On the linear complexity profile of explicit nonlinear pseudorandom numbers

On the linear complexity profile of explicit nonlinear pseudorandom numbers

Information Processing Letters 85 (2003) 13–18 www.elsevier.com/locate/ipl On the linear complexity profile of explicit nonlinear pseudorandom number...
Download PDF
95KB Sizes 1 Downloads 82 Views
Report

Information Processing Letters 85 (2003) 13–18 www.elsevier.com/locate/ipl

On the linear complexity profile of explicit nonlinear pseudorandom numbers Wilfried Meidl, Arne Winterhof ∗ Institute of Discrete Mathematics, Austrian Academy of Sciences, Sonnenfelsgasse 19, 1010 Vienna, Austria Received 31 January 2002; received in revised form 24 May 2002 Communicated by H. Ganzinger

Abstract Bounds on the linear complexity profile of a general explicit nonlinear pseudorandom number generator are obtained. For some special explicit nonlinear generators including the explicit inversive generator these results are improved.  2002 Elsevier Science B.V. All rights reserved. Keywords: Linear complexity profile; Explicit nonlinear pseudorandom number generator; Explicit inversive generator; Computational complexity; Cryptography

1. Introduction The linear complexity profile L(S, N) (over the finite field Fq ) of an infinite sequence S = (σn )∞ n=0 of elements of Fq is the function which for every integer N  2 is defined as the least order L of a linear recurrence relation over Fq σn+L = γL−1 σn+L−1 + · · · + γ0 σn , 0  n  N −L−1, which is satisfied by this sequence, with the convention that L(S, N) = 0 if the first N terms of S are all 0 and L(S, N) = N if σ0 = σ1 = · · · = σN−2 = 0 and σN−1 = 0. The value L(S) = sup L(S, N) N1

* Corresponding author.

is called the linear complexity of the sequence S. For the linear complexity of any periodic sequence of period t one easily verifies that L(S) = L(S, 2t)  t. The linear complexity and the linear complexity profile are important cryptographic characteristics of sequences (see the surveys in [2,12,15,21]). A low linear complexity of a generator has turned out to be undesirable for more traditional applications in Monte Carlo methods as well (see the surveys in [4,13,14,16,17]). Recently, lower bounds on the linear complexity profile of recursively defined nonlinear generators, i.e., σn+1 = f (σn ),

n = 0, 1, . . . ,

with a nonlinear polynomial f (X) ∈ Fq [X] and some initial value σ0 ∈ Fg , have been obtained by Gutierrez, Shparlinski, and the second author [6]. In the present paper we consider explicit nonlinear generators. Ini-

0020-0190/02/$ – see front matter  2002 Elsevier Science B.V. All rights reserved. PII: S 0 0 2 0 - 0 1 9 0 ( 0 2 ) 0 0 3 3 5 - 6

14

W. Meidl, A. Winterhof / Information Processing Letters 85 (2003) 13–18

tially, these generators were defined as p-periodic sequences Y = (yn )∞ n=0 over a finite prime field Fp , i.e., yn = f (n), n = 0, . . . , p − 1, yn+p = yn , n  0, where f (X) is a nonlinear polynomial over Fp of degree at most p − 1. In this case they belong to the family of nonlinear congruential generators (cf. [13, Chapter 8]). In Section 2 we prove   L(Y, N)  min N − deg(f ), deg(f ) + 1 (1) and in Section 3 we improve this result for some special generators including explicit inversive generators Z = (zn )∞ n=0 introduced in [3], zn = (an + b)p−2 , n = 0, . . . , p − 1, n  0, zn+p = zn ,

(2)

with a, b ∈ Fp , a = 0, and p  5. In particular we show   (N − 1)/3, 2  N  (3p − 7)/2, L(Z, N)  N − p + 2, (3p − 5)/2  N  2p − 3,  p − 1, N  2p − 2. (3) More recently, explicit nonlinear generators over an arbitrary finite field Fq , q = pr , r  2, were defined (see [18,19]) as the q-periodic sequences Y = (ηn )∞ n=0 , ηn = f (ξn ) ηn+q = ηn ,

for n = 0, 1, . . . , q − 1, n  0,

(4)

where f (X) ∈ Fg [X] with 2  deg(f ) < q and for some fixed basis {β1 , . . . , βr } of Fq over Fp ξn = n1 β1 + n2 β2 + · · · + nr βr if n = n1 + n2 p + · · · + nr pr−1 , 0  ni < p, i = 1, 2, . . . , r. In this case they belong to the family of digital nonlinear generators. We will also prove analogs of (1) and (3) for this family of generators. The results of this paper provide evidence that nonlinear generators are attractive alternatives to linear generators. In particular the inversive generators seem to be especially suited for applications in Monte Carlo methods.

2. Results on general nonlinear generators To obtain the main result of this section we utilize the following two lemmas. For a proof of the first lemma see [7, Theorem 6.7.4], [9], or [20]. The second lemma was proven by the authors [11] (cf. [1, Theorem 8]). Lemma 1. If L(S, N) > N/2 then L(S, N + 1) = L(S, N). If L(S, N)  N/2, then L(S, N + 1) = L(S, N) or L(S, N + 1) = N + 1 − L(S, N). Lemma 2. Let Fq be a finite field of characteristic p, f (X) ∈ Fq [X] be a polynomial of degree 1  D  q − 1, and let Y be the sequence defined by (4). Then we have p q (D + 1 + p − q)  L(Y )  (D + 1) + q − p. p q Theorem 3. The linear complexity profile of a sequence Y = (ηn )∞ n=0 produced by an explicit nonlinear digital generator (4) with a polynomial f (X) ∈ Fq [X] of degree 1  D  q − 1 satisfies  p min N + 1 − (D + 1) − q + p, q  q (D + 1 + p − q) p   p  L(Y, N)  min N, (D + 1) + q − p . q Proof. The upper bound follows immediately by Lemma 2. Since otherwise the lower bound is trivial we may suppose that L(Y, N) < (D + 1 + p − q)q/p. Then due to Lemma 2 there exists an integer k  1 such that L(Y, N) = L(Y, N + 1) = · · · = L(Y, N + k − 1) < L(Y, N + k)  L(Y ) and Lemma 1 yields L(Y, N + k) = N + k − L(Y, N). If L(Y, N) < N + 1 − (D + 1)p/q − q + p, then L(Y )  L(Y, N + k)   p > N + k − N + 1 − (D + 1) − q + p q p  (D + 1) + q − p q which is a contradiction to Lemma 2. ✷

W. Meidl, A. Winterhof / Information Processing Letters 85 (2003) 13–18

In the case of an explicit nonlinear digital generator for small N or small D Theorem 3 yields just the trivial lower bound. Employing a different method we also obtain nontrivial results for many small N and D, respectively.

for 0  i < r,

and suppose that for some integers m  0 and 0  s < r we have Dm = Dm+1 = · · · = Dm+s−1 = p − 1, where the indices are considered modulo r. Then for N > D the linear complexity profile of a sequence Y = (ηn )∞ n=0 produced by an explicit nonlinear digital generator (4) with a polynomial f (X) ∈ Fq [X] of degree 1  D  q − 1 satisfies  L(Y, N)  min N/(4D) + 1,  q/(2D), ps (Dm+s + 1) . Proof. Since L(Y, N) = L(Y, 2q) for N  2q we may assume that N  2q. Since f (X) has at most D zeros and N > D we have L(Y, N)  1. Suppose that Y fulfills the recurrence relation ηn+L = γL−1 ηn+L−1 + · · · + γ0 ηn , 0  n  N − L − 1,

Nv pv  N < (Nv + 1)pv Ll

 L < (Ll

Since yields

pl

and

+ 1)pl .

LN <

pv+1

L 

γl f (X + ξl ),

γL = −1,

has at least Nv (p − Ll )pv−l−1 distinct zeros if N < 2q, namely ξk with k = kl pl + kl+1 pl+1 + · · · + kv−1 pv−1 + kv pv , where 0  kl+1 , . . . , kv−1 < p, 0  kl < p − Ll , and 0  kv  Nv − 1 (for those k we have ξk+t = ξk + ξt for all 0  t  L), and (p − Ll )pr−l−1 zeros if N = 2q. If l = v, then the polynomial F (X) has at least Nv − Ll zeros. First we consider the case that F (X) ≡ 0. If l < v and N < 2q, then we have D  Nv (p − Ll )pv−l−1 Nv (p − Ll )Ll N > (Nv + 1)Lp N (p − 1)N  .  2pL 4L If l < v and N = 2q, then we have D  (p − Ll )pr−l−1  q/(2L). If l = v and D  (Nv + 1)/4, then we have L  pv > N/(Nv + 1)  N/(4D). If l = v and D < (Nv + 1)/4, then we have Ll  Nv − D > Nv − (Nv + 1)/4  Nv /2. Thus N Nv v N p   . 2 4 4D Finally we have to consider the case that F (X) ≡ 0. d Let f (X) = D d=0 αd X , then with

D D   d  d−j Xj ξ f (X + ξl ) = αd j l j =0

we get we have l  v, which

N − L − 1  Nv pv − (Ll + 1)pl  v v l+1  (Nv − 1)p + p − p l = + (p − 1 − Ll )p , if l < v,  if l = v, (Nv − 1 − Ll )pl , and

Consequently, if l < v then the polynomial

L>

which is equivalent to f (ξn+L ) = γL−1 f (ξn+L−1 ) + · · · + γ0 f (ξn ) for 0  n  N − L − 1. Let v, l and 1  Nv , Ll < p be the integers defined by pl

= Ll pl + (p − 1)(pl−1 + · · · + 1).

l=0

1  D = D0 + D1 p + · · · + Dr−1 pr−1 , 0  Di < p

L  (Ll + 1)pl − 1

F (X) :=

Theorem 4. Let

15

F (X) =

D D   j =0

d=j

d=j

  L d d−j αd γl ξl Xj ≡ 0 j l=0

and thus SD−j :=

D 

αd

d=j

0  j  D.

  L d d−j γl ξl = 0, j l=0

16

W. Meidl, A. Winterhof / Information Processing Letters 85 (2003) 13–18

Now we define recursively, T0 := S0 and −1 Tj := Sj − αD

j −1 

only homogeneous linear polynomials. In general we have L(S, N)  NL1 (S, N)  NL2 (S, N)  · · · . We present the following results in this general context.

αD−j +k

k=0 (Dk)≡0 mod p



×

D−j +k k



D k

−1 Tk ,

1  j  D.

  L j For all 0  j  D we get Tj = aD Dj l=0 γl ξl = 0. Thus we have   L  D j γl ξl = 0 for all j with ≡ 0 mod p. (5) j l=0

If j = j0 + j1 p + · · · + jr−1 pr−1 , 0  ji < p, then by Lucas’ congruence (cf. [5,8,10]) we have        D D0 D1 Dr−1 ≡ ··· mod p, j j0 j1 jr−1   and thus Dj ≡ 0 mod p if and only if ji  Di for 0  i < r. The hypothesis   Dm = Dm+1 = · · · = Dm+s−1 = p − 1, yields jpDm ≡ 0 mod p for j = 0, . . . , ps (Dm+s + 1) − 1. If L  ps (Dm+s + 1) − 1, pm then the matrix ((ξl )j )l,j , 0  l, j  L, is an invertible Vandermonde matrix and thus we had γl = 0 for 0  l  L by (5), which contradicts γL = −1. ✷ Remark. If we do not restrict ourselves to the case N > D, then we also might have L(Y, N) = 0. For instance if f (X) = X(X − ξ1 ) · · · · · (X − ξD−1 ) then we have L(Y, N) = 0 for all N with N  D.

Theorem 5. Let f (X) ∈ Fp [X] be a polynomial of degree D, suppose that 1  b  D is the number of zeros of f (X), and let Y = (yn )∞ n=0 be the sequence defined by yn = f (n)k , k = p − 1 − c, c  1. Then we have   N − b − cD p − b − cD , NLm (Y, N)  min cDm + b + 1 cDm + b and

 L(Y, N)  min

Proof. Suppose that for n = 0, 1, . . . , N − L − 1, the sequence Y satisfies the recurrence relation yn+L = Ψ (yn+L−1 , . . . , yn ),

0  n  N − L − 1, (6)

with a polynomial Ψ (X1 , . . . , XL ) over Fp of total degree at most m. We may assume that L  p/b − 1. For every zero z of f (X) exactly L + 1 different n do not fulfill the property f (n + t) = 0 for all 0  t  L. Thus at least min(p, N − L) − b(L + 1) integers n fulfill 0  n  min(N − L, p) − 1 and f (n + t) = 0 for all 0  t  L. For those integers (6) is equivalent L − 1)−c , . . . , f (n)−c ). to f (n + L)−c = Ψ (f (n + c cm yields Multiplying with f (n + L) L−1 i=0 f (n + i) L−1

f (n + i)cm

i=0

3. Results on special nonlinear generators

 p−b N −b , . cD + b + 1 cD + b

= f (n + L)c

L−1

f (n + i)cm

i=0

  × Ψ f (n + L − 1)−c , . . . , f (n)−c

We recall that the nonlinear complexity profile NLm (S, N) of order m of an infinite sequence S = (σn )∞ n=0 of elements of Fq is the function which for every integer N  2 is defined as the least order L of a polynomial recurrence relation

for all n with 0  n  N − L − 1 and f (n + t) = 0 for all 0  t  L. Hence the polynomial

σn+L = Ψ (σn+L−1 , . . . , σn ),

F (X) := −

0  n  N − L − 1,

with a polynomial Ψ (X1 , . . . , XL ) over Fq of total degree at most m, which is satisfied by the sequence. Note, that NL1 (S, N) = L(S, N) is possible because in the definition of L(S, N) one can use

L−1

f (X + i)cm

i=0

+ f (X + L)c

L−1

i=0

f (X + i)cm

  × Ψ f (X + L − 1)−c , . . . , f (X)−c

W. Meidl, A. Winterhof / Information Processing Letters 85 (2003) 13–18

of degree at most LcDm + cD has at least min(p, N − L) − b(L + 1) zeros. If we demand that the polynomial Ψ has no constant term as in the case of the linear complexity, then F (X) has degree at most LcDm. Suppose that z0 is a zero of f (X) such that f (z0 − t) = 0 for 0 < t  L. (Since L  p/b − 1 the existence of z0 is guaranteed.) Then F (z0 − L) = − L f (z 0 − t) = 0 yields F (X) ≡ 0 t =1 and min(p, N − L) − b(L + 1)  LcDm + cD or min(p, N − L) − b(L + 1)  LcD, respectively, in the case of the linear complexity, which yields the assertions of the theorem. ✷ Corollary 6. Let Z be a sequence produced by an inversive generator (2). Then Z satisfies   N −2 p−2 , NLm (Z, N)  min m+2 m+1 and



 N −1 p−1 L(Z, N)  min , . 3 2 Remark. Lemma 1 yields also an upper bound on the linear complexity profile,   p−1 2N + 2 . ,N − L(Z, N)  max 3 2 For N  (3p −5)/2 Theorem 3 yields stronger bounds and we get (3). Finally we prove a similar result for special digital nonlinear generators including the digital explicit inversive generator introduced by Niederreiter and the second author [18]. Theorem 7. Let f (X) ∈ Fq [X] be a polynomial of degree D  1 with exactly one zero ρ ∈ Fq and Y = k (ηn )∞ n=0 be the sequence defined by ηn = f (ξn ) , k = q − 1 − c, c  1. Then Y satisfies 

 N + 1, NLm (Y, N)  min 8(cDm + 1)   q . 4(cDm + 1) Proof. We proceed as in the previous proofs and may assume that N  2q. Suppose that Y satisfies the

17

recurrence relation ηn+L = Ψ (ηn+L−1 , . . . , ηn ), 0  n  N − L − 1, with a polynomial Ψ (X1 , . . . , XL ) over Fq of total degree at most m. Then the polynomial F (X) := −

L−1

f (X + ξi )cm

i=0

+ f (X + ξL )c

L−1

f (X + ξi )cm

i=0

  × Ψ f (X + ξL−1 )−c , . . . , f (X)−c of degree at most LcDm + cD  2LcDm has at least T zeros, where T is the number of 0  n  N − L − 1 with ξn+t = ξn + ξt and ξn+t = ρ for all 0cm t  L. Since F (ρ − ξL ) = − L−1 = 0 we i=0 f (ρ − ξL + ξi ) have T  2LcDm. Let v, l and 1  Nv , Ll < p be the integers defined by Nv pv  N < (Nv + 1)pv and Ll pl  L <√(Ll + 1)pl . If l = v  1 then we have L  pv > N . If l = v = 0 then we have T  N − L − L − 1  N − 3L. If l < v and N < 2q then T  Nv (p − Ll )pv−l−1 − L − 1 > N/(4L) − 2L. If l < v and N = 2q then T  (p − Ll )pr−l−1 − L − 1  q/(2L) − 2L. Simple calculations yield the result. ✷

Acknowledgements The work was partially supported by the Austrian Science Fund (FWF) under the project S8306-MAT.

References [1] S.R. Blackburn, T. Etzion, K.G. Paterson, Permutation polynomials, de Bruijn sequences, and linear complexity, J. Comb. Theory A 76 (1996) 55–82. [2] T.W. Cusick, C. Ding, A. Renvall, Stream Ciphers and Number Theory, North-Holland, Amsterdam, 1998. [3] J. Eichenauer-Herrmann, Statistical independence of a new class of inversive congruential pseudorandom numbers, Math. Comp. 60 (1993) 375–384. [4] J. Eichenauer-Herrmann, E. Herrmann, S. Wegenkittl, A survey of quadratic and inversive congruential pseudorandom numbers, in: Monte Carlo and Quasi-Monte Carlo Methods, Salzburg, 1996, Lecture Notes in Statistics, Vol. 127, Springer, New York, 1998, pp. 66–97. [5] A. Granville, Arithmetic properties of binomial coefficients. I. Binomial coefficients modulo prime powers, in: Organic Mathematics, Burnaby, BC, 1995, CMS Conf. Proc., Vol. 20, Amer. Mathematical Society, Providence, RI, 1997, pp. 253–276.

18

W. Meidl, A. Winterhof / Information Processing Letters 85 (2003) 13–18

[6] J. Gutierrez, I. Shparlinski, A. Winterhof, On the linear and nonlinear complexity profile of nonlinear pseudorandom number generators, IEEE Trans. Inform. Theory, to appear. [7] D. Jungnickel, Finite Fields: Structure and Arithmetics, Bibliographisches Institut, Mannheim, 1993. [8] M.E. Lucas, Sur les congruences des nombres euleriennes et des coefficients différentiels des functions trigonométriques, suivant un-module premier, Bull. Soc. Math. France 6 (1878) 49–54. [9] J.L. Massey, Shift-register synthesis and BCH decoding, IEEE Trans. Inform. Theory 15 (1969) 122–127. [10] R.J. Mclntosh, A generalization of a congruential property of Lucas, Amer. Math. Monthly 99 (1992) 231–238. [11] W. Meidl, A. Winterhof, Linear complexity and polynomial degree of a function over a finite field, finite fields and applications, in: Proceedings of the 6th International Conference, Oaxaca, Mexico, 2001. [12] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1997. [13] H. Niederreiter, Random Number Generation and QuasiMonte Carlo Methods, SIAM, Philadelphia, 1992. [14] H. Niederreiter, New developments in uniform pseudorandom number and vector generation, in: Monte Carlo and QuasiMonte Carlo Methods in Scientific Computing, Las Vegas, NV, 1994, Lecture Notes in Statistics, Vol. 106, Springer, New York, 1995, pp. 87–120.

[15] H. Niederreiter, Some computable complexity measures for binary sequences, in: C. Ding, T. Helleseth, H. Niederreiter (Eds.), Sequences and Their Applications, Springer, London, 1999, pp. 67–78. [16] H. Niederreiter, Design and analysis of nonlinear pseudorandom number generators, in: Monte Carlo Simulation, Balkema, Rotterdam, 2001, pp. 3–9. [17] H. Niederreiter, I.E. Shparlinski, Recent advances in the theory of nonlinear pseudorandom number generators, in: K.-T. Fang, F.J. Hickernell, H. Niederreiter (Eds.), Monte Carlo and QuasiMonte Carlo Methods 2000, Springer, Berlin, 2002, pp. 86– 102. [18] H. Niederreiter, A. Winterhof, Incomplete exponential sums over finite fields and their applications to new inversive pseudorandom number generators, Acta Arith. 93 (2000) 387– 399. [19] H. Niederreiter, A. Winterhof, On the lattice structure of pseudorandom numbers generated over arbitrary finite fields, Appl. Alg. Engrg. Comm. Comp. 12 (2001) 265–272. [20] R.A. Rueppel, Analysis and Design of Stream Ciphers, Springer, Berlin, 1986. [21] R.A. Rueppel, Stream ciphers, in: Contemporary Cryptology: The Science of Information Integrity, IEEE Press, New York, 1992, pp. 65–134.