
J. Math. Cryptol. 8 (2014), 115–140 DOI 10.1515/jmc-2013-0001 © de Gruyter 2014

The distribution of quadratic residues and non-residues in the Goldwasser–Micali type of cryptosystem

Benjamin Justus Communicated by Spyros Magliveras

Abstract. We provide unconditional results and conditional ones under the assumption of GRH (Generalized Riemann Hypothesis) on the distribution of quadratic residues and quadratic non-residues in $\mathbb{Z}/N\mathbb{Z}$, where $N = pq$ is an RSA modulus used in the Goldwasser–Micali cryptosystem. The paper also discusses cryptographic implications of the results obtained.

Keywords. Quadratic residuosity problem, Goldwasser–Micali cryptosystem, quadratic residues distribution.

2010 Subject Classification. 94A60, 11A15.

1 Introduction

Goldwasser and Micali in [6] introduced the concept of probabilistic encryption. In the same paper, they proved that their probabilistic public-key encryption scheme is secure based on the hardness of the quadratic residuosity problem. Given a composite $N$ and a positive integer $a$ relatively prime to $N$, the quadratic residuosity problem is to decide whether $a$ is a quadratic residue or a quadratic non-residue modulo $N$ (i.e. whether or not $x^2 \equiv a \pmod N$ has a solution). The modulus $N$ in the Goldwasser–Micali cryptosystem is a typical RSA modulus used in the RSA cryptosystem. That is, $N = pq$ for distinct odd primes $p, q$ of about the same size. The quadratic residuosity problem is known to be computationally hard if the factorization of $N$ is not known, see Section 2. The problem currently does not admit polynomial time solutions, and is listed as an open problem [1]. Given the difficulty of the quadratic residuosity problem, one could ask how the quadratic residues and quadratic non-residues are distributed in the Goldwasser–Micali cryptosystem. The following questions are not only interesting but also important in certain specialized cryptanalytic applications.

(i) Given a pattern of quadratic residues and non-residues (a string containing consecutive residues or non-residues), how is the pattern distributed in $\mathbb{Z}/N\mathbb{Z}$?

(ii) Given a subset $A$ (possibly sparse) of the ring $\mathbb{Z}/N\mathbb{Z}$, what is the proportion of quadratic residues and non-residues in the set $A$?

(iii) Fix a square-free integer $l$. What is the density of the RSA moduli among the positive integers for which $l$ is a quadratic residue (resp. quadratic non-residue)?

With regard to question (i), there is a result of Davenport [4, 5] in the setting of the finite field $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ where $p$ is a large prime. Davenport considered the problem of estimating the number of $s$ consecutive quadratic residues (resp. non-residues) in $\mathbb{Z}/p\mathbb{Z}$. Davenport showed that the number of $s$ consecutive quadratic residues (resp. non-residues) for large $p$ is

$$\frac{p}{2^s} + O_s(p^{\theta}), \qquad \text{where } \tfrac34 \le \theta < 1.$$
The error terms derived by Davenport were later improved [2, 10] using Weil's bound and made explicit. In this paper, we generalize Davenport's result to the setting $\mathbb{Z}/N\mathbb{Z}$ where $N = pq$. Let $\chi_N(\cdot)$ be the Jacobi symbol to the modulus $N$. Clearly $\chi_N(n) = \pm 1$ if $n$ is relatively prime to $N$. For a given pattern of $\pm 1$ of length $s$, we are interested in counting the number of occurrences of the pattern in the sequence $\chi_N(n)$, $0 \le n < N$. Precisely, let $(\varepsilon_0, \dots, \varepsilon_{s-1}) \in \{1, -1\}^s$ be a binary vector of length $s$. Consider the set

$$D := \{0 \le n < N : \chi_N(n+i) = \varepsilon_i \text{ for all } 0 \le i \le s-1\}.$$
The theorem we prove is

Theorem 1.1. Let $N = pq$ where $p, q$ are distinct odd prime numbers satisfying $1 < p, q \le cN^{1/2}$ for a fixed $c > 0$. Let $s$ be a positive integer satisfying $1 \le s \le (\tfrac12 - \delta)\log_2 N$ where $0 < \delta < \tfrac12$. Then for any $(\varepsilon_0, \dots, \varepsilon_{s-1}) \in \{1, -1\}^s$, we have

$$|D| = \frac{N}{2^s} + O\big(N^{1/2}\log N\big).$$
The implied constant depends only on $\delta$ and $c$.

Our treatment of the theorem allows generalization to the case where $N$ is square-free, and the error term in the theorem can be made explicit in terms of $s$. One immediate consequence of Theorem 1.1 is that for a suitable length $s$, the pattern of $(\pm 1)$ derived from the Jacobi symbol of length $s$ tends to a uniform distribution. Another application of the theorem is a connection of how the pattern distribution can be used to describe the complexity of predicting cryptographically strong pseudorandom bit generators whose constructions are based on the Legendre and Jacobi symbols [3]. The method used in the proof of Theorem 1.1, however, does not allow us to obtain a similar asymptotic result in the study of the pattern distribution of quadratic residues and non-residues modulo $N$. The principal difficulty here is our inability to bound non-trivially character sums of the type
$$\sum_{n}\sum_{i \ne j} \chi_p\big(f(n,i)\big)\,\chi_q\big(f(n,j)\big),$$
where $f(x,y)$ is a certain type of polynomial in $\mathbb{Z}[x,y]$. With regard to question (ii), we consider in this paper two types of $A$. The first type of $A$ consists of arithmetic sequences whose distribution can be studied using the analytic theory of $L$-functions. Such instances include for example the sequence of prime numbers, the sequence of square-free integers, etc. In Section 4, we prove the simplest result in this direction:

Theorem 1.2. Let $N = pq$ where $p, q$ are distinct odd primes. Let $0 < \delta \le 1$. Define the sets

$$A := \{\text{prime } l < N^{\delta} : l \text{ is a quadratic residue mod } N\}, \qquad NA := \{\text{prime } l < N^{\delta} : l \text{ is a quadratic non-residue mod } N\}.$$
Then under the assumption of GRH, we have

$$|A| = \frac{N^{\delta}}{4\delta\log N} + O\Big(\frac{N^{\delta}}{\log^2 N}\Big), \qquad |NA| = \frac{3N^{\delta}}{4\delta\log N} + O\Big(\frac{N^{\delta}}{\log^2 N}\Big).$$
The implied constants depend only on $\delta$. We should remark that the assumption of GRH is necessary in order to have the desired asymptotic result. Without the assumption of GRH, the error terms based on the current state of the zero-free region of Dirichlet $L$-functions are as large as $N^{\delta + 1/2 - \varepsilon}$, see Proposition 4.1.

The second type of $A$ we consider is a subinterval or a union of subintervals in $[1, N]$. We start with the case of a single subinterval. For a subinterval $[Q, Q+H] \subset [1, N]$ where $H$ is a positive integer, consider the sets
$$A := \{n : Q < n \le Q+H,\ n \text{ is a quadratic residue mod } N\}, \qquad NA := \{n : Q < n \le Q+H,\ n \text{ is a quadratic non-residue mod } N\}.$$
Since there are about $1/4$ quadratic residues and $3/4$ quadratic non-residues in $\mathbb{Z}/N\mathbb{Z}$, one could expect the same proportions of residues and non-residues to hold for an interval inside $[1, N]$ if one believes the residues (resp. non-residues) are uniformly distributed. Indeed, we have the following result.

Proposition 1.3. Let $N = pq$ where $p, q$ are distinct odd primes. Let $c_1, c_2$ be positive real numbers such that $1 < p, q \le c_1 N^{1/2}$ and $H \ge c_2 N^{1/4 + \delta}$. Then we have
$$|A| = \frac{H}{4} + O\big(H^{1 - \frac{2\delta^2}{1+4\delta}}\big), \qquad |NA| = \frac{3H}{4} + O\big(H^{1 - \frac{2\delta^2}{1+4\delta}}\big)$$
for every $0 < \delta \le \tfrac12$. The implied constants depend only on $\delta$, $c_1$ and $c_2$. Recently Heath-Brown [7] discovered a mean-value estimate which includes the original Burgess bound as a special case. The advantage of Heath-Brown's mean-value estimate lies in the fact that one is now able to bound non-trivially, on average, character sums whose ranges are as small as $N^{\varepsilon}$ provided there are sufficiently many of them. We make this precise in the following theorem. Let $I_k = (Q_k, Q_k + H_k]$, $1 \le k \le J$, be a collection of disjoint subintervals inside the interval $[1, N]$. Consider the sets

$$A := \Big\{n \in I := \bigcup_{k=1}^{J} I_k : n \text{ is a quadratic residue mod } N\Big\}, \qquad NA := \Big\{n \in I := \bigcup_{k=1}^{J} I_k : n \text{ is a quadratic non-residue mod } N\Big\}.$$
Theorem 1.4. Let $N = pq$ where $p, q$ are distinct odd prime numbers satisfying $1 < p, q \le cN^{1/2}$. Let positive real numbers $\delta, \delta_1, \delta_2$ be given such that $0 < \delta \le \tfrac14$, $0 < \delta_1, \delta_2 < 1$, and $0 < \delta_1 + \delta_2 \le 1$. Suppose for large $N$,
$$H_k \ge c_1 N^{\delta_1},\ 1 \le k \le J, \qquad J \ge c_2 N^{\delta_2},$$

where $c_1, c_2 > 0$. Then we have

$$|A| = \frac{|I|}{4} + O\big(|I|^{1-\delta^2}\big), \qquad |NA| = \frac{3|I|}{4} + O\big(|I|^{1-\delta^2}\big)$$
provided the following conditions hold:

$$\delta_1 > 2\delta, \qquad \delta_1 + \frac{\delta_2}{3} \ge \frac{1}{4(1-\delta)} + \frac{\delta}{1-\delta}.$$

The implied constants depend only on $\delta, \delta_1, \delta_2, c_1, c_2$.

Question (iii) set out in the introduction can be viewed as an inverse scenario of question (ii). As we fix a square-free integer $l$, we are interested in knowing the density of those integers having two prime factors for which $l$ is a quadratic residue. Consider the sets

$$Q(x; l) := \{n = pq \le x : p \ne q,\ l \text{ is a quadratic residue mod } n\}, \qquad NQ(x; l) := \{n = pq \le x : p \ne q,\ l \text{ is a quadratic non-residue mod } n\}.$$
Theorem 1.5. Let $2 < l \le \log\log x$ be a square-free positive integer. Then
$$|Q(x;l)| = \frac{x}{4\log x}\log\log x + O\Big(\frac{x}{\log x}\log\log\log x\Big), \qquad |NQ(x;l)| = \frac{3x}{4\log x}\log\log x + O\Big(\frac{x}{\log x}\log\log\log x\Big).$$

It is well known that the number of integers up to $x$ having two distinct prime factors is asymptotic to $\frac{x\log\log x}{\log x}$ for large $x$. Theorem 1.5 shows that the proportion of residues $1/4$ (resp. non-residues $3/4$) is the same for both families: (1) running over ring elements for a fixed modulus $N$; (2) running over $N = pq$ for a fixed square-free integer $l$. We could pose here a more cryptanalytically relevant question: what is the density of the RSA moduli among the natural integers for which $l$ is a quadratic residue (resp. non-residue)? In this direction, the author [9] defined two notions of RSA modulus which correspond to the current methods of generating a usable modulus for the RSA cryptosystem. The first method of generating an RSA modulus is to pick a prime $q$ that is near a predetermined prime $p$ of suitable bit-length. An instance of implementation of this method is the generation of safe primes. Consider the sets
$$S(x; l, \theta, c) := \{n = pq \le x : p < q \le x^{\theta} p,\ p \le x^{c},\ l \text{ is a quadratic residue mod } n\},$$
$$NS(x; l, \theta, c) := \{n = pq \le x : p < q \le x^{\theta} p,\ p \le x^{c},\ l \text{ is a quadratic non-residue mod } n\}.$$

Here the parameter $c$ describes the size of $p$. We can always take $c \le \tfrac12$ since $p$ is the smaller of the two prime factors. The parameter $\theta$ is the description of how close $q$ is located towards $p$. In this paper, we prove the following:

Theorem 1.6. Let $l$ be a square-free positive integer satisfying $2 < l \le \log x$. Let $0 < \theta < 1$ and $0 < c \le \tfrac12$ be fixed. Then we have
$$|S(x;l,\theta,c)| = \begin{cases} \dfrac{x^{2c+\theta}}{8c(c+\theta)\log^2 x} + O\Big(\dfrac{x^{2c+\theta}}{\log^3 x}\Big), & c \le \dfrac{1-\theta}{2}, \\[2ex] \dfrac14\log\dfrac{c(1+\theta)}{(1-c)(1-\theta)}\cdot\dfrac{x}{\log x} + O\Big(\dfrac{x}{\log^2 x}\Big), & \dfrac{1-\theta}{2} < c \le \dfrac12, \end{cases}$$
$$|NS(x;l,\theta,c)| = \begin{cases} \dfrac{3x^{2c+\theta}}{8c(c+\theta)\log^2 x} + O\Big(\dfrac{x^{2c+\theta}}{\log^3 x}\Big), & c \le \dfrac{1-\theta}{2}, \\[2ex] \dfrac34\log\dfrac{c(1+\theta)}{(1-c)(1-\theta)}\cdot\dfrac{x}{\log x} + O\Big(\dfrac{x}{\log^2 x}\Big), & \dfrac{1-\theta}{2} < c \le \dfrac12. \end{cases}$$
Notice that the proportion of residues (resp. non-residues) in Theorem 1.6 is $1/8$ (resp. $3/8$) instead of the usual $1/4$ (resp. $3/4$). The halving of the proportion is expected because we have enforced the condition $p < q$ in the definition of the set $S(x;l,\theta,c)$. Regarding applications of the theorem, we immediately have the following useful cryptanalytic result. Corollary 1.7 quantifies the probability that a randomly generated integer of the prescribed bit-length is a desired RSA modulus (satisfying the distance condition between $p$ and $q$), and furthermore one for which a square-free $l$ is a quadratic residue (resp. non-residue). The result has implications in chosen-plaintext attack scenarios in the Goldwasser–Micali cryptosystem.

Corollary 1.7. Let positive integers $m$, $n$ and $l$ be given such that $2m + l \le n$. Let $s$ be a square-free positive integer satisfying $2 < s \le n$. Randomly generate a positive integer $N$ with at most $n$ bits. Consider the following conditions: (1) $N$ is an RSA modulus whose prime factors have at most $m + l$ bits and are at most $l$ bits apart; (2) $s$ is a quadratic non-residue modulo $N$. Then the probability that $N$ satisfies conditions (1) and (2) is asymptotic to (as $n \to \infty$)
$$P(N) = \frac{3}{(\log 2)^2\,(ml + m^2)\,2^{\,n - 2m - l + 2}}.$$

Another common method of generating an RSA modulus is by randomly choosing $p$ and $q$ in an interval. Consider the sets:

$$B(x; l, a, b) := \{n = pq \le x : x^{a} < p \ne q \le x^{b},\ l \text{ is a quadratic residue mod } n\},$$
$$NB(x; l, a, b) := \{n = pq \le x : x^{a} < p \ne q \le x^{b},\ l \text{ is a quadratic non-residue mod } n\}.$$

In the direction of finding the density of such RSA moduli satisfying the specified quadratic residue conditions, we prove:

Theorem 1.8. Let $l$ be a square-free positive integer satisfying $2 < l \le \log x$. Let $a, b$ be two positive real numbers such that $a < \tfrac12$ and $a < b < 1$. Then the following estimates hold:

$$|B(x;l,a,b)| = \begin{cases} \dfrac{x^{2b}}{4b^2\log^2 x} + O\Big(\dfrac{x^{2b}}{\log^3 x}\Big), & b \le \dfrac12, \\[2ex] \dfrac14\log\dfrac{b}{1-b}\cdot\dfrac{x}{\log x} + O\Big(\dfrac{x}{\log^2 x}\Big), & b > \dfrac12, \end{cases}$$
$$|NB(x;l,a,b)| = \begin{cases} \dfrac{3x^{2b}}{4b^2\log^2 x} + O\Big(\dfrac{x^{2b}}{\log^3 x}\Big), & b \le \dfrac12, \\[2ex] \dfrac34\log\dfrac{b}{1-b}\cdot\dfrac{x}{\log x} + O\Big(\dfrac{x}{\log^2 x}\Big), & b > \dfrac12. \end{cases}$$
As an immediate corollary of Theorem 1.8, we have

Corollary 1.9. Let positive integers $m$, $n$ and $l$ be given such that $m - 1 < l \le \tfrac{n}{2}$. Let $s$ be a square-free positive integer satisfying $2 < s \le n$. Randomly generate a positive integer $N$ with at most $n$ bits. Consider the following conditions: (1) $N$ is an RSA modulus whose prime factors have at least $m$ bits and at most $l$ bits; (2) $s$ is a quadratic non-residue modulo $N$. Then the probability that $N$ satisfies conditions (1) and (2) is asymptotic to (as $n \to \infty$)
$$P(N) = \frac{3}{(\log 2)^2\, l^2\, 2^{\,n - 2l + 3}}.$$

2 Background and elementary facts

In this paper, a positive integer $N$ is always a product of two distinct odd primes $p, q$ unless it is specified otherwise. Let $\chi_p(\cdot) = \big(\tfrac{\cdot}{p}\big)$ be the Legendre symbol to the modulus $p$, and $\chi_N(\cdot) = \big(\tfrac{\cdot}{N}\big)$ the Jacobi symbol to the modulus $N$. By Kronecker's extension of the Legendre symbol and the Jacobi symbol, $\chi_p, \chi_N$ can be viewed as primitive quadratic characters with the conductor $p$ and $N$, respectively.

Let $\mathbb{Z}/N\mathbb{Z}$ be the ring of integers modulo $N$, and $(\mathbb{Z}/N\mathbb{Z})^{*}$ the multiplicative group of units. Among $(\mathbb{Z}/N\mathbb{Z})^{*}$, half the numbers have Jacobi symbol equal to $1$, and half the numbers have Jacobi symbol equal to $-1$. If $a$ is a positive integer relatively prime to $N$, $a$ is a quadratic residue modulo $N$ if and only if $a$ is a quadratic residue modulo $p$ and a quadratic residue modulo $q$. In terms of the quadratic symbols, $a$ is a quadratic residue modulo $N$ if and only if $\chi_p(a) = 1$ and $\chi_q(a) = 1$. Thus the quadratic residuosity problem is easy if the factorization of $N = pq$ is known, since the problem of computing Legendre symbols admits polynomial time solutions. The group of units $(\mathbb{Z}/N\mathbb{Z})^{*}$ consists of $(p-1)(q-1)$ elements, among which precisely $1/4$ of them are quadratic residues and $3/4$ of them quadratic non-residues. The well-known Burgess's bound is as follows:
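The facts of this section and the pattern count of Theorem 1.1 can be checked by hand on a toy modulus. The following Python script is an added example, not code from the paper or its author; it assumes nothing beyond the definitions above and uses the constructed modulus $N = 15 = 3 \cdot 5$ (and, in the `__main__` demo, $N = 101 \cdot 103$) purely as small illustrations. It computes the Jacobi symbol from $N$ alone, decides residuosity from the Legendre symbols once $p, q$ are known, counts the "pseudo-squares" (Jacobi symbol $1$ but not a residue) that the Jacobi symbol cannot separate from residues, and tabulates the pattern counts $|D|$ of Theorem 1.1 against the main term $N/2^s$:

```python
"""Added example (not from the paper): Jacobi symbol, quadratic residuosity with and
without the factorization of N = pq, and an empirical look at the pattern count |D|
of Theorem 1.1 and the 1/4 : 3/4 residue proportion of Section 2.
All moduli here are small constructed values; none is a real RSA modulus."""

from itertools import product
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0 via quadratic reciprocity.
    This is computable from N alone, without its factorization."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:          # remove factors of 2 using (2/n) = (-1)^((n^2-1)/8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity for odd a, n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) by Euler's criterion; p must be an odd prime."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_quadratic_residue(a: int, p: int, q: int) -> bool:
    """With the factorization known, residuosity mod N = pq is easy:
    a is a residue iff chi_p(a) = chi_q(a) = 1 (Section 2)."""
    return legendre(a, p) == 1 and legendre(a, q) == 1


def residue_census(p: int, q: int) -> dict:
    """Over the units of Z/NZ, count the quadratic residues, the elements with
    Jacobi symbol 1, and the pseudo-squares (Jacobi symbol 1 but non-residue).
    The pseudo-squares are exactly what the Jacobi symbol cannot distinguish
    from residues; this is the quadratic residuosity problem."""
    n = p * q
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    census = {"units": len(units), "residues": 0, "jacobi_one": 0, "pseudo_squares": 0}
    for a in units:
        qr = is_quadratic_residue(a, p, q)
        j = jacobi(a, n)
        census["residues"] += qr
        census["jacobi_one"] += (j == 1)
        census["pseudo_squares"] += (j == 1 and not qr)
    return census


def count_pattern(p: int, q: int, pattern: tuple) -> int:
    """|D| of Theorem 1.1: the number of 0 <= n < N such that
    chi_N(n + i) == pattern[i] for every 0 <= i < s (Jacobi symbol values +-1).
    Indices n + i >= N are fine because the Jacobi symbol is periodic mod N."""
    n_mod = p * q
    s = len(pattern)
    return sum(
        1 for n in range(n_mod)
        if all(jacobi(n + i, n_mod) == pattern[i] for i in range(s))
    )


def pattern_table(p: int, q: int, s: int) -> dict:
    """Every pattern of length s with its count |D|, next to the main term N / 2^s
    predicted by Theorem 1.1. The counts sum to N - |D_0|, where D_0 collects the
    n for which some chi_N(n + i) vanishes."""
    n_mod = p * q
    counts = {pat: count_pattern(p, q, pat) for pat in product((1, -1), repeat=s)}
    return {"main_term": n_mod / 2 ** s, "counts": counts}


if __name__ == "__main__":
    print(residue_census(3, 5))          # 8 units, 2 residues, 4 with Jacobi 1
    print(pattern_table(3, 5, 2))
    tbl = pattern_table(101, 103, 3)     # larger constructed modulus, s = 3
    print(tbl["main_term"], sorted(tbl["counts"].values()))
```

On $N = 15$ the census shows $8$ units, of which $2$ are residues and $4$ have Jacobi symbol $1$; the two pseudo-squares $2$ and $8$ are indistinguishable from residues by the Jacobi symbol alone, which is the gap between the easy case (factorization known) and the residuosity problem. On the larger constructed modulus the eight counts of length-$3$ patterns cluster around $N/8$, as Theorem 1.1 predicts.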

Theorem 2.1 (D. Burgess). Let $\chi$ be a primitive character of conductor $N > 1$. Then
$$S_{\chi}(Q, H) := \sum_{Q < n \le Q+H} \chi(n) \ll_{\varepsilon, r} H^{1 - \frac1r}\, N^{\frac{r+1}{4r^2} + \varepsilon}.$$

3 Deduction of Theorem 1.1

We start with the following proposition which is reminiscent of Weil’s bound.

Proposition 3.1. Let $\chi \pmod N$ be a primitive character of conductor $N$ of order $h$. Let $f(x) \in \mathbb{Z}[x]$ be a polynomial written as
$$f(x) = \prod_{k=1}^{s} (x + a_k)^{d_k},$$
where $d_k$ are positive integers and $a_k$ are any integers. Define
$$\Delta := \prod_{i \ne j} (a_i - a_j).$$
Suppose the condition $(d_1, \dots, d_s, h) = 1$ is satisfied. Then we have

$$\Big| \sum_{x \pmod N} \chi\big(f(x)\big) \Big| \le (s-1)^{\omega(N)}\, (\Delta, N)^{1/2}\, N^{1/2},$$
where $\omega(N)$ is the number of distinct prime divisors of $N$.

Proof. See for instance [8, Corollary 12.12].

Recall the set
$$D := \{0 \le n < N : \chi_N(n+i) = \varepsilon_i \text{ for all } 0 \le i \le s-1\}.$$
Lemma 3.2. Let $N = pq$ where $p$ and $q$ are distinct primes, and $s$ a positive integer such that $1 \le s \le \min(p, q)$. Set $D_0 := \{0 \le n < N : \text{there exists } i,\ 0 \le i \le s-1,\ \chi_N(n+i) = 0\}$. Then
$$|D_0| = s(p+q) - s^2.$$

Proof. Notice that $\chi_N(n+i) = 0$ if and only if $p \mid (n+i)$ or $q \mid (n+i)$. Consider the sets
$$E_{i,l} := \{0 \le n < N : n + i \equiv 0 \pmod l\}$$
with $0 \le i \le s-1$ and $l \in \{p, q\}$. Clearly, we have $|E_{i,l}| = pq/l$, and
$$D_0 = \bigcup_{i=0}^{s-1} \bigcup_{l \in \{p,q\}} E_{i,l}.$$
Since $s \le \min(p,q)$, we have $E_{i,l} \cap E_{j,l} = \emptyset$ for $i \ne j$. Consequently, any intersection of more than two distinct of these sets is empty. Furthermore, since
$$E_{i,p} \cap E_{j,q} = \{0 \le n < N : n \equiv -i \pmod p \text{ and } n \equiv -j \pmod q\},$$
we have $|E_{i,p} \cap E_{j,q}| = 1$ for $0 \le i, j \le s-1$. By the inclusion-exclusion principle, it follows that

$$|D_0| = \sum_{i=0}^{s-1} \sum_{l \in \{p,q\}} |E_{i,l}| - \sum_{i=0}^{s-1} \sum_{j=0}^{s-1} |E_{i,p} \cap E_{j,q}| = s(p+q) - s^2.$$
Proof of Theorem 1.1. The idea of the proof goes back to Davenport. The sum

$$S := \frac{1}{2^s} \sum_{n=0}^{N-s} \prod_{i=0}^{s-1} \big(1 + \varepsilon_i\, \chi_N(n+i)\big)$$
counts the number of occurrences of the pattern $(\varepsilon_0, \dots, \varepsilon_{s-1})$ for the Jacobi symbol provided $\chi_N$ does not vanish. Thus in view of Lemma 3.2,

$$|D| = S + O(|D_0|) = S + O_{\delta, c}\big(N^{1/2}\log N\big). \tag{3.1}$$

We have s N s 1 1 X X S s C s i0 il 1 D 2 C 2    l 1 0 i0<

$$S = \frac{N}{2^s} + O\big((s-1)\,N^{1/2}\big) = \frac{N}{2^s} + O_{\delta}\big(N^{1/2}\log N\big).$$
The theorem is now proved in view of (3.1).

Remark 3.3. If one imitates the proof of Theorem 1.1 to study, say, the distribution of quadratic residues modulo $N$, one is led to consider the sum
$$\frac{1}{4^s} \sum_{n=0}^{N-s} \prod_{i=0}^{s-1} \big(1 + \chi_p(n+i)\big)\big(1 + \chi_q(n+i)\big).$$
After an expansion, it is not hard to see that the main term comes off as $\frac{N-s}{4^s}$ and the off-diagonal terms
$$\sum_{l} \sum_{(i_0, \dots, i_{l-1})} \sum_{(j_0, \dots, j_{l-1})} \sum_{n} \Big(\prod_{k=0}^{l-1} \chi_p(n + i_k)\Big)\Big(\prod_{k=0}^{l-1} \chi_q(n + j_k)\Big), \qquad (i_0, \dots, i_{l-1}) \ne (j_0, \dots, j_{l-1}),$$
require a non-trivial treatment if one wishes to obtain an asymptotic result. At present, bounding non-trivially the off-diagonal terms seems difficult.

4 Residue proportion for sequences: Proof of Theorem 1.2

We only estimate $|A|$; the estimate of $|NA|$ (the non-residue case) follows from the fact
$$|A| + |NA| + O(1) = \pi(N^{\delta}).$$
For $(\epsilon_1, \epsilon_2) \in \{(1,1), (1,0), (0,1)\}$ define the sets
$$A_{\epsilon_1, \epsilon_2} := \{\text{prime } l < N^{\delta} : \chi_p(l) = \epsilon_1,\ \chi_q(l) = \epsilon_2\}.$$

Since a prime $l$ is a quadratic residue modulo $N$ if and only if $\chi_p(l) = \chi_q(l) = 1$, our goal of estimating $|A|$ is the same as estimating the size of the set $A_{1,1}$. Notice that the cardinality of $A_{1,0}$ and of $A_{0,1}$ is at most $1$. We need the following proposition before proving Theorem 1.2.

Proposition 4.1. Let $A > 0$, and $\chi$ a primitive character modulo $N > 2$. We have
$$\sum_{p \le x} \chi(p) \ll_A \frac{N^{1/2}\, x}{\log^A x}$$
for any $A > 0$. The implied constant depends only on $A$. Furthermore suppose the truth of GRH. Then the bound can be improved as

$$\sum_{p \le x} \chi(p) \ll x^{1/2} \log^2 Nx.$$
Proof. The first statement of the proposition is a variation of the Siegel–Walfisz theorem; the shape of the bound is essentially dictated by the location of a possible Landau–Siegel zero. The proof of the first statement can be for instance found in [8, Corollary 5.29]. On the other hand, we have (see [8, Proposition 5.25])

$$\sum_{n \le x} \Lambda(n)\chi(n) = \delta_{\chi}\, x - \sum_{|\mathrm{Im}(\rho)| \le T} \frac{x^{\rho}}{\rho} + O\Big(\frac{x}{T} \log^2 xN\Big), \tag{4.1}$$
where $\delta_{\chi} = 1$ if $\chi = \chi_0$ and $\delta_{\chi} = 0$ otherwise, $\rho$ runs over the zeros of $L(s, \chi)$, and $T$ satisfies $1 \le T \le x$. Here $\Lambda(\cdot)$ is the von Mangoldt function. Assuming the truth of GRH, every $\rho$ has real part equal to $\tfrac12$, i.e. $\rho = \tfrac12 + it$. In (4.1), set $T = x^{1/2}$. And since the number of zeros of $L(s, \chi)$ in the critical strip with $|\mathrm{Im}(\rho)| \le T$ is asymptotic to $\frac{T}{\pi} \log \frac{NT}{2\pi e}$, we have by performing partial summation

$$\sum_{n \le x} \Lambda(n)\chi(n) \ll x^{1/2} \log^2 Nx.$$

On the other hand, we have
$$\sum_{n \le x} \Lambda(n)\chi(n) = \sum_{p \le x} \chi(p) \log p + O\big(x^{1/2} \log x\big).$$
Therefore
$$\sum_{p \le x} \chi(p) \log p \ll x^{1/2} \log^2 Nx,$$
which implies the second statement after a simple partial summation.

Proof of Theorem 1.2. We have that

$$\frac14 \sum_{l < N^{\delta}} \big(1 + \chi_p(l)\big)\big(1 + \chi_q(l)\big)$$

The first sum in (4.2) is the main term; we have by the prime number theorem

$$\sum_{l < N^{\delta}} 1 = \frac{N^{\delta}}{\delta \log N} + O\Big(\frac{N^{\delta}}{\log^2 N}\Big),$$

and, by Proposition 4.1 under GRH,
$$\sum_{l < N^{\delta}} \chi(l) \ll N^{\delta/2} \log^2 N, \qquad \chi \in \{\chi_p, \chi_q, \chi_N\}.$$

5 Residue proportion for a single interval

Proof of Proposition 1.3. For $(\epsilon_1, \epsilon_2) \in \{(1,1), (1,0), (0,1)\}$, define the sets
$$A_{\epsilon_1, \epsilon_2} := \{n : Q < n \le Q+H,\ \chi_p(n) = \epsilon_1,\ \chi_q(n) = \epsilon_2\}.$$

We have
$$|A| = |A_{1,1}| = \frac14 \sum_{Q < n \le Q+H} \big(1 + \chi_p(n)\big)\big(1 + \chi_q(n)\big) + O\big(|A_{1,0}| + |A_{0,1}|\big)$$

$$E \ll \frac{H}{\min(p,q)} \ll_{c_1, c_2} N^{\frac14 + \delta - \frac{\delta^2}{2}} \ll H^{1 - \frac{2\delta^2}{1+4\delta}}.$$
The character sums in (5.1) can be bounded using the Burgess estimate, for instance

$$S_{\chi_N}(Q; H) \ll_{\varepsilon, r} H^{1 - \frac1r} N^{\frac{r+1}{4r^2} + \varepsilon} \ll_{c_2} N^{(\frac14 + \delta)(1 - \frac1r) + \frac{r+1}{4r^2} + \varepsilon}.$$
Notice that for $r > \frac{1}{2\delta}$,
$$\Big(\frac14 + \delta\Big)\Big(1 - \frac1r\Big) + \frac{r+1}{4r^2} < \frac14 + \delta - \frac{\delta}{2r}.$$

Thus we have, with the choice of $r$ of size $\frac{1}{\delta}$,

$$S_{\chi_N}(Q; H) \ll_{c_2, \delta} N^{\frac14 + \delta - \frac{\delta^2}{2}} \ll H^{1 - \frac{2\delta^2}{1+4\delta}}. \tag{5.2}$$

The bound (5.2) also holds for $S_{\chi_p}(Q; H)$ and $S_{\chi_q}(Q; H)$. That settles the case $|A|$ after putting (5.2) in (5.1). The estimate of $|NA|$ (the non-residue case) follows from the fact

$$|A| + |NA| + O\big(|A_{1,0}| + |A_{0,1}|\big) = H.$$

5.1 A mean-value estimate: Proof of Theorem 1.4

The key ingredient in the proof of Theorem 1.4 is a Burgess type of mean-value estimate for character sums due to Heath-Brown [7].

Theorem 5.1 (D. R. Heath-Brown). Let $r \in \mathbb{N}$ and let $\varepsilon > 0$ be a real number. Suppose $\chi$ is a primitive character to the modulus $N > 1$, and let a positive integer $H \le N$ be given. Suppose that $0 \le N_1 < N_2 < \dots < N_J < N$ are integers such that
$$N_{j+1} - N_j \ge H, \qquad 1 \le j < J.$$

Then
$$\sum_{j=1}^{J} \max_{h \le H} \big|S_{\chi}(N_j, h)\big|^{3r} \ll_{\varepsilon, r} H^{3r - 3}\, N^{\frac34 + \frac{3}{4r} + \varepsilon}$$
under any of the three conditions: (i) $r = 1$; (ii) $r \le 3$ and $H \ge N^{\frac{1}{2r} + \varepsilon}$; or (iii) $N$ is cube-free and $H \ge N^{\frac{1}{2r} + \varepsilon}$. Among the three conditions for which the theorem is valid, only condition (iii) is applicable to us. The theorem basically says that under suitable spacing conditions among the intervals, the Burgess type of estimates are available.

Proof of Theorem 1.4. For $(\epsilon_1, \epsilon_2) \in \{(1,1), (1,0), (0,1)\}$, define the sets
$$A_{\epsilon_1, \epsilon_2} := \Big\{n \in I := \bigcup_{k=1}^{J} I_k : \chi_p(n) = \epsilon_1,\ \chi_q(n) = \epsilon_2\Big\}.$$
We have

$$|A| = |A_{1,1}| = \frac14 \sum_{k=1}^{J} \sum_{n \in I_k} \big(1 + \chi_p(n)\big)\big(1 + \chi_q(n)\big) + O\big(|A_{1,0}| + |A_{0,1}|\big)$$
$$= \frac14 |I| + \frac14 \sum_{k=1}^{J} \Big(S_{\chi_p}(Q_k; H_k) + S_{\chi_q}(Q_k; H_k) + S_{\chi_N}(Q_k; H_k)\Big) + O_c\big(N^{1/2}\big). \tag{5.3}$$

The character sums in (5.3) can be bounded based on Heath-Brown's mean-value estimate. We have $Q_{k+1} - Q_k \ge H$, $1 \le k \le J$, where $H = \min_k H_k$. Thus for $\delta_1 > \frac{1}{2r}$, we have by Hölder's inequality

$$\sum_{k=1}^{J} S_{\chi_N}(Q_k; H_k) \le \Big(\sum_{k=1}^{J} |S_{\chi_N}(Q_k; H_k)|^{3r}\Big)^{\frac{1}{3r}} J^{1 - \frac{1}{3r}} \ll_{\varepsilon, r} H^{1 - \frac1r}\, N^{\frac{1}{4r} + \frac{1}{4r^2} + \varepsilon}\, N^{\delta_2 (1 - \frac{1}{3r})}$$
$$\ll_{c} N^{\delta_1 (1 - \frac1r) + \frac{1}{4r} + \frac{1}{4r^2} + \delta_2 (1 - \frac{1}{3r}) + \varepsilon} = N^{(\delta_1 + \delta_2) - \big(\frac{\delta_1}{r} + \frac{\delta_2}{3r} - \frac{r+1}{4r^2}\big) + \varepsilon}.$$

Notice that

$$\frac{\delta_1}{r} + \frac{\delta_2}{3r} - \frac{r+1}{4r^2} > \delta \Big(\frac{\delta_1}{r} + \frac{\delta_2}{3r}\Big) \tag{5.4}$$
provided

$$\delta_1 + \frac{\delta_2}{3} \ge \frac{1}{4(1-\delta)} + \frac{1}{4r(1-\delta)}. \tag{5.5}$$
In the range $0 < \delta \le \frac14$, we may choose $r$ of size $\frac{1}{4\delta}$. Thus condition (5.5) becomes

$$\delta_1 + \frac{\delta_2}{3} \ge \frac{1}{4(1-\delta)} + \frac{\delta}{1-\delta}.$$
Now in view of (5.4), we have

$$\sum_{k=1}^{J} S_{\chi_N}(Q_k; H_k) \ll_{\delta, c_1, c_2} N^{(\delta_1 + \delta_2) - \delta\big(\frac{\delta_1}{r} + \frac{\delta_2}{3r}\big)} \ll N^{(\delta_1 + \delta_2) - 4\delta^2 \big(\delta_1 + \frac{\delta_2}{3}\big)} \ll N^{(\delta_1 + \delta_2) - \delta^2 (\delta_1 + \delta_2)} = N^{(\delta_1 + \delta_2)(1 - \delta^2)} \ll_{c_1, c_2} |I|^{1 - \delta^2}.$$
Similarly the sums $\sum_{k=1}^{J} S_{\chi_p}(Q_k; H_k)$ and $\sum_{k=1}^{J} S_{\chi_q}(Q_k; H_k)$ have the same upper bound. Finally, the estimate of $|NA|$ (the non-residue case) follows from the fact

$$|A| + |NA| + O\big(|A_{1,0}| + |A_{0,1}|\big) = |I|.$$

6 Residue proportion for integers having two prime factors

We start with a lemma.

Lemma 6.1. Let $A \ge 1$ be a positive integer, and $x > 2$ a real number bounded away from the positive integers (i.e. $|x - [x]| \ge \delta$ for some $0 < \delta < 1/2$). Then
$$\sum_{p \le x} \frac{1}{p \log^A \frac{x}{p}} = \frac{\log\log x}{\log^A x} + O_A\Big(\frac{1}{\log^A x}\Big).$$
The implied constant depends only on $A$.

Proof. We have
$$\sum_{p \le x} \frac{1}{p \log^A \frac{x}{p}} = \frac{1}{\log^A x} \sum_{p \le x} \frac{1}{p\,\big(1 - \frac{\log p}{\log x}\big)^A} = \frac{1}{\log^A x} \Big(\sum_{p \le x} \frac1p + O_A\Big(\frac{1}{\log x} \sum_{p \le x} \frac{\log p}{p}\Big)\Big) = \frac{1}{\log^A x} \big(\log\log x + O_A(1)\big).$$

Proof of Theorem 1.5. For $(\epsilon_1, \epsilon_2) \in \{(1,1), (1,0), (0,1), (0,0)\}$, define the sets
$$Q(x; l)_{\epsilon_1, \epsilon_2} := \{n = pq \le x : p \ne q,\ \chi_p(l) = \epsilon_1,\ \chi_q(l) = \epsilon_2\}.$$
We have
$$|Q(x; l)_{0,0}| = \sum_{p \mid l} \sum_{\substack{q \le x/p \\ q \mid l,\ p \ne q}} 1 \le \omega(l)^2 \le \log^2 l,$$
$$|Q(x; l)_{0,1}| = \sum_{p \mid l} \sum_{\substack{q \le x/p \\ q \nmid l}} \frac{1 + \chi_q(l)}{2} \le \omega(l)\, \pi(x) \ll (\log l) \frac{x}{\log x},$$
$$|Q(x; l)_{1,0}| = \sum_{q \mid l} \sum_{\substack{p \le x/q \\ p \nmid l}} \frac{1 + \chi_p(l)}{2} \le \omega(l)\, \pi(x) \ll (\log l) \frac{x}{\log x}.$$
Now,

$$|Q(x; l)| = |Q(x; l)_{1,1}| = \frac14 \sum_{\substack{pq \le x \\ p \ne q}} \big(1 + \chi_p(l)\big)\big(1 + \chi_q(l)\big) + O\big(|Q(x;l)_{0,0}| + |Q(x;l)_{0,1}| + |Q(x;l)_{1,0}|\big)$$
$$= \frac14 \Big(\sum_{\substack{pq \le x \\ p \ne q}} 1 + \sum_{\substack{pq \le x \\ p \ne q}} \chi_p(l) + \sum_{\substack{pq \le x \\ p \ne q}} \chi_q(l) + \sum_{\substack{pq \le x \\ p \ne q}} \chi_N(l)\Big) + O\Big((\log l) \frac{x}{\log x}\Big). \tag{6.1}$$
The main term in (6.1) is
$$\sum_{\substack{pq \le x \\ p \ne q}} 1 = \frac{x}{\log x} \log\log x + O\Big(\frac{x}{\log^2 x} (\log\log x)^2\Big), \tag{6.2}$$
which counts the number of integers having exactly two distinct prime factors (the error term is due to Selberg [11]). And
$$\sum_{\substack{pq \le x \\ p \ne q}} \chi_p(l) = \sum_{\substack{pq \le x \\ p \ne q}} \chi_q(l) = \sum_{p \le x} \sum_{\substack{q \le x/p \\ q \ne p}} \chi_q(l) = \sum_{p \le x} \sum_{q \le x/p} \chi_q(l) + O(\pi(x))$$
$$\le \sum_{p \le x} \Big| \sum_{q \le x/p} \chi_q(l) \Big| + O(\pi(x)) \ll_A l^{1/2} \sum_{p \le x} \frac{x}{p \log^A \frac{x}{p}} + O(\pi(x)) \ll_A \frac{l^{1/2}\, x \log\log x}{\log^A x} + \pi(x) \ll \frac{x}{\log x}. \tag{6.3}$$

In the above, the character sum over $q$ is estimated by using the Siegel–Walfisz bound (Proposition 4.1), since $q \mapsto \chi_q(l)$ is a primitive Dirichlet character of modulus $l$ or $4l$, and the sum over $p$ is bounded by using Lemma 6.1. Similarly, we have
$$\sum_{\substack{pq \le x \\ p \ne q}} \chi_{pq}(l) \ll \frac{x}{\log x}. \tag{6.4}$$
This settles the case $|Q(x; l)|$ after placing (6.2), (6.3), and (6.4) in (6.1). Finally, the estimate of $|NQ(x; l)|$ (the non-residue case) follows from the fact
$$|Q(x; l)| + |NQ(x; l)| + O\big(|Q(x;l)_{0,0}| + |Q(x;l)_{1,0}| + |Q(x;l)_{0,1}|\big) = \sum_{\substack{pq \le x \\ p \ne q}} 1 = \frac{x \log\log x}{\log x} + O\Big(\frac{x}{\log^2 x} (\log\log x)^2\Big).$$

7 RSA moduli density calculation I: Proof of Theorem 1.6 and Corollary 1.7

We begin with a lemma.

Lemma 7.1. Let real numbers $\theta \ge 0$ and $c > 0$ be given. Let $A > 0$. Then for large $x$,

$$\sum_{p \le x^{c}} \frac{p}{\log^A (x^{\theta} p)} = \frac{x^{2c}}{2c\,(\theta + c)^A \log^{A+1} x} + O_{A, \theta, c}\Big(\frac{x^{2c}}{\log^{A+2} x}\Big).$$

Proof. The result follows from a simple partial summation and the estimate
$$\sum_{p \le z} p = \frac{z^2}{2 \log z} + O\Big(\frac{z^2}{\log^2 z}\Big).$$
Proof of Theorem 1.6. For $(\epsilon_1, \epsilon_2) \in \{(1,1), (1,0), (0,1), (0,0)\}$, define the sets
$$S(x; l, \theta, c)_{\epsilon_1, \epsilon_2} := \{n = pq \le x : p < q \le x^{\theta} p,\ p \le x^{c},\ \chi_p(l) = \epsilon_1,\ \chi_q(l) = \epsilon_2\}.$$
We have
$$|S_{0,0}| = \sum_{p \mid l} \sum_{\substack{q \mid l \\ p < q}} 1 \le \omega(l)^2 \le \log^2 l,$$

$$|S(x; l, \theta, c)| = |S(x; l, \theta, c)_{1,1}| = \frac14 \sum_{p \le x^{c}} \sum_{p < q \le \min(x^{\theta} p,\, x/p)} \big(1 + \chi_p(l)\big)\big(1 + \chi_q(l)\big) + O\big(|S_{0,0}| + |S_{0,1}| + |S_{1,0}|\big)$$

$$\sum_{p \le x^{c}} \sum_{p < q \le \min(x^{\theta} p,\, x/p)} 1 = \begin{cases} \dfrac{x^{2c+\theta}}{2c(\theta + c) \log^2 x} + O\Big(\dfrac{x^{2c+\theta}}{\log^3 x}\Big), & c \le \dfrac{1-\theta}{2}, \\[2ex] \log \dfrac{c(1+\theta)}{(1-c)(1-\theta)} \cdot \dfrac{x}{\log x} + O\Big(\dfrac{x}{\log^2 x}\Big), & \dfrac{1-\theta}{2} < c \le \dfrac12. \end{cases} \tag{7.2}$$

Proposition 7.2. Let $A \ge 4$ be given. Then in the range $c \le \frac{1-\theta}{2}$, for $\chi \in \{\chi_p, \chi_q, \chi_N\}$ we have

$$\Sigma_{c, \theta, \chi} := \sum_{p \le x^{c}} \sum_{p < q \le x^{\theta} p} \chi(l) \ll_{A, \theta, c} \frac{l^{1/2}\, x^{2c+\theta}}{\log^A x}.$$

$$\Sigma_{c, \theta, \chi_N} = \sum_{p \le x^{c}} \chi_p(l) \sum_{p < q \le x^{\theta} p} \chi_q(l) \le \sum_{p \le x^{c}} \Big| \sum_{p < q \le x^{\theta} p} \chi_q(l) \Big| \ll_{A, \theta, c} \frac{l^{1/2}\, x^{2c+\theta}}{\log^A x}.$$

1 c c 2 2c  1 x X 1 x  c l x C II A;c l 2 1 l 2 .x C / :  logA 1 x  logA 1 x  logA x xc

Proof. We have X X X X X N .l/ N .l/ I II: D 1 Â Â C 1 Â q D C c;Â; N p

Similarly, we have
$$\Sigma_{c, \theta, \chi_q} \ll_{A, \theta, c} \frac{l^{1/2}\, x \log\log x}{\log^A x}.$$

The last character sum involving p is more delicate, we have X X X X X p.l/ p.l/ I II: D 1 Â Â C 1 Â q D C c;Â; p p

$$\min\big(x^{c}, q, x/q\big) = \begin{cases} q, & x^{\frac{1-\theta}{2}} < q \le x^{c}, \\[1ex] x^{c}, & x^{c} < q \le x^{1-c}, \\[1ex] \dfrac{x}{q}, & x^{1-c} < q \le x^{\frac{1+\theta}{2}}. \end{cases} \tag{7.3}$$

Thus in view of the conditions (7.3), X X II p.l/ D 1 Â 1 Â p min.xc ;q; x / x 2

1 2c 1 X q l 2 x 2 R A l A 1 c A ;  1 Â log q  log x x 2

$$|S(x; l, \theta, c)| + |NS(x; l, \theta, c)| + O\big(|S_{0,0}| + |S_{0,1}| + |S_{1,0}|\big) = \big|\{n = pq \le x : p < q \le x^{\theta} p,\ p \le x^{c}\}\big|.$$
The size of the above set in the respective ranges is already evaluated in (7.2).

Proof of Corollary 1.7. Let $s$ and $t$ be positive integers. Recall that $s$ and $t$ are $l$ bits apart if
$$1 < \frac{s}{t}\ \Big(\text{or } \frac{t}{s}\Big) \le 2^{l}.$$
The set of RSA moduli with at most $n$ bits and whose prime factors have at most $m$ bits and are at most $l$ bits apart, and for which $s$ is a quadratic non-residue, has cardinality twice the size of the following set:

$$NS\Big(2^{n}; s, \frac{l}{n}, \frac{m}{n}\Big) = \{N = pq < 2^{n} : p < q < 2^{l} p,\ p < 2^{m},\ s \text{ is a quadratic non-residue mod } N\}.$$

Since, as a consequence of Theorem 1.6,

$$\Big| NS\Big(2^{n}; s, \frac{l}{n}, \frac{m}{n}\Big) \Big| = \frac38 \cdot \frac{2^{2m+l}}{(ml + m^2)(\log 2)^2} + O\Big(\frac{2^{2m+l}}{n^3}\Big),$$
we have, for large $n$,

$$P(N) = \frac{3}{(\log 2)^2\,(ml + m^2)\,2^{\,n - 2m - l + 2}}.$$

8 RSA moduli density calculation II: Proof of Theorem 1.8 and Corollary 1.9

Proof of Theorem 1.8. For $(\epsilon_1, \epsilon_2) \in \{(1,1), (1,0), (0,1), (0,0)\}$, define the sets

$$B(x; l, a, b)_{\epsilon_1, \epsilon_2} := \{n = pq \le x : x^{a} < p \ne q \le x^{b},\ \chi_p(l) = \epsilon_1,\ \chi_q(l) = \epsilon_2\}.$$

We have

$$|B_{0,0}| = \sum_{p \mid l} \sum_{\substack{q \le \min(x^{b}, x/p) \\ q \mid l,\ q \ne p}} 1 \le \omega(l)^2 \le \log^2 l,$$
$$|B_{0,1}| = \sum_{p \mid l} \sum_{\substack{q \le \min(x^{b}, x/p) \\ q \nmid l}} \frac{1 + \chi_q(l)}{2} \le \omega(l)\, \pi(x^{b}) \ll (\log l) \frac{x^{b}}{b \log x},$$
$$|B_{1,0}| = \sum_{q \mid l} \sum_{\substack{x^{a} < p \le \min(x^{b}, x/q) \\ p \nmid l}} \frac{1 + \chi_p(l)}{2} \le \omega(l)\, \pi(x^{b}) \ll (\log l) \frac{x^{b}}{b \log x}.$$

Now,

$$|B(x; l, a, b)| = |B(x; l, a, b)_{1,1}| = \frac14 \sum_{x^{a} < p \le x^{b}} \sum_{\substack{x^{a} < q \le \min(x^{b}, x/p) \\ q \ne p}} \big(1 + \chi_p(l)\big)\big(1 + \chi_q(l)\big) + O\big(|B_{0,0}| + |B_{0,1}| + |B_{1,0}|\big)$$

$$\sum_{x^{a} < p \le x^{b}} \sum_{\substack{x^{a} < q \le \min(x^{b}, x/p) \\ q \ne p}} 1 = \begin{cases} \dfrac{x^{2b}}{b^2 \log^2 x} + O\Big(\dfrac{x^{2b}}{\log^3 x}\Big), & b \le \dfrac12, \\[2ex] \log \dfrac{b}{1-b} \cdot \dfrac{x}{\log x} + O\Big(\dfrac{x}{\log^2 x}\Big), & b > \dfrac12. \end{cases} \tag{8.2}$$

$\le \tfrac12$, respectively.

Proposition 8.1. Let $A \ge 4$. Then in the range $b \le \frac12$, for $\chi \in \{\chi_p, \chi_q, \chi_N\}$ we have

$$\Sigma_{a, b, \chi} := \sum_{x^{a} < p \le x^{b}} \sum_{\substack{x^{a} < q \le x^{b} \\ q \ne p}} \chi(l) \ll_{A, b} \frac{l^{1/2}\, x^{2b}}{\log^A x}.$$

Proposition 8.2. Let $A \ge 3$. We have in the range $\frac12 < b < 1$, for $\chi \in \{\chi_p, \chi_q, \chi_N\}$,
$$\Sigma_{a, b, \chi} := \sum_{x^{a} < p \le x^{b}} \sum_{\substack{x^{a} < q \le \min(x^{b}, x/p) \\ q \ne p}} \chi(l) \ll_{A, b} \frac{l^{1/2}\, x \log\log x}{\log^A x}.$$

X X X ˇ X ˇ b II p.l/ q.l/ ˇ q.l/ˇ O..x // D Ä ˇ ˇ C x1 b

$$|B(x; l, a, b)| + |NB(x; l, a, b)| + O\big(|B_{0,0}| + |B_{1,0}| + |B_{0,1}|\big) = \big|\{n = pq \le x : x^{a} < p \ne q \le x^{b}\}\big|.$$
The size of the above set in the respective ranges is already evaluated in (8.2).

Proof of Corollary 1.9. The set of RSA moduli with at most $n$ bits whose prime factors have at least $m$ bits and at most $l$ bits, and for which $s$ is a quadratic non-residue modulo the modulus, is the set

$$\{N = pq < 2^{n} : 2^{m-1} < p < q < 2^{l},\ s \text{ is a quadratic non-residue mod } N\}.$$
The cardinality of the set above is half the cardinality of $NB\big(2^{n}; s, \frac{m-1}{n}, \frac{l}{n}\big)$. Since, as a consequence of Theorem 1.8,

$$\Big| NB\Big(2^{n}; s, \frac{m-1}{n}, \frac{l}{n}\Big) \Big| = \frac34 \cdot \frac{2^{2l}}{(\log 2)^2\, l^2} + O\Big(\frac{2^{2l}}{n^3}\Big),$$
we have, for large $n$,
$$P(N) = \frac{3}{(\log 2)^2\, l^2\, 2^{\,n - 2l + 3}}.$$

Acknowledgments. The author wishes to thank the anonymous referees, whose comments helped to strengthen Lemma 3.2, and improve the overall presentation of this paper.

Bibliography

[1] L. M. Adleman, On distinguishing prime numbers from composite numbers (abstract), in: 21st Annual Symposium on Foundations of Computer Science (FOCS), IEEE Computer Society (1980), 387–406.
[2] E. Bach, Realistic analysis of some randomized algorithms, in: Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), ACM (1987), 453–461.
[3] I. B. Damgård, On the randomness of Legendre and Jacobi sequences, in: Advances in Cryptology (Crypto '88), Lecture Notes in Comput. Sci. 403, Springer, Berlin (1990), 163–172.
[4] H. Davenport, On the distribution of quadratic residues (mod p), J. London Math. Soc. 6 (1931), 49–54.
[5] H. Davenport, On character sums in finite fields, Acta Math. 71 (1939), 99–121.
[6] S. Goldwasser and S. Micali, Probabilistic encryption, J. Comput. System Sci. 28 (1984), 270–299.
[7] D. R. Heath-Brown, Burgess's bounds for character sums, in: Number Theory and Related Fields, Springer Proc. Math. Stat. 43, Springer, New York (2013), 199–213.
[8] H. Iwaniec and E. Kowalski, Analytic Number Theory, Amer. Math. Soc. Colloq. Publ. 53, American Mathematical Society, Providence, 2004.

[9] B. Justus, On integers with two prime factors, Albanian J. Math. 3 (2009), 189–197.
[10] R. Peralta, On the distribution of quadratic residues and nonresidues modulo a prime number, Math. Comp. 58 (1992), 433–440.
[11] A. Selberg, Note on a paper by L. G. Sathe, J. Indian Math. Soc. (N.S.) 18 (1954), 83–87.

Received January 5, 2013; revised November 29, 2013; accepted December 20, 2013.

Author information

Benjamin Justus, Labor für IT-Sicherheit, Stegerwaldstr. 39, 48565 Steinfurt, Germany; and Lab-STICC, Télécom Bretagne, Cesson Sévigné Cedex, France. E-mail: [email protected]