Constructions of Sequences with Almost Perfect Linear Complexity ...

Finite Fields and Their Applications 5, 301}313 (1999) Article ID !ta.1999.0251, available online at http://www.idealibrary.com on

Constructions of Sequences with Almost Perfect Linear Complexity Profile from Curves over Finite Fields Chaoping Xing Department of Mathematics, The National University of Singapore, Lower Kent Ridge Road, Singapore 119260 E-mail: [email protected]

Harald Niederreiter* Institute of Discrete Mathematics, Austrian Academy of Sciences, Sonnenfelsgasse 19, A-1010 Vienna, Austria E-mail: [email protected]

Kwok Yan Lam and Cunsheng Ding School of Computing, The National University of Singapore, Lower Kent Ridge Road, Singapore 119260 E-mail: [email protected], [email protected] Communicated by Peter Jau-Shyong Shiue

Received September 1, 1998; revised February 9, 1999

Sequences with almost perfect linear complexity pro"le are of importance for the linear complexity theory of sequences. In this paper we present several constructions of sequences with almost perfect linear complexity pro"le based on algebraic curves over "nite "elds. Moreover, some interesting consequences and examples are derived from our constructions.  1999 Academic Press Key =ords: sequences; linear complexity; algebraic curves over "nite "elds.

*Corresponding author. 301 1071-5797/99 $30.00 Copyright  1999 by Academic Press All rights of reproduction in any form reserved.

302

XING ET AL.

1. INTRODUCTION Because of their cryptographic signi"cance, sequences with almost perfect linear complexity pro"le are extensively investigated (see [1}5, 7, 8]). However, most papers are mainly concerned with existence or nonconstructive results. For instance, a criterion for d-perfect sequences in terms of the continued fraction expansion of the generating function is given in [1, 2] and the Hausdor! dimension of the set of d-perfect sequences is determined in [3]. In the paper [8], a construction of d-perfect sequences based on curves over "nite "elds is given and some interesting examples are presented there. The present paper is the continuation of [8] in the sense that the construction in [8] is being extended in this paper by again using curves over "nite "elds. We also give some consequences and calculate some explicit d-perfect sequences from our constructions. Let us brie#y recall some concepts regarding linear complexity pro"les of sequences. The linear complexity pro"le (simply denoted by lcp) of an in"nite sequence a of elements of a "nite "eld is the integer sequence +la (n), , L where la (n) is the linear complexity of the "rst n terms of the sequence a. The sequence a is called almost perfect if n la(n)" #O(1) for all n51. 2 A sequence a is called d-perfect for a positive integer d if one of the following equivalent conditions holds: (i) n#1!d n#d 4la(n)4 for all n, 2 2 or (ii) n#1!d la(n)5 for all n. 2 There is also the notion of a sequence a with perfect linear complexity pro"le, i.e.,

la(n)"

n 2

for all n51,

LINEAR COMPLEXITY PROFILE

303

where U V v denotes the least integer bigger than or equal to the real number v. In other words, a sequence with perfect linear complexity pro"le is nothing but a 1-perfect sequence. There is a very simple criterion for binary 1-perfect sequences [2, 7]. However, for q53 no simple criteria for 1-perfect sequences over F are known, except a criterion in terms of continued fraction expanO sions in [1, 2]. Section 5 in this paper presents some explicit 1-perfect sequences to illustrate our constructions in Section 3.

2. BACKGROUND ON CURVES OVER FINITE FIELDS For the "nite "eld F , let X be a smooth, absolutely irreducible, projective O algebraic curve de"ned over F . We express this fact by simply saying that O X/F is an algebraic curve. A point on X is called rational if all of its O coordinates belong to F . A divisor G of X is called rational if O GN"G for any automorphism p3Gal (F /F ). In this paper we always mean a raO O tional divisor whenever a divisor is mentioned. We denote by F (X) the function "eld of X. An element of F (X) is called O O a function. We write l for the normalized discrete valuation corresponding . to the point P of X/F . Let x3F (X)!+0, and denote by Z(x) (respectively, O O N(x)), the set of zeros (respectively, poles) of x. We de"ne the zero divisor of x by (x) " l (x)P  P3Z(x) .

(1)

(x) " (!l (x))P.  P3N(x) .

(2)

and the pole divisor of x by

Then (x) and (x) are both rational divisors. Furthermore, the principal   divisor of x is given by div(x)"(x) !(x) .  

(3)

The degree of div(x) is equal to zero, i.e., deg ((x) )" l (x)" (!l (x))"deg ((x) ).  . .  P3Z(x) P3N(x)

(4)

304

XING ET AL.

For a divisor G of X we form the F -vector space O L(G)"+x3F (X)!+0,:div(x)#G50,6+0,. O For a rational point P of X, an element t of F (X) is called a local parameter at O P if l (t)"1. Such a local parameter always exists for any rational point. . Now we choose a sequence +t , of elements in F (X) such that P P\ O l (t )"r . P for all integers r. For a given function f3F (X)!+0,, we can "nd an integer O v such that l ( f )5v. Hence, .




f l 50. . t T Put




f a" (P); T t T i.e., a is the value of the function f/t at P. Then a is an element of F . Note T T T O that the function f/t !a satis"es T T











f l !a 51; . t T T hence, we know that l .

f!a t T T 50. t T>

Put




a " T>



f!a t T T (P). t T>

Then a belongs to F and l ( f!a t !a t )5v#2. T> O . TT T> T> Assume that we have obtained a sequence +a ,K (m'v) of elements of P PT F such that O l

.






I f! a t 5k#1 P P PT

(5)

LINEAR COMPLEXITY PROFILE

305

for all v4k4m. Put




a " K>



f! K a t PT P P (P). t K>

Then a 3F and l ( f! K> a t )5m#2. In this way we continue our PT P P K> O . construction of a ; then we obtain an in"nite sequence +a , of elements of P P PT F such that O l

.






K f! a t 5m#1 P P PT

(6)

for all m5v. We summarize the above well-known construction in the formal expansion  f" a t . P P PT

(7)

This is called the local expansion of f at P. The above local expansion (7) will be the core of our constructions. We will use only the special case where t "tP for some local parameter t at P. For further background on algebraic P curves and their function "elds, we refer to [6].

3. CONSTRUCTIONS OF d-PERFECT SEQUENCES In this section we describe several new constructions of d-perfect sequences based on algebraic curves over "nite "elds. For the sake of easier reference we also recall the construction from [8] which is case (i) of Construction 1 below. We "x some notations for this section: X/F *an algebraic curve over F ; O O P2a rational point on X; t2a local parameter at P with deg((t) )"2;  f2a function in F (X)!F (t). O O CONSTRUCTION 1. This construction was presented in [8] for the case where l ( f )50. Now we extend this construction for the case where . l ( f )(0. Let us recall the result from [8]: . Case (i) l ( f )50. Consider the local expansion of f at P, .  f" a tL, L L

306

XING ET AL.

where the a are elements of F . De"ne the sequence consisting of some L O coe$cients of the above expansion, a ( f )"(a , a , a , 2 );     then we have PROPOSITION 3.1 (Theorem 3.1 of [8]). If d5deg (( f ) ) and l ( f )50,  . then the sequence a ( f ) constructed above is d-perfect.  Case (ii) l ( f )(0. Let v"!l ( f )'0. Then l (tT f )"0. Consider the . . . local expansion of f at P,  f"t\T a tL, L L where the a are elements of F . De"ne the sequence consisting of some L O coe$cients of the above expansion, a ( f )"(a , a , a , 2 );     then we have PROPOSITION 3.2. If d5deg (( f ) ) and l ( f )"!v(0, then the sequence  . a ( f ) constructed above is (d#v)-perfect.  Proof. The local expansion of tTf at P is  tT f" a tL L L and deg ((tT f ) )4deg (( f ) )#deg ((tT) )!deg (vP)4d#v.    The result follows from Proposition 3.1.

䊏

CONSTRUCTION 2. Case (i) l ( f )'0. Let v"l ( f )'0. Consider the . . local expansion of f at P,  f"tT a tL, L L

LINEAR COMPLEXITY PROFILE

307

where the a are elements of F . De"ne the sequence consisting of the L O coe$cients of the above expansion, a ( f )"(a , a , a , a , 2);      then we have PROPOSITION 3.3. If d5deg (( f ) ) and l ( f )"v'0, then the sequence  . a ( f ) constructed above is (d#v!1)-perfect.  Proof. It is su$cient to prove that

la



( f)

n!d!v#2 (n)5 2

for all n5d#v!1. Suppose that there exist r#14n elements j , 2 , j of F with j O0  P O P such that ja #j a #2#j a #j a "0 P G>P\ P\ G>P\  G  G\

(8)

for i"1, 2, 2 , n!r. Consider the function ¸"(j tP#j tP\#2#j ) f   P !(j a #(j a #j a )t#2#(j a #2#j a )tP\)tT. P  P  P\  P P\   Since j O0 and f , F (t), we know that ¸ is a nonzero element of F. By P O applying the recursion (8) and considering the local expansion of ¸ at P, we obtain l (¸)5n#v. . On the other hand, the pole divisor of ¸ satis"es deg ((¸) )4deg (( f ) )#deg ((tT>P\) )4d#2(v#r!1).    Therefore, n#v4l (¸)4deg ((¸) )"deg ((¸) )4d#2(v#r!1); .  

308

XING ET AL.

i.e., n!d!v#2 . r5 2 This implies that a ( f ) is (d#v!1)-perfect. 䊏  Case (ii) l ( f )40. Let !v"l ( f )40. Consider the local expansion of . . f at P,  f"t\T a tL, L L where the a are elements of F . De"ne the sequence consisting of the L O coe$cients of the above expansion, a ( f )"(a , a , a , a , 2 );      then we have PROPOSITION 3.4. If d5deg (( f ) ) and l ( f )"!v40, then the sequence  . a ( f ) constructed above is (d#v#1)-perfect.  Proof. Apply Proposition 3.3 with f replaced by ftT> and use the argument in the proof of Proposition 3.2. 䊏 CONSTRUCTION 3. pansion of f at P,

Suppose that l ( f )"!v40. Consider the local ex. T  f" b tH\T\# a tL, H L H L

where the b , a are elements of F . De"ne the sequence consisting of some H L O coe$cients of the above expansion, a ( f )"(a , a , a , 2);     then we have PROPOSITION 3.5. If d5deg (( f ) ) and l ( f )40, then the sequence a ( f )  .  constructed above is d-perfect. Proof. It is su$cient to prove that la



for all n5d.

(f)

n!d#1 (n)5 2

309

LINEAR COMPLEXITY PROFILE

Suppose that there exist r#14n elements j , 2 , j of F with j O0  P O P such that j a #j a #2#j a #j a "0 P G>P P\ G>P\  G>  G

(9)

for i"1, 2, 2 , n!r. Consider the function






T ¸"(j tP#j tP\#2#j ) f! b tH\T\ H   P H !(j a #(j a #j a )t#2#(j a #2#j a )tP). P  P  P\  P P   Since j O0 and f ,F (t), we know that ¸ is a nonzero element of F. By P O applying the recursion (9) and considering the local expansion of ¸ at P, we obtain l (¸)5n#1. . On the other hand, the pole divisor of ¸ satis"es deg ((¸) )4(deg (( f ) )!deg (vP))#(deg((tT) )!deg (vP))#deg ((tP) )     4d#2r. Therefore, n#14d#2r; i.e., n!d#1 . r5 2 The result follows.

䊏

4.

SOME GENERAL RESULTS

In this section we discuss some consequences of the constructions in Section 3. For two sequences a"(a , a , a , 2) and b"(b , b , b , 2) of       elements of F , we de"ne O a#b "(a : #b , a #b , a #b , 2 )       and a * b "(0, : a b , a b #a b , a b #a b #a b , 2 ).            

310

XING ET AL.

PROPOSITION 4.1. (i) If f, g3F (X) with l ( f )50, l (g)50, then O . . a ( f )#a (g) is d-perfect or ultimately periodic, where d"deg (( f#g) )    4deg (( f ) )# deg ((g) ).   (ii) If f, g3F (X) with l ( f )'0, l (g)'0, then a ( f ) * a (g) is d-perfect or O . .   ultimately periodic, where d"deg (( fg) )4deg (( f ) )#deg ((g) ).    Proof. This is a direct consequence of Proposition 3.1. 䊏 PROPOSITION 4.2. If G is a positive divisor of X of degree d with P,supp(G) and if f3L(G), then a ( f ) is d-perfect or ultimately periodic. Moreover,  a ( f )#a (g) is d-perfect or ultimately periodic for any f, g3L(G).   Proof. This is a direct consequence of Proposition 3.1. 䊏 The second topic of this section is the investigation of the lcp of sequences with a few changed terms. Our result shows that sequences from our constructions keep the same bounds on the lcp if a limited number of terms are changed. PROPOSITION 4.3. ¸et l ( f )50 and deg (( f ) )4d. ¹hen any sequence .  s obtained by changing the ,rst m terms of a ( f ) is (d#2m)-perfect. Moreover,  if the divisor m(t) is less than or equal to the divisor ( f ) , then s is still   d-perfect. Proof. Let f have the local expansion at P  f" a tL; L L then a ( f )"(a , a , a , 2 ).     Let c , c , 2 , c be m arbitrary elements of F and consider the new sequence   K O s"(c , c , 2 , c , a ,a , ).   K K> K> 2 Put K g"f! (a !c )tG, G G G then l (g)50 and deg ((g) )4d#2m. Hence, it follows from Proposition .  3.1 that s is (d#2m)-perfect since s"a (g).  If m(t) 4( f ) , then deg ((g) )4deg (( f ) )4d. This means that s is     d-perfect by Proposition 3.1. 䊏

LINEAR COMPLEXITY PROFILE

311

The third topic of this section is an example that shows an explicit and easy construction of d-perfect sequences over "nite "elds of even order from a polynomial of odd degree. PROPOSITION 4.4. ¸et q be a power of 2 and let g(x) be a polynomial of odd degree d in F [x] with g(0)"0. Suppose that O   g(x)G" a xH. H G H ¹hen the sequence (a , a , a , 2 ) is d-perfect.    Proof. Consider the curve X de"ned by y#y"g(x). Let P be the common zero of x and y. Then t "x : is a local parameter at P and deg ((t) )"2 and deg ((y) )"d. It is easy to verify that the local   expansion of y at P is   y" g(t)G" a tH. H G H The desired result follows from Proposition 3.1.

䊏

An example of Proposition 4.4 will be given in Section 5.

5.

EXAMPLES OF d-PERFECT SEQUENCES

In this section we explicitly calculate two examples to illustrate our constructions in Section 3 and Proposition 4.4, respectively. EXAMPLE 5.1. Some d-perfect sequences over example from our constructions in Section 3. We table. Our base curves are the projective line ¸ F (¸)"F (x) and the elliptic curve  

F are computed in this  list them in the following with the function "eld

E: y"x!x#1 with the function "eld F (E)"F (x, y). All sequences are obtained from   expansions at the point x"0 for the projective line and the point

312

XING ET AL.

(x, y)"(0, 1) for the elliptic curve E. We use several local parameters t and functions f to get our d-perfect sequences. Curve ¸ ¸ ¸ ¸ ¸ ¸ E E

t

f

Construction k

d-perfect

x(x!1) x(x!1) x(x!1) x(x!1) x/(x#1) x(x!1) x x

x 1/x x/(x#2) 1/(x#1) x/(x#1) x y !x/y

2 3 1 1 1 1 1 1

1 1 1 1 1 2 3 3

EXAMPLE 5.2. (i) Look at the polynomial g(x)"x, then   g(x)G" xH . G H Hence the sequence (1, 1, 0, 1, 0, 0, 0, 1, 2 ) is 1-perfect over F with q being O even by Proposition 4.4. This example was discussed by many authors (see [1, 4, 5, 8]). (ii) Let a be a root of x#x#1 in F . Consider the polynomial  g(x)"x#ax. Then    g(x)G" x;2H# aIxI . H I G Hence, the sequence (a, a, 1, a, 0, 1, 0, a, 0, 2) is 3-perfect over "elds F P for  all r51 by Proposition 4.4.

REFERENCES 1. H. Niederreiter, Continued fractions for formal power series, pseudorandom numbers, and linear complexity of sequences, in Contributions to General Algebra 5, Proc. Salzburg Conf., 1986, pp. 221}233, Teubner, Stuttgart, 1987. 2. H. Niederreiter, Sequences with almost perfect linear complexity pro"le, in Advances in Cryptology*EUROCRYPT '87 (D. Chaum and W. L. Price, Eds.), Lecture Notes in Computer Science, Vol. 304, pp. 37}51, Springer-Verlag, Berlin, 1988. 3. H. Niederreiter and M. Vielhaber, Linear complexity pro"les: Hausdor! dimensions for almost perfect pro"les and measures for general pro"les, J. Complexity 13 (1997), 353}383.

LINEAR COMPLEXITY PROFILE

313

4. R. A. Rueppel, &&Analysis and Design of Stream Ciphers,'' Springer-Verlag, Berlin, 1986. 5. R. A. Rueppel, Stream ciphers, in Contemporary Cryptology * The Science of Information Integrity (G. J. Simmons, Ed.), pp. 65}134, IEEE Press, New York, 1992. 6. H. Stichtenoth, &&Algebraic Function Fields and Codes,'' Springer-Verlag, Berlin, 1993. 7. M.-Z. Wang and J. L. Massey, The characterization of all binary sequences with a perfect linear complexity pro"le, paper presented at EUROCRYPT '86, LinkoK ping, 1986. 8. C. P. Xing and K. Y. Lam, Sequences with almost perfect linear complexity pro"les and curves over "nite "elds, IEEE ¹rans. Inform. ¹heory 45 (1999), 1267}1270.