On the Distribution of the Subset Sum Pseudorandom Number Generator on Elliptic Curves

Transcription

1 On the Distribution of the Subset Sum Pseudorandom Number Generator on Elliptic Curves Simon R. Blacburn Department of Mathematics Royal Holloway University of London Egham, Surrey, TW20 0EX, UK Alina Ostafe Department of Computing Macquarie University Sydney, NSW 2109, Australia Igor E. Shparlinsi Department of Computing Macquarie University Sydney, NSW 2109, Australia Keywords: Pseudorandom numbers, Subset sum problem, Knapsac, Exponential sums MSC 2010: Primary 11K45, 11T71; Secondary 11G05, 11T23, 65C05, 94A60 1

2 Abstract Given a prime p, an elliptic curve E/F p over the finite field F p of p elements and a binary linear recurrence sequence un of order r, we study the distribution of the sequence of points r 1 un + jp j, n = 1,..., N, j=0 on average over all possible choices of F p -rational points P 1,..., P r on E. For a sufficiently large N we improve and generalise a previous result in this direction due to E. El Mahassni. 1 Introduction The napsac generator or subset sum generator is a pseudorandom number generator introduced by Rueppel and Massey [14] and studied in [12]; see also [10, Section 6.3.2] and [13, Section 3.7.9]. It is defined as follows. For an integer m 1 we denote by Z m the residue ring modulo m. Let un be a linear recurrence sequence of order r over the field of two elements F 2, see [9, Chapter 8]. Given an r-dimensional vector z = z 0,..., z r 1 Z r m of weights, we generate a sequence of pseudorandom elements of Z m by r 1 un + jz j, n = 1, 2, j=0 For cryptographic applications, it is usually recommended to use a linear recurrence sequence of maximal period τ = 2 r 1 and also the modulus m = 2 r. Although the results of [5, 8] suggest that this generator should be used with care, no major attac against it is nown. In [2, 6] results on the joint uniform distribution of several consecutive elements of this generator have been obtained on average over all r-dimensional vectors z = z 0,..., z r 1 Z r m. El Mahassni [4] has recently considered the elliptic curve subset sum generator and obtained some uniformity of distribution results for this generator. More precisely, let p be a prime and let E be an elliptic curve over the finite field F p of p elements. Following [4], given a vector P = P 0,..., P r 1 2

3 EF p r of r points from the group EF p of F p -rational points on E see [16] for a bacground on elliptic curves, we define the sequence: r 1 V P n = un + jp j, n = 1, 2,..., 2 j=0 where the summation symbol refers to the group operation on E; see also [5]. If we fix any function f : EF p F p, we can define the output of the elliptic curve subset sum generator to be the sequence fv P n. One of the simplest and most natural choices for the function f has been considered in [4], namely fp = xp, the x-coordinate of any affine point P EF p. We can define xo = 0 for the point at infinity O. With this choice for the function f, it is nown [4] that for almost all choices of P = P 0,..., P r 1 EF p s, the sequence x V P n /p, n = 1,..., N, is uniformly distributed modulo 1 for a wide range of N. In this paper we improve the result of [4] on the distribution of the sequence x V P n /p, n = 1,..., N, in the case when N is sufficiently large, by adding some combinatorial arguments to the existing techniques. We also establish results on the distribution of the s-dimensional vectors x VP n p,..., x V Pn + s 1 p, n = 1,..., N, 3 for any s 2. Note that we always assume that F p is represented by the set {0,..., p 1}, so the vectors 3 belong to the s-dimensional unit cube. The methods in [4] do not seem to extend to this case. We note that for small values of N the results of [4] remain the only ones nown for the elliptic curve subset sum generator. In particular, full analogues of the results of [2] are still not nown. Throughout the paper, the implied constants in symbols O and may depend on the integer parameter s. We recall that U V and U = OV are both equivalent to the inequality U cv with some constant c > 0. 2 Preliminaries 2.1 Discrepancy and Exponential Sums For a real z and an integer m 1 we use the notation ez = exp2πiz and e m z = exp2πiz/m. 3

4 For a sequence of N points Γ = γ 0,n,..., γ s 1,n N 4 in the s-dimensional unit cube, we denote its discrepancy by D Γ. That is, D Γ = sup T Γ B N B, B [0,1 s where T Γ B is the number of points of the sequence Γ in the box B = [α 0, β 0... [α s 1, β s 1 [0, 1 s of volume B and the supremum is taen over all such boxes. As we have mentioned, one of our basic tools to study the uniformity of distribution is the Kosma Szüsz inequality, which we present in a slightly weaer form than that given by Theorem 1.21 of [3]. For an integer vector a = a 0,..., a s 1 Z s we define a = max a s 1 ν, ra = max{ a ν, 1}.,...,s 1 Lemma 1. For any integer L > 1 and any sequence Γ of N points 4 for the discrepancy D Γ we have D Γ 1 L N s 1 e a ν γ ν,n, N ra 0< a <L where the sum is taen over all integer vectors a = a 0,..., a s 1 Z s with 0 < a < L. For estimation of the corresponding exponential sums with various sequences of pseudorandom numbers, the following special case of the bound of Bombieri [1] is used. Lemma 2. For any rational function fx, Y F p X, Y of degree d which is not constant on an elliptic E over F p, the bound ep fq dp 1/2 P EF p holds, where means the the poles of fx, Y are excluded from the summation. 4

5 We need the orthogonality relation: m 1 η=0 e m ηλ = { 0, if λ 0 mod m, m, if λ 0 mod m. 5 We also mae use of the inequality which is immediate from [7, Bound 8.6] m 1 M e m ηλ m log m, 6 η=0 λ=1 which holds for any integers m and M with 1 M m. 2.2 Combinatorial Estimates Let r and s be positive integers such that s r. Write e 1,..., e s for the standard orthogonal basis vectors of length s and let 0 s = 0,..., 0 be the s- dimensional zero vector. We say that a pair of r-dimensional binary vectors x = x 0,..., x r 1 and y = y 0,..., y r 1 is s-good if for all h = 1,..., s, there exists at least one pair i, j, 0 i, j r s such that and x i, x i+1,..., x i+s 1 = e h, x j, x j+1,..., x j+s 1 = 0 s y i, y i+1,..., y i+s 1 = 0 s, y j, y j+1,..., y j+s 1 = e h. We say that a pair x, y is s-bad if it is not s-good. We wish to obtain a bound on the number f s r of s-bad pairs of vectors of length r. Lemma 3. Let s be a fixed positive integer. The number f s r of s-bad pairs of binary vectors of length r is at most f s r 2s4 s 1 α r s where α s = 4 s 1 1/s. Proof. We say that a pair x, y is s, h-bad with respect to x if there exists no integer i with 0 i r s such that x i, x i+1,..., x i+s 1 = e h and y i, y i+1,..., y i+s 1 = 0. Furthermore, we say that a pair x, y is s-bad with respect to x if and only if it is s, h-bad with respect to x for some h. 5

6 Note that a pair x, y is s-bad if and only if for some h the pair is s, h-bad with respect to either x or y. Since there are at most s possibilities for h, and the roles of x and y in the definition of s-bad pairs are completely symmetrical, our bound follows if we can prove that for any s and h the number of s, h-bad pairs with respect to x is at most 4 s 1 αs. r Let h be fixed. We bound the number of s, h-bad pairs x, y with respect to x as follows. For an integer m = 0,..., r/s 1, there are at most 2 2s 1 possibilities for the pair x ms, x ms+1,..., x ms+s 1, y ms, y ms+1,..., y ms+s 1 of subsequences, since this pair of subsequences cannot be equal to e h, 0. So there are at most 2 2s 1 r/s 2 2s 1 r/s = α r s possibilities for the pair x 0, x 1,..., x r/s s 1, y 0, y 1,..., y r/s s 1. But r r/s s s 1, and so there are at most 4 s 1 possibilities for the last r r/s s positions of x and y. This establishes our bound. In particular, since α s < 4, we see from Lemma 3 that f s r = o4 r as r with s fixed and so s-bad pairs are asymptotically rare. We remar that it is not too difficult to see that f s r is bounded below by c s β r s for some positive constants c s > 0 and β s depending only on s. To see this we may use the Perron Frobenius Theorem, together with the fact that the number of s, h-bad pairs with respect to x is equal to the number of wals of length r s in a certain directed graph namely the tensor product of two copies of a span s binary de Bruijn graph, with a single vertex removed. Indeed, for small values of s computer calculations based on this framewor show that f s r c s β r s where the value of β s is given in the following table to 5 decimal places, with the value of α s given by our upper bound included for comparison: s α s β s The computer calculations show that the pairs that are s, h-bad where h = s 1/2 and h = s 1/2 provide the dominant term for f s r for s 6. 6

7 3 Main Result 3.1 One Dimensional Distribution For P = P 0,..., P r 1 EF p r, we denote by D P N the discrepancy of the points xvp n, n = 1,..., N. p Theorem 4. Let the linear recurrence sequence un be purely periodic with period τ and order r = Op 1/2 and let its characteristic polynomial be irreducible over F 2. Then for any δ > 0, and for all except Oδp r choices for P EF p r, for all 1 N τ, we have D P N δ 1 N 1/2 + 3 r/2 N 1 p 1/4 + p 1/2 log τ 2 log p. Proof. From Lemma 1, used with L = p, we derive D P N 1 p N e p axv P n N a. 0< a <p Let N µ = min{2 µ, τ}, µ = 0, 1,.... Define by the inequality N 1 < N N, that is, = log 2 N. Then from 5 we derive N e p axv P n = 1 N Hence, where P = 0< a <p 1 a N λ=1 η=0 N N e p axv P n e N ηn λ. D P N 1 p + 1 NN P 7 N η=0 N N e N ηλ e p axv P n e N ηn. λ=1 The celebrated Hasse bound shows that #EF p r p 1/ r = Op r 7

8 as we have assumed that r = Op 1/2. Applying the Cauchy inequality, we derive 2 N e p axv P n e N ηn P EF p r p 1/ r p r N n,l=1 P EF p r e N ηn l N e p axv P n e N ηn P EF p r e p a xv P n xv P l. For the case n = l, we estimate the inner sum trivially as #EF p r = Op r. We split the rest of the sum into two sums: the first over distinct 1-bad pairs of vectors un,..., un + r 1, ul..., ul + r 1, 8 and the second over 1-good pairs of vectors 8. Let B r be the set of pairs of indices n, l such that the pair of vectors 8 is 1-bad, that is the set of vectors for which un + i ul + i for all i = 0,..., r 1, or un + i ul + i for all i = 0,..., r 1. As the vectors are distinct, there exists an index i = 0,..., r 1 such that we have for example un + i > ul + i, which means that V P l does not depend on the point P i. The Bombieri bound given by Lemma 2 in the case when fx, Y = X shows that for any fixed c 1 EF p and c 2 F p e p axc 1 + P + c e p axc 1 + P i + c 2 = Op 1/2. P EF p P EF p,p c 1 So we bound our inner sum by summing over the point P i EF p to obtain e p a xv P n xv P l P EF p r = e p a xf n P i + P i xf l P i = Op r 1/2, P i EF p r 1 P i EF p where P i is the vector obtained from P by removing the point P i, and F m P i EF p denotes a point on E that depends only on m and P i. 8 2

9 It remains to consider the case of n, l B r. In this case, there exist two indices i, j = 0,..., r 1 such that we have for example un + i > ul + i and un + j < ul + j. Thus V P l does not depend on the point P i and V P n does not depend on the point P j. Using Lemma 2 again, but this time applied for the sums over the points P i and P j, the inner sum becomes P EF p r e p a xv P n xv P l = P i,j EF p r 2 P i EF p e p a xg n P i,j + P i P j EF p e p axg l P i,j + P j = Op r 1, where P i,j is the vector obtained from P by removing the points P i and P j, and G m P i,j EF p denotes a point on E that depends only on m and P i,j. Putting everything together, by Lemma 3, we obtain 2 N e p axv P n e N ηn P EF p r p r N p r + p r 1/2 N 1 + p n,l=1 n,l B r N p 2r + 3 r p 2r 1/2 + N 2 p 2r 1, r 1 N 1 n,l=1 n,l B r and thus N e p axv P n e N ηn N 1/2 p r + 3 r/2 p r 1/4 + N p r 1/2. P EF p r Using 6, we obtain P P EF p r N 1/2 p r + 3 r/2 p r 1/4 + N p r 1/2 N 1/2 0< a <p 1 a N η=0 N e N ηλ λ=1 p r + 3 r/2 p r 1/4 + N p r 1/2 N log N log p N 3/2 p r + N 3 r/2 p r 1/4 + N 2 p r 1/2 log τ log p. 9

10 Thus, for each = 1,..., log τ, the inequality P δ 1 N 3/2 + N 3 r/2 p 1/4 + N 2 p 1/2 log τ 2 log p 9 holds for at most Oδp r / log τ vectors P EF p r. Therefore, the number of vectors P EF p r for which 9 holds for at least one = 1,..., log τ is Oδp r. For all the other points P EF p r, by 7 and taing into account that N = 2N 1 2N, we get D P N δ 1 N 1 N 1/2 + 3 r/2 p 1/4 + N p 1/2 log τ 2 log p which concludes the proof. δ 1 N 1/2 + 3 r/2 N 1 p 1/4 + p 1/2 log τ 2 log p, We note that El Mahassni [4] obtained the bound D P N δ 1 N 1/2 + p 1/4 log τ 2 log p 10 under the same conditions. Say, in the most interesting case of sequences of maximal period τ = 2 r 1 and r chosen so that 2 r p 2 r, Theorem 4 gives a stronger result for τ N τ 0.5 log 3/ log 2 = τ Multidimensional Distribution For P = P 0,..., P r 1 EF p r, we denote by D P,s N the s-dimensional discrepancy of the points 3. Theorem 5. Let the linear recurrence sequence un be purely periodic with period τ and order r = Op 1/2 and let its characteristic polynomial be irreducible over F 2. Then for any δ > 0, and for all except Oδp r choices for P EF p r, for all 1 N τ, we have D P,s N δ 1 N 1/2 log p + p 1/2 log p + α r/2 s N 1 log p s log τ 2, where the implied constant depends only on s and α s is as in Lemma 3. 10

11 Proof. Exactly as in the proof of Theorem 4, by Lemma 1 we get where P,s = D P,s N 1 p + 1 NN P,s, 11 0< a <p a=a 1,...,a s Z s 1 ra N η=0 N e N ηλ λ=1 N s 1 e p a ν xv P n + ν e N ηn. We further split the sum P,s into two parts P,s,1 and P,s,2 where the summation in P,s,1 is taen over the vectors a = a 1,..., a s Z s with only one non-zero component and P,s,2 includes all other terms. Thus P,s = P,s,1 + P,s,2. 12 As in the proof of Theorem 4 we obtain P,s,1 N 3/2 p r + N 3 r/2 p r 1/4 + N 2 p r 1/2 log τ log p. 13 P EF p r Now, let A s be the set of the vectors a = a 1,..., a s Z s with 0 < a < p and with at least two nonzero components. For a A s, applying the Hasse bound and Cauchy inequality, we derive N s 1 2 e p a ν xv P n + ν e N ηn P EF p r p 1/ r p r N n,l=1 P EF p r e N ηn l P EF p r e p N s 1 e p a ν xv P n + ν e N ηn s 1 a ν xv P n + ν xv P l + ν. 11 2

12 Now, as in Theorem 4, we split the sum into two sums, one over pairs n, l such that the pair of vectors 8 is s-bad and one over s-good pairs. Let B r,s be the set of pairs of indices n, l such that the pair of vectors 8 is s-bad. For n, l B r,s, as in the proof of Theorem 4, we estimate the inner sum over P trivially as Op r. It remains to consider the case of n, l B r,s. Since a A s there exist at least two distinct indices i, j = 0,..., s 1 such that a i, a j 0. Since n, l B r,s, there exist two indices i 1, i 2 = 0,..., r s such that and un + i 1,..., un + i 1 + s 1 = e i, ul + i 1,..., ul + i 1 + s 1 = 0 s, un + i 2,..., un + i 2 + s 1 = 0 s, ul + i 2,..., ul + i 2 + s 1 = e i. Similarly, there exist two indices j 1, j 2 = 0, 1,..., r s such that and un + j 1,..., un + j 1 + s 1 = e j, ul + j 1,..., ul + j 1 + s 1 = 0 s, un + j 2,..., un + j 2 + s 1 = 0 s, ul + j 2,..., ul + j 2 + s 1 = e j. When ν {1, 2,..., s} \ {i, j}, the equations above show that un + ν + i 1 = un + ν + i 2 = un + ν + j 1 = un + ν + j 2 = 0, and so V P n + ν does not depend on any of P i1, P i2, P j1, P j2. V P l + ν does not depend on any of P i1, P i2, P j1, P j2. When ν = i so ν j, the equations above show that Similarly, un + ν + i 1 = 1 and un + ν + i 2 = un + ν + j 1 = un + ν + j 2 = 0, so V P n + ν = V P n + i depends on P i1, but does not depend on any of P i2, P j1, P j2. Similarly V P l + i depends on P i2, but none of P i1, P j1, P j2 ; V P n + j depends on P j1, but none of P i1, P i2, P j2 ; and V P l + j depends on P j2, but none of P i1, P i2, P j1. 12

13 Let P i1,i 2,j 1,j 2 be the vector obtained from P after discarding the points P i1, P i2, P j1 and P j2. We can apply Lemma 2 to our inner sum as in the one dimensional case, but this time applied for four sums over the points P i1, P i2, P j1 and P j2 to obtain s 1 a ν xv P n + ν xv P l + ν where P EF p r e p = e p Ψ n,l P i1,i 2,j 1,j 2 P i1,i 2,j 1,j 2 EF p r 4 e p a i xg n P i1,i 2,j 1,j 2 + P i1 P i1 EF p P j1 EF p P i2 EF p e p a j xg n P i1,i 2,j 1,j 2 + P j1 P j2 EF p = O p r 4 p 1/2 4 = O p r 2, Ψ n,l P i1,i 2,j 1,j 2 = s 1 ν i,j e p a i xg l P i1,i 2,j 1,j 2 + P i2 e p a j xg l P i1,i 2,j 1,j 2 + P j2 a ν xv P n + ν xv P l + ν depends only on n, l and P i1,i 2,j 1,j 2 and G m P i,j EF p denotes a point on EF p that depends only on m and P i,j. Note that we are using the fact that a i and a j are non-zero at this point. Putting everything together, by Lemma 3, we obtain P EF p r N s 1 e p a ν xv P n + ν e N ηn 2 p r N 2 p r 2 + α r sp r N 2 p 2r 2 + α r sp 2r, 13

14 and thus P EF p r N s 1 e p a ν xv P n + ν e N ηn N p r 1 + αs r/2 p r. Now using 6, we obtain P EF p r P,s,2 N p r 1 + α r/2 s p r 0< a <p a=a 1,...,a s Z s 1 ra N p r 1 + αs r/2 p r N log N log p s N 2 p r 1 + αs r/2 N p r log τlog p s. N η=0 N e N ηλ Thus, from 12 and 13, we obtain the inequality P,s, N 3/2 p r + N 3 r/2 p r 1/4 + N 2 p r 1/2 log τ log p P EF p r λ=1 + N 2 p r 1 + αs r/2 N p r log τlog p s N 3/2 p r + N 2 p r 1/2 log τ log p + α r/2 s N p r log τlog p s. Hence, for each = 1,..., log τ, we see that the inequality P,s δ 1 N 3/2 log p + N 2 p 1/2 log p + α r/2 s N log p s log τ 2 14 holds for at most Oδp r / log τ vectors P EF p r. Therefore, the number of vectors P EF p r for which 14 holds for at least one = 1,..., log τ is Oδp r. For all the other points P EF p r, by 11 and taing into account that N = 2N 1 2N, as in the proof of Theorem 4 we get D P,s N δ 1 N 1/2 log p + p 1/2 log p + α r/2 s N 1 log p s log τ 2, which concludes the proof. 14

15 Again, in the most interesting case of sequences of maximal period τ = 2 r 1 and r chosen so that 2 r p 2 r, Theorem 5 is nontrivial for τ N τ γs+ε, for any fixed ε > 0 and a sufficiently large p, where 4 Comments γ s = log α s 2 log 2 < 1. We remar that the proofs of Theorems 4 and 5 depend only on the fact that the binary vectors un + 1,..., un + r, n = 1,..., τ, are pairwise distinct. Thus the same results hold for many other sequences un, for example for sequences generated by non-linear recurrence relations. In fact, in this generality, these results are new even in the case of the classical subset sum generator 1 over a residue ring as the proof in [2] applies only to linear recurrence sequences. Our method also applies to bounds of multiplicative character sums with the sequence 1 on average over the vectors z = z 0,..., z r 1 Z r m. On the other hand, it is still an open problem to obtain nontrivial results about the multidimensional distribution of the elliptic curve subset sum generator 2 on short segments. Note that the bound 10 is nontrivial starting from the values of N of order log τ 4 log p 2 which can be further reduced by using the approach of [15]. Acnowledgements The second and the third authors are very grateful to the organisers of the 2nd International Conference on Uniform Distribution Theory, 2010, Strobl Austria for the invitation to this meeting, where the idea of this wor was born. During the preparation of this paper, A. O. was supported in part by the Swiss National Science Foundation Grant , I. S. was supported in part by the Australian Research Council Grant DP and by the National Research Foundation of Singapore Grant CRP

16 References [1] E. Bombieri, On exponential sums in finite fields, Amer. J. Math , [2] A. Conflitti and I. E. Shparlinsi, On the multidimensional distribution of the subset sum generator of pseudorandom numbers, Math. Comp , [3] M. Drmota and R. Tichy, Sequences, discrepancies and applications, Springer-Verlag, Berlin, [4] E. El Mahassni, On the distribution of the elliptic subset sum generator of pseudorandom numbers, Integers , Article #A31. [5] J. von zur Gathen and I. E. Shparlinsi, Predicting subset sum pseudorandom number generators, Proc. 11th Worshop on Selected Areas in Cryptography, Waterloo, 2004, Lect. Notes in Comp. Sci., Springer- Verlag, Berlin, , [6] J. von zur Gathen and I. E. Shparlinsi, Subset sum pseudorandom numbers: Fast generation and distribution, J. Math. Cryptology, , [7] H. Iwaniec and E. Kowalsi, Analytic number theory, Amer. Math. Soc., Providence, RI, [8] S. Knellwolf and W. Meier, Cryptanalysis of the napsac generator, Proc. 18th Worshop on Fast Software Encryption 2011, Lyngby, Denmar, 2011, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, to appear. [9] R. Lidl and H. Niederreiter, Finite fields, Cambridge University Press, Cambridge, [10] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handboo of applied cryptography, CRC Press, Boca Raton, FL, [11] H. Niederreiter, Random number generation and Quasi Monte Carlo methods, SIAM Press,

17 [12] R. A. Rueppel, Analysis and design of stream ciphers, Springer-Verlag, Berlin, [13] R. A. Rueppel, Stream ciphers, Contemporary cryptology: The science of information integrity, IEEE Press, NY, 1992, [14] R. A. Rueppel and J. L. Massey, Knapsac as a nonlinear function, IEEE Intern. Symp. of Inform. Theory, IEEE Press, NY, 1985, 46. [15] I. E. Shparlinsi, On the average distribution of pseudorandom numbers generated by nonlinear permutations, Math. Comp , [16] J. H. Silverman, The arithmetic of elliptic curves, Springer-Verlag, GTM vol. 106, Berlin,