Designs, Codes and Cryptography, 38, 159–178, 2006 © 2006 Springer Science+Business Media, Inc. Manufactured in The United States.
Some Notes on the Linear Complexity of Sidel'nikov-Lempel-Cohn-Eastman Sequences

WILFRIED MEIDL, [email protected]
Temasek Laboratories, National University of Singapore, 5 Sports Drive 2, 117508, Singapore

ARNE WINTERHOF, [email protected]
Johann Radon Institute for Computational and Applied Mathematics, Austrian Academy of Sciences, Altenbergerstraße 69, A-4040 Linz, Austria

Communicated by: D. Jungnickel
Received June 4, 2004; Revised January 18, 2005; Accepted January 21, 2005

Abstract. We continue the study of the linear complexity of binary sequences, independently introduced by Sidel'nikov and Lempel, Cohn, and Eastman. These investigations were originated by Helleseth and Yang and extended by Kyureghyan and Pott. We determine the exact linear complexity of several families of these sequences using well-known results on cyclotomic numbers. Moreover, we prove a general lower bound on the linear complexity profile for all of these sequences.

Keywords: linear complexity, Sidel'nikov sequences, cyclotomic numbers, character sums
AMS Classification: 94A55, 94A60, 11T71, 11T22
1. Introduction
Let $q$ be an odd prime power, $\alpha$ a primitive element of $\mathbb{F}_q$, and let $\eta$ denote the quadratic character of $\mathbb{F}_q$, i.e., $\eta(\alpha^i) = (-1)^i$, $i = 0, 1, \ldots, q-2$, and $\eta(0) = 0$. Then the Sidel'nikov-Lempel-Cohn-Eastman sequence is defined to be the $(q-1)$-periodic binary sequence $(s_n)$ with

$$s_n = \begin{cases} 1 & \text{if } \eta(\alpha^n + 1) = -1,\\ 0 & \text{otherwise,} \end{cases} \qquad n = 0, 1, \ldots. \tag{1}$$
These sequences were independently introduced in [19] and [29] and further analyzed in [15, 17].
For an integer $N \ge 2$ the $N$th linear complexity $L(a_n, N)$ of a sequence $(a_n)$ over $\mathbb{F}_2$ is the smallest positive integer $L$ such that there are constants $c_1, \ldots, c_L \in \mathbb{F}_2$ satisfying

$$a_n = c_1 a_{n-1} + c_2 a_{n-2} + \cdots + c_L a_{n-L} \qquad \text{for all } L \le n \le N-1. \tag{2}$$
If $(a_n)$ starts with $N-1$ zeros then we define $L(a_n, N) = 0$ if $a_{N-1} = 0$ and $L(a_n, N) = N$ if $a_{N-1} = 1$. The sequence $(L(a_n, N))_{N=2}^{\infty}$ is called the linear complexity profile of $(a_n)$. The linear complexity of $(a_n)$ is defined by $L(a_n) = \sup_{N \ge 2} L(a_n, N)$.
Linear complexity and linear complexity profile are important cryptographic characteristics of sequences and provide information on their predictability and thus on their unsuitability for cryptography. Hence, a low linear complexity (profile) has turned out to be undesirable in cryptography. More precisely, a good pseudorandom sequence should have a linear complexity close to the period $t$ and a linear complexity profile which follows closely the $N/2$-line for $N \le 2t$ (see [26, p. 53]). We continue the work of [15] and [17] and determine the exact value of the linear complexity of the sequence (1) in many cases. Roughly speaking, we can determine the exact linear complexity whenever we know the value of certain cyclotomic numbers and the factorization of $X^{q-1} - 1$ over $\mathbb{F}_2$, i.e., the factorization of the corresponding cyclotomic polynomials. Unconditionally, we prove a general lower bound on the linear complexity profile as well. After recalling some basic results on linear recurring sequences in Section 2, we describe the general method for determining the linear complexity of the sequence (1) in Section 3. In the following sections we use this method to deduce explicitly the linear complexity in several cases. Section 7 contains the proof of the lower bound on the linear complexity profile. In the appendix we summarize known results on cyclotomic numbers needed in the proofs of the explicit formulas.
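As an added illustration (this script is not from the paper and not the authors' own code), the following Python program builds one period of the sequence (1) for a prime $q$ and computes its linear complexity profile with the Berlekamp–Massey algorithm over $\mathbb{F}_2$. It assumes $q$ is prime (the paper allows any odd prime power), so that $\mathbb{F}_q = \mathbb{Z}/q\mathbb{Z}$ and $\eta$ is Euler's criterion; the primitive roots in `PRIMITIVE_ROOT` are a constructed lookup table and every function name is the script's own. Running Berlekamp–Massey on two full periods returns $L(s_n)$ exactly, which can be compared with the values $q-1$, $q-1$, $q-2$ and $q-5$ that Theorems 1 and 2 below give for $q = 7, 11, 13$ and $41$, and with $L = 14$ for $q = 17$ (Proposition 1 together with Remark 4 after Theorem 1).

```python
# Added example, not from the paper. Assumption: q is an odd prime, so F_q = Z/qZ,
# the quadratic character eta is Euler's criterion, and alpha is a primitive root
# taken from the constructed table below (each entry verified by hand).
PRIMITIVE_ROOT = {7: 3, 11: 2, 13: 2, 17: 3, 41: 6}


def eta(a, q):
    """Quadratic character of F_q (q prime): eta(0) = 0, +1 on squares, -1 otherwise."""
    a %= q
    if a == 0:
        return 0
    return 1 if pow(a, (q - 1) // 2, q) == 1 else -1


def slce(q):
    """One period of the Sidel'nikov-Lempel-Cohn-Eastman sequence (1):
    s_n = 1 iff eta(alpha^n + 1) = -1, for n = 0, ..., q-2."""
    g = PRIMITIVE_ROOT[q]
    return [1 if eta(pow(g, n, q) + 1, q) == -1 else 0 for n in range(q - 1)]


def linear_complexity_profile(a):
    """Berlekamp-Massey over F_2.  Returns [L(a_n, N) for N = 1, ..., len(a)],
    i.e. the N-th linear complexity after the first N terms a_0, ..., a_{N-1}."""
    n = len(a)
    c = [1] + [0] * n          # connection polynomial C(X) = 1 + c_1 X + ... + c_L X^L
    b = [1] + [0] * n          # copy of C(X) from the last length change
    L, m = 0, -1               # current length, index of the last length change
    profile = []
    for N in range(n):
        # discrepancy d = a_N + c_1 a_{N-1} + ... + c_L a_{N-L} (mod 2)
        d = a[N]
        for i in range(1, L + 1):
            d ^= c[i] & a[N - i]
        if d:
            t = c[:]
            shift = N - m      # C(X) <- C(X) + X^{N-m} B(X)
            for i in range(n + 1 - shift):
                c[i + shift] ^= b[i]
            if 2 * L <= N:     # the length must grow to explain the discrepancy
                L, m, b = N + 1 - L, N, t
        profile.append(L)
    return profile


def linear_complexity(q):
    """L(s_n) of the (q-1)-periodic sequence: 2(q-1) terms determine it exactly,
    because the linear complexity of a sequence of period t is at most t."""
    s = slce(q)
    return linear_complexity_profile(s + s)[-1]


if __name__ == "__main__":
    for q in sorted(PRIMITIVE_ROOT):
        s = slce(q)
        prof = linear_complexity_profile(s + s)
        print(f"q={q:2d} period={q-1:2d} L(s_n)={prof[-1]:2d} "
              f"profile at N=2,4,...: {prof[1:2*(q-1):2]}")
```

The printed profile lets one compare $L(s_n, N)$ with the $N/2$-line mentioned above for $N \le 2(q-1)$; beyond two periods the profile is constant and equals $L(s_n)$.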
2. Basic Results on Linear Recurring Sequences
In this section we recall some concepts and facts from the theory of linear recurring sequences over finite fields (see [20, Chapter 6] and [4]). Let $(a_n)$ be a sequence over $\mathbb{F}_2$. A polynomial of the form

$$f(X) = 1 + c_1 X + c_2 X^2 + \cdots + c_L X^L \in \mathbb{F}_2[X]$$

is called a characteristic polynomial (or zero polynomial) of the sequence $(a_n)$ if

$$a_n = c_1 a_{n-1} + c_2 a_{n-2} + \cdots + c_L a_{n-L} \qquad \text{for all } n \ge L.$$
For instance, a periodic sequence $(a_n)$ with period $t$ has $1 + X^t$ as a characteristic polynomial, and any sequence over $\mathbb{F}_2$ admitting a characteristic polynomial is ultimately periodic. A characteristic polynomial of minimal degree $L$ is called minimal polynomial of $(a_n)$. The minimal polynomial of a periodic sequence is uniquely defined. The following lemma [4, Lemma 8.2.1] describes the computation of the minimal polynomial of a periodic sequence.

Lemma 1. Let $(a_n)$ be a sequence of period $t$ over $\mathbb{F}_2$ and

$$S(X) := a_0 + a_1 X + \cdots + a_{t-1} X^{t-1}.$$

Then the minimal polynomial $m(X)$ of $(a_n)$ is given by

$$m(X) = \frac{X^t - 1}{\gcd(X^t - 1, S(X))}$$

and the linear complexity of $(a_n)$ is $t - \deg(\gcd(X^t - 1, S(X)))$.
If $t = 2^s r$ with an odd $r$ then we have $X^t - 1 = (X^r - 1)^{2^s}$ and we are interested in the multiplicities of the $r$th roots of unity as roots of the polynomial $S(X)$. We employ the $k$th Hasse derivative (cf. [12]) $S(X)^{(k)}$ of $S(X)$, which is defined to be

$$S(X)^{(k)} = \sum_{n=k}^{q-2} \binom{n}{k} a_n X^{n-k}.$$
The multiplicity of $\xi$ as zero of $S(X)$ is $v$ if $S(\xi) = S(\xi)^{(1)} = \cdots = S(\xi)^{(v-1)} = 0$ and $S(\xi)^{(v)} \ne 0$ (cf. [20, Lemma 6.51]).
3. Binomial Coefficients, Cyclotomic Numbers, and Cyclotomic Polynomials
The binomial coefficients modulo 2 appearing in $S(X)^{(k)}$ can be evaluated with Lucas' congruence (cf. [11, 21])

$$\binom{n}{k} \equiv \binom{n_0}{k_0} \cdots \binom{n_l}{k_l} \bmod 2,$$

if $n_0, \ldots, n_l$ and $k_0, \ldots, k_l$ are the bits in the binary representation of $n$ and $k$, respectively. Thus we have $\binom{n}{k} \equiv 1 \bmod 2$ if and only if $n_i \ge k_i$ for $i = 1, \ldots, l$. Moreover, if $k < 2^l$ and $n \equiv i \bmod 2^l$ then we have

$$\binom{n}{k} \equiv \binom{i}{k} \bmod 2. \tag{3}$$
Let $d > 1$ be a divisor of $q - 1$. The cyclotomic classes of order $d$ give a partition of $\mathbb{F}_q^* := \mathbb{F}_q \setminus \{0\}$ defined by

$$D_0 := \{\alpha^{id} : 0 \le i \le (q-1)/d - 1\} \qquad \text{and} \qquad D_j := \alpha^j D_0, \quad 1 \le j \le d-1.$$

The cyclotomic numbers $(i, j)_d$ of order $d$ are defined by

$$(i, j)_d = |(D_i + 1) \cap D_j|, \qquad 0 \le i, j \le d-1.$$
(For monographs on cyclotomic numbers see [2, 30].) Put $l = 1$ if $k = 0$ and $l = \lfloor \log_2(k) \rfloor + 1$ if $k \ge 1$. For the sequence $(s_n)$ defined by (1) we can express $S(1)^{(k)}$, $k = 0, 1, \ldots, 2^l - 1$, in terms of cyclotomic numbers of order $2^l$ using (3),

$$S(1)^{(k)} = \sum_{\substack{i=k\\ \binom{i}{k} \equiv 1 \bmod 2}}^{2^l - 1} \ \sum_{j=0}^{2^{l-1}-1} (i, 2j+1)_{2^l}. \tag{4}$$
More generally, if $r$ is an odd divisor of $q-1$ and $\xi$ a primitive $r$th root of unity over $\mathbb{F}_2$ then for the sequence $(s_n)$ defined by (1) we can express $S(\xi)^{(k)}$ in terms of cyclotomic numbers of order $2^l r$,

$$\begin{aligned}
S(\xi)^{(k)} &= \sum_{n=k}^{q-2} \binom{n}{k} s_n \xi^{n-k}
= \sum_{h=0}^{r-1} \ \sum_{\substack{n=k\\ n \equiv h+k \bmod r}}^{q-2} \binom{n}{k} s_n \xi^h \\
&= \sum_{h=0}^{r-1} \ \sum_{\substack{i=k\\ \binom{i}{k} \equiv 1 \bmod 2}}^{2^l-1} \ \sum_{\substack{n=k\\ n \equiv i \bmod 2^l\\ n \equiv h+k \bmod r}}^{q-2} s_n \xi^h
= \sum_{h=0}^{r-1} \ \sum_{\substack{i=k\\ \binom{i}{k} \equiv 1 \bmod 2}}^{2^l-1} \ \sum_{j=0}^{2^{l-1} r - 1} (u(h,i), 2j+1)_{2^l r}\, \xi^h,
\end{aligned} \tag{5}$$
where $u(h, i)$ is (by the Chinese Remainder Theorem) the unique integer $u$ with $0 \le u \le 2^l r - 1$, $u \equiv h + k \bmod r$, and $u \equiv i \bmod 2^l$. The polynomial

$$\Phi_d(X) = \prod_{\substack{j=1\\ \gcd(j,d)=1}}^{d-1} (X - \xi^j) \in \mathbb{F}_2[X],$$

where $\xi$ is a primitive $d$th root of unity over $\mathbb{F}_2$, is called the $d$th cyclotomic polynomial over $\mathbb{F}_2$. Trivially we have for odd $r$,

$$X^r - 1 = \prod_{d \mid r} \Phi_d(X).$$
Denote the order of 2 modulo $d$ by $w$. Then $\Phi_d(X)$ is the product of $\varphi(d)/w$ distinct monic irreducible polynomials of degree $w$ over $\mathbb{F}_2$ (see [16, Theorem 1.5.4]), where $\varphi$ is Euler's totient function. In particular, $\Phi_d(X)$ is irreducible over $\mathbb{F}_2$ if and only if $w = \varphi(d)$. If $f(X) = X^w + g(X)$ with a polynomial $g(X)$ of degree at most $w-1$ is an irreducible factor of $\Phi_d(X)$ and $\xi$ is a zero of $f(X)$, then by reducing $\xi^w$ by $g(\xi)$ we can write $S(\xi)^{(k)}$ in the form

$$S(\xi)^{(k)} = \sum_{i=0}^{w-1} U_i \xi^i,$$
where $U_i$ can be expressed in terms of cyclotomic numbers. Since $1, \xi, \ldots, \xi^{w-1}$ are linearly independent over $\mathbb{F}_2$ we have $S(\xi)^{(k)} = 0$ if and only if $U_0 = \cdots = U_{w-1} = 0$, which is equivalent to a certain condition on the cyclotomic numbers or the sequence elements, respectively. In the following sections we describe how these ideas can be explicitly applied to obtain exact values of the linear complexity in several cases.
4. On the Multiplicity of 1
First we focus on the multiplicity of 1 as a root of $S(X)$. Our first Proposition states in which cases $(X+1)^i$ divides $\gcd(X^{q-1} + 1, S(X))$ over $\mathbb{F}_2$ for $i = 1, 2, 3, 4$. For the proof we have to evaluate the $k$th Hasse derivative of $S(X)$ at 1 for $k = 0, 1, 2, 3$. In the proof of Proposition 1 we will need the cyclotomic numbers of orders 2 and 4 (cf. [2, 5, 17, 30]),

$$(1,1)_2 = (q-1)/4 \qquad \text{if } q \equiv 1 \bmod 4,$$

and

$$(2,1)_4 = (2,3)_4 = (3,1)_4 = (q + 1 - 2x)/16, \qquad (3,3)_4 = (q - 3 + 2x + 8y)/16$$

if $q \equiv 1 \bmod 8$ and

$$q = x^2 + 4y^2, \qquad x \equiv 1 \bmod 4, \tag{6}$$

and if $q = p^m$ with a prime $p \equiv 1 \bmod 4$ additionally $\gcd(q, x) = 1$. Note that the sign of $y$ is ambiguously determined, which is a consequence of the freedom to choose the primitive element $\alpha$.

Proposition 1.
(i) $X + 1$ divides $\gcd(X^{q-1} + 1, S(X))$ if and only if $q \equiv 1 \bmod 4$.
(ii) $(X+1)^2$ divides $\gcd(X^{q-1} + 1, S(X))$ if and only if $q \equiv 1 \bmod 8$.
(iii) $(X+1)^i$, $i = 3, 4$, divides $\gcd(X^{q-1} + 1, S(X))$ if and only if $q \equiv 1 \bmod 8$ and $(q-1)/8 + y/2$ is even, where $y$ is determined (up to sign) from the representation (6) of $q$.

Proof. For $k = 0, 1, 2, 3$ we evaluate the $k$th Hasse derivative at 1 to estimate the multiplicity of 1 as a root of $S(X)$. The additions will be performed modulo 2. For $k = 0$ the value $S(1)$ is equal to the number of non-squares in $\mathbb{F}_q^*$, i.e.,

$$S(1) = \sum_{n=0}^{q-2} s_n = (q-1)/2.$$

Thus $S(1) = 0$ if and only if $q \equiv 1 \bmod 4$. If $k = 1$ and $q \equiv 1 \bmod 4$ then with (4) we get $S(1)^{(1)} = (1,1)_2 = (q-1)/4$, and $S(1)^{(1)} = 0$ if and only if $q \equiv 1 \bmod 8$. Note that in this case $(X+1)^2$ also divides $X^{q-1} + 1$. If $q \equiv 1 \bmod 8$ then $(X+1)^4$ divides $X^{q-1} + 1$, and (4) yields

$$S(1)^{(2)} = (2,1)_4 + (2,3)_4 + (3,1)_4 + (3,3)_4 = (3,1)_4 + (3,3)_4 = \frac{q+1-2x}{16} + \frac{q-3+2x+8y}{16} = \frac{q-1}{8} + \frac{y}{2}.$$

For the third Hasse derivative of $S(X)$ at 1, with (4) we get $S(1)^{(3)} = (3,1)_4 + (3,3)_4 = S(1)^{(2)}$, which completes the proof.
Parts (i) and (ii) of Proposition 1 have already been known [15, 17]. Part (iii) was conjectured in [17] (Remark after Corollary 1), where also a partial proof was presented. The following results are new. Employing the cyclotomic numbers of order 8 we can evaluate the $k$th Hasse derivative of $S(X)$ at 1 for $k = 4, 5, 6, 7$. The cyclotomic numbers of order 8 are provided in the Appendix. It has to be distinguished whether 2 is a fourth power in $\mathbb{F}_q$ or not. We will implicitly use the following Lemma (see [2, Corollary 2.6.6] or [30, Theorem 7]).

Lemma 2. For $q \equiv 1 \bmod 8$, 2 is a fourth power in $\mathbb{F}_q$ if and only if $q = x^2 + 64y^2$ for some integers $x$ and $y$ with $\gcd(q, x) = 1$ if $q = p^m$ with a prime $p \equiv 1 \bmod 4$. Equivalently, 2 is a fourth power if and only if $y \equiv 0 \bmod 4$ in the representation (6) of $q$.

Due to Proposition 1 we are just interested in the case that $(q-1)/8 + y/2$ is even, i.e., either $q \equiv 1 \bmod 16$ and 2 is a fourth power in $\mathbb{F}_q$ (Case I) or $q \equiv 7 \bmod 16$ and 2 is not a fourth power in $\mathbb{F}_q$ (Case II). Moreover, let $q$ have the representation

$$q = a^2 + 2b^2, \qquad a \equiv 1 \bmod 4, \tag{7}$$

and $\gcd(a, q) = 1$ if $q = p^m$ with a prime $p \equiv 1$ or $3 \bmod 8$.

Proposition 2. Let $q \equiv 1 \bmod 8$ have the representations (6) and (7).
(i) $(X+1)^i$, $i = 5, 6$, divides $\gcd(X^{q-1}+1, S(X))$ if and only if $q \equiv 1 \bmod 16$ and 2 is a fourth power in $\mathbb{F}_q$.
(ii) $(X+1)^i$, $i = 7, 8$, divides $\gcd(X^{q-1}+1, S(X))$ if and only if $q \equiv 1 \bmod 16$, 2 is a fourth power in $\mathbb{F}_q$, and $(q-1)/16 + (b+y)/4$ is even.

Proof. First we note that $(X+1)^8$ divides $X^{q-1}+1$ if $q \equiv 1 \bmod 8$. We evaluate the $k$th Hasse derivatives of $S(X)$ at 1 for $k = 4, 5, 6, 7$. All additions are performed modulo 2. Equation (4) yields

$$S(1)^{(4)} = \sum_{i \in I,\, j \in J} (i,j)_8 \qquad \text{with } I = \{4,5,6,7\},\ J = \{1,3,5,7\},$$

$$S(1)^{(5)} = \sum_{i \in I,\, j \in J} (i,j)_8 \qquad \text{with } I = \{5,7\},\ J = \{1,3,5,7\},$$

$$S(1)^{(6)} = \sum_{i \in I,\, j \in J} (i,j)_8 \qquad \text{with } I = \{6,7\},\ J = \{1,3,5,7\},$$

$$S(1)^{(7)} = (7,1)_8 + (7,3)_8 + (7,5)_8 + (7,7)_8.$$
Since otherwise $(X+1)^4$ does not divide $S(X)$ we may assume that $(q-1)/8 + y/2$ is even. In both cases applying the tables in the Appendix we get

$$S(1)^{(4)} = S(1)^{(5)} = (5,5)_8 + (7,7)_8 = (5,5)_8 + (5,5)_8 + \frac{y}{2} = \frac{y}{2},$$

which is 0 in Case I and 1 in Case II. In Case I we further determine $S(1)^{(6)}$ and $S(1)^{(7)}$ and get

$$S(1)^{(6)} = S(1)^{(7)} = (7,5)_8 + (7,7)_8 = \frac{x-1}{8} + \frac{y+b}{4}.$$

Thus we have $S(1)^{(6)} = S(1)^{(7)} = 0$ if and only if $(x-1)/8 \equiv (y+b)/4 \bmod 2$. Since in the representation of $q = x^2 + 4y^2$ with $x \equiv 1 \bmod 4$ we have $x \equiv 1 \bmod 16$ if and only if $q \equiv 1 \bmod 32$, we have $(x-1)/8 \equiv (q-1)/16 \bmod 2$, which completes the proof.
5. Some Special Roots of Prime Order
To obtain the exact linear complexity in the general case we need to know the multiplicity of all $(q-1)$st roots of unity as roots of $S(X)$. First we consider a case where 1 is the only possible common root of $X^{q-1} + 1$ and $S(X)$.

Proposition 3. Let $r$ be an odd prime divisor of $q-1$. If 2 is a primitive root mod $r$ and $r \ge q^{1/2} + 1$ then for each $r$th root of unity $\beta \ne 1$ we have $S(\beta) \ne 0$.

Proof. Since $\beta^r = 1$ we get

$$S(\beta) = \sum_{n=0}^{q-2} s_n \beta^n = \sum_{h=0}^{r-1} \ \sum_{j=0}^{(q-1)/r - 1} s_{h+jr}\, \beta^h.$$

Note that the least residue of $(q-1)/2$ modulo $r$ is 0. Since 2 is a primitive root mod $r$ the polynomial $\Phi_r(X) = 1 + X + \cdots + X^{r-1}$ is irreducible. Consequently we have $\Phi_r(\beta) = 0$, and $\beta, \ldots, \beta^{r-1}$ are linearly independent over $\mathbb{F}_2$. Then $S(\beta) = 0$ implies

$$\sum_{j=0}^{(q-1)/r-1} s_{h+jr} = \sum_{j=0}^{(q-1)/r-1} s_{jr}, \qquad h = 1, \ldots, r-1.$$

Note that

$$(-1)^{s_n} = \eta(\alpha^n + 1), \qquad n \ne (q-1)/2, \tag{8}$$
and

$$\prod_{j=0}^{(q-1)/r-1} (\alpha^{jr} X + 1) = 1 - X^{(q-1)/r}.$$

Hence,

$$(-1)^{\sum_{j=0}^{(q-1)/r-1} s_{h+jr}} = \prod_{j=0}^{(q-1)/r-1} \eta(\alpha^{h+jr} + 1) = \eta\big(1 - \alpha^{h(q-1)/r}\big)$$

has the same value for all $h = 1, \ldots, r-1$. Now

$$r - 1 = \left| \sum_{h=0}^{r-1} \eta\big(1 - \alpha^{h(q-1)/r}\big) \right| = \frac{r}{q-1} \left| \sum_{h=0}^{q-2} \eta\big(1 - \alpha^{h(q-1)/r}\big) \right| \le \frac{r}{q-1} \left( \left( \frac{q-1}{r} - 1 \right) q^{1/2} + 1 \right) < q^{1/2}$$

by Weil's bound for character sums (see e.g., [20, Theorem 5.41]), contradicting our assumption on $r$.

According to (5) for any odd divisor $r$ of $q-1$ we can express the $k$th Hasse derivative of $S(X)$ at a primitive $r$th root of unity $\xi$ in terms of cyclotomic numbers. Since in general the determination of cyclotomic numbers of order $d$ is difficult if $d$ is not small, we can utilize these relations solely for small $r$. As an example we consider the case $r = 3$. Let $q = p^m \equiv 1 \bmod 6$ be a prime power with a prime $p$ and (up to the sign of $B$ unique) decomposition

$$q = A^2 + 3B^2, \qquad A \equiv 1 \bmod 3, \tag{9}$$
and additionally $\gcd(A, q) = 1$ if $p \equiv 1 \bmod 6$.

Proposition 4. Let $q \equiv 1 \bmod 6$ be a prime power with decomposition (9). Then $X^2 + X + 1$ divides $\gcd(X^{q-1}+1, S(X))$ if and only if

$$q \equiv 1 \bmod 12 \qquad \text{and} \qquad \frac{A-1}{6} \equiv \frac{B}{2} \bmod 2,$$

and $(X^2+X+1)^2$ divides $\gcd(X^{q-1}+1, S(X))$ if and only if additionally $\frac{B}{2} \equiv 0 \bmod 2$.
Proof. Let $\xi$ be a primitive 3rd root of unity in an extension field of $\mathbb{F}_2$; then $\xi$ and $\xi^2 = \xi + 1$ are the roots of the irreducible polynomial $X^2 + X + 1 \in \mathbb{F}_2[X]$. Hence $X^2 + X + 1$ divides a polynomial $g(X)$ if and only if $g(\xi) = 0$. By definition of $\xi$ and $q$ we have $\xi^{q-1} + 1 = 0$, and for $r = 3$ Equation (5) yields

$$S(\xi) = S_1 + S_2\, \xi,$$

where

$$S_1 = \frac{q-1}{2} - (1,1)_6 - (1,3)_6 - (1,5)_6 - (4,1)_6 - (4,3)_6 - (4,5)_6$$

and

$$S_2 = \frac{q-1}{2} - (0,1)_6 - (0,3)_6 - (0,5)_6 - (3,1)_6 - (3,3)_6 - (3,5)_6.$$

Since 1 and $\xi$ are linearly independent over $\mathbb{F}_2$ we have $S(\xi) = 0$ if and only if $S_1 = S_2 = 0$. Verify that (9) implies

$$A \equiv \begin{cases} 1 \bmod 6, & \text{if } q \equiv 1 \bmod 12,\\ 4 \bmod 6, & \text{if } q \equiv 7 \bmod 12. \end{cases}$$

Using the tables for cyclotomic numbers of order 6 in the Appendix we get in the case $q \equiv 1 \bmod 12$, $S(\xi) = 0$ if and only if

$$\frac{A-1}{6} \equiv \frac{B}{2} \bmod 2.$$

In the case $q \equiv 7 \bmod 12$ we have $S_2 = (A-1)/3 = 1$ and thus $S(\xi) \ne 0$. For $r = 3$ Equation (5) and $\xi^2 = \xi + 1$ yield

$$S^{(1)}(\xi) = (1,1)_6 + (1,3)_6 + (1,5)_6 + (3,1)_6 + (3,3)_6 + (3,5)_6 + \big((3,1)_6 + (3,3)_6 + (3,5)_6 + (5,1)_6 + (5,3)_6 + (5,5)_6\big)\, \xi.$$

Using the tables in the Appendix for the case $q \equiv 1 \bmod 12$ we get $S^{(1)}(\xi) = 0$ if and only if $\frac{B}{2} \equiv 0 \bmod 2$, which completes the proof.
For the remainder of this section let $r$ be an odd prime and let $p$ be a prime such that the order $v$ of $p$ modulo $r$ is even. In [1] formulas for the cyclotomic numbers of order $2r$ over $\mathbb{F}_q$ with $q = p^{uv} \equiv 1 \bmod 2r$, $u \ge 1$, have been provided, which do not depend on any decomposition of $q$. We will utilize the following result (see [1, Theorem 5]):
(i) $(0,j)_{2r} = (j,0)_{2r} = (j,j)_{2r}$,
(ii) $4r^2 (0,j)_{2r} = q - 2r + 1 + 2(r-1)(-1)^u q^{1/2} =: 4r^2 A$ for $j \not\equiv 0 \bmod 2r$,
(iii) $4r^2 (i,j)_{2r} = q + 1 - 2(-1)^u q^{1/2} =: 4r^2 B$ for $i, j, i-j \not\equiv 0 \bmod 2r$.

Proposition 5. Let $q = p^{uv}$, $u \ge 1$, where $p$ is a prime, $v$ is the order of $p$ modulo $r$ for an odd prime divisor $r$ of $q-1$, and $v$ is even. Suppose that 2 is a primitive root modulo $r$. Then the polynomial $g_r(X) := X^{r-1} + \cdots + 1$ divides $\gcd(X^{q-1}+1, S(X))$ if and only if $q^{1/2} \equiv (-1)^u \bmod 4$.

Proof. Let $\xi \ne 1$ be an $r$th root of unity over $\mathbb{F}_2$; then $g_r(X)$ divides $\gcd(X^{q-1}+1, S(X))$ if and only if $S(\xi) = 0$. With (5) we get

$$S(\xi) = \sum_{h=0}^{r-1} \left( \sum_{j=0}^{r-1} \big((h, 2j+1)_{2r} + (h+r, 2j+1)_{2r}\big) \right) \xi^h = \sum_{h=1}^{r-1} T_h\, \xi^h,$$

where

$$T_h = \sum_{j=0}^{r-1} \big((h, 2j+1)_{2r} + (h+r, 2j+1)_{2r} - (0, 2j+1)_{2r} - (r, 2j+1)_{2r}\big).$$

Since $\xi, \ldots, \xi^{r-1}$ are linearly independent we have $S(\xi) = 0$ if and only if for all $h = 1, \ldots, r-1$ we have $T_h = 0$. With (i)–(iii) we get for $1 \le h \le r-1$

$$T_h = A + (2r-1)B - rA - A - (r-1)B = B - A \in \mathbb{F}_2.$$

The formulas in (ii) and (iii) yield $B - A = (1 - (-1)^u q^{1/2})/(2r)$, which is 0 modulo 2 if and only if $(-1)^u q^{1/2} \equiv 1 \bmod 4$.
6. Exact Values for the Linear Complexity
Now we are able to formulate our main results on exact values of the linear complexity of the sequences $(s_n)$ defined by (1).

Theorem 1. Let $q$ be a prime power of the form $q = 2^s r + 1$, where $r$ is an odd prime such that 2 is a primitive root modulo $r$. Then the linear complexity $L$ of $(s_n)$ is
$L = q - 1$ if $s = 1$,
$L = q - 2$ if $s = 2$,
$L = q - 3$ if $s = 3$ and 2 is a fourth power in $\mathbb{F}_q$, or $s \ge 4$, $r \ge q^{1/2} + 1$, and 2 is not a fourth power in $\mathbb{F}_q$,
$L = q - 5$ if $s = 3$ and 2 is not a fourth power in $\mathbb{F}_q$,
$L = q - 7$ if $s \ge 4$, $r \ge q^{1/2} + 1$, 2 is a fourth power in $\mathbb{F}_q$, and $(q-1)/16 + (b+y)/4$ is odd,
where $y$ and $b$ are the up to sign uniquely determined integers from the representations (6) and (7). The minimal polynomial of $(s_n)$ is given by

$$\frac{X^{q-1} + 1}{(X+1)^{q-1-L}}$$

if $s \le 3$ or $s \ge 4$ and $r \ge q^{1/2} + 1$.

Proof. For $r \ge q^{1/2} + 1$ the result follows from Propositions 1, 2, and 3. For $s = 1$ ($r = (q-1)/2$) we may either check the remaining case $q = 7$ or use the character sum value $\sum_{x \in \mathbb{F}_q} \eta(x^2 - 1) = -1$ (see e.g., [16, Lemma 7.3.7]) instead of Weil's bound. For $s = 2$ ($r = (q-1)/4$) in the remaining case $q = 13$ and for $s = 3$ ($r = (q-1)/8$) in the remaining cases $q = 25$ and $41$ it can be easily checked that (8) is not valid.

Remarks.
1. The case $s = 1$ is [15, Theorem 13] and the case $s = 2$ is [17, Theorem 3].
2. If $r$ is a prime such that 2 is a primitive root modulo $r$ and $r \ge q^{1/2} + 1$ then we have $L \ge 2^s (r-1)$.
3. Note also that under the conditions of Proposition 5 with $q^{1/2} \not\equiv (-1)^u \bmod 4$ we have $L \ge 2^s (r-1)$ if $2^s$ is a divisor of $q-1$.
4. Obviously, the result of the theorem holds also true for $r = 1$. In this case the sequence $(s_n)$ has least period $2^s$ and in general we have $L \ge 2^{s-1} + 1 = (q+1)/2$ by [3, Proposition 2].
5. The last statement of the theorem intersects with [17, Theorem 4].

Combining Theorem 1 and Proposition 4 yields the following Theorem on prime powers of the form $q = 2^s 3 + 1$.

Theorem 2. Let $q$ be a prime power of the form $q = 2^s 3 + 1$, $s \ge 1$. Then for $s = 1, 2$, and 3 the linear complexity $L$ of $(s_n)$ is 6, 11 and 20, respectively. For $s \ge 4$ let $q$ have the decomposition (9). If $s \ge 4$ and 2 is not a fourth power in $\mathbb{F}_q$, then $L = q - 3$ if $(A-1)/6 \not\equiv B/2 \bmod 2$, and $L = q - 5$ if $(A-1)/6 \equiv B/2 \equiv 1 \bmod 2$. If $s \ge 4$, 2 is a fourth power in $\mathbb{F}_q$, and $(q-1)/16 + (b+y)/4$ is odd, where $y$ and $b$ are as in Theorem 1, then $L = q - 7$ if $(A-1)/6 \not\equiv B/2 \bmod 2$, and $L = q - 9$ if $(A-1)/6 \equiv B/2 \equiv 1 \bmod 2$.

Remarks.
1. Note that in the case $p \equiv 5 \bmod 6$ we have

$$A = \begin{cases} q^{1/2}, & \text{if } m \equiv 0 \bmod 4,\\ -q^{1/2}, & \text{if } m \equiv 2 \bmod 4, \end{cases}$$

and $B = 0$. Hence, $(A-1)/6 \equiv 0 \bmod 2$ if and only if $p \equiv 11 \bmod 12$ or $p \equiv 5 \bmod 12$ and $m \equiv 0 \bmod 4$.
2. For the following $s$ we get large primes of the form $3 \cdot 2^s + 1$ (see [4, Table 5.1]): $s = 189, 201, 209, 276, 353, 408, 438, 534$.
7. A Lower Bound on the Linear Complexity Profile
The following theorem establishes a lower bound on the linear complexity profile of the Sidel'nikov–Lempel–Cohn–Eastman sequence $(s_n)$.

Theorem 3. The linear complexity profile $L(s_n, N)$ of $(s_n)$ satisfies

$$L(s_n, N) \ge \min\left( \frac{N - q^{1/2} \log q - 1}{q^{1/2} \log q + 2},\ \frac{q-1}{q^{1/2} \log q + 1} \right), \qquad N \ge 2.$$
Proof. Suppose that $(s_n)$ satisfies the recurrence relation (2) for $0 \le n \le N - L - 1$. If we put $c_L = 1$ then we have

$$\sum_{l=0}^{L} c_l s_{n+l} = 0 \in \mathbb{F}_2 \qquad \text{for } 0 \le n \le \min(N - L, q - 1) - 1.$$

Note that for $m \ne (q-1)/2$ we have $\eta(\alpha^m + 1) = (-1)^{s_m}$. Thus

$$\eta\left( \prod_{l=0}^{L} (\alpha^l \alpha^n + 1)^{c_l} \right) = \prod_{l=0}^{L} \eta(\alpha^l \alpha^n + 1)^{c_l} = \prod_{l=0}^{L} (-1)^{c_l s_{n+l}} = (-1)^{\sum_{l=0}^{L} c_l s_{n+l}} = 1, \qquad 0 \le n \le \min\left(N - L - 1, \frac{q-3}{2} - L\right),$$

and

$$\eta\left( \prod_{l=0}^{L} (\alpha^l \alpha^n + 1)^{c_l} \right) = 0, \qquad \frac{q-1}{2} - L \le n \le \frac{q-1}{2}.$$

Consequently,

$$\min(N - L, q - 1) - L - 1 \le \left| \sum_{n=0}^{N-L-1} \eta\left( \prod_{l=0}^{L} (\alpha^l \alpha^n + 1)^{c_l} \right) \right| \le (L+1)\, q^{1/2} \log q,$$

where the last step follows from [27, Lemma 3.3]. The bound immediately follows from the above inequality.

Corollary 1. For the linear complexity we have

$$L(s_n) \ge q^{1/2} - 1.$$

Proof. We get the result in the same way but estimate complete character sums

$$q - L - 1 \le \left| \sum_{x \in \mathbb{F}_q} \eta\left( \prod_{l=0}^{L} (\alpha^l x + 1)^{c_l} \right) \right| \le L\, q^{1/2},$$

where we used Weil's bound (see e.g., [20, Theorem 5.41]).
8. Final Remarks
Similar results on the linear complexity of related sequences, Legendre sequences and two-prime generators, can be found in [4, 6, 8, 23, 31]. Besides linear complexity and linear complexity profile, the autocorrelation is an important measure for the randomness of sequences. Results on the autocorrelation of the sequences $(s_n)$ and related sequences can be found in [7, 9, 22, 24, 29]. The cyclotomic numbers can be expressed in terms of solutions of certain Diophantine equations. In particular, if we search for an integer solution $(a, b)$ of $p = a^2 + db^2$ for given $d$ (as needed for cyclotomic numbers of orders 4, 6, and 8) then we can use a straightforward modification of the (probabilistic) polynomial time algorithm of [25]. We restricted ourselves to the case that $X^{r-1} + \cdots + 1$ is irreducible. However, we can also prove similar results if we know the factorization of this polynomial. For example if $r = 7$ then

$$X^6 + X^5 + \cdots + 1 = (X^3 + X^2 + 1)(X^3 + X + 1)$$

with irreducible factors and we can deal with cyclotomic numbers of order 14. Sidel'nikov sequences can be considered over any residue ring $\mathbb{Z}_M$ modulo $M$. Several results on the linear complexity $L$ over $\mathbb{Z}_p$ of Sidel'nikov sequences have recently been obtained (see [9, 10, 13, 14] and the references therein). For results on arbitrary $M$ see [28].

Acknowledgments

The first author was supported by DSTA research grant R-394-000-011422. The second author was supported by the Austrian Academy of Sciences and by the FWF research grant S8313.

Appendix

Cyclotomic numbers of order 6

References for the following formulas of cyclotomic numbers of order 6 are [4, 5, 30]. Let $q \equiv 1 \bmod 6$ be a prime power with decomposition (9). Moreover, let $2 = \alpha^M$.
Case Ia: $q \equiv 1 \bmod 12$ and $M \equiv 0 \bmod 3$
$(0,1)_6 = (5,5)_6 = (q - 5 + 4A + 18B)/36$
$(0,3)_6 = (3,3)_6 = (q - 5 + 4A)/36$
$(0,5)_6 = (1,1)_6 = (q - 5 + 4A - 18B)/36$
$(1,3)_6 = (1,5)_6 = (3,1)_6 = (3,5)_6 = (4,1)_6 = (4,3)_6 = (4,5)_6 = (5,1)_6 = (5,3)_6 = (q + 1 - 2A)/36$

Case Ib: $q \equiv 1 \bmod 12$ and $M \equiv 1 \bmod 3$
$(0,1)_6 = (5,5)_6 = (q - 5 + 4A + 12B)/36$
$(0,3)_6 = (0,5)_6 = (1,1)_6 = (3,3)_6 = (q - 5 + 4A - 6B)/36$
$(1,3)_6 = (1,5)_6 = (3,1)_6 = (4,3)_6 = (4,5)_6 = (5,1)_6 = (q + 1 - 2A - 6B)/36$
$(3,5)_6 = (4,1)_6 = (5,3)_6 = (q + 1 - 2A + 12B)/36$

Case Ic: $q \equiv 1 \bmod 12$ and $M \equiv 2 \bmod 3$
$(0,1)_6 = (0,3)_6 = (3,3)_6 = (5,5)_6 = (q - 5 + 4A + 6B)/36$
$(0,5)_6 = (1,1)_6 = (q - 5 + 4A - 12B)/36$
$(1,3)_6 = (3,1)_6 = (4,3)_6 = (q + 1 - 2A - 12B)/36$
$(1,5)_6 = (3,5)_6 = (4,1)_6 = (4,5)_6 = (5,1)_6 = (5,3)_6 = (q + 1 - 2A + 6B)/36$
Case IIa: $q \equiv 7 \bmod 12$ and $M \equiv 0 \bmod 3$
$(0,1)_6 = (q + 1 - 2A + 12B)/36$
$(0,3)_6 = (q + 1 + 16A)/36$
$(0,5)_6 = (q + 1 - 2A - 12B)/36$
$(3,1)_6 = (q - 5 + 4A + 6B)/36$
$(3,3)_6 = (q - 11 - 8A)/36$
$(3,5)_6 = (q - 5 + 4A - 6B)/36$

Case IIb: $q \equiv 7 \bmod 12$ and $M \equiv 1 \bmod 3$
$(0,1)_6 = (q + 1 + 4A)/36$
$(0,3)_6 = (q + 1 + 10A - 12B)/36$
$(0,5)_6 = (q + 1 - 2A + 12B)/36$
$(3,1)_6 = (q - 5 - 2A + 6B)/36$
$(3,3)_6 = (q - 11 - 2A)/36$
$(3,5)_6 = (q - 5 + 4A - 6B)/36$

Case IIc: $q \equiv 7 \bmod 12$ and $M \equiv 2 \bmod 3$
$(0,1)_6 = (q + 1 - 2A - 12B)/36$
$(0,3)_6 = (q + 1 + 10A + 12B)/36$
$(0,5)_6 = (q + 1 + 4A)/36$
$(3,1)_6 = (q - 5 + 4A + 6B)/36$
$(3,3)_6 = (q - 11 - 2A)/36$
$(3,5)_6 = (q - 5 - 2A - 6B)/36$
Cyclotomic numbers of order 8

References for the following formulas for the cyclotomic numbers of order 8 are [4, 18, 30]. Let $q \equiv 1 \bmod 8$ be a prime power with representations (6) and (7).

Case I: $q \equiv 1 \bmod 16$ and 2 is a fourth power
$(4,1)_8 = (4,3)_8 = (4,5)_8 = (4,7)_8 = (5,1)_8 = (5,3)_8 = (6,3)_8 = (6,7)_8 = (7,1)_8 = (7,3)_8 = (q + 1 + 2x - 4a)/64$
$(5,5)_8 = (q - 7 + 2x + 4a - 16y + 16b)/64$
$(5,7)_8 = (6,1)_8 = (6,5)_8 = (7,5)_8 = (q + 1 - 6x + 4a)/64$
$(7,7)_8 = (q - 7 + 2x + 4a + 16y + 16b)/64$

Case II: $q \equiv 9 \bmod 16$ and 2 is not a fourth power
$(4,1)_8 = (4,5)_8 = (7,7)_8 = (q - 7 + 2x + 4a + 16y)/64$
$(4,3)_8 = (4,7)_8 = (5,5)_8 = (q - 7 + 2x + 4a - 16y)/64$
$(5,1)_8 = (7,3)_8 = (q + 1 + 2x - 4a + 16b)/64$
$(5,3)_8 = (6,1)_8 = (6,5)_8 = (7,1)_8 = (q + 1 + 2x - 4a)/64$
$(5,7)_8 = (6,3)_8 = (6,7)_8 = (7,5)_8 = (q + 1 - 6x + 4a)/64$

References

1. N. Anuradha and S. A. Katre, Number of points on the projective curves $aY^l = bX^l + cZ^l$ and $aY^{2l} = bX^{2l} + cZ^{2l}$ defined over finite fields, $l$ an odd prime, J. Number Th. Vol. 77 (1999) pp. 288–313.
2. B. C. Berndt, R. J. Evans and K. S. Williams, Gauss and Jacobi sums, Canadian Mathematical Society Series of Monographs and Advanced Texts, A Wiley-Interscience Publication, John Wiley & Sons, Inc., New York (1998).
3. S. R. Blackburn, T. Etzion and K. G. Paterson, Permutation polynomials, de Bruijn sequences, and linear complexity, J. Combin. Theory Ser. A Vol. 76 (1996) pp. 55–82.
4. T. W. Cusick, C. Ding and A. Renvall, Stream Ciphers and Number Theory, North-Holland Publishing Co., Amsterdam (1998).
5. L. E. Dickson, Cyclotomy, higher congruences, and Waring's problem, Amer. J. Math. Vol. 57 (1935) pp. 391–424.
6. C. Ding, Linear complexity of generalized cyclotomic binary sequences of order 2, Finite Fields and Applications Vol. 3 (1997) pp. 159–174.
7. C. Ding and T. Helleseth, On cyclotomic generator of order r, Inform. Process. Lett. Vol. 66 (1998) pp. 21–25.
8. C. Ding, T. Helleseth and W. Shan, On the linear complexity of Legendre sequences, IEEE Trans. Inf. Th. Vol. 44 (1998) pp. 1276–1278.
9. Y.-C. Eun and H.-Y. Song, One-error linear complexity over $\mathbb{F}_p$ of SLCE sequences, in: Proc. (Extended Abstracts) Intern. Conf. on Sequences and their Applications, Seoul (2004) pp. 39–43.
10. M. Garaev, F. Luca, I. E. Shparlinski and A. Winterhof, On the linear complexity over $\mathbb{F}_p$ of Sidelnikov sequences, Preprint (2004).
11. A. Granville, Arithmetic properties of binomial coefficients. I. Binomial coefficients modulo prime powers, In B. C. Burnaby (ed.), Organic mathematics 1995, CMS Conf. Proc. 20, Amer. Math. Soc., Providence, RI (1997) pp. 253–276.
12. H. Hasse, Theorie der höheren Differentiale in einem algebraischen Funktionenkörper mit vollkommenem Konstantenkörper bei beliebiger Charakteristik, J. Reine Angew. Math. Vol. 175 (1936) pp. 50–54.
13. T. Helleseth, S.-H. Kim and J.-S. No, Linear complexity over $\mathbb{F}_p$ and trace representation of Lempel-Cohn-Eastman sequences, IEEE Trans. Inform. Theory Vol. 49 (2003) pp. 1548–1552.
14. T. Helleseth, M. Maas, J. E. Mathiassen and T. Segers, Linear complexity over $\mathbb{F}_p$ of Sidel'nikov sequences, IEEE Trans. Inform. Theory Vol. 50 (2004) pp. 2468–2472.
15. T. Helleseth and K. Yang, On binary sequences with period $n = p^m - 1$ with optimal autocorrelation, In (T. Helleseth, P. Kumar, and K. Yang, eds.), Proceedings of SETA 01 (2002) pp. 209–217.
16. D. Jungnickel, Finite Fields, BI-Wissenschaftsverlag, Mannheim (1993).
17. G. M. Kyureghyan and A. Pott, On the linear complexity of the Sidelnikov-Lempel-Cohn-Eastman sequences, Designs, Codes, and Cryptography Vol. 29 (2003) pp. 149–164.
18. E. Lehmer, On the number of solutions of $u^k + D \equiv w^2 \pmod p$, Pacific J. Math. Vol. 5 (1955) pp. 103–118.
19. A. Lempel, M. Cohn and W. L. Eastman, A class of balanced binary sequences with optimal autocorrelation properties, IEEE Trans. Inform. Th. Vol. 23 (1977) pp. 38–42.
20. R. Lidl and H. Niederreiter, Finite Fields, Addison-Wesley, Reading, MA (1983).
21. M. E. Lucas, Sur les congruences des nombres eulériennes et des coefficients différentiels des fonctions trigonométriques, suivant un module premier, Bull. Soc. Math. France Vol. 6 (1878) pp. 122–127.
22. H. D. Lüke, H. D. Schotten and H. Hadinejad-Mahram, Generalized Sidelnikov sequences with optimal autocorrelation properties, Electronic Letters Vol. 36 (2000) pp. 525–527.
23. W. Meidl and A. Winterhof, Lower bounds on the linear complexity of the discrete logarithm in finite fields, IEEE Trans. Inform. Th. Vol. 47 (2001) pp. 2807–2811.
24. W. Meidl and A. Winterhof, On the autocorrelation of cyclotomic generators, Lecture Notes Comp. Sci. 2948 (2004) pp. 1–11.
25. M. O. Rabin and J. O. Shallit, Randomized algorithms in number theory, Comm. Pure Appl. Math. Vol. 39 (1986), Suppl., pp. 239–256.
26. R. A. Rueppel, Analysis and Design of Stream Ciphers, Springer, Berlin (1986).
27. I. Shparlinski, Cryptographic Applications of Analytic Number Theory. Complexity Lower Bounds and Pseudorandomness, Progress in Computer Science and Applied Logic 22, Birkhäuser, Basel (2003).
28. I. Shparlinski and A. Winterhof, On the linear complexity of bounded integer sequences over different moduli, Preprint (2004).
29. V. M. Sidel'nikov, Some k-valued pseudo-random sequences and nearly equidistant codes, Problems of Information Transmission Vol. 5 (1969) pp. 12–16; translated from Problemy Peredači Informacii Vol. 5 (1969) pp. 16–22 (Russian).
30. T. Storer, Cyclotomy and Difference Sets, Markham Publishing Co., Chicago, Ill. (1967).
31. A. Winterhof, A note on the linear complexity profile of the discrete logarithm in finite fields, In (K. Q. Feng, H. Niederreiter, and C. P. Xing, eds.), Coding, Cryptography and Combinatorics, Birkhäuser, Basel (2004) pp. 359–368.