Join Log in
Score:2
J. Doe avatar Crypto

Any way to find $g,P$ for max cycle size in Blum–Micali with $x_{i+1} = g^{x_i} \mod P $ and $x_0 = g$?

at flag
J. Doe

For some $g$ and prime $P$ the sequence $$x_{i+1} = g^{x_i} \mod P $$ $$ x_0 = g$$ can contain all numbers from $1$ to $P-1$ and with this it is a pseudo-random permutation of those numbers (EDIT: seems to be not the case).

Is there any (quick) way to find big/safe values for $P$ and related $g$ which can still produce every number from $1$ to $P-1$?

Some examples:

With $P=5, g=3$ the sequence would be $$\begin{split} &[3, 3^3\equiv 2, 3^{2} \equiv 4, 3^{4} \equiv 1] \mod 5 \\ \equiv&[3, 2, 4, 1] \mod 5 \end{split}$$

Or for $P=23, g=20$ the values would be: $$[20,18,2,9,5,10,8,6,16,13,14,4,12,3,19,17,7,21,15,11,22,1]$$ or $P=59, g=39$

It looks like not every $P$ has such a value $g$. In some test run small $P$ often had no more than one suitable $g$.
[ 107: 94]
[ 359: 97]
[ 467: 72]
[ 587: 150,375]
[ 719: 284]

So far only $P=587$ got more than one $g$ in my test run. (Edit: I only checked for $P=2q+1$ with $q$ a prime, other $P$ can work as well)

side questions:
Will multiple $g$ be more common for larger $P$?
Or will larger $P$ tend to have no $g$ at all?

main question:
Is there any (quick) way to find big/safe values for $P$ and a related $g$ ?

76
0 + 0
poncho avatar
my flag
poncho
A scan for $p < 2000$ also found these $p$ with multiple $g$'s: 751, 809, 811, 877, 883, 907, 941, 1039, 1279, 1307, 1373, 1619, 1627, 1637, 1693, 1811, 1847, 1877, 1889 (which has 3 $g$'s), 1949, 1979; this certainly makes it plausible that multiple $g$s might be more common for larger $P$..
1
Reply
Score:1
Daniel S avatar Crypto
ru flag
Daniel S

I'm afraid that I can offer little the way of proofs, but I do have some observations and heuristics.

Firstly the map will only be a permutation if $g$ is a primitive root modulo $P$. We note that there are $\phi(P-1)$ primitive roots and that primes with many primitive roots will have more $g$ for which the permutation might be a full cycle. The primes with the greatest proportion of primitive roots are of the form $P=2q+1$ where $q$ is also prime. Note that all of your examples are of this form.

Next we note that not all permutations are possible as we will always have the sequence $P-1\mapsto 1\mapsto g$. Only a proportion $1/(P-1)(P-2)$ of permutations will have this property and only $1/(P-2)(P-3)$ full cycles will have this property. We also note that even values always map to quadratic residues and odd values always map to quadratic non-residues (with further restrictions for other multiples/powers that divide $P-1$). This is a more powerful restriction which only a proportion $1/\binom{P-1}{(P-1)/2}$ of permutations having this property. It's not immediately clear to me what proportion of full cycles will meet his restriction.

IN PROGRESS

0 + 0
poncho avatar
my flag
poncho
As composed, this treats the mapping $x \rightarrow g^x$ as a random permutation - it's not clear that's the appropriate model.
0
Reply
Daniel S avatar
ru flag
Daniel S
Agreed. These are reasons why the map is not a pseudo-random permutation as was posited in the first sentence of OP.
0
Reply
J. Doe avatar
at flag
J. Doe
(I my search I limited $P$ to be $2q+1$. Other $P,g$ are also possible. E.g. like $[41,6] [61,10] [139,40] [149,56] [173,154] [181,104] ...$)
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.