On the Linear Complexity Profile of Nonlinear Congruential Pseudorandom Number Generators with Dickson Polynomials

Hassan Aly¹ and Arne Winterhof²

¹ Department of Mathematics, Faculty of Science, Cairo University, Giza, Egypt (e-mail: [email protected])
² Johann Radon Institute of Computational and Applied Mathematics (RICAM), Austrian Academy of Sciences, Altenbergerstr. 69, 4040 Linz, Austria (e-mail: [email protected])

Abstract

Linear complexity and linear complexity profile are important characteristics of a sequence for applications in cryptography and Monte Carlo methods. The nonlinear congruential method is an attractive alternative to the classical linear congruential method for pseudorandom number generation. Recently, a weak lower bound on the linear complexity profile of a general nonlinear congruential pseudorandom number generator was proven by Gutierrez, Shparlinski and the second author. For most nonlinear generators a much stronger lower bound is expected. Here, we obtain a much stronger lower bound on the linear complexity profile of nonlinear congruential pseudorandom number generators with Dickson polynomials.

2000 MSC. 11K45, 94A55, 94A60.
Keywords. Linear complexity profile, nonlinear congruential generator, Dickson polynomials, cryptography.

1 Introduction

Let $p$ be a prime and denote by $\mathbb{F}_p$ the finite field of $p$ elements. We recall that the linear complexity profile $L(s_n, N)$ of an infinite sequence $(s_n)$ over $\mathbb{F}_p$ is the function which for every $N \ge 2$ is defined as the length $L$ of the shortest linear recurrence relation
$$s_{n+L} = a_{L-1} s_{n+L-1} + \cdots + a_0 s_n, \qquad 0 \le n \le N - L - 1,$$
with $a_0, \ldots, a_{L-1} \in \mathbb{F}_p$, which is satisfied by this sequence. If $(s_n)$ starts with $N-1$ zeros then we define $L(s_n, N) = 0$ if $s_{N-1} = 0$ and $L(s_n, N) = N$ if $s_{N-1} \ne 0$. The value
$$L(s_n) = \sup_{N \ge 2} L(s_n, N)$$
is called the linear complexity of $(s_n)$. For a periodic sequence $(s_n)$ of period $T$ we have $L(s_n) = L(s_n, 2T)$.

Given a polynomial $f(X) \in \mathbb{F}_p[X]$ of degree $d$ at least 2 the nonlinear congruential pseudorandom number generator $(x_n)$ is defined by the recurrence relation
$$x_{n+1} = f(x_n), \qquad n \ge 0,$$
with some initial value $x_0 \in \mathbb{F}_p$. Obviously, the sequence $(x_n)$ is eventually periodic with some period $T \le p$. Throughout the paper we may assume that it is purely periodic. Recently, in [4] the lower bound
$$L(x_n, N) \ge \min\{\log_d(N - \lfloor \log_d N \rfloor),\ \log_d T\}, \qquad N \ge 2,$$
on the linear complexity profile of a nonlinear congruential pseudorandom number generator with a general polynomial $f(X)$ of degree $d \ge 2$ was given. For some special classes of polynomials much better results were proven in [4] and [3, 7]. In case of the largest possible period $T = p$ we have
$$L(x_n, N) \ge \min\{N - p + 1,\ p/d\}, \qquad N \ge 2.$$

The inversive congruential generator $(y_n)$ defined by
$$y_{n+1} = a y_n^{p-2} + b, \qquad n \ge 0,$$
with $a, b, y_0 \in \mathbb{F}_p$, $a \ne 0$, has linear complexity profile
$$L(y_n, N) \ge \min\left\{\frac{N-1}{3},\ \frac{T-1}{2}\right\}, \qquad N \ge 2.$$
The power generator $(z_n)$ defined by
$$z_{n+1} = z_n^{e}, \qquad n \ge 0,$$
with some integer $e \ge 2$ and initial value $0 \ne z_0 \in \mathbb{F}_p$ satisfies
$$L(z_n, N) \ge \min\left\{\frac{N^2}{4(p-1)},\ \frac{T^2}{p-1}\right\}, \qquad N \ge 2.$$

This paper introduces a lower bound for the linear complexity of a new class of nonlinear congruential generators when $f(X)$ is a Dickson polynomial. The bound in this case is slightly weaker than the bounds for the above generators. The family of Dickson polynomials $D_e(X, a) \in \mathbb{F}_p[X]$ is defined by the following recurrence relation
$$D_e(X, a) = X D_{e-1}(X, a) - a D_{e-2}(X, a), \qquad e = 2, 3, \ldots,$$
with initial values
$$D_0(X, a) = 2, \qquad D_1(X, a) = X,$$
where $a \in \mathbb{F}_p$. Obviously, the degree of $D_e$ is $e$. It is easy to see that $D_e(X, 0) = X^e$, $e \ge 2$, which corresponds to the case of the power generator. Here we concentrate on the special case that $a = 1$. For brevity we denote $D_e(X) = D_e(X, 1)$ and consider the sequence
$$u_{n+1} = D_e(u_n), \qquad n \ge 0, \tag{1}$$
with some initial value $u_0$ and $e \ge 2$. After some auxiliary results in Section 2 we prove a lower bound on the linear complexity profile of the sequence $(u_n)$ defined by (1) in Section 3. Some final remarks on the results are given in Section 4.

2 Auxiliary results

We need the following results.

Lemma 1. Let $t \ge 2$ and $e$ be integers with $\gcd(t, e) = 1$, and let $T$ be the order of $e$ modulo $t$. Then for any $1 \le H \le T$ and $1 \le h \le t$ the number $U(H, h)$ of solutions $(x, y)$ of the congruence
$$e^{x} \equiv y \bmod t, \qquad 0 \le x \le H - 1,\ 0 \le y \le h - 1, \tag{2}$$
satisfies
$$U(H, h) \ge \frac{Hh}{4t} - t^{1/2}.$$

Proof. For an integer $k \ge 2$ denote by $e_k(x) = \exp(2\pi i x / k)$. We start with
$$\sum_{a=0}^{k-1} e_k(au) = \begin{cases} 0, & u \not\equiv 0 \bmod k, \\ k, & u \equiv 0 \bmod k, \end{cases} \tag{3}$$
(see [8, Exercise 11.a in Chapter 3]). By [5, Theorem 10] we have for any integers $a, b$ with $\gcd(a, t) = 1$
$$\left| \sum_{x=0}^{T-1} e_t(a e^{x})\, e_T(bx) \right| \le t^{1/2}. \tag{4}$$

Next we show
$$\left| \sum_{x_1, x_2 = 0}^{\lceil H/2 \rceil - 1} e_t\!\left(a e^{x_1 - x_2}\right) \right| \le t^{1/2} \lceil H/2 \rceil. \tag{5}$$
By (3) we have
$$\begin{aligned}
\left| \sum_{x_1, x_2 = 0}^{\lceil H/2 \rceil - 1} e_t\!\left(a e^{x_1 - x_2}\right) \right|
&= \left| \frac{1}{T} \sum_{b=0}^{T-1} \sum_{y=0}^{T-1} \sum_{x_1, x_2 = 0}^{\lceil H/2 \rceil - 1} e_t(a e^{y})\, e_T\!\left(b(y - x_1 + x_2)\right) \right| \\
&\le \frac{1}{T} \sum_{b=0}^{T-1} \left| \sum_{y=0}^{T-1} e_t(a e^{y})\, e_T(by) \right| \left| \sum_{x_1, x_2 = 0}^{\lceil H/2 \rceil - 1} e_T\!\left(b(x_1 - x_2)\right) \right| \\
&\le \frac{t^{1/2}}{T} \sum_{b=0}^{T-1} \left| \sum_{x_1, x_2 = 0}^{\lceil H/2 \rceil - 1} e_T\!\left(b(x_1 - x_2)\right) \right| \\
&= t^{1/2} \lceil H/2 \rceil
\end{aligned}$$
by (4) and (3).

Let $U^*$ denote the number of solutions $(x_1, x_2, y_1, y_2)$ of
$$e^{\lfloor H/2 \rfloor + x_1 - x_2} \equiv \lfloor h/2 \rfloor + y_1 - y_2 \bmod t, \qquad 0 \le x_1, x_2 \le \lceil H/2 \rceil - 1,\ 0 \le y_1, y_2 \le \lceil h/2 \rceil - 1.$$
For fixed $x = \lfloor H/2 \rfloor + x_1 - x_2$ and $y = \lfloor h/2 \rfloor + y_1 - y_2$ we have at most $\lceil h/2 \rceil \lceil H/2 \rceil$ solutions $(x_1, x_2, y_1, y_2)$ and thus
$$U(H, h) \ge \frac{U^*}{\lceil h/2 \rceil \lceil H/2 \rceil}. \tag{6}$$
Again by (3) we have
$$U^* = \frac{1}{t} \sum_{a=0}^{t-1} \sum_{x_1, x_2 = 0}^{\lceil H/2 \rceil - 1} \sum_{y_1, y_2 = 0}^{\lceil h/2 \rceil - 1} e_t\!\left( a \left( e^{x_1 - x_2 + \lfloor H/2 \rfloor} - \lfloor h/2 \rfloor - y_1 + y_2 \right) \right).$$

Separating the term for $a = 0$ we get
$$\begin{aligned}
\left| U^* - \frac{\lceil H/2 \rceil^2 \lceil h/2 \rceil^2}{t} \right|
&\le \frac{1}{t} \sum_{a=1}^{t-1} \left| \sum_{x_1, x_2 = 0}^{\lceil H/2 \rceil - 1} e_t\!\left( a e^{\lfloor H/2 \rfloor} e^{x_1 - x_2} \right) \right| \left| \sum_{y=0}^{\lceil h/2 \rceil - 1} e_t(ay) \right|^2 \\
&\le \frac{\lceil H/2 \rceil}{t^{1/2}} \sum_{a=0}^{t-1} \left| \sum_{y=0}^{\lceil h/2 \rceil - 1} e_t(ay) \right|^2 \\
&= \frac{\lceil H/2 \rceil}{t^{1/2}} \sum_{y_1, y_2 = 0}^{\lceil h/2 \rceil - 1} \sum_{a=0}^{t-1} e_t\!\left( a(y_1 - y_2) \right) \\
&= t^{1/2} \lceil H/2 \rceil \lceil h/2 \rceil,
\end{aligned}$$
where we used (5) in the second step and (3) in the last step. Using (6) we get the result. □

We need the following result [2, Lemma 6] on Dickson polynomials. For $u \in \mathbb{F}_p$ define the polynomial $F_u(X) = X^2 - uX + 1$.

Lemma 2. Assume that either $F_u(X)$ is irreducible over $\mathbb{F}_p$ and $e \equiv f \bmod p + 1$, or $F_u(X)$ has two simple roots in $\mathbb{F}_p$ and $e \equiv f \bmod p - 1$. Then we have $D_e(u) = D_f(u)$.

It is well known that Dickson polynomials commute with respect to composition (see e.g. [6] or [1, Proposition 13.1.4]).

Lemma 3. For any positive integers $e$ and $f$, we have
$$D_e(D_f(X)) = D_{ef}(X) = D_f(D_e(X)).$$

The following result is [3, 7, Lemma 2].

Lemma 4. Let a sequence $(s_n)$ satisfy a linear recurrence relation of length $L$ over $\mathbb{F}_p$
$$s_{n+L} = a_{L-1} s_{n+L-1} + \cdots + a_0 s_n, \qquad n \ge 0.$$
Then for any $U \ge L + 1$ pairwise distinct non-negative integers $j_1, j_2, \ldots, j_U$ there exist $c_1, c_2, \ldots, c_U \in \mathbb{F}_p$, not all equal to zero, such that
$$\sum_{i=1}^{U} c_i s_{n + j_i} = 0, \qquad n \ge 0.$$
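The count $U(H, h)$ of Lemma 1 can be checked directly for small parameters. The Python script below is an added example and not code from the paper: it computes the order $T$ of $e$ modulo $t$, counts the solutions of congruence (2) by brute force (for each $x$ there is exactly one residue $y = e^x \bmod t$, so one only has to test whether that residue lies below $h$), and compares the count with the bound $Hh/(4t) - t^{1/2}$. The values of $t$, $e$, $H$ and $h$ it uses are constructed for the demonstration, and the function names are my own.

```python
# Added example (not from the paper): brute-force count of U(H, h), the number of
# solutions (x, y) of e^x ≡ y (mod t) with 0 <= x <= H-1 and 0 <= y <= h-1,
# compared with the lower bound Hh/(4t) - t^(1/2) of Lemma 1.  All parameter
# values used below are constructed for the demonstration.
from math import gcd, sqrt


def multiplicative_order(e: int, t: int) -> int:
    """Order T of e modulo t; requires gcd(e, t) == 1."""
    if gcd(e, t) != 1:
        raise ValueError("e must be invertible modulo t")
    if t == 1:
        return 1
    k, power = 1, e % t
    while power != 1:
        power = power * e % t
        k += 1
    return k


def count_solutions(e: int, t: int, H: int, h: int) -> int:
    """U(H, h): for each x < H the residue y = e^x mod t lies in [0, t), so we
    simply count the x whose residue is at most h - 1."""
    count, power = 0, 1 % t
    for _ in range(H):
        if power <= h - 1:
            count += 1
        power = power * e % t
    return count


def lemma1_bound(t: int, H: int, h: int) -> float:
    """Right-hand side Hh/(4t) - t^(1/2) of Lemma 1."""
    return H * h / (4 * t) - sqrt(t)


def check_lemma1(e: int, t: int, H: int, h: int):
    """Return (T, U(H, h), bound, bound_holds); enforces 1 <= H <= T, 1 <= h <= t."""
    T = multiplicative_order(e, t)
    if not (1 <= H <= T and 1 <= h <= t):
        raise ValueError("Lemma 1 needs 1 <= H <= T and 1 <= h <= t")
    U = count_solutions(e, t, H, h)
    bound = lemma1_bound(t, H, h)
    return T, U, bound, U >= bound


def smallest_nontrivial_box(e: int, t: int):
    """Smallest H = h <= T for which the bound of Lemma 1 is positive, or None.
    Below this size the lemma gives only the trivial statement U(H, h) >= 0."""
    T = multiplicative_order(e, t)
    for H in range(1, T + 1):
        if lemma1_bound(t, H, H) > 0:
            return H
    return None


if __name__ == "__main__":
    t, e = 101, 2            # constructed: t prime, e = 2 has order 100 modulo 101
    print("smallest H = h with a positive bound:", smallest_nontrivial_box(e, t))
    for H in (64, 80, 100):
        T, U, bound, ok = check_lemma1(e, t, H, H)
        print(f"T={T} H=h={H}: U={U}, bound={bound:.2f}, holds={ok}")
```

The `smallest_nontrivial_box` helper makes the remark in the paper concrete: the $-t^{1/2}$ term means the lemma says nothing until $Hh$ exceeds $4t^{3/2}$, which is why Theorem 1 below is only nontrivial for $N$ of order $p^{3/4}$.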

3 Main Estimate

By Lemma 3 we have
$$u_n = D_{e^n}(u_0), \qquad n \ge 0.$$
We remark that if $u_0 \ne \pm 2$, then $F_{u_0}(X) = X^2 - u_0 X + 1$ has no multiple roots and thus Lemma 2 applies. Let us denote by $t$ the smallest positive integer for which $D_e(u_0) = D_f(u_0)$ whenever $e \equiv f \bmod t$. By Lemma 2 we have either $t \mid p - 1$ or $t \mid p + 1$, and the least period $T$ is a divisor of the multiplicative order of $e$ modulo $t$. If $u_0 = 2$ then $D_f(2) = 2$ for all $f \ge 0$, $u_n = 2$ for all $n \ge 0$ and we can take $T = t = 1$ in this case. If $u_0 = -2$ then $D_f(-2) = (-1)^f 2$ for all $f \ge 0$ and $u_n = (-1)^{e^n} 2$ for all $n \ge 1$. Then we may either choose $e = 1$ or $e = 2$ and $(u_n)$ is not purely periodic. Both cases are excluded by our general assumptions.

Theorem 1. Assume that the sequence $(u_n)$ given by (1) is purely periodic with least period $T$. Then the lower bound
$$L(u_n, N) \ge \frac{\min\{N^2, 4T^2\}}{16(p+1)} - (p+1)^{1/2}$$
holds.

Proof. Since $L(u_n, N) = L(u_n, 2T)$ for $N > 2T$, we may assume that $N \le 2T$. Put
$$H = h = \left\lfloor \frac{N+1}{2} \right\rfloor.$$
Obviously,
$$p \ge t - 1 \ge T \ge \left\lfloor \frac{N+1}{2} \right\rfloor = H = h.$$

From Lemma 1 we see that the number of solutions $U$ of the congruence $e^{x} \equiv y \bmod t$, where
$$0 \le x \le H - 1 \le T - 1, \qquad 0 \le y \le h - 1 < t - 1,$$
satisfies
$$U \ge \frac{Hh}{4(p+1)} - (p+1)^{1/2}.$$
Let $(j_1, k_1), \ldots, (j_U, k_U)$ be the corresponding solutions. Now assume that $L(u_n, N) \le U - 1$. Let $(w_n)$ be a sequence of linear complexity $L(w_n) = L(u_n, N)$ with $w_n = u_n$ for $n = 0, \ldots, N - 1$. From Lemma 4 we see that there exist $c_1, c_2, \ldots, c_U \in \mathbb{F}_p$, not all equal to zero, such that
$$\sum_{i=1}^{U} c_i w_{n + j_i} = 0, \qquad n \ge 0.$$
Since
$$w_{n + j_i} = u_{n + j_i} = D_{e^{n + j_i}}(u_0) = D_{e^{j_i}}(u_n) = D_{k_i}(u_n)$$
for $n = 0, 1, \ldots, N - 1 - j_i$, $i = 1, 2, \ldots, U$, we conclude that the non-zero polynomial
$$f(X) = \sum_{i=1}^{U} c_i D_{k_i}(X)$$
of degree
$$\deg f \le \max_{1 \le i \le U} k_i \le h - 1$$
has at least
$$\min\{T,\ N - \max_{1 \le i \le U} j_i\} \ge H = h$$
distinct zeros $u_n$, $n = 0, 1, \ldots, \min\{T, N - \max_{1 \le i \le U} j_i\} - 1$, which is impossible. Hence $L(u_n, N) \ge U$ and the result follows. □
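To see the objects of the Introduction (the linear complexity profile $L(s_n, N)$ and the generator (1)) and of this section (the modulus $t$, the least period $T$, and the bound of Theorem 1) at work, here is an added Python example; it is not code from the paper. It evaluates $D_e(X, 1)$ by the defining recurrence, finds $t$ and $T$ by brute force, computes $L(u_n, N)$ for $N = 1, \ldots, 2T$ with the Berlekamp-Massey algorithm over $\mathbb{F}_p$ (the standard way to compute a linear complexity profile, which the paper does not spell out), and checks every value of the profile against Theorem 1. The parameters $p$, $e$ and $u_0$ in `main` are constructed demonstration values, and all function names are my own.

```python
# Added example, not code from the paper: the Dickson generator u_{n+1} = D_e(u_n)
# over F_p, the modulus t and least period T of Section 3, the linear complexity
# profile L(u_n, N) via Berlekamp-Massey over F_p, and a check of Theorem 1.
# The values of p, e and u0 used in main() are constructed for the demonstration.
from math import gcd, sqrt


def dickson(e: int, x: int, p: int) -> int:
    """D_e(x, 1) mod p from D_0 = 2, D_1 = X, D_e = X*D_{e-1} - D_{e-2}."""
    d_prev, d_cur = 2 % p, x % p
    if e == 0:
        return d_prev
    for _ in range(e - 1):
        d_prev, d_cur = d_cur, (x * d_cur - d_prev) % p
    return d_cur


def dickson_modulus(u0: int, p: int) -> int:
    """Smallest t >= 1 with D_e(u0) = D_f(u0) whenever e ≡ f (mod t), i.e. the
    least period of n -> D_n(u0).  By Lemma 2 that period divides p-1 or p+1,
    so a window of 2(p+1) terms is enough to find it by brute force."""
    v = [2 % p, u0 % p]
    while len(v) < 2 * (p + 1) + 1:
        v.append((u0 * v[-1] - v[-2]) % p)   # the recurrence evaluated at X = u0
    for t in range(1, p + 2):
        if all(v[n + t] == v[n] for n in range(p + 2)):
            return t
    raise ValueError("no period found; Lemma 2 says this cannot happen")


def dickson_generator(e: int, u0: int, p: int, length: int) -> list:
    """First `length` terms of u_{n+1} = D_e(u_n), u_0 = u0 (recurrence (1))."""
    u = [u0 % p]
    while len(u) < length:
        u.append(dickson(e, u[-1], p))
    return u


def least_period(u: list, max_period: int) -> int:
    """Least period T <= max_period of a purely periodic list u (len >= 2*max_period)."""
    for T in range(1, max_period + 1):
        if all(u[n + T] == u[n] for n in range(max_period)):
            return T
    raise ValueError("sequence is not purely periodic within the window")


def multiplicative_order(e: int, t: int) -> int:
    """Order of e modulo t (gcd(e, t) must be 1)."""
    if gcd(e, t) != 1:
        raise ValueError("e must be invertible modulo t")
    k, power = 1, e % t
    while power != 1 % t:
        power = power * e % t
        k += 1
    return k


def linear_complexity_profile(s: list, p: int) -> list:
    """Berlekamp-Massey over F_p: returns [L(s, 1), ..., L(s, len(s))], where
    L(s, N) is the length of the shortest linear recurrence generating s_0..s_{N-1}."""
    n = len(s)
    C = [1] + [0] * n      # connection polynomial: sum_j C[j] * s_{i-j} = 0
    B = [1] + [0] * n      # connection polynomial from the last length change
    L, m, b = 0, -1, 1
    profile = []
    for i in range(n):
        d = s[i] % p       # discrepancy of the current recurrence on s_i
        for j in range(1, L + 1):
            d = (d + C[j] * s[i - j]) % p
        if d != 0:
            coef = d * pow(b, -1, p) % p
            shift = i - m
            prev = C[:]
            for j in range(n + 1 - shift):
                C[j + shift] = (C[j + shift] - coef * B[j]) % p
            if 2 * L <= i:  # the recurrence has to grow
                L, B, b, m = i + 1 - L, prev, d, i
        profile.append(L)
    return profile


def theorem1_bound(N: int, T: int, p: int) -> float:
    """Right-hand side of Theorem 1: min{N^2, 4T^2} / (16(p+1)) - (p+1)^(1/2)."""
    return min(N * N, 4 * T * T) / (16 * (p + 1)) - sqrt(p + 1)


def analyse(e: int, u0: int, p: int):
    """Return (t, T, profile, theorem1_holds) for the generator (1)."""
    t = dickson_modulus(u0, p)
    u = dickson_generator(e, u0, p, 2 * (p + 1))
    T = least_period(u, p + 1)
    profile = linear_complexity_profile(u[:2 * T], p)   # L(u_n) = L(u_n, 2T)
    holds = all(profile[N - 1] >= theorem1_bound(N, T, p) for N in range(2, 2 * T + 1))
    return t, T, profile, holds


if __name__ == "__main__":
    p, e, u0 = 101, 3, 5   # constructed demonstration values, u0 != ±2
    t, T, profile, holds = analyse(e, u0, p)
    print(f"t = {t} (divides p-1 or p+1), T = {T}, ord_t(e) = {multiplicative_order(e, t)}")
    print(f"L(u_n) = L(u_n, 2T) = {profile[-1]}; Theorem 1 bound at N = 2T: "
          f"{theorem1_bound(2 * T, T, p):.2f}; bound holds for all N: {holds}")
```

For the tiny case $p = 7$, $u_0 = 3$, $e = 3$ the script finds $t = 8 = p + 1$ (the polynomial $X^2 - 3X + 1$ is irreducible over $\mathbb{F}_7$), $T = 2$, and the sequence $3, 4, 3, 4, \ldots$ with $L(u_n) = 1$, so the excluded small-period cases of the remark above are easy to observe; the profile function applied to any sequence over $\mathbb{F}_p$ also gives the definition of $L(s_n, N)$ from the Introduction directly.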

4 Final Remarks

Standard arguments yield the lower bound
$$U(H, h) \ge \frac{Hh}{t} - t^{1/2} (1 + \log T) \log t$$
for the number of solutions of (2) and thus
$$L(u_n, N) \ge \frac{\min\{N^2, 4T^2\}}{4(p+1)} - (p+1)^{1/2} (1 + \log T) \log p,$$
which is asymptotically stronger than Theorem 1. However, the bound of Theorem 1 is nontrivial for a wider range. If we apply the symmetrization trick in the proof of Lemma 1 only to $y$ then we get
$$U(H, h) > \frac{Hh}{2t} - t^{1/2} (1 + \log T)$$
and
$$L(u_n, N) > \frac{\min\{N^2, 4T^2\}}{8(p+1)} - (p+1)^{1/2} (1 + \log T).$$
Moreover, if $H = T$ we get
$$U(T, h) > \frac{Th}{2t} - t^{1/2}$$
and
$$U(T, h) \ge \frac{Th}{t} - t^{1/2} \log t,$$
which gives the lower bounds
$$L(u_n) > \frac{T^2}{2(p+1)} - (p+1)^{1/2}$$
and
$$L(u_n) \ge \frac{T^2}{p+1} - (p+1)^{1/2} \log(p+1),$$
respectively.

Theorem 1 can be extended to square-free composite moduli $m = p_1 \cdots p_r$ since the linear complexity profile modulo $m$ is lower bounded by the maximum of the linear complexities modulo $p_i$, $i = 1, \ldots, r$. On the other hand, it would be interesting to obtain a lower bound for prime power modulus. It would also be interesting to extend our result to other classes of polynomials, for example, to arbitrary Dickson polynomials.

Acknowledgments. During the preparation of this paper, A. W. was supported in part by the Austrian Academy of Sciences and by FWF grant S8313. The authors wish to thank Igor Shparlinski for pointing to this problem.

References

[1] B.C. Berndt, R.J. Evans and K.S. Williams, Gauss and Jacobi Sums, John Wiley & Sons, Inc., New York (1998).
[2] D. Gomez-Perez, J. Gutierrez and I.E. Shparlinski, Exponential sums with Dickson polynomials, Finite Fields and Their Applications, to appear.
[3] F. Griffin and I.E. Shparlinski, On the linear complexity profile of the power generator, IEEE Transactions on Information Theory, Vol. 46, No. 6 (2000) pp. 2159–2162.
[4] J. Gutierrez, I.E. Shparlinski and A. Winterhof, On the linear and nonlinear complexity profile of nonlinear pseudorandom number generators, IEEE Transactions on Information Theory, Vol. 49, No. 1 (2003) pp. 60–64.
[5] N.M. Korobov, Exponential Sums and Their Applications, Kluwer Academic Publishers Group, Dordrecht (1992).
[6] R. Lidl, G. Mullen and G. Turnwald, Dickson Polynomials, Longman Scientific & Technical, Harlow (1993).
[7] I.E. Shparlinski, On the linear complexity of the power generator, Designs, Codes and Cryptography, Vol. 23, No. 1 (2001) pp. 5–10.
[8] I.M. Vinogradov, Elements of Number Theory, Dover Publications, Inc., New York (1954).
