ON THE DISTRIBUTION OF THE ELLIPTIC SUBSET SUM GENERATOR OF PSEUDORANDOM NUMBERS

Similar documents
The Matrix Exponential

The Matrix Exponential

Introduction to Arithmetic Geometry Fall 2013 Lecture #20 11/14/2013

Derangements and Applications

Construction of asymmetric orthogonal arrays of strength three via a replacement method

Deift/Zhou Steepest descent, Part I

On the irreducibility of some polynomials in two variables

LINEAR DELAY DIFFERENTIAL EQUATION WITH A POSITIVE AND A NEGATIVE TERM

COUNTING TAMELY RAMIFIED EXTENSIONS OF LOCAL FIELDS UP TO ISOMORPHISM

BINOMIAL COEFFICIENTS INVOLVING INFINITE POWERS OF PRIMES. 1. Statement of results

Recall that by Theorems 10.3 and 10.4 together provide us the estimate o(n2 ), S(q) q 9, q=1

On the Distribution of the Subset Sum Pseudorandom Number Generator on Elliptic Curves

BINOMIAL COEFFICIENTS INVOLVING INFINITE POWERS OF PRIMES

1 N N(θ;d 1...d l ;N) 1 q l = o(1)

Combinatorial Networks Week 1, March 11-12

SECTION where P (cos θ, sin θ) and Q(cos θ, sin θ) are polynomials in cos θ and sin θ, provided Q is never equal to zero.

On spanning trees and cycles of multicolored point sets with few intersections

Cramér-Rao Inequality: Let f(x; θ) be a probability density function with continuous parameter

A Propagating Wave Packet Group Velocity Dispersion

Hardy-Littlewood Conjecture and Exceptional real Zero. JinHua Fei. ChangLing Company of Electronic Technology Baoji Shannxi P.R.

cycle that does not cross any edges (including its own), then it has at least

SCHUR S THEOREM REU SUMMER 2005

Equidistribution and Weyl s criterion

INCOMPLETE KLOOSTERMAN SUMS AND MULTIPLICATIVE INVERSES IN SHORT INTERVALS. xy 1 (mod p), (x, y) I (j)

(Upside-Down o Direct Rotation) β - Numbers

Chapter 10. The singular integral Introducing S(n) and J(n)

On the number of pairs of positive integers x,y H such that x 2 +y 2 +1, x 2 +y 2 +2 are square-free

1 Isoparametric Concept

Limiting value of higher Mahler measure

Function Spaces. a x 3. (Letting x = 1 =)) a(0) + b + c (1) = 0. Row reducing the matrix. b 1. e 4 3. e 9. >: (x = 1 =)) a(0) + b + c (1) = 0

Bifurcation Theory. , a stationary point, depends on the value of α. At certain values

CPSC 665 : An Algorithmist s Toolkit Lecture 4 : 21 Jan Linear Programming

Quasi-Classical States of the Simple Harmonic Oscillator

Einstein Equations for Tetrad Fields

2.3 Matrix Formulation

DISTRIBUTION OF DIFFERENCE BETWEEN INVERSES OF CONSECUTIVE INTEGERS MODULO P

Inference Methods for Stochastic Volatility Models

Some remarks on Kurepa s left factorial

Another view for a posteriori error estimates for variational inequalities of the second kind

ON A CONJECTURE OF RYSElt AND MINC

Thus, because if either [G : H] or [H : K] is infinite, then [G : K] is infinite, then [G : K] = [G : H][H : K] for all infinite cases.

Section 6.1. Question: 2. Let H be a subgroup of a group G. Then H operates on G by left multiplication. Describe the orbits for this operation.

Basic Polyhedral theory

Mutually Independent Hamiltonian Cycles of Pancake Networks

The van der Waals interaction 1 D. E. Soper 2 University of Oregon 20 April 2012

Content Skills Assessments Lessons. Identify, classify, and apply properties of negative and positive angles.

The graph of y = x (or y = ) consists of two branches, As x 0, y + ; as x 0, y +. x = 0 is the

Fourier Transforms and the Wave Equation. Key Mathematics: More Fourier transform theory, especially as applied to solving the wave equation.

An Extensive Study of Approximating the Periodic. Solutions of the Prey Predator System

A generalized attack on RSA type cryptosystems

That is, we start with a general matrix: And end with a simpler matrix:

Problem Set 6 Solutions

Square of Hamilton cycle in a random graph

COMPUTER GENERATED HOLOGRAMS Optical Sciences 627 W.J. Dallas (Monday, April 04, 2005, 8:35 AM) PART I: CHAPTER TWO COMB MATH.

4. (5a + b) 7 & x 1 = (3x 1)log 10 4 = log (M1) [4] d = 3 [4] T 2 = 5 + = 16 or or 16.

Math 102. Rumbos Spring Solutions to Assignment #8. Solution: The matrix, A, corresponding to the system in (1) is

Middle East Technical University Department of Mechanical Engineering ME 413 Introduction to Finite Element Analysis

An Application of Hardy-Littlewood Conjecture. JinHua Fei. ChangLing Company of Electronic Technology Baoji Shannxi P.R.China

Exponential inequalities and the law of the iterated logarithm in the unbounded forecasting game

#A27 INTEGERS 12 (2012) SUM-PRODUCTS ESTIMATES WITH SEVERAL SETS AND APPLICATIONS

ABEL TYPE THEOREMS FOR THE WAVELET TRANSFORM THROUGH THE QUASIASYMPTOTIC BOUNDEDNESS

ON RIGHT(LEFT) DUO PO-SEMIGROUPS. S. K. Lee and K. Y. Park

Probability and Stochastic Processes: A Friendly Introduction for Electrical and Computer Engineers Roy D. Yates and David J.

10. The Discrete-Time Fourier Transform (DTFT)

ON A SECOND ORDER RATIONAL DIFFERENCE EQUATION

10. Limits involving infinity

SOME PARAMETERS ON EQUITABLE COLORING OF PRISM AND CIRCULANT GRAPH.

The Equitable Dominating Graph

Rational Approximation for the one-dimensional Bratu Equation

NEW APPLICATIONS OF THE ABEL-LIOUVILLE FORMULA

Homotopy perturbation technique

2008 AP Calculus BC Multiple Choice Exam

Elements of Statistical Thermodynamics

u 3 = u 3 (x 1, x 2, x 3 )

Abstract Interpretation: concrete and abstract semantics

Higher order derivatives

CLASSIFYING EXTENSIONS OF THE FIELD OF FORMAL LAURENT SERIES OVER F p

Difference -Analytical Method of The One-Dimensional Convection-Diffusion Equation

EEO 401 Digital Signal Processing Prof. Mark Fowler

Symmetric Interior Penalty Galerkin Method for Elliptic Problems

International Journal of Scientific & Engineering Research, Volume 6, Issue 7, July ISSN

perm4 A cnt 0 for for if A i 1 A i cnt cnt 1 cnt i j. j k. k l. i k. j l. i l

Procdings of IC-IDC0 ( and (, ( ( and (, and (f ( and (, rspctivly. If two input signals ar compltly qual, phas spctra of two signals ar qual. That is

EXST Regression Techniques Page 1

ν a (p e ) p e fpt(a) = lim

Properties of Phase Space Wavefunctions and Eigenvalue Equation of Momentum Dispersion Operator

Supplementary Materials

Platonic Orthonormal Wavelets 1

A Simple Formula for the Hilbert Metric with Respect to a Sub-Gaussian Cone

First derivative analysis

Exercise 1. Sketch the graph of the following function. (x 2

ECE602 Exam 1 April 5, You must show ALL of your work for full credit.

Engineering Mathematics I. MCQ for Phase-I

Text: WMM, Chapter 5. Sections , ,

Computing and Communications -- Network Coding

LINEAR SYSTEMS OF DIFFERENTIAL EQUATIONS DONE RIGHT KYLE ORMSBY

Random Process Part 1

Brief Introduction to Statistical Mechanics

Week 3: Connected Subgraphs

Symmetric centrosymmetric matrix vector multiplication

Transcription:

INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 8 2008, #A3 ON THE DISTRIBUTION OF THE ELLIPTIC SUBSET SUM GENERATOR OF PSEUDORANDOM NUMBERS Edwin D. El-Mahassni Dpartmnt of Computing, Macquari Univrsity, North Ryd, NSW 209, Australia dwinlm@ics.mq.du.au Rcivd: 7/26/07, Rvisd: 6/23/08, Accptd: 7//08, Publishd: 7/8/08 Abstract W show that for almost all choics of paramtrs, th lliptic subst sum psudorandom numbr gnrator producs a squnc of uniformly distributd psudorandom numbrs. Th rsult is usful for both cryptographic and Quasi Mont Carlo applications and rlis on bounds of xponntial sums.. Introduction Lt p b a prim. Lt E b an lliptic curv ovr IF p, givn by an affin Wirstrass quation of th form y 2 + a x + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 ; s [, 0]. Assum now that p 5, and so th Wirstrass quation simplifis to Y 2 = X 3 + ax + b, a, b IF p whr w also rqust that 4a 3 + 27b 2 0. It is nown s [, 0] that th st EIF p of IF p -rational points of E forms an Ablian group undr an appropriat composition rul which w dnot by and with th point at infinity O as th nutral lmnt. W also rcall th Hass bound #EIF p p 2p /2, whr #EIF p is th numbr of IF p -rational points, including th point at infinity. Howvr, in this papr, w will only concntrat on EIF p, th st of IF p rational points on E. Furthr, for a point P EIF p, with P O, w writ xp and yp for its affin coordinats. Nxt, w procd to dscrib th lliptic subst sum gnrator. Lt un b a linar rcurrnc squnc dfind ovr IF 2. For a prim intgr p, th lliptic subst sum

INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 8 2008, #A3 2 gnrator of psudorandom numbrs, is dfind as follows. Givn an r-dimnsional vctor Z = Z,..., Z r EIF p r of points on can considr th squnc V Z n = r un + i Z i, i= n =,..., N τ p of lmnts of EIF p, whr th squnc un has priod τ. Altrnativly, whn this gnrator is dfind ovr a rsidu ring modulo m, th subst sum gnrator is also nown as th napsac gnrator. It was originally introducd in [9], and studid in [7], s also [6, Sction 6.3.2], and [8, Sction 3.7.9]. Mor rcntly, a bound on th multidimnsional distribution of th subst sum gnrator of psudorandom numbrs has bn givn in [2]. A natural analogu of [2] is to study th distribution of xv Z n. Hr, using som prvious rsults of functions on lliptic curvs, w show for th on-dimnsional cas, that for almost all choics of points Z = Z,..., Z r EIF p r, th vctor xv Z n is uniformly and indpndntly distributd. In fact w us th classical numbr-thortic notion of discrpancy to giv a quantitativ form of this proprty. It can also b rformulatd in trms of th ε-bias of th most significant bits of th lmnts of th gnrating squncs, which is mor common in cryptographic litratur. Our mthod is basd on som simpl bounds on xponntial sums and th famous Erdös- Turán inquality s Lmma 2 blow which rlats th dviation from uniformity of distribution, that is, discrpancy, and th corrsponding xponntial sums. 2. Prliminaris Hr w prsnt svral ncssary tchnical tools. W say that th linar rcurrnc squnc un of lmnts of IF 2 is of ordr r with charactristic polynomial if gt = T r + c r T r +... + c T 0 + c 0 IF 2 [T ] un + r + c r un + r +... + c un + + c 0 un = 0, n =, 2,..., and it dos not satisfy any shortr linar rcurrnc rlation, s [5], Chaptr 8. It is asy to s that th st of all squncs with th sam charactristic polynomial g form a linar spac Lg ovr IF 2. W also nd th following proprty of squncs from Lg with irrducibl g which is ssntially [5], Thorm 8.28. Lmma. If g IF 2 [T ] is irrducibl ovr IF 2 thn all nonzro squncs from Lg ar purly priodic with th sam priod.

INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 8 2008, #A3 3 In this papr, w will assum that th priod is of lngth τ. For a ral z and an intgr q w us th notation z = xp2πiz and q z = xp2πiz/q. W nd th idntity s Exrcis.a in Chaptr 3 of [] M η=0 M ηλ = { 0, if λ 0 mod M, M, if λ 0 mod M. W also ma us of th inquality l M l ηλ = Ol log l, 2 η=0 λ= which holds for any intgrs l and M, M l, s [], Chaptr 3, Exrcis c. For a squnc of N points Γ = γ x N x= in th unit intrval, w dnot its discrpancy by D Γ. That is, D Γ = sup T Γ B N B, B [0, whr T Γ B is th numbr of points of th squnc Γ in th intrval B = [α, β [0, and th suprmum is tan ovr all such intrvals. As w hav mntiond, on of our basic tools to study th uniformity of distribution is th Erdös-Turán inquality, which w prsnt in a slightly war form than that givn by Thorm.2 of [3]. Lmma 2. For any intgr L > and any squnc Γ of N points, th bound D Γ = O L + N aγ N a n 0<a<L on th discrpancy D Γ holds, whr th sum is tan ovr all a IF p with 0 < a < L. 3. Main Rsult W dnot by D Z N th discrpancy of th points xvz n, n =,..., N. p

INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 8 2008, #A3 4 Thorm 3. Lt un b a linar rcurrnc squnc of ordr r p /2 which is purly priodic with priod τ and suppos that its charactristic polynomial is irrducibl ovr IF 2. Thn, for any δ > 0 and N τ, and for all but at most Oδp r vctors of Z E IF p r, th bound D Z N = O δ N /2 log p log 2 τ holds if p N 2, and othrwis. D Z N = O δ p /4 log p log 2 τ Proof. Lt L = p. Thn by Lmma 2, w hav D Z N = O p + N N a p axv Z n. 0<a<p Lt N µ = min2 µ, τ, µ 0 is th st of positiv intgrs. Dfin by th inquality N < N N, that is, = log 2 N. Thn from w driv N p axv Z n = N N λ= η=0 N N p axv Z n N ηn λ. Hnc, whr Z = D Z N = O p + Z NN 0<a<p a N N ηλ λ= N p axv Z n N ηn. N η=0 3 Applying th Cauchy inquality w driv N p axv Z n N ηn Z EIF p r 2 N 2 p /2 + 2r p axv Z n N ηn Z EIF p r N = O p r N ηn l p axv Z n xv Z l. n,l= Z EIF p r

INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 8 2008, #A3 5 Using our uppr bound for r, w thn not that whn n = l. Z EIF p r p axv Z n xv Z l p /2 + 2r = Op r 4 For n l, thn un,..., un + r ul,..., ul + r. To s this, suppos th convrs is tru and quality holds. Thn, sinc uα is of ordr r, w also hav un + r = ul + r, and thus by induction for any 0, w hav un + = ul +. But thn, n l is a priod, which is impossibl by our assumption on n and l. This mans thr is som h with un+h ul +h mod 2, whr 0 h r. Thus, thr is point Z h EIF p which appars in xv Z n but not in xv Z l that is un + h = and ul + h = 0 or vicvrsa. W choos th formr th othr cas can b similarly stimatd. Lt Z h = Z,..., Z h, Z h+,..., Z r EIF p r. Thus, p axv Z n xv Z l Z EIF p r = p axq n Z h + Z h xq l Z h, Z h EIF p r Z h EIF p whr Q n Z h and Q l Z h ar som xprssions which dpnd on Z h, but not on Z h. Now, by Corollary of [4], p axq n Z h + Z h xq l Z h Z h EIF p = Z h EIF p p axq n Z h + Z h = Op/2 5 Thrfor whn n l. Now, sinc and Z EIF p r p axv Z n xv Z l = Op r /2, N n,l=,n=l N n,l=,n l N ηn l = N, N ηn l N 2,

INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 8 2008, #A3 6 w hav by 4 and 5 Z EIF p r N p axv Z n N ηn = O N p r /4 + N /2 p r. Hnc, using 2, w obtain, N N Z = a N ηλ Z EIF p r 0<a<p η=0 λ= N p axv Z n N ηn Z EIF p r N = O p r N /2 + N p /4 N a N ηλ 0<a<p η=0 λ= = O p r N 3/2 + N 2 p /4 a 0<a<p = O p r N 3/2 + N 2 p /4 log τ log p, bcaus = Olog τ. This implis that for any th numbr of vctors Z EIF p r with Z δ N 3/2 + N 2 p /4 log p log 2 τ 6 is at most Oδp r log τ. Thrfor, w hav that th numbr of vctors Z EIF p r satisfying 6 for at last on =,..., log τ is at most Oδp r. For othr Z EIF p r, from 3, w obtain D Z N = O p + Z = O δ N N /2 + N p /4 log p log 2 τ. NN Taing into account th inquality N N /2 2N /2, w obtain th dsird rsult. 4. Rmars W rmar that this tchniqu can not unfortunatly b mployd to stablish a similar rsult for th multidimnsional cas. In this instanc, w can not ma us of Corollary

INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 8 2008, #A3 7 of [4]. As such, it would b intrsting if, indd, a similar rsult could b stablishd for dimnsions gratr than on. Also, w not that although in th proof of th main thorm w could hav rplacd N by N, this would hav rsultd in a war rsult as th statmnt would apply to a fixd N. That is, for vry N, th xcption st of unsuitabl Z, which would satisfy 6, dpnds on N. In particular, our rsult mans that aftr rmoving a small xcptional bad st of vctors, th bound holds uniformly for all N. W do not s how to obtain such a rsult without introducing th numbrs N and thus mor complicatd xponntial sums. Finally, w conclud by saying that instad of mploying powrs of 2 w could hav usd any othr ral numbr gratr than, such as +0 00 or 0 00. Howvr, if w want to fit vrything, thn N should grow a littl slowr than a gomtric progrssion, as it savs woring with doubl logarithms. 5. Acnowldgmnts Th author is vry gratful to Igor Shparlinsi for suggsting this problm and for usful discussion. Rfrncs [] I. Bla, G. Sroussi, N. Smart, Elliptic curvs in cryptography, London Math. Soc., Lctur Not Sris, 265, Cambridg Univ. Prss 999. [2] A. Conflitti, I. E. Shparlinsi, On th multidimnsional distribution of th subst sum gnrator of psudorandom numbrs, Mathmatics of Computation, 73, 005 0 2004. [3] M. Drmota, R. Tichy, Squncs, discrpancis and applications, Springr-Vrlag, Brlin 997. [4] D. R. Kohl, I. E. Shparlinsi, Exponntial sums and group gnrators for lliptic curvs ovr finit filds, Lct. Nots in Comp. Sci., Springr-Vrlag, Brlin, 838, 395 404 2000. [5] R. Lidl, H. Nidrritr, Finit filds, Cambridg Univrsity Prss, Cambridg 997. [6] A. J. Mnzs, P. C. van Oorschot, S. A. Vanston, Handboo of applid cryptography, CRC Prss, Boca Raton, FL 996. [7] R. A. Ruppl, Analysis and dsign of stram ciphrs, Springr-Vrlag, Brlin 986. [8] R. A. Ruppl, Stram ciphrs, Contmporary cryptology: Th scinc of information intgrity, 65-34, IEEE Prss, NY 992. [9] R. A. Ruppl, J. L Massy,Knapsac as nonlinar function, IEEE Intrn. Symp. of Inform. Thory, 46, IEEE Prss, NY 985. [0] J. H. Silvrman, Th arithmtic of lliptic curvs, Springr-Vrlag, Brlin 995. [] I. M. Vinogradov, Elmnts of numbr thory, Dovr Publ., Nw Yor 954.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback