Pseudorandom Sequences I: Linear Complexity and Related Measures

Size: px

Start display at page:

Download "Pseudorandom Sequences I: Linear Complexity and Related Measures"

Kelley Holt
5 years ago
Views:

1 Pseudorandom Sequences I: Linear Complexity and Related Measures Arne Winterhof Austrian Academy of Sciences Johann Radon Institute for Computational and Applied Mathematics Linz Carleton University 2010 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

2 Why pseudorandom and not truly random sequences? A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

3 Pseudorandom Sequences Sequences which are generated by a deterministic algorithm and look random are called pseudorandom. Desirable randomness properties depend on the application! cryptography: unpredictability numerical integration (quasi-monte Carlo): uniform distribution radar: distinction from reflected signal gambling: a good lawyer A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

4 Linear Complexity The linear complexity L(s n ) of a periodic sequence (s n ) over a field F is the smallest positive integer L such that there are constants c 0,..., c L 1 F with s n+l = c L 1 s n+l c 0 s n, n 0. For a positive integer N the Nth linear complexity L(s n, N) of a sequence (s n ) over F is the smallest positive integer L such that there are constants c 0,..., c L 1 F satisfying 0 n N L 1. s n+l = c L 1 s n+l c 0 s n, A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

5 Cryptographic Background A low Nth linear complexity has turned out to be undesirable for cryptographical applications as stream ciphers. Example (Stream Cipher) We consider a message m 0, m 1,... represented as a sequence over F. In a stream cipher each message symbol m j is enciphered with an element x j of another sequence x 0, x 1,... over F, the key stream, by c j = m j + x j. The cipher text c 0, c 1,... can be deciphered by subtracting the key stream m j = c j x j. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

6 Relation to Quasi-Monte Carlo Methods Sequences with low linear complexity are shown to be unsuitable for some applications using quasi-monte Carlo methods as well. The following example describes a typical quasi-monte Carlo application. Example (Quasi-Monte-Carlo Calculation of π) 1 Choose N pairs of a sequence (x n ) in [0, 1) (x n, x n+1 ) [0, 1) 2, n = 0,..., N 1. 2 Count the number K of pairs (x n, x n+1 ) in the unit circle. 3 Approximate π by 4K N. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

7 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

8 Marsaglia s Lattice test, 1972 (η n ) T-periodic sequence over F p For s 1 we say that (η n ) passes the s-dimensional lattice test if the vectors {u n u 0 : 1 n < T } span F s p, where u n = (η n, η n+1,..., η n+s 1 ), 0 n < T. S(η n ) = max { s : u n u 0, 1 n < T = F s p } A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

9 s = 2: A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

10 s = 3: A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

11 Niederreiter/W., 2002: L(η n ) = S(η n ) or = S(η n ) + 1 Dorfer/W., 2003: Lattice test for parts of the period, S(η n, N) We have either S(η n, N) = min(l(η n, N), N + 1 L(η n, N)) or S(η n, N) = min(l(η n, N), N + 1 L(η n, N)) 1. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

12 Relation to Information and Coding Theory The Kolmogorov complexity of a sequence over F is the length of a shortest Turing machine that generates it. Beth/Dai, 1989: F = F 2 : Linear complexity and Kolmogorov complexity are the same for almost all binary sequences. In general there is no algorithm for calculating the Kolmogorov complexity. In contrast we have the Berlekamp-Massey Algorithm for calculating the linear complexity. This algorithm stems from coding theory. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

13 A Consequence of the Berlekamp-Massey Algorithm Theorem If L(s n, N) > N/2, then we have L(s n, N + 1) = L(s n, N). If L(s n, N) N/2, then we have either L(s n, N + 1) = L(s n, N) or L(s n, N + 1) = N + 1 L(s n, N). A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

14 The Expected Value F = F q Theorem The expected value for L(s n, N) is { N 2 + q (q+1) 2 q N N(q+1)+q (q+1) 2 for even N, N + q2 +1 q N N(q+1)+q for odd N. 2 2(q+1) 2 (q+1) 2 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

15 Lower Bounds In case of a p-periodic sequence (ξ n ) over F p, where p is a prime, linear complexity is related to the degree of the polynomial g(x ) F p [X ] representing the sequence (ξ n ), i.e., g(x ) is the unique polynomial which satisfies deg g p 1 and ξ n = g(n), 0 n p 1. These sequences are called explicit nonlinear congruential generators and we have L(ξ n ) = deg g + 1. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

16 High linear complexity but low Nth linear complexity Example: ξ n = 1 (n + 1) p 1, 0 n p 1 (ξ 0, ξ 1,..., ξ p 2, ξ p 1 ) = (0, 0,..., 0, 1) L(ξ n ) = p highly predictable L(ξ n, N) = 0, 1 N p 1 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

17 The explicit inversive congruential generator (z n ) is produced by the relation z n = (an + b) p 2, n = 0,..., p 1, z n+p = z n, n 0, with a, b F p, a 0, and p 5. We have (N 1)/3, 1 N (3p 7)/2, L(z n, N) N p + 2, (3p 5)/2 N 2p 3, p 1, N 2p 2. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

18 c L = 1, N p L c l z n+l = 0, 0 n N L 1 l=0 a(n + l) + b 0, 0 l L: L c l (a(n + l) + b) 1 = 0 l=0 F (X ) = L l=0 c l L (a(x + j) + b) j=0 j L has at least N L (L + 1) zeros and degree at most L. L 1 F ( a 1 b L) = c L (a(j L)) 0 j=0 N 2L 1 L and thus L (N 1)/3 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

19 z n = (an + b) p 2 is still highly predictable since inversion is cheap and a = z 1 n+1 z n 1 for all but two n. Open problem: Define a modified linear complexity with inversions and analyze it. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

20 Let p > 2 be a prime. The Legendre-sequence (l n ) is defined by { ( ) n 1, = 1, l n = p n 0, 0, otherwise, ( where. p Theorem ) is the Legendre-symbol. The linear complexity of the Legendre sequence is (p 1)/2, p 1 mod 8, p, p 3 mod 8, L(l n ) = p 1, p 5 mod 8, (p + 1)/2, p 7 mod 8. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

21 Theorem The Nth linear complexity of the Legendre sequence satisfies L(l n, N) > min{n, p} 1, N p 1/2 (1 + log p) A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

22 Weil: Let f (X ) F p [X ] a (monic) polynomial which is not a square and a F p then we have ( ) af (x) p (deg(f ) 1)p1/2. x F p L c k l n+k = 0 F 2, 0 n N L 1, (c L = 1) k=0 ( ) n ( 1) ln =, n 0, p ( L ) ( 1) P L k=0 c kl n+k l=0 = (n + l)c l = 1 p for at least min{n, p} (L + 1) different n A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

23 Summing over n: ( N 1 L ) l=0 min{n, p} (L + 1) (n + l)c l p n=0 < (L + 1)p 1/2 (1 + log p) A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

24 Relation to Wireless Communication The correlation measure of order k of a binary sequence (s n ) is introduced as M C k (s n ) = max ( 1) s n+d 1 ( 1) s n+dk, k 1, M,D n=1 where the maximum is taken over all D = (d 1, d 2,..., d k ) with non-negative integers d 1 < d 2 < < d k and M such that M 1 + d k T 1. L(s n, N) N max C k(s n ), 2 N t 1. 1 k L(s n,n)+1 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

25 Examples. a) b n = 0, 0 n t 2, b t 1 = 1 L(b n ) = t, one change L(b n) = 0 b) c n+4 = c n, n 0, with c 0 = c 1 = c 2 = 1, c 3 = 0 over F 2 : L(c n ) = 4 over F 3 : L(c n ) = 3 since c n+3 = 2c n+2 + 2c n+1 + 2c n, n 0 Desirable: 1. high linear complexity even if we change a few elements 2. high linear complexity over different fields A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

26 Let (s n ) be a sequence over F, with period t. The k-error linear complexity L k (s n ) of (s n ) is defined as L k (s n ) = min (y n) L(y n), where the minimum is taken over all t-periodic sequences (y n ) over F, for which the Hamming distance of the vectors (s 0, s 1,..., s t 1 ) and (y 0, y 1,..., y t 1 ) is at most k. Theorem Let L k (l n ) denote the k-error linear complexity over F p of the Legendre sequence (l n ). Then, L k (l n ) = p, k = 0, (p + 1)/2, 1 k (p 3)/2, 0, k (p 1)/2. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

27 l n = 2 1 (n p 1 n (p 1)/2 ) F p, n 0 l n = 2 1 (1 n (p 1)/2 ) =: h(n), n 0 l n = f (n) implies L(l n ) = deg(f ) + 1 Let (y n ) be obtained from (l n ) by at most k changes. Case I: (y n ) = (l n ): L(y n ) = p Case II: (y n ) = h(n): L(y n ) = (p + 1)/2 Case III: y n = g(n), g(x ) h(x ) deg(g h) p k 1 (p + 1)/2 if k (p 3)/2 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

28 Shparlinski/W.,2006: linear complexity over F k, k prime: L(l n ) 1 { } 2 log k min p 1, 2k 1. p 1/2 log p + 2 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

29 Open Problem Find more sequences with high (Nth, k-error) linear complexity. For example, study recursive sequences. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

30 Linear Pseudorandom Number Generators F q finite field of q elements, a, b, x 0 F q, a 0 x n+1 = ax n + b, n 0 q = p prime, F p = {0, 1,..., p 1}: y n = x n /p [0, 1), n 0 Nice features: long period can be easily obtained uniform distribution in dimension 1 flaws: predictable (L(x n ) 2) coarse structure A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

31 Nonlinear Pseudorandom Numbers f F q [X ], 2 deg(f ) q 1, x 0 F q x n+1 = f (x n ), n 0 (purely) periodic with period t q q = p prime: y n = x n /p [0, 1) A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

32 Lower Bound on the Linear Complexity Profile Gutierrez/Shparlinski/W., 2003: The linear complexity profile of a nonlinear sequence (x n ) defined by x n+1 = f (x n ), n = 0, 1,..., with a polynomial f F q [X ] of degree d 2, purely periodic with period t, satisfies L(x n, N) min { log d (N log d N ), log d t }. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

33 Proof. F 0 (X ) := X, F i (X ) := F i 1 (f (X )), i 1 deg(f i ) = d i, x n+j = F j (x n ) x n+l = a L 1 x n+l a 0 x n, 0 n N L 1 F (X ) := F L (X ) + a L 1 F L 1 (X ) a 0 F 0 (X ) has degree d L and at least min {N L, t} zeros, namely, x n with 0 n min{n L 1, t 1}. d L min {N L, t} A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

34 Inversive Generators a, b, y 0 F q, a 0 { ay y n+1 = ayn q 2 1 n + b, y + b = n 0, b, y n = 0. Gutierrez/Shparlinski/W., 2003: { } N 1 t 1 L(y n, N) min, 3 2 Reason for better result: f (X ) = bx +a X, F j(x ) = a j X +b j c j X +d A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

35 Dickson and Power Generator The Dickson polynomial D e (X, a) F q [X ] is defined by the following recurrence relation D e (X, a) = XD e 1 (X, a) ad e 2 (X, a), e = 2, 3,..., with initial values D 0 (X, a) = 2, D 1 (X, a) = X, where a F q. Obviously, the degree of D e is e. Moreover, if a {0, 1} then we have D e (D f (X, a), a) = D ef (X, a). A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

36 a = 0: D e (X, 0) = X e, e 2 p n+1 = p e n, n 0 power generator Griffin/Shparlinski, 2000: (q = p prime) { } N 2 L(p n, N) min 4(p 1), t 2, N 1. p 1 Reason for better result: F k (X ) = X ek mod p 1 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

37 a = 1: D e (x + x 1, 1) = x e + x e, x F q 2 u n+1 = D e (u n, 1), n 0, with some initial value u 0 and e 2. Dickson generator Aly/W., 2006: L(u n, N) min{n 2, 4t 2 } 16(p + 1) (p + 1) 1/2 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

38 Redéi generator Suppose that r(x ) = X 2 αx β F p [X ] is an irreducible quadratic polynomial with the two different roots ξ and ζ = ξ p in F p 2. Then any polynomial b(x ) F p 2[X ] can uniquely be written in the form b(x ) = g(x ) + h(x )ξ with g(x ), h(x ) F p [X ]. We consider the elements (X + ξ) e = g e (X ) + h e (X )ξ. e is the degree of the polynomial g e (X ), and h e (X ) has degree at most e 1. The Rédei function f e (X ) of degree e is then given by f e (X ) = g e(x ) h e (X ). A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

39 u n+1 = f e (u n ), n 0, with a Rédei permutation f e (X ) and some initial element u 0 F p. Meidl/W., 2007: L(u n, N) min{n 2, 4t 2 }, N 2. 20(p + 1) 3/2 A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

40 p-weight Degree n nonnegative integer p-weight of n: σ p ( l i=0 n i p i ) = l n i, 0 n i < p. i=0 0 e 1 < e 2 < < e l integers, q = p r, f (X ) = l i=1 γ ix e i F q [X ] nonzero polynomial over F q with γ i 0, i = 1,..., l p-weight degree of f : w p (f ) deg(f ) w p (f ) = max{σ p (e i ) : 1 i l}. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

41 If g(x ) F q [X ] and {β 1,..., β r } is a fixed ordered F p -basis of F q, we define G(X 1,..., X r ) = Tr(g(X 1 β X r β r )), where Tr(X ) = X + X p X pr 1 is the absolute trace function of F q. Then the transformed polynomial G R (X 1,..., X r ) of g(x ) is the unique polynomial with all local degrees smaller than p such that G R (X 1,..., X r ) G(X 1,..., X r ) mod (X p 1 X 1,..., X p r X r ). The interest of this construction relies on the fact that, under certain assumptions, the total degree of G R (X 1,..., X r ) coincides with the p-weight degree of g(x ). A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

42 f (X ) = αx d + f (X ) F q [X ] with α 0, w p ( f ) < σ p (d). (1) If the sequence (x n ) given by x n+1 = f (x n ), n 0, with a polynomial f (X ) F q [X ] of the form (1) satisfying ( gcd d, q 1 ) σ p (d) r/2, p 1 with p-weight degree w = σ p (d) > 1, is purely periodic with period t, then for N 1, L(x n, N) min {log(n/pr 1 log(n/p r 1 )/ log w), log(t/p r 1 )}. log w (Ibeas/W., 2010) A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

43 Polynomial Systems Let {F 1,..., F r } be a system of r 2 polynomials F i F q [X i,..., X m ], i = 1,..., r, defined in the following way: F 1 (X 1,..., X r ) = X 1 G 1 (X 2,..., X r ) + H 1 (X 2,..., X r ), F 2 (X 1,..., X r ) = X 2 G 2 (X 3,..., X r ) + H 2 (X 3,..., X r ),... F r 1 (X 1,..., X r ) = X r 1 G r 1 (X r ) + H r 1 (X r ), F r (X 1,..., X r ) = g r X r + h r. Using the following vector notation F = (F 1 (X 1,..., X r ),..., F r (X 1,..., X r )), we define the following vector sequence w n+1 = F ( w n ), n = 0, 1,.... A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

44 Identifying the r dimensional vectors over F q with elements of F q r we get L ( w n, N) N 1/(r 1), 1 N t. q (Ostafe, Shparlinski, W., 2010) A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

45 Open Problem Find more good nonlinear generators. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

46 Thank you for your attention. A.Winterhof (RICAM (Linz)) Linear Complexity Carleton University / 45

Pseudorandom Sequences II: Exponential Sums and Uniform Distribution

Pseudorandom Sequences II: Exponential Sums and Uniform Distribution Arne Winterhof Austrian Academy of Sciences Johann Radon Institute for Computational and Applied Mathematics Linz Carleton University