 5f 32 29 |_1)$ and|.$f(M_2)|
|000005b0| 24 20 77 69 74 68 20 74 | 68 65 20 63 69 70 68 65 |$ with t|he ciphe|
|000005c0| 72 74 65 78 74 2e 0a 5c | 70 71 20 50 72 6f 62 61 |rtext..\|pq Proba|
|000005d0| 62 69 6c 69 73 74 69 63 | 20 65 6e 63 72 79 70 74 |bilistic| encrypt|
|000005e0| 69 6f 6e 20 69 73 20 61 | 20 73 79 73 74 65 6d 20 |ion is a| system |
|000005f0| 64 65 73 69 67 6e 65 64 | 20 74 6f 20 61 76 6f 69 |designed| to avoi|
|00000600| 64 20 74 68 65 73 65 20 | 70 72 6f 62 6c 65 6d 73 |d these |problems|
|00000610| 2e 0a 49 6e 73 74 65 61 | 64 20 6f 66 20 24 66 28 |..Instea|d of $f(|
|00000620| 4d 29 24 20 62 65 69 6e | 67 20 61 20 73 69 6e 67 |M)$ bein|g a sing|
|00000630| 6c 65 20 6e 75 6d 62 65 | 72 2c 20 74 68 65 20 63 |le numbe|r, the c|
|00000640| 61 6c 63 75 6c 61 74 69 | 6f 6e 20 6f 66 20 24 66 |alculati|on of $f|
|00000650| 28 4d 29 24 20 69 6e 76 | 6f 6c 76 65 73 0a 74 68 |(M)$ inv|olves.th|
|00000660| 65 20 73 65 6e 64 65 72 | 20 64 6f 69 6e 67 20 73 |e sender| doing s|
|00000670| 6f 6d 65 20 74 68 69 6e | 67 73 20 72 61 6e 64 6f |ome thin|gs rando|
|00000680| 6d 6c 79 20 64 75 72 69 | 6e 67 20 74 68 65 20 63 |mly duri|ng the c|
|00000690| 61 6c 63 75 6c 61 74 69 | 6f 6e 2c 20 73 6f 20 74 |alculati|on, so t|
|000006a0| 68 61 74 20 24 4d 24 0a | 68 61 73 20 6d 61 6e 79 |hat $M$.|has many|
|000006b0| 20 64 69 66 66 65 72 65 | 6e 74 20 65 6e 63 72 79 | differe|nt encry|
|000006c0| 70 74 69 6f 6e 73 2e 20 | 20 49 6e 64 65 65 64 2c |ptions. | Indeed,|
|000006d0| 20 74 68 65 20 70 72 6f | 62 61 62 69 6c 69 74 79 | the pro|bability|
|000006e0| 20 73 68 6f 75 6c 64 20 | 62 65 20 76 65 72 79 0a | should |be very.|
|000006f0| 63 6c 6f 73 65 20 74 6f | 20 31 20 74 68 61 74 20 |close to| 1 that |
|00000700| 69 66 20 74 68 65 20 73 | 61 6d 65 20 6d 65 73 73 |if the s|ame mess|
|00000710| 61 67 65 20 69 73 20 73 | 65 6e 74 20 74 77 69 63 |age is s|ent twic|
|00000720| 65 2c 20 74 68 65 20 65 | 6e 63 72 79 70 74 69 6f |e, the e|ncryptio|
|00000730| 6e 73 20 73 68 6f 75 6c | 64 0a 62 65 20 64 69 66 |ns shoul|d.be dif|
|00000740| 66 65 72 65 6e 74 2e 0a | 5c 73 75 62 73 65 63 74 |ferent..|\subsect|
|00000750| 69 6f 6e 7b 54 68 65 20 | 47 6f 6c 64 77 61 73 73 |ion{The |Goldwass|
|00000760| 65 72 2d 4d 69 63 61 6c | 69 20 65 6e 63 72 79 70 |er-Mical|i encryp|
|00000770| 74 69 6f 6e 20 73 79 73 | 74 65 6d 7d 0a 41 73 20 |tion sys|tem}.As |
|00000780| 69 6e 20 6d 61 6e 79 20 | 70 72 65 76 69 6f 75 73 |in many |previous|
|00000790| 6c 79 20 64 69 73 63 75 | 73 73 65 64 20 73 79 73 |ly discu|ssed sys|
|000007a0| 74 65 6d 73 2c 20 74 68 | 65 20 70 65 72 73 6f 6e |tems, th|e person|
|000007b0| 20 72 65 63 65 69 76 69 | 6e 67 20 6d 65 73 73 61 | receivi|ng messa|
|000007c0| 67 65 73 0a 63 68 6f 6f | 73 65 73 20 74 77 6f 20 |ges.choo|ses two |
|000007d0| 70 72 69 6d 65 73 20 28 | 24 5c 73 69 6d 31 30 30 |primes (|$\sim100|
|000007e0| 24 20 64 69 67 69 74 73 | 29 20 24 70 2c 71 24 20 |$ digits|) $p,q$ |
|000007f0| 61 6e 64 20 61 6e 6e 6f | 75 6e 63 65 73 20 24 6e |and anno|unces $n|
|00000800| 3d 70 71 24 2e 0a 54 68 | 69 73 20 73 79 73 74 65 |=pq$..Th|is syste|
|00000810| 6d 20 69 73 20 63 6f 6e | 63 65 72 6e 65 64 20 77 |m is con|cerned w|
|00000820| 69 74 68 20 77 68 65 74 | 68 65 72 2c 20 66 6f 72 |ith whet|her, for|
|00000830| 20 61 20 67 69 76 65 6e | 20 6e 75 6d 62 65 72 20 | a given| number |
|00000840| 24 61 24 2c 20 74 68 65 | 72 65 20 69 73 0a 24 78 |$a$, the|re is.$x|
|00000850| 24 20 77 69 74 68 20 24 | 5c 63 6f 7b 78 5e 32 7d |$ with $|\co{x^2}|
|00000860| 61 6e 24 2e 20 53 75 63 | 68 20 24 61 24 20 61 72 |an$. Suc|h $a$ ar|
|00000870| 65 20 63 61 6c 6c 65 64 | 20 7b 5c 69 74 20 73 71 |e called| {\it sq|
|00000880| 75 61 72 65 73 5c 2f 7d | 20 6f 72 20 28 69 6e 20 |uares\/}| or (in |
|00000890| 6d 6f 73 74 0a 62 6f 6f | 6b 73 20 61 6e 64 20 70 |most.boo|ks and p|
|000008a0| 61 70 65 72 73 29 20 7b | 5c 69 74 20 71 75 61 64 |apers) {|\it quad|
|000008b0| 72 61 74 69 63 20 72 65 | 73 69 64 75 65 73 7d 2e |ratic re|sidues}.|
|000008c0| 20 46 6f 72 20 74 65 63 | 68 6e 69 63 61 6c 20 72 | For tec|hnical r|
|000008d0| 65 61 73 6f 6e 73 2c 20 | 77 68 65 6e 0a 77 65 20 |easons, |when.we |
|000008e0| 72 65 66 65 72 20 74 6f | 20 73 71 75 61 72 65 73 |refer to| squares|
|000008f0| 20 6d 6f 64 20 24 6e 24 | 2c 20 77 65 20 77 69 6c | mod $n$|, we wil|
|00000900| 6c 20 65 78 63 6c 75 64 | 65 20 24 61 24 20 77 68 |l exclud|e $a$ wh|
|00000910| 69 63 68 20 61 72 65 20 | 64 69 76 69 73 69 62 6c |ich are |divisibl|
|00000920| 65 20 62 79 0a 24 70 24 | 20 6f 72 20 24 71 24 2e |e by.$p$| or $q$.|
|00000930| 0a 54 68 65 20 66 6f 6c | 6c 6f 77 69 6e 67 20 66 |.The fol|lowing f|
|00000940| 61 63 74 73 20 61 72 65 | 20 65 61 73 79 20 74 6f |acts are| easy to|
|00000950| 20 70 72 6f 76 65 2c 20 | 69 6e 20 73 6f 6d 65 20 | prove, |in some |
|00000960| 63 61 73 65 73 20 75 73 | 69 6e 67 20 70 72 69 6d |cases us|ing prim|
|00000970| 69 74 69 76 65 20 72 6f | 6f 74 73 2e 0a 5c 62 65 |itive ro|ots..\be|
|00000980| 67 69 6e 7b 4c 65 7d 20 | 49 66 20 24 61 2c 62 24 |gin{Le} |If $a,b$|
|00000990| 20 61 72 65 20 73 71 75 | 61 72 65 73 2c 20 74 68 | are squ|ares, th|
|000009a0| 65 6e 20 24 61 62 24 20 | 69 73 20 61 20 73 71 75 |en $ab$ |is a squ|
|000009b0| 61 72 65 2e 0a 49 66 20 | 24 61 24 20 69 73 20 61 |are..If |$a$ is a|
|000009c0| 20 73 71 75 61 72 65 20 | 61 6e 64 20 24 62 24 20 | square |and $b$ |
|000009d0| 69 73 20 6e 6f 74 20 61 | 20 73 71 75 61 72 65 2c |is not a| square,|
|000009e0| 20 74 68 65 6e 20 24 61 | 62 24 20 69 73 20 6e 6f | then $a|b$ is no|
|000009f0| 74 20 61 20 73 71 75 61 | 72 65 2e 0a 5c 6c 61 62 |t a squa|re..\lab|
|00000a00| 65 6c 7b 70 72 6f 64 7d | 5c 65 6e 64 7b 4c 65 7d |el{prod}|\end{Le}|
|00000a10| 0a 5c 62 65 67 69 6e 7b | 4c 65 7d 20 24 61 24 20 |.\begin{|Le} $a$ |
|00000a20| 69 73 20 61 20 73 71 75 | 61 72 65 20 6d 6f 64 20 |is a squ|are mod |
|00000a30| 24 6e 24 20 69 66 20 61 | 6e 64 20 6f 6e 6c 79 20 |$n$ if a|nd only |
|00000a40| 69 66 20 69 74 20 69 73 | 20 61 20 73 71 75 61 72 |if it is| a squar|
|00000a50| 65 20 6d 6f 64 20 24 70 | 24 0a 61 6e 64 20 61 20 |e mod $p|$.and a |
|00000a60| 73 71 75 61 72 65 20 6d | 6f 64 20 24 71 24 2e 5c |square m|od $q$.\|
|00000a70| 6c 61 62 65 6c 7b 6b 6e | 31 7d 5c 65 6e 64 7b 4c |label{kn|1}\end{L|
|00000a80| 65 7d 0a 5c 62 65 67 69 | 6e 7b 4c 65 7d 20 4c 65 |e}.\begi|n{Le} Le|
|00000a90| 74 20 24 68 3d 5c 66 72 | 61 63 7b 70 2d 31 7d 32 |t $h=\fr|ac{p-1}2|
|00000aa0| 24 2e 20 20 49 66 20 24 | 61 24 20 69 73 20 61 20 |$.  If $|a$ is a |
|00000ab0| 73 71 75 61 72 65 20 6d | 6f 64 20 24 70 24 2c 20 |square m|od $p$, |
|00000ac0| 24 5c 63 6f 20 7b 61 5e | 68 7d 31 70 24 2e 0a 49 |$\co {a^|h}1p$..I|
|00000ad0| 66 20 24 61 24 20 69 73 | 20 6e 6f 74 20 61 20 73 |f $a$ is| not a s|
|00000ae0| 71 75 61 72 65 2c 20 24 | 61 5e 68 5c 65 71 75 69 |quare, $|a^h\equi|
|00000af0| 76 2d 31 24 2e 5c 6c 61 | 62 65 6c 7b 6b 6e 32 7d |v-1$.\la|bel{kn2}|
|00000b00| 5c 65 6e 64 7b 4c 65 7d | 0a 54 68 69 73 20 69 6d |\end{Le}|.This im|
|00000b10| 70 6c 69 65 73 20 74 68 | 61 74 2c 20 69 66 20 24 |plies th|at, if $|
|00000b20| 70 24 20 61 6e 64 20 24 | 71 24 20 61 72 65 20 6b |p$ and $|q$ are k|
|00000b30| 6e 6f 77 6e 2c 20 69 74 | 20 69 73 20 65 61 73 79 |nown, it| is easy|
|00000b40| 20 74 6f 20 64 65 63 69 | 64 65 20 77 68 65 74 68 | to deci|de wheth|
|00000b50| 65 72 0a 24 61 24 20 69 | 73 20 61 20 73 71 75 61 |er.$a$ i|s a squa|
|00000b60| 72 65 2e 20 20 54 68 65 | 20 65 6e 63 72 79 70 74 |re.  The| encrypt|
|00000b70| 69 6f 6e 20 73 79 73 74 | 65 6d 20 64 65 70 65 6e |ion syst|em depen|
|00000b80| 64 73 20 6f 6e 20 74 68 | 65 20 61 73 73 75 6d 70 |ds on th|e assump|
|00000b90| 74 69 6f 6e 20 28 63 61 | 6c 6c 65 64 0a 51 52 41 |tion (ca|lled.QRA|
|00000ba0| 20 69 6e 20 74 68 65 20 | 70 61 70 65 72 20 5b 70 | in the |paper [p|
|00000bb0| 2e 7e 32 39 34 5d 29 20 | 74 68 61 74 20 74 68 69 |.~294]) |that thi|
|00000bc0| 73 20 70 72 6f 62 6c 65 | 6d 20 69 73 20 76 65 72 |s proble|m is ver|
|00000bd0| 79 20 64 69 66 66 69 63 | 75 6c 74 20 69 66 20 24 |y diffic|ult if $|
|00000be0| 70 2c 71 24 0a 61 72 65 | 20 75 6e 6b 6e 6f 77 6e |p,q$.are| unknown|
|00000bf0| 2e 5c 62 65 67 69 6e 7b | 4c 65 7d 20 24 31 2f 32 |.\begin{|Le} $1/2|
|00000c00| 24 20 6f 66 20 74 68 65 | 20 6e 75 6d 62 65 72 73 |$ of the| numbers|
|00000c10| 20 66 72 6f 6d 20 31 20 | 74 6f 20 24 70 2d 31 24 | from 1 |to $p-1$|
|00000c20| 20 61 72 65 20 73 71 75 | 61 72 65 73 0a 6d 6f 64 | are squ|ares.mod|
|00000c30| 20 24 70 24 2e 20 20 20 | 20 20 54 61 6b 65 20 74 | $p$.   |  Take t|
|00000c40| 68 65 20 6e 75 6d 62 65 | 72 73 20 66 72 6f 6d 20 |he numbe|rs from |
|00000c50| 31 20 74 6f 20 24 6e 24 | 20 61 6e 64 20 6c 65 61 |1 to $n$| and lea|
|00000c60| 76 65 20 6f 75 74 20 74 | 68 6f 73 65 20 64 69 76 |ve out t|hose div|
|00000c70| 69 73 69 62 6c 65 0a 62 | 79 20 24 70 24 20 6f 72 |isible.b|y $p$ or|
|00000c80| 20 62 79 20 24 71 24 2e | 20 44 69 76 69 64 65 20 | by $q$.| Divide |
|00000c90| 74 68 65 20 72 65 6d 61 | 69 6e 69 6e 67 20 24 28 |the rema|ining $(|
|00000ca0| 70 2d 31 29 28 71 2d 31 | 29 24 20 6e 75 6d 62 65 |p-1)(q-1|)$ numbe|
|00000cb0| 72 73 20 69 6e 74 6f 20 | 66 6f 75 72 20 67 72 6f |rs into |four gro|
|00000cc0| 75 70 73 20 0a 61 63 63 | 6f 72 64 69 6e 67 20 74 |ups .acc|ording t|
|00000cd0| 6f 20 77 68 65 74 68 65 | 72 20 74 68 65 79 20 61 |o whethe|r they a|
|00000ce0| 72 65 20 73 71 75 61 72 | 65 73 20 6f 72 20 6e 6f |re squar|es or no|
|00000cf0| 74 20 6d 6f 64 20 24 70 | 24 20 61 6e 64 20 61 6c |t mod $p|$ and al|
|00000d00| 73 6f 20 6d 6f 64 20 24 | 71 24 2e 0a 54 68 65 72 |so mod $|q$..Ther|
|00000d10| 65 20 61 72 65 20 24 28 | 70 2d 31 29 28 71 2d 31 |e are $(|p-1)(q-1|
|00000d20| 29 2f 34 24 20 6e 75 6d | 62 65 72 73 20 69 6e 20 |)/4$ num|bers in |
|00000d30| 65 61 63 68 20 67 72 6f | 75 70 2e 5c 65 6e 64 7b |each gro|up.\end{|
|00000d40| 4c 65 7d 0a 5c 70 71 20 | 54 68 65 20 6e 75 6d 62 |Le}.\pq |The numb|
|00000d50| 65 72 73 20 77 68 69 63 | 68 20 61 72 65 20 6e 6f |ers whic|h are no|
|00000d60| 74 20 73 71 75 61 72 65 | 73 20 6d 6f 64 20 24 70 |t square|s mod $p|
|00000d70| 24 20 61 6e 64 20 61 6c | 73 6f 20 6e 6f 74 20 73 |$ and al|so not s|
|00000d80| 71 75 61 72 65 73 20 6d | 6f 64 20 24 71 24 0a 61 |quares m|od $q$.a|
|00000d90| 72 65 20 63 61 6c 6c 65 | 64 20 7b 5c 69 74 20 70 |re calle|d {\it p|
|00000da0| 73 65 75 64 6f 2d 73 71 | 75 61 72 65 73 7d 2e 20 |seudo-sq|uares}. |
|00000db0| 20 45 78 61 6d 70 6c 65 | 3a 20 49 66 20 24 70 3d | Example|: If $p=|
|00000dc0| 35 24 2c 20 24 71 3d 37 | 24 2c 20 74 68 65 20 73 |5$, $q=7|$, the s|
|00000dd0| 71 75 61 72 65 73 0a 6d | 6f 64 7e 33 35 20 61 72 |quares.m|od~35 ar|
|00000de0| 65 20 31 2c 20 34 2c 20 | 39 2c 20 31 36 2c 20 32 |e 1, 4, |9, 16, 2|
|00000df0| 39 2c 20 31 31 20 28 24 | 32 39 5c 65 71 75 69 76 |9, 11 ($|29\equiv|
|00000e00| 38 5e 32 24 2c 20 24 31 | 31 5c 65 71 75 69 76 39 |8^2$, $1|1\equiv9|
|00000e10| 5e 32 24 3b 20 0a 6e 6f | 74 65 20 77 65 20 64 6f |^2$; .no|te we do|
|00000e20| 6e 27 74 20 69 6e 63 6c | 75 64 65 20 32 35 20 61 |n't incl|ude 25 a|
|00000e30| 6e 64 20 31 34 2c 20 62 | 65 63 61 75 73 65 0a 74 |nd 14, b|ecause.t|
|00000e40| 68 65 79 27 72 65 20 64 | 69 76 69 73 69 62 6c 65 |hey're d|ivisible|
|00000e50| 20 62 79 20 24 70 2c 71 | 24 29 2e 20 20 54 68 65 | by $p,q|$).  The|
|00000e60| 20 70 73 65 75 64 6f 2d | 73 71 75 61 72 65 73 20 | pseudo-|squares |
|00000e70| 6d 75 73 74 20 62 65 20 | 63 6f 6e 67 72 75 65 6e |must be |congruen|
|00000e80| 74 20 74 6f 0a 32 20 6f | 72 20 33 20 6d 6f 64 7e |t to.2 o|r 3 mod~|
|00000e90| 35 20 61 6e 64 20 74 6f | 20 33 2c 20 35 2c 20 6f |5 and to| 3, 5, o|
|00000ea0| 72 20 36 20 6d 6f 64 7e | 37 2e 20 20 54 68 75 73 |r 6 mod~|7.  Thus|
|00000eb0| 20 74 68 65 20 70 73 65 | 75 64 6f 2d 73 71 75 61 | the pse|udo-squa|
|00000ec0| 72 65 73 20 61 72 65 0a | 31 37 2c 20 31 32 2c 20 |res are.|17, 12, |
|00000ed0| 32 37 2c 20 33 2c 20 33 | 33 2c 20 31 33 2e 0a 5c |27, 3, 3|3, 13..\|
|00000ee0| 70 71 20 54 68 65 20 65 | 6e 63 72 79 70 74 69 6f |pq The e|ncryptio|
|00000ef0| 6e 20 73 79 73 74 65 6d | 20 69 73 20 70 72 69 6d |n system| is prim|
|00000f00| 61 72 69 6c 79 20 63 6f | 6e 63 65 72 6e 65 64 20 |arily co|ncerned |
|00000f10| 77 69 74 68 20 74 68 65 | 20 75 6e 69 6f 6e 20 6f |with the| union o|
|00000f20| 66 20 74 68 65 0a 73 65 | 74 20 6f 66 20 73 71 75 |f the.se|t of squ|
|00000f30| 61 72 65 73 20 61 6e 64 | 20 70 73 65 75 64 6f 2d |ares and| pseudo-|
|00000f40| 73 71 75 61 72 65 73 2d | 2d 2d 20 74 68 69 73 20 |squares-|-- this |
|00000f50| 73 65 74 20 69 73 20 75 | 6e 66 6f 72 74 75 6e 61 |set is u|nfortuna|
|00000f60| 74 65 6c 79 20 64 65 6e | 6f 74 65 64 0a 62 6f 74 |tely den|oted.bot|
|00000f70| 68 20 62 79 20 24 5a 5e | 31 5f 6e 24 20 28 70 2e |h by $Z^|1_n$ (p.|
|00000f80| 7e 32 39 31 29 20 61 6e | 64 20 62 79 20 24 5a 5e |~291) an|d by $Z^|
|00000f90| 7b 7b 7d 2b 31 7d 5f 6e | 24 2e 20 53 69 6e 63 65 |{{}+1}_n|$. Since|
|00000fa0| 20 65 78 61 63 74 6c 79 | 20 68 61 6c 66 20 74 68 | exactly| half th|
|00000fb0| 65 0a 6d 65 6d 62 65 72 | 73 20 6f 66 20 24 5a 5e |e.member|s of $Z^|
|00000fc0| 31 5f 6e 24 20 61 72 65 | 20 73 71 75 61 72 65 73 |1_n$ are| squares|
|00000fd0| 2c 20 74 68 65 20 63 72 | 75 64 65 20 69 64 65 61 |, the cr|ude idea|
|00000fe0| 20 6f 66 20 73 61 79 69 | 6e 67 20 60 60 74 68 69 | of sayi|ng ``thi|
|00000ff0| 73 20 69 73 20 61 0a 73 | 71 75 61 72 65 27 27 20 |s is a.s|quare'' |
|00001000| 61 6c 6c 20 74 68 65 20 | 74 69 6d 65 20 77 69 6c |all the |time wil|
|00001010| 6c 0a 6f 6e 6c 79 20 62 | 65 20 72 69 67 68 74 20 |l.only b|e right |
|00001020| 68 61 6c 66 20 74 68 65 | 20 74 69 6d 65 2e 20 20 |half the| time.  |
|00001030| 28 51 52 41 29 20 73 61 | 79 73 20 74 68 61 74 20 |(QRA) sa|ys that |
|00001040| 6e 6f 20 61 6c 67 6f 72 | 69 74 68 6d 20 74 68 61 |no algor|ithm tha|
|00001050| 74 20 72 75 6e 73 0a 69 | 6e 20 61 20 72 65 61 73 |t runs.i|n a reas|
|00001060| 6f 6e 61 62 6c 65 20 61 | 6d 6f 75 6e 74 20 6f 66 |onable a|mount of|
|00001070| 20 74 69 6d 65 20 63 61 | 6e 20 64 6f 20 6d 75 63 | time ca|n do muc|
|00001080| 68 20 62 65 74 74 65 72 | 20 74 68 61 6e 20 74 68 |h better| than th|
|00001090| 69 73 2e 20 20 5b 74 68 | 65 20 70 72 65 63 69 73 |is.  [th|e precis|
|000010a0| 65 0a 64 65 66 69 6e 69 | 74 69 6f 6e 73 20 6f 66 |e.defini|tions of|
|000010b0| 20 60 60 72 65 61 73 6f | 6e 61 62 6c 65 27 27 20 | ``reaso|nable'' |
|000010c0| 61 6e 64 20 60 60 6d 75 | 63 68 20 62 65 74 74 65 |and ``mu|ch bette|
|000010d0| 72 27 27 20 61 72 65 20 | 77 68 61 74 20 72 65 71 |r'' are |what req|
|000010e0| 75 69 72 65 20 74 68 65 | 0a 63 6f 6e 63 65 70 74 |uire the|.concept|
|000010f0| 73 20 6f 66 20 63 69 72 | 63 75 69 74 73 20 6f 66 |s of cir|cuits of|
|00001100| 20 73 69 7a 65 20 24 6b | 24 20 61 6e 64 20 60 60 | size $k|$ and ``|
|00001110| 24 5c 65 70 73 69 6c 6f | 6e 24 2d 61 70 70 72 6f |$\epsilo|n$-appro|
|00001120| 78 69 6d 61 74 69 6e 67 | 27 27 5d 0a 5c 70 71 20 |ximating|''].\pq |
|00001130| 49 6e 20 61 64 64 69 74 | 69 6f 6e 20 74 6f 20 61 |In addit|ion to a|
|00001140| 6e 6e 6f 75 6e 63 69 6e | 67 20 24 6e 24 2c 20 74 |nnouncin|g $n$, t|
|00001150| 68 65 20 70 65 72 73 6f | 6e 20 72 65 63 65 69 76 |he perso|n receiv|
|00001160| 69 6e 67 20 6d 65 73 73 | 61 67 65 73 20 61 6e 6e |ing mess|ages ann|
|00001170| 6f 75 6e 63 65 73 0a 6f | 6e 65 20 70 73 65 75 64 |ounces.o|ne pseud|
|00001180| 6f 2d 73 71 75 61 72 65 | 20 24 79 24 2e 20 20 54 |o-square| $y$.  T|
|00001190| 6f 20 73 65 6e 64 20 61 | 20 73 65 71 75 65 6e 63 |o send a| sequenc|
|000011a0| 65 20 6f 66 20 30 27 73 | 20 61 6e 64 20 31 27 73 |e of 0's| and 1's|
|000011b0| 2c 20 74 68 65 20 73 65 | 6e 64 65 72 20 0a 63 6f |, the se|nder .co|
|000011c0| 6e 76 65 72 74 73 20 74 | 68 65 6d 20 69 6e 74 6f |nverts t|hem into|
|000011d0| 20 6e 75 6d 62 65 72 73 | 20 61 73 20 66 6f 6c 6c | numbers| as foll|
|000011e0| 6f 77 73 3a 20 66 6f 72 | 20 65 61 63 68 20 6e 75 |ows: for| each nu|
|000011f0| 6d 62 65 72 20 69 6e 20 | 74 68 65 20 73 65 71 75 |mber in |the sequ|
|00001200| 65 6e 63 65 2c 0a 61 6e | 20 24 78 24 20 69 73 20 |ence,.an| $x$ is |
|00001210| 63 68 6f 73 65 6e 20 7b | 5c 69 74 20 61 74 20 72 |chosen {|\it at r|
|00001220| 61 6e 64 6f 6d 7d 2e 20 | 20 20 30 20 69 73 20 63 |andom}. |  0 is c|
|00001230| 6f 6e 76 65 72 74 65 64 | 20 69 6e 74 6f 20 24 78 |onverted| into $x|
|00001240| 5e 32 24 20 6d 6f 64 7e | 6e 2c 20 20 31 20 69 73 |^2$ mod~|n,  1 is|
|00001250| 0a 63 6f 6e 76 65 72 74 | 65 64 20 69 6e 74 6f 20 |.convert|ed into |
|00001260| 24 79 78 5e 32 24 2e 20 | 20 45 61 63 68 20 30 20 |$yx^2$. | Each 0 |
|00001270| 6f 72 20 31 20 69 6e 20 | 74 68 65 20 73 65 71 75 |or 1 in |the sequ|
|00001280| 65 6e 63 65 20 63 61 6e | 20 62 65 20 63 6f 6e 76 |ence can| be conv|
|00001290| 65 72 74 65 64 0a 28 64 | 65 70 65 6e 64 69 6e 67 |erted.(d|epending|
|000012a0| 20 6f 6e 20 74 68 65 20 | 63 68 6f 69 63 65 20 6f | on the |choice o|
|000012b0| 66 20 24 78 24 29 20 69 | 6e 74 6f 20 6f 6e 65 20 |f $x$) i|nto one |
|000012c0| 6f 66 20 24 28 70 2d 31 | 29 28 71 2d 31 29 2f 34 |of $(p-1|)(q-1)/4|
|000012d0| 24 20 64 69 66 66 65 72 | 65 6e 74 0a 6e 75 6d 62 |$ differ|ent.numb|
|000012e0| 65 72 73 2e 20 20 49 66 | 20 74 68 65 20 6d 65 73 |ers.  If| the mes|
|000012f0| 73 61 67 65 20 69 73 20 | 6f 66 20 6c 65 6e 67 74 |sage is |of lengt|
|00001300| 68 20 35 30 30 20 28 61 | 62 6f 75 74 20 6f 6e 65 |h 500 (a|bout one|
|00001310| 20 6c 69 6e 65 20 6f 66 | 20 6f 72 64 69 6e 61 72 | line of| ordinar|
|00001320| 79 0a 74 65 78 74 29 2c | 20 61 6e 64 20 24 70 2c |y.text),| and $p,|
|00001330| 71 5c 61 70 70 72 6f 78 | 31 30 5e 7b 31 30 30 7d |q\approx|10^{100}|
|00001340| 24 2c 20 74 68 65 20 6d | 65 73 73 61 67 65 20 63 |$, the m|essage c|
|00001350| 61 6e 20 62 65 20 65 6e | 63 6f 64 65 64 20 69 6e |an be en|coded in|
|00001360| 74 6f 20 0a 24 7e 28 31 | 2f 34 29 31 30 5e 7b 31 |to .$~(1|/4)10^{1|
|00001370| 30 30 30 30 30 7d 24 20 | 64 69 66 66 65 72 65 6e |00000}$ |differen|
|00001380| 74 20 70 6f 73 73 69 62 | 6c 65 20 63 69 70 68 65 |t possib|le ciphe|
|00001390| 72 74 65 78 74 73 2e 0a | 5c 70 71 20 42 79 20 4c |rtexts..|\pq By L|
|000013a0| 65 6d 6d 61 7e 5c 72 65 | 66 7b 70 72 6f 64 7d 2c |emma~\re|f{prod},|
|000013b0| 20 30 27 73 20 61 72 65 | 20 63 6f 6e 76 65 72 74 | 0's are| convert|
|000013c0| 65 64 20 74 6f 20 73 71 | 75 61 72 65 73 2c 20 31 |ed to sq|uares, 1|
|000013d0| 27 73 20 61 72 65 20 63 | 6f 6e 76 65 72 74 65 64 |'s are c|onverted|
|000013e0| 0a 74 6f 20 70 73 65 75 | 64 6f 2d 73 71 75 61 72 |.to pseu|do-squar|
|000013f0| 65 73 2e 20 20 53 69 6e | 63 65 20 74 68 65 20 72 |es.  Sin|ce the r|
|00001400| 65 63 65 69 76 65 72 20 | 6b 6e 6f 77 73 20 24 70 |eceiver |knows $p|
|00001410| 2c 71 24 2c 20 4c 65 6d | 6d 61 73 7e 5c 72 65 66 |,q$, Lem|mas~\ref|
|00001420| 7b 6b 6e 31 7d 0a 61 6e | 64 7e 5c 72 65 66 7b 6b |{kn1}.an|d~\ref{k|
|00001430| 6e 32 7d 20 73 68 6f 77 | 20 68 65 20 63 61 6e 20 |n2} show| he can |
|00001440| 65 66 66 69 63 69 65 6e | 74 6c 79 20 64 65 63 6f |efficien|tly deco|
|00001450| 64 65 20 74 68 65 20 6d | 65 73 73 61 67 65 2e 0a |de the m|essage..|
|00001460| 5c 70 71 20 49 6e 20 74 | 68 65 20 73 75 62 73 65 |\pq In t|he subse|
|00001470| 71 75 65 6e 74 20 73 65 | 63 74 69 6f 6e 73 2c 20 |quent se|ctions, |
|00001480| 77 65 20 77 69 6c 6c 20 | 67 69 76 65 20 74 68 65 |we will |give the|
|00001490| 20 65 73 73 65 6e 74 69 | 61 6c 20 69 64 65 61 73 | essenti|al ideas|
|000014a0| 0a 6f 66 20 47 6f 6c 64 | 77 61 73 73 65 72 20 5c |.of Gold|wasser \|
|000014b0| 26 20 4d 69 63 61 6c 69 | 27 73 20 70 72 6f 6f 66 |& Micali|'s proof|
|000014c0| 20 74 68 61 74 20 28 61 | 73 73 75 6d 69 6e 67 20 | that (a|ssuming |
|000014d0| 51 52 41 29 20 74 68 69 | 73 20 73 79 73 74 65 6d |QRA) thi|s system|
|000014e0| 20 77 69 6c 6c 0a 70 72 | 65 76 65 6e 74 20 74 68 | will.pr|event th|
|000014f0| 65 20 61 64 76 65 72 73 | 61 72 79 20 66 72 6f 6d |e advers|ary from|
|00001500| 20 0a 6f 62 74 61 69 6e | 69 6e 67 20 61 6e 79 20 | .obtain|ing any |
|00001510| 70 61 72 74 69 61 6c 20 | 69 6e 66 6f 72 6d 61 74 |partial |informat|
|00001520| 69 6f 6e 20 61 62 6f 75 | 74 20 74 68 65 20 70 6c |ion abou|t the pl|
|00001530| 61 69 6e 74 65 78 74 2e | 0a 5c 73 75 62 73 65 63 |aintext.|.\subsec|
|00001540| 74 69 6f 6e 7b 57 65 61 | 6b 20 6c 61 77 73 20 6f |tion{Wea|k laws o|
|00001550| 66 20 6c 61 72 67 65 20 | 6e 75 6d 62 65 72 73 7d |f large |numbers}|
|00001560| 0a 42 6f 74 68 20 74 68 | 65 20 65 6e 63 72 79 70 |.Both th|e encryp|
|00001570| 74 69 6f 6e 20 61 6c 67 | 6f 72 69 74 68 6d 20 61 |tion alg|orithm a|
|00001580| 6e 64 20 74 68 65 20 68 | 79 70 6f 74 68 65 74 69 |nd the h|ypotheti|
|00001590| 63 61 6c 20 61 6c 67 6f | 72 69 74 68 6d 73 20 75 |cal algo|rithms u|
|000015a0| 73 65 64 20 62 79 0a 74 | 68 65 20 61 64 76 65 72 |sed by.t|he adver|
|000015b0| 73 61 72 79 20 69 6e 76 | 6f 6c 76 65 20 72 61 6e |sary inv|olve ran|
|000015c0| 64 6f 6d 20 65 76 65 6e | 74 73 2e 20 20 57 65 20 |dom even|ts.  We |
|000015d0| 77 69 6c 6c 20 6e 65 65 | 64 20 61 20 74 68 65 6f |will nee|d a theo|
|000015e0| 72 65 6d 20 74 68 61 74 | 20 73 61 79 73 0a 74 68 |rem that| says.th|
|000015f0| 61 74 2c 20 69 66 20 61 | 6e 20 65 76 65 6e 74 20 |at, if a|n event |
|00001600| 77 69 74 68 20 70 72 6f | 62 61 62 69 6c 69 74 79 |with pro|bability|
|00001610| 20 24 70 24 20 69 73 20 | 74 72 69 65 64 20 24 72 | $p$ is |tried $r|
|00001620| 24 20 74 69 6d 65 73 2c | 20 74 68 65 20 63 68 61 |$ times,| the cha|
|00001630| 6e 63 65 20 74 68 61 74 | 0a 74 68 65 20 6e 75 6d |nce that|.the num|
|00001640| 62 65 72 20 6f 66 20 73 | 75 63 63 65 73 73 65 73 |ber of s|uccesses|
|00001650| 20 69 73 20 6e 6f 74 20 | 63 6c 6f 73 65 20 74 6f | is not |close to|
|00001660| 20 24 70 72 24 20 69 73 | 20 73 6d 61 6c 6c 2e 20 | $pr$ is| small. |
|00001670| 20 54 68 65 20 70 61 70 | 65 72 20 75 73 65 73 25 | The pap|er uses%|
|00001680| 0a 5c 66 6f 6f 74 6e 6f | 74 65 7b 54 68 65 20 75 |.\footno|te{The u|
|00001690| 73 75 61 6c 20 63 65 6e | 74 72 61 6c 20 6c 69 6d |sual cen|tral lim|
|000016a0| 69 74 20 74 68 65 6f 72 | 65 6d 20 63 61 6e 6e 6f |it theor|em canno|
|000016b0| 74 20 62 65 20 75 73 65 | 64 20 62 65 63 61 75 73 |t be use|d becaus|
|000016c0| 65 20 69 74 20 64 6f 65 | 73 0a 6e 6f 74 20 74 65 |e it doe|s.not te|
|000016d0| 6c 6c 20 79 6f 75 20 68 | 6f 77 20 6c 61 72 67 65 |ll you h|ow large|
|000016e0| 20 24 72 24 20 6d 75 73 | 74 20 62 65 20 66 6f 72 | $r$ mus|t be for|
|000016f0| 20 74 68 65 20 6e 6f 72 | 6d 61 6c 20 64 69 73 74 | the nor|mal dist|
|00001700| 72 69 62 75 74 69 6f 6e | 20 74 6f 20 67 69 76 65 |ribution| to give|
|00001710| 0a 61 20 67 6f 6f 64 20 | 65 73 74 69 6d 61 74 65 |.a good |estimate|
|00001720| 2e 7d 0a 28 70 2e 7e 32 | 39 33 29 20 5c 62 65 67 |.}.(p.~2|93) \beg|
|00001730| 69 6e 7b 4c 65 7d 4c 65 | 74 20 24 53 5f 72 24 20 |in{Le}Le|t $S_r$ |
|00001740| 62 65 20 74 68 65 20 6e | 75 6d 62 65 72 20 6f 66 |be the n|umber of|
|00001750| 20 73 75 63 63 65 73 73 | 65 73 20 69 6e 20 24 72 | success|es in $r|
|00001760| 24 20 74 72 69 65 73 2e | 0a 46 6f 72 20 61 6e 79 |$ tries.|.For any|
|00001770| 20 24 5c 70 73 69 24 20 | 24 24 5c 50 72 5c 6c 65 | $\psi$ |$$\Pr\le|
|00001780| 66 74 28 5c 6c 65 66 74 | 7c 5c 66 72 61 63 7b 53 |ft(\left||\frac{S|
|00001790| 5f 72 7d 72 2d 70 5c 72 | 69 67 68 74 7c 0a 3e 5c |_r}r-p\r|ight|.>\|
|000017a0| 70 73 69 5c 72 69 67 68 | 74 29 3c 5c 66 72 61 63 |psi\righ|t)<\frac|
|000017b0| 31 7b 34 72 5c 70 73 69 | 5e 32 7d 24 24 0a 5c 6c |1{4r\psi|^2}$$.\l|
|000017c0| 61 62 65 6c 7b 77 65 61 | 6b 7d 5c 65 6e 64 7b 4c |abel{wea|k}\end{L|
|000017d0| 65 7d 0a 5c 70 61 72 7b | 5c 62 66 20 50 72 6f 6f |e}.\par{|\bf Proo|
|000017e0| 66 3a 7d 20 24 53 5f 72 | 24 20 69 73 20 61 20 72 |f:} $S_r|$ is a r|
|000017f0| 61 6e 64 6f 6d 20 76 61 | 72 69 61 62 6c 65 2c 20 |andom va|riable, |
|00001800| 77 68 69 63 68 20 69 73 | 20 74 68 65 20 73 75 6d |which is| the sum|
|00001810| 20 6f 66 20 24 72 24 0a | 69 6e 64 65 70 65 6e 64 | of $r$.|independ|
|00001820| 65 6e 74 20 72 61 6e 64 | 6f 6d 20 76 61 72 69 61 |ent rand|om varia|
|00001830| 62 6c 65 73 2c 20 65 61 | 63 68 20 68 61 76 69 6e |bles, ea|ch havin|
|00001840| 67 20 76 61 6c 75 65 20 | 30 20 6f 72 20 31 2e 20 |g value |0 or 1. |
|00001850| 20 4c 65 74 20 24 56 24 | 20 62 65 20 74 68 65 0a | Let $V$| be the.|
|00001860| 76 61 72 69 61 6e 63 65 | 20 6f 66 20 24 53 5f 72 |variance| of $S_r|
|00001870| 24 2e 20 20 45 61 63 68 | 20 6f 66 20 74 68 65 20 |$.  Each| of the |
|00001880| 30 2d 2d 31 20 76 61 72 | 69 61 62 6c 65 73 20 68 |0--1 var|iables h|
|00001890| 61 73 20 76 61 72 69 61 | 6e 63 65 20 24 5c 6c 65 |as varia|nce $\le|
|000018a0| 31 2f 34 24 2c 0a 73 6f | 20 24 24 72 5e 32 5c 70 |1/4$,.so| $$r^2\p|
|000018b0| 73 69 5e 32 5c 50 72 28 | 7c 53 5f 72 2d 72 70 7c |si^2\Pr(||S_r-rp||
|000018c0| 3e 72 5c 70 73 69 29 3c | 56 5c 6c 65 5c 66 72 61 |>r\psi)<|V\le\fra|
|000018d0| 63 20 72 34 24 24 0a 5c | 70 71 20 4c 65 6d 6d 61 |c r4$$.\|pq Lemma|
|000018e0| 20 5c 72 65 66 7b 77 65 | 61 6b 7d 20 70 72 6f 76 | \ref{we|ak} prov|
|000018f0| 69 64 65 73 20 61 20 76 | 65 72 79 20 72 6f 75 67 |ides a v|ery roug|
|00001900| 68 20 65 73 74 69 6d 61 | 74 65 20 6f 66 20 74 68 |h estima|te of th|
|00001910| 65 20 70 72 6f 62 61 62 | 69 6c 69 74 79 2e 0a 41 |e probab|ility..A|
|00001920| 6e 20 69 6d 70 72 6f 76 | 65 6d 65 6e 74 20 72 65 |n improv|ement re|
|00001930| 71 75 69 72 69 6e 67 20 | 6d 75 63 68 20 6d 6f 72 |quiring |much mor|
|00001940| 65 20 77 6f 72 6b 20 69 | 73 3a 0a 5c 62 65 67 69 |e work i|s:.\begi|
|00001950| 6e 7b 4c 65 7d 20 5c 6c | 61 62 65 6c 7b 73 74 72 |n{Le} \l|abel{str|
|00001960| 6f 6e 67 7d 57 69 74 68 | 20 74 68 65 20 73 61 6d |ong}With| the sam|
|00001970| 65 20 6e 6f 74 61 74 69 | 6f 6e 20 61 73 20 4c 65 |e notati|on as Le|
|00001980| 6d 6d 61 7e 5c 72 65 66 | 7b 77 65 61 6b 7d 2c 20 |mma~\ref|{weak}, |
|00001990| 0a 5c 62 65 67 69 6e 7b | 65 71 6e 61 72 72 61 79 |.\begin{|eqnarray|
|000019a0| 2a 7d 26 26 5c 50 72 5c | 6c 65 66 74 28 5c 66 72 |*}&&\Pr\|left(\fr|
|000019b0| 61 63 7b 53 5f 72 7d 72 | 5c 67 65 20 70 2b 5c 70 |ac{S_r}r|\ge p+\p|
|000019c0| 73 69 5c 72 69 67 68 74 | 29 5c 5c 26 26 0a 5c 6c |si\right|)\\&&.\l|
|000019d0| 65 5c 66 72 61 63 31 7b | 5c 73 71 72 74 7b 32 5c |e\frac1{|\sqrt{2\|
|000019e0| 70 69 20 72 28 70 2b 5c | 70 73 69 29 28 31 2d 70 |pi r(p+\|psi)(1-p|
|000019f0| 2d 5c 70 73 69 29 7d 7d | 0a 5c 6c 65 66 74 28 5c |-\psi)}}|.\left(\|
|00001a00| 66 72 61 63 7b 28 31 2d | 70 29 28 70 2b 5c 70 73 |frac{(1-|p)(p+\ps|
|00001a10| 69 29 7d 5c 70 73 69 5c | 72 69 67 68 74 29 5c 65 |i)}\psi\|right)\e|
|00001a20| 78 70 5c 6c 65 66 74 28 | 0a 2d 5c 66 72 61 63 7b |xp\left(|.-\frac{|
|00001a30| 72 5c 70 73 69 5e 32 28 | 31 2b 5c 70 73 69 29 7d |r\psi^2(|1+\psi)}|
|00001a40| 7b 32 28 31 2d 70 29 28 | 70 2b 5c 70 73 69 29 7d |{2(1-p)(|p+\psi)}|
|00001a50| 5c 72 69 67 68 74 29 0a | 5c 71 71 75 61 64 28 2a |\right).|\qquad(*|
|00001a60| 29 5c 65 6e 64 7b 65 71 | 6e 61 72 72 61 79 2a 7d |)\end{eq|narray*}|
|00001a70| 5c 65 6e 64 7b 4c 65 7d | 0a 5c 70 61 72 20 46 6f |\end{Le}|.\par Fo|
|00001a80| 72 20 63 6f 6d 70 61 72 | 69 73 6f 6e 2c 20 69 66 |r compar|ison, if|
|00001a90| 20 24 70 3d 2e 35 24 2c | 20 24 72 3d 31 30 30 30 | $p=.5$,| $r=1000|
|00001aa0| 24 2c 20 74 68 65 20 70 | 72 6f 62 61 62 69 6c 69 |$, the p|robabili|
|00001ab0| 74 79 20 74 68 61 74 20 | 74 68 65 72 65 20 61 72 |ty that |there ar|
|00001ac0| 65 0a 24 5c 67 65 35 32 | 30 24 20 73 75 63 63 65 |e.$\ge52|0$ succe|
|00001ad0| 73 73 65 73 20 69 73 20 | 2e 31 30 38 37 2e 20 20 |sses is |.1087.  |
|00001ae0| 4c 65 6d 6d 61 7e 5c 72 | 65 66 7b 77 65 61 6b 7d |Lemma~\r|ef{weak}|
|00001af0| 20 67 69 76 65 73 25 0a | 5c 66 6f 6f 74 6e 6f 74 | gives%.|\footnot|
|00001b00| 65 7b 57 65 20 64 69 76 | 69 64 65 20 62 79 20 32 |e{We div|ide by 2|
|00001b10| 20 74 6f 20 65 6c 69 6d | 69 6e 61 74 65 20 74 68 | to elim|inate th|
|00001b20| 65 20 70 72 6f 62 61 62 | 69 6c 69 74 79 20 6f 66 |e probab|ility of|
|00001b30| 20 24 5c 6c 65 34 38 30 | 24 2e 7d 0a 61 6e 20 75 | $\le480|$.}.an u|
|00001b40| 70 70 65 72 20 6c 69 6d | 69 74 20 6f 66 20 2e 33 |pper lim|it of .3|
|00001b50| 31 32 35 2c 0a 77 68 69 | 6c 65 20 4c 65 6d 6d 61 |125,.whi|le Lemma|
|00001b60| 7e 5c 72 65 66 7b 73 74 | 72 6f 6e 67 7d 20 67 69 |~\ref{st|rong} gi|
|00001b70| 76 65 73 20 2e 31 34 39 | 38 2e 20 20 28 74 68 65 |ves .149|8.  (the|
|00001b80| 73 65 20 66 69 67 75 72 | 65 73 20 63 6f 75 72 74 |se figur|es court|
|00001b90| 65 73 79 20 6f 66 20 0a | 4d 61 74 68 65 6d 61 74 |esy of .|Mathemat|
|00001ba0| 69 63 61 29 5c 70 71 20 | 4f 6e 65 20 72 65 61 73 |ica)\pq |One reas|
|00001bb0| 6f 6e 20 74 68 65 20 70 | 61 70 65 72 20 64 6f 65 |on the p|aper doe|
|00001bc0| 73 20 6e 6f 74 0a 75 73 | 65 20 4c 65 6d 6d 61 7e |s not.us|e Lemma~|
|00001bd0| 5c 72 65 66 7b 73 74 72 | 6f 6e 67 7d 20 69 73 20 |\ref{str|ong} is |
|00001be0| 74 68 61 74 20 69 74 20 | 64 6f 65 73 20 6e 6f 74 |that it |does not|
|00001bf0| 20 67 69 76 65 20 61 20 | 73 69 6d 70 6c 65 20 66 | give a |simple f|
|00001c00| 6f 72 6d 75 6c 61 20 66 | 6f 72 0a 68 6f 77 20 6c |ormula f|or.how l|
|00001c10| 61 72 67 65 20 24 72 24 | 20 77 6f 75 6c 64 20 68 |arge $r$| would h|
|00001c20| 61 76 65 20 74 6f 20 62 | 65 20 69 6e 20 74 65 72 |ave to b|e in ter|
|00001c30| 6d 73 20 6f 66 20 74 68 | 65 20 6f 74 68 65 72 20 |ms of th|e other |
|00001c40| 71 75 61 6e 74 69 74 69 | 65 73 2e 20 57 65 20 77 |quantiti|es. We w|
|00001c50| 69 6c 6c 0a 6e 6f 74 20 | 75 73 65 20 74 68 69 73 |ill.not |use this|
|00001c60| 20 72 65 73 75 6c 74 20 | 6c 61 74 65 72 2c 20 61 | result |later, a|
|00001c70| 6e 64 20 79 6f 75 20 73 | 68 6f 75 6c 64 20 73 6b |nd you s|hould sk|
|00001c80| 69 70 20 74 6f 20 73 65 | 63 74 69 6f 6e 7e 5c 72 |ip to se|ction~\r|
|00001c90| 65 66 7b 53 61 7d 0a 75 | 6e 6c 65 73 73 20 79 6f |ef{Sa}.u|nless yo|
|00001ca0| 75 20 6c 69 6b 65 20 74 | 6f 20 6d 61 6e 69 70 75 |u like t|o manipu|
|00001cb0| 6c 61 74 65 20 66 6f 72 | 6d 75 6c 61 73 2e 0a 5c |late for|mulas..\|
|00001cc0| 70 71 7b 5c 62 66 20 50 | 72 6f 6f 66 3a 7d 20 57 |pq{\bf P|roof:} W|
|00001cd0| 65 20 77 69 6c 6c 20 61 | 73 73 75 6d 65 20 24 70 |e will a|ssume $p|
|00001ce0| 72 2b 72 5c 70 73 69 24 | 20 69 73 20 69 6e 74 65 |r+r\psi$| is inte|
|00001cf0| 67 65 72 2e 0a 46 72 6f | 6d 20 74 68 65 20 62 69 |ger..Fro|m the bi|
|00001d00| 6e 6f 6d 69 61 6c 20 74 | 68 65 6f 72 65 6d 3a 0a |nomial t|heorem:.|
|00001d10| 5c 62 65 67 69 6e 7b 65 | 71 6e 61 72 72 61 79 2a |\begin{e|qnarray*|
|00001d20| 7d 0a 5c 50 72 28 53 5f | 72 5c 67 65 20 72 70 2b |}.\Pr(S_|r\ge rp+|
|00001d30| 72 5c 70 73 69 29 26 3d | 26 5c 73 75 6d 5f 7b 69 |r\psi)&=|&\sum_{i|
|00001d40| 5c 67 65 20 70 72 2b 72 | 5c 70 73 69 7d 0a 5c 6c |\ge pr+r|\psi}.\l|
|00001d50| 65 66 74 28 5c 62 65 67 | 69 6e 7b 61 72 72 61 79 |eft(\beg|in{array|
|00001d60| 7d 7b 63 7d 72 5c 5c 69 | 5c 65 6e 64 7b 61 72 72 |}{c}r\\i|\end{arr|
|00001d70| 61 79 7d 0a 5c 72 69 67 | 68 74 29 70 5e 69 28 31 |ay}.\rig|ht)p^i(1|
|00001d80| 2d 70 29 5e 7b 72 2d 69 | 7d 5c 5c 26 5c 6c 65 26 |-p)^{r-i|}\\&\le&|
|00001d90| 5c 6c 65 66 74 28 5c 62 | 65 67 69 6e 7b 61 72 72 |\left(\b|egin{arr|
|00001da0| 61 79 7d 7b 63 7d 72 5c | 5c 70 72 2b 72 5c 70 73 |ay}{c}r\|\pr+r\ps|
|00001db0| 69 5c 65 6e 64 7b 61 72 | 72 61 79 7d 0a 5c 72 69 |i\end{ar|ray}.\ri|
|00001dc0| 67 68 74 29 70 5e 7b 70 | 72 2b 72 5c 70 73 69 7d |ght)p^{p|r+r\psi}|
|00001dd0| 28 31 2d 70 29 5e 7b 72 | 2d 70 72 2d 72 5c 70 73 |(1-p)^{r|-pr-r\ps|
|00001de0| 69 7d 28 31 2b 5c 61 6c | 70 68 61 2b 5c 61 6c 70 |i}(1+\al|pha+\alp|
|00001df0| 68 61 5e 32 2b 5c 64 6f | 74 73 29 5c 5c 0a 26 26 |ha^2+\do|ts)\\.&&|
|00001e00| 5c 68 62 6f 78 7b 77 68 | 65 72 65 20 7d 5c 61 6c |\hbox{wh|ere }\al|
|00001e10| 70 68 61 3d 5c 66 72 61 | 63 7b 70 28 72 2d 70 72 |pha=\fra|c{p(r-pr|
|00001e20| 2d 72 5c 70 73 69 29 7d | 7b 28 31 2d 70 29 28 70 |-r\psi)}|{(1-p)(p|
|00001e30| 72 2b 72 5c 70 73 69 2b | 31 29 7d 0a 5c 65 6e 64 |r+r\psi+|1)}.\end|
|00001e40| 7b 65 71 6e 61 72 72 61 | 79 2a 7d 24 70 2b 5c 70 |{eqnarra|y*}$p+\p|
|00001e50| 73 69 5c 6c 65 31 24 20 | 69 6d 70 6c 69 65 73 20 |si\le1$ |implies |
|00001e60| 24 70 2d 70 5c 70 73 69 | 2d 70 5e 32 3e 30 24 20 |$p-p\psi|-p^2>0$ |
|00001e70| 61 6e 64 0a 24 24 5c 73 | 75 6d 5c 61 6c 70 68 61 |and.$$\s|um\alpha|
|00001e80| 5e 69 3d 5c 66 72 61 63 | 31 7b 31 2d 5c 61 6c 70 |^i=\frac|1{1-\alp|
|00001e90| 68 61 7d 3d 5c 66 72 61 | 63 7b 28 31 2d 70 29 28 |ha}=\fra|c{(1-p)(|
|00001ea0| 70 72 2b 72 5c 70 73 69 | 2b 31 29 7d 7b 72 5c 70 |pr+r\psi|+1)}{r\p|
|00001eb0| 73 69 2b 31 2d 70 7d 5c | 6c 65 0a 5c 66 72 61 63 |si+1-p}\|le.\frac|
|00001ec0| 7b 28 31 2d 70 29 28 70 | 2b 5c 70 73 69 29 7d 5c |{(1-p)(p|+\psi)}\|
|00001ed0| 70 73 69 24 24 20 77 68 | 69 63 68 20 67 69 76 65 |psi$$ wh|ich give|
|00001ee0| 73 20 74 68 65 20 73 65 | 63 6f 6e 64 20 66 61 63 |s the se|cond fac|
|00001ef0| 74 6f 72 20 6f 66 20 24 | 28 2a 29 24 2e 20 57 65 |tor of $|(*)$. We|
|00001f00| 0a 75 73 65 20 53 74 69 | 72 6c 69 6e 67 27 73 20 |.use Sti|rling's |
|00001f10| 66 6f 72 6d 75 6c 61 20 | 6f 6e 20 74 68 65 20 62 |formula |on the b|
|00001f20| 69 6e 6f 6d 69 61 6c 20 | 63 6f 65 66 66 69 63 69 |inomial |coeffici|
|00001f30| 65 6e 74 20 61 6e 64 20 | 67 72 6f 75 70 20 69 74 |ent and |group it|
|00001f40| 20 77 69 74 68 20 74 68 | 65 0a 70 6f 77 65 72 73 | with th|e.powers|
|00001f50| 20 6f 66 20 24 70 24 20 | 61 6e 64 20 24 31 2d 70 | of $p$ |and $1-p|
|00001f60| 24 20 74 6f 20 6f 62 74 | 61 69 6e 3a 0a 24 24 5c |$ to obt|ain:.$$\|
|00001f70| 6c 65 66 74 28 5c 66 72 | 61 63 20 31 7b 5c 73 71 |left(\fr|ac 1{\sq|
|00001f80| 72 74 7b 32 5c 70 69 20 | 72 28 70 2b 5c 70 73 69 |rt{2\pi |r(p+\psi|
|00001f90| 29 28 31 2d 70 2d 5c 70 | 73 69 29 7d 7d 5c 72 69 |)(1-p-\p|si)}}\ri|
|00001fa0| 67 68 74 29 0a 5c 6c 65 | 66 74 28 5c 66 72 61 63 |ght).\le|ft(\frac|
|00001fb0| 20 70 7b 70 2b 5c 70 73 | 69 7d 5c 72 69 67 68 74 | p{p+\ps|i}\right|
|00001fc0| 29 5e 7b 70 72 2b 72 5c | 70 73 69 7d 0a 5c 6c 65 |)^{pr+r\|psi}.\le|
|00001fd0| 66 74 28 5c 66 72 61 63 | 7b 31 2d 70 7d 7b 31 2d |ft(\frac|{1-p}{1-|
|00001fe0| 70 2d 5c 70 73 69 7d 5c | 72 69 67 68 74 29 5e 7b |p-\psi}\|right)^{|
|00001ff0| 72 2d 70 72 2d 5c 70 73 | 69 20 72 7d 5c 71 75 61 |r-pr-\ps|i r}\qua|
|00002000| 64 28 2a 2a 29 24 24 0a | 54 68 65 20 66 69 72 73 |d(**)$$.|The firs|
|00002010| 74 20 66 61 63 74 6f 72 | 20 6f 66 20 24 28 2a 2a |t factor| of $(**|
|00002020| 29 24 20 69 73 20 74 68 | 65 20 66 69 72 73 74 20 |)$ is th|e first |
|00002030| 66 61 63 74 6f 72 20 6f | 66 20 24 28 2a 29 24 2e |factor o|f $(*)$.|
|00002040| 20 20 57 65 0a 6f 62 74 | 61 69 6e 20 75 70 70 65 |  We.obt|ain uppe|
|00002050| 72 20 62 6f 75 6e 64 73 | 20 6f 6e 20 74 68 65 20 |r bounds| on the |
|00002060| 72 65 73 74 20 6f 66 20 | 24 28 2a 2a 29 24 2c 20 |rest of |$(**)$, |
|00002070| 75 73 69 6e 67 20 24 24 | 2d 41 2d 5c 66 72 61 63 |using $$|-A-\frac|
|00002080| 7b 41 5e 32 7d 7b 32 28 | 31 2d 41 29 7d 0a 5c 6c |{A^2}{2(|1-A)}.\l|
|00002090| 65 20 5c 6c 6e 28 31 2d | 41 29 5c 6c 65 2d 41 2d |e \ln(1-|A)\le-A-|
|000020a0| 5c 66 72 61 63 7b 41 5e | 32 7d 32 24 24 28 74 68 |\frac{A^|2}2$$(th|
|000020b0| 65 20 6c 6f 77 65 72 20 | 62 6f 75 6e 64 20 6f 6e |e lower |bound on|
|000020c0| 20 24 5c 6c 6e 28 31 2d | 41 29 24 20 0a 69 6e 76 | $\ln(1-|A)$ .inv|
|000020d0| 6f 6c 76 65 73 20 61 20 | 67 65 6f 6d 65 74 72 69 |olves a |geometri|
|000020e0| 63 20 73 65 72 69 65 73 | 29 0a 5c 62 65 67 69 6e |c series|).\begin|
|000020f0| 7b 65 71 6e 61 72 72 61 | 79 2a 7d 28 70 72 2b 72 |{eqnarra|y*}(pr+r|
|00002100| 5c 70 73 69 29 5c 6c 6e | 5c 6c 65 66 74 28 31 2d |\psi)\ln|\left(1-|
|00002110| 5c 66 72 61 63 5c 70 73 | 69 7b 70 2b 5c 70 73 69 |\frac\ps|i{p+\psi|
|00002120| 7d 5c 72 69 67 68 74 29 | 0a 26 5c 6c 65 26 2d 72 |}\right)|.&\le&-r|
|00002130| 5c 70 73 69 2d 5c 66 72 | 61 63 7b 72 5c 70 73 69 |\psi-\fr|ac{r\psi|
|00002140| 5e 32 7d 7b 32 28 70 2b | 5c 70 73 69 29 7d 5c 5c |^2}{2(p+|\psi)}\\|
|00002150| 0a 28 70 72 2b 5c 70 73 | 69 20 72 2d 72 29 5c 6c |.(pr+\ps|i r-r)\l|
|00002160| 6e 5c 6c 65 66 74 28 31 | 2d 5c 66 72 61 63 5c 70 |n\left(1|-\frac\p|
|00002170| 73 69 7b 31 2d 70 7d 5c | 72 69 67 68 74 29 26 5c |si{1-p}\|right)&\|
|00002180| 6c 65 26 0a 5c 66 72 61 | 63 7b 28 72 2d 70 72 2d |le&.\fra|c{(r-pr-|
|00002190| 72 5c 70 73 69 29 5c 70 | 73 69 7d 7b 31 2d 70 7d |r\psi)\p|si}{1-p}|
|000021a0| 2b 0a 5c 66 72 61 63 7b | 28 72 2d 70 72 2d 72 5c |+.\frac{|(r-pr-r\|
|000021b0| 70 73 69 29 5c 70 73 69 | 5e 32 28 31 2d 70 29 7d |psi)\psi|^2(1-p)}|
|000021c0| 7b 32 28 31 2d 70 29 5e | 32 28 31 2d 70 2d 5c 70 |{2(1-p)^|2(1-p-\p|
|000021d0| 73 69 29 7d 5c 5c 0a 26 | 3d 26 72 5c 70 73 69 2d |si)}\\.&|=&r\psi-|
|000021e0| 5c 66 72 61 63 7b 5c 70 | 73 69 5e 32 72 7d 7b 31 |\frac{\p|si^2r}{1|
|000021f0| 2d 70 7d 5c 6c 65 66 74 | 28 2d 31 2b 5c 66 72 61 |-p}\left|(-1+\fra|
|00002200| 63 31 32 5c 72 69 67 68 | 74 29 5c 65 6e 64 7b 65 |c12\righ|t)\end{e|
|00002210| 71 6e 61 72 72 61 79 2a | 7d 0a 41 64 64 69 6e 67 |qnarray*|}.Adding|
|00002220| 20 74 68 65 73 65 20 61 | 6e 64 20 75 73 69 6e 67 | these a|nd using|
|00002230| 20 24 5c 65 78 70 24 20 | 67 69 76 65 73 20 74 68 | $\exp$ |gives th|
|00002240| 65 20 72 65 6d 61 69 6e | 69 6e 67 20 66 61 63 74 |e remain|ing fact|
|00002250| 6f 72 20 6f 66 20 24 28 | 2a 29 24 2e 0a 5c 73 75 |or of $(|*)$..\su|
|00002260| 62 73 65 63 74 69 6f 6e | 7b 54 68 65 20 6d 61 67 |bsection|{The mag|
|00002270| 69 63 20 6f 66 20 73 61 | 6d 70 6c 69 6e 67 5c 6c |ic of sa|mpling\l|
|00002280| 61 62 65 6c 7b 53 61 7d | 7d 0a 57 65 20 68 61 76 |abel{Sa}|}.We hav|
|00002290| 65 20 24 31 30 5e 36 24 | 20 65 6e 76 65 6c 6f 70 |e $10^6$| envelop|
|000022a0| 65 73 2e 20 20 49 6e 73 | 69 64 65 20 65 61 63 68 |es.  Ins|ide each|
|000022b0| 20 65 6e 76 65 6c 6f 70 | 65 20 69 73 20 61 20 70 | envelop|e is a p|
|000022c0| 69 65 63 65 20 6f 66 20 | 70 61 70 65 72 20 77 69 |iece of |paper wi|
|000022d0| 74 68 0a 30 20 6f 72 20 | 31 20 77 72 69 74 74 65 |th.0 or |1 writte|
|000022e0| 6e 20 6f 6e 20 69 74 2e | 20 20 49 66 20 77 65 20 |n on it.|  If we |
|000022f0| 77 61 6e 74 20 74 6f 20 | 6b 6e 6f 77 20 65 78 61 |want to |know exa|
|00002300| 63 74 6c 79 20 68 6f 77 | 20 6d 61 6e 79 20 65 6e |ctly how| many en|
|00002310| 76 65 6c 6f 70 65 73 20 | 68 61 76 65 0a 65 61 63 |velopes |have.eac|
|00002320| 68 20 6e 75 6d 62 65 72 | 2c 20 77 65 20 68 61 76 |h number|, we hav|
|00002330| 65 20 74 6f 20 6f 70 65 | 6e 20 74 68 65 6d 20 61 |e to ope|n them a|
|00002340| 6c 6c 2e 20 20 53 75 70 | 70 6f 73 65 20 77 65 20 |ll.  Sup|pose we |
|00002350| 77 61 6e 74 20 74 6f 20 | 65 73 74 69 6d 61 74 65 |want to |estimate|
|00002360| 20 74 68 65 0a 66 72 61 | 63 74 69 6f 6e 20 6f 66 | the.fra|ction of|
|00002370| 20 74 68 65 20 65 6e 76 | 65 6c 6f 70 65 73 20 6f | the env|elopes o|
|00002380| 66 20 65 61 63 68 20 6b | 69 6e 64 2c 20 61 6e 64 |f each k|ind, and|
|00002390| 20 77 65 20 77 61 6e 74 | 20 74 68 65 20 70 72 6f | we want| the pro|
|000023a0| 70 6f 72 74 69 6f 6e 20 | 74 6f 20 62 65 0a 61 63 |portion |to be.ac|
|000023b0| 63 75 72 61 74 65 20 74 | 6f 20 77 69 74 68 69 6e |curate t|o within|
|000023c0| 20 2e 30 35 2e 20 20 4e | 6f 77 20 77 65 20 6e 65 | .05.  N|ow we ne|
|000023d0| 65 64 20 6f 6e 6c 79 20 | 6f 70 65 6e 20 24 39 28 |ed only |open $9(|
|000023e0| 31 30 5e 35 29 24 20 65 | 6e 76 65 6c 6f 70 65 73 |10^5)$ e|nvelopes|
|000023f0| 2e 0a 5c 70 71 20 54 68 | 65 20 73 69 74 75 61 74 |..\pq Th|e situat|
|00002400| 69 6f 6e 20 63 68 61 6e | 67 65 73 20 64 72 61 6d |ion chan|ges dram|
|00002410| 61 74 69 63 61 6c 6c 79 | 20 69 66 20 77 65 20 6f |atically| if we o|
|00002420| 6e 6c 79 20 77 61 6e 74 | 20 74 6f 20 65 73 74 69 |nly want| to esti|
|00002430| 6d 61 74 65 20 74 68 65 | 0a 70 72 6f 70 6f 72 74 |mate the|.proport|
|00002440| 69 6f 6e 20 77 69 74 68 | 20 68 69 67 68 20 70 72 |ion with| high pr|
|00002450| 6f 62 61 62 69 6c 69 74 | 79 2e 20 20 49 66 20 77 |obabilit|y.  If w|
|00002460| 65 20 61 72 65 20 77 69 | 6c 6c 69 6e 67 20 74 6f |e are wi|lling to|
|00002470| 20 61 63 63 65 70 74 20 | 61 20 2e 30 31 0a 70 72 | accept |a .01.pr|
|00002480| 6f 62 61 62 69 6c 69 74 | 79 20 6f 66 20 61 6e 20 |obabilit|y of an |
|00002490| 65 72 72 6f 72 20 24 3e | 2e 30 35 24 2c 20 4c 65 |error $>|.05$, Le|
|000024a0| 6d 6d 61 7e 5c 72 65 66 | 7b 77 65 61 6b 7d 20 69 |mma~\ref|{weak} i|
|000024b0| 6d 70 6c 69 65 73 20 77 | 65 20 6f 6e 6c 79 20 6e |mplies w|e only n|
|000024c0| 65 65 64 0a 74 6f 20 6f | 70 65 6e 20 61 20 72 61 |eed.to o|pen a ra|
|000024d0| 6e 64 6f 6d 6c 79 20 63 | 68 6f 73 65 6e 20 73 61 |ndomly c|hosen sa|
|000024e0| 6d 70 6c 65 20 6f 66 20 | 24 31 30 5e 34 24 20 65 |mple of |$10^4$ e|
|000024f0| 6e 76 65 6c 6f 70 65 73 | 5c 66 6f 6f 74 6e 6f 74 |nvelopes|\footnot|
|00002500| 65 7b 4c 65 6d 6d 61 0a | 5c 72 65 66 7b 73 74 72 |e{Lemma.|\ref{str|
|00002510| 6f 6e 67 7d 20 61 6e 64 | 20 4d 61 74 68 6d 61 74 |ong} and| Mathmat|
|00002520| 69 63 61 20 73 75 67 67 | 65 73 74 20 34 30 30 20 |ica sugg|est 400 |
|00002530| 65 6e 76 65 6c 6f 70 65 | 73 20 61 72 65 20 65 6e |envelope|s are en|
|00002540| 6f 75 67 68 2e 7d 2e 0a | 5c 70 71 20 54 68 65 20 |ough.}..|\pq The |
|00002550| 73 70 65 63 69 61 6c 20 | 66 65 61 74 75 72 65 20 |special |feature |
|00002560| 6f 66 20 70 72 6f 62 6c | 65 6d 73 20 69 6e 76 6f |of probl|ems invo|
|00002570| 6c 76 69 6e 67 20 73 71 | 75 61 72 65 73 20 61 6e |lving sq|uares an|
|00002580| 64 20 70 73 65 75 64 6f | 2d 25 0a 73 71 75 61 72 |d pseudo|-%.squar|
|00002590| 65 73 20 69 73 20 74 68 | 61 74 20 73 61 6d 70 6c |es is th|at sampl|
|000025a0| 69 6e 67 20 69 73 20 70 | 6f 73 73 69 62 6c 65 2e |ing is p|ossible.|
|000025b0| 20 20 57 65 20 73 61 77 | 20 69 6e 20 6f 75 72 20 |  We saw| in our |
|000025c0| 64 69 73 63 75 73 73 69 | 6f 6e 20 6f 66 0a 74 68 |discussi|on of.th|
|000025d0| 65 20 52 61 62 69 6e 20 | 73 79 73 74 65 6d 20 74 |e Rabin |system t|
|000025e0| 68 61 74 20 65 76 65 72 | 79 20 6e 75 6d 62 65 72 |hat ever|y number|
|000025f0| 20 6d 6f 64 20 24 6e 24 | 20 68 61 73 20 66 6f 75 | mod $n$| has fou|
|00002600| 72 20 73 71 75 61 72 65 | 20 72 6f 6f 74 73 2e 0a |r square| roots..|
|00002610| 54 68 75 73 20 69 66 20 | 77 65 20 63 68 6f 6f 73 |Thus if |we choos|
|00002620| 65 20 6f 6e 65 20 6f 66 | 20 74 68 65 20 24 28 70 |e one of| the $(p|
|00002630| 2d 31 29 28 71 2d 31 29 | 24 20 6e 75 6d 62 65 72 |-1)(q-1)|$ number|
|00002640| 73 20 24 78 24 20 6e 6f | 74 20 64 69 76 69 73 69 |s $x$ no|t divisi|
|00002650| 62 6c 65 25 0a 5c 66 6f | 6f 74 6e 6f 74 65 7b 45 |ble%.\fo|otnote{E|
|00002660| 76 65 6e 20 74 68 6f 75 | 67 68 20 24 70 2c 71 24 |ven thou|gh $p,q$|
|00002670| 20 61 72 65 20 75 6e 6b | 6e 6f 77 6e 2c 20 74 68 | are unk|nown, th|
|00002680| 65 20 67 63 64 20 6f 66 | 20 24 78 2c 6e 24 20 63 |e gcd of| $x,n$ c|
|00002690| 61 6e 0a 62 65 20 63 6f | 6d 70 75 74 65 64 2e 7d |an.be co|mputed.}|
|000026a0| 20 62 79 20 24 70 24 20 | 6f 72 20 24 71 24 0a 20 | by $p$ |or $q$. |
|000026b0| 61 6e 64 20 63 6f 6d 70 | 75 74 65 20 24 78 5e 32 |and comp|ute $x^2|
|000026c0| 24 7e 6d 6f 64 7e 6e 2c | 20 65 61 63 68 20 73 71 |$~mod~n,| each sq|
|000026d0| 75 61 72 65 20 68 61 73 | 20 61 20 24 28 70 2d 31 |uare has| a $(p-1|
|000026e0| 29 28 71 2d 31 29 2f 34 | 24 0a 63 68 61 6e 63 65 |)(q-1)/4|$.chance|
|000026f0| 20 6f 66 20 62 65 69 6e | 67 20 63 68 6f 73 65 6e | of bein|g chosen|
|00002700| 2e 20 20 49 74 20 69 73 | 20 61 6c 73 6f 20 69 6d |.  It is| also im|
|00002710| 70 6f 72 74 61 6e 74 20 | 74 68 61 74 20 69 74 20 |portant |that it |
|00002720| 69 73 20 70 6f 73 73 69 | 62 6c 65 20 74 6f 0a 73 |is possi|ble to.s|
|00002730| 61 6d 70 6c 65 20 66 72 | 6f 6d 20 24 5a 5e 31 5f |ample fr|om $Z^1_|
|00002740| 6e 24 20 28 74 68 65 20 | 73 65 74 20 6f 66 20 73 |n$ (the |set of s|
|00002750| 71 75 61 72 65 73 20 61 | 6e 64 20 70 73 65 75 64 |quares a|nd pseud|
|00002760| 6f 2d 73 71 75 61 72 65 | 73 29 20 65 76 65 6e 20 |o-square|s) even |
|00002770| 69 66 0a 24 70 2c 71 24 | 20 61 72 65 20 6e 6f 74 |if.$p,q$| are not|
|00002780| 20 6b 6e 6f 77 6e 2e 5c | 62 65 67 69 6e 7b 4c 65 | known.\|begin{Le|
|00002790| 7d 20 5c 6c 61 62 65 6c | 7b 4a 61 63 7d 54 68 65 |} \label|{Jac}The|
|000027a0| 72 65 20 69 73 20 61 6e | 20 65 66 66 69 63 69 65 |re is an| efficie|
|000027b0| 6e 74 20 61 6c 67 6f 72 | 69 74 68 6d 20 66 6f 72 |nt algor|ithm for|
|000027c0| 0a 64 65 63 69 64 69 6e | 67 20 69 66 20 24 61 5c |.decidin|g if $a\|
|000027d0| 69 6e 20 5a 5e 31 5f 6e | 24 2e 5c 65 6e 64 7b 4c |in Z^1_n|$.\end{L|
|000027e0| 65 7d 54 68 65 20 70 72 | 6f 6f 66 20 6f 66 20 74 |e}The pr|oof of t|
|000027f0| 68 69 73 20 69 73 20 64 | 69 66 66 69 63 75 6c 74 |his is d|ifficult|
|00002800| 2c 20 0a 69 6e 76 6f 6c | 76 69 6e 67 20 60 60 71 |, .invol|ving ``q|
|00002810| 75 61 64 72 61 74 69 63 | 20 72 65 63 69 70 72 6f |uadratic| recipro|
|00002820| 63 69 74 79 27 27 20 61 | 6e 64 20 74 68 65 20 60 |city'' a|nd the `|
|00002830| 60 4a 61 63 6f 62 69 20 | 73 79 6d 62 6f 6c 2e 27 |`Jacobi |symbol.'|
|00002840| 27 20 20 54 68 65 0a 61 | 6c 67 6f 72 69 74 68 6d |'  The.a|lgorithm|
|00002850| 20 69 74 73 65 6c 66 20 | 69 73 20 6e 6f 74 20 74 | itself |is not t|
|00002860| 68 61 74 20 63 6f 6d 70 | 6c 69 63 61 74 65 64 2c |hat comp|licated,|
|00002870| 20 61 6e 64 20 69 73 20 | 67 69 76 65 6e 20 69 6e | and is |given in|
|00002880| 20 74 68 65 20 52 53 41 | 20 0a 70 61 70 65 72 2e | the RSA| .paper.|
|00002890| 5c 70 71 20 47 69 76 65 | 6e 20 74 68 69 73 20 6c |\pq Give|n this l|
|000028a0| 65 6d 6d 61 2c 20 77 65 | 20 63 61 6e 20 73 61 6d |emma, we| can sam|
|000028b0| 70 6c 65 20 69 6e 20 24 | 5a 5e 31 5f 6e 24 20 62 |ple in $|Z^1_n$ b|
|000028c0| 79 20 63 68 6f 6f 73 69 | 6e 67 20 24 78 24 0a 61 |y choosi|ng $x$.a|
|000028d0| 74 20 72 61 6e 64 6f 6d | 20 61 6e 64 20 74 65 73 |t random| and tes|
|000028e0| 74 69 6e 67 20 69 66 20 | 69 74 20 69 73 20 69 6e |ting if |it is in|
|000028f0| 20 74 68 65 20 73 65 74 | 2e 20 20 49 66 20 6e 6f | the set|.  If no|
|00002900| 74 2c 20 61 6e 6f 74 68 | 65 72 20 24 78 24 20 69 |t, anoth|er $x$ i|
|00002910| 73 0a 63 68 6f 73 65 6e | 2e 20 20 53 69 6e 63 65 |s.chosen|.  Since|
|00002920| 20 72 6f 75 67 68 6c 79 | 20 68 61 6c 66 20 6f 66 | roughly| half of|
|00002930| 20 24 31 5c 6c 65 20 78 | 5c 6c 65 20 6e 24 20 69 | $1\le x|\le n$ i|
|00002940| 73 20 69 6e 20 24 5a 5e | 31 5f 6e 24 2c 20 74 68 |s in $Z^|1_n$, th|
|00002950| 69 73 20 77 6f 6e 27 74 | 0a 74 61 6b 65 20 74 6f |is won't|.take to|
|00002960| 6f 20 6c 6f 6e 67 2e 5c | 70 71 20 54 68 65 20 64 |o long.\|pq The d|
|00002970| 69 66 66 65 72 65 6e 74 | 20 73 61 6d 70 6c 69 6e |ifferent| samplin|
|00002980| 67 20 70 6f 73 73 69 62 | 69 6c 69 74 69 65 73 20 |g possib|ilities |
|00002990| 77 65 20 68 61 76 65 20 | 64 69 73 63 75 73 73 65 |we have |discusse|
|000029a0| 64 0a 73 6f 20 66 61 72 | 20 68 61 76 65 20 61 6c |d.so far| have al|
|000029b0| 6c 20 61 73 73 75 6d 65 | 64 20 74 68 61 74 20 6f |l assume|d that o|
|000029c0| 6e 6c 79 20 24 6e 24 20 | 77 61 73 20 6b 6e 6f 77 |nly $n$ |was know|
|000029d0| 6e 2e 20 20 49 66 20 77 | 65 20 61 72 65 20 67 69 |n.  If w|e are gi|
|000029e0| 76 65 6e 20 61 20 73 69 | 6e 67 6c 65 0a 70 73 65 |ven a si|ngle.pse|
|000029f0| 75 64 6f 2d 73 71 75 61 | 72 65 20 24 79 24 2c 20 |udo-squa|re $y$, |
|00002a00| 77 65 20 63 61 6e 20 73 | 61 6d 70 6c 65 20 61 6d |we can s|ample am|
|00002a10| 6f 6e 67 20 61 6c 6c 20 | 70 73 65 75 64 6f 2d 73 |ong all |pseudo-s|
|00002a20| 71 75 61 72 65 73 20 62 | 79 20 63 61 6c 63 75 6c |quares b|y calcul|
|00002a30| 61 74 69 6e 67 0a 24 79 | 78 5e 32 24 20 66 6f 72 |ating.$y|x^2$ for|
|00002a40| 20 24 78 24 20 72 61 6e | 64 6f 6d 6c 79 20 63 68 | $x$ ran|domly ch|
|00002a50| 6f 73 65 6e 2e 0a 5c 70 | 71 20 54 68 65 20 70 6f |osen..\p|q The po|
|00002a60| 73 73 69 62 69 6c 69 74 | 79 20 6f 66 20 64 6f 69 |ssibilit|y of doi|
|00002a70| 6e 67 20 74 68 65 73 65 | 20 76 61 72 69 6f 75 73 |ng these| various|
|00002a80| 20 6b 69 6e 64 73 20 6f | 66 20 73 61 6d 70 6c 69 | kinds o|f sampli|
|00002a90| 6e 67 0a 69 73 20 63 6c | 6f 73 65 6c 79 20 72 65 |ng.is cl|osely re|
|00002aa0| 6c 61 74 65 64 20 74 6f | 20 70 72 6f 70 65 72 74 |lated to| propert|
|00002ab0| 69 65 73 20 32 28 61 29 | 20 61 6e 64 20 28 63 29 |ies 2(a)| and (c)|
|00002ac0| 20 69 6e 20 74 68 65 20 | 70 61 70 65 72 20 28 70 | in the |paper (p|
|00002ad0| 2e 7e 32 37 37 29 2e 0a | 5c 73 75 62 73 65 63 74 |.~277)..|\subsect|
|00002ae0| 69 6f 6e 7b 44 65 74 65 | 72 6d 69 6e 69 6e 67 20 |ion{Dete|rmining |
|00002af0| 61 6c 67 6f 72 69 74 68 | 6d 20 70 65 72 66 6f 72 |algorith|m perfor|
|00002b00| 6d 61 6e 63 65 20 62 79 | 20 73 61 6d 70 6c 69 6e |mance by| samplin|
|00002b10| 67 7d 5c 6c 61 62 65 6c | 7b 73 61 6d 70 7d 0a 57 |g}\label|{samp}.W|
|00002b20| 65 20 61 72 65 20 69 6e | 74 65 72 65 73 74 65 64 |e are in|terested|
|00002b30| 20 69 6e 20 61 6c 67 6f | 72 69 74 68 6d 73 20 66 | in algo|rithms f|
|00002b40| 6f 72 20 64 65 63 69 64 | 69 6e 67 20 77 68 65 74 |or decid|ing whet|
|00002b50| 68 65 72 20 61 20 67 69 | 76 65 6e 20 6e 75 6d 62 |her a gi|ven numb|
|00002b60| 65 72 0a 69 73 20 6f 72 | 20 69 73 20 6e 6f 74 20 |er.is or| is not |
|00002b70| 61 20 73 71 75 61 72 65 | 2e 20 20 41 73 20 77 69 |a square|.  As wi|
|00002b80| 74 68 20 74 68 65 20 61 | 6c 67 6f 72 69 74 68 6d |th the a|lgorithm|
|00002b90| 20 69 6e 20 53 65 63 74 | 69 6f 6e 7e 5c 72 65 66 | in Sect|ion~\ref|
|00002ba0| 7b 70 72 69 6d 7d 2c 0a | 74 68 65 72 65 20 69 73 |{prim},.|there is|
|00002bb0| 20 73 6f 6d 65 20 70 72 | 6f 62 61 62 69 6c 69 74 | some pr|obabilit|
|00002bc0| 79 20 74 68 61 74 2c 20 | 66 6f 72 20 61 20 67 69 |y that, |for a gi|
|00002bd0| 76 65 6e 20 69 6e 70 75 | 74 20 24 61 24 2c 20 74 |ven inpu|t $a$, t|
|00002be0| 68 65 20 61 6c 67 6f 72 | 69 74 68 6d 0a 6d 61 79 |he algor|ithm.may|
|00002bf0| 20 67 69 76 65 20 74 68 | 65 20 77 72 6f 6e 67 20 | give th|e wrong |
|00002c00| 61 6e 73 77 65 72 2e 0a | 5c 70 71 20 4c 65 74 20 |answer..|\pq Let |
|00002c10| 24 70 5f 61 24 20 62 65 | 20 74 68 65 20 70 72 6f |$p_a$ be| the pro|
|00002c20| 62 61 62 69 6c 69 74 79 | 20 74 68 61 74 20 61 20 |bability| that a |
|00002c30| 67 69 76 65 6e 20 61 6c | 67 6f 72 69 74 68 6d 20 |given al|gorithm |
|00002c40| 67 69 76 65 73 20 74 68 | 65 20 63 6f 72 72 65 63 |gives th|e correc|
|00002c50| 74 0a 61 6e 73 77 65 72 | 20 66 6f 72 20 69 6e 70 |t.answer| for inp|
|00002c60| 75 74 20 24 61 24 2e 20 | 20 57 65 20 61 72 65 20 |ut $a$. | We are |
|00002c70| 61 6c 73 6f 20 69 6e 74 | 65 72 65 73 74 65 64 20 |also int|erested |
|00002c80| 69 6e 20 24 70 5f 53 24 | 2c 20 77 68 69 63 68 20 |in $p_S$|, which |
|00002c90| 69 73 20 74 68 65 0a 61 | 76 65 72 61 67 65 20 6f |is the.a|verage o|
|00002ca0| 66 20 24 70 5f 61 24 20 | 6f 76 65 72 20 61 6c 6c |f $p_a$ |over all|
|00002cb0| 20 73 71 75 61 72 65 73 | 20 24 61 24 2c 20 61 6e | squares| $a$, an|
|00002cc0| 64 20 24 70 5f 7b 50 53 | 7d 24 2c 20 74 68 65 20 |d $p_{PS|}$, the |
|00002cd0| 61 76 65 72 61 67 65 20 | 6f 76 65 72 0a 61 6c 6c |average |over.all|
|00002ce0| 20 70 73 65 75 64 6f 2d | 73 71 75 61 72 65 73 2c | pseudo-|squares,|
|00002cf0| 20 61 6e 64 20 24 70 5f | 5a 24 2c 20 74 68 65 20 | and $p_|Z$, the |
|00002d00| 61 76 65 72 61 67 65 20 | 6f 66 20 24 70 5f 61 24 |average |of $p_a$|
|00002d10| 20 6f 76 65 72 20 61 6c | 6c 20 24 61 5c 69 6e 20 | over al|l $a\in |
|00002d20| 5a 5e 31 5f 6e 24 2e 0a | 5c 70 71 20 49 66 20 77 |Z^1_n$..|\pq If w|
|00002d30| 65 20 61 72 65 20 67 69 | 76 65 6e 20 61 6e 20 61 |e are gi|ven an a|
|00002d40| 6c 67 6f 72 69 74 68 6d | 2c 20 77 65 20 63 61 6e |lgorithm|, we can|
|00002d50| 20 65 61 73 69 6c 79 20 | 64 65 74 65 72 6d 69 6e | easily |determin|
|00002d60| 65 20 24 70 5f 53 24 20 | 62 79 0a 72 75 6e 6e 69 |e $p_S$ |by.runni|
|00002d70| 6e 67 20 69 74 20 77 69 | 74 68 20 69 6e 70 75 74 |ng it wi|th input|
|00002d80| 20 24 61 3d 78 5e 32 24 | 20 6f 6e 20 61 20 73 61 | $a=x^2$| on a sa|
|00002d90| 6d 70 6c 65 20 6f 66 20 | 72 61 6e 64 6f 6d 6c 79 |mple of |randomly|
|00002da0| 20 63 68 6f 73 65 6e 20 | 24 78 24 20 61 6e 64 0a | chosen |$x$ and.|
|00002db0| 63 6f 75 6e 74 69 6e 67 | 20 74 68 65 20 6e 75 6d |counting| the num|
|00002dc0| 62 65 72 20 6f 66 20 74 | 69 6d 65 73 20 74 68 65 |ber of t|imes the|
|00002dd0| 20 61 6c 67 6f 72 69 74 | 68 6d 20 61 6e 73 77 65 | algorit|hm answe|
|00002de0| 72 73 20 60 60 74 68 69 | 73 20 69 73 20 61 20 73 |rs ``thi|s is a s|
|00002df0| 71 75 61 72 65 2e 27 27 | 0a 5c 70 71 20 54 68 65 |quare.''|.\pq The|
|00002e00| 20 70 72 6f 63 65 64 75 | 72 65 20 66 6f 72 20 64 | procedu|re for d|
|00002e10| 65 74 65 72 6d 69 6e 69 | 6e 67 20 24 70 5f 5a 24 |etermini|ng $p_Z$|
|00002e20| 20 69 73 20 6d 6f 72 65 | 20 65 6c 61 62 6f 72 61 | is more| elabora|
|00002e30| 74 65 2e 20 20 53 75 70 | 70 6f 73 65 20 77 65 0a |te.  Sup|pose we.|
|00002e40| 68 61 76 65 20 61 6e 20 | 61 6c 67 6f 72 69 74 68 |have an |algorith|
|00002e50| 6d 20 66 6f 72 20 77 68 | 69 63 68 20 24 70 5f 53 |m for wh|ich $p_S|
|00002e60| 3d 2e 36 24 2e 20 20 55 | 73 69 6e 67 20 4c 65 6d |=.6$.  U|sing Lem|
|00002e70| 6d 61 7e 5c 72 65 66 7b | 4a 61 63 7d 2c 20 67 65 |ma~\ref{|Jac}, ge|
|00002e80| 6e 65 72 61 74 65 0a 61 | 20 73 61 6d 70 6c 65 20 |nerate.a| sample |
|00002e90| 6f 66 20 31 30 30 20 6d | 65 6d 62 65 72 73 20 6f |of 100 m|embers o|
|00002ea0| 66 20 24 5c 7a 6f 24 2c | 20 61 6e 64 20 72 75 6e |f $\zo$,| and run|
|00002eb0| 20 74 68 65 20 61 6c 67 | 6f 72 69 74 68 6d 20 6f | the alg|orithm o|
|00002ec0| 6e 20 65 61 63 68 20 6f | 66 20 74 68 65 6d 2e 0a |n each o|f them..|
|00002ed0| 53 75 70 70 6f 73 65 20 | 77 65 20 67 65 74 20 74 |Suppose |we get t|
|00002ee0| 68 65 20 61 6e 73 77 65 | 72 20 60 60 74 68 69 73 |he answe|r ``this|
|00002ef0| 20 69 73 20 61 20 73 71 | 75 61 72 65 27 27 20 36 | is a sq|uare'' 6|
|00002f00| 35 20 74 69 6d 65 73 2e | 20 20 54 68 65 72 65 20 |5 times.|  There |
|00002f10| 61 72 65 20 0a 24 5c 73 | 69 6d 35 30 24 20 73 71 |are .$\s|im50$ sq|
|00002f20| 75 61 72 65 73 20 69 6e | 20 74 68 65 20 73 61 6d |uares in| the sam|
|00002f30| 70 6c 65 2c 20 6f 6e 20 | 77 68 69 63 68 20 74 68 |ple, on |which th|
|00002f40| 65 72 65 20 68 61 76 65 | 20 62 65 65 6e 20 2e 36 |ere have| been .6|
|00002f50| 28 35 30 29 20 63 6f 72 | 72 65 63 74 0a 72 65 73 |(50) cor|rect.res|
|00002f60| 70 6f 6e 73 65 73 20 61 | 6e 64 20 32 30 20 69 6e |ponses a|nd 20 in|
|00002f70| 63 6f 72 72 65 63 74 2e | 20 20 50 73 65 75 64 6f |correct.|  Pseudo|
|00002f80| 2d 73 71 75 61 72 65 73 | 20 68 61 76 65 20 62 65 |-squares| have be|
|00002f90| 65 6e 20 69 64 65 6e 74 | 69 66 69 65 64 20 61 73 |en ident|ified as|
|00002fa0| 20 0a 73 71 75 61 72 65 | 73 20 24 36 35 2d 33 30 | .square|s $65-30|
|00002fb0| 3d 33 35 24 20 74 69 6d | 65 73 2c 20 77 68 69 63 |=35$ tim|es, whic|
|00002fc0| 68 20 73 75 67 67 65 73 | 74 73 20 24 5c 70 73 5c |h sugges|ts $\ps\|
|00002fd0| 61 70 70 72 6f 78 31 35 | 2f 35 30 24 2e 20 20 46 |approx15|/50$.  F|
|00002fe0| 69 6e 61 6c 6c 79 0a 24 | 70 5f 5a 3d 28 70 5f 53 |inally.$|p_Z=(p_S|
|00002ff0| 2b 5c 70 73 29 2f 32 5c | 61 70 70 72 6f 78 2e 34 |+\ps)/2\|approx.4|
|00003000| 35 24 2e 5c 70 71 20 4c | 65 6d 6d 61 7e 5c 72 65 |5$.\pq L|emma~\re|
|00003010| 66 7b 77 65 61 6b 7d 20 | 6f 72 20 5c 72 65 66 7b |f{weak} |or \ref{|
|00003020| 73 74 72 6f 6e 67 7d 20 | 63 61 6e 0a 62 65 20 75 |strong} |can.be u|
|00003030| 73 65 64 20 74 6f 20 64 | 65 74 65 72 6d 69 6e 65 |sed to d|etermine|
|00003040| 20 74 68 65 20 70 72 6f | 62 61 62 69 6c 69 74 79 | the pro|bability|
|00003050| 20 74 68 61 74 20 74 68 | 65 73 65 20 65 73 74 69 | that th|ese esti|
|00003060| 6d 61 74 65 73 20 63 6f | 6d 65 20 77 69 74 68 69 |mates co|me withi|
|00003070| 6e 0a 61 20 73 70 65 63 | 69 66 69 65 64 20 61 6d |n.a spec|ified am|
|00003080| 6f 75 6e 74 2e 0a 5c 73 | 75 62 73 65 63 74 69 6f |ount..\s|ubsectio|
|00003090| 6e 7b 54 77 6f 20 76 65 | 72 73 69 6f 6e 73 20 6f |n{Two ve|rsions o|
|000030a0| 66 20 51 52 41 7d 0a 5c | 62 65 67 69 6e 7b 65 6e |f QRA}.\|begin{en|
|000030b0| 75 6d 65 72 61 74 65 7d | 5c 69 74 65 6d 20 54 68 |umerate}|\item Th|
|000030c0| 65 72 65 20 69 73 20 6e | 6f 20 65 66 66 69 63 69 |ere is n|o effici|
|000030d0| 65 6e 74 20 61 6c 67 6f | 72 69 74 68 6d 20 66 6f |ent algo|rithm fo|
|000030e0| 72 20 64 69 73 74 69 6e | 67 75 69 73 68 69 6e 67 |r distin|guishing|
|000030f0| 0a 73 71 75 61 72 65 73 | 20 66 72 6f 6d 20 70 73 |.squares| from ps|
|00003100| 65 75 64 6f 2d 73 71 75 | 61 72 65 73 20 77 69 74 |eudo-squ|ares wit|
|00003110| 68 20 24 70 5f 61 3e 31 | 2d 5c 65 70 73 69 6c 6f |h $p_a>1|-\epsilo|
|00003120| 6e 24 20 66 6f 72 20 61 | 6c 6c 20 24 61 5c 69 6e |n$ for a|ll $a\in|
|00003130| 20 5c 7a 6f 24 2e 0a 5c | 69 74 65 6d 20 54 68 65 | \zo$..\|item The|
|00003140| 72 65 20 69 73 20 6e 6f | 20 65 66 66 69 63 69 65 |re is no| efficie|
|00003150| 6e 74 20 61 6c 67 6f 72 | 69 74 68 6d 20 77 69 74 |nt algor|ithm wit|
|00003160| 68 20 24 70 5f 5a 3e 2e | 35 2b 5c 65 70 73 69 6c |h $p_Z>.|5+\epsil|
|00003170| 6f 6e 24 0a 5c 65 6e 64 | 7b 65 6e 75 6d 65 72 61 |on$.\end|{enumera|
|00003180| 74 65 7d 5c 70 61 72 20 | 49 74 20 77 6f 75 6c 64 |te}\par |It would|
|00003190| 20 73 65 65 6d 20 74 68 | 61 74 20 28 31 29 20 69 | seem th|at (1) i|
|000031a0| 73 20 6e 6f 74 20 61 73 | 20 73 74 72 6f 6e 67 20 |s not as| strong |
|000031b0| 61 73 20 28 32 29 2e 20 | 4e 6f 74 65 0a 74 68 61 |as (2). |Note.tha|
|000031c0| 74 20 28 32 29 20 77 6f | 75 6c 64 20 72 75 6c 65 |t (2) wo|uld rule|
|000031d0| 20 6f 75 74 20 61 6e 20 | 61 6c 67 6f 72 69 74 68 | out an |algorith|
|000031e0| 6d 20 77 69 74 68 20 24 | 70 5f 53 3d 2e 39 24 20 |m with $|p_S=.9$ |
|000031f0| 61 6e 64 20 24 5c 70 73 | 3d 2e 32 24 2e 20 20 54 |and $\ps|=.2$.  T|
|00003200| 68 69 73 20 0a 77 6f 75 | 6c 64 20 62 65 20 73 6f |his .wou|ld be so|
|00003210| 6d 65 74 68 69 6e 67 20 | 74 68 61 74 20 73 61 79 |mething |that say|
|00003220| 73 20 60 60 74 68 69 73 | 20 69 73 20 61 20 73 71 |s ``this| is a sq|
|00003230| 75 61 72 65 27 27 20 6d | 6f 73 74 20 6f 66 20 74 |uare'' m|ost of t|
|00003240| 68 65 20 74 69 6d 65 2c | 20 0a 6f 63 63 61 73 69 |he time,| .occasi|
|00003250| 6f 6e 61 6c 6c 79 20 63 | 6f 72 72 65 63 74 6c 79 |onally c|orrectly|
|00003260| 20 69 64 65 6e 74 69 66 | 79 69 6e 67 20 61 20 70 | identif|ying a p|
|00003270| 73 65 75 64 6f 2d 73 71 | 75 61 72 65 2e 20 20 48 |seudo-sq|uare.  H|
|00003280| 6f 77 65 76 65 72 2c 20 | 74 68 65 20 0a 70 61 70 |owever, |the .pap|
|00003290| 65 72 20 28 70 2e 7e 32 | 39 33 29 20 73 68 6f 77 |er (p.~2|93) show|
|000032a0| 73 20 74 68 61 74 20 28 | 31 29 20 69 6d 70 6c 69 |s that (|1) impli|
|000032b0| 65 73 20 28 32 29 2e 0a | 5c 70 71 20 53 75 70 70 |es (2)..|\pq Supp|
|000032c0| 6f 73 65 20 77 65 20 61 | 72 65 20 67 69 76 65 6e |ose we a|re given|
|000032d0| 20 61 6e 20 61 6c 67 6f | 72 69 74 68 6d 2e 20 20 | an algo|rithm.  |
|000032e0| 57 65 20 65 73 74 69 6d | 61 74 65 20 24 70 5f 53 |We estim|ate $p_S|
|000032f0| 2c 5c 70 73 2c 70 5f 5a | 24 20 77 69 74 68 0a 68 |,\ps,p_Z|$ with.h|
|00003300| 69 67 68 20 70 72 6f 62 | 61 62 69 6c 69 74 79 20 |igh prob|ability |
|00003310| 75 73 69 6e 67 20 74 68 | 65 20 74 65 63 68 6e 69 |using th|e techni|
|00003320| 71 75 65 73 20 69 6e 20 | 53 65 63 74 69 6f 6e 7e |ques in |Section~|
|00003330| 5c 72 65 66 7b 73 61 6d | 70 7d 2e 0a 54 6f 20 74 |\ref{sam|p}..To t|
|00003340| 61 6b 65 20 61 20 73 70 | 65 63 69 66 69 63 20 65 |ake a sp|ecific e|
|00003350| 78 61 6d 70 6c 65 2c 20 | 77 65 20 77 69 6c 6c 20 |xample, |we will |
|00003360| 61 73 73 75 6d 65 20 77 | 65 20 66 69 6e 64 20 24 |assume w|e find $|
|00003370| 70 5f 53 3d 2e 36 24 2c | 20 24 5c 70 73 3d 2e 34 |p_S=.6$,| $\ps=.4|
|00003380| 35 24 2e 0a 57 65 20 77 | 61 6e 74 20 74 6f 20 74 |5$..We w|ant to t|
|00003390| 65 73 74 20 77 68 65 74 | 68 65 72 20 24 61 24 20 |est whet|her $a$ |
|000033a0| 69 73 20 61 20 73 71 75 | 61 72 65 2e 20 20 52 75 |is a squ|are.  Ru|
|000033b0| 6e 20 74 68 65 20 61 6c | 67 6f 72 69 74 68 6d 20 |n the al|gorithm |
|000033c0| 6f 6e 20 24 61 78 5e 32 | 24 0a 66 6f 72 20 31 30 |on $ax^2|$.for 10|
|000033d0| 30 30 20 72 61 6e 64 6f | 6d 6c 79 20 63 68 6f 73 |00 rando|mly chos|
|000033e0| 65 6e 20 24 78 24 2e 20 | 49 66 20 24 61 24 20 69 |en $x$. |If $a$ i|
|000033f0| 73 20 61 20 73 71 75 61 | 72 65 2c 20 74 68 65 20 |s a squa|re, the |
|00003400| 61 6c 67 6f 72 69 74 68 | 6d 20 77 69 6c 6c 20 73 |algorith|m will s|
|00003410| 61 79 0a 60 60 74 68 69 | 73 20 69 73 20 61 20 73 |ay.``thi|s is a s|
|00003420| 71 75 61 72 65 27 27 20 | 24 5c 61 70 70 72 6f 78 |quare'' |$\approx|
|00003430| 36 30 30 24 20 74 69 6d | 65 73 2e 20 20 49 66 20 |600$ tim|es.  If |
|00003440| 24 61 24 20 69 73 20 61 | 20 70 73 65 75 64 6f 2d |$a$ is a| pseudo-|
|00003450| 73 71 75 61 72 65 2c 20 | 74 68 65 0a 61 6e 73 77 |square, |the.answ|
|00003460| 65 72 20 77 69 6c 6c 20 | 62 65 20 60 60 74 68 69 |er will |be ``thi|
|00003470| 73 20 69 73 20 61 20 73 | 71 75 61 72 65 27 27 20 |s is a s|quare'' |
|00003480| 24 5c 61 70 70 72 6f 78 | 35 35 30 24 20 74 69 6d |$\approx|550$ tim|
|00003490| 65 73 2e 0a 5c 73 75 62 | 73 65 63 74 69 6f 6e 7b |es..\sub|section{|
|000034a0| 4b 6e 6f 77 69 6e 67 20 | 61 20 70 73 65 75 64 6f |Knowing |a pseudo|
|000034b0| 2d 73 71 75 61 72 65 20 | 64 6f 65 73 20 6e 6f 74 |-square |does not|
|000034c0| 20 68 65 6c 70 20 6d 75 | 63 68 7d 0a 51 52 41 20 | help mu|ch}.QRA |
|000034d0| 74 61 6c 6b 73 20 61 62 | 6f 75 74 20 74 68 65 20 |talks ab|out the |
|000034e0| 61 62 69 6c 69 74 79 20 | 74 6f 20 69 64 65 6e 74 |ability |to ident|
|000034f0| 69 66 79 20 73 71 75 61 | 72 65 73 20 77 68 65 6e |ify squa|res when|
|00003500| 20 6f 6e 6c 79 20 24 6e | 24 20 69 73 20 6b 6e 6f | only $n|$ is kno|
|00003510| 77 6e 2e 0a 49 6e 20 74 | 68 65 20 70 72 6f 70 6f |wn..In t|he propo|
|00003520| 73 65 64 20 65 6e 63 72 | 79 70 74 69 6f 6e 20 73 |sed encr|yption s|
|00003530| 79 73 74 65 6d 2c 20 61 | 20 70 73 65 75 64 6f 2d |ystem, a| pseudo-|
|00003540| 73 71 75 61 72 65 20 24 | 79 24 20 69 73 20 61 6c |square $|y$ is al|
|00003550| 73 6f 20 61 6e 6e 6f 75 | 6e 63 65 64 2e 0a 54 68 |so annou|nced..Th|
|00003560| 65 20 70 61 70 65 72 20 | 73 68 6f 77 73 20 28 70 |e paper |shows (p|
|00003570| 2e 7e 32 39 35 29 20 74 | 68 61 74 20 74 68 69 73 |.~295) t|hat this|
|00003580| 20 64 6f 65 73 20 6e 6f | 74 20 6d 61 6b 65 20 74 | does no|t make t|
|00003590| 68 65 20 70 72 6f 62 6c | 65 6d 20 65 61 73 69 65 |he probl|em easie|
|000035a0| 72 2e 5c 70 71 0a 53 75 | 70 70 6f 73 65 20 77 65 |r.\pq.Su|ppose we|
|000035b0| 20 68 61 76 65 20 61 6e | 20 61 6c 67 6f 72 69 74 | have an| algorit|
|000035c0| 68 6d 20 77 68 69 63 68 | 20 74 61 6b 65 73 20 61 |hm which| takes a|
|000035d0| 73 20 69 6e 70 75 74 20 | 24 61 2c 79 24 20 61 6e |s input |$a,y$ an|
|000035e0| 64 20 74 72 69 65 73 20 | 74 6f 0a 64 65 63 69 64 |d tries |to.decid|
|000035f0| 65 20 69 66 20 24 61 24 | 20 69 73 20 61 20 73 71 |e if $a$| is a sq|
|00003600| 75 61 72 65 2e 20 41 73 | 73 75 6d 65 20 24 70 5f |uare. As|sume $p_|
|00003610| 5a 3d 2e 35 35 24 20 77 | 68 65 6e 65 76 65 72 20 |Z=.55$ w|henever |
|00003620| 24 79 24 20 69 73 20 61 | 20 70 73 65 75 64 6f 2d |$y$ is a| pseudo-|
|00003630| 73 71 75 61 72 65 2e 0a | 43 68 6f 6f 73 65 20 24 |square..|Choose $|
|00003640| 79 5c 69 6e 5c 7a 6f 24 | 20 61 74 20 72 61 6e 64 |y\in\zo$| at rand|
|00003650| 6f 6d 2c 20 74 68 65 6e | 20 75 73 65 20 74 68 65 |om, then| use the|
|00003660| 20 74 65 63 68 6e 69 71 | 75 65 73 20 66 72 6f 6d | techniq|ues from|
|00003670| 20 53 65 63 74 69 6f 6e | 7e 5c 72 65 66 7b 73 61 | Section|~\ref{sa|
|00003680| 6d 70 7d 0a 74 6f 20 65 | 73 74 69 6d 61 74 65 20 |mp}.to e|stimate |
|00003690| 24 70 5f 5a 24 2e 20 20 | 53 69 6e 63 65 20 68 61 |$p_Z$.  |Since ha|
|000036a0| 6c 66 20 74 68 65 20 6e | 75 6d 62 65 72 73 20 69 |lf the n|umbers i|
|000036b0| 6e 20 24 5c 7a 6f 24 20 | 61 72 65 20 70 73 65 75 |n $\zo$ |are pseu|
|000036c0| 64 6f 2d 73 71 75 61 72 | 65 73 2c 0a 79 6f 75 20 |do-squar|es,.you |
|000036d0| 77 69 6c 6c 20 71 75 69 | 63 6b 6c 79 20 66 69 6e |will qui|ckly fin|
|000036e0| 64 20 61 20 24 79 24 20 | 66 6f 72 20 77 68 69 63 |d a $y$ |for whic|
|000036f0| 68 20 24 70 5f 5a 3d 2e | 35 35 24 2e 0a 5c 73 75 |h $p_Z=.|55$..\su|
|00003700| 62 73 65 63 74 69 6f 6e | 7b 54 68 65 20 69 6e 61 |bsection|{The ina|
|00003710| 62 69 6c 69 74 79 20 74 | 6f 20 64 69 73 74 69 6e |bility t|o distin|
|00003720| 67 75 69 73 68 20 74 77 | 6f 20 70 6c 61 69 6e 74 |guish tw|o plaint|
|00003730| 65 78 74 73 7d 0a 54 68 | 65 6f 72 65 6d 7e 35 2e |exts}.Th|eorem~5.|
|00003740| 31 20 6f 66 20 74 68 65 | 20 70 61 70 65 72 20 61 |1 of the| paper a|
|00003750| 64 64 72 65 73 73 65 73 | 20 74 68 65 20 69 73 73 |ddresses| the iss|
|00003760| 75 65 20 77 65 20 6d 65 | 6e 74 69 6f 6e 65 64 20 |ue we me|ntioned |
|00003770| 61 74 20 74 68 65 0a 62 | 65 67 69 6e 6e 69 6e 67 |at the.b|eginning|
|00003780| 20 6f 66 20 73 65 63 74 | 69 6f 6e 7e 5c 72 65 66 | of sect|ion~\ref|
|00003790| 7b 70 72 6f 7d 2e 20 20 | 49 74 20 73 68 6f 77 73 |{pro}.  |It shows|
|000037a0| 20 74 68 61 74 20 69 66 | 20 77 65 20 68 61 76 65 | that if| we have|
|000037b0| 20 61 6e 20 61 6c 67 6f | 72 69 74 68 6d 0a 77 68 | an algo|rithm.wh|
|000037c0| 69 63 68 0a 63 61 6e 20 | 69 64 65 6e 74 69 66 79 |ich.can |identify|
|000037d0| 20 6d 65 73 73 61 67 65 | 73 20 24 6d 5f 31 24 20 | message|s $m_1$ |
|000037e0| 61 6e 64 20 24 6d 5f 32 | 24 0a 61 6e 64 20 20 65 |and $m_2|$.and  e|
|000037f0| 66 66 69 63 69 65 6e 74 | 6c 79 20 74 65 6c 6c 20 |fficient|ly tell |
|00003800| 74 68 65 20 64 69 66 66 | 65 72 65 6e 63 65 20 62 |the diff|erence b|
|00003810| 65 74 77 65 65 6e 20 61 | 6e 20 65 6e 25 0a 63 72 |etween a|n en%.cr|
|00003820| 79 70 74 69 6f 6e 20 6f | 66 20 24 6d 5f 31 24 20 |yption o|f $m_1$ |
|00003830| 61 6e 64 20 61 6e 20 65 | 6e 63 72 79 70 74 69 6f |and an e|ncryptio|
|00003840| 6e 20 6f 66 20 24 6d 5f | 32 24 2c 20 74 68 65 6e |n of $m_|2$, then|
|00003850| 20 77 65 20 63 6f 75 6c | 64 20 63 6f 6e 73 74 72 | we coul|d constr|
|00003860| 75 63 74 0a 61 6e 20 61 | 6c 67 6f 72 69 74 68 6d |uct.an a|lgorithm|
|00003870| 20 77 68 69 63 68 20 65 | 66 66 69 63 69 65 6e 74 | which e|fficient|
|00003880| 6c 79 20 64 69 73 74 69 | 6e 67 75 69 73 68 65 73 |ly disti|nguishes|
|00003890| 20 73 71 75 61 72 65 73 | 20 66 72 6f 6d 20 70 73 | squares| from ps|
|000038a0| 65 75 64 6f 2d 73 71 75 | 61 72 65 73 2e 0a 54 68 |eudo-squ|ares..Th|
|000038b0| 75 73 20 28 51 52 41 29 | 20 69 6d 70 6c 69 65 73 |us (QRA)| implies|
|000038c0| 20 77 65 20 63 61 6e 6e | 6f 74 20 74 65 6c 6c 20 | we cann|ot tell |
|000038d0| 74 68 65 20 64 69 66 66 | 65 72 65 6e 63 65 20 62 |the diff|erence b|
|000038e0| 65 74 77 65 65 6e 20 24 | 6d 5f 31 24 0a 61 6e 64 |etween $|m_1$.and|
|000038f0| 20 24 6d 5f 32 24 2e 20 | 5c 70 71 20 7b 5c 62 66 | $m_2$. |\pq {\bf|
|00003900| 20 50 72 6f 6f 66 3a 7d | 5c 66 6f 6f 74 6e 6f 74 | Proof:}|\footnot|
|00003910| 65 7b 54 68 65 20 61 72 | 67 75 6d 65 6e 74 20 77 |e{The ar|gument w|
|00003920| 65 20 67 69 76 65 20 69 | 73 20 61 0a 73 69 6d 70 |e give i|s a.simp|
|00003930| 6c 69 66 69 63 61 74 69 | 6f 6e 20 6f 66 20 74 68 |lificati|on of th|
|00003940| 65 20 6f 6e 65 20 69 6e | 20 74 68 65 20 70 61 70 |e one in| the pap|
|00003950| 65 72 2c 20 69 6e 20 74 | 68 61 74 20 77 65 20 64 |er, in t|hat we d|
|00003960| 6f 20 6e 6f 74 20 75 73 | 65 20 74 68 65 0a 60 60 |o not us|e the.``|
|00003970| 73 61 6d 70 6c 69 6e 67 | 20 77 61 6c 6b 2e 27 27 |sampling| walk.''|
|00003980| 20 20 54 68 65 20 6d 6f | 72 65 20 63 6f 6d 70 6c |  The mo|re compl|
|00003990| 69 63 61 74 65 64 20 61 | 72 67 75 6d 65 6e 74 20 |icated a|rgument |
|000039a0| 73 65 65 6d 73 20 74 6f | 20 62 65 20 6e 65 63 65 |seems to| be nece|
|000039b0| 73 73 61 72 79 0a 74 6f | 20 61 6e 61 6c 79 7a 65 |ssary.to| analyze|
|000039c0| 20 65 6e 63 72 79 70 74 | 69 6f 6e 20 73 79 73 74 | encrypt|ion syst|
|000039d0| 65 6d 73 20 69 6e 20 67 | 65 6e 65 72 61 6c 2c 20 |ems in g|eneral, |
|000039e0| 61 73 20 6f 70 70 6f 73 | 65 64 20 74 6f 20 74 68 |as oppos|ed to th|
|000039f0| 6f 73 65 20 62 61 73 65 | 64 0a 6f 6e 20 73 71 75 |ose base|d.on squ|
|00003a00| 61 72 65 73 20 61 6e 64 | 20 70 73 65 75 64 6f 2d |ares and| pseudo-|
|00003a10| 73 71 75 61 72 65 73 2e | 7d 20 53 75 70 70 6f 73 |squares.|} Suppos|
|00003a20| 65 20 77 65 20 61 72 65 | 20 74 72 79 69 6e 67 20 |e we are| trying |
|00003a30| 74 6f 20 64 65 63 69 64 | 65 0a 77 68 65 74 68 65 |to decid|e.whethe|
|00003a40| 72 20 24 61 5c 69 6e 5c | 7a 6f 24 0a 20 69 73 20 |r $a\in\|zo$. is |
|00003a50| 61 20 73 71 75 61 72 65 | 20 61 6e 64 20 74 68 61 |a square| and tha|
|00003a60| 74 20 74 68 65 20 74 77 | 6f 20 64 69 73 74 69 6e |t the tw|o distin|
|00003a70| 67 75 69 73 68 61 62 6c | 65 0a 20 6d 65 73 73 61 |guishabl|e. messa|
|00003a80| 67 65 73 20 61 72 65 20 | 5c 62 65 67 69 6e 7b 65 |ges are |\begin{e|
|00003a90| 71 6e 61 72 72 61 79 2a | 7d 6d 5f 31 26 3d 26 30 |qnarray*|}m_1&=&0|
|00003aa0| 31 30 30 31 30 31 31 5c | 5c 6d 5f 32 26 3d 26 31 |1001011\|\m_2&=&1|
|00003ab0| 31 31 30 31 31 30 31 20 | 5c 65 6e 64 7b 65 71 6e |1101101 |\end{eqn|
|00003ac0| 61 72 72 61 79 2a 7d 43 | 68 6f 6f 73 65 0a 38 20 |array*}C|hoose.8 |
|00003ad0| 24 78 5f 69 24 20 72 61 | 6e 64 6f 6d 6c 79 20 61 |$x_i$ ra|ndomly a|
|00003ae0| 6e 64 20 63 6f 6e 73 69 | 64 65 72 20 74 68 65 20 |nd consi|der the |
|00003af0| 73 65 71 75 65 6e 63 65 | 73 20 24 24 5c 76 62 6f |sequence|s $$\vbo|
|00003b00| 78 7b 5c 68 61 6c 69 67 | 6e 7b 26 5c 68 66 69 6c |x{\halig|n{&\hfil|
|00003b10| 5c 71 75 61 64 24 23 24 | 5c 63 72 0a 78 5f 31 5e |\quad$#$|\cr.x_1^|
|00003b20| 32 26 61 78 5f 32 5e 32 | 26 78 5f 33 5e 32 26 78 |2&ax_2^2|&x_3^2&x|
|00003b30| 5f 34 5e 32 26 61 78 5f | 35 5e 32 26 78 5f 36 5e |_4^2&ax_|5^2&x_6^|
|00003b40| 32 20 26 61 78 5f 37 5e | 32 26 61 78 5f 38 5e 32 |2 &ax_7^|2&ax_8^2|
|00003b50| 5c 63 72 20 61 78 5f 31 | 5e 32 26 61 78 5f 32 5e |\cr ax_1|^2&ax_2^|
|00003b60| 32 26 61 78 5f 33 5e 32 | 26 78 5f 34 5e 32 26 61 |2&ax_3^2|&x_4^2&a|
|00003b70| 78 5f 35 5e 32 26 61 78 | 5f 36 5e 32 26 78 5f 37 |x_5^2&ax|_6^2&x_7|
|00003b80| 5e 32 26 61 78 5f 38 5e | 32 5c 63 72 7d 7d 24 24 |^2&ax_8^|2\cr}}$$|
|00003b90| 0a 49 66 20 24 61 24 20 | 69 73 20 61 20 70 73 65 |.If $a$ |is a pse|
|00003ba0| 75 64 6f 2d 73 71 75 61 | 72 65 2c 20 74 68 65 73 |udo-squa|re, thes|
|00003bb0| 65 20 77 69 6c 6c 20 62 | 65 20 72 61 6e 64 6f 6d |e will b|e random|
|00003bc0| 6c 79 20 63 68 6f 73 65 | 6e 20 65 6e 63 6f 64 69 |ly chose|n encodi|
|00003bd0| 6e 67 73 0a 6f 66 20 20 | 24 6d 5f 31 24 20 61 6e |ngs.of  |$m_1$ an|
|00003be0| 64 20 24 6d 5f 32 24 2e | 20 20 49 6e 20 74 68 69 |d $m_2$.|  In thi|
|00003bf0| 73 20 63 61 73 65 2c 20 | 74 68 65 20 70 65 72 66 |s case, |the perf|
|00003c00| 6f 72 6d 61 6e 63 65 20 | 6f 66 20 6f 75 72 20 61 |ormance |of our a|
|00003c10| 73 73 75 6d 65 64 0a 61 | 6c 67 6f 72 69 74 68 6d |ssumed.a|lgorithm|
|00003c20| 20 6f 6e 20 74 68 65 20 | 74 77 6f 20 73 65 71 75 | on the |two sequ|
|00003c30| 65 6e 63 65 73 20 28 61 | 76 65 72 61 67 65 64 20 |ences (a|veraged |
|00003c40| 6f 76 65 72 20 72 65 70 | 65 61 74 65 64 20 72 61 |over rep|eated ra|
|00003c50| 6e 64 6f 6d 20 63 68 6f | 69 63 65 73 0a 6f 66 20 |ndom cho|ices.of |
|00003c60| 24 78 5f 69 24 29 20 77 | 69 6c 6c 20 62 65 20 64 |$x_i$) w|ill be d|
|00003c70| 69 66 66 65 72 65 6e 74 | 2e 20 20 49 66 20 24 61 |ifferent|.  If $a|
|00003c80| 24 20 69 73 20 61 20 73 | 71 75 61 72 65 2c 20 62 |$ is a s|quare, b|
|00003c90| 6f 74 68 20 73 65 71 75 | 65 6e 63 65 73 0a 77 69 |oth sequ|ences.wi|
|00003ca0| 6c 6c 20 62 65 20 72 61 | 6e 64 6f 6d 6c 79 20 63 |ll be ra|ndomly c|
|00003cb0| 68 6f 73 65 6e 20 65 6e | 63 6f 64 69 6e 67 73 20 |hosen en|codings |
|00003cc0| 6f 66 20 74 68 65 20 6d | 65 73 73 61 67 65 20 63 |of the m|essage c|
|00003cd0| 6f 6e 73 69 73 74 69 6e | 67 20 6f 66 0a 61 6c 6c |onsistin|g of.all|
|00003ce0| 20 30 27 73 2c 20 73 6f | 20 74 68 65 20 61 6c 67 | 0's, so| the alg|
|00003cf0| 6f 72 69 74 68 6d 27 73 | 20 72 65 73 70 6f 6e 73 |orithm's| respons|
|00003d00| 65 20 6f 6e 20 61 76 65 | 72 61 67 65 20 74 6f 20 |e on ave|rage to |
|00003d10| 74 68 65 20 74 77 6f 20 | 73 65 71 75 65 6e 63 65 |the two |sequence|
|00003d20| 73 0a 77 69 6c 6c 20 62 | 65 20 69 64 65 6e 74 69 |s.will b|e identi|
|00003d30| 63 61 6c 2e 0a 5c 73 75 | 62 73 65 63 74 69 6f 6e |cal..\su|bsection|
|00003d40| 7b 53 65 6d 61 6e 74 69 | 63 20 53 65 63 75 72 69 |{Semanti|c Securi|
|00003d50| 74 79 7d 20 54 68 65 6f | 72 65 6d 7e 35 2e 32 20 |ty} Theo|rem~5.2 |
|00003d60| 6f 66 20 74 68 65 20 70 | 61 70 65 72 20 73 68 6f |of the p|aper sho|
|00003d70| 77 73 20 74 68 61 74 0a | 74 68 65 72 65 20 69 73 |ws that.|there is|
|00003d80| 20 6e 6f 20 70 72 6f 70 | 65 72 74 79 20 6f 66 20 | no prop|erty of |
|00003d90| 74 68 65 20 70 6c 61 69 | 6e 74 65 78 74 20 6d 65 |the plai|ntext me|
|00003da0| 73 73 61 67 65 20 77 68 | 69 63 68 20 63 61 6e 20 |ssage wh|ich can |
|00003db0| 62 65 20 65 66 66 69 63 | 69 65 6e 74 6c 79 0a 65 |be effic|iently.e|
|00003dc0| 73 74 69 6d 61 74 65 64 | 20 62 79 20 6c 6f 6f 6b |stimated| by look|
|00003dd0| 69 6e 67 20 61 74 20 74 | 68 65 20 63 69 70 68 65 |ing at t|he ciphe|
|00003de0| 72 74 65 78 74 2e 20 20 | 54 79 70 69 63 61 6c 20 |rtext.  |Typical |
|00003df0| 70 72 6f 70 65 72 74 69 | 65 73 20 6d 69 67 68 74 |properti|es might|
|00003e00| 0a 62 65 20 60 60 74 68 | 65 20 6c 61 73 74 20 62 |.be ``th|e last b|
|00003e10| 69 74 20 6f 66 20 74 68 | 65 20 70 6c 61 69 6e 74 |it of th|e plaint|
|00003e20| 65 78 74 20 69 73 20 30 | 27 27 20 6f 72 20 60 60 |ext is 0|'' or ``|
|00003e30| 74 68 65 20 6e 75 6d 62 | 65 72 20 6f 66 20 31 27 |the numb|er of 1'|
|00003e40| 73 0a 69 73 20 74 77 69 | 63 65 20 61 73 20 6d 75 |s.is twi|ce as mu|
|00003e50| 63 68 20 61 73 20 74 68 | 65 20 6e 75 6d 62 65 72 |ch as th|e number|
|00003e60| 20 6f 66 20 30 27 73 2e | 27 27 20 20 49 6e 20 67 | of 0's.|''  In g|
|00003e70| 65 6e 65 72 61 6c 2c 20 | 61 20 70 72 6f 70 65 72 |eneral, |a proper|
|00003e80| 74 79 0a 69 73 20 64 65 | 66 69 6e 65 64 20 69 6e |ty.is de|fined in|
|00003e90| 20 74 68 65 20 70 61 70 | 65 72 20 61 73 20 74 68 | the pap|er as th|
|00003ea0| 65 20 76 61 6c 75 65 20 | 6f 66 20 61 20 66 75 6e |e value |of a fun|
|00003eb0| 63 74 69 6f 6e 20 24 66 | 28 6d 29 24 20 77 68 69 |ction $f|(m)$ whi|
|00003ec0| 63 68 0a 74 61 6b 65 73 | 20 61 20 6d 65 73 73 61 |ch.takes| a messa|
|00003ed0| 67 65 20 61 73 20 69 6e | 70 75 74 20 61 6e 64 20 |ge as in|put and |
|00003ee0| 67 69 76 65 73 20 61 20 | 6e 75 6d 62 65 72 20 61 |gives a |number a|
|00003ef0| 73 20 6f 75 74 70 75 74 | 2e 20 20 49 66 20 24 66 |s output|.  If $f|
|00003f00| 28 6d 29 24 0a 69 73 20 | 63 6f 6e 73 74 61 6e 74 |(m)$.is |constant|
|00003f10| 20 66 6f 72 20 61 6c 6c | 20 24 6d 24 2c 20 70 72 | for all| $m$, pr|
|00003f20| 65 64 69 63 74 69 6f 6e | 20 6f 66 20 24 66 28 6d |ediction| of $f(m|
|00003f30| 29 24 20 69 73 20 74 72 | 69 76 69 61 6c 2e 20 20 |)$ is tr|ivial.  |
|00003f40| 53 69 6d 69 6c 61 72 6c | 79 2c 0a 69 66 20 24 66 |Similarl|y,.if $f|
|00003f50| 28 6d 29 24 20 69 73 20 | 61 6c 6d 6f 73 74 20 63 |(m)$ is |almost c|
|00003f60| 6f 6e 73 74 61 6e 74 20 | 66 6f 72 20 61 6c 6d 6f |onstant |for almo|
|00003f70| 73 74 20 61 6c 6c 20 24 | 6d 24 2c 20 74 68 65 72 |st all $|m$, ther|
|00003f80| 65 20 69 73 20 61 20 73 | 69 6d 70 6c 65 0a 61 6c |e is a s|imple.al|
|00003f90| 67 6f 72 69 74 68 6d 20 | 77 68 69 63 68 20 77 69 |gorithm |which wi|
|00003fa0| 6c 6c 20 62 65 20 63 6c | 6f 73 65 20 74 6f 20 72 |ll be cl|ose to r|
|00003fb0| 69 67 68 74 20 77 69 74 | 68 20 68 69 67 68 20 70 |ight wit|h high p|
|00003fc0| 72 6f 62 25 20 61 62 69 | 6c 69 74 79 2e 0a 20 5c |rob% abi|lity.. \|
|00003fd0| 70 71 20 57 65 20 77 69 | 73 68 20 74 6f 20 73 68 |pq We wi|sh to sh|
|00003fe0| 6f 77 20 74 68 61 74 2c | 20 65 78 63 65 70 74 20 |ow that,| except |
|00003ff0| 69 6e 20 74 68 65 20 73 | 70 65 63 69 61 6c 20 63 |in the s|pecial c|
|00004000| 61 73 65 73 20 77 65 27 | 76 65 20 20 6d 65 6e 74 |ases we'|ve  ment|
|00004010| 69 6f 6e 65 64 2c 0a 74 | 68 65 72 65 20 69 73 20 |ioned,.t|here is |
|00004020| 6e 6f 20 65 66 66 69 63 | 69 65 6e 74 20 61 6c 67 |no effic|ient alg|
|00004030| 6f 72 69 74 68 6d 20 77 | 68 69 63 68 20 77 69 6c |orithm w|hich wil|
|00004040| 6c 20 70 72 65 64 69 63 | 74 20 24 66 28 6d 29 24 |l predic|t $f(m)$|
|00004050| 20 66 72 6f 6d 0a 74 68 | 65 20 63 69 70 68 65 72 | from.th|e cipher|
|00004060| 74 65 78 74 20 66 6f 72 | 20 24 6d 24 2e 20 20 49 |text for| $m$.  I|
|00004070| 66 20 74 68 65 72 65 20 | 77 65 72 65 2c 0a 20 20 |f there |were,.  |
|00004080| 77 65 20 20 63 6f 75 6c | 64 20 72 75 6e 20 6f 75 |we  coul|d run ou|
|00004090| 72 20 61 6c 67 6f 72 69 | 74 68 6d 20 74 6f 20 65 |r algori|thm to e|
|000040a0| 73 74 69 6d 61 74 65 20 | 24 66 28 6d 29 24 0a 6f |stimate |$f(m)$.o|
|000040b0| 6e 20 74 68 65 20 63 69 | 70 68 65 72 74 65 78 74 |n the ci|phertext|
|000040c0| 20 66 72 6f 6d 20 72 61 | 6e 64 6f 6d 6c 79 20 67 | from ra|ndomly g|
|000040d0| 65 6e 65 72 61 74 65 64 | 20 24 6d 24 20 75 6e 74 |enerated| $m$ unt|
|000040e0| 69 6c 20 77 65 20 66 6f | 75 6e 64 20 24 6d 5f 31 |il we fo|und $m_1|
|000040f0| 24 2c 0a 24 6d 5f 32 24 | 20 6f 6e 20 77 68 69 63 |$,.$m_2$| on whic|
|00004100| 68 20 74 68 65 20 61 6c | 67 6f 72 69 74 68 6d 20 |h the al|gorithm |
|00004110| 62 65 68 61 76 65 64 20 | 64 69 66 66 65 72 65 6e |behaved |differen|
|00004120| 74 6c 79 2e 20 20 42 75 | 74 20 74 68 69 73 20 77 |tly.  Bu|t this w|
|00004130| 6f 75 6c 64 0a 63 6f 6e | 74 72 61 64 69 63 74 20 |ould.con|tradict |
|00004140| 74 68 65 20 72 65 73 75 | 6c 74 20 6f 66 20 74 68 |the resu|lt of th|
|00004150| 65 20 70 72 65 76 69 6f | 75 73 20 73 65 63 74 69 |e previo|us secti|
|00004160| 6f 6e 2e 0a 5c 70 71 20 | 5b 54 68 65 20 70 61 70 |on..\pq |[The pap|
|00004170| 65 72 20 70 6f 69 6e 74 | 73 20 6f 75 74 20 74 68 |er point|s out th|
|00004180| 61 74 20 69 74 20 69 73 | 20 6e 6f 74 20 61 73 73 |at it is| not ass|
|00004190| 75 6d 65 64 20 74 68 61 | 74 20 24 66 28 6d 29 24 |umed tha|t $f(m)$|
|000041a0| 20 69 73 0a 61 6e 20 65 | 61 73 69 6c 79 20 63 6f | is.an e|asily co|
|000041b0| 6d 70 75 74 61 62 6c 65 | 20 66 75 6e 63 74 69 6f |mputable| functio|
|000041c0| 6e 2e 20 20 49 20 74 68 | 69 6e 6b 20 74 68 69 73 |n.  I th|ink this|
|000041d0| 20 69 73 20 61 20 6d 69 | 6e 6f 72 20 69 73 73 75 | is a mi|nor issu|
|000041e0| 65 2e 0a 20 54 68 65 20 | 74 68 65 6f 72 65 6d 20 |e.. The |theorem |
|000041f0| 72 65 61 6c 6c 79 20 64 | 69 73 63 75 73 73 65 73 |really d|iscusses|
|00004200| 20 74 68 65 20 63 61 70 | 61 62 69 6c 69 74 69 65 | the cap|abilitie|
|00004210| 73 20 6f 66 20 61 20 61 | 6e 20 65 61 73 69 6c 79 |s of a a|n easily|
|00004220| 20 63 6f 6d 70 75 74 61 | 62 6c 65 0a 70 72 6f 67 | computa|ble.prog|
|00004230| 72 61 6d 20 66 6f 72 20 | 65 73 74 69 6d 61 74 69 |ram for |estimati|
|00004240| 6e 67 20 24 66 24 2e 5d | 0a 5c 73 75 62 73 65 63 |ng $f$.]|.\subsec|
|00004250| 74 69 6f 6e 7b 48 6f 77 | 20 74 6f 20 70 6c 61 79 |tion{How| to play|
|00004260| 20 70 6f 6b 65 72 20 6f | 76 65 72 20 74 68 65 20 | poker o|ver the |
|00004270| 74 65 6c 65 70 68 6f 6e | 65 7d 0a 57 65 20 77 69 |telephon|e}.We wi|
|00004280| 6c 6c 20 6e 6f 74 20 61 | 6e 61 6c 79 7a 65 20 61 |ll not a|nalyze a|
|00004290| 6e 20 65 6e 74 69 72 65 | 20 67 61 6d 65 20 6f 66 |n entire| game of|
|000042a0| 20 70 6f 6b 65 72 2c 20 | 62 75 74 20 6a 75 73 74 | poker, |but just|
|000042b0| 20 74 68 65 20 74 61 73 | 6b 0a 6f 66 20 65 61 63 | the tas|k.of eac|
|000042c0| 68 20 70 6c 61 79 65 72 | 20 5b 77 65 20 77 69 6c |h player| [we wil|
|000042d0| 6c 20 61 73 73 75 6d 65 | 20 6f 6e 6c 79 20 74 77 |l assume| only tw|
|000042e0| 6f 20 70 6c 61 79 65 72 | 73 5d 0a 20 67 65 74 74 |o player|s]. gett|
|000042f0| 69 6e 67 20 64 65 61 6c | 74 20 63 61 72 64 73 20 |ing deal|t cards |
|00004300| 73 6f 20 74 68 61 74 20 | 28 69 29 20 65 61 63 68 |so that |(i) each|
|00004310| 20 70 6c 61 79 65 72 20 | 67 65 74 73 20 68 69 73 | player |gets his|
|00004320| 20 63 61 72 64 73 20 61 | 74 0a 72 61 6e 64 6f 6d | cards a|t.random|
|00004330| 2c 20 77 69 74 68 20 61 | 6c 6c 20 63 61 72 64 73 |, with a|ll cards|
|00004340| 20 65 71 75 61 6c 6c 79 | 20 6c 69 6b 65 6c 79 20 | equally| likely |
|00004350| 28 69 69 29 20 6e 65 69 | 74 68 65 72 20 70 6c 61 |(ii) nei|ther pla|
|00004360| 79 65 72 20 6b 6e 6f 77 | 73 0a 77 68 61 74 20 68 |yer know|s.what h|
|00004370| 69 73 20 6f 70 70 6f 6e | 65 6e 74 20 68 61 73 20 |is oppon|ent has |
|00004380| 28 69 69 69 29 20 74 68 | 65 20 70 6c 61 79 65 72 |(iii) th|e player|
|00004390| 73 20 63 61 6e 6e 6f 74 | 20 67 65 74 20 74 68 65 |s cannot| get the|
|000043a0| 20 73 61 6d 65 20 63 61 | 72 64 73 2e 0a 59 6f 75 | same ca|rds..You|
|000043b0| 20 77 69 6c 6c 20 70 72 | 6f 62 61 62 6c 79 20 61 | will pr|obably a|
|000043c0| 70 70 72 65 63 69 61 74 | 65 20 74 68 65 20 70 72 |ppreciat|e the pr|
|000043d0| 6f 63 65 64 75 72 65 20 | 6d 6f 72 65 20 69 66 20 |ocedure |more if |
|000043e0| 79 6f 75 20 66 69 72 73 | 74 20 74 72 79 0a 74 6f |you firs|t try.to|
|000043f0| 20 64 65 76 69 73 65 20 | 61 20 77 61 79 20 6f 66 | devise |a way of|
|00004400| 20 64 6f 69 6e 67 20 74 | 68 69 73 20 79 6f 75 72 | doing t|his your|
|00004410| 73 65 6c 66 2e 5c 70 71 | 0a 53 65 76 65 72 61 6c |self.\pq|.Several|
|00004420| 20 70 72 65 76 69 6f 75 | 73 20 61 74 74 65 6d 70 | previou|s attemp|
|00004430| 74 73 20 74 6f 20 75 73 | 65 20 63 72 79 70 74 6f |ts to us|e crypto|
|00004440| 67 72 61 70 68 69 63 20 | 64 65 76 69 63 65 73 20 |graphic |devices |
|00004450| 66 6f 72 20 74 68 69 73 | 0a 70 75 72 70 6f 73 65 |for this|.purpose|
|00004460| 20 77 65 72 65 20 66 6c | 61 77 65 64 5c 66 6f 6f | were fl|awed\foo|
|00004470| 74 6e 6f 74 65 7b 52 2e | 5c 20 4c 69 70 74 6f 6e |tnote{R.|\ Lipton|
|00004480| 2c 20 60 60 48 6f 77 20 | 74 6f 20 63 68 65 61 74 |, ``How |to cheat|
|00004490| 20 61 74 20 6d 65 6e 74 | 61 6c 0a 70 6f 6b 65 72 | at ment|al.poker|
|000044a0| 2c 27 27 20 7b 5c 69 74 | 20 50 72 6f 63 65 65 64 |,'' {\it| Proceed|
|000044b0| 69 6e 67 73 20 6f 66 20 | 41 4d 53 20 53 68 6f 72 |ings of |AMS Shor|
|000044c0| 74 20 43 6f 75 72 73 65 | 20 6f 6e 20 43 72 79 70 |t Course| on Cryp|
|000044d0| 74 6f 67 72 61 70 68 79 | 7d 7d 2e 0a 20 54 68 65 |tography|}}.. The|
|000044e0| 20 65 6c 61 62 6f 72 61 | 74 65 20 70 72 6f 63 65 | elabora|te proce|
|000044f0| 64 75 72 65 20 77 65 20 | 64 65 73 63 72 69 62 65 |dure we |describe|
|00004500| 20 69 73 20 62 61 73 65 | 64 20 6f 6e 20 73 6f 6d | is base|d on som|
|00004510| 65 20 6e 75 6d 62 65 72 | 2d 74 68 65 6f 72 79 0a |e number|-theory.|
|00004520| 74 6f 6f 6c 73 20 64 65 | 76 65 6c 6f 70 65 64 20 |tools de|veloped |
|00004530| 69 6e 20 73 65 63 74 69 | 6f 6e 7e 5c 72 65 66 7b |in secti|on~\ref{|
|00004540| 52 61 7d 0a 20 61 6e 64 | 20 65 61 72 6c 69 65 72 |Ra}. and| earlier|
|00004550| 20 69 6e 20 74 68 69 73 | 20 73 65 63 74 69 6f 6e | in this| section|
|00004560| 3a 5c 62 65 67 69 6e 7b | 65 6e 75 6d 65 72 61 74 |:\begin{|enumerat|
|00004570| 65 7d 0a 5c 69 74 65 6d | 20 49 66 20 24 6e 3d 70 |e}.\item| If $n=p|
|00004580| 71 24 20 61 6e 64 20 24 | 61 24 20 69 73 20 61 20 |q$ and $|a$ is a |
|00004590| 73 71 75 61 72 65 20 6d | 6f 64 7e 24 6e 24 2c 20 |square m|od~$n$, |
|000045a0| 69 74 20 68 61 73 20 66 | 6f 75 72 20 73 71 75 61 |it has f|our squa|
|000045b0| 72 65 0a 72 6f 6f 74 73 | 2e 20 49 66 20 77 65 20 |re.roots|. If we |
|000045c0| 6b 6e 6f 77 20 72 6f 6f | 74 73 20 24 72 5f 31 2c |know roo|ts $r_1,|
|000045d0| 72 5f 32 24 20 77 69 74 | 68 20 24 72 5f 31 5c 6e |r_2$ wit|h $r_1\n|
|000045e0| 6f 74 5c 65 71 75 69 76 | 5c 70 6d 20 72 5f 32 24 |ot\equiv|\pm r_2$|
|000045f0| 2c 0a 77 65 20 63 61 6e | 20 66 69 6e 64 20 24 70 |,.we can| find $p|
|00004600| 24 2c 20 24 71 24 2e 5c | 69 74 65 6d 20 49 66 20 |$, $q$.\|item If |
|00004610| 24 5c 63 6f 20 70 33 34 | 24 2c 20 24 61 24 20 69 |$\co p34|$, $a$ i|
|00004620| 73 20 61 20 73 71 75 61 | 72 65 20 6d 6f 64 20 24 |s a squa|re mod $|
|00004630| 70 24 0a 69 66 20 61 6e | 64 20 6f 6e 6c 79 20 69 |p$.if an|d only i|
|00004640| 66 20 24 2d 61 24 20 69 | 73 20 6e 6f 74 20 61 20 |f $-a$ i|s not a |
|00004650| 73 71 75 61 72 65 20 28 | 4c 65 6d 6d 61 7e 5c 72 |square (|Lemma~\r|
|00004660| 65 66 7b 6b 6e 32 7d 29 | 2e 0a 49 66 20 77 65 20 |ef{kn2})|..If we |
|00004670| 61 6c 73 6f 20 68 61 76 | 65 20 24 5c 63 6f 20 71 |also hav|e $\co q|
|00004680| 33 34 24 2c 0a 74 68 65 | 6e 20 24 61 5c 69 6e 5c |34$,.the|n $a\in\|
|00004690| 7a 6f 24 20 69 66 20 61 | 6e 64 20 6f 6e 6c 79 20 |zo$ if a|nd only |
|000046a0| 69 66 20 24 2d 61 5c 69 | 6e 5c 7a 6f 24 2e 5c 69 |if $-a\i|n\zo$.\i|
|000046b0| 74 65 6d 20 57 65 20 63 | 61 6e 20 74 65 73 74 20 |tem We c|an test |
|000046c0| 77 68 65 74 68 65 72 0a | 6f 72 20 6e 6f 74 20 24 |whether.|or not $|
|000046d0| 61 5c 69 6e 5c 7a 6f 24 | 20 77 69 74 68 6f 75 74 |a\in\zo$| without|
|000046e0| 20 6b 6e 6f 77 69 6e 67 | 20 24 70 2c 71 24 2e 5c | knowing| $p,q$.\|
|000046f0| 65 6e 64 7b 65 6e 75 6d | 65 72 61 74 65 7d 0a 5c |end{enum|erate}.\|
|00004700| 70 71 20 54 77 6f 20 74 | 65 63 68 6e 69 71 75 65 |pq Two t|echnique|
|00004710| 73 20 61 72 65 20 75 73 | 65 64 20 72 65 70 65 61 |s are us|ed repea|
|00004720| 74 65 64 6c 79 2e 20 20 | 54 68 65 79 20 61 72 65 |tedly.  |They are|
|00004730| 20 61 6c 73 6f 20 6f 66 | 20 69 6e 74 65 72 65 73 | also of| interes|
|00004740| 74 0a 69 6e 20 6f 74 68 | 65 72 20 61 70 70 6c 69 |t.in oth|er appli|
|00004750| 63 61 74 69 6f 6e 73 2e | 5c 62 65 67 69 6e 7b 54 |cations.|\begin{T|
|00004760| 68 7d 5b 72 61 6e 64 6f | 6d 20 6e 75 6d 62 65 72 |h}[rando|m number|
|00004770| 73 5d 5c 6c 61 62 65 6c | 7b 52 7d 20 42 20 63 61 |s]\label|{R} B ca|
|00004780| 6e 20 67 65 6e 65 72 61 | 74 65 0a 61 20 72 61 6e |n genera|te.a ran|
|00004790| 64 6f 6d 20 6e 75 6d 62 | 65 72 20 73 6f 20 74 68 |dom numb|er so th|
|000047a0| 61 74 20 41 20 64 6f 65 | 73 20 6e 6f 74 20 6b 6e |at A doe|s not kn|
|000047b0| 6f 77 20 69 74 73 20 76 | 61 6c 75 65 20 6e 6f 77 |ow its v|alue now|
|000047c0| 2c 20 62 75 74 20 63 61 | 6e 0a 76 65 72 69 66 79 |, but ca|n.verify|
|000047d0| 20 69 74 20 6c 61 74 65 | 72 2e 20 5c 65 6e 64 7b | it late|r. \end{|
|000047e0| 54 68 7d 41 20 60 60 66 | 69 72 73 74 20 74 72 79 |Th}A ``f|irst try|
|000047f0| 27 27 20 6d 69 67 68 74 | 20 62 65 20 66 6f 72 20 |'' might| be for |
|00004800| 42 20 74 6f 20 67 65 6e | 65 72 61 74 65 0a 61 20 |B to gen|erate.a |
|00004810| 72 61 6e 64 6f 6d 20 6e | 75 6d 62 65 72 20 61 6e |random n|umber an|
|00004820| 64 20 67 69 76 65 20 61 | 6e 20 65 6e 63 72 79 70 |d give a|n encryp|
|00004830| 74 69 6f 6e 20 6f 66 20 | 69 74 20 74 6f 20 41 2c |tion of |it to A,|
|00004840| 20 77 69 74 68 20 74 68 | 65 20 6b 65 79 0a 20 72 | with th|e key. r|
|00004850| 65 76 65 61 6c 65 64 20 | 66 6f 72 20 76 65 72 69 |evealed |for veri|
|00004860| 66 69 63 61 74 69 6f 6e | 20 6c 61 74 65 72 2e 20 |fication| later. |
|00004870| 20 54 68 69 73 20 64 6f | 65 73 20 6e 6f 74 20 77 | This do|es not w|
|00004880| 6f 72 6b 2c 20 73 69 6e | 63 65 0a 41 20 63 61 6e |ork, sin|ce.A can|
|00004890| 6e 6f 74 20 62 65 20 73 | 75 72 65 20 74 68 61 74 |not be s|ure that|
|000048a0| 20 42 20 63 68 6f 73 65 | 20 68 69 73 20 6e 75 6d | B chose| his num|
|000048b0| 62 65 72 20 61 74 20 72 | 61 6e 64 6f 6d 2e 5c 70 |ber at r|andom.\p|
|000048c0| 71 20 54 6f 20 69 6e 73 | 75 72 65 0a 72 61 6e 64 |q To ins|ure.rand|
|000048d0| 6f 6d 6e 65 73 73 2c 20 | 41 20 67 69 76 65 73 20 |omness, |A gives |
|000048e0| 42 20 61 20 73 65 63 6f | 6e 64 20 6e 75 6d 62 65 |B a seco|nd numbe|
|000048f0| 72 20 28 77 68 69 63 68 | 20 41 20 69 73 20 73 75 |r (which| A is su|
|00004900| 70 70 6f 73 65 64 20 74 | 6f 0a 63 68 6f 6f 73 65 |pposed t|o.choose|
|00004910| 20 61 74 20 20 72 61 6e | 64 6f 6d 29 20 61 66 74 | at  ran|dom) aft|
|00004920| 65 72 20 72 65 63 65 69 | 76 69 6e 67 20 42 27 73 |er recei|ving B's|
|00004930| 20 65 6e 63 72 79 70 74 | 69 6f 6e 2c 20 0a 61 6e | encrypt|ion, .an|
|00004940| 64 20 74 68 65 20 6e 75 | 6d 62 65 72 20 75 73 65 |d the nu|mber use|
|00004950| 64 20 62 79 20 42 20 69 | 73 20 74 68 65 20 60 60 |d by B i|s the ``|
|00004960| 65 78 63 6c 75 73 69 76 | 65 20 6f 72 27 27 20 6f |exclusiv|e or'' o|
|00004970| 66 20 74 68 65 20 74 77 | 6f 3a 0a 5c 62 65 67 69 |f the tw|o:.\begi|
|00004980| 6e 7b 63 65 6e 74 65 72 | 7d 5c 62 65 67 69 6e 7b |n{center|}\begin{|
|00004990| 74 61 62 75 6c 61 72 7d | 7b 72 7d 20 41 20 63 68 |tabular}|{r} A ch|
|000049a0| 6f 6f 73 65 73 20 30 31 | 31 30 30 30 31 5c 5c 42 |ooses 01|10001\\B|
|000049b0| 20 63 68 6f 6f 73 65 73 | 20 31 30 31 31 30 31 31 | chooses| 1011011|
|000049c0| 5c 5c 0a 5c 63 6c 69 6e | 65 7b 31 2d 31 7d 42 20 |\\.\clin|e{1-1}B |
|000049d0| 75 73 65 73 20 31 31 30 | 31 30 31 30 5c 65 6e 64 |uses 110|1010\end|
|000049e0| 7b 74 61 62 75 6c 61 72 | 7d 5c 65 6e 64 7b 63 65 |{tabular|}\end{ce|
|000049f0| 6e 74 65 72 7d 0a 45 76 | 65 6e 20 69 66 20 6f 6e |nter}.Ev|en if on|
|00004a00| 65 20 6f 66 20 74 68 65 | 20 70 6c 61 79 65 72 73 |e of the| players|
|00004a10| 20 64 6f 65 73 20 6e 6f | 74 20 63 68 6f 6f 73 65 | does no|t choose|
|00004a20| 20 68 69 73 20 6e 75 6d | 62 65 72 20 61 74 20 72 | his num|ber at r|
|00004a30| 61 6e 64 6f 6d 2c 0a 74 | 68 65 20 72 65 73 75 6c |andom,.t|he resul|
|00004a40| 74 20 77 69 6c 6c 20 62 | 65 20 72 61 6e 64 6f 6d |t will b|e random|
|00004a50| 20 61 73 20 6c 6f 6e 67 | 20 61 73 20 74 68 65 20 | as long| as the |
|00004a60| 6f 74 68 65 72 20 70 6c | 61 79 65 72 20 64 6f 65 |other pl|ayer doe|
|00004a70| 73 2e 0a 5c 62 65 67 69 | 6e 7b 54 68 7d 5c 6c 61 |s..\begi|n{Th}\la|
|00004a80| 62 65 6c 7b 55 55 7d 42 | 20 63 61 6e 20 61 73 6b |bel{UU}B| can ask|
|00004a90| 20 41 20 61 20 71 75 65 | 73 74 69 6f 6e 20 72 65 | A a que|stion re|
|00004aa0| 6c 61 74 65 64 20 74 6f | 20 24 6e 24 2e 20 20 54 |lated to| $n$.  T|
|00004ab0| 68 65 20 61 6e 73 77 65 | 72 20 74 6f 0a 74 68 69 |he answe|r to.thi|
|00004ac0| 73 20 71 75 65 73 74 69 | 6f 6e 20 6d 61 79 20 6f |s questi|on may o|
|00004ad0| 72 20 6d 61 79 20 6e 6f | 74 20 61 6c 6c 6f 77 20 |r may no|t allow |
|00004ae0| 42 20 74 6f 20 66 61 63 | 74 6f 72 20 24 6e 24 2e |B to fac|tor $n$.|
|00004af0| 20 20 41 74 20 74 68 65 | 20 74 69 6d 65 0a 74 68 |  At the| time.th|
|00004b00| 65 20 71 75 65 73 74 69 | 6f 6e 20 69 73 20 61 73 |e questi|on is as|
|00004b10| 6b 65 64 2c 20 41 20 63 | 61 6e 6e 6f 74 20 74 65 |ked, A c|annot te|
|00004b20| 6c 6c 20 77 68 65 74 68 | 65 72 20 74 68 65 20 61 |ll wheth|er the a|
|00004b30| 6e 73 77 65 72 20 68 65 | 20 67 69 76 65 73 0a 42 |nswer he| gives.B|
|00004b40| 20 69 73 20 75 73 65 66 | 75 6c 20 6f 72 20 20 75 | is usef|ul or  u|
|00004b50| 73 65 6c 65 73 73 2c 20 | 62 75 74 20 74 68 69 73 |seless, |but this|
|00004b60| 20 63 61 6e 20 62 65 20 | 76 65 72 69 66 69 65 64 | can be |verified|
|00004b70| 20 6c 61 74 65 72 2e 5c | 65 6e 64 7b 54 68 7d 0a | later.\|end{Th}.|
|00004b80| 7b 5c 62 66 20 50 72 6f | 6f 66 3a 7d 20 41 20 63 |{\bf Pro|of:} A c|
|00004b90| 68 6f 6f 73 65 73 20 70 | 72 69 6d 65 73 20 24 5c |hooses p|rimes $\|
|00004ba0| 63 6f 7b 70 2c 71 7d 33 | 34 24 2c 20 61 6e 64 20 |co{p,q}3|4$, and |
|00004bb0| 61 6e 6e 6f 75 6e 63 65 | 73 20 24 6e 3d 70 71 24 |announce|s $n=pq$|
|00004bc0| 2e 0a 20 55 73 69 6e 67 | 20 74 68 65 20 74 65 63 |.. Using| the tec|
|00004bd0| 68 6e 69 71 75 65 20 6f | 66 20 54 68 65 6f 72 65 |hnique o|f Theore|
|00004be0| 6d 7e 5c 72 65 66 7b 52 | 7d 2c 20 42 20 67 65 6e |m~\ref{R|}, B gen|
|00004bf0| 65 72 61 74 65 73 20 61 | 20 72 61 6e 64 6f 6d 20 |erates a| random |
|00004c00| 24 78 24 2c 20 61 6e 64 | 0a 77 69 6c 6c 20 61 73 |$x$, and|.will as|
|00004c10| 6b 20 41 20 66 6f 72 20 | 61 20 73 71 75 61 72 65 |k A for |a square|
|00004c20| 20 72 6f 6f 74 20 6f 66 | 20 24 61 5c 65 71 75 69 | root of| $a\equi|
|00004c30| 76 20 78 5e 32 24 2e 20 | 20 41 74 20 74 68 65 20 |v x^2$. | At the |
|00004c40| 74 69 6d 65 20 74 68 65 | 0a 71 75 65 73 74 69 6f |time the|.questio|
|00004c50| 6e 20 69 73 20 61 73 6b | 65 64 2c 20 41 20 77 69 |n is ask|ed, A wi|
|00004c60| 6c 6c 20 6b 6e 6f 77 20 | 24 61 24 20 62 75 74 20 |ll know |$a$ but |
|00004c70| 6e 6f 74 20 24 78 24 2e | 20 20 42 20 69 73 20 61 |not $x$.|  B is a|
|00004c80| 6c 6c 6f 77 65 64 20 74 | 6f 0a 73 70 65 63 69 66 |llowed t|o.specif|
|00004c90| 79 20 77 68 65 74 68 65 | 72 20 74 68 65 20 73 71 |y whethe|r the sq|
|00004ca0| 75 61 72 65 20 72 6f 6f | 74 20 41 20 67 69 76 65 |uare roo|t A give|
|00004cb0| 73 20 68 69 6d 20 69 73 | 20 6f 72 20 69 73 20 6e |s him is| or is n|
|00004cc0| 6f 74 20 69 6e 20 24 5c | 7a 6f 24 2e 5c 70 71 0a |ot in $\|zo$.\pq.|
|00004cd0| 20 49 66 20 24 78 5c 69 | 6e 5c 7a 6f 24 20 61 6e | If $x\i|n\zo$ an|
|00004ce0| 64 20 42 20 73 70 65 63 | 69 66 69 65 73 20 74 68 |d B spec|ifies th|
|00004cf0| 61 74 20 74 68 65 20 73 | 71 75 61 72 65 20 72 6f |at the s|quare ro|
|00004d00| 6f 74 20 69 73 20 69 6e | 20 24 5c 7a 6f 24 2c 0a |ot is in| $\zo$,.|
|00004d10| 41 20 77 69 6c 6c 20 67 | 69 76 65 20 42 20 24 5c |A will g|ive B $\|
|00004d20| 70 6d 20 78 24 2c 20 77 | 68 69 63 68 20 69 73 20 |pm x$, w|hich is |
|00004d30| 75 73 65 6c 65 73 73 2e | 20 20 42 20 63 61 6e 20 |useless.|  B can |
|00004d40| 67 65 74 20 75 73 65 66 | 75 6c 20 69 6e 66 6f 72 |get usef|ul infor|
|00004d50| 6d 61 74 69 6f 6e 0a 62 | 79 20 73 70 65 63 69 66 |mation.b|y specif|
|00004d60| 79 69 6e 67 20 74 68 61 | 74 20 74 68 65 20 73 71 |ying tha|t the sq|
|00004d70| 75 61 72 65 20 72 6f 6f | 74 20 69 73 20 6e 6f 74 |uare roo|t is not|
|00004d80| 20 69 6e 20 24 5c 7a 6f | 24 2e 20 20 49 66 20 24 | in $\zo|$.  If $|
|00004d90| 78 5c 6e 6f 74 5c 69 6e | 5c 7a 6f 24 2c 0a 74 68 |x\not\in|\zo$,.th|
|00004da0| 65 20 73 71 75 61 72 65 | 20 72 6f 6f 74 20 69 6e |e square| root in|
|00004db0| 20 24 5c 7a 6f 24 20 77 | 69 6c 6c 20 62 65 20 75 | $\zo$ w|ill be u|
|00004dc0| 73 65 66 75 6c 2c 20 61 | 6e 64 20 74 68 65 20 6f |seful, a|nd the o|
|00004dd0| 74 68 65 72 20 77 69 6c | 6c 20 62 65 0a 75 73 65 |ther wil|l be.use|
|00004de0| 6c 65 73 73 2e 20 20 5c | 70 71 20 53 69 6e 63 65 |less.  \|pq Since|
|00004df0| 20 24 78 24 20 69 73 20 | 20 72 61 6e 64 6f 6d 6c | $x$ is | randoml|
|00004e00| 79 20 63 68 6f 73 65 6e | 2c 20 61 6e 64 20 68 61 |y chosen|, and ha|
|00004e10| 6c 66 20 74 68 65 20 70 | 6f 73 73 69 62 6c 65 0a |lf the p|ossible.|
|00004e20| 24 78 24 20 61 72 65 20 | 69 6e 20 24 5c 7a 6f 24 |$x$ are |in $\zo$|
|00004e30| 20 61 6e 64 20 68 61 6c | 66 20 61 72 65 20 6e 6f | and hal|f are no|
|00004e40| 74 2c 20 41 20 77 69 6c | 6c 20 6e 6f 74 20 62 65 |t, A wil|l not be|
|00004e50| 20 61 62 6c 65 20 74 6f | 20 67 75 65 73 73 0a 72 | able to| guess.r|
|00004e60| 69 67 68 74 20 6d 6f 72 | 65 20 74 68 61 6e 20 68 |ight mor|e than h|
|00004e70| 61 6c 66 20 74 68 65 20 | 74 69 6d 65 20 77 68 65 |alf the |time whe|
|00004e80| 74 68 65 72 20 68 65 20 | 69 73 20 62 65 69 6e 67 |ther he |is being|
|00004e90| 20 61 73 6b 65 64 20 66 | 6f 72 20 75 73 65 66 75 | asked f|or usefu|
|00004ea0| 6c 0a 6f 72 20 75 73 65 | 6c 65 73 73 20 69 6e 66 |l.or use|less inf|
|00004eb0| 6f 72 6d 61 74 69 6f 6e | 2e 0a 5c 73 75 62 73 75 |ormation|..\subsu|
|00004ec0| 62 73 65 63 74 69 6f 6e | 2a 7b 54 68 65 20 70 72 |bsection|*{The pr|
|00004ed0| 6f 63 65 64 75 72 65 7d | 0a 5c 62 65 67 69 6e 7b |ocedure}|.\begin{|
|00004ee0| 65 6e 75 6d 65 72 61 74 | 65 7d 5c 69 74 65 6d 20 |enumerat|e}\item |
|00004ef0| 41 20 61 6e 6e 6f 75 6e | 63 65 73 20 24 6e 5f 31 |A announ|ces $n_1|
|00004f00| 2c 5c 64 6f 74 73 20 6e | 5f 7b 35 32 7d 24 2c 20 |,\dots n|_{52}$, |
|00004f10| 65 61 63 68 20 6f 66 0a | 77 68 69 63 68 20 69 73 |each of.|which is|
|00004f20| 20 61 20 70 72 6f 64 75 | 63 74 20 6f 66 20 74 77 | a produ|ct of tw|
|00004f30| 6f 20 6c 61 72 67 65 20 | 70 72 69 6d 65 73 20 24 |o large |primes $|
|00004f40| 5c 63 6f 7b 7d 33 34 24 | 2e 20 20 48 65 20 65 6e |\co{}34$|.  He en|
|00004f50| 63 6f 64 65 73 20 74 68 | 65 0a 6e 61 6d 65 73 20 |codes th|e.names |
|00004f60| 6f 66 20 74 68 65 20 64 | 69 66 66 65 72 65 6e 74 |of the d|ifferent|
|00004f70| 20 63 61 72 64 73 20 75 | 73 69 6e 67 20 64 69 66 | cards u|sing dif|
|00004f80| 66 65 72 65 6e 74 20 24 | 6e 5f 69 24 20 61 6e 64 |ferent $|n_i$ and|
|00004f90| 20 61 6c 73 6f 20 61 6e | 6e 6f 75 6e 63 65 73 0a | also an|nounces.|
|00004fa0| 74 68 65 73 65 2e 20 20 | 5b 69 66 20 42 20 66 69 |these.  |[if B fi|
|00004fb0| 6e 64 73 20 74 68 65 20 | 66 61 63 74 6f 72 73 0a |nds the |factors.|
|00004fc0| 6f 66 20 6f 6e 65 20 6f | 66 20 74 68 65 20 24 6e |of one o|f the $n|
|00004fd0| 5f 69 24 2c 20 69 74 20 | 64 6f 65 73 20 6e 6f 74 |_i$, it |does not|
|00004fe0| 20 68 65 6c 70 20 68 69 | 6d 20 69 64 65 6e 74 69 | help hi|m identi|
|00004ff0| 66 79 20 74 68 65 20 6f | 74 68 65 72 20 63 61 72 |fy the o|ther car|
|00005000| 64 73 5d 0a 42 20 64 6f | 65 73 20 74 68 65 20 73 |ds].B do|es the s|
|00005010| 61 6d 65 20 74 68 69 6e | 67 20 75 73 69 6e 67 20 |ame thin|g using |
|00005020| 24 6d 5f 31 2c 5c 64 6f | 74 73 20 6d 5f 7b 35 32 |$m_1,\do|ts m_{52|
|00005030| 7d 24 2e 0a 5c 69 74 65 | 6d 20 54 6f 20 67 65 74 |}$..\ite|m To get|
|00005040| 20 61 20 63 61 72 64 2c | 20 42 20 61 73 6b 73 20 | a card,| B asks |
|00005050| 41 20 6f 6e 65 20 71 75 | 65 73 74 69 6f 6e 20 66 |A one qu|estion f|
|00005060| 6f 72 20 65 61 63 68 20 | 24 6e 5f 69 24 2c 20 75 |or each |$n_i$, u|
|00005070| 73 69 6e 67 0a 74 68 65 | 20 70 72 6f 63 65 64 75 |sing.the| procedu|
|00005080| 72 65 20 6f 66 20 54 68 | 65 6f 72 65 6d 7e 5c 72 |re of Th|eorem~\r|
|00005090| 65 66 7b 55 55 7d 2e 20 | 20 35 31 20 6f 66 20 74 |ef{UU}. | 51 of t|
|000050a0| 68 65 20 71 75 65 73 74 | 69 6f 6e 73 20 77 69 6c |he quest|ions wil|
|000050b0| 6c 20 62 65 20 75 73 65 | 6c 65 73 73 2e 0a 20 54 |l be use|less.. T|
|000050c0| 68 65 20 20 75 73 65 66 | 75 6c 20 71 75 65 73 74 |he  usef|ul quest|
|000050d0| 69 6f 6e 20 61 6c 6c 6f | 77 73 20 42 20 74 6f 20 |ion allo|ws B to |
|000050e0| 64 65 63 6f 64 65 20 74 | 68 65 20 6e 61 6d 65 20 |decode t|he name |
|000050f0| 6f 66 20 74 68 65 20 63 | 61 72 64 20 68 65 0a 72 |of the c|ard he.r|
|00005100| 65 63 65 69 76 65 73 2e | 20 5b 69 74 20 69 73 20 |eceives.| [it is |
|00005110| 63 72 75 63 69 61 6c 20 | 74 68 61 74 20 41 20 77 |crucial |that A w|
|00005120| 69 6c 6c 20 62 65 20 61 | 62 6c 65 20 74 6f 20 76 |ill be a|ble to v|
|00005130| 65 72 69 66 79 20 74 68 | 65 20 75 73 65 6c 65 73 |erify th|e useles|
|00005140| 73 6e 65 73 73 0a 6f 66 | 20 74 68 65 20 6f 74 68 |sness.of| the oth|
|00005150| 65 72 20 35 31 20 71 75 | 65 73 74 69 6f 6e 73 20 |er 51 qu|estions |
|00005160| 61 66 74 65 72 20 74 68 | 65 20 67 61 6d 65 2e 5d |after th|e game.]|
|00005170| 0a 5c 69 74 65 6d 20 42 | 20 64 65 6c 65 74 65 73 |.\item B| deletes|
|00005180| 20 74 68 65 20 24 6d 5f | 69 24 20 63 6f 72 72 65 | the $m_|i$ corre|
|00005190| 73 70 6f 6e 64 69 6e 67 | 20 74 6f 20 74 68 65 20 |sponding| to the |
|000051a0| 63 61 72 64 20 68 65 20 | 72 65 63 65 69 76 65 64 |card he |received|
|000051b0| 0a 28 74 68 69 73 20 65 | 6e 73 75 72 65 73 20 41 |.(this e|nsures A|
|000051c0| 20 77 69 6c 6c 20 6e 6f | 74 20 67 65 74 20 74 68 | will no|t get th|
|000051d0| 69 73 20 63 61 72 64 29 | 2e 0a 5c 69 74 65 6d 20 |is card)|..\item |
|000051e0| 41 20 67 65 74 73 20 61 | 20 63 61 72 64 20 62 79 |A gets a| card by|
|000051f0| 20 61 73 6b 69 6e 67 20 | 35 31 20 71 75 65 73 74 | asking |51 quest|
|00005200| 69 6f 6e 73 20 61 62 6f | 75 74 20 74 68 65 20 72 |ions abo|ut the r|
|00005210| 65 6d 61 69 6e 69 6e 67 | 0a 24 6d 5f 69 24 2c 20 |emaining|.$m_i$, |
|00005220| 20 6f 66 20 77 68 69 63 | 68 20 35 30 20 61 72 65 | of whic|h 50 are|
|00005230| 20 75 73 65 6c 65 73 73 | 2e 0a 48 65 20 64 65 6c | useless|..He del|
|00005240| 65 74 65 73 20 74 68 65 | 20 24 6e 5f 69 24 20 63 |etes the| $n_i$ c|
|00005250| 6f 72 72 65 73 70 6f 6e | 64 69 6e 67 20 74 6f 20 |orrespon|ding to |
|00005260| 74 68 69 73 20 63 61 72 | 64 2e 0a 5c 69 74 65 6d |this car|d..\item|
|00005270| 20 49 66 20 42 20 67 65 | 74 73 20 61 20 73 65 63 | If B ge|ts a sec|
|00005280| 6f 6e 64 20 63 61 72 64 | 2c 20 68 65 20 61 73 6b |ond card|, he ask|
|00005290| 73 20 35 31 20 71 75 65 | 73 74 69 6f 6e 73 2e 20 |s 51 que|stions. |
|000052a0| 20 48 65 20 61 76 6f 69 | 64 73 0a 67 65 74 74 69 | He avoi|ds.getti|
|000052b0| 6e 67 20 74 68 65 20 73 | 61 6d 65 20 63 61 72 64 |ng the s|ame card|
|000052c0| 20 74 77 69 63 65 20 62 | 79 20 6e 6f 74 20 61 73 | twice b|y not as|
|000052d0| 6b 69 6e 67 20 61 20 75 | 73 65 66 75 6c 20 71 75 |king a u|seful qu|
|000052e0| 65 73 74 69 6f 6e 20 61 | 62 6f 75 74 0a 74 68 65 |estion a|bout.the|
|000052f0| 20 73 61 6d 65 20 24 6e | 5f 69 24 20 61 73 20 74 | same $n|_i$ as t|
|00005300| 68 65 20 66 69 72 73 74 | 20 74 69 6d 65 2e 5c 65 |he first| time.\e|
|00005310| 6e 64 7b 65 6e 75 6d 65 | 72 61 74 65 7d 0a 54 68 |nd{enume|rate}.Th|
|00005320| 69 73 20 70 72 6f 63 65 | 64 75 72 65 20 69 73 20 |is proce|dure is |
|00005330| 74 6f 6f 20 63 75 6d 62 | 65 72 73 6f 6d 65 20 74 |too cumb|ersome t|
|00005340| 6f 20 62 65 20 70 72 61 | 63 74 69 63 61 6c 2c 20 |o be pra|ctical, |
|00005350| 62 75 74 20 69 74 20 69 | 73 20 61 20 67 6f 6f 64 |but it i|s a good|
|00005360| 0a 65 78 61 6d 70 6c 65 | 20 6f 66 20 74 68 65 20 |.example| of the |
|00005370| 6b 69 6e 64 73 20 6f 66 | 20 74 68 69 6e 67 73 20 |kinds of| things |
|00005380| 74 68 61 74 20 63 61 6e | 20 62 65 20 64 6f 6e 65 |that can| be done|
|00005390| 20 75 73 69 6e 67 20 63 | 72 79 70 74 6f 67 72 61 | using c|ryptogra|
|000053a0| 70 68 69 63 0a 70 72 6f | 63 65 64 75 72 65 73 2e |phic.pro|cedures.|
|000053b0| 20 20 43 75 72 72 65 6e | 74 20 72 65 73 65 61 72 |  Curren|t resear|
|000053c0| 63 68 20 66 6f 63 75 73 | 73 65 73 20 6f 6e 20 6f |ch focus|ses on o|
|000053d0| 74 68 65 72 20 74 61 73 | 6b 73 20 69 6e 76 6f 6c |ther tas|ks invol|
|000053e0| 76 69 6e 67 0a 65 78 63 | 68 61 6e 67 65 73 20 6f |ving.exc|hanges o|
|000053f0| 66 20 65 6e 63 72 79 70 | 74 65 64 20 61 6e 64 20 |f encryp|ted and |
|00005400| 70 61 72 74 69 61 6c 6c | 79 20 65 6e 63 72 79 70 |partiall|y encryp|
|00005410| 74 65 64 20 69 6e 66 6f | 72 6d 61 74 69 6f 6e 20 |ted info|rmation |
|00005420| 62 65 74 77 65 65 6e 0a | 74 77 6f 20 70 6c 61 79 |between.|two play|
|00005430| 65 72 73 2e 20 0a 5c 73 | 65 63 74 69 6f 6e 7b 50 |ers. .\s|ection{P|
|00005440| 73 65 75 64 6f 2d 72 61 | 6e 64 6f 6d 20 6e 75 6d |seudo-ra|ndom num|
|00005450| 62 65 72 20 67 65 6e 65 | 72 61 74 6f 72 73 7d 5b |ber gene|rators}[|
|00005460| 54 68 69 73 20 73 65 63 | 74 69 6f 6e 20 69 73 20 |This sec|tion is |
|00005470| 62 61 73 65 64 20 6f 6e | 20 42 6c 75 6d 2c 20 42 |based on| Blum, B|
|00005480| 6c 75 6d 2c 0a 5c 26 20 | 53 68 75 62 2c 20 60 60 |lum,.\& |Shub, ``|
|00005490| 41 20 73 69 6d 70 6c 65 | 20 75 6e 70 72 65 64 69 |A simple| unpredi|
|000054a0| 63 74 61 62 6c 65 20 70 | 73 65 75 64 6f 2d 72 61 |ctable p|seudo-ra|
|000054b0| 6e 64 6f 6d 20 6e 75 6d | 62 65 72 20 67 65 6e 65 |ndom num|ber gene|
|000054c0| 72 61 74 6f 72 2c 27 27 | 0a 7b 5c 69 74 20 53 49 |rator,''|.{\it SI|
|000054d0| 41 4d 20 4a 2e 20 43 6f | 6d 70 75 74 69 6e 67 5c |AM J. Co|mputing\|
|000054e0| 2f 7d 7e 31 35 2c 20 33 | 36 34 2d 2d 33 38 33 2e |/}~15, 3|64--383.|
|000054f0| 5d 5c 70 71 0a 4d 61 6e | 79 20 70 72 6f 67 72 61 |]\pq.Man|y progra|
|00005500| 6d 73 20 28 65 2e 7e 67 | 2e 2c 20 73 69 6d 75 6c |ms (e.~g|., simul|
|00005510| 61 74 69 6f 6e 73 2c 20 | 6f 6e 65 2d 74 69 6d 65 |ations, |one-time|
|00005520| 2d 70 61 64 73 29 20 6d | 61 6b 65 20 75 73 65 20 |-pads) m|ake use |
|00005530| 6f 66 20 6e 75 6d 62 65 | 72 73 0a 74 68 61 74 20 |of numbe|rs.that |
|00005540| 61 72 65 20 73 75 70 70 | 6f 73 65 64 20 74 6f 20 |are supp|osed to |
|00005550| 62 65 20 72 61 6e 64 6f | 6d 2e 20 20 41 20 67 65 |be rando|m.  A ge|
|00005560| 6e 75 69 6e 65 20 73 6f | 75 72 63 65 20 6f 66 20 |nuine so|urce of |
|00005570| 72 61 6e 64 6f 6d 6e 65 | 73 73 20 6d 69 67 68 74 |randomne|ss might|
|00005580| 0a 62 65 20 61 20 73 75 | 62 72 6f 75 74 69 6e 65 |.be a su|broutine|
|00005590| 20 74 68 61 74 20 6d 61 | 64 65 20 63 61 6c 6c 73 | that ma|de calls|
|000055a0| 20 6f 6e 20 73 6f 6d 65 | 74 68 69 6e 67 20 6c 69 | on some|thing li|
|000055b0| 6b 65 20 61 20 62 75 69 | 6c 74 2d 69 6e 20 47 65 |ke a bui|lt-in Ge|
|000055c0| 69 67 65 72 0a 63 6f 75 | 6e 74 65 72 2e 20 20 57 |iger.cou|nter.  W|
|000055d0| 65 20 77 69 6c 6c 20 62 | 65 20 63 6f 6e 63 65 72 |e will b|e concer|
|000055e0| 6e 65 64 20 77 69 74 68 | 20 61 6c 67 6f 72 69 74 |ned with| algorit|
|000055f0| 68 6d 73 20 74 68 61 74 | 20 70 72 6f 64 75 63 65 |hms that| produce|
|00005600| 20 61 20 73 65 71 75 65 | 6e 63 65 0a 6f 66 20 6e | a seque|nce.of n|
|00005610| 75 6d 62 65 72 73 20 28 | 75 73 75 61 6c 6c 79 20 |umbers (|usually |
|00005620| 30 27 73 20 61 6e 64 20 | 31 27 73 29 20 77 68 69 |0's and |1's) whi|
|00005630| 63 68 20 61 70 70 65 61 | 72 73 20 72 61 6e 64 6f |ch appea|rs rando|
|00005640| 6d 20 28 70 72 65 63 69 | 73 65 20 64 65 66 69 6e |m (preci|se defin|
|00005650| 69 74 69 6f 6e 0a 77 69 | 6c 6c 20 62 65 20 67 69 |ition.wi|ll be gi|
|00005660| 76 65 6e 20 6c 61 74 65 | 72 29 2e 5c 70 71 20 41 |ven late|r).\pq A|
|00005670| 20 74 79 70 69 63 61 6c | 20 65 78 61 6d 70 6c 65 | typical| example|
|00005680| 20 6f 66 20 73 75 63 68 | 20 61 6e 20 61 6c 67 6f | of such| an algo|
|00005690| 72 69 74 68 6d 20 69 73 | 20 74 68 65 0a 66 75 6e |rithm is| the.fun|
|000056a0| 63 74 69 6f 6e 20 7b 5c | 74 74 20 72 61 6e 64 28 |ction {\|tt rand(|
|000056b0| 29 7d 20 69 6e 20 74 68 | 65 20 43 20 70 72 6f 67 |)} in th|e C prog|
|000056c0| 72 61 6d 6d 69 6e 67 20 | 6c 61 6e 67 75 61 67 65 |ramming |language|
|000056d0| 2e 20 45 61 63 68 20 63 | 61 6c 6c 20 75 70 64 61 |. Each c|all upda|
|000056e0| 74 65 73 0a 61 6e 20 69 | 6e 74 65 72 6e 61 6c 6c |tes.an i|nternall|
|000056f0| 79 20 6d 61 69 6e 74 61 | 69 6e 65 64 20 24 4e 24 |y mainta|ined $N$|
|00005700| 20 75 73 69 6e 67 20 74 | 68 65 20 66 6f 72 6d 75 | using t|he formu|
|00005710| 6c 61 0a 24 24 4e 3d 4e | 2a 31 31 30 33 35 31 35 |la.$$N=N|*1103515|
|00005720| 32 34 35 2b 31 32 33 34 | 35 5c 71 75 61 64 5c 68 |245+1234|5\quad\h|
|00005730| 62 6f 78 7b 6d 6f 64 20 | 7d 20 34 32 39 34 39 36 |box{mod |} 429496|
|00005740| 37 32 39 36 3d 32 5e 7b | 33 32 7d 24 24 77 69 74 |7296=2^{|32}$$wit|
|00005750| 68 20 74 68 65 20 0a 6f | 75 74 70 75 74 20 67 69 |h the .o|utput gi|
|00005760| 76 65 6e 20 62 79 20 24 | 32 5e 7b 2d 31 36 7d 4e |ven by $|2^{-16}N|
|00005770| 24 7e 6d 6f 64 7e 24 32 | 5e 7b 31 35 7d 24 2e 5c |$~mod~$2|^{15}$.\|
|00005780| 70 71 20 49 20 72 65 63 | 65 6e 74 6c 79 20 77 72 |pq I rec|ently wr|
|00005790| 6f 74 65 20 61 20 70 72 | 6f 67 72 61 6d 0a 74 6f |ote a pr|ogram.to|
|000057a0| 20 72 6f 6c 6c 20 64 69 | 63 65 20 77 68 69 63 68 | roll di|ce which|
|000057b0| 20 69 6e 76 6f 6c 76 65 | 64 20 75 73 69 6e 67 20 | involve|d using |
|000057c0| 7b 5c 74 74 20 72 61 6e | 64 28 29 7d 7e 6d 6f 64 |{\tt ran|d()}~mod|
|000057d0| 7e 36 2e 20 20 49 6e 20 | 6f 76 65 72 20 31 30 30 |~6.  In |over 100|
|000057e0| 0a 63 61 6c 6c 73 2c 20 | 69 74 20 6e 65 76 65 72 |.calls, |it never|
|000057f0| 20 68 61 70 70 65 6e 65 | 64 20 74 68 61 74 20 74 | happene|d that t|
|00005800| 68 65 20 73 61 6d 65 20 | 6e 75 6d 62 65 72 20 6f |he same |number o|
|00005810| 63 63 75 72 72 65 64 20 | 6f 6e 20 74 77 6f 20 63 |ccurred |on two c|
|00005820| 6f 6e 73 65 63 75 74 69 | 76 65 0a 20 72 6f 6c 6c |onsecuti|ve. roll|
|00005830| 73 2c 20 65 76 65 6e 20 | 74 68 6f 75 67 68 20 74 |s, even |though t|
|00005840| 68 69 73 20 73 68 6f 75 | 6c 64 20 68 61 76 65 20 |his shou|ld have |
|00005850| 68 61 70 70 65 6e 65 64 | 20 61 62 6f 75 74 20 24 |happened| about $|
|00005860| 31 2f 36 28 31 30 30 29 | 24 20 74 69 6d 65 73 21 |1/6(100)|$ times!|
|00005870| 0a 54 68 69 73 20 73 75 | 67 67 65 73 74 73 20 74 |.This su|ggests t|
|00005880| 68 69 73 20 70 61 72 74 | 69 63 75 6c 61 72 20 67 |his part|icular g|
|00005890| 65 6e 65 72 61 74 6f 72 | 20 68 61 73 20 73 6f 6d |enerator| has som|
|000058a0| 65 20 70 72 6f 62 6c 65 | 6d 73 2e 5c 66 6f 6f 74 |e proble|ms.\foot|
|000058b0| 6e 6f 74 65 7b 4b 6e 75 | 74 68 0a 73 75 67 67 65 |note{Knu|th.sugge|
|000058c0| 73 74 73 20 74 68 61 74 | 20 61 20 62 65 74 74 65 |sts that| a bette|
|000058d0| 72 20 77 61 79 20 74 6f | 20 6f 62 74 61 69 6e 20 |r way to| obtain |
|000058e0| 61 20 72 61 6e 64 6f 6d | 20 6e 75 6d 62 65 72 20 |a random| number |
|000058f0| 62 65 74 77 65 65 6e 20 | 30 20 61 6e 64 7e 24 6b |between |0 and~$k|
|00005900| 2d 31 24 0a 69 73 20 74 | 6f 20 75 73 65 20 24 6b |-1$.is t|o use $k|
|00005910| 5c 2c 24 7b 5c 74 74 20 | 72 61 6e 64 28 29 7d 24 |\,${\tt |rand()}$|
|00005920| 7b 7d 2f 4d 24 2c 20 77 | 68 65 72 65 20 24 4d 24 |{}/M$, w|here $M$|
|00005930| 20 69 73 20 74 68 65 20 | 6d 61 78 69 6d 75 6d 20 | is the |maximum |
|00005940| 76 61 6c 75 65 20 6f 66 | 20 7b 5c 74 74 0a 72 61 |value of| {\tt.ra|
|00005950| 6e 64 28 29 7d 2e 7d 5c | 70 71 20 49 6e 20 74 68 |nd()}.}\|pq In th|
|00005960| 69 73 20 73 65 63 74 69 | 6f 6e 2c 20 77 65 20 77 |is secti|on, we w|
|00005970| 69 6c 6c 20 70 72 65 73 | 65 6e 74 20 72 61 6e 64 |ill pres|ent rand|
|00005980| 6f 6d 20 6e 75 6d 62 65 | 72 20 67 65 6e 65 72 61 |om numbe|r genera|
|00005990| 74 6f 72 73 0a 66 6f 72 | 20 77 68 69 63 68 20 69 |tors.for| which i|
|000059a0| 74 20 63 61 6e 20 62 65 | 20 70 72 6f 76 65 64 20 |t can be| proved |
|000059b0| 28 67 69 76 65 6e 20 61 | 73 73 75 6d 70 74 69 6f |(given a|ssumptio|
|000059c0| 6e 73 20 6c 69 6b 65 20 | 28 51 52 41 29 29 20 74 |ns like |(QRA)) t|
|000059d0| 68 61 74 20 73 75 63 68 | 0a 70 72 6f 62 6c 65 6d |hat such|.problem|
|000059e0| 73 20 77 69 6c 6c 20 6e | 6f 74 20 6f 63 63 75 72 |s will n|ot occur|
|000059f0| 2e 0a 5c 73 75 62 73 65 | 63 74 69 6f 6e 7b 54 68 |..\subse|ction{Th|
|00005a00| 65 20 51 75 61 64 72 61 | 74 69 63 20 47 65 6e 65 |e Quadra|tic Gene|
|00005a10| 72 61 74 6f 72 7d 20 4c | 65 74 20 24 6e 3d 70 71 |rator} L|et $n=pq|
|00005a20| 24 2c 20 77 68 65 72 65 | 20 24 70 2c 71 24 20 61 |$, where| $p,q$ a|
|00005a30| 72 65 20 70 72 69 6d 65 | 73 0a 24 5c 63 6f 7b 7d |re prime|s.$\co{}|
|00005a40| 33 34 24 2e 20 20 46 6f | 72 20 65 61 63 68 20 70 |34$.  Fo|r each p|
|00005a50| 72 69 6d 65 2c 20 24 61 | 24 20 69 73 20 61 20 73 |rime, $a|$ is a s|
|00005a60| 71 75 61 72 65 20 69 66 | 20 61 6e 64 20 6f 6e 6c |quare if| and onl|
|00005a70| 79 20 69 66 20 24 2d 61 | 24 20 69 73 20 6e 6f 74 |y if $-a|$ is not|
|00005a80| 0a 61 20 73 71 75 61 72 | 65 20 28 4c 65 6d 6d 61 |.a squar|e (Lemma|
|00005a90| 7e 5c 72 65 66 7b 6b 6e | 32 7d 29 2e 0a 54 68 69 |~\ref{kn|2})..Thi|
|00005aa0| 73 20 69 6d 70 6c 69 65 | 73 20 74 68 61 74 2c 20 |s implie|s that, |
|00005ab0| 69 66 20 24 5c 63 6f 20 | 78 7b 5c 70 6d 20 61 5f |if $\co |x{\pm a_|
|00005ac0| 31 7d 70 24 20 61 6e 64 | 20 24 5c 63 6f 20 78 7b |1}p$ and| $\co x{|
|00005ad0| 5c 70 6d 20 61 5f 32 7d | 71 24 2c 0a 74 68 65 72 |\pm a_2}|q$,.ther|
|00005ae0| 65 20 77 69 6c 6c 20 62 | 65 20 65 78 61 63 74 6c |e will b|e exactl|
|00005af0| 79 20 6f 6e 65 20 63 68 | 6f 69 63 65 20 77 68 69 |y one ch|oice whi|
|00005b00| 63 68 20 6d 61 6b 65 73 | 20 24 78 24 20 61 20 73 |ch makes| $x$ a s|
|00005b10| 71 75 61 72 65 20 6d 6f | 64 7e 24 6e 24 2e 0a 48 |quare mo|d~$n$..H|
|00005b20| 65 6e 63 65 2c 20 69 66 | 20 24 62 24 20 69 73 20 |ence, if| $b$ is |
|00005b30| 61 20 73 71 75 61 72 65 | 20 6d 6f 64 7e 24 6e 24 |a square| mod~$n$|
|00005b40| 2c 20 65 78 61 63 74 6c | 79 20 6f 6e 65 20 6f 66 |, exactl|y one of|
|00005b50| 20 69 74 73 20 66 6f 75 | 72 20 73 71 75 61 72 65 | its fou|r square|
|00005b60| 20 72 6f 6f 74 73 0a 77 | 69 6c 6c 20 61 6c 73 6f | roots.w|ill also|
|00005b70| 20 62 65 20 61 20 73 71 | 75 61 72 65 2e 20 20 54 | be a sq|uare.  T|
|00005b80| 68 69 73 20 7b 5c 69 74 | 20 70 72 69 6e 63 69 70 |his {\it| princip|
|00005b90| 61 6c 5c 2f 7d 20 73 71 | 75 61 72 65 20 72 6f 6f |al\/} sq|uare roo|
|00005ba0| 74 20 77 69 6c 6c 20 62 | 65 0a 64 65 6e 6f 74 65 |t will b|e.denote|
|00005bb0| 64 20 62 79 20 24 5c 73 | 71 72 74 20 62 24 2e 0a |d by $\s|qrt b$..|
|00005bc0| 5c 70 71 20 54 68 65 20 | 71 75 61 64 72 61 74 69 |\pq The |quadrati|
|00005bd0| 63 20 67 65 6e 65 72 61 | 74 6f 72 20 75 73 65 73 |c genera|tor uses|
|00005be0| 20 61 20 72 61 6e 64 6f | 6d 6c 79 20 63 68 6f 73 | a rando|mly chos|
|00005bf0| 65 6e 20 73 71 75 61 72 | 65 20 24 78 24 20 28 63 |en squar|e $x$ (c|
|00005c00| 61 6c 6c 65 64 20 74 68 | 65 20 0a 7b 5c 69 74 20 |alled th|e .{\it |
|00005c10| 73 65 65 64 5c 2f 7d 29 | 20 6e 6f 74 20 64 69 76 |seed\/})| not div|
|00005c20| 69 73 69 62 6c 65 20 62 | 79 20 24 70 24 20 6f 72 |isible b|y $p$ or|
|00005c30| 20 24 71 24 20 74 6f 20 | 67 65 6e 65 72 61 74 65 | $q$ to |generate|
|00005c40| 20 61 20 73 65 71 75 65 | 6e 63 65 20 6f 66 0a 30 | a seque|nce of.0|
|00005c50| 27 73 20 61 6e 64 20 31 | 27 73 20 28 7b 5c 69 74 |'s and 1|'s ({\it|
|00005c60| 20 62 69 74 73 5c 2f 7d | 29 2e 20 20 54 68 65 20 | bits\/}|).  The |
|00005c70| 73 65 71 75 65 6e 63 65 | 20 69 73 20 24 61 5f 69 |sequence| is $a_i|
|00005c80| 24 7e 6d 6f 64 7e 32 2c | 20 77 68 65 72 65 20 24 |$~mod~2,| where $|
|00005c90| 61 5f 30 3d 78 24 0a 61 | 6e 64 20 24 5c 63 6f 7b |a_0=x$.a|nd $\co{|
|00005ca0| 61 5f 7b 69 2b 31 7d 7d | 7b 5c 73 71 72 74 7b 61 |a_{i+1}}|{\sqrt{a|
|00005cb0| 5f 69 7d 7d 6e 24 3a 24 | 24 78 5c 20 5c 68 62 6f |_i}}n$:$|$x\ \hbo|
|00005cc0| 78 7b 6d 6f 64 20 7d 32 | 5c 71 75 61 64 5c 73 71 |x{mod }2|\quad\sq|
|00005cd0| 72 74 20 78 5c 68 62 6f | 78 7b 20 6d 6f 64 20 7d |rt x\hbo|x{ mod }|
|00005ce0| 32 0a 5c 71 75 61 64 5c | 73 71 72 74 7b 5c 73 71 |2.\quad\|sqrt{\sq|
|00005cf0| 72 74 7b 78 7d 7d 5c 68 | 62 6f 78 7b 20 6d 6f 64 |rt{x}}\h|box{ mod|
|00005d00| 20 7d 32 5c 71 75 61 64 | 5c 64 6f 74 73 24 24 0a | }2\quad|\dots$$.|
|00005d10| 28 66 72 6f 6d 20 61 20 | 70 72 61 63 74 69 63 61 |(from a |practica|
|00005d20| 6c 20 70 6f 69 6e 74 20 | 6f 66 20 76 69 65 77 2c |l point |of view,|
|00005d30| 20 69 74 20 69 73 20 73 | 69 6d 70 6c 65 72 20 74 | it is s|impler t|
|00005d40| 6f 20 67 65 6e 65 72 61 | 74 65 20 74 68 65 20 73 |o genera|te the s|
|00005d50| 65 71 75 65 6e 63 65 0a | 73 74 61 72 74 69 6e 67 |equence.|starting|
|00005d60| 20 77 69 74 68 20 74 68 | 65 20 6c 61 73 74 20 6e | with th|e last n|
|00005d70| 75 6d 62 65 72 20 61 6e | 64 20 73 71 75 61 72 69 |umber an|d squari|
|00005d80| 6e 67 29 5c 70 71 0a 41 | 73 20 61 20 73 6d 61 6c |ng)\pq.A|s a smal|
|00005d90| 6c 20 65 78 61 6d 70 6c | 65 20 77 69 74 68 20 24 |l exampl|e with $|
|00005da0| 6e 3d 35 38 39 3d 31 39 | 28 33 31 29 24 20 61 6e |n=589=19|(31)$ an|
|00005db0| 64 20 24 78 3d 38 31 24 | 2c 20 74 68 65 20 73 65 |d $x=81$|, the se|
|00005dc0| 71 75 65 6e 63 65 20 6f | 66 20 24 61 5f 69 24 20 |quence o|f $a_i$ |
|00005dd0| 69 73 0a 24 24 38 31 5c | 71 75 61 64 39 5c 71 75 |is.$$81\|quad9\qu|
|00005de0| 61 64 35 38 36 5c 71 75 | 61 64 31 37 35 5c 71 75 |ad586\qu|ad175\qu|
|00005df0| 61 64 31 31 32 5c 71 75 | 61 64 34 34 33 5c 71 75 |ad112\qu|ad443\qu|
|00005e00| 61 64 32 31 34 5c 71 75 | 61 64 32 33 37 5c 64 6f |ad214\qu|ad237\do|
|00005e10| 74 73 24 24 28 6e 6f 74 | 65 0a 74 68 61 74 20 24 |ts$$(not|e.that $|
|00005e20| 5c 73 71 72 74 20 39 3d | 2d 33 24 2c 20 6e 6f 74 |\sqrt 9=|-3$, not|
|00005e30| 7e 33 29 20 77 68 69 63 | 68 20 67 69 76 65 73 20 |~3) whic|h gives |
|00005e40| 74 68 65 20 73 65 71 75 | 65 6e 63 65 20 6f 66 20 |the sequ|ence of |
|00005e50| 62 69 74 73 20 31 31 30 | 31 30 31 30 31 2e 0a 5c |bits 110|10101..\|
|00005e60| 73 75 62 73 65 63 74 69 | 6f 6e 7b 54 68 65 20 4e |subsecti|on{The N|
|00005e70| 65 78 74 20 42 69 74 20 | 54 68 65 6f 72 65 6d 7d |ext Bit |Theorem}|
|00005e80| 0a 49 74 20 77 6f 75 6c | 64 20 63 65 72 74 61 69 |.It woul|d certai|
|00005e90| 6e 6c 79 20 62 65 20 75 | 6e 64 65 73 69 72 61 62 |nly be u|ndesirab|
|00005ea0| 6c 65 20 69 66 20 74 68 | 65 72 65 20 77 65 72 65 |le if th|ere were|
|00005eb0| 20 61 6e 20 65 66 66 69 | 63 69 65 6e 74 20 61 6c | an effi|cient al|
|00005ec0| 67 6f 72 69 74 68 6d 0a | 77 68 69 63 68 20 74 6f |gorithm.|which to|
|00005ed0| 6f 6b 20 61 73 20 69 6e | 70 75 74 20 74 68 65 20 |ok as in|put the |
|00005ee0| 66 69 72 73 74 20 24 6b | 24 20 62 69 74 73 20 6f |first $k|$ bits o|
|00005ef0| 66 20 74 68 65 20 73 65 | 71 75 65 6e 63 65 20 66 |f the se|quence f|
|00005f00| 72 6f 6d 20 74 68 65 20 | 67 65 6e 65 72 61 74 6f |rom the |generato|
|00005f10| 72 0a 61 6e 64 20 67 75 | 65 73 73 65 64 20 74 68 |r.and gu|essed th|
|00005f20| 65 20 24 28 6b 2b 31 29 | 24 2d 73 74 20 62 69 74 |e $(k+1)|$-st bit|
|00005f30| 20 77 69 74 68 20 70 72 | 6f 62 61 62 69 6c 69 74 | with pr|obabilit|
|00005f40| 79 20 6d 75 63 68 20 67 | 72 65 61 74 65 72 20 74 |y much g|reater t|
|00005f50| 68 61 6e 20 24 31 2f 32 | 24 2e 0a 57 65 20 73 61 |han $1/2|$..We sa|
|00005f60| 79 20 61 20 67 65 6e 65 | 72 61 74 6f 72 20 73 61 |y a gene|rator sa|
|00005f70| 74 69 73 66 69 65 73 20 | 74 68 65 20 7b 5c 69 74 |tisfies |the {\it|
|00005f80| 20 4e 65 78 74 20 42 69 | 74 20 43 6f 6e 64 69 74 | Next Bi|t Condit|
|00005f90| 69 6f 6e 5c 2f 7d 20 69 | 66 20 74 68 65 72 65 20 |ion\/} i|f there |
|00005fa0| 69 73 0a 6e 6f 20 73 75 | 63 68 20 61 6c 67 6f 72 |is.no su|ch algor|
|00005fb0| 69 74 68 6d 2e 5c 62 65 | 67 69 6e 7b 54 68 7d 49 |ithm.\be|gin{Th}I|
|00005fc0| 66 20 28 51 52 41 29 20 | 69 73 20 74 72 75 65 2c |f (QRA) |is true,|
|00005fd0| 20 74 68 65 20 71 75 61 | 64 72 61 74 69 63 20 67 | the qua|dratic g|
|00005fe0| 65 6e 65 72 61 74 6f 72 | 0a 73 61 74 69 73 66 69 |enerator|.satisfi|
|00005ff0| 65 73 20 74 68 65 20 4e | 65 78 74 20 42 69 74 20 |es the N|ext Bit |
|00006000| 43 6f 6e 64 69 74 69 6f | 6e 2e 5c 65 6e 64 7b 54 |Conditio|n.\end{T|
|00006010| 68 7d 7b 5c 62 66 20 50 | 72 6f 6f 66 3a 7d 20 57 |h}{\bf P|roof:} W|
|00006020| 65 20 77 69 6c 6c 20 73 | 68 6f 77 20 74 68 61 74 |e will s|how that|
|00006030| 0a 61 6e 20 61 6c 67 6f | 72 69 74 68 6d 20 74 68 |.an algo|rithm th|
|00006040| 61 74 20 63 6f 75 6c 64 | 20 70 72 65 64 69 63 74 |at could| predict|
|00006050| 20 74 68 65 20 24 28 6b | 2b 31 29 24 2d 73 74 20 | the $(k|+1)$-st |
|00006060| 62 69 74 20 63 6f 75 6c | 64 20 62 65 20 75 73 65 |bit coul|d be use|
|00006070| 64 20 74 6f 0a 64 69 73 | 74 69 6e 67 75 69 73 68 |d to.dis|tinguish|
|00006080| 20 73 71 75 61 72 65 73 | 20 66 72 6f 6d 20 70 73 | squares| from ps|
|00006090| 65 75 64 6f 2d 73 71 75 | 61 72 65 73 20 6d 6f 64 |eudo-squ|ares mod|
|000060a0| 7e 24 6e 24 2e 5c 70 71 | 20 4c 65 74 20 24 62 5c |~$n$.\pq| Let $b\|
|000060b0| 69 6e 5c 7a 6f 24 2e 20 | 54 68 65 0a 73 65 71 75 |in\zo$. |The.sequ|
|000060c0| 65 6e 63 65 20 6f 66 20 | 6c 65 6e 67 74 68 20 24 |ence of |length $|
|000060d0| 6b 24 20 24 24 62 5e 7b | 32 5e 6b 7d 5c 71 75 61 |k$ $$b^{|2^k}\qua|
|000060e0| 64 20 62 5e 7b 32 5e 7b | 6b 2d 31 7d 7d 5c 64 6f |d b^{2^{|k-1}}\do|
|000060f0| 74 73 20 62 5e 34 5c 71 | 75 61 64 20 62 5e 32 24 |ts b^4\q|uad b^2$|
|00006100| 24 0a 63 61 6e 20 62 65 | 20 63 6f 6e 73 69 64 65 |$.can be| conside|
|00006110| 72 65 64 20 61 73 20 63 | 6f 6d 69 6e 67 20 66 72 |red as c|oming fr|
|00006120| 6f 6d 20 74 68 65 20 71 | 75 61 64 72 61 74 69 63 |om the q|uadratic|
|00006130| 20 67 65 6e 65 72 61 74 | 6f 72 20 77 69 74 68 20 | generat|or with |
|00006140| 73 65 65 64 20 74 68 65 | 0a 66 69 72 73 74 20 74 |seed the|.first t|
|00006150| 65 72 6d 20 6f 66 20 74 | 68 65 20 73 65 71 75 65 |erm of t|he seque|
|00006160| 6e 63 65 2e 20 20 49 66 | 20 77 65 20 74 61 6b 65 |nce.  If| we take|
|00006170| 20 74 68 69 73 20 73 65 | 71 75 65 6e 63 65 20 6d | this se|quence m|
|00006180| 6f 64 7e 32 20 61 6e 64 | 20 67 69 76 65 0a 69 74 |od~2 and| give.it|
|00006190| 20 74 6f 20 6f 75 72 20 | 70 72 65 64 69 63 74 6f | to our |predicto|
|000061a0| 72 2c 20 77 65 20 77 6f | 75 6c 64 20 67 65 74 20 |r, we wo|uld get |
|000061b0| 61 20 67 75 65 73 73 20 | 61 73 20 74 6f 20 77 68 |a guess |as to wh|
|000061c0| 65 74 68 65 72 20 24 24 | 5c 63 6f 0a 7b 5c 73 71 |ether $$|\co.{\sq|
|000061d0| 72 74 7b 62 5e 32 7d 7d | 7b 30 5c 68 62 6f 78 7b |rt{b^2}}|{0\hbox{|
|000061e0| 20 6f 72 20 7d 31 7d 32 | 24 24 77 68 69 63 68 20 | or }1}2|$$which |
|000061f0| 68 61 73 20 70 72 6f 62 | 61 62 69 6c 69 74 79 20 |has prob|ability |
|00006200| 24 3e 31 2f 32 24 20 6f | 66 20 62 65 69 6e 67 0a |$>1/2$ o|f being.|
|00006210| 72 69 67 68 74 2e 20 20 | 54 68 65 20 70 72 69 6e |right.  |The prin|
|00006220| 63 69 70 6c 65 20 73 71 | 75 61 72 65 20 72 6f 6f |ciple sq|uare roo|
|00006230| 74 20 6f 66 20 24 62 5e | 32 24 20 69 73 20 24 62 |t of $b^|2$ is $b|
|00006240| 24 20 69 66 20 24 62 24 | 20 69 73 20 61 20 73 71 |$ if $b$| is a sq|
|00006250| 75 61 72 65 2c 0a 24 6e | 2d 62 24 20 69 66 20 24 |uare,.$n|-b$ if $|
|00006260| 62 24 20 69 73 20 61 20 | 70 73 65 75 64 6f 2d 73 |b$ is a |pseudo-s|
|00006270| 71 75 61 72 65 2e 20 20 | 53 69 6e 63 65 20 24 62 |quare.  |Since $b|
|00006280| 5c 6e 6f 74 5c 65 71 75 | 69 76 20 6e 2d 62 24 7e |\not\equ|iv n-b$~|
|00006290| 6d 6f 64 7e 32 2c 20 74 | 68 65 0a 69 6e 66 6f 72 |mod~2, t|he.infor|
|000062a0| 6d 61 74 69 6f 6e 20 66 | 72 6f 6d 20 74 68 65 20 |mation f|rom the |
|000062b0| 70 72 65 64 69 63 74 6f | 72 20 67 69 76 65 73 20 |predicto|r gives |
|000062c0| 75 73 20 61 20 67 75 65 | 73 73 20 61 73 20 74 6f |us a gue|ss as to|
|000062d0| 20 77 68 65 74 68 65 72 | 20 24 62 24 20 69 73 0a | whether| $b$ is.|
|000062e0| 61 20 73 71 75 61 72 65 | 2e 0a 5c 73 75 62 73 65 |a square|..\subse|
|000062f0| 63 74 69 6f 6e 7b 54 68 | 65 20 45 66 66 69 63 69 |ction{Th|e Effici|
|00006300| 65 6e 74 20 54 65 73 74 | 20 54 68 65 6f 72 65 6d |ent Test| Theorem|
|00006310| 7d 0a 57 68 65 6e 20 77 | 65 20 61 72 65 20 67 69 |}.When w|e are gi|
|00006320| 76 65 6e 20 61 20 73 65 | 71 75 65 6e 63 65 20 6f |ven a se|quence o|
|00006330| 66 20 62 69 74 73 20 66 | 72 6f 6d 20 61 20 70 73 |f bits f|rom a ps|
|00006340| 65 75 64 6f 2d 72 61 6e | 64 6f 6d 20 6e 75 6d 62 |eudo-ran|dom numb|
|00006350| 65 72 20 67 65 6e 65 72 | 61 74 6f 72 2c 0a 77 65 |er gener|ator,.we|
|00006360| 20 6f 66 74 65 6e 20 74 | 65 73 74 20 74 68 65 20 | often t|est the |
|00006370| 71 75 61 6c 69 74 79 20 | 6f 66 20 74 68 65 20 67 |quality |of the g|
|00006380| 65 6e 65 72 61 74 6f 72 | 20 62 79 20 64 6f 69 6e |enerator| by doin|
|00006390| 67 20 74 68 69 6e 67 73 | 20 6c 69 6b 65 20 63 6f |g things| like co|
|000063a0| 75 6e 74 69 6e 67 0a 74 | 68 65 20 66 72 61 63 74 |unting.t|he fract|
|000063b0| 69 6f 6e 20 6f 66 20 30 | 27 73 2c 20 74 68 65 20 |ion of 0|'s, the |
|000063c0| 66 72 61 63 74 69 6f 6e | 20 6f 66 20 73 75 62 73 |fraction| of subs|
|000063d0| 65 71 75 65 6e 63 65 73 | 20 6f 66 20 74 68 65 20 |equences| of the |
|000063e0| 66 6f 72 6d 20 31 31 31 | 2c 20 65 74 63 2e 0a 5c |form 111|, etc..\|
|000063f0| 70 71 20 41 20 7b 5c 69 | 74 20 74 65 73 74 5c 2f |pq A {\i|t test\/|
+--------+-------------------------+-------------------------+--------+--------+