Pseudorandom Sequences II: Exponential Sums and Uniform Distribution

Size: px

Start display at page:

Download "Pseudorandom Sequences II: Exponential Sums and Uniform Distribution"

Beverly Perkins
5 years ago
Views:

1 Pseudorandom Sequences II: Exponential Sums and Uniform Distribution Arne Winterhof Austrian Academy of Sciences Johann Radon Institute for Computational and Applied Mathematics Linz Carleton University 2010 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

2 Pseudorandom sequences are generated by a deterministic algorithm and look random. Desirable randomness properties depend on the application! cryptography: unpredictability numerical integration (quasi-monte Carlo): uniform distribution radar: distinction from reflected signal gambling: a good lawyer A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

3 Uniform distribution? A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

4 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

5 Discrepancy Γ = { } (γ n,0,..., γ n,s 1 ) N n=1 sequence of N points in the s-dimensional unit interval [0, 1) s (Γ) = sup B [0,1) s T Γ (B) N B, where T Γ (B) is the number of points of Γ inside the box B = [α 0, β 0 ) [α s 1, β s 1 ) [0, 1) s and the supremum is taken over all such boxes. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

6 Quasi-Monte Carlo Integration x 0,..., x N 1 [0, 1) s [0,1) s f (x)dx 1 N N 1 f (x n ) n=0 How big is the integration error? f (x)dx 1 [0,1) N s N 1 f (x n ) =? n=0 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

7 Uniform distribution is important! A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

8 Bounded variation is important! A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

9 Koksma-Hlawka Inequality Γ = (x 0,..., x N 1 ) f (x)dx 1 [0,1) N s N 1 f (x n ) V (f ) (Γ), n=0 where V (f ) is a measure for the variation of f. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

10 How do we estimate the discrepancy? A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

11 We estimate the discrepancy using exponential sums (additive character sums). A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

12 Erdős-Turan-Koksma inequality (Γ) where ( ) s H N Σ (s) s 1 0< a H j=0 1 max{ a j, 1} N ( ) N (Γ, a) = s 1 exp 2πi a j γ n,j n=1 j=0 Σ (s) and the outer sum is taken over all integer vectors a = (a 0,..., a s 1 ) Z s \ {0} with a = max a j H. j=0,...,s 1 N (Γ, a), A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

13 Group characters Let (G, ) be a finite Abelian group. A mapping χ : G C (F = F \ {0}) is called a character of G if χ(g h) = χ(g)χ(h) for all g, h G. Example. χ 0 (g) = 1 for all g G is called the trivial character. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

14 The character group With the following multiplication of two character χ and ψ is the set of characters Ĝ a group isomorphic to G: χψ(g) = χ(g)ψ(g), g G. Example. G cyclic of order n with generator g χ(g j ) = χ(g) j χ(g) n = 1 χ k (g) = exp(2πik/n), 0 k n 1 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

15 Orthogonality relation 1 G χ(g) = 0, χ χ 0 g G χ(g) = 0, χ Ĝ χ(g h 1 ) = χ Ĝ g 1 G { 1, g = h, 0, g h. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

16 Equations and character sums Let f : G s G be a mapping and h G. Let N(h, f ) be the number of solutions of Then we have N(h, f ) = 1 G f (g 1,..., g s ) = h, (g 1,..., g s ) G s. g 1,...,g s G χ Ĝ = G s G χ(f (g 1,..., g s )h 1 ) N(h, f ) G s 1 < max χ χ 0 χ χ 0 χ(h 1 ) g 1,...,g s G g 1,...,g s G χ(f (g 1,..., g s )). χ(f (g 1,..., g s )) A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

17 From F q to the unit interval (s n ) sequence over F p = {0, 1,..., p 1}, p prime x n = s n /p [0, 1) q = p r, {β 1,..., β r } basis of F q over F p (s n ) sequence over F q with s n = s n,1 β s n,r β r x n = s n,r p s n,1 p r [0, 1) A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

18 (Γ) = sup B [0,1) s T Γ (B) N B, where T Γ (B) is the number of points of Γ inside the box B = [α 0, β 0 ) [α s 1, β s 1 ) [0, 1) s. T Γ (B) can be expressed in terms of character sums (cf. Erdős-Turan-Koksma). A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

19 Characters of finite fields F q finite field of q elements additive characters: (G, ) = (F q, +) q = p prime: ψ a (x) = exp(2πiax/p), a F p q = p r, Tr(x) = x + x p x pr 1, ψ a (x) = exp(2πitr(ax)/p) multiplicative characters: (G, ) = (F q, ) g primitive element of F q (F q = {g j : 0 j q 2}) χ k (g j ) = exp(2πijk/(q 1)), 0 k, j q 2 Example: χ (q 1)/2 (g j ) ( = ) ( 1) j quadratic character q = p: χ (p 1)/2 (x) = Legendre symbol convention: χ k (0) = 0, k 0, χ 0 (0) = 1 x p A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

20 Character sums f, g : F q F q χ multiplicative character and ψ additive character of F q Complete sum: S(χ, ψ, f, g) = x F q χ(f (x))ψ(g(x)) Incomplete sum: X F q S(χ, ψ, f, g, X ) = x X χ(f (x))ψ(g(x)) Trivial bound: S(χ, ψ, f, g, X ) X A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

21 Complete sums Weil-bound: Let f, g F q [X ], χ a multiplicative character and ψ and additive character of F q. If χ is nontrivial of order s > 1 and f is not of the form f = au s, a F q, u F q [X ], or ψ is nontrivial and g is not of the form g = v p v + b, b F q, v F q [X ], then we have S(χ, ψ, f, g) (deg(f ) + deg(g) 1)q 1/2. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

22 Gauss sums Let χ be a multiplicative and ψ an additive Character of F q. Then are called Gauss sums. G(χ, ψ) = c F q If χ and ψ are both nontrivial, we have χ(c)ψ(c) G(χ, ψ) = q 1/2. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

23 G(χ, ψ) 2 = G(χ, ψ)g(χ, ψ) = χ(cd }{{} 1 )ψ(c d) u c,d F q = χ(u) ψ(c(1 u 1 )) u F q c F q = χ(u) + q 1 = q u 0,1 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

24 Gauss sums Type II S n (ψ) = c F q ψ(c n ), n q 1 Let χ be a multiplicative character of order n: 1 + χ(x) + χ 2 (x) χ n 1 (x) n = 1 χ(x) = 1 x = c n and 0 otherwise. n 1 S n (ψ) = G(χ j, ψ) (n 1)q1/2 j=0 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

25 Incomplete sums over intervals Main Idea: Reduce to complete sums and apply, say, the Weil bound. q = p prime, χ nontrivial multiplicative character of F p N 1 χ(n) = O(p1/2 log p). n=0 Method of Polya and Vinogradov: N 1 N 1 χ(n) = χ(x) 1 ψ(x n) n=0 p n=0 x F p ψ 1 N 1 p χ(x)ψ(x) ψ(n) ψ x F p n=0 }{{} p 1/2 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

26 Vinogradov s inequality: N 1 ψ(n) = ψ ψ 0 p 1 a=1 p 1 a=1 p n=0 exp(2πian/p) 1 exp(2πia/p) 1 p 1 1 sin(πia/p) p p 1 dx x = p log p a=1 1 min{a, p a} A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

27 Linear Pseudorandom Number Generators F q finite field of q elements, a, b, x 0 F q, a 0 x n+1 = ax n + b, n 0 Corresponding exponential sums are Gauss sums. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

28 Nonlinear recurrence sequences u 0 F p, f F p [X ], d = deg(f ) 2 u n+1 = f (u n ), n 0 (purely) periodic with period t q N 1 S N = ψ(u n ) = O(N 1/2 p 1/2 (log p) 1/2 ) n=0 Polya-Vinogradov fails! A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

29 Extend and conquer X, Y F q ψ(xy) ( X Y q)1/2 x X y Y A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

30 ψ(xy) x X y Y 2 ( ) 2 ψ(xy) Cauchy-Schwarz x X y Y X 2 ψ(xy) extend x X y Y X 2 ψ(xy) conquer x F q y Y = X ψ(x(y 1 y 2 )) = X Y q x F q y 1,y 2 Y A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

31 Clone N 1 N 1 ψ(u n ) ψ(u n+k ) 2k n=0 n=0 N 1 K 1 K 1 K S N ψ(u n+k ) + 2 k n=0 k=0 k=0 }{{} <K 2 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

32 Nonlinear Pseudorandom Numbers f F q [X ], 2 deg(f ) q 1, x 0 F q u n+1 = f (u n ), n 0 N 1 S N = ψ(u n ) n=0 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

33 Niederreiter/Shparlinski, 1999: S N = O ( N 1/2 p 1/2 log(d) 1/2 log(p) 1/2) Main idea of proof: Reduction to Weil-bound via cloning and extend and conquer: ψ(f (x)) (deg(f ) 1)q1/2 x F q Here: F (X ) = a i F ki (X ) Exponential degree growth when iterating f (X ) is the reason for the weakness of these bounds. (Cf. linear complexity bounds.) A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

34 Inversive Generators a, b, y 0 F q, a 0 { ay y n+1 = ayn q 2 1 n + b, y + b = n 0, b, y n = 0. Niederreiter/Shparlinski, 2001: D N = O(N 1/2 p 1/4 log s (p)) Reason for better result: f (X ) = bx +a X, F j(x ) = a j X +b j c j X +d A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

35 Dickson and Power Generator The Dickson polynomial D e (X, a) F q [X ] is defined by the following recurrence relation D e (X, a) = XD e 1 (X, a) ad e 2 (X, a), e = 2, 3,..., with initial values D 0 (X, a) = 2, D 1 (X, a) = X, where a F q. Obviously, the degree of D e is e. Moreover, if a {0, 1} then we have D e (D f (X, a), a) = D ef (X, a). A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

36 a = 0: D e (X, 0) = X e, e 2 p n+1 = p e n, n 0 power generator power generator: Friedlander/Shparlinski, 2001 Reason for better result: F k (X ) = X ek mod p 1 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

37 a = 1: u n+1 = D e (u n, 1), n 0, with some initial value u 0 and e 2. Dickson generator Dickson generator: Gomez/Gutierrez/Shparlinski, 2006 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

38 Redéi generator Suppose that r(x ) = X 2 αx β F p [X ] is an irreducible quadratic polynomial with the two different roots ξ and ζ = ξ p in F p 2. Then any polynomial b(x ) F p 2[X ] can uniquely be written in the form b(x ) = g(x ) + h(x )ξ with g(x ), h(x ) F p [X ]. We consider the elements (X + ξ) e = g e (X ) + h e (X )ξ. e is the degree of the polynomial g e (X ), and h e (X ) has degree at most e 1. The Rédei function f e (X ) of degree e is then given by f e (X ) = g e(x ) h e (X ). A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

39 u n+1 = f e (u n ), n 0, with a Rédei permutation f e (X ) and some initial element u 0 F p. Redéi generator: Gutierrez/W., 2007 A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

40 p-weight Degree n nonnegative integer p-weight of n: σ p ( l i=0 n i p i ) = l n i, 0 n i < p. i=0 0 e 1 < e 2 < < e l integers, q = p r, f (X ) = l i=1 γ ix e i F q [X ] nonzero polynomial over F q with γ i 0, i = 1,..., l p-weight degree of f : w p (f ) deg(f ) w p (f ) = max{σ p (e i ) : 1 i l}. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

41 If g(x ) F q [X ] and {β 1,..., β r } is a fixed ordered F p -basis of F q, we define G(X 1,..., X r ) = Tr(g(X 1 β X r β r )), where Tr(X ) = X + X p X pr 1 is the absolute trace function of F q. Then the transformed polynomial G R (X 1,..., X r ) of g(x ) is the unique polynomial with all local degrees smaller than p such that G R (X 1,..., X r ) G(X 1,..., X r ) mod (X p 1 X 1,..., X p r X r ). The interest of this construction relies on the fact that, under certain assumptions, the total degree of G R (X 1,..., X r ) coincides with the p-weight degree of g(x ). A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

42 Instead of univariate Weil-bound ψ q (g(x)) (deg(g) 1)q1/2 x F q we apply the multivariate Weil-bound ψ p ((G R (x 1,..., x r )) x 1,...,x r F p (w p 1)p r 1/2 (Ibeas/W., 2010) A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

43 f (X ) = αx d + f (X ) F q [X ] with α 0, w p ( f ) < σ p (d), d 2, (1) and ( gcd d, q 1 ) σ p (d) r. p 1 (2) If the sequence (x n ) defined by x n+1 = f (x n ), n 0, x 0 F q, with f (X ) F q [X ] of the form (1) satisfying (2) is purely periodic with period t, then S a,n (f ) N 1/2 q 1/2 (log w) 1/2 /(log p) 1/2, 1 N t, a 0, where w = σ p (d) > 1 is the p-weight degree of f (X ) and the implied constant depends only on s. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

44 Polynomial Systems Let {F 1,..., F r } be a system of r 2 polynomials F i F q [X i,..., X m ], i = 1,..., r, defined in the following way: F 1 (X 1,..., X r ) = X 1 G 1 (X 2,..., X r ) + H 1 (X 2,..., X r ), F 2 (X 1,..., X r ) = X 2 G 2 (X 3,..., X r ) + H 2 (X 3,..., X r ),... F r 1 (X 1,..., X r ) = X r 1 G r 1 (X r ) + H r 1 (X r ), F r (X 1,..., X r ) = g r X r + h r. Using the following vector notation F = (F 1 (X 1,..., X r ),..., F r (X 1,..., X r )), we define the following vector sequence w n+1 = F ( w n ), n = 0, 1,.... (Ostafe, Shparlinski 2009) A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

45 Open Problem Find more good nonlinear generators. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

46 Thank you for your attention. A.Winterhof (RICAM (Linz)) Uniform Distribution Carleton University / 45

Pseudorandom Sequences I: Linear Complexity and Related Measures

Pseudorandom Sequences I: Linear Complexity and Related Measures Arne Winterhof Austrian Academy of Sciences Johann Radon Institute for Computational and Applied Mathematics Linz Carleton University 2010