Exponential sums of nonlinear congruential pseudorandom number generators with Rédei functions

Finite Fields and Their Applications 14 (2008) 410–416 http://www.elsevier.com/locate/ffa

Exponential sums of nonlinear congruential pseudorandom number generators with Rédei functions Jaime Gutierrez a,∗ , Arne Winterhof b a Faculty of Sciences, University of Cantabria, E-39071 Santander, Spain b Johann Radon Institute for Computational and Applied Mathematics (RICAM), Austrian Academy of Sciences,

Altenbergerstr. 69, 4040 Linz, Austria Received 31 October 2006; revised 11 March 2007 Available online 7 April 2007 Communicated by Gary L. Mullen Dedicated to Peter M. Gruber on the occasion of his 65th birthday

Abstract The nonlinear congruential method is an attractive alternative to the classical linear congruential method for pseudorandom number generation. We give new bounds of exponential sums with sequences of iterations of Rédei functions over prime finite fields, which are much stronger than bounds known for general nonlinear congruential pseudorandom number generators. © 2007 Elsevier Inc. All rights reserved. Keywords: Exponential sums; Nonlinear congruential generator; Rédei functions; Cryptography

1. Introduction For an integer q > 1 we denote by Zq the residue ring modulo q and always assume that it is represented by the set {0, 1, . . . , q − 1}. As usual, we denote by Uq the set of invertible elements of Zq . Accordingly, for a prime p, we denote by Fp ∼ = Zp the field of p elements and as before, we assume that it is represented by the set {0, 1, . . . , p − 1}. In particular, sometimes, where obvious, we treat elements of Zq and Fp as integers in the above range. * Corresponding author.

E-mail addresses: [email protected] (J. Gutierrez), [email protected] (A. Winterhof). 1071-5797/$ – see front matter © 2007 Elsevier Inc. All rights reserved. doi:10.1016/j.ffa.2007.03.004

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

411

Given a polynomial F (X) ∈ Fp [X] of degree at least 2, we define the nonlinear congruential generator (xn ) of elements of Fp by the recurrence relation xn+1 ≡ F (xn )

(mod p),

n = 0, 1, . . . ,

(1)

with some initial value x0 . Recently in [7], a new method has been invented to study the distribution of such sequences for arbitrary polynomials F (X) by estimating exponential sums, see also recent surveys [6,9, 10,13]. Unfortunately, for general polynomials, this method leads to rather weak bounds. However, in the special case of the inversive congruential generator this method leads to a much stronger bound [8]. For two other special classes of polynomials, namely for monomials and Dickson polynomials an alternative approach, producing much stronger bounds has been proposed in [1–3]. This article deals with another special case of the nonlinear congruential pseudorandom number generator constructed via Rédei functions defined in the sequel. Suppose that r(X) = X 2 − αX − β ∈ Fp [X] is an irreducible quadratic polynomial with the two different roots ξ and ζ = ξ p in Fp2 . Then any polynomial b(X) ∈ Fp2 [X] can uniquely be written in the form b(X) = g(X) + h(X)ξ with g(X), h(X) ∈ Fp [X]. For a positive integer e we consider the elements (X + ξ )e = ge (X) + he (X)ξ.

(2)

Note that ge (X) and he (X) do not depend on the choice of the root ξ of r(X). Evidently, e is the degree of the polynomial ge (X), and he (X) has degree at most e − 1, where equality holds if and only if gcd(e, p) = 1 (see also [4, p. 22], [12]). The Rédei function Re (X) of degree e is then given by Re (X) =

ge (X) . he (X)

The following facts can be found in [11]. The Rédei function Re (X) is a permutation of Fp if and only if gcd(e, p + 1) = 1, the set of these permutations is a group with respect to the composition which is isomorphic to the group of units of Zp+1 . In particular for indices m, n with gcd(m, p + 1) = gcd(n, p + 1) = 1 we have     Rm Rn (u) = Rmn (u) = Rn Rm (u)

for all u ∈ Fp .

(3)

For further background on Rédei functions we refer to [4,11,12]. We consider generators (un ) defined by un+1 = Re (un ),

n  0,

gcd(e, p + 1) = 1,

with a Rédei permutation Re (X) and some initial element u0 ∈ Fp . Note that each mapping over Fp can be uniquely represented by a polynomial of degree at most p − 1 and therefore the generator (un ) belongs to the class of nonlinear congruential pseudorandom number generators (1).

412

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

The sequences (un ) are purely periodic, the period length T divides ϕ(p + 1), where ϕ denotes Euler’s totient function. For details we refer to [11, Lemma 3.5]. For a ∈ F∗p we define the exponential sum Se (a) =

T −1

ep (aun ),

n=0

where ep (z) = exp(2πiz/p) for z ∈ Fp . We apply the method of [1,3] to obtain an upper bound on sums |Se (a)|. We remark, however, that several specific properties of X e do not hold for Re (X) thus our result is slightly weaker than that of [1]. Although we follow the same general method of bounding exponential sums as in [3] the details of the crucial step that a certain auxiliary mapping, see (6) below, is not constant is much more intricate. 2. Preliminaries We recall Lemma 2 from [1]. Lemma 1. For any set K ⊆ Ut of cardinality #K = K, any fixed 1  δ > 0 and any integer t  h  t δ there exists an integer r ∈ Ut such that the congruence rk ≡ y

(mod t),

k ∈ K, 0  y  h − 1,

has Lr (h) 

Kh t

solutions (k, y). Note that each k corresponds at most one solution (k, y). We also need the following bound on exponential sums [5, Theorem 2]. Lemma 2. Let p be a prime and f/g be a rational function over Fp . Let v be the number of distinct roots of the polynomial g in the algebraic closure Fp of Fp . Suppose that f/g is not constant. Then         f (ξ )     max deg(f ), deg(g) + v ∗ − 2 p 1/2 + δ, ep  g(ξ )  ξ ∈Fp , g(ξ )=0

where v ∗ = v and δ = 1 if deg(f )  deg(g), and v ∗ = v + 1 and δ = 0 otherwise. 3. Main result Let t be the smallest positive integer for which Re (u0 ) ≡ Rf (u0 ) (mod p) whenever e ≡ f (mod t). Note that t | p + 1 and T is the multiplicative order of e modulo t.

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

413

Theorem 3. For every fixed integer ν  1,    2ν+1 1 ν+2  max∗ Se (a) = O T 1− 2ν(ν+1) t 2(ν+1) p 4ν(ν+1) ,

a∈Fp

where the implied constant depends only on ν. Proof. We put  ν h = t ν+1 T

−ν ν+1

1 p 2(ν+1) .

Since otherwise the result is trivial we may assume h < p −1/2 T < t. Because t  T , for this choice of h we obtain h  p 1/2(ν+1) , thus Lemma 1 applies. Because the sequence (un ) is purely periodic, for any k ∈ Zt , we have: Se (a) =

T 

  ep aRen+k (u0 ) .

(4)

n=1

Let K be the subgroup of Ut generated by e. Thus #K = T . We select r as in Lemma 1 and let L be the subset of K which satisfies the corresponding congruence. We denote L = #L. In particular, L  hT /t. By (4) we have LSe (a) =

T  

  ep aRen+k (u0 ) .

n=1 k∈L

Applying the Hölder inequality, we derive  T    2ν   2ν 2ν−1   ep aRen+k (u0 )  . L Se (a)  T  2ν 

(5)

n=1 k∈L

Let 1  s  t − 1, be defined by the congruence rs ≡ 1 (mod t). By (3) we obtain   Ren+k (u0 ) ≡ Ren+k rs (u0 ) ≡ Rrek Rsen (u0 )

(mod p).

Obviously, the values of sen , n = 1, . . . , T , are pairwise distinct modulo t. Thus, from the definition of t, we see that the values of Rsen (u0 ) are pairwise distinct modulo p. Therefore, from (5) we derive      2ν  2ν   . L2ν Se (a)  T 2ν−1 aR e (u) k p re   u∈Fp k∈L

Denoting F = {rek | k ∈ L} we deduct

414

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

L



2ν 

     2ν 2ν 2ν−1   Se (a)  T ep aRf (u)   u∈Fp f ∈F

T

2ν−1





 ν    Rfj (u) − Rfν+j (u) . a

ep

f1 ,...,f2ν ∈F u∈Fp

j =1

For the case that (fν+1 , . . . , f2ν ) is a permutation of (f1 , . . . , fν ), we use the trivial bound for the inner sum over u, which gives the total contribution O(Lν p). Otherwise, we claim that the rational function Ψf1 ,...,f2ν (X) =

ν    Rfj (X) − Rfν+j (X)

(6)

j =1

is non-constant. In fact, there exist {k1 , . . . , kU } ⊂ {f1 , . . . , fν , fν+1 , . . . , f2ν } and c1 , . . . , cU ∈ F∗p with 1  k1 < k2 < · · · < k U ,

1 < U  2ν,

satisfying Ψf1 ,...,f2ν (X) =

U  i=1

ci

gki (X) . hki (X)

Multiplying with H (X) =

U

hki (X)

i=1

we get the polynomial G(X) =

U 

ci gki (X)



hkj (X).

j =i

i=1

With (2) we obtain (X + ξ )k − (X + ζ )k = (ξ − ζ )hk (X). Hence, hk (x0 ) = 0 if and only if 

x0 + ξ x0 + ζ

k = 1,

(7)

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

415

i.e., (x0 + ξ )/(x0 + ζ ) is a kth root of unity. We may assume kU  f2ν < p. Let ρ be a primitive kU th root of unity in an appropriate extension field of Fp . We note by (7) that ρ = 1. Then x0 =

ξ − ρζ ρ −1

is a root of hkU and hkj (x0 ) = 0 for the remaining hkj that appear in H (X), and G(x0 ) = cU gkU (x0 )



hkj (x0 ).

1j
It can easily be seen with (2) that gkU (x0 ) = 0, thus G(x0 ) = 0 and hence G(X) is not the zero polynomial. Taking into account that deg gf = f , deg hf  f − 1 and max fj  max f < h

j =1,...,2ν

f ∈F

we have Ψf1 ,...,f2ν (X) = G(X)/H (X),

deg H, deg G < 2νh.

Since G(x0 ) = 0 but H (x0 ) = 0 the rational function G(X)/H (X) cannot be constant and Lemma 2 applies. We obtain that the total contribution from such terms is O(L2ν hp 1/2 ). Hence 2ν     L2ν Se (a) = O T 2ν−1 Lν p + L2ν hp 1/2 . So this leads us to the bound      Se (a)2ν = O T 2ν−1 L−ν p + hp 1/2 . Recalling that L  hT /t, we derive      Se (a)2ν = O T 2ν−1 t ν T −ν h−ν p + hp 1/2 . Substituting the selected value of h, which balances both terms in the above estimate, we finish the proof. 2 Acknowledgments The first author is partially supported by the research project MTM2004-07086 of the Spanish Ministry of Science and Technology. The second author is supported by the Austrian Academy of Sciences and by the grant P19004-N18 of the Austrian Science Fund (FWF). Parts of the paper were written during a visit of A.W. to the University of Cantabria. He wishes to thank for the hospitality and financial support. He also wishes to thank the doctors and nurses of the University Hospital of Valdecilla.

416

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

References [1] J.B. Friedlander, J. Hansen, I.E. Shparlinski, On character sums with exponential functions, Mathematika 47 (2000) 75–85. [2] J.B. Friedlander, I.E. Shparlinski, On the distribution of the power generator, Math. Comp. 70 (2001) 1575–1589. [3] D. Gomez-Perez, J. Gutierrez, I.E. Shparlinski, Exponential sums with Dickson polynomials, Finite Fields Appl. 12 (2006) 16–25. [4] R. Lidl, G.L. Mullen, G. Turnwald, Dickson Polynomials, Pitman Monogr. Surveys Pure Appl. Math., Longman, London, 1993. [5] C.J. Moreno, O. Moreno, Exponential sums and Goppa codes: I, Proc. Amer. Math. Soc. 111 (1991) 523–531. [6] H. Niederreiter, Design and analysis of nonlinear pseudorandom number generators, in: Monte Carlo Simulation, Balkema, Rotterdam, 2001, pp. 3–9. [7] H. Niederreiter, I.E. Shparlinski, On the distribution and lattice structure of nonlinear congruential pseudorandom numbers, Finite Fields Appl. 5 (1999) 246–253. [8] H. Niederreiter, I.E. Shparlinski, On the distribution of inversive congruential pseudorandom numbers in parts of the period, Math. Comp. 70 (2001) 1569–1574. [9] H. Niederreiter, I.E. Shparlinski, Recent advances in the theory of nonlinear pseudorandom number generators, in: Proc. Conf. on Monte Carlo and Quasi-Monte Carlo Methods, 2000, Springer-Verlag, Berlin, 2002, pp. 86–102. [10] H. Niederreiter, I.E. Shparlinski, Dynamical systems generated by rational functions, in: Lecture Notes in Comput. Sci., vol. 2643, Springer-Verlag, Berlin, 2003, pp. 6–17. [11] R. Nöbauer, Rédei-Permutationen endlicher Körper, in: J. Czermak, et al. (Eds.), Contributions to General Algebra, vol. 5, Hölder-Pichler-Tempsky, Vienna, 1987, pp. 235–246. [12] L. Rédei, Über eindeutig umkehrbare Polynome in endlichen Körpern, Acta Sci. Math. 11 (1946) 85–92. [13] A. Topuzo˘glu, A. Winterhof, Pseudorandom sequences, in: Topics in Geometry, Cryptography and Coding Theory, Springer-Verlag, Berlin, 2006.