Construction of pseudorandom binary lattices using elliptic curves

Transcription

1 Construction of pseudorandom binary lattices using elliptic curves László Mérai Abstract In an earlier paper Hubert, Mauduit and Sárközy introduced and studied the notion of pseudorandomness of binary lattices. Later constructions were given by using characters and the notion of multiplicative inverse over finite fields. In this paper a further large family of pseudormandom binary lattices is constructed by using elliptic curves Mathematics Subject Classification: Primary 11K45 Key words and phases: pseudorandom, binary sequence, binary lattice, elliptic curve, character sum. 1 Introduction In order to study the pseudorandomness of finite sequences Mauduit and Sárközy introduced measures of pseudorandomness in [11]. Later several constructions have been proposed which have good pseudorandom properties in terms of these measures: for example the Legendre symbol sequence [4], [11], sequence generating by the multiplicative inverse [12] and its extensions [7], [15], the sequences generating by using elliptic curves [1], [2], [9], [16]. See also the survey paper [18]. In applications one may need pseudorandom lattices instead of pseudorandom sequences, for example to encrypt 2-dimensional pictures via the Research partially supported by Hungarian National Foundation for Scientific Research, Grant No. K67676 and by the Momentum fund of the Hungarian Academy of Sciences. 1

2 analogue of the Vernam cipher. In [5], Hubert, Mauduit and Sárközy extended the notion of the binary sequences to n-dimensional binary lattices in the following way: Denote IN n be the set of the n-dimensional vectors whose coordinates are selected from the set {0, 1,..., N 1}: I n N = { x = x 1,..., x n ) : x 1,..., x n {0, 1,..., N 1} }. The n-dimensional binary lattice is defined by the function η : I n N { 1, +1}. They also defined the following measures of pseudorandomness: Definition 1. Let u i i = 1,..., n) denote the n-dimensional unit vector whose i-th coordinate is 1 and the others are 0. Let l N. Then t 1 t n Q l η) = max ηj 1 b 1 u j n b n u n + d 1 ) b,d 1,...,d l,t j 1 =0 j n=0 ηj 1 b 1 u j n b n u n + d l ), 1) where the maximum is taken over all n-dimensional vectors b = b 1,..., b n ), d 1,..., d l, t = t 1,..., t n ) such that their coordinates are non-negative integers, b 1,..., b n are non-zero, d 1,..., d l are distinct, and all the points j 1 b 1 u j n b n u n + d i occurring in the multiple sum above belong to I n N. The binary lattice η is said to have strong pseudorandom properties if for fixed n and l, Q l η) is small much smaller, than the trivial upper bound N n ) at least for small l. This terminology is justified by the fact that for a truly random lattice η the measure Q l η) N n/2+ε see [5]). Several constructions have been proposed for pseudorandom lattices, by using the quadratic characters over finite fields [5], [10] or general characters [17], by using the multiplicative inverse [13], and its extension [8]. These constructions have good pseudorandom properties in terms of the measures Q l. In this paper a new construction of pseudorandom binary lattice is proposed by using elliptic curves. 2

3 In Section 2 we summarize some basic facts about elliptic curves, and prove the analogue of a theorem of Winterhof [20] on elliptic curves. In Section 3 we describe the proposed construction and in Section 4 we prove that this construction has good pseudorandom properties. Finally, in Section 5 we give some sufficient conditions to use the theorem proved in the previous section. 2 Elliptic curves and character sums First we summarize some basic facts and notations about the elliptic curves. Our basic reference on elliptic curves will be [3]. Let p > 3 be a prime, F p the finite field of p elements which we represent by the elements {0, 1,..., p 1}, F p is the set of non-zero elements and F p is the algebraic closure of F p. Let E be an elliptic curve over F p defined by the Weierstrass equation y 2 = x 3 + Ax + B with coefficients A, B F p and non-zero discriminant. The F p -rational points EF p ) of E form an Abelian group with the point in infinity O as the neutral element, where the group operation is denoted by and its inverse operation is denoted by ). For a rational point R EF p ), a multiple of R is defined R. The order of R will be denoted by R. As a group EF p ) is isomorphic to Z M Z L for unique integers M and L with L M and M L = EF p ) ). The elements P and Q are said to be echelonized generators if the order of P is M, the order of Q is L and any point can be written in form mp lq with unique integers 0 m < M and 0 l < L. by nr = n Let F p E) be the function field of E over F p. For a rational function f F p E) and point R EF p ), R is a zero resp. pole) of f if fr) = 0 resp. fr) = ). Any function of F p E) has finitely many zeros and poles. The divisor of f is defined by Divf) = R EF p) where ord R f) is the order of f in R. ord R f)[r], 3

4 The set of zeros and poles of f Suppf) = {R EF p ) ord R f) 0} is the support of Divf) and the degree of f is degf) = ord R f). ord R f)>0 For example degx) = 2 and degy) = 3. The translation map by W EF p ) on EF p ) is defined by τ W : EF p ) EF p ), P P W. For a real number α let eα) = exp{2πiα}, and e n a) = ea/n). For a given Abelian group G let Ĝ = HomG, C ) be the group of characters of G. Clearly F p is the set of multiplicative characters. On the other hand ÊF p) = Ω, where Ω = {ω ab : ω ab mp lq) = e M am)e L bl) for 0 m < M and 0 l < L} where now P and Q are echelonized generators). Lemma 1. For any element ψ of Ĝ, we have 1 G ψg) = g G where ψ 0 is the principal character. { 1, if ψ = ψ0, 0, if ψ ψ 0, By the canonical isomorphism of G with the dual group Ĝ, the lemma is symmetrical in G and Ĝ. For a multiplicative character χ of F p, character ω Ω and function f F p E), we define the sum Sω, χ, f) = P EF p) fp ) ωp )χfp )), 4

5 and for a subgroup H EF p ) we define the sum S H ω, χ, f) = P H fp ) ωp )χfp )). We will need the following bound: Lemma 2. Let χ be a non-principal multiplicative character of order d of F p, ω be a character of EF p ). Let f F p E) which is not a d-th power in F p E). Then Sω, χ, f) 2 degf) p. Proof. This is Proposition 1 in [1]. We can also give a good upper bound for S H ω, χ, f) as it was proved for additive characters instead of multiplicative characters in [6]). Corollary 3. If χ, ω and f are defined as above, then S H ω, χ, f) 2 degf) p. Proof. Let Ω H Ω be the set of characters ψ Ω such that kerψ) contains H. Then the upper bound follows from S H ω, χ, f) = 1 ψp )ωp )χfp )) Ω H ψ Ω H and Lemma 2. = 1 Ω H n=1 P EF p) fp ) ψ Ω H Sψ ω, χ, f) Lemma 4. Let us denote the distance of α from the nearest integer by α. 1. For N N we have N 1 1 < 4N log N. n/n 2. For M, L N and for integers 0 a < M, 0 b < L we have M 1 L 1 m=0 l=0 am/m+bl/l Z 1 am/m + bl/l < 4ML log ML. 5

6 Proof. The proof of assertion 1 is easy see for example equation 10) in [19]). For the proof of assertion 2 in the special case when a = b = 1 observe that each value in the denominator has the form k/[m, L], where k runs in {1,..., [M, L] 1} and each value occurs in M, L) times. Thus the sum is bounded by M, L) 4[M, L] log[m, L] < 4ML log ML. The general case can easily be reduced to this special case, we will leave the details to the reader. Lemma 5. Let P EF p ) and t N such that t < P. Then t ωip ) 3 EF p) log EF p ). ω Ω Proof. The inner sum is trivial if P kerω). Since the number of such characters is at most Ω / P we have that the contributions of the trivial terms is t ωip ) Ω P t + 1) Ω = EF p). 2) ω:ωp )=1 Let Q 1 and Q 2 be echelonized generators and write P = mq 1 lq 2. Then we have ω:ωp ) 1 t ωip ) = = = 1 2 M 1 L 1 a=0 b=0 am/m+bn/n Z M 1 L 1 a=0 b=0 am/m+bn/n Z M 1 L 1 a=0 b=0 am/m+bn/n Z M 1 a=0 b=0 am/m+bn/n Z M 1 L 1 a=0 b=0 am/m+bn/n Z 6 L 1 t e M iam)e L ibl) t e M am)e L bl)) i 1 e M am)e L bl)) t+1 1 e M am)e L bl) 2 1 e M am)e L bl) 1 am/m + bn/n 3)

7 by using the fact 1 eα) 4 α. Combining equations 2), 3) and Lemma 4 we get the desired bound. Definition 2. The elements P 1,..., P n said to be weakly independent if i 1 P 1 i n P n = O = i j P j = O for j = 1,..., n. Remark 1. Clearly, if P 1,..., P n are weakly independent elements, then the elements P 1,..., P n, P n+1 = O are also weakly independent. Thus in order to avoid any confusion we will not consider the points P 1,..., P n as weakly independent if at least one of them is zero. Example 2.1. Let P EF p ) and P = α 1... α n such that the numbers α 1,..., α n are pairwise coprime. Then the elements P α 1 P,..., P α n P are weakly independent. Finally we prove the elliptic curve analogue of a result of Winterhof Theorem 2 in [20]): Lemma 6. Let χ be a nontrivial multiplicative character of order d, f F p E) which is not a d-th power in F p E). Let P 1,..., P n EF p ) be weakly independent elements, and t 1,..., t n N such that t i < P i. If we define the box B by B = {i 1 P 1 i n P n : i 1 t 1,..., i n t n }, then χfq)) 2 3 n degf)p 1/2 log EF p ) ) n. Q B 7

8 Proof. By Lemma 1 we have χfq)) = Q B = = 1 EF p ) n t 1 i 1 =0 t 1 i 1 =0 t n t n i n=0 i n=0 ω 1,...,ω n j 1 =1 χfi 1 P 1 i n P n )) P 1 ω 1 j 1 i 1 )... ω n j n i n ) 1 EF p ) n t 1 i 1 =0 P 1 ω 1,...,ω n j 1 =1 t n i n=0 P n j n=1 P n j n=1 χfj 1 P 1 j n P n )) χfj 1 P 1 j n P n ))ω 1 j 1 P 1 )... ω n j n P n ) ω 1 i 1 P 1 )... ω n i n P n ) = P 1 1 P n = χfj EF p ) n 1 P 1 j n P n ))ω 1 j 1 P 1 )... ω n j n P n ) ω 1,...,ω n j 1 =1 j n=1 n tν ) ω ν i ν P ν ). ν=1 i ν=0 By the triangle inequality we have χfq)) Q B 1 P 1 P n EF p ) n χfj 1 P 1 j n P n ))ω 1 j 1 P 1 ) ω n j n P n ) ω 1,...,ω n j 1 =1 j n=1 n t ν ω ν i ν P ν ). ν=1 i ν=0 4) Now let H EF p ) be a subgroup generated by P 1,..., P n. Since P 1,..., P n are weakly independent elements, thus the function { H C ω : j 1 P 1 j n P n ω 1 j 1 P 1 )... ω n j n P n ) 8

9 is well-defined, and it is a character of H. Let ω be a character of EF p ) such that ω = ω on H. Thus we have P 1 P n χfj 1 P 1 j n P n ))ω 1 j 1 P 1 ) ω n j n P n ) j 1 =1 j n=1 5) = χfp ))ωp ) 2 degf)p1/2 P H by Corollary 3. It follows from 4), 5) and Lemma 5 that χfq)) 2 1 degf)p1/2 EF p ) n Q B n ν=1 ω t ν ωip ν ) 2 degf)p 1/2 1 EF p ) n 3 EF p) log EF p ) ) n = 2 3 n degf)p 1/2 log EF p ) ) n. 3 Construction Let χ be a multiplicative character, f F p E) and P 1,..., P n be weakly independent points of EF p ) such that the order of each point is greater than N. Then define the mapping η : IN n { 1, +1} by { +1 if arg χfx1 P ηx 1,..., x n ) = 1 x n P n )) ) [0, π), 6) 1 otherwise. First, we have to define the notion of admissibility of Abelian groups. Slightly different definitions of admissibility have already been considered in special groups, for example in the additive group of F p in [4] or of F p n in [5] or for multisets over general cyclic group in [16].) Definition 3. For a G Abelian group, the pair k, l) is admissible if for all sets A, B such that A k, B l there exists a c G the equation has exactly one solution. a + b = c a A, b B 7) 9

10 Theorem 1. Let p > 3 be a prime, χ be a multiplicative character of F p with even order d, EF p ) be an elliptic curve over F p, f F p E) which is not a d-th power in F p E) and the orders of zeros and poles of f are co-primes to d. Let N be an integer and P 1,..., P n be weakly independent elements such that the order of each point is greater than N. If we define the binary lattice by 6) and the pair Suppf), l) is admissible then we have Q l η) 2 3 n 2d) l ld degf)p 1/2 log EF p ) ) n log d) l + l Suppf). 8) Remark 2. We can also give the following upper bound for Q l η) if d is odd: Q l η) n,l d degf)p 1/2 log EF p ) ) n log d) l + EF p) d l by an argument similar to the one used in [16], however the proof would be more technical. We also remark that nontrivial upper bound cannot be given for Q l η) if d is odd and small, as it was shown by an example in [14] in a similar situation. 4 Proof of Theorem 1 Proof. Let N = {x = x 1,..., x n ) : fx 1 P 1 x n P n ) }. If g is a primitive element of F p such that χg) = e1/d) and ind is the index discrete logarithm) respect to g, then Thus for x N χfp )) = χg ind fp ) ) = χg) ind fp ). ηx) = 1 r d indfx 1 P 1 x n P n ))) < d 2. where r d i) denotes the least non-negative residue of i modulo d. 10

11 If x N, then by Lemma 1 we have ηx) = k<p 1,r d k)<d/2 g k =fx 1 P 1 x np n) = 2 1 p 1 γ = 2 1 p 1 p 1 d 1 0 k<d/2 γfx 1 P 1 x n P n )) γ γfx 1 P 1 x n P n ))γg k+id ) 1 p 1 d 1 γg d ) i where γ runs over the multiplicative characters of F p. The contribution of the principal character is Similarly, if γ d χ 0 then 2 1 p 1 p 1 d 1 p 1 d 1 Finally, if γ d = χ 0 but γ χ 0 ) then 0 k<d/2 γg d ) i = 0. 1 = 1 0 k<d/2 γg) k 1, p 1 d 1 γg d ) i = p 1 d. Since we have ηx) = 2 d γ d =χ 0 γ χ 0 0 k<d/2 γg) k = 1 γg) d 2 1 γg) 1 γg) d 2 1 γg) γfx 1P 1 x n P n )). 9) 11

12 In order to prove the theorem write d i = d i) 1,..., d i) n ). If j 1 b 1 u j n b n u n + d i N for i = 1,..., n, then the general term of the n-fold sum in 1) is ηj 1 b 1 u j n b n u n + d 1 ) ηj 1 b 1 u j n b n u n + d l ) = = η j 1 b 1 + d 1) 1,..., j n b n + d 1) n ) l l 2 1 γ i g) d 2 = d 1 γ i g) γ i So we have t 1 j 1 =0 t n j n=0 t 1 γ d i =χ 0 γ i χ 0 ) ) η j 1 b 1 + d l) 1,..., j n b n + d l) n ) ) f j 1 b 1 + d i) 1 )P 1 j n b n + d i) n )P n ) ). 10) ηj 1 b 1 u j n b n u n + d 1 ) ηj 1 b 1 u j n b n u n + d l ) t n j 1 =0 j n=0 j 1 b 1 u 1 + +j nb nu n+d i N,...,l γ d i =χ 0 γ i χ 0 1 γ i g) d 2 1 γ i g) γ i + l Suppf) ) l 2 d γ d 1 =χ 0 γ 1 χ 0 t 1 γl d=χ 0 γ l χ 0 t n ) l l 2 d j 1 =0 j n=0 j 1 b 1 u 1 + +j nb nu n+d i N,...,l + l Suppf). f j 1 b 1 + d i) ) ) 1 )P 1 j n b n + d i) n )P n l 1 γ i g) d 2 1 γ i g) l Let us define δ u for u = 1,..., l by γ i f j1 b 1 + d i) 1 )P 1 j n b n + d i) n )P n )) γ u = χ δu, 12 11)

13 where 0 δ u < d for u = 1,..., l. Using this notation, we get that the innermost term is l = = χ γ i f j1 b 1 + d i) 1 )P 1 j n b n + d i) n )P n )) l χ δ i f j 1 b 1 + d i) 1 )P 1 j n b n + d i) n )P n )) l f δ i j 1 b 1 + d i) 1 )P 1 j n b n + d i) n )P n ) ). 12) Now, write Q = j 1 b 1 P 1 j n b n P n and B = {i 1 b 1 P 1 ) i n j n P n ) : i 1 t 1,..., i n t n }. Since b ν t ν b ν N P ν the points b 1 P 1 ),..., b n P n ) are also weakly independent, thus we have that the absolute value of the second double sum in 11) is f δ i Q d i) 1 P 1 d i) n P n )) l χ Q B l = χ Q B ) ) δi f τ i) d 1 P 1 d i) n P n Q), 13) where the sum is taken over all Q B such that fq d i) 1 P 1 d i) n P n ). If we write F γ1,...,γ l = F δ1,...,δ l = ) l δi, f τ i) d 1 P 1 d i) n P n we have that 11) can be written in form ) l 2 d γ1 d=χ 0 γl d=χ 0 γ 1 χ 0 γ l χ 0 It suffices to show: l 1 γ i g) d 2 1 γ i g) Q B Fγ1,...,γ l Q) + l Suppf) 14) Lemma 7. If f, l, χ defined as in Theorem 1 and not all of the values δ 1,..., δ l are zeros, then F δ1,...,δ l is not a d-th power. 13

14 Indeed, by Lemma 6 we have that the sum in 14) is l 1 γ i g) d 2 Fγ1,...,γ 1 γ i g) l Q) γ d 1 =χ 0 γ 1 χ 0 γ d l =χ 0 γ l χ 0 Q B 2 3 n degf γ1,...,γ l )p 1/2 log EF p ) ) n 2 3 n ld degf)p 1/2 log EF p ) ) n γ d 1 =χ 0 γ 1 χ 0 γ d 1 =χ 0 γ 1 χ 0 γ d l =χ 0 γ l χ 0 l γl d=χ 0 γ l χ 0 l 1 γ i g) d 2 1 γ i g) 1 γ i g) d 2 1 γ i g). 15) On the other hand 1 γ i g) d 2 1 γ i g)... 1 γ d 2 ig) 1 γ i g) = γ1 d=χ 0 γ 1 χ 0 = γ d =χ 0 γ χ 0 γ d l =χ 0 γ l χ γg) l 2d log d) l. γ d =χ 0 γ χ 0 1 γg) d 2 1 γg) l 16) It follows from 14), 15), 16) that the sum in 1) is 2 2d) l 3 n ld degf)p 1/2 log EF p ) ) n log d) l + l Suppf), which completes the proof. Finally it remains to prove Lemma 7: Proof of Lemma 7. We will show that not all of the coefficients of the divisor of F δ1,...,δ l are divisible by d. As above, let H be the group generated by P 1,..., P n. The co-sets of H in EF p ) has the form R = {R s 1 P 1 s n P n : s i = 0,..., P i 1}. 14

15 For a fixed co-set R let A be the set of P s such that R P is a zero or a pole of f whose multiplicity d ord R P f). Similarly let B = {d i) 1 P 1 d i) n P n : i = 1,..., l}. Then clearly all of the zeros and poles of F δ1,...,δ l have the form R P Q where P A and Q B. Since A Suppf), B = l, 17) and the pair Suppf), l) is admissible, there are elements P Q B such that the equation A and P Q = Z P A, Q B has exactly one solution, where Z = P Q. If Q corresponds to the n-tuple d i) 1,..., d i) n ) then the coefficient of ord P Q F δ 1,...,δ l ) is ord P f) δ i which is not divisible by d. 5 Admissibility Theorem 2. Let G = Z d1 Z ds be a finite Abelian group, pg) be the least prime factor of G. Then i) For all k < pg) the pair k, 2) is admissible. ii) If k, l N and 4 sk+l) < pg), 18) then the pair k, l) is admissible. Remark 3. In the special case, when G = EF p ) the parameter s is 2, and thus it does not depend on the dimension of the lattice. However if G = F + p n is the additive subgroup of F p n, then the parameter s is the dimension of the lattice see for example constructions studied in [10], [13]). Proof. Since the proof is similar to the proof of Theorem 2 in [10], we will leave some details to the reader. Proof of i) of Theorem 2: Assume that contrary to the assertion k < pg), 19) and there are sets A, B G such that A = k, B = 2 and for all c the equation 7) has at least two solutions. Write B = {b, b + d} with d 0). 15

16 Then every element of A + b has at least two representation of form 7), thus A + b = A + b + d, and A + b = A + b + rd for any r = 1,..., pg). Therefore k = A = A + b {a + b + rd : r = 1,..., pg)} = pg), which contradicts 19). Proof of ii) of Theorem 2: For a Z and d N let m d a) denote the absolute least residue of a modulo d, i.e., define m d a) Z by m d a) a mod d), d 2 < m da) d 2. We will need the analogue of Lemma 3 in [10]: Lemma 8. If d 1,..., d s N, p is the least prime which divides d j, t N such that 4 st < p, 20) and h 1,..., h t Z n, then there is an integer 0 < r < p such that m dj r h i ) j ) d j 4. 21) Proof. For h Z define y j h) as the least non-negative [ integer ] ) such that h is dj congruent to one of the integers in the interval y j h) + 1, y 4 j h) + 1) modulo d j. Clearly y j h) {0, 1, 2, 3}. For u = 1,..., p, consider the n- tuples y i u) = y 1 u h i ) 1 )),..., y s u h i ) s ) ) {0, 1, 2, 3} s, i = 1,..., t. The number of the t-tuples y 1 u),..., y t u)) {0, 1, 2, 3} s ) t is p which is greater than the number of distinct t-tuples in {0, 1, 2, 3} s ) t. Thus by the pigeonhole principle there are at least two of these t-tuples which coincide: y 1 u),..., y t u)) = y 1 v),..., y t v)) with u < v. Then writing r = v u, it follows from y j u hi ) j ) = yj v hi ) j ) that [ dj 4 ] )] + 1 m di r h i ) j ) = m di v u) h i ) j ) = m di v h i ) j u h i ) j ) d i 4 for i = 1,..., t and j = 1,..., s. 16

17 Now, let A, B G such that A = k, B = l. For a A let x i a) denote the i-th coordinate of a in the representation in Z d1 Z ds. Now we apply Lemma 8 with the s-tuples x 1 a),..., x s a)) with a A) and x 1 b),..., x s b)) with b B) in place of h 1,..., h t where now t = k + l. The condition 20) holds by 18). By Lemma 8 there is an integer r such that 0 < r < pg) and m di r x i a)), m di r x i b)) d i 4 Now consider the sets of s-tuples for i = 1,..., s, a A, b B. 22) and A = {m d1 r x 1 a)),..., m ds r x s a))) : a A} B = {m d1 r x 1 b)),..., m ds r x s b))) : b B}, and let w A and w B be the maximal elements of A and B in terms of the lexicographic ordering and assume they correspond to a and b respectively: w A = m d1 r x 1 a)),..., m ds r x s a))) and w B = m d1 r x 1 b)),..., m ds r x s b))). By the maximality of w A and w B, the sum w A + w B has no other representation of the form w + w, w A, w B. 23) By 22), the i-th coordinate of this sum is in the interval 2 [ ] [ d i 4, 2 di ]] [ 4 di ] [ 2, di ]] 2. Thus for any a A, b B we have md1 r x 1 a)),..., m ds r x s a)) ) + m d1 r x 1 b)),..., m ds r x s b)) ) m d1 r x 1 a)),..., m ds r x s a)) ) + m d1 r x 1 b)),..., m ds r x s b)) ), 24) which implies and ra + rb ra + rb, for a A, b B a + b a + b, for a A, b B, by using the fact that r is co-prime to d i. 17

18 References [1] Z. Chen, Elliptic curve analogue of Legendre sequences, Monatsh. Math ), pp [2] Z. Chen, S. Li and G. Xiao, Construction of pseudo-random binary sequences from elliptic curves by using discrete logarithm, Lecture Notes in Comput. Sci., 4086, Springer, Berlin, 2006), pp [3] A. Enge: Elliptic Curves and Their Application to Cryptography: an introduction, Kluwer Academic Publisher, Dordrecht [4] L. Goubin, C. Mauduit and A. Sárközy, Construction of large families of pseudorandom binary sequences, J. Number Theory ), pp [5] P. Hubert, C. Mauduit and A. Sárközy, On pseudorandom binary lattices, Acta Arith ), pp [6] D. Kohel and I. E. Shparlinski: On Exponential Sums and Group Generators for Elliptic Curves over Finite Fields. Proc Algorithmic Number Theory Symposium, Leiden Lecture Notes in Comput. Sci., Springer-Verlag, Berlin Heidelberg New York 2000), pp [7] H. Liu, New pseudorandom sequences constructed by quadratic residues and Lehmer numbers, Proc. Amer. Math. Soc. 135, no. 5, 2007), pp [8] H. Liu, A large family of pseudorandom binary lattices, Proc. Amer. Math. Soc ), pp [9] H. Liu, T. Zhan, X. Wang, Large families of elliptic curve pseudorandom binary sequences, Acta Arith ), pp [10] C. Mauduit and A. Sárközy, On large families of pseudorandom binary lattices, Unif. Distrib. Theory, ), pp [11] C. Mauduit and A. Sárközy, On finite pseudorandom binary sequences I: Measures of pseudorandomness, the Legendre symbol, Acta Arith ), pp

19 [12] C. Mauduit and A. Sárközy, Construction of pseudorandom binary sequences by using the multiplicative inverse, Acta Math. Hungar ), pp [13] C. Mauduit and A. Sárközy, Construction of pseudorandom binary lattices by using the multiplicative inverse, Monatsh. Math ), pp [14] L. Mérai, Construction of large families of pseudorandom binary sequences, Ramanujan J ), pp [15] L. Mérai, A construction of pseudorandom binary sequences using both additive and multiplicative characters, Acta Arith ), pp [16] L. Mérai, Construction of pseudorandom binary sequences over elliptic curves using multiplicative characters, submitted [17] L. Mérai, Construction of pseudorandom binary lattices based on multiplicative characters, Periodica Math. Hun ), pp [18] A. Sárközy, On finite pseudorandom binary sequences and their applications in cryptography, Tatra Mt. Math. Publ ), [19] A. Sárközy, A finite pseudorandom binary sequence, Studia Sci. Math. Hungar ), pp [20] A. Winterhof, Some estimates for character sums and applications, Des. Codes Crytogr ), pp