On the power generator and its multivariate analogue

On the power generator and its multivariate analogue

Journal of Complexity 28 (2012) 238–249 Contents lists available at SciVerse ScienceDirect Journal of Complexity journal homepage: www.elsevier.com/...
Download PDF
253KB Sizes 2 Downloads 26 Views
Report

Journal of Complexity 28 (2012) 238–249

Contents lists available at SciVerse ScienceDirect

Journal of Complexity journal homepage: www.elsevier.com/locate/jco

On the power generator and its multivariate analogue Alina Ostafe, Igor E. Shparlinski ∗ Department of Computing, Macquarie University, Sydney, NSW 2109, Australia

article

info

Article history: Received 10 June 2011 Accepted 11 October 2011 Available online 15 November 2011 Keywords: Power generator Binomial exponential sums Discrepancy

abstract We obtain a new estimate on the discrepancy of the power generator over a part of the period that improves several previous results. We also introduce a multidimensional analogue and show that the corresponding vector sequence is uniformly distributed, provided it is of a sufficiently large period. This result is based on a recent estimate of T. Cochrane and C. Pinner on binomial exponential sums. Our construction extends the class of nonlinear pseudorandom number generators for which a power saving against the trivial bound is possible in estimates of their discrepancy. It has several additional properties such as high nonlinearity and inhomogeneity which may be useful for its cryptographic applications. © 2011 Elsevier Inc. All rights reserved.

1. Introduction 1.1. Background Given integers e ≥ 2, q > ϑ ≥ 1 with gcd(ϑ, q) = 1, the sequence {un }, defined by un ≡ uen−1 (mod q),

0 ≤ un ≤ q − 1, n = 1, 2, . . . ,

(1)

with the initial value u0 = ϑ is called the power generator of pseudorandom numbers and has many applications in cryptography; see [5,10,11,16,27,31,34,49,50] and the references therein. Various structural properties of the power generator, such as the cycle structure [2,7,8,20,30,45,46, 52], distribution [6,13,14,17–19,21] and linear complexity [25,47] have been extensively investigated. Furthermore, an elliptic curve version of the power generator has also been studied [3,15,33]. We note that one of the advantages of using sequence (1) (especially in cryptographic applications) is the high degree of the map x → xe . On the other hand, its homogeneous structure can be exploited in various attacks; see [16,27,49] for a security analysis of this generator.



Corresponding author. E-mail addresses: [email protected] (A. Ostafe), [email protected] (I.E. Shparlinski).

0885-064X/$ – see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.jco.2011.10.010

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

239

1.2. Our results Here, for a prime q = p we obtain new results about the distribution of the power generator (1) in parts of the period which extends the results of [17]. It has been remarked in [3, Section 4] that a bound of double sums of Garaev [22] can be used for this purpose. Here we use a stronger result of Garaev and Karatsuba [23] and also modify the scheme suggested in [3] to get a further improvement. Then, we introduce a multidimensional analogue of the power generator (1) that however does not have any embedded homogeneous properties. We estimate exponential sums with corresponding sequences, that in turn lead to results about their uniformity of distribution. We note that although these estimates are analogues of several one-dimensional results, neither the method used in [17,18,21], nor the method which we use here for the univariate generator, seems to apply to the proposed multidimensional analogue. Instead, we use recent results of Cochrane and Pinner [9] on binomial exponential sums. It seems that this technique has never been applied for analysis of pseudorandom number generators and we hope it will find several other applications. Our work also contributes to the extension of the class of nonlinear pseudorandom number generators for which a power saving is possible in estimates on their measure of uniformity of distribution. We recall that for generic generators only results with logarithmic saving are known; see [36] for the univariate case and [24,26,40] for the multivariate case. Several examples of polynomial pseudorandom number generators with a power saving in the corresponding estimates have been constructed in [38,41,42] (see also [39,43]). However, they all include some linearities and a slow degree growth of its iterations, which may potentially represent a weakness in cryptographic applications of these generators. The most natural multidimensional generalisation of the power generator is a dynamical system generated by iterations of monomial maps ej,1

Fj (X1 , . . . , Xm ) = X1

e

. . . Xmj,m ,

j = 1, . . . , m,

(2)

for some integral matrix

m

2

ei,j i,j=1 ∈ Zm



(3)

of exponents. However, it also has the same undesirable homogeneous properties as its univariate prototype. The construction of this work is free of this disadvantage, does not contain any embedded linear or homogeneous components and has a very fast degree growth of its iterations. Thus it is apparently more robust against standard cryptographic attacks. Besides concrete results, we also see the main points of this work as follows.

• Introduction of a new inductive argument in the estimates of exponential sums and thus the discrepancy of pseudorandom number generators. It has been applied to some number theoretic questions (see, for example, the proof of the Burgess bound [28, Theorem 12.6]), but has never been used in the theory of pseudorandom number generators. • Introduction of a multivariate analogue of the power generator which possesses several new properties that can make them very useful for cryptographic applications. • Bringing to the area new technical tools such as a recent result of Cochrane and Pinner [9]. 1.3. Notation The letter p always denotes a prime; k, m and n always denote integers (and so do K , M and N). We use Fp to denote the prime field of p elements and Zm to denote the residue ring modulo m. For a real z and an integer r ≥ 1, we denote er (z ) = exp(2π iz /r ). For integers e and q with gcd(e, q) = 1 we denote by tq (e) the multiplicative order of e modulo q, that is, the smallest positive integer t with et ≡ 1 (mod q). Throughout the paper, any implied constants in the symbols O and ≪ may occasionally depend, where obvious, on the integer parameter ν ≥ 1 and real parameter ε > 0, but are absolute otherwise.

240

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

We recall that the notations U ≪ V and U = O(V ) are both equivalent to the statement that the inequality |U | ≤ c V holds with some constant c > 0. We also use o(1) to denote any function which tends to zero as p → ∞. We recall that the discrepancy ∆(Γ ) of a sequence Γ of N points

  Γ = (γn,1 , . . . , γn,m )Nn=−01 in the m-dimensional unit cube [0, 1)m is defined as

    TΓ (B)  ∆(Γ ) = sup  − |B| , m N B⊆[0,1) where TΓ (B) is the number of points of Γ inside the box B = [α1 , β1 ) × · · · × [αm , βm ) ⊆ [0, 1)m and the supremum is taken over all such boxes; see [12]. It is a natural and commonly used measure for the statistical uniformity of sequences. 2. Distribution of the power generator in parts of the period 2.1. Bilinear sums We need the following estimate due to Garaev and Karatsuba [23, Corollary 3]. Lemma 1. Let ϑ be an integer with gcd(ϑ, p) = 1 and let T = tp (ϑ). Then, for any sets G, H ⊆ ZT of cardinalities G = #G

and

H = #H ,

and integer a with gcd(a, p) = 1, the bound



ep aϑ gh ≪ G1−1/(2ν+2) H 1−1/2ν T 1/2ν p1/(4ν+4)+ε





g ∈G h∈H

holds for every fixed integer ν = 1, 2, . . . and real ε > 0. 2.2. Main results For an integer a and a sequence {un } given by (1), we introduce the exponential sum Sa ( N ) =

N −1 

ep (aun ) .

n=0

Theorem 2. Let a sequence {un } be given by (1) with the initial value u0 = ϑ such that gcd(ϑ, p) = 1. Assume that gcd(e, T ) = 1, where T = tp (ϑ). Then, for any a ∈ Z with gcd(a, p) = 1, for N ≤ τ , where τ = tT (e) is the period of {un }, the estimate

|Sa (N )| ≤ N 1−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+o(1) holds for every fixed integer ν = 1, 2, . . . as p → ∞. Proof. It is enough to show that, for any fixed integer ν = 1, 2, . . . and real ε > 0, there is a constant C (ν, ε) such that, for any ϑ with gcd(ϑ, p) = 1 and tp (ϑ) = T , we have max

gcd(a,p)=1

for any k ≤ τ .

|Sa (k)| ≤ C (ν, ε)k1−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+ε

(4)

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

241

We prove this by induction on k ≤ τ . We can assume that C (ν, ε) > 1 so that (4) trivially holds for k ≤ p1/2 (as we also have k ≤ τ ≤ T ). Now assume that it holds for all k < N. Select any a ∈ Z with gcd(a, p) = 1. Since Sa (N ) =

N −1 



n

ep aϑ e



,

n =0

it is obvious that for any k ≥ 0 we have Sa (N ) =

N −1 



n+k

ep aϑ e



+ Sa (k) − Sa (k),

n =0

where Sa (k) is defined exactly as Sa (k) however with N  ϑ = ϑe

instead of ϑ . We now put K = ⌈N /2⌉. We note that the condition gcd(e, T ) = 1 implies

ϑ = T, tp   

so the induction assumption (4) applies to both Sa (k) and Sa (k) for k ≤ K . Hence

  N −1   n+k     e ep aϑ Sa (N ) −  ≤ 2C (ν, ε)K 1−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+ε .   n =0 Therefore, K |Sa (N )| ≤ W + 2C (ν, ε)K 2−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+ε ,

(5)

where

  K −1  N −1   n+k    e e aϑ W = .  k=0 n=0 p  We now consider the sets

K = {ek (mod T ) : k = 0, . . . , K − 1} ⊆ ZT , N = {en (mod T ) : n = 0, . . . , N − 1} ⊆ ZT . Since K < N ≤ τ we have #K = K and #N = N. Therefore, by Lemma 1, we have W ≤ c (ν, ε)K 1−1/(2ν+2) N 1−1/2ν T 1/2ν p1/(4ν+4)+ε for some constant c (ν, ε) ≥ 1, depending only on ν and ε , which after the substitution in (5) yields

|Sa (N )| ≤ c (ν, ε)K −1/(2ν+2) N 1−1/2ν T 1/2ν p1/(4ν+4)+ε + 2C (ν, ε)K 1−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+ε . We can certainly assume that N is large enough so we have N /3 ≤ K ≤ N /2. Thus, the last bound implies

|Sa (N )| ≤ 31/(2ν+2) c (ν, ε)N 1−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+ε + 2−(2ν+1)/2ν(ν+1) C (ν, ε)N 1−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+ε   = 31/(2ν+2) c (ν, ε) + 2−(2ν+1)/2ν(ν+1) C (ν, ε) N 1−(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+ε . Taking C (ν, ε) = 31/(2ν+2) c (ν, ε) 1 − 2−(2ν+1)/2ν(ν+1)



we obtain (4) and thus conclude the proof.



 −1

,

242

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

Using the Erdős–Turán inequality (see [12, Theorem 1.21]), to estimate the discrepancy via exponential sums, we obtain the following corollary. Corollary 3. Under the conditions of Theorem 2, the discrepancy D(N ) of the sequence un p

,

n = 0, . . . , N − 1,

satisfies the bound D(N ) ≪ N −(2ν+1)/2ν(ν+1) T 1/2ν p1/(4ν+4)+o(1) . In the most interesting case when T = p1+o(1) (which is also ‘‘typically’’ expected for randomly chosen parameters, see [20,30]), taking a sufficiently large ν , we see that Theorem 2 and Corollary 3 are nontrivial for N ≥ p3/4+ε with some fixed ε > 0, provided that p is large enough. 3. Multidimensional generalisation of the power generator 3.1. Construction Let F1 , . . . , Fm ∈ Fp [X1 , . . . , Xm ] be m polynomials in m variables over Fp . For each i = 1, . . . , m we define the k-th iteration of the polynomial Fi by the recurrence relation (0)

Fi

= Xi ,

(k)

Fi

  = Fi F1(k−1) , . . . , Fm(k−1) ,

k = 1, 2, . . . .

More precisely, we define the vectors un = (un,1 , . . . , un,m ) ∈ Fm p by the recurrence relation un+1,i = Fi (un,1 , . . . , un,m ),

n = 0, 1, . . . , i = 1, . . . , m,

with some initial vector u0 = (u0,1 , . . . , u0,m ) ∈ Using the following vector notation

(6)

Fm p.

F = (F1 (X1 , . . . , Xm ), . . . , Fm (X1 , . . . , Xm )), we have the recurrence relation un+1 = F(un ),

n = 0, 1, . . . .

(7)

In particular, for any n ≥ 0 and i = 1, . . . , m, we have (n)

(n)

un,i = Fi (u0 ) = Fi (u0,1 , . . . , u0,m ) or un = F(n) (u0 ). Clearly, as we work over a finite field of p elements, the above sequence (7) of vectors {un } is eventually periodic with some period τ ≤ pm . In this paper, we consider the following class of multivariate polynomials F1 , . . . , Fm ∈ Fp [X1 , . . . , Xm ] defined by F1 = (X1 − h1 )e1 G1 + h1 ,

···

(8)

Fm−1 = (Xm−1 − hm−1 )em−1 Gm−1 + hm−1 , Fm = gm (Xm − hm )em + hm ,

where Gi ∈ Fp [Xi+1 , . . . , Xm ], i = 1, . . . , m − 1, and gm , hi ∈ Fp , i = 1, . . . , m. We have the following description of the iterations of the polynomials F1 , . . . , Fm , which can be easily proved by induction. Lemma 4. Let F1 , . . . , Fm ∈ Fp [X1 , . . . , Xm ] be defined by (8). Then, we have (k)

Fi

k

= (Xi − hi )ei Gi,k + hi ,

Fm(k) = gm (Xm − hm )em + hm , k

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

243

where, for i = 1, . . . , m − 1 and k = 1, 2, . . . , we define k−1

e

Gi,k = Gi i



(2)

Gi

eki −2

· · · G(i k) ,

with (k)

Gi

  1) (k−1) . = Gi Fi(+k− 1 , . . . , Fm

Proof. To get the formula for Gi,k , we first note that (k)

Gi

(1)

with Gi

= Gi(k−1) (Fi+1 , . . . , Fm ) ,

(9)

= Gi . Indeed,

(k−1)

Fj

= Fj (Fj(k−2) , . . . , Fm(k−2) ) = Fj(k−2) (Fj , . . . , Fm )

for any j = i + 1, . . . , m, and thus (k)

Gi

  1) (k−1) = Gi Fi(+k− 1 , . . . , Fm   2) (k−2) = Gi Fi(+k− ( F , . . . , F ), . . . , F ( F , . . . , F ) i + 1 m i + 1 m m 1 = Gi(k−1) (Fi+1 , . . . , Fm ) . (k)

Now, using representation (9), one can easily prove by induction on k that the polynomials Fi , i = 1, . . . , m, k = 1, 2, . . . , are of the claimed form.  In our construction, we always assume that gcd(e1 . . . em , p − 1) = 1

(10)

and that the polynomials Gi have no zeros over Fp : Gi (zi+1 , . . . , zm ) ̸= 0,

zi+1 , . . . , zm ∈ Fp .

(11)

We note that condition (10) can be relaxed and our approach in fact works for a wider class of exponents; however, condition (11) is essential. As in [37], we recall that a ‘‘typical’’ absolute irreducible polynomial in m ≥ 2 variables over Fp always has zeros. By a special case of the Lang–Weil theorem [32], a polynomial F in m ≥ 2 variables over Fp always has rpm−1 + O(pm−3/2 ) zeros, where r is the number of absolutely irreducible factors of F (with the implied constant depending only on deg F ); see also [44]. Several examples of ‘‘atypical’’ polynomials, that have no zero over Fp , have been given in [37]. For example, one can take Gi (Xi+1 , . . . , Xm ) =

m−i  (Xi2+j − ai,j ) j =1

or even simpler Gi (Xi+1 , . . . , Xm ) = (Xi2+1 − ai ), where ai,j and ai are quadratic nonresidues in Fp . It is easy to see that conditions (10) and (11) and the diagonal structure of (8) guarantee that the map generated by the corresponding polynomial system F is a permutation on Fm p . Therefore, the sequence of vectors {un } given by (7) is purely periodic. 3.2. Binomial exponential sums For positive integers e and f and a, b ∈ Fp , we consider the following binomial exponential sums Ta,b (e, f ) =



ep axe + bxf .





x∈Fp

We need the following estimate of Cochrane and Pinner [9, Theorem 1.3].

244

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

Lemma 5. For any integers e and f and a, b ∈ F∗p , we have

|Ta,b (e, f )| ≤ gcd(e − f , p − 1) + 2.292d13/46 p89/92 , where d = gcd(e, f , p − 1). 3.3. Multiplicative orders of divisors The following result is certainly well-known. Lemma 6. For any integers e and q with gcd(e, q) = 1 and any divisor d | q, we have tq/d (e) ≥ tq (e)/d. Proof. It is enough to prove it when d is prime. From etq/d (e) ≡ 1 (mod q/d) we also obtain e(d−1)tq/d (e) ≡ 1

(mod q/d).

(12)

Besides, since d is prime, we obviously have e(d−1)tq/d (e) ≡ 1

(mod d).

(13)

If gcd(d, q/d) = 1 then (12) and (13) imply e(d−1)tq/d (e) ≡ 1

(mod q),

and thus (d − 1)tq/d (e) ≥ tq (e). If gcd(d, q/d) = d, we write etq/d (e) = 1 + Eq/d and note that edtq/d (e) = 1 + dEq/d

(mod (q/d)2 ).

As q | (q/d)2 , we obtain edtq/d (e) ≡ 1 (mod q) and thus dtq/d (e) ≥ tq (e).



Lemma 7. For any integers e and q with gcd(e, q) = 1 and a positive integer h, we have gcd(eh − 1, q) ≤ hq/tq (e). Proof. Denote D = gcd(eh − 1, q). Then, by Lemma 6 we see that h ≥ tD (e) ≥ Dtq (e)/q.



3.4. Main results For an integer vector a = (a1 , . . . , am ) ∈ Zm and a sequence {un } given by (6), we introduce the exponential sum Sa ( N ) =

N −1  n =0

 ep

m  i=1

 ai un , i

.

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

245

Theorem 8. Let a sequence {un } be given by (6), where the family of m polynomials F = {F1 , . . . , Fm } ∈ Fp [X1 , . . . , Xm ] of total degree d ≥ 2 is of form (8), satisfying the conditions (10) and (11). Assume that T = min tp−1 (ei ) i=1,...,m

satisfies T ≥ p3/46 . Then, for any a = (a1 , . . . , am ) ∈ Zm with gcd(a1 , . . . , am , p) = 1, for N ≤ τ , where τ is the period of {un }, we have the estimate Sa (N ) ≪ N 1/2 pm/2−3/184 . Proof. Select any a = (a1 , . . . , am ) ∈ Zm with gcd(a1 , . . . , am , p) = 1. It is obvious that for any integer k ≥ 1, we have

   N −1 m       ep ai un+k,i  ≤ 2k. Sa (N ) −   n =0 i=1 Therefore, for any integer K ≥ 1, K |Sa (N )| ≤ W + K 2 ,

(14)

where

      K m N −1   N −1  K m           ep ai un+k,i  . ep ai un+k,i  ≤ W =      n=0 k=1 i =1 n=0 k=1 i =1 Using now (7) and the Cauchy inequality, we obtain

  2 K N −1  m      ( k ) ep W2 ≤ N ai Fi (un )     n=0 k=1 i=1   2 K m      (k) ep ≤N ai Fi (x1 , . . . , xm )     x1 ,...,xm ∈Fp k=1 i=1   K m      (k) (ℓ) =N ep ai Fi (x) − Fi (x) . k,ℓ=1 x∈Fm p

i=1

Using Lemma 4, we have (k)

Ri,k,ℓ = Fi



− Fi(ℓ) = (Xi − hi )ei Gi,k − (Xi − hi )ei Gi,ℓ . k

We use xr to denote the ‘‘truncated’’ vector xr = (xr , . . . , xm ). We also denote by s the smallest index such that as ̸= 0. Then, 2

W ≤ Np

s−1

K  k,ℓ=1 x

       ep as Rs,k,ℓ (xs )  .    m−s x ∈F



s+1 ∈Fp

s

p

For each vector xs+1 we change xs − hs to xs in the inner sum and derive 2

W ≤ Np

s−1

K  k,ℓ=1 x

     k  es eℓs   ep as xs Gs,k (xs+1 ) − xs Gs,ℓ (xs+1 )  .    m−s x ∈F



s+1 ∈Fp

s

p

For O(K ) pairs (k, ℓ) with k = ℓ, we estimate the inner sum over xs in (15) trivially as p.

(15)

246

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

To estimate the contribution from the pairs (k, ℓ) with k ̸= ℓ, we assume that K ≤ Tp−3/92 .

(16)

Therefore, for 1 ≤ k, ℓ ≤ K , k ̸= ℓ, by (10) and Lemma 7 we have gcd eks − eℓs , p − 1 = gcd eks −ℓ − 1, p − 1









≤ K (p − 1)/tp−1 (es ) ≤ K (p − 1)/T ≤ p89/92 . We now recall that condition (11) holds. Therefore, for k ̸= ℓ, we see from Lemma 5 that the inner sum over xs in (15) is O(p89/92 ). Therefore, W 2 ≪ Npm−1 Kp + K 2 p89/92 ,





which, after the substitution in (14), implies

|Sa (N )| ≪ K −1/2 N 1/2 pm/2 + N 1/2 pm/2−3/184 + K . Taking K = p3/92





(thus condition (16) is satisfied), we conclude the proof.



Using the link between the multidimensional discrepancy and exponential sums, established independently by Koksma [29] and Szüsz [51] (that generalises the Erdős–Turán inequality to the multidimensional case) (see also [12, Theorem 1.21]), we immediately derive the following corollary. Corollary 9. Under the conditions of Theorem 8, the discrepancy D(N ) of the sequence



un , 1 p

,...,

un , m p



,

n = 0, . . . , N − 1,

satisfies the bound D(N ) ≪ N −1/2 pm/2−3/184 (log p)m . We now follow the scheme previously introduced in [35] to estimate the discrepancy on average of the sequence generated by (6). For a vector a = (a1 , . . . , am ) ∈ Zm and integers c , M , N with M ≥ 1 and N ≥ 1, we introduce Va,c (M , N ) =

 v1 ,...,vm ∈Fp

 2   N −1 m      (n) ep aj Fj (v1 , . . . , vm ) eM (cn) .   n =0  j =1

Theorem 10. Let the family of m polynomials F = {F1 , . . . , Fm } ∈ Fp [X1 , . . . , Xm ] of total degree d ≥ 2 be of form (8), satisfying conditions (10) and (11). Assume that T = min tp−1 (ei ) i=1,...,m

satisfies T ≥ p3/46 . Then, for any positive integers c , M , N and any nonzero vector a = (a1 , . . . , am ) ∈ Zm , we have Va,c (M , N ) ≪ A(N , p), where A(N , p) =



Npm N 2 pm−3/92

if N ≤ p3/92 , if N > p3/92 .

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

247

Proof. We have Va,c (M , K ) =

K −1 

 eM (c (k − l))

k,l=0



ep

m 

v∈Fm p



(k)

(l)

aj Fj (v) − Fj (v)

 

j =1

   K −1   m       ( k ) ( l )  ≤ ep aj Fj (v) − Fj (v)  .   k,l=0 v∈Fm j = 1 p We now assume that (16) holds. Then for O(K ) values of k and l with k = l, we estimate the inner sum trivially by pm . For the other values, we apply the same technique as in Theorem 8 and we get O(pm−3/92 ) for the inner sum for at most K 2 sums. Hence, Va,c (M , K ) ≪ Kpm + K 2 pm−3/92 ,

(17)

which immediately implies the desired result for N ≤ p3/92 . For N > p3/92 , due to conditions (10) and (11), we see that F is a permutation polynomial system on Fm p . Hence for any integer L, we obtain

2    N −1 m    L+  (n) ep aj Fj (v) eM (cn)    n =L m j =1

v∈Fp

 2   N −1 m        (n) (L) (L) ep aj Fj F1 (v), . . . , Fm (v) = eM (cn)    m n=0 j =1 v∈Fp

2    N −1 m      (n) ep aj Fj (v) eM (cn) = Va,c (M , N ). =    m n =0 j =1 v∈Fp

Therefore, for any positive integer K ≤ N, separating the inner sum into at most N /K + 1 subsums of length at most K , and using (17), we derive Va,c (M , N ) ≪ (Kpm + K 2 pm−3/92 )N 2 K −2 = N 2 (K −1 pm + pm−3/92 ). Thus, selecting K = min{N , p3/92 } and taking into account that N −1 pm ≥ pm−3/92 for N ≤ p3/92 , we obtain the desired result. 





Now, exactly as in [35,42], using the result of Koksma [29] and Szüsz [51] (see also [12, Theorem 1.21]) we derive from Theorem 10 an improvement of Corollary 9 on average over all initial values. Corollary 11. Let 0 < ε < 1. Using the conditions of Theorem 10, for all initial values v ∈ Fm p except at most O(ε pm ) of them, and any positive integer N ≤ pm , the discrepancy D(N , v) of the sequence



un,1 p

,...,

un,m p



,

n = 0, . . . , N − 1,

satisfies the bound D(N , v) ≤ ε −1 B(N , p), where B(N , p) =

N −1/2 (log N )m+1 log p p−3/184 (log N )m+1 log p



if N ≤ p3/92 , if N > p3/92 ,

and t = min{ts |s = 1, . . . , m}. We note that Corollary 11 is nontrivial if N ≥ (log p)2+ϵ for some ϵ > 0. Furthermore, using the argument of [48], one can obtain a nontrivial bound for even smaller values of N.

248

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

4. Comments We note that Theorem 2 is a direct generalisation of [17, Theorem 8] and for N = τ gives exactly the same bound (except for the term o(1) in the exponent). We also remark that the argument used in the proof of Theorem 2 together with the elliptic curve analogue of Lemma 1, given in [1, Theorem 2.1], can be used to improve the bound of exponential sums of [15, Theorem 5] with an elliptic curve analogue of the power generator (and thus the corresponding discrepancy bound). Similarly, the multiplicative character analogue of Lemma 1 (see [4]) can be used to improve the bound of multiplicative character sums of [3, Theorem 14] with the power generator (1) for a prime q = p. It is easy to see that Theorem 8 and Corollary 3 are nontrivial only if τ and N are sufficiently large, namely if for some fixed ε > 0, we have

τ ≥ N ≥ pm−3/92+ε . As we have mentioned, the period τ of any sequence (7) always satisfies τ ≤ pm . On the other hand, Theorem 10 and Corollary 11 are nontrivial for any period lengths. We note that the condition on T in Theorems 8 and 10 is not really restrictive as ‘‘typically’’ multiplicative orders modulo p−1 tend to be much larger; see [20,30] for various quantitative versions of this fact. Moreover, it is easy to see that the argument used in the proof of Theorems 8 and 10 works also under a weaker assumption that T ≥ pε for some fixed ε > 0 (however leads to a weaker final estimate). As we have mentioned, condition (10) can also be substantially relaxed. Namely, it is enough to assume that max

max gcd(eki , p − 1) ≤ p3/26−ε

i=1,...,m k=1,2,...

for some fixed ε > 0. Using the bounds of exponential sums of Bourgain [6], one can extend the family of admissible parameters even further (but this leads to less explicit results). In fact the approach used in Section 3 can be used to study some other generalisations of the power generator. For example, this also applies to sequences generated by iterations of polynomial systems with F1 = X1e L1 + L0 where L0 , L1 as well as F2 , . . . , Fm are nonconstant linear polynomials in Fp [X2 , . . . , Xm ]. For the monomial systems (2), one can also obtain nontrivial estimates by using the method of Bourgain [6, Section 7], which however is less explicit. Furthermore, if the exponent matrix (3) is of triangular form with ei,j = 0 for 1 ≤ j < i ≤ m, then our approach via the fully explicit estimates of Cochrane and Pinner [9] also applies. Acknowledgements During the preparation of this paper, A.O. was partially supported by the Swiss National Science Foundation Grant 133399 and I.S. was partially supported by the Australian Research Council Grant DP1092835. References [1] O. Ahmadi, I.E. Shparlinski, Bilinear character sums and the sum-product problem on elliptic curves, Proc. Edinb. Math. Soc. 53 (2010) 1–12. [2] V. Anashin, A. Khrennikov, Applied Algebraic Dynamics, Walter de Gruyter, Berlin, 2009. [3] W.D. Banks, J.B. Friedlander, M. Garaev, I.E. Shparlinski, Double character sums over elliptic curves and finite fields, Pure Appl. Math. Q. 2 (2006) 179–197. [4] W.D. Banks, J.B. Friedlander, M. Garaev, I.E. Shparlinski, Exponential and character sums with Mersenne numbers, Preprint, 2010. [5] L. Blum, M. Blum, M. Shub, A simple unpredictable pseudorandom number generator, SIAM J. Comput. 15 (1986) 364–383. [6] J. Bourgain, Mordell’s exponential sum estimate revisited, J. Amer. Math. Soc. 18 (2005) 477–499. [7] J.J. Brennan, B. Geist, Analysis of iterated modular exponentiation: the orbit of xα mod N, Des. Codes Cryptogr. 13 (1998) 229–245.

A. Ostafe, I.E. Shparlinski / Journal of Complexity 28 (2012) 238–249

249

[8] W.-S. Chou, I.E. Shparlinski, On the cycle structure of repeated exponentiation modulo a prime, J. Number Theory 107 (2004) 345–356. [9] T. Cochrane, C. Pinner, Explicit bounds on monomial and binomial exponential sums, Quart. J. Math. 62 (2011) 323–349. [10] T.W. Cusick, Properties of the x2 mod N pseudorandom number generator, IEEE Trans. Inform. Theory 41 (1995) 1155–1159. [11] T.W. Cusick, C. Ding, A. Renvall, Stream Ciphers and Number Theory, Elsevier, Amsterdam, 2003. [12] M. Drmota, R. Tichy, Sequences, Discrepancies and Applications, Springer-Verlag, Berlin, 1997. [13] E.D. El-Mahassni, On the distribution of the power generator modulo a prime power for parts of the period, Bol. Soc. Mat. Mexicana 13 (2007) 7–13. [14] E.D. El-Mahassni, On the distribution of the power generator over a residue ring for parts of the period, Rev. Mat. Complut. 21 (2008) 319–325. [15] E.D. El-Mahassni, I.E. Shparlinski, On the distribution of the elliptic curve power generator, in: Proc. 8th Conf. on Finite Fields and Appl., in: Contemp. Math., vol. 461, Amer. Math. Soc., Providence, RI, 2008, pp. 111–119. [16] R. Fischlin, C.P. Schnorr, Stronger security proofs for RSA and Rabin bits, J. Cryptology 13 (2000) 221–244. [17] J.B. Friedlander, J.S.dT. Hansen, I.E. Shparlinski, On character sums with exponential functions, Mathematika 47 (2000) 75–85. [18] J.B. Friedlander, J.S.dT. Hansen, I.E. Shparlinski, On the distribution of the power generator modulo a prime power, in: Proc. DIMACS Workshop on Unusual Applications of Number Theory, 2000, Amer. Math. Soc, 2004, pp. 71–79. [19] J.B. Friedlander, S.V. Konyagin, I.E. Shparlinski, Some doubly exponential sums over Zm , Acta Arith. 105 (2002) 349–370. [20] J.B. Friedlander, C. Pomerance, I.E. Shparlinski, Period of the power generator and small values of Carmichael’s function, Math. Comp. 70 (2001) 1591–1605. See also 71 (2002), 1803–1806. [21] J.B. Friedlander, I.E. Shparlinski, On the distribution of the power generator, Math. Comp. 70 (2001) 1575–1589. [22] M.Z. Garaev, Double exponential sums related to Diffie–Hellman distributions, Int. Math. Res. Not. IMRN 2005 (17) (2005) 1005–1014. [23] M.Z. Garaev, A.A. Karatsuba, New estimates of double trigonometric sums with exponential functions, Arch. Math. 87 (2006) 33–40. [24] F. Griffin, H. Niederreiter, I.E. Shparlinski, On the distribution of nonlinear recursive congruential pseudorandom numbers of higher orders, in: Lect. Notes in Comp. Sci., 1719, Springer-Verlag, Berlin, 1999, pp. 87–93. [25] F. Griffin, I.E. Shparlinski, On the linear complexity profile of the power generator, IEEE Trans. Inform. Theory 46 (2000) 2159–2162. [26] J. Gutierrez, D. Gomez-Perez, Iterations of multivariate polynomials and discrepancy of pseudorandom numbers, in: Lect. Notes in Comp. Sci., vol. 2227, Springer-Verlag, Berlin, 2001, pp. 192–199. [27] J. Håstad, M. Näslund, The security of individual RSA and discrete log bits, J. ACM 51 (2004) 187–230. [28] H. Iwaniec, E. Kowalski, Analytic Number Theory, Amer. Math. Soc., Providence, RI, 2004. [29] J.F. Koksma, Some Theorems on Diophantine Inequalities, in: Scriptum, vol. 5, Math. Centrum, Amsterdam, 1950. [30] P. Kurlberg, C. Pomerance, On the period of the linear congruential and power generators, Acta Arith. 119 (2005) 149–169. [31] J.C. Lagarias, Pseudorandom number generators in cryptography and number theory, in: Proc. Symp. in Appl. Math., vol. 42, Amer. Math. Soc., Providence, RI, 1990, pp. 115–143. [32] S. Lang, A. Weil, Number of points of varieties in finite fields, Amer. J. Math. 76 (1954) 819–827. [33] T. Lange, I.E. Shparlinski, Certain exponential sums and random walks on elliptic curves, Canad. J. Math. 57 (2005) 338–350. [34] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1996. [35] H. Niederreiter, I.E. Shparlinski, On the average distribution of inversive pseudorandom numbers, Finite Fields Appl. 8 (2002) 491–503. [36] H. Niederreiter, A. Winterhof, Exponential sums for nonlinear recurring sequences, Finite Fields Appl. 14 (2008) 59–64. [37] A. Ostafe, Multivariate permutation polynomial systems and pseudorandom number generators, Finite Fields Appl. (2010) 144–154. [38] A. Ostafe, Pseudorandom vector sequences derived from triangular polynomial systems with constant multipliers, in: Proc. Intern. Workshop on the Arith. of Finite Fields, Istanbul, WAIFI 2010, in: Lect. Notes in Comp. Sci., vol. 6087, SpringerVerlag, Berlin, 2010, pp. 62–72. [39] A. Ostafe, Pseudorandom vector sequences of maximal period generated by polynomial dynamical systems, Des. Codes Cryptogr. (in press). [40] A. Ostafe, E. Pelican, I.E. Shparlinski, On pseudorandom numbers from multivariate polynomial systems, Finite Fields Appl. 16 (2010) 320–328. [41] A. Ostafe, I.E. Shparlinski, On the degree growth in some polynomial dynamical systems and nonlinear pseudorandom number generators, Math. Comp. 79 (2010) 501–511. [42] A. Ostafe, I.E. Shparlinski, Pseudorandom numbers and hash functions from iterations of multivariate polynomials, Cryptogr. Commun. 2 (2010) 49–67. [43] A. Ostafe, I.E. Shparlinski, Degree growth, linear independence and periods of a class of rational dynamical systems, Preprint, 2011. [44] W.M. Schmidt, A lower bound for the number of solutions of equations over finite fields, J. Number Theory 6 (1974) 448–480. [45] M. Sha, On the cycle structure of repeated exponentiation modulo a prime power, Preprint, 2011. Available from: http://arxiv.org/abs/1101.3482. [46] M. Sha, S. Hu, Monomial dynamical systems of dimension one over finite fields, Acta Arith. 148 (2011) 309–331. [47] I.E. Shparlinski, On the linear complexity of the power generator, Des. Codes Cryptogr. 23 (2001) 5–10. [48] I.E. Shparlinski, On the average distribution of pseudorandom numbers generated by nonlinear permutations, Math. Comp. 80 (2011) 1053–1061. [49] R. Steinfeld, J. Pieprzyk, H. Wang, On the provable security of an efficient RSA-based pseudorandom generator, in: Proc. of ASIACRYPT 2006, in: Lecture Notes in Computer Science, vol. 4284, Springer-Verlag, 2006, pp. 194–209. [50] D.R. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, FL, 1995. [51] P. Szüsz, On a problem in the theory of uniform distribution, in: Comptes Rendus Premier Congrès Hongrois, Budapest, 1952, pp. 461–472 (in Hungarian). [52] T. Vasiga, J.O. Shallit, On the iteration of certain quadratic maps over GF(p), Discrete Math. 277 (2004) 219–240.