Applied Mathematics Letters 21 (2008) 187–193 www.elsevier.com/locate/aml
On the linear complexity of generalized cyclotomic sequences with the period $p^m$

Tongjiang Yan a,b,*, Shengqiang Li b, Guozhen Xiao b
a Institute of Mathematics and Computational Science, China University of Petroleum, Dongying 257061, China
b ISN National Key Laboratory, Xidian University, Xi'an 710071, China
Received 9 December 2005; received in revised form 11 March 2007; accepted 13 March 2007
Abstract

This letter contributes to the investigation of the linear complexity of generalized cyclotomic sequences with the period $p^m$, which are contained in the sequences constructed by C. Ding and T. Helleseth in 1998, as a representative special case. The results obtained confirm that all of these sequences have high linear complexity.

© 2007 Elsevier Ltd. All rights reserved.
Keywords: Stream ciphers; Sequences; Cyclotomy; Linear complexity; Minimal polynomials
1. Introduction

Pseudo-random sequences used for stream ciphers are required to have the property of unpredictability. Balance and linear complexity are two main components that indicate this feature. If a sequence $s^\infty = (s_0, s_1, \ldots, s_i, \ldots)$ satisfies
$$ s_j + c_1 s_{j-1} + \cdots + c_L s_{j-L} = 0, \quad j \ge L, \tag{1} $$
where $L$ is a positive integer, $c_1, c_2, \ldots, c_L \in \mathrm{GF}(p^n)$, and $\mathrm{GF}(p^n)$ denotes a Galois field of order $p^n$, then the least such $L$ is called the linear complexity of the sequence $s^\infty$, denoted by $L(s^\infty)$. The Berlekamp–Massey algorithm [1] states that if $L(s^\infty) > N/2$ ($N$ is the least period of $s^\infty$), $s^\infty$ is considered good with respect to its linear complexity. The characteristic polynomials of the sequences $s^\infty = (s_0, s_1, \ldots, s_i, \ldots)$ and $s^N = (s_0, s_1, \ldots, s_{N-1})$ are defined as $s(x) = s_0 + s_1 x + \cdots + s_i x^i + \cdots = \sum_{i=0}^{\infty} s_i x^i$ and $s^N(x) = s_0 + s_1 x + \cdots + s_{N-1} x^{N-1}$ respectively. If $N$ is a period of $s^\infty$, then $m(x) = (1 - x^N)/\gcd(s^N(x), 1 - x^N)$ is called the minimal polynomial of $s^\infty$, yielding the classic equation [2]
$$ L(s^\infty) = \deg(m(x)) = N - \deg(\gcd(x^N - 1, s^N(x))). \tag{2} $$
We refer readers to [3,4] for details.

Project supported by the National Natural Science Foundation of China (No. 60473028).
* Corresponding author at: Institute of Mathematics and Computational Science, China University of Petroleum, Dongying 257061, China. Tel.: +86 5468391368. E-mail address: [email protected] (T. Yan).
doi:10.1016/j.aml.2007.03.011
In this work, $xA = \{xa \mid a \in A\}$, $x + A = \{x + a \mid a \in A\}$, $\mathrm{ord}_N(x)$ denotes the order of $x$ modulo $N$, $\gcd(a(x), b(x))$ denotes the greatest common factor of $a(x)$ and $b(x)$, and $\varphi(x)$ is the Euler function. If $g$ is an element of a group $G$, then $(g)$ denotes the subgroup generated by the element $g$ in $G$.

2. Generalized cyclotomy and sequences

Here we introduce a fact which we use in the sequel:

Lemma 1 ([5]). Let $p$ be a prime; then the following three assertions are equivalent:
1. $g$ is a primitive root of $p$ and $g^{p-1} \not\equiv 1 \pmod{p^2}$.
2. $g$ is a primitive root of $p^2$.
3. For every $e \ge 2$, $g$ is a primitive root of $p^e$.

Assume $p$ to be an odd prime and $m$ a natural number larger than 1. By Lemma 1, if $g$ is a primitive root of $p^2$ and $g_n \equiv g \bmod p^n$, then $g_n$ is a primitive root of $p^n$, where $n = 1, 2, 3, \ldots, m$, and $g_2 = g$. Moreover, by the Chinese Remainder Theorem, $\mathrm{ord}_{p^n}(g_n) = \varphi(p^n) = p^{n-1}(p-1)$.

For each $n$, $n = 1, 2, 3, \ldots, m$, define $\mathbb{Z}^*_{p^n} = (g_n)$, $D_0^{(n)} = (g_n^2)$, $D_1^{(n)} = g D_0^{(n)}$, $R^{(n)} = \{0, p, 2p, \ldots, (p^{n-1} - 1)p\} = p\mathbb{Z}_{p^{n-1}}$; then $\mathbb{Z}^*_{p^n}$ and $D_0^{(n)}$ are multiplicative groups and the residue class ring $\mathbb{Z}_{p^n}$ possesses the following partitions:
$$ \mathbb{Z}_{p^n} = D_0^{(n)} \cup D_1^{(n)} \cup R^{(n)} = \mathbb{Z}^*_{p^n} \cup R^{(n)}. \tag{3} $$
For $n_1, n_2$ ($n_1 < n_2$), it is easy to prove that $D_i^{(n_2)} \bmod p^{n_1} \equiv D_i^{(n_1)}$, $R^{(n_2)} \bmod p^{n_1} \equiv R^{(n_1)}$, $i = 0, 1$. Thus we obtain the $m$ partitions of the residue ring $\mathbb{Z}_{p^m}$:
$$ \begin{aligned} \mathbb{Z}_{p^m} &= D_0^{(m)} \cup D_1^{(m)} \cup p\mathbb{Z}_{p^{m-1}} \\ &= D_0^{(m)} \cup pD_0^{(m-1)} \cup D_1^{(m)} \cup pD_1^{(m-1)} \cup p^2 \mathbb{Z}_{p^{m-2}} \\ &= \cdots \\ &= \bigcup_{n=1}^{m} p^{m-n} D_0^{(n)} \cup \bigcup_{n=1}^{m} p^{m-n} D_1^{(n)} \cup \{0\}. \end{aligned} \tag{4} $$
If we assume that
$$ C_0 = \bigcup_{n=1}^{m} p^{m-n} D_0^{(n)}, \qquad C_1 = \bigcup_{n=1}^{m} p^{m-n} D_1^{(n)} \cup \{0\}, \tag{5} $$
then $C_0 \cup C_1 = \mathbb{Z}_{p^m}$, $C_0 \cap C_1 = \emptyset$, where $\emptyset$ denotes the empty set. The binary generalized cyclotomic sequence $s^\infty = (s_0, s_1, \ldots, s_i, \ldots)$ of order 2 is defined as
$$ s_i = \begin{cases} 0, & \text{if } i \bmod p^m \in C_0, \\ 1, & \text{if } i \bmod p^m \in C_1, \end{cases} \quad \text{for all } i \ge 0. \tag{6} $$
Its balance is guaranteed by the definition. Since $p^n$ ($n < m$) is not a period of $s^\infty$, it possesses the least period $p^m$. This sequence is introduced in [6] and can be considered as a representative special case of the sequences defined by Ding and Helleseth [7], of which the generalized cyclotomic sequence with the period $pq$ is another representative special case, the linear complexity of which was determined by Bai et al. in 2005 [2].

3. Linear complexity of generalized cyclotomic sequences

Lemma 2 ([7, Lemma 7]). If $a \in D_i^{(n)}$, then $aD_j^{(n)} = D_{(i+j) \bmod 2}^{(n)}$, $0 \le i, j \le 1$, $1 \le n \le m$.
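As an added example (this code is not from the paper or its authors, and every function name in it is this example's own choice), the following Python builds $D_0^{(n)}$, $D_1^{(n)}$ and $C_1$ of Section 2 for a small odd prime $p$ and $m \ge 2$, generates one period of $s^\infty$ from (5) and (6), and determines $L(s^\infty)$ in two independent ways: with the Berlekamp–Massey algorithm [1] run over two periods, and with Eq. (2) through a polynomial gcd over $\mathrm{GF}(2)$. Both values are compared with the closed form of Theorem 1, and the helper class_of lets one check Lemma 5 ($-1 \in D_0^{(n)}$ iff $p \equiv 1 \bmod 4$) and Lemma 9 ($2 \in D_0^{(1)}$ iff $p \equiv \pm 1 \bmod 8$) numerically.

```python
# Added example, not from the paper: build the order-2 generalized cyclotomic
# sequence of period p^m from (5) and (6), then compute its linear complexity
# with the Berlekamp-Massey algorithm [1] and with Eq. (2) (a polynomial gcd
# over GF(2)), and compare both with the closed form of Theorem 1.
# All function and variable names are this example's own choices.

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def primitive_root_mod_p2(p):
    """Smallest primitive root g of p^2; by Lemma 1 it is one of every p^e."""
    phi = p * (p - 1)
    factors = [q for q in range(2, phi + 1) if phi % q == 0 and is_prime(q)]
    for g in range(2, p * p):
        if all(pow(g, phi // q, p * p) != 1 for q in factors):
            return g
    raise ValueError("no primitive root found")

def cyclotomic_classes(p, n, g):
    """D_0^(n) = <g^2> (the squares in Z*_{p^n}) and D_1^(n) = g D_0^(n)."""
    mod, d0, x = p ** n, set(), 1
    for _ in range(p ** (n - 1) * (p - 1) // 2):   # |D_0^(n)| = phi(p^n) / 2
        d0.add(x)
        x = x * g * g % mod
    return d0, {g * a % mod for a in d0}

def class_of(a, p, n, g):
    """0 if a in D_0^(n), 1 if a in D_1^(n), None if a in R^(n) (Lemmas 5 and 9)."""
    d0, d1 = cyclotomic_classes(p, n, g)
    a %= p ** n
    return 0 if a in d0 else 1 if a in d1 else None

def sequence_period(p, m):
    """One period (s_0, ..., s_{p^m - 1}) of s^infty: s_i = 1 iff i in C_1, see (5), (6)."""
    g = primitive_root_mod_p2(p)
    c1 = {0}
    for n in range(1, m + 1):
        c1 |= {p ** (m - n) * a for a in cyclotomic_classes(p, n, g)[1]}
    return [1 if i in c1 else 0 for i in range(p ** m)]

def berlekamp_massey(bits):
    """Linear complexity over GF(2) [1]; polynomials are int bit masks (bit i = x^i)."""
    c, b, L, m = 1, 1, 0, -1       # connection poly, previous poly, L, last change
    for n, bit in enumerate(bits):
        d = bit                    # discrepancy s_n + sum_{i=1}^{L} c_i s_{n-i}
        for i in range(1, L + 1):
            if (c >> i) & 1:
                d ^= bits[n - i]
        if d:
            t = c
            c ^= b << (n - m)
            if 2 * L <= n:
                L, m, b = n + 1 - L, n, t
    return L

def poly_deg(a):
    return a.bit_length() - 1

def poly_mod(a, b):
    while a and poly_deg(a) >= poly_deg(b):
        a ^= b << (poly_deg(a) - poly_deg(b))
    return a

def poly_gcd(a, b):
    while b:
        a, b = b, poly_mod(a, b)
    return a

def linear_complexity_eq2(bits):
    """L = N - deg gcd(x^N - 1, s^N(x)) over GF(2), Eq. (2); bit i is the x^i coefficient."""
    N = len(bits)
    s_poly = sum(bit << i for i, bit in enumerate(bits))
    return N - poly_deg(poly_gcd((1 << N) | 1, s_poly))   # x^N - 1 = x^N + 1 over GF(2)

def theorem1(p, m):
    """Closed form of Theorem 1 (p an odd prime, m >= 2)."""
    r = p % 8
    if r == 1 or (r == 7 and m % 2 == 0):
        return (p ** m + 1) // 2
    if r == 7:
        return (p ** m - 1) // 2
    if r == 5 or (r == 3 and m % 2 == 0):
        return p ** m
    return p ** m - 1

def check(p, m):
    """Balance, L from Berlekamp-Massey on two periods, L from Eq. (2), and Theorem 1."""
    bits = sequence_period(p, m)
    return {"balanced": sum(bits) == (len(bits) + 1) // 2,
            "bm": berlekamp_massey(bits * 2),
            "eq2": linear_complexity_eq2(bits),
            "theorem": theorem1(p, m)}

if __name__ == "__main__":
    for p, m in [(3, 2), (3, 3), (5, 2), (7, 2), (7, 3), (17, 2)]:
        print(p, m, check(p, m))
```

Feeding Berlekamp–Massey two full periods gives the exact linear complexity of a periodic sequence, since $L(s^\infty) \le N$ and $2N \ge 2L$ terms suffice; the Eq. (2) route needs only one period. For $p = 3$, $m = 2$ both routes return 9, which is $p^m$, the value of Theorem 1 for $p \equiv 3 \bmod 8$ and even $m$, and the same agreement holds for the other $(p, m)$ pairs in the driver loop.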
Let $k = \mathrm{ord}_{p^m}(2)$ and $\theta_m$ be a $p^m$-th primitive root of unity in $\mathrm{GF}(2^k)$. Assume $\theta_n = \theta_m^{p^{m-n}}$; then $\theta_n$ is a $p^n$-th primitive root of unity in $\mathrm{GF}(2^k)$.
Lemma 3. Let the symbols be the same as before.
1. $\sum_{i \in \mathbb{Z}_{p^n}} \theta_n^i = 0$.
2. $\sum_{i \in R^{(n)}} \theta_n^i = 0$ ($n \ge 2$).
3. $\sum_{i \in D_0^{(n)}} \theta_n^i = \sum_{i \in D_1^{(n)}} \theta_n^i$ ($n \ge 2$).

Proof. Since $\theta_n$ is a $p^n$-th primitive root of unity in $\mathrm{GF}(2^k)$, $\theta_n \ne 1$, $\theta_n^p \ne 1$, the proofs of 1 and 2 proceed from the following fact:
$$ \begin{aligned} 0 = 1 - \theta_n^{p^n} &= (1 - \theta_n^p)(1 + \theta_n^p + \theta_n^{2p} + \cdots + \theta_n^{(p^{n-1}-1)p}) \\ &= (1 - \theta_n)(1 + \theta_n + \theta_n^2 + \cdots + \theta_n^{p^n - 1}). \end{aligned} \tag{7} $$
By 1 and 2 of this lemma, 3 holds directly.

Lemma 4. For $n \ge 2$, $\sum_{i \in D_1^{(n)}} \theta_n^i \in \{0, 1\}$.

Proof. By Lemma 2,
$$ \Bigl(\sum_{i \in D_1^{(n)}} \theta_n^i\Bigr)^2 = \sum_{i \in D_1^{(n)}} \theta_n^{2i} = \sum_{i \in 2D_1^{(n)}} \theta_n^i = \begin{cases} \sum_{i \in D_1^{(n)}} \theta_n^i, & \text{if } 2 \in D_0^{(n)}, \\[4pt] \sum_{i \in D_0^{(n)}} \theta_n^i, & \text{if } 2 \in D_1^{(n)}. \end{cases} \tag{8} $$
By Lemma 3, $\bigl(\sum_{i \in D_1^{(n)}} \theta_n^i\bigr)^2 = \sum_{i \in D_1^{(n)}} \theta_n^i$. The conclusion follows.
Lemma 5. If $p \equiv 1 \bmod 4$, $-1 \in D_0^{(n)}$. If $p \equiv 3 \bmod 4$, $-1 \in D_1^{(n)}$.

Proof. Assume that $p = 4t + 1$ for some integer $t$ and $-1 \in D_1^{(n)}$. Since $\mathrm{ord}_p(g_1) = p - 1$, then $g_1^{p-1} = 1$. It follows that $g_1^{4t} - 1 = (g_1^{2t} - 1)(g_1^{2t} + 1) = 0$. Since $g_1$ is a primitive root of $p$, then $g_1^{2t} - 1 \ne 0$. Note that $\mathbb{Z}_p$ is a field, then we have $-1 = g_1^{2t} \in D_0^{(1)}$. Since $D_i^{(n)} \bmod p = D_i^{(1)}$ and $-1 \equiv p^n - 1 \pmod p$, then $-1 \bmod p \in D_1^{(1)}$, which contradicts the above result. It is obvious that $-1 \notin R^{(n)}$. Hence we have $-1 \in D_0^{(n)}$. Similarly, if $p = 4t + 3$ for some integer $t$, then the fact that $-1 \in D_1^{(n)}$ holds.

Remark 1. Since $\mathbb{Z}_{p^2}$ is not a field, the equation $g_1^{4t} - 1 = (g_1^{2t} - 1)(g_1^{2t} + 1) = 0$ cannot yield $g_1^{2t} + 1 = 0$. So we think that the proof of [4, Lemma 8.4.5] is incorrect.

Lemma 6 ([4, Lemma 4.5.4]). For each $r \in R^{(n)}$,
$$ |D_i^{(n)} \cap (D_j^{(n)} + r)| = \begin{cases} \dfrac{p^{n-1}(p-1)}{2}, & \text{if } i = j, \\[4pt] 0, & \text{otherwise.} \end{cases} \tag{9} $$
By this lemma, we can conclude that $D_i^{(n)} = D_i^{(n)} + r$, $i = 0, 1$.

Lemma 7 ([4, Lemma 8.4.6]). Let $p$ be an odd prime and $p \equiv 3 \bmod 4$. Then
$$ |D_0^{(n)} \cap (D_0^{(n)} + 1)| = |D_1^{(n)} \cap (D_1^{(n)} + 1)|. \tag{10} $$
Like in the proof of Lemma 8.4.7 in [4], by Lemmas 2, 3 and 5–7, we can prove the following Lemma 8:

Lemma 8. $\sum_{i \in D_0^{(n)}} \theta_n^i = \sum_{i \in D_1^{(n)}} \theta_n^i = 0$, where $n \ge 2$.

Assume that $r(x) = \sum_{i \in D_1^{(1)}} x^i \in \mathrm{GF}(2)[x]$ and $s(x) = \sum_{i \in C_1} x^i \in \mathrm{GF}(2)[x]$.

Lemma 9 ([4, Lemma 8.4.8]). $r(\theta_1) \in \{0, 1\}$ if and only if $2 \in D_0^{(1)}$ if and only if $p \equiv \pm 1 \bmod 8$.

Lemma 10. Let the symbols be the same as before;
$$ s(\theta_m^a) = \begin{cases} \dfrac{p^m + 1}{2}, & \text{if } a = 0, \\[4pt] r(\theta_1) + \dfrac{p^n + 1}{2}, & \text{if } a \in p^n D_0^{(m-n)},\ 1 \le n \le m-1, \\[4pt] r(\theta_1) + \dfrac{p^n - 1}{2}, & \text{if } a \in p^n D_1^{(m-n)},\ 1 \le n \le m-1, \\[4pt] 1 + r(\theta_1), & \text{if } a \in D_0^{(m)}, \\ r(\theta_1), & \text{if } a \in D_1^{(m)}. \end{cases} \tag{11} $$
Proof. For the case $a = 0$,
$$ s(\theta_m^a) = s(1) = \frac{p^m + 1}{2}. \tag{12} $$
Note that
$$ \begin{aligned} s(\theta_m^a) &= \sum_{i \in D_1^{(m)}} \theta_m^{ai} + \sum_{i \in pD_1^{(m-1)}} \theta_m^{ai} + \cdots + \sum_{i \in p^{m-n}D_1^{(n)}} \theta_m^{ai} + \cdots + \sum_{i \in p^{m-1}D_1^{(1)}} \theta_m^{ai} + 1 \\ &= \sum_{i \in aD_1^{(m)}} \theta_m^{i} + \sum_{i \in aD_1^{(m-1)}} \theta_{m-1}^{i} + \cdots + \sum_{i \in aD_1^{(n)}} \theta_n^{i} + \cdots + \sum_{i \in aD_1^{(1)}} \theta_1^{i} + 1. \end{aligned} \tag{13} $$
If $a \in D_0^{(m)}$, by Lemmas 2 and 8, then $s(\theta_m^a) = 1 + \sum_{i \in D_1^{(1)}} \theta_1^i = 1 + r(\theta_1)$. Similarly, if $a \in D_1^{(m)}$, then $s(\theta_m^a) = 1 + \sum_{i \in D_0^{(1)}} \theta_1^i = r(\theta_1)$.

For the case $1 \le n \le m-1$, if $a \in p^n D_0^{(m-n)}$, by Lemmas 2 and 8, then
$$ \begin{aligned} s(\theta_m^a) &= \sum_{i \in D_1^{(m)}} \theta_m^{p^n i} + \cdots + \sum_{i \in D_1^{(n+1)}} \theta_{n+1}^{p^n i} + \sum_{i \in D_1^{(n)}} \theta_n^{p^n i} + \cdots + \sum_{i \in D_1^{(1)}} \theta_1^{p^n i} + 1 \\ &= \sum_{i \in D_1^{(m)}} \theta_{m-n}^{i}
 + \cdots + \sum_{i \in D_1^{(n+1)}} \theta_1^{i} + \sum_{i \in D_1^{(n)}} 1^{i} + \cdots + \sum_{i \in D_1^{(1)}} 1^{i} + 1 \\ &= r(\theta_1) + \frac{p^n - 1}{2} + 1 = r(\theta_1) + \frac{p^n + 1}{2}. \end{aligned} \tag{14} $$
Similarly, if $a \in p^n D_1^{(m-n)}$, then $s(\theta_m^a) = r(\theta_1) + \frac{p^n - 1}{2}$.

If we define $d_i^{(n)}(x) = \prod_{a \in D_i^{(n)}} (x - \theta_n^a)$, $i = 0, 1$, then
$$ x^{p^m} - 1 = (x - 1) \prod_{n=1}^{m} d_0^{(n)}(x)\, d_1^{(n)}(x), \tag{15} $$
and we have
Lemma 11. $d_i^{(n)}(x) \in \mathrm{GF}(2)[x]$ if and only if $p \equiv \pm 1 \bmod 8$.

Proof. If $p \equiv \pm 1 \bmod 8$, by Lemma 9, then $2 \in D_0^{(1)}$, and
$$ \begin{aligned} (d_i^{(n)}(x))^2 &= \prod_{a \in D_i^{(n)}} (x - \theta_n^a)^2 = \prod_{a \in D_i^{(n)}} (x^2 - \theta_n^{2a}) \\ &= \prod_{a \in 2D_i^{(n)}} (x^2 - \theta_n^{a}) = \prod_{a \in D_i^{(n)}} (x^2 - \theta_n^{a}) = d_i^{(n)}(x^2). \end{aligned} \tag{16} $$
Thus $d_i^{(n)}(x) \in \mathrm{GF}(2)[x]$, $i = 0, 1$. If $p \equiv \pm 3 \bmod 8$, by Lemma 9, then $2 \in D_1^{(1)}$, and
$$ (d_i^{(n)}(x))^2 = \prod_{a \in D_{i+1}^{(n)}} (x^2 - \theta_n^{a}) = d_{i+1}^{(n)}(x^2) \ne d_i^{(n)}(x^2). \tag{17} $$
Hence $d_i^{(n)}(x) \notin \mathrm{GF}(2)[x]$, $i = 0, 1$.
Theorem 1. The linear complexity of the generalized cyclotomic sequence $s^\infty$ is given by
$$ L(s^\infty) = \begin{cases} \dfrac{p^m + 1}{2}, & \text{if } p \equiv 1 \bmod 8, \\[4pt] \dfrac{p^m + 1}{2}, & \text{if } p \equiv -1 \bmod 8 \text{ and } m \text{ is even}, \\[4pt] \dfrac{p^m - 1}{2}, & \text{if } p \equiv -1 \bmod 8 \text{ and } m \text{ is odd}, \\[4pt] p^m, & \text{if } p \equiv -3 \bmod 8, \\ p^m, & \text{if } p \equiv 3 \bmod 8 \text{ and } m \text{ is even}, \\ p^m - 1, & \text{if } p \equiv 3 \bmod 8 \text{ and } m \text{ is odd}. \end{cases} \tag{18} $$

Proof. If $p \equiv 1 \bmod 8$, by Lemmas 9 and 10, then $r(\theta_1) \in \{0, 1\}$ and
$$ s(\theta_m^a) = \begin{cases} 1, & \text{if } a = 0, \\ r(\theta_1) + 1, & \text{if } a \in p^n D_0^{(m-n)},\ 1 \le n \le m-1, \\ r(\theta_1), & \text{if } a \in p^n D_1^{(m-n)},\ 1 \le n \le m-1, \\ 1 + r(\theta_1), & \text{if } a \in D_0^{(m)}, \\ r(\theta_1), & \text{if } a \in D_1^{(m)}. \end{cases} \tag{19} $$
And by Lemma 11 and the definitions of $d_i^{(n)}(x)$ and $\theta_m$,
$$ \gcd(x^{p^m} - 1, s(x)) = \begin{cases} \prod_{n=1}^{m} d_1^{(n)}(x), & \text{if } r(\theta_1) = 0, \\[4pt] \prod_{n=1}^{m} d_0^{(n)}(x), & \text{if } r(\theta_1) = 1. \end{cases} \tag{20} $$
So we have
$$ m(x) = \frac{x^{p^m} - 1}{\gcd(x^{p^m} - 1, s(x))} = \begin{cases} (x - 1) \prod_{n=1}^{m} d_0^{(n)}(x), & \text{if } r(\theta_1) = 0, \\[4pt] (x - 1) \prod_{n=1}^{m} d_1^{(n)}(x), & \text{if } r(\theta_1) = 1. \end{cases} \tag{21} $$
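As an added check (not in the paper), the degree count behind the value of $L(s^\infty)$ in this case uses only $\deg d_i^{(n)}(x) = |D_i^{(n)}| = \varphi(p^n)/2$ and the geometric sum:
$$ \deg m(x) = 1 + \sum_{n=1}^{m} \deg d_0^{(n)}(x) = 1 + \sum_{n=1}^{m} \frac{p^{n-1}(p-1)}{2} = 1 + \frac{p^m - 1}{2} = \frac{p^m + 1}{2}, $$
and the same count with $d_1^{(n)}$ in place of $d_0^{(n)}$ gives the identical degree for the case $r(\theta_1) = 1$.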
It follows that $L(s^\infty) = \deg(m(x)) = \frac{p^m + 1}{2}$.

If $p \equiv -1 \bmod 8$, by Lemmas 9 and 10, then $r(\theta_1) \in \{0, 1\}$, and we have
$$ s(\theta_m^a) = \begin{cases} r(\theta_1) + 1, & \text{if } a \in p^n D_0^{(m-n)},\ 1 \le n \le m-1,\ n \text{ is even}, \\ r(\theta_1), & \text{if } a \in p^n D_0^{(m-n)},\ 1 \le n \le m-1,\ n \text{ is odd}, \\ r(\theta_1), & \text{if } a \in p^n D_1^{(m-n)},\ 1 \le n \le m-1,\ n \text{ is even}, \\ r(\theta_1) + 1, & \text{if } a \in p^n D_1^{(m-n)},\ 1 \le n \le m-1,\ n \text{ is odd}, \\ 1 + r(\theta_1), & \text{if } a \in D_0^{(m)}, \\ r(\theta_1), & \text{if } a \in D_1^{(m)}. \end{cases} \tag{22} $$
Note that
$$ \frac{p^m + 1}{2} \equiv \begin{cases} 1 \bmod 2, & \text{if } m \text{ is even}, \\ 0 \bmod 2, & \text{if } m \text{ is odd}. \end{cases} \tag{23} $$
Then, if $m$ is even, by Lemma 11, Eq. (22) and the definitions of $d_i^{(n)}(x)$ and $\theta_m$,
$$ \gcd(x^{p^m} - 1, s(x)) = \begin{cases} \prod_{n=1}^{\frac{m-2}{2}} d_0^{(2n-1)}(x)\, d_1^{(2n)}(x), & \text{if } r(\theta_1) = 0, \\[4pt] \prod_{n=1}^{\frac{m-2}{2}} d_1^{(2n-1)}(x)\, d_0^{(2n)}(x), & \text{if } r(\theta_1) = 1. \end{cases} \tag{24} $$
So we have
$$ m(x) = \frac{x^{p^m} - 1}{\gcd(x^{p^m} - 1, s(x))} = \begin{cases} (x - 1) \prod_{n=1}^{\frac{m-2}{2}} d_1^{(2n-1)}(x)\, d_0^{(2n)}(x), & \text{if } r(\theta_1) = 0, \\[4pt] (x - 1) \prod_{n=1}^{\frac{m-2}{2}} d_0^{(2n-1)}(x)\, d_1^{(2n)}(x), & \text{if } r(\theta_1) = 1. \end{cases} \tag{25} $$
It follows that $L(s^\infty) = \deg(m(x)) = \frac{p^m + 1}{2}$. If $m$ is odd, by Lemmas 10 and 11 and the definitions of $d_i^{(n)}(x)$ and $\theta_m$,
$$ \gcd(x^{p^m} - 1, s(x)) = \begin{cases} (x - 1) \prod_{n=1}^{\frac{m-1}{2}} d_0^{(2n-1)}(x)\, d_1^{(2n)}(x), & \text{if } r(\theta_1) = 0, \\[4pt] (x - 1) \prod_{n=1}^{\frac{m-1}{2}} d_1^{(2n-1)}(x)\, d_0^{(2n)}(x), & \text{if } r(\theta_1) = 1. \end{cases} \tag{26} $$
So we have
$$ m(x) = \frac{x^{p^m} - 1}{\gcd(x^{p^m} - 1, s(x))} = \begin{cases} \prod_{n=1}^{\frac{m-1}{2}} d_1^{(2n-1)}(x)\, d_0^{(2n)}(x), & \text{if } r(\theta_1) = 0, \\[4pt] \prod_{n=1}^{\frac{m-1}{2}} d_0^{(2n-1)}(x)\, d_1^{(2n)}(x), & \text{if } r(\theta_1) = 1. \end{cases} \tag{27} $$
It follows that $L(s^\infty) = \deg(m(x)) = \frac{p^m - 1}{2}$.
If $p \equiv \pm 3 \bmod 8$, by Lemma 9, then $r(\theta_1) \notin \{0, 1\}$ and $s(\theta_m^a) \ne 0$ for each $a \in \mathbb{Z}^*_{p^m}$. If $p \equiv 3 \bmod 8$, then
$$ \frac{p^m + 1}{2} \equiv \begin{cases} 1 \bmod 2, & \text{if } m \text{ is even}, \\ 0 \bmod 2, & \text{if } m \text{ is odd}. \end{cases} \tag{28} $$
For the case where $m$ is even, $\gcd(x^{p^m} - 1, s(x)) = 1$. So we have $m(x) = x^{p^m} - 1$. Thus $L(s^\infty) = \deg(m(x)) = p^m$.
For the case where $m$ is odd, $\gcd(x^{p^m} - 1, s(x)) = x - 1$. So we have $m(x) = \frac{x^{p^m} - 1}{x - 1}$. Thus $L(s^\infty) = \deg(m(x)) = p^m - 1$.
If $p \equiv -3 \bmod 8$, then $\frac{p^m + 1}{2} \equiv 1 \bmod 2$, and $\gcd(x^{p^m} - 1, s(x)) = 1$. So we have $m(x) = x^{p^m} - 1$. It follows that $L(s^\infty) = \deg(m(x)) = p^m$.

4. Conclusion

Our contributions in this work are the determination of the linear complexity and minimal polynomials of generalized cyclotomic sequences of order 2 with the period $p^m$. It is proved that the linear complexity of each generalized cyclotomic sequence takes on one of the values $\frac{p^m + 1}{2}$, $\frac{p^m - 1}{2}$, $p^m$ and $p^m - 1$. Thus they always possess good linear complexity. Consequently, these generalized cyclotomic sequences may be employed for cryptographic applications.

Acknowledgments

The authors would like to acknowledge Dr. D. Yu of MIT for his help in revising this manuscript; we would also like to acknowledge the valuable and constructive comments received from the patient referees, which helped to improve this work.

References

[1] J.L. Massey, Shift register synthesis and BCH decoding, IEEE Trans. Inform. Theory 15 (1) (1969) 122–127.
[2] E. Bai, X. Liu, G. Xiao, Linear complexity of new generalized cyclotomic sequences of order two of length pq, IEEE Trans. Inform. Theory 51 (5) (2005) 1849–1854.
[3] R. Lidl, H. Niederreiter, Finite Fields, in: Encyclopedia of Mathematics and its Applications, Addison-Wesley, Reading, MA, 1983.
[4] T. Cusick, C. Ding, A. Renvall, Stream Ciphers and Number Theory, in: North-Holland Mathematical Library, vol. 66, Elsevier Science Pub. Co, 1998.
[5] P. Ribenboim, The Book of Prime Number Records, Springer-Verlag, 1988.
[6] C. Ding, T. Helleseth, Generalized cyclotomic codes of length $p_1^{e_1} \cdots p_t^{e_t}$, IEEE Trans. Inform. Theory 45 (2) (1999) 467–474.
[7] C. Ding, T. Helleseth, New generalized cyclotomy and its applications, Finite Fields Appl. 4 (1998) 140–166.