- Email: [email protected]
On pseudorandomness of families of binary sequences
Discrete Applied Mathematics (
)
–
Contents lists available at ScienceDirect
Discrete Applied Mathematics journal homepage: www.elsevier.com/locate/dam
On pseudorandomness of families of binary sequences András Sárközy Eötvös Loránd University, Department of Algebra and Number Theory, H-1117 Budapest, Pázmány Péter sétány 1/C, Hungary
article
abstract
info
Article history: Received 18 February 2015 Received in revised form 28 July 2015 Accepted 31 July 2015 Available online xxxx Dedicated to the memory of Levon H. Khachatrian Keywords: Pseudorandom Family of binary sequences Family complexity Collision Distance minimum Avalanche effect Cross-correlation measure
In cryptography one needs large families of binary sequences with strong pseudorandom properties. In the last decades many families of this type have been constructed. However, in many applications it is not enough if our family of ‘‘good’’ sequences is large, it is more important to know that it has a rich, complex structure, and the sequences in the family are ‘‘independent’’, and they are ‘‘far apart’’. Thus various measures have been introduced and applied for studying pseudorandomness of families of binary sequences: family complexity, collision, distance minimum, avalanche effect and cross-correlation measure. In this paper a survey of all these definitions and results will be presented. © 2015 Elsevier B.V. All rights reserved.
1. The measures of pseudorandomness of binary sequences Finite binary sequences with strong pseudorandom (briefly PR) properties play a crucial role in cryptography, in particular, they can be used as key sequence in the Vernam cipher. In order to decide whether a certain sequence can be used for such a purpose one needs quantitative measures for pseudorandomness of binary sequences. A classical measure of this type is the linear complexity. However, it measures only one rather special (although important) property, and if we want to be sure that the sequence can be used securely then we also have to check other properties. Thus in 1997 Mauduit and Sárközy [28] (and later others) introduced further PR measures. Here we will need only the two most important measures of this type: Consider the binary sequence EN = (e1 , e2 , . . . , eN ) ∈ {−1, +1}N . Then the well-distribution measure of EN is defined as
t −1 W (EN ) = max ea+jb a,b,t j =0
where the maximum is taken over all a, b, t such that a, b, t ∈ N and 1 6 a < a + (t − 1)b 6 N, while the correlation measure of order k of EN is defined as
M
Ck (EN ) = max M ,D
n=1
en+d1 en+d2 . . . en+dk
E-mail address: [email protected]. http://dx.doi.org/10.1016/j.dam.2015.07.031 0166-218X/© 2015 Elsevier B.V. All rights reserved.
2
A. Sárközy / Discrete Applied Mathematics (
)
–
where the maximum is taken over all D = (d1 , d2 , . . . , dk ) and M such that 0 6 d1 < d2 < · · · < dk 6 N − M. Then the sequence EN is considered as a ‘‘good’’ PR sequence if both measures W (EN ) and Ck (EN ) (at least for small k) are ‘‘small’’ in terms of N. This terminology is justified by the fact that for a (truly) random sequence EN ∈ {−1, +1}N both W (EN ) and, for fixed k, Ck (EN ) are around N 1/2 (up to a logarithmic factor) with probability near 1 (which was proved later by Cassaigne, Mauduit and Sárközy [8], and sharpened by Alon, Kohayakawa, Mauduit, Moreira and Rödl [3]). Since that many constructions have been given for binary sequences possessing strong PR properties (in terms of these measures), and further measures of pseudorandomness of binary sequences have been introduced; a survey of all these results has been given by Gyarmati [16]. 2. The measures of pseudorandomness of families of binary sequences In many applications, e.g. in cryptography it is not enough to construct a few ‘‘good’’ PR binary sequences; one usually needs large families of them. One of the first constructions of this type was given by Goubin, Mauduit and Sárközy [15]; their construction used the Legendre symbol and polynomials, we will return to it. In the last decades many further large families of ‘‘good’’ PR binary sequences have been constructed. However, in many applications, e.g. in cryptography it is not enough to know that our family of ‘‘good’’ sequences is large; it is more important to know that the family has a rich, complex structure, and the sequences in the family are ‘‘independent’’ and they are ‘‘far apart’’ in a well-defined sense. Thus various measures have been introduced and applied for studying pseudorandomness of families of binary sequences: family complexity, collision, distance minimum, avalanche effect and cross-correlation measure. In this paper my goal is to present a survey of all these measures and their applications. It should be noted that some of these measures have been deep roots: variants of them have been used since many decades, and they are still intensively studied in certain closely related fields. Some of these fields are (I will also include a reference to an important survey paper or a paper of basic importance in the field): the cross-correlation of order 2 (see the survey papers [13] and [23]); linear complexity for ‘‘multisequences’’ (see [30]); arithmetic crosscorrelations (which started in [14]); merit factor (see [24]); Boolean functions (sequences of length N = 2n can be identified with Boolean functions; see [7] and [9]). (There are further references in the papers surveyed below.) It would be hopeless to try to overview all these fields and the related results in them. Thus here I will focus on those recent papers in which an attempt has been made to develop a comprehensive, constructive and quantitative approach to the pseudorandomness of families of binary sequences. 3. The family complexity The most important measure of pseudorandomness of families of binary sequences is, perhaps, the family complexity which was introduced in 2003 by Ahlswede, Khachatrian, Mauduit and Sárközy [1]: Definition 1. The family complexity or briefly f -complexity Γ (F ) of a family F of binary sequences EN ∈ {−1, +1}N is defined as the greatest integer j so that for any 1 6 i1 < · · · < ij 6 N and (E1 , . . . , Ej ) ∈ {−1, +1}j there is at least one sequence EN = (e1 , . . . , eN ) ∈ F which satisfies the ‘‘j-specification’’ ei1 = E1 , . . . , eij = Ej . The f complexity of F is denoted by Γ (F ). (If there is no j ∈ N with the property above, then we set Γ (F ) = 0.) It was explained in [1] in the following way why it is important to know that our family F of binary sequences constructed by the given PR generator (the so-called ‘‘key space’’) is of high f -complexity: Assume that Γ (F ) = K is a ‘‘large’’ even number, and someone tries to break the code by determining the key sequence (taken from F ). Suppose he is able to determine K /2 bits of it (at certain positions). Can he use this information? Take any other K /2 positions, and consider all the possible ±1 choices at these positions: this gives 2K /2 possibilities, and by the definition of K , each of these possibilities occurs in at least one sequence of F . Thus there are at least 2K /2 (exponentially many!) possibilities to extend the known bits into a possible key occurring in the key space, so that the attacker has to check exponentially many possibilities to find the right key! Quoting [1]: ‘‘We conclude if we can construct a family F of high f -complexity and of ‘‘good’’ PR binary sequences, then the cryptosystem based on it (as described above) has good security properties.’’ Indeed, this consideration was followed in [1] by the construction of such a family (which was a variant of the constructions of Goubin, Mauduit and Sárközy [15] mentioned earlier and of Sárközy and Stewart [32]). Theorem 1. Let p be a prime number, K ∈ N, L ∈ N and
(4K )L < p. Consider all the polynomials f (x) ∈ Fp [x] with the properties that 0 < degree f (x) 6 K and f (x) has no multiple zero in Fp .
(1)
A. Sárközy / Discrete Applied Mathematics (
)
–
3
For each of these polynomials f (x), consider the binary sequence Ep = Ep (f ) = (e1 , e2 , . . . , ep ) ∈ {−1, +1}p defined by
en =
f (n) p
...
(where
p
for (f (n), p) = 1, for p | f (n)
+1
is the Legendre symbol) and let F denote the family of all the binary sequences obtained in this way. If K is ‘‘not
very large’’ K = po(1) , then
every Ep ∈ F possesses strong PR properties
(2)
(both W (Ep ) and Ck (Ep ) for small k are small, see [1] for the exact formulas), and we also have
Γ (F ) > K .
(3)
(Note: it is easy to see by a simple counting argument that Γ (F ) < cK log p so that our upper bound (3) is sharp apart from the factor c log p.) (2) was derived from the earlier results of Goubin, Mauduit and Sárközy [15], while (3) was proved by using elementary algebra (in particular, Lagrange interpolation) and some elementary number theory. In the second half of the paper the cardinality of the smallest family achieving a prescribed f -complexity was estimated. The following result has been proved (presented here in a simplified form): Theorem 2. For K > 4 the cardinality S (N , K ) of a smallest family F ∈ {−1, +1}N with f -complexity Γ (T ) 6 K satisfies 2K 6 S (N , K ) 6 2K log
N K
2K 6 2K K log N .
The proof is based on a ‘‘covering lemma’’ of Ahlswede. In 2009 Gyarmati [17] improved on the lower bound (3) in Theorem 1: she added a factor log p to it which makes the lower bound best possible apart from the constant factor. More precisely, modify the definition of the family F in Theorem 1 by changing assumption (1) for 0 6 degree f (x) 6 K
(1′ )
(i.e., we add the constant polynomials), and denote this new family by F ′ . She proved that 1 + o(1)
K 2 log 2
log p < Γ (F ′ )
(and Γ (F ′ ) is still less than cK log p trivially); so that she determined the order of magnitude of Γ (F ′ )! This is an unexpectedly sharp, very strong result, with a very elegant and tricky proof. While we constructed sequences satisfying the given specification, she proved existence; by a tricky averaging argument involving products of linear polynomials she was able to force out the applicability of Weil’s theorem, and in this way she could also handle larger specifications. In a very recent paper Gyarmati [18] has extended her result to K values much greater in terms of N. In 2004 Gyarmati [19] studied a large family constructed by using the discrete logarithm and polynomials, while in 2008 Folláth [11] presented a construction by using finite fields of characteristic 2, their additive characters and polynomials, and they both gave good estimates for the family complexity of the family constructed by them (their estimates are sharp apart from a logarithm factor). The notion of family complexity has been extended in various directions: to sequences of k symbols (Ahlswede, Mauduit and Sárközy [2]); to binary lattices, i.e., to the multidimensional case (Gyarmati, Mauduit and Sárközy [20]); to subsets of sets (Balasubramanian, Dartyge and Mosaki [5]). The notion of VC -dimension originates in a paper of Vapnik and Chervonenkis [36], and Alon and Spencer [4, p. 243] formulate its definition in the following way: ‘‘A range space S is a pair of (X , R), where X is a (finite or infinite) set and R is a (finite or infinite) family of subsets of X . The members of X are called points and those of R are called ranges. If A is a subset of X then PR (A) = {r ∩ A : r ∈ R} is the projection of R and A. In case this projection contains all subsets of A we say that A is shattered. The Vapnik–Chervonenkis dimension (or VC-dimension) of S, denoted by VC (S ), is the maximum cardinality of a shattered subset of X . If there are arbitrarily large shattered subsets then VC (S ) = ∞’’. Answering a question of Csiszár and Gách, Mauduit and Sárközy [29] studied the connection between family complexity and VC-dimension.
4
A. Sárközy / Discrete Applied Mathematics (
)
–
4. Collision, distance minimum, avalanche effect Collision and avalanche effect are the most classical notions related to pseudorandomness of families of binary sequences; they appear, e.g., in [6,10,25] and [31]. In order to introduce these notions here I will use the presentation of Tóth [33]. Let N ∈ N, S be a given set (e.g., a set of certain polynomials or {−1, +1}M with M much smaller than N) called parameter set, and for each s ∈ S assign a unique binary sequence EN = EN (s) = (e1 , e2 , . . . , eN ) ∈ {−1, +1}N . Denote the family of the binary sequences EN (s) obtained in this way by F = F (S ):
F = F (S ) = EN (s) : s ∈ S .
(4)
Definition 2. If s ∈ S , s′ ∈ S , s ̸= s′ and EN (s) = EN (s′ ),
(5)
then (5) is said to be a collision in F = F (S ). If there is no collision in F , then it is said to be collision free. A ‘‘good’’ family of PR binary sequences is expected to be collision free. Definition 3. If F is a family of form (4) and for any s ∈ S changing s for any s′ ∈ S , s′ ̸= s changes ‘‘many’’ elements (i.e. for s ̸= s′ ‘‘many’’ elements of EN (s) and EN (s′ ) in the same positions are different), then we speak about avalanche effect, and we say that F possesses the avalanche property. If for any s, s′ ∈ S , s ̸= s′ at least 21 − o(1) N elements of EN (s) and EN (s′ ) are different, then F is said to have the strict avalanche property. Definition 4. If N ∈ N, EN = (e1 , e2 , . . . , eN ) ∈ {−1, +1}N and EN ′ = e1 ′ , e2 ′ , . . . , eN ′ ∈ {−1, +1}N , then the distance d(EN , EN ′ ) between EN and EN ′ is defined by
d EN , EN ′ = n : 1 6 n 6 N , en ̸= en ′
(i.e., d(EN , EN ′ ) is the Hamming distance between the two sequences). The distance minimum m(F ) of the family (4) is defined by m(F ) = min d EN (s), EN (s′ ) .
s,s′ ∈S s̸=s′
Then clearly, F in (4) is collision free if and only if m(F ) > 0, and it possesses the strict avalanche property if m(F ) >
1 2
− o(1) N .
Definitions 2–4 can be extended easily to the case when no parameter set is given. In two papers Tóth [33,34] studied two families of binary sequences. In the first paper she proved the following theorem: Theorem 3. Let S be the set of the polynomials f (x) ∈ Fp [x] of degree D > 2 which do not have multiple zeros. Define Ep = Ep (f ) = (e1 , e2 , . . . , ep ) by en =
f (n) p +1
if (f (n), p) = 1, if p | f (n)
(as in Theorem 1) and F = F (S ) by
F = F (S ) = Ep (f ) : f ∈ S .
Then we have m(F ) >
1 p − (2D − 1)p1/2 − 2D . 2 p1/2 , 2
It follows from this result that if D < F possesses the strict avalanche property.
then m(F ) > 0 so that F is collision free, and if p → ∞ and D = o(p1/2 ), then
In the second paper she constructed a family by using polynomials over Fp and additive characters, and showed that there are many collisions in this family (studied in [27]), however, it possesses a large subset which is collision free. Folláth [12] studied the notions introduced in Definitions 2–4 in a variant of his construction based on finite fields of characteristic 2 and their additive characters which was mentioned in Section 3. Liu [26] studied collisions and avalanche effect in another family of pseudorandom binary sequences. The notions of collision and avalanche effect can be extended easily to sequences of k symbols (k-ary sequences). Tóth [35] studied these notions in such a family of sequences introduced by Ahlswede, Mauduit and Sárközy in [2].
A. Sárközy / Discrete Applied Mathematics (
)
–
5
5. The cross-correlation measure In [21] Gyarmati, Mauduit and Sárközy introduced a new measure of pseudorandomness of families of binary sequences called cross-correlation measure. Recall that in order to measure the pseudorandomness of a single binary sequence EN we used the correlation of order k, i.e. Ck (EN ) which compares the different elements of the given sequence; this is an autocorrelation type quantity. In order to study a family of sequences it is natural to compare elements of different sequences taken from the family, i.e., to consider a cross-correlation type quantity involving different sequences. Thus the following definition was proposed in [21]: Definition 5. Let F be a family of binary sequences of length N given in parametric form:
F = F (S ) = EN (s) : s ∈ S .
(1)
(1)
(k)
(k)
Let N ∈ N, k ∈ N, and for any k binary sequences EN = EN (s1 ), . . . , EN = EN (sk ) with (i)
(i)
(i)
EN = e1 , . . . , eN
∈ {−1, +1}N (for i = 1, 2, . . . , k)
and any M ∈ N and k-tuple D = (d1 , . . . , dk ) of non-negative integers with 0 6 d1 6 . . . 6 dk < M + dk 6 N ,
(6)
write
(k)
(1)
Vk EN , . . . , EN , M , D =
M
(k)
(1)
en+d1 . . . en+dk .
n=1
Let
(k) (1) = max Vk EN(1) , . . . , EN(k) , M , D Ck EN , . . . , EN M ,D
where the maximum is taken over all D = (d1 , . . . , dk ) and M 6 N satisfying (6) with the additional restriction that if (j) (j) (i) (i) for some i ̸= j we have si = sj (thus also EN = EN (si ) = EN (sj ) = EN ), then we must not have di = dj . Then the cross-correlation measure of order k of the family F is defined as
(k) (1) Φk (F ) = max Ck EN , . . . , EN
(1)
(k)
where the maximum is taken over all k-tuples EN , . . . , EN
(i)
with EN for i = 1, 2, . . . , k.
Then by the definition of Ck clearly we have Ck (EN , . . . , EN ) = Ck (EN ), thus by the definition of Φk (F ) we have
(1) (k) Φk (F ) = max Ck EN , . . . , EN > max Ck (EN , . . . , EN ) = max Ck (EN ) EN ∈F
EN ∈F
so that we have proved Proposition 1. We have
Φk (F ) > max Ck (EN ). EN ∈F
Thus if Φk (F ) is small for all small k’s, then Ck (EN ) also must be small for all the single sequences EN ∈ F , and then W (EN ) is also small by the inequality W (EN ) 6 NC2 (EN )
1/2
(proved by Cassaigne, Mauduit and Sárközy [8]). Thus the fact that Φk (F ) is small (for all small k) implies that F consists of sequences possessing strong PR properties. We also showed that Proposition 2. If N ∈ N and EN = (e1 , . . . , eN ) ∈ F , EN ̸= EN′ = (e′1 , . . . , e′N ) ∈ F , F ∈ {−1, +1}N , then we have
1 d(EN , E ′ ) − N 6 1 C2 (EN , EN′ ) 6 Φ2 (F ). N 2 2 2
6
A. Sárközy / Discrete Applied Mathematics (
)
–
It follows from this that Proposition 3. If N ∈ N, F ⊂ {−1, +1}N and
Φ2 (F ) = o(N ), then the family F possesses the strict avalanche property. Probably fora random familyF of binary sequences of length N with fixed |F | = k = exp o(N ) the cross-correlation Φk (F ) is small ≪ N 1/2 (log N )c ; this is unproved yet. (Mérai is working on this problem.) Next we studied the connection between the family complexity Γ (F ) and the cross-correlations Φk (F ). It was shown by two examples that they are independent: it may occur that for a family F the family complexity Γ (F ) is ‘‘good’’ (large) but Φk (F ) is ‘‘bad’’ (it is also large), and reversely, it is possible that Φk (F ) is ‘‘good’’ (small) but Γ (F ) is ‘‘bad’’ (it is also small) so that both Γ (F ) and Φk (F ) have to be studied. Finally, in [21] two Goubin–Mauduit–Sárközy [15] type families were considered and it was shown that their cross-correlations are small: Theorem 4. Let d ∈ N, p be a prime, d < p, consider all the irreducible polynomials f (x) ∈ Fp [x] of the form f (x) = xd + a2 xd−2 + a3 xd−3 + · · · + ad , and let F1 denote the family of the binary sequences Ep = Ep (f ) = (e1 , . . . , ep ) assigned to these polynomials f by the formula
en =
f (n) p +1
for (f (n), p) = 1, for p | f (n)
(for n = 1, 2, . . . , p).
(7)
Then we have
(i) Φk (F1 ) < 10kdp1/2 log p for all k ∈ N, 1 < k < p and
(ii) if d < p1/2 /20 log p, then F1 > p[d/3]−1 . This theorem gives ‘‘good’’ (small) upper bound for Φk , and the size of the family is also ‘‘good’’ (large). However, this theorem also has a weakness: no good algorithm is known for constructing ‘‘many’’ irreducible polynomials over Fp . Consequently, this theorem proves only existence but it does not give a real construction. Thus there was another theorem of more constructive type proved in [21] on a variant of the family constructed by Sárközy and Stewart in [32]: Theorem 5. Let d ∈ N, d odd, d < p, and consider all the polynomials f (x) ∈ Fp [x] of the form f (x) = (x − x1 )(x − x2 ) . . . (x − xd ) where x1 , x2 , . . . , xd are distinct elements of Fp , and x1 + x2 + · · · + xd = 0. Let F2 denote the family of the binary sequences Ep = Ep (f ) assigned to these polynomials by (7) (as in Theorem 4). Then we have
(i) Φk (F2 ) < 10kdp1/2 log p if k = 2 or k is odd, and
1 . (ii) F2 = 1d pd− −1 In [22] Gyarmati, Mauduit and Sárközy started out from the assumption that a binary sequence is given with strong PR properties, and they presented an algorithm which prepares many further binary sequences from the given one. They showed that if certain conditions hold, then each of the sequences obtained in this way also possesses strong PR properties. Moreover, they also proved that under appropriate conditions the family complexity of the large family obtained in this way is large. On the other hand, they presented examples showing that the cross-correlation of the family constructed can be large. It is a challenging problem to find large families with both small crosscorrelation (up to possibly large order) and large f -complexity. A partial result was proved in this direction in a very recent paper by Winterhof and Yayla [37]: they estimated the family complexity of a family of binary sequences in terms of the cross-correlation measure of its dual family, and they applied this result to show that a certain family (not very large in terms of the length of the sequences) has both a large family complexity and a small cross-correlation measure up to a rather large order.
A. Sárközy / Discrete Applied Mathematics (
)
–
7
Acknowledgments The author would like to thank the anonymous referee for a number of interesting comments and important references which are incorporated in this final form of the paper. Research partially supported by Hungarian National Foundation for Scientific Research, Grants No. K100291 and NK104183. References [1] R. Ahlswede, L.H. Khachatrian, C. Mauduit, A. Sárközy, A complexity measure for families of binary sequences, Period. Math. Hungar. 46 (2003) 107–118. [2] R. Ahlswede, C. Mauduit, A. Sárközy, Large families of pseudorandom sequences of k symbols and their complexity, I–II, in: R. Ahlswede, et al. (Eds.), General Theory of Information Transfer and Combinatorics, in: LNCS, vol. 4123, Springer, Berlin, 2006, pp. 293–307 and 308–325. [3] N. Alon, Y. Kohayakawa, C. Mauduit, C.G. Moreira, V. Rödl, Measures of pseudorandomness for finite sequences: Typical values, Proc. Lond. Math. Soc. 95 (2007) 778–812. [4] N. Alon, J.H. Spencer, The Probabilistic Method, third ed., Wiley, Hoboken, 2008. [5] R. Balasubramanian, C. Dartyge, E. Mosaki, Sur la complexité de familles d’ensembles pseudo-aléatoires, arXiv:1302.4622v1 [math.NT]. [6] A. Bérczes, J. Ködmön, A. Pethő, A one-way function based on norm form equations, Period. Math. Hungar. 49 (2004) 1–13. [7] C. Carlet, in: Y. Crama, P.L. Hammer (Eds.), Boolean Functions for Cryptography and Error Correcting Codes, chapter of the monograpy Boolean Models and Methods in Mathematics, Computer Science and Engineering, Cambridge University Press, 2010, pp. 257–397. [8] J. Cassaigne, C. Mauduit, A. Sárközy, On finite pseudorandom binary sequences VII: The measures of pseudorandomness, Acta Arith. 103 (2002) 97–118. [9] T.W. Cusick, P. Stănică, Cryptographic Boolean functions and applications, Elsevier/Academic Press, Amsterdam, 2009. [10] H. Feistel, W.A. Notz, J.L. Smith, Some cryptographic techniques for machine-to-machine data communications, Proc. IEEE 63 (1975) 1545–1554. [11] J. Folláth, Construction of pseudorandom binary sequences using additive characters over GF (2k ), Period. Math. Hungar. 57 (2008) 73–81. [12] J. Folláth, Construction of pseudorandom binary sequences using additive characters over GF (2k ), II, Period. Math. Hungar. 60 (2010) 127–135. [13] G. Gong, Character sums and polyphase sequence families with low correlation, discrete Fourier transform (DFT), and ambugity, in: Finite Fields and their applications, in: Radon Ser. Comput Appl. Math. 11, vol. 141, De Gruyter, Berlin, 2013. [14] M. Goresky, A. Klapper, Arithmetic crosscorrelation of feedback with carry shift register sequences, IEEE Trans. Inf. Theory 43 (1997) 1342–1345. [15] L. Goubin, C. Mauduit, A. Sárközy, Construction of large families of pseudorandom binary sequences, J. Number Theory 106 (2004) 56–69. [16] K. Gyarmati, Measures of pseudorandomness, in: P. Charpin, et al. (Eds.), Finite Fields and Their Applications, in: Radon Series on Computational and Applied Mathematics, vol. 11, De Gruyter, 2013, pp. 43–64. [17] K. Gyarmati, On the complexity of a family related to the Legendre symbol, Period. Math. Hungar. 58 (2009) 209–215. [18] K. Gyarmati, On the complexity of a family of Legendre sequences with irreducible polynomials, Finite Fields Appl. 33 (2015) 175–186. [19] K. Gyarmati, On a family of pseudorandom binary sequences, Period. Math. Hungar. 49 (2004) 45–63. [20] K. Gyarmati, C. Mauduit, A. Sárközy, Measures of pseudorandomness of families of binary lattices, I (Definitions, a construction using quadratic characters.), Publ. Math. Debrecen 79 (3-4) (2011) 445–460. [21] K. Gyarmati, C. Mauduit, A. Sárközy, The cross-correlation measure for families of binary sequences, in: G. Larcher, F. Pillichshammer, A. Winterhof, C. Xing (Eds.), Applications of Algebra and Number Theory (Lectures on the occasion of Harald Niederreiter’s 70th Birthday), 2014, pp. 126–143. [22] K. Gyarmati, C. Mauduit, A. Sárközy, Generation of further pseudorandom binary sequences, I (Blowing up a single sequence), Unif. Distrib. Theory 10 (2015) 35–61. [23] T. Helleseth, Correlation and autocorrelation of sequences, in: G.L. Mullen, D. Panario (Eds.), Discrete Mathematics and its Application (Boca Raton), CRC Press, Boca Raton, FL, 2013, pp. 317–323. [24] J. Jedwab, D.J. Katz, K.-U. Schmidt, Advances in the merit factor problem for binary sequences, J. Combin. Theory Ser. A 120 (2013) 882–906. [25] J. Kam, G. Darida, Structured design of substitution-permutation encryption networks, IEEE Trans. Comput. 28 (1979) 747–753. [26] H. Liu, A family of pseudorandom binary sequences constructed by multiplicative inverse, Acta Arith. 130 (2007) 167–180. [27] C. Mauduit, J. Rivat, A. Sárközy, Construction of pseudorandom binary sequences using additive characters, Monatshefte Math. 141 (2004) 197–208. [28] C. Mauduit, A. Sárközy, On finite pseudorandom binary sequences, I. Measure of pseudorandomness, the Legendre symbol, Acta Arith. 82 (1997) 365–377. [29] C. Mauduit, A. Sárközy, Family complexity and VC dimension, in: H. Aydinian, et al. (Eds.), Information Theory, Combinatorics, and Search Theory, in: LNCS, vol. 7777, Springer, Heidelberg, 2013, pp. 346–363. [30] W. Meidl, A. Winterhof, Character sums and polyphase squence families with low correlation, discrete Fourier transform (DFT), and ambugity, in: G. Gong (Ed.), Finite Fields and their applications, in: Radon Ser. Comput Appl. Math. 11, vol. 141, De Gruyter, Berlin, 2013, pp. 324–336. [31] A.J. Menezes, P.C. van Oorshot, S.A. Vanstone, Handbook of applied cryptography, CRC Press, Boca Raton, 1996. [32] A. Sárközy, C.L. Stewart, On pseudorandomness in families of sequences derived from the Legendre symbol, Period. Math. Hungar. 54 (2007) 163–173. [33] V. Tóth, Collision and avalanche effect in families of pseudorandom binary sequences, Period. Math. Hungar. 55 (2007) 185–196. [34] V. Tóth, The study of collision and avalanche effect in a family of pseudorandom binary sequences, Period. Math. Hungar. 59 (2009) 1–8. [35] V. Tóth, Extension of the notion of collision and avalanche effect to sequences of k symbols, Period. Math. Hungar. 65 (2012) 229–238. [36] V.N. Vapnik, A.Y. Chervonenkis, On the uniform convergence of relative frequencies of events to their probabilities, Theory Probab. Appl. 16 (1971) 264–280. [37] A. Winterhof, O. Yayla, Family complexity and cross-correlation measure for families of binary sequences, Ramanujan J.
)
–
Contents lists available at ScienceDirect
Discrete Applied Mathematics journal homepage: www.elsevier.com/locate/dam
On pseudorandomness of families of binary sequences András Sárközy Eötvös Loránd University, Department of Algebra and Number Theory, H-1117 Budapest, Pázmány Péter sétány 1/C, Hungary
article
abstract
info
Article history: Received 18 February 2015 Received in revised form 28 July 2015 Accepted 31 July 2015 Available online xxxx Dedicated to the memory of Levon H. Khachatrian Keywords: Pseudorandom Family of binary sequences Family complexity Collision Distance minimum Avalanche effect Cross-correlation measure
In cryptography one needs large families of binary sequences with strong pseudorandom properties. In the last decades many families of this type have been constructed. However, in many applications it is not enough if our family of ‘‘good’’ sequences is large, it is more important to know that it has a rich, complex structure, and the sequences in the family are ‘‘independent’’, and they are ‘‘far apart’’. Thus various measures have been introduced and applied for studying pseudorandomness of families of binary sequences: family complexity, collision, distance minimum, avalanche effect and cross-correlation measure. In this paper a survey of all these definitions and results will be presented. © 2015 Elsevier B.V. All rights reserved.
1. The measures of pseudorandomness of binary sequences Finite binary sequences with strong pseudorandom (briefly PR) properties play a crucial role in cryptography, in particular, they can be used as key sequence in the Vernam cipher. In order to decide whether a certain sequence can be used for such a purpose one needs quantitative measures for pseudorandomness of binary sequences. A classical measure of this type is the linear complexity. However, it measures only one rather special (although important) property, and if we want to be sure that the sequence can be used securely then we also have to check other properties. Thus in 1997 Mauduit and Sárközy [28] (and later others) introduced further PR measures. Here we will need only the two most important measures of this type: Consider the binary sequence EN = (e1 , e2 , . . . , eN ) ∈ {−1, +1}N . Then the well-distribution measure of EN is defined as
t −1 W (EN ) = max ea+jb a,b,t j =0
where the maximum is taken over all a, b, t such that a, b, t ∈ N and 1 6 a < a + (t − 1)b 6 N, while the correlation measure of order k of EN is defined as
M
Ck (EN ) = max M ,D
n=1
en+d1 en+d2 . . . en+dk
E-mail address: [email protected]. http://dx.doi.org/10.1016/j.dam.2015.07.031 0166-218X/© 2015 Elsevier B.V. All rights reserved.
2
A. Sárközy / Discrete Applied Mathematics (
)
–
where the maximum is taken over all D = (d1 , d2 , . . . , dk ) and M such that 0 6 d1 < d2 < · · · < dk 6 N − M. Then the sequence EN is considered as a ‘‘good’’ PR sequence if both measures W (EN ) and Ck (EN ) (at least for small k) are ‘‘small’’ in terms of N. This terminology is justified by the fact that for a (truly) random sequence EN ∈ {−1, +1}N both W (EN ) and, for fixed k, Ck (EN ) are around N 1/2 (up to a logarithmic factor) with probability near 1 (which was proved later by Cassaigne, Mauduit and Sárközy [8], and sharpened by Alon, Kohayakawa, Mauduit, Moreira and Rödl [3]). Since that many constructions have been given for binary sequences possessing strong PR properties (in terms of these measures), and further measures of pseudorandomness of binary sequences have been introduced; a survey of all these results has been given by Gyarmati [16]. 2. The measures of pseudorandomness of families of binary sequences In many applications, e.g. in cryptography it is not enough to construct a few ‘‘good’’ PR binary sequences; one usually needs large families of them. One of the first constructions of this type was given by Goubin, Mauduit and Sárközy [15]; their construction used the Legendre symbol and polynomials, we will return to it. In the last decades many further large families of ‘‘good’’ PR binary sequences have been constructed. However, in many applications, e.g. in cryptography it is not enough to know that our family of ‘‘good’’ sequences is large; it is more important to know that the family has a rich, complex structure, and the sequences in the family are ‘‘independent’’ and they are ‘‘far apart’’ in a well-defined sense. Thus various measures have been introduced and applied for studying pseudorandomness of families of binary sequences: family complexity, collision, distance minimum, avalanche effect and cross-correlation measure. In this paper my goal is to present a survey of all these measures and their applications. It should be noted that some of these measures have been deep roots: variants of them have been used since many decades, and they are still intensively studied in certain closely related fields. Some of these fields are (I will also include a reference to an important survey paper or a paper of basic importance in the field): the cross-correlation of order 2 (see the survey papers [13] and [23]); linear complexity for ‘‘multisequences’’ (see [30]); arithmetic crosscorrelations (which started in [14]); merit factor (see [24]); Boolean functions (sequences of length N = 2n can be identified with Boolean functions; see [7] and [9]). (There are further references in the papers surveyed below.) It would be hopeless to try to overview all these fields and the related results in them. Thus here I will focus on those recent papers in which an attempt has been made to develop a comprehensive, constructive and quantitative approach to the pseudorandomness of families of binary sequences. 3. The family complexity The most important measure of pseudorandomness of families of binary sequences is, perhaps, the family complexity which was introduced in 2003 by Ahlswede, Khachatrian, Mauduit and Sárközy [1]: Definition 1. The family complexity or briefly f -complexity Γ (F ) of a family F of binary sequences EN ∈ {−1, +1}N is defined as the greatest integer j so that for any 1 6 i1 < · · · < ij 6 N and (E1 , . . . , Ej ) ∈ {−1, +1}j there is at least one sequence EN = (e1 , . . . , eN ) ∈ F which satisfies the ‘‘j-specification’’ ei1 = E1 , . . . , eij = Ej . The f complexity of F is denoted by Γ (F ). (If there is no j ∈ N with the property above, then we set Γ (F ) = 0.) It was explained in [1] in the following way why it is important to know that our family F of binary sequences constructed by the given PR generator (the so-called ‘‘key space’’) is of high f -complexity: Assume that Γ (F ) = K is a ‘‘large’’ even number, and someone tries to break the code by determining the key sequence (taken from F ). Suppose he is able to determine K /2 bits of it (at certain positions). Can he use this information? Take any other K /2 positions, and consider all the possible ±1 choices at these positions: this gives 2K /2 possibilities, and by the definition of K , each of these possibilities occurs in at least one sequence of F . Thus there are at least 2K /2 (exponentially many!) possibilities to extend the known bits into a possible key occurring in the key space, so that the attacker has to check exponentially many possibilities to find the right key! Quoting [1]: ‘‘We conclude if we can construct a family F of high f -complexity and of ‘‘good’’ PR binary sequences, then the cryptosystem based on it (as described above) has good security properties.’’ Indeed, this consideration was followed in [1] by the construction of such a family (which was a variant of the constructions of Goubin, Mauduit and Sárközy [15] mentioned earlier and of Sárközy and Stewart [32]). Theorem 1. Let p be a prime number, K ∈ N, L ∈ N and
(4K )L < p. Consider all the polynomials f (x) ∈ Fp [x] with the properties that 0 < degree f (x) 6 K and f (x) has no multiple zero in Fp .
(1)
A. Sárközy / Discrete Applied Mathematics (
)
–
3
For each of these polynomials f (x), consider the binary sequence Ep = Ep (f ) = (e1 , e2 , . . . , ep ) ∈ {−1, +1}p defined by
en =
f (n) p
...
(where
p
for (f (n), p) = 1, for p | f (n)
+1
is the Legendre symbol) and let F denote the family of all the binary sequences obtained in this way. If K is ‘‘not
very large’’ K = po(1) , then
every Ep ∈ F possesses strong PR properties
(2)
(both W (Ep ) and Ck (Ep ) for small k are small, see [1] for the exact formulas), and we also have
Γ (F ) > K .
(3)
(Note: it is easy to see by a simple counting argument that Γ (F ) < cK log p so that our upper bound (3) is sharp apart from the factor c log p.) (2) was derived from the earlier results of Goubin, Mauduit and Sárközy [15], while (3) was proved by using elementary algebra (in particular, Lagrange interpolation) and some elementary number theory. In the second half of the paper the cardinality of the smallest family achieving a prescribed f -complexity was estimated. The following result has been proved (presented here in a simplified form): Theorem 2. For K > 4 the cardinality S (N , K ) of a smallest family F ∈ {−1, +1}N with f -complexity Γ (T ) 6 K satisfies 2K 6 S (N , K ) 6 2K log
N K
2K 6 2K K log N .
The proof is based on a ‘‘covering lemma’’ of Ahlswede. In 2009 Gyarmati [17] improved on the lower bound (3) in Theorem 1: she added a factor log p to it which makes the lower bound best possible apart from the constant factor. More precisely, modify the definition of the family F in Theorem 1 by changing assumption (1) for 0 6 degree f (x) 6 K
(1′ )
(i.e., we add the constant polynomials), and denote this new family by F ′ . She proved that 1 + o(1)
K 2 log 2
log p < Γ (F ′ )
(and Γ (F ′ ) is still less than cK log p trivially); so that she determined the order of magnitude of Γ (F ′ )! This is an unexpectedly sharp, very strong result, with a very elegant and tricky proof. While we constructed sequences satisfying the given specification, she proved existence; by a tricky averaging argument involving products of linear polynomials she was able to force out the applicability of Weil’s theorem, and in this way she could also handle larger specifications. In a very recent paper Gyarmati [18] has extended her result to K values much greater in terms of N. In 2004 Gyarmati [19] studied a large family constructed by using the discrete logarithm and polynomials, while in 2008 Folláth [11] presented a construction by using finite fields of characteristic 2, their additive characters and polynomials, and they both gave good estimates for the family complexity of the family constructed by them (their estimates are sharp apart from a logarithm factor). The notion of family complexity has been extended in various directions: to sequences of k symbols (Ahlswede, Mauduit and Sárközy [2]); to binary lattices, i.e., to the multidimensional case (Gyarmati, Mauduit and Sárközy [20]); to subsets of sets (Balasubramanian, Dartyge and Mosaki [5]). The notion of VC -dimension originates in a paper of Vapnik and Chervonenkis [36], and Alon and Spencer [4, p. 243] formulate its definition in the following way: ‘‘A range space S is a pair of (X , R), where X is a (finite or infinite) set and R is a (finite or infinite) family of subsets of X . The members of X are called points and those of R are called ranges. If A is a subset of X then PR (A) = {r ∩ A : r ∈ R} is the projection of R and A. In case this projection contains all subsets of A we say that A is shattered. The Vapnik–Chervonenkis dimension (or VC-dimension) of S, denoted by VC (S ), is the maximum cardinality of a shattered subset of X . If there are arbitrarily large shattered subsets then VC (S ) = ∞’’. Answering a question of Csiszár and Gách, Mauduit and Sárközy [29] studied the connection between family complexity and VC-dimension.
4
A. Sárközy / Discrete Applied Mathematics (
)
–
4. Collision, distance minimum, avalanche effect Collision and avalanche effect are the most classical notions related to pseudorandomness of families of binary sequences; they appear, e.g., in [6,10,25] and [31]. In order to introduce these notions here I will use the presentation of Tóth [33]. Let N ∈ N, S be a given set (e.g., a set of certain polynomials or {−1, +1}M with M much smaller than N) called parameter set, and for each s ∈ S assign a unique binary sequence EN = EN (s) = (e1 , e2 , . . . , eN ) ∈ {−1, +1}N . Denote the family of the binary sequences EN (s) obtained in this way by F = F (S ):
F = F (S ) = EN (s) : s ∈ S .
(4)
Definition 2. If s ∈ S , s′ ∈ S , s ̸= s′ and EN (s) = EN (s′ ),
(5)
then (5) is said to be a collision in F = F (S ). If there is no collision in F , then it is said to be collision free. A ‘‘good’’ family of PR binary sequences is expected to be collision free. Definition 3. If F is a family of form (4) and for any s ∈ S changing s for any s′ ∈ S , s′ ̸= s changes ‘‘many’’ elements (i.e. for s ̸= s′ ‘‘many’’ elements of EN (s) and EN (s′ ) in the same positions are different), then we speak about avalanche effect, and we say that F possesses the avalanche property. If for any s, s′ ∈ S , s ̸= s′ at least 21 − o(1) N elements of EN (s) and EN (s′ ) are different, then F is said to have the strict avalanche property. Definition 4. If N ∈ N, EN = (e1 , e2 , . . . , eN ) ∈ {−1, +1}N and EN ′ = e1 ′ , e2 ′ , . . . , eN ′ ∈ {−1, +1}N , then the distance d(EN , EN ′ ) between EN and EN ′ is defined by
d EN , EN ′ = n : 1 6 n 6 N , en ̸= en ′
(i.e., d(EN , EN ′ ) is the Hamming distance between the two sequences). The distance minimum m(F ) of the family (4) is defined by m(F ) = min d EN (s), EN (s′ ) .
s,s′ ∈S s̸=s′
Then clearly, F in (4) is collision free if and only if m(F ) > 0, and it possesses the strict avalanche property if m(F ) >
1 2
− o(1) N .
Definitions 2–4 can be extended easily to the case when no parameter set is given. In two papers Tóth [33,34] studied two families of binary sequences. In the first paper she proved the following theorem: Theorem 3. Let S be the set of the polynomials f (x) ∈ Fp [x] of degree D > 2 which do not have multiple zeros. Define Ep = Ep (f ) = (e1 , e2 , . . . , ep ) by en =
f (n) p +1
if (f (n), p) = 1, if p | f (n)
(as in Theorem 1) and F = F (S ) by
F = F (S ) = Ep (f ) : f ∈ S .
Then we have m(F ) >
1 p − (2D − 1)p1/2 − 2D . 2 p1/2 , 2
It follows from this result that if D < F possesses the strict avalanche property.
then m(F ) > 0 so that F is collision free, and if p → ∞ and D = o(p1/2 ), then
In the second paper she constructed a family by using polynomials over Fp and additive characters, and showed that there are many collisions in this family (studied in [27]), however, it possesses a large subset which is collision free. Folláth [12] studied the notions introduced in Definitions 2–4 in a variant of his construction based on finite fields of characteristic 2 and their additive characters which was mentioned in Section 3. Liu [26] studied collisions and avalanche effect in another family of pseudorandom binary sequences. The notions of collision and avalanche effect can be extended easily to sequences of k symbols (k-ary sequences). Tóth [35] studied these notions in such a family of sequences introduced by Ahlswede, Mauduit and Sárközy in [2].
A. Sárközy / Discrete Applied Mathematics (
)
–
5
5. The cross-correlation measure In [21] Gyarmati, Mauduit and Sárközy introduced a new measure of pseudorandomness of families of binary sequences called cross-correlation measure. Recall that in order to measure the pseudorandomness of a single binary sequence EN we used the correlation of order k, i.e. Ck (EN ) which compares the different elements of the given sequence; this is an autocorrelation type quantity. In order to study a family of sequences it is natural to compare elements of different sequences taken from the family, i.e., to consider a cross-correlation type quantity involving different sequences. Thus the following definition was proposed in [21]: Definition 5. Let F be a family of binary sequences of length N given in parametric form:
F = F (S ) = EN (s) : s ∈ S .
(1)
(1)
(k)
(k)
Let N ∈ N, k ∈ N, and for any k binary sequences EN = EN (s1 ), . . . , EN = EN (sk ) with (i)
(i)
(i)
EN = e1 , . . . , eN
∈ {−1, +1}N (for i = 1, 2, . . . , k)
and any M ∈ N and k-tuple D = (d1 , . . . , dk ) of non-negative integers with 0 6 d1 6 . . . 6 dk < M + dk 6 N ,
(6)
write
(k)
(1)
Vk EN , . . . , EN , M , D =
M
(k)
(1)
en+d1 . . . en+dk .
n=1
Let
(k) (1) = max Vk EN(1) , . . . , EN(k) , M , D Ck EN , . . . , EN M ,D
where the maximum is taken over all D = (d1 , . . . , dk ) and M 6 N satisfying (6) with the additional restriction that if (j) (j) (i) (i) for some i ̸= j we have si = sj (thus also EN = EN (si ) = EN (sj ) = EN ), then we must not have di = dj . Then the cross-correlation measure of order k of the family F is defined as
(k) (1) Φk (F ) = max Ck EN , . . . , EN
(1)
(k)
where the maximum is taken over all k-tuples EN , . . . , EN
(i)
with EN for i = 1, 2, . . . , k.
Then by the definition of Ck clearly we have Ck (EN , . . . , EN ) = Ck (EN ), thus by the definition of Φk (F ) we have
(1) (k) Φk (F ) = max Ck EN , . . . , EN > max Ck (EN , . . . , EN ) = max Ck (EN ) EN ∈F
EN ∈F
so that we have proved Proposition 1. We have
Φk (F ) > max Ck (EN ). EN ∈F
Thus if Φk (F ) is small for all small k’s, then Ck (EN ) also must be small for all the single sequences EN ∈ F , and then W (EN ) is also small by the inequality W (EN ) 6 NC2 (EN )
1/2
(proved by Cassaigne, Mauduit and Sárközy [8]). Thus the fact that Φk (F ) is small (for all small k) implies that F consists of sequences possessing strong PR properties. We also showed that Proposition 2. If N ∈ N and EN = (e1 , . . . , eN ) ∈ F , EN ̸= EN′ = (e′1 , . . . , e′N ) ∈ F , F ∈ {−1, +1}N , then we have
1 d(EN , E ′ ) − N 6 1 C2 (EN , EN′ ) 6 Φ2 (F ). N 2 2 2
6
A. Sárközy / Discrete Applied Mathematics (
)
–
It follows from this that Proposition 3. If N ∈ N, F ⊂ {−1, +1}N and
Φ2 (F ) = o(N ), then the family F possesses the strict avalanche property. Probably fora random familyF of binary sequences of length N with fixed |F | = k = exp o(N ) the cross-correlation Φk (F ) is small ≪ N 1/2 (log N )c ; this is unproved yet. (Mérai is working on this problem.) Next we studied the connection between the family complexity Γ (F ) and the cross-correlations Φk (F ). It was shown by two examples that they are independent: it may occur that for a family F the family complexity Γ (F ) is ‘‘good’’ (large) but Φk (F ) is ‘‘bad’’ (it is also large), and reversely, it is possible that Φk (F ) is ‘‘good’’ (small) but Γ (F ) is ‘‘bad’’ (it is also small) so that both Γ (F ) and Φk (F ) have to be studied. Finally, in [21] two Goubin–Mauduit–Sárközy [15] type families were considered and it was shown that their cross-correlations are small: Theorem 4. Let d ∈ N, p be a prime, d < p, consider all the irreducible polynomials f (x) ∈ Fp [x] of the form f (x) = xd + a2 xd−2 + a3 xd−3 + · · · + ad , and let F1 denote the family of the binary sequences Ep = Ep (f ) = (e1 , . . . , ep ) assigned to these polynomials f by the formula
en =
f (n) p +1
for (f (n), p) = 1, for p | f (n)
(for n = 1, 2, . . . , p).
(7)
Then we have
(i) Φk (F1 ) < 10kdp1/2 log p for all k ∈ N, 1 < k < p and
(ii) if d < p1/2 /20 log p, then F1 > p[d/3]−1 . This theorem gives ‘‘good’’ (small) upper bound for Φk , and the size of the family is also ‘‘good’’ (large). However, this theorem also has a weakness: no good algorithm is known for constructing ‘‘many’’ irreducible polynomials over Fp . Consequently, this theorem proves only existence but it does not give a real construction. Thus there was another theorem of more constructive type proved in [21] on a variant of the family constructed by Sárközy and Stewart in [32]: Theorem 5. Let d ∈ N, d odd, d < p, and consider all the polynomials f (x) ∈ Fp [x] of the form f (x) = (x − x1 )(x − x2 ) . . . (x − xd ) where x1 , x2 , . . . , xd are distinct elements of Fp , and x1 + x2 + · · · + xd = 0. Let F2 denote the family of the binary sequences Ep = Ep (f ) assigned to these polynomials by (7) (as in Theorem 4). Then we have
(i) Φk (F2 ) < 10kdp1/2 log p if k = 2 or k is odd, and
1 . (ii) F2 = 1d pd− −1 In [22] Gyarmati, Mauduit and Sárközy started out from the assumption that a binary sequence is given with strong PR properties, and they presented an algorithm which prepares many further binary sequences from the given one. They showed that if certain conditions hold, then each of the sequences obtained in this way also possesses strong PR properties. Moreover, they also proved that under appropriate conditions the family complexity of the large family obtained in this way is large. On the other hand, they presented examples showing that the cross-correlation of the family constructed can be large. It is a challenging problem to find large families with both small crosscorrelation (up to possibly large order) and large f -complexity. A partial result was proved in this direction in a very recent paper by Winterhof and Yayla [37]: they estimated the family complexity of a family of binary sequences in terms of the cross-correlation measure of its dual family, and they applied this result to show that a certain family (not very large in terms of the length of the sequences) has both a large family complexity and a small cross-correlation measure up to a rather large order.
A. Sárközy / Discrete Applied Mathematics (
)
–
7
Acknowledgments The author would like to thank the anonymous referee for a number of interesting comments and important references which are incorporated in this final form of the paper. Research partially supported by Hungarian National Foundation for Scientific Research, Grants No. K100291 and NK104183. References [1] R. Ahlswede, L.H. Khachatrian, C. Mauduit, A. Sárközy, A complexity measure for families of binary sequences, Period. Math. Hungar. 46 (2003) 107–118. [2] R. Ahlswede, C. Mauduit, A. Sárközy, Large families of pseudorandom sequences of k symbols and their complexity, I–II, in: R. Ahlswede, et al. (Eds.), General Theory of Information Transfer and Combinatorics, in: LNCS, vol. 4123, Springer, Berlin, 2006, pp. 293–307 and 308–325. [3] N. Alon, Y. Kohayakawa, C. Mauduit, C.G. Moreira, V. Rödl, Measures of pseudorandomness for finite sequences: Typical values, Proc. Lond. Math. Soc. 95 (2007) 778–812. [4] N. Alon, J.H. Spencer, The Probabilistic Method, third ed., Wiley, Hoboken, 2008. [5] R. Balasubramanian, C. Dartyge, E. Mosaki, Sur la complexité de familles d’ensembles pseudo-aléatoires, arXiv:1302.4622v1 [math.NT]. [6] A. Bérczes, J. Ködmön, A. Pethő, A one-way function based on norm form equations, Period. Math. Hungar. 49 (2004) 1–13. [7] C. Carlet, in: Y. Crama, P.L. Hammer (Eds.), Boolean Functions for Cryptography and Error Correcting Codes, chapter of the monograpy Boolean Models and Methods in Mathematics, Computer Science and Engineering, Cambridge University Press, 2010, pp. 257–397. [8] J. Cassaigne, C. Mauduit, A. Sárközy, On finite pseudorandom binary sequences VII: The measures of pseudorandomness, Acta Arith. 103 (2002) 97–118. [9] T.W. Cusick, P. Stănică, Cryptographic Boolean functions and applications, Elsevier/Academic Press, Amsterdam, 2009. [10] H. Feistel, W.A. Notz, J.L. Smith, Some cryptographic techniques for machine-to-machine data communications, Proc. IEEE 63 (1975) 1545–1554. [11] J. Folláth, Construction of pseudorandom binary sequences using additive characters over GF (2k ), Period. Math. Hungar. 57 (2008) 73–81. [12] J. Folláth, Construction of pseudorandom binary sequences using additive characters over GF (2k ), II, Period. Math. Hungar. 60 (2010) 127–135. [13] G. Gong, Character sums and polyphase sequence families with low correlation, discrete Fourier transform (DFT), and ambugity, in: Finite Fields and their applications, in: Radon Ser. Comput Appl. Math. 11, vol. 141, De Gruyter, Berlin, 2013. [14] M. Goresky, A. Klapper, Arithmetic crosscorrelation of feedback with carry shift register sequences, IEEE Trans. Inf. Theory 43 (1997) 1342–1345. [15] L. Goubin, C. Mauduit, A. Sárközy, Construction of large families of pseudorandom binary sequences, J. Number Theory 106 (2004) 56–69. [16] K. Gyarmati, Measures of pseudorandomness, in: P. Charpin, et al. (Eds.), Finite Fields and Their Applications, in: Radon Series on Computational and Applied Mathematics, vol. 11, De Gruyter, 2013, pp. 43–64. [17] K. Gyarmati, On the complexity of a family related to the Legendre symbol, Period. Math. Hungar. 58 (2009) 209–215. [18] K. Gyarmati, On the complexity of a family of Legendre sequences with irreducible polynomials, Finite Fields Appl. 33 (2015) 175–186. [19] K. Gyarmati, On a family of pseudorandom binary sequences, Period. Math. Hungar. 49 (2004) 45–63. [20] K. Gyarmati, C. Mauduit, A. Sárközy, Measures of pseudorandomness of families of binary lattices, I (Definitions, a construction using quadratic characters.), Publ. Math. Debrecen 79 (3-4) (2011) 445–460. [21] K. Gyarmati, C. Mauduit, A. Sárközy, The cross-correlation measure for families of binary sequences, in: G. Larcher, F. Pillichshammer, A. Winterhof, C. Xing (Eds.), Applications of Algebra and Number Theory (Lectures on the occasion of Harald Niederreiter’s 70th Birthday), 2014, pp. 126–143. [22] K. Gyarmati, C. Mauduit, A. Sárközy, Generation of further pseudorandom binary sequences, I (Blowing up a single sequence), Unif. Distrib. Theory 10 (2015) 35–61. [23] T. Helleseth, Correlation and autocorrelation of sequences, in: G.L. Mullen, D. Panario (Eds.), Discrete Mathematics and its Application (Boca Raton), CRC Press, Boca Raton, FL, 2013, pp. 317–323. [24] J. Jedwab, D.J. Katz, K.-U. Schmidt, Advances in the merit factor problem for binary sequences, J. Combin. Theory Ser. A 120 (2013) 882–906. [25] J. Kam, G. Darida, Structured design of substitution-permutation encryption networks, IEEE Trans. Comput. 28 (1979) 747–753. [26] H. Liu, A family of pseudorandom binary sequences constructed by multiplicative inverse, Acta Arith. 130 (2007) 167–180. [27] C. Mauduit, J. Rivat, A. Sárközy, Construction of pseudorandom binary sequences using additive characters, Monatshefte Math. 141 (2004) 197–208. [28] C. Mauduit, A. Sárközy, On finite pseudorandom binary sequences, I. Measure of pseudorandomness, the Legendre symbol, Acta Arith. 82 (1997) 365–377. [29] C. Mauduit, A. Sárközy, Family complexity and VC dimension, in: H. Aydinian, et al. (Eds.), Information Theory, Combinatorics, and Search Theory, in: LNCS, vol. 7777, Springer, Heidelberg, 2013, pp. 346–363. [30] W. Meidl, A. Winterhof, Character sums and polyphase squence families with low correlation, discrete Fourier transform (DFT), and ambugity, in: G. Gong (Ed.), Finite Fields and their applications, in: Radon Ser. Comput Appl. Math. 11, vol. 141, De Gruyter, Berlin, 2013, pp. 324–336. [31] A.J. Menezes, P.C. van Oorshot, S.A. Vanstone, Handbook of applied cryptography, CRC Press, Boca Raton, 1996. [32] A. Sárközy, C.L. Stewart, On pseudorandomness in families of sequences derived from the Legendre symbol, Period. Math. Hungar. 54 (2007) 163–173. [33] V. Tóth, Collision and avalanche effect in families of pseudorandom binary sequences, Period. Math. Hungar. 55 (2007) 185–196. [34] V. Tóth, The study of collision and avalanche effect in a family of pseudorandom binary sequences, Period. Math. Hungar. 59 (2009) 1–8. [35] V. Tóth, Extension of the notion of collision and avalanche effect to sequences of k symbols, Period. Math. Hungar. 65 (2012) 229–238. [36] V.N. Vapnik, A.Y. Chervonenkis, On the uniform convergence of relative frequencies of events to their probabilities, Theory Probab. Appl. 16 (1971) 264–280. [37] A. Winterhof, O. Yayla, Family complexity and cross-correlation measure for families of binary sequences, Ramanujan J.