Exponential functions, linear recurrence sequences

Exponential functions, linear recurrence sequences, and their applications Graham Everest, Alf van der Poorten, Igor Shparlinski, Thomas Ward

Draft dated May 20, 2002; please send any comments or corrections to [email protected] c

2002 the authors.

Contents Notation

5

Introduction

7

Part 1.

General Properties

13

Chapter 1. General Structure Of Recurrence Sequences 1.1. Main Definitions and Principal Properties 1.2. p-adic Analysis 1.3. Sums of S-units 1.4. The Skolem–Mahler–Lech Theorem, Multiplicity and Growth 1.5. Periodic Structure 1.6. Operations on Power Series and Linear Recurrence Sequences

15 15 23 27 30 47 64

Chapter 2. Character Sums and Solutions of Congruences 2.1. Bounds for Character Sums 2.2. Bounds for Other Character Sums 2.3. Character Sums in Characteristic Zero 2.4. Bounds for the Number of Solutions of Congruences

75 75 82 85 86

Chapter 3. Arithmetic Structure Of Recurrence Sequences 3.1. Prime Divisors of Recurrence Sequences 3.2. Primitive Divisors and the Index of Entry 3.3. Arithmetic Functions on Linear Recurrence Sequences 3.4. Powers in Recurrence Sequences

91 91 100 104 109

Chapter 4. Distribution in Finite Fields And Residue Rings 4.1. Distribution in Finite Fields 4.2. Distribution in Residue Rings

113 113 115

Chapter 5. Distribution Modulo 1 and Matrix Exponential Functions 5.1. Main Definitions and Metric Results 5.2. Explicit Constructions 5.3. Some Other Problems

123 123 126 130

Part 2.

135

Applications and Examples

Chapter 6. Applications to other Sequences 6.1. Algebraic and Exponential Polynomials 6.2. Linear Recurrence Sequences and Continued Fractions 6.3. Combinatorial Sequences 3

137 137 143 147

4

CONTENTS

6.4. Solutions of Diophantine Equations

155

Chapter 7. Elliptic divisibility sequences 7.1. Periodicity and Prime Apparition 7.2. Elliptic Curves 7.3. Growth Rates 7.4. Primes in Elliptic Divisibility Sequences 7.5. Heuristics on Prime Appearance 7.6. Open Problems

161 162 163 165 166 168 169

Chapter 8. Sequences arising in dynamics 8.1. Realization of Linear Recurrence Sequences 8.2. Local Realisability 8.3. Group Automorphisms and Subshifts 8.4. Realization in Rate

171 175 179 180 181

Chapter 9. Finite Fields and Algebraic Number Fields 9.1. Bases and Other Special Elements of Fields 9.2. Euclidean Algebraic Number Fields 9.3. Cyclotomic Fields and Gaussian Periods 9.4. Questions of Kodama and Robinson

183 183 188 194 198

Chapter 10. Pseudo-Random Number Generators 10.1. Uniformly Distributed Pseudo-Random Numbers 10.2. Pseudo-Random Number Generators in Cryptography

203 203 212

Chapter 11.1. 11.2. 11.3.

223 223 233 239

11. Computer Science And Coding Theory Finite Automata and Power Series Algorithms and Cryptography Coding Theory

Bibliography

247

Index

291

Notation Particular notation used is collected at the start of the index; some general notation is described here. ◦ N, Z, Z+ , Q, R, C are the sets of natural numbers, the integers, the non-negative integers, the rational numbers, the reals, and the complex numbers, respectively; ◦ Qp , Zp , Cp are the sets of the p-adic rationals, the p-adic integers, and the completion of the algebraic closure of Qp , respectively; ◦ ordp z is the p-adic order of z ∈ Cp ; ◦ P is the set of prime numbers; ◦ R is a commutative ring with 1; ◦ Fq is a finite field of q = pr elements, p ∈ P, r ∈ N; ◦ F∗q is the multiplicative group of Fq ; ◦ Fp , p ∈ P is identified with the set {0, 1, . . . , p − 1}; ◦ given a field F, F denotes the algebraic closure of F; thus Q is the field of all algebraic numbers; ◦ given a field F, the notations F[X], F(X), F[[X]], F((X)) denote the ring of polynomials over F, the field of rational functions over F, the ring of formal power series over F, and the field of formal Laurent series over F, respectively; ◦ if K is an algebraic number field, ZK denotes its ring of integers; ◦ H(f ) denotes the na¨ıve height of f ∈ Z[x1 , . . . , xm ], that is, the greatest absolute value of its coefficients; ◦ gcd(a1 , . . . , ak ) and lcm(a1 , . . . , ak ) respectively denote the greatest common divisor and the least common multiple of a1 , . . . , ak (which may be integers, ideals, polynomials, and so forth); ◦ ε denotes any fixed positive number (for example, the implied constants in the symbol ‘O’ may depend on ε); ◦ δij denotes Kronecker’s δ-function: δij = 1 if i = j, and δij = 0 otherwise; ◦ µ(k), ϕ(k), τ (k), σ(k) respectively denote the Möbius function, the Euler function, the number of integer positive divisors of k, and the sum of the integer positive divisors of k, where k is some non-zero integer; ◦ ν(k), P (k), Q(k) respectively are the number of distinct prime divisors of k, the greatest prime divisor of k, and the product of the prime divisors of k; thus, for example: ν(12) = 2, P (12) = 3, and Q(12) = 6); ◦ for a rational r = k/` with gcd(k, `) = 1, set P (r) = max{P (k), P (`)} and Q(r) = max{Q(k), Q(`)}; ◦ π(x) is the number of prime numbers not exceeding x; ◦ |X| denotes the cardinality of the set X; ◦ log x = log2 x, ln x = loge x; 5

6

NOTATION

◦ Log x = log x if x > 2, and Log x = 1 otherwise; ◦ a constant is effective if it can be computed in a finite number of steps; ◦ C(λ1 , λ2 , . . . ) or c(λ1 , λ2 , . . . ) denotes a constant depending on the parameters λ1 , λ2 , . . .. Such constants may be supposed to be effective, unless it is pointed out explicitly that they are not; ◦ a statement S(x) is true for almost all x ∈ N if the statement holds for N +o(N ) values of x ≤ N , N → ∞. Similarly, a statement S(p) is true for almost all p ∈ P if it holds for π(N ) + o(π(N )) values of p ≤ N , N → ∞; ◦ the symbol u t denotes the end of a proof.

Introduction We survey a selection of number-theoretic properties of linear recurrence sequences, and their direct generalizations. These include non-linear recurrence sequences and exponential polynomials. Applications of those results are described to motivate the material, and to show where some of the problems come from. In many sections we concentrate just on a particular example of linear recurrence sequences — the case of a single exponential. This case is of importance for a large variety of applications, and one can often say a little more in this case, so these examples are particularly instructive in suggesting directions for future study of linear recurrence sequences. The importance of recurrence sequences hardly needs to be explained. Their study is plainly of intrinsic interest, and has historically been a central part of number theory. Moreover, these sequences appear almost everywhere in mathematics and computer science. For example, the theory of power series representing rational functions [920], pseudo-random number generators [836], [837], [839], [1146]), kregular [63] and automatic sequences [653], and cellular automata [692]. Sequences of solutions of classes of interesting Diophantine equations form linear recurrence sequences — see [1059], [1053], [1154]. A huge variety of power series, for example zeta-functions of algebraic varieties over finite fields [644], zeta-functions of iterations of polynomial mappings [473], dynamical zeta functions of many dynamical systems [119], [688], [473], generating functions coming from group theory [991], [992], Hilbert series in commutative algebra [699], Poincaré series [117], [246], [991] and the like — are all known to be rational in many interesting cases. The coefficients of the series representing such functions are linear recurrence sequences, so many powerful results from the present study may be applied. Finally, we recall that linear recurrence sequences participated in the proof of Hilbert’s Tenth Problem ([697], [1186], [1185]). Linear recurrence sequences appear in many parts of the mathematical sciences in the wide sense (which include applied mathematics and theoretical computer science). For example, many systems of orthogonal polynomials, including the Tchebychev polynomials and their finite field analogues, the Dickson polynomials, satisfy recurrence relations. Linear recurrence sequences are also of importance in approximation theory and cryptography, and have arisen in computer graphics [710]. Once one allows even the slightest generalization of linear recurrence sequences, the list of applications extends even further. Several surveys of properties of linear recurrence sequences have recently been given; see, for example, [187], [644, Chap. 8], [728], [733], [801], [815], [920],[1059], [1080], [1121], [1154]. However, they do not cover as wide a range of important features and applications of linear recurrence sequences as we attempt to deal with 7

8

INTRODUCTION

here. We have relied on these surveys a great deal, and with them in mind try to use the ‘covering radius 1’ principle: For every result not proved here, either a direct reference or a pointer to an easily available survey in which it can be found is given. For all results, we try to recall the original version, some essential intermediate improvements, and — up to the authors’ limited knowledge — the best current form of the result. Details of the scope of this book should be clear from its table of contents; we do not repeat that here. Instead, we add several words about what we do not deal with. Firstly, it is striking to note that the binary recurrence un+2 = un+1 + un , one of the simplest linear recurrences whose solutions are not geometric progressions, has been a subject of mathematical scrutiny certainly since the publication of Fibonacci’s Liber abaci in 1202 [1089], and has an entire journal devoted to it [100]. With the exception of a few examples, no special properties of individual recurrences will be discussed. Secondly, one could write an enormous book devoted to only one particular case of linear recurrence sequences — polynomials. We do not deal with polynomials here. Nonetheless, this case alone justifies the great interest in general linear recurrence sequences. Indeed, we do give several applications to polynomials, but such applications are obtained using partially hidden — although not too deep — links between polynomials and linear recurrence sequences. Thirdly, a huge book could be written dealing with exponential polynomials as an example of entire functions; and therefore ultimately talking about properties of those functions. We barely consider any analytical features of exponential polynomials, though we mention some relevant results about the distribution of their zeros. We certainly do not deal with analytical properties of iteration of polynomial mappings. Thus the field of complex dynamics, and the celebrated Mandelbrot set is, a little to our regret, outside our scope. Recall that the Mandelbrot set is the 2 set of points c ∈ C for which the sequence of polynomial iterations zk = zk−1 + c, z0 = 0, is bounded; for details we refer to [132] and. In Section 1.5 we do consider some periodic properties of this and more general mappings. Fourthly, general statements about the behaviour — both Archimedean and p-adic — of sums of S-unit lie in the background of important results on linear recurrence sequences. Specifically, linear recurrence sequences provide a special case of S-unit sums. Nonetheless, we do not deal with sums of S-units or their applications systematically, instead presenting just the bounds we need. On the topic generally, we first recommend the pioneering papers [324] and [931] which appeared independently and contemporaneously (the latter as a preprint of Macquarie University in 1984). We point particularly to the book [1059] and the excellent survey papers [326], [328], [329], [440], [1008], [1053], [1154]. New applications of these results to sparse polynomials, see [442], [1017], [1018], to generalized Vandermonde determinants [1019] and to the study of Zd -actions by compact group automorphisms, see [1024], [1200], have been discovered. On the other hand, we do present some less well-known results about finitely generated groups, such as estimates of the size of their reduction modulo an integer ideal in an algebraic number field, and the testing of multiplicative independence of their generators. When results on S-unit sums are applied to linear recurrence sequences, an induction argument usually allows the conditions on non-vanishing

INTRODUCTION

9

proper sub-sums to be eliminated (such conditions are unavoidable in the general study of S-unit sums). Although objects are considered over different rings, the emphasis is on the conventional case of the integers. A linear recurrence sequence over the integers can often be considered as the trace of an exponential function over an algebraic number field. The coordinates of matrix exponential functions satisfy a linear recurrent equation. Such examples suggest that a single exponential only seems to be less general than a linear recurrence sequence. Of course that is not quite true, but in many important cases links between linear recurrence sequences and exponential functions in algebraic extensions really do play a crucial role. Michalev and Nechaev [733] give a survey of possible extensions of the theory of linear recurrence sequences to a wide class of rings and modules. The book comprises two parts. In the first part general results concerning linear recurrence sequences themselves are presented. The topics include various estimates for the number of solutions of equations, inequalities, congruences and estimates for exponential sums with linear recurrence sequences, as well as results on the behaviour of arithmetic functions on values of linear recurrence sequences. In the second part a selection of applications and special sequences are given. In many cases these applications require only straightforward use of results of the first part. In other cases the technique, or even just the spirit, of the results of the first part are used. It seems almost magical that, in many applications, linear recurrence sequences show up from several quite unrelated directions. A chapter on elliptic divisibility sequences is included to point out the beginning of an area of development analogous to linear recurrence sequences, but with interesting geometric and Diophantine methods coming to the fore. For previously known results complete proofs are generally not given unless they are very short or illuminating. The underlying ideas and connections with other results are discussed briefly. Filling the gaps in these arguments may be considered a useful (substantial) exercise. Several of the results are new; for these complete proofs are given. Some number-theoretic and algebraic background is needed, which is brought together here for convenience. First, standard results on the distribution of prime numbers, in particular the Prime Number Theorem π(x) ∼ x/ ln x, will be used. All such results can easily be found in [942], and in many other textbooks. Much stronger results are known, though these subtleties will not matter here. The following well-known consequences of the Prime Number Theorem, k ≥ ϕ(k) k/ Log log k,

ν(k) Log k/ Log log k

and P (k) ν(k) Log ν(k),

Q(k) ≥ exp ((1 + o(1))ν(k))

will also be needed. Second, many results here depend on bounds for linear forms in the logarithms of algebraic numbers. After the first results of Baker [49], and their p-adic generalizations, for example those of van der Poorten [912], a vast number of further results, generalizations and improvements have been obtained; appropriate references can be found in [1191]. For our purposes, the modern sharper bounds do

10

INTRODUCTION

not imply any essentially stronger results than those relying on [49] and [912]. In certain cases more recent results do allow the removal of some logarithmic terms; [1222] is an example. We mostly content ourselves with consequences of the relatively old results. The bounds used can be formulated in the following ‘multiplicative’ forms. Let γ1 , . . . , γm be non-zero elements of an algebraic number field K of degree d over Q with heights G1 , . . . , Gm . Set ω=

m−1 Y

Log Gi ,

Ω = ω log Gm ,

i=1

and let p be a prime ideal of ZK lying above the prime p. Then there are effective absolute constants c1 , c2 > 0 such that neither of the inequalities bm 0 < |γ1b1 . . . γm − 1| ≤ exp (−(c1 d)c2 m Ω Log ω Log B)

nor

bm ∞ > ordp γ1b1 . . . γm − 1 > pd (c1 d)c2 m Ω Log2 B/ log p

has a solution in integers b1 , . . . , bm with absolute value at most B. Moreover, it is known by [661], that if γ1 , . . . , γm are multiplicatively dependent, then there are integers |bi | = O(logm−1 G), where G = max{G1 , . . . , Gm } not all zero, such that bm γ1b1 . . . γm = 1. A more explicit bound is given which can be simplified as above if γ1 , . . . , γm are from a fixed algebraic number field. Such a result is an important ingredient in the specialization arguments below. It is also useful for studying ‘small’ bases of Sunit groups and for finding ‘small’ representations of elements of such groups [139], [153], [443]; see also [1006]. Ge [369] has described an algorithm, which for given γ1 , . . . , γm ∈ ZK and bm b1 , . . . , bm ∈ Z, verifies if the product γ1b1 · · · γm represents a unit of ZK . It runs in time polynomial in m, the heights, the degrees of γ1 , . . . , γm and in log |b1 |, . . ., log |bm | (the most essential condition). This is much faster than computing the products and then testing them. A third tool is p-adic analysis [28], [117], [548], and in particular the celebrated Strassmann Theorem [1133]. When it is applicable it produces very good estimates for the number of solution of equations; compare the estimate of [1003] based on new results on S-unit equations and that of [932] obtained by the p-adic method. On the other hand, a disadvantage of this approach is its apparent non-effectiveness in estimating the size of solutions. The simple observation that any field of zero characteristic over which a linear recurrence sequence is defined may be assumed to be finitely generated over Q will be used repeatedly. Indeed, it is enough to consider the field obtained from Q by adjoining the initial values and the coefficients of the characteristic polynomial. Then, using specialization arguments [920] and [931], we may restrict ourselves to studying sequences over an algebraic extension of Qp or even just over Qp , using a nice idea of Cassels [186]. Cassels shows that given any field F, finitely generated over Q, and any finite subset M ∈ F, there exist infinitely many rational primes p such that there is an embedding ϕ : F −→ Qp with ordp ϕ(µ) = 0 for all µ ∈ M. A critical feature is that the embedding is into Qp , rather than a ‘brute force’ embedding into an algebraic extension of Qp . The upshot is that for many natural

INTRODUCTION

11

problems over general fields of zero characteristic, one can expect to get results that are not worse than the corresponding one in the algebraic number field case, or even for the case of rational numbers. Moreover, there are a number of examples in the case of function fields where even stronger results can be obtained, see [114], [138], [145], [149], [693], [775] [821], [898], [935], [1040], [1175], [1176], [1191], [1224]. Finally, several results are based on estimates for the number of solution of Sunit equations. To describe these, let S be a finite set of valuation of an algebraic number field K, containing all the Archimedean valuations. An element u ∈ K is called an S-unit if kukv = 1 for all valuations v 6∈ S. Let a1 , . . . , an be non-zero elements of K and let d = [K : Q]. Consider the linear equation a1 u1 + . . . + an un = 1, in S-units u1 , . . . , un such that no proper sub-sums ai1 ui1 + · · · + aim uim , m < n, vanish. In order to make the text more accessible, a short section explaining the connection between S-unit equations and linear recurrences is included. Evertse [323] proves that, for n = 2, the number of solutions does not exceed 3 × 7d+2|S| . Notice that d ≤ 2|S| because S includes all Archimedean valuations, so the bound can be simplified to 3 × 74|S| . This result has been improved by Beukers and Schlickewei [83] (some analogues of these results have recently been obtained in [1176]). They provide a similar bound for equations in elements of finitely generated multiplicative groups of C∗ . More precisely, they show that for groups G with r generators the equation u1 +u2 = 1, u1 , u2 ∈ G has at most 28r+8 solutions. Although elements of G are S-units for an appropriate set S, the size of S cannot be estimated in terms of r. The result is very precise because Erdös, Stewart and Tijdeman [307] show that for K = Q the number of solutions can be more than h i −1/2 exp (4 + o(1)) (s/ log s) , s → ∞, for some S with |S| = s. Evertse, Moree, Stewart, and Tijdeman [327] extended this result, showing that for an arbitrary n ≥ 2 and sufficiently large s there are S-unit equations with |S| = s and n2 1−1/n −1/n exp (1 + o(1)) s log s solutions, s → ∞. n−1 Bombieri, Mueller and Poe [114] propose an alternative method which leads to a weaker estimate, which can nonetheless be useful for other similar questions. For equations over an algebraic number field K, the dependence of the number of solutions on the degree d = [K : Q] has been studied by Grant [411]. The special case when G is the group of roots of unity is studied in a number of papers; see [273], [325], [1004], [1225]. More recently, these results were transferred to the equation a1 u1 +. . .+an un = 1, in elements u1 , . . . , un ∈ G, where G is a finitely generated multiplicative group of C∗ with r generators. Evertse, Schlickewei and Schmidt [329] prove that the number of solution of such an equation does not exceed exp (r + 2)(6n)4n .

12

INTRODUCTION

These and many other relevant results can be found in the exhaustive survey [328]. For n = 2 explicit upper bounds for the size of solutions [326] are known, but this is still an open problem for S-unit equations in n ≥ 3 variables, [324] and [931]. The question is related to the famous abc-conjecture. In the special case K = Q, that conjecture can be formulated as follows. Let a, b, c be relatively prime positive integers satisfying a + b = c, and let Y G= p. p∈P;p | abc

The abc-conjecture of Oesterlé and Masser claims that the bound c = O(G1+ε ) must then hold. The conjecture is motivated by function field results — in particular the Mason-Stothers theorem from polynomial algebra — which are invariably more straightforward than their number field analogues (for n = 2 as well as for n ≥ 3), see [50], [138], [149], [693], [821], [898], [902], [935], [1040], [1154], [1175], [1176], [1191], [1192], [1224] and their references. The strongest current unconditional estimate log c < G1/3+O(1/ Log log G) is obtained by Stewart and Yu [1122] using Yu’s strengthening [1221] of van der Poorten’s p-adic estimates for linear forms in logarithms of algebraic numbers [912]. Surprising results are obtained in [146] using a new ingenious method; see also [333]. It is also known, see [326], [440], that there are at most exp n236nd ! s6 log(4sd !) non-equivalent S-unit equations with more than 2(n+1)! −1 solutions, and, for n = 2, at most exp 2180d ! s6 log(8sd !) non-equivalent S-unit equations with more then 2 solutions, where s = |S|. Some basic results from the theory of finite fields and from algebraic number theory will be used. These can be found in [644] and [810], respectively. In surveys such as this, it is conventional to attach a list of open questions. Rather than doing this, the best current results known to the authors are presented; if a generalization is straightforward and can be done in the framework of the same arguments that is noted. Other generalizations or improvements should be considered implicit research problems. We do however mention attempts at improvements which seem hopeless in the light of today’s knowledge.

Part 1

General Properties

CHAPTER 1

General Structure Of Recurrence Sequences 1.1. Main Definitions and Principal Properties 1.1.1. Recurrence sequences. We restrict ourselves initially to linear recurrence sequences, defined over a commutative ring R with a unit 1. Nonetheless, many of the results and all the terminology below hold for much more general algebraic domains. Linearity of the defining recurrence relation is essential, as is the fact that the coefficients of that relation are constant elements of the ring of definition. The qualifier ‘linear’ will therefore be omitted unless it is needed for emphasis. A linear recurrence sequence is a sequence a = (a(x)) of elements of R satisfying a homogeneous linear recurrence relation (1.1)

a(x + n) = s1 a(x + n − 1) + . . . + sn−1 a(x + 1) + sn a(x) ,

x∈N

with constant coefficients sj ∈ R. We will suppose throughout that sn is not a zero divisor in R. 1.1.2. Characteristic polynomial. The polynomial f (X) = X n − s1 X n−1 − . . . − sn−1 X − sn associated to the relation (1.1) is called its characteristic polynomial, and the relation is said to be of order n. If R is a ring without zero divisors then there is a recurrence equation of minimal length satisfied by any linear recurrence sequence a; its characteristic polynomial is the minimal polynomial of the sequence a. The degree of that minimal polynomial is said to be the order of the linear recurrence sequence a. The minimal polynomial of the sequence a divides the characteristic polynomial of every recurrence relation satisfied by the sequence. Linear recurrence sequences of order 2 and 3 are called binary and ternary linear recurrence sequences respectively, and sequences over Z, Q, Q, R, C and Qp respectively are known as integer, rational, algebraic, real, complex and p-adic linear recurrence sequences. 1.1.3. Initial values. For a linear recurrence sequence defined by a recurrence relation (1.1) of order n the elements a(1), . . . , a(n) are called the initial values; they determine all other elements of the sequence. Further, if sn is an invertible element of R then the sequence may be continued in the opposite direction, yielding a(0), a(−1), a(−2), . . . . 1.1.4. Set of solutions of a recurrence relation over a field. Given a polynomial f defined over a field, consider the set L(f ) of all possible linear recurrence sequences satisfying the equation (1.1), and the set L∗ (f ) of all sequences 15

16

1. GENERAL STRUCTURE OF RECURRENCE SEQUENCES

for which f is their characteristic polynomial. If g is a divisor of f then L(g) ⊂ L(f ). If f is irreducible, than L∗ (f ) contains all sequences from L(f ) except the identically zero sequence. Theorem 1.1. Let f and g be two polynomial defined over a field. Then • {(c(x)) : c(x) = a(x) + b(x) a ∈ L(f ), b ∈ L(g)} = L(lcm(f, g)); • L(f ) ∩ L(g) = L(gcd(f, g)); • L(f ) ⊂ L(g) if and only if f g. For finite fields these results can be found in [591] or in [1228]; it is readily checked that the proofs do not depend on the characteristic. If c(x) = a(x)b(x), a ∈ L(f ), b ∈ L(g), then c is again a linear recurrence sequence, but describing its characteristic polynomial is not immediate. This will be dealt with in Section 1.4.10 below. The set L(f ) is a linear space of dimension n in the following sense. Consider the n basic sequences ai — the impulse sequences — with initial values ai (j) = δij ,

i, j = 1, . . . , n .

Any sequence satisfying the given recurrence relation can be uniquely represented as a linear combination n X a(x) = a(i)ai (x), x∈N i=1

of the relevant set of impulse sequences. To see this, notice that the right-hand side satisfies the relation (1.1), as does any linear combination of solutions of the relation, and it has the same initial values as does a. A minor modification of this remark yields the identity n X a(x + h) = a(h + i)ai (x), h, x ∈ Z+ . i=1

1.1.5. Finite linear recurrence sequences. For a field F and constants m, n, 0 ≤ 2m ≤ n + 1 Elkies [293] studies the subset Hm of Fn+1 of sequences (x(0), . . . , x(n)) satisfying some linear recurrence of degree m. Results on the geometry of the set Hm are found, particularly for F of finite characteristic. 1.1.6. Generalized power sums. A generalized power sum is a finite exponential sum m X a(x) = Ai (x)αix , x ∈ Z+ i=1 Pm with polynomial coefficients Ai (X). Write deg Ai = ni − 1 and set i=1 ni = n. The αi are the characteristic roots of the sum a(x), the positive integers ni are their multiplicities, and the Ai (X) are the coefficients. To understand the connection between generalized power sums and linear recurrence sequences, define an operator E on sequences by (E(a)) (x) = a(x + 1), so that (writing informally) (E − α)(xn−1 αx ) = ∆(xn−1 )αx , where the difference operator ∆ is defined by (∆(a)) (x) = a(x + 1) − a(x). Since ∆n (xn−1 ) = 0 and E is linear, the sum (1.2) is annihilated by the operator m Y (E − αi )ni = E n − s1 E n−1 − · · · − sn−1 E − sn . i=1

1.1. MAIN DEFINITIONS AND PRINCIPAL PROPERTIES

17

That is, the sequence a satisfies the recurrence relation (1.1). Notice that the characteristic roots αi are elements of some extension ring of the base ring R and that the coefficients Ai are defined over that extension. In particular, the sequence of traces of powers of algebraic numbers α, with ϑ ∈ K, where [K : Q] = d, a(h) = TK/Q (ϑαh ),

h ∈ Z+ ,

is a linear recurrence sequence satisfying a recurrence relation over Q of order at most d, and with characteristic polynomial the minimal polynomial of α over Q. This simple observation is used below in a variety of contexts. Conversely, assume first that the characteristic polynomial of the recurrence relation (1.1) has no repeated roots. Then every linear recurrence sequence satisfying (1.1) is a generalized power sum with constant coefficients. If f has repeated roots the matter is a bit more complicated in characteristic p 6= 0: A recurrence relation with characteristic roots of multiplicity exceeding p cannot have its general solution given by a generalized power sum. However, apart from this subtlety — and in any case for linear recurrence sequences defined over fields of characteristic zero — we shall see below that generally linear recurrence sequences are given by generalized power sums. Assume that the coefficient ring R is a field F, and let L denote the splitting field of the minimal polynomial f over F. Over L the polynomial factorizes as f (X) =

m Y

(X − αi )ni ;

i=1

and a has characteristic roots α1 , . . ., αm with multiplicities n1 , . . ., nm respectively. There are constants Aij ∈ L, j = 0, . . . , ni − 1 ; i = 1, . . . , m , such that m nX i −1 X x+j−i x (1.2) a(x) = Aij αi , x ∈ N. j i=1 j=0 If F has characteristic zero then (1.2) can be rewritten in the form (1.3)

a(x) =

m X

Ai (x)αix ,

x ∈ N,

i=1

with polynomials Ai (X) ∈ L[X] of degrees deg Ai ≤ ni −1, i = 1, . . . , m. Moreover, if the characteristic p of the field is at least max{n1 , . . . , nm } then (1.3) holds in any event; in particular we obtain an exponential polynomial if f (X) is square-free, so that the Ai (X) all are constant, or if the characteristic p is at least as great as the order n. It is easy to see that if f is the characteristic polynomial of a, then each polynomial Ai has degree precisely ni − 1, i = 1, . . . , m. 1.1.7. Groups of recurrence sequences. Again we restrict attention to the case of no repeated roots; thus f is a monic square-free polynomial over a field F of characteristic zero. Here it is convenient to consider two-sided sequences. Several authors have considered the following group structure defined on L(f ), more precisely on equivalence classes of sequences. Two sequences a and b from L(f ) are equivalent if for some λ ∈ F∗ and ` ∈ Z, λa(x + `) = b(x) for all x ∈ Z. That is, two sequences are equivalent if they differ by a shift and multiplication by a non-zero constant. Let G(f ) denote the set of equivalence classes.

18


A group structure on G(f ) may be defined as follows. In place of the representation (1.2)as a generalized power sum, consider the (n × n) Vandermonde matrix n W = αji−1 i,j=1 . Write ∆ for its determinant, and ∆j for the determinant of the matrix obtained from W by replacing its j-th column with (0, . . . , 0, 1)t . Then for every sequence a ∈ L(f ) there is a unique representation n 1 X a(x) = ∆i ai αix . ∆ i=1 Write a ↔ [a1 , . . . , an ] in this case, and define the product of two sequences a ↔ [a1 , . . . , an ] and b ↔ [b1 , . . . , bn ] to be the sequence c ↔ [a1 b1 , . . . , an bn ]. Define the product of two classes to be the product of their representatives; this product is well-defined by [54, Lemma 5.3.2]. By Theorem 5.13 below this operation makes G(f ) an abelian group. Ballot [54] provides a detailed analysis and gives applications of the group structure to the study of divisors of linear recurrence sequences. For more background on these groups in the binary case, see [608], [609]. 1.1.8. Dominating roots. For sequences over normed fields — and in particular over C — it is convenient to order the characteristic roots as |α1 | ≥ . . . ≥ |αm |. The r roots of maximum norm |α1 | = . . . = |αr | > |αr+1 | ≥ . . . ≥ |αm |, are called dominating roots. A sequence with a unique dominating root is often relatively easy to deal with. Thus, many results below are stated for such sequences only. Boyd [123] demonstrates that a unique dominating root is present for a wide class of irreducible characteristic polynomials. 1.1.9. Nondegeneracy. The linear recurrence sequence (1.1) is degenerate if it has a pair of distinct roots whose ratio is a root of unity. Conversely, if αix 6= αjx , 1 ≤ i < j ≤ m, x = 1, 2 . . . , it is non-degenerate. Over infinite fields this definition determines an important class of sequences. Furthermore, the study of arbitrary linear recurrence sequences can effectively be reduced to that of non-degenerate linear recurrence sequences in the following sense. Theorem 1.2. Let a be a linear recurrence sequence of order n over an algebraic number field K of degree d over Q. Then there is a constant ( exp 2n(3 log n)1/2 if d = 1, and M (d, n) ≤ 2nd+1 if d ≥ 2, such that for some M ≤ M (d, n) each subsequence (a(M x + `)) is either identically zero, or is non-degenerate. This theorem is essentially a combination of results of [74] (for d = 1) and of [972] (for d ≥ 2). The proof is based on a bound for the least common multiple of periods of roots of unity in K (the period of a root of unity ρ is the least t ∈ N with ρt = 1). See [1220] for some improvements and algorithmic applications of


19

those results. Schmidt [1028] provides an upper bound on the number of such arithmetic progressions which depends only on n. 1.1.10. Arithmetic sub-progressions. The following useful observation is related to the previous result. The Skolem–Mahler–Lech theorem, of which more below, is a particularly important application. Theorem 1.3. Any subsequence (a(kx + `)), k ∈ N , ` ∈ Z+ of a linear recurrence sequence a of order n is a linear recurrence sequence of order at most n. The converse does not hold in such generality, but is true in characteristic zero. In that case it is a non-trivial result that an arithmetic progression (more precisely, a finite number of interwoven arithmetic progressions) is essentially the only subsequence of a non-degenerate linear recurrence sequence which is again a linear recurrence sequence. Theorem 1.4. Let a be a non-degenerate linear recurrence sequence over a field of characteristic zero, and let (xh ) be an arbitrary sequence of distinct natural numbers. If (a(xh )) is a linear recurrence sequence then there is an integer d ≥ 1 and certain remainders ri ∈ {0, 1, . . . , d − 1} so that with at most finitely many exceptions the sequence (xh ) is the monotonically increasing sequence of integers of the shape dx + ri . This deep theorem follows from the work on sums of S-units, and thence the finiteness of total multiplicity, as proved in [324] and independently in [931]; see Section 1.4. 1.1.11. Rational functions. Linear recurrence sequences arise naturally as sequences of Taylor coefficients of rational functions; see [919]. Given a polynomial f of degree n define the reciprocal polynomial f − by f − (X) = X n f (X −1 ). Theorem 1.5. A sequence a satisfies the recurrence relation (1.1) with characteristic polynomial f ∈ R[X] if and only if it is the sequence of Taylor coefficients of a (formal) power series representing a rational function r(X)/f − (X), where r is a polynomial of degree less than n determined by the initial values of a. To see this, note that on comparing coefficients of X n+x , for x = 0, 1, . . . , f − (X)

∞ X

a(x)X x = r(X)

x=1

holds if and only if (1.1) holds. To test an arbitrary sequence a of elements of a field F for the property of being a linear recurrence sequence, consider the Kronecker–Hankel determinants ∆N,n (a) = det (a(n + i + j))0≤i,j≤N . P∞

Then f (z) = n=0 an z n represents a rational function if and only if for some n, ∆N,n (a) = 0 for all sufficiently large N . To see why this is so, consider the case where n = 0. If f is rational, then f (z) =

k X 0

ri z i /

` X 0

sj z j ,

20


P` j with s0 6= 0. Multiplying through by s(z) = 0 sj z shows that all the linear combinations s0 aL + s1 aK−1 + . . . sl aK−` vanish if L exceeds k and `. This shows that ∆N,n (a) = 0 because, from some point on, all the columns can be expressed as linear combinations of the early columns. The converse is similar. 1.1.12. Powers of matrices. Consider an arbitrary square matrix M defined over R, with the i, j-th entry of M x written mi,j (x). The Cayley-Hamilton theorem asserts that for each i, j the sequence mi,j is a linear recurrence sequence with characteristic polynomial the characteristic polynomial of M . Accordingly, let a denote the linear recurrence sequence of (1.1) and write A(x) for the row-vector (a(x), . . . , a(x + n − 1)). Let   0 0 0 ... 0 fn  1 0 0 . . . 0 fn−1     F =  0 1 0 . . . 0 fn−2   · · · ··· · ·  0 0 0 ... 1 f1 be the companion matrix of (1.1). Then A(x) = A(x − 1)F = A(0)F x ,

x ∈ Z+ .

1.1.13. Inhomogeneous relations. Now consider an inhomogeneous recurrence relation a(x + n) = s1 a(x + n − 1) + . . . + sn−1 a(x + 1) + sn a(x) + sn+1 ,

x ∈ Z+ .

The sequence a then satisfies the homogeneous recurrence relation a(x + n + 1) = (s1 + 1)a(x + n) +

n−1 X

(si+1 − fi )a(x + n − i) − sn a(x)

i=1

of order n + 1, with characteristic polynomial F (X) = (X n − s1 X n−1 − . . . − sn−1 X − sn )(X − 1). 1.1.14. Generalized exponential polynomials. Given the representation of recurrence sequences as generalized power sums from Section 1.1.6, it is natural to study sequences given by more general functions (1.4)

E(z) =

m X

Ai (z) exp (ψi (z)) ,

i=1

where, say, polynomials ψi appear in the exponents. Such functions are known as generalized exponential polynomials or just exponential polynomials. There is intrinsic interest in the study of the distribution of zeros (and other values) of such functions, and one might hope that these results would provide some insight into questions more closely related to the central topic of this book. It is also natural to consider analogous functions in several variables.


21

1.1.15. Taylor coefficients of solutions of linear differential equations. The sequence of coefficients of a power series representing a solution of a linear differential equations with polynomial coefficients satisfies a linear recurrence relation (1.5)

a(x + n) = s1 (x)a(x + n − 1) + . . . + sn−1 (x)a(x + 1) + sn (x)a(x)

with rational function coefficients. For further work on the combinatorial and arithmetic properties of the sequence of coefficients of such functions and their generalizations, see [65], [71], [173], [651], [652], [1110]. 1.1.16. q-Generalizations. The q-version of sequences satisfying (1.1) has been studied. Consider sequences satisfying relations (1.6)

a(x + n) = s1 (q x )a(x + n − 1) + . . . + sn−1 (q x )a(x + 1) + sn (q x )a(x)

with rational functions sj . Elements of such sequences are the coefficients of power series expansions of solutions r of functional equations of the form s X

Pj (X)r(q j X) = 0.

j=1

These and similar functions satisfying s X

j

Pj (X)R(X q ) = 0

j=1

are also studied in [63], [92], [657], [658], [660], [662]. If log x = t then r(t) = R(X), but this should not be taken to mean that the properties of power series coefficients for these two types of functions are the same. One can go further and consider coefficients of power series expansions of other interesting functions, such as those satisfying algebraic differential or functional equations, and multivariate functions. There are many exciting open problems and ingenious results in this direction. This topic will not be pursued here; there are expository papers [653], [924] and several recent research papers studying zeros of such functions [654], their arithmetic properties [275], [1026] and their general structure [63], [651], [652], [655], [657], [658], [660], [662], [719], [918]. 1.1.17. Non-linear recurrence relations; in particular continued fractions. A non-linear recurrence sequence satisfies a relation of the form (1.7)

a(x + n) = F (x, a(x + n − 1), . . . , a(x)) ,

x ∈ Z+ .

Here F is often a polynomial or a rational function, or some arithmetic function. Even choosing the simplest functions F yields a great variety of interesting sequences: From coefficients of algebraic functions and of solutions of differential equations, to the sequences appearing in the still unsolved ‘3x + 1’ or ‘Collatz’ problem; see Section 1.5. Even when n = 1 and F is independent of x, this encompasses iterations of functions as dynamical systems – see [511] for an attractive overview. A particularly important example of a non-linear recurrence sequence for number theory is given by the Gauss map 1 , X 6= 0, F (X) = X

22


where {z} denotes the fractional part of z ∈ R. Define the notation [c0 , c1 , c2 , . . .], by [c0 , c1 , c2 , . . . , cn ] = c0 + 1/[c1 , c2 , . . . , cn ]. If α = [c0 , c1 , c2 , . . .] is the continued fraction expansion of an irrational real number, then the sequence a0 = α, ax+1 = F (ax ), x = 0, 1, 2, . . . , is the sequence of complete quotients ax = [cx , cx+1 , . . .]. The continued fraction expansion of a quadratic irrational is eventually periodic, which implies that the numerators px and denominators qx of its convergents satisfy linear recurrence relations. In Section 6.2 we shall see that the converse holds as well. It is pointed out in [115] that for any algebraic number α the convergents px /qx satisfy a non-linear recurrence relation. Specifically, the partial quotients cx are given in terms of the previous convergents and √ the defining polynomial of the algebraic number. For example, in the case α = 3 2 one has 3(−1)x p2x−1 qx−2 cx = − . 3 qx−1 (p3x−1 − 2qx−1 ) qx−1 The continued fraction map is ergodic with respect to an absolutely continuous measure on (0, 1), which gives many results on the behaviour of typical orbits under F , and hence of the continued fraction expansion for almost every real number (see [228] for these results, and [1030] for an extensive discussion of generalizations of the continued fraction map; a ‘normal number’ for the continued fraction map is exhibited in [2]). More straightforward iterations of the floor function F (X) = bαXc, a(x + 1) = bαa(x)c ,

x ∈ N,

are also of interest [345]. The literature contains many further examples: For instance, recurrence sequences on algebraic varieties [248], [866] and on elliptic curves [890]. 1.1.18. Elliptic recurrence sequences. In the papers [1195] and [1196], Morgan Ward considered two-sided sequences satisfying the equation (1.8)

a(x + y)a(x − y) = a(y + 1)a(y − 1)a(x)2 − a(x + 1)a(x − 1)a(y)2 .

Such sequences are called elliptic because they can be parametrized by elliptic functions, and there are non-trivial connections between their growth rates and the canonical height on an associated elliptic curve. There is a surprising variety of such sequences. The sequences defined by a(x) = x, a(x) = x3 (the Legendre symbol modulo 3), and a(x) = (α1 α2 )−(x−1)/2

α1x − α2x α1 − α2

for any α1 6= α2 , satisfy (1.8). These matters will be expanded on in Chapter 7. 1.1.19. Several variable generalizations. Generalizations to the multivariate case make sense as well. For example, one can consider subsequences of the coefficients of power series expansions of rational functions in several variables [653]. Another way to generalize linear recurrence sequences to the many variable case is as follows. First note that linear recurrence sequences can be considered as the ‘additive’ generalization of single exponential functions. One can consider the

1.2. p-ADIC ANALYSIS

23

‘multiplicative’ generalization as well. That is, given multiplicatively independent elements λ1 , . . . , λr ∈ K consider the finitely-generated multiplicative group (1.9)

V = {λx1 1 . . . λxr r : x1 , . . . , xr ∈ Z} .

For example, the trace TK/Q (ϑλx1 1 . . . λxr r ) provides an exponential polynomial in several variables. 1.1.20. Other linear recurrence relations. For all the sequences mentioned thus far apart from the elliptic ones, the x-th term a(x) is expressed in terms of one or several previous terms, typically a(x − 1), . . ., a(x − n). A large class of very interesting sequences is defined by recurrence relations where the x-th term is expressed in terms of more distant terms, say in terms of a (bx/2c) , . . . , a (bx/nc)

or

a (x − bx/2c) , . . . , a (x − bx/nc) .

In fact, as has become clear relatively recently, their genesis is in automata theory where these relations arise quite naturally. Generally speaking, such sequences are beyond our scope. Several interesting examples reveal links to classical linear recurrence sequences; see Sections 6.3 and 11.1. Generally, these sequences arise from natural questions about binary (or q-ary) expansions of integers; they also arise in an algorithm for fast computation of elliptic divisibility sequences due to Shipsey [1044]. Going further, the subscripts may depend on the sequence itself. Two examples in the number-theory literature are a(x) = a (x − a(x − 1)) + a (x − a(x − 2)) and a(x) = a (x − a(x − 1)) + a (a(x − 1)) with a(1) = a(2) = 1 in both cases. We refer to [345] and to [436, Sect. E31] for precise references and some generalizations. A particularly interesting doublyindexed sequence from computer science is Ackerman’s function A : N2 → N, defined by A(0, n) = n + 1 A(m + 1, 0) = A(m, 1) A(m + 1, n + 1) = A(m, A(m + 1, n)); see [170] for a historical perspective on this function. 1.1.21. Integer sequences in general. Many more examples of sequences of the type described here, as well as a vast number of quite esoteric examples, can be found in the encyclopedia of Sloane and Plouffle [1098], [1099] as well as in [436]. In particular, the x-th term may depend on all previous terms. However, number-theoretic properties of such sequences are very hard to study except in an ad hoc fashion. 1.2. p-adic Analysis Methods of p-adic analysis yield many simple proofs of results about recurrence sequences. Throughout this section, let p denote a fixed prime. Any non-negative integer m has a p-adic expansion m = m0 + m1 p + m2 p2 + . . . + mk pk ,

24


with 0 ≤ mi ≤ p − 1 for i = 0, . . . , k. Formally, negative integers and rationals also have such a representation: For example, the formal identity (1.10)

1 + p + p 2 + p3 + p4 + . . . =

1 . 1−p

suggests the formal identity (1.11)

−1 = (p − 1) + (p − 1)p + (p − 1)p2 + (p − 1)p3 + . . . .

As discussed in Hardy’s classic monograph [453], the fact that a series diverges does not make it meaningless. Any series of the form (1.10) is divergent with respect to the usual absolute value, but turns out to be convergent with respect to a different measure of size. Let m be a positive integer, and write m = pordp (m) m0 where m0 is an integer co-prime to p and ordp (m) ∈ N is the order of p in m. The p-adic valuation of m is |m|p = p− ordp (m) . More generally, given any non-zero element x of Q, write x = pordp (x) x0 where ordp (x) ∈ Z and x0 is a rational number with no power of p in the numerator or denominator, and then define |x|p = p− ordp (x) . Further, define |0|p = 0. A sequence an in Q converges p-adically if it is Cauchy: |am − an |p → 0 as m, n → ∞. The function | · |p is a metric on Q, satisfying the properties (1.12)

|x + y|p ≤ |x|p + |y|p and |xy|p = |x|p |y|p .

Counting powers of each prime in the numerator and denominator of a rational shows the product formula Y 1 for all x ∈ Q∗ . (1.13) |x|p = |x| p∈P

The completion Qp of Q under | · |p is a complete metric space, the field of p-adic numbers. Any element of Qp may be written as a series of the form x−N p−N + · · · + x0 + x1 p + x2 p2 + · · · , where each xi satisfies 0 ≤ xi ≤ p − 1. The closure of Z is called the ring of p-adic integers , written Zp . It comprises all expressions of the form (1.14)

x0 + x1 p + x2 p2 + . . .

With respect to the p-adic metric, Zp is a compact space (that is, any infinite set has a limit point). To see this, notice that in any infinite set of expressions of the form (1.14), some infinite subset must share the same first coefficient. Similarly, an infinite subset of those must share the same second coefficient, and so on. This constructs a limit point of the infinite set. The next result is sometimes known as Strassman’s Theorem. A function f : Qp → Qp is analytic on the disc of radius r > 0 about z = a if it is given by a series f (z) = f0 + f1 (z − a) + f2 (z − a)2 + . . . where fi ∈ Qp , which converges for all values of z with |z − a|p < r. Similarly, a function is meromorphic on a disc of radius r if it is the quotient of two analytic function on that disc.

1.2. p-ADIC ANALYSIS

25

Theorem 1.6. Suppose f (z) = f0 + f1 z + f2 z 2 + . . . is analytic on a p-adic disc of radius r about z = a. Then there is a polynomial g and a function h analytic on the same disc, with f (z) = g(z)h(z), and such that h is never zero on the disc. If k = max{n : |fn |p } then g has degree k and therefore f has at most k zeros of the disc. Proof.For ease, we will give the proof in the case where a = 0 and r = 1. This proof was given originally by van der Poorten [910]. Each fi in the series expansion f (z) = f0 + f1 z + f2 z 2 + . . . is a p-adic integer so expand now in powers of p. Then f (z) = f0 (z) + f1 (z)p + f2 (z)p2 + . . . The convergence guarantees that each of the coefficients are polynomials in z with coefficients of fn (z) being p-adic units. Notice that the degree of f0 (z) is k. By the Euclidean algorithm, we can write f0 = g0 , and f1 = h1 g0 + g1 , with deg g1 < k. Now repeat this by writing f2 − h1 g1 = h2 g0 + g2 , with deg g2 < k. By induction, write fn − hn−1 g1 − . . . − h1 gn−1 = hn g0 + gn , with deg gn < k. Let h(z) = 1 +

∞ X

hn (z)pn , and g(z) =

n=1

∞ X

gn (z)pn .

n=0

Formally, this gives the required factorization because |h(z)|p = 1 for all z ∈ Zp , and g is a polynomial of degree k. The series are in fact well-defined because the coefficients of f0 = g0 are p-adic units so the coefficients of the hn (z) and gn (z) are p-adic integers. Thus the series converge on the disc. It follows from Strassman’s Theorem that if f is meromorphic on a disc of radius r then there is a polynomial g such that f g is analytic on the disc. 1.2.1. Recognizing Rational Functions. Given a power series ∞ X f (z) = an z n n=0

with coefficients an ∈ Z, it is often important to determine if the series is a rational function. A simple observation in this direction comes from complex analysis. P∞ Theorem 1.7. Suppose that f (z) = n=0 an z n is complex-analytic in a closed disc of radius R > 1. Then f is a polynomial. Proof. Let ∆ denote the circle of radius R about z = 0. Cauchy’s Theorem gives Z 1 f (z) an = dz. 2πi ∆ z n+1 Now |f (z)| is uniformly bounded on ∆ by M > 0 say. Then an elementary estimate gives an upper bound for |an | of M |an | < . 2πRn+1

26


As n → ∞ we see |an | → 0. Since the an are all integers, they are forced to be zero from some point on. This result can be strengthened: It is enough to know that f is meromorphic in a disc of radius R > 1. An extremely useful idea in many branches of mathematics is that the product formula (1.13) means that exponential growth or hyperbolicity must appear with respect to some p-adic valuation. P∞ Theorem 1.8. Suppose that f (z) = n=0 an z n is complex-analytic in a closed disc of radius R > 0, and p-adic analytic in a disc of radius r > 0, where rR > 1. Then f is a polynomial. Proof. The p-adic convergence of f on a (closed) disc of radius r means |an |p rn → 0 as n → ∞. Therefore, |an |p < Mp /rn for some constant Mp > 0. Putting this bound together with the earlier one for the complex valuation gives M Mp |an ||an |p < . 2π(rR)n+1 Letting n → ∞ shows that the right hand side tends to 0 because rR > 1. This forces an = 0 to be zero for all sufficiently large n because for any integer m, either m = 0 or 1 ≤ |m||m|p . Relaxing the condition on analyticity gives a criterion for rationality which Dwork attributes to Borel [274]. P∞ Theorem 1.9. Suppose f (z) = n=0 an z n is complex-analytic in a closed disc of radius R > 0, and is p-adic meromorphic on a disc of radius r > 0, where rR > 1. Then f is a rational function. Pe Proof. Choose a polynomial g(z) = 0 gn z n such that gf is analytic in a disc of radius r > 0; assume with out loss of generality that g0 = 1. Write g(z)f (z) = h(z) =

∞ X

bn z n .

n=0

Then |an | < M/Rn , and |bn |p < M/rn . For n > e, f g = h implies that the coefficients bn are linear combinations of the coefficients of f and g, (1.15)

bn = an + an−1 g1 + . . . + an−e ge .

Thus, for N > e, the Kronecker–Hankel matrix with first line an , . . . , an+e , bn+e , . . . , bn+N , has determinant ∆N,n (a) by replacing each column by a suitable linear combination of earlier columns. A simple estimate for the determinant gives |∆N,n (a)| < (N + 1)!M N +1 /R(n+2N )(N +1) and |∆N,n (a)|p < M N +1−e /rn(N +1−e) . Choose N so large that (rR)N +1 > 1. Then, for all sufficiently large n, |∆N,n (a)||∆N,n (a)|p < 1. It follows that ∆N,n (a) = 0 for all sufficiently large N , so f is rational.

1.3. SUMS OF S-UNITS

27

A simple application of Borel’s Theorem is to a special case of the Hadamard Quotient Problem (see page 68 for more details). P∞ Theorem 1.10. Suppose f (z) = n=0 an z n is a power P∞ seriesn over Z which is the Hadamard quotient of the power series g(z) = and h(z) = n=0 bn z P∞ n n=0 cn z with bn , cn ∈ Z. That is, an = bn /cn for all n. Assume there is a p-adic valuation such that one of the zeros of h strictly dominates the others. Then f is a rational function. Proof. Now f has a non-zero radius of convergence R say. Without loss of generality, assume the dominant root is 1. Then ∞ X n=0

an z n = g(z) +

r X ∞ X i

an θin z n ,

n=0

where |θi |p ≤ r < 1 for all i = 2, . . . , r. This gives a meromorphic continuation of f to a larger disc |z|p < 1/r. Now replace z by θ2 z to obtain a meromorphic continuation of f to a disc of radius 1/r2 . Keep doing this to give a meromorphic continuation to a disc of radius 1/rk for any k > 1. Eventually rk R > 1, in which case Borel’s Theorem 1.9 shows that f is rational. 1.3. Sums of S-units In this section we are going to see how powerful methods from the theory of Diophantine approximation can give insights into the arithmetic and growth of recurrence sequences. To motivate this, consider the possible size of the expression G(m, n) = 2m − 3n , for m, n ∈ N. It is possible to find m, n such that m log 2 ∼ n log 3, so it is reasonable to ask if there is a sequence (mj , nj ) with mj → ∞ and G(mj , nj ) → 0. This turns out not to be possible: Write X(m) = 2m , Y (n) = 3n , and suppose that X(m) > Y (n). Then G(m, n) < X(m). Theorem 1.11. Given any > 0, if X(m) > Y (n), then the inequality (1.16)

G(m, n) < X(m)1−

has only finitely many solutions with m, n ∈ N. To prove this, write the inequality in terms of S-units. Let S denote the set S = {2, 3} and write, for any integer x, |x|S = |x||x|2 |x|3 for the S-norm of x. Notice that the S-norm of an integer is 1 if and only if the integer comprises powers of 2 and 3 only in its prime factorization: Such an integer is called an S-unit. Notice that |X(m)Y (n)|S = 1 and |X(m) − Y (n)|2 = |X(m) − Y (n)|3 = 1. Given a solution of (1.16), write for simplicity X = X(m) and Y = Y (n); then (1.17)

|XY (X − Y )| · |XY (X − Y )|2 · |XY (X − Y )|3 < X 1− .

28


On cancelling X and noting that |X|3 = |Y |2 = 1, (1.17) simplifies to give (1.18)

|Y (X − Y )| · |X(X − Y )|2 · |X(X − Y )|3 < X − .

The next step requires a deep theorem from Diophantine approximation, the padic subspace theorem (see [328], [1001], [1002], [1008]). For x ∈ Zn , write kxk = maxi {|xi |}. Theorem 1.12. Suppose n > 1 and let S denotes a finite set of prime numbers. Suppose that L1 , . . . , Ln are linearly independent linear forms with rational coefficients and, for each p ∈ S, L1p , . . . , Lnp are linearly independent linear forms with p-adic coefficients. Then the solutions x ∈ Zn of the inequality Y |L1 (x) . . . Ln (x)| |L1p (x) . . . L1p (x)|p < kxk− p∈S

lie inside finitely many proper subspaces of Qn . Theorem 1.11 follows easily from the p-adic subspace theorem. Here n = 2 and (1.18) shows that the linear forms to consider are L1 = Y, L2 = X − Y ; L12 = X, L22 = X − Y ; L13 = Y, L23 = X − Y. If the inequality (1.16) had infinitely many solutions X, Y ∈ N, then (X, Y ) would lie inside a finite number of 1-dimensional subspaces. However, since X and Y are coprime, each subspace can only contain finitely many solutions of (1.16). Theorem 1.11 could also be proved using Baker’s Theorem, since G consists of only 2 terms. Indeed, Baker’s Theorem yields the better result that the inequality G < (log X)−A has only finitely many solutions, for some constant A > 0. However, the argument using the subspace theorem can be used as the base step for an induction to yield the following deep theorem: Given any finite set of prime numbers S, x ∈ Z is called an S-unit if it is composed only of powers of primes in S. Theorem 1.13. Given > 0, and any C > 0, the inequality |x1 + · · · + xn | < Ckxk1− has only finitely many solutions in S-units, under the assumption that no proper subsum vanishes. To make a result like this applicable to linear recurrence sequences two things are needed. Firstly, a similar result is needed for algebraic linear forms, both over Q and Qp for primes p. This presents no great difficulties. Secondly, a linear recurrence sequence can contain polynomial terms. These can be handled by working not with S-units above, but with a slight generalization. An S-unit x ∈ Z has |x|S = 1. The polynomial extension allows integers whose S-norm grows less that some small power of |x| – the power depending upon . For example, if S = {2} and x = nk 2n for k > 0 then for any δ > 0, |x|S < |x|δ for all but finitely many x. The next section traces the origins of the p-adic subspace theorem in Diophantine approximation.

1.3. SUMS OF S-UNITS

29

1.3.1. Diophantine Approximation. Suppose θ is a positive real number: How closely may θ be approximated by rationals p/q in reduced form. Dirichlet showed that the inequality θ − p < 1 q q2 has infinitely many solutions. For many years, lower bounds were sought in the case where θ is an algebraic number, culminating in Roth’s celebrated theorem. Theorem 1.14. Let θ be an algebraic number. Given any > 0, there is a constant C = C(θ, ) > 0 such that θ − p < C q q 2+ has only finitely many solutions. Thus, increasing the power 2 in Dirichlet’s inequality means there will only be finitely many solutions. As seen above, it is often useful to work with linear forms. Thus, both Dirichlet’s Theorem and Roth’s Theorem may be stated in terms of the size of |θq − p|. For n ≥ 2, let L(x) = a1 x1 + . . . + an xn denote a linear from in the vector = (x1 , . . . , xn ). For n = 2, Roth’s Theorem can be stated in the following way. Suppose a1 , a2 are algebraic numbers, and > 0 is given. Then the inequality |L(x)| < kxk−1− has only finitely many integral solutions x ∈ Z2 provided a1 /a2 is irrational. This re-formulation suggests how Roth’s Theorem might be extended to a statement about a linear form in algebraic numbers. The following was proved by W. Schmidt in 1972. Theorem 1.15. Given a linear form L(x) with a1 , . . . , an algebraic and generating a Z-module of rank n, the inequality |L(x)| < kxk1−n− has only finitely many integral solutions x ∈ Zn . This is a deep theorem in itself, but even it is subsumed by the subspace theorem. Theorem 1.16. Given n linearly independent linear forms Li with algebraic coefficients, the solutions x ∈ Zn of |L1 (x) . . . Ln (x)| < kxk− , lie in finitely many proper subspaces of Qn . To obtain Roth’s Theorem, this is applied with the two linear forms q and θq − p. To obtain the generalization to a linear form, simply augment that form by n − 1 of the coefficients, which are again linear forms. To conclude this account, Schlickewei generalized Schmidt’s Theorem by adjoining p-adic linear forms for a finite set of primes p. The inequalities given before all hold with algebraic linear forms provided a symmetry condition is fulfilled, which says that each of the forms must occur as often as any algebraic conjugate.

30


1.4. The Skolem–Mahler–Lech Theorem, Multiplicity and Growth The following statement is the celebrated Skolem–Mahler–Lech Theorem. Theorem 1.17. The set of zeros of a linear recurrence sequence over a field of characteristic zero comprises a finite set together with a finite number of arithmetic progressions. In both cases, the finite set alluded to may be empty, and the set referred to is the set of indices x for which a(x) = 0. Proof. The most important case of sequences defined over the rationals is sketched here. For a brief but detailed proof in the general case see for example [920]. Let L be the splitting field of the characteristic polynomial of the given linear recurrence sequence a, and choose a prime p with the property that all characteristic roots are units in Qp and the prime ideal (p) splits completely in L. Then, for each i, αip−1 ≡ 1 (mod p) so the p-adic logarithms logp αip−1 = logp 1 − (1 − αip−1 ) are defined, and ordp (logp αip−1 ) ≥ 1. This allows one to p-adically interpolate the (p − 1) sequences (a(r + (p − 1)x), 0 ≤ r ≤ p − 2, yielding p-adic analytic functions ar (t) =

m X

Ai (r + (p − 1)t)αir exp(t logp αip−1 ),

r = 0, 1, . . . , p − 2,

i=1

converging for ordp t > −1 + 1/(p − 1), and in particular on Zp . Since Z is a dense subset of the compact set Zp , if any of these functions has infinitely many integer zeros it must vanish identically. It follows by the pigeonhole principle that, if the original linear recurrence sequence a has infinitely many zeros, then at least one of those p − 1 functions vanishes. In particular, it follows that for some r, a(r + (p − 1)x) = 0, x = 1, 2, . . . . It follows that if the linear recurrence sequence has infinitely many zeros then it has a pair αi 6= αj of distinct characteristic roots for which (αi /αj )p−1 = 1. Thus Theorem 1.17 is the assertion that if the linear recurrence sequence is nondegenerate then, since there is no arithmetic progression of zeros, the number of zeros is finite. The result was first noticed by Skolem [1097] for the case when the exponential polynomial representing a is defined over Q, and generalized by Mahler [683] to exponential polynomials over algebraic number fields. The completely general case appears in [613] and [684]; the story and some additional references can be found in [1153] and [920]. A completely elementary proof is given in [451]. 1.4.1. Questions suggested by Skolem–Mahler–Lech. Several questions are suggested by Theorem 1.17, which include the following. • Can the size of the common difference of the arithmetic progressions in the degenerate case be estimated? • Can one apply the theorem to decide whether a given linear recurrence sequence has infinitely many zeros or not? • Can the number of zeros of a non-degenerate linear recurrence sequence be estimated? • How can one find the set of zeros effectively?

1.4. THE SKOLEM–MAHLER–LECH THEOREM, MULTIPLICITY AND GROWTH

31

• Can one improve on the general bounds for special interesting families of linear recurrence sequences? • For what other interesting classes of sequences does a similar result hold? • What happens in fields of positive characteristic? The literature on these questions is substantial, and most of them have a complete or a quite satisfactory partial solution. The exception is the fourth question: No effective method is known to find the set of all zeros for an arbitrary nondegenerate linear recurrence sequence. The simplest question — at least in principle — is the first. For a linear recurrence sequence of order n over an algebraic number field K with degree d over Q, the least common multiple of the differences of the corresponding zeroprogressions does not exceed M (d, n), where M (d, n) is given in Theorem 1.2. Since the bound in Theorem 1.2 does not depend on further particulars of the sequence itself, this gives a positive answer to the second question also; see [74], [972], [1167] and [1168] for details. 1.4.2. Multiplicity of a recurrence sequence. For a linear recurrence sequence a over a ring R and a fixed element c ∈ R denote by m(a, c) the multiplicity of the element c among the terms of the sequence a, that is the number of solution of the equation a(x) = c. Set m(a, c) = ∞ if there are infinitely many solution, and for brevity write m(a, 0) = m(a) for the zero multiplicity. The total multiplicity M (a) is the number of solutions of the equation a(x) = a(y), x 6= y; equivalently X M (a) = m(a, c) (m(a, c) − 1) . c∈R

The Skolem–Mahler–Lech Theorem shows that m(a, c) is finite; the same result for M (a) is more recent, see [324] and [931]. No effectively computable upper bound for M (a) is known, but for several special classes of sequences effective upper bounds on M (a) are known in the context of equations with linear recurrence sequences like (1.26), (1.27), (1.28) presented below. Introduce functions (1.19)

µ0 (n, R) = sup m(a), a

and

µ(n, R) =

sup

m(a, c),

m(a,c) 1 for M (ϑ) when ϑ is not a root of unity is a classical problem in the theory of algebraic numbers, see [122], [321, Chap. 1], and [810, Notes to Chap. 2]. Lehmer [615] first raised this question in connection with the growth rate of Lehmer–Pierce sequences (cf. page 171). A positive answer would imply a uniform upper bound for m(2, Q). The best current result from [260], M (ϑ) − 1 log3 log d/ log3 d, gives µ(2, K) = O(d1/2 log3/2 d log−3/2 log d) where d = [K : Q]. For smaller d this can be improved to µ(2, Q) ≤ 29 and µ(2, K) = 100 max{300, d}.


35

The paper [84] deals with complex linear recurrence sequences as well. In particular, it is shown that if A, α ∈ C and |α| > 2 then the equation Aαx +Aαx = 1 has at most 7 integer solutions. It is an immediate consequence of this result that for any A, α ∈ C the same equation has at most 2 solutions if |α| = 1 and at most 7 + 7 log 2/ |log |α|| solutions otherwise. 1.4.7. More remarks on multiplicity. There are other classes of linear recurrence sequences for which sharper upper bounds can be obtained. For example, if all the characteristic roots are real, then Rolle’s Theorem produces the bound (1.23)

m(a) ≤ 2n − 2 .

This reduces to m(a) ≤ n − 1 if all the roots are positive (see [905, Part 5, Chap. 1, Problem 75], and [920]). Voorhoeve [1179] provides results on the horizontal distribution of complex zeros of such polynomials, and many other relevant results. Although these bounds do not even imply that m0 (n, Z) < ∞, they give useful results. For many special sequences they give much better results than (1.20) or (1.21). A related but much simpler question is the following. Let N (n) be the largest N for which there is a complex linear recurrence sequence a of order n with |a(1)| = . . . = |a(N )| 6= |a(N + 1)|. It is shown in [676] that N (n) ≤ n2 − n + 1 for all n, and N (n) = n2 − n + 1 for every prime power n. Similarly, define M (n) to be the largest M for which there is a complex matrix exponential function A(x) = ϑF x and a complex (n × n) matrix F such that kA(1)k = . . . = kA(M )k = 6 kA(M + 1)k, where kAk denotes the Euclidean norm on A ∈ Cn . Then M (n) can be viewed as the largest number of consecutive terms of a matrix exponential function on a sphere. The same paper [676] establishes the upper bound M (n) ≤ n2 and the lower bound M (n) = (n − 1)2 for every prime power n = pr . For a fixed matrix A, the largest M is bounded by 2k` − k 2 , where k is the number of distinct zeros and ` is the degree of the minimal polynomial of F. Of course, similar questions may be asked for other sequences and other norms. 1.4.8. Finding the zeros of recurrence sequences. An effective upper bound for the possible solutions of the equation a(x) = 0 remains an intractable problem. Neither the S-unit equations nor Strassmann’s Theorem gives such a result. Both work with p-adic solutions, from which there seems no way back to Archimedean norms. This is a common obstacle in the theory of Diophantine equations (see [324], [326], [440], [808], [917], [920], [931], [1059], [1107]). Mignotte and Tzanakis [730] propose a useful method for dealing with equations of the form a(x) = c, and even the more general a(x) = s, where s is a variable multiplicatively generated by the elements of some finite set S. Their method is applicable in the following situation arising in practice. Assume one ‘knows’ the solution set; then the method helps to prove that there is indeed no other solution. Its practicality has been demonstrated on several examples, one of them related to Berstel’s sequence. 1.4.9. Growth of recurrence sequences. The simplest examples of linear recurrence sequences have a characteristic logarithmic growth rate (cf. Section 8.3.1), so the first question is to ask if they all do. The Skolem–Mahler–Lech

36


theorem gives the non-effective statement |a(x)| → ∞ for x → ∞ for any nondegenerate sequence a whose characteristic roots are not all roots of unity. The trivial upper bound |a(x)| ≤ A|α1 |x xn where A is the largest absolute value of the coefficients of polynomials Ai in the representation (1.3), is the first yardstick against which an understanding of the growth rate should be measured. In [659], the conjecture was made that any integer non-degenerate linear recurrence sequence has this maximal possible growth. This conjecture was proved independently by Evertse [324], and by van der Poorten and Schlickewei [931]. Theorem 1.19. For any algebraic non-degenerate linear recurrence sequence a, and any ε > 0, there exists a constant x0 (a, ε) for which |a(x)| ≥ |α1 |(1−ε)x , if x > x0 (a, ε). This result was obtained as a corollary of more general statements for S-unit equations. Unfortunately neither proof (they are essentially the same) is effective, in that they do not give an estimate for x0 (a, ε). Finding an effective version of this result is still an important open problem. Nonetheless, several results give lower bounds for |a(x)| in special cases. Because of that it make senses to try get general effective lower bounds for some special subsequences of the parameter x, or for almost all x. Indeed, before the proof of Theorem 1.19, a completely effective result in this direction was made in [659]. Theorem 1.20. For any integer non-degenerate linear recurrence sequence a of order n, the bound max |a(xi )| > |α1 |xi x−n i 0≤i≤n−1

holds for n successive terms xi = k(x + i) + ` of any arithmetic progression, k ∈ N, ` ∈ Z+ , provided x > x0 (a, k, `) where x0 (a, k, `) is an effective constant which depends on the sequence and the arithmetic progression. The proof is based on a generalization of Turan’s Theorem [1159] from [907], and on Theorem 1.3. A modification of this statement was also used in [621, Lemma 3]. It would be very useful to get a similar estimate uniformly in k and `. If that were done, one could immediately apply Szemerédi’s Theorem on sets without arithmetic progressions [1137] to deduce that the same bound holds for a set of x of asymptotic density 1. The same considerations may be used to estimate the number of zeros in a segment of a linear recurrence sequence. Theorem 1.3 implies that for any nondegenerate linear recurrence sequence over any finite ring R, the set of its zeros does not contain n consecutive terms of an arithmetic progression. This implies that the number of zeros a(x) = 0 on any interval M + 1 ≤ x ≤ M + N is o(N ). The same estimate holds for degenerate sequences as well, provided that the first N powers of the characteristic roots α1 , . . ., αm are pair-wise distinct. This remark is essential for sequences over finite fields where every sequence is degenerate. An application to coding theory is given in Section 11.3. No explicit version of Szemerédi’s Theorem is known, so o(N ) cannot be replaced by any explicit function (see however [118], [401], [458], [1138] for short


37

progressions). Szemerédi’s Theorem has also been used in the papers of Bezivin [89], [91], [92] and Denis [248]. A version of Theorem 1.20 for geometric progressions is proved in [659]. A modification of the method of [1070] gives the following result. Theorem 1.21. For any non-degenerate linear recurrence sequence a of order n over an algebraic number field K there is an effective constant c(a) such that, for any 1 ≤ H ≤ N , |a(x)| ≤ |α1 |N exp(−c(a)H) for at most n + µ0 (nn! , K) values of x with N − H ≤ x ≤ N . Proof. Let L be the splitting field of the characteristic polynomial of the sequence, and put M = N − H. Then the representation (1.3) gives a(M + x) =

m nX i −1 X i=1 j=1

(j)

(−1)j

Ai (M ) M j x αi x αi , j!

x ∈ N.

Enumerate the functions on the right-hand side in some order, and let tk (x) be the k-th term among the functions tk (x) = xj αix . Fix A > 0 and denote by M the set of x ∈ [0, H] with |a(M + x)| < A. Assume that |M| ≥ n + µ0 (n, L); from this we will obtain a lower bound for A of the form A ≥ |α1 |N exp(−c(a)H). i Define matrices Di (X1 , . . . , Xi ) = (tk (Xj ))j,k=1 with dimensions i = 1, . . ., n respectively. Begin by choosing an element x1 ∈ M such that t1 (x1 ) 6= 0 and let M1 = M\{x1 }. Now ∆1 = det D1 (x1 ) 6= 0. Suppose that we have selected xj ∈ Mj such that ∆j = det Dj (x1 , . . . , xj ) 6= 0, for each j = 1, . . . , i. If i < n we claim that we can select xi+1 ∈ Mi such that ∆j+1 = det Dj (x1 , . . . , xj+1 ) 6= 0. Indeed, Di (x1 , . . . , xi , x) is a linear recurrence sequence of order at most n over L which is non-degenerate because it contains at least one non-zero term ∆i ti+1 (x). Since |Mi | = |M| − i > µ0 (n, L), we can select xi+1 ∈ Mi with ∆j+1 6= 0. We then set Mi+1 = Mi \{xi }. This procedure constructs a matrix Dn (x1 , . . . , xn ) with ∆n = det Dn (x1 , . . . , xn ) 6= 0. Since A1 (x) is a non-zero polynomial of degree at most n1 − 1 ≤ n − 1, for any N (j) (j) and H, there is a j, 0 ≤ j ≤ n−1, with A1 (M ) 6= 0, and therefore A1 (M ) ≥ C(a) for some positive constant C(a). Now suppose t1 (x) is the term xj α1 . Then,   a(M + x1 ) t2 (x1 ) . . . tn (x1 ) (j) M A (M )α 1 1 ... ... ... ... . (−1)j 1 = det  j! ∆n a(M + xn ) t2 (xn ) . . . tn (xn ) Therefore (j)

|A1 (M )α1M | ≤ (n!)2 AH (n−1) |α1 |(n−1)H ∆−1 n . Clearly ∆n (x1 , . . . , xn ) 6= 0 is an algebraic integer of degree d = [L : Q] over Q, so | NL/Q (∆n )| ≥ 1. On the other hand, the absolute values of the conjugates of ∆n (x1 , . . . , xn ) do not exceed n!H n αnH , where α is the largest of the absolute value of α1 , . . . , αm and of their conjugates over Q. Hence, −d+1 ∆n (x1 , . . . , xn ) ≥ n!H n αnH .

38


It follows that C(a)|α1 |M ≤ (n!)2 AH (n−1) |α1 |(n−1)H n!H n αnH

d−1

.

Noting that d ≤ n!, and µ0 (n, L) ≤ µ0 (nn! , K), gives the theorem.

Theorem 1.21 immediately implies, under the same conditions, that 1/2 {x ≤ N : |a(x)| ≤ |α1 |x−x } = O(N 1/2 ). This also implies that for any ε > 0, and any function ψ(x) → ∞, |a(x)| ≥ |α1 |(1−ε)x and |a(x)| ≥ |α1 |x−ψ(x) log x for all x ≤ N with at most O(log N ) and o(N ) exceptions, respectively. It would be interesting to get the same result for a bounded function ψ. As suggested above, a combination of Theorem 1.20 and Szemerédi’s Theorem might provide such a result, namely that |a(x)| ≥ |α1 |x x−n for almost all x. Another implication of Theorem 1.21 is the formula N 1 X Log |a(x)| = 0.5N log |α1 | + O(N 1/2 ), N x=1

which is an asymptotic estimate for the average value of the Archimedean norm of the terms of a linear recurrence sequence. For the sequences of Theorem 1.22 below the error term can be replaced by O(Log N ). Both Theorem 1.21 and the asymptotic formula above can be extended to the case of exponential polynomials [319]. Lucht [675] presents a complete characterization of linear recurrence sequences PN a for which the mean value limN →∞ N1 x=1 a(x) exists. Some results of that paper have been generalized in [96]. In [934] an analogous formula is obtained for the p-adic norms (but with a non-effective error term). There it is shown that for an integer non-degenerate linear recurrence sequence a, and any prime p not dividing the constant term of the characteristic polynomial, there is a constant χp (a) such that (1.24)

N 1 X ordp a(x) = χp (a) + o(1). N x=1 a(x)6=0

For sequences of order 2 [1199] and 3 [580], [1198], the function ordp a(x) is understood in much more detail. A stronger asymptotic result is also known for binary integer recurrences [534]. For any binary integer non-degenerate sequence a(x) = A1 α1x + A2 α2x , there is a constant k(a) > 0 such that N 1 X Log |a(x)| = 0.5N log |α1 | + 0.5 log |A21 Dα1 | + O(N −k(a) ) N x=1

where D is the discriminant of the characteristic polynomial. The only nontrivial case is when α1 and α2 are complex conjugates; in this case |a(x)| = 2|A1 ||D|1/2 |α1 |n |sin (π(nϑ + ω))| where ϑ and ω are the arguments of the complex numbers α1 and A1 , respectively. Results on the distribution of the fractional parts of linear functions give the required asymptotic estimate. More precisely, we should also take into account the arithmetic structure of ϑ. For an arbitrary complex binary sequence a similar asymptotic can be obtained with o(N ) instead


39

of O(N −k(a) ). In the p-adic case, the general asymptotic above can be improved and obtained in an effective form. Similar results for average values (with respect to both Archimedean and padic norms) of sums of S-units are presented by Everest and Loxton in the series of papers [309], [310], [311], [312], [313], [314], [315]. For example, refining the classical result of Lang and its further improvements, Everest and Loxton [315] prove that, for most algebraic number field K of degree d over Q with unit group UK of rank r ≥ 2, the asymptotic formula w(r + 1)r U (Q) = (Log Q)r + O (Log Q)r−1−δ(K) Rr! holds (the exceptional cases to which the proof does not apply are fields containing Salem numbers; see [953], [954] for the details). Here U (Q) = {u ∈ UK : max |σ(u)| ≤ Q} , σ∈Gal(K/Q) R and w are the regulator and number of roots of unity of K respectively , and δ(K) = 10−13 d−10 (1 + 2 log d)−1 R−2r . Analogously, define Sa (Q) = {u ∈ UK : | T(K/Q) (au)| ≤ Q} for some fixed non-zero integer algebraic a ∈ K. The earlier paper of Everest [310] provides the asymptotic w(r + 1)r Sa (Q) = (Log Q)r + O (Log Q)r−1 . Rr! This is based on an estimate for U (Q), so the error term can probably be improved in the same way as is done for U (Q). Furthermore, denoting by fp (k) = |k|p− ordp k the p-free part of the integer k, and defining Sa,p (Q) = {u ∈ UK : fp T(K/Q) (au) ≤ Q} we have Sa,p (Q) = Sa (Q) + O (Log Q)r−1 Log log Q . This means that ‘on average’ ordp T(K/Q) (au) is small. In a subsequent paper, [311], Everest demonstrates that these kinds of questions are closely related to the celebrated Leopoldt conjecture. Further generalizations and improvements are obtained in [312], [313], and [314]. In particular, the paper [314] extends to multivariate exponential polynomials the asymptotic (1.24) for the average value of p-orders of terms of a linear recurrence sequence. It is also shown there that the main term is a rational number given by some p-adic integral. Some special cases are discussed where the error term can be estimated effectively. Unfortunately, that is not applicable to the original case of linear recurrence sequences, but it does include many other important sequences. For example, for any exponential polynomial E of the form E(z1 , . . . , zr ) = α1z1 α2z2 E1 (z3 , . . . , zr ) + E2 (z3 , . . . , zr ) over an algebraic number field K, under some mild conditions on α1 , α2 and the exponential polynomials E1 , E2 , the asymptotic formula X 1 E(z1 , . . . , zr ) = χp + O(Q−1/(m+1)e ) r Q −Q≤z1 ,...,zr ≤Q

40


is given. Here χp is a rational number presented as some p-adic integral, m is the number of different exponents in the representation of E, and e is the ramification index of p in K. Similar results are expected for general exponential polynomials, but the present estimates for p-adic orders of S-unit sums — where no general effective result is known — are not enough to prove them. Although this question and similar questions on the average value of logarithms of linear recurrence sequences are related, the results obtained are independent and do not imply one another. No general effective version of Theorem 1.19 is known, but there is a class of linear recurrence sequences where such a refinement is readily obtained. This is the class of sequences over C with r = 1 dominating characteristic roots. It is an easy exercise to estimate |a(x)| from below as |a(x)| ≥ C(a)|α1 |x ,

x ≥ x0 (a),

where C(a) and x0 (a) are effectively computable constants depending on the sequence a (recall that all the characteristic roots, including α1 , actually participate in the representation (1.3)). The case of a pair of dominating characteristic roots cannot be treated by elementary arguments. A non-effective estimate, based on the p-adic Roth theorem, was given in 1966 by Mahler [685]. It turns out that, if one is looking for an effective estimate, the need for bounds for linear forms in logarithms arise even for binary integer linear recurrence sequences. The approach is as follows. Consider the expression |A1 α1x + A2 α2x | = |A1 ||α1 |x |(−A2 /A1 )(α2 /α1 )x − 1|. where A1 , A2 , α1 , α2 are non-zero elements of some algebraic number field, |α1 | ≥ |α2 |, and α2 /α1 is not a root of unity. Appropriately choosing the branch of the logarithm, if |(−A2 /A1 )(α2 /α1 )x − 1| is small then | log(−A2 /A1 ) + x log(α2 /α1 ) − ikπ| is also small for some integer k = O(x) (with an effective implicit constant; for a quadratic field it can be shown that k ≤ 2(x + 1), see [1057]). One now applies any known lower bound for linear forms in logarithms. This approach may be found in the papers of Schinzel [995] and others. These results were sharpened in [1057]. Finally, Mignotte [724] shows that even the case of r = 3 dominating characteristic roots can be treated along these lines, yielding precisely the same lower bound. Thus all ternary integer linear recurrence sequences are automatically included. Theorem 1.22. For any integer non-degenerate linear recurrence sequence a of order n with r ≤ 3 dominating characteristic roots, |a(x)| ≥ |α1 |x x−k(a) ,

x ≥ x0 (a),

where k(a) and x0 (a) are effective constants depending on the sequence. For algebraic linear recurrence sequences, a slightly weaker estimate (1.25)

|a(x)| ≥ |α1 |x exp(−k(a) log2 x),

x ≥ x0 (a),

is obtained in [729]. One obtains precisely the same estimate as in Theorem 1.22 if α1 , α2 , α3 are simple roots. These estimates are nearly best possible, because for


41

any linear recurrence sequence |a(x)| = O(|α1 |x xn ). Note that the constants k(a) and x0 (a) in Theorem 1.22 and in (1.25) can also be estimated as k(a), x0 (a) ≤ c(f ) log H(a) where the constant c(f ) depends on the characteristic polynomial only, and H(a) is the largest height of the initial values a(1), . . . , a(n). This is a combination of Theorem 4 and 5 of the paper. It is mentioned in [729] that for r = 4 a p-adic version of the method can be used. It does not produce any lower bound (other than for the p-adic valuation) but it does provide an effective estimate for the largest zero of a ternary algebraic linear recurrence sequence whose characteristic polynomial has no multiple root. Related results are obtained in [1167], [1168]. For binary sequences, complicated explicit expressions for the constant c and x0 are computed in [516] and improved in [895]. To the authors’ knowledge, the constants in Mignotte’s general bound have not been computed. The paper [398] addresses algorithmic aspects of separation and estimation of the dominating characteristic roots. Dress and Luca [262], [264] give a characterization of the binary linear recurrence sequences a, depending on the size of |a(x)2 − a(x − 1)a(x + 1)|. 1.4.10. Further equations in linear recurrence sequences. Given a linear recurrence sequences a one may consider the number of solutions of the equation a(x) = a(y),

1 ≤ x < y;

thus counting total multiplicity, or the more general (1.26)

λa(x) = ηa(y),

x, y ∈ N;

λa(x) = ηb(y),

x, y ∈ N;

or even (1.27)

for two linear recurrence sequences a and b, and constants λ and η. See [4], [268] [517], [518], [605], [636], [725], [726], [727], [895], [1010], [1012], [1046], [1049]. In some of these papers λ and η are variables taking their values from some fixed S-unit group, in others one obtains a lower bound for the difference of the left-hand and right-hand sides. For example, Mignotte [727] finds all 20 solutions of the equation |a(x)| = |a(y)|, 1 ≤ x < y, in the case of the extremal Berstel’s sequence; (cf. page 33) 4 further solutions are found for x ≤ 0. Lewis and Turk [636] show that for any binary non-degenerate linear recurrence sequence over an algebraic number field K, a bound for x and y with a(x) = γa(y) can be effectively estimated (depending on the sequence and on γ). Moreover, it is also possible effectively to estimate the number of solutions for sequences over C. Solutions of the equation a(x) = c taken over all members of some family of binary linear recurrence sequences a have been considered in [493]. In [729] a generalization of (1.25) is given: Under the conditions of Theorem 1.22, |a(x) − a(y)| ≥ |α1 |x exp −k(a) log2 x Log y , x ≥ x0 (a), x > y. For binary sequences this is done in [1046], [1049] with log x instead of log2 x. Similar results are obtained in [729] for the equation (1.27) when a and b share the

42


same characteristic polynomial. As before, in most cases the largest solution can be estimated by a logarithmic function of the height parameters involved. Schlickewei and Schmidt [1009] consider the non-linear equation (1.28)

λa(x)k = ηa(y)` ,

x, y ∈ N.

By (1.3), this is a particular case of (1.27). They call a linear recurrence sequence exceptional if it has only one characteristic root, that is, if a(x) = A1 (x)α1x . They show that for any non-degenerate and non-exceptional sequence of complex numbers, the equation (1.28) has only finitely many solutions. Moreover, for sequences over algebraic number fields they provide an explicit bound for this number. Theorem 1.23. Let a be a non-degenerate and non-exceptional linear recurrence sequence of order n over an algebraic number field K with degree d over Q. Then the number of solutions of the equation (1.28) with k < ` and non-zero λ, η ∈ K does not exceed 2ω2

44d!(4n+k )!

,

where ω is the number of distinct prime ideal divisors of the characteristic roots. These assertions on complex and algebraic linear recurrence sequences are based on the corresponding results of [605] and [1011], respectively. Stronger results obtained in [1013] allow Theorem 1.23 to be refined. A variety of other results are known; many are too technical to warrant inclusion here. These results show that, up to some trivial exceptions, all the equations above have finitely many solutions, and in many cases the number of solutions can be effectively estimated. The exceptions are not self-evident. Although several authors show that the equations (1.26), (1.27) have only finitely many solutions other than for ‘sensitive’ sequences, an example due to Schlickewei and Schmidt [1010] shows that a trivial exception may not be easy to recognize. They cite √ √ a(x) = 3x (7 + 5 2)x + (7 − 5 2)x , √ √ √ √ b(y) = (−2y + 1) (1 + 2)(3 − 2 2)y + (1 − 2)(3 + 2 2)y , for which a(2t + 1) = b(3t + 2), t ∈ N. On the other hand, they show that for the non-degenerate situation, even the equation λa(x) + ηa(y) + νa(z) = 0,

x, y, z ∈ N

has only finitely many solutions. The closest relative of the class of linear recurrence sequences is the class of exponential polynomials. A variety of results on the distribution of zeros of complex and p-adic exponential polynomials were obtained in [908], [909], [910], [913], [929], [1150], [1178], [1179], [1181], [1180]; see also the references given in those papers to earlier work. Some of the results alluded to should be considered in the wider context of describing the zeros of functions satisfying systems of linear differential equations with rational coefficients, an important and growing area in modern transcendence theory — see [821] and the more recent survey [1191]. We start with a result from [910] which underlies the proof of the bound (1.22).


43

Theorem 1.24. Assume that the coefficients and the exponents of the nontrivial exponential polynomial (1.4), m X

E(z) =

Ai (z) exp (ψi (z)) ,

i=1

are elements of Cp , with ϑ = min (ordp ψi − 1/(p − 1)) > 0. 1≤m≤m

Then the number of zeros of E with ordp z > 0 does not exceed (n − 1) (1 + 1/ϑ(p − 1)) . Further improvements and generalizations can be found in [909] and [929]. Van der Poorten and Shparlinski [934] extend the bound (1.22) and Theorem 1.23 to exponential polynomials of the form (1.29)

F (z) =

m X

ψ (z)

Ai (z)αi i

.

i=1

Theorem 1.25. Let F be an exponential polynomial of the form (1.29), where the Ai are polynomials of degree at most t over an algebraic number field K, and the ψi are polynomials over Z of degree at most s. If the number of integer zeros, M (F ), is finite, then M (F ) ≤ 28d+1 mts(d + ω)4d , where ω is the number of distinct prime ideal divisors of α1 , . . . αm ∈ K and d = [K : Q]. The proof has two parts, the major part being finding an upper bound for the number of zeros of p-adic differential equations — which include exponential polynomials (1.29) — and the selection of an appropriate prime p. To formulate the upper bound more notation is needed. Let K be an algebraic number field with [K : Q] = d, and let p be an ideal lying above the rational prime p. As usual Kp denotes the completion of K in Cp , and Zp = {t ∈ Kp : ordp t ≥ 0}. Consider the function represented by the power series (1.30)

f (t) =

∞ X

fj tj

j=0

with coefficients fj ∈ Zp , satisfying a p-adic differential equation (1.31)

m−1 X di f (t) dm f = q (t) m−i dtm dti i=0

with qi (t) ∈ Zp [t], i = 1, . . . , m. The following statement is a combination of [934, Lemma 1, 2]. Theorem 1.26. If a function of the form (1.30), satisfying (1.31), has finitely many zeros in Zp , then the number of zeros does not exceed m + max (deg qi − i) pd (p − 1)/(p − 2). 1≤i≤m

44


For exponential polynomials over C, Tijdeman [1150] provides the upper bound 3(n − 1) + 4RΨ for the number of zeros of E given by (1.4) in any disc |z − z0 | ≤ R in the complex plane, where Ψ = max{|ψ1 |, . . . , |ψm |}. For exponential polynomials (1.4) with complex coefficients and complex frequencies, Voorhoeve [1178], [1179] obtains the following estimate. Let CE be the convex hull of the complex conjugates ψ 1 , . . . , ψ m of the frequencies of a complex exponential polynomial E given by (1.4). If Γ denotes the perimeter of CE , and γ the number of vertices, then in any disc of radius R, E has at most ΓR/2π + γ(n − 1)/2 zeros. Analogues of these results are also known for generalized exponential polynomials of the form (1.4) with Ai , ψi ∈ C[z]. In [1180], as a consequence of more general estimates, the bound 3(n − 1) + Ψ(4R) is found for the number of zeros of E, given by (1.4), in any disc |z − z0 | ≤ R of radius R. Here Ψ(ρ) = c1 ρ + . . . + cs ρs is a polynomial of degree s = max{deg ψ1 , . . . , deg ψm } with coefficients ψ (j) (z ) i 0 j = 1, . . . , s, cj = max , 1≤i≤m j! and n=

m X

(1 + deg Ai )sm−i .

i=1

In [1181] the special case of exponential polynomials with Ai ∈ C[z] and ψi ∈ R[z] is considered; in this case the exponential polynomial is either identically zero or has no more than m − 1 + (m2 − m + 1)t + (m − 1)(m2 − 2m + 3)(s − 1)/3 real zeros, where s = max{deg ψ1 , . . . , deg ψm },

t = max{deg A1 , . . . , deg Am }.

Equations of the form (1.32)

v1 + . . . + vn = 0

in elements v1 , . . . , vn of a finitely generated multiplicative group V have been studied in the context of S-unit equations, see [324], [326], [328], [329], [440], [931], and references given in the introduction. In the case of positive characteristic, equations like (1.32) have been recently studied by Masser in [695]. To describe this result, let G be any multiplicative abelian group and fix the value of n. A subset Σ of Gn is called broad if (1) Σ is infinite; (2) for each g ∈ G and i, 1 ≤ i ≤ n, there are only finitely many points (x1 , . . . , xn ) ∈ Σ with xi = g; (3) if n ≥ 2, then for each g ∈ G and each i, j, 1 ≤ i, j ≤ n, there are at most finitely many points (x1 , . . . , xn ) ∈ Σ with xi /xj = g. The following result is proved in [695].


45

Theorem 1.27. Let K be a field of positive characteristic, and let G be a finitely-generated subgroup of K∗ . Suppose that there are constants a1 , . . . , an in K for which the equation a1 x1 + · · · + an xn = 1 has a broad set of solutions (x1 , . . . , xn ∈ G. Then there exist b1 , . . . , bn ∈ K and g1 , . . . , gn ∈ G with gi 6= 1 and gi /gj 6= 1 for i 6= j (if n ≥ 2) such that the equation b1 g1k + · · · + bn gnk = 1 has infinitely many solutions k ∈ N. Multivariate equations of the form m X

Ai (x1 , . . . , xr )

r Y

xν αiν =0

ν=1

i=1

are considered in [1011], where the coefficients Ai are polynomials and the ‘characteristic roots’ αiν are elements of an algebraic number field K of degree d over Q. In this many variable case a uniform upper bound for the number of all solutions (x1 , . . . , xr ) cannot be expected, so a suitable equivalence relation on the solutions must be factored out and then the number of non-equivalent solutions can be estimated in terms of m, r, d, the number ω of prime ideal divisors of the αiν , and the largest degree of the polynomials Ai . In [1013] these bounds are improved, and the dependence on ω is eliminated. Another natural generalization of linear recurrence sequences are the sequences satisfying the recurrence equation (1.5) with rational functions in x as coefficients. Just as the class of linear recurrence sequences coincides with the class of sequences of Taylor coefficients of rational functions, the class of these generalized sequences coincides with the class of sequences of power series coefficients of functions satisfying linear differential equations with polynomial coefficients. The first analogue of the Skolem–Mahler–Lech Theorem for such sequences is given in [91] and then, for these and several further types of sequences, in [595]. Some arguments in [595] turned out to be faulty and were fixed in [97]. These papers on power series coefficients of solutions of various differential equations in particular deal with linear combinations of the form F (X) =

m X

Ai (X)Js (βi X t )

i=1

where the Ai are formal power series over Q (satisfying some mild conditions) and Js (X) =

∞ X Xj . (j!)s j=1

This class is quite wide and includes many interesting functions (see Corollaries 1–3 of the main theorem of [97]). For q-recurrence sequences satisfying (1.6), an analog of the Skolem–Mahler– Lech Theorem is given in [92]. All these results are qualitative; van der Poorten and Shparlinski provide the first quantitative results in this direction in [936]. These results were substantially improved by Bezivin [95], but they remain much weaker then those for the case of linear recurrence sequences.

46


Peth˝ o and Zimmer [890] considered the growth of recurrence sequences on elliptic curves. Write the group operation on an elliptic curve E additively, and define a sequence of rational points (Px ) using the recurrence Px+n = fn−1 Px+n−1 + . . . + f0 Px ,

x∈N

for integers f0 , . . . , fn−1 . It is shown that under some mild conditions the canonical height h(Px ) grows exponentially with x. For sequences — of many different kinds — over function fields of zero characteristic much more can be said, because for such fields there is a strong effective result on sums of S-units, (see the references mentioned in the Introduction). For example, Shapiro and Sparer [1040] prove that for any n ≥ 3 pairwise co-prime polynomials gi ∈ C[t], i = 1, . . . , n, not all constant, the equation g1x + . . . + gnx = 0 does not have any solutions with x ≥ n(n − 2). Such results in the number field case remain beyond the wildest dreams. Finally, the requirement in the Skolem–Mahler–Lech Theorem that the characteristic be zero is essential even in infinite fields (the case of sequences over finite fields is evidently special, and is dealt with in Section 2.4). The simplest example that shows this is the cubic recurrence sequence a(x) = (2z + 1)x − z x − (z + 1)x ,

x ∈ N,

over the function field Fp (z). It satisfies the non-degenerate recurrence relation a(x + 3) = (4z + 2)a(x + 2) − (5z 2 + 5z + 1)a(x + 1) + (2z 3 + 3z 2 + z)a(x), and has infinitely many zeros of the form x = pk , k = 1, 2, . . . . This is a slight modification of the corresponding example of [613]; see also [920]. This zero-set has a very special structure, so it remains possible that an analogue of the Skolem– Mahler–Lech theorem holds for infinite fields of positive characteristic p, with finite sets augmented by sets of the form ∞ [

pk M,

k=1

where M is a finite set. As a first step in this direction one might try to prove a logarithmic upper bound for the number of zeros a(x) = 0, 1 ≤ x ≤ N of a nondegenerate linear recurrence sequence a over an arbitrary field. We are not aware of any progress in this direction. The best previously known result is the bound o(N ) obtained in [89] following from Szemerédi’s Theorem. Denis [248] gives further applications and generalizations. For a non-degenerate linear recurrence sequence, Theorem 2.13 gives the effective bound O N 1−δn for the number of zeros among the first n terms of the sequence, where δn > 0 is defined in Section 2.4. Similar issues arise for S-unit equations over Fp (t), where there are infinite families of non-trivial solutions augmented by exceptional ones; this problem is of importance in finding the mixing structure of Zd -actions by automorphisms of compact groups [289], [536], [537], [695], [1022], [1023, Chap. VIII], [1024].

1.5. PERIODIC STRUCTURE

47

1.5. Periodic Structure A sequence a is called periodic or eventually periodic if a(x + t) = a(x) for some t ∈ N and all x ≥ x0 . The minimal t > 0 for which this holds is called the period of the sequence. If the periodicity condition holds with x0 = 0, the sequence is also called purely periodic. Every purely periodic sequence is a linear recurrence sequence. It is a little less evident, but still true that, over any field, any periodic sequence is a linear recurrence sequence. The period of a single exponential function g x is also known as its multiplicative order or its exponent; the period of g is the period of the sequence (g x ). If a ring R is finite then any linear recurrence sequence a over R of order n is periodic with period t ≤ |R|n − 1. Indeed, if the sequence has n consecutive zeros then all subsequent values are zero, and thus the period is 1. Next, there are at most Rn − 1 non-zero n-tuples over R. Thus for some 1 ≤ ` < k ≤ |R|n there must be two identical n-tuples (a(k), . . . , a(k + n − 1)) = (a(`), . . . , a(` + n − 1)) , say, and so a(x) = a(x + k − `), x ≥ `. If in addition f0 is an invertible element of R, we may also move in the opposite direction and obtain a(x) = a(x + ` − k) for all x ≥ 1. Sequences having the largest possible period |R|n are called M -sequences over R. Notice that, apart from the exclusion of the zero tuple and the remark on pure periodicity, the same arguments hold for non-linear sequences. Specifically, the period of a non-linear recurrence over a finite ring R is at most |R|n . Moreover, if the function F of (1.7) is periodic with respect to its first coordinate with some period T , then any solution of this recurrence equation is periodic with period t ≤ T |R|n . In particular, any integer sequence satisfying (1.5) with integer polynomial coefficients is periodic modulo any m ∈ N, with period t ≤ mn+1 . The periodic structure of linear recurrence sequences over a finite field has been understood for some time; it is conveniently summarized in the papers of Laksov [591] and Zierler [1228]. For residue rings, the same is done in papers of Hall [445] and Morgan Ward [1194]. Pinch [897] provides a lucid outline and several more new results. In the series of papers [502], [572], [575], [576], [582], [583], [733], [818], [819] attempts are made to deal with these two cases from the one general point of view of sequences over Galois rings. In particular, M -sequences over such rings have been studied. The length of the period is related to properties of the characteristic roots {α1 , . . . , αn }. In the most interesting case, when R = F is a field and the characteristic polynomial is square-free, t is a period if αit = 1, i = 1, . . . , n. For any polynomial f ∈ Fq [X] with f (0) 6= 0, there is a minimal T ∈ N for which f (X) X T − 1; T is called the period of f , written T = per(f ). Denote as usual the zeros of f by α1 , . . . , αm with multiplicities n1 , . . . , nm . Then per(f ) = pblogp N c lcm (per(α1 ), . . . , per(αm )) where N = max{n1 , . . . , nm } is the largest multiplicity of the characteristic roots and, for each i, per αi is the period or multiplicative order of αi in the algebraic closure of Fq . Notice that, in characteristic p, the polynomial X T − 1 may have multiple roots, of multiplicity ordp T . It follows that if f is a square-free monic

48


polynomial then all sequences in L∗ F (f ) have the same period t = per(f ) q n − 1. The following result follows from [897, Theorem 7, Prop. 8]. Theorem 1.28. If f is a monic polynomial over a finite field with f (0) 6= 0 then: • all sequences from L∗ (f ) have the same period t = per(f ); • the period of any other sequence from L(f ) divides t; • the number of sequences from L(f ) of least period T is X d µ(T /d)q deg gcd(f (X),X −1) . d|T

In particular, this shows that for sequences over a finite field Fq the upper bound q n − 1 for the period can be achieved. Thus, for example, a linear recurrence sequence over Fq is an M -sequence if and only if its characteristic polynomial is primitive over Fq . We shall see later that M -sequences over finite fields (and, more generally, sequences of large period) are important in many applications. Their construction involves finding primitive polynomials over finite fields, a problem in any case of great independent interest, see [1080, Chap. 2]. Although several very effective constructions and algorithms have been proposed, the general problem is still open. The special universal role of M -sequences over finite fields is shown by the following result. Theorem 1.29. Let a be an M -sequence of period q n − 1 over Fq . Then for any linear recurrence sequence b of order n with characteristic polynomial irreducible over Fq there are unique integers k, `, 1 ≤ k ≤ q n − 1, 0 ≤ ` ≤ q n − 2, such that b(x) = a(kx + `). Moreover, gcd(k, q n − 1) = (q n − 1)/t, where t is the period of b. In particular, all the other ϕ(q n − 1)(q n − 1) M -sequences can be represented in the form a(kx + `) with 1 ≤ k ≤ q n − 1, 0 ≤ ` ≤ q n − 2, gcd(k, q n − 1) = 1. Schmutz [1029] deals with the distribution of periods of polynomials in Fq [X]. Roughly speaking, he showed that for q fixed and n → ∞, almost all polynomials 2+o(1) in Fq [X] of degree n have period q n−(log n) . A seemingly more general question about the distribution of periods of matrices over Fq can be reduced to the previous question. For an (n × n)-matrix F over Fq , define per(F) to be the minimal T ∈ N with F T = I. Then per(F) = q n−(log n)

2+o(1)

for almost all matrices F ∈ SLn (Fq ); see also [452]. This is quite surprising, 1+o(1) because Stong [1131] shows that the average value of the period is q n−(log n) . n The total number of (n × n)-matrices over F2 of maximal period 2 − 1 was shown to be n−1 Y 1 n ϕ(2 − 1) (2n − 2k ) n k=1

by Fabris [330]. The existence of M -sequences in residue rings modulo a prime power is a natural problem. For instance, in the case of integer sequences the following important fact holds.

1.5. PERIODIC STRUCTURE

49

Theorem 1.30. Let p ≥ 3 be prime, and suppose that tk is the period modulo pk of an integer non-degenerate linear recurrence sequence a with characteristic polynomial f , and p6 f (0). If k0 is the minimal k with tk+1 > tk = . . . = t1 then t1 , if k < k0 ; tk = t1 pk−k0 , if k ≥ k0 . This is a generalization of the well-known fact that if g is a primitive root modulo p2 , then it is a primitive root modulo all powers pk . A further analogue is given in Theorem 1.31 below. It follows from Theorems 1.28 and 1.30 that, for p ≥ 3, the maximal period modulo pk of an integer linear recurrence sequence of order n is (pn − 1)pk−1 , and that moreover this bound can easily be attained. For p = 2 the situation is a little more complicated, but a similar result holds. For some special characteristic polynomials, there are sequences of period (2n −1)2k−1 modulo 2k , see [135], [445], [1194]. This is quite a surprising result in light of the fact that there is no primitive root modulo 2k with k ≥ 3. An analogue of Theorem 1.30 for the sequence of powers (with respect to the group law) of a rational point on an elliptic curve over Q is given by Ayad [40]. This has been applied to Diophantine questions on rational points on elliptic curves. The following result (well-known in the folklore) shows how to construct sequences of maximal period. Theorem 1.31. Let f ∈ Z[X] be a monic polynomial, primitive over Fp for some prime p ≥ 3. Set f0 (X) = f (X), f1 (X) = f (X) + p. Then for at least one of i = 0 or 1 any sequence a ∈ L(fi ) with gcd(a(1), . . . , a(n), p) = 1 has maximal period (pn − 1)pk−1 modulo pk for all k ∈ N. Proof. Since f is primitive over Fp , it is an irreducible polynomial over Fp and a fortiori over Q. Let α1 , . . . , αn denote its roots in the splitting field K of f over Q, and let p be a prime ideal divisor of p in K. Because f is irreducible modulo p it follows that p is of degree n, that is, N(p) = pn . The condition on the first two values of the sequence gives the representation a(x) =

n X

Ai αix ,

i=1

where the Ai are conjugates, and are units modulo p. This implies that tk , the period of a modulo pk , is equal to the least T with αiT ≡ 1 (mod pk ). Denote this T by Tk . Since α1 , . . . , αn are conjugates it is enough to require this congruence n for any one i. Note that we are given t1 = T1 = pn − 1. n Suppose that T2 = t2 = t1 = T1 N(p)−1 = p −1. Then αip −1 ≡ 1 (mod p2 ), n so f0 = f (0)p −1 ≡ 1 (mod p2 ). To complete the proof, notice that the same cannot happen for f (x)+p. Indeed, n

(f0 + p)p

−1

n

≡ f0p n

because (pn − 1)f0p

−1

−2

n

+ (pn − 1)f0p

6≡ 0 (mod p).

−2

n

p ≡ 1 + (pn − 1)f0p

−2

p 6≡ 1 (mod p2 ),

The following result shows that the elements of a linear recurrence sequence modulo a large power of a fixed prime can be represented as polynomials.

50


Theorem 1.32. Let p be a prime, and let ts be the period modulo ps of an integer non-degenerate linear recurrence sequence a with a square-free characteristic polynomial f such that p6 f (0). Set y (ν) = y(y − 1) · · · (y − ν + 1). Then (1) for integers y, m X 1 (ν) as (x)psν y (ν) a(x + yts ) = ν! ν=0

(mod pk ) , (ν)

where m is determined by ms < k ≤ (m + 1)s, and the sequences as defined by (ν−1)

a0s (x) = a(x),

a(ν) s (x) =

as

(ν−1)

(x + ts ) − as ps

(x)

,

are

ν ≥ 1.

(2) Moreover, for each x and s, there is an effectively computable constant C(a, p) depending on p and a so that min ordp a(ν) s (x) ≤ C(a, p).

ν=1,...,n

Proof. (1) Using no more than the periodicity of an arbitrary sequence, it is easy to check that formally, y X 1 (ν) a(x + yts ) = as (x)psν y (ν) , ν! ν=0

and the first claim is just the truncation of this modulo pk . (2) To estimate the p-adic orders, notice that a(ν) s (x)

=

m X

Ai (αits − 1)/ps

ν

αix .

i=1

Pick x ∈ N. If r = minν=1,...,n ordp aνs (x), then the representation above gives the condition Y (αits − αits )/ps ≡ 0 (mod pr ) 1≤i mn/2+ε at least. On the other hand, as discussed in Section 1.4.10, our knowledge of the period structure of a linear recurrence sequence modulo an arbitrary integer m is poor. If m = pk , then t m and (4.4) gives nothing for n ≥ 2. On the other hand, for this case much stronger results follow from (2.11) (if n = 1) and from Theorem 2.7. The case n = 2 is considerably easier than the case n ≥ 3: For binary sequences Somer [184] obtains more complete information about the value set. Morgan [757] gives a complete characterization of the value set for binary linear recurrence sequences of maximal period modulo 2m . The series of papers [180], [181], [182], [183] introduces a new measure of non-uniformity of distribution in residue rings, and provides a complete study for the case of binary sequences. The only interesting case when the asymptotic (4.4) is really useful is m = p, when M -sequences exist. For such m, other bounds of character sums given in Section 2.1 can be used. For the single exponential function a(x) = ag x , with gcd(a, p) = 1, of period t modulo p, (2.4) gives Tp (t, I) = t|I|/p + O t3/8 p1/4 log p . Analogously, (2.5) gives Tp (t, I) = t|I|/p + O t5/8 p1/8 log p . The case of Tp (N, I) with N < t can be worked out without any difficulties too. Even more is known if g is a primitive root modulo p. The famous results of Burgess [160] yields 2 Tp (N, I) = N |I|/p + O |I|1−cε for any interval I with |I| ≥ p1/4+ε . Denote by Qa,p (N, H) the average value Qa,p (N, H) =

1 p

X

2

(Tp (N, I) − N |I|/p)

0≤K≤p−1 I=[K+1,K+H]

over all intervals of length H. For a linear recurrence sequence a of order n the bound (4.5)

Qa,p (N, H) = O(pn−1 H log2 p)

4.2. DISTRIBUTION IN RESIDUE RINGS

117

can be proved by elementary methods. Indeed, Tp (N, I)

p N 1 XXX exp [2πiλ (a(x) − y) /p] p x=1

=

y∈I

λ=1

p−1 N NH 1 XXX + exp [2πiλ (a(x) − y) /p] , p p x=1

=

y∈I

λ=1

so Qa,p (N, H)

=

p−1 1 X p3

p−1 X

exp [2πiK(λ1 − λ2 )/p]

K=0 λ1 ,λ2 =1 N X

×

exp [2πi (λ1 a(x1 ) − λ2 a(x2 )) /p]

x1 ,x2 =1 H X

exp [2πi(λ1 y1 − λ2 y2 )/p]

y1 ,y2 =1

=

1 p3

p−1 X

N X

exp [2πi (λ1 a(x1 ) − λ2 a(x2 )) /p]

λ1 ,λ2 =1 x1 ,x2 =1 H X

exp [2πi(λ1 y1 − λ2 y2 )/p]

y1 ,y2 =1 p−1 X

exp [2πiK(λ1 − λ2 )/p] .

K=0

The sum over K is p if λ1 ≡ λ2 (mod p) and is 0 otherwise. Hence, Qa,p (N, H)

=

p−1 N 1 X X exp [2πiλ (a(x1 ) − a(x2 )) /p] p2 x ,x =1 λ=1

1

2

H X

exp [2πiλ(y1 − y2 )/p]

y1 ,y2 =1

=

!2 p−1 N 1 X X exp [2πiλa(x)/p] p2 x=1

H X

!2 exp [2πiλy/p] .

y=1

λ=1

Theorem 2.1 now shows that Qa,p (N, H) ≤ p

n−2

2

(n log p + 1)

p−1 X H X λ=1

!2 exp [2πiλy/p]

y=1

= pn−2 (n log p + 1)2 H(p − H), and (4.5) follows. For the average value of Qa,p (N, H) over all a ∈ L(f ) the formula (4.6)

1 X N H(p − H) Qa,p (N, H) = n p p2 a∈L(f )

can be derived from (2.8).

118

4. DISTRIBUTION IN FINITE FIELDS AND RESIDUE RINGS

Again, for the special case a(x) = ag x where gcd(a, p) = 1 and g is a primitive root modulo p, better results are known. Denote the function analogous to Qa,p (N, H) by Ra,g,p (N, H). Montgomery [737] proves that NH Ra,g,p (N, H) = 1 + O(Hp−1 + N p−1 + p1/2 HN −1 log3 p) p and then, applying a sieve method in a very ingenious way, he obtains another estimate NH Ra,g,p (N, H) = 1 + O(Hp−1 + N p−1 + p1/4+ε HN −3/4 p + p5/8+ε N −7/8 + p3/8+ε HN −1 ) . These estimates were motivated by applications to a sorting algorithm which will be considered in Section 11.2. For this application the case H = bp/N c is the important one. For such N and H, the last estimate simplifies to give the form Ra,g,p (N, H) ∼ N H/p,

N H ∼ p, p − 1 ≥ N ≥ p5/7+ε .

We have not written this bound in the form Ra,g,p (N, H) ∼ 1 as it is plausible that the same asymptotic holds for a wider range of parameters (since it follows from (4.6), this is true ‘on average’ over a). Montgomery [737] mentions that a very strong Generalized Lindelöf Hypothesis would imply the exponent 2/3 in place of 5/7. Currently the best known results from [556] can be summarized as follows:

(4.7)

 1 + o(1),     O(p5/4+ε N −7/4 ), Ra,g,p (N, bp/N c) = O(p11/8+ε N −2 ),    O(pN −1 ),

if if if if

N ≥ p5/7+ε ; p5/7+ε ≥ N ≥ p1/2 ; p1/2 ≥ N ≥ p1/3 ; p1/3 ≥ N.

Montgomery [737] also asks if a better estimate holds for Ra,g,p (N, H) ‘on average’ over all primitive roots g modulo p (for smaller values of N ). It is shown in [556] that this can be done in some cases; in particular X 1 Ra,g,p (N, H) = N Hp−1 + O(N H 2 p−2 + N 3 Hp−3/2+ε ) ϕ(p − 1) g where g runs over all the ϕ(p − 1) primitive roots modulo p. Several very interesting results about the distribution of exponential function modulo p have recently been obtained in the series of work [215], [216], [978]. It is quite possible the technique developed in these papers can be used to improve the above results on Ra,g,p (N, H). Next consider the case m = pk with p fixed, so all constants are allowed to depend on p. Put Tpk (I) = Tpk (tk , I), where tk is the period of the sequence modulo pk . It is an easy exercise to derive from Theorem 2.7 that under the conditions of that theorem, (4.8)

1−1/n+ε

Tpk (I) = tk |I|/pk + O(tk

).

For n = 1 – that is, for a single exponential function – Korobov [563], [564] provides a better estimate with error term O(1) instead of O(tεk ). He also obtains an explicit


119

bound for an arbitrary m which depends on the prime factorization of m and is O(1) if m is a product of powers of several fixed primes: Tm (I) = tk |I|/m + O(p1 . . . pr )

(4.9) p1k1

. . . pkr r .

This result will be used later in Sections 9.1 and 9.2. where m = For n = 1, the bound (2.12) implies an asymptotic for Tpk (N, I) as well. Indeed, Korobov [564] uses (2.12) to prove that 2 Tpk (N, I) = N |I|/pk + O N 1−c/r log pk , so (4.10)

Tpk (I) = N |I|/pk + o(N ) for N ≥ exp(Cp k 2/3 log1/3 k),

where Cp is some constant depending on p only. Some of Korobov’s results are also obtained by Stoneham [1127], [1128], [1129] but in a different form. For n ≥ 2 it is possible that ε in the error term of (4.8) can be removed, but certainly the bound cannot be reduced to O(1). On the other hand, the elementary theory of congruences shows that Tpk (I) > 0 for intervals I of length |I| > C(a, p). Theorem 4.5. Let p ≥ 3 be a fixed prime number and let a be an integer nondegenerate linear recurrence sequence with square-free characteristic polynomial f such that p6 f (0), and of period tk modulo pk . Then there is a constant C(a, p) such that Tpk (I) ≥ tk |I|/npk − C(a, p). Proof. Apply Theorem 1.32 with s = k − 1. Then a(x + yts ) ≡ a(x) + bs (x)ps y (mod pk ) where ar (x + tr ) − ar (x) br (x) = a(1) . r (x) = pr Let k0 be as in Theorem 1.30 and let s ≥ s0 = max{3, k0 }. Then s − 1 < s + 1 ≤ 2(s − 1) and Theorem 1.32 implies that a(x + ts ) = a(x + pts−1 ) ≡ a(x) + bs−1 ps−1 p

(mod ps + 1).

This congruence is equivalent to bs (x) ≡ bs−1 (x) (mod p). If bs0 (x) = b(x), then bs (x) ≡ b(x) (mod p). Therefore, for k = s + 1 ≥ s0 + 1, a(x + yts ) ≡ a(x) + b(x)ps y

(4.11)

(mod pk ),

x ∈ N.

Define the sets Xk = {x : 1 ≤ x ≤ tk , b(x) 6≡ 0 and let

(0) Tpr (I)

(mod p)},

be the number of solutions of the congruence a(x) ≡ y

(mod m), (0)

x ∈ Xk , y ∈ I. (0)

(0)

Applying lifting to (4.11) gives Tpk (I) = Tpk−1 (I) = . . . = Tps0 (I). Now assume (0)

that |I| = H ≥ ps0 – then Tps0 (I) = |Xs0 | bH/ps0 c. Clearly, b(x) is not identically zero modulo p (for if not ts0 = ts0 +1 , which contradicts s0 ≥ k0 ). Therefore it cannot contain n consecutive zeros modulo p, so |Xs0 | ≥ ts0 /n. Finally, 1 1 1 (0) Tpk (I) ≥ ts0 bH/ps0 c ≥ ts0 H/ps0 − ts0 /n = tk H/pk − ts0 /n. n n n

120

4. DISTRIBUTION IN FINITE FIELDS AND RESIDUE RINGS (0)

Using the trivial bound Tpk (I) ≥ Tpk (I), this gives the assertion.

Instead of the trivial estimate |Xs0 | ≥ ts0 /n, any other upper bound on the number of solutions of congruences with linear recurrence sequences could be used. For example, this could replace the coefficient 1/n with some constant c(p) > 0 with c(p) → 1 for p → ∞. The next result gives another application of similar elementary methods. Let I = [K + 1, K + H] and C = I n . Now let Vpk (C) be the number of vectors (a(x + 1), . . . , a(x + n − 1)) ∈ C (mod pk ), 1 ≤ x ≤ tk . Analogously to (4.8) one can prove that 1−1/n+ε (4.12) Vpk (C) = tk |C|/pkn + O tk , which is non-trivial for cubes with side H ≥ pk−1/n upper bound is provided by the following theorem.

2

+ε

. For smaller cubes a better

Theorem 4.6. Let p ≥ 3 be a fixed prime number and let a be an integer nondegenerate linear recurrence sequence with a square-free characteristic polynomial f such that p6 f (0). Then Vpk (C) |C|1/n . Proof. Define s from the inequalities ps−1 < H ≤ ps , where C = I n , I = [K + 1, K + H] as before. Evidently, all vectors (a(x + 1), . . . , a(x + n − 1)) ∈ C are distinct modulo ps . Thus Vpk (C) ≤ ts ≤ t1 ps−1 ≤ t1 H. The same arguments work for any sequence having a similar period structure. For sequences of the maximal period tk = (pn − 1)pk−1 , Kuz’min [581] gives more precise results on the distribution of values; see also [502]. Several results are also known on the distribution of linear recurrence sequences modulo m ‘on average’ over all mn distinct initial values modulo m. Results of this sort are motivated by applications to pseudo-random number generators, for which the two cases m = p (see [629], [1065], [1067]) and m = 2k (see [27]) are most interesting (see Section 10.1). Various results about the distribution of some non-linear sequences satisfying (1.38) are given in [278], [279], [284], [510] (see also the references there, [837, Chap. 8] and the surveys [282], [836]). The results obtained are too technical to be stated here. Generally, the distribution over the full period when it is maximal has been almost completely clarified for quadratic sequences (1.39) and for inversive sequences (1.40). A new method to study the distribution of such sequences over parts of the period has recently been presented in [847] and [844]. Several more results are given in [415], [434], [843], [846]. The following result comes from [434] (for s = 1 it is obtained in [847]). Theorem 4.7. If the sequence a given by (1.40) with a prime modulus M = p is periodic with period t and t ≥ N ≥ 1, then Ds (N ) = O N −1/2 p1/4 (log p)s , where Ds (N ) denotes the discrepancy of the points a(x) a(x + s − 1) ,..., , x = 1, . . . , N. p p The implied constant depends only on d and s.


121

The bound is non-trivial if N ≥ p1/2+ε . The definition of discrepancy is given on page 123. Sequences given by (1.38) with an arbitrary polynomial F have been studied as well. The following result is taken from [844]. Theorem 4.8. If the sequence a, given by (1.38) with a prime modulus M = p, and a polynomial F (X) ∈ Fp [X] of degree d ≥ 2 is purely periodic with period t ≥ N ≥ 1, then Ds (N ) = O N −1/2 p1/2 log−1/2 p (log log p)s , where Ds (N ) denotes the discrepancy of the points a(x) a(x + s − 1) ,..., , x = 1, . . . , N. p p The implied constant depends only on d and s. Theorems 4.7 and 4.8 follows from Theorems 2.5 and 2.6, respectively. Accordingly, the bound of Theorem 4.8, although non-trivial, is much weaker than that of Theorem 4.7. In [415] some of the above results have been extended to sequences given by (10.11). Distribution problems for non-linear recurrence sequences will be discussed in Section 10.1 in their natural setting of pseudo-random number generation.

CHAPTER 5

Distribution Modulo 1 and Matrix Exponential Functions 5.1. Main Definitions and Metric Results The discrepancy of a sequence of points (ω x ) = (ω1x , . . . , ωsx ) in the s-dimensional unit cube is defined to be D(N ) = sup A(B, N )/N − |B| , B⊂[0,1]s

where A(B, N ) is the number of fractional parts ({ω1x }, . . . , {ωsx }), 1 ≤ x ≤ N , in the box B = B = [β1 , γ1 ] × . . . × [βs , γs ], and the supremum is taken over all such boxes. If D(N ) → 0 as N → ∞, the sequence is called uniformly distributed. A sequence (ωx ) of reals is called completely uniformly distributed if, for any s = 1, 2, . . ., the sequence of points (ωx , . . . , ωx+s−1 ) is uniformly distributed. A very important notion related to uniform distribution of sequences is normality. A real number ϑ is called normal to the base g (g ≥ 2 an integer) if the sequence of fractional parts of ϑg x is uniformly distributed. A real ϑ is called absolutely normal if it is normal to every base g ≥ 2. A simple consequence of the ergodic theorem is that almost every real number is absolutely normal. An equivalent definition of normality is the following: ϑ is normal to the base g if any sequence d1 . . . dk of k g-ary digits occurs with frequency 1/g k among the first N digit of the g-ary expansion of ϑ as N → ∞ (cf. Section 10.1). Although normal numbers are the original motivation, many more general results of this section (concerning linear recurrence sequences, matrix exponential functions, and exponential functions ϑαx with real α) are still the best known results even for these more special sequences. Moreover, several authors extend these definitions to such sequences. Thus, for example, it is common to say ‘a number normal to the base α’, for a real α, or ‘a vector normal to the base F’ for a matrix F (in both cases, the uniform distribution of the corresponding sequence is meant). However, the second definition of normality to an integer base is not directly transferable to those more general situations. There are three types of problems related to the distribution of any parametric family of sequences: • To estimate the discrepancy for individual interesting sequences. • To estimate the discrepancy for almost all values of the parameters (initial values, characteristic polynomials etc.). • To estimate the discrepancy for specially constructed good examples. Here these questions are considered for single exponential functions, linear recurrence sequences and, more generally, for matrix exponential functions ϑF x . Many relevant results can be found in the surveys given by Cigler and Helmberg [210] 123

124

5. DISTRIBUTION MODULO 1 AND MATRIX EXPONENTIAL FUNCTIONS

in 1961, Postnikov [939] and [940] in 1960 and in 1966, and Kuipers and Niederreiter [569, Chap. 1, Sec. 8] in 1974. There has not been much progress in this area since then, but some new results have appeared. Unfortunately, nothing is known about the first question, even for single exponential functions αg x . Any progress here would of great interest. On the other hand, for the second question much is known. The most general metric result is obtained by Pushkin [949], completing a chain of many partial results due to several authors. Theorem 5.1. Let B = [β1 , γ1 ] × . . . × [βm , γm ] be an m-dimensional box. Assume that the complex-valued functions ϑ1 , . . . , ϑn are holomorphic in some connected region ∆ ∈ Cm containing B. Then for almost all w ∈ B, and any nonsingular (n × n) matrix F with integer entries whose eigenvalues are not roots of unity, the discrepancy of the sequence of points (ϑ1 (w), . . . , ϑn (w)) F x satisfies D(N ) = O(N 1/2+ε ). This theorem is remarkable for several reasons. Firstly, the set of ‘good’ initial values is the same, for all matrices F, and integers N ≥ 1. This is a substantial generalization of Borel’s classical result [116] that almost all real numbers are absolutely normal. Secondly, it deals with almost all points of an arbitrary analytic manifold rather than Rn (where such a result was known earlier). For sequences of vectors of the form A(x) = (A(x − 1)F + B) (in which the fractional part is taken coordinate-wise), the uniformity of distribution for almost n all initial vectors A(1) ∈ R is shown by Franklin [348]. Note that if B is zero then x−1 A(x) = A(1)F . Nowak and Tichy [870] provide a dual result which improves and extends many previous ones. Theorem 5.2. Let k be a strictly increasing sequence of positive integers. Then for almost all real (n × n) matrices F with at least one eigenvalue of absolute value larger than 1, the discrepancy of the sequence F k(x) in the n2 -dimensional unit cube is 2 O N −1/2 (log N )n +1 . For almost all matrices having at least one real eigenvalue of absolute value larger than 1 the discrepancy can be reduced to 2 O N −1/2 (log N )n +1/2 Log1/2 log N . Several metric results about the distribution of fractional parts of linear recurrence sequences are given by Meiri [714]. If n = 1, Franklin [347, Cor. to Theorem 15], among many other interesting results, proves the following. Theorem 5.3. For almost all real α > 1, the sequence (αx ) is completely uniformly distributed. The following property is called stability of the distribution of exponential functions. It claims that if such a sequence is almost uniformly distributed, then it is uniformly distributed. The result below generalizes several results of PjatetskiShapiro and Postnikov (concerning n = 1), and was independently obtained by Cigler and Polosuev (see [210, Sect. 10.9] or [940, Sect. 16.b]). Theorem 5.4. If for some vector ϑ ∈ Rn and an (n × n) matrix F with integer entries there is a constant C > 0 such that lim sup A(B, N )/N ≤ C|B| N →∞

5.1. MAIN DEFINITIONS AND METRIC RESULTS

125

where A(B, N ) is the number of points in ϑ, ϑF, . . . , ϑF N −1 in the box B ⊂ [0, 1]s , then the sequence (ϑF x ) is uniformly distributed. For n = 1, Pjatetski-Shapiro [900], gets an even stronger result about the sequence ϑg x : ϑ is normal to the base g ≥ 2 if for any ε > 0 there is a constant C(ε) > 0 such that lim sup A(B, N )/N ≤ C(ε)|B|1+ε N →∞

for any interval B = [β, γ] ⊂ [0, 1]. Apparently the same improvement could be obtained for matrix exponential functions as well, but this has not been worked out yet. The following useful observation follows from the multidimensional Weyl criterion for uniform distribution [569, Theorem 6.2]: If ϑF x is uniformly distributed, then for any integer non-singular matrix A, ϑAF x is uniformly distributed too (here F is not required to have integer entries). An example of how this may be applied is the following: For any k ∈ N, ϑF kx is uniformly distributed if and only if ϑF x is uniformly distributed. In one direction, this is implied by Theorem 5.4. In the opposite direction, this follows from the remark above because for each j = 0, . . . , k − 1, the sequence ϑF j F kx is uniformly distributed. This is a particular case of a much more general statement. For n = 1 it was stated by Schmidt [1025] in 1960, who conjectured that its analogue holds for any n (and proved it in some cases). Brown and Moran [147] proved it in full generality in 1993. To present their result two definitions are needed. An (n × n) matrix F is ergodic if ϑAx is uniformly distributed for almost all ϑ ∈ Rn . An invertible (n × n) matrix F is called almost integer if if its entries are rational numbers, and the eigenvalues are algebraic integers. Theorem 5.5. Let F and G be commuting almost integer ergodic matrices. Then either there are k, ` ∈ N such that F k = G ` , or there are uncountably many ϑ ∈ Rn such that ϑF x is uniformly distributed but ϑG x is not. A similar result has been obtained in [78], [79] as well. Pushkin [948] gives another generalization of Schmidt’s result [1025]. For exponential functions with real base the picture is quite different. Indeed, writing B(α) for the set of ϑ ∈ R for which the sequence ϑαx is uniformly distributed, Moran and Polligton [741] prove that B(αk ) 6⊂ B(α` ) for integers k 6= ` and almost all α > 3. On the other hand, it is known that if αn ± α−n ∈ Z for some integer n, then B(α) ⊂ B(αk ) for k = 1, 2, . . .. For several related results, see [742]. The paper [77] addresses similar questions on numbers normal to the base ϑ, where ϑ is a PV-number (for such numbers there is a natural analogue of the notion of normality). For n = 1, Maxfield [704] shows that ϑ is normal to the base g if and only if ϑr is also, for any rational r 6= 0. Although the sequences considered here are uniformly distributed for almost all parameter values, other non-trivial types of distribution occur (for uncountably many values of parameters); see [Sect. 10][210], [569, Sect. 8, Chap. 1], [939], [940] for descriptions of these and many other results.

126


5.2. Explicit Constructions In light of the previous section, it is reasonable to expect that N −1/2 is the correct order for the discrepancy in metric results. To get a better bound special examples should be constructed. Such constructions are interesting in any case, as none of the metric result allow specific parameter values with the required property to be found. Moreover, although almost all of the constructions below produce sequences with a good estimate for the discrepancy, some of them are still the only known examples for the simpler qualitative question about finding uniformly distributed or completely uniformly distributed sequences. In [634], the following result is obtained. Theorem 5.6. Let f ∈ Z[X] be an irreducible polynomial of degree n ≥ 1 with no zero of unit modulus. Then there is an effective construction of the initial values of a real linear recurrence sequence with characteristic polynomial f such that its discrepancy is O N −2/3 (log N )4/3 . The same result should be true for reducible polynomials as well (if we replace the words ‘f is the characteristic polynomial’ with ‘linear recurrence sequence satisfying the equation (1.1)’, it follows from Theorem 5.6). It is not known if the bound in Theorem 5.6 can be improved. There are reasons to suspect that there are sequences with discrepancy O(N −1+ε ), but so far the exponent −2/3 is the best result even for n = 1. Theorem 5.6 is a generalization of results of Korobov [562] and Levin [625] concerning a single exponential function ϑg x . In [625] another generalization was considered: For any integer g ≥ 2 and s ≥ 1, Levin gives a construction of ϑ1 , . . . , ϑs such that the discrepancy of the sequence (ϑ1 g x , . . . , ϑs g x ) is O N −2/3 (log N )s+2/3 . For s = 1 and g = p a prime, another construction is given by Korobov [562] using normal periodic systems which are constructed using M -sequences over finite fields (which is where the requirement that g be prime is needed). Theorem 5.6 treats 1-dimensional discrepancy. The next result, from [628], concerns the n-dimensional discrepancy of the matrix exponential function ϑF x . Theorem 5.7. Let F be an (n × n) matrix with integer entries such that among its eigenvalues there are no roots of unity. Then there is an effective construction of a vector ϑRn such that the discrepancy of the sequence (ϑF x ) is −1/2 n+1 O N (log N ) . Levin also gives several related ingenious constructions. In [624], for any transcendental α > 1 he constructs ϑ such that the sequence (ϑαx ) is completely uniformly distributed. Furthermore, if α is an S or T -number in Mahler’s classification (see [1108], [1109]), then for any s = 1, 2, . . ., and any function ψ(N ) → ∞, a construction is given such that the discrepancy of the sequence of points (ϑαx , . . . , ϑαx+s−1 ) is O N −1/2 (log N )n+1/2 ψ(N ) . This result applies to almost all α, and in particular to distinguished numbers like π, e, log e, etc. For an algebraic number α of degree d, the same is true for any s ≤ d. Now consider a sequence of real numbers αi > 1, i = 1, 2, . . .. For each i ∈ N, define di to be the degree of αi if αi ∈ Q, and put di = 1 otherwise. In [630] Levin gives a construction of a sequence ϑ1 , ϑ2 , . . ., such that for any for any r ≥ 1, and integers k1 , . . . , kr ≥ 1 the discrepancy of the sequence 1 −1 r −1 ϑ1 αkx1 , . . . , ϑ1 αkx+d , . . . , ϑr αkxr , . . . , ϑr αkx+d ) 1 r

5.2. EXPLICIT CONSTRUCTIONS

127

is O N −1/2 (log N )s+3/2 , where s = d1 + . . . + dr . This is a generalization of his previous result [626] concerning the case r = di = 1 only (for which case a slightly better estimate of the discrepancy is found). Choosing αi = i + 1 gives an explicit construction of an absolutely normal number ϑ such that for any g the discrepancy of (ϑg x ) is O(N −1/2 log2 N Log log N ). For n = 1, Levin [627] obtains the following constructive version of Theorem 5.3 as well. Theorem 5.8. There is an effective construction of a number α ∈ R such that for any s ≥ 1 the discrepancy of the sequence (αx , . . . , αx+s−1 ) is O N −1/2 (log N )s+3 . The main idea of all these constructions above is as follows. The parameters are given by extremely rapidly converging series. As a result, they have precise approximations by rationals (with, usually, prime power denominators). These approximations are so fast that we can consider them instead of the original parameters. This reduces the problem to one concerning distribution modulo m, where many results are available (see Chapter 4). Moreover, although results stated for almost all real parameters cannot lead to effective constructions, the same type of results modulo m are inherently effective because of the finite nature of the problem — to find good parameter values only a finite search is needed. Unfortunately these considerations become complicated even in the simplest cases. Theorems 5.9 and 5.10 give some impression of this direction. This approach was discovered and developed by Korobov, then many other authors contributed to it (see [210], [569], [939], [940] for references). This idea is also exploited in the series of papers of Stoneham [1126], [1127], [1128], [1129]. Unfortunately very little is known about other arithmetic features of numbers represented as series. For example, it is not known if there is an algebraic number normal to some integer basis. The only known example of this special sort is the amazing result of Stoneham [1130] who proves that any sequence of decimal digits d1 . . . dk occurs infinitely often in the decimal expansion of π/4. This does not mean that π/4 is normal base 10 but nonetheless is an impressive result. He uses the formula m Y lim 1 − 1/(2i + 1)2 = π/4 m→∞

i=1

and notes that this gives a power series representation of the type needed. Kano and Shiokawa [504], [505], [506] and Jung and Volkmann [496] obtain another application of these idea. They construct sets of numbers which are normal to some base g and non-normal to the base hg with some integer h with gcd(g, h) = 1. All these authors acknowledge the priority of Wagner whose work has never been published1 but is well known among specialists nevertheless. For instance, Kano [505] gives the following construction. Theorem 5.9. Let g ≥ 2 and h ≥ 2 be co-prime and let (λm ) and (µm ) be strictly increasing sequences of positive integers satisfying lim λm /µm−1 = ∞,

m→∞

lim log µm /λm = ∞.

m→∞

1On March 10, 1990, Gerold Wagner tragically lost his life in an avalanche in the Alps.

128


Let R be the ring generated over Z by the set of all products of numbers of the form εm 1 + gλm hµm with εm = ±1. Then R is uncountable, and any ϑ ∈ R is normal to the base g and non-normal to the base gh. In [504], Kano gives a broad generalization of Korobov’s constructions. The discrepancy of the sequences obtained is estimated (the bound is weaker than the example of Levin [625] giving O N −2/3 (log N )4/3 mentioned above). Continued fractions for some normal numbers of this type are found in [558]. Another (classical) approach to the construction of normal numbers is related to the second definition via frequencies of groups of digits. The numbers obtained in this way are more explicit. The discrepancy can be estimated as well but it has not produced any records. To describe this, denote by [f ] the g-ary expansion of the integer f . Many normal numbers have been constructed in the form (5.1)

ϑ = 0.[f1 ][f2 ] . . .

for a chosen integer sequence (fx ) (see [210], [939], [940]). For any polynomial f ∈ Z[X], setting fk = f (k) gives a normal number ϑ; Schiffer [994] shows that the discrepancy of ϑg x is O(1/ log N ), and this bound is best possible. Several more relevant results are given by Dumont and Thomas [270] and by Nakai and Shiokawa [506]. A different example is fk = pk , where pk is the k-th prime number — more generally, fk can be any strictly increasing sequence of integers with |{k : fk ≤ N }| N 1−ε for any ε > 0. Thus the numbers 0.12345678910 . . . ,

0.14925364964 . . . ,

0.235711131719 . . .

are normal to the base 10; see also [1162]. Sz¨ uz and Volkman [1139] give very general conditions on functions f such that fk = bf (k)c generates a normal number. Here we present several interesting examples from that paper, showing a wide variety of such functions: Pn βν • f (x) = logτν x, where n > 1, γn > 0, βn > . . . > β1 , ν=1 γν x γν , βν , τν ∈ R; • f (x) = (πx1/2 + x1/3 )4/5 / log2 x; • f (x) = pβx with β > 0; • f (x) = p2px . On the other hand, no function of logarithmic order like f (x) = logτ x produces a normal number. Several more results of this kind can be found in [635]. Proving normality of numbers given by (5.1) is equivalent to studying the distribution of digits in the sequence (fk ), a subject of independent interest. The papers [56], [265], [266], [267], [269], [337], [403], [405], [406], [407], [889], [1043] (among others) deal with different aspects of the digit distribution, including the sum of digits function and the distribution of digits with respect to two different bases. Expansions with respect to recurrent sequences are considered as well. As mentioned in Section 11.1, Shallit [1034] has shown that any ‘sensitive’ numeration system arises from linear recurrence sequences; see also [1020]. The digits of some specific numbers are studied too. For example, Blecksmith, Filaseta and Nicole [110] define a block in the base g representation of m as a sequence of equal digits of maximal length, and denote by B(m, g) the number of

5.2. EXPLICIT CONSTRUCTIONS

129

such blocks. Using lower bounds for linear forms in logarithms, they show that if a, g ≥ 2 are integers such that log a/ log g is irrational, then lim B(ax , g) = ∞.

x→∞

The proof apparently can be transferred to the values B (a(x), g) for a linear recurrence sequence a. Luca [666] studies the number of non-zero digits in g-ary expansion of the nth term of a linear recurrence sequence and, under some natural conditions, shows that there are at least c log n/ log log n such non-zero digits, where c > 0 is a constant. Some of these results are based on upper bounds for the number of solutions of S-unit equations and bounds for linear forms in logarithms. It follows that the recent progress in both these areas improves those results. Finally, for sequences growing slightly faster than linear recurrence sequences, there is a simple construction providing very uniform distribution of the corresponding fractional parts. This construction may be applied to subsequences of a linear recurrence sequence a like a(x2 ) or (a(p)) where p runs over the sequence of prime numbers. Another interesting sequence which is covered by the result below is x!. Consider sequences f satisfying the growth condition (5.2)

|f (x + 1)| ≥ x1−ε |f (x)|;

we wish to construct ω such that for any s ∈ N the discrepancy of the sequence of points ({ωf (x)}, . . . , {ωf (x + s − 1)}) is uniformly distributed in the s-dimensional unit cube with discrepancy Ds (N ) = O(N −1+ε ). The following result from [1063] will be used, giving an explicit construction for a sequence (ϑx ) such that for any s ∈ N the s-dimensional discrepancy of the sequence of points (ϑx , . . . , ϑx+s−1 ), x = 1, . . . , N , is Ds (N ) = O(N −1+ε ). This sequence (ϑh ) is used to construct ω with the property required in the following way. Put (5.3)

ω=

∞ X ωh , f (h)

h=1

where the sequence (ωx ) is defined from the recurrent relation ( ) x−1 X ωh (5.4) ωx + f (x) = ϑx , 0 ≤ ωx < 1, x ∈ N. f (h) h=1

Theorem 5.10. For a sequence f satisfying the growth condition (5.2), let ω be defined by (5.3), (5.4). Then for any s ∈ N, the s-dimensional discrepancy of the sequence of points ({ωf (x)}, . . . , {ωf (x + s − 1)}) ,

x = 1, . . . , N,

satisfies Ds (N ) = O(N −1+ε ). Proof. It is enough to show that for any M , the discrepancy of points ({ωf (x)}, . . . , {ωf (x + s − 1)}) , satisfies

x = M + 1, . . . , 2M,

130


Ds (M, 2M ) = O(M −1+ε ). For M < x ≤ 2M , (5.5) ) ∞ X ωh ωh {ϑf (x)} = f (x) + ωx + f (x) f (h) f (h) h=1 h=x+1 ( ) ( !) ∞ ∞ X X ωx+h 1 = ϑx + f (x) (5.6) = ϑx + O |f (x)| f (x + h) |f (x)|x(1−ε)h h=1 h=1 (

(5.7)

x−1 X

= {ϑx + O(x−1+ε )} = {ϑx + O(M −1+ε )},

and the assertion follows.

Using the result of Levin [632], one can obtain a slightly stronger bound. Although this result cannot be applied to an integer linear recurrence sequence directly, selecting an appropriate subsequence gives a construction of ω such that the fractional parts {a(x)} are very densely distributed in the unit interval (certainly a must be a non-degenerate sequence to achieve this) in the sense that for any ε > 0, γ and N ≥ 1 there is x, 1 ≤ x ≤ N , with {ωa(x) − γ} N −1+ε . 5.3. Some Other Problems We close with several more questions on the distribution of fractional parts of exponential functions. The surveys [339], [340] are good references for this. In [686], Mahler asked if there exist numbers ϑ > 0 with the property that the fractional part {ϑ(3/2)x } < 1/2 for all x ∈ N. Such numbers are called Z-numbers. Mahler’s 3/2-problem is the conjecture that there are no Z-numbers. Mahler [686] proves that for any k ∈ Z+ the interval [k, k + 1) contains at most one Z-number; since {ϑ} < 1/2 the Z-number in this interval must lie in [k, k + 1/2]. Thus Znumbers (if they exist) are well separated. Mahler also proves that the number of Z-numbers ϑ ≤ x is O(xγ ) with γ = log(1 + 51/2 ) − 1 = 0.70 . . .. Flatto [339] improves this by showing that one can take γ = log 3 − 1 = 0.59 . . .. He also obtains many interesting results about the structure of the set of Z-numbers. In fact he (and other authors) consider, for 0 < t < 1 and α > 1, the more general set of Zt,α -numbers, where Zt,α = {ϑ > 0 : {ϑαx } < t, x ∈ N}. Among other results, [339, Theorem 7.1] shows that Zt,α is either countable or has cardinality of the continuum (without the continuum hypothesis); Theorems 7.4 and 7.5 op. cit. show that both possibilities occur. The first happens if (q − 1)/(` − q) < t ≤ q/p, in which case [k, k + 1) contains precisely one Zt,`/q -number for any k ∈ Z+ . The second happens if 2/(α − 1) < t < 1, in which case[k, k + 1) contains a continuum of Zt,α -numbers for any k ∈ Z+ . In [340], Flatto, Lagarias and Pollington extend these results even further to the set of Zs,t,α -numbers, defined by Zs,t,α = {ϑ > 0 : s ≤ {ϑαx } < s + t, x ∈ N} where 0 ≤ s < s+t ≤ 1. The following statement from [340, Theorem 1.1] improves and generalizes Mahler results.

5.3. SOME OTHER PROBLEMS

131

Theorem 5.11. Let ` and q be co-prime integers and let s, t with 0 ≤ s < s + t ≤ 1 be such that t < 1/q and {(` − q)} ≤ q − `t. Put γ = min{logq ` − 1, logq b`t + {(` − q)}c . Then for any k ∈ Z+ the interval [k, k + 1) contains at most one Zs,t,`/q -number, and the number of Zs,t,`/q -numbers ϑ ≤ x is at most O(xγ ). As in [340], define

x

x

Ω(α) = inf lim sup{ϑα } − lim inf {ϑα } , ϑ

x→∞

x→∞

so Mahler’s conjecture implies that Ω(1/3) ≥ 1/2. The main result of [340] is the following. Theorem 5.12. The bound Ω(`/q) ≥ 1/q holds for any co-prime ` and q. Tijdeman [1151] shows that Z1/(α−1),α 6= ∅, and therefore Ω(α) ≥ 1/(α − 1), so Ω(`/q) ≤ `/(` − q). Several other related results due to different authors are given in [340] as well. Among them is the statement that Ω(α) = 0 if α is a totally positive PV-number (that is, α > 1 while the other conjugates are positive and strictly less than 1). On the other hand, the estimate Ω(α) ≤ 1/2(1 + α)2 is shown to hold for only countably many values of α. In Section 9.4, an analogue of Zt,α -numbers modulo a prime ` is considered. Another old conjecture, supported by computational results, states that the sequence (3/2)x is uniformly distributed modulo 1. As a step towards this conjecture, Kamae [501] considers the following easier problem. Let k be a non-decreasing sequence of integers such that k(x) → ∞ as x → ∞. One may try to prove that the sequence 3x /2k(x) is uniformly distributed. For k(x) = x this is the original problem. Kamae proves uniform distribution for k(x) = log x + O(1), and notes that he cannot prove it even for k(x) = O(log x). His method exploits the fact that 3 is of maximal period 2k−2 modulo 2k for k ≥ 2. Here we describe an essential improvement and generalization of this statement. Theorem 5.13. Let r ≥ 2, and q a prime power, be co-prime. There is a constant c(q) > 0 such that for any non-decreasing sequence of integers k(x) → ∞ as x → ∞ with k(x) ≤ c(q)(log x)3/2 (Log log x)−1/2 , the sequence rx /q k(x) is uniformly distributed. Proof. We may assume that k(x) ≥ 0 for x ∈ N. Fix some sufficiently large N , and separate the interval [1, N ] into m sub-intervals [Ni + 1, Ni+1 ] on each of which k(x) takes the value ki = k(Ni + 1), i = 1, . . . , m. Thus N1 = 0 and Nm+1 = N and k1 < . . . km . Then m ≤ k(Nm ) ≤ k(N ) = O (log N )3/2 (Log log N )−1/2 . Let I be the set of i ≤ m for which 2/3

Ni+1 − Ni ≤ exp(Cp ki

log1/3 ki ),

where p is the prime divisor of q and Cp is the constant from the estimate (4.10). Then ! m m X X X 2/3 1/2 1/3 (Ni+1 − Ni ) ≤ exp(Cp ki log ki ) = O Ni = O(mN 1/2 ) = o(N ). i∈I

i=1

i=1

132


Without loss of generality we can consider intervals with the denominators q ki in the definition of the discrepancy of the sequence rx /q k(x) over x ∈ [Ni + 1, Ni+1 ]. Now applying the estimate (4.10) to intervals [Ni + 1, Ni+1 ] with i 6∈ I and the trivial bound O(Ni+1 − Ni ) to i ∈ I gives   X X 1  D(N ) ≤ (Ni+1 − Ni ) + o(Ni+1 − Ni ) = o(1), N i∈I

i6∈I

and the assertion follows.

Other related results can be found in [1134]. The next result is a generalization of the Riesz–Raikov Theorem on algebraic numbers which previously was only known for rational α (see [930] for further references). Theorem 5.14. If α > 1 is an algebraic number, and ψ is a bounded measurable 1-periodic function on R, then Z 1 N 1 X lim ψ(ϑαx ) = ψ(τ )d τ N →∞ N 0 x=1 for almost all ϑ ∈ R. This result has to do with uniformity of the distribution of the fractional parts of ϑαx . On the other hand, behind it there is a quite different result related to S-unit equations. Theorem 5.15. Let α > 1 be an algebraic number such that all the powers αx , x ∈ N are of the same degree d, and let ω be the number of prime ideal divisors in Q(α) of α . If W is a subspace of dimension dim W ≤ d − 1 of the d-dimensional Q-vector space Q(α), then the set Aα (W ) = {h : αh ∈ W } is finite, and 240(d+1)! (ω+1)6

|Aα (W )| ≤ (4(ω + 1))

.

This result is proved in [930], and is based on bounds for the number of solutions of S-unit equations. As usual, more recent results produce a better bound for |Aα (W )| (for Theorem 5.14 only the finiteness of Aα (W ) is essential). Several results presented in Section 9.1 on normal bases of algebraic number fields are obtained in a similar way. Maxfield’s result [704] says that if ϑ is not normal to the base g, then neither is mϑ for any m ∈ N. On the other hand, Mahler [687] shows that any irrational number ϑ can be ‘improved’ in the same way: For any k ∈ N there is a number M (k) < 102k+1 such that any sequence d1 . . . dk of k decimal digits occurs infinitely often in the decimal expansion of at least one of the numbers mϑ, m = 1, . . . , M (k). The existence of such a function M (k), depending only on k, is not obvious, let alone the question of finding bounds for M (k). Berend and Boshernitzan [68] extend this definition to any base g; for the corresponding function M (g, k), they prove the upper bound M (g, k) ≤ 2g k − 1. This bound is quite precise as they show that • M (g, k) ≥ h(g k − 1) for any proper divisor h of g; • M (g, k) ≥ (1 − ε)g k+1 if g is not a prime power and k ≥ k0 (ε); • M (g, 1) ≥ 1.5(g − 1) for any odd g ≥ 5.

5.3. SOME OTHER PROBLEMS

133

They also show that for any polynomial f ∈ R[X] with at least one irrational coefficient (beside the constant term), there is a constant Mf (g, k) such that any sequence d1 . . . dk of k consecutive g-ary digits occurs infinitely often in the decimal expansion of at least one number f (m) for some m. They do not give any upper bound for the minimal m, but mention that m does not exceed some constant M (g, k, d) depending on g, k and the degree d = deg f . It would be very interesting to have an explicit bound. The method is based on considering limit points of the sequence {αq x } (incidentally, it is straightforward to show that for any irrational α there are infinitely many such limit points). They mention the following applications of the general result: Any sequence d1 . . . dk of k g-ary digits occurs infinitely often in the decimal expansion of at least one element of the following sequences: • ln n (consider n of the form n = 2m ); m • ln ln n (consider n of the form n = 22 ); • nγ with positive rational γ = `/q (consider n of the form n = 2mq ). On the other hand, it is not known if this holds for ln ln ln n or for nγ with irrational γ > 0. In a subsequent paper [69], they extend this research in many directions. There it is shown that the same statement is not true for continued fractions expansions: There exist uncountably many α such that the sequence of partial quotients of each multiple mα converges. For such α, any finite sequence of positive numbers occurs only finitely often in the sequence of partial quotients of mα for any m ∈ N. On the other hand, they also mention that for almost all real α each fixed finite sequence occurs infinitely often (and even with some prescribed positive density). Finally, they show that, for any quadratic irrationality α and for each sequence of positive integers b1 , . . . , bk , there exist infinitely many m for which this sequence appears infinitely often in the continued fractions expansion of mα. Graber, Tichy and Winkler [408] study the distribution of fractions of the form a(x + 1)/a(x) for a recurrence sequence a satisfying the equation (1.5) with asymptotically constant coefficients: In their main theorem they need fi (x) = fi + O x−λ for some f0 , . . . , fn−1 ∈ C and λ > m, where m is the maximal multiplicity of the dominating roots of the asymptotic characteristic polynomial f (X) = X n − fn−1 X n−1 − . . . − f1 X − f0 . Under some conditions on dominating roots of f , an explicit (rather complicated) expression for the distribution function is given. An example from [408] is the following: Let a satisfy (1.5) with n = 2, fi (x) = fi + O x−λ , i = 0, 1. Assume that d = f12 − 4f0 > 0, λ > 1, and π −1 arctan (−d)1/2 /f1 is irrational. Then the distribution function of a(x + 1)/a(x) is ψ(t) = χ(t − {f1 }) + χ(−{f1 }) where χ(t) = t + arctan

sin 2πt . exp π(−d)1/2 − cos 2πt)

Tichy [1148] gives a bound on error terms and shows how such results can be used to study the uniformity of distribution of sequences satisfying the equation a(x + 1) = αx −

βx , a(x)

134


where αx → α, βx → β and α2 < 4β. Tichy [1147] also studies the distribution of fractional parts of log a(x).

Part 2

Applications and Examples

CHAPTER 6

Applications to other Sequences 6.1. Algebraic and Exponential Polynomials Any polynomial over Q of degree n satisfies a linear recurrence equation of order n + 1, by (1.3) on page 17 for example. Thus, many of the results from Chapters 1 to 5 can be directly applied to such polynomials, although they seldom give something non-trivial for this particular case. On the other hand, there is another connection between linear recurrence sequences, exponential polynomials and algebraic polynomials, particularly n-sparse polynomials of the form (6.1)

F (x) = an xr1 + . . . + an xrn

containing exactly n monomials. Letting r1 , . . . rn be negative gives n-sparse rational functions. In either case, the substitution x = g z with some g 6= 0, makes F (x) = a(z) = a1 g r1 z + . . . + an g rn z , and a is a linear recurrence sequence or more precisely an exponential polynomial of order at most n. Over a finite field Fq , in order to study the behaviour of F over Fq , it is reasonable to choose g to be a primitive root of Fq . The same idea works for polynomials over residue rings modulo pk for odd prime p, and after some adjustments over Z/2k Z. By applying the Chinese Remainder Theorem, such polynomials can be studied over arbitrary residue rings Z/mZ. In this section these general considerations will be illustrated using examples. One more application to algebraic polynomials of quite different ideas which nevertheless traditionally belong to the area of linear recurrence sequences and S-unit sums will also be given. We begin by studying two related problems on factorization of exponential polynomials, and fractional power factorization of algebraic polynomials. The first is in the background of the proof of Theorem 1.36, giving a positive solution of the Hadamard Quotient Problem. 6.1.1. Factorization of exponential polynomials. The first problem deals with factorization in the ring of formal exponential polynomials (1.4) — a subject going back to Ritt’s work [969], [970], [971] of 1927–1929, where he essentially proves a unique factorization theorem. This notion of ‘unique’ factorization has to be suitably interpreted. There are many units of the form A exp ψz; worse, polynomials 1 − A exp ψz have factors 1 − A1/n exp(ψz/n) for all n ∈ N. To get around this, let K be an algebraically closed field of zero characteristic and let W be a finitely generated Z-submodule of K. Denote by Kz {W} the ring of exponential polynomials of the shape m X (6.2) E(z) = Ai (z) exp (ψi (z)) , i=1 137

138

6. APPLICATIONS TO OTHER SEQUENCES

where the coefficients belong to K[z] and the frequencies ψ1 , . . . , ψm are distinct elements of W. The exponential function — which looks exotic over an arbitrary field — is only used here to have the formal identity exp(x + y) = exp x exp y. Now it may be shown that irreducible exponential polynomials do exist in the ring Kz {W}, and a unique factorization theorem does hold. For polynomial with constant coefficients this was shown by Ritt [969], and then it was noted in [316] that the arguments work for any polynomial coefficients, and even for exponential polynomials in several variables. Theorem 6.1. An exponential polynomial E ∈ Kz {W} factorizes, uniquely up to units of Kz {W}, as a product of an algebraic polynomial A0 (z), a finite number of polynomials Ai (exp(ϑi z)) with frequencies ϑi no two of which are rational multiples, polynomials Ai ∈ K[z], i = 1, . . . , s, and a finite number of exponential polynomials each irreducible in Kz {W}. Another of Ritt’s result [970] concerns divisibility of polynomials with common zeros. Theorem 6.2. If every zero of an exponential polynomial E is also a zero of an exponential polynomial F , then there is an exponential polynomial G and an algebraic polynomial A dividing each coefficient of E, such that G(z)E(z) = A(z)F (z). The assumption of Theorem 6.2 can be essentially relaxed [251], [937], [1042]. It is also shown in [937] that two notions of greatest common divisors for exponential polynomials can be reasonably defined. The first of these is the Ritt greatest common divisor GR (E, F ) = gcdR (E, F ) defined as usual by the property that every divisor of both E and F divides GR (E, F ) in Kz {W}. The second is the Hadamard greatest common divisor GH (E, F ) = gcdH (E, F ), defined by the property that every entire function of analytical order at most 1, whose zeros are exactly the common zeros of E and F (and no others), is GH (E, F ). Both these greatest common divisors are uniquely defined up to a unit of the shape A exp ψz. Theorem 6.2 is related to a conjecture due to Shapiro [1041]: If two exponential polynomials have infinitely many common zeros, is it true that all but finitely many of these zeros occur because of a common exponential polynomial factor? The condition forces the Ritt greatest common divisor and the Hadamard greatest common divisor to coincide (up to a unit factor of the shape A exp ψz). The only known results beyond some trivial observations implied by Theorem 6.1 are those of Diab [250]. On the other hand, Rubel [308] shows that a natural generalization of Shapiro’s conjecture is certainly false (he calls the Ritt and the Hadamard greatest common divisors the algebraic and the analytic greatest common divisors, respectively). These problems can be formulated in another way. Instead of working with exponential polynomials from Kz {W} we can consider multivariate polynomial factorization in fractional powers – the question originally considered by Schinzel [997]. Equivalently, given an algebraic polynomial f (x1 , . . . , xn ), consider the problem of polynomial factorization of f (xq11 , . . . , xqnn ) for some q1 , . . . , qn ∈ N. In [937], polynomials which remain irreducible for all such substitutions, are called irreducible in the strong sense. This notion of irreducibility was also studied by Gourin [399], and

6.1. ALGEBRAIC AND EXPONENTIAL POLYNOMIALS

139

arises in finding minimal non-mixing shapes for Zd -actions by compact group automorphisms, [537, Sect. 3], [1201]. The structure of fractional power factorizations is completely described in [926]. Finally, Berenstein and Yger [70] develop mixed algebraic and analytic methods to study ideals in the ring of exponential polynomials. 6.1.2. Sparse polynomials over finite fields. Coppersmith and Davenport [225], answering a question of Erdös, prove that the powers of any n-sparse polynomial over a field of zero characteristic cannot be too sparse: They contain at least log log n monomials. This implies a similar lower bound for the order of powers of linear recurrence sequences of a special form; the most general form of such a result with respect to linear recurrence sequences would be a very useful addition to numerous upper bounds outlined in Section 1.4.10. Redei, in his book [955], among many other interesting topics about sparse polynomials, considers sparse polynomials which split into linear factors over a finite field. Such polynomials may be studied by using the following upper bound for the number of zeros of a sparse polynomial over a finite field, which was established in [171]; see also [351], [352], [1080], [1081]. This was presented in Theorem 2.10 in the form of an upper bound on the number of solutions of an exponential equation (the proof given in [171] also deals with this form). Theorem 6.3. For n ≥ 2, elements a1 , . . . , an ∈ F∗q and integers τ1 , . . . , τn , denote by T the number of solutions of the equation n X

ai xri = 0,

x ∈ F∗q .

i=1

Then (6.3)

T ≤ 2q 1−1/(n−1) D1/(n−1) + O q 1−2/(n−1) D2/(n−1) ,

where D = min max gcd(rj − ri , q − 1). 1≤i≤n j6=i

A result about sparse polynomials will be derived from Theorem 6.3 (see also [Sect. 3.3][1080] for related problems). Let Rn (q) be the number of sequences (6.4)

0 ≤ r1 < . . . < rn ≤ q − 1,

for which there exist a1 , . . . , an ∈ Fq such that the polynomial F ∈ Fq [x] given by (6.1) splits into linear factors over Fq . Such a sequence of exponents r1 , . . . , rn is called the type of the polynomial (6.1). Thus Rn (q) is the number of types of n-sparse polynomials which split into linear factors over Fq . Theorem 6.4. For any prime p and n ≥ 3, Rn (p) = O pn−1 log log p . Proof. If a polynomial F ∈ Fp [X] of the form (6.1) splits completely over Fp , then the equation a1 xr1 + . . . + an xrn = 0, x ∈ F∗q , has at least (rn − r1 )/n solutions. Indeed, the multiplicity of each non-zero root of a polynomial of the form (6.1) does not exceed n (this is not true over arbitrary

140


finite fields, and this distinction is the main obstacle to an extension of the result to general finite fields). From Theorem 6.3, (6.5) (rn − r1 )/n = O p1−1/(n−1) D1/(n−1) where D = min max gcd(rj − ri , q − 1). 1≤i≤n j6=i For any fixed r1 and D p − 1 there are at most n−1 1−1/(n−1) 1/(n−1) −2 (6.7) O p D D = O pn−2 D−1 (6.6)

(n − 1)-tuples (r2 , . . . , rn ) satisfying (6.4), (6.5) and (6.6). Taking the sum over all r1 , 0 ≤ r1 ≤ p − 2, and all divisors D|p − 1 and using the well known estimate X1 = O(log log M ), d d|M

gives the desired result.

For n ≥ 5, the condition (6.6) implies that there are at least three differences τj − τi , 1 ≤ i < j ≤ n, whose greatest common divisor with p − 1 is at least D. Thus the bound (6.7) can be replaced with O(pn−2 D−2 ), so Rn (p) = O pn−1 for n ≥ 5. The above approach works only for prime finite fields. On the other hand, for polynomials over Z a similar (and even stronger) result was obtained in [935]. This is based on relations of a rather different kind between algebraic polynomials, linear recurrence sequences, and S-unit sums over function fields described in that paper. The polynomials considered next are a generalization of sparse polynomials. Theorem 6.5. Let n ≥ 2, and let ψ1 , . . . , ψn and Ψ1 , . . . , Ψn be non-zero polynomials with integer coefficients such that no two of the polynomials Ψ1 , . . . , Ψn have the same set of zeros. Let r1 , . . . , rn be fixed integers. Define m = max deg ψi , 1≤i≤n

M = max deg Ψi , 1≤i≤n

ρ = min ri , 1≤i≤n

r = max ri . 1≤i≤n

Suppose that ρ > (n − 2)[1 + m + (M − 1)(n − 1)/2], and that F (x) =

n X

ψi (x)Ψi (x)hi

i=1

is a polynomial of degree deg F ≥ δr where δ > 0 is some constant. Then there is an effectively computable constant C > 0, depending only on the polynomials ψ1 , . . . , ψn and Ψ1 , . . . , Ψn , such that the polynomial F has an irreducible factor over Z of degree k > C log1/2 r. The key idea of the proof is to view the polynomial F as a S-unit sum over the rational function field Q(t). As usual, much stronger results are known for S-unit sums over function fields (compared with algebraic number fields). Several such new results about S-unit sums over function fields of zero characteristic are given in [935]. Define as usual the norm of a polynomial f ∈ Z[x] to be |f | = 2deg f and denote by P (f ) the irreducible factor of largest norm. Then Theorem 6.5 says that |P (F )| ≥ exp C(Log log |F |)1/2 , which is much sharper than the corresponding

6.1. ALGEBRAIC AND EXPONENTIAL POLYNOMIALS

141

double logarithmic estimates for the largest prime divisor of a linear recurrence sequences and ‘dense’ algebraic polynomials (cf. the remark before Theorem 3.1). Ribenboim [957] shows how the results about powers in linear recurrence sequences outlined in Section 3.4 can be used to study possible factorizations of trinomials xn − Bx − A. Further, in [1079], rational exponential sums of the form S(F, q) =

q X

exp (2πiF (x)/q)

x=1 (x,q)=1

for q an integer, are considered for n-sparse polynomials F given by (6.1). In the particular case when q = pα is a power of a fixed prime number p ≥ 3 (that is, when the implied constant is allowed to depend on p), this bound is a direct consequence of the Theorem 2.7. Indeed, substituting x = g z where g is a primitive root modulo p2 (any thus modulo any power of p ≥ 3) the sum S(F, pα ) can be reduced to a sum involving a linear recurrence sequence of order n. It is shown in [1079] that the method employed in [1061] to prove Theorem 2.7, allows us to prove the same bound for any q. It is also observed there that one can consider the case when some of the exponents ri are negative, and thus F is a rational function rather than a polynomial. Theorem 6.6. Let q ≥ 1 and n ≥ 2 be integers, and let F be a rational function given by (6.1) with pairwise distinct non-zero integers r1 , . . . , rt . Assume that gcd(q, a1 , . . . , an ) = 1, and put r = max{|r1 |, . . . , |rn |}. Then, for any ε > 0, S(F, q) = O(q 1−1/n+ε ), where the implied constant depends on ε and r = max{|r1 |, . . . , |rn |}. Even in the most frequently used case of r1 = 1, . . . , rn = n (thus r = n) nothing essentially better than Theorem 6.6 is known (see [483], [644] for details). The same bound (at least if all of r1 , . . . , rn are positive) may be applied to our case as well, but it gives only S(F, q) = O(q 1−1/r+ε ). It is also shown in [1079] that the same trick works for exponential sums over certain finite fields as well: Write X Tm (F ) = χ (F (x)) x∈F2m

where χ is a non-trivial additive character of F2m . For such sums, there is the deep Weil bound Tm (F ) ≤ r2m/2 , where as before F is given by (6.1) with non-zero integer r1 , . . . , rn and r = max{|r1 |, . . . , |rn |} (see [644] and [1080] for this and many other related results). The following bound of [1079] is better than the Weil bound if r is large enough. In particular, when r ≥ 2m/2 , the Weil bound gives nothing, but Theorem 6.7 is non-trivial. Theorem 6.7. Let α ∈ (0, 1) be a fixed real number, and let the exponents r1 , . . . , rn satisfy ri 2k 6≡ rj

(mod 2m − 1),

1 ≤ i < j ≤ n, k = 0, 1, . . . , m.

142


Assume that (2m − 1, r1 , . . . , rn ) < 2αm . Then, for any rational function F given by (6.1) with a1 , . . . , at ∈ F∗2m , Tm (F ) < γ ((1 − α)/n) 2m + o(2m ),

m → ∞,

where γ(λ) = 1 − 2ψ(λ) and ψ(λ) is the unique root of the equation −ψ log ψ − (1 − ψ) log(1 − ψ) = λ on the interval 0 ≤ ψ ≤ 1/2. The function γ(λ) is the same as that of Theorem 2.4, and indeed that theorem is an essential component of the proof of Theorem 6.7. One of the applications of this results is an upper bound for k(r1 , . . . , rt ; m), the smallest k such that the system xr1i + . . . + xrki = Ai , i = 1, . . . , t; x1 , . . . xk ∈ F2m is solvable for any A1 , . . . , At ∈ F2m . Theorem 6.8. Let α ∈ (0, 1) be a fixed real number and let the exponents r1 , . . . , rt satisfy ri 2k 6≡ rj

(mod 2m − 1),

1 ≤ i < j ≤ t, k = 0, 1, . . . , m.

Assume that (2m − 1, ri ) < 2αm ,

i = 1, . . . , t.

Then there is a constant C > 0 depending on α such that k(r1 , . . . , rt ; m) ≤ Cmt2 log(t + 1). Similar results can be obtained for any finite field of fixed characteristic. The bounds (2.3), (2.4), (2.5) can be written in the form  1/2 p−1 if r ≤ p1/3 ; X  rp , r max exp(2πiax /p) r5/8 p5/8 , if p1/3 ≤ r ≤ p1/2 ;  3/8 3/4 gcd(a,p)=1 x=1 r p , if p1/2 ≤ r ≤ p2/3 . Certainly each estimate holds for all r – what has just been pointed out is when each one is of better order than others and remains non-trivial (one may easily check that the value z = 0 can be included in the sum without any harm). In [509], some results of Section 4.1, in particular Theorem 4.3, are applied to certain algorithmic problems about sparse polynomials. For example, for a polynomial F ∈ Fq [x] given by (6.1) with 0 ≤ r1 < . . . < rn ≤ q − 1, denote by V (F ) the value set V (F ) = {F (x) : x ∈ Fq }. Given an integer V > 0, how quickly can one test whether |V (f )| ≥ V ? The brute force algorithm takes time q(log q)O(1) . It turns out that for V < q 1/n this can be done faster. Moreover, the representation (6.1) is not required: It is enough to know how to compute the value of this polynomial at any particular point. Polynomials known in this sense are called black-box. Theorem 6.9. Let F ∈ Fq [x] be a polynomial of the form (6.1) with deg F ≤ q − 1, given by a black-box. Assume that a primitive root ϑ of Fq is known. Then for any V > 0, |V (f )| ≥ V can be tested in time V n (log q)O(1) .

6.2. LINEAR RECURRENCE SEQUENCES AND CONTINUED FRACTIONS

143

Finally, regarding links between linear recurrence sequences and polynomials there are the papers [553], [557], [1077] concerning bounds of polynomial congruences, and the papers [934], [1070] on arithmetic properties of linear recurrence sequences. These two groups of papers seem unrelated, but there are real links between them. In [1070] a bound for the number of solutions of congruences with a linear recurrence sequences is found (cf. Theorem 2.11). Later, it was shown in [1077] that the same idea gives new non-trivial results for polynomial congruences as well. In [934], a refinement and generalization of some of the results of [1077], as well as their applications to congruences with linear recurrence sequences (see Theorem 2.12) is given. Konyagin and Steger [557] used an idea from [1077] as well as several new ones. It is reasonable to ask if the process can go the other way: Can new results on congruences with linear recurrence sequences be derived from the polynomials? This is not straightforward, and further ideas are needed. The approach of [557] does work for congruences with linear recurrence sequences, but does not produce a better estimate than those of [934], [1070].

6.2. Linear Recurrence Sequences and Continued Fractions Consider the sequences (px ) and (qx ) of numerators and denominators of the convergents of the continued fraction of α = [c1 , c2 , . . .] for some α ∈ [0, 1]. In Sections 2.4, 3.1, 3.4, results and techniques traditionally related to linear recurrence sequences are applied to arithmetical properties of continued fractions. Here we consider more explicit inter-connections between these two types of sequences. The following natural question is considered by Lenstra and Shallit [621]: Given an irrational α, could either of the sequences (px ) and (qx ) of the numerators and the denominators be a linear recurrence sequence? The example of (51/2 − 1)/2 = [1, 1, 1, . . .] shows that this really can happen: In this case px+2 = px+1 + px . A more subtle example is given by 31/2 − 1 = [1, 2, 1, 2, . . .], satisfying the fourth order recurrence px+4 = 4px+2 − px . In both cases the same equations hold for the denominators as well. Of course there is nothing special in these examples: Any quadratic irrational has the same property, since for such a number the sequence (cx ) is periodic. This statement is a direct consequence of the fact that if the coefficients f0 (x), . . . , fn−1 (x) of the recurrent equation (1.5) is periodic with some period T , then any solution of this equation is a linear recurrence sequence (after some shift a(x + h), h ∈ Z+ ) of order at most nT ; more details are given in [922]). Lenstra and Shallit [621] prove that this cannot occur for other irrationals. Indeed, if (px ) is a linear recurrence sequence then so are (px+2 − px ) and (px+1 ). By Theorem 1.37, this shows that (cx ) is a linear recurrence sequence too. If there is a characteristic root of (cx ) with absolute value strictly greater then 1 then Theorem 1.20 (Lemma 3 of [621] is another version of this result) or Theorem 1.21 shows that log px x2 . However, this is impossible since px is a linear recurrence sequence and therefore satisfies log px x. Hence, all characteristic roots are of absolute value at most 1, therefore cx = O(1) and thus is periodic. This result is generalized by Bezivin [93] in the following way.

144


Theorem 6.10. Let a and (cx ) be sequences of integers such that a(x + 2) = cx a(x + 1) + a(x). If the generating function r(X) =

∞ X

a(h)X h

h=1

is convergent in some non-empty disc on the complex plane, and satisfies a homogeneous differential equation, then (cx ) is periodic and there is a shift ` ∈ Z+ such that (a(x + `)) is a linear recurrence sequence. A consequence of this result is that any sequence of quadratic irrationalities of bounded period does not converge. Apparently there is an effective form of this result. Bezivin [93] also obtains similar results for sequences satisfying a ternary recurrence equation with variable coefficients. Again the key to all these results is Theorem 1.37, which gave the solution to the Hadamard Quotient Problem. The paper [404] treats general approximation properties of quotients of two binary linear recurrence sequences with the same characteristic polynomial. It is shown that their behaviour depends on the sign of the discriminant of the characteristic polynomial. Approximations by quotients of consecutive terms of linear recurrence sequences of higher orders are studied in [525], see also [262], [264], [263]. In [917, Sect. 2], interesting links are exhibited between linear recurrence sequences, S-unit equations and a problem of Mendès France [715] on continued fractions. For a non-integer rational r, denote by L(r) the length of its continued fraction expansion. Mendès France [715] asks about the behavior of L ((k/`)x ) for gcd(k, `) = 1, k > ` > 1. In [917], a reconstruction of Pourchet’s unpublished proof that L ((k/`)x ) → ∞ as x → ∞ is given. Later, Choquet obtained the same result by another method (see [717] for the details and other relevant problems and results). The strong conjecture is made that 12 log 2 1 L ((k/`)x ) = log ` x π for any 1 < ` < k with gcd(k, `) = 1. The proof of [917] can be transferred on the case of continued fractions with linear recurrence sequences. lim

x→∞

Theorem 6.11. Let a and b be integer linear recurrence sequences, each having a unique dominating characteristic root α1 and β1 , respectively. Assume that |α1 | > |β1 |. If gcd (a(x), b(x)) = 1 for all x, then lim L (|a(x)/b(x)|) = ∞

x→∞

The proof depends on results about S-unit equations, so is not effective. Recall that L (f (x + 1)/f (x)) ≥ x for the Fibonacci sequence and this is the only extremal example giving the worst case for the Euclidean algorithm. This example is not covered by Theorem 6.11. On the other hand, in many cases one can effectively estimate L (|a(x)/b(x)|) for sequences with the same dominating root. For such sequences, it is enough to observe that |a(x)/b(x)| = |A1 (x)/B1 (x)| + O (exp(−cx)) and then use various properties of convergents to an algebraic number |A1 (x)/B1 (x)| (using both the effective Liouville Theorem and the non-effective

6.2. LINEAR RECURRENCE SEQUENCES AND CONTINUED FRACTIONS

145

Roth Theorem). On the other hand, the example a(x) = 2x , b(x) = 2x +1 for which 1 2x = , 2x + 1 1 + 21x shows that for rational |A1 (x)/B1 (x)| such a result cannot be expected. A similar question was considered by Grisel [418]. For a quadratic irrationality α denote by T (α) the period length of its continued fraction expansion. It is known that T (α) ≤ 2 if α is a quadratic unit, so T (αx ) ≤ 2, x = 1, 2, . . ., for any such α. Grisel [418] shows that for many quadratic irrationalities, T (αx ) growth exponentially fast, T (αn ) ≥ C(α)n−1 exp (c(α)n) , where C(α) and c(α) are explicit positive constants. The result is based on results about the prime divisors of convergents. For the special case α = d1/2 , where d ≥ 2 is square-free integer, better lower bounds are known [420]. In another paper, Grisel [419] proves an analogue of Theorem 6.11 for continued fractions of power series over a field of zero characteristic (except for polynomials and their reciprocals). The case of fields of positive characteristic is considered as well: For such fields, the corresponding limit does not exist. Instead, one can consider the lower and upper limits which are finite and infinite, respectively. pFor some special linear recurrence sequences a the continued fraction expansions of a(x) is of special interest because the period length can sometimes be estimated from below. An example is the Shanks sequence (6.8)

Sx = 4x + 8 · 2x + 1.

Although a number of generalizations are known [925], [1209], the general case of arbitrary linear recurrence sequences has not been studied yet. An application of such sequences is to the difficult problem of finding explicit formulaæ for units of quadratic fields. In Section 10.1 parameters rs (f, m, p) and ρs (λ, M ) related to the quality of pseudo-random number generators from linear recurrence sequences are studied (see page 204 and 206). For s = 2, both of these can be expressed in terms of continued fractions. In the function case the following formula holds (see [831] or [837, Theorem 9.9]). For any polynomial f of degree n over Fp , r2 (f, n, p) = n + 1 − H(f ), where H(f ) is the largest degree of the partial quotients of the continued fraction expansion of f (X)/X n . Niederreiter [829] has shown that ! k X n−bn/2i c n H X + X =1 i=0

where k is defined by 2k ≤ n < 2k+1 . This holds over any field and can even be slightly generalized, see [829]. Unfortunately, it is not useful for pseudo-random number generators since the arithmetic nature of such polynomials is not known, while for the application mentioned we need irreducible or primitive polynomials over finite fields. Having this application in mind, Niederreiter [829] proves that there is an irreducible polynomial f ∈ Fq [X] of degree n such that H(f ) ≤ 2 + 2 logq n,

146


and there is a primitive polynomial f ∈ Fq [X] of degree n such that H(f ) ≤ 2 + 2 logq n + logq

qk . − 1)

ϕ(q k

The main disadvantage of these two results is that they are obtained by a nonconstructive method and give no clue how to efficiently find such polynomials (neither does Theorem 10.2). Also, it has been conjectured that the two expressions on the right-hand sides of these inequalities can be replaced with absolute constants. Finally, notice that the same results hold (this is proved in [829]) for partial quotients of more general fractions f /g for any polynomial g ∈ Fq [X] with only one exception: q = n = 2, g(X) = X 2 + X + 1 for an irreducible numerator and with two more exceptions, q = 23 , n = 1, g(X) = X + 1 for a primitive numerator. Several more results about polynomial fractions f /g with small partial quotients can be found in [106], [600], [601] [602], [603]. In the integer case [837, Theorem 5.17] shows that for any co-prime integers λ and M , m m ≤ ρ2 (λ, M ) ≤ (6.9) H(λ, M ) + 2 H(λ, M ) where H(λ, M ) is the largest partial quotient of λ/M (with a minor modification – the last element is allowed to be 1). It is known (see [826] or [837, Chap. 5]) that (6.10)

H (f (h), f (h + 1)) = 1,

ρ2 (f (h), f (h + 1)) = f (h − 1) ≥ 38 f (h + 1)

for two consecutive terms f (h) and f (h + 1) of the Fibonacci sequence. This gives a very simple explicit construction: Recall that f (h)/f (h + 1) is the h-th convergent to (51/2 − 1)/2 = [1, 1, . . . , ] (a further discussion is in [826]). It is not difficult to show that for any M K(M ) =

H(λ, M ) log M.

min gcd(λ,M )=1

It is an old conjecture of Zaremba that K(M ) ≤ 5. Recently, Niederreiter proved that K(2k ) ≤ 3 for powers of 2. It is also known that (6.11)

K(22

k

−1

) ≤ 2.

These and many other results about numbers with bounded partial quotients and their applications are presented in the exhaustive survey of Shallit [1033] (see also [466] and [837, Chap. 5]). Laurent series over finite fields whose continued fraction expansions have bounded partial quotients are also related to the theory of pseudo-random numbers, see Theorem 10.11 below. It is shown in [17] that the product F (X) =

∞ Y

h

(1 + 1/X 3 )

h=0

has linear partial quotients over Q((X)); this is a consequence of the identity F (X) = (1 + 1/X)−1/2 in characteristic 3. Cantor [179] generalizes this result and presents an entire family of examples which establishes another link to linear recurrence sequences. He considers functions Fu,v (X) = (1 + u/X + v/X 2 )−1/2

6.3. COMBINATORIAL SEQUENCES

147

and exhibits that any such function has linear partial quotients over a field F not of characteristic 2 if and only if there no zeros in the binary linear recurrence sequence au,v , where au,v (x + 2) = uau,v (x + 1) − δau,v (x), x ∈ N, with the initial values au,v (1) = 1, au,v (2) = u/2, where δ = u2 /4 − v 6= 0. In Section 1.4.10 power series in linear recurrence sequences are considered. Similar power series are related to the theory of continued fractions. In particular, they produce uncountably many numbers with partial quotients 1 or 2 only. Following [933], for any binary expansion a = 0.a1 a2 . . . set a0 = 0 and consider the power series X Fa (X) = (−1)ah X −Mh h=0

where Mh = 2h − 1, h = 0, 1, . . . are Mersenne numbers. The paper [933] describes the complete structure of partial quotients of any specialization F2 (r) with rational r ≥ 2, and in particular, any number Fa (2) has partial quotients 1 and 2 only. Choosing ah = 0 for h > k gives (6.11). This line of research, studying continued fraction expansions of specializations of power series of the form X X −a(h) h=0

for a linear recurrence sequence a, is pursued in many papers. For more results and conjectures consult the expository paper [923]. Normal numbers were the primary motivation for the notion of normal continued fractions and subsequent researches in this direction [939], [940]. Let ∆ = (δ1 , . . . , δs ) be an s-tuple of positive integers and denote by M (∆) the set of all numbers 0 ≤ α < 1 whose continued fraction expansion starts with ∆. The Gauss measure is defined by Z 1 dx µ(∆) = . log 2 M (∆) 1 + x Then α has a normal continued fraction expansion α = [c1 , c2 , . . .] if for any ∆ 1 Tα (N, ∆) = µ(∆), N →∞ N lim

where Tα (N, ∆) is the number of occurrences of the tuple ∆ among (c1 , . . . , cs ), (c2 , . . . , cs+1 ), . . . , (cN , . . . , cN +s−1 ). It is known that almost all numbers 0 ≤ α < 1 have normal continued fraction expansions. In [939], one can find analogues of many results on normal numbers such as Theorem 5.4, as well as explicit constructions. On the other hand, there does not seem to be any construction with a good explicit bound for the error term analogous to Theorems 5.6–5.8. 6.3. Combinatorial Sequences In this section several unrelated sequences that have been studied using linear recurrence sequences are considered. The first is the sequences of values of Ramanujan’s τ -function, defined to be the sequence of coefficients of the power series

148


expansion z

∞ Y

(1 − z h )24 =

h=1

∞ X

τ (h)z h ,

|z| < 1.

h=1

The second is the sequences of Bell numbers B, defined by exp(exp z − 1) =

∞ X

B(h)z h /h !.

h=0

There are several equivalent definitions. There is a direct formula B(x) = e−1

∞ X

hx /h!

h=0

and a recurrence relation B(x + 1) =

x X x h=0

h

B(h).

There is also a combinatorial definition: B(x) is the number of partitions of a set of x elements into non-empty subsets. Finally, the Bell numbers arise as the coefficients in a formula for the higher derivatives of the composition of two functions. Although neither of them is a linear recurrence sequence various results about linear recurrence sequence can be applied to these sequences. The first sequence contains very interesting subsequences which are binary linear recurrence sequences, and the second sequence is a linear recurrence sequence modulo any integer m. 6.3.1. Ramanujan τ -function. The recurrence equation (6.12)

τ (ph+2 ) = τ (p)τ (ph+1 ) − p11 τ (ph ),

h∈N

which holds for any p ∈ P, gives a link between this function and binary linear recurrence sequences, which already leads to interesting facts about this famous function. There is more: τ is multiplicative, so the values τ (ph ) determine its behaviour. To be more precise, several results from [795] and [1050] are presented. Although Deligne has proved the very precise upper bound τ (p) < 2p11/2 , we still do not know non-trivial lower bounds for τ (p). The following result [795], [1050] gives a lower bounds for τ (x) when τ (x) is odd, which unfortunately gives no information about values of τ (p), which are known to be even. Theorem 6.12. There is an absolute constant c > 0 such that for any x for which τ (x) is odd, |τ (x)| ≥ logc x. Proof. It is enough to prove this bound for τ (pm ), m ≥ 2 only. For large m, using linear form in logarithms (just as in the proof of Theorem 1.22) one can show that there is a absolute constant C > 0 such that |τ (pm )| ≥ γm (p)p11m/2−C log m where γm (p) =

1, if m is even; τ (p), if m is odd.


149

Apart from the constant γm (p), this follows from Theorem 1.22. Indeed, since τ (p) < 2p11/2 , the characteristic roots of (6.12) are complex conjugates with absolute value p11/2 . Thus, since τ (1) = 1, (6.13)

m

bm/2c

τ (p ) = γm (p)

Y

2

τ (p) − 4p

r=1

11

πr cos m+1 2

.

In particular, if m is even it follows that τ (pm ) = 0 if and only if τ (p) = 0. Indeed, 4 cos2 (πr/(m + 1)) is an algebraic integer and therefore can be rational only if it is 1, 2, or 3. However, none of τ (p)2 − p11 , τ (p)2 − 2p11 , τ (p)2 − 3p11 can be zero since τ (2) = −24 6= ±26 and τ (3) = 252 6= ±36 . Thus for m sufficiently large we are done. The case of small m ≥ 2 needs separate considerations which are based on the representation (6.13). This can be viewed as a binary form in τ 2 (u) and p11 , and such forms are well studied in the theory of Diophantine equations [1107]. There are two cases. If m ≥ 6 then this form has at least 3 distinct linear factors, and it is possible to show that there is a constant α(m) > 0 such that either τ (pm ) = 0 or |τ (pm )| ≥ pα(m) . The case m ≤ 5 is carried out by hand. The identities, τ (p3 ) = τ (p) τ (p)2 − 2p11 , τ (p5 ) = τ (p) τ (p)2 − p11 τ (p)2 − 3p11 show that min{|τ (p3 )|, |τ (p5 )|} ≥ 0.5p11/2 whenever τ (p) 6= 0. Also, p11 + τ (p2 ) = τ (p)2 ,

5p22 + 4τ (p4 ) = 2τ (p)2 − 3p11

2

and general bounds [1107] for the solutions of the equations f (x) = y 2 then gives min{|τ (p2 )|, |τ (p4 )|} ≥ logc p for some absolute constant c > 0.

The proof shows that the real constraints are τ (p2 ) and τ (p4 ), where nothing better than a logarithmic lower bound is known. Shorey [1050] shows that similar arguments also lead to lower bounds for P (τ (x)), and also proves an effective upper bound max{m, n, p} over all solutions (m, n, p) of the equation τ (pn ) = τ (pm ) with m 6= n, p ∈ P with τ (p) 6= 0. 6.3.2. Bell numbers. In studying arithmetic properties of Bell numbers the recurrent congruence (6.14)

B(x + p) ≡ B(x + 1) + B(x)

(mod p),

x ∈ N.

for any p ∈ P plays the central role. It follows from this congruence that the p −1 sequence is purely periodic modulo p with some period Tp dividing pp−1 . There is a conjecture (supported by calculations, see [1190]) that (6.15)

Tp =

pp − 1 . p−1

150


Although this conjecture is still open, a good lower bound for Tp is proved by Lunnon, Pleasants and Stephens [679], (6.16)

Tp ≥

2p − 1 ≥ 22p−1 /(2p − 1) ≥ p−1 4p−1 . p−1

Radoux [952] shows that the congruence B(x) ≡ 0 (mod p) is solvable for any prime p for which (6.15) holds. In fact this follows from Theorem 4.1 or Theorem 4.2 (since the characteristic polynomial is the Artin–Schrier polynomial f (X) = X p − X − 1, which is known to be irreducible over Fp ) Layman [611] demonstrates that this and even a stronger statement are valid for any p independently of the still unproven conjecture (6.15). He shows that any prime p is a maximal divisor in the following sense: There is an Mp such that B(Mp + k) ≡ 0

(mod p),

k = 0, 1, . . . , p − 2.

Moreover, an explicit expression for Mp is given: One can take pp − p (p − 1)2

Mp ≡ 1 −

(mod

pp − 1 ). p−1

Let Jp be the index of entry of p in the sequence of Bell numbers (as for linear recurrence sequences, this is the smallest x with p B(x)). The existence of Jp follows from Layman’s result above. Independently, the existence of Jp has been proved in [1070]; moreover the upper bound Jp ≤

2p − 2 + 1 = 4p+O(log p) p−1

is shown. The proof uses the same arguments as does the proof of Theorem 4.4: Jp does not exceed the order of the sequence W (x) = B(x)p−1 − 1 (provided it is known that Jp exists). This estimate immediately produces ν

N Y

! B(x)

x=1

log N Log log N

and shows that P (B(x)) ≥ 12 log x infinitely often. Furthermore, it is demonstrated in [1078], that for any integer a the congruence B(x) ≡ a (mod p) is soluble, and the minimal solution Jp (a) does not exceed Jp (a) ≤

2p − 1 = 4p+O(log p) . p−1

Using this result, define Np and Gp to be the smallest x for which B(x) is a quadratic non-residue modulo p and a primitive root modulo p, respectively. By considering the sequences (over Fp ) U (x) = B(x)(p+1) − B(x),

V (x) =

Y λ∈Λ

(B(x) − λ)


151

where Λ is the set of all ` = p − ϕ(p − 1) elements of Fp which are not primitive roots, one gets (3p − 1)/p Np ≤ + p = O(21.38p ), (p + 1)/2 X ` l X p+j−1 p+`−1 Gp ≤ ≤ ≤ 2p+`−1 = 22p−ϕ(p−1)−1 . j j j=0 j=0 Both these bound are better than the trivial Np ≤ Gp ≤ Tp . If the conjecture (6.15) holds this is obvious, but even the proved (6.16) gives Np = o(Tp0.7 ),

Gp ≤ Tp exp(−c log Tp / Log log log Tp )

for some absolute constant c > 0. For more details see [1078]. Several generalizations of these results are possible. Following Layman [611] define Bs by the expansion exp (s(exp z − 1)) =

∞ X

Bs (h)z h /h !

h=0

for an integer s. Then, instead of (6.14), Bs (x + p) ≡ Bs (x + 1) + sB(x)

(mod p),

and everything follows along more or less the same lines. 6.3.3. Other combinatorial sequences. Granville and Sun [414] express residues modulo a prime p of the Bernoulli polynomials Bp−1 (x) of degree p − 1 at a rational point k/` via the values of some linear recurrence sequence of order bp/2c. The family of d-th binary partition sequences bd is defined as follows: bd (x) is the number of representations of x ∈ N in the form x=

∞ X

δi 2i ,

δi ∈ {0, 1, . . . , d − 1}.

i=0

Thus, (b2 (x)) is the sequence (1, 1, 1, . . . ). The first non-trivial example is the Stern sequence s(x) = b3 (x) (the next sequence is less interesting, as b4 (n) = bn/2c + 1). The Stern sequence satisfies the relation s (bx/2c) , if x is even; s(x) = s (bx/2c) + s (bx/2c + 1) , if x is odd; with the initial values s(0) = 0, s(1) = 1. Other sequences in the family satisfy similar but more complicated relations. The Euler binary partition sequence b∞ is defined by b∞ (x) = lim bd (x). d→∞

An alternative definition uses the power series expansions k ∞ ∞ Y X 1 − X2 d = bd (h)X h k 2 1 − X k=0 h=0

∞ Y

∞

X 1 = b∞ (h)X h . k 2 1 − X k=0 h=0

152


Reznick [956] gives an extended account of these sequences. In particular, it has been shown that the theory of linear recurrence sequences is useful in studying the growth of such sequences as well. In 1940, Mahler demonstrated that log b∞ (x) ∼

log2 x . log 4

Reznick [956] shows that if d is even then xlog d−1 bd (x) xlog d−1 .

(6.17)

Next we present elegant arguments from [956], showing that if d is odd then lim sup log bd (x)/ log x > lim inf log bd (x)/ log x. x→∞

x→∞

It makes use of two basic facts. The first is the identity x X

bd (h) = b2d (2x),

h=0

so the previous inequality ultimately implies that λ = log d − 1. If Bd (x) = bd (2x ) then log Bd (x) ∼ λx. We need to know that Bd satisfies a linear recurrence equation with integer coefficients of order d, (the order is not important at the moment but will become important later). The results of Section 1.1 show that log Bd (x) ∼ x log α infinitely often, where α is some algebraic integer. It follows that d/2 = α is an algebraic integer, which is impossible. These arguments can be put in the quantitative form (6.18)

lim sup x→∞

log bd (x) log bd (x) − lim inf (2d)−d−2 x→∞ log x log x

for any odd d ≥ 3. Assume now that µ1 (d) ≥ µ2 (d) are two functions such that xµ1 (d)+o(1) bd (x) xµ2 (d)+o(1) . Then, as before, µ1 (d) − µ2 (d) ≥ | log α − log(d/2)|, where α is a characteristic root of some recurrent equation. It is enough to show that δ = |α − d/2| ≥ 2−d (d + 1)−d−1 . We can certainly assume that δ ≤ 1/2, otherwise there is nothing to prove. Reznick shows that the characteristic polynomial of that equation, f (X) = X d − fd−1 X d−1 − . . . − f1 X − f0 , is the characteristic polynomial of some 0, 1-matrix of order d with at most (d + 1) non-zero elements in each row. Thus each characteristic root is of absolute value at most (d + 1)/2. Therefore, if g(X) = X k + g1 X k−1 + . . . + gk−1 X + gk is the minimal polynomial of α, then k ≤ d and i k d+1 gi ≤ . i 2


153

Now g(α) = 0; on the other hand, g(d/2) = 6 0, so |g(d/2)| ≥ 2−k ≥ 2−d . Hence, since δ ≤ 1/2, k i j X X d −d gk−i αi−j 2 ≤ |g(α) − g(d/2)| = δ 2 i=1 j=0 ≤ δ

k X

gk−i

i=1

i−j i j X d+1 d j=0

2

=δ

2

k X

gk−i 2−i (d + 1)i+1 − di+1

i=1

k−i k k X X k k d+1 −i i+1 −k k+1 ≤ δ 2 (d + 1) = δ2 (d + 1) k−i 2 k−i i=1 i=1 ≤ δ(d + 1)k+1 ≤ δ(d + 1)d+1 . Therefore | log α − log(d/2)| = | log(2α/d)| |1 − 2α/d| ≥ 2δ/d −d+1

≥2

(d + 1)−d−1 d−1

= 8(2d)−d−2 (1 + 1/d)−d−1 (2d)−d−2 ,

and (6.18) follows. Although there is little hope of an asymptotic for bd (x) if d is odd, quite tight upper and lower bounds can be obtained nevertheless, xµ1 (d) bd (x) xµ2 (d) where µ1 (d) = log

2s + 1 + (4s2 + 1)1/2 2

,

µ2 (d) = log s + (s2 + s)1/2 ,

if d = 4s + 1, and 2s + 1 + (4s2 + 8s + 5)1/2 µ1 (d) = log , µ2 (d) = log s + 1 + (s2 + s)1/2 , 2 if d = 4s + 3. Thus, log bd (x) log bd (x) lim sup − lim inf d−1 x→∞ log x log x x→∞ It is also shown that for the Stern sequence s(x) = b3 (x) both bounds x(1+5

1/2

)/2

s(x) 1

are attained; see [956]. Some results and conjectures about the distribution of such sequences modulo m are known as well, see [956]. For integers m, d, a define the set A(d, m, a) = {x : bd (x) ≡ a (mod m)}. Reznick [956] conjectures that for any m, d, a, A(d, m, a) has a well-defined density. This holds for d = 2k , and any m, a, for m = 2 and any a and d and a few other known cases. There is one more result (taken from [956]), 1/(p + 1), if a = 0; A(3, p, a) = p/(p2 − 1), if 1 ≤ ap − 1. Kiss and Zay [535] consider the number Fk (x) of 0, 1-sequences of length x having at least k − 1 zeros between any two ones, and the total number wk (x) of ones in these sequences. It turns out that the sequence Fk is a linear recurrence sequence with

154


characteristic polynomial fk (X) = X k − X k−1 − 1, while wk is a linear recurrence sequence with characteristic polynomial fk2 . The initial values are found as well. As an application, the asymptotic 1 Gk (x) ∼ k , x→∞ αk + k − 1 is given for the average density Gk (x) =

Fk (x) xwk (x)

of ones in such sequences, where αk is the unique dominating zero of fk . Grady and Newman [409] discover very similar congruences for coefficients of the generating functions ∞ X gG (z) = M (h)z h h=0

where M (h) is the number of subgroups of index h of the group G. Another possible generalization is to consider the behaviour of Bell numbers modulo a composite m. An analogue of (6.14) exists [679] but the details are messy. The technique above is not applicable to sequences over rings with zero divisors; nonetheless, some non-trivial facts can be found in this way. There are other natural combinatorial sequences to which the theory of linear recurrent sequences can be applied. The majority of such sequences come from group theory, where the general philosophy is as follows: For many parametric families of groups, the corresponding generating function is rational. The same is also true for many other generating functions, including zeta-functions of algebraic varieties over finite fields [644], zeta-functions of iterations of polynomial mappings [473], Poincaré series [117], [246], [991], and many others. An immediate consequence is that the coefficients of such functions are either of polynomial or exponential growth. Such results are similar to the famous Gromov Theorem (see [421], [663], [802], [1155] and references). They cannot grow like exp(n1/2 ) or exp(log2 n) for example. In particular, it follows that the generating functions corresponding to the groups studied by Lubotzky [663] cannot be rational. Du Sautoy [992], [993] discovers another quite different connection between the generating functions of some groups and linear recurrence sequences, and the Mersenne numbers in particular. The question of rationality of such a generating function depends on how the number of solutions to the equation qn − 1 = pk q−1 varies in (q, n, k), where p is a fixed prime number, q ∈ P, n, k ∈ N. This is a particular case of the equation (6.24) below. Accordingly, it follows from Theorem 6.15 that there are only finitely many such solutions with n ≥ 3. The case n = 2 and p ≥ 3 is obvious: q + 1 = pk implies that q = 2` , giving a particular case of the Catalan equation (see below) with fixed bases, pk − 2` = 1. There are very general statements about the finiteness of solutions of general Catalan equation as well as results about the growth of the distance between two powers. All of them ultimately lead to an effective upper bound for such k and `. It is possible that in this case some elementary considerations would suffice to show that the equation is solvable for p = 3 only, where there is the unique solution ` = 3, k = 2 (this

6.4. SOLUTIONS OF DIOPHANTINE EQUATIONS

155

certainly follows from the old but still more or less open conjecture about the Catalan equation, see [958], [1059, Chap. 12] and [1154]). The only non-trivial case is n = 2 and p = 2. In this case the equation has infinitely many solutions if and only if there are infinitely many Mersenne primes q = 2k − 1. Primitive prime divisors of q h −1 play a role in several group theory algorithms; more details can be found in the exhaustive survey by Praeger [943], see also [432]. Nabney [802] applies results of Evertse [324] and van der Poorten and Schlickewei [931] to derive a new result about equations with recurrent sequences, and applies it to a problem in group theory. Schmidt and Ward [1024] apply results about S-unit equations to study mixing properties of Zd -actions by compact group automorphisms. The paper [481] applies S-unit equations to the problem of powers in finitely-generated groups. Lichtman’s papers [642], [643] address the problem of extending the Tits alternative to linear groups over division rings, and exhibit a connection with Artin’s conjecture. Some of the questions raised by Lichtman are successfully resolved by Murty [793]. Finally, [8] makes use of Fibonacci and other binary linear recurrence sequences to get new results on the structure of the units in certain integral group rings. 6.4. Solutions of Diophantine Equations There are two major types of Diophantine equations related to linear recurrence sequence. The first class is the Norm-form equations, the second is the class of exponential equations. Both are discussed in great detail in the monograph [1059] by Shorey and Tijdeman; see also [1053], [1154]. Here we present a brief overview, and give some results which are not included in that book. The first connections between Diophantine equations and linear recurrence sequences go back to Skolem’s classical result concerning finiteness of the number of solution of the Thue equation F (x, y) = 0 for a binary form F ∈ Z[X, Y ] such that F (x, 1) = 0 has at least one complex root, see [1107]. It is possible that this work motivated Skolem to study linear recurrence sequences themselves, and led to the first really non-trivial result in the theory of linear recurrence sequences, the Skolem–Mahler–Lech Theorem 1.17. This work can be described in a more general setting. Let K be an algebraic number field of degree n over Q. For an integer a, consider the Norm-form equation (6.19)

N(ϑ) = A,

ϑ ∈ ZK .

Sometimes it is convenient to write this in an equivalent form: Let (ω1 , . . . , ωn ) be an integral basis for ZK over Z. Then (6.19) can be re-written as the equation (6.20)

N(t1 ω1 + . . . + tn ωn ) = A,

t1 , . . . , tn ∈ Z.

If (µ1 , . . . , µn ) is the dual basis to (ω1 , . . . , ωn ) — the unique basis with T(µi ωj ) = δi,j — then ti = T(µi ϑ). To see the relationship between such equations and linear recurrence sequences, exponential polynomials, and finitely generated groups it is enough to notice that if ϑ is a solution of (6.19) and ε is a positive unit (that is, a unit of norm 1) of ZK , then ϑε is another solution. Calling such solutions equivalent, the set of solutions can be separated into classes of equivalent solutions. The main result of the theory claims that there are only finitely many equivalence classes of solutions [117]. This result can be re-formulated as follows. Let (ε1 , . . . , εr ) be a multiplicative basis of the group of positive fundamental units of ZK . Then there is a finite number

156


of solutions ϑ1 , . . . , ϑk such that any other solution ϑ = (t1 , . . . , tn ) of (6.19), (6.20) has a unique representation in the form ϑ = ϑm εx1 1 . . . , εxr r ,

1 ≤ m ≤ k, x1 , . . . , xr ∈ Z,

relating the theory to finitely generated groups. On the other hand, ti = T(µi ϑm εx1 1 . . . , εxr r ),

1 ≤ m ≤ k, x1 , . . . , xr ∈ Z.

for all i = 1, . . . , n,. If ϑν and r − 1 variables (say x2 , . . . , xr ) are fixed, then each ti is a linear recurrence sequence in x1 . Notice that the Thue equation is a particular Norm-form equation with the additional condition that ϑ has only two non-zero components, so t3 = . . . = tn = 0. Thus the Thue equation is related to a question about zeros of linear recurrence sequences, or more generally about zeros of multivariate exponential polynomials. Moreover, if r = 1 – the interesting case of binary quadratic forms – then there are no variables to fix, so the set of solutions comprises several binary recurrences. Denote by T (N ) the set of solutions of (6.20) with |ti | ≤ N , i = 1, . . . , n. It is observed in [1073] that Theorem 3.2 yields the following. Theorem 6.13. Let f ∈ Z[t1 , . . . , tn ] be a polynomial such that for any a ∈ Z the equation f (t1 , . . . , tn ) = a and (6.20) have only finitely many common integer solutions. Then   Y ν max {1, |f (t1 , . . . , tn )|} ≥ log N/ Log log N. t1 ,...,tn ∈T (N )

This bound is of the correct logarithmic order: We should expect that logr N |T (N )| logr N , and indeed there are many classes of equations for which this is true (cf. the known asymptotic for a related function Sa (Q) given in Section 1.4). For such an equation we easily obtain the upper bound O logr+1 N/ Log log N for the number of prime divisors of the product appearing in Theorem 6.13. In the same spirit, results about powers in linear recurrence sequences can be applied to the study of the Diophantine equation (6.21)

au2k + buk v + cv 2 = d

in integer variables k, u, v. This is equivalent to studying k-th powers among the sequence of values of first coordinates of solutions of the binary quadratic equation ax2 + bxy + cy 2 = d (which may have infinitely many solutions if b2 > 4ac). This sequence is a binary linear recurrence sequence, and an approach using this was developed by Shorey and Stewart [1057], [1058]. The most general result is given by the following result, [1058, Theorem 2]. Theorem 6.14. Let G(U, V ) = aU 2 + bU V + cV 2 + dU + eV + f ∈ Z[U, V ] be a quadratic polynomial such that (b2 − 4ac)(4acf + bde − ae2 − cd2 − f b2 )f 6= 0. Let F (U, V ) ∈ Z(U, V ) be a binary form of positive degree such that (aα2 + bα + c) 4f (aα2 + bα + c) − (dα + e)2 6= 0


157

for at least one root α of F (w, 1) = 0. Then for any integer Q there is an effective constant C(G, F, P ) such that for any solution of the system of equations G(u, v) = 0, k, s, u, v, w ∈ Z, k > 1,

F (u, v) = swk |w| > 1, P (s) ≤ P

max{k, s, u, v, w} ≤ C(G, F, P ). Another class of Diophantine equation to which the theory or recurrence sequences can be successfully applied is the class of exponential equations. For equations with fixed bases of exponents this is clear, but it is less evident for equations where the exponents as well as their bases are variables. To deal with such equations ‘uniform’ results about recurrence sequences are needed; these are results with absolute constants which do not depend on the sequence. Examples of such results are the multiplicity bounds (1.20), (1.21) and the estimate (3.3) giving a lower bound for the greatest prime divisor of Lucas and Lehmer numbers with absolute constants. For a systematic account of this idea see Shorey and Tijdeman [1059] and also [1053], [1154]. It is important to emphasize that there is still no general theory for such equations, and it is almost impossible to recognize if such an equation can be treated successfully or not at a glance. To illustrate the difficulties, consider the innocuous exponential equation (6.22)

ux + v x + wx = 0,

u, v, w, x ∈ Z, uvw 6= 0, x ≥ 3,

a Diophantine problem whose lengthy history inspired a great deal of mathematical developments and ended in a highly non-trivial denouement (see [928], [1208], [1144], [966]). Frey’s idea of reducing the Fermat equation (6.22) to a question about elliptic curves works in another situation also: Adachi [1] uses this approach to show that if A, B, C, a, b, c are relatively prime natural numbers then the equation Aax + Bby = Ccz has finitely many solutions, and all of them can be effectively determined. For the famous Catalan equation ux − v y = 1,

u, v, x, y ∈ Z, u, v, x, y ≥ 2,

Tijdeman shows that there are only finitely many solutions, and for many years it was conjectured that 32 − 23 = 1 is the only solution: The gap between the two statements is simply a matter of checking a (very) large number of cases, see [958], [1059], [1053], and [1154]. That this is the only solution has recently been shown by Preda Mih˘ ailescu — see [732] and [102]. Van der Poorten [911] shows that the same approach works for the equation ux − v y = (p1 . . . pr )lcm(x,y) ,

u, v, x, y ∈ Z, u, v, x, y ≥ 2.

where p1 , . . . , pr are fixed primes, and [1059, Theorem 12.4] extends this even further. These results generalize to algebraic number fields [140] and function fields; good lower bounds are also known for the difference ux − v y , see [1059, Notes to Ch. 12]. On the other hand, the Pillai equation aux − bv y = c, cannot be treated by this method.

u, v, x, y ∈ Z, u, v, x, y ≥ 2.

158


Using the lower bound mentioned above for the greatest prime divisor of Lucas numbers, Gy˝ ory [437] shows that for any P and ν, any solution of the equation x u − vx = s, s, u, v, x ∈ N, u > v, x ≥ 3, P (w) ≤ P, ν(s) ≤ ν. u−v satisfies x ≤ P, max{s, u, v} ≤ exp ν νP (P +30)/2 (20P 2 )νP (P +6)+14(P +2) . We may assume that s ≤ π(P ), giving an estimate in terms of P only. Denote by s(N ) the number of solutions of the equation ux − 1 = N, u, x ∈ Z, u ≥ 2, x ≥ 3. (6.23) u−1 An arithmetic interpretation of s(N ) is that it is the number of bases with respect to which N has the representation 1 . . . 1. There is a conjecture (supported by computations) that s(N ) ≤ 1 for any N 6= 31, 8191. This is verified for all N ≤ 104 (this material is taken from [1051]). Shorey shows that if N 6= 31, 8191 and ν(N − 1) ≤ 5, then there is at most one solution of (6.23) equation with x odd. In particular, this is the case for any solution if N is prime. Thus if p 6= 31, 8191 is prime and ν(p − 1) ≤ 5 then s(p) ≤ 1. He also observes that the number of such primes p ≤ L is at least of order L/ log2 L, and proves that max{0, 2ν(N − 1) − 3}, if ν(N − 1) ≤ 3; s(N ) ≤ 2ν(N − 1) − 4, if ν(N − 1) ≥ 4, which in many cases is better then the estimate s(N ) = O (log N )1/2+ε due to Loxton (recall that ν(k) ∼ log log k for almost all k ∈ N, but ν(k) can reach the order log k/ log log k for some k). For special values of N it is known that s(N ) = 0. For instance, s(N ) = 0 for N = M p + 1 with M ∈ N, p ∈ P, see [612] (in [1051] this result is stated for sufficiently large values of N ). Another important equation for many applications (see Section 6.3, for example) is ux − 1 = vy , u, v, y ≥ 2, x ≥ 3. (6.24) u−1 Shorey and Tijdeman conjecture that this equation has only finitely many solutions. The following statement, [1059, Theorem 12.5], provides background for this conjecture. Theorem 6.15. The equation (6.24) has only finitely many solutions, which can be effectively bounded if at least one of the conditions is satisfied: • u is fixed; • x has a fixed prime divisor; • v has a fixed prime divisor. This equation was also studied by Bugeaud [152], [155], by Bugeaud, Hanrot and Mignotte [157], by Bugeaud and Mignotte [158], by Bugeaud, Mignotte and Roy [159], by Le and Yu [1223], by Saradha and Shorey [984] and by Shorey [1052], [1054]. In particular, it is shown in [1223] that the equation has no solutions with gcd(uϕ(u), y) = 1, and that for x ≡ 1 (mod y) the only solution is u = 3, v = 11, x = 5, y = 2.


159

Nesterenko and Shorey [822] study the equation xm − 1 yn − 1 = , x, y ≥ 1, x 6= y, m, n > 2. x−1 y−1 Applications of linear recurrence sequence to Diophantine equations are not limited to the two large classes above. There are many other particular equations whose solutions are related to some recurrence sequences (linear or non-linear). They are hard to describe systematically, so just one example will be discussed. The Egyptian fraction equation is (6.25)

N N X Y 1 1 + =1 uh uh

h=1

h=1

in uh ∈ N. The sequence a(x + 1) = a(x)2 − a(x) + 1, a(1) = 2 satisfies this equation (where ux = a(x)). This sequence appeared in Section 3.2, where it was noted that a(h + 1) = a(1) . . . a(h) + 1. Let E(N ) be the number of solutions of (6.25). From [136, Lem 2] E(N ) ≥ 0.5τ a(N − 1)2 + 2a(N − 1) + 2 , which can be used to get a lower bound for E(N ). Bugeaud [154] gives an application of the results of [103] to certain Diophantine equations.

CHAPTER 7

Elliptic divisibility sequences Here we expand on Section 1.1.18, and show how elliptic divisibility sequences and their growth rates relate to the geometry and arithmetic of the underlying curve. An integral divisibility sequence u is an elliptic divisibility sequence if for all m ≥ n ≥ 1 it satisfies the recurrence relation (7.1)

u(m + n)u(m − n) = u(m + 1)u(m − 1)u(n)2 − u(n + 1)u(n − 1)u(m)2 .

The definition (7.1) was first coined by Morgan Ward in his paper [1196]. The way he came upon this definition is interesting. Apparently Lucas emphasised the connection between the sequences which now bear his name and the circular functions, and claimed to have found a generalization involving elliptic functions. Unfortunately, he published almost nothing on this apart from a few scattered hints. For an interesting overview of Morgan Ward’s work, see the survey paper [614]. Some sequences satisfy the recurrence relation (7.1) trivially: For example, the sequence of integers u(n) = n for all n satisfies (7.1), as does the sequence 0, 1, −1, 0, 1, −1, . . .. Less obviously, the linear recurrence sequence 0, 1, 4, 15, 56, 209, 780 . . . (whose recurrence relation is un+2 = 4un+1 − un ) also satisfies (7.1). Morgan Ward was aware of these degenerate examples and called them singular. In [1196, Lem. 22.2] he shows that the only singular sequences u which satisfy (7.1), besides the integers, must be Lucas sequences of the form (7.2)

un =

an − bn , a−b

√ √ where a + b is an integer and ab = 1. For example, taking a = 2 + 3, b = 2 − 3 gives the sequence 0, 1, 4, 15 . . . above. Thus the singular sequences are all of the form un = sin(nθ)/ sin(θ) for some θ. Knowing that the relation (7.1) is satisfied by 2 τn (z) = σ(nz)/σ(z)n , where σ is the Weierstrass σ-function, Morgan Ward began an abstract study of sequences which satisfy the relation (7.1). Some of his results are recalled below. The recurrence relation (7.1) is less straightforward than a linear recurrence. In order to calculate terms, notice firstly that the single relation (7.1) gives rise to two relations (7.3)

(7.4)

u(2n + 1) = u(n + 2)u(n)3 − u(n − 1)u(n + 1)3 ,

and

u(2n)u(2) = u(n + 2)u(n)u(n − 1)2 − u(n)u(n − 2)u(n + 1)2 .

The relation (7.3) comes about by setting m = n + 1 whilst (7.4) comes about by setting m = n + 2 then replacing n by n − 1. The relations (7.3) and (7.4) can then 161

162

7. ELLIPTIC DIVISIBILITY SEQUENCES

be subsumed into the single relation u(n)u(bn/b(n + 1)/2cc) = u(b(n + 4)/2c)u(bn/2c)u(b(n − 1)/2c)2 − u(b(n + 1)/2c)u(b(n − 3)/2c)u(b(n + 2)/2c)2 , where b·c denotes, as usual, the integer part. Following Morgan Ward, a solution of (7.1) is called proper if u(0) = 0, u(1) = 1, and u(2)u(3) 6= 0. The justification for this term is worked out in the paper; non-proper sequences are degenerate in one way or another. Such a proper solution will be an elliptic divisibility sequence if and only if u(2), u(3), u(4) are integers with u(2)|u(4) and relations (7.3) and (7.4) are satisfied for all n. Hence the terms u(i), 0 ≤ i ≤ 4 uniquely determine an elliptic divisibility sequence. For example, there is an elliptic divisibility sequence starting 0, 1, 1, −1, 1. The formulae above show the sequence continues 2, −1, −3, −5, 7, −4, −23, 29, 59, 129, −314, −65, 1529, −3689, −8209, −16264, 833313, 113689, −620297, 2382785, 7869898, 7001471, −126742987, −398035821, 168705471, −7911171597, . . . This sequence may be viewed as the simplest non-trivial elliptic divisibility sequence, analogous to the Mersenne sequence, and will be used below. For brevity, call this sequence S for future reference. Recently, Shipsey [1044] has used elliptic divisibility sequences to study the discrete logarithm problem for elliptic curves over finite fields, and has found an elegant algorithm for computing high order values, using a kind of repeated doubling. 7.1. Periodicity and Prime Apparition Suppose p is a prime and u is a proper elliptic divisibility sequence. The rank of apparition for p is r if r is the smallest positive integer for which u(r) ≡ 0 mod p. In his paper, Morgan Ward proves that every prime has a rank of apparition, and this rank is bounded by 2p + 2. The theory of division polynomials (see below) explains this result in a simple way. He went on to prove beautiful congruences about the periodicity of elliptic divisibility sequences modulo p. Once again, we introduce an assumption to avoid many special cases having to be explained. Theorem 7.1. Let p denote an odd prime and suppose gcd(p, u(2)u(3)) = 1. Let r denote the rank of apparition for p. Then there are integers a, b, c with ac ≡ 1 mod p, such that for every n > 0, (7.5)

u(r − n) ≡ ban u(n) (mod p) and u(r + n) ≡ −bcn u(n)

(mod p).

The integers can be computed explicitly from the congruences a≡

u(r − 2) u(r − 1)u(2)

(mod p),

b≡

u(r − 1)2 u(2) u(r − 2)

(mod p).

Theorem 7.1 gives the periodic behaviour of elliptic divisibility sequences. They are always purely periodic, meaning that for all n, u(n + ρ) ≡ u(n) mod p for some ρ which is a multiple of r, the rank of apparition. For example, take p = 5 for the sequence S. The rank of apparition is 8 and the period is 32. Morgan Ward’s formulae give a = 2, b = 1, c = 3. Theorem 7.1 is actually a consequence of the periodicity of the Weierstrass σ-function, and it does not seem to be readily provable any other way. We now

7.2. ELLIPTIC CURVES

163

give the definition of this function and use it to give a sketch proof of (7.5). Let L denote a lattice in C – a discrete subgroup of rank 2 over R. Write L =< w1 , w2 >, where w1 and w2 are complex numbers with w1 /w2 ∈ / R. These numbers are usually called periods. For z ∈ C, define the Weierstrass σ-function σL (z) = σ(z) by Y z z` + 12 ( z` )2 σ(z) = z 1− e . ` 06=`∈L

By taking logarithms, the convergence of the product follows from the convergence P of the series 06=`∈L |`|−3 . Thus σ defines an analytic function which has simple zeros at the lattice points and nowhere else. A fundamental fact about the σfunction is the following periodicity relation. Let w denote either of the periods for L. Then there is an R-linear form η such that for all z ∈ C, σ(z + w) = −eη(z+w) σ(z).

(7.6)

Proof. (of Theorem 7.1) The proof uses the basic relation in some suitably large number field, u(n) ≡ τn (w/r) (mod p), where p is any prime ideal dividing p. Now, for 0 ≤ n < r, consider τr−n (w/r). This is σ(w − nw/r) = an bτn (w/r), σ(w/r)(r−n)2 using (7.6) and the fact that σ(−z) = −σ(z), where a = e2η(w/r) σ(w/r)r and 2 b = eη(w) /σ(w/r)r . Letting n = 0, 1, a and b are congruent to rational integers mod p. This shows the congruence holds not just for the prime ideal divisors of p but also for p itself. 7.2. Elliptic Curves All the examples of elliptic divisibility sequences which are non-linear arise from elliptic division polynomials, analogues of the classical cyclotomic polynomials from arithmetic. All of the theory of elliptic curves needed can be found in Silverman’s volumes [1091] and [1093]. Consider an elliptic curve defined over the rational numbers, determined by a generalized Weierstrass equation (7.7)

y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6

with coefficients a1 , . . . , a6 in Z. Define associated constants by b2 b4 b6

= a21 + 4a2 , = 2a4 + a1 a3 , = a23 + 4a6 ,

b8

= a21 a6 + 4a2 a6 − a1 a3 a4 + a2 a23 − a24 .

Define a sequence of polynomials in Z[x, y] as follows: ψ0 = 0, ψ1 = 1, and ψ2 ψ3 ψ4

= 2y + a1 x + a3 , = 3x4 + b2 x3 + 3b4 x2 + 3b6 x + b8 , = ψ2 (2x6 + b2 x5 + 5b4 x4 + 10b6 x3 + 10b8 x2 + (b2 b8 − b4 b6 )x + b4 b8 − b26 ).

164


Now define inductively for n ≥ 2 ψ2n+1

3 = ψn+2 ψn3 − ψn−1 ψn+1 and

ψ2n ψ2

2 2 = ψn (ψn+2 ψn−1 − ψn−2 ψn+1 ).

It is straightforward to check that each ψn ∈ Z[x, y]. Write ψn (Q) for ψn evaluated at the point Q = (x, y). The basic properties of elliptic division polynomials can be found in [1091], [1093] and [1196]. Proposition 7.2. The sequence (ψn ) satisfies the recurrence (7.1). Also, ψn2 (Q) = n2 xn

2

−1

+ . . . ∈ Z[x]

is a primitive integral polynomial in x alone whose roots are the x-coordinates of the finite torsion points on the curve whose order divides n. More is true. Suppose the point (x, y) is viewed as generic, that is, x and y are variables. Then the point Q can be added to itself using the addition on the elliptic curve. Repeating this gives a point nQ = Q + . . . + Q (n times) whose coordinates are rational functions in x and y. The denominator of this rational function is ψn2 . For example, if E is the curve with equation E : y 2 + y = x3 − x and Q = (0, 0), then the sequence sn (Q) of square roots of denominators of x(nQ) is precisely the sequence S obtained earlier. In [1045], it is proved that this construction always gives an elliptic divisibility sequence if Q = (0, 0) on the curve (7.7) with a6 = 0, under the additional assumption gcd(a3 , a4 ) = 1. When this condition is violated, the construction does not necessarily give an elliptic divisibility sequence. The following example appears in [1045]: Consider the elliptic curve E given by the equation y 2 + 27y = x3 + 28x2 + 27x. The point Q = (0, 0) is a non-torsion point on E, but it does not give rise to an elliptic divisibility sequence. Notice that in this example the point Q reduces to a singular point mod 3. Proposition 7.2 guarantees that the evaluated sequence ψ(Q) = (ψn (Q)) satisfies (7.1) for any integral point Q. It is readily checked that if u is any rational 2 sequence which satisfies (7.1) and c is a non-zero rational then v(n) = cn −1 u(n) also satisfies (7.1). Given any rational point Q, the shape of the equation (7.7) guarantees that the denominator of the x-coordinate is a square, say x(Q) = a/b2 . Thus, from the point Q and the curve we can produce the terms of an elliptic di2 visibility sequence bn −1 ψn (Q) by clearing the denominator. Define the sequence E = E(Q) by (7.8)

E(n) = bn

2

−1

ψn (Q) ∈ Z.

The process outlined here is invertible. That is, given an elliptic divisibility sequence E, one may find a rational point on an elliptic curve whose division sequence is E. In fact Morgan Ward calculates the transformation explicitly: If the sequence begins 0, 1, a, b, c . . . then the point has x-coordinate x = c2 + 2a5 c + 4a2 b3 + a10 / 12a4 b2

7.3. GROWTH RATES

165

on the elliptic curve y 2 = x3 + Ax + B, where A is − a20 + 4a15 c − 16a12 b3 + 6a10 c2 − 8a7 b3 c + 4a5 c3 + 16a4 b6 +8a2 b3 c2 + c4 / 48a8 b4 , and B is a30 + 6a25 c − 24a22 b3 + 15a20 c2 − 60a17 b3 c + 20a15 c3 +120a14 b6 − 36a12 b3 c2 + 15a10 c4 − 48a9 b6 c + 12a7 b3 c3 +64a6 b9 + 6a5 c5 + 48a4 b6 c2 + 12a2 b3 c4 + c6 / 864a12 b6 . Lucas defined an elliptic divisibility sequence to be singular if the corresponding cubic curve is not elliptic (that is, the discriminant vanishes). For example, the sequence u(n) = n gives rise to the point (0, 0) on the singular curve y 2 = x3 . The principle underlying Morgan Ward’s analysis is that non-singular sequences u are 2 all of the form u(n) = σ(nz)/σ(z)n for some z, whereas singular sequences are of the form u(n) = sin(nθ)/ sin(θ) for some θ. 7.3. Growth Rates Finding growth rates for integral linear recurrence sequences is not trivial, requiring machinery from Diophantine approximation. A similar story is true in the case of elliptic divisibility sequences. Write (7.9)

∆ = −b22 b8 − 8b34 − 27b26 + 9b2 b4 b6

for the discriminant of the curve (7.7). Primes p which divide ∆ are precisely the primes for which the elliptic curve reduces to a singular curve mod p. The theorem that follows was proved in [287]; it shows that the growth rate for elliptic divisibility sequences exists, and is quadratic exponential in n. Moreover the p-adic growth rate exists for primes of singular reduction. A more general version, together with numerical examples, appears in [322]. Theorem 7.3. Let Q denote a non-torsion rational point on the curve. Then for p = ∞ or a finite prime of singular reduction, there are positive constants A, B, with B < 2, for which O((log n)A /n2 ) if p = ∞, (7.10) 1/n2 log |ψn (Q)|p = λp (Q) + O(1/nB ) if p < ∞. Here p = ∞ denotes as usual the Archimedean norm. The expressions λp (Q) are called local heights in the literature; for every prime p ≤ ∞, there is a local height λp (Q). The constant A depends on the curve and the point Q only, whilst B depends upon the curve, the point Q and the prime p. The method of proof uses elliptic transcendence theory. It is a surprising feature of the underlying bounds in elliptic transcendence theory that the bound for the finite primes is inferior to that for the infinite prime. Theorem 7.3 explains a phenomenon which the Chudnovsky’s discovered in their papers [207] and [208]. There they reported having found elliptic divisibility sequences in which all the terms are divisible by high powers of certain primes. For a prime of singular reduction (or for p = ∞), the canonical local height of a rational point can be negative. It follows from (7.10) that if p is a prime of singular reduction for the curve and the canonical local height of Q at that prime is negative, then E(n) = En (Q) must ultimately be divisible by very high powers of p.

166


The relationship between local heights and elliptic divisibility sequences is exˆ plained in [322]. Any rational point has a canonical global height h(Q): This global height is non-negative and vanishes if and only if Q is a torsion point. It has the ˆ ˆ functoriality property that h(kQ) = k 2 h(Q) for every rational point Q and every k ∈ Z. The global height can be defined quite concretely. For each k > 0, x(kQ) is rational number ak /bk so define h(kQ) = log max{|ak |, |bk |}. Then 1 ˆ h(Q) = lim h(kQ). k→∞ 2k 2 It is not trivial to prove this limit exists. The global height is a sum of local heights, one for each prime, X ˆ (7.11) h(Q) = λp (Q). p≤∞

The canonical local heights can be given by explicit formulæ. For finite primes, these involve only the discriminant ∆ of the curve (see (7.9) below), the coordinates of Q, and ψ2 (Q) or ψ3 (Q) (see Exercises 6.7 and 6.8 in [1093]). The singular primes can be divided out from each term of E by writing Y (7.12) F (n) = |E(n)| |E(n)|p . p|∆

The sequence F is still a divisibility sequence, although it might not satisfy (7.1). The next result also comes from [287]. Theorem 7.4. If Q is a rational point with x(Q) = a/b2 , and F is defined as in (7.12), then (7.13)

n ˆ F (n) = h(Q)

2

+O(n2−C )

,

where 0 < C < 2 is a constant. 7.4. Primes in Elliptic Divisibility Sequences The question of prime appearance in divisibility sequences has received much attention when the sequence satisfies a linear recurrence relation. It seems plausible that such sequences will contain infinitely many primes after taking account of any generic divisibility. For example, odd terms of Lehmer–Pierce sequences associated to reciprocal polynomials (cf. page 171) are all squares, and have all terms divisible by the first. The result of [98] characterizes precisely when there will be generic divisibility (cf. Section 1.6.1). One other kind of generic divisibility can occur as evidenced by the sequence (4n − 1): For n > 1, the terms will have non-trivial factors. Essentially the same kind of argument explains Ribenboim’s example in [959, p. 64]: He points out that the Lucasian sequence 0, 1, 3, 8, 21, 55, . . . (the even terms of the Fibonacci sequence) has only one prime term. This kind of generic divisibility occurs in elliptic divisibility sequences also, as detailed in Proposition 7.6. Although Morgan Ward wrote many papers about elliptic divisibility sequences, including one on repetition of prime factors [1195], he did not touch on the question of prime appearance. In [207] and [208], the Chudnovskys consider this question, and suggest that elliptic divisibility sequences should contain very large prime values. The table below shows prime appearance (that is, values of n for which un is a probable prime) in sequences specified by the first 5 terms, which the Chudnovskys calculated.

7.4. PRIMES IN ELLIPTIC DIVISIBILITY SEQUENCES

167

Initial terms Growth rate Prime incidence up to n = 500 0, 1, 1, 1, −2 0.0560 5, 7, 11, 13, 23, 61, 71 0, 1, 1, 1, 6 0.1107 5, 7, 13, 23, 43, 47 0, 1, 2, 1, 4 0.1262 5, 7, 71 0, 1, 1, 2, 7 0.1311 11, 17, 73 0, 1, 1, 1, −9 0.1383 7, 47, 79 0, 1, 1, 1, 10 0.1432 7, 13, 41, 61 0, 1, 1, 4, 1 0.1730 71, 79 0, 1, 1, 4, 3 0.1737 5, 7, 13, 53, 71 0, 1, 1, 5, 2 0.2010 7, 43 Table 1. Primes in the elliptic divisibility sequences from the paper [207] of Chudnovsky & Chudnovsky.

They did indeed exhibit some primes, and some are quite large. The largest prime found has 469 decimal digits: It appears in the third sequence from the end in Table 1. The heuristics in [288] predict that any given elliptic divisibility sequence should only contain finitely many primes. The Chudnovskys’ sequences were run to the first 500 terms and in every case no new primes emerged. In [288] it is argued that the number of prime terms should be uniformly bounded. In [320] a finiteness proof is given for a class of elliptic divisibility sequences; in the function field case, uniformity is proved using Lang’s conjecture. More generally, one can search for primes in the sequences Fn = Fn (Q). The asymptotic formula (7.13) is important because it can be used to restrict the search for primes. A prime of the form Fn = Fn (Q) is an anomalous prime if the index n is not a prime. Proposition 7.5. There can only be finitely many anomalous primes in the sequence F . Proof. Since F is a divisibility sequence with Fn > 1 for all large n, the only way large anomalous primes can appear is if they are of the form Fmn = Fn with 1 < m, n. If there are infinitely many anomalous primes then this relation will hold with mn → ∞. Then (7.13) implies that n2 = (mn)2 + o((mn)2 ), which is clearly impossible.

Another important application of 7.13 is the following. For a non-torsion ratioˆ ˆ nal point Q, compare Fn (Q) with Fn (kQ) when 1 < k ∈ N. Since h(kQ) = k 2 h(Q), it follows from (7.13) that the terms of the sequence (Fn (kQ)) are all larger than those in the sequence (Fn (Q)) from some point on. Proposition 7.6 shows that for prime n > k, Fn (Q)|Fn (kQ). Since only finitely many terms of Fn (Q) are equal to 1, this means that from some point, every term Fn (kQ) has a non-trivial factor, and therefore that only finitely many terms of Fn (kQ) are primes. This is an elliptic analogue of the generic divisibility discussed above. Proposition 7.6. Suppose Q is a non-torsion rational point and 1 ≤ k ∈ N is fixed. Then for all primes n > k, Fn (Q)|Fn (kQ).

168


Proof. Let Kn denote the algebraic number field obtained by adjoining to Q all the x-coordinates of the n-torsion points. Suppose that p is a prime of nonsingular reduction and p|Fn (Q). Let P denote a prime ideal above p in Kn . By Proposition 7.2, Y |b2 T − a|. (7.14) En2 = n2 T :nT =O

Suppose that P i |b2 T − a, for some n-torsion point T and some i ≥ 1. Clearly gcd(p, b) = 1 and it follows that x(Q) ≡ x(T ) mod P i . If p is a prime of nonsingular reduction, we can find kQ mod P i . Also, gcd(n, k) = 1 so kT must be a finite point so x(kQ) ≡ x(kT ) mod P i . Thus P i certainly appears in some factor of Fn (kQ), because kT is also an n-torsion point. The map T 7→ kT permutes the n-torsion points when gcd(n, k) = 1. Thus, every factor of Fn (Q) divisible by P i yields a distinct factor of Fn (kQ) which is divisible by P i . Since this is true for all P |p in Kn , every power of p in Fn (Q) also appears in Fn (kQ). 7.5. Heuristics on Prime Appearance Wagstaff gave a heuristic argument for the appearance of primes in the Mersenne sequence in [1189]. Roughly speaking, the Prime Number Theorem implies that the probability a large integer N is prime is 1/ log N . The Euler-Fermat theorem implies that if n is prime, then any prime divisor q of 2n − 1 is forced to be greater than 2n. Thus, the probability that 2n − 1 is prime needs to be adjusted by Euler factors for primes less than 2n, leading to the heuristic estimate of −1 X Y (7.15) 1/ log(2n − 1) 1 − 1q prime n c/d(log d log log d)3 . It was proved in [1090] that Lang’s conjecture is true for all points Q for which the number of primes at which Q has singular reduction is uniformly bounded. This was improved and generalized in [469]. Note that the analogy is very strong and can be used to suggest problems hitherto unconsidered. For example, what should the elliptic analogue of the Hadamard Quotient Theorem say? The following is a possible interpretation. Let E be an elliptic curve defined over Q, with rational points P and Q. The points define integral sequences Pn and Qn which are the sequences of square roots of the denominators of nP and nQ respectively. If P is actually a multiple of Q, that is, P = kQ for some integer k, then the sequence Qn divides Pn term-wise. The question we pose is whether the converse is true: If Qn divides Pn for all n ≥ 1, then is it true that P = kQ for some integer k? One could ask the same question of two elliptic divisibility sequences, one dividing the other term-wise; what would this imply about the under-lying curves and points? If the rank of the underlying elliptic curve is 1, these questions are easy to answer.

CHAPTER 8

Sequences arising in dynamics Many of the sequences studied so far are well-known in dynamical systems, partly because they arise naturally as sequences counting periodic points. A dynamical system is a continuous map T : X → X, where X is a compact space. The space X may carry additional structure: For example, it could be a manifold or a compact group, in which case it would be natural to study diffeomorphisms or group endomorphisms respectively. Dynamical systems have been studied in the context of applied mathematics and physics historically and more recently, pure mathematicians have studied a kind of synthetic dynamics, where X and T are very far removed from the world of applications. The subject of complex dynamics has received a great deal of attention, and motivates some of the definitions below; see [62]. Most of this section is taken from [317] and [946]. Let T : X → X be a map on an arbitrary set X. A point x ∈ X is a point of period n under T if T n (x) = x; that is x is fixed by the n-th iterate of T under composition of functions. The number of points of period n ≥ 1 under T is Fixn (T ) = |{x ∈ X | T n (x) = x}| if this quantity is finite. Example 8.1. (1) Let X = C and T (x) = x2 . Clearly x has period n if n and only if it is solution of x2 = x; thus Fixn (T ) = 2n . If X = S1 then there is one fewer point of period n, so the sequence of periodic points is counted by the Mersenne sequence. (2) The map T : z 7→ z k on C gives Fixn (T ) = k n for all n ≥ 1. (3) Let X = S1 and T (x) = x−2 . The periodic points are counted by the Jacobsthal-Lucas sequence 1, 5, 7, 17, . . . , since Fixn (T ) = |1 + (−2)n |. (4) More generally, if F ∈ Z[x] is a monic polynomial with associated companion matrix AF ∈ Md (), then AF defines an endomorphism of the d-torus Qd Qd Td , and Fixn (AF ) = ∆n (F ) = i=1 |λni − 1| where F (x) = i= (x − λi ). This is the Lehmer–Pierce sequence associated to F (see [615], [896]) . (5) Let X denote the compact subset of {0, 1}Z comprising all doubly-infinite sequences in which every 0 is followed by a 1, and let T denote the left shift map; then it is easy to show that the sequence of periodic points agrees with the Lucas sequence 1, 3, 4, 7, 11 . . . . (6) Let A denote an integral d × d matrix with no eigenvalues which are roots of unity. Then A acts on X = [0, 1)d by multiplication mod 1 to define a map T (x) = Ax mod 1. As above, Fixn (T ) = | det(An − Id )|, the LehmerPierce sequence associated to the characteristic polynomial of A. Simple proofs of this are in [297] and [321]. (7) Another way the Lucas sequence can be recognized as counting periodic points is to notice that it agrees with the sequence of traces of powers of 171

172

8. SEQUENCES ARISING IN DYNAMICS

a non-negative integer matrix. Let A denote the matrix 0 1 A= . 1 1 Pd Let trace denote the usual trace of a matrix; trace(aij ) = i=1 aii . It is easily checked that the sequence trace(An ) agrees with the Lucas sequence. Now let G denote the graph on two vertices with incidence matrix A. It is clear that the left shift on the space of all paths has periodic points counted by this sequence – see Section 8.3 for an account of this material. In general, if A ∈ Md (Z+ ) then A can be used as the incidence matrix for a graph G with d vertices. If T denotes the edge shift on G then Fixn (T ) = trace(An ). A reasonable type of question in view of these examples is the following. Is there a map T on a set X for which (Fixn (T )), the sequence of Fibonacci numbers? To understand this question, and because of what follows, a key idea is the distinction between the period of a point under a map and the least period of a point under a map. The number of points of least period n ≥ 1 under T is Ln (T ) = {x ∈ Fixn (T ) | |{T k (x)}k∈N | = n} . The number of orbits of length n under T is Ln (T ) . On (T ) = n Thus, a point x has period n if and only if it is fixed by the nth iterate of T , and has least period n if there are exactly n points on the orbit x, T (x), T 2 (x), . . . of the point. These notions make it easy to settle the question about the Fibonacci sequence and whether it counts the periodic points for a map (see [947]). Lemma 8.2. There is no map T : X → X for which Fixn (T ) is the nth Fibonacci number. Proof. Assume there is such a map T ; then T must have one fixed point. Now the points in X that are fixed by T 3 come in two forms: One of them must be the fixed point, and the others (if there are any) must come from orbits of length three. This means that if Fix1 (T ) = 1, then the only possible values for Fix3 (T ) are 1, 4, 7, 10, 13, . . . : It is not possible to have Fix3 (T ) = 2. Definition 8.3. A sequence a is realizable if there is a map T : X → X for which Fixn (T ) = a(n) for all n ≥ 1. No assumption is made about the topological nature of the set X: A map which is realizable in this sense is always realizable by a continuous map on a compact space X – see the comment after the proof of Lemma 8.4. This area of enquiry hinges upon a simple combinatorial device characterizing realizable sequences. The constraint seen in the proof of Lemma 8.2 takes the following general form. If T : X → X is any map with finitely many points of each period n ≥ 1, then the set of points with period n is the disjoint union of the orbits of length d, as d runs through the divisors of n. It follows that X (8.1) Fixn (T ) = Ld (T ) for all n ≥ 1. d|n


173

On the other hand, the set of points with least period d comprises a certain number of orbits of length d, so (8.2)

Ld (T ) ≡ 0

(mod d) for all d ≥ 0.

It turns out that the equations (8.1) and (8.2) express exactly that property of a sequence that makes it arise as a periodic-point sequence. The equation (8.1) may be inverted to give X (8.3) Ln (T ) = µ(n/d) Fixd (T ). d|n

Lemma 8.4. A sequence a is exactly realizable if and only if X (8.4) 0≤ µ(n/d)a(d) ≡ 0 (mod n) for all n ≥ 1. d|n

Proof. That (8.4) is necessary follows from the discussion above. To see that it is sufficient, P assume that a is a sequence with (8.4). Then for each n ≥ 1, r(n) = n1 d|n µ(n/d)a(d) is a non-negative integer. If r(n) > 0 for arbitrarily large values of n, then let X = N, and define T to be the permutation with r(n) cycles of length n for each n P ≥ 1. If r(n) is eventually zero but not always zero, let X be a set with cardinality n≥1 nr(n), and again let T be the permutation with r(n) cycles of length n for each n ≥ 1. Finally, if a is identically zero, take X = Z and T : x 7→ x + 1. Using a suitable compactification, any realizable map has a realization as a homeomorphism on a compact space. Finer questions can be asked of course. Some of the realizable sequences are realized by endomorphisms of compact groups (examples include the Lehmer–Pierce sequences), and any such sequence must of necessity be a divisibility sequence. It is more delicate to decide which realizable divisibility sequences are realizable by group endomorphisms – see [772]. An analogous question may be asked for realisability by edge shifts, and this has been solved by Kim, Ormes and Roush [514]. To explain their result, we first describe the Spectral Conjecture of Boyle and Handelman [129], [130] which may be viewed as a characterization of a certain class of recurrence sequences. A matrix is primitive if all entries are non-negative, and for some n ≥ 1 all entries of the nth power are positive. Conjecture 8.5. Let Λ = (λ1 , λ2 , . . . , λk ) be a d-tuple of non-zero complex numbers, and let S be a unital subring of R. Then there is a primitive matrix over Qk S with characteristic polynomial tm i=1 (t − λi ) for some m ≥ 0 if and only if Qk (1) i=1 (t − λi ) ∈ S[t], (2) there is a dominant root λj with λj > |λi | for all i 6= j, P Pk (3) if S = Z, then d|n µ(n/d) i=1 λdi , and Pk Pk (4) if S 6= Z, then i=1 λni ≥ 0 for all n ≥ 1, and i=1 λni > 0 implies that Pk nm > 0 for all m ≥ 1. i=1 λi Boyle and Handelman proved this for the case S = R, and Kim, Ormes and Roush proved it for S = Z (and hence for Q). The set of realizable sequences has some natural structure: If a and a are exactly realizable, then so are the product (a(n)b(n)) and the sum (a(n) + b(n)).

174


To see this, let T : X → X and S : Y → Y be maps that realize a and b respectively. Then the Cartesian product T × S : X × Y → X × Y realizes the product, and the map U : X t Y → X t Y defined on the disjoint union of X and Y by U (x) = T (x) if x ∈ X and U (x) = S(x) if x ∈ Y realizes the sum. Lemma 8.4 can be used to show that some natural families of sequences are not realizable. For example, if P (n) = c0 + c1 n + · · · + ck nk with ck 6= 0, k ≥ 1, then (P (n)) is realizable if and only if P is constant. To see this, multiply the divisibility condition (8.4) by the least common multiple of the denominators of the (rational) coefficients of P , to produce a polynomial with integer coefficients satisfying (8.4). It is enough therefore to assume that the coefficients ci are all integers. Let (Fixn ) and (Ln ) be the periodic points and least periodic points in the corresponding system T : X → X, and let p be any prime. By (8.3), Lp2 = Fixp2 − Fixp , so Op2 =

Lp2 p2

Fixp2 − Fixp p2 1 = c1 p2 + c2 p4 + · · · + ck p2k − (c1 p + c2 p2 + · · · + ck pk ) 2 p c1 ∈ − +Z p =

so p divides c1 for all primes p, so c1 = 0. Now let q be another prime, and recall that µ(1) = 1, µ(p) = −1, µ(q) = −1, µ(p2 ) = 0, µ(p2 q) = 0, µ(pq) = 1. Since c1 = 0, Fixn = c0 + n2 (c2 + c3 n + · · · + ck nk−2 ),

(8.5) and by (8.4)

p2 q Fixp2 q − Fixpq − Fixp2 + Fixp = Lp2 q , so Fixp2 − Fixp ∈Z p2 q by (8.5). It follows that c0 (1 − 1) + c2 (p4 − p2 ) + c3 (p6 − p3 ) + · · · + ck (p2k − pk ) ∈ qZ for all primes q and p (since Fixp2 − Fixp is certainly divisible by p2 ). So c0 (1 − 1) + c2 (p4 − p2 ) + c3 (p6 − p3 ) + · · · + ck (p2k − pk ) = 0; taking the limit as p → ∞ of contradiction.

1 (Fixp2 p2k

− Fixp ) shows that ck = 0, which is a

8.1. REALIZATION OF LINEAR RECURRENCE SEQUENCES

175

8.1. Realization of Linear Recurrence Sequences Consider the Fibonacci recurrence – what is shown above is that the Lucas sequence L+ : 1, 3, 4, . . . is realizable, while the Fibonacci sequence 1, 1, 2, . . . is not. In his thesis [945], Puri showed that the only solutions of the Fibonacci recurrence which are realizable are multiples of the Lucas sequence: If U : a, b, a + b, . . . is a recurrence sequence satisfying u(n + 2) = u(n + 1) + u(n), then U is exactly realizable if and only if b = 3a. This gives a stronger form of Lemma 8.2. For any k ≥ 1, there is no map T : X → X for which Fixn (T ) = F (n + k), where F : 1, 1, 2, 3, . . . is the Fibonacci sequence. For, if F (k + 1), F (k + 2), . . . is exactly realizable, then F (k + 2) = 3F (k + 1), which is impossible. These arguments generalize to give a precise characterization of all realizable sequences which satisfy a given binary recurrence relation. Notice that any such sequence could be signed, so it makes sense to ask whether the sequence of absolute values is realizable or not. An example is the sequence −1, 3, −4, 7 . . . which satisfies u(n + 2) = −u(n + 1) + u(n) and is realizable in absolute value. Given a binary recurrence relation with integer coefficients, the C-space of all solutions has dimension 2. The realizable subspace is the subspace generated by the realizable solutions. For the Fibonacci recurrence, the realizable subspace has dimension 1 and is spanned by the Lucas sequence. Theorem 8.6. Let u be an integer sequence which satisfies a non-degenerate binary recurrence relation. Let ∆ denote the discriminant of the characteristic polynomial associated to the recurrence relation. Then the realizable subspace has (1) dimension 0 if ∆ < 0, (2) dimension 1 if ∆ = 0 or ∆ > 0 and non-square, and (3) dimension 2 if ∆ > 0 is a square. Example 8.7. (1) If the recurrence relation is u(n + 2) = u(n + 1) − 2u(n) then ∆ = −7. Theorem 8.6 says no solution, besides the trivial solution, is realizable in absolute value. (2) For the Fibonacci recurrence, ∆ = 5 is non-square. Theorem 8.6 explains why the realizable subspace has dimension 1. The proof is constructive and yields the Lucas sequence as a generator for the realizable sequences. (3) For the recurrence relation u(n + 2) = 4u(n + 1) − 4u(n), the solutions u(n) = A2n , for A ≥ 1 are all realizable. Since ∆ = 0, these are the only ones. (4) For the Mersenne recurrence u(n + 2) = 3u(n + 1) − 2u(n), there are realizable solutions u(n) = A2n + B for all A, B ≥ 1. Here ∆ = 1 is a square. Before the proof of Theorem 8.6, we begin with some notation. Suppose we are given a binary recurrence sequence u. This means that u(1) and u(2) are given as initial values with subsequent terms defined by a recurrence relation (8.6)

u(n + 2) = Bu(n + 1) − Cu(n).

The polynomial f (x) = x2 −Bx+C is the characteristic polynomial of the recurrence relation. Write 0 1 Af = −C B

176


for the companion matrix of f . The zeros α1 and α2 of f , are the characteristic roots of the recurrence relation. The assumption on non-degeneracy means that α1 /α2 is not a root of unity. The discriminant of the recurrence relation is ∆ = B 2 − 4C. The general solution of the recurrence relation in these cases is as follows: ∆ = 0: u(n) = (γ1 + γ2 n)α1n (here α1 = α2 ). ∆ 6= 0: u(n) = γ1 α1n + γ2 α2n . Proof. (of Theorem 8.6) Assume first that ∆ = 0, and let p denote any prime which does not divide γ2 . Then the congruence in Lemma 8.4 is plainly violated at n = p unless γ2 = 0. In that case, |γ1 α1n | is realizable and the space this generates is 1-dimensional. If ∆ > 0 is a square, then the roots are rationals and plainly, must be integers. We claim that for any integers γ1 and γ2 , the sequence |γ1 α1n + γ2 α2n | is realizable. In fact (up to multiplying by a full shift) this sequence counts the periodic points for an automorphism on a one-dimensional solenoid, see [321] or [649]. √ The two cases where ∆ 6= 0 is not a square are similar. Write α = e + f ∆ for one of the roots of f and let K = Q(α) denote the quadratic number field generated by α. Write TK|Q : K → Q for the usual field trace. The general integral solution √ to the recurrence is u(n) = TK|Q ((a + b ∆)αn ), where a and b are both integers or √ both half-odd integers. Write v(n) = TK|Q (aαn ) and w(n) = TK|Q (b ∆αn ). Now v(n) = a trace(Anf ), so v(p) ≡ v(1) mod p for all primes p. Let p denote any inert prime for K. The residue field is isomorphic to Fp2 . Moreover, the non-trivial field isomorphism restricts to the Frobenius at the finite field level. Reducing mod p gives the congruence √ p √ √ √ ∆α − ∆α ≡ ∆α − ∆αp (mod p). Thus w(p) ≡ −w(1) mod p for all inert primes p. On the other hand, v(p) ≡ v(1) mod p for all inert primes p. If |u(n)| is realizable then |u(p)| ≡ |u(1)| mod p by Lemma 8.4. If u(p) ≡ −u(1) mod p for infinitely many primes p then v(p) + w(p) ≡ v(1) − w(1) ≡ −v(1) − w(1) mod p. We deduce that p|v(1) for infinitely primes and hence v(1) = 2ae = 0. We cannot have e = 0 by the non-degeneracy, so a = 0. If u(p) ≡ u(1) mod p then, by a similar argument, we deduce that bf = 0. We cannot have f = 0 again, by the non-degeneracy so b = 0. This proves that when ∆ 6= 0 is not a square, the realizable subspace must have rank less than 2. Suppose firstly that ∆ > 0. We will prove that the rank is precisely 1. In this case, there is a dominant root. If this root is positive then all the terms of u are positive. If the dominant term is negative then the sequence of absolute values agrees with the sequence obtained by replacing α by −α and the dominant root is now positive. In the recurrence relation (8.6) C = NK|Q (α), the field norm, and B = TK|Q (α). We are assuming B > 0. If C < 0 then the sequence u(n) = trace(Anf ) is realizable because the matrix Af has non-negative entries. If C > 0 then we may conjugate Af to such a matrix (this leaves the sequence of traces invariant). To see this, let E denote the matrix 1 0 E= . k 1 Then E

−1

Af E =

k Bk − k 2 − C

1 . B−k

8.1. REALIZATION OF LINEAR RECURRENCE SEQUENCES

177

If B is even, take k = B/2. Then the lower entries in E −1 Af E are (B 2 − 4C)/4 = ∆/4 > 0 and B/2 > 0. If B is odd, take k = (B + 1)/2. Then the lower entries are (B 2 − 1 − 4C)/4 = (∆ − 1)/4 ≥ 0 and (B − 1)/2 ≥ 0. In both cases we have conjugated Af to a matrix with non-negative entries. Since we know that the sequence of traces of a matrix with non-negative entries is realizable, we have completed this part of the proof. Finally, we must show that when ∆ < 0, both sequences v(n) and w(n) are not realizable in absolute value. Assume a 6= 0, and note that v(1) = 2ae 6= 0 by the non-degeneracy assumption. For all primes p we have v(p) ≡ v(1) by the remark above. Since the roots α1 and α2 are complex conjugates, |α1 | = |α2 |. 1 arg(α1 /α2 ); β is irrational by the non-degeneracy assumption. The Let β = 2π sequence of fractional parts of pβ, with p running through the primes, is dense in (0, 1) (this was proved by Vinogradov [1170]; see [1164] for a modern treatment). It follows that there are infinitely many primes p for which v(p)v(1) < 0. Therefore, if |v(n)| is realizable then it satisfies v(p) ≡ v(1) mod p and −v(p) ≡ v(1) mod p for infinitely many primes. We deduce that v(1) = 0, which is a contradiction. With w(n) we may argue in a similar way to obtain a contradiction to w(1) 6= 0. If |w(n)| is realizable then Lemma 8.4 says |w(p2 )| ≡ |w(p)| ≡ |w(1)| for all primes p. Arguing as before, w(p2 ) ≡ w(1) for both split and inert primes. However, the sequence {p2 β}, p running over the primes, is dense in (0, 1). (Again, this is due to Vinogradov in [1170] or see [371] for a modern treatment. The general case of {F (p)}, where F is a polynomial can be found in [455].) We deduce that w(p2 )w(1) < 0 for infinitely many primes. This means w(p2 ) ≡ w(1) mod p and w(p2 ) ≡ −w(1) mod p infinitely often. This forces w(1) = 0 – a contradiction. Theorem 8.8. Let f denote the characteristic polynomial of a non-degenerate linear recurrence sequence with integer coefficients. If f is separable and has ` irreducible factors and a dominant root then the dimension of the realizable subspace is ≤ `. Example 8.9. Consider the sequences which satisfy the Tribonacci relation (8.7)

u(n + 3) = u(n + 2) + u(n + 1) + u(n).

The sequence 1, 3, 7, 11, 21, . . . satisfies (8.7) and is realizable. This is the sequence of traces trace(An ), where A is the companion matrix to f (x) = x3 − x2 − x − 1,   0 1 0 A = 0 0 1 . 1 1 1 Theorem 8.8 says that any realizable sequence which satisfies (8.7) is a multiple of this one. The proof of Theorem 8.8 uses the methods introduced in the proof of Theorem 8.6. Proof. Let d denote the degree of f . In the first place assume ` = 1, so f is irreducible. The irreducibility of f implies that the rational solutions of the recurrence are given by u(n) = TK|Q (γαn ), where K = Q(α), and γ ∈ K. Write γi , αi , i = 1, . . . , d for the algebraic conjugates of γ and α. The dominant root hypothesis says, after re-labelling, |α1 | > |αi | for i = 2, . . . , d. We will show that if u(n) is realizable then γ ∈ Q.

178


Let p denote any inert prime. If p is sufficiently large, the dominant root hypothesis guarantees that u(p), . . . , u(pd ) will all have the same sign. Using Lemma 8.4 several times, this shows that u(p) ≡ u(p2 ) ≡ · · · ≡ u(pd ) ≡ ±u(1) (mod p). Therefore u(p) + · · · + u(pd ) ≡ ±du(1) mod p, the sign depending upon the sign of u1 . However, u(p) + · · · + u(pd ) ≡ TK|Q (γ) TK|Q (α) (mod p). Hence TK|Q (γ) TK|Q (α) ≡ ±d TK|Q (γα)

(mod p).

Since this holds for infinitely many primes p, the congruence is actually an equality, (8.8)

TK|Q (γ) TK|Q (α) = ±d TK|Q (γα).

The next step comes with the observation that if u is realizable then (u(rn)) is realizable for every r ≥ 1. Thus equation (8.8) now reads (8.9)

TK|Q (γ) TK|Q (αr ) = ±d TK|Q (γαr ).

Dividing equation (8.9) by α1r and letting r → ∞ gives TK|Q (γ) = ±dγ1 . This means that one conjugate of γ is rational, hence γ is rational. The end of the proof in the case ` = 1 can be re-worked in a way that makes it more amenable to generalization. The trace is a Q-linear map on K so its kernel has rank d − 1. Thus every element γ of K can be written q + γ0 where q ∈ Q and TK|Q (γ0 ) = 0. Noting that TK|Q (q) = dq and cancelling d, this simply means equation (8.9) can be written u(r) = ±q TK|Q (αr ), for all r ≥ 1 confirming that the realizable subspace has rank ≤ 1. The general case is similar. Each of the irreducible factors of f generates a number field Kj , j = 1, . . . , ` of degree dj = [Kj : Q]. The separability of f means the solutions of the recurrence look like u(n) =

` X

TKj |Q (γj αjn ),

j=1

where each γj ∈ Kj . Let L denote the compositum of the Kj . Using the inert primes of L and noting that each one is inert in every Kj gives (8.10)

` ` X X d TKj |Q (γj ) TKj |Q (αj ) = ±d TKj |Q (γj αj ). d j=1 j=1 j

As before, replace αj by αjr , and cancel d so that u(r) = ±

` X 1 TKj |Q (γj ) TKj |Q (αjr ) d j=1 j

8.2. LOCAL REALISABILITY

179

Each γj can be written γj = qj +γ0j , where TKj |Q (γ0j ) = 0. Noting that TKj |Q (qj ) = dj qj we deduce that ` X u(r) = ± qj TKj |Q (αjr ) j=1

which proves that the realizable subspace has rank ≤ `.

8.2. Local Realisability This section explores the idea that some realizable sequences are realizable everywhere locally as well. For any non-zero integer n, and any prime p, let [n]p ≥ 1 denote the p-part of n. A sequence u is locally realizable at p if the sequence ([un ]p ) is realizable. A sequence is everywhere locally realizable if it is locally realizable at every prime p. To stress the comparison, we will sometimes refer to a realizable sequence as globally realizable. A sequence is globally realizable if it is everywhere locally realizable by multiplying. Recall that the Bernoulli numbers Bn are defined by the formula ∞ X tn t = B n et − 1 n=0 n! (see Section 6.3). Then Bn ∈ Q for all n, and Bn = 0 for all odd n > 1. Theorem 8.10. (1) Any Lehmer–Pierce sequence is everywhere locally, and hence globally, realizable. (2) Let b(n) denote the denominator of B2n for n ≥ 1. Then b is everywhere locally, and hence globally, realizable. Proof. Start with the simple special case of the Mersenne sequence. For each prime p, let Xp denote the group of p-th power roots of unity. The map Tp : x 7→ x2 satisfies Fixn (Tp ) = [2n − 1]p . The general case uses the powerful idea of duality. To see this at work, first re-do the Mersenne case in these terms. Let Z(p) denote the localization of Z at p. Then the map T dual to x 7→ 2x on Z(p) is an S-integer dynamical system in the language of [200], so Y Fixn (T ) = |2n − 1|q = [2n − 1]p . p6=q≤∞

The product runs over all primes, including the infinite prime, corresponding to the usual absolute value. The general case follows exactly the same lines. For the Bernoulli denominators, for each odd prime p, let q = (p − 1)/2 and let q = 2 if p = 2. Define Xp = Z/qZ. Now define Tp : Xp → Xp by the map Tp (x) = x + 1 mod q. Plainly Fixn (Tp ) = q if and only if q|n. The Clausen von Staudt Theorem [454], [548] states that X1 ∈ Z, Bn + p where the sum ranges over primes p for which p − 1|n. Thus Fixn (Tp ) = max{1, |B2n |p }, which concludes the proof.

This came about because the sequence b : 6, 30, 42, . . . of denominators of even Bernoulli numbers is everywhere locally realizable: For each prime p, the p-part

180


[bn ]p is itself a realizable sequence. It turns out that the numerators of the even Bernoulli numbers are realizable globally, but not locally at the irregular primes (see [773]). Taking these remarks together with n = pr in Lemma 8.4, suggests a dynamical interpretation of the Kummer congruences which are stated now (for a proof of these see [548]). If p denotes a prime and p − 1 does not divide n then n ≡ n0 mod (p − 1)pr implies (1 − pn−1 )

0 B n0 Bn ≡ (1 − pn −1 ) 0 n n

(mod pr+1 ).

8.3. Group Automorphisms and Subshifts Example 8.1 included a map constructed on the set of all infinite paths on a labelled graph. It will be useful to record here the periodic point sequence associated to this construction in general, and to a simple class of algebraic examples. Example 8.11. Given a matrix A ∈ Mk (Z+ ), there is an associated subshift of finite type TA : XA → XA , with trace(An ) points of period n. The set XA is the set of labels of infinite paths on the graph with adjacency matrix A, and the map TA is the left shift on this set. Two simple cases are worth mentioning: (1) If A = (aij ) ∈ Mk ({0, 1}), then XA = {x ∈ {1, . . . , k}Z : axj xj+1 = 1 for all j} and TA is the left shift on the closed subset XA of the compact space {1, . . . , k}Z . (2) If A = (aij ) has aij = 1 for all i and j, then the full shift on k symbols is obtained, with k n points of period n. The defining matrix A is called irreducible if for each pair i, j there is some power of A for which the (i, j)th entry is positive. Example 8.12. Recall Example 8.1(4): Let AF denote the automorphism of the d-torus defined by the companion matrix of the monic polynomial F ∈ Z[x]. Qd Qd Then Fixn (AF ) = ∆n (F ) = i=1 |λni − 1| where F (x) = i= (x − λi ). By analogy with the dynamical properties of the map AF , call F ergodic if no λi is a root of unity, expansive if no λi has unit modulus, and quasihyperbolic if it is ergodic but not expansive (see Lind [646]). 1 ] be the smallest subring of the rationals in Example 8.13. Let R = Z[ q1 ...q s which the chosen primes q1 , . . . , qs are invertible. Then, for each ξ ∈ R× , the ˆ→X =R ˆ dual to the automorphism x 7→ ξx of R is a automorphism T : X = R Qs homeomorphism of a compact space with |ξ n − 1| × i=1 |ξ n − 1|qi points of period n.

For example, if s = 1, q1 = 2, and ξ = −2, then this construction gives a map T : X → X for which there are |(−2)n − 1|2 × |(−2)n − 1| = |(−2)n − 1| points of period n.

8.4. REALIZATION IN RATE

181

8.3.1. Growth rates. The number of periodic points in an irreducible subshift of finite type or an ergodic toral automorphism always has a specific logarithmic growth rate, related to a global invariant of the dynamical system. Theorem 8.14. If T is an irreducible subshift of finite type or an ergodic toral endomorphism, then 1 log Fixn (T ) −→ h(T ), n where h(T ) (the topological entropy of T ) is given by log λA if T is the subshift of finite type corresponding to the matrix A with Perron-Frobenius eigenvalue λA , Pd and i=1 log+ |λi | if T is the toral endomorphism corresponding to the matrix with eigenvalues {λ1 , . . . , λd }. For sequences of the form given in Example 8.1(4), Lehmer [615] used the more delicate measure Fixn (AF )/ Fixn−1 (AF ); this converges in the expansive case but never converges in the quasihyperbolic case. Example 8.13 is rather different: The sequence of periodic points is not in general a linear recurrence sequence, and the growth rate may be extremely complicated (see [200] for some examples, and [1202] for conjectures and results about ‘typical’ examples, where the Artin and Mersenne conjectures appear yet again). It should be noted that the examples of exotic sequences of periodic points constructed for group automorphisms in [298] are not correct; indeed they violate Lemma 8.4. 8.4. Realization in Rate The sharp property in Definition 8.3 has a softer counterpart expressing the property of being approximated by the sequence of periodic points for some map. Write bxc for the greatest integer less than or equal to x and dxe for the smallest integer greater than or equal to x. A sequence (φn )n≥1 is realizable in rate if there is a map T : X → X for which Fixφnn(T ) → 1 as n → ∞. Theorem 8.15. Let α, β be positive constants. (1) If φn → ∞ with φnn → 0, then φ is not realizable in rate. (2) The sequence (bnα c) is realizable in rate if and only if α > 1. (3) The sequence (bβ n c) is realizable in rate if and only if β ≥ 1. Proof. 1. Assume that φ is realizable in rate; let (Fixn ) be the corresponding Fixn n sequence of periodic points. Then Fix φn → 1, so { φn } is bounded. It follows that { Lφnn = φnn On } is bounded, and hence Ln = n On = 0 for all large n. This implies n that Fixn is bounded, and so Fix φn → 0, which contradicts the assumption. 2. For α ∈ (0, 1) this follows from the previous part. Suppose therefore that (n) is exactly realizable. Then there is a sequence or periodic points (Fixn ) with Fixn /n → 1, so for p a prime, p Op = Lp = Fixp − L1 , and therefore Op → 1 as p → ∞. Since Op is an integer, it follows that Op = 1 for all large p. Now let q be another large prime. Then Fixpq Lpq + Lp + Lq + L1 Lpq 1 1 L1 , = = + + + pq pq pq p q pq so

1 1 L1 Fixpq + + − ∈ Z. p q pq pq

182


Fix p large and let q tend to infinity to deduce that 1 ∈ Z, p which is impossible. The same argument shows that Fixn /n cannot have any positive limit as n → ∞. Q For α > 1, let On = dnα−1 p|d (1 − p−α )e, where the product runs over prime divisors. Then X Y X X dα (1 − p−α ) = nα ≤ dfdo = fn ≤ nα + d, d|n

p|d

d|n

d|n

α

so 0 ≤ Fixn −φn ≤ o(n ). 3. This is clear: For β < 1 the sequence is eventually 0; for β > 1 the construction used in part 2. works. There are sequences growing more slowly than nα , α > 1 that are realizable in rate: In [945, Chap. 5] it is shown that (bCns (log n)r c) is realizable in rate for any r ≥ 1, C > 0, s ≥ 1. Much of this chapter was motivated by the thesis of Yash Puri, [945]. Most of the results appeared in [317]. Background on Example 8.11 may be found in the book of Lind and Marcus [648]; the periodic-point formula is in [648, Prop. 2.2.12]. Example 8.13 comes from [200].

CHAPTER 9

Finite Fields and Algebraic Number Fields 9.1. Bases and Other Special Elements of Fields As mentioned in Section 6.2, the Shanks sequence (6.8) and its generalizations are used in computational number theory because they provide explicit formulaæ for fundamental units of the corresponding quadratic number fields [925], [1209]. For example, p p εx = 4−x (2x + 1 + Sx )(2x + 3 + Sx )x √ is a fundamental unit of Q( Sx ). Let L be a field and K a normal extension of degree n. Any normal extension has a normal basis, that is a basis of the form (9.1)

σ0 (α), σ1 (α), . . . , σn−1 (α),

α ∈ K,

where {σi } is the Galois group Gal(K/L). Although the approach described here works in many other situations we concentrate on the cases L = Q and L = Fq . In the latter case (9.1) takes the form (9.2)

α, αq , . . . , αq

n−1

,

α ∈ Fq n .

A survey of methods to construct normal bases (with an emphasis on the case L = Fq ) is given in [1080, Chap. 4]. Here we present only certain relevant results which heavily rely on the theory of linear recurrence sequences. Historically, the first connection between normal bases and linear recurrence sequences was discovered in [1111], [1113]. In those papers the problem of finding a primitive normal basis over Fq is considered. That is, a normal basis of the form (9.2) for which α is a primitive root of Fqn . The question about the existence of such bases was raised by Davenport [242] in 1952. In full generality, the existence result, as well as a brief outline of previous results are presented by Lenstra and Schoof [620]. Theorem 9.1. Let α be a primitive root of Fqn . Then there is an absolute constant c > 0 such that for some h ≤ N (n, q) where N (n, q) = max cn log q, exp exp(c log2 n) , αh generates a primitive normal basis of Fqn over Fq . Proof. The elements αx , αxq , . . . , αxq

n−1

form a primitive normal basis if and only if (x, q n − 1) = 1 and if they are linearly independent over Fq . Fix a normal basis i

ωi = ω q ,

0 ≤ i ≤ n − 1, 183

184

9. FINITE FIELDS AND ALGEBRAIC NUMBER FIELDS

of Fqn over Fq . Denote the coordinates of the elements αx in this basis by a0 (x), . . . , an−1 (x), so that ν

αxq =

n−1 X

ai−j (x)ωi

0 ≤ j ≤ n − 1,

i=0

where a` (x) = a`+n (x) for ` < 0. Denote by A(x) the circulant matrix A(x) = (ai−j (x))0≤i,j≤n−1 . It is clear that αx generates a normal basis if and only if det A(x) 6= 0. On the other hand, αx is primitive if and only if (x, q n − 1) = 1. Let f (X) = X n − fn−1 X n−1 . . . − f1 X − f0 be the minimal polynomial of α over Fq . Then, for each i = 0, . . . , n − 1, the sequences ai satisfy the recurrence relation ai (x + n) = fn−1 ai (x + n − 1) + · · · + f0 ai (x),

x ∈ N.

Let ρ1 , . . . , ρn be distinct n-th roots of unity in Fq . Then det A(x) = b1 (x) . . . bn (x),

x = 1, 2, . . . ,

where bi (x) = a0 (x) + ρi a1 (x) + · · · + ρn−1 an−1 (x), i

1 ≤ i ≤ n.

Since Fqn has a normal basis over Fq , each sequence bi , 1 ≤ i ≤ n, is non-zero. i j It is easy to see that αT q 6= αT q if 0 ≤ i < j ≤ n − 1 and 0 < T < q. Hence, applying Theorem 2.9 to each sequence b1 , . . . , bn (with τ ≥ q) we find that the number of integers x ≤ N with det A(x) = 0 is T1 (N ) ≤ 2n2 N −δn + q −δn . On the other hand, the number of x ≤ N with (x, q n − 1) = 1 is T2 (N ) ≥ π(N ) − ν(q n − 1). Noticing that T1 (N (n, q)) < T2 (N (n, q)) we obtain the assertion.

This statement is non-trivial in the sense that N (n, q) ≤ q n for n ≤ exp C(Log log q)1/2 with some absolute constant C > 0. Schlickewei and Stepanov [1016] noticed that the same method can be transferred directly to the study of normal bases of algebraic number fields K whose Galois group is cyclic. More precisely, they deal with normal bases generated by powers of a fixed element α ∈ K. Multiplicity bounds presented in Section 1.1 play the role of Theorem 2.9 in the considerations above. Later, in [1015], [1112], the results of that paper were transferred to arbitrary algebraic number fields and drastically improved by using better estimates from [1013] for the number of zeros of linear recurrence sequences. The result of [1013] is supplemented by that of [5]. The next result is one of the results from [1015] relying on the bound (1.21) from [1013]. Other bounds imply other version of this assertion.

9.1. BASES AND OTHER SPECIAL ELEMENTS OF FIELDS

185

Theorem 9.2. Let K be a Galois extension of Q of degree n. Suppose that α ∈ K generates a normal basis of K over Q. Then there exists an effectively computable subset R(α) ⊂ Q of cardinality 2 2n − 1 |R(α)| 2n3 n−1 such that, for each r ∈ Q\R(α), all powers (α + r)x , x ∈ Z, with possibly 22 exceptions, generate a normal basis of K.

7n

Over number fields some complications arise which do not occur in the case of finite fields. First, the exceptional set R(α) must be introduced to guarantee that the corresponding linear recurrence sequence is non-degenerate. The characteristic roots of that sequence are all possible products of the form s

sn

(σ1 (α) + r) 1 . . . (σn (α) + r)

,

si ≥ 0, s1 + . . . + sn = n.

Thus the sequence itself is of order L=

2n − 1 . n−1

Indeed, the analogue of the matrix A in the proof of Theorem 9.1 is not circulant, so its determinant is still a linear recurrence sequence but cannot be split into a product of n linear recurrence sequences of order n. To exclude degeneracy, we have to exclude the set R(α) of solutions r ∈ Q of the equations s

sn

(σ1 (α) + r) 1 . . . (σn (α) + r)

t

tn

− ρ (σ1 (α) + r) 1 . . . (σn (α) + r)

=0

where ρ runs through the roots of unity in K, and where (s1 , . . . , sn ) 6= (t1 , . . . , tn ) satisfy si ≥ 0, s1 + . . . + sn = n; ti ≥ 0, t1 + . . . + tn = n. Therefore |R(α)| ≤ nmL where m is the number of roots of unity of K. We have ϕ(m) ≤ n, thus m = O(n Log log n). In the same paper, the considerations used in the proof of Theorem 4.4 are applied to derive the following statement [1015]. Theorem 9.3. Let K be an abelian extension of Q of degree n. Suppose the Galois group Gal(L/Q) is a product of s cyclic groups of orders n1 , . . . , ns respectively. Suppose moreover that α is an element in L such that for some integer k, αk generates a normal basis of K over Q. Let N (K) = nτ (n1 )...τ (ns ) . Then for each M ∈ Z at least one of the powers αM +x ,

1 ≤ x ≤ N (K),

generates a normal basis of K over Q. In particular, this implies that for s fixed (indeed for s = o(log n)), log N (K) = O(nε ). Moreover, for cyclic extensions of degree n one can take n + τ (n) − 1 N (K) = . n These questions concerning normal bases of algebraic number fields generated by powers might seem to be a bit unnatural, but they are related to a very classical

186


question about normal bases generated by a unit. For example, let ε1 , . . . , εr be a multiplicative basis of the group of fundamental units K,and put Nn = 2n−1 . If n K has a normal basis over F generated by a unit, then there exists a root of unity ρ ∈ R(K) such that, for any integers M1 , . . . , Mr , at least one unit 1 +x1 r +xr . . . εM , ε = ρεM r 1

1 ≤ x1 , . . . , xr ≤ Nn

generates a normal basis of K. Lorenz [656] proves that any finite normal extension K of an algebraic number field F has a normal basis which consists of units if and only if K is not of one of the following ‘exceptional’ types: • K is imaginary; • F is real; • every unit of K is either real or pure imaginary. Several other results can be found in [486] as well. All these results above about the distribution of normal bases can be translated into efficient algorithms to construct such bases. Some interesting equations involving linear recurrence sequences are in the paper [858] addressing so-called exceptional units. These are units ε of an algebraic number field K for which 1 − ε is also a unit. Primitive roots of finite fields are another type of special element for which the theory of linear recurrence sequences can be useful. For example, it is not known if there are any approaches to the complete solution of this question via linear recurrence sequences (or via any other technique; a survey of this problem is in [1080]). On the other hand, one can consider approximate versions of this question which are important from the point of view of practical computation and are theoretically attractive as well. • Given an integer T , construct a field Fq and an element α ∈ Fq of period at least T . • Given a prime p and an integer T , construct a field Fq of characteristic p and an element α ∈ Fq of period at least T . Of course ‘construct’ should be understood as ‘efficiently construct’, preferably in polynomial time. Also, it is desirable to have q as small as possible. Surprisingly, there is a very nice answer to the first question and a satisfactory answer to the second one. Let p be the smallest prime with 2p − 1 ≥ T, p−1 so p ∼ 12 log T . The bound (6.16) says that the roots of the Artin–Schrier polynomial X p − X − 1 are of period at least T . Thus we obtain a very simple and efficient construction of a finite field Fq with q = T O(Log log T ) elements, and an element α ∈ Fq of period at least T . In the language of complexity theory, this is a polynomial (indeed, quasi-linear) time construction. For the second question, when the characteristic is fixed, the situation is more complicated and a more ingenious approach is needed. To explain this construction, we introduce Gaussian periods over a field Fq . Let n and k be positive integers such that r = nk + 1 is prime with gcd(r, q) = 1, and let β be a primitive r-th root of

9.1. BASES AND OTHER SPECIAL ELEMENTS OF FIELDS

187

unity in Fqr−1 . A Gaussian period of type (n, k) is defined as α=

k−1 X

in

βg ,

i=0

where g is a primitive root of Fr . Gaussian periods can also be defined for algebraic number fields, and there is a similar construction for composite r. Gaussian periods are of great interest but unfortunately, there are two obstacles on the path to finding good complexity estimates for their construction. The first is, given n we need to find or at least to estimate the smallest k satisfying the conditions above. The second is finding β, which is equivalent to factoring cyclotomic polynomials. Nevertheless, as Bach and Shallit demonstrate in [48], both problems can be satisfactory solved under the Generalized Riemann Hypothesis. They provide the conditional bound k n4 log2 (np) for the smallest acceptable k, and design a polynomial-time algorithm for factoring cyclotomic polynomials. Moreover, if the characteristic of Fq if fixed, then Berlekamp’s algorithm factors any polynomial over Fq (not necessary cyclotomic) in polynomial time and does not rely on any unproven hypothesis. A survey of various improvement of Berlekamp’s basic scheme is presented in [1080, Sect. 1.1]. Gao, von zur Gathen and Panario [362] show that if r = nk + 1 is prime and gcd(nk/t, n) = 1 where t is the period q modulo r, then any Gaussian period α of type (n, k) generates a normal basis of Fqn over Fq . They also present many computational results showing that very often a Gaussian period is of large multiplicative order or even is a primitive root of Fqn (thus generating a primitive normal basis of Fqn over Fq ). The paper [365], although having a classical numbertheoretic flavour, has been motivated by applications to Gaussian periods. The papers [366], [368], [367] have been motivated by that computation. Below we present two results obtained there, in slightly simplified forms. Let A be the set of all Artin integers a ∈ N . Those are integers for which Artin’s conjecture holds in the following quantitative form: a ∈ A if and only if a is a primitive root for πa (N ) N/ log2 N primes less than or equal to N . As shown in Section 1.5, it is known that A contains the odd powers of all but at most three prime numbers, and contains all prime numbers under the Generalized Riemann Hypothesis. Theorem 9.4. For any fixed prime power q ∈ A there is a constant c(q) > 0 such that for any N ≥ 2 there is an integer n with N ≤ n ≤ c(q)N log N such that α = β + β −1 where β is a primitive (2n + 1)-th root of unity in Fq2n , generates a normal basis of Fqn over Fq , and has period T ≥ 2(2n)

1/2

−2

.

The numbers n and α can be found in time polynomial in N . The following result holds for all primes, not only Artin primes, and produces a denser sequence of allowed n. In compensation, the property of α being normal is lost, and a weaker and less explicit bound is found. Theorem 9.5. There is an absolute constant C > 0 such that for any fixed prime power q there is a constant c(q) > 0 such that for any N ≥ 2 there is an

188


integer n with N ≤ m ≤ N + O(N/ logC N ) where m = ϕ(2n + 1) and such that α = β + β −1 , where β is a primitive (2n + 1)-th root of unity in Fqm , generates a normal basis of Fqm over Fq and has period T ≥ exp c(q)m1/2 . The numbers n, m and α can be found in time polynomial in N . The main ingredients of the proof are the bound (4.9) and the result of Tijdeman [1152]. All the constants above can be evaluated in terms of q, so the condition that q is fixed can be dropped by doing everything explicitly; see [366] for the details. It is plausible that the sub-exponential lower bound above can be essentially improved (perhaps to exp(cn)). Several more results of this kind have also been given in [367] and [368]. Returning to the original question about approximate constructions, notice that for any prime p and integer T , Theorem 9.5 provides a polynomial time construction of a field Fpn with n ∼ log2 T and an element α ∈ Fpn of period at least T . 9.2. Euclidean Algebraic Number Fields The Euclidean property and ‘near-Euclidean property’ (see below) of algebraic number fields (with respect to the field norm) is related to certain properties of finitely generated groups. It is also interesting to note that Lenstra [619] demonstrates that the Euclidean property with respect to some other function (a certain modification of the norm) is related to Artin’s conjecture and its modifications. Let K be an algebraic number field of degree n over Q, and let ZK be its ring of integers. For an integer ideal q, denote by Λq the residue ring modulo q, and by Λq∗ the multiplicative group of units of this ring. It is well-known that |Λq | = N(q) and |Λq∗ | = ϕ(q), where ϕ is the Euler function in ZK . For a residue class α ∈ Λq denote by Nq (α) the minimal norm of all elements of α, Nq (α) = min | N(a)|, a∈α

and let L(K, q) and A(K, q) be the largest and average values of Nq (α) over all residue classes of Λq∗ . That is, X 1 Nq (α). L(K, q) = max Nq (α), A(K, q) = α∈Λq∗ ϕ(q) α∈Λq∗

Clearly A(K, q) ≤ L(K, q) = O(N(q)). Upper bounds for the implied constant in this estimate are obtained by Davenport in [243] where some connections of this problem with the theory of Diophantine approximation are found. Notice that the inequality L(K, q) < N(q) (even for principal ideals) would mean that K is Euclidean with respect to its norm (so far very few examples of such fields are known, see [618], [619], [622], [810],

9.2. EUCLIDEAN ALGEBRAIC NUMBER FIELDS

189

[859]; a complete catalogue of known Euclidean number fields is given in [617]). On the other hand, upper bounds on L(K, q) and A(K, q) show that in some sense any algebraic number field is nearly Euclidean, or is at least Euclidean on average. Now suppose that K has r ≥ 1 fundamental units; that is, that K is neither Q nor an imaginary quadratic extension of Q. Egami [276] was the first to notice that non-trivial estimates for A(K, q) are possible, and proved that A(K, p) = o(pn ) for almost all p ∈ P. From now on it will be convenient to identify integer algebraic numbers with the corresponding principal ideals. Thus, (9.3)

A(K, q) = o(N(q))

for some infinite sequence of integer ideals q. In fact, Egami formulates this result in a slightly different but equivalent form. Thus in fields with r ≥ 1 the behavior of A(K, q) differs from that of A(Q, q) with integers q ≥ 2, for there one has X A(Q, q) = q −1 |a| = q/4 + O(1). −q/2≤a 0 let Bh denote the box Bh = {z = z1 ω1 + . . . + zn ωn ∈ ZK ; |zi | ≤ h, i = 1, . . . , n}. Denote by R(U, q, h) the set of α ∈ Λq such that the congruence αu ≡ x − y (mod q), u ∈ Uq , x, y ∈ Bh , has no solution. Let H(U, q) denote the minimal h for which R(U, q, h) = 0. Further, let H(ϑ) be the height of ϑ ∈ ZK , that is, the maximal absolute value of coordinates in the representation of ϑ with respect n to the basis ω1 , . . . , ωn . Then | N(ϑ)| ≤ (nωH(ϑ)) , where ω is the maximum of the absolute values of ω1 , . . . , ωn and of their conjugates over Q. So, for α ∈ n Λq \R(U, q, h), Nq (α) ≤ (nωh) . Denote by `p (N ) and Lp (N ) the number of classes α ∈ Λp with Np (α) = N and Np (α) > N , respectively. The considerations above show that Lp (N ) ≤ |R(U, p, n−1 ω −1 N 1/n )|. On the other hand, L(K, p) = max{L : Lp (N ) = 0, N ≥ L}. and N(p)−1

A(K, p) = N(p)−1

X N =1

N(p)−1

lp (N )N = N(p)−1

X

Lp (N ).

N =0

Thus, in order to get an upper bound for L(K, q), it is enough to find a non-trivial upper bound for H(U, q), just as an upper bound for |R(U, q, h)| is needed to estimate A(K, q). This reduces the original problem to a question on the distribution of elements of Uq .


191

To treat this problem, estimates for character sums on elements of finitely generated groups, in particular the estimates presented in Section 2.1 (‘individual’ as well as ‘on average’) could be used. After a standard technical argument, one can derive from (2.2) that for any prime ideal p |R(U, p, h)| = O N(p)|Up |−1 (1 + N(p)2 h−2n ) and H(U, p) = O N(p)3/2n |Up |−1/n . This implies (9.5). Also, for a prime ideal of first degree, (9.6) can be derived from (2.4) and (2.4). For a prime ideal p of first degree one can get the estimate |R(U, p, h)| = O N(p)|Up |−3/2 1 + N(p)4 /h4n , which improves the previous one for some values of parameters but unfortunately does not improve (9.6). Finally, for a sufficiently large power pk of an unramified fixed prime ideal p of first degree, (4.9) implies H(U, pk ) = O(1), and (9.7) follows. Some comments on these bounds are in order. First, there are links between the problems considered and an appropriate version of Artin’s conjecture for algebraic number fields. Indeed, if Up = Λp∗ for an infinite sequence of prime ideals p (this can be viewed as a modification of Artin’s conjecture) then L(K, p) = 1 for this sequence. Note that elementary considerations give the lower bound n−1

L(K, q) ≥ A(K, q) N(q)/|Uq | (log log N(q))

(9.8)

,

revealing (together with (9.5) – (9.7)) that the behaviour of L(K, q) and A(K, q) depends on the size of Uq . To show (9.8), denote by τn (N ) the number of representations of integer N > 0 as a product of n different positive integers. It follows from [810, Lem. 4.2] that there exist at most τn (N ) integer ideals q with N(q) = R. Thus `q (N ) = O (|Uq |dn (N )). The well-known estimates Q X

dn (N ) = O(Q(log log Q)n−1 ),

ϕ(q) N(q)/ log log N(q)

N =1

and the equality N(q)−1

X N =1

`q (N ) = ϕ(q) − 1,

192


give N(q)−1

A(K, q)

=

ϕ(q)−1

X

lq (N )R

N =1 N(q)−1

=

−1

ϕ(q)

X

ϕ(q) − 1 −

Q=1

Q−1 X

! lq (N )

N =1

N(q)−1

=

−1

ϕ(q)

X

min{0, ϕ(q) − O(|Uq |Q(log log Q)n−1 )}

Q=1 n−1

ϕ(q)/|Uq | (log log ϕ(q))

n

N(q)/|Uq | (log log N(q)) .

In particular, one can derive from this bound that, for r = 1 (that is, n ≤ 4), A(K, q) can be large. Indeed, consider the sequence of principal ideals qk = (εk − 1), k = 1, 2, . . . , where ε is a fundamental unit of K. It is easy to prove that |Uqk | = O(k) = O(log N(qk )) for such ideals, so n

A(K, q) N(q)/ log N(q) (log log N(q))

for an infinite sequence of integer ideals. We are not aware of other non-trivial general lower bounds for L(K, q) and A(K, q) (in terms of N(q) only). Any such bounds would be very interesting. Of course there is a gap between (9.8) and the upper bounds above, but (9.8) seems to be more precise. As the next step, one could try to extend (9.5) to an arbitrary integer ideal q. An appropriate version of (9.5) (and therefore of Theorem 9.6) may perhaps be valid for arbitrary integer ideals q. Difficulties arise from zero-divisors in Λq but nonetheless it is believed possible to obtain such a generalization. If the bound (9.5) were generalized in this way one would get an estimates for |Uq | for almost all integer ideals, and the estimate of A(K, q) would be better than that which follows from (1.33). It is also possible that the bound A(K, q) = O N(q)|Uq |−1+ε holds for an arbitrary integer ideal q and any ε > 0. It may be too much to expect the weak estimate L(K, q) = o (N(q)) for all integer ideals. However, it is believed that L(K, q) = o (N(q)) for almost all integer ideals q. It would be very useful to study the statistical distribution of A(K, q) and L(K, q) on the sets of integer ideals, prime ideals and principal ideals, but this seems to be a difficult problem. If one could prove that L(K, q) = o (N(q)) (or at least A(K, q) = o (N(q))) for almost all principal ideals, this would mean that any algebraic number field is nearly Euclidean, and moreover that the analogue of the Euclidean algorithm would work and would run in a sub-logarithmic number of steps, for the majority of inputs. This is quite different to the Euclidean algorithm on the integers, where it runs


193

in a logarithmic number of steps in both the worst and average cases (see [549, Sect. I.2]). Finally, for applications to the Euclidean algorithm an important question is how fast can one find a ∈ α with | N(a)| = Nq (α) for all (or ‘almost all’) integer ideal q and all (or ‘almost all’) α ∈ Λq∗ ? Relations between a generalization of Artin’s conjecture and Euclidean number fields are discussed by Lenstra in [619]. In another paper [618], Lenstra develops a different approach to finding Euclidean number fields; many new results and references can be found in [622], [810], [859]. This approach is also related to studying finitely generated groups, and unit groups in particular. Lenstra [618] considers the largest integer M (K) with the property that there exists a set Ω = {ω1 , . . . ωM (K) } ⊂ ZK with ωi − ωj ∈ U,

1 ≤ i < j ≤ M (K),

where U is the unit group of K. If M (K) is large enough, then K is Euclidean. Lenstra also obtains some upper and lower bounds for M (K). The same quantity M (K, V ) can be defined with respect to any finitely generated multiplicative group V of K, but in this more general setting it is not clear how to apply the methods of [618], [622], [810], [859] to obtain upper and lower bounds for M (K, V ). These functions M (K, V ) are related to a question about the cycles in polynomial mappings over algebraic number fields — a problem briefly considered in Section 1.5 (for more details see [811, Chap. 12]). In [556], Konyagin and Shparlinski consider an analogue of these functions modulo an integer ideal q. Define M (K, V, q) to be the largest integer M such that there exists a set Ω = {ω1 , . . . , ωM } ⊂ Λq with (9.9)

ωi − ωj ∈ Vq ,

1 ≤ i, j ≤ M, i 6= j.

We present an upper bound for M (K, V, p) for prime ideals p. Using this bound and the trivial inequality M (K, V ) ≤ M (K, V, p), for an appropriate prime ideal p, one may get an upper bound for M (K, V ). In the case K = Q, q = p a rational prime number and Vp the set of quadratic residues modulo q, this function has been considered by Fabrykowski [331]. Theorem 9.9. Let K have r ≥ 1 multiplicatively independent fundamental units. If Vp = Λp∗ then M (K, V, p) = N(p). Otherwise ( 2 N(p)1/2 + 2, for any p, M (K, V, p) ≤ 4|Vp |2/3 + 2, if p is of first degree. In the particular case considered in [331], when q = p is prime, a lower bound of order log p holds (see [331, Theorem 3]). For groups with |Vp | large — of order N(p), say — this can be extended to the case of M (K, V, p). However, for smaller |Vp | — of order N(p)1−ε , say — the approach of that paper does not work, and this question about lower bounds is still open. It is possible that M (K, V, p) is bounded for |Vp | = O N(p)1−ε . In support of this conjecture, it is shown in [556] that for K = Q, p = p, M (Q, V, p) = 2 infinitely often for |Vp | > cp1/3 , where c > 0 is an absolute constant.

194


More generally, for a set Ω = {ω1 , . . . , ωM } ⊂ ZK , consider the directed graphs G(Ω, V ) and G(Ω, V, q) with vertices labelled by ω1 , . . . , ωM , and an edge from ωi to ωj if and only if ωi − ωj ∈ V and ωi − ωj ∈ Vq , respectively. Now M (K, V ) and M (K, V, q) are the maximal values of M such that there exist sets Ω for which the graphs G(Ω, V ) and G(Ω, V, q) are each M -vertex complete graphs, respectively. Gy˝ ory [438], [439] deals with various other problems concerning the graph G(Ω, V ). One might try to obtain analogues of those results for the graphs G(Ω, V, q). The question about the diameter of the graph G(Λp , V, p) can be reformulated as a variant of the Waring problem for Fpd , where N(p) = pd , for the power k = (N(p) − 1)/|Vp |. A survey of known results can be found in [554] and in [1080]. The majority of these results deal with the particular case of a prime field (that is, when p is an unramified prime ideal of first degree). For example, Konyagin’s [554] estimate (2.6) implies that for any ε > 0 and any prime ideal p of first degree with sufficiently large norm, the graph G(Λp , V, p) is connected, and has diameter 2+ε

D (G(Λp , V, p)) (log N(p))

.

Indeed, (1.33) implies that k = (N(p) − 1)/|Vp | p/ log p, and that bound is applicable. The rest goes along the standard lines of using bounds on exponential sums to derive bounds for the number of solutions of congruences and equations over finite fields. 9.3. Cyclotomic Fields and Gaussian Periods Let p be a prime, and g a fixed primitive root modulo p. In the papers [372], [373], Girstmair demonstrates relations between the distribution of the g-ary digits of 1/p (and thus residues of g x ) and some properties of the minus part h− (p, s) of the class numbers of the subfield Ks ⊂ Q (exp(2πi/p)) of degree [Ks : Q] = s, where s is an even divisor of p − 1, but 2s is not. Denote by δx , 0 ≤ δx ≤ g − 1 the g-ary digits of 1/p, ∞

1 X = δx g −x−1 . p x=0 As g is a primitive root modulo p, the sequence δ1 , δ2 , . . . is periodic with the least period p − 1. For a divisor s|p − 1 and j = 0, 1, . . . , s − 1, write (p−1)/s

Tj (p, s, g) =

X

δsx+j −

x=1

(g − 1)(p − 1) . 2s

The relation between Tj (p, s, g) and h− (p, s) is given by the following result from [373, Theorem 1]. Let s be even and p ≡ s + 1 (mod 2s). Then (9.10)

h− (p, s) =

r 2γ(s, p) Y X Tj (p, s, g)ζ j g r + 1 ζ∈C, j=1 ζ r =−1

9.3. CYCLOTOMIC FIELDS AND GAUSSIAN PERIODS

195

where r = s/2, and ( p, if p = s + 1, γ(s, p) = 1, otherwise. Put T (p, s, g) =

max |Tj (p, s, g)|,

0≤j≤s−1

 1/2 s−1 1 X τ (p, s, g) = |Tj (p, s, g)|2  . s j=0

In [556], results about the distribution of residues of exponential functions modulo p are used to derive the following bounds. Theorem 9.10. (1) T (p, s, g) min{p1/2 , p5/8 s−3/8 , p3/4 s−5/8 }g log p; 1/2 −1/2 (2) τ (p, s, g) gp s log p. Since Tj (p, s.g) = −Tj+n (p, s.g), j = 1 . . . , r, (9.10) implies that h− (p, s) ≤

γ(s, p) −s/2+1 s/2 2 s τ (p, s, g)s/2 . g s/2 + 1

Substituting the second estimate of Theorem 9.10 into this inequality gives h− (p, s)1/s p1/4 s−1/4 log1/2 p. Similar questions are studied in [374] for arbitrary integers rather than for primes. For example, expansions of 1/m and m-th cyclotomic fields are dealt with for m ∈ N. A relation between another classical question of algebraic number theory — that of Gaussian periods — and residues of exponential functions has been found by Myerson [798], [799]. Let p be a prime again. For a divisor t of p − 1, denote by Gt the subgroup of s-th powers of Fp∗ , where s = (p − 1)/tFp∗ , so |Gt | = t. Let R(t, p, a) be the number of representations a = g0 + . . . + gs−1 of a ∈ Fp as a sum of elements g0 , . . . , gs−1 chosen from each coset of Gt , that is, the number of solutions of the equation a=

s−1 X

g j+xj s ,

0 ≤ x1 , . . . ≤ t − 1,

j=0

where g is a primitive root of Fp . Myerson studies this function in the papers [798], [799]; it turns out that it has many relations to a number of quite different deep problems in number theory. It is shown in these papers that R(t, p, a) takes only two different values: R(t, p, 0), and the same value for all non-zero a ∈ Fp . Thus R(t, p, 0) + (p − 1)R(t, p, 1) = ts . Also, there is the non-trivial relation R(t, p, 0) − R(t, p, 1) =

s−1 Y

ηj ,

j=0

where ηj =

t−1 X

exp(2πiϑj+xs /p),

j = 0, . . . , s − 1,

x=0

are Gaussian periods, [798], [799]. It is known that ηj , j = 0, . . . , s − 1, are conjugate algebraic integers. Therefore, it is enough to concentrate on the norm

196


NQ(η0 )/Q (η0 ). It is more convenient to work with N (t, p) = | NQ(η0 )|Q (η0 )|1/s . To emphasize the link to cyclotomic fields, notice that it can also be written in the form N (t, p) = | NQ(η0 )|Q TQ(exp(2πi/p)|Q(η0 )) exp(2πi/p)|1/s . In [798], Myerson proposes the following approach to estimating N (t, p). The geometric mean – arithmetic mean inequality implies that  1/2 s X N (t, p) ≤ s−1 |ηj |2  , j=1

and the last sum is equal to p − t. Indeed, t−1 2 p−1 X s X X s s |ηj |2 = exp (2πiaϑxs /p) = (pt − t2 ) = p − t p − 1 p − 1 a=1 x=0 j=1 (this is a version of (2.8) with n = 1). Hence, N (t, p) < t1/2 .

(9.11)

A very interesting asymptotic formula is conjectured in [798]. We present it for the case of prime t; for composite t some technical adjustments are needed. Let ! t−1 t−1 X X F (x1 , . . . , xt−1 ) = exp(2πixi ) + exp −2πi xi . i=1

i=1

The conjecture is that if t is a fixed prime number, then Z 1 Z 1 (9.12) log N (t, p) ∼ ... log |F (x1 , . . . , xt−1 )| dx1 . . . dxt−1 . 0

0

There are natural reasons for suspecting this might be true. Put g = ϑs ; since g t−1 ≡ −1 − g − . . . g t−2 (mod p), ηj = F (ϑj /p, ϑj g/p, . . . , ϑj g t−2 /p),

j = 0, . . . s − 1.

Also, 1/s

 (9.13)

s−1 Y

N (t, p) = 

F (ϑj /p, ϑj g/p, . . . , ϑj g t−2 /p)

j=0

(9.14)

=

p−1 Y

!1/(p−1) F (a/p, ag/p, . . . , ag

t−2

/p)

.

a=1

It follows from [799, Theorem 12] that, for t prime, the sequence of points (a/p, ag/p, . . . , ag t−2 /p),

a = 1, . . . p − 1,

is uniformly distributed modulo 1 in the (t − 1)-dimensional unit cube. So, for any continuous function f , Z 1 Z 1 p−1 1 X t−2 f (a/p, ag/p, . . . , ag /p) ∼ ... f (x1 , . . . , xt−1 ) dx1 . . . dxt−1 p − 1 a=1 0 0

9.3. CYCLOTOMIC FIELDS AND GAUSSIAN PERIODS

197

and the error term can be estimated (if the considerations of that theorem are put in the quantitative form (9.16) and one uses the Erd˝os–Turan inequality for discrepancy, see [569]). Unfortunately the function log |F | is not continuous. This is the main obstacle to proving (9.12). Nevertheless, in [799], this is proved for t = 3 (that is, s = (p − 1)/3). In this case the set of singular points of log |F (x1 , x2 )| is finite, while for t ≥ 5 it is not. This problem is analogous to the difficulties involved in proving convergence results for Mahler measure (see [122], [606]). It is shown in [556] that in any case, the integral in (9.12) can be used as an upper bound for ln N (t, p). That is, for any prime t Z 1 Z 1 lim sup log N (t, p) ≤ ... log |F (x1 , . . . , xt−1 )| dx1 . . . dxt−1 . p→∞

0

0

The cases t = 2 and t = 4 are simpler: N (2, p) = N (4, p) = 1. An improvement of (9.11) is given in [556]. Theorem 9.11. N (t, p) ≤ (t − 3/4)1/2 . Although for large t, Theorem 9.11 is not much stronger than (9.11), for small t it produces better estimates. Nevertheless, it shows that (9.11) can be improved. For example, N (3, p) ≤ 1.5, which is better than the 1.732 . . . provided by the estimate (9.11), but of course is worse than the precise value 1.381 . . . given by (9.12). For t = 5, N (5, p) ≤ 2.061 . . . while the bound (9.11) gives N (5, p) ≤ 2.236 . . .. It is observed in [556] that the integral (and its modification for composite t) on the right-hand side of (9.12) really gives an asymptotic upper bound for N (t, p). This integral has been estimated for large t, giving −γ/2 N (t, p) e , if t is odd; lim sup lim sup 1/2 ≤ 2−1/2 e−γ/2 , if t is even t t→∞ p→∞ where γ is the Euler constant. Of course e−γ/2 < 0.75 and 2−1/2 e−γ/2 < 0.53. On the other hand, at the moment we do not know any approach to proving (9.12) in full generality. We do not even know any non-trivial lower bounds for N (t, p). The original question about the number of representations can be asked for subgroups of the unit group modulo an integer M , and of the multiplicative group of a finite field. Although there is a real difference between the basic case of prime finite fields and these two, similar results can be obtained here as well. In particular, to estimate N (t, pr ), the analogue of N (t, p) over Fpr , exponential sum with TFpr /Fp (aϑj+xs ) (that is, with linear recurrence sequences of order r) are needed. In particular, (2.8) in full generality is needed. So far only the constant term of the minimal polynomial ! s−1 t−1 Y X j+hs ϕt,p (X) = X− exp(2πiϑ /p) j=0

h=0

(the Gaussian period polynomial of type (t, s)) has been considered. The other coefficients are just as important. The behavior of the coefficients of period polynomials and other related problems — their irreducible factors, for example — are dealt with in the paper of Gupta and Zagier [427] and in a series of papers of Gurak; see [430] and [431] for his recent results and references to earlier papers. Analogous questions are also considered with respect to an arbitrary finite field

198


Fq , where a crucial role is played by the quantity Tn (t, q), which is the number of solutions of the equation (considered over the ground prime field Fp ⊂ Fq ) TFq |Fp (ϑsx1 ) + . . . + TFq |Fp (ϑsxn ) = 0,

0 ≤ x1 , . . . xn ≤ t − 1

where ϑ is a primitive root of Fq . As usual Tn (t, q) can be expressed and studied via exponential sums with linear recurrence sequences. 9.4. Questions of Kodama and Robinson This section begins with a question attributed to Kodama by Niederreiter [828]. Let ` be an odd prime, and denote by T (`) the largest t for which there exists some integer g with gcd(g, `) = 1, of period t modulo `, and such that for some a, gcd(a, `) = 1, and all the smallest positive residues of ag x (mod `), x = 1, . . . , t, belong to the interval [1, (` − 1)/2]. The problem is related to a question considered in [1204], [1205] (and several other papers) on super-singular hyperelliptic curves over Fp of the form y 2 = x` + λ,

λ ∈ F∗p .

It follows from [1205, Lem. 2] that if this curve is not super-singular and p > (` − 1)/2, then the period p modulo ` does not exceed T (`). This was the primary motivation for the problem. Another reason is that this problem can be viewed as a discrete version of Mahler’s still unsolved 3/2-problem, considered in Section 5.3. The first upper bound of T (`) of the form T (`) = O(`1/2 log `) is stated in [828]. Moreover, [1205, Theorem 1] essentially claims that T (`) is odd. In [1076], [1080], the bound T (`) ≤ 100l3/7 is obtained. Finally, it is shown in [556] that (2.5) implies a better estimate. Theorem 9.12. T (`) `1/3 . Using Theorem 9.12, it may be shown (see [556], [1080]) that, for a given `, the density δ(`) of primes p for which the corresponding curve is not super-singular over Fp is quite small, δ(`) = O(`−2/3+ε ). In fact δ(`) = O T (`)`−1+ε , so the bound for T (`) from [828] implies a non-trivial upper bound for δ(`) as well. On the other hand, for the following dual question it cannot imply anything because an estimate below the square-root bound for T (`) is needed. Given a prime p and integer L < 2p+1, let Np (L) be the number of primes ` ≤ L which correspond to non-super-singular curves. Then Np (L)

L2/3 log p . log(L log p)

In particular, the curve y 2 = x` + λ, λ ∈ F∗p is super-singular over Fp for almost all prime numbers ` of the segment [1, L] with L > log3 p log log p. This follows from the fact that Np (L) = o(π(L)) for such values of L. The question of lower bounds for T (`) is also important. Nakahara [803] shows that T (`) ≥ 3 infinitely often. Moreover, he proposes a construction showing that

9.4. QUESTIONS OF KODAMA AND ROBINSON

199

T (`) ≥ r whenever ` is a prime of the form ` = (ar − 1)/(a − 1) for an integer a > 2 and odd r > 1, thus T (`) log ` for such `. Of course it has not been proved that there are infinitely many primes of this form. Nonetheless, it is shown in [556] that 1 . log(2 + π/2) `→∞ This follows from known results about the distribution of prime numbers in arithmetic progressions, and the following statement.

(9.15)

lim sup T (`)/ log ` ≥

Theorem 9.13. Let r be a sufficiently large prime. Then, for all but O(4r r log r) primes ` ≡ 1 (mod r), T (`) ≥ r. It is also shown in [556] that selecting ` slightly greater (of the order r2r+o(1) ) eliminates the set of exceptional primes. Theorem 9.14. Let r ≥ 7 and ` be prime numbers such that ` ≡ 1 (mod r) and ` > (200000r + 2)r−1 r(2r−3)/2 . Then T (`) ≥ r. Both results are based on the following observation. Let g be of period r modulo `, where r is prime. Then solutions of the congruence m0 + m1 g + . . . + mr−2 g r−2 ≡ 0

(mod `)

cannot be too small in the following sense: (9.16)

max

k=0,...r−2

|mk | ≥ r−(2r−3)/2(r−1) `1/(r−1)

Indeed, the resultant R of the polynomials F (X) = m0 + m1 X + . . . + mr−2 X r−2 and G(X) = 1 + X + . . . + X r−1 is divisible by `. Therefore, since r is prime, G is irreducible over Z so R 6= 0, and therefore |R| ≥ `. On the other hand, by the Hadamard inequality, r−1 |R| ≤ max |mk | r(2r−3)/2 , k=0,...r−2

and (9.16) follows. If ` − 1 = 2q1 q2 , where q1 , q2 ≥ 100l3/8 are primes (or if ` − 1 = 2q, where q is prime, which is widely believed to be true for infinitely many prime `), then T (`) = 1. Unfortunately, at the moment one cannot hope to prove that either of these representations holds infinitely often. The best results of [457] give the representation ` = 2q1 q2 + 1 with q1 , q2 ≥ `α for some α > 1/4 (one can take α = 0.276 . . .; see the proof of [457, Lem. 1]). Nevertheless, it is shown in [556] that this weaker result together with Theorems 2.8 and 9.12 produces the following result. Theorem 9.15. lim inf T (`) = 1. `→∞

Certainly, Theorems 9.13 and 9.14 lead to a non-trivial lower bound for T (`) for almost all primes `. On the other hand, Theorem 2.8 readily produces an upper bound. More precisely, it can be shown that for any function ψ(`) → 0 and any ε > 0, logψ(`) ` ≤ T (`) ≤ `ε

200


for almost all primes `. It is possible that these bounds can be tightened to logA1 −ε ` ≤ T (`) ≤ logA2 +ε `, for almost all primes `, with some absolute constants A2 ≥ A1 > 0. It is also possible that A1 = A2 = 1 will suffice. Moreover, it is also quite possible that T (`) ≤ log1+ε ` for all primes `. The bound (9.15) shows that this would be the best possible result. Another question about fitting the values of a single exponential function on an interval is raised by Robinson [974]. Let p be an odd prime, and let m > 1 be a divisor of p − 1. For each m-th power residue a modulo p, define Hm,p (a) to be the largest absolute value of all m solutions of the congruence xm ≡ a (mod p),

−(p − 1)/2 ≤ x ≤ (p − 1)/2.

Clearly, Hm,p (a) can take at most (p − 1)/m distinct values (as there are (p − 1)/m distinct m-th power residues modulo p), which can be enumerated in the nondecreasing order M1 (m, p) ≤ · · · ≤ M(p−1)/m (m, p). Finding lower bounds for M1 (m, p) is in some sense dual to the problem considered above concerning T (`). First notice that the estimates (9.17)

mj/2 ≤ Mj (m, p) ≤ (p + 1)/2 − (p − jm − 1)/2m

follow from elementary counting arguments (as there are exactly m different values x, |x| ≤ Mj (m, p) corresponding to each Mj (m, p), 2Mj (m, p) ≥ mj; similar considerations imply the upper bound too). Robinson [974], among many other interesting results, shows that M1 (m, p) ≤ 2ν∗ (m) p1−1/ϕ(m)

(9.18)

where ν∗ (m) is the number of distinct odd prime divisors of m. Powell [941] obtains the better bound     Y (9.19) M1 (m, p) ≤ min p1−1/m , `1/(2`−2) p1−1/ϕ(m) .   `|m, 3≤`∈P

Clearly Y

1/(2`−2)

`

`|m, 3≤`∈P

1/2

ν(m)

log m log log m

1/2 ,

so (9.19) is of the same order as (9.18) with respect to p, but improves it dramatically with respect to the factor depending on m. For m with special arithmetic structure, better bounds are obtained. For example, for m = 2s 3t , M1 (m, p) ≤ 2 × 3−1/2 p1−1/ϕ(m) . Powell [941] also proves a lower bound of the same order (at least for fixed or small m). Roughly speaking, this can be written in the form     Y M1 (m, p) ≥ min p/m, ϕ(m)1/2 m−1 `1/(`−1) p1−1/ϕ(m) .   `|m, 3≤`∈P

9.4. QUESTIONS OF KODAMA AND ROBINSON

201

Clearly, ϕ(m)1/2 m−1

Y

`1/(`−1) ≥ (2m)−1/2

`|m, 3≤`∈P

Y

(1 − 1/`)1/2 `1/(`−1) m−1/2 .

`|m, 3≤`∈P

Several other lower bounds for M1 (m, p) are presented in [556]. These are obtained using a quite different method, and are mainly useful for larger values of m. Powell [941] studies the problem of when M1 (m, p) is about of its expected order p1−ϕ(m) , while the authors of [556] concentrate on the case when M1 (m, p) reaches its trivial upper bound (p − 1)/2. The method of [941] uses geometry of numbers, while results of [556] are based on bounds for exponential sums. For m of order log p, both approaches give very similar results. Another result of [556] gives a lower bound for Mj (m, p) for any j. Theorem 9.16. For all j = 1, . . . , (p − 1)/m, Mj (m, p) ≥ (p − 1)/2 − p3/2 /mj 1/2 . Notice that (9.17) implies that Mj (m, p) ∼ (p − 1)/2 if j ∼ (p − 1)/m, while Theorem 9.15 does the same for jm2 p−1 → ∞. For M1 (m, p) several more bounds are available. Theorem 9.17. M1 (m, p) > (p − 1)/2 + O min m−5/8 p5/4 , m−3/8 p9/8 . In particular, M1 (m, p) ≥ (p − 1)/4 if m ≥ 1728p3/8 and Mj (m, p) ∼ (p − 1)/2,

j = 1, . . . , (p − 1)/m,

−3/8

if mp → ∞. A slightly weaker estimate, which holds for m of much lower order, follows from [554, Lem. 6]. Theorem 9.18. For m > log p(Log log p)−1+ε , M1 (m, p) p/(log p)1/2+ε . The bound of Theorem 9.18 is very precise as it follows from (9.19) that for any δ > 0 the bound M1 (m, p) p/(log p)δ implies that m log p(log log p)−1 . On the other hand, knowledge about values of m for which M1 (m, p) is of the order p is poor. Denote by µ(p) the smallest µ such that M1 (m, p) > (p − 1)/4 if m ≥ µ, p ≡ 1 (mod m). The bound (9.19) and Theorem 9.17 imply that lim sup µ(p)/ log p > 0 p→∞

and

lim sup µ(p)/p3/8 < ∞, p→∞

respectively. A tighter bound for µ(p) would be of much interest.

CHAPTER 10

Pseudo-Random Number Generators 10.1. Uniformly Distributed Pseudo-Random Numbers The most direct way to get pseudo-random numbers from linear recurrence sequences is the following. Let M > 1 be an integer, and let a be a linear recurrence sequence taking values in the residue ring modulo M , identified as usual with the set {0, 1, . . . , M − 1}. Finally, use elements of the sequence a as M -ary digits of some other sequence. This can be done in several ways; the most popular are to fix some integer m ≥ 1 and define the sequence (10.1)

γx =

m−1 X i=0

a(mx + i) , Mi

x ∈ N,

or, alternatively, the sequence γx =

m−1 X i=0

a(x + i) , Mi

x ∈ N.

a(x + hi ) , Mi

x ∈ N.

or even γx =

m−1 X i=0

for some integers h1 , . . . , hm . Elements of the first sequence look more independent so that construction is more common (without any particular theoretical background, it must be admitted). The integer M is called the modulus of the pseudorandom number generator. In order to use these numbers as pseudo-random numbers, which should be uniformly distributed on the unit interval as a minimal requirement, information on their period and their distribution on [0, 1] (more generally, about the distribution of the vectors (γx , . . . , γx+s−1 ) in the s-dimensional unit cube) is needed. That is, estimates are needed on their discrepancy. These questions have been addressed in Sections 1.5 and Section 4.2, respectively. Indeed, many of those results can be directly applied to such pseudo-random number generators, although for m > 1 some adjustments are needed. On the other hand, there are some new aspects to the problem of pseudo-random numbers generators. Previously the interest was in general results which hold for all sequences from some wide class. As a result, these estimates are not very strong. For pseudo-random numbers it would be enough to prove stronger results for special sequences. Alternatively, it is sometimes useful to show that for ‘almost all’ members of some class of sequences (rather than for all) some refinements can be obtained. Both kind of results will be discussed below. Typically, the modulus M is chosen as a prime power pk with a special emphasis on the case M = 2k (because of the connection with computing). The two extreme 203

204

10. PSEUDO-RANDOM NUMBER GENERATORS

cases of M a large prime and M = 2 are of great interest as well, and deserve special treatment. For the parameter m, a reasonable choice is m = 1, so γx = a(x)/M . This generator is the Tausworthe generator; it has the important advantage that all the results about periods of (see Section 1.5) and distribution for (see Section 4.2) linear recurrence sequences may be applied without any of the adjustments needed for (10.1) with m ≥ 2. In any case, m should usually not exceed the order of a, in order to have some hope of independent digits of γx (at least independent in the weakest sense of not being obviously dependent). Clearly, if t is the period of a, then the period of the sequence γ given by (10.1) is at least τ = t/ gcd(m, t). In a series of papers by Niederreiter the discrepancy of such sequences has been estimated. His results are given below in a simplified form which can be extracted from [831, Theorem 3.1, 3.2]. More explicit information about the constants may be found in [831]. Theorem 10.1. Let M = p be a prime, and let a be a linear recurrence sequence of order n and period t over Fp with characteristic polynomial irreducible over Fp . If gcd(m, t) = 1 and sm ≤ n, then for any 1 ≤ N ≤ t, the s-dimensional discrepancy of the sequence (γx , . . . , γx+s−1 ), x = 1, . . . , N is ( (2/π)s ms pn/2 t−1 logs p + sp−m , for N = t, Ds (N ) (2/π)s ms pn/2 t−1 log t logs p + sp−m , for 1 ≤ N < t, if p ≥ 3 and ( 2−s ms 2n/2 t−1 + s2−m , Ds (N ) 2−s ms 2n/2 t−1 log t + s2−m ,

for N = t, for 1 ≤ N < t,

if p = 2. The general case of gcd(t, m) > 1 can be considered as well (with slightly worse constants). Notice that if a is an M -sequence (that is, with period t = pn − 1) and ms ≥ n, then Ds (N ) = O(t1/2+ε N −1 ) where the implied constant depends on n only. Several more results about the discrepancy of such sequences can be found in [596]. The case of sm > n (that is the case of manifestly dependent digits) is more complicated. It turns out that the discrepancy depends not only on the period, but also on the number s−1 X rs (f, m, p) = min deg hi , i=0

where the minimum is taken over all non-zero polynomial solutions of the congruence s−1 X deg hi (X)X im ≡ 0 (mod f (X)) i=0

in polynomials h0 , . . . hs−1 over Fp . These numbers are called figures of merit of f . Clearly rs (f, m, p) ≤ n + 1, and it is known that the bigger rs (f, m, p) is, the smaller is the discrepancy Ds,m (N ). In fact, rs (f, m, p) appears in lower and upper

10.1. UNIFORMLY DISTRIBUTED PSEUDO-RANDOM NUMBERS

205

bounds for Ds (N ) as the term p−rs (f,m,p) and p−rs (f,m,p) logs t respectively (the exact results may be found in [831, Sect. 4, 7] and [837, Chap. 9]). It is also known that both requirements, a large period and a large figure of merit, can be attained simultaneously. This result may be found in [831, Theorem 5.4]. Theorem 10.2. For any positive integers n, m, s, t such that n is the period of t modulo p, there exists an irreducible polynomial f over Fp of degree n and of period t such that (m + 1)(p − 1)ϕ(t) rs (f, m, p) ≥ logp . (ms − 1)(m + 1 − m/p)s To understand this result better, consider the case t = pn − 1. Then there exists a primitive period f with rs (f, m, p) ≥ n − logp log n log p − s logp (m + 1) + O(1), so choosing m = n gives a sequence having discrepancy Ds (N ) = O(t1/2+ε N −1 ) for any fixed s. As mentioned in Section 6.2, the problem is related to continued fraction expansions of rational fractions. All the above estimates of discrepancy need the period to be large enough to be non-trivial; it should certainly exceed pn/2 , and the length N of sequence considered should be at least of the same size. This second requirement is very difficult to meet. Certainly if M = pk is a power of a fixed prime number, m = 1, −1/n+ε s = m then (4.8) gives the bound O(tk ) for the full period discrepancy of a(x)/pk . It is possible that a similar result can be obtained for any ms ≤ n, but for incomplete periods the corresponding result has not been worked out yet, and one cannot expect particularly strong estimates here. The situation is quite different if one agrees to consider ‘almost all’ sequences from L(f ), rather then all of them. The following assertion is obtained in [1065] for m = 1 (that is, for the sequence γx = a(x)/p). Levin [629] extends it to arbitrary m ≤ n. Theorem 10.3. Let f be an irreducible polynomial modulo p of period t. Then for all but o(pn ) sequences a ∈ L(f ) the following holds. For any 1 ≤ N ≤ t the s-dimensional discrepancy of the sequence γx given by (10.1) is O(N −1/2 logn+3 p + p−m ), where s ≤ n/m and gcd(m, t) = 1. The upshot is that the bound holds for all N for all sequences from the same set of ‘good’ sequences. For every fixed N such a result is quite simply obtained. In [629] (but not in [1065]) the result is formulated for primitive polynomials only, but certainly holds in the form given above. Ambrosimov [27] obtains results for sequences in residue rings modulo 2k . These concern the distribution of tuples (a(x), . . . , a(x + s − 1)) (that is, the question discussed in Section 4.2) rather than the discrepancy of the points (γx , . . . , γx+s−1 ).

206


Nevertheless, they are in the same spirit, and in particular provide good estimates which hold for almost all initial values, and certainly could be useful for analysis of pseudo-random number generators from linear recurrence sequences (see also [581]). Apparently, these are the simplest in a series of results which can be obtained using similar methods. In [280], [281], [283], [598] more general non-linear pseudo-random number generators are analyzed ‘on average’. Niederreiter, in [837, Sect. 10.1] and in more detail in [840], proposes a multidimensional matrix generalization of the pseudo-random number generators just considered. That is, sequences of vectors satisfying linear recurrence equations with matrix coefficients. He analyzes their periods, discrepancy, and other useful properties. This work has been continued by Larcher [596]. Returning to the particular case of pseudo-random number generators discussed above, the most popular, theoretically attractive and practically convenient are the linear congruencial generators, also known as the Lehmer generators. Such a generator is a sequence γx = a(x)/M , where (10.2)

a(x) ≡ λa(x − 1) + η

0 < a(x) < M, x ∈ N.

(mod M ),

Here the initial value a(0) = a and the multiplier λ are integers co-prime to the modulus M , and b is an arbitrary integer. These generators, and discussions of their features and applications, can be met everywhere from mathematics books through to computer science sources, to programming manuals; [837], [547], [513], respectively, are representatives of the literature. As discussed in Section 1.1, the parameter η in (10.2) is a little arbitrary. For M = 2k , this parameter allows sequences of maximal period 2k to be constructed (period 2k−2 is maximal for sequences with η = 0). From now on only the homogeneous linear congruencial generator (10.3)

a(x) ≡ λa(x − 1)

(mod M ),

0 < a(x) < M, x ∈ N,

x

will be considered. Thus a(x) = aλ , and aλx . M Generally speaking, the s-dimensional discrepancy Ds (N ) of (γx , . . . , γx+s−1 ) depends on several characteristics. The first is the maximal value of the exponential sums N X max exp(2πimγx ) gcd(m,M )=1 γx =

x=1

which does not depend on s but does depend on all the other parameters. The second depends on s, λ and M , but does not depend on the initial value and the length N of the interval considered: ρs (λ, M ) = min (m0 . . . ms−1 ) , where the minimum is taken over all non-trivial solutions of the congruence (10.4)

m0 + m1 λ + . . . + ms−1 λs−1 ≡ 0

(mod M ),

and m = max{1, |m|}. If M = p is a prime, then N X logs p logs p (10.5) Ds (N ) max exp(2πimγx ) + ; ρs (λ, p) N gcd(m,p)=1 x=1


207

for other values of M some simple adjustments are necessary. All these classical facts can be found in [826]; the bound (10.5) is a combination of Theorem 10.3 and the bound [831, Eqn. (5.11)]. There is also one more characteristic which is defined analogously to ρs (λ, M ), ωs (λ, M ) = min(m20 + . . . + m2s−1 )1/2 , where the minimum is taken over the same set of non-trivial solutions of (10.4). This parameter is responsible for the lattice structure of points (γx , . . . , γx+s−1 ), see [547, Sect. 3.3.4]. By employing standard techniques for the exponential sums in (10.5), a good bound — actually nearly square-root — can be found for almost all initial values. Moreover, in Section 2.4, it is shown that for many special moduli M and a wide range of N , individual bounds are available. The parameter ρs (λ, M ) is less well understood. The simplest case is as usual M = p prime. For such moduli, one can prove that there is a primitive root modulo M , λ (needed to provide the large period) such that p (10.6) ρs (λ, p) . (log p)s+ε In fact such an inequality holds for almost all λ. The fact that almost all λ are of larger period modulo p gives the following statement (cf. [1072], [629]). Theorem 10.4. Let p be a prime and s ≥ 1 an integer. Then for all but o(p2 ) pairs (a, λ), 1 ≤ a, λ ≤ p − 1 of initial values and multipliers, the s-dimensional discrepancy of the sequence (10.1) is Ds (N ) = O(N −1/2 pε ). From the computational point of view it would be very desirable to find a similar result for arbitrary M , especially for M = 2k and other prime powers (in addition to the computational simplifications, in this case typically there are better bounds for exponential sums, as shown in Section 2.4). Unfortunately, the proof uses a bound on the number of solutions of polynomial congruences of degree n with coefficients co-prime to M which can be as large as M 1−1/n for highly composite M : The simplest example is λn ≡ 0 (mod 2k ) or (λ − 1)n ≡ 0 (mod 2k ). As a result, for arbitrary M all that can be said is that for almost all λ, (10.7)

ρs (λ, M ) ≥ M 1/(s−1)−ε ,

s ≥ 2,

which is much worse than (10.6) for s ≥ 3. In [556] an ‘on-average’ estimate k

1 M

2 X

1/ρs (λ, M ) M −1/(s−1)

λ=1, gcd(λ,2)=1

is found (notice that 1/ρs (λ, M ) rather than ρs (λ, M ) appears in (10.5)). This method, leading to the bound (10.6), which is almost as good as possible for M = p, cannot produce anything better than (10.7) for arbitrary M . Of course, a weak average bound does not preclude the possibility of there being a good multiplier for such moduli, so it still makes sense to show that (10.7) can be refined for some λ, and even to try to describe such λ. The case s = 2 has been studied independently by many authors (in the different context of Korobov’s optimal coefficients [561], [826], [837]). Notice that for s = 2 (10.6) and (10.7) are not much different. The most convenient tool in this case is the formula (6.9). In the Fibonacci case, (6.10) applies, but there is still

208


an open question about the period of f (h) modulo f (h + 1). Modulo an arbitrary fixed M , a desirable choice for λ has λ/M ∼ (51/2 − 1)/2 = [1, 1, 1, . . .]. This is quite a naive approach, and does not guarantee that all the partial quotients of λ/M will be small. Nevertheless, in practical computations this has been successfully used, and this procedure is presented in many standard numerical analysis recipes. See also [3] for explicit expressions for the 2-dimensional discrepancy of linear congruencial generators. For s = 3, Larcher and Niederreiter [597] prove that for M = pk , a power of a fixed prime number, there is a λ which is a primitive root modulo pk if p ≥ 3 and λ ≡ 5 (mod 8) if p = 2 (thus of period 2k−2 modulo 2k ) with the property that M ρ3 (λ, M ) ≥ . log2 M The proof is based on a detailed study of the structure of solutions of quadratic congruences. Although it is possible that the method can be extended to higher dimensions, the technical complications will increase with each step, and it is not clear how to carry out this approach for arbitrary s. The following completely explicit construction of [1067] gives an estimate weaker than (10.6) but stronger than (10.7); however it works for any M . If λ is defined by the congruence λτ ≡ ϑ (mod M ), where 1 ≤ ϑ < τ ≤ M are arbitrary integers with gcd(ϑτ, M ) = 1 and ϑ ∼ τ ∼ M 1/(s+1) , then (10.8)

ρs (λ, M ) ≥ min{ϑτ, M τ −s+1 } ∼ M 2/(s+1) .

If in the previous construction one takes ϑ ∼ τ ∼ (M/2s)1/s then ωs (λ, M ) ≥ min{(ϑ2 + τ 2 )1/2 , s−1/2 M τ −s+1 } ∼ 21/2 (2s)−1/2s M 1/s . This bound is tight, as for any λ of the same order (at least for s fixed) both meet the upper bound ωs (λ, M ) ≤ γ(s)M 1/s , where γ(s) is the Hermite constant (see [547, Sect. 3.3.4], [224]). Similar problems arise in cryptography. Let Ws (δ, M ) be the size of the set of λ, 1 ≤ λ ≤ M , with ws (λ, M ) ≤ M δ . For s = 3, the bound W3 (δ, M ) = O(M 1/2+3δ/2+ε ) is given in [358]. For the special case of M = pk a further improvement to (10.8) is possible. The following result is taken from [556]. Theorem 10.5. Let p be a fixed prime and let ϑ, 1 ≤ ϑ ≤ p2 be a primitive root modulo p2 if p ≥ 3, and ϑ = 3 if p = 2. Set λ ≡ (pt + ϑ)(pt + 1)−1

(mod pk ),

where t = 2 bk/(2s + 1)c. Then, for sufficiently large M = pk , ρs (λ, M ) M 4/(2s+1) , and the period λ modulo M is at least M/4. The proof is ad hoc in that it exploits several coincidences rather than general principles. Dynamical systems arising from, and motivated by, linear congruencial generators are studied in [38], [1172]. Marsaglia [690] uses ‘add-with-carry’ and ‘subtract-with-borrow’ sequences, discussed in Section 1.5, as pseudo-random number generators of a new type. As shown in Section 1.5, their period structure is


209

reasonably well understood. Couture and L’Ecuyer [233] show how to combine such generators with a linear congruencial generator and prove several geometric results about the distribution of such combinations. The work of Tezuka [1145] goes in the same direction, but with respect to combining several generators from linear recurrence sequences. Roughly speaking, instead of the standard addition of several such sequences a1 (x) + . . . + am (x) (which is a linear recurrence sequence again by Section 1.4.10) he uses bit-wise addition XOR without carry. That is, the sequence a1 (x) XOR . . . XOR am (x) is studied. Further developments and applications to cryptography can be found in [545] where p-adic analysis is used; see also [45], [394], [395], [396], [546], [1217] and [839, Sect. 2.2] for additional references. ‘Multiplication-with-carry’ sequences are also studied in the literature as useful sources of pseudo-random numbers [233]. Non-linear recurrence sequences are also successfully used as pseudo-random number generators. In Section 1.5 periods of quadratic (1.39) and inversive (1.40) sequences are studied. Bounds for the discrepancy of pseudo-random number generators arising from such sequences (and more general sequences of types (1.38) and (10.11)) have been obtained by Eichenaurer-Herrmann, Emmerich, Niederreiter, Tezuka and others [278], [279], [282], [284], [295], [296], [510], [836], [837], [839], [1132], [1146]. For example, the 2-dimensional discrepancy of the inversive generator (1.40) modulo a power of a fixed prime is O(t−1/2 log2 t) over the complete period, but increases at least to t−1/3 in the 3-dimensional case, see [278]. On the other hand, generators modulo a square-free M have discrepancy of order M −1/2+ε in any dimension s [279], [836]. The 2-dimensional discrepancy of a quadratic generator can be estimated as well. Moreover, if M = pk where k is of order p1/2 log−1 p then, over the complete period, the discrepancy is O(t−1/2 log t), which is log t better than the usual estimate for similar sequences [284]. The papers mentioned above deal with the distribution of sequences over the full period, and their methods cannot be used to study the distribution over parts of the period. A new approach, and the first non-trivial results on the distribution over parts of the period are given in [844], [847]. Several more applications of this method are given in [415], [434], [843], [846]. In particular, Theorems 4.7 and 4.8 are proved. This method has also been applied in [356] (together with some other new ideas) to studying the power generator, see Section 10.2. For non-linear generators arising from the congruence (1.38) modulo a prime M = p, a kind of lattice test can be defined. The corresponding sequence of pseudorandom number numbers γx = a(x)/p passes the s-dimensional lattice test if the vectors (a(x), . . . , a(x + s − 1)) , x∈N span the vector space Fsp . As seen in Section 1.5, for several non-linear generators the maximal period t = p can be guaranteed. Such a generator can be considered as a map Fp −→ Fp , so there is a unique polynomial G ∈ Fp [X] with degree D = deg G < p such that a(x) = G(x), x = 1, . . . , p (G must be a permutation polynomial over Fp , that is polynomial inducing a bijection). The parameter D is an important characteristic of the sequence, see [836, Sect. 3] or [837, Sect. 8.1].

210


In particular, the sequence passes the s-dimensional lattice test for all s ≤ D. A lower bound on D is given in [844], which immediately yields the following result. Theorem 10.6. Let p be prime. Then a non-linear generator of maximal period t = p, given by (1.38), with a polynomial F ∈ Fp (X) of degree d ≥ 2, and M = p, passes the s-dimensional lattice test for all s ≤ dp/de. It is also known [206], [336] that an inversive generator (1.40) (of maximal period) passes the s-dimensional lattice test for all s ≤ (p + 1)/2. A close look at Theorem 10.6 shows that this test is not very dependable. It seems plausible that there are sequences which can only be represented by a polynomial of high degree and which nonetheless have bad distribution properties. Such sequences do indeed exist; see a discussion in [836, Sect. 3]. Motivated by applications to pseudo-random number generators, Anashin [29] describes polynomials for which the sequences satisfying the congruence (1.38) with M = pk a prime power are uniformly distributed modulo pk (that is, they generate a one-to-one mapping in the residue ring Z/pk Z). Uniform distribution in the ring of p-adic integers Zp is also considered. So far the continuous aspect of the problem, dealing with numbers distributed in [0, 1], has been considered. The discrete aspect of the problem relates to binary sequences, also known as sequences of pseudo-random bits. For an infinite sequence (δx ) of g-ary digits, 0 ≤ δx ≤ g − 1 and a finite g-ary string S = (d1 . . . dk ), denote by F (S, N ) the number of occurrences of this string in the initial segment of length N , and by f (S, N ) = F (S, N )/N the corresponding frequencies. The sequence (δx ) is called a pseudo-random sequence of g-ary digits if for any string S, f (S, N ) → g −|S| as N → ∞, where |S| is the length of S. As shown in Section 5.1, such sequences correspond to g-ary expansions of numbers normal to base g, and such g-ary sequences are also known as normal sequences of signs. Postnikov [939], [940] provides a good outline of early approaches to such sequences and their applications. He also discusses various generalization of this notion of normality such as Bernoulli normal sequences, Markov normal sequences and normal continued fractions. A construction of a Markov normal sequence with a very small discrepancy (appropriately defined) is due to Levin [631]. Such discrete pseudo-random sequences (finite or infinite) are of great importance in theoretical computer science [1135]. They may also be used to rule out random walks on lattices, and Postnikov [938] notices that this leads to an algorithm for solving finite-difference equations arising from the Dirichlet problem in the theory of partial differential equations. There is, however, one minor logical irritation here. Theorem 5.5 says that there are numbers which are normal to some base g but are not normal to some other base f . If such g-ary sequences are identified with the corresponding number ϑ=

∞ X

δh g −h

h=1

which they represent, then the property of being pseudo-random is therefore not invariant under change of basis. On the other hand, it seems reasonable that being pseudo-random should be an intrinsic property of ϑ. This question is discussed by Calude and J¨ urgensen [169], who show how to change the definition of pseudorandom sequence (random in their terminology) in order to make it invariant to


211

basis change. A dynamical overview of randomness for g-ary sequences may be found in [1206]. Certainly the smaller the difference |f (S, N )−g −|S| | is the better, and this is related to the discrepancy of (ϑg x ). This relation is not very direct, and the sequences having the best bounds for the frequencies do not necessarily correspond to values of ϑ with the best value of the discrepancy. Indeed, [1063] gives a construction of a sequence with f (S, N ) = g −|S| + O(N −1+ε ) for any finite string S. The result of Levin [632] yields a slight improvement of this asymptotic formula. On the other hand, the long standing record of Korobov [562] and Levin [625] giving explicit constructions of ϑ such that the discrepancy of (ϑg x ) is O(N −2/3+ε ), has recently been bettere: Levin [633] gives a construction which leads to the bound O(N −1 log2 N ). Frequencies f (S, N ) can also be considered for finite sequences, and here the theory of linear recurrence sequences is of great use. For example, if g = q is a prime power, Theorems 4.1 and 4.2 are nothing but bounds for f (N, S); see also [581], [827]. Levin [631] also give a construction of a Markov normal number. A different point of view on pseudo-random bits obtained from linear recurrence sequences and their applications is pursued in [25]. Results of these papers are also used later in [226] to study the statistical properties of shrinking two M -sequences over F2 , when the sequences a and s are selected at random from the sets of M sequences of orders n and m. The results of Section 4.1 can be used to obtain some individual estimates as well. It is shown in [226] that if both a and s are M -sequences over F2 , and the characteristic polynomial of a is chosen with uniform probability among all the ϕ(2n − 1)/n primitive polynomials of degree n over F2 , then the shrunken sequence (as (x)) has good statistical properties. Another important question concerns the output rate of (as (x)), or equivalently the upper bound for hx , the position of the x-th 1 in s (see Section 1.4.10). It is shown in [226] that if the characteristic polynomial of the selector sequence s is chosen with uniform probability among all the ϕ(2m − 1)/n primitive polynomials of degree m over F2 , then hx = O(x). A very natural question is whether it is possible in these two statement to get individual estimates (rather than estimates which hold with high probability). An encouraging remark in this direction is that Theorem 11.7 below implies that hx = O(x) for any x ≥ 2εm . This and several similar results about the output rate and the distribution of the shrinking generator from two linear recurrence sequences are presented in [1083]. All these properties make such sequences very attractive for applications. Moreover, (1.42) shows the shrunken sequence is of exponential linear complexity (see Section 10.2 for the definition), which is especially important for applications in cryptography. Finally, one of the closest relatives of pseudo-random numbers are so-called quasi-random numbers or points. The main difference is: Instead of seeking for 1-dimensional sequences (γx ) for which the s-tuples (γx , . . . , γx+s−1 ) admit a good bound for the s-dimensional discrepancy, construct sequences of s-dimensional points (γ1,x , . . . , γs,x ) which are uniformly distributed (with respect to the discrepancy and other criteria) in the s-dimensional unit cube. One of the most celebrated applications of such points is the Monte Carlo Method, see [826], [837], [1146].

212


Some 30 years ago, Sobol [1101] found a construction of a family of quasirandom points which he called LΠτ -nets; these still give the best known order for the s-dimensional discrepancy, Ds (N ) N −1 logs N . The construction is based on properties of sequences of maximal period over F2 . To construct such a net in s-dimensional space, fix s − 1 distinct M -sequences over F2 of orders n1 , . . . , ns−1 , say (distinct means that they correspond to distinct primitive polynomials over F2 ). The constant in the bound for the discrepancy as well as many other useful features of these sequences depend on the parameter (10.9)

τ = n1 + . . . + ns−1 − s + 1;

the smaller τ is, the better the sequence is. For the minimal values τs of those τ of the form (10.9), the explicit expression (3.14) and the asymptotic formula (3.15) follow from the fact that there are ϕ(2n − 1)/n primitive polynomials of degree n over F2 . The LΠτ -nets of Sobol influenced much further research, and in particular it appears that their analogues and generalizations with respect to M -sequences over other fields produce better constants in the estimate of the discrepancy [836], [837]. Moreover, the classical LΠτ -nets have not lost their value as among many other advantages their are directly related to binary representation of numbers — the native language of modern computers. It might seem that building a good pseudo-random number generator is just a matter of mixing up several functions in an unexpected way. Unfortunately this wide-spread belief has no real theoretical background: Knuth’s example [547, Algorithm K, Sect. 3.1] of an a priori exotic generator with very poor randomness is instructive, and in some sense representative. 10.2. Pseudo-Random Number Generators in Cryptography The previous section dealt with pseudo-random numbers from the point of view of uniform distribution. Another view of pseudo-random numbers is related to Kolmogorov’s complexity-theoretic approach to random numbers. Roughly speaking, if γ is a sequence exhibiting almost random behaviour, then the next term γx should be hard to guess from knowledge of the previous ones γ1 , . . . , γx−1 without knowing the algorithm that produces them. Constructing sequences that are unpredictable in this sense is an important part of modern cryptography. The predictability problem is the following. Assume that some segment γh , . . . , γh+k−1 of the sequence γ is known, as is some partial information about the nature of the sequence (that is, the general shape of formulaæ for the sequence, and some of the parameters involved are known). The problem is to predict the sequence forward (that is, to generate γh+k , γh+k+1 , . . .) and backward (to recover γh−1 , γh−2 , . . .). These two aspects are closely related but for certain sequences can be problems with essentially different complexities. General approaches to this problem are beyond the scope of these notes; a good introduction to the area is [586]. Instead, the predictability of the most common pseudo-random number generators related to recurrence sequences will be discussed. The majority of results obtained concern linear recurrence sequences, and in particular sequences generated by a linear congruencial generator. Several non-linear generators have been studied as well. Slightly changing the terminology of [586] we obtain the following list of sequences.

10.2. PSEUDO-RANDOM NUMBER GENERATORS IN CRYPTOGRAPHY

213

(1) The power generator a(x + 1) ≡ a(x)k

(mod M ),

0 ≤ a(x) ≤ M − 1,

where k is some fixed integer. (2) The exponential generator a(x + 1) ≡ g a(x)

(mod M ),

0 ≤ a(x) ≤ M − 1,

where g is some fixed integer. (3) The 1/M -generator, the sequence (dx ) of g-ary digits of A/M (with some integer 1 ≤ A < M ) in some fixed base g, A/M = 0.d1 d2 . . . . An important special case of the power generator is the Blum, Blum and Shub generator, a(x + 1) ≡ a(x)2 (mod M ) introduced in [113] and studied by several other authors, see [133], [235], [349], [356], [357], [417] [586], [739], [1085] and references therein. Hallgren [446] has proposed using the elliptic curve analogue of the homogeneous linear congruencial generator (10.3). This and similar generators have also been studied in [291], [383], [386]. In particular, using the bound for exponential sums from [551], El Mahassni and Shparlinski obtained an upper bound on the one-dimensional discrepancy of such generators. The same method can probably be used to estimate the discrepancy in any fixed small dimension s, say for s = 2, 3, 4, but it is not clear how to extend it to a general result which would apply to any dimension. Many other natural questions about these constructions still remain open, and they definitely deserve more attention. For example, it would be interesting to study the linear complexity of such generators (in some special cases this is done in [383]). We now describe the construction of a pseudo-random function given by Naor and Reingold [806]. Let p be a prime, and let ` be a prime divisor of p − 1. Select an element g ∈ F∗p of multiplicative order `. Then for each n-dimensional vector a = (a1 , . . . , an ) ∈ (Z/`Z)n one can define the function (10.10)

x1 n ...ax n

fa (x) = g a1

∈ Fp ,

where x = x1 . . . xn is the bit representation of an integer x, 0 ≤ x ≤ 2n − 1, with some extra leading zeros if necessary. Naor and Reingold [806] have shown that this function has some very desirable security property, provided certain standard cryptographic assumptions hold. The results of [55], [416], [1082], [1086], [1087] demonstrate that for almost all vectors a ∈ (Z/`Z)n the function (10.10), as well as its natural generalization to elliptic curves, poses very good linear complexity and uniformity of distribution properties. Several other generators are proposed in [586], including cellular automata considered in Section 11.1 (see also [1213] and several other papers from [1214]). Knowledge of M and k for the power generator, or of M and g for the exponential generator, makes the forward prediction trivial. However, knowledge only of a segment of the sequence, or trying to compute earlier values, involves computationally hard problems: Discrete root extraction and the discrete logarithm problems, respectively. If gcd (k, ϕ(M )) = 1 and g is a primitive root modulo p, then both problems have unique solution but are computationally difficult (for a survey of the current state of the art see [1080]). If M = p is a prime, or any other number

214


with known Euler function ϕ(M ), then the backward computation for the power generator can be done via the formula a(x) ≡ a(x + 1)`

(mod M )

where ` is defined from the congruence k` ≡ 1 (mod ϕ(M )). In general nothing better is known than to reduce the problem to computing ϕ(M ), and thence to the integer factorization of M . Thus if M = p1 p2 is a product of two large primes then the problem is hard; such M are called Rabin primes after the person who first understood their importance for cryptography. That this problem is difficult of course provides the security of the celebrated RSA-cryptosystem [549]. In fact, this idea cannot be used without due care and attention: For example, Wiener [1207] shows that if M = p1 p2 with p1 ∼ p2 ∼ M 1/2 , and k is such that k`2 < (0.25 − ε)M 3/2 , then the RSA scheme can be broken in polynomial time via continued fractions. For a simple description of this see [921]. In particular, this problem arises if k < ϕ(M ) < M and ` < (0.5 − ε)M 1/4 . The most straightforward way to avoid the problem is to choose k ≥ M 3/2 ; only the residue k modulo ϕ(M ) is important, and this can be given by an artificially large value if desired. Turning to the forward prediction problem, recall that the classical Berlekamp– Massey algorithm to decode linear cyclic codes [72], [680], [680] efficiently solves this problem if the field of definition is known. To find the characteristic polynomial of a linear recurrence sequence a of order n, the algorithm takes 2n consecutive terms and produce the characteristic polynomial in O(n2 ) field operations. The basic algorithm is a version of the continued fraction algorithm. A more efficient version is given by Blahut [109]; this uses only O(n log1+ε n) field operations (see the survey [707] and the recent papers [26], [104], [334], [335], [867], [868], [869], [882] for details). This leaves the case where the definition domain is not known: The observer sees integers forming a linear recurrence sequence over some unknown residue ring. Boyar [121] gives general results about the predictability of linear and non-linear recurrence sequences. The model is as follows: To predict the sequence a from several initial values, we are allowed to guess each value and if we make a mistake the correct value is revealed. The fewer mistakes made, the less secure is the sequence. The following results are obtained in [121]. Assume that a satisfies a linear non-homogeneous recurrent congruence a(x + n) ≡ fn−1 a(x + n − 1) + . . . + f1 a(x + 1) + f0 a(x) + e (mod M ) of order n, but neither the modulus M nor the coefficients e, f0 , f1 , . . . , fn−1 are known. It is important to remember that the objective is to predict the sequence rather than to find its parameters. In particular, the parameters are not uniquely defined by the sequence, as the following example shows: The two sequences a1 (x+2) ≡ a1 (x+1)+a1 (x)

(mod 6),

a2 (x+2) ≡ 4a2 (x+1)+a2 (x)

(mod 6)

with the initial values a1 (1) = a2 (1) = 0, a1 (1) = a2 (1) = 2, are identical. Boyar proves that there is a prediction procedure of polynomial complexity (n log M )O(1) which makes at most 2n + 3 + log n + 0.5n log n + n log M


215

mistakes. Several related results have been obtained by Joux and Stern [495]. Clearly one cannot guarantee to do this with less than n − 1 mistakes. For the quadratic generator a(x + 1) ≡ f2 a(x)2 + f1 a(x) + f0

(mod M )

a similar results is obtained, with the number of mistakes at most 10 + 3 log M (see the comment after [121, Theorem 11]). Lagarias and Reeds [589] and, later, Krawczyk [565] combine these two results in a general statement about the predictability of non-linear recurrence sequences (including vector-valued sequences). The methods of [589] work for k-dimensional vector-polynomial sequences A(x+1) = F (A(x)) over a commutative ring R where A(x) ∈ Rk , and the map F : Rk → Rk is given by k polynomials in k variables. This method relies on Hilbert’s Basis Theorem and is therefore not computationally effective. If R is the residue ring modulo M , and all polynomials involved are of total degree d, then the total number of mistakes is estimated as 1 + ϕ(d, k) + 0.5N log N + dN log M where

k+d N =1+k . k The function ϕ(d, k) is generally speaking not explicit, but for two important cases it is known: ϕ(1, k) = k + 1 and ϕ(d, 1) = d + 1. These two cases subsume the cases considered by Boyar [121]. For the polynomial recurrent equation (10.11) a(x + n) ≡ F (a(x + n − 1), . . . , a(x)) (mod M ), 0 ≤ a(x) ≤ M − 1, x ∈ N in which neither the polynomial F ∈ Z[X1 , . . . , Xn ] nor the modulus M are known the following effective result holds [565]. Theorem 10.7. Each polynomial recurrence sequence is predictable in polyno mial time, with the number of mistakes at most O k 2 log(kM d ) , where d is the degree and k is the number of monomials in the polynomial F . Clearly k ≤ n+d d , but many generators are based on sparse polynomials for which k may be significantly smaller [565]. For vector-valued sequences similar results have also been proved. Blum, Blum and Shub [113] introduce and study the 1/M generator. Let g ≥ 2 be a fixed integer, and M an positive integer that can be written with at most L g-ary digits (that is, M < g L ). They show that given k = 2L + 3 consecutive digits dh+1 , . . . , dh+k the denominator M (and hence the numerator) can be found in polynomial time LO(1) . Indeed, the fraction α = 0.(dh+1 , . . . , dh+k )g is an approximation to the fractional part {Ag h /M } with error at most g −k < 1/2M 2 . So, ultimately, {Ag h /M } is one of the convergents of the continued fraction expansion of α, and thus can be found effectively. On the other hand, it is observed in [113] that, under Artin’s conjecture, k = L−1 digits are not enough to determine M unambiguously.

216


In [556], similar results are shown for smaller segments of digits without reliance on any standard conjectures. The first statement claims that a string of k = b3L/37c consecutive digits provides no information about M . Roughly speaking, we see without any unproven conjectures that M may take almost any value among all the primes p < g L . Theorem 10.8. Given any string of k = b3L/37c consecutive g-digits, there are at least (1 + o(1))π(g L ) prime numbers p < g L such that the g-adic expansion of 1/p contains that string. Further, using results of [563], [564] it is shown that for an arbitrary ε > 0, any string of k ≤ (1−ε)L consecutive digits appears in the g-adic expansion of 1/M for at least C(g)g εL/2 values of M < g L . Here C(g) is some constant depending on g only. Theorem 10.9. There is a constant c(g) > 0, depending only on g, such that for every element M of the set M = {M = pα µ : 1 ≤ µ ≤ Q, (µ, g) = 1}, where

j k Q = c(g)g εL/2 ,

p is the smallest odd prime number with gcd(p, g) = 1, and pα is the largest power of p that is less than g L /Q, and any string of k = b(1 − ε)Lc consecutive g-digits, the g-adic expansion of 1/M contains the string. To make prediction harder several tricks can be used. One of them is to use two or more generators in parallel (with different initial values, or even of different types) and to mix their results. For example, a power generator ap and an exponential generator ae can be combined to form a(x) ≡ ap (x) + ae (x) (mod M ). The shrinkage operation described in Section 1.4.10 can be also be used. There do not seem to be significant results about the predictability of such combined sequences. The only exception is the bound (1.42) for the linear complexity of shrinking two M -sequences. Another way to increase the security of a sequence is to use parts of the elements. For example, given integers h, s, instead of a sequence a, consider the truncation ah,s (x) ≡ 2−h a(x) (mod 2s ), 0 ≤ ah,s (x) ≤ 2s − 1. Thus, ah,s is formed by the s bits of a(x) starting from the (h + 1)-th lowest significant bit. For several common pseudo-random generators, an extensive detailed study of this and similar truncation procedures has been made in the papers [120], [358], [586], [589] (and references therein). Some of these results follow. For integers s, k ≥ 1 denote by Bk,s (a(0), λ, M ) the binary sk-dimensional vector obtained by adjoining s leading bits of the k first elements of the sequence a produced by the homogeneous linear congruencial generator (10.3) with the initial value a(0) (for general generators (10.2) similar results can be obtained). All elements of the sequence having L = dlog M e bits are considered, so Bk,s (a(0), λ, M ) is obtained from the bits of a(j)/2L−s , j = 0, . . . , k − 1. It is shown in [Theorem 3.1][358], that for any k ≥ 1, ε > 0 and sufficiently large square-free M > c(k, ε), there is an exceptional set E(M, k, ε) of multipliers λ of cardinality |E(M, k, ε)| ≤ M 1−ε


217

such that for any multiplier not in E(M, k, ε) the following is true: If s = d(1/k + ε) log M + k(1/2 + log 3) + 3.5 log k + 2 − log 3e , then the initial value of the sequence a can be uniquely determined in polynomial time from knowledge of the multiplier λ, the modulus M and the vector Bk,s (a(0), λ, M ). It is also remarked in that paper that an exceptional set E(M, k, ε) is necessary, as λ = 1 is always a bad multiplier. Also, by Dirichlet’s principle, if 1−ε s≤ log M k then there is an initial value a0 such that Bk,s (a(0), λ, M ) = Bk,s (a0 , λ, M ) for at least M ε initial values of a(0) = 0, . . . , M − 1. Such an initial value is secure in the following sense: Knowledge of Bk,s (a(0), λ, M ) is not enough to determine the entire sequence. In the opposite direction, it is shown in [556] that for infinitely many primes M = p, 1−ε log p − log log p + O(1) , s= k and all but at most p1−ε multipliers λ, and any initial value a(0) = 0, . . . , p − 1, the problem is secure: That is the knowledge of λ, M and Bk,s (a(0), λ, M ) for such k and s is not enough to determine the initial value uniquely (regardless of the complexity of the algorithm) and moreover, the number of candidates for the initial value is exponentially large. Theorem 10.10. Let p be an L-bit prime with 2L − 23L/4 < p < 2L . Then for any k ≥ 5, ε > 0 there is an exceptional set F (p, k, ε) of multipliers λ of cardinality |F (p, k, ε)| ≤ p1−ε , such that for any multiplier λ 6∈ F (p, k, ε) the following is true. If 1−ε L − log L − c s≤ k where c is an absolute constant, then for any binary sk-dimensional vector B there exist at least pε initial values of a(0) = 0, . . . p − 1 such that Bk,s (a(0), λ, p) = B. In the results above, only the initial value is unknown. Boyar [120] shows that even if the multiplier λ and the modulus M are unknown and only the t ≤ C log log M lowest bits are available, then the sequence can be predicted in polynomial time with at most (2 + log M ) log4C M + 3 errors (provided that each wrong prediction is corrected). The results of [565], [589] are applicable to such truncated sequences as well (see also [586]). Finally, Kuzmin and Nechaev [582], [583] show that any linear recurrence sequence a of order n over Z/pk Z can be recovered from its last coordinate ak−1 (x) given by (1.37) in time O(npk ). (Unfortunately it is not clear in these papers exactly what ‘recovered’ means — perhaps that the characteristic polynomials and initial values can be found). There are other approaches to predictability of sequences. For brevity, only linear methods of prediction will be considered. This leads to the notion of linear complexity and the linear complexity profile of a sequence. For a finite or infinite sequence a of elements over a ring R the linear complexity profile La is defined as

218


follows: La (h) is the least n such that a(1), . . . , a(h) form the first h terms of some linear recurrence sequence of order n over R. If R = F is a field, then this function is well-defined and satisfies the inequalities La (h) ≤ min{h, La (h + 1)} (put La (h) = 0 for identically zero sequence). Also define the linear complexity L∗a = lim sup La (h). h→∞

L∗a

Clearly, < ∞ if and only if the sequence a is a linear recurrence sequence beyond some point. It is also clear that La (h) ≤ L∗a ≤ n if a is a linear recurrence sequence of order n (in particular, for a periodic sequence of period t, La (h) ≤ L∗a ≤ t). As mentioned above, the Berlekamp–Massey algorithm computes La (h) in O(h2 ) field operations, and the Blahut algorithm improves this to O(h log1+ε n) field operations. Linear complexity is a widely accepted measure of randomness and unpredictability of sequences, and has many applications to cryptography [236], [538], [707], [830], [833], [834], [838], [835], [921], [979]. Many results giving bounds for, and algorithms to compute, the linear complexity and even the linear complexity profile of various sequences (de Bruijn sequences, sequences generated by finite automata, random sequences and others). In addition to the sources quoted above, the papers [104], [105], [106], [107], [108], [191], [192], [193], [252], [361], [377], [380], [381], [471], [472], [482], [539], [540], [696], [705], [850], [852], [853], [865], [882], [1161] discuss this. A surprising result is obtained in [1216], showing that algebraic curves could be a source of sequences with very good linear complexity profile properties. Many of the results of Section 1.4.10 can be considered as results on the linear complexity of sums, products, convolution, shrinking, self-shrinking and other functions of linear recurrence sequences, and several of them are obtained in that context. Thus the works [107], [226], [239], [240], [241], [397], [467], [572], [573], [574], [575], [576], [583], [599], [713], [980], [1229] are relevant to this subject as well. For example, it is shown in [713] that a self-shrunken M -sequence of order n has linear complexity at least 2bn/2c . The linear complexity of various non-linear generators, including power, inversive and Naor–Reingold generators, has been estimated in [55], [416], [417], [435], [712], [739], [857], [1085], [1087]. In the series of papers [191], [192], [193], [538], [539], [540] (and references therein) the following construction is considered. Let ρ be any mapping from Fq to F2 (whose elements are as usual called bits). Notice that Fq may or may not be an extension of F2 ; odd q are of equal or even greater interest. For example, if q = p is prime, and ρ(a) is the last bit of the least positive residue of its argument a, then this is related to the truncation operation considered above. For a sequence a taking values in Fq , the sequence of bits b with b(x) = ρ (a(x)) is an important example. Sometimes it is convenient to view ρ as a function from Fq to {0, 1} ⊂ Fq ; examples here include polynomials. This is particularly convenient when q is even, so Fq is an algebraic extension of F2 (recall that over a finite field any function can be represented by a polynomial). If a is a linear recurrence sequence then Theorems 1.34 and 1.35 apply. Certainly this construction is too general to handle in such generality but, for some specializations, it produces very interesting and


219

useful sequences. For example, the authors of [191], [192], [538], [539], [540] concentrate on the case when a is an M -sequence. For odd q, the following result appears in [538]. For an M -sequence a of order n over Fq , define the subsequence aτ (x) = a(τ x) where τ = (q n − 1)/(q − 1) is its restricted period (see Section 1.5 for the definition). Put bτ (x) = ρ (at au(x)). Since both b and bτ are periodic, L∗b ≤ τ L∗bτ ,

(10.12)

so it is of exponential linear complexity. If the mapping ρ is chosen so that L∗bτ = q − 1 (for small q this should not be difficult), then L∗b attains its maximal possible value q n − 1, which is the period of the sequence b. Klapper [538] notices that since b and bτ are 0, 1-sequences they can be thought of over any other finite field F` . This potentially gives different linear complexity, however the formula (10.12) holds for any field of characteristic different from the characteristic of Fq , q = pr . He shows that over Fp the maximal value of the linear complexity is essentially smaller, being at most r n+p−1 . n For fixed p, this is of polynomial order nO(1) rather than of exponential order as over other fields. The question about finding q from values of the bit sequence b is also considered in [538], where some probabilistic algorithms are presented. Statistical properties of La (h) for a random sequence a of elements of Fq are summarized by Niederreiter [833]. In particular, denote by Nh (L) the number of different h-term sequences a over Fq with La (h) = L. Then Nh (L) = (q − 1)q min{2h−2L, 2L−1} , for h ≥ L > 0. This formula can be used to show that La (h) = h/2 + O(log h) for an infinite uniformly distributed random sequence over Fq . More precisely, for such a sequence |La (h) − h/2| 1 lim sup = log h 2 log q h→∞ with probability 1, see [833], [838]. As seen above, for a random sequence La (h) is about h/2. A natural question is how to construct a pseudo-random sequence having similar behaviour of the linear complexity profile. The construction of such sequences uses the theory of continued fractions in the field Fq ((X −1 )) of formal Laurent series over Fq . For a sequence a, write ∞ X A(X) = a(h)X −h ∈ Fq ((X −1 )). h=1

Let [C1 (X), C2 (X), . . .] be the continued fraction expansion of A(X) in which the partial quotients Cj (X), j = 1, 2, . . . , are polynomials over Fq with positive degree. Then the following remarkable statement holds [830], [838]. Theorem 10.11. Put dj = deg Cj . Then La (h) =

m X j=0

dj ,

220


where m is uniquely defined by the inequalities 2

m−1 X j=0

dj + dm ≤ h ≤ 2

m X

dj + dm+1 .

j=0

If all the dj = 1 then the sequence a has a perfect linear complexity profile, namely La (h) = b(h + 1)/2c. The reverse is also true: In particular, the sequence ( 1, if x = 2k − 1; a(x) = 0, otherwise; corresponding to the continued fraction [x, x, . . .] over F2 has perfect linear complexity profile. On the other hand, the bit distribution of this sequence is very poor, which shows some of the weaknesses of this measure of randomness for sequences. Further discussion of the density of unit bits in such sequences can be found in [758], [1219]. Niederreiter [835] demonstrates that a finite sequence of positive integers L1 , . . . , Lh can be realized as the initial segment of the linear complexity profile of some sequence a over Fq if and only if the following conditions are satisfied: If Lk > k/2 then Lk+1 = Lk , and if Lk ≤ k/2 then Lk+1 = Lk or Lk+1 = k + 1 − Lk , k = 0, 1, . . . , h−1. Moreover, there are exactly q min{Lh ,h−Lh } such h-element sequences. It is striking that this number depends on Lh only. The jump complexity profile of a sequence a is defined as follows: Ja (h) is the number of positive integers among the list La (1), La (2) − La (1), . . . , La (h) − La (h − 1). Some combinatorial and statistical properties of linear complexity and jump complexity profiles were considered in [185], [299], [479], [1193] for the binary case and in [835] for sequences over arbitrary finite fields. For example, it is shown in [835] that ( min{L−1,h−L} (q − 1)j q min{L,h−L }, if 1 ≤ j ≤ min{L, h − L + 1}; j−1 Nh (L, j) = 0 if j ≥ min{L, h − L + 1}. where Nh (L, r) is the number of different h-term sequences a over Fq such that La (h) = L and Ja (h) = j (trivially, Nh (0, 0) = 1 and Nh (L, 0) = 0 if L ≥ 1). The mean value and variance of Ja (h) for an infinite uniformly distributed random sequence over Fq are evaluated in [835] as well. One of the results obtained asserts that lim sup(h log h)−1/2 |Ja (h) − (q − 1)h/2q| ≤ (2/q)1/2 h→∞

with probability 1. For random binary sequences a the expected value E(Ja (h)) and the variance of V(Ja (h)) of Ja (h) are explicitly evaluated by Wang [1193]. For instance, ( h/4 + 1/3 − 2−h /3 if h is even; E(Ja (h)) = −h h/4 + 5/12 − 2 /3 if h is odd. In [1081] a lower bound of order Hp−1/2 log−1 p is obtained for the linear complexity of a sequence of H consecutive values of the discrete logarithm modulo


221

p modulo any divisor d of p−1. Several other similar results can be found in [1140], [711]. The case d = 2 is of interest because it corresponds to the sequence of values of the rightmost bit of the discrete logarithm, which determines whether x is a quadratic residue modulo p. In this case, the linear complexity of the infinite sequence (which is periodic with period p) has been evaluated in [258]:  (p − 1)/2, if p ≡ 1 (mod 8),    p, if p ≡ 3 (mod 8), Lp =  p − 1, if p ≡ 5 (mod 8),    (p + 1)/2, if p ≡ 7 (mod 8). This result has been generalized in [256], see also [236], [253], [254], [255]. As mentioned above, many properties of the linear complexity can be expressed in terms of properties of continued fractions related to the sequence. Links between linear complexity profiles of sequences over Fq and q-adic expansions of real numbers of the interval [0, 1] have been discovered in [851]. Fix a bijection ψ : Fq → {0, . . . , q − 1}. Then each infinite sequence s over Fq can be mapped to the point α(s) =

∞ X

ψ(si )q −i ∈ [0, 1].

i=1

Now let d : N → R be any non-negative function. If |Ln (s) − n/2| ≤ d(n) for all n = 1, 2, . . . then the sequence s has d-almost perfect linear complexity profile. The case of constant d has special interest. The Hausdorff dimension D(d, q) and the Hausdorff measure M (d, q) of the set of points corresponding to sequences with d-almost perfect linear complexity profile is evaluated explicitly in [851]. In particular, if d(n) = d is constant then M (d, q) = 0 and 1 + logq ϑ(d, q) D(d, q) = , 2 where ϑ(d, q) is the largest root of the equation ϑq − (q − 1)

d−1 X

ϑj = 0.

j=0

The case d(n) → ∞ is considered as well. In this case (under some additional natural assumptions) logq n is the threshold: The measure is zero if d(n) grows slower than logq n and is positive if d(n) grows faster than (1 + ε) logq n. On the other hand, D(d, q) = 1 for any d(n) → ∞. For example, the k-error linear complexity La (k, h), see [1188], [1187], [841], [842], of a sequence a is defined as the smallest possible linear complexity Lb (h) taken over all sequences b which differ from a in at most k places. This is an important characteristic of ‘stability’ of the linear complexity of the sequence. Efficient algorithms to compute the k-error linear complexity are discussed in [498], [499]. Relations between the linear complexity and the k-error linear complexity have been studied in [579]; see also [500]. A very similar function is called sphere

222


complexity in [236]. Several results about the distribution of La (k, h) over the set of all binary sequences are given in [842].

CHAPTER 11

Computer Science And Coding Theory 11.1. Finite Automata and Power Series Finite discrete automata are a very wide generalization of recurrence sequences. The first case to consider is that of a classical finite m-automata operating on finite words formed from the alphabet Am = {0, 1, . . . , m−1}. Formally, an m-automaton consists of a finite set S of states containing a distinguished initial state i, a subset F of final states (the acceptance set) and a map τ : Am × S −→ S. Denote by Wm the set of all finite words in the alphabet Am , Wm =

∞ [

Ahm .

h=0

From a finite word w = (ω0 . . . ωh−1 ) ∈ Wm , form the sequence s(0) = i,

s(x + 1) = τ (ωx , s(x)),

x = 0, . . . , h − 1.

Notice that if τ depends on the second argument only, then it is a recurrence sequence. A word is said to be accepted by the automaton if a(h) ∈ F . The set of all accepted words is called the language L generated by the automaton. If words w of Wm and natural numbers represented in base m are identified, then there is an associated generating power series X gL(X) = Xw. w∈L

In this definition, and to get rid of initial zeros, we always assume that τ (0, i) = i. More generally, consider a function ψ : S −→ Z. For each word w ∈ Wm of length h, put fw = ψ(s(h)) and consider the power series f (X) =

∞ X

fw X w .

w=0

This power series — and the sequence (fw ) — are called m-automatic. In particular, defining ψ(s) = 1 for s ∈ F and ψ(s) = 0 otherwise gives the generating function gL (X) of accepted words. As seen above, linear recurrence sequences are closely related to rational functions. Similarly, m-automatic functions are related to many other interesting classes 223

224

11. COMPUTER SCIENCE AND CODING THEORY

of functions. In particular, every m-automatic power series satisfies a functional equation of the form r X i Ai (x)f (X m ) = 0, (11.1) i=0

with polynomial coefficients A0 (X), . . . , Am (X) ∈ Z[X], see [10], [653], [657], [662], [918], [924]. The study of various arithmetic and analytic properties of such functions was initiated by Mahler and then continued in those papers, as well as in [63], [92], [658], [660], [860], [1157] and many others. In particular, several power series from Section 1.4.10 arose in this very context. For example, T¨ opfer [1157] studies transcendence properties of solutions of such equations, which are called Mahler m-functions after [662], proving the following. Theorem 11.1. Let f be a Mahler m-function which is not rational. Then for any integer g > 1, f (1/g) is transcendental. In particular, the sequence of g-ary digits of an irrational algebraic number is not m-automatic for any m. Theorem 11.1 is particular case of the more general [662, Theorem 2]. Loxton and van der Poorten conjecture [657] that the only analytic functions which are Mahler m1 -functions and m2 -functions for two multiplicatively independent integers m1 and m2 are rational functions. Some possible approaches to a proof of this (still open conjecture) are discussed by Becker [63]. The papers [95] and [936] demonstrate that the question about rationality of a solution of a linear differential equation with polynomial coefficients is effectively decidable. We are not aware of any similar result for functional equations of the form (11.1), which certainly would be of interest. The theory of m-automatic sequences becomes richer if the alphabet Am has the structure of a finite field or a residue ring. For example, for p prime, if (fw ) is p-automatic then the subsequence (fpx ) is periodic (this can be derived from the more general Theorem 11.2 below). In the context of coefficients of power series representing algebraic functions, this result is given in Section 1.5. However, it is known that a power series is algebraic over Fp ((X −1 )) if and only if its coefficients are generated by a finite automaton [247], [653]. There are several more relations between automatic sequences and formal Laurent series, see [75], [76] for example. Notice that (fw ) is automatic if it is a function depending on finitely many digits of the m-ary expansion of w; thus it is not surprising that many sequences related to m-ary expansions of real numbers are m-automatic. Many interesting examples of such sequences are considered in [19], and some of these are described below. The m-kernel of the sequence a is the set Kera,m of all possible subsequences of the form Kera,m = {(a(xmr + k)) , : r = 0, 1 . . . , 0 ≤ k ≤ mr − 1} . The following property is closely related to the functional equation (11.1): A sequence (fw ) is m-automatic if and only if its m-kernel is finite. Generalizing the notion of m-automatic sequences, Allouche and Shallit [19] introduced (R, m)-regular sequences as sequences of elements from the ring R (or an extension) whose m-kernel is finitely generated over R. They establish several relations between m-automatic and (R, m)-regular sequence. For example, a

11.1. FINITE AUTOMATA AND POWER SERIES

225

(R, m)-regular sequence takes only finitely many different values if and only if it is m-automatic. Thus, the sequence of residues modulo M of any (Z, m)-regular sequence is m-automatic. On the other hand, (C, m)-regular sequences cannot grow faster than O(xO(1) ). The following assertion provides a more direct link to linear recurrence sequences; it follows from [19, Theorem 2.2]. Theorem 11.2. Suppose that a is a (R, m)-regular sequence. Then the subsequence (a(mx )) is a linear recurrence sequence of order n, where n is the dimension of Kera . On the other hand, if F is an algebraically closed field then a linear recurrence sequence a is an (F, m)-regular sequence if and only if all its characteristic roots are roots of unity – see [Theorem 3.3][19]. Several other structural results are proved for the class of (R, m)-regular sequences in [19]. For example, it is closed under pointwise sums and products (in particular, it is a ring), as well as convolution. Finally, some interesting complexity theory properties of regular sequences are established in [19]. 11.1.1. Examples of m-automatic and (R, m)-regular sequences. In this section, several examples of m-automatic and (R, m)-regular sequences are given, together with the recurrence equations which they satisfy. Many such sequences can be defined in terms of the counting function eP (x) which equals the number of occurrence of a finite binary string (or pattern) P in the binary representation of n. For example e11 (7) = 2, e1 (9) = 2, e11 (9) = 0, e101 (21) = 2. Allouche and Shallit [19] provide a nice collection of 34 examples of regular and (non-regular) sequences; some sequences are well-known, and are named after other researches who studied them from different angles. Some of their examples are the following. • For any pattern P , (eP (x)) is (Z, 2)-regular. In particular, for P = 1, it is easy to see that e1 (2x) = e1 (x) and e1 (2x + 1) = e1 (x) + 1. Therefore, its 2-kernel is generated by this sequence and the constant sequence (1). • (e1 (3x)) is (Z, 2)-regular. • The binary length sequence B where B(0) = 0 and B(x) = 1 + blog xc if x ≥ 1, is (Z, 2)-regular. Indeed, it is easy to see that B(2x+1) = B(x)+1, B(4x) = 2B(2x) − B(x) and B(4x + 2) = B(x) + 2. Therefore, its 2-kernel is generated by (B(x)), (B(2x)) and the constant sequence (1). • The power sequence (xk ) is (Z, 2)-regular. Its kernel is generated by the j sequences x , j = 0, 1, . . . , k. • The van der Corput sequence (of great importance in the theory of uniformly distributed sequences [569]) ψ is (Q, 2)-regular. Recall that ψ(x) = d0 2−1 + d1 2−2 + . . . + ds 2−s−1 where x = d0 20 + d1 21 + . . . + ds 2s is the binary representation of x. One can verify that ψ(2x) = ψ(x)/2, ψ(2x) = (1 + ψ(x)) /2. It is mentioned in [19] that this sequence is related to two other (Z, 2)-regular sequences. • The characteristic function χ3 of the integers representable as a sum of three squares is 2-automatic.

226


• The Euler binary partition sequence (see Section 6.3) b∞ is not regular (and has no chance to be since it is growing too fast for (6.17)) but the residue sequence modulo any power of 2 is 2-automatic. • The complexity of the MergeSort algorithm T (n) = n blog nc − 2blog nc + 1 is (Z, 2)-regular. • The sequence of primes is not (Z, m)-regular for any m. Indeed, by Theorem 11.2, (pmx ) would be a linear recurrence sequence over Z, so pmx log m = lim x→∞ xmx would be an algebraic number, which is impossible. The same consideration as in the last example shows that prime numbers cannot even be approximated in the form px = a(x) + o(x log x) by a (Z, m)-regular sequence. Other examples from [19] involve sequences arising from combinatorics, number theory, design of algorithms and other branches of mathematics. See also [10], [18], [245] for further examples. Many famous 0, 1-sequences are of the form a(x) ≡ eP (x)

(mod 2),

a(x) = 0, 1,

for various binary patterns P . Examples are the Thue–Morse sequence corresponding to P = 1, and the Rudin–Shapiro sequence corresponding to P = 11. Besides that, these sequences also satisfy interesting recurrent equations. For example, the Thue–Morse sequence atm satisfies the relation ( atm (k), if x = 2k; atm (x) = 1 − atm (k), if x = 2k + 1, with the initial value atm (0) = 0. Its generating function Ltm obeys the functional equation X − (1 − X 2 )Ltm (X) + (1 − X)(1 − X 2 )Lrs (X 2 ) = 0 The Rudin–Shapiro sequence ars satisfies the recurrent relation ( ars (k), if x = 2k or x = 4k + 1; ars (x) = 1 − ars (2k + 1), if x = 4k + 3, with the initial value ars (0) = 1. Its generating function Lrs obeys the functional equation X 3 + X(1 − X 4 )Lrs (X) − (1 − X)(1 − X 4 )Lrs (X 2 ) − 2X(1 − X 4 )Lrs (X 4 ) = 0. One more related 2-automatic sequence, the Baum–Sweet sequence abs , cannot be obtained in this way but satisfies a similar recurrence relation, ( abs (k), if x = 2k + 1 or x = 4k; abs (x) = 0, if x = 4k + 2, with the initial value a(0) = 1. Its generating function Lbs obeys the functional equation Lbs (X) − XLbs (X 2 ) + Lbs (X 4 ) = 0


227

Finally, the family of paper-folding sequences comprises sequences satisfying the recurrent relation ( apf (2s ), if x = 2s (4k + 1), apf (x) = s 1 − apf (2 ), if x = 2s (4k + 3). Thus the initial values of such a sequence are all its elements on positions which are powers of 2. Such a 0, 1-sequence can be characterized by the following recursive definition: (1) apf (2x + 1) ≡ apf (1) + x (mod 2); (2) (apf (2x)) is again a paper-folding sequence. To justify the name, recall that such sequences arise if we fold a piece of paper several times (every time folding one half over the other) and mark ‘hills’ with 1’s and ‘valley’ with 0’s. The sequence (apf (2s )) is the sequence of folding instructions. Various relations between paper-folding sequences and pattern sequences are analyzed in [245], [716], [718], [761], [767]. Morton and Mourant [767] show that the only possible patterns P for which (eP (x) (mod 2)) is a paper-folding sequence are P = 11 (that is, the Rudin–Shapiro sequence [245], [716], [718]), P = 10, and P = 01. Paper-folding sequences which are 2-automatic are completely described in [761] as paper-folding sequences with a periodic sequence of folding instructions of the form (apf (2s )). A paper-folding sequence itself is never periodic, but is almost periodic [718]. Many of the sequences above may also be constructed as fixed points of iterations of finite substitutions. Let ϑ be a substitution that acts on an alphabet Am . That is, each letter ω of Am maps to some word ϑ(ω) ∈ Wm . There is an associated class of sequences invariant under this substitution, satisfying a(1)a(2)a(3) . . . = ϑ (a(1)) ϑ (a(2)) ϑ (a(3)) . . . . It turns out that such sequences are essentially the same things as m-automatic sequences, see [217], [245], [653], [662], [918]. To get the binary sequences above, sometimes the letters of such an invariant sequence should be replaced with their binary representations. For example, the Thue–Morse sequence 01101001100101101001011001101001 . . . , is invariant under the substitution ϑ(0) = 01, ϑ(1) = 10. To get the Rudin–Shapiro sequence, consider the sequence 02010232020131010201023231320232 . . . , which is invariant under the substitution ϑ(0) = 02, ϑ(1) = 32, ϑ(2) = 01, ϑ(3) = 31, and then make the changes 0 → 00, 1 → 01, 2 → 10, 3 → 11. The areas of application of such sequences include number theory, theoretical computer science, normal numbers, pseudo-random number generations, ergodic theory, and classical analysis. Originally the Rudin–Shapiro sequence was defined as the sequence of coefficients of the trigonometric polynomial Trs (N ; z) =

N X h=0

(−1)ars (h) exp(2πihz)

228


which is distinguished for being flat: (11.2)

sup |Trs (N ; z)| ≤ CN 1/2 , 0≤z≤1

which is Log1/2 log N better then a typical polynomial. The constant C can be taken as C = 2 + 21/2 in (11.2). For special values z = 0 and z = 1/2 even more is known: Trs (N ; 0)N −1/2 and Trs (N ; 1/2)N −1/2 are dense in the intervals [(3/5)1/2 , 61/2 ] and [0, 31/2 ], respectively by [137]. Boyd, Cook and Morton [124] study trigonometric polynomials corresponding to an arbitrary pattern sequence ∞ X TP (N ; z) = (−1)eP (h) exp(2πihz). h=0

In particular, they show that for any P there is a constant τP < 1 such that sup |TP (N ; z)| ≤ CN τP , 0≤z≤1

and this bound cannot be essentially improved. This bound follows from asymptotic expansions for such polynomials. Notice that τ > 1/2, and τ is transcendental for any pattern with 3 or more digits. For example, τ111 = log ξ = 0.823 . . ., where ξ is the largest root of the equation ξ 3 − 2ξ − 2 = 0. The Baum–Sweet sequence abs is the sequence of coefficients of the unique solution of the cubic equation f 3 + Xf + 1 = 0 in the field F2 ((X −1 )) of formal Laurent series over F2 . This is known to be a power series, all of whose partial quotients are bounded. Thus several of the results from Section 6.2 apply to this power series. It is shown in [718] that if apf is a paper-folding sequence and 0 < α < 1, then ∞ X

(−1)apf (h) αh

h=1

is transcendental. The coefficients of the Fourier Transform of a paper-folding sequence are evaluated in that paper as well. Various interesting sums and products including the pattern counting function eP are asymptotically estimated in [337] and precisely evaluated in [21]. The main result of [21] says that for any pattern P of length n there is an effectively computable rational function bP such that ∞ X 1 log bP (h)X eP (x) = − 1−X h=0

(if P = 0 . . . 0 then the summation starts from h = 1). It is shown in [15] that if P is of length k then bP can be chosen with degree O(k 11.1 ), and that it must be of degree k 3 for infinitely many patterns P . Several nice explicit formulaæ, many of them new, are derived from this general result. Allouche [11] deals with the counting function Na (k) which is defined as the total number of different patterns P of length k in the infinite word a(1)a(2) . . .. Surprisingly, for any paper-folding sequence apf (11.3) (11.4)

Napf (1) = 2, Napf (4) = 12,

Napf (2) = 4, Napf (5) = 18,

Napf (3) = 8 Napf (6) = 23,


229

and Napf (k) = 4k, k ≥ 7. For the Thue–Morse sequence atm , the behaviour of Natm (k) is more complicated; it is independently described by de Luca and Varricchio [664] and by Brlek [143]: ( 6 · 2r−1 + 4s, if 0 < s ≤ 2r−1 , Natm (k) = 8 · 2r−1 + 2s, if 2r−1 < s ≤ 2r , where r and s are uniquely defined by the representation k − 1 = 2r + s,

0 < s ≤ 2r .

Hence lim inf Natm (k)/k = 3, k→∞

lim sup Natm (k)/k = 10/3. k→∞

Tromp and Shallit [1158] generalize this result, and obtain an explicit formula for the counting function of the sequence of residues e1 (x) modulo an integer k (see also [13]). Non-existence of palindromic patterns in the Thue–Morse sequence has been shown in [20]. Pseudo-random properties of the Thue–Morse and Rudin–Shapiro sequences have been studied in [703]. In [11], a brief summary of many other interesting features of Na (k) is given. For example Na (k) = O(k) for any automatic sequence (see also [22], [1143]) and if a is an automatic sequence then (under some mild restrictions) (Na (k + 1) − Na (k)) is automatic too. Allouche [12] gives a survey of results of this kind. Such results are related to a question about the minimal size of finite automaton which can compute correctly given functions from Wm to some other finite alphabet Bk = {0, 1, . . . , k − 1}, including the characteristic functions of languages [14], [906], [1035], [1037], [1038]. Specifically, for a function f : Wm −→ Bk , denote by Sf (n) the smallest number of stages in any automaton which computes f correctly on any words of length at most n. It is shown in [1038] that, if k, m ≥ 2 then for any such function f Sf (n) ≤ C(m, k) (1 + o(1))

mn+2 , n

n→∞

where

logk . (m − 1)2 log m This bound is precise, because for almost all such functions C(m, k) =

mn+1 , n → ∞. n On the other hand, the characteristic functions χL of a special class of languages satisfy SχL (n) ≥ (n + 3)/2, and this bound is best possible. The case m = 1 is exceptional, but can be dealt with as well. Pomerance, Robson and Shallit [906] prove that for any function f : W1 −→ Bk the inequality Sf (n) ≤ n + 1 − blogk nc holds for infinitely many n, while for almost all functions Sf (n) ≥ n + 1 − 2 logk n − 2 logk logk n for all sufficiently large n. Once again, the case of characteristic functions of languages is special and is considered separately. Sf (n) ≥ C(m, k) (1 + o(1))

230


More precise estimates for some interesting functions, mainly number-theoretic in nature, are given in [1035]. Following [616] a real number α is called (m, g)-automatic if the sequence of its g-ary digits is m-automatic; denote by L(m, g) the set of all such numbers. Lehr, Shallit and Tromp [616] show that L(m, g) is a vector space of infinite dimension over Q. Moreover, for m = 2 they exhibit a constructive proof which runs as follows. Consider the power series ∞ X h f (X) = X2 , h=0

and put α = f (1/g). By Theorem 11.1, α is transcendental over Q. Using ingenious arguments they show that each power αr is (2, g) automatic (apparently a similar result holds for any m as well). The proof of this is based on the following estimate, which is of independent interest. Denote by F (n, r) the coefficient of X n in the r-th power f (X)r . Then, for any n (2r)! 2r r! (for the proof of the main result, it is enough to know that F (n, r) is bounded by a constant depending on r only). On the other hand, the authors of [616] demonstrate that L(m, g) is not closed under product, nor under inversion. Links between linear recurrence sequences, automata and numeration systems are given in [359], [360], [406], [1020], [1034], [1036], [1149]. For example, Shallit [1034] introduces the notion of a regular numeration system and shows that all such system are generated by linear recurrence sequences. Various operations (taking the diagonal, Hadamard products, specialization and lifting, for instance) on power series which preserve the property of being automatic are considered in [653]; see also [247], [651], [652]. Multivariate power series are of interest as well: These questions are related to the still open Grothendieck conjecture, which asserts that if a linear homogeneous differential equation n X Fi (X)f (i) (X) = 0 F (n, r) ≤

i=0

with coefficients from Q[X], and of order n, has for almost all primes p, n independent solutions in Fp [[X]], then all its solutions are algebraic [82], [950]. Bezivin [92] considers an analogue of this conjecture for functional equations of the shape (11.1). Other various useful features (some of them unique to these sequences), generalizations and applications of automatic and related sequences can be found in the papers quoted above, and in [16], [244]. Finally, consider the special family of cellular automata. Roughly speaking, such an automaton is a line (finite or infinite) of cells, each cell contains an element from some alphabet finite alphabet Am = {0, 1, . . . , m − 1}. At each discrete moment of time t, the state a(t, h) of the cell with coordinate h depends on the state of itself and of its several neighbours (say with coordinates h − s, . . . , h + s) at several preceding moments of time (say at moments of time t − n, . . . , t − 1). More formally, for all t ∈ N, and h ∈ Z, a(t, h) (11.5)

= F a(t − 1, h − s), . . . , a(t − 1, h + s), . . . , a(t − n, h − s), . . . , a(t − n, h + s) ,


231

for some function F on Am , and fixed integers n and s. The sequence (finite or infinite) (a(0, h)) is called the initial configuration. The function F is called the transition rule. For the case of a finite set of cells, for cells at both ends (with 0 ≤ h ≤ s − 1 and N − s ≤ h ≤ N − 1) some special boundary rule should be given. One approach is to compute coordinates in the residue ring modulo N (that is, assume that the automaton is of circular shape). This removes the boundary cells. In many settings only the case n = 1 is considered. A good introduction to the general theory of such automata, as well as many more advanced topics, can be found in the collection [1214]. As usual, the theory is much richer if the alphabet Am has some special algebraic structure. Define the generating function ∞ XX At (X, Y ) = a(t, h)X h Y t . h∈Z t=1

One can also consider the following two specializations: The time generating function X At (X) = A(X, 1) = a(t, h)X h . h∈Z

Respectively, for each position h define the vertical generating function ∞ X Ah (Y ) = A(1, Y ) = a(t, h)Y t . t=1

We see from (11.5) that cellular automata are essentially 2-dimensional recurrence sequences, but here we concentrate on more direct relations between cellular automata and linear recurrence sequences. To exhibit such relations, consider the class of linear cellular automata, those are cellular automata whose transition rule is a linear function (provided that the alphabet is a finite ring). It is shown in [692] that for any linear cellular automata over a ring R there are rational functions F0 (X), . . . , Fs (X) ∈ R(X) such that (At (X)) satisfies a recurrent equation of the form At+n (X) = Fn−1 (X)At+n−1 (X) + . . . + F0 (X)An (X),

t ∈ N,

for an infinite set of cells, or a recurrent congruence (11.6) At+n (X) ≡ Fn−1 (X)At+n−1 (X) + . . . + F0 (X)An (X) (mod M (X)),

t ∈ N,

for a finite set of cells, where the modulus polynomial M (X) ∈ R[X] depends on the boundary rule (in particular M (X) = X N − 1 for the periodic boundary rule). For instance, the transition rule a(t + 1, h) ≡ f1 a(t, h − 1) + f0 a(t, h) + f1 a(t, h + 1),

a(t, h) ∈ Fq ,

can be found in almost every paper devoted to linear cellular automata. For this sequence, the recurrent equation is At+1 (X) = F (X)At (X), −1

t ∈ N,

where F (X) = f1 X + f0 + f−1 X (or an analogous congruence modulo some polynomial M (X) ∈ Fq [X] for the case of a finite set of cells). Thus, known results about linear recurrence sequences over function fields can be applied to linear cellular automata. Such applications are the main motivation of the paper [935] on

232


linear recurrence sequences over function fields. Other methods which are traditionally used for linear recurrence sequences over algebraic number fields or finite fields can be applied as well. We describe several examples of questions which are not worked out yet but no doubt can be successfully approached. The two types of automata, finite automata and linear cellular automata are essentially different and should not be confused. Generally they generate distinct classes of sequences which nevertheless have non-trivial intersection [23], [24]. In Section 1.5 the question of periods of solutions of (11.6) over Fq was discussed. Multidimensional linear cellular automata are of interest as well. In this case, instead of (11.6) a recurrent congruence arises modulo an ideal in the ring of multivariate polynomials over Fq , and the theory becomes even more complicated. In particular cases, periods of such automata are studied in [692] and later in [488], [489]. In Section 4.1 (and below in Section 11.3 in the more specific setting of cyclic linear codes) we considered a question about the distribution of values of linear recurrence sequences. Many of these results seem to be extendable to linear cellular automata. Then, in Section 11.2 we consider the Orbit Problem for linear recurrence sequences which is of great interest for finite automata too, and is known there under another name as the Reachability Problem. One can also study predictability and unpredictability of such automata in the spirit of Section 10.2. The techniques used for linear recurrence sequences can be applied (after some adjustments and modifications) to linear cellular automata as well. Polynomial time prediction and the Reachability Problem for linear cellular automata are considered by Clementi and Impagliazzo [214] from the point of view of complexity class theory. It is shown that the Reachability problem for linear cellular automata is not NP-complete unless some very plausible complexity class classification collapses. Studying reversible and irreversible cellular automata [271], [759], [1177] can be though as a modification of this question. For a cellular automaton, given an initially configuration I denote by Lt (I) the ‘length’ of its alive cells at the time t; that is Lt = Mt − mt + 1 where Mt and mt are the maximal and minimal, respectively, index h with a(t, h) 6== 0. In [131], the following classes of binary cellular automata are defined • For any initial configuration I, lim Lt (I) = 0.

t→∞

• For any initial configuration I, 0 < sup Lt (I) < ∞. t→∞

• For some initial configuration I, sup Lt (I) = ∞. t→∞

Then, it is demonstrated in that paper that for each automaton we can effectively decide to which class it belongs. Cellular automata defined from (11.5) are one-dimensional. One can also define higher-dimensional cellular automata (that is, with cells in a higher-dimensional space), see [151], [760], [988], [989], [990], [1142], [1214].

11.2. ALGORITHMS AND CRYPTOGRAPHY

233

Sato [986], [987] shows that there is an essential distinction between onedimensional and higher-dimensional automata. Roughly speaking, the backward prediction problem (considered in Section 10.2) is decidable for one-dimensional but is not for higher-dimensional automata. Several other complexity related issues of the theory of cellular automata are dealt with in [271]. Litow and Dumas [655], using some properties of diagonals of power series, prove that for any h the vertical generating function Ah (Y ) of a linear cellular automaton over Fq is algebraic over this field (and thus is q-automatic). Various aspects of the theory of cellular automata, including links to linear recurrence sequences are discussed in [105], [227], [487], [592], [593], [647], [706], [1142]. Applications of linear cellular automata include cryptography [105], [731], [805], [1213], pseudo-random number generation [223], [1213], [1214], complexity theory and theoretical computer science [1214], theory of self-organizing systems [1214] and even dynamical systems and physics [475], [698], [716], [1142], [1173], [1203], [1214]. Many natural orbit portraits arising from linear cellular automata are (when suitably rescaled in the limit) sets of fractional Hausdorff dimension or fractals. Fractals also arise from the iterative scheme a(x + 1) = Fx (a(x)) in which the map Fx is chosen at random from some fixed finite set of mappings [709] according to a fixed distribution. Such iterations are a particular case of probabilistic automata; more details and further references can be found in [1214, Chap. 4]. Finally, Granville [411] gives a generalization of the classical Lucas congruence for binomial coefficients modulo a prime to prime powers. This result is motivated in part by applications to finite automata. As an application, an algorithm of complexity O(log2 n + k 4 log n log p + k 4 p logp ) has been designed to compute the residue n (mod pk ), 0 ≤ m ≤ n, m which can accelerate some computations with finite automata.

11.2. Algorithms and Cryptography 11.2.1. Primality testing. Linear recurrence sequences have been used in several primality testing and integer factorization algorithms, see [234], [968]. The first attempts to create a fast and reliable primality test were related to the Fermat congruence: If gcd(a, M ) = 1 and aM −1 6≡ 1 (mod M ), then M is composite. This gives a necessary condition for M to be prime that is computationally easy. Selecting different a gives a series of tests which test primality to a high level of confidence. Composite numbers M that pass this test in the sense that aM −1 ≡ 1 (mod M ) for some a with gcd(a, M ) = 1 are called pseudo-primes to the base a. The most extreme form of composite pseudo-primality is exhibited by the Carmichael numbers: These are numbers which are pseudo-prime to the base a for all a with gcd(a, M ) = 1. The number Pa (N ) of pseudo-primes to the base a, and the number C(N ) of Carmichael numbers, in the interval 1 ≤ M ≤ N are not too large: (11.7) Pa (N ) N 1−0.5 Log log log N/ Log log N ,

C(N ) N 1−Log log log N/ Log log N ,

234


see [234, Sect. 3.3], [436, Sect. A12], and [968, Chap. 4]. Nonetheless, these deceptive numbers are significant: Alford, Granville and Pomerance [9] prove that C(N ) N α−ε for α = 5/6(2 − e−1/2 ) = 0.290 . . . > 2/7 and any ε > 0. This result improves all previously known bounds not only of C(N ) but of Pa (N ) as well. It is mentioned in their paper that the results of computation and some heuristic considerations suggest that the upper bound in (11.7) may be very precise. Several more results about Carmichael pseudo-primes and other related questions appear in [52], [53], [162], [163], [480]. Thus the primality test based on the Fermat Theorem is not entirely reliable. Nonetheless, it is practical and fast, and as a result is widely used. There are many sophisticated approaches to primality testing, in particular using elliptic curves, that are outside our scope – consult the papers [51], [390], [391], [393], [736] for references and discussions. A different kind of generalization exploits Euler’s criterion for quadratic residues modulo a prime: If M is odd, gcd(a, M ) = 1, and a(M −1)/2 6≡ ±1 (mod M ), then M is composite. Although there are composite numbers which pass this test — the Euler pseudo-primes — this simple modification has turned out to be very fruitful. A further development is the Lehmer test which is very quick when the prime number factorization of M − 1 = pk11 . . . pks s is known. The Lehmer test goes as follows. Select an integer a > 1 and check whether a(M −1)/pi 6≡ 1

(mod M ),

i = 1, . . . , s,

and aM −1 ≡ 1

(mod M ).

If both of these are satisfied, then M is declared to be prime. This statement rests on the fact that the only integers modulo which there exists a primitive root are 2, 4, odd primes and their powers (but the latter possibility can be verified easily). Using the lower bound C/ log log M for the density of primitive roots modulo a prime M , and selecting M at random gives a probabilistic algorithm of the Las Vegas type: It is never cheating when it says ‘YES’ and almost always correct when it says ‘NO’. For example, this gives the classical rigorous test for Fermat numbers, see [234, Theorem 4.1.2], [968, Theorem 4.5]. h

Theorem 11.3. The Fermat number Fh = 22 + 1 is prime if and only if 3(Fh −1)/2 ≡ −1

(mod Fh ).

The culmination of this circle of ideas in complexity theory is the result of Pratt [944] that primality testing belongs to the complexity class NP. Further results can be found in [555], where an algorithm is designed to test the primality of M in O(log17/7 M ) arithmetic operations involving integers of size at most M (thus in time O(log24/7 M )), provided the factorization of M − 1 is known. The notion of Euler pseudo-primes can be extended to the notion of strong pseudo-primes to the base a which are odd composite numbers M = m2s , with m r odd and such that either am ≡ 1 (mod M ) or am2 ≡ −1 (mod M ). Miller [734] remarks that the number of consecutive bases a = 2, 3 . . . with respect to which M is a strong pseudo-prime is related to the distribution of primitive roots modulo


235

a prime, and uses this to show that under the Generalized Riemann Hypothesis deterministic primality testing can be done in polynomial time. Finally, there is the notion of pseudo-prime with respect to some linear recurrence sequences. For example, for a Lucas sequence `− (x) = (α1x − α2x )/(α1 − α2 ) having characteristic polynomial f (X) = X 2 − f1 X − f2 with gcd(f1 , f2 ) = 1, f1 f2 6= −1 and D = f12 + 4f2 6= 0, Lucas pseudo-primes are composite numbers for which `− (M − (D/M )) ≡ 0 (mod M ), where (D/M ) is the Jacobi symbol modulo M , see [234, Sect. 3.5], [Chap. 4][968] (it is easy to verify that this condition holds for any prime M ). The best bounds for L(N ), the number of Lucas pseudo-primes on the interval 1 ≤ M ≤ N (for a fixed Lucas sequence), are (11.8)

exp(logc N ) L(N ) N 1−0.5 Log log log N/ Log log N

with some absolute constant c > 0. The lower bound is due to Erdös, Kiss and S´ arkosy [302] and the upper bound is due to Gordon and Pomerance [393]. The constant c depends on results on the distribution of prime numbers, and on the Linnik constant, in particular. An analogue of the Lehmer test can be designed with respect to Lucas sequences as well. One application of this is a criterion for the primality of Mersenne numbers Mn = 2n − 1 which is simpler to formulate in terms of a non-linear recurrence sequence. This appears in a more general form in [968, Theorem 4.16]. Theorem 11.4. The number M = h2n − 1 with n odd and gcd(hM, 3) = 1 is prime if and only if a(x − 2) ≡ 0 (mod Mn ), where the sequence a satisfies the recurrence relation a(x + 1) = a(x)2 − 2, 1/2 h

x ∈ Z+ 1/2 h

with the initial value a(0) = (2 + 3 ) + (2 − 3 ) . If 3 h a similar sequence with a different initial value can be used in the same way too – see [968, Theorem 4.16]. Lehmer sequences can be used as well. Many interesting results on Lehmer and Lucas pseudo-primes can be found in [37], [780], [781], [782], [787], [977]. M¨ uller and Oswald [788] consider an analogue of Carmichael pseudo-primes for binary linear recurrence sequences. These are odd composite numbers M such that af (M ) ≡ f (mod M ) for all integer f , where af (x) = λx + λ−x and λ is a zero of the polynomial X 2 − f X + 1. Numerical results suggest that such pseudo-primes are very sparsely distributed. Matthews [702] and More [743] obtain several more relevant results. Each of these papers also provides a good outline of previously known results. Somer [1103] obtains several related results, see also [785]. Gurak [428], [429] carries this definition further, and considers pseudo-primes with respect to a linear recurrence sequence of higher degree (see also [740]). In particular, Gurak extends the upper bound from (11.8) to estimates for such pseudoprimes. Many other results and references can be found in [234, Chap. 3, 4], [423], [436, Sect.A12–13], [740], [968, Chap. 4] and [1210].

236


Grantham [412], [413] introduces a new type of pseudo-prime related to properties of the Frobenius automorphism in finite fields; see also [234, Sect. 3.5]. A related approach has also been used in [784]. Several factorization algorithms are based on non-linear recurrence sequences similar to the one used in Theorem 11.4. One of them is Pollard’s ρ-method. Consider the sequence a(x + 1) = a(x)2 + b

x ∈ Z+ ;

assuming that its values are randomly distributed modulo M , it is reasonable to expect that the smallest period of this sequence is of order M 1/2 (this is a reformulation of the birthday paradox). However, if p is a proper divisor of M then for similar reasons the period modulo p should be of order p1/2 . Selecting b and the initial value a(0) at random modulo M , it is therefore expected that one of the numbers gcd (a(2x) − a(x), M ) produces a proper divisor of M for some x of order M 1/4 . It is not yet clear how to put these considerations in a precise form, but the resulting algorithm is known to be working well, see [234, Sect. 5.2], [968, Chap. 6]. The only known rigorous result in this direction is due to Bach [44]. Clearly, other recurrence sequences can be tried as well. 11.2.2. Algorithm design. Several papers study what happens to a probabilistic algorithm if instead of ideal random numbers, pseudo-random numbers are used (usually generated by a linear congruencial generator (10.2) or (10.3)). This question relates directly to any practical implementation of the algorithm. For both primality testing and the problem of extracting roots in finite fields, this is done by Bach [43]. Several other probabilistic algorithms are studied by Karloff and Raghavan [507]. An example of a problem arising in analyzing such pseudo-random algorithms is the following: For a primitive root λ modulo a prime number p and 1 ≤ a ≤ p − 1, denote by Ia,λ,p (N, H) the number of indices i with 0 ≤ i ≤ p/H − 1 such that the congruence aλx ≡ u

(mod p),

1 ≤ x ≤ N,

iH + 1 ≤ y ≤ (i + 1)H,

has a solution. Karloff and Raghavan [507] show that the complexity of the QuickSort algorithm using a linear congruencial generator depends on Ia,λ,p (N, bp/N c) (see also [1156]). The number of comparisons made by the algorithm to sort a sequence of N elements is Ca,λ,p (N ) Ia,ϑ (N, bp/N c)N 2 p−1 + N log N. In particular, an important question is to determine how large should the modulus p be in order to have Ca,λ,p (N ) = O(N log N ), the estimate for the QuickSort algorithm using an ideal random number generator. Estimating Ia,λ,p (N, H) is an interesting question for its own merits. Clearly min{p/H, N } ≥ Ia,λ,p (N, H) ≥ max{N/H, 1}, so Ca,λ,p (N ) = O(N log N ) implies p N 3/2 log−1/2 N . The behavior of Ia,λ,p (N, H) is related to the quantity Ra,λ,p (N, H) introduced in Section 4.2, but this relation is not explicit and some efforts are needed to estimate Ia,λ,p (N, H) using estimates for Ra,λ,p (N, H). The asymptotic result p Ia,λ,p (N, H) = 1 + O p2 Ra,λ,p (N, bH/2c)N −2 H −2 H


237

was communicated to the authors by Hugh Montgomery. Any upper bound for Ra,ϑ (N, H) can be applied to this to estimate Ia,λ,p (N, H). Unfortunately, when N H ∼ p, the bound (4.7) is not strong enough to produce a non-trivial result for Ia,λ,p (N, H). In [556], the relation Ia,ϑ (N, H) min{p/H, N 2 HRa,ϑ,p (N, H)−1 p−1 }. between Ia,λ,p (N, H) and Ra,λ,p (N, H) is found. It is also shown that, for any k ≥ 2, min{p1/k H −1 , 1} Ia,ϑ (N, H) N p−ε . 1/k min{N , N 1/k Hp−1/k + p1/2k } Combining the two bounds above and (4.7) gives the following result. Theorem 11.5. For any ε > 0,  N,    N 11/4 p−5/4−ε , Ia,λ,p (N, bp/N c) −1/4−ε  ,  N p  3/2 −1/2−ε N p ,

if if if if

N ≥ p5/7+ε ; p4/7 ≤ N < p5/7+ε ; p1/2 ≤ N < p4/7 ; p1/3+ε ≤ N < p1/2 .

Thus Ca,λ,p (N ) = O(N log N ) implies p N 5/3−ε . The bounds for Ra,ϑ (N, H) on average can be used as well. In particular, ( N, if N < p1/4−ε ; Ia,λ,p (N, bp/N c) 1/4−ε p , if N ≥ p1/4−ε ; for all but o (ϕ(p − 1)) primitive roots λ modulo p. This bound unfortunately is not applicable to estimating Ca,λ,p (N ). Another bound from [556], Ia,λ,p (N, bp/N c) N p−ε holds for all but O(p1−ε ) values a = 1, . . . , p − 1. Thus to have Ca,λ,p (N ) = O(N log N ) for almost all a, p should be of order N 2−ε at least. Seroussi and Bshouty [1032] have found an application of linear recurrence sequences over finite fields to the problem of testing Boolean functions. Alon, Goldreich, H˚ astad and Peralta [25] use linear recurrence sequences to construct socalled almost k-wise independent random variables – a fast growing area of modern computer science with a vast number of applications. In [571], a probabilistic algorithm to verify if a given sequence satisfies a linear recurrent equation is designed. This paper belongs to a new area of computer science, that of testing and verification of functions. Rabin [951] shows that computing the number of zeros modulo p of a linear recurrence sequence over Fp is an NP-hard problem. Upper bounds from [934] for the number of solutions of equations and congruences with exponential polynomials of the shape (1.29) (like Theorem 1.25, for instance) can be used to design algorithm to test identities with such polynomials [508] in the same way as this is done in [1231] for algebraic polynomials. The next topic is the Orbit Problem. In its most general form, this can be formulated as follows: Given an initial vector a, a matrix A, and a target vector t of dimension n over a commutative ring R, determine if t belongs to the orbit aAx .

238


That is, decide if the equation aAx = t is solvable. As remarked in Section 1.1, coordinates of any matrix exponential function are linear recurrence sequences whose characteristic polynomial is the characteristic polynomial of the matrix. Thus the Orbit Problem is a question about simultaneous solubility of a system of equations in linear recurrence sequences. For the Orbit Problem over Q, Kannan and Lipton [503] get a version of Theorems 1.2 and 1.20 for the vector aAx , and show that this problem can be solved in polynomial time. On the other hand, good explicit upper bounds for this problem are still not known. It is possible that the original algorithm of [503] can be essentially refined using results about the growth and number of solutions of equations with linear recurrence sequences over Q, as well as results about the number of solutions of congruences. The paper [167] addresses a more general question about 2-generated matrix (semi-)groups over algebraic number fields, and provides a new approach leading to a deterministic polynomial time algorithm as well. In particular, this paper contains a very simple proof of the main result of [503]. For further progress in the Orbit Problem for matrix groups see [42], [165], [166], [195]. The case of fields of positive characteristic seems to be harder. Indeed, the Orbit Problem over a finite field Fq is related to the discrete logarithm problem: Let q = pr be a prime power and a, g, t ∈ F∗q . Then the equation ag x = t is equivalent to the system of equations (11.9)

aj (x) = ϑj ,

j = 1, . . . , r,

where aj (x) = TFq /Fp (ag x ωj ),

ϑj = TFq /Fp (tωj )

and ω1 , . . . , ωr is a basis of Fq over Fp . The system (11.9) is a particular case of (4.1). It is shown in [776] (using results given in Section 4.1), that for some values of parameters the solubility of (4.1) can be efficiently verified. For example, if both m and q are fixed, then this can be done in polynomial time nO(1) . Unfortunately, for m large this method does not produce any non-trivial bounds. Thus in particular it is not applicable to the system (11.9) (where m = n = r) corresponding to the discrete logarithm case. Lange [592], [593] shows that linear recurrence sequences are useful in implementation of some polynomial factorization algorithms over finite fields. 11.2.3. Cryptography. As mentioned in Section 2.1, bounds for exponential sums from [171], [172], [352], [355], [356] are often motivated by cryptographic questions. The result of [353] on the period of the power generator has also found some cryptographic applications: It implies that the cycling attack on the RSA cryptosystem has negligible chance of success. On the other hand, it gives some security assurances to a recent cryptographic construction related to timed-release cryptography; see [353] for more details. Theorem 2.8 and the bounds (2.2), (2.4), (2.5) have been one of the main tools (together with some methods from geometry of numbers) in proving certain bit security results for some major cryptosystems [388], [389], as well as in designing rigorously proved attacks on the Digital Signature Algorithm and its modifications [290], [824], [825]. On the other hand, the bit security results of [387]

11.3. CODING THEORY

239

and [1084] are based on the bound for the number of zeros of linear recurrence sequences given by Theorem 2.10. In turn, the result of [1084] has recently been improved in [641] by using the bound (2.1). In Sections 10.1 and 10.2, potential applications of linear recurrence sequences to cryptography (related to pseudo-random properties of such sequences) have been discussed. There are also more direct applications: Niederreiter [832], [838] describes the following generalization of the celebrated Diffie–Hellman key-exchange system. Two participants, Alice and Bob, use the same linear recurrence sequence a of order n over a field F which is known to the attacker. Each of them selects a secret number, say k and `. Then Alice computes and sends to Bob the values a(`), . . . , a(2n`), and Bob computes and sends to Alice the values a(k), . . . , a(2nk). Knowing these values and using the Berlekamp–Massey algorithm, for example, Alice and Bob compute the characteristic polynomials of sequences a` (x) = a(`x) and ak (x) = a(kx). Now each of them can compute the same sequence ak` (x) = a` (kx) = ak (`x), whose first m < n values can be used as the common key. To break this cryptosystem, the attacker will have to find the values ak` (1), . . . , ak` (m) from the values a(`), . . . , a(2n`) and a(k), . . . , a(2nk) only. Several more modifications of this basic scheme are considered in [832] as well. A study of a cryptosystem based on Lucas sequences (analogous to the discrete logarithm and RSA cryptosystem) can be found in [111] and [112]. Krawczyk [566] shows how to use linear recurrence sequences for hashing. Another way of using linear recurrence sequences for cryptographic purposes is presented by Johansson [491]. Klapper [541] addresses some complexity issues of using linear and non-linear recurrence sequences in cryptography. Many of the aforementioned links between cryptography and recurrent sequences as well as several others are discussed by Stinson [1123]. 11.3. Coding Theory 11.3.1. Cyclic linear codes. The widely used cyclic linear codes are linear recurrence sequences over finite fields [72] and [681], so the theory of linear recurrence sequences applies to such codes. More precisely, given a polynomial f of degree n and period t over Fq , the set of vectors, or code-words (a(1), . . . , a(t)) over all sequences from L(f ) is called a cyclic linear code of dimension n and length t with checking polynomial f . The polynomial g(X) =

Xt − 1 f (X)

is called the generating polynomial. The period of f is the length of the code and the degree of f is the dimension of the code. The cyclic linear code of dimension n and length t with checking polynomial f and the cyclic linear code of dimension t − n and length t with the checking polynomial g are dual as vector spaces over Fq . Hence, results on the number of zeros and the distribution of values of linear recurrence sequences can be translated into results about the weight distribution of codewords of a cyclic linear code, while bounds for exponential sums with linear recurrence sequences readily produce bounds for correlation functions (both periodic and aperiodic) for such codes. For example, for a linear recurrence sequences

240


a of order n over a prime field Fp , let La (N ) =

N X

ka(x)kp

x=1

be the Lee weight of the vector (11.10)

A(N ) = (a(1), . . . , a(N )) , ,

where kakp is the smallest by absolute value representative of the residue class of a. It is shown in [1074] that La (N ) = N

p2 − 1 + O(pn/2+1 log t log p) 4p

for any N ≤ t, where t is the period a. Direct application of Theorems 4.1 and 4.2 produces worse error terms; in order to get the bound above some additional considerations are needed. For the Hamming weight Wa (N ), the number of non-zero elements of the vector (11.10), those two theorems can be applied immediately. On the other hand, some new specific problems arise in the coding theory context. Indeed, the results mentioned above are directly or indirectly related to Theorems 2.1, 2.2, 4.1 and 4.2 and therefore are non-trivial for the case of larger periods only (of order about q n/2 for sequences over Fq ). This situation is not typical for coding theory where the case of small t (logarithmically small sometimes) is of major interest, because it corresponds to cyclic linear codes with small redundancy. One of the approaches to the case of small periods is discovered in [1080, Sect. 7.3] and relies on Szemerédi’s Theorem [1137] on integer sets without arithmetical progressions (as in Section 1.4). This theorem implies that any cyclic linear code with irreducible generating polynomial is not too bad in the following sense: Let ε > 0 be fixed, and consider a cyclic linear code with a square-free checking polynomial f of degree n, and of period t with n ≤ t(1 − ε) and such that g(X) = (X t − 1)/f (X) is irreducible over Fq . Then the minimal non-zero weight of the code has w → ∞ as n → ∞. Indeed, let α1 , . . . , αr be the roots of the generating polynomial g, r = t − n ≥ εt. Then for some primitive root ϑ of Fqr , αi = ϑnmi ,

0 < mi < n,

i = 1, . . . , r.

Since r > εn, for any ∆ and n large enough, the set {m1 , . . . , mr } ⊂ {0, . . . , n − 1} contains an arithmetical progression of length at least ∆. The latter means that the code is a sub-code of a BCH-code with designed distance ∆, so its minimal weight is at least ∆. These considerations also apply to the dual code, and [681, Chap. 9, Theorem 23] can be used to find an asymptotic formula for the weight enumerator of an arbitrary cyclic linear code of length t with an irreducible checking polynomial of degree n = o(t). The first proofs of the Szemerédi Theorem were non-effective. However, for ∆ = 3, Heath-Brown [458] gets an effective result, which shows that there exists some constant A, c > 0 such that for n ≤ t − ct(log t)−A the minimal weight is at least 3. More recently, Gowers has found an effective result for ∆ = 4, [401]; and then for all ∆ in [402] with analogous consequences for the problem of small periods. See [400] for an overview of these developments.

11.3. CODING THEORY

241

One more characteristic of coding theory problems is that q is usually small. To avoid some messy details, the case q = 2 (which is the most important case for computing applications) will be considered. The method used to prove Theorems 2.3 and 2.4 turns out to be useful for studying cyclic linear codes as well. For a cyclic linear code, denote by M (w) the number of code-words A(t) given by (11.10) with Hamming weight Wa (t) ≤ w. The following theorem is proved in [1069]. Similar results are independently obtained in [899]. Theorem 11.6. Let f be an irreducible checking polynomial of degree n and period t over F2 . For any integer r with n ≥ r > nw/t, r−1 X n t (r − v) + 1. M (w) ≤ rt − nw v=1 v Proof. Let ai , i = 1, . . . , Q be m = M (w) − 1 non-zero sequences generating code words of weight at most w. Since t

Wa (t) =

1X wa (x), n x=1

where wa (x) is the Hamming weight of the vector (a(x + 1), . . . , a(x + n)), mw ≤

n t n 1X 1 XX wai (x) = I(v)v n i=1 x=1 n v=1

where I(v) is the numbers of vectors (11.11)

(ai (x + 1), . . . , ai (x + n)) ,

i = 1, . . . , m, x = 1, . . . , t,

of weight v. Among the vectors (11.11), each non-zero binary string (d1 , . . . , dn ) occurs at most n times (in fact either never or exactly n times). Therefore n I(v) ≤ n v and certainly I(0) = 0. Then n X

I(v) = mt,

v=1

so n

mw

≤

=

≤

1X 1 I(v) = n v=1 n 1 n

r−1 X v=1

I(v)v + r

r−1 X

I(v)v +

! I(v)v

v=r

v=1 n X

n X

! I(v)

v=r

1 = n

rmt −

r−1 X

! I(v)(r − v)

v=1

r−1 rmt 1X n − (r − v), n n v=1 v

and the bound follows. Now let w/t ≤ ω < 1/2. The estimate r−1 X n ≤ 2nH(r/n) , v v=1

242


from [681, Sect. 10.11], where H(ψ) = −ψ log ψ − (1 − ψ) log(1 − ψ), and the choice r = b(ω + δ)nc for sufficiently small δ > 0, together show that the bound M (w) = O(2H(ω)n+εn) ) holds. Now let 0 ≤ ψ(α) ≤ 1/2 be the unique root of the equation H (ψ(α)) = α,

0 < α < 1/2.

Theorem 11.7. Let W be the minimum weight of non-zero code-words of the cyclic linear code with irreducible checking polynomial f of degree n and of period t over F2 . Assume that log2 t/n ≥ α > 0. Then, for t → ∞, W ≥ ψ(α)t + o(t). This result was proved in [1066], but it follows also from Theorem 11.6. Indeed, it is clear that M (W ) ≥ t+1, (the zero-word plus t cyclic shifts of a minimal weight word). Then r−1 X t n t+1≤ (r − v) + 1, rt − nW v=1 v so r−1 rt 1X n W ≥ − (r − v). n n v=1 v Setting r = nψ(α) − n1/2 gives Theorem 11.7. Other applications of these techniques give Theorems 6.7 and 6.8; the latter can also be reformulated as an upper bound on the covering radius of cyclic linear codes. 11.3.2. Correlation functions. Fix a non-trivial additive character χ of a ring R. For two sequences a and b of period t over R, define the periodic and aperiodic correlation functions as ρab (h) =

t X

χ (a(x) − b(x + h)) ,

ϑab (h) =

x=1

t−h X

χ (a(x) − b(x + h))

x=1

respectively [985], [1228]. In the case a = b these functions are called autocorrelation functions. Let Mn be the set of all M -sequences a of order n and period t = 2n − 1. Set τn = max

N X (−1)a(x)+b(x) . max n

a,b∈Mn N ≤2 −1 x=1 a6=b

It is clear that any non-trivial correlation functions (periodic or aperiodic) between M -sequences of order N does not exceed RN . Define τ = lim sup τn /n. n→∞

Helleseth [461] gives examples of sequences with high periodic correlation, which show that ρ ≥ 1/3. An upper bound for τ follows from Theorem 2.4: 1/3 ≤ τ ≤ 1 − 2ψ(1/2) = 0.78 . . . . At the present time it is not clear how to apply this method to estimating the correlation between non-linear recurrent sequences (sums with a single non-linear

11.3. CODING THEORY

243

sequence can be dealt with; cf. Theorem 2.3). Certainly other bounds for exponential sums with linear recurrence sequences produce bounds for correlation functions of cyclic linear code. On the other hand, in Section 2.1 bounds which hold for all, or at least a very wide class of, linear recurrence sequences are obtained. For coding theory applications only special classes of sequences need be considered, many of which admit good estimates for correlation functions. An exhaustive survey of older results is provided by Sarwate and Pursley [985]; more recent results are surveyed by Helleseth [462] and by Helleseth and Kumar [463]. A variety of examples of families of linear recurrence sequences with small correlation can be found in [194], [213], [238], [257], [378], [379], [380], [381], [384], [385], [464], [539], [540], [542], [543], [544], [623], [862], [863], [864], [865], [883], [1136], [1160], and references therein. Klapper [539] considers the dual problem of constructing sequences with large linear complexity and low correlation. For n = 2km, he finds a family of sequences (derived from linear recurrence sequences) of size 2n/2 with the largest value of periodic correlation function 2n/2 + 1 and with linear complexity at least 3mk(3k − 1)m−2 . For k = 2, the complexity is exponentially large, being of order 1.5n5n/4−2 . This work is continued in [540], see also [209], [382], [1031], [1136]. The problems considered so far are specific forms of a well-known numbertheoretic question: To find bounds for the number of zeros in exponential sums. The next question is specific to coding theory. For a cyclic linear code with irreducible checking polynomial f ∈ F2 [X] of degree n and period t, denote by s the number of different weights of its codewords and put T = (2n − 1) /t. Trivially, s ≤ min{t, T }. Better upper bounds for s are established in [1069] n o (11.12) s ≤ min (1 + o(1)) T / log T, (3/4)1/3 2n/3 + 2 . The first bound is derived by considering intersections of cyclotomic classes Cm = m2i (mod 2n − 1), i = 0, . . . , n ⊆ Z/(2n − 1)Z, where m ∈ Z/(2n − 1)Z, under the shifts jT + Cm , j = 1, . . . , t, in the residue ring Z/(2n − 1)Z. The second bound follows from the identity (2.8) (with q = 2, c = 0, N = t). Indeed, for the weight Wa (t) of a non-zero code vector A(t) of the form (11.10), t X t − 2Wa (t) = (−1)a(x) . i=1

Also, t non-zero code words generate t distinct shifts of the same sequence and of the same weight. Thus if w1 , . . . ws−1 are s − 1 distinct non-zero weights of the code, then t2 + t(t − 2w1 )2 + . . . + t(t − 2ws )2 ≤ 2n t. Since the sum of squares of s different integers is at least s3 /12 + O s2 , the last inequality gives the bound s = O 2n/3 . More exact computation and the congruence Wa (t) ≡ 0 (mod 2) produce the desired estimate. The same question is important for correlation functions as well. Let a be a binary M -sequence of order n and of period t = 2n −1. In this case all possible M -sequences of the same period admit a unique representation in the form

244


(a(kx + `)) with certain integers k and `, satisfying the conditions 0 ≤ k, ` ≤ t − 1, gcd(k, t) = 1. Set P X ϑn (k, `) = (−1)a(x)+a(kx+`) x=1

and denote by sn (k) the number of different values among the ϑn (k, `), 0 ≤ ` ≤ t, for a fixed k with gcd(d, t) = 1, and by sn the number of different values among ϑn (k, `) for all possible values k and ` with 0 ≤ k, ` ≤ t − 1, gcd(k, t) = 1. There are many investigations that study the distribution of values of the functions ϑn (k, `) and sn (`), and in particular for ` of a special form, [461], [985]. The values of ` with small sn (`) are of special interest. For example, Cusic and Dobbertin [237] show that sn (`) = 3 for ` = 2m + 2(m+1)/2 + 1 and ` = 2(m+1)/2 + 3 if n is even and m = n/2 is odd. Some other results can be found in [175], [259], [380], [461], [476], [543] and [985]. Non-trivial upper bounds for sn (`) and sn , are given in [1069]. The bound of sn has been substantially improved in [351] which makes use of Theorem 2.10. The results of [1069] and [351] can be combined in the following statement. Theorem 11.8. For n → ∞, the bounds (1) sn (`) ≤ (3/4)1/3 + o(1) t2/3 ; (2) sn ≤ (γ + o(1))t14/15 log−1/5 t; hold, where !1/5 70 1 − 2−5/3 ζ(5/3) γ= = 1.447 . . . . 16 In [1074], it is pointed out that bounds for exponential sums over exponential functions can be successfully applied to studying the dimension of the most famous cyclic linear codes, namely, BCH-codes [72], [681]. Roughly speaking, estimating the dimension of BCH-codes of length n with designed distance ∆ over Fq is equivalent to estimating the maximal number J(q, n, ∆) over all ` = 0, . . . , n − 1 of a = 0, . . . , n − 1 for which the congruence aq x ≡ ` + y

(mod n),

1 ≤ x ≤ t, 1 ≤ y ≤ ∆,

where t is the period of q modulo n, see [681, Sect. 7.3]. The result of that paper was improved in [1080, Sect. 7.3]. Finally, in [556] results on the distribution of exponential functions are used to give the following improved estimates: 2 nδ log δ σ(n)δ 2 nδ 2 Log log n J(q, n, ∆) min , , t t t where δ = ∆/n, σ(n) is the sum of the positive divisors of n, and J(q, n, ∆) qn1−C(q)δ/ log δ

−1

with some positive constant C(q) > 0 depending only on q, which is better for some values of parameters. Despite being one of the most theoretically attractive and practically useful codes, BCH-codes are not optimal in the class of cyclic linear codes for several reasons. In [1066], a construction is given for an infinite sequence of cyclic linear codes of length t, dimension n and minimal weight w, satisfying the conditions w/n → 1/2,

log n/ log t → 2/3,

n → ∞.

11.3. CODING THEORY

245

For primitive BCH-codes with the same relation between the length and dimension, instead of 1/2 one would get some number u2/3 < 3/8 which is the root of the equation s(u2/3 ) = 2/3 where s(u) is the Berlekamp function (see [72, Sect. 12.6]). Kuz’min and Nechaev [582] show that projections of linear recurrence sequences over Galois rings produce new codes with many useful features; see also [733], [820] and references. BCH-codes are not the only codes whose behaviour is related to questions about the distribution of residues of exponential functions. Clark and Lewis [212] show that the existence of some special arithmetic codes is related to the following question: Describe the set of pairs (r, p) where r is an integer and p is a prime, gcd(p, r) = 1, such that the number of solutions of the congruence p rp arx ≡ y (mod p), 1 ≤ xt, ≤y≤ , r+1 r+1 where t is the period of r modulo p, does not depend on a = 1, . . . p−1. Gordon [392] indicates links of this problem to many classical questions of number theory. Finally, the classification of self-dual codes over Z4 leads to a question about integer divisors of binary linear recurrence sequences [901]. This link is a primary motivation of the study of such divisors in [746].

Bibliography [1] N. Adachi. An application of Frey’s idea to exponential Diophantine equations. Proc. Japan Acad. Ser. A Math. Sci., 70(8):261–263, 1994. [2] R. Adler, M. Keane, and M. Smorodinsky. A construction of a normal number for the continued fraction transformation. J. Number Theory, 13(1):95–105, 1981. [3] L. Afflerbach and R. Weilb¨ acher. The exact determination of rectangle discrepancy for linear congruential pseudorandom numbers. Math. Comp., 53(187):343–354, 1989. [4] S. D. Ahlgren. Polynomial-exponential equations in two variables. J. Number Theory, 62(2):428–438, 1997. [5] S. D. Ahlgren. The set of solutions of a polynomial-exponential equation. Acta Arith., 87(3):189–207, 1999. [6] S. Akiyama. A new type of inclusion exclusion principle for sequences and asymptotic formulas for ζ(k). J. Number Theory, 45(2):200–214, 1993. [7] S. Akiyama. A criterion to estimate the least common multiple of sequences and asymptotic formulas for ζ(3) arising from recurrence relation of an elliptic function. Japan. J. Math. (N.S.), 22(1):129–146, 1996. ˇ Aleev. Higman’s central unit theory, units of integral group rings of finite cyclic [8] R. Z. groups and Fibonacci numbers. Internat. J. Algebra Comput., 4(3):309–358, 1994. [9] W. R. Alford, A. Granville, and C. Pomerance. There are infinitely many Carmichael numbers. Ann. of Math. (2), 139(3):703–722, 1994. [10] J.-P. Allouche. Automates finis en th´ eorie des nombres. Exposition. Math., 5(3):239–266, 1987. [11] J.-P. Allouche. The number of factors in a paperfolding sequence. Bull. Austral. Math. Soc., 46(1):23–32, 1992. [12] J.-P. Allouche. Sur la complexit´ e des suites infinies. Bull. Belg. Math. Soc. Simon Stevin, 1(2):133–143, 1994. [13] J.-P. Allouche, A. Arnold, J. Berstel, S. Brlek, W. Jockusch, S. Plouffe, and B. E. Sagan. A relative of the Thue-Morse sequence. Discrete Math., 139(1-3):455–461, 1995. [14] J.-P. Allouche and M. Bousquet-M´ elou. On the conjectures of Rauzy and Shallit for infinite words. Comment. Math. Univ. Carolin., 36(4):705–711, 1995. [15] J.-P. Allouche, P. Hajnal, and J. O. Shallit. Analysis of an infinite product algorithm. SIAM J. Discrete Math., 2(1):1–15, 1989. [16] J.-P. Allouche and P. Liardet. Generalized Rudin-Shapiro sequences. Acta Arith., 60(1):1– 27, 1991. [17] J.-P. Allouche, M. Mend` es France, and A. J. van der Poorten. An infinite product with bounded partial quotients. Acta Arith., 59(2):171–182, 1991. [18] J.-P. Allouche, P. Morton, and J. Shallit. Pattern spectra, substring enumeration, and automatic sequences. Theoret. Comput. Sci., 94(2):161–174, 1992. [19] J.-P. Allouche and J. Shallit. The ring of k-regular sequences. Theoret. Comput. Sci., 98(2):163–197, 1992. [20] J.-P. Allouche and J. Shallit. Sums of digits, overlaps, and palindromes. Discrete Math. Theor. Comput. Sci., 4(1):1–10 (electronic), 2000. [21] J.-P. Allouche and J. O. Shallit. Infinite products associated with counting blocks in binary strings. J. London Math. Soc. (2), 39(2):193–204, 1989. [22] J.-P. Allouche and J. O. Shallit. Complexit´ e des suites de Rudin-Shapiro g´ en´ eralis´ ees. J. Th´ eor. Nombres Bordeaux, 5(2):283–302, 1993.

247

248

BIBLIOGRAPHY

[23] J.-P. Allouche, F. von Haeseler, H.-O. Peitgen, A. Petersen, and G. Skordev. Automaticity of double sequences generated by one-dimensional linear cellular automata. Theoret. Comput. Sci., 188(1-2):195–209, 1997. [24] J.-P. Allouche, F. von Haeseler, H.-O. Peitgen, and G. Skordev. Linear cellular automata, finite automata and Pascal’s triangle. Discrete Appl. Math., 66(1):1–22, 1996. [25] N. Alon, O. Goldreich, J. H˚ astad, and R. Peralta. Simple constructions of almost k-wise independent random variables. Random Structures Algorithms, 3:289–304, 1992. Addendum 4:119–120, 1993. [26] J. Althaler and A. D¨ ur. Finite linear recurring sequences and homogeneous ideals. Appl. Algebra Engrg. Comm. Comput., 7(5):377–390, 1996. [27] A. S. Ambrosimov. On the distribution of the frequencies of multigrams in linear recurrent sequences over a residue ring. Uspekhi Mat. Nauk, 48(5(293)):157–158, 1993. [28] Y. Amice. Les nombres p-adiques. Presses Universitaires de France, Paris, 1975. [29] V. S. Anashin. Uniformly distributed sequences over p-adic integers. In Number-theoretic and algebraic methods in computer science (Moscow, 1993), pages 1–18. World Sci. Publishing, River Edge, NJ, 1995. [30] M. Anderson and D. W. Masser. Lower bounds for heights on elliptic curves. Math. Z., 174(1):23–34, 1980. [31] S ¸ . Andrei, M. Kudlek, and R. S ¸ . Niculescu. Some results on the Collatz problem. Acta Inform., 37(2):145–160, 2000. [32] S. Andrei and C. Masalagiu. About the Collatz conjecture. Acta Inform., 35(2):167–179, 1998. [33] D. Applegate and J. C. Lagarias. Density bounds for the 3x + 1 problem. I. Tree-search method. Math. Comp., 64(209):411–426, 1995. [34] D. Applegate and J. C. Lagarias. Density bounds for the 3x + 1 problem. II. Krasikov inequalities. Math. Comp., 64(209):427–438, 1995. [35] D. Applegate and J. C. Lagarias. The distribution of 3x + 1 trees. Experiment. Math., 4(3):193–209, 1995. [36] D. Applegate and J. C. Lagarias. Lower bounds for the total stopping time of 3x+1 iterates. Math. Comp., to appear. arXiv:math.NT/0103054. [37] F. Arnault. The Rabin-Monier theorem for Lucas pseudoprimes. Math. Comp., 66(218):869–881, 1997. [38] D. K. Arrowsmith and F. Vivaldi. Geometry of p-adic Siegel discs. Phys. D, 71(1-2):222– 236, 1994. [39] M. Artin and B. Mazur. On periodic points. Ann. of Math. (2), 81:82–99, 1965. [40] M. Ayad. P´ eriodicit´ e (mod q) des suites elliptiques et points S-entiers sur les courbes elliptiques. Ann. Inst. Fourier (Grenoble), 43(3):585–618, 1993. [41] M. Ayad and D. L. McQuillan. Irreducibility of the iterates of a quadratic polynomial over a field. Acta Arith., 93(1):87–97, 2000. Erratum: Acta Arith., 99 (2001), 97. [42] L. Babai, R. Beals, J.-Y. Cai, G. Ivanyos, and E. M. Luks. Multiplicative equations over commuting matrices. In Proceedings of the Seventh Annual ACM-SIAM Symposium on Discrete Algorithms (Atlanta, GA, 1996), pages 498–507, New York, 1996. ACM. [43] E. Bach. Realistic analysis of some randomized algorithms. J. Comput. System Sci., 42(1):30–53, 1991. [44] E. Bach. Toward a theory of Pollard’s rho method. Inform. and Comput., 90(2):139–155, 1991. [45] E. Bach. Efficient prediction of Marsaglia-Zaman random number generators. IEEE Trans. Inform. Theory, 44(3):1253–1257, 1998. [46] E. Bach and L. Huelsbergen. Statistical evidence for small generating sets. Math. Comp., 61(203):69–82, 1993. [47] E. Bach, R. Lukes, J. Shallit, and H. C. Williams. Results and estimates on pseudopowers. Math. Comp., 65(216):1737–1747, 1996. [48] E. Bach and J. Shallit. Factoring with cyclotomic polynomials. Math. Comp., 52(185):201– 219, 1989. [49] A. Baker. The theory of linear forms in logarithms. In Transcendence theory: advances and applications (Proc. Conf., Univ. Cambridge, Cambridge, 1976), pages 1–27. Academic Press, London, 1977.

BIBLIOGRAPHY

249

[50] A. Baker. Logarithmic forms and the abc-conjecture. In Number theory (Eger, 1996), pages 37–44. de Gruyter, Berlin, 1998. [51] R. Balasubramanian and M. Ram Murty. Elliptic pseudoprimes. II. In S´ eminaire de Th´ eorie des Nombres, Paris 1988–1989, pages 13–25. Birkh¨ auser Boston, Boston, MA, 1990. [52] R. Balasubramanian and S. V. Nagaraj. Density of Carmichael numbers with three prime factors. Math. Comp., 66(220):1705–1708, 1997. [53] R. Balasubramanian and S. V. Nagaraj. The least witness of a composite number. Theoret. Comput. Sci., 1396, 1998. [54] C. Ballot. Density of prime divisors of linear recurrences. Mem. Amer. Math. Soc., 115(551):viii+102, 1995. [55] W. Banks, F. Griffin, D. Lieman, and I. E. Shparlinski. Non-linear complexity of the NaorReingold pseudo-random function. Lect. Notes in Comp. Sci., 1787:53–59, 2000. [56] G. Barat and P. J. Grabner. Distribution of binomial coefficients and digital functions. J. London Math. Soc. (2), 64(3):523–547, 2001. [57] E. Barone. A heuristic probabilistic argument for the Collatz sequence. Ital. J. Pure Appl. Math., (4):151–153 (1999), 1998. [58] D. Barsky, J.-P. B´ ezivin, and A. Schinzel. Une caract´ erisation arithm´ etique de suites r´ ecurrentes lin´ eaires. J. Reine Angew. Math., 494:73–84, 1998. [59] A. Batra and P. Morton. Algebraic dynamics of polynomial maps on the algebraic closure of a finite field. I. Rocky Mountain J. Math., 24(2):453–481, 1994. [60] A. Batra and P. Morton. Algebraic dynamics of polynomial maps on the algebraic closure of a finite field. II. Rocky Mountain J. Math., 24(3):905–932, 1994. [61] E. Bavencoffe and J.-P. B´ ezivin. Une famille remarquable de suites r´ ecurrentes lin´ eaires. Monatsh. Math., 120(3-4):189–203, 1995. [62] A. F. Beardon. Iteration of rational functions. Springer-Verlag, New York, 1991. [63] P.-G. Becker. k-regular power series and Mahler-type functional equations. J. Number Theory, 49(3):269–286, 1994. [64] P.-G. Becker and T. T¨ opfer. Transcendency results for sums of reciprocals of linear recurrences. Math. Nachr., 168:5–17, 1994. [65] W. Beckner and A. Regev. Asymptotics and algebraicity of some generating functions. Adv. in Math., 65(1):1–15, 1987. [66] E. G. Belaga and M. Mignotte. Embedding the 3x + 1 conjecture in a 3x + d context. Experiment. Math., 7(2):145–151, 1998. [67] B. Benzaghou and J.-P. B´ ezivin. Propri´ et´ es alg´ ebriques de suites diff´ erentiellement finies. Bull. Soc. Math. France, 120(3):327–346, 1992. [68] D. Berend and M. D. Boshernitzan. On a result of Mahler on the decimal expansions of (nα). Acta Arith., 66(4):315–322, 1994. [69] D. Berend and M. D. Boshernitzan. Numbers with complicated decimal expansions. Acta Math. Hungar., 66(1-2):113–126, 1995. [70] C. A. Berenstein and A. Yger. Exponential polynomials and D-modules. Compositio Math., 95(2):131–181, 1995. [71] F. Bergeron and C. Reutenauer. Combinatorial resolution of systems of differential equations. III. A special class of differentially algebraic series. European J. Combin., 11(6):501– 512, 1990. [72] E. R. Berlekamp. Algebraic coding theory. McGraw-Hill Book Co., New York, 1968. [73] D. J. Bernstein and J. C. Lagarias. The 3x+1 conjugacy map. Canad. J. Math., 48(6):1154– 1169, 1996. [74] J. Berstel and M. Mignotte. Deux propri´ et´ es d´ ecidables des suites r´ ecurrentes lin´ eaires. Bull. Soc. Math. France, 104(2):175–184, 1976. [75] V. Berth´ e. Automates et valeurs de transcendance du logarithme de Carlitz. Acta Arith., 66(4):369–390, 1994. [76] V. Berth´ e. Combinaisons lin´ eaires de ζ(s)/Πs sur Fq (x), pour 1 ≤ s ≤ q − 2. J. Number Theory, 53(2):272–299, 1995. [77] A. Bertrand-Mathis. Nombres normaux dans diverses bases. Ann. Inst. Fourier (Grenoble), 45(5):1205–1222, 1995. [78] A. Bertrand-Mathis. Nombres normaux. J. Th´ eor. Nombres Bordeaux, 8(2):397–412, 1996. [79] A. Bertrand-Mathis. Ensembles normaux relatifs ` a des matrices non-commutantes. J. Number Theory, 63(1):180–190, 1997.

250

BIBLIOGRAPHY

[80] F. Beukers. The multiplicity of binary recurrences. Compositio Math., 40(2):251–267, 1980. [81] F. Beukers. The zero-multiplicity of ternary recurrences. Compositio Math., 77(2):165–177, 1991. [82] F. Beukers. Recurrent sequences and p-adic spectra. Math. Z., to appear. [83] F. Beukers and H. P. Schlickewei. The equation x + y = 1 in finitely generated groups. Acta Arith., 78(2):189–199, 1996. [84] F. Beukers and R. Tijdeman. On the multiplicities of binary complex recurrences. Compositio Math., 51(2):193–213, 1984. [85] J.-P. B´ ezivin. Factorisation de suites r´ ecurrentes lin´ eaires et applications. Bull. Soc. Math. France, 112(3):365–376, 1984. [86] J.-P. B´ ezivin. Diviseurs premiers de suites r´ ecurrentes lin´ eaires. European J. Combin., 7(3):199–204, 1986. [87] J.-P. B´ ezivin. Sur les diviseurs premiers des suites r´ ecurrentes lin´ eaires. Ann. Fac. Sci. Toulouse Math. (5), 8(1):61–73, 1986/87. [88] J.-P. B´ ezivin. Diviseurs premiers de suites r´ ecurrentes non lin´ eaires. Collect. Math., 38(1):37–55, 1987. [89] J.-P. B´ ezivin. Suites r´ ecurrentes lin´ eaires en caract´ eristique non nulle. Bull. Soc. Math. France, 115(2):227–239, 1987. [90] J.-P. B´ ezivin. Plus petit commun multiple des termes cons´ ecutifs d’une suite r´ ecurrente lin´ eaire. Collect. Math., 40(1):1–11 (1990), 1989. [91] J.-P. B´ ezivin. Une g´ en´ eralisation du th´ eor` eme de Skolem-Mahler-Lech. Quart. J. Math. Oxford Ser. (2), 40(158):133–138, 1989. [92] J.-P. B´ ezivin. Les suites q-r´ ecurrentes lin´ eaires. Compositio Math., 80(3):285–307, 1991. [93] J.-P. B´ ezivin. Fractions continues et suites r´ ecurrentes. C. R. Acad. Sci. Paris S´ er. I Math., 318(11):991–994, 1994. [94] J.-P. Bezivin. Fonctions multiplicatives et ´ equations diff´ erentielles. Bull. Soc. Math. France, 123(3):329–349, 1995. [95] J.-P. Bezivin. Sur les suites r´ ecurrentes ` a coefficients polynˆ omes. J. Number Theory, 66(2):282–290, 1997. [96] J.-P. B´ ezivin. Sur les suites presque-p´ eriodiques. Arch. Math. (Basel), 70(6):447–454, 1998. [97] J.-P. B´ ezivin and V. Laohakosol. On the theorem of Skolem-Mahler-Lech. Exposition. Math., 9(1):89–96, 1991. [98] J.-P. B´ ezivin, A. Peth˝ o, and A. J. van der Poorten. A full characterisation of divisibility sequences. Amer. J. Math., 112(6):985–1001, 1990. [99] J.-P. B´ ezivin and P. Robba. Rational solutions of linear differential equations. J. Austral. Math. Soc. Ser. A, 46(2):184–196, 1989. [100] M. Bicknell-Johnson. A short history of The Fibonacci Quarterly. Fibonacci Quart., 25(1):2–5, 1987. [101] H. Bilharz. Primdivisoren mit vorgegebener primitivwurzel. Math. Ann., 114:476–492, 1937. [102] Y. F. Bilu. Catalan’s conjecture (after Mih˘ ailescu). Preprint, 2002. [103] Yu. Bilu, G. Hanrot, and P. M. Voutier. Existence of primitive divisors of Lucas and Lehmer numbers. J. Reine Angew. Math., 539:75–122, 2001. With an appendix by M. Mignotte. [104] S. R. Blackburn. Fast rational interpolation, Reed-Solomon decoding, and the linear complexity profiles of sequences. IEEE Trans. Inform. Theory, 43(2):537–548, 1997. [105] S. R. Blackburn. Linear cellular automata as stream cipher components. Preprint, 1997. [106] S. R. Blackburn. Orthogonal sequences of polynomials over arbitrary fields. J. Number Theory, 68(1):99–111, 1998. [107] S. R. Blackburn. The linear complexity of the self-shrinking generator. IEEE Trans. Inform. Theory, 45(6):2073–2077, 1999. [108] S. R. Blackburn, T. Etzion, and K. G. Paterson. Permutation polynomials, de Bruijn sequences, and linear complexity. J. Combin. Theory Ser. A, 76(1):55–82, 1996. [109] R. E. Blahut. Theory and practice of error control codes. Addison-Wesley Publishing Company Advanced Book Program, Reading, MA, 1983. [110] R. Blecksmith, M. Filaseta, and C. Nicol. A result on the digits of an . Acta Arith., 64(4):331–339, 1993. [111] D. Bleichenbacher. Efficiency and security of cryptosystems based on number theory. PhD thesis, Zurich, 1996.

BIBLIOGRAPHY

251

[112] D. Bleichenbacher, W. Bosma, and A. K. Lenstra. Some remarks on Lucas-based cryptosystems. In Advances in cryptology—CRYPTO ’95 (Santa Barbara, CA, 1995), pages 386–396. Springer, Berlin, 1995. [113] L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudorandom number generator. SIAM J. Comput., 15(2):364–383, 1986. [114] E. Bombieri, J. Mueller, and M. Poe. The unit equation and the cluster principle. Acta Arith., 79(4):361–389, 1997. [115] E. Bombieri and A. J. van der Poorten. Continued fractions of algebraic numbers. In Computational algebra and number theory (Sydney, 1992), pages 137–152. Kluwer Acad. Publ., Dordrecht, 1995. [116] E. Borel. Les probabilit´ es denombrables et leurs applications arithmetiques. Rend. Circ. Math. Palermo, 27:247–271, 1909. [117] A. I. Borevich and I. R. Shafarevich. Number theory. Academic Press, New York, 1966. [118] J. Bourgain. On triples in arithmetic progression. Geom. Funct. Anal., 9(5):968–984, 1999. [119] R. Bowen and O. E. Lanford, III. Zeta functions of restrictions of the shift transformation. In Global Analysis (Proc. Sympos. Pure Math., Vol. XIV, Berkeley, Calif., 1968), pages 43–49. Amer. Math. Soc., Providence, R.I., 1970. [120] J. Boyar. Inferring sequences produced by a linear congruential generator missing low-order bits. J. Cryptology, 1(3):177–184, 1989. [121] J. Boyar. Inferring sequences produced by pseudo-random number generators. J. Assoc. Comput. Mach., 36(1):129–141, 1989. [122] D. W. Boyd. Speculations concerning the range of Mahler’s measure. Canad. Math. Bull., 24(4):453–469, 1981. [123] D. W. Boyd. Irreducible polynomials with many roots of maximal modulus. Acta Arith., 68(1):85–88, 1994. [124] D. W. Boyd, J. Cook, and P. Morton. On sequences of ±1’s defined by binary patterns. Dissertationes Math. (Rozprawy Mat.), 283:64, 1989. [125] David W. Boyd. Salem numbers of degree four have periodic expansions. In Th´ eorie des nombres (Quebec, PQ, 1987), pages 57–64. de Gruyter, Berlin, 1989. [126] David W. Boyd. On beta expansions for Pisot numbers. Math. Comp., 65(214):841–860, 1996. [127] David W. Boyd. On the beta expansion for Salem numbers of degree 6. Math. Comp., 65(214):861–875, S29–S31, 1996. [128] David W. Boyd. The beta expansion for Salem numbers. In Organic mathematics (Burnaby, BC, 1995), pages 117–131. Amer. Math. Soc., Providence, RI, 1997. [129] M. Boyle and D. Handelman. The spectra of nonnegative matrices via symbolic dynamics. Ann. of Math. (2), 133(2):249–316, 1991. [130] M. Boyle and D. Handelman. Algebraic shift equivalence and primitive matrices. Trans. Amer. Math. Soc., 336(1):121–149, 1993. [131] G. Braga, G. Cattaneo, P. Flocchini, and C. Quaranta Vogliotti. Pattern growth in elementary cellular automata. Theoret. Comput. Sci., 145(1-2):1–26, 1995. [132] B. Branner. The Mandelbrot set. In Chaos and fractals (Providence, RI, 1988), pages 75–105. Amer. Math. Soc., Providence, RI, 1989. [133] J. J. Brennan and B. Geist. Analysis of iterated modular exponentiation: the orbits of xα mod N . Des. Codes Cryptogr., 13(3):229–245, 1998. [134] B. Brent. 3x + 1 dynamics on rationals with fixed denominator. Preprint, 2002. arXiv:math.DS/0204170. [135] R. P. Brent. On the periods of generalized Fibonacci recurrences. Math. Comp., 63(207):389–401, 1994. [136] L. Brenton and R. R. Bruner. On recursive solutions of a unit fraction equation. J. Austral. Math. Soc. Ser. A, 57(3):341–356, 1994. [137] J. Brillhart, P. Erd˝ os, and P. Morton. On sums of Rudin-Shapiro coefficients. II. Pacific J. Math., 107(1):39–69, 1983. [138] B. Brindza. Zeros of polynomials and exponential Diophantine equations. Compositio Math., 61(2):137–157, 1987. [139] B. Brindza. On the generators of S-unit groups in algebraic number fields. Bull. Austral. Math. Soc., 43(2):325–329, 1991.

252

BIBLIOGRAPHY

[140] B. Brindza, K. Gy˝ ory, and R. Tijdeman. On the Catalan equation over algebraic number fields. J. Reine Angew. Math., 367:90–102, 1986. [141] B. Brindza, K. Liptai, and L. Szalay. On products of the terms of linear recurrences. In Number theory (Eger, 1996), pages 101–106. de Gruyter, Berlin, 1998. ´ Pint´ [142] B. Brindza, A. er, and W. M. Schmidt. Multiplicities of binary recurrences. Canad. Math. Bull., 44(1):19–21, 2001. [143] S. Brlek. Enumeration of factors in the Thue-Morse word. Discrete Appl. Math., 24(13):83–96, 1989. [144] S. Brocco. A note on Mignosi’s generalization of the (3X + 1)-problem. J. Number Theory, 52(2):173–178, 1995. [145] J. Browkin. The abc-conjecture. In Number theory, pages 75–105. Birkh¨ auser, Basel, 2000. [146] J. Browkin, M. Filaseta, G. Greaves, and A. Schinzel. Squarefree values of polynomials and the abc-conjecture. In Sieve methods, exponential sums, and their applications in number theory (Cardiff, 1995), pages 65–85. Cambridge Univ. Press, Cambridge, 1997. [147] G. Brown and W. Moran. Schmidt’s conjecture on normality for commuting matrices. Invent. Math., 111(3):449–463, 1993. [148] T. C. Brown, D.-Y. Pei, and P. J.-S. Shiue. Irrational sums. Rocky Mountain J. Math., 25(4):1219–1223, 1995. [149] W. D. Brownawell and D. W. Masser. Vanishing sums in function fields. Math. Proc. Cambridge Philos. Soc., 100(3):427–434, 1986. [150] T. Brox. Collatz cycles with few descents. Acta Arith., 92(2):181–188, 2000. [151] L. Le Bruyn and M. Van den Bergh. Algebraic properties of linear cellular automata. Linear Algebra Appl., 157:217–234, 1991. [152] Y. Bugeaud. Linear forms in p-adic logarithms and the Diophantine equation (xn − 1)/(x − 1) = y q . Math. Proc. Cambridge Philos. Soc., 127(3):373–381, 1999. [153] Y. Bugeaud. Fundamental systems of S-units with small height and their applications to Diophantine equations. Publ. Math. Debrecen, 56(3-4):279–292, 2000. Dedicated to Professor K´ alm´ an Gy˝ ory on the occasion of his 60th birthday. [154] Y. Bugeaud. On some exponential Diophantine equations. Monatsh. Math., 132(2):93–97, 2001. [155] Y. Bugeaud. On the Diophantine equation a(xn − 1)/(x − 1) = y q . In Number theory (Turku, 1999), pages 19–24. de Gruyter, Berlin, 2001. [156] Y. Bugeaud, P. Corvaja, and U. Zannier. An upper bound for the g.c.d. of an − 1 and bn − 1. Math. Z., to appear. [157] Y. Bugeaud, G. Hanrot, and M. Mignotte. Sur l’´ equation diophantienne (xn − 1)/(x − 1) = y q . III. Proc. London Math. Soc. (3), 84(1):59–78, 2002. [158] Y. Bugeaud and M. Mignotte. On integers with identical digits. Mathematika, 46(2):411– 417, 1999. [159] Y. Bugeaud, M. Mignotte, and Y. Roy. On the Diophantine equation (xn − 1)/(x − 1) = y q . Pacific J. Math., 193(2):257–268, 2000. [160] D. A. Burgess. On character sums and primitive roots. Proc. London Math. Soc. (3), 12:179–192, 1962. [161] D. A. Burgess and P. D. T. A. Elliott. The average of the least primitive root. Mathematika, 15:39–50, 1968. [162] R. J. Burthe, Jr. The average least witness is 2. Acta Arith., 80(4):327–341, 1997. [163] R. J. Burthe, Jr. Upper bounds for least witnesses and generating sets. Acta Arith., 80(4):311–326, 1997. [164] R. N. Buttsworth and K. R. Matthews. On some Markov matrices arising from the generalized Collatz mapping. Acta Arith., 55(1):43–57, 1990. [165] J. Cai and Z. Liu. The bounded membership problem of the monoid SL2 (N). Math. Systems Theory, 29(6):573–587, 1996. [166] J.-Y. Cai, W. H. Fuchs, D. Kozen, and Z. Liu. Efficient average-case algorithms for the modular group. In 35th Annual Symposium on Foundations of Computer Science (Santa Fe, NM, 1994), pages 143–152. IEEE Comput. Soc. Press, Los Alamitos, CA, 1994. [167] J.-Y. Cai, R. J. Lipton, and Y. Zalcstein. The complexity of the ABC problem. SIAM J. Comput., 29(6):1878–1888 (electronic), 2000. [168] E. C ¸ ak¸cak. A remark on the minimal polynomial of the product of linear recurring sequences. Finite Fields Appl., 4(1):87–97, 1998.

BIBLIOGRAPHY

253

[169] C. Calude and H. J¨ urgensen. Randomness as an invariant for number representations. In Results and trends in theoretical computer science (Graz, 1994), pages 44–66. Springer, Berlin, 1994. [170] C. Calude, S. Marcus, and I. T ¸ evy. The first example of a recursive function which is not primitive recursive. Historia Math., 6(4):380–384, 1979. [171] R. Canetti, J. B. Friedlander, S. V. Konyagin, M. Larsen, D. Lieman, and I. E. Shparlinski. On the statistical properties of Diffie-Hellman distributions. Israel J. Math., 120(part A):23–46, 2000. [172] R. Canetti, J. B. Friedlander, and I. E. Shparlinski. On certain exponential sums and the distribution of Diffie-Hellman triples. J. London Math. Soc. (2), 59(3):799–812, 1999. [173] E. R. Canfield and N. C. Wormald. M´ enage numbers, bijections and P -recursiveness. Discrete Math., 63(2-3):117–129, 1987. [174] L. Cangelmi and F. Pappalardi. On the r-rank Artin conjecture. II. J. Number Theory, 75(1):120–132, 1999. [175] A. Canteaut, P. Charpin, and H. Dobbertin. Binary m-sequences with three-valued crosscorrelation: a proof of Welch’s conjecture. IEEE Trans. Inform. Theory, 46(1):4–8, 2000. [176] D. G. Cantor. On arithmetic properties of coefficients of rational functions. Pacific J. Math., 15:55–58, 1965. [177] D. G. Cantor. On arithmetic properties of the Taylor series of rational functions. Canad. J. Math., 21:378–382, 1969. [178] D. G. Cantor. On arithmetic properties of the Taylor series of rational functions. II. Pacific J. Math., 41:329–334, 1972. [179] D. G. Cantor. On the continued fractions of quadratic surds. Acta Arith., 68(4):295–305, 1994. [180] W. Carlip and E. Jacobson. A criterion for stability of two-term recurrence sequences modulo 2k . Finite Fields Appl., 2(4):369–406, 1996. [181] W. Carlip and E. Jacobson. Unbounded stability of two-term recurrence sequences modulo 2k . Acta Arith., 74(4):329–346, 1996. [182] W. Carlip and E. Jacobson. Stability of two-term recurrence sequences with even parameter. Finite Fields Appl., 3(1):70–83, 1997. [183] W. Carlip, E. Jacobson, and Somer L. A criterion for stability of two-term recurrence sequences modulo odd primes. In Applications of Fibonacci numbers, Vol. 7, pages 49–60. Kluwer Acad. Publ., Dordrecht. [184] W. Carlip and L. Somer. Bounds for frequencies of residues of regular second-order recurrences modulo pr . In Number theory in progress, Vol. 2 (Zakopane-Ko´scielisko, 1997), pages 691–719. de Gruyter, Berlin, 1999. [185] G. Carter. Enumeration results on linear complexity profiles. In Cryptography and coding, II (Cirencester, 1989), pages 23–34. Oxford Univ. Press, New York, 1992. [186] J. W. S. Cassels. An embedding theorem for fields. Bull. Austral. Math. Soc., 14(2):193– 198, 1976. Addendum 14:479–480, 1976. [187] L. Cerlienco, M. Mignotte, and F. Piras. Suites r´ ecurrentes lin´ eaires: propri´ et´ es alg´ ebriques et arithm´ etiques. Enseign. Math. (2), 33(1-2):67–108, 1987. [188] U. Cerruti and F. Vaccarino. R-algebras of linear recurrent sequences. J. Algebra, 175(1):332–338, 1995. [189] J. S. Chahal. Topics in number theory. Plenum Press, New York, 1988. [190] M. Chamberland. A continuous extension of the 3x + 1 problem to the real line. Dynam. Contin. Discrete Impuls. Systems, 2(4):495–509, 1996. [191] A. H. Chan and R. A. Games. On the linear span of binary sequences obtained from finite geometries. In Advances in cryptology—CRYPTO ’86 (Santa Barbara, Calif., 1986), pages 405–417. Springer, Berlin, 1987. [192] A. H. Chan, M. Goresky, and A. Klapper. On the linear complexity of feedback registers. IEEE Trans. Inform. Theory, 36(3):640–644, 1990. [193] Agnes H. Chan and R. A. Games. On the quadratic spans of de Bruijn sequences. IEEE Trans. Inform. Theory, 36(4):822–829, 1990. [194] A. Chang, P. Gaal, S. W. Golomb, G. Gong, T. Helleseth, and P. V. Kumar. On a conjectured ideal autocorrelation sequence and a related triple-error correcting cyclic code. IEEE Trans. Inform. Theory, 46(2):680–687, 2000.

254

BIBLIOGRAPHY

[195] D. X. Charles. A note on the subgroup membership problem for PSL(2, p). Electronic Colloq. on Comp. Compl., Report 2001-0029, pages 1–6, 2001. [196] G. Chass´ e. Combinatorial cycles of a polynomial map over a commutative field. Discrete Math., 61(1):21–26, 1986. [197] Y.-G. Chen. On integers of the form k2n + 1. Proc. Amer. Math. Soc., 129(2):355–361 (electronic), 2001. [198] Y.-G. Chen. On integers of the forms k −2n and k2n +1. J. Number Theory, 89(1):121–125, 2001. [199] B. P. Chisala. Cycles in Collatz sequences. Publ. Math. Debrecen, 45(1-2):35–39, 1994. [200] V. Chothi, G. R. Everest, and T. Ward. S-integer dynamical systems: periodic points. J. Reine Angew. Math., 489:99–132, 1997. [201] W. S. Chou. On inversive maximal period polynomials over finite fields. Appl. Algebra Engrg. Comm. Comput., 6(4-5):245–250, 1995. [202] W.-S. Chou. The period lengths of inversive congruential recursions. Acta Arith., 73(4):325– 341, 1995. [203] W. S. Chou. The period lengths of inversive pseudorandom vector generations. Finite Fields Appl., 1(1):126–132, 1995. [204] W.-S. Chou and S. D. Cohen. The dynamics of linearized and sublinearized polynomials in finite fields. Preprint. [205] W. S. Chou and G. L. Mullen. Generating linear spans over finite fields. Acta Arith., 61(2):183–191, 1992. [206] W.-S. Chou and H. Niederreiter. On the lattice test for inversive congruential pseudorandom numbers. In Monte Carlo and quasi-Monte Carlo methods in scientific computing (Las Vegas, NV, 1994), pages 186–197. Springer, New York, 1995. [207] D. V. Chudnovsky and G. V. Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. in Appl. Math., 7(4):385–434, 1986. [208] D. V. Chudnovsky and G. V. Chudnovsky. Computer assisted number theory with applications. In Number theory (New York, 1984–1985), pages 1–68. Springer, Berlin, 1987. [209] H. Chung and J.-S. No. Linear span of extended sequences and cascaded GMW sequences. IEEE Trans. Inform. Theory, 45(6):2060–2065, 1999. [210] J. Cigler and G. Helmberg. Neuere Entwicklungen der Theorie der Gleichverteilung. Jber. Deutsch. Math. Verein., 64(Abt. 1):1–50 (1961), 1961. [211] D. A. Clark and M. Kuwata. Generalized Artin’s conjecture for primitive roots and cyclicity mod p of elliptic curves over function fields. Canad. Math. Bull., 38(2):167–173, 1995. [212] W. E. Clark and L. W. Lewis. Prime cyclic arithmetic codes and the distribution of power residues. J. Number Theory, 32(2):220–225, 1989. [213] F. Clarke. The discrete Fourier transform of a recurrent sequence. Appl. Algebra Engrg. Comm. Comput., 8(6):485–489, 1997. [214] Andrea Clementi and Russell Impagliazzo. The reachability problem for finite cellular automata. Inform. Process. Lett., 53(1):27–31, 1995. [215] C. I. Cobeli, S. M. Gonek, and A. Zaharescu. On the distribution of small powers of a primitive root. J. Number Theory, 88(1):49–58, 2001. [216] C. I. Cobeli and A. Zaharescu. On the distribution of primitive roots mod p. Acta Arith., 83(2):143–153, 1998. [217] A. Cobham. Uniform tag sequences. Math. Systems Theory, 6:164–192, 1972. [218] G. L. Cohen and H. J. J. te Riele. Iterating the sum-of-divisors function. Experiment. Math., 5(2):91–100, 1996. Erratum: Experiment. Math., 6 (1997), 177. [219] S. D. Cohen and D. Hachenberger. Actions of linearized polynomials on the algebraic closure of a finite field. In Finite fields: theory, applications, and algorithms (Waterloo, ON, 1997), pages 17–32. Amer. Math. Soc., Providence, RI, 1999. [220] S. D. Cohen and D. Hachenberger. The dynamics of linearized polynomials. Proc. Edinburgh Math. Soc. (2), 43(1):113–128, 2000. [221] S. D. Cohen, H. Niederreiter, I. E. Shparlinski, and M. Zieve. Incomplete character sums and a special class of permutations. J. Th´ eor. Nombres Bordeaux, 13(1):53–63, 2001. [222] P. Collas and D. Klein. An ergodic adding machine on the Cantor set. Enseign. Math. (2), 40(3-4):249–266, 1994.

BIBLIOGRAPHY

255

[223] A. Compagner and A. Hoogland. Maximum-length sequences, cellular automata, and random numbers. J. Comput. Phys., 71(2):391–428, 1987. [224] J. H. Conway and N. J. A. Sloane. Sphere packings, lattices and groups. Springer-Verlag, New York, third edition, 1999. [225] D. Coppersmith and J. Davenport. Polynomials whose powers are sparse. Acta Arith., 58(1):79–87, 1991. [226] D. Coppersmith, H. Krawczyk, and Y. Mansour. The shrinking generator. In Advances in cryptology—CRYPTO ’93 (Santa Barbara, CA, 1993), pages 22–39. Springer, Berlin, 1994. [227] R. Cordovil, R. Dil˜ ao, and A. Noronha da Costa. Periodic orbits for additive cellular automata. Discrete Comput. Geom., 1(3):277–288, 1986. [228] I. P. Cornfeld, S. V. Fomin, and Ya. G. Sina˘ı. Ergodic theory. Springer-Verlag, New York, 1982. [229] C. Corrales-Rodrig´ an ˜ ez and R. Schoof. The support problem and its elliptic analogue. J. Number Theory, 64(2):276–290, 1997. [230] P. Corvaja and U. Zannier. Diophantine equations with power sums and universal Hilbert sets. Indag. Math. (N.S.), 9(3):317–332, 1998. [231] P. Corvaja and U. Zannier. Finiteness of integral values for the ratio of two linear recurrences. Invent. Math., to appear. [232] P. Corvaja and U. Zannier. On the greatest prime factor of (ab + 1)(ac + 1). Proc. Amer. Math. Soc., to appear. arXiv:math.NT/0205136. [233] R. Couture and P. L’Ecuyer. On the lattice structure of certain linear congruential sequences related to AWC/SWB generators. Math. Comp., 62(206):799–808, 1994. [234] R. Crandall and C. Pomerance. Prime numbers: A computational perspective. SpringerVerlag, New York, 2001. [235] T. W. Cusick. Properties of the x2 mod N pseudorandom number generator. IEEE Trans. Inform. Theory, 41(4):1155–1159, 1995. [236] T. W. Cusick, C. Ding, and Ari Renvall. Stream ciphers and number theory. North-Holland Publishing Co., Amsterdam, 1998. [237] T. W. Cusick and H. Dobbertin. Some new three-valued crosscorrelation functions for binary m-sequences. IEEE Trans. Inform. Theory, 42(4):1238–1240, 1996. [238] T. W. Cusick and G. Gong. A conjecture on binary sequences with the “trinomial property”. IEEE Trans. Inform. Theory, 47(1):426–427, 2001. [239] Z. D. Dai. Binary sequences derived from ML-sequences over rings. I. Periods and minimal polynomials. J. Cryptology, 5(3):193–207, 1992. [240] Z. D. Dai, T. Beth, and D. Gollmann. Lower bounds for the linear complexity of sequences over residue rings. In Advances in cryptology—EUROCRYPT ’90 (Aarhus, 1990), pages 189–195. Springer, Berlin, 1991. [241] Z. D. Dai, X. N. Feng, M. L. Liu, and Z. X. Wan. Nonlinear feedforward sequences of m-sequences. III. Systems Sci. Math. Sci., 7(4):367–370, 1994. [242] H. Davenport. Linear forms associated with an algebriac number-field. Quart. J. Math., Oxford Ser. (2), 3:32–41, 1952. [243] H. Davenport. Bases for finite fields. J. London Math. Soc., 43:21–39, 1968. Addendum 44:378, 1969. [244] F. M. Dekking. Iteration of maps by an automaton. Discrete Math., 126(1-3):81–86, 1994. [245] F. M. Dekking, M. Mend` es France, and A. J. van der Poorten. Folds! 1–3. Math. Intell., 4:130–138, 173–181, 190–195, 1982. [246] J. Denef. The rationality of the Poincar´ e series associated to the p-adic points on a variety. Invent. Math., 77(1):1–23, 1984. [247] J. Denef and L. Lipshitz. Algebraic power series and diagonals. J. Number Theory, 26(1):46– 67, 1987. [248] L. Denis. G´ eom´ etrie et suites r´ ecurrentes. Bull. Soc. Math. France, 122(1):13–27, 1994. [249] L. Denis. Points p´ eriodiques des automorphismes affines. J. Reine Angew. Math., 467:157– 167, 1995. [250] A. Diab. Sur les z´ eros communs des polynˆ omes exponentiels. C. R. Acad. Sci. Paris S´ er. A-B, 281(18):Ai, A757–A758, 1975. [251] A. Diab. Une remarque sur les polynˆ omes exponentiels. C. R. Acad. Sci. Paris S´ er. A-B, 280:Ai, A759–A761, 1975.

256

BIBLIOGRAPHY

[252] C. Ding. Linear complexity of generalized cyclotomic binary sequences of order 2. Finite Fields Appl., 3(2):159–174, 1997. [253] C. Ding. Autocorrelation values of generalized cyclotomic sequences of order two. IEEE Trans. Inform. Theory, 44(4):1699–1702, 1998. [254] C. Ding. Linear complexity of some generalized cyclotomic sequences. Internat. J. Algebra Comput., 8(4):431–442, 1998. [255] C. Ding. Pattern distributions of Legendre sequences. IEEE Trans. Inform. Theory, 44(4):1693–1698, 1998. [256] C. Ding and T. Helleseth. On cyclotomic generator of order r. Inform. Process. Lett., 66(1):21–25, 1998. [257] C. Ding, T. Helleseth, and H. Martinsen. New families of binary sequences with optimal three-level autocorrelation. IEEE Trans. Inform. Theory, 47(1):428–433, 2001. [258] C. Ding, T. Helleseth, and Weijuan Shan. On the linear complexity of Legendre sequences. IEEE Trans. Inform. Theory, 44(3):1276–1278, 1998. [259] H. Dobbertin, T. Helleseth, P. V.F Kumar, and H. Martinsen. Ternary m-sequences with three-valued cross-correlation function: new decimations of Welch and Niho type. IEEE Trans. Inform. Theory, 47(4):1473–1481, 2001. [260] E. Dobrowolski. On a question of Lehmer and the number of irreducible factors of a polynomial. Acta Arith., 34(4):391–401, 1979. Pa+H [261] E. Dobrowolski and K. S. Williams. An upper bound for the sum n=a+1 f (n) for a certain class of functions f . Proc. Amer. Math. Soc., 114(1):29–35, 1992. [262] A. Dress and F. Luca. A characterization of certain binary recurrence sequences. In Algebraic combinatorics and applications (G¨ oßweinstein, 1999), pages 89–101. Springer, Berlin, 2001. [263] A. Dress and F. Luca. Real numbers that have good Diophantine approximations of the form rn+1 /rn . Acta Acad. Paedagog. Agriensis Sect. Mat. (N.S.), 28:13–19, 2001. [264] A. Dress and F. Luca. Unbounded integer sequences (An )n≥0 with An+1 An−1 − A2n bounded are of Fibonacci type. In Algebraic combinatorics and applications (G¨ oßweinstein, 1999), pages 102–109. Springer, Berlin, 2001. [265] M. Drmota. The distribution of patterns in digital expansions. In Algebraic number theory and Diophantine analysis (Graz, 1998), pages 103–121. de Gruyter, Berlin, 2000. [266] M. Drmota and J. Gajdosik. The distribution of the sum-of-digits function. J. Th´ eor. Nombres Bordeaux, 10(1):17–32, 1998. [267] M. Drmota and G. Larcher. The sum-of-digits-function and uniform distribution modulo 1. J. Number Theory, 89(1):65–96, 2001. [268] A. Dujella and R. F. Tichy. Diophantine equations for second-order recursive sequences of polynomials. Q. J. Math., 52(2):161–169, 2001. [269] J. M. Dumont, P. J. Grabner, and A. Thomas. Distribution of the digits in the expansions of rational integers in algebraic bases. Acta Sci. Math. (Szeged), 65(3-4):469–492, 1999. [270] J.-M. Dumont and A. Thomas. Modifications de nombres normaux par des transducteurs. Acta Arith., 68(2):153–170, 1994. [271] B. Durand. A random NP-complete problem for inversion of 2D cellular automata. Theoret. Comput. Sci., 148(1):19–32, 1995. P n n [272] D. Duverney. Sur l’irrationalit´ e de +∞ er. I Math., n=1 r /(q − r). C. R. Acad. Sci. Paris S´ 320(1):1–4, 1995. [273] R. Dvornicich and U. Zannier. On sums of roots of unity. Monatsh. Math., 129(2):97–108, 2000. [274] Bernard Dwork. On the rationality of the zeta function of an algebraic variety. Amer. J. Math., 82:631–648, 1960. [275] Bernard M. Dwork and A. J. van der Poorten. The Eisenstein constant. Duke Math. J., 65(1):23–43, 1992. [276] S. Egami. The distribution of residue classes modulo a in an algebraic number field. Tsukuba J. Math., 4(1):9–13, 1980. [277] S. Egami. Average version of Artin’s conjecture in an algebraic number field. Tokyo J. Math., 4(1):203–212, 1981. [278] J. Eichenauer-Herrmann. Improved lower bounds for the discrepancy of inversive congruential pseudorandom numbers. Math. Comp., 62(206):783–786, 1994.

BIBLIOGRAPHY

257

[279] J. Eichenauer-Herrmann. On generalized inversive congruential pseudorandom numbers. Math. Comp., 63(207):293–299, 1994. [280] J. Eichenauer-Herrmann and F. Emmerich. Compound inversive congruential pseudorandom numbers: an average-case analysis. Math. Comp., 65(213):215–225, 1996. [281] J. Eichenauer-Herrmann, F. Emmerich, and G. Larcher. Average discrepancy, hyperplanes, and compound pseudorandom numbers. Finite Fields Appl., 3(3):203–218, 1997. [282] J. Eichenauer-Herrmann, E. Herrmann, and S. Wegenkittl. A survey of quadratic and inversive congruential pseudorandom numbers. In Monte Carlo and quasi-Monte Carlo methods 1996 (Salzburg), pages 66–97. Springer, New York, 1998. [283] J. Eichenauer-Herrmann and G. Larcher. Average behaviour of compound nonlinear congruential pseudorandom numbers. Finite Fields Appl., 2(1):111–123, 1996. [284] J. Eichenauer-Herrmann and H. Niederreiter. An improved upper bound for the discrepancy of quadratic congruential pseudorandom numbers. Acta Arith., 69(2):193–198, 1995. [285] J. Eichenauer-Herrmann and A. Topuzo˘ glu. On the period length of congruential pseudorandom number sequences generated by inversions. J. Comput. Appl. Math., 31(1):87–96, 1990. [286] M. Einsiedler, G. R. Everest, and T. Ward. Primes in sequences associated to polynomials (after Lehmer). LMS J. Comput. Math., 3:125–139 (electronic), 2000. [287] M. Einsiedler, G. R. Everest, and T. Ward. Morphic heights and periodic points. New York Number Theory Seminar, 2001. arXiv:math.NT/0204179. [288] M. Einsiedler, G. R. Everest, and T. Ward. Primes in elliptic divisibility sequences. LMS J. Comput. Math., 4:1–15 (electronic), 2001. [289] M. Einsiedler and T. Ward. Asymptotic geometry of non-mixing shapes. Ergodic Theory Dynam. Systems, to appear. arXiv:math.DS/0204174. [290] E. El Mahassni, P. Q. Nguyen, and I. E. Shparlinski. The insecurity of Nyberg–Rueppel and other DSA-like signature schemes with partially known nonce. Lect. Notes in Comp. Sci., 2146:97–109, 2001. [291] E. El Mahassni and I. E. Shparlinski. On the uniformity of distribution of congruential generators over elliptic curves. In Sequences and their applications (Bergen, 2001), pages 257–264. Springer, Berlin, 2002. [292] S. Eliahou. The 3x + 1 problem: new lower bounds on nontrivial cycle lengths. Discrete Math., 118(1-3):45–56, 1993. [293] N. Elkies. On finite sequences satisfying linear recursions. New York J. Math., 8:85–97 (electronic), 2002. [294] P. D. T. A. Elliott and L. Murata. On the average of the least primitive root modulo p. J. London Math. Soc. (2), 56(3):435–454, 1997. [295] F. Emmerich. Pseudorandom vector generation by the compound inversive method. Math. Comp., 65(214):749–760, 1996. [296] F. Emmerich. Equidistribution properties of compound inversive pseudorandom vectors. Finite Fields Appl., 4(1):16–28, 1998. [297] J. W. England. The zeta function of toral endomorphisms. Proc. Amer. Math. Soc., 34:321– 322, 1972. [298] J. W. England and R. L. Smith. The zeta function of automorphisms of solenoid groups. J. Math. Anal. Appl., 39:112–121, 1972. [299] D. Erdmann and S. Murphy. An approximate distribution for the maximum order complexity. Des. Codes Cryptogr., 10(3):325–339, 1997. P [300] P. Erd˝ os. On the sum d|2n −1 d−1 . Israel J. Math., 9:43–48, 1971. [301] P. Erd˝ os, P. Kiss, and C. Pomerance. On prime divisors of Mersenne numbers. Acta Arith., 57(3):267–281, 1991. [302] P. Erd˝ os, P. Kiss, and A. S´ ark¨ ozy. A lower bound for the counting function of Lucas pseudoprimes. Math. Comp., 51(183):315–323, 1988. [303] P. Erd˝ os and K. Mahler. Some arithmetical properties of the convergents of a continued fraction. J. London Math. Soc., 14:12–18, 1939. [304] P. Erd˝ os and M. Ram Murty. On the order of a (mod p). In Number theory (Ottawa, ON, 1996), pages 87–97. Amer. Math. Soc., Providence, RI, 1999. [305] P. Erd˝ os and A. M. Odlyzko. On the density of odd integers of the form (p − 1)2−n and related questions. J. Number Theory, 11(2):257–263, 1979.

258

BIBLIOGRAPHY

[306] P. Erd˝ os and T. N. Shorey. On the greatest prime factor of 2p − 1 for a prime p and other expressions. Acta Arith., 30(3):257–265, 1976. [307] P. Erd¨ os, C. L. Stewart, and R. Tijdeman. Some Diophantine equations with many solutions. Compositio Math., 66(1):37–56, 1988. [308] A. Eremenko and L. A. Rubel. On the zero sets of certain entire functions. Proc. Amer. Math. Soc., 124(8):2401–2404, 1996. [309] G. R. Everest. A “Hardy-Littlewood” approach to the S-unit equation. Compositio Math., 70(2):101–118, 1989. [310] G. R. Everest. p-primary parts of unit traces and the p-adic regulator. Acta Arith., 62(1):11– 23, 1992. [311] G. R. Everest. An asymptotic formula implied by the Leopoldt conjecture. Quart. J. Math. Oxford Ser. (2), 45(177):19–28, 1994. [312] G. R. Everest. The mean value of a sum of S-units. J. London Math. Soc. (2), 51(3):417– 428, 1995. [313] G. R. Everest. Mean values of algebraic linear forms. Proc. London Math. Soc. (3), 70(3):529–555, 1995. [314] G. R. Everest. On the p-adic integral of an exponential polynomial. Bull. London Math. Soc., 27(4):334–340, 1995. [315] G. R. Everest and J. H. Loxton. Counting algebraic units with bounded height. J. Number Theory, 44(2):222–227, 1993. [316] G. R. Everest and A. J. van der Poorten. Factorisation in the ring of exponential polynomials. Proc. Amer. Math. Soc., 125(5):1293–1298, 1997. [317] G. R. Everest, Y. Puri, and T. Ward. Sequences counting periodic points. Preprint, 2001. arXiv:math.NT/0204173. [318] G. R. Everest and I. E. Shparlinski. Divisor sums of generalised exponential polynomials. Canad. Math. Bull., 39(1):35–46, 1996. [319] G. R. Everest and I. E. Shparlinski. Counting the values taken by algebraic exponential polynomials. Proc. Amer. Math. Soc., 127(3):665–675, 1999. [320] G. R. Everest and N. Stephens. Primes generated by elliptic curves. Preprint, 2002. [321] G. R. Everest and T. Ward. Heights of polynomials and entropy in algebraic dynamics. Springer-Verlag London Ltd., London, 1999. [322] G. R. Everest and T. Ward. The canonical height of an algebraic point on an elliptic curve. New York J. Math., 6:331–342 (electronic), 2000. [323] J.-H. Evertse. On equations in S-units and the Thue-Mahler equation. Invent. Math., 75(3):561–584, 1984. [324] J.-H. Evertse. On sums of S-units and linear recurrences. Compositio Math., 53(2):225–244, 1984. [325] J.-H. Evertse. The number of solutions of linear equations in roots of unity. Acta Arith., 89(1):45–51, 1999. [326] J.-H. Evertse, K. Gy˝ ory, C. L. Stewart, and R. Tijdeman. S-unit equations and their applications. In New advances in transcendence theory (Durham, 1986), pages 110–174. Cambridge Univ. Press, Cambridge, 1988. [327] J.-H. Evertse, P. Moree, C. L. Stewart, and R. Tijdeman. Multivariate Diophantine equations with many solutions. Preprint, 2001. arXiv:math.NT/0107219. [328] J.-H. Evertse and H. P. Schlickewei. The absolute subspace theorem and linear equations with unknowns from a multiplicative group. In Number theory in progress, Vol. 1 (Zakopane-Ko´scielisko, 1997), pages 121–142. de Gruyter, Berlin, 1999. [329] J.-H. Evertse, H. P. Schlickewei, and W. M. Schmidt. Linear equations with variables which lie in a multiplicative group. Preprint, 1997. [330] F. Fabris. Periods distribution in the linear feedback generalized registers. J. Inform. Optim. Sci., 16(1):61–82, 1995. [331] J. Fabrykowski. On quadratic residues and nonresidues in difference sets modulo m. Proc. Amer. Math. Soc., 122(2):325–331, 1994. [332] R. G. Ferretti. An estimate for the multiplicity of binary recurrences. C. R. Acad. Sci. Paris S´ er. I Math., 325(11):1143–1148, 1997. [333] M. Filaseta and S. Konyagin. On a limit point associated with the abc-conjecture. Colloq. Math., 76(2):265–268, 1998.

BIBLIOGRAPHY

259

[334] P. Fitzpatrick and S. M. Jennings. Comparison of two algorithms for decoding alternant codes. Appl. Algebra Engrg. Comm. Comput., 9(3):211–220, 1998. [335] P. Fitzpatrick and G. H. Norton. The Berlekamp-Massey algorithm and linear recurring sequences over a factorial domain. Appl. Algebra Engrg. Comm. Comput., 6(4-5):309–323, 1995. [336] M. Flahive and H. Niederreiter. On inversive congruential generators for pseudorandom numbers. In Finite fields, coding theory, and advances in communications and computing (Las Vegas, NV, 1991), pages 75–80. Dekker, New York, 1993. [337] P. Flajolet, P. J. Grabner, P. Kirschenhofer, H. Prodinger, and R. F. Tichy. Mellin transforms and asymptotics: digital sums. Theoret. Comput. Sci., 123(2):291–314, 1994. [338] A. Flammenkamp and F. Luca. Binomial coefficients and Lucas sequences. J. Number Theory, 93:246–284, 2002. [339] L. Flatto. Z-numbers and β-transformations. In Symbolic dynamics and its applications (New Haven, CT, 1991), pages 181–201. Amer. Math. Soc., Providence, RI, 1992. [340] L. Flatto, J. C. Lagarias, and A. D. Pollington. On the range of fractional parts {ξ(p/q)n }. Acta Arith., 70(2):125–147, 1995. [341] L. Flatto, J. C. Lagarias, and B. Poonen. The zeta function of the beta transformation. Ergodic Theory Dynam. Systems, 14(2):237–266, 1994. [342] M. Fletcher and G. C. Smith. Chaos, elliptic curves and all that. In Applications of Fibonacci numbers, Vol. 5 (St. Andrews, 1992), pages 245–256. Kluwer Acad. Publ., Dordrecht, 1993. [343] E. V. Flynn, B. Poonen, and E. F. Schaefer. Cycles of quadratic polynomials and rational points on a genus-2 curve. Duke Math. J., 90(3):435–463, 1997. [344] W. Forman and H. N. Shapiro. An arithmetic property of certain rational powers. Comm. Pure Appl. Math., 20:561–573, 1967. [345] A. S. Fraenkel. Iterated floor function, algebraic numbers, discrete chaos, Beatty subsequences, semigroups. Trans. Amer. Math. Soc., 341(2):639–664, 1994. [346] Z. Franco and C. Pomerance. On a conjecture of Crandall concerning the qx + 1 problem. Math. Comp., 64(211):1333–1336, 1995. [347] J. N. Franklin. Deterministic simulation of random processes. Math. Comp., 17:28–59, 1963. [348] J. N. Franklin. Equidistribution of matrix-power residues modulo one. Math. Comp., 18:560–568, 1964. [349] J. B. Friedlander, J. S. dT. Hansen, and I. E. Shparlinski. On the distribution of the power generator modulo a prime power. Preprint, 2001. [350] J. B. Friedlander, S. V. Konyagin, and I. E. Shparlinski. Some doubly exponential sums over Zm . Acta Arithm., to appear. [351] J. B. Friedlander, M. Larsen, D. Lieman, and I. E. Shparlinski. On the correlation of binary M -sequences. Des. Codes Cryptogr., 16(3):249–256, 1999. [352] J. B. Friedlander, D. Lieman, and I. E. Shparlinski. On the distribution of the RSA generator. In Sequences and their applications (Singapore, 1998), pages 205–212. Springer, London, 1999. [353] J. B. Friedlander, C. Pomerance, and I. E. Shparlinski. Period of the power generator and small values of Carmichael’s function. Math. Comp., 70(236):1591–1605 (electronic), 2001. [354] J. B. Friedlander and I. E. Shparlinski. Double exponential sums over thin sets. Proc. Amer. Math. Soc., 129(6):1617–1621 (electronic), 2001. [355] J. B. Friedlander and I. E. Shparlinski. On the distribution of Diffie-Hellman triples with sparse exponents. SIAM J. Discrete Math., 14(2):162–169 (electronic), 2001. [356] J. B. Friedlander and I. E. Shparlinski. On the distribution of the power generator. Math. Comp., 70(236):1575–1589 (electronic), 2001. [357] J. B. Friedlander and I. E. Shparlinski. On character sums with exponential functions. Mathematika, to appear. [358] A. M. Frieze, J. H˚ astad, R. Kannan, J. C. Lagarias, and A. Shamir. Reconstructing truncated integer variables satisfying linear congruences. SIAM J. Comput., 17(2):262–280, 1988. [359] C. Frougny. Representations of numbers and finite automata. Math. Systems Theory, 25(1):37–60, 1992. [360] C. Frougny. On multiplicatively dependent linear numeration systems, and periodic points. Preprint, 2001.

260

BIBLIOGRAPHY

[361] Amparo F´ uster-Sabater and Pino Caballero-Gil. On the linear complexity of nonlinearly filtered PN-sequences. In Advances in cryptology—ASIACRYPT ’94 (Wollongong, 1994), pages 80–90. Springer, Berlin, 1995. [362] S. Gao, J. von zur Gathen, and D. Panario. Gauss periods: orders and cryptographical applications. Math. Comp., 67(221):343–352, 1998. [363] A. Garc´ıa and J. F. Voloch. Fermat curves over finite fields. J. Number Theory, 30(3):345– 356, 1988. [364] M. V. P. Garcia and F. A. Tal. A note on the generalized 3n + 1 problem. Acta Arith., 90(3):245–250, 1999. [365] J. von zur Gathen and F. Pappalardi. Density estimates related to Gauss periods. In K.-Y. Lam, I. E. Shparlinski, H. Wang, and C. Xing, editors, Proc. Workshop on Cryptography and Computational Number Theory (CCNT’99), Singapore, pages 33–41. Birkh¨ auser, 2001. [366] J. von zur Gathen and I. E. Shparlinski. Orders of Gauss periods in finite fields. Appl. Algebra Engrg. Comm. Comput., 9(1):15–24, 1998. [367] J. von zur Gathen and I. E. Shparlinski. Constructing elements of large order in finite fields. In Applied algebra, algebraic algorithms and error-correcting codes (Honolulu, HI, 1999), pages 404–409. Springer, Berlin, 1999. [368] J. von zur Gathen and I. E. Shparlinski. Gauß periods in finite fields. In Finite fields and applications (Augsburg, 1999), pages 162–177. Springer, Berlin, 2001. [369] Guoqiang Ge. Recognizing units in number fields. Math. Comp., 63(207):377–387, 1994. [370] A. O. Gelfond. Sur les divisere premiers de valeurs de la fonction exponentielle. Proc. Phys. Math. Inst. Acad. Sci. USSR, 5, 1934. [371] A. Ghosh. The distribution of αp2 modulo 1. Proc. London Math. Soc. (3), 42(2):252–269, 1981. [372] K. Girstmair. On the cosets of the 2q-power group in the unit group modulo p. Abh. Math. Sem. Univ. Hamburg, 62:217–232, 1992. [373] K. Girstmair. The digits of 1/p in connection with class number factors. Acta Arith., 67(4):381–386, 1994. [374] K. Girstmair. Class number factors and distribution of residues. Abh. Math. Sem. Univ. Hamburg, 67:65–104, 1997. [375] J. P. Glass, J. H. Loxton, and A. J. van der Poorten. Identifying a rational function. C. R. Math. Rep. Acad. Sci. Canada, 3(5):279–284, 1981. [376] D. Gluck and Taylor B. D. A new statistic for the 3x + 1 problem. Proc. Amer. Math. Soc., 130(5):1293–1301, 2002. [377] J. Dj. Goli´ c. On the linear complexity of functions of periodic GF(q) sequences. IEEE Trans. Inform. Theory, 35(1):69–75, 1989. [378] S. W. Golomb and G. Gong. Periodic binary sequences with the “trinomial property”. IEEE Trans. Inform. Theory, 45(4):1276–1279, 1999. [379] S. W. Golomb, G. Gong, and Z. D. Dai. Cyclic inequivalence of cascaded GMW-sequences. Discrete Math., 219(1-3):279–285, 2000. [380] G. Gong. Theory and applications of q-ary interleaved sequences. IEEE Trans. Inform. Theory, 41(2):400–411, 1995. [381] G. Gong. On q-ary cascaded GMW sequences. IEEE Trans. Inform. Theory, 42:263–267, 1996. [382] G. Gong. New designs for signal sets with low cross-correlation, balance property and large linear span: GF(p) case. Faculty of Math., Univ. Waterloo, Research Report CORR 2000-32 , 2000. [383] G. Gong, T. A. Berson, and D. R. Stinson. Elliptic curve pseudorandom sequence generators. In Selected areas in cryptography (Kingston, ON, 1999), pages 34–48. Springer, Berlin, 2000. [384] G. Gong, Z. D. Dai, and S. W. Golomb. Enumeration and criteria for cyclically shift-distinct GMW sequences. IEEE Trans. Inform. Theory, 46(2):474–484, 2000. [385] G. Gong and S. W. Golomb. Binary sequences with two-level autocorrelation. IEEE Trans. Inform. Theory, 45(2):692–693, 1999. [386] G. Gong and C. C. Y. Lam. Linear recursive sequences over elliptic curves. In Sequences and their applications (Bergen, 2001), pages 182–196. Springer, Berlin, 2002. [387] M. I. Gonz´ alez Vasco, M. N¨ aslund, and I. E. Shparlinski. The hidden number problem in extension fields and its applications. Lect. Notes in Comp. Sci., 2286, 2002.

BIBLIOGRAPHY

261

[388] M. I. Gonz´ alez Vasco and I. E. Shparlinski. On the security of Diffie-Hellman bits. In K.-Y. Lam, I. E. Shparlinski, H. Wang, and C. Xing, editors, Proc. Workshop on Cryptography and Computational Number Theory (CCNT’99), Singapore, pages 257–268. Birkh¨ auser, 2001. [389] M. I. Gonz´ alez Vasco and I. E. Shparlinski. Security of the most significant bits of the Shamir message passing scheme. Math. Comp., 71(237):333–342 (electronic), 2002. [390] D. M. Gordon. On the number of elliptic pseudoprimes. Math. Comp., 52(185):231–245, 1989. [391] D. M. Gordon. Pseudoprimes on elliptic curves. In Th´ eorie des nombres (Quebec, PQ, 1987), pages 290–305. de Gruyter, Berlin, 1989. [392] D. M. Gordon. Equidistant arithmetic codes and character sums. J. Number Theory, 46(3):323–333, 1994. [393] D. M. Gordon and C. Pomerance. The distribution of Lucas and elliptic pseudoprimes. Math. Comp., 57(196):825–838, 1991. [394] M. Goresky and A. Klapper. Arithmetic crosscorrelations of feedback with carry shift register sequences. IEEE Trans. Inform. Theory, 43(4):1342–1345, 1997. [395] M. Goresky, A. Klapper, M. Ram Murty, and I. E. Shparlinski. On decimations of `sequences. Preprint, 2002. [396] M. Goresky, A. Klapper, and L. Washington. Fourier transforms and the 2-adic span of periodic binary sequences. IEEE Trans. Inform. Theory, 46(2):687–691, 2000. [397] Rainer G¨ ottfert and H. Niederreiter. On the minimal polynomial of the product of linear recurring sequences. Finite Fields Appl., 1(2):204–218, 1995. [398] X. Gourdon and B. Salvy. Effective asymptotics of linear recurrences with rational coefficients. In Proceedings of the 5th Conference on Formal Power Series and Algebraic Combinatorics (Florence, 1993), volume 153, pages 145–163, 1996. [399] E. Gourin. On irreducible polynomials in several variables which become reducible when the variables are replaced by powers of themselves. Trans. Amer. Math. Soc., 32(3):485–501, 1930. [400] W. T. Gowers. Fourier analysis and Szemer´ edi’s theorem. In Proceedings of the International Congress of Mathematicians, Vol. I (Berlin, 1998), number Extra Vol. I, pages 617–629 (electronic), 1998. [401] W. T. Gowers. A new proof of Szemer´ edi’s theorem for arithmetic progressions of length four. Geom. Funct. Anal., 8(3):529–551, 1998. Erratum: Geom. Funct. Anal., 11 (2001), 869. [402] W. T. Gowers. A new proof of Szemer´ edi’s theorem. Geom. Funct. Anal., 11(3):465–588, 2001. [403] P. J. Grabner, P. Kirschenhofer, H. Prodinger, and R. F. Tichy. On the moments of the sum-of-digits function. In Applications of Fibonacci numbers, Vol. 5 (St. Andrews, 1992), pages 263–271. Kluwer Acad. Publ., Dordrecht, 1993. [404] P. J. Grabner, P. Kiss, and R. F. Tichy. Diophantine approximation in terms of linear recurrent sequences. In Number theory (Halifax, NS, 1994), pages 187–195. Amer. Math. Soc., Providence, RI, 1995. [405] P. J. Grabner and P. Liardet. Harmonic properties of the sum-of-digits function for complex bases. Acta Arith., 91(4):329–349, 1999. [406] P. J. Grabner, P. Liardet, and R. F. Tichy. Odometers and systems of numeration. Acta Arith., 70(2):103–123, 1995. [407] P. J. Grabner and J. M. Thuswaldner. On the sum of digits function for number systems with negative bases. Ramanujan J., 4(2):201–220, 2000. [408] P. J. Grabner, R. F. Tichy, and R. Winkler. On the stability of the quotients of successive terms of linear recurring sequences. In Number-theoretic and algebraic methods in computer science (Moscow, 1993), pages 185–192. World Sci. Publishing, River Edge, NJ, 1995. [409] M. Grady and M. Newman. Residue periodicity in subgroup counting functions. In The Rademacher legacy to mathematics (University Park, PA, 1992), pages 265–273. Amer. Math. Soc., Providence, RI, 1994. [410] S. W. Graham and C. J. Ringrose. Lower bounds for least quadratic nonresidues. In Analytic number theory (Allerton Park, IL, 1989), pages 269–309. Birkh¨ auser Boston, Boston, MA, 1990.

262

BIBLIOGRAPHY

[411] D. Grant. Sequences of fields with many solutions to the unit equation. Rocky Mountain J. Math., 26(3):1017–1029, 1996. [412] J. Grantham. A probable prime test with high confidence. J. Number Theory, 72(1):32–47, 1998. [413] J. Grantham. Frobenius pseudoprimes. Math. Comp., 70(234):873–891, 2001. [414] A. Granville and Z.-W. Sun. Values of Bernoulli polynomials. Pacific J. Math., 172(1):117– 137, 1996. [415] F. Griffin, H. Niederreiter, and I. E. Shparlinski. On the distribution of nonlinear recursive congruential pseudorandom numbers of higher orders. In Applied algebra, algebraic algorithms and error-correcting codes (Honolulu, HI, 1999), pages 87–93. Springer, Berlin, 1999. [416] F. Griffin and I. E. Shparlinski. On the linear complexity of the Naor-Reingold pseudorandom function. Lect. Notes in Comp. Sci., 1726:301–308, 1999. [417] F. Griffin and I. E. Shparlinski. On the linear complexity profile of the power generator. IEEE Trans. Inform. Theory, 46(6):2159–2162, 2000. [418] G. Grisel. Sur la longueur de la fraction continue de αn . Acta Arith., 74(2):161–176, 1996. [419] G. Grisel. Length of the powers of a rational fraction. J. Number Theory, 62(2):322–337, 1997. [420] G. Grisel. Length of continued fractions in principal quadratic fields. Acta Arith., 85(1):35– 49, 1998. ´ [421] M. Gromov. Groups of polynomial growth and expanding maps. Inst. Hautes Etudes Sci. Publ. Math., (53):53–73, 1981. [422] G. Grossman and F. Luca. Sum of factorials in binary recurrence sequences. J. Number Theory, 93:87–107, 2002. [423] D. Guillaume and F. Morain. Building pseudoprimes with a large number of prime factors. Appl. Algebra Engrg. Comm. Comput., 7(4):263–277, 1996. [424] R. Gupta and M. Ram Murty. A remark on Artin’s conjecture. Invent. Math., 78(1):127– 130, 1984. [425] R. Gupta and M. Ram Murty. Primitive points on elliptic curves. Compositio Math., 58(1):13–44, 1986. [426] R. Gupta and M. Ram Murty. Cyclicity and generation of points mod p on elliptic curves. Invent. Math., 101(1):225–235, 1990. [427] S. Gupta and D. Zagier. On the coefficients of the minimal polynomials of Gaussian periods. Math. Comp., 60(201):385–398, 1993. [428] S. Gurak. Pseudoprimes for higher-order linear recurrence sequences. Math. Comp., 55(192):783–813, 1990. [429] S. Gurak. On higher-order pseudoprimes of Lehmer type. In Number theory (Halifax, NS, 1994), pages 215–227. Amer. Math. Soc., Providence, RI, 1995. [430] S. Gurak. On the minimal polynomials for certain Gauss periods over finite fields. In Finite fields and applications (Glasgow, 1995), pages 85–96. Cambridge Univ. Press, Cambridge, 1996. [431] S. Gurak. On the middle factor of the period polynomial for finite fields. In Number theory (Ottawa, ON, 1996), pages 121–131. Amer. Math. Soc., Providence, RI, 1999. [432] R. Guralnick, T. Penttila, C. E. Praeger, and J. Saxl. Linear groups with orders having certain large prime divisors. Proc. London Math. Soc. (3), 78(1):167–214, 1999. [433] J. Gutierrez and Gomes-Perez D. Iterations of multivariate polynomials and discrepancy of pseudorandom numbers. Lect. Notes in Comp. Sci., 2227:192–199, 2001. [434] J. Gutierrez, H. Niederreiter, and I. E. Shparlinski. On the multidimensional distribution of inversive congruential pseudorandom numbers in parts of the period. Monatsh. Math., 129(1):31–36, 2000. [435] J. Gutierrez, I. E. Shparlinski, and A. Winterhof. On the linear and nonlinear complexity profile of nonlinear pseudorandom number generators. IEEE Trans. Inform. Theory, to appear. [436] R. K. Guy. Unsolved problems in number theory. Springer-Verlag, New York, second edition, 1994. [437] K. Gy˝ ory. On some arithmetical properties of Lucas and Lehmer numbers. Acta Arith., 40(4):369–373, 1981/82.

BIBLIOGRAPHY

263

[438] K. Gy˝ ory. On arithmetic graphs associated with integral domains. In A tribute to Paul Erd˝ os, pages 207–222. Cambridge Univ. Press, Cambridge, 1990. [439] K. Gy˝ ory. On arithmetic graphs associated with integral domains. II. In Sets, graphs and numbers (Budapest, 1991), pages 365–374. North-Holland, Amsterdam, 1992. [440] K. Gy˝ ory. Some recent applications of S-unit equations. Ast´ erisque, (209):11, 17–38, 1992. [441] K. Gy˝ ory, P. Kiss, and A. Schinzel. On Lucas and Lehmer sequences and their applications to Diophantine equations. Colloq. Math., 45(1):75–80 (1982), 1981. [442] K. Gy˝ ory and A. Schinzel. On a conjecture of Posner and Rumsey. J. Number Theory, 47(1):63–78, 1994. [443] L. Hajdu. A quantitative version of Dirichlet’s S-unit theorem in algebraic number fields. Publ. Math. Debrecen, 42(3-4):239–246, 1993. [444] L. Halbeisen and N. Hungerb¨ uhler. Optimal bounds for the length of rational Collatz cycles. Acta Arith., 78(3):227–239, 1997. [445] M. Hall. An isomorphism between linear recurring sequences and algebraic rings. Trans. Amer. Math. Soc., 44(2):196–218, 1938. [446] S. Hallgren. Linear congruential generators over elliptic curves. Preprint CS-94-143, Dept. of Comp. Sci., Cornegie Mellon Univ., 1994. [447] F. Halter-Koch and W. Narkiewicz. Finiteness properties of polynomial mappings. Math. Nachr., 159:7–18, 1992. [448] F. Halter-Koch and W. Narkiewicz. Polynomial mappings defined by forms with a common factor. S´ em. Th´ eor. Nombres Bordeaux (2), 4(2):187–198, 1992. [449] F. Halter-Koch and W. Narkiewicz. Polynomial cycles in finitely generated domains. Monatsh. Math., 119(4):275–279, 1995. [450] F. Halter-Koch and W. Narkiewicz. Scarcity of finite polynomial orbits. Publ. Math. Debrecen, 56(3-4):405–414, 2000. Dedicated to Professor K´ alm´ an Gy˝ ory on the occasion of his 60th birthday. [451] G. Hansel. Une d´ emonstration simple du th´ eor` eme de Skolem-Mahler-Lech. Theoret. Comput. Sci., 43(1):91–98, 1986. [452] J. C. Hansen and E. Schmutz. How random is the characteristic polynomial of a random matrix? Math. Proc. Cambridge Philos. Soc., 114(3):507–515, 1993. [453] G. H. Hardy. Divergent Series. Oxford, at the Clarendon Press, 1949. [454] G. H. Hardy and E. M. Wright. An introduction to the theory of numbers. The Clarendon Press Oxford University Press, New York, fifth edition, 1979. [455] G. Harman. Trigonometric sums over primes. I. Mathematika, 28(2):249–254 (1982), 1981. [456] S. Hatjispyros and F. Vivaldi. A family of rational zeta functions for the quadratic map. Nonlinearity, 8(3):321–332, 1995. [457] D. R. Heath-Brown. Artin’s conjecture for primitive roots. Quart. J. Math. Oxford Ser. (2), 37(145):27–38, 1986. [458] D. R. Heath-Brown. Integer sets containing no arithmetic progressions. J. London Math. Soc. (2), 35(3):385–394, 1987. [459] D. R. Heath-Brown. Zero-free regions for Dirichlet L-functions, and the least prime in an arithmetic progression. Proc. London Math. Soc. (3), 64(2):265–338, 1992. [460] D. R. Heath-Brown and S. Konyagin. New bounds for Gauss sums derived from kth powers, and for Heilbronn’s exponential sum. Q. J. Math., 51(2):221–235, 2000. [461] T. Helleseth. Some results about the cross-correlation function between two maximal linear sequences. Discrete Math., 16(3):209–232, 1976. [462] T. Helleseth. Correlation of m-sequences and related topics. In Sequences and their applications (Singapore, 1998), pages 49–66. Springer, London, 1999. [463] T. Helleseth and P. V. Kumar. Sequences with low correlations. In Handbook in Coding Theory. Kluwer Acad. Publ., Dordrecht, 1998. [464] T. Helleseth, P. V. Kumar, and H. Martinsen. A new family of ternary sequences with ideal two-level autocorrelation function. Des. Codes Cryptogr., 23(2):157–166, 2001. [465] T. Helleseth and H. M. Martinsen. Binary sequences of period 2m − 1 with large linear complexity. Inform. and Comput., 151(1-2):73–91, 1999. [466] D. Hensley. The distribution mod n of fractions with bounded partial quotients. Pacific J. Math., 166(1):43–54, 1994. [467] T. Herlestam. On functions of linear shift register sequences. In Advances in cryptology— EUROCRYPT ’85 (Linz, 1985), pages 119–129. Springer, Berlin, 1986.

264

BIBLIOGRAPHY

[468] S. Hern´ andes and F. Luca. On the largest prime factor of (ab + 1)(ac + 1)(bc + 1). Preprint, 2002. [469] M. Hindry and J. H. Silverman. The canonical height and integral points on elliptic curves. Invent. Math., 93(2):419–450, 1988. [470] M. Hindry and J. H. Silverman. On Lehmer’s conjecture for elliptic curves. In S´ eminaire de Th´ eorie des Nombres, Paris 1988–1989, pages 103–116. Birkh¨ auser Boston, Boston, MA, 1990. [471] P. A. Hines. Characterising the linear complexity of span 1 de Bruijn sequences over finite fields. J. Combin. Theory Ser. A, 81(2):140–148, 1998. [472] P. A. Hines. On the minimum linear complexity of de Bruijn sequences over non-prime finite fields. J. Combin. Theory Ser. A, 86(1):127–139, 1999. [473] A. Hinkkanen. Zeta functions of rational functions are rational. Ann. Acad. Sci. Fenn. Ser. A I Math., 19(1):3–10, 1994. [474] J. G. Hinz. A note on Artin’s conjecture in algebraic number fields. J. Number Theory, 22(3):334–349, 1986. [475] A. Hof and O. Knill. Cellular automata with almost periodic initial conditions. Nonlinearity, 8(4):477–491, 1995. [476] H. D. L. Hollmann and Q. Xiang. A proof of the Welch and Niho conjectures on crosscorrelations of binary m-sequences. Finite Fields Appl., 7(2):253–286, 2001. [477] C. Hooley. On Artin’s conjecture. J. Reine Angew. Math., 225:209–220, 1967. [478] C. Hooley. Applications of sieve methods to the theory of numbers. Cambridge University Press, Cambridge, 1976. [479] A. E. D. Houston. On the limit of maximal density of sequences with a perfect linear complexity profile. Des. Codes Cryptogr., 10(3):351–359, 1997. [480] E. W. Howe. Higher-order Carmichael numbers. Math. Comp., 69(232):1711–1719, 2000. [481] E. Hrushovski, P. H. Kropholler, A. Lubotzky, and A. Shalev. Powers in finitely generated groups. Trans. Amer. Math. Soc., 348(1):291–304, 1996. [482] C. Hua and G.-Z. Xiao. The linear complexity of binary sequences with period (2n − 1)k . IEEE Trans. Inform. Theory, 37:672–673, 1991. [483] Loo-Keng Hua. Die Absch¨ atzung von Exponentialsummen und ihre Anwendung in der Zahlentheorie. B. G. Teubner Verlagsgesellschaft, Leipzig, 1959. [484] K. Huber. On the period length of generalized inversive pseudorandom number generators. Appl. Algebra Engrg. Comm. Comput., 5(5):255–260, 1994. [485] Krasikov I. and J. C. Lagarias. Bounds for the 3x + 1 problem using difference inequalities. Preprint, 2002. [486] S. Jakubec, J. Kostra, and K. Nemoga. On the existence of an integral normal basis generated by a unit in prime extensions of rational numbers. Math. Comp., 56(194):809–815, 1991. [487] E. Jen. Linear cellular automata and recurring sequences in finite fields. Comm. Math. Phys., 119(1):13–28, 1988. [488] E. Jen. Aperiodicity in one-dimensional cellular automata. In Chaos (Woods Hole, MA, 1989), pages 121–144. Amer. Inst. Phys., New York, 1990. [489] E. Jen. Exact solvability and quasiperiodicity of one-dimensional cellular automata. Nonlinearity, 4(2):251–276, 1991. [490] E. Jensen and M. Ram Murty. Artin’s conjecture for polynomials over finite fields. In Number theory, pages 167–181. Birkh¨ auser, Basel, 2000. [491] T. Johansson. A shift register construction of unconditionally secure authentication codes. Des. Codes Cryptogr., 4(1):69–81, 1994. [492] J. P. Jones and P. Kiss. An asymptotic formula concerning Lehmer numbers. Publ. Math. Debrecen, 42(3-4):199–213, 1993. [493] J. P. Jones and P. Kiss. Representation of integers as terms of a linear recurrence with maximal index. Acta Acad. Paedagog. Agriensis Sect. Mat. (N.S.), 25:21–37 (1999), 1998. [494] J. A. Joseph. A chaotic extension of the 3x + 1 function to Z2 [i]. Fibonacci Quart., 36(4):309–316, 1998. [495] A. Joux and J. Stern. Lattice reduction: a toolbox for the cryptanalyst. J. Cryptology, 11(3):161–185, 1998. [496] S.-M. Jung and B. Volkmann. Remarks on a paper of Wagner. J. Number Theory, 56(2):329–335, 1996.

BIBLIOGRAPHY

265

[497] T. Kagawa and N. Terai. Squares in Lucas sequences and some Diophantine equations. Manuscripta Math., 96(2):195–202, 1998. [498] T. Kaida, S. Uehara, and K. Imamura. An algorithm for the k-error linear complexity of sequences over GF(pm ) with period pn , p a prime. Inform. and Comput., 151(1-2):134–147, 1999. [499] T. Kaida, S. Uehara, and K. Imamura. A new algorithm for the k-error linear complexity of sequences over GF(pm ) with period pn . In Sequences and their applications (Singapore, 1998), pages 284–296. Springer, London, 1999. [500] T. Kaida, S. Uehara, and K. Imamura. On the profile of the k-error linear complexity and zero sum property of sequences over GF(pm ) with period pn . In Sequences and their applications (Bergen, 2001), pages 218–227. Springer, Berlin, 2002. [501] T. Kamae. Number-theoretic problems involving two independent bases. In Number theory and cryptography (Sydney, 1989), pages 196–203. Cambridge Univ. Press, Cambridge, 1990. [502] O. V. Kamlovski˘ı and A. S. Kuz0 min. Distribution of elements on cycles of linear recurrent sequences over Galois rings. Uspekhi Mat. Nauk, 53(2(320)):149–150, 1998. [503] R. Kannan and R. J. Lipton. Polynomial-time algorithm for the orbit problem. J. Assoc. Comput. Mach., 33(4):808–821, 1986. [504] H. Kano. General constructions of normal numbers of Korobov type. Osaka J. Math., 30(4):909–919, 1993. [505] H. Kano. A remark on Wagner’s ring of normal numbers. Arch. Math. (Basel), 60(1):46–50, 1993. [506] H. Kano and I. Shiokawa. Rings of normal and nonnormal numbers. Israel J. Math., 84(3):403–416, 1993. [507] H. J. Karloff and P. Raghavan. Randomized algorithms and pseudorandom numbers. J. Assoc. Comput. Mach., 40(3):454–476, 1993. [508] M. Karpinski, A. J. van der Poorten, and I. E. Shparlinski. Zero testing of p-adic and modular polynomials. Theoret. Comput. Sci., 233(1-2):309–317, 2000. [509] M. Karpinski and I. E. Shparlinski. On some approximation problems concerning sparse polynomials over finite fields. Theoret. Comput. Sci., 157(2):259–266, 1996. [510] T. Kato, L.-M. Wu, and N. Yanagihara. The serial test for a nonlinear pseudorandom number generator. Math. Comp., 65(214):761–769, 1996. [511] A. Katok and B. Hasselblatt. Introduction to the modern theory of dynamical systems. Cambridge University Press, Cambridge, 1995. [512] N. M. Katz. Gauss sums, Kloosterman sums, and monodromy groups. Princeton University Press, Princeton, NJ, 1988. [513] B. W. Kernighan and D. M. Ritchie. The C programming language. Prentice Hall, Englewood Cliffs, NJ, 1988. [514] K. H. Kim, N. S. Ormes, and F. W. Roush. The spectra of nonnegative integer matrices via formal power series. J. Amer. Math. Soc., 13(4):773–806 (electronic), 2000. [515] P. Kiss. On sums of the reciprocals of prime divisors of terms of a linear recurrence. In Applications of Fibonacci numbers, Vol. 7, pages 215–220. Kluwer Acad. Publ., Dordrecht. [516] P. Kiss. Zero terms in second-order linear recurrences. Math. Sem. Notes Kobe Univ., 7(1):145–152, 1979. [517] P. Kiss. On common terms of linear recurrences. Acta Math. Acad. Sci. Hungar., 40(12):119–123, 1982. [518] P. Kiss. Differences of the terms of linear recurrences. Studia Sci. Math. Hungar., 20(14):285–293, 1985. [519] P. Kiss. Primitive divisors of Lucas numbers. In Applications of Fibonacci numbers (San Jose, CA, 1986), pages 29–38. Kluwer Acad. Publ., Dordrecht, 1988. [520] P. Kiss. On rank of apparition of primes in Lucas sequences. Publ. Math. Debrecen, 36(14):147–151 (1990), 1989. [521] P. Kiss. On prime divisors of the terms of second order linear recurrence sequences. In Applications of Fibonacci numbers, Vol. 3 (Pisa, 1988), pages 203–207. Kluwer Acad. Publ., Dordrecht, 1990. [522] P. Kiss. On primitive prime power divisors of Lucas numbers. In Number theory, Vol. II (Budapest, 1987), pages 773–786. North-Holland, Amsterdam, 1990.

266

BIBLIOGRAPHY

[523] P. Kiss. Some results concerning the reciprocal sum of prime divisors of a Lucas number. In Applications of Fibonacci numbers, Vol. 5 (St. Andrews, 1992), pages 417–420. Kluwer Acad. Publ., Dordrecht, 1993. [524] P. Kiss. Pure powers and power classes in recurrence sequences. Math. Slovaca, 44(5):525– 529, 1994. [525] P. Kiss. An approximation problem concerning linear recurrences. In Number theory (Eger, 1996), pages 289–293. de Gruyter, Berlin, 1998. [526] P. Kiss. On a problem concerning perfect powers in linear recurrences. Acta Acad. Paedagog. Agriensis Sect. Mat. (N.S.), 26:25–30 (2000), 1999. [527] P. Kiss. Note on a result of I. Nemes and A. Peth˝ o concerning polynomial values in linear recurrences. Publ. Math. Debrecen, 56(3-4):451–455, 2000. Dedicated to Professor K´ alm´ an Gy˝ ory on the occasion of his 60th birthday. [528] P. Kiss. Results concerning products and sums of the terms of linear recurrences. Acta Acad. Paedagog. Agriensis Sect. Mat. (N.S.), 27:1–7 (2001), 2000. [529] P. Kiss and F. M´ aty´ as. An asymptotic formula for π. J. Number Theory, 31(3):255–259, 1989. [530] P. Kiss and F. M´ aty´ as. Perfect powers from the sums of terms of linear recurrences. Period. Math. Hungar., 42(1-2):163–168, 2001. [531] P. Kiss and F. M´ aty´ as. Products of the terms of linear recurrences. Studia Sci. Math. Hungar., 37(3-4):355–362, 2001. [532] P. Kiss and B. M. Phong. Weakly composite Lucas numbers. Ann. Univ. Sci. Budapest. E¨ otv¨ os Sect. Math., 31:179–182 (1989), 1988. [533] P. Kiss and B. M. Phong. Reciprocal sum of prime divisors of Lucas numbers. Acta Acad. Paed. Agriensis, Sect. Math., 19:47–54, 1989. [534] P. Kiss and B. Tropak. Average order of logarithms of terms in binary recurrences. Discuss. Math., 10:29–39 (1991), 1990. [535] P. Kiss and B. Zay. On sequences of zeros and ones. Studia Sci. Math. Hungar., 29(34):437–442, 1994. 2 [536] B. Kitchens and K. Schmidt. Markov subgroups of (Z/2Z)Z . In Symbolic dynamics and its applications (New Haven, CT, 1991), pages 265–283. Amer. Math. Soc., Providence, RI, 1992. [537] B. Kitchens and K. Schmidt. Mixing sets and relative entropies for higher-dimensional Markov shifts. Ergodic Theory Dynam. Systems, 13(4):705–735, 1993. [538] A. Klapper. The vulnerability of geometric sequences based on fields of odd characteristic. J. Cryptology, 7(1):33–51, 1994. [539] A. Klapper. d-form sequences: families of sequences with low correlation values and large linear spans. IEEE Trans. Inform. Theory, 41(2):423–431, 1995. [540] A. Klapper. Large families of sequences with near-optimal correlations and large linear span. IEEE Trans. Inform. Theory, 42(4):1241–1248, 1996. [541] A. Klapper. On the existence of secure feedback registers. Lect. Notes in Comp. Sci., 1070:256–267, 1996. [542] A. Klapper. Cross-correlations of quadratic form sequences in odd characteristic. Des. Codes Cryptogr., 11(3):289–305, 1997. [543] A. Klapper, A. H. Chan, and M. Goresky. Cross-correlations of linearly and quadratically related geometric sequences and GMW sequences. Discrete Appl. Math., 46(1):1–20, 1993. [544] A. Klapper and M. Goresky. Partial period autocorrelations of geometric sequences. IEEE Trans. Inform. Theory, 40(2):494–502, 1994. [545] A. Klapper and M. Goresky. Feedback shift registers, 2-adic span, and combiners with memory. J. Cryptology, 10(2):111–147, 1997. [546] A. Klapper and J. Xu. Algebraic feedback shift registers. Theoret. Comput. Sci., 226(12):61–92, 1999. Cryptography. [547] D. E. Knuth. The art of computer programming. Vol. 2. Addison-Wesley Publishing Co., Reading, Mass., third edition, 1998. [548] N. Koblitz. p-adic numbers, p-adic analysis, and zeta-functions. Springer-Verlag, New York, 1977. [549] N. Koblitz. A course in number theory and cryptography. Springer-Verlag, New York, 1987. [550] N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.

BIBLIOGRAPHY

267

[551] D. R. Kohel and I. E. Shparlinski. On exponential sums and group generators for elliptic curves over finite fields. In Algorithmic number theory (Leiden, 2000), pages 395–404. Springer, Berlin, 2000. [552] S. V. Konjagin. Letter to the editors: “The number of solutions of congruences of the nth degree with one unknown” [Mat. Sb. (N.S.) 109(151) (1979), no. 2, 171–187, 327; MR 80k:10013a]. Mat. Sb. (N.S.), 110(152)(1):158, 1979. [553] V. S. Konjagin. The number of solutions of congruences of the nth degree with one unknown. Mat. Sb. (N.S.), 109(151)(2):171–187, 327, 1979. [554] S. V. Konyagin. Estimates for Gaussian sums and Waring’s problem modulo a prime. Trudy Mat. Inst. Steklov., 198:111–124, 1992. [555] S. V. Konyagin and C. Pomerance. On primes recognizable in deterministic polynomial time. In The mathematics of Paul Erd˝ os, I, pages 176–198. Springer, Berlin, 1997. [556] S. V. Konyagin and I. E. Shparlinski. Character sums with exponential functions and their applications. Cambridge University Press, Cambridge, 1999. [557] S. V. Konyagin and T. Steger. Polynomial congruences. Mat. Zametki, 55(6):73–79, 158, 1994. [558] A. N. Korobov. Continued fractions of some normal numbers. Mat. Zametki, 47(2):28–33, 158, 1990. [559] N. M. Korobov. The distribution of non-residues and of primitive roots in recurrence series. Doklady Akad. Nauk SSSR (N.S.), 88:603–606, 1953. [560] N. M. Korobov. Unimprovable estimates of trigonometric sums with exponential functions. Doklady Akad. Nauk SSSR (N.S.), 89:597–600, 1953. [561] N. M. Korobov. Teoretiko-chislovye metody v priblizhennom analize. Gosudarstv. Izdat. Fiz.-Mat. Lit., Moscow, 1963. [562] N. M. Korobov. Distribution of fractional parts of exponential functions. Vestnik Moskov. Univ. Ser. I Mat. Meh., 21(4):42–46, 1966. [563] N. M. Korobov. Trigonometric sums with exponential functions, and the distribution of the digits in periodic fractions. Mat. Zametki, 8:641–652, 1970. [564] N. M. Korobov. The distribution of digits in periodic fractions. Mat. Sb. (N.S.), 89(131):654–670, 672, 1972. [565] H. Krawczyk. How to predict congruential generators. J. Algorithms, 13(4):527–545, 1992. [566] H. Krawczyk. LFSR-based hashing and authentication. Lect. Notes in Comp. Sci., 839:129– 139, 1994. [567] M. Kˇr´ıˇ zek, F. Luca, and L. Somer. 17 lectures on Fermat numbers. Springer-Verlag, New ˇ York, 2001. From number theory to geometry, With a foreword by Alena Solcov´ a. [568] K. K. Kubota. On a conjecture of Morgan Ward. I. Acta Arith., 33(1):11–28, 1977. II 33(1):29–48; III 33(2):99–109, 1977. [569] L. Kuipers and H. Niederreiter. Uniform distribution of sequences. Wiley-Interscience [John Wiley & Sons], New York, 1974. [570] P. V. Kumar and T. Helleseth. An expansion for the coordinates of the trace function over Galois rings. Appl. Algebra Engrg. Comm. Comput., 8(5):353–361, 1997. [571] S. R. Kumar and D. Sivakumar. Efficient self-testing/self-correction of linear recurrences. In 37th Annual Symposium on Foundations of Computer Science (Burlington, VT, 1996), pages 602–611. IEEE Comput. Soc. Press, Los Alamitos, CA, 1996. [572] V. L. Kurakin. Representations over the ring Zpn of a linear recursive sequence of maximal period over the field GF (p). Diskret. Mat., 4(4):96–116, 1992. [573] V. L. Kurakin. Convolution of linear recurrent sequences. Uspekhi Mat. Nauk, 48(4(292)):235–236, 1993. [574] V. L. Kurakin. The structure of Hopf algebras of linear recurrent sequences. Uspekhi Mat. Nauk, 48(5(293)):177–178, 1993. [575] V. L. Kurakin. The first coordinate sequence of a linear recurrence of maximum period over a Galois ring. Diskret. Mat., 6(2):88–100, 1994. [576] V. L. Kurakin. Representations over a field of linear recurrents of maximal period over a residue ring. Uspekhi Mat. Nauk, 49(2(296)):157–158, 1994. [577] P. Kurlberg. On the order of unimodular matrices modulo integers. Preprint, 2001. arXiv:math.NT/0202053. [578] P. Kurlberg and Z. Rudnick. On quantum ergodicity for linear maps of the torus. Comm. Math. Phys., 222(1):201–227, 2001.

268

BIBLIOGRAPHY

[579] K. Kurosawa, F. Sato, T. Sakata, and W. Kishimoto. A relationship between linear complexity and k-error linear complexity. IEEE Trans. Inform. Theory, 46(2):694–698, 2000. [580] H. C. Kurtz. The linear cubic p-adic recurrence and its value function. Illinois J. Math., 8:125–131, 1964. [581] A. S. Kuz0 min. Distribution of elements on cycles of linear recurrence sequences over residue rings. Uspekhi Mat. Nauk, 47(6(288)):213–214, 1992. [582] A. S. Kuz0 min and A. A. Nechaev. Construction of noise-stable codes using linear recurrent sequences over Galois rings. Uspekhi Mat. Nauk, 47(5(287)):183–184, 1992. [583] A. S. Kuz0 min and A. A. Nechaev. Linear recurrence sequences over Galois rings. Uspekhi Mat. Nauk, 48(1(289)):167–168, 1993. [584] J. C. Lagarias. The 3x + 1 problem and its generalizations. Amer. Math. Monthly, 92(1):3– 23, 1985. [585] J. C. Lagarias. The set of primes dividing the Lucas numbers has density 2/3. Pacific J. Math., 118(2):449–461, 1985. Erratum: Pacific J. Math., 162 (1994), 393–396. [586] J. C. Lagarias. Pseudorandom number generators in cryptography and number theory. In Cryptology and computational number theory (Boulder, CO, 1989), pages 115–143. Amer. Math. Soc., Providence, RI, 1990. [587] J. C. Lagarias, H. A. Porta, and K. B. Stolarsky. Asymmetric tent map expansions. I. Eventually periodic points. J. London Math. Soc. (2), 47(3):542–556, 1993. [588] J. C. Lagarias, H. A. Porta, and K. B. Stolarsky. Asymmetric tent map expansions. II. Purely periodic points. Illinois J. Math., 38(4):574–588, 1994. [589] J. C. Lagarias and J. A. Reeds. Unique extrapolation of polynomial recurrences. SIAM J. Comput., 17(2):342–362, 1988. [590] J. C. Lagarias and A. Weiss. The 3x + 1 problem: two stochastic models. Ann. Appl. Probab., 2(1):229–261, 1992. [591] D. Laksov. Linear recurring sequences over finite fields. Math. Scand., 16:181–196, 1965. [592] E. Lange. Cellular automata, substitutions and factorization of polynomials over finite fields. In Finite fields and applications (Glasgow, 1995), pages 163–179. Cambridge Univ. Press, Cambridge, 1996. [593] E. Lange. Substitutions for linear shift register sequences and the factorization algorithms of Berlekamp and Niederreiter. Linear Algebra Appl., 249:217–228, 1996. [594] K. Langmann. Primzahlen in Fibonacci-Progressionen. Arch. Math. (Basel), 65(2):125– 129, 1995. [595] V. Laohakosol. Some extensions of the Skolem-Mahler-Lech theorem. Exposition. Math., 7(2):137–187, 1989. [596] G. Larcher. A bound for the discrepancy of digital nets and its application to the analysis of certain pseudo-random number generators. Acta Arith., 83(1):1–15, 1998. [597] G. Larcher and H. Niederreiter. Optimal coefficients modulo prime powers in the threedimensional case. Ann. Mat. Pura Appl. (4), 155:299–315, 1989. [598] G. Larcher, R. Wolf, and J. Eichenauer-Herrmann. On the average discrepancy of successive tuples of pseudo-random numbers over parts of the period. Monatsh. Math., 127(2):141– 154, 1999. [599] R. G. Larson and E. J. Taft. The algebraic structure of linearly recursive sequences under Hadamard product. Israel J. Math., 72(1-2):118–132, 1990. [600] A. Lasjaunias. A survey of Diophantine approximation in fields of power series. Monatsh. Math., 130(3):211–229, 2000. [601] A. Lasjaunias and J.-J. Ruch. Algebraic and badly approximable power series over a finite field. Finite Fields Appl., 8(1):91–107, 2002. [602] A. G. B. Lauder. Polynomials with odd orthogonal multiplicity. Finite Fields Appl., 4(4):453–464, 1998. [603] A. G. B. Lauder. Continued fractions of Laurent series with partial quotients from a given set. Acta Arith., 90(3):251–271, 1999. [604] M. Laurent. Minoration de la hauteur de N´ eron-Tate. In Seminar on number theory, Paris 1981–82 (Paris, 1981/1982), pages 137–151. Birkh¨ auser Boston, Boston, MA, 1983. ´ [605] M. Laurent. Equations exponentielles-polynˆ omes et suites r´ ecurrentes lin´ eaires. II. J. Number Theory, 31(1):24–53, 1989. [606] Wayne M. Lawton. A problem of Boyd concerning geometric means of polynomials. J. Number Theory, 16(3):356–362, 1983.

BIBLIOGRAPHY

269

[607] R. R. Laxton. Linear recurrences of order two. J. Austral. Math. Soc., 7:108–114, 1967. [608] R. R. Laxton. On groups of linear recurrences. I. Duke Math. J., 36:721–736, 1969. [609] R. R. Laxton. On groups of linear recurrences. II. Elements of finite order. Pacific J. Math., 32:173–179, 1970. [610] R. R. Laxton. On a problem of M. Ward. Fibonacci Quart., 12:41–44, 1974. [611] J. W. Layman. Maximum zero strings of Bell numbers modulo primes. J. Combin. Theory Ser. A, 40(1):161–168, 1985. [612] M. H. Le. A note on the Diophantine equation (xm − 1)/(x − 1) = y n + 1. Math. Proc. Cambridge Philos. Soc., 116(3):385–389, 1994. [613] Christer Lech. A note on recurring series. Ark. Mat., 2:417–421, 1953. [614] D. H. Lehmer. The mathematical work of Morgan Ward. Math. Comp., 61(203):307–311, 1993. [615] D.H. Lehmer. Factorization of certain cyclotomic functions. Ann. of Math., 34:461–479, 1933. [616] S. Lehr, J. Shallit, and J. Tromp. On the vector space of the automatic reals. Theoret. Comput. Sci., 163(1-2):193–210, 1996. [617] F. Lemmermeyer. The Euclidean algorithm in algebraic number fields. Exposition. Math., 13(5):385–416, 1995. [618] H. W. Lenstra, Jr. Euclidean number fields of large degree. Invent. Math., 38(3):237–254, 1976/77. [619] H. W. Lenstra, Jr. On Artin’s conjecture and Euclid’s algorithm in global fields. Invent. Math., 42:201–224, 1977. [620] H. W. Lenstra, Jr. and R. J. Schoof. Primitive normal bases for finite fields. Math. Comp., 48(177):217–231, 1987. [621] H. W. Lenstra, Jr. and J. O. Shallit. Continued fractions and linear recurrences. Math. Comp., 61(203):351–354, 1993. [622] A. Leutbecher and G. Niklasch. On cliques of exceptional units and Lenstra’s construction of Euclidean fields. In Number theory (Ulm, 1987), pages 150–178. Springer, New York, 1989. [623] V. I. Levenshte˘ın. Bounds for packings of metric spaces and some of their applications. Problemy Kibernet., (40):43–110, 1983. [624] M. B. Levin. The uniform distribution of the sequence {αλx }. Mat. Sb. (N.S.), 98(140)(2 (10)):207–222, 333, 1975. [625] M. B. Levin. The distribution of the fractional parts of the exponential function. Izv. Vysˇs. Uˇ cebn. Zaved. Matematika, (11(186)):50–57, 1977. [626] M. B. Levin. Absolutely normal numbers. Vestnik Moskov. Univ. Ser. I Mat. Mekh., (1):31– 37, 87, 1979. [627] M. B. Levin. On the complete uniform distribution of the fractional parts of the exponential function. Trudy Sem. Petrovsk., (7):245–256, 1981. [628] M. B. Levin. Uniform distribution of a matrix exponential function. In Investigations in number theory (Russian), pages 46–62. Saratov. Gos. Univ., Saratov, 1988. [629] M. B. Levin. The choice of parameters in generators of pseudorandom numbers. Dokl. Akad. Nauk SSSR, 307(3):529–534, 1989. [630] M. B. Levin. Simultaneously absolutely normal numbers. Mat. Zametki, 48(6):61–71, 1990. [631] M. B. Levin. On the discrepancy of Markov-normal sequences. J. Th´ eor. Nombres Bordeaux, 8(2):413–428, 1996. [632] M. B. Levin. Discrepancy estimates of completely uniformly distributed and pseudorandom number sequences. Internat. Math. Res. Notices, (22):1231–1251, 1999. [633] M. B. Levin. On the discrepancy estimate of normal numbers. Acta Arith., 88(2):99–111, 1999. [634] M. B. Levin and I. E. Shparlinski. Uniform distribution of fractional parts of recurrent sequences. Uspekhi Mat. Nauk, 34(3(207)):203–204, 1979. [635] M. B. Levin and M. Smorodinsky. A Zd generalization of the Davenport-Erd˝ os construction of normal numbers. Colloq. Math., 84/85(, part 2):431–441, 2000. Dedicated to the memory of Anzelm Iwanik. [636] D. J. Lewis and J. Turk. Repetitiveness in binary recurrences. J. Reine Angew. Math., 356:19–48, 1985.

270

BIBLIOGRAPHY

[637] S. Li. On the number of elements with maximal order in the multiplicative group modulo n. Acta Arith., 86(2):113–132, 1998. [638] S. Li. On extending Artin’s conjecture to composite moduli. Mathematika, 46(2):373–390, 1999. [639] S. Li. Artin’s conjecture on average for composite moduli. J. Number Theory, 84(1):93–118, 2000. [640] S. Li and C. Pomerance. On generalizing artin’s conjecture on primitive roots to composite moduli. Preprint, 2002. [641] W.-C. W. Li, M. N¨ aslund, and I. E. Shparlinski. Hidden number problem with the trace and bit security of XTR and LUC. 2002. [642] A. I. Lichtman. The soluble subgroups and the Tits alternative in linear groups over rings of fractions of polycylic group rings. I. J. Pure Appl. Algebra, 86(3):231–287, 1993. [643] A. I. Lichtman. The soluble subgroups and the Tits alternative in linear groups over rings of fractions of polycyclic group rings. II. J. Group Theory, 2(2):173–189, 1999. [644] R. Lidl and H. Niederreiter. Finite fields. Addison-Wesley Publishing Company Advanced Book Program, Reading, MA, 1983. [645] D. Lieman and I. E. Shparlinski. On a new exponential sum. Canad. Math. Bull., 44(1):87– 92, 2001. [646] D. Lind. Dynamical properties of quasihyperbolic toral automorphisms. Ergodic Theory Dynamical Systems, 2(1):49–68, 1982. [647] D. Lind. Applications of ergodic theory and sofic systems to cellular automata. Phys. D, 10(1-2):36–44, 1984. [648] D. Lind and B. Marcus. An Introduction to Symbolic Dynamics and Coding. Cambridge University Press, Cambridge, 1995. [649] D. Lind and T. Ward. Automorphisms of solenoids and p-adic entropy. Ergodic Theory Dynam. Systems, 8(3):411–419, 1988. [650] U. V. Linnik. On the least prime in an arithmetic progression. I. The basic theorem. Rec. Math. [Mat. Sbornik] N.S., 15(57):139–178, 1944. [651] L. Lipshitz. The diagonal of a D-finite power series is D-finite. J. Algebra, 113(2):373–378, 1988. [652] L. Lipshitz. D-finite power series. J. Algebra, 122(2):353–373, 1989. [653] L. Lipshitz and A. J. van der Poorten. Rational functions, diagonals, automata and arithmetic. In Number theory (Banff, AB, 1988), pages 339–358. de Gruyter, Berlin, 1990. [654] L. Lipshitz and L. A. Rubel. A gap theorem for power series solutions of algebraic differential equations. Amer. J. Math., 108(5):1193–1213, 1986. [655] B. Litow and Ph. Dumas. Additive cellular automata and algebraic series. Theoret. Comput. Sci., 119(2):345–354, 1993. [656] F. Lorenz. Normal bases of units. In Number theory, Vol. II (Budapest, 1987), pages 851– 869. North-Holland, Amsterdam, 1990. [657] J. H. Loxton. Automata and transcendence. In New advances in transcendence theory (Durham, 1986), pages 215–228. Cambridge Univ. Press, Cambridge, 1988. [658] J. H. Loxton and A. J. van der Poorten. Arithmetic properties of certain functions in several variables. III. Bull. Austral. Math. Soc., 16(1):15–47, 1977. [659] J. H. Loxton and A. J. van der Poorten. On the growth of recurrence sequences. Math. Proc. Cambridge Philos. Soc., 81(3):369–376, 1977. [660] J. H. Loxton and A. J. van der Poorten. Arithmetic properties of the solutions of a class of functional equations. J. Reine Angew. Math., 330:159–172, 1982. [661] J. H. Loxton and A. J. van der Poorten. Multiplicative dependence in number fields. Acta Arith., 42(3):291–302, 1983. [662] J. H. Loxton and A. J. van der Poorten. Arithmetic properties of automata: regular sequences. J. Reine Angew. Math., 392:57–69, 1988. [663] A. Lubotzky. Subgroup growth and congruence subgroups. Invent. Math., 119(2):267–295, 1995. [664] A. de Luca and S. Varricchio. Some combinatorial properties of the Thue-Morse sequence and a problem in semigroups. Theoret. Comput. Sci., 63(3):333–348, 1989. [665] F. Luca. Products of factorials in binary recurrence sequences. Rocky Mountain J. Math., 29(4):1387–1411, 1999.

BIBLIOGRAPHY

271

[666] F. Luca. Distinct digits in base b expansions of linear recurrence sequences. Quaest. Math., 23(4):389–404, 2000. [667] F. Luca. Divisibility properties of binary recurrence sequences. Indag. Math., 12(3):353– 367, 2001. [668] F. Luca. Multiply perfect numbers in Lucas sequences with odd parameters. Publ. Math. Debrecen, 58(1-2):121–155, 2001. [669] F. Luca. Arithmetic properties of members of a binary recurrence sequence. Preprint, 2002. [670] F. Luca. On the greatest common divisor of two Cullen numbers. Preprint, 2002. [671] F. Luca. Palindromes in Lucas sequences. Preprint, 2002. [672] F. Luca and P. G. Walsh. Squares in Lehmer sequences and some Diophantine applications. Acta Arith., 100(1):47–62, 2001. [673] L. G. Lucht. Arithmetical aspects of certain functional equations. Acta Arith., 82(3):257– 277, 1997. [674] L. G. Lucht. Arithmetical sequences and systems of functional equations. Aequationes Math., 53(1-2):73–90, 1997. [675] L. G. Lucht. Recurrent and almost-periodic sequences. Arch. Math. (Basel), 68(1):22–26, 1997. [676] L. G. Lucht and C. Methfessel. Recurrent sequences and endomorphisms of Euclidean spaces. Arch. Math. (Basel), 63(1):92–96, 1994. [677] L. G. Lucht and C. Methfessel. Recurrent sequences and affine functional equations. J. Number Theory, 57(1):105–113, 1996. [678] L. G. Lucht and M. Peter. On the characterization of exponential polynomials. Arch. Math. (Basel), 71(3):201–210, 1998. [679] W. F. Lunnon, P. A. B. Pleasants, and N. M. Stephens. Arithmetic properties of Bell numbers to a composite modulus. I. Acta Arith., 35(1):1–16, 1979. [680] F. J. MacWilliams and N. J. A. Sloane. The theory of error-correcting codes. I. NorthHolland Publishing Co., Amsterdam, 1977. [681] F. J. MacWilliams and N. J. A. Sloane. The theory of error-correcting codes. II. NorthHolland Publishing Co., Amsterdam, 1977. [682] K. Mahler. Eine Arithmetische Eigenschaft der Rekurrierenden Reihen. Mathematika, 3:1– 4, 1934. [683] K. Mahler. Eine Arithmetische Eigenschaft der Taylor Koeffizienten Rationaler Funktionen. Proc. Akad. Wet. Amsterdam, 38:51–60, 1935. [684] K. Mahler. On the Taylor coefficients of rational functions. Proc. Cambridge Philos. Soc., 52:39–48, 1956. Addendum 53:544, 1957. [685] K. Mahler. A remark on recursive sequences. J. Math. Sci., 1:12–17, 1966. [686] K. Mahler. An unsolved problem on the powers of 3/2. J. Austral. Math. Soc., 8:313–321, 1968. [687] K. Mahler. Arithmetical properties of the digits of the multiples of an irrational number. Bull. Austral. Math. Soc., 8:191–203, 1973. [688] A. Manning. Axiom a diffeomorphisms have rational zeta functions. Bull. London Math. Soc., 3:215–220, 1971. [689] M. Margenstern and Y. V. Matiyasevich. A binomial representation of the 3x + 1 problem. Acta Arith., 91(4):367–378, 1999. [690] G. Marsaglia. The mathematics of random number generators. In The unreasonable effectiveness of number theory (Orono, ME, 1991), pages 73–90. Amer. Math. Soc., Providence, RI, 1992. [691] G. Martin. The least prime primitive root and the shifted sieve. Acta Arith., 80(3):277–288, 1997. [692] O. Martin, A. M. Odlyzko, and S. Wolfram. Algebraic properties of cellular automata. Comm. Math. Phys., 93(2):219–258, 1984. [693] R. C. Mason. The study of Diophantine equations over function fields. In New advances in transcendence theory (Durham, 1986), pages 229–247. Cambridge Univ. Press, Cambridge, 1988. [694] D. W. Masser. Counting points of small height on elliptic curves. Bull. Soc. Math. France, 117(2):247–265, 1989. [695] D. W. Masser. Mixing and equations over groups in positive characteristic. Preprint, 2002.

272

BIBLIOGRAPHY

[696] J. L. Massey and S. Serconek. Linear complexity of periodic sequences: a general theory. In Advances in cryptology—CRYPTO ’96 (Santa Barbara, CA), pages 358–371. Springer, Berlin, 1996. [697] Y. V. Matiyasevich. Hilbert’s tenth problem. MIT Press, Cambridge, MA, 1993. [698] K. Matsumoto. C ∗ -algebras associated with cellular automata. Math. Scand., 75(2):195– 216, 1994. [699] H. Matsumura. Commutative ring theory. Cambridge University Press, Cambridge, second edition, 1989. [700] K. R. Matthews. Some Borel measures associated with the generalized Collatz mapping. Colloq. Math., 63(2):191–202, 1992. [701] K. R. Matthews. The generalized 3x + 1 problem. Preprint, 1995. [702] R. Matthews. Strong pseudoprimes and generalized Carmichael numbers. In Finite fields: theory, applications, and algorithms (Las Vegas, NV, 1993), pages 227–233. Amer. Math. Soc., Providence, RI, 1994. [703] C. Mauduit and A. S´ ark¨ ozy. On finite pseudorandom binary sequences. II. The Champernowne, Rudin-Shapiro, and Thue-Morse sequences, a further construction. J. Number Theory, 73(2):256–276, 1998. [704] J. E. Maxfield. Normal k-tuples. Pacific J. Math., 3:189–196, 1953. [705] G. L. Mayhew and S. W. Golomb. Linear spans of modified deBruijn sequences. IEEE Trans. Inform. Theory, 36:1166–1167, 1990. [706] J. Mazoyer and I. Rapaport. Additive cellular automata over Zp and the bottom of (CA, ≤). In Mathematical foundations of computer science, 1998 (Brno), pages 834–843. Springer, Berlin, 1998. [707] K. S. McCurley. Odds and ends from cryptology and computational number theory. In Cryptology and computational number theory (Boulder, CO, 1989), pages 145–166. Amer. Math. Soc., Providence, RI, 1990. [708] W. L. McDaniel and P. Ribenboim. Square-classes in Lucas sequences having odd parameters. J. Number Theory, 73(1):14–27, 1998. [709] I. McFarlane and S. G. Hoggar. Combinatorics for faster fractal pictures. In Numbertheoretic and algebraic methods in computer science (Moscow, 1993), pages 95–124. World Sci. Publishing, River Edge, NJ, 1995. [710] M. D. McIlroy. Number theory in computer graphics. In The unreasonable effectiveness of number theory (Orono, ME, 1991), pages 105–121. Amer. Math. Soc., Providence, RI, 1992. [711] W. Meidl and A. Winterhof. Lower bounds on the linear complexity of the discrete logarithm in finite fields. IEEE Trans. Inform. Theory, 47(7):2807–2811, 2001. [712] W. Meidl and A. Winterhof. On the linear complexity profile of explicit nonlinear pseudorandom numbers. Preprint, 2002. [713] W. Meier and O. Staffelbach. The self-shrinking generator. In Advances in cryptology— EUROCRYPT ’94 (Perugia), pages 205–214. Springer, Berlin, 1995. [714] D. Meiri. Entropy and uniform distribution of orbits in Td . Israel J. Math., 105:155–183, 1998. [715] M. Mend` es France. The depth of a rational number. In Topics in number theory (Proc. Colloq., Debrecen, 1974), pages 183–194. Colloq. Math. Soc. J´ anos Bolyai, Vol. 13. NorthHolland, Amsterdam, 1976. [716] M. Mend` es France. The Rudin-Shapiro sequence, Ising chain, and paperfolding. In Analytic number theory (Allerton Park, IL, 1989), pages 367–382. Birkh¨ auser Boston, Boston, MA, 1990. [717] M. Mend` es France. Remarks and problems on finite and periodic continued fractions. Enseign. Math. (2), 39(3-4):249–257, 1993. [718] M. Mend` es France and A. J. van der Poorten. Arithmetic and analytic properties of paper folding sequences. Bull. Austral. Math. Soc., 24(1):123–131, 1981. [719] M. Mend` es France and A. J. van der Poorten. Automata and the arithmetic of formal power series. Acta Arith., 46(3):211–214, 1986. [720] L. Merel. Bornes pour la torsion des courbes elliptiques sur les corps de nombres. Invent. Math., 124(1-3):437–449, 1996. [721] C. Methfessel. Multiplicative and additive recurrent sequences. Arch. Math. (Basel), 63(4):321–328, 1994.

BIBLIOGRAPHY

273

[722] C. Methfessel. Rekurrente Folgen mit lokal gleichm¨ aßig beschr¨ ankter Primteileranzahl. Acta Arith., 70(1):1–7, 1995. [723] F. Mignosi. On a generalization of the 3x + 1 problem. J. Number Theory, 55(1):28–45, 1995. [724] M. Mignotte. A note on linear recursive sequences. J. Austral. Math. Soc., 20(2):242–244, 1975. [725] M. Mignotte. Une extension du th´ eor` eme de Skolem-Mahler. C. R. Acad. Sci. Paris S´ er. A-B, 288(4):A233–A235, 1979. [726] M. Mignotte. Une extension de th´ eor` eme de Skolem-Mahler. In Noncommutative structures in algebra and geometric combinatorics (Naples, 1978), pages 97–100. CNR, Rome, 1981. [727] M. Mignotte. Determination des r´ epetitions d’une certaine suite recurrente lin´ eaire. Publ. Math. Debrecen, 33(3-4):297–306, 1986. [728] M. Mignotte. Propri´ et´ es arithm´ etiques des suites r´ ecurrentes lin´ eaires. In Th´ eorie des nombres, Ann´ ee 1988/89, Fasc. 1, page 30. Univ. Franche-Comt´ e, Besan¸con, 1989. [729] M. Mignotte, T. N. Shorey, and R. Tijdeman. The distance between terms of an algebraic recurrence sequence. J. Reine Angew. Math., 349:63–76, 1984. [730] M. Mignotte and N. Tzanakis. Arithmetical study of recurrence sequences. Acta Arith., 57(4):357–364, 1991. [731] M. Mihaljevi´ c, Y. Zheng, and H. Imai. A fast cryptographic hash function based on linear cellular automata. In Proc. IFIP 14th Intern. Inform. Security Conf., Vienna, 1998. Chapman and Hall, to appear. [732] P. Mih˘ ailescu. Primary cyclotomic units and a proof of Catalan’s conjecture. draft. Preprint, 2002. [733] A. V. Mikhalev and A. A. Nechaev. Linear recurring sequences over modules. Acta Appl. Math., 42(2):161–202, 1996. [734] G. L. Miller. Riemann’s hypothesis and tests for primality. In Seventh Annual ACM Symposium on Theory of Computing (Albuquerque, N.M., 1975), pages 234–239. Assoc. Comput. Mach., New York, 1975. [735] D. A. Mit0 kin. Estimates and asymptotic formulas for rational trigonometric sums that are nearly complete. Mat. Sb. (N.S.), 122(164)(4):527–545, 1983. [736] I. Miyamoto and M. Ram Murty. Elliptic pseudoprimes. Math. Comp., 53(187):415–430, 1989. [737] H. L. Montgomery. Distribution of small powers of a primitive root. In Advances in number theory (Kingston, ON, 1991), pages 137–149. Oxford Univ. Press, New York, 1993. [738] F. Montoya Vitini, J. Mu˜ noz Masqu´ e, and A. Peinado Dom´ınguez. Maximum cycles of quadratic functions in GF(2n ). In XXX National Congress of the Mexican Mathematical Society (Spanish) (Aguascalientes, 1997), pages 125–130. Soc. Mat. Mexicana, M´ exico, 1998. [739] F. Montoya Vitini, J. Mu˜ noz Masqu´ e, and A. Peinado Dom´ınguez. Linear complexity of the x2 mod p orbits. Inform. Process. Lett., 72(1-2):3–7, 1999. [740] F. Morain. Pseudoprimes: a survey of recent results. In Eurocode ’92 (Udine, 1992), pages 207–215. Springer, Vienna, 1993. [741] W. Moran and A. D. Pollington. Metrical results on normality to distinct bases. J. Number Theory, 54(2):180–189, 1995. [742] W. Moran and A. D. Pollington. The discrimination theorem for normality to non-integer bases. Israel J. Math., 100:339–347, 1997. [743] W. More. The LD probable prime test. In Finite fields: theory, applications, and algorithms (Waterloo, ON, 1997), pages 185–191. Amer. Math. Soc., Providence, RI, 1999. [744] P. Moree. On the prime density of Lucas sequences. J. Th´ eor. Nombres Bordeaux, 8(2):449– 459, 1996. [745] P. Moree. On a conjecture of Rodier on primitive roots. Abh. Math. Sem. Univ. Hamburg, 67:165–171, 1997. [746] P. Moree. On the divisors of ak + bk . Acta Arith., 80(3):197–212, 1997. [747] P. Moree. Counting divisors of Lucas numbers. Pacific J. Math., 186(2):267–284, 1998. [748] P. Moree. Improvement of an estimate of H. M¨ uller involving the order of 2 (mod u). Arch. Math. (Basel), 71(3):197–200, 1998. [749] P. Moree. On some sums connected with primitive roots. Preprint of the Max-PlanckInstitute, MPI 98-42, 1998.

274

BIBLIOGRAPHY

[750] P. Moree. On some sums involving primitive roots, 2. Preprint of the Max-Planck-Institute, MPI 98-59, 1998. [751] P. Moree. On primes in arithmetic progression having a prescribed primitive root. J. Number Theory, 78(1):85–98, 1999. [752] P. Moree. Uniform distribution of primes having a prescribed primitive root. Acta Arith., 89(1):9–21, 1999. [753] P. Moree. Asymptotically exact heuristics for (near) primitive roots. J. Number Theory, 83(1):155–181, 2000. [754] P. Moree and P. Stevenhagen. Prime divisors of Lucas sequences. Acta Arith., 82(4):403– 410, 1997. [755] P. Moree and P. Stevenhagen. A two-variable Artin conjecture. J. Number Theory, 85(2):291–304, 2000. [756] P. Moree and P. Stevenhagen. Prime divisors of the Lagarias sequence. J. Th´ eor. Nombres Bordeaux, 13(1):241–251, 2001. 21st Journ´ ees Arithm´ etiques (Rome, 2001). [757] M. D. Morgan. The distribution of second order linear recurrence sequences mod 2m . Acta Arith., 83(2):181–195, 1998. [758] M. Morii and M. Kasahara. Perfect staircase profile of linear complexity for finite sequences. Inform. Process. Lett., 44(2):85–89, 1992. [759] K. Morita. Reversible simulation of one-dimensional irreversible cellular automata. Theoret. Comput. Sci., 148(1):157–163, 1995. [760] G. Morris and T. Ward. Entropy bounds for endomorphisms commuting with K actions. Israel J. Math., 106:1–11, 1998. [761] P. Morton. Connections between binary patterns and paperfolding. S´ em. Th´ eor. Nombres Bordeaux (2), 2(1):1–12, 1990. [762] P. Morton. Arithmetic properties of periodic points of quadratic maps. Acta Arith., 62(4):343–372, 1992. [763] P. Morton. Characterizing cyclic cubic extensions by automorphism polynomials. J. Number Theory, 49(2):183–208, 1994. [764] P. Morton. On certain algebraic curves related to polynomial maps. Compositio Math., 103(3):319–350, 1996. [765] P. Morton. Periods of maps on irreducible polynomials over finite fields. Finite Fields Appl., 3(1):11–24, 1997. [766] P. Morton. Arithmetic properties of periodic points of quadratic maps. II. Acta Arith., 87(2):89–102, 1998. [767] P. Morton and W. J. Mourant. Paper folding, digit patterns and groups of arithmetic fractals. Proc. London Math. Soc. (3), 59(2):253–293, 1989. [768] P. Morton and Pratiksha Patel. The Galois theory of periodic points of polynomial maps. Proc. London Math. Soc. (3), 68(2):225–263, 1994. [769] P. Morton and J. H. Silverman. Rational periodic points of rational functions. Internat. Math. Res. Notices, (2):97–110, 1994. [770] P. Morton and J. H. Silverman. Periodic points, multiplicities, and dynamical units. J. Reine Angew. Math., 461:81–122, 1995. [771] P. Morton and F. Vivaldi. Bifurcations and discriminants for polynomial maps. Nonlinearity, 8(4):571–584, 1995. [772] P. Moss. Periodic points and group endomorphisms. Preprint, 2002. [773] P. Moss. Algebraic realizability problems. PhD thesis, The University of East Anglia, 2004. [774] J. Mu˜ noz Masqu´ e, F. Montoya Vitini, and A. Peinado Dom´ınguez. Iterated quadratic functions in F2n . Int. J. Appl. Math., 5(1):65–83, 2001. [775] J. Mueller. S-unit equations in function fields via the abc-theorem. Bull. London Math. Soc., 32(2):163–170, 2000. [776] G. L. Mullen and I. E. Shparlinski. Values of linear recurring sequences of vectors over finite fields. Acta Arith., 65(3):221–226, 1993. [777] G. L. Mullen and T. P. Vaughan. Cycles of linear permutations over a finite field. Linear Algebra Appl., 108:63–82, 1988. ¨ [778] H. M¨ uller. Uber eine Klasse 2-adischer Funktionen im Zusammenhang mit dem “3x + 1”Problem. Abh. Math. Sem. Univ. Hamburg, 64:293–302, 1994. [779] Helmut M¨ uller. Eine Bemerkung u ¨ber die Ordnungen von 2 (mod u) bei ungeradem u. Arch. Math. (Basel), 69(3):217–220, 1997.

BIBLIOGRAPHY

275

[780] S. M¨ uller. A note on strong Dickson pseudoprimes. Appl. Algebra Engrg. Comm. Comput., 9(3):247–264, 1998. [781] S. M¨ uller. Carmichael numbers and Lucas tests. In Finite fields: theory, applications, and algorithms (Waterloo, ON, 1997), pages 193–202. Amer. Math. Soc., Providence, RI, 1999. [782] S. M¨ uller. On the combined Fermat/Lucas probable prime test. In Cryptography and coding (Cirencester, 1999), pages 222–235. Springer, Berlin, 1999. [783] S. M¨ uller. On the rank of appearance of Lucas sequences. In Applications of Fibonacci numbers, Vol. 8 (Rochester, NY, 1998), pages 259–275. Kluwer Acad. Publ., Dordrecht, 1999. [784] S. M¨ uller. On probable prime testing and the computation of square roots mod n. In Algorithmic number theory (Leiden, 2000), pages 423–437. Springer, Berlin, 2000. [785] S. M¨ uller. On QF-pseudoprimes and second-order recurrence sequences. In Contributions to general algebra, 12 (Vienna, 1999), pages 299–310. Heyn, Klagenfurt, 2000. [786] S. M¨ uller. On the rank of appearance and the number of zeros of the Lucas sequences over Fq . In Finite fields and applications (Augsburg, 1999), pages 390–408. Springer, Berlin, 2001. [787] S. M¨ uller. A probable prime test with very high confidence for n ≡ 1 mod 4. Lect. Notes in Comp. Sci., 2248:87–106, 2001. [788] W. B. M¨ uller and A. Oswald. Generalized Fibonacci pseudoprimes and probable primes. In Applications of Fibonacci numbers, Vol. 5 (St. Andrews, 1992), pages 459–464. Kluwer Acad. Publ., Dordrecht, 1993. [789] L. Murata. On the magnitude of the least primitive root. Ast´ erisque, (198-200):253–257 (1992), 1991. [790] L. Murata. A problem analogous to Artin’s conjecture for primitive roots and its applications. Arch. Math. (Basel), 57(6):555–565, 1991. [791] M. Ram Murty. On Artin’s conjecture. J. Number Theory, 16(2):147–168, 1983. [792] M. Ram Murty. An analogue of Artin’s conjecture for abelian extensions. J. Number Theory, 18(3):241–248, 1984. [793] M. Ram Murty. Finitely generated groups (mod p). Proc. Amer. Math. Soc., 122(1):37–45, 1994. [794] M. Ram Murty. Artin’s conjecture and elliptic analogues. In Sieve methods, exponential sums, and their applications in number theory (Cardiff, 1995), pages 325–344. Cambridge Univ. Press, Cambridge, 1997. [795] M. Ram Murty, V. Kumar Murty, and T. N. Shorey. Odd values of the Ramanujan τ function. Bull. Soc. Math. France, 115(3):391–395, 1987. [796] M. Ram Murty, M. Rosen, and J. H. Silverman. Variations on a theme of Romanoff. Internat. J. Math., 7(3):373–391, 1996. [797] M. Ram Murty and S. Srinivasan. Some remarks on Artin’s conjecture. Canad. Math. Bull., 30(1):80–85, 1987. [798] G. Myerson. A combinatorial problem in finite fields. I. Pacific J. Math., 82(1):179–187, 1979. [799] G. Myerson. A combinatorial problem in finite fields. II. Quart. J. Math. Oxford Ser. (2), 31(122):219–231, 1980. [800] G. Myerson. An arithmetic property of certain rational powers. Preprint, 1997. [801] G. Myerson and A. J. van der Poorten. Some problems concerning recurrence sequences. Amer. Math. Monthly, 102(8):698–705, 1995. [802] I. T. Nabney. Growth functions for groups and recurrence sequences. Proc. London Math. Soc. (3), 63(2):315–343, 1991. [803] T. Nakahara. On a periodic solution of some congruences. Rep. Fac. Sci. Engrg. Saga Univ. Math., (14):1–5, 1986. [804] K. Nakamula and A. Peth˝ o. Squares in binary recurrence sequences. In Number theory (Eger, 1996), pages 409–421. de Gruyter, Berlin, 1998. [805] S. Nandi, B. K. Kar, and P. Pal Chaudhuri. Theory and applications of cellular automata in cryptography. IEEE Trans. Comput., 43(12):1346–1357, 1994. [806] M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. In Proc. 38th IEEE Symp. on Foundations of Comp. Sci., pages 458–467. IEEE, 1997.

276

BIBLIOGRAPHY

[807] W. Narkiewicz. Classical problems in number theory. Pa´ nstwowe Wydawnictwo Naukowe (PWN), Warsaw, 1986. [808] W. Narkiewicz. A note on Artin’s conjecture in algebraic number fields. J. Reine Angew. Math., 381:110–115, 1987. [809] W. Narkiewicz. Units in residue classes. Arch. Math. (Basel), 51(3):238–241, 1988. [810] W. Narkiewicz. Elementary and analytic theory of algebraic numbers. Springer-Verlag, Berlin, second edition, 1990. [811] W. Narkiewicz. Polynomial mappings. Springer-Verlag, Berlin, 1995. [812] W. Narkiewicz and T. Pezda. Finite polynomial orbits in finitely generated domains. Monatsh. Math., 124(4):309–316, 1997. [813] V. I. Neˇ caev. The group of non-singular matrices over a finite field, and recurrent sequences. Dokl. Akad. Nauk SSSR, 152:275–277, 1963. [814] V. I. Neˇ caev. Linear recurrent congruences with periodic coefficients. Mat. Zametki, 3:625– 632, 1968. [815] V. I. Neˇ caev. Recurrent sequences. Algebra and number theory, Moskov. Gos. Ped. Inst. Uˇ cen. Zap., (375):103–123, 1971. [816] V. I. Neˇ caev. Trigonometric sums for recurrent sequences of elements of a finite field. Mat. Zametki, 11:597–607, 1972. [817] V. I. Neˇ caev and L. L. Stepanova. The distirbution of nonresidues and primitive roots in recurrence sequences over a field of algebraic numbers. Uspehi Mat. Nauk, 20(3 (123)):197– 203, 1965. [818] A. A. Nechaev. Linear recurrent sequences over commutative rings. Diskret. Mat., 3(4):105– 127, 1991. [819] A. A. Nechaev. Cycle types of linear maps over finite commutative rings. Mat. Sb., 184(3):21–56, 1993. [820] A. A. Nechaev. Linear codes and polylinear recurrences over finite rings and quasiFrobenius modules. Dokl. Akad. Nauk, 345(4):451–454, 1995. [821] Yu. V. Nesterenko. Estimates for the number of zeros of functions of certain classes. Acta Arith., 53(1):29–46, 1989. [822] Yu. V. Nesterenko and T. N. Shorey. On an equation of Goormaghtigh. Acta Arith., 83(4):381–389, 1998. [823] S.-H. Ng and E. J. Taft. Quantum convolution of linearly recursive sequences. J. Algebra, 198(1):101–119, 1997. [824] P. Q. Nguyen and I. E. Shparlinski. The insecurity of the Digital Signature Algorithm with partially known nonces. J. Cryptology, to appear. [825] P. Q. Nguyen and I. E. Shparlinski. The insecurity of the elliptic curve Digital Signature Algorithm with partially known nonces. Design, Codes and Cryptography, to appear. [826] H. Niederreiter. Quasi-Monte Carlo methods and pseudo-random numbers. Bull. Amer. Math. Soc., 84(6):957–1041, 1978. [827] H. Niederreiter. Distribution properties of feedback shift register sequences. Problems Control Inform. Theory/Problemy Upravlen. Teor. Inform., 15(1):19–34, 1986. [828] H. Niederreiter. On a problem of Kodama concerning the Hasse-Witt matrix and the distribution of residues. Proc. Japan Acad. Ser. A Math. Sci., 63(9):367–369, 1987. [829] H. Niederreiter. Rational functions with partial quotients of small degree in their continued fraction expansion. Monatsh. Math., 103(4):269–288, 1987. [830] H. Niederreiter. Sequences with almost perfect linear complexity profile. Lect. Notes in Comp. Sci., 304:37–51, 1988. [831] H. Niederreiter. The serial test for digital k-step pseudorandom numbers. Math. J. Okayama Univ., 30:93–119, 1988. [832] H. Niederreiter. Some new cryptosystems based on feedback shift register sequences. Math. J. Okayama Univ., 30:121–149, 1988. [833] H. Niederreiter. A combinatorial approach to probabilistic results on the linear-complexity profile of random sequences. J. Cryptology, 2(2):105–112, 1990. [834] H. Niederreiter. Keystream sequences with a good linear complexity profile for every starting point. In Advances in cryptology—EUROCRYPT ’89 (Houthalen, 1989), pages 523– 532. Springer, Berlin, 1990.

BIBLIOGRAPHY

277

[835] H. Niederreiter. The linear complexity profile and the jump complexity of keystream sequences. In Advances in cryptology—EUROCRYPT ’90 (Aarhus, 1990), pages 174–188. Springer, Berlin, 1991. [836] H. Niederreiter. Recent trends in random number and random vector generation. Ann. Oper. Res., 31(1-4):323–345, 1991. [837] H. Niederreiter. Random number generation and quasi-Monte Carlo methods. Society for Industrial and Applied Mathematics (SIAM), Philadelphia, PA, 1992. [838] H. Niederreiter. Finite fields and cryptology. In Finite fields, coding theory, and advances in communications and computing (Las Vegas, NV, 1991), pages 359–373. Dekker, New York, 1993. [839] H. Niederreiter. New developments in uniform pseudorandom number and vector generation. In Monte Carlo and quasi-Monte Carlo methods in scientific computing (Las Vegas, NV, 1994), pages 87–120. Springer, New York, 1995. [840] H. Niederreiter. Pseudorandom vector generation by the multiple-recursive matrix method. Math. Comp., 64(209):279–294, 1995. [841] H. Niederreiter. Some computable complexity measures for binary sequences. In Sequences and their applications (Singapore, 1998), pages 67–78. Springer, London, 1999. [842] H. Niederreiter and H. Paschinger. Counting functions and expected values in the stability theory of stream ciphers. In Sequences and their applications (Singapore, 1998), pages 318–329. Springer, London, 1999. [843] H. Niederreiter and I. E. Shparlinski. On the distribution of inversive congruential pseudorandom numbers modulo a prime power. Preprint, 1998. [844] H. Niederreiter and I. E. Shparlinski. On the distribution and lattice structure of nonlinear congruential pseudorandom numbers. Finite Fields Appl., 5(3):246–253, 1999. [845] H. Niederreiter and I. E. Shparlinski. Exponential sums and the distribution of inversive congruential pseudorandom numbers with prime-power modulus. Acta Arith., 92(1):89–98, 2000. [846] H. Niederreiter and I. E. Shparlinski. On the distribution of pseudorandom numbers and vectors generated by inversive methods. Appl. Algebra Engrg. Comm. Comput., 10(3):189– 202, 2000. [847] H. Niederreiter and I. E. Shparlinski. On the distribution of inversive congruential pseudorandom numbers in parts of the period. Math. Comp., 70(236):1569–1574 (electronic), 2001. [848] H. Niederreiter and I. E. Shparlinski. Recent advances in the theory of nonlinear pseudorandom number generators. In Proc. Conf. on Monte Carlo and Quasi-Monte Carlo Methods, 2000, pages 86–102. Springer, Berlin, 2002. [849] H. Niederreiter and I. E. Shparlinski. On the average distribution of inversive pseudorandom numbers. Finite Fields and Their Appl., to appear. [850] H. Niederreiter and M. Vielhaber. Tree complexity and a doubly exponential gap between structured and random sequences. J. Complexity, 12(3):187–198, 1996. [851] H. Niederreiter and M. Vielhaber. Linear complexity profiles: Hausdorff dimensions for almost perfect profiles and measures for general profiles. J. Complexity, 13(3):353–383, 1997. [852] H. Niederreiter and M. Vielhaber. Simultaneous shifted continued fraction expansions in quadratic time. Appl. Algebra Engrg. Comm. Comput., 9(2):125–138, 1998. [853] H. Niederreiter and M. Vielhaber. An algorithm for shifted continued fraction expansions in parallel linear time. Theoret. Comput. Sci., 226(1-2):93–104, 1999. [854] H. Niederreiter and A. Winterhof. Incomplete exponential sums over finite fields and their applications to new inversive pseudorandom number generators. Acta Arith., 93(4):387– 399, 2000. [855] H. Niederreiter and A. Winterhof. On a new class of inversive pseudorandom numbers for parallelized simulation methods. Period. Math. Hungar., 42(1-2):77–87, 2001. [856] H. Niederreiter and A. Winterhof. On the distribution of compound inversive congruential pseudorandom numbers. Monatsh. Math., 132(1):35–48, 2001. [857] H. Niederreiter and A. Winterhof. On the lattice structure of pseudorandom numbers generated over arbitrary finite fields. Appl. Algebra Engrg. Comm. Comput., 12(3):265– 272, 2001. [858] G. Niklasch. Counting exceptional units. Collect. Math., 48(1-2):195–207, 1997.

278

BIBLIOGRAPHY

[859] G. Niklasch and R. Quˆ eme. An improvement of Lenstra’s criterion for Euclidean number fields: the totally real case. Acta Arith., 58(2):157–168, 1991. [860] K. Nishioka. Mahler functions and transcendence. Springer-Verlag, Berlin, 1996. [861] K. Nishioka. Algebraic independence of reciprocal sums of binary recurrences. Monatsh. Math., 123(2):135–148, 1997. [862] J.-S. No, H. Chung, H.-Y. Song, K. Yang, J.-D. Lee, and T. Helleseth. New construction for binary sequences of period pm − 1 with optimal autocorrelation using (z + 1)d + az d + b. IEEE Trans. Inform. Theory, 47(4):1638–1644, 2001. [863] J.-S. No, H. Chung, and M.-S. Yun. Binary pseudorandom sequences of period 2m − 1 with ideal autocorrelation generated by the polynomial z d + (z + 1)d . IEEE Trans. Inform. Theory, 44(3):1278–1282, 1998. [864] J.-S. No, S. W. Golomb, G. Gong, H.-K. Lee, and P. Gaal. Binary pseudorandom sequences of period 2n − 1 with ideal autocorrelation. IEEE Trans. Inform. Theory, 44(2):814–817, 1998. [865] J.-S. No, K. Yang, H. Chung, and H.-Y. Song. New construction for families of binary sequences with optimal correlation properties. IEEE Trans. Inform. Theory, 43(5):1596– 1602, 1997. [866] D. G. Northcott. Periodic points on an algebraic variety. Ann. of Math. (2), 51:167–177, 1950. [867] G. H. Norton. On the minimal realizations of a finite sequence. J. Symbolic Comput., 20(1):93–115, 1995. [868] G. H. Norton. On minimal realization over a finite chain ring. Des. Codes Cryptogr., 16(2):161–178, 1999. [869] G. H. Norton. On shortest linear recurrences. J. Symbolic Comput., 27(3):325–349, 1999. [870] W.-G. Nowak and R. F. Tichy. An improved estimate on the distribution mod 1 of powers of real matrices. Compositio Math., 49(2):283–289, 1983. [871] R. W. K. Odoni. The Galois theory of iterates and composites of polynomials. Proc. London Math. Soc. (3), 51(3):385–414, 1985. [872] R. W. K. Odoni. On the prime divisors of the sequence wn+1 = 1 + w1 · · · wn . J. London Math. Soc. (2), 32(1):1–11, 1985. [873] R. W. K. Odoni. On the Galois groups of iterated generic additive polynomials. Math. Proc. Cambridge Philos. Soc., 121(1):1–6, 1997. [874] T. Oliveira e Silva. Maximum excursion and stopping time record-holders for the 3x + 1 problem: computational results. Math. Comp., 68(225):371–384, 1999. [875] F. Pappalardi. On Hooley’s theorem with weights. Rend. Sem. Mat. Univ. Politec. Torino, 53(4):375–388, 1995. [876] F. Pappalardi. On minimal sets of generators for primitive roots. Canad. Math. Bull., 38(4):465–468, 1995. [877] F. Pappalardi. On the order of finitely generated subgroups of Q∗ (mod p) and divisors of p − 1. J. Number Theory, 57(2):207–222, 1996. [878] F. Pappalardi and I. E. Shparlinski. On Artin’s conjecture over function fields. Finite Fields Appl., 1(4):399–404, 1995. [879] W. Parry. An analogue of the prime number theorem for closed orbits of shifts of finite type and their suspensions. Israel J. Math., 45(1):41–52, 1983. [880] W. Parry and M. Pollicott. An analogue of the prime number theorem for closed orbits of Axiom A flows. Ann. of Math. (2), 118(3):573–591, 1983. [881] W. Parry and M. Pollicott. Zeta functions and the periodic orbit structure of hyperbolic dynamics. Ast´ erisque, (187-188):268, 1990. [882] K. G. Paterson. Root counting, the DFT and the linear complexity of nonlinear filtering. Des. Codes Cryptogr., 14(3):247–259, 1998. [883] K. G. Paterson and P. J. G. Lothian. Bounds on partial correlations of sequences. IEEE Trans. Inform. Theory, 44(3):1164–1175, 1998. [884] A. Peinado Dom´ınguez, F. Montoya Vitini, J. Mu˜ noz Masqu´ e, and A. J. Yuste. Maximal periods of x2 + c in Fq . Lect. Notes in Comp. Sci., 2227:219–228, 2001. [885] A. Perelli and U. Zannier. Arithmetic properties of certain recurrence sequences. J. Austral. Math. Soc. Ser. A, 37(1):4–16, 1984. [886] A. Peth˝ o. Perfect powers in second order linear recurrences. J. Number Theory, 15(1):5–13, 1982.

BIBLIOGRAPHY

279

[887] A. Peth˝ o. Divisibility properties of linear recursive sequences. In Number theory, Vol. II (Budapest, 1987), pages 899–916. North-Holland, Amsterdam, 1990. [888] A. Peth¨ o. Diophantine properties of linear recursive sequences. I. In Applications of Fibonacci numbers, Vol. 7 (Graz, 1996), pages 295–309. Kluwer Acad. Publ., Dordrecht, 1998. [889] A. Peth˝ o and R. F. Tichy. S-unit equations, linear recurrences and digit expansions. Publ. Math. Debrecen, 42(1-2):145–154, 1993. [890] A. Peth˝ o and H. G. Zimmer. Lineare rekurrente Folgen auf elliptischen Kurven. S´ em. Th´ eor. Nombres Bordeaux (2), 2(1):217–227, 1990. [891] T. Pezda. Cycles of polynomial mappings in several variables. Manuscripta Math., 83(34):279–289, 1994. [892] T. Pezda. Polynomial cycles in certain local domains. Acta Arith., 66(1):11–22, 1994. [893] T. Pezda. Cycles of polynomials in algebraically closed fields of positive chracteristic. II. Colloq. Math., 71(1):23–30, 1996. [894] T. Pezda. Cycles of rational mappings in algebraically closed fields of positive characteristics. Ann. Math. Sil., (12):15–21, 1998. Number theory (Cieszyn, 1998). [895] B. M. Phong. On generalized Lehmer sequences. Acta Math. Hungar., 57(3-4):201–211, 1991. Q m [896] T. A. Pierce. Numerical factors of the arithmetic forms n i=1 (1 ± αi ). Ann. of Math., 18:53–64, 1917. [897] R. G. E. Pinch. Recurrent sequences modulo prime powers. In Cryptography and coding, III (Cirencester, 1991), pages 297–310. Oxford Univ. Press, New York, 1993. ´ Pint´ [898] A. er. Exponential Diophantine equations over function fields. Publ. Math. Debrecen, 41(1-2):89–98, 1992. [899] P. Piret. An upper bound on the weight distribution of some systematic codes. IEEE Trans. Inform. Theory, 31(4):520–521, 1985. [900] I. M. Pjatetski-Shapiro. On the distribution of franction parts of exponential functions. Proc. Moscow State Pedagogical Inst., 108:317–322, 1957. [901] V. Pless, P. Sol´ e, and Z. Qian. Cyclic self-dual Z4 -codes. Finite Fields Appl., 3(1):48–69, 1997. With an appendix by P. Moree. [902] M. Poe. On distribution of solutions of S-unit equations. J. Number Theory, 62(2):221–241, 1997. [903] A. M. Polosuev. The structure of the solutions of linear recurrent congruences with coefficients that are periodic modulo a prime. Vestnik Moskov. Univ. Ser. I Mat. Meh., 27(1):57–61, 1972. [904] G. P´ olya. Arithmetische eigenschaften der reihenentwicklungen rationaler funktionen. J. Reine Angew. Math., 151:1–31, 1920. [905] G. P´ olya and G. Szeg˝ o. Problems and theorems in analysis. I. Springer-Verlag, Berlin, german edition, 1978. [906] C. Pomerance, J. M. Robson, and J. Shallit. Automaticity. II. Descriptional complexity in the unary case. Theoret. Comput. Sci., 180(1-2):181–201, 1997. [907] A. J. van der Poorten. Generalizing Tur´ an’s main theorems on lower bounds for sums of powers. Acta Math. Acad. Sci. Hungar., 24:93–96, 1973. [908] A. J. van der Poorten. Hermite interpolation and p-adic exponential polynomials. J. Austral. Math. Soc. Ser. A, 22(1):12–26, 1976. [909] A. J. van der Poorten. On the distribution of zeros of exponential polynomials. Math. Slovaca, 26(4):299–307, 1976. [910] A. J. van der Poorten. Zeros of p-adic exponential polynomials. Nederl. Akad. Wetensch. Proc. Ser. A 79=Indag. Math., 38(1):46–49, 1976. [911] A. J. van der Poorten. Effectively computable bounds for the solutions of certain Diophantine equations. Acta Arith., 33(3):195–207, 1977. [912] A. J. van der Poorten. Linear forms in logarithms in the p-adic case. In Transcendence theory: advances and applications (Proc. Conf., Univ. Cambridge, Cambridge, 1976), pages 29–57. Academic Press, London, 1977. [913] A. J. van der Poorten. On the number of zeros of functions. Enseignement Math. (2), 23(1-2):19–38, 1977. [914] A. J. van der Poorten. Identification of rational functions: lost and regained. C. R. Math. Rep. Acad. Sci. Canada, 4(5):309–314, 1982.

280

BIBLIOGRAPHY

[915] A. J. van der Poorten. Hadamard operations on rational functions. In Study group on ultrametric analysis, 10th year: 1982/83, No. 1, pages Exp. No. 4, 11. Inst. Henri Poincar´ e, Paris, 1984. [916] A. J. van der Poorten. p-adic methods in the study of Taylor coefficients of rational functions. Bull. Austral. Math. Soc., 29(1):109–117, 1984. [917] A. J. van der Poorten. Some problems of recurrent interest. In Topics in classical number theory, Vol. I, II (Budapest, 1981), pages 1265–1294. North-Holland, Amsterdam, 1984. [918] A. J. van der Poorten. Remarks on automata, functional equations and transcendence. Semin. de Theorie des Nombres de Bordeaux, 27:1–11, 1988. [919] A. J. van der Poorten. Solution de la conjecture de Pisot sur le quotient de Hadamard de deux fractions rationnelles. C. R. Acad. Sci. Paris S´ er. I Math., 306(3):97–102, 1988. [920] A. J. van der Poorten. Some facts that should be better known, especially about rational functions. In Number theory and applications (Banff, AB, 1988), pages 497–528. Kluwer Acad. Publ., Dordrecht, 1989. [921] A. J. van der Poorten. Notes on continued fractions and recurrence sequences. In Number theory and cryptography (Sydney, 1989), pages 86–97. Cambridge Univ. Press, Cambridge, 1990. [922] A. J. van der Poorten. Recurrence sequences, continued fractions, and the Hadamard Quotient Theorem. Macquarie Math. Report 92–109, Macquarie Univ., 1992. [923] A. J. van der Poorten. Continued fractions of formal power series. In Advances in number theory (Kingston, ON, 1991), pages 453–466. Oxford Univ. Press, New York, 1993. [924] A. J. van der Poorten. Power series representing algebraic functions. In S´ eminaire de Th´ eorie des Nombres, Paris, 1990–91, pages 241–262. Birkh¨ auser Boston, Boston, MA, 1993. [925] A. J. van der Poorten. Explicit formulas for units in certain quadratic number fields. In Algorithmic number theory (Ithaca, NY, 1994), pages 194–208. Springer, Berlin, 1994. [926] A. J. van der Poorten. Factorisation in fractional powers. Acta Arith., 70(3):287–293, 1995. [927] A. J. van der Poorten. A note on Hadamard roots of rational functions. Rocky Mountain J. Math., 26(3):1183–1197, 1996. [928] A. J. van der Poorten. Notes on Fermat’s last theorem. John Wiley & Sons Inc., New York, 1996. [929] A. J. van der Poorten and R. S. Rumely. Zeros of p-adic exponential polynomials. II. J. London Math. Soc. (2), 36(1):1–15, 1987. [930] A. J. van der Poorten and H. P. Schlickewei. A Diophantine problem in harmonic analysis. Math. Proc. Cambridge Philos. Soc., 108(3):417–420, 1990. [931] A. J. van der Poorten and H. P. Schlickewei. Additive relations in fields. J. Austral. Math. Soc. Ser. A, 51(1):154–170, 1991. [932] A. J. van der Poorten and H. P. Schlickewei. Zeros of recurrence sequences. Bull. Austral. Math. Soc., 44(2):215–223, 1991. [933] A. J. van der Poorten and J. Shallit. Folded continued fractions. J. Number Theory, 40(2):237–250, 1992. [934] A. J. van der Poorten and I. E. Shparlinski. On the number of zeros of exponential polynomials and related questions. Bull. Austral. Math. Soc., 46(3):401–412, 1992. [935] A. J. van der Poorten and I. E. Shparlinski. On sequences of polynomials defined by certain recurrence relations. Acta Sci. Math. (Szeged), 61(1-4):77–103, 1995. [936] A. J. van der Poorten and I. E. Shparlinski. On linear recurrence sequences with polynomial coefficients. Glasgow Math. J., 38(2):147–155, 1996. [937] A. J. van der Poorten and R. Tijdeman. On common zeros of exponential polynomials. Enseignement Math. (2), 21(1):57–67, 1975. [938] A. G. Postnikov. A solution of a set of simultaneous difference equations corresponding to the Dirichlet problem by means of a normal sequence of digits. Dokl. Akad. Nauk SSSR, 123:407–409, 1958. [939] A. G. Postnikov. Arithmetic modeling of random processes. Trudy Mat. Inst. Steklov., 57:84, 1960. [940] A. G. Postnikov. Ergodic problems in the theory of congruences and of Diophantine approximations. American Mathematical Society, Providence, R.I., 1967. [941] C. Powell. Bounds for multiplicative cosets over fields of prime order. Math. Comp., 66(218):807–822, 1997.

BIBLIOGRAPHY

281

[942] K. Prachar. Primzahlverteilung. Springer-Verlag, Berlin, 1978. [943] C. E. Praeger. Primitive prime divisor elements in finite classical groups. In Groups St. Andrews 1997 in Bath, II, pages 605–623. Cambridge Univ. Press, Cambridge, 1999. [944] V. R. Pratt. Every prime has a succinct certificate. SIAM J. Comput., 4(3):214–220, 1975. [945] Y. Puri. Arithmetic Properties of Periodic Orbits. PhD thesis, The University of East Anglia, 2000. [946] Y. Puri and T. Ward. Arithmetic and growth of periodic orbits. J. Integer Seq., 4(2):Article 01.2.1, 18 pp. (electronic), 2001. [947] Y. Puri and T. Ward. A dynamical property unique to the Lucas sequence. Fibonacci Quart., 39(5):398–402, 2001. [948] L. N. Pushkin. A metric variant of the Cassels-Schmidt theorem. Mat. Zametki, 46(1):60– 66, 124, 1989. [949] L. N. Pushkin. Vectors that are Borel normal on a manifold in Rn . Teor. Veroyatnost. i Primenen., 36(2):372–376, 1991. [950] M. van der Put. Reduction modulo p of differential equations. Indag. Math. (N.S.), 7(3):367–387, 1996. [951] M. O. Rabin. Computationally hard algebraic problems (extended abstract). In 37th Annual Symposium on Foundations of Computer Science (Burlington, VT, 1996), pages 284–289. IEEE Comput. Soc. Press, Los Alamitos, CA, 1996. [952] C. Radoux. Nombres de Bell, modulo p premier, et extensions de degr´ e p de Fp . C. R. Acad. Sci. Paris S´ er. A-B, 281(21):Ai, A879–A882, 1975. [953] U. Rausch. Geometrische Reihen in algebraischen Zahlk¨ orpern. Acta Arith., 47(4):313–345, 1986. [954] U. Rausch. A summation formula in algebraic number fields and applications. I. J. Number Theory, 36(1):46–79, 1990. [955] L. R´ edei. Lacunary polynomials over finite fields. North-Holland Publishing Co., Amsterdam, 1973. [956] B. Reznick. Some binary partition functions. In Analytic number theory (Allerton Park, IL, 1989), pages 451–477. Birkh¨ auser Boston, Boston, MA, 1990. [957] P. Ribenboim. On the factorization of X n − BX − A. Enseign. Math. (2), 37(3-4):191–200, 1991. [958] P. Ribenboim. Catalan’s conjecture. Academic Press Inc., Boston, MA, 1994. [959] P. Ribenboim. The Fibonacci numbers and the Arctic Ocean. In Proceedings of the 2nd Gauss Symposium. Conference A: Mathematics and Theoretical Physics (Munich, 1993), pages 41–83, Berlin, 1995. de Gruyter. [960] P. Ribenboim. An algorithm to determine the points with integral coordinates in certain elliptic curves. J. Number Theory, 74(1):19–38, 1999. [961] P. Ribenboim. Binary recurring sequences and powers. I. In Number theory in progress, Vol. 1 (Zakopane-Ko´scielisko, 1997), pages 419–430. de Gruyter, Berlin, 1999. [962] P. Ribenboim. Binary recurring sequences and powers. II. Publ. Math. Debrecen, 54(34):349–375, 1999. [963] P. Ribenboim and W. L. McDaniel. The square terms in Lucas sequences. J. Number Theory, 58(1):104–123, 1996. [964] P. Ribenboim and W. L. McDaniel. On Lucas sequence terms of the form kx2 . In Number theory (Turku, 1999), pages 293–303. de Gruyter, Berlin, 2001. [965] P. Ribenboim and P. G. Walsh. The ABC conjecture and the powerful part of terms in binary recurring sequences. J. Number Theory, 74(1):134–147, 1999. [966] K. A. Ribet. On modular representations of Gal(Q/Q) arising from modular forms. Invent. Math., 100(2):431–476, 1990. [967] H. J. J. te Riele. Iteration of number-theoretic functions. Nieuw Arch. Wisk. (4), 1(3):345– 360, 1983. [968] H. Riesel. Prime numbers and computer methods for factorization. Birkh¨ auser Boston Inc., Boston, MA, second edition, 1994. Pn αi z . Trans. Amer. Math. Soc., [969] J. F. Ritt. A factorisation theory for functions i=1 ai e 29:584–596, 1927. [970] J. F. Ritt. Algebraic combinations of exponentials. Trans. Amer. Math. Soc., 31:654–679, 1929.

282

BIBLIOGRAPHY

[971] J. F. Ritt. On the zeros of exponential polynomials. Trans. Amer. Math. Soc., 31:680–686, 1929. [972] P. Robba. Z´ eros de suites r´ ecurrentes lin´ eaires. In Groupe d’Etude d’Analyse Ultram´ etrique, 5e ann´ ee (1977/78), pages Exp. No. 13, 5. Secr´ etariat Math., Paris, 1978. [973] R. M. Robinson. Periodicity of Somos sequences. Proc. Amer. Math. Soc., 116(3):613–619, 1992. [974] R. M. Robinson. Numbers having m small mth roots mod p. Math. Comp., 61(203):393– 413, 1993. [975] H. Roskam. A quadratic analogue of Artin’s conjecture on primitive roots. J. Number Theory, 81(1):93–109, 2000. [976] H. Roskam. Prime divisors of linear recurrences and Artin’s primitive root conjecture for number fields. J. Th´ eor. Nombres Bordeaux, 13(1):303–314, 2001. 21st Journ´ ees Arithm´ etiques (Rome, 2001). [977] A. Rotkiewicz. On strong Lehmer pseudoprimes in the case of negative discriminant in arithmetic progressions. Acta Arith., 68(2):145–151, 1994. [978] Z. Rudnick and A. Zaharescu. The distribution of spacings between small powers of a primitive root. Israel J. Math., 120(, part A):271–287, 2000. [979] R. A. Rueppel. Analysis and design of stream ciphers. Springer-Verlag, Berlin, 1986. [980] R. A. Rueppel and O. J. Staffelbach. Products of linear recurring sequences with maximum complexity. IEEE Trans. Inform. Theory, 33:124–131, 1987. [981] R. S. Rumely. Notes on van der Poorten’s proof of the Hadamard quotient theorem. I, II. In S´ eminaire de Th´ eorie des Nombres, Paris 1986–87, pages 349–382, 383–409. Birkh¨ auser Boston, Boston, MA, 1988. [982] R. S. Rumely and A. J. van der Poorten. A note on the Hadamard kth root of a rational function. J. Austral. Math. Soc. Ser. A, 43(3):314–327, 1987. [983] R. S. Rumely and A. J. van der Poorten. Remarks on generalised power sums. Bull. Austral. Math. Soc., 36(2):311–329, 1987. [984] N. Saradha and T. N. Shorey. The equation (xn − 1)/(x − 1) = y q with x square. Math. Proc. Cambridge Philos. Soc., 125(1):1–19, 1999. [985] D. Sarwate and M. Pursley. Crosscorrelation properties of pseudorandom and related sequences. Proc. IEEE, 68:593–619, 1980. [986] T. Sato. Decidability for some problems of linear cellular automata over finite commutative rings. Inform. Process. Lett., 46(3):151–155, 1993. [987] T. Sato. Group structured linear cellular automata over Zm . J. Comput. System Sci., 49(1):18–23, 1994. [988] T. Sato. Ergodicity of linear cellular automata over Zm . Inform. Process. Lett., 61(3):169– 172, 1997. [989] T. Sato. Ergodic characterization of linear cellular automata over Zm . Theoret. Comput. Sci., 205(1-2):135–144, 1998. [990] T. Sato. Surjective linear cellular automata over Zm . Inform. Process. Lett., 66(2):101–104, 1998. [991] N. P. F. du Sautoy. Finitely generated groups, p-adic analytic groups and Poincar´ e series. Ann. of Math. (2), 137(3):639–670, 1993. [992] N. P. F. du Sautoy. Counting congruence subgroups in arithmetic subgroups. Bull. London Math. Soc., 26(3):255–262, 1994. [993] N. P. F. du Sautoy. Mersenne primes, irrationality and counting subgroups. Bull. London Math. Soc., 29(3):285–294, 1997. [994] J. Schiffer. Discrepancy of normal numbers. Acta Arith., 47(2):175–186, 1986. [995] A. Schinzel. On two theorems of Gelfond and some of their applications. Acta Arith, 13:177– 236, 1967/1968. [996] A. Schinzel. Primitive divisors of the expression An − B n in algebraic number fields. J. Reine Angew. Math., 268/269:27–33, 1974. [997] A. Schinzel. Selected topics on polynomials. University of Michigan Press, Ann Arbor, Mich., 1982. [998] A. Schinzel. Systems of exponential congruences. Demonstratio Math., 18(1):377–394, 1985. [999] A. Schinzel. An extension of the theorem on primitive divisors in algebraic number fields. Math. Comp., 61(203):441–444, 1993.

BIBLIOGRAPHY

283

[1000] A. Schinzel. Exponential congruences. In Number theory and its applications (Kyoto, 1997), pages 303–308. Kluwer Acad. Publ., Dordrecht, 1999. [1001] H. P. Schlickewei. The number of subspaces occurring in the p-adic subspace theorem in Diophantine approximation. J. Reine Angew. Math., 406:44–108, 1990. [1002] H. P. Schlickewei. The quantitative subspace theorem for number fields. Compositio Math., 82(3):245–273, 1992. [1003] H. P. Schlickewei. Multiplicities of algebraic linear recurrences. Acta Math., 170(2):151–180, 1993. [1004] H. P. Schlickewei. Equations in roots of unity. Acta Arith., 76(2):99–108, 1996. [1005] H. P. Schlickewei. Multiplicities of recurrence sequences. Acta Math., 176(2):171–243, 1996. [1006] H. P. Schlickewei. Lower bounds for heights on finitely generated groups. Monatsh. Math., 123(2):171–178, 1997. [1007] H. P. Schlickewei. The multiplicity of binary recurrences. Invent. Math., 129(1):11–36, 1997. [1008] H. P. Schlickewei. The subspace theorem and applications. In Proceedings of the International Congress of Mathematicians, Vol. II (Berlin, 1998), number Extra Vol. II, pages 197–205 (electronic), 1998. [1009] H. P. Schlickewei and W. M. Schmidt. Equations auln = bukm satisfied by members of recurrence sequences. Proc. Amer. Math. Soc., 118(4):1043–1051, 1993. [1010] H. P. Schlickewei and W. M. Schmidt. Linear equations in members of recurrence sequences. Ann. Scuola Norm. Sup. Pisa Cl. Sci. (4), 20(2):219–246, 1993. [1011] H. P. Schlickewei and W. M. Schmidt. On polynomial-exponential equations. Math. Ann., 296(2):339–361, 1993. [1012] H. P. Schlickewei and W. M. Schmidt. The intersection of recurrence sequences. Acta Arith., 72(1):1–44, 1995. [1013] H. P. Schlickewei and W. M. Schmidt. The number of solutions of polynomial-exponential equations. Compositio Math., 120(2):193–225, 2000. [1014] H. P. Schlickewei, W. M. Schmidt, and M. Waldschmidt. Zeros of linear recurrence sequences. Manuscripta Math., 98(2):225–241, 1999. [1015] H. P. Schlickewei, I. E. Shparlinski, and S. A. Stepanov. On the distribution of normal bases of number fields. Preprint, 1994. [1016] H. P. Schlickewei and S. A. Stepanov. Algorithms to construct normal bases of cyclic number fields. J. Number Theory, 44(1):30–40, 1993. [1017] H. P. Schlickewei and C. Viola. Polynomials that divide many trinomials. Acta Arith., 78(3):267–273, 1997. [1018] H. P. Schlickewei and C. Viola. Polynomials that divide many k-nomials. In Number theory in progress, Vol. 1 (Zakopane-Ko´scielisko, 1997), pages 445–450. de Gruyter, Berlin, 1999. [1019] H. P. Schlickewei and C. Viola. Generalized Vandermonde determinants. Acta Arith., 95(2):123–137, 2000. [1020] J. Schmeling. Symbolic dynamics for β-shifts and self-normal numbers. Ergodic Theory Dynam. Systems, 17(3):675–694, 1997. [1021] K. Schmidt. On periodic expansions of Pisot numbers and Salem numbers. Bull. London Math. Soc., 12(4):269–278, 1980. [1022] K. Schmidt. Mixing automorphisms of compact groups and a theorem by Kurt Mahler. Pacific J. Math., 137(2):371–385, 1989. [1023] K. Schmidt. Dynamical systems of algebraic origin. Birkh¨ auser Verlag, Basel, 1995. [1024] K. Schmidt and T. Ward. Mixing automorphisms of compact groups and a theorem of Schlickewei. Invent. Math., 111(1):69–76, 1993. [1025] W. M. Schmidt. On normal numbers. Pacific J. Math., 10:661–672, 1960. [1026] W. M. Schmidt. Eisenstein’s theorem on power series expansions of algebraic functions. Acta Arith., 56(2):161–179, 1990. [1027] W. M. Schmidt. The zero multiplicity of linear recurrence sequences. Acta Math., 182(2):243–282, 1999. [1028] W. M. Schmidt. Zeros of linear recurrence sequences. Publ. Math. Debrecen, 56(3-4):609– 630, 2000. Dedicated to Professor K´ alm´ an Gy˝ ory on the occasion of his 60th birthday. [1029] E. Schmutz. The order of a typical matrix with entries in a finite field. Israel J. Math., 91(1-3):349–371, 1995. [1030] F. Schweiger. Ergodic theory of fibred systems and metric number theory. The Clarendon Press Oxford University Press, New York, 1995.

284

BIBLIOGRAPHY

[1031] C. Seo, S. Lee, Y. Sung, K. Han, and S. Kim. A lower bound on the linear span of an FCSR. IEEE Trans. Inform. Theory, 46(2):691–693, 2000. [1032] Gadiel Seroussi and Nader H. Bshouty. Vector sets for exhaustive testing of logic circuits. IEEE Trans. Inform. Theory, 34(3):513–522, 1988. [1033] J. Shallit. Real numbers with bounded partial quotients: a survey. Enseign. Math. (2), 38(1-2):151–187, 1992. [1034] J. Shallit. Numeration systems, linear recurrences, and regular sets. Inform. and Comput., 113(2):331–347, 1994. [1035] J. Shallit. Automaticity. IV. Sequences, sets, and diversity. J. Th´ eor. Nombres Bordeaux, 8(2):347–367, 1996. Erratum: J. Th´ eor. Nombres Bordeaux, 9 (1997), 247. [1036] J. Shallit. Number theory and formal languages. In Emerging applications of number theory (Minneapolis, MN, 1996), pages 547–570. Springer, New York, 1999. [1037] J. Shallit. Automaticity and rationality. J. Autom. Lang. Comb., 5(3):255–268, 2000. Descriptional complexity of automata, grammars and related structures (Magdeburg, 1999). [1038] J. Shallit and Y. Breitbart. Automaticity. I. Properties of a measure of descriptional complexity. J. Comput. System Sci., 53(1):10–25, 1996. [1039] H. N. Shapiro and G. H. Sparer. Composite values of exponential and related sequences. Comm. Pure Appl. Math., 25:569–615, 1972. [1040] H. N. Shapiro and G. H. Sparer. Extension of a theorem of Mason. Comm. Pure Appl. Math., 47(5):711–718, 1994. [1041] H. S. Shapiro. The expansion of mean-periodic functions in series of exponentials. Comm. Pure Appl. Math., 11:1–21, 1958. [1042] A. Shields. On quotients of exponential polynomials. Comm. Pure Appl. Math., 16:27–31, 1963. [1043] I. Shiokawa. Asymptotic distributions of digits in integers. In Number theory, Vol. I (Budapest, 1987), pages 505–525. North-Holland, Amsterdam, 1990. [1044] R. Shipsey. Elliptic Divisibility Sequences. PhD thesis, Goldsmith’s College (University of London), 2000. [1045] R. Shipsey. Elliptic divisibility sequences and elliptic curves. Preprint, 2001. [1046] T. N. Shorey. Applications of linear forms in logarithms to binary recursive sequences. In Seminar on number theory, Paris 1981–82 (Paris, 1981/1982), pages 287–301. Birkh¨ auser Boston, Boston, MA, 1983. [1047] T. N. Shorey. Divisors of convergents of a continued fraction. J. Number Theory, 17(1):127– 133, 1983. [1048] T. N. Shorey. The greatest square free factor of a binary recursive sequence. HardyRamanujan J., 6:23–36, 1983. [1049] T. N. Shorey. Linear forms in members of a binary recursive sequence. Acta Arith., 43(4):317–331, 1984. [1050] T. N. Shorey. Ramanujan and binary recursive sequences. J. Indian Math. Soc. (N.S.), 52:147–157 (1988), 1987. [1051] T. N. Shorey. Some exponential Diophantine equations. II. In Number theory and related topics (Bombay, 1988), pages 217–229. Tata Inst. Fund. Res., Bombay, 1989. [1052] T. N. Shorey. The equation a(xn − 1)/(x − 1) = by q with ab > 1. In Number theory in progress, Vol. 1 (Zakopane-Ko´scielisko, 1997), pages 473–485. de Gruyter, Berlin, 1999. [1053] T. N. Shorey. Exponential Diophantine equations involving products of consecutive integers and related equations. In Number theory, pages 463–495. Birkh¨ auser, Basel, 2000. [1054] T. N. Shorey. Some conjectures in the theory of exponential Diophantine equations. Publ. Math. Debrecen, 56(3-4):631–641, 2000. Dedicated to Professor K´ alm´ an Gy˝ ory on the occasion of his 60th birthday. [1055] T. N. Shorey and S. Srinivasan. Metrical results on square free divisors of convergents of continued fractions. Bull. London Math. Soc., 19(2):135–138, 1987. [1056] T. N. Shorey and C. L. Stewart. On divisors of Fermat, Fibonacci, Lucas and Lehmer numbers. II. J. London Math. Soc. (2), 23(1):17–23, 1981. [1057] T. N. Shorey and C. L. Stewart. On the Diophantine equation ax2t + bxt y + cy 2 = d and pure powers in recurrence sequences. Math. Scand., 52(1):24–36, 1983. [1058] T. N. Shorey and C. L. Stewart. Pure powers in recurrence sequences and some related Diophantine equations. J. Number Theory, 27(3):324–352, 1987.

BIBLIOGRAPHY

285

[1059] T. N. Shorey and R. Tijdeman. Exponential Diophantine equations. Cambridge University Press, Cambridge, 1986. [1060] V. Shoup. Searching for primitive roots in finite fields. Math. Comp., 58(197):369–380, 1992. [1061] I. E. Shparlinski. Bounds for exponential sums with recurrence sequences and their applications. Proc. Voronezh State Pedagogical Inst., 197:74–85, 1978. [1062] I. E. Shparlinski. Distribution of nonresidues and primitive roots in recurrent sequences. Mat. Zametki, 24(5):603–613, 733, 1978. [1063] I. E. Shparlinski. Completely uniform distribution. Zh. Vychisl. Mat. i Mat. Fiz., 19(5):1330–1333, 1359, 1979. [1064] I. E. Shparlinski. Prime divisors of recurrence sequences. Izv. Vyssh. Uchebn. Zaved. Mat., (4):100–103, 1980. [1065] I. E. Shparlinski. On the distribution of the fractional parts of recurrent sequences. Zh. Vychisl. Mat. i Mat. Fiz., 21(6):1588–1591, 1616, 1981. [1066] I. E. Shparlinski. On some properties of linear cyclic codes. Problemy Peredachi Inform., 19:106–110, 1983. [1067] I. E. Shparlinski. A multiplicative pseudo-random number transducer. Zh. Vychisl. Mat. i Mat. Fiz., 24(9):1406–1408, 1984. [1068] I. E. Shparlinski. The number of prime divisors of recurrence sequences. Mat. Zametki, 38(1):29–34, 168, 1985. [1069] I. E. Shparlinski. Weight spectra of certain codes. Problemy Peredachi Informatsii, 22(2):43–48, 1986. [1070] I. E. Shparlinski. The number of different prime divisors of recurrent sequences. Mat. Zametki, 42(4):494–507, 622, 1987. [1071] I. E. Shparlinski. Residue classes modulo a prime in an algebraic number field. Mat. Zametki, 43(4):433–438, 573, 1988. [1072] I. E. Shparlinski. A sequence of pseudorandom numbers. Avtomat. i Telemekh., (7):185– 188, 1988. [1073] I. E. Shparlinski. Arithmetic properties of solutions of norm form equations. Uspekhi Mat. Nauk, 44(3(267)):183–184, 1989. [1074] I. E. Shparlinski. Distribution of values of recurrent sequences. Problemy Peredachi Informatsii, 25(2):46–53, 1989. [1075] I. E. Shparlinski. Some arithmetic properties of recurrence sequences. Mat. Zametki, 47(6):124–131, 1990. [1076] I. E. Shparlinski. Estimates for Gauss sums. Mat. Zametki, 50(1):122–130, 1991. [1077] I. E. Shparlinski. On polynomial congruences. Acta Arith., 58(2):153–156, 1991. [1078] I. E. Shparlinski. On the distribution of values of recurring sequences and the Bell numbers in finite fields. European J. Combin., 12(1):81–87, 1991. [1079] I. E. Shparlinski. On exponential sums with sparse polynomials and rational functions. J. Number Theory, 60(2):233–244, 1996. [1080] I. E. Shparlinski. Finite fields: Theory and computation. Kluwer Academic Publishers, Dordrecht, 1999. [1081] I. E. Shparlinski. Number theoretic methods in cryptography: Complexity lower bounds. Birkh¨ auser Verlag, Basel, 1999. [1082] I. E. Shparlinski. On the Naor-Reingold pseudo-random function from elliptic curves. Appl. Algebra Engrg. Comm. Comput., 11(1):27–34, 2000. [1083] I. E. Shparlinski. On some properties of the shrinking generator. Des. Codes Cryptogr., 23(2):147–155, 2001. [1084] I. E. Shparlinski. On the generalised hidden number problem and bit security of XTR. Lect. Notes in Comp. Sci., 2227:268–277, 2001. [1085] I. E. Shparlinski. On the linear complexity of the power generator. Des. Codes Cryptogr., 23(1):5–10, 2001. [1086] I. E. Shparlinski. On the uniformity of distribution of the Naor-Reingold pseudo-random function. Finite Fields Appl., 7(2):318–326, 2001. [1087] I. E. Shparlinski and J. H. Silverman. On the linear complexity of the Naor-Reingold pseudo-random function from elliptic curves. Des. Codes Cryptogr., 24(3):279–289, 2001. [1088] V. M. Sidel0 nikov. Estimates for the number of appearances of elements on an interval of a recurrent sequence over a finite field. Diskret. Mat., 3(2):87–95, 1991.

286

BIBLIOGRAPHY

[1089] L. Sigler. Fibonacci’s Liber Abaci. Springer-Verlag, New York, 2002. A Translation into Modern English of Leonardo Pisano’s Book of Calculation. [1090] J. H. Silverman. Lower bound for the canonical height on elliptic curves. Duke Math. J., 48(3):633–648, 1981. [1091] J. H. Silverman. The arithmetic of elliptic curves. Springer-Verlag, New York, 1986. [1092] J. H. Silverman. Integer points, Diophantine approximation, and iteration of rational maps. Duke Math. J., 71(3):793–829, 1993. [1093] J. H. Silverman. Advanced topics in the arithmetic of elliptic curves. Springer-Verlag, New York, 1994. [1094] J. H. Silverman. The field of definition for dynamical systems on P1 . Compositio Math., 98(3):269–304, 1995. [1095] J. H. Silverman. The space of rational maps on P1 . Duke Math. J., 94(1):41–77, 1998. [1096] Sirazhdinov, S. Kh., Azlarov, T. A., and Zuparov, T. M. Additivnye zadachi s rastushchim chislom slagaemykh. Izdat. “Fan” Uzbek. SSR, Tashkent, 1975. [1097] T. Skolem. Ein verfahren zur behandlung gewisser exponentialer gleichungen. Comptes rendus du congr´ es des math´ ematiciens scandinaves, Stockholm, 1934, pages 163–188, 1935. [1098] N. J. A. Sloane. An on-line version of the encyclopedia of integer sequences. Electron. J. Combin., 1:Feature 1, approx. 5 pp. (electronic), 1994. [1099] N. J. A. Sloane and S. Plouffe. The encyclopedia of integer sequences. Academic Press Inc., San Diego, CA, 1995. [1100] S. Smale. Differentiable dynamical systems. Bull. Amer. Math. Soc., 73:747–817, 1967. [1101] I. M. Sobol0 . Mnogomernye kvadraturnye formuly i funktsii Khaara. Izdat. “Nauka”, Moscow, 1969. [1102] L. Somer. Linear recurrences having almost all primes as maximal divisors. In Fibonacci numbers and their applications (Patras, 1984), pages 257–272. Reidel, Dordrecht, 1986. [1103] L. Somer. Divisibility of terms in Lucas sequences by their subscripts. In Applications of Fibonacci numbers, Vol. 5 (St. Andrews, 1992), pages 515–525. Kluwer Acad. Publ., Dordrecht, 1993. [1104] L. Somer. Upper bounds for frequencies of elements in second-order recurrences over a finite field. In Applications of Fibonacci numbers, Vol. 5 (St. Andrews, 1992), pages 527–546. Kluwer Acad. Publ., Dordrecht, 1993. [1105] L. Somer. Periodicity properties of kth order linear recurrences whose characteristic polynomial splits completely over a finite field. I. In Finite fields: theory, applications, and algorithms (Las Vegas, NV, 1993), pages 327–339. Amer. Math. Soc., Providence, RI, 1994. [1106] L. Somer. Periodicity properties of kth order linear recurrences whose characteristic polynomial splits completely over a finite field. II. In Finite fields and applications (Glasgow, 1995), pages 333–347. Cambridge Univ. Press, Cambridge, 1996. [1107] V. G. Sprindzhuk. Klassicheskie diofantovy uravneniya ot dvukh neizvestnykh. “Nauka”, Moscow, 1982. [1108] V. G. Sprindˇ zuk. Problema Malera v metricheskoiteorii chisel. Izdat. “Nauka i Tehnika”, Minsk, 1967. [1109] V. G. Sprindˇ zuk. Mahler’s problem in metric number theory. American Mathematical Society, Providence, R.I., 1969. [1110] R. P. Stanley. Differentiably finite power series. European J. Combin., 1(2):175–188, 1980. [1111] S. A. Stepanov and I. E. Shparlinski. On the construction of a primitive normal basis of a finite field. Mat. Sb., 180(8):1067–1072, 1151, 1989. [1112] S. A. Stepanov and I. E. Shparlinski. On normal bases of algebraic number fields. In New trends in probability and statistics, Vol. 2 (Palanga, 1991), pages 369–378. VSP, Utrecht, 1992. [1113] S. A. Stepanov and I. E. Shparlinskiy. On the construction of primitive elements and primitive normal bases in a finite field. In Computational number theory (Debrecen, 1989), pages 1–14. de Gruyter, Berlin, 1991. [1114] P. J. Stephens. An average result for Artin’s conjecture. Mathematika, 16:178–188, 1969. [1115] P. J. Stephens. Prime divisors of second-order linear recurrences. I. J. Number Theory, 8(3):313–332, 1976. II 8(3):333–345, 1976. [1116] C. L. Stewart. On divisors of Fermat, Fibonacci, Lucas, and Lehmer numbers. Proc. London Math. Soc. (3), 35(3):425–447, 1977.

BIBLIOGRAPHY

287

[1117] C. L. Stewart. Primitive divisors of Lucas and Lehmer numbers. In Transcendence theory: advances and applications (Proc. Conf., Univ. Cambridge, Cambridge, 1976), pages 79–92. Academic Press, London, 1977. [1118] C. L. Stewart. On divisors of terms of linear recurrence sequences. J. Reine Angew. Math., 333:12–31, 1982. [1119] C. L. Stewart. On some diophantine equations and related linear recurrence sequences. In Progress in Math., volume 22, pages 317–321. Birkh¨ auser, Boston, 1982. [1120] C. L. Stewart. On divisors of Fermat, Fibonacci, Lucas and Lehmer numbers. III. J. London Math. Soc. (2), 28(2):211–217, 1983. [1121] C. L. Stewart. On the greatest prime factor of terms of a linear recurrence sequence. Rocky Mountain J. Math., 15(2):599–608, 1985. [1122] C. L. Stewart and K. R. Yu. On the abc conjecture. Math. Ann., 291(2):225–230, 1991. [1123] D. R. Stinson. Cryptography: Theory and practice. CRC Press, Boca Raton, FL, 1995. [1124] M. Stoll. Galois groups over Q of some iterated polynomials. Arch. Math. (Basel), 59(3):239–244, 1992. [1125] M. Stoll. Bounds for the length of recurrence relations for convolutions of P -recursive sequences. European J. Combin., 18(6):707–712, 1997. [1126] R. G. Stoneham. A general arithmetic construction of transcendental non-Liouville normal numbers from rational fractions. Acta Arith., 16:239–253, 1969/1970. [1127] R. G. Stoneham. On (j, ε)-normality in the rational fractions. Acta Arith., 16:221–237, 1969/1970. [1128] R. G. Stoneham. On absolute (j, ε)-normality in the rational fractions with applications to normal numbers. Acta Arith., 22:277–286, 1972/73. [1129] R. G. Stoneham. On the uniform ε-distribution of residues within the periods of rational fractions with applications to normal numbers. Acta Arith., 22:371–389, 1973. [1130] R. G. Stoneham. On a sequence of (j, ε)-normal approximations to π/4 and the Brouwer conjecture. Acta Arith., 42(3):265–279, 1983. [1131] R. Stong. The average order of a matrix. J. Combin. Theory Ser. A, 64(2):337–343, 1993. [1132] S. Strandt. Quadratic congruential generators with odd composite modulus. In Monte Carlo and quasi-Monte Carlo methods 1996 (Salzburg), pages 415–426. Springer, New York, 1998. [1133] R. Strassman. Uber den wertevorrat von potenzreichen im gebiet der p-adischen zahlen. J. Reine Angew. Math., 159:13–28, 1928. [1134] O. Strauch. On distribution functions of ξ(3/2)n mod 1. Acta Arith., 81(1):25–35, 1997. [1135] M. Strauss. Normal numbers and sources for BPP. Theoret. Comput. Sci., 178(1-2):155– 169, 1997. [1136] W. Sun, A. Klapper, and Y. X. Yang. On correlations of a family of generalized geometric sequences. IEEE Trans. Inform. Theory, 47(6):2609–2618, 2001. [1137] E. Szemer´ edi. On sets of integers containing no k elements in arithmetic progression. Acta Arith., 27:199–245, 1975. [1138] E. Szemer´ edi. Integer sets containing no arithmetic progressions. Acta Math. Hungar., 56(1-2):155–158, 1990. [1139] P. Sz¨ usz and B. Volkmann. A combinatorial method for constructing normal numbers. Forum Math., 6(4):399–414, 1994. [1140] Lange T., S. V. Konyagin, and I. E. Shparlinski. Linear complexity of the discrete logarithm. Des. Codes Cryptogr., to appear. [1141] E. J. Taft. Hadamard invertibility of linearly recursive sequences in several variables. Discrete Math., 139(1-3):393–397, 1995. [1142] S. Takahashi. Cellular automata, fractals and multifractals: space-time patterns and dimension spectra of linear cellular automata. In Chaos in Australia (Sydney, 1990), pages 173–195. World Sci. Publishing, River Edge, NJ, 1993. [1143] T. Tapsoba. Automates calculant la complexit´ e de suites automatiques. J. Th´ eor. Nombres Bordeaux, 6(1):127–134, 1994. [1144] R. Taylor and A. Wiles. Ring-theoretic properties of certain Hecke algebras. Ann. of Math. (2), 141(3):553–572, 1995. [1145] S. Tezuka. The k-dimensional distribution of combined GFSR sequences. Math. Comp., 62(206):809–817, 1994. [1146] S. Tezuka. Uniform Random Numbers. Kluwer, Dordrecht, 1996.

288

BIBLIOGRAPHY

[1147] R. F. Tichy. Three examples of triangular arrays with optimal discrepancy and linear recurrences. In Applications of Fibonacci numbers, Vol. 7, pages 415–421. Kluwer Acad. Publ., Dordrecht. [1148] R. F. Tichy. Stability of a class of nonuniform random number generators. J. Math. Anal. Appl., 181(2):546–561, 1994. [1149] R. F. Tichy. Diophantine properties of digital expansions. In Number theory (Eger, 1996), pages 501–522. de Gruyter, Berlin, 1998. [1150] R. Tijdeman. On the number of zeros of general exponential polynomials. Nederl. Akad. Wetensch. Proc. Ser. A 74 = Indag. Math., 33:1–7, 1971. [1151] R. Tijdeman. Note on Mahler’s 3/2-problem. Det Kong. Norske Vidensk. Selsk., 16:1–4, 1972. [1152] R. Tijdeman. On the maximal distance between integers composed of small primes. Compositio Math., 28:159–162, 1974. [1153] R. Tijdeman. Multiplicities of binary recurrences. In Seminar on Number Theory, 1980– 1981 (Talence, 1980–1981), pages Exp. No. 29, 11. Univ. Bordeaux I, Talence, 1981. [1154] R. Tijdeman. Exponential Diophantine equations 1986–1996. In Number theory (Eger, 1996), pages 523–539. de Gruyter, Berlin, 1998. [1155] J. Tits. Appendix to: “Groups of polynomial growth and expanding maps” [Inst. Hautes ´ ´ Etudes Sci. Publ. Math. No. 53 (1981), 53–73] by M. Gromov. Inst. Hautes Etudes Sci. Publ. Math., (53):74–78, 1981. [1156] M. Tompa. Lecture notes on probabilistic algorithms and pseudorandom generators. Technical Report 91-07-05, Dept. of Comp. Sci. and Engin., Univ. of Washington, 1991. [1157] Th. T¨ opfer. Simultaneous approximation measures for functions satisfying generalized functional equations of Mahler type. Abh. Math. Sem. Univ. Hamburg, 66:177–201, 1996. [1158] J. Tromp and J. Shallit. Subword complexity of a generalized Thue-Morse word. Inform. Process. Lett., 54(6):313–316, 1995. [1159] P. Tur´ an. Eine Extremalaufgabe aus der Graphentheorie. Mat. Fiz. Lapok, 48:436–452, 1941. [1160] P. Udaya and M. U. Siddiqi. Optimal and suboptimal quadriphase sequences derived from maximal length sequences over Z4 . Appl. Algebra Engrg. Comm. Comput., 9(2):161–191, 1998. [1161] P. Udaya and M. U. Siddiqi. Optimal large linear complexity frequency hopping patterns derived from polynomial residue class rings. IEEE Trans. Inform. Theory, 44(4):1492–1503, 1998. [1162] E. Ugalde. An alternative construction of normal numbers. J. Th´ eor. Nombres Bordeaux, 12(1):165–177, 2000. [1163] M. Vˆ ajˆ aitu and A. Zaharescu. A finiteness theorem for a class of exponential congruences. Proc. Amer. Math. Soc., 127(8):2225–2232, 1999. [1164] R. C. Vaughan. On the distribution of αp modulo 1. Mathematika, 24(2):135–141, 1977. [1165] G. Venturini. Iterates of number-theoretic functions with periodic rational coefficients (generalization of the 3x + 1 problem). Stud. Appl. Math., 86(3):185–218, 1992. [1166] G. Venturini. On a generalization of the 3x+1 problem. Adv. in Appl. Math., 19(3):295–305, 1997. [1167] N. K. Vereshchagin. Zeros of linear recursive sequences. Dokl. Akad. Nauk SSSR, 278(5):1036–1039, 1984. [1168] N. K. Vereshchagin. The problem of the appearance of a zero in a linear recursive sequence. Mat. Zametki, 38(2):177–189, 347, 1985. [1169] N. K. Vereshchagin. Effective upper bounds for the number of zeros of a linear recurrence sequence. Vestnik Moskov. Univ. Ser. I Mat. Mekh., (1):25–30, 92, 1986. [1170] I. M. Vinogradov. A new estimation of a trigonometric sum involving primes. Bull. Acad. Sc. URSS Ser. Math., 2, 1938. [1171] F. Vivaldi. Dynamics over irreducible polynomials. Nonlinearity, 5(4):941–960, 1992. [1172] F. Vivaldi. Geometry of linear maps over finite fields. Nonlinearity, 5(1):133–147, 1992. [1173] F. Vivaldi. Cellular automata and finite fields. Phys. D, 79(2-4):115–131, 1994. [1174] F. Vivaldi and S. Hatjispyros. Galois theory of periodic orbits of rational maps. Nonlinearity, 5(4):961–978, 1992. [1175] J. F. Voloch. Diagonal equations over function fields. Bol. Soc. Brasil. Mat., 16(2):29–39, 1985.

BIBLIOGRAPHY

289

[1176] J. F. Voloch. The equation ax + by = 1 in characteristic p. J. Number Theory, 73(2):195– 200, 1998. [1177] B. Voorhees. A note on injectivity of additive cellular automata. Complex Systems, 8(3):151–159, 1994. [1178] M. Voorhoeve. On the oscillation of exponential polynomials. Math. Z., 151(3):277–294, 1976. [1179] M. Voorhoeve. Zeros of exponential polynomials. Rijksuniversiteit te Leiden, Leiden, 1977. Doctoral dissertation, University of Leiden, Leiden. [1180] M. Voorhoeve and A. J. van der Poorten. Wronskian determinants and the zeros of certain functions. Nederl. Akad. Wetensch. Proc. Ser. A78=Indag. Math., 37(5):417–424, 1975. [1181] M. Voorhoeve, A. J. van der Poorten, and R. Tijdeman. On the number of zeros of certain functions. Nederl. Akad. Wetensch. Proc. Ser. A78=Indag. Math., 37(5):407–416, 1975. [1182] P. M. Voutier. Primitive divisors of Lucas and Lehmer sequences. Math. Comp., 64(210):869–888, 1995. [1183] P. M. Voutier. Primitive divisors of Lucas and Lehmer sequences. II. J. Th´ eor. Nombres Bordeaux, 8(2):251–274, 1996. [1184] P. M. Voutier. Primitive divisors of Lucas and Lehmer sequences. III. Math. Proc. Cambridge Philos. Soc., 123(3):407–419, 1998. [1185] M. A. Vsemirnov. Diophantine representations of linear recurrent sequences. I. Zap. Nauchn. Sem. S.-Peterburg. Otdel. Mat. Inst. Steklov. (POMI), 227(Voprosy Teor. Predstav. Algebr i Grupp. 4):52–60, 156–157, 1995. [1186] M. A. Vsemirnov. Diophantine representations of linear recurrent sequences. II. Zap. Nauchn. Sem. S.-Peterburg. Otdel. Mat. Inst. Steklov. (POMI), 241(Issled. po Konstr. Mat. i Mat. Log. X):5–29, 150, 1997. [1187] Meidl W. and H. Niederreiter. Counting functions and expected values for the k-error linear complexity. Finite Fields Appl., 8:142–154, 2002. [1188] Meidl W. and H. Niederreiter. Linear complexity, k-error linear complexity and the discrete Fourier transform. J. Complexity, 18:87–103, 2002. [1189] S. S. Wagstaff, Jr. Divisors of Mersenne numbers. Math. Comp., 40(161):385–397, 1983. [1190] S. S. Wagstaff, Jr. Aurifeuillian factorizations and the period of the Bell numbers modulo a prime. Math. Comp., 65(213):383–391, 1996. [1191] M. Waldschmidt. Introduction to recent results in transcendental number theory. Preprint of the Math. Sci. Inst., Berkeley, MSRI 074-93, 1993. [1192] J. T.-Y. Wang. A note on Wronskians and the ABC theorem in function fields of prime characteristic. Manuscripta Math., 98(2):255–264, 1999. [1193] M. Z. Wang. Linear complexity profiles and jump complexity. Inform. Process. Lett., 61(3):165–168, 1997. [1194] M. Ward. The arithmetical theory of linear recurring series. Trans. Amer. Math. Soc., 35(3):600–628, 1933. [1195] M. Ward. The law of repetition of primes in an elliptic divisibility sequence. Duke Math. J., 15:941–946, 1948. [1196] M. Ward. Memoir on elliptic divisibility sequences. Amer. J. Math., 70:31–74, 1948. [1197] M. Ward. Prime divisors of second order recurring sequences. Duke Math. J., 21:607–614, 1954. [1198] M. Ward. The laws of apparition and repetition of primes in a cubic recurrence. Trans. Amer. Math. Soc., 79:72–90, 1955. [1199] M. Ward. The linear p-adic recurrence of order two. Illinois J. Math., 6:40–52, 1962. [1200] T. Ward. Additive relations in fields: an entropy approach. J. Number Theory, 53(1):137– 143, 1995. [1201] T. Ward. Three results on mixing shapes. New York J. Math., 3A(Proceedings of the New York Journal of Mathematics Conference, June 9–13, 1997):1–10 (electronic), 1997/98. [1202] T. Ward. Almost all S-integer dynamical systems have many periodic points. Ergodic Theory Dynam. Systems, 18(2):471–486, 1998. [1203] T. Ward. Additive cellular automata and volume growth. Entropy, 2:142–167, 2000. [1204] T. Washio and T. Kodama. Hasse-Witt matrices of hyperelliptic function fields. Sci. Bull. Fac. Ed. Nagasaki Univ., (37):9–15, 1986. [1205] T. Washio and T. Kodama. A note on a supersingular function field. Sci. Bull. Fac. Ed. Nagasaki Univ., (37):17–21, 1986.

290

BIBLIOGRAPHY

[1206] B. Weiss. Single orbit dynamics. American Mathematical Society, Providence, RI, 2000. [1207] M. J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inform. Theory, 36(3):553–558, 1990. [1208] A. Wiles. Modular elliptic curves and Fermat’s last theorem. Ann. of Math. (2), 141(3):443– 551, 1995. [1209] H. C. Williams. Some generalizations of the Sn sequence of Shanks. Acta Arith., 69(3):199– 215, 1995. [1210] H. C. Williams and J. O. Shallit. Factoring integers before computers. In Mathematics of Computation 1943–1993: a half-century of computational mathematics (Vancouver, BC, 1993), pages 481–531. Amer. Math. Soc., Providence, RI, 1994. [1211] S. Williams. Zeros in nth order linear recurrence sequences. Master’s thesis, Macquarie University (Honours Thesis), 1994. [1212] G. J. Wirsching. The dynamical system generated by the 3n + 1 function. Springer-Verlag, Berlin, 1998. [1213] S. Wolfram. Random sequence generation by cellular automata. Adv. in Appl. Math., 7(2):123–169, 1986. [1214] S. Wolfram, editor. Theory and applications of cellular automata. World Scientific Publishing Co., Singapore, 1986. [1215] John W. Wrench, Jr. Evaluation of Artin’s constant and the twin-prime constant. Math. Comp., 15:396–398, 1961. [1216] C. Xing, H. Niederreiter, K. Y. Lam, and C. Ding. Constructions of sequences with almost perfect linear complexity profile from curves over finite fields. Finite Fields Appl., 5(3):301– 313, 1999. [1217] J. Xu and A. Klapper. Feedback with carry shift registers over Z/(N ). In Sequences and their applications (Singapore, 1998), pages 379–392. Springer, London, 1999. [1218] A. A. Yacobson. Bounds for exponential sums with recurring sequences and their applications. Proc. Voronezh State Pedagogical Inst., 197:86–91, 1978. [1219] Y. X. Yang. New binary sequences with perfect staircase profile of linear complexity. Inform. Process. Lett., 46(1):27–29, 1993. [1220] K. Yokoyama, Z. Li, and I. Nemes. Finding roots of unity among quotients of the roots of an integral polynomial. Proc. Intern. Symp. on Symb. and Algebraic Comp., pages 85–89, 1995. [1221] K. R. Yu. Linear forms in p-adic logarithms. II. Compositio Math., 74(1):15–113, 1990. Erratum: Compositio Math., 76 (1990), 307. [1222] K. R. Yu and L.-K. Hung. On binary recurrence sequences. Indag. Math. (N.S.), 6(3):341– 354, 1995. [1223] L. Yu and M. Le. On the Diophantine equation (xm − 1)/(x − 1) = y n . Acta Arith., 73(4):363–366, 1995. [1224] U. Zannier. Some remarks on the S-unit equation in function fields. Acta Arith., 64(1):87– 98, 1993. [1225] U. Zannier. Vanishing sums of roots of unity. Rend. Sem. Mat. Univ. Politec. Torino, 53(4):487–495, 1995. [1226] U. Zannier. A proof of Pisot’s dth root conjecture. Ann. of Math. (2), 151(1):375–383, 2000. [1227] C. Z. Zhou. Some discussion on the 3x + 1 problem. J. South China Normal Univ. Natur. Sci. Ed., (3):103–105, 1995. [1228] N. Zierler. Linear recurring sequences. J. Soc. Indust. Appl. Math., 7:31–48, 1959. [1229] N. Zierler and W. H. Mills. Products of linear recurring sequences. J. Algebra, 27:147–157, 1973. [1230] M. Zieve. Cycles of polynomial mappings. PhD thesis, Univ. of California, Berkeley, 1996. [1231] R. Zippel. Effective polynomial computation. Kluwer A. P., Dordrecht, 1993.

Index

ˆ h(Q), 166 Hm,p (a), 200 h(p), 101 H(U, q), 190 Ia,λ,p (N, H), 236 Im , Im (a), 100 Ja (h), 220 J(q, n, ∆), 244 Kera,m , 224 Kz {W}, 137 L, 223 La (k, h), 221 Λq∗ , 188 Λq , 188 La (N ), 240 L(f ), 15 L∗ (f ), 15 L(K, q), 188 L(m, g), 230 L− x , 95 Ln (T ), 172 ln(n) , 108 ln x, 5 La , 217 L∗a , 218 Log x, 6 log x, 5 L+ x , 95 Lp (N ), 190 `p (N ), 190 M (a), 31 m(a), 31 m(a, c), 31 Mj (m, p), 200 E(M, k, ε), 216 M (K, V ), 193 M (K, V, q), 193 M (f ), 62 M (n), 35 Mp , 91 M (ϑ), 34 µ(k), 5 µ0 (n, R), µ(n, R), 31 N, 5

↔, 18 | · |p , 24 abs , 228 A(d, m, a), 153 a b, 66 A(K, q), 188 a− (x), 91 a+ (x), 91 ars , 226 a ∗ b, 66 as (x), 71 atm , 226 Bh , 190 Bk,s (a(0), λ, M ), 216 Bn , 179 C, 5 Ca,λ,p (N ), 236 Cp , 5 CyclR (F ), 59 ∆(a), 103 δij , 5 eP (x), 225 ε, 5 F, 5 Fixn (T ), 171 f − , 19 F∗q , 5 Fq , 5 F (S, N ), 210 f (S, N ), 210 f λ , 70 F((X)), 5 F(X), 5 F[X], 5 F[[X]], 5 G(f ), 17 GH (E, F ), 138 G(m), 56 Gµ , 51 G(Ω, V ), 194 G(Ω, V, q), 194 G(p), 56 g(p), 56 GR (E, F ), 138 H(f ), 5 291

292

N (n), 35 N (p), 56 Np,F,k (n), 67 Np,s,k (n), 67 Np (s, n), 66 Nq (α), 188 ν(k), 5 ν∗ (m), 200 ω(M, N ), 92 ω(N ), 92 Ω(α), 131 Ω(k), 104 ω(k), 104 ωs (λ, M ), 207 On (T ), 172 ordp z, 5 P, 5 Pa (N ), 91 per(f ), 47 ϕ(k), 5 Πa (N ), 103 πa (N ), 101 π(x), 5 P (k), 5 p(λ), 52 Q, 5 Qa (N ), 63 Qa,p (N, H), 116 Q(k), 5 Qp , 5 R, 5 R, 5 Ra,g,p (N, H), 118 ρs (λ, M ), 206 Rn (q), 139 rs (f, m, p), 204 R(t, p, a), 195 R(U, q, h), 190 σ(k), 5 σ(z), 163 τ (k), 5 Tj (p, s, g), 194 tk , 81 T (`), 198 tλ (p), 52 Tm (N, I), 116 TN (ϑ1 , . . . , ϑs ), 113 Tn (t, q), 198 T (p, s, g), 195 τ (p, s, g), 195 TR (F ), 60 Wa (N ), 240 Wm , 223 Ws (δ, M ), 208 XOR, 209 Z, 5 ζf (z), 62 ZK , 5

INDEX

Zp , 5 Z+ , 5 Zs,t,α , 130 Zt,α , 130 abc-conjecture, 12 absolutely normal number, 123 explicit construction, 127 add-with-carry sequence, 57, 208 period, 57 additive function, 70 affine equations in linear recurrence sequences, 71 aliquot sequence, 64 almost all, 6 almost periodic sequence, 227 anomalous prime, 167 Artin integers, 187 Artin’s conjecture, 51, 53, 191, 193 elliptic analogue, 53 for function fields over finite fields, 54 on elliptic curves, 54 in number fields, 53, 103 on average, 52 on CM curves, 53 on elliptic curves, 53 Artin’s constant, 52 Artin–Schrier polynomial, 150, 186 autocorrelation function, 242 backward prediction, 212 power, exponential generator, 213 Baker’s theorem, 28 Baum–Sweet sequence, 226 Baum-Sweet sequence, 228 BCH codes, 244 Bell numbers, 148 recurrent congruence, 149 Berlekamp–Massey algorithm, 214, 218 Bernoulli numbers, 179 Bernoulli polynomials, 151 Berstel’s sequence, 32 binary length sequence, 225 binary partition sequences, 151 birthday paradox, 236 black-box, 142 Blahut algorithm, 218 Blum, Blum and Shub generator, 60, 213 Boolean functions, 237 Borel’s Theorem, 26 canonical height, 46 functoriality, 166 sum of local heights, 166 Carmicheal number, 233 Catalan equation, 154, 157 cellular automata, 230 backward prediction, 233 boundary rule, 231 initial configuration, 231

INDEX

linear, 231 probabilistic, 233 reachability problem, 232 transition rule, 231 character multiplicative, 86 of Fq , 75 character sums, 75 over C, 85 upper bounds algebraic number fields, 76 finitely generated groups, 76 incomplete sums, 77 multiplicative characters, 86 on average, 82 positive characteristic, 75 rationals, 76 characteristic polynomial, 15 checking polynomial, 239 Chinese Remainder Theorem, 137 code-words, 239 Collatz sequence, 63 generalisation, 64 completely uniformly distributed, 123 complexity profile jump, 220 composition, 66 continued fraction, 22, 90, 97, 133, 143 Fibonacci sequence, 146 Gauss measure, 147 length, 144 normal, 147 normal expansion, 147 of power series, 145 over field of formal Laurent series, 219 quadratic irrational, 143 convolution, 66 sequences with polynomial coefficients, 67 coordinate sequences, 57 period, 58 correlation function, 242 counting function, 225 cryptography, 208 cyclic linear code, 239 checking polynomial, 239 code-words, 239 covering radius, 242 generating polynomial, 239 Hamming weight, 240 Lee weight, 240 redundancy, 240 Dickson polynomial, 7 difference operator, 16 difference sequence, 64 differential operators, 68 Diffie–Hellman key-exchange, 239 discrepancy, 85, 120, 123, 203

293

discrete logarithm, 221 discrete logarithm problem, 213, 238 for elliptic curves, 162 discrete root problem, 213 divisibility sequence, 70 characterization, 70 elliptic, 70 dominating roots, 18 dual basis, 155 dual sequence, 100 dynamical zeta function for β-transformations, 62 effective constant, 6 Egyptian fraction equation, 159 Eisenstein Theorem, 99 elliptic curve, 163 canonical global height, 166 canonical local height, 165 discriminant, 165 division polynomial, 163 generalised Weierstrass equation, 163 periods, 163 singular reduction, 165 with cyclic reduction infinitely often, 53 elliptic divisibility sequence, 161 and discrete logarithms, 162 defines a point on a curve, 164 generated by a point on a curve, 164 growth rate, 165 periodic behaviour, 162 prime apparition, 166 prime apparition heuristics, 168 proper, 162 rank of apparition, 162 singular, 161, 165 elliptic division polynomials, 164 elliptic Lehmer problem, 170 ergodic toral automorphism, 180 Euclidean algorithm, 25, 144, 192, 193 Euclidean property, 188 Euler binary partition sequence, 151, 226 Euler function, 5 exceptional units, 186 expansive toral automorphism, 180 exponential equations, 155 exponential generator, 213 exponential linear complexity, 211, 219 exponential polynomial, 20 divisibility, 138 greatest common divisor, 138 ideal, 139 unique factorization, 138 Fermat number, 91, 96, 97 Fermat sequence, 168 Fibonacci sequence, 73, 144, 146, 172, 175 and periodic points, 172 squares and cubes in, 110

294

figures of merit, 204 finite automata reachability problem, 232 forward prediction, 212, 214 1/M generator, 215 Berlekamp–Massey algorithm, 214 linear recurrence, 214 non-linear recurrence sequence, 215 polynomial recurrent equation, 215 power, exponential generator, 213 quadratic generator, 215 truncation, 216 full shift, 180 fundamental units, 183 g-ary expansion, 128 Gauss map, 21 Gauss measure, 147 Gaussian period polynomial, 197 Gaussian periods, 186, 195 generalized exponential polynomial, 20 Generalized Lindel¨ of Hypothesis, 118 generalized power sums, 16 characteristic roots, 16 Generalized Riemann Hypothesis, 52–56, 91, 101, 103, 108, 187, 235 generating polynomial, 239 generic divisibility, 91 globally realizable, 179 greatest common divisor algebraic, analytic, 138 Hadamard, 138 Ritt, 138 Grothendieck conjecture, 230 group structure of recurrence sequences, 17 Hadamard k-th Root Problem, 69 greatest common divisor, 138 inequality, 199 inversion, 69 product, 65 multivariate, 66 quotient, 27 Quotient Problem, 27, 68 Root Problem, 69 Hamming weight, 240 Hardy, 24 Hasse’s Theorem, 168 height algebraic number, 10 canonical, 22 na¨ıve, 5 of a polynomial, 5, 89 Heilbronn’s conjecture, 77 Hermite constant, 208 impulse sequences, 16 index of entry, 100

INDEX

inhomogeneous recurrence relation, 20 initial values, 15 interlacing sequences, 67 inversive sequence, 58 discrepancy, 209 lattice test, 210 maximal period, 58 irregularity index, 67 Jacobsthal-Lucas sequence, 171 jump complexity profile, 220 Kodama’s question, 198 Kronecker–Hankel determinant, 19 matrix, 26 Lang’s conjecture, 170 lattice test, 209 inversive generator, 210 Lee weight, 240 Legendre symbol, 22 Lehmer generator, 206 discrepancy, 208 homogeneous, 206 multiplier, 206 Lehmer numbers, 96 Lehmer problem, 34, 169 elliptic, 169 Lehmer test, 234, 235 Lehmer–Pierce sequence, 34, 166, 168, 171, 173 Leopold conjecture, 39 linear complexity, 216–218 and continued fractions, 221 k-error, 221 self-shrunken M -sequence, 218 linear complexity profile, 218 d-almost perfect, 221 perfect, 220 linear congruencial generator, 206 discrepancy, 208 elliptic analogue, 213 homogeneous, 206 linear forms in logarithms, 9, 29, 40, 93, 129 multiplicative form, 10 linear recurrence relation homogeneous, 15 order, 15 linear recurrence sequence, 15 and linear differential equations, 21 and rational functions, 19 and traces, 17 arithmetic subsequence, 19 as a generalized power sum, 17 binary, ternary, 15 characteristic polynomial, 15 degenerate, non-degenerate, 18 divisors, 18

INDEX

exceptional, 42 group structure, 17, 18 initial values, 15 many variables, 22 minimal polynomial, 15 multipliers, 51 number of zeros, 87 order, 15 periodic structure, 47 powers in, 109 prime divisors, 91 reduction to non-degenerate, 18 restricted period, 51 set of solutions, 16 squares and cubes in, 110 sum and product, 65 zeros, 35 linearized polynomial, 59 Linnik constant, 235 Linnik’s theorem, 60 Liouville Theorem, 144 locally realizable, 179 everywhere, 179 LΠτ -nets, 212 Lucas numbers, 95, 111 Lucas pseudo-prime, 235 Lucas sequence, 99, 102, 107, 108, 161, 171, 175 and periodic points, 171 primitive power divisors, 100 Mahler 3/2-problem, 62, 130, 198 m-functions, 224 Mahler measure, 34 matrix almost integer, 125 ergodic, 125 m-automatic, 223 algebraic irrationals are not, 224 m-automatic sequences over finite fields, 224 m-automaton, 223 acceptance set, 223 initial state, 223 language, 223 max sequence, 64 maximal divisor, 102 maximal period construction of sequences, 49 modulo composites, 54 modulo prime powers, 49 of matrices, 48 MergeSort algorithm complexity, 226 Mersenne number, 96, 97, 147 prime, 54, 91, 154 sequence, 171

295

prime heuristics, 168 Merten’s Theorem, 168, 169 (m, g)-automatic, 230 real number, 230 minimal quadratic residue, 56 m-kernel, 224 finiteness characterizes m-automatic, 224 M¨ obius function, 5 modulus of a linear cellular automata, 51 of a pseudo-random number generator, 203 Monte Carlo method, 211 M -sequences, 47 in residue rings, 48 over finite fields, 48 over Galois rings, 47 multiplication-with-carry sequence, 209 multiplicative character, 86 order, 86 multiplicative function, 70 multiplicative order, 47 multiplicity, 31 low order sequences, 32 lower bounds, 33 non-uniform bounds, 33 total, 31 uniform bounds, 32 multipliers, 51 group of, 51 Naor–Reingold pseudo-random number generator, 84 near-Euclidean property, 188 norm of a polynomial, 140 Norm-form equations, 155 normal basis, 183 normal extension, 183 normal numbers, 85 to base g, 99 normal periodic systems, 126 normal sequences of signs, 210 normality, 123 NP-hard problem, 237 n-sparse polynomials, 137 n-sparse rational functions, 137 Orbit Problem, 237 for linear recurrences, 232 for matrix groups, 238 over Q, 238 over a finite field, 238 order of a character, 86 p-adic, 5 order of a linear recurrence sequence, 15 p-adic analytic function, 24 convergence, 24

296

differential equations, 43 expansion, 23 logarithms, 30 meromorphic function, 24 metric, 24 rationals, 24 subspace theorem, 28 valuation, 24 paper-folding sequence, 227 2-automatic, 227 Fourier transform, 228 pattern function, 228 pattern sequence, 227 associated trigonometric polynomial, 228 p-binomial coefficients, 69 perfectly cyclic, 61 period, 51 in finitely generated groups, 55 modulo p, 52 modulo p, lower bounds on average, 54 of m-dimensional sequences, 60 of a polynomial, 47 of a sequence, 47 of add-with-carry sequence, 57 of doubly exponential sequence, 57 of matrices, 48 of shrunken sequences, 57 relation to linear recurrence sequence, 56 periodic points, 171 realizable in rate, 181 permutation polynomial, 209 Pillai equation, 157 Pisot-Varadarajan number, 61 Pollard’s ρ-method, 236 Polya operator, 68 polynomial black-box, 142 positive unit, 155 power generator, 84, 209, 213 predictability problem, 212 primality test, 233 complexity, 234 deterministic, 235 Lehmer, 234 Prime Number Theorem, 9, 168 number of orbits, 62 primitive divisor, 100 of Lehmer number, 100 primitive normal basis, 183 primitive polynomial, 58 primitive power divisors, 100 primitive root, 52, 137 analogues for composite modulus, 54 in arithmetic progressions, 53 least, 56 modulo prime powers, 49 unconditional results, 53 product formula, 24

INDEX

pseudo-prime Euler, 234 Lucas, 235 strong to the base a, 234 to the base a, 233 pseudo-random number generator, 203 complexity, 212 Naor and Reingold, 213 Naor–Reingold, 84 pseudo-random sequence of digits, 210 purely periodic, 61 purely periodic sequence, 47 PV-number, 61, 62, 125 special, 61 totally positive, 131 quadratic generator discrepancy, 209 quadratic residue Euler’s criterion, 234 quadratic sequences, 58 maximal period, 59 quantum convolution, 67 quasi-random number, 211 quasihyperbolic toral automorphism, 180 QuickSort algorithm, 236 Rabin primes, 214 Ramanujan τ -function, 147 recurrence equation, 148 rational function modulo composites, 58 realizable in rate, 181 reciprocal polynomial, 19 recurrence relation inhomogeneous, 20 non-linear, 21 recurrence sequence q-generalization, 21, 98 elliptic, 22, 161 group structure, 17 growth, 36 on elliptic curves, 46 zeros, 35 zeros in a segment, 36 regular numeration system, 230 regular sequences, 225 restricted period, 51 over finite rings, 51 Riesz–Raikov Theorem, 132 Ritt greatest common divisor, 138 (R, m)-regular sequences, 224 Robinson’s question, 200 Roth Theorem, 110 Roth theorem, 29, 92, 145 p-adic, 40 RSA-cryptosystem, 214 Rudin–Shapiro sequence, 226, 227 and trigonometric polynomial, 227

INDEX

pseudo-random properties, 229 Salem number, 39, 61, 98 selector sequence, 71 self-shrinking generator, 71 Selfridge’s problem, 104 sequences of maximal period, 49 Shanks sequence, 145, 183 shrinkage, 71 shrinking generator, 71, 211 shrunken generator output rate, 211 shrunken sequence, 57, 71, 211 Skolem–Mahler–Lech Theorem, 30 for q-recurrence sequences, 45 linear differential equations, 45 requires zero characteristic, 46 S-norm, 27 S-number, 126 Somos sequence, 64 sparse polynomial, 75 linear factors, 139 number of zeros, 139 powers, 139 type, 139 sphere complexity, 222 stability of distribution, 124 Stern sequence, 151, 153 Strassman’s Theorem, 10, 25 subshift of finite type, 180 subspace theorem, 28 substitutions sequences realized as fixed points, 227 subtract-with-borrow sequence, 57, 208 S-units, 27, 28 average value of sums, 39 linear equations in, 11 sums in function fields, 46 S-unit equations, 11, 44, 129 in positive characteristic, 44

297

over function fields, 140 super-singular hyperelliptic curves, 198 Szemer´ edi Theorem, 36–38, 46, 98, 240 effective, 240 Tausworthe generator, 204 Tchebotarev Density Theorem, 34, 102–104 Tchebychev polynomial, 7 Thue equation, 155 Thue–Morse sequence, 226, 229 palindromic patterns, 229 pseudo-random properties, 229 T -number, 126 toral automorphism ergodic, 180 expansive, 180 quasihyperbolic, 180 transcendental number constructions, 72 Turan’s Theorem, 36 type of a polynomial, 139 uniform distribution Weyl criterion, 125 uniformly distributed, 123 completely, 123, 124, 126 van der Corput sequence, 225 Vandermonde determinant, 50 Vandermonde matrix, 18 Waring problem, 194 Weierstrass σ-function, 161, 163 periodicity, 162 Weil bound, 77, 81, 141 Weil’s theorem, 61 Weyl criterion, 125 Wieferich numbers, 63 Z-numbers, 130 Zs,t,α -numbers, 130 Zt,α -numbers, 130