Lattice Structure and Linear Complexity of
Nonlinear Pseudorandom Numbers
Harald Niederreiter¹, Arne Winterhof²
¹ Department of Mathematics, National University of Singapore, 2 Science Drive 2, Singapore 117543, Republic of Singapore (E-mail: nied@math.nus.edu.sg)
² Institute of Discrete Mathematics, Austrian Academy of Sciences, Sonnenfelsgasse 19, 1010 Vienna, Austria (E-mail: arne.winterhof@oeaw.ac.at)
Abstract. It is shown that a q-periodic sequence over the finite field Fq
passes an extended version of Marsaglia’s lattice test for high dimensions
if and only if its linear complexity is large. The consequences of this result
for nonlinear and inversive pseudorandom number generators are worked out.
Keywords: Pseudorandom number generator, Nonlinear method, Inversive
method, Linear complexity, Marsaglia’s lattice test
1 Introduction
Nonlinear methods for pseudorandom number generation provide an attractive alternative to linear methods (see the surveys in [6], [17, Chapter 8], [19],
and [21]). Initially, (explicit) nonlinear pseudorandom numbers were defined
over finite prime fields Fp as p-periodic sequences η0 , η1 , . . . defined by
$$\eta_n = g(n) \quad \text{for } 0 \le n < p,$$
where g is a nonlinear polynomial over Fp . More recently, nonlinear methods
over arbitrary finite fields were introduced (see e. g. [7], [10], and [22]).
There is no formal definition for a good pseudorandom number generator,
but there are certain characteristic features that we have in mind when we
talk about such a generator. In particular, we require a fine lattice structure,
good equidistribution properties, and statistical independence of successive
pseudorandom numbers. The present paper deals with criteria for a fine
lattice structure.
Let q be a prime power and Fq be the finite field of order q. We focus
on pseudorandom number generators η0 , η1 , . . . over Fq , i. e., on q-periodic
sequences over Fq . The following notion makes sense for arbitrary sequences
over Fq . For a given integer s ≥ 1 we say that a sequence η0 , η1 , . . . over Fq
passes the s-dimensional lattice test if the vectors $\boldsymbol{\eta}_n - \boldsymbol{\eta}_0$ for n ≥ 0 span $F_q^s$,
where
$$\boldsymbol{\eta}_n = (\eta_n, \eta_{n+1}, \ldots, \eta_{n+s-1}) \quad \text{for } n \ge 0.$$
Recently, a slightly different lattice test has been introduced by the authors
in [23]. For congruential generators modulo a prime p, both lattice tests
coincide and this test was proposed by Marsaglia [12].
In the present paper we first investigate the relationship between the
lattice test and the linear complexity L(ηn ) of a sequence η0 , η1 , . . . over Fq ,
where L(ηn ) is, by definition, the least nonnegative integer L such that there
are constants γ0 , . . . , γL−1 ∈ Fq satisfying
$$\eta_{n+L} + \gamma_{L-1}\eta_{n+L-1} + \cdots + \gamma_0 \eta_n = 0 \quad \text{for all } n \ge L.$$
The linear complexity is defined for any ultimately periodic sequence over
Fq . We prove the following theorem in Section 2.
Theorem 1 The q-periodic sequence η0 , η1 , . . . ∈ Fq passes the s-dimensional
lattice test if and only if
$$s < L(\eta_n).$$
If we fix an ordering Fq = {ξ0 , . . . , ξq−1 } of the elements of Fq , then
a q-periodic sequence η0 , η1 , . . . of elements of Fq can be represented by a
uniquely determined polynomial g ∈ Fq [X] with deg(g) < q, that is,
$$\eta_n = g(\xi_n) \quad \text{for } 0 \le n < q.$$
For a special class of orderings of Fq , which can be considered as an extension
of the natural ordering {0, 1, . . . , p − 1} of a prime field Fp , we present a
necessary and a sufficient condition on the degree of g for passing the s-dimensional lattice test in Section 3 and apply this result to some interesting
nonlinear generators.
In Section 4 we apply Theorem 1 to recursively defined nonlinear pseudorandom number generators, that is,
$$\eta_{n+1} = f(\eta_n) \quad \text{for } n \ge 0$$
with f ∈ Fq [X] and some initial value η0 . In particular, we consider inversive
generators.
For finite prime fields the result of Theorem 1 is well known, but the
proof cannot be extended to arbitrary finite fields. Eichenauer, Grothe, and
Lehn [5] proved that a nonlinear generator η0 , η1 , . . . over Fp passes the s-dimensional lattice test if and only if s ≤ deg(g) (see also [17, Theorem
8.2] for a short proof) and Blackburn, Etzion, and Paterson [1, Theorem 8]
proved L(ηn ) = deg(g) + 1. Combining these results yields Theorem 1 for
the case q = p.
2 Lattice Test and Linear Complexity
In this section we prove Theorem 1.
Put $\boldsymbol{\eta}_n = (\eta_n, \eta_{n+1}, \ldots, \eta_{n+s-1})$ for n ≥ 0 and let V be the subspace of
$F_q^s$ spanned by all $\boldsymbol{\eta}_n - \boldsymbol{\eta}_0$ for n ≥ 0.
First we assume that the sequence η0 , η1 , . . . does not pass the s-dimensional
lattice test. Then dim(V) < s and dim(V⊥) ≥ 1. Take 0 ≠ α ∈ V⊥, then
$$\boldsymbol{\alpha} \cdot (\boldsymbol{\eta}_n - \boldsymbol{\eta}_0) = 0 \quad \text{for all } n \ge 0$$
and thus
$$\boldsymbol{\alpha} \cdot \boldsymbol{\eta}_n = \boldsymbol{\alpha} \cdot \boldsymbol{\eta}_0 =: b \quad \text{for all } n \ge 0,$$
where · denotes the usual inner product. If α = (α0 , α1 , . . . , αs−1 ), then let j
be the largest index with αj ≠ 0 (so 0 ≤ j < s). Then
$$\alpha_0 \eta_n + \alpha_1 \eta_{n+1} + \cdots + \alpha_j \eta_{n+j} = b \quad \text{for all } n \ge 0 \tag{1}$$
and
$$\alpha_0 \eta_{n+1} + \alpha_1 \eta_{n+2} + \cdots + \alpha_j \eta_{n+j+1} = b \quad \text{for all } n \ge 0. \tag{2}$$
Subtracting (1) from (2) yields
$$-\alpha_0 \eta_n + (\alpha_0 - \alpha_1)\eta_{n+1} + \cdots + \alpha_j \eta_{n+j+1} = 0 \quad \text{for all } n \ge 0.$$
Thus, the sequence η0 , η1 , . . . satisfies a linear recurrence relation of order
j + 1, hence
$$L(\eta_n) \le j + 1 \le s.$$
It is obvious that if a sequence fails the lattice test in a certain dimension, then it also fails the lattice test in all higher dimensions. Thus, to
complete the proof, it suffices to show that the sequence η0 , η1 , . . . fails the
s-dimensional lattice test for s = L := L(ηn ), provided that L ≥ 1. We
can indeed assume that L ≥ 1 since the theorem is trivial when L = 0, i. e.,
when we have the zero sequence. In the following, we use some concepts and
facts from the theory of linear recurring sequences over finite fields (see [11,
Chapter 6]). Since the sequence η0 , η1 , . . . has period q, it is a linear recurring
sequence with characteristic polynomial X q − 1 = (X − 1)q ∈ Fq [X]. Consequently, its minimal polynomial is (X − 1)L . (See also [4, Lemma 8.2.1].)
Since (X − 1)L is also a characteristic polynomial of the sequence η0 , η1 , . . .,
we get
$$\Delta^L \eta_n = 0 \quad \text{for all } n \ge 0,$$
where Δ^k denotes the kth iterate of the difference operator Δσn = σn+1 − σn
defined on any sequence σ0 , σ1 , . . . over Fq . It follows that
$$\Delta\left(\Delta^{L-1} \eta_n\right) = 0 \quad \text{for all } n \ge 0.$$
A sequence is annihilated by Δ if and only if it is a constant sequence, and
so
$$\Delta^{L-1} \eta_n = \Delta^{L-1} \eta_0 \quad \text{for all } n \ge 0.$$
Thus, with certain coefficients γ0 , . . . , γL−2 ∈ Fq and γL−1 = 1 ∈ Fq we have
$$\sum_{i=0}^{L-1} \gamma_i (\eta_{n+i} - \eta_i) = 0 \quad \text{for all } n \ge 0.$$
This means that the nonzero vector γ = (γ0 , . . . , γL−1 ) ∈ $F_q^L$ belongs to V⊥,
hence dim(V⊥) ≥ 1 and dim(V) < L. Thus, the sequence η0 , η1 , . . . fails the
L-dimensional lattice test.
□
Remarks.
1. In the first part of the above proof the condition that η0 , η1 , . . . be
q-periodic was not used. Thus, for any sequence η0 , η1 , . . . ∈ Fq the
property dim(V ) < s always implies L(ηn ) ≤ s. On the other hand, it
is easily seen that L(ηn ) < s always implies dim(V ) < s.
2. If the sequence η0 , η1 , . . . ∈ Fq has least period q, then
$$L(\eta_n) \ge \frac{q}{p} + 1 \tag{3}$$
by [1, Proposition 2], and so the sequence passes the s-dimensional
lattice test for all s ≤ q/p.
3 Explicitly Defined Generators
In this section we present the following result on passing or failing the s-dimensional lattice test.
Corollary 1 Let p be a prime, q = p^r, {β1 , β2 , . . . , βr } a basis of Fq over
Fp , and g ∈ Fq [X]. For integers 0 ≤ n1 , n2 , . . . , nr < p and n = n1 + n2 p +
· · · + nr p^{r−1} put
$$\xi_n = n_1 \beta_1 + \cdots + n_r \beta_r.$$
Then the q-periodic sequence η0 , η1 , . . . , defined by
$$\eta_n = g(\xi_n) \quad \text{for } 0 \le n < q$$
passes the s-dimensional lattice test for all
$$s < \frac{q}{p}\,(\deg(g) + 1 + p - q)$$
and fails the s-dimensional lattice test for all
$$s \ge \frac{p}{q}\,(\deg(g) + 1) + q - p.$$
Proof. By [15, Theorem 1] we have
$$\frac{q}{p}\,(\deg(g) + 1 + p - q) \le L(\eta_n) \le \frac{p}{q}\,(\deg(g) + 1) + q - p$$
and the result follows easily from Theorem 1.
□
Remarks.
1. Let $\overline{\eta} = \eta^{-1}$ if η ∈ $F_q^*$ and $\overline{0} = 0$. For given α ∈ $F_q^*$ and β ∈ Fq with
q ≥ 3, the explicit inversive generator is defined by
$$\eta_n = \overline{\alpha \xi_n + \beta} = \alpha^{-1}\left(\xi_n + \alpha^{-1}\beta\right)^{q-2} \quad \text{for } n = 0, 1, \ldots.$$
Recently, it has been demonstrated in [22] that pseudorandom numbers
derived from the explicit inversive generator have desirable statistical
independence properties. These pseudorandom numbers show a good
behavior under the lattice test as well. The sequence η0 , η1 , . . . passes
the s-dimensional lattice test for all s < q − q/p by Corollary 1.
2. Let γ be a primitive element of Fq . Then the following function is
closely related to the Diffie-Hellman problem (see e. g. [24, Chapter 8]),
$$g(\gamma^l) = \gamma^{l^2} \quad \text{for } 0 \le l \le q - 2.$$
The unique polynomial of degree ≤ q − 2 representing g is also denoted
by g. By [14, Theorem 2] we have the following lower bound on the
linear complexity of the corresponding sequence η0 , η1 , . . . defined by
ηn = g(ξn ):
$$L(\eta_n) \ge \begin{cases} q - 2q/p & \text{if } q \equiv 1 \bmod 4, \\ q - q/p & \text{otherwise.} \end{cases}$$
Hence, the sequence η0 , η1 , . . . passes the s-dimensional lattice test for
$$s < \begin{cases} q - 2q/p & \text{if } q \equiv 1 \bmod 4, \\ q - q/p & \text{otherwise,} \end{cases}$$
by Theorem 1.
3. The sequence defined by the function g(γ^l) = ξl is closely related to
the discrete logarithm (see e. g. [16]). We have
$$L(\eta_n) \ge q - \frac{q}{p}$$
by [13, Theorem 5], and thus the sequence η0 , η1 , . . . passes the s-dimensional lattice test for all s < q − q/p by Theorem 1.
4 Recursively Defined Generators
In this section we study the lattice structure of pseudorandom number generators defined by a recurrence relation over Fq of the form
$$\eta_{n+1} = f(\eta_n) \quad \text{for } n \ge 0 \tag{4}$$
with some initial value η0 and f ∈ Fq [X] a nonlinear polynomial. It is obvious
that this sequence is ultimately periodic with least period t ≤ q. Throughout
this section we assume that this sequence is purely periodic with the largest
possible value of t, i. e., t = q. In this case it has linear complexity at least
q/p + 1 and passes the s-dimensional lattice test for all s ≤ q/p by (3).
For prime fields Fp the sequence passes the s-dimensional lattice test for all
s ≤ ⌈p/deg(f)⌉ if deg(f) ≥ 2 (see [20, Theorem 5]).
For some special polynomials we can improve (3) considerably. For given
α ∈ $F_q^*$ and β ∈ Fq with q ≥ 3, let ψ be the permutation of Fq defined by
$$\psi(\xi) = \alpha \xi^{q-2} + \beta = \begin{cases} \alpha \xi^{-1} + \beta & \text{if } \xi \ne 0, \\ \beta & \text{if } \xi = 0. \end{cases} \tag{5}$$
Let η0 , η1 , . . . be the sequence of elements of Fq obtained by the recurrence
relation
$$\eta_{n+1} = \psi(\eta_n) \quad \text{for } n \ge 0, \tag{6}$$
where η0 is the initial value. Obviously, this sequence is purely periodic with
least period t ≤ q. It is known when such a sequence achieves the largest
value of t, i. e., t = q (see [2], [18]).
Theorem 2 A sequence η0 , η1 , . . . ∈ Fq defined by (5) and (6) with least
period t = q has linear complexity at least ⌈q/2⌉ and passes the s-dimensional
lattice test for all
$$s \le \frac{q-1}{2}.$$
Proof. Let L be the linear complexity of the sequence η0 , η1 , . . .. Then with
γL = 1 we have
$$\sum_{i=0}^{L} \gamma_i \eta_{n+i} = 0 \quad \text{for all } n \ge 0.$$
Since η0 , η1 , . . . is periodic, we have γ0 ≠ 0. (Otherwise the sequence would
satisfy a recurrence relation of order smaller than L.)
Let us consider the following sequence of rational functions over Fq :
$$H_0(X) = X \quad \text{and} \quad H_i(X) = H_{i-1}\left(\alpha X^{-1} + \beta\right) \quad \text{for } i \ge 1.$$
It is obvious that this sequence is purely periodic. Denote by T the least
period. Obviously, T ≥ t = q. For j ≥ 0 let Ej denote the set of poles of the
rational functions H0 , . . . , Hj . Thus |Ej| ≤ j. By induction we have
$$\psi^j(\xi) = H_j(\xi) \quad \text{for all } \xi \in F_q \setminus E_j.$$
By an obvious extension of [9, Lemma 1] to arbitrary finite fields, we have
either L ≥ q or $H(X) := \sum_{j=0}^{L} \gamma_j H_j(X)$ does not vanish identically. In
the latter case we see that Hi (X) = fi (X)/gi (X) are nonconstant rational functions, where fi , gi ∈ Fq [X] with max(deg(fi ), deg(gi )) = 1. Hence,
H(X) = F (X)/G(X) with F, G ∈ Fq [X] and deg(F ) ≤ L. On the other
hand, we have F (ξ) = H(ξ) = 0 for all ξ ∈ Fq \ EL and thus deg(F ) ≥ q − L.
Hence in all cases we have L ≥ q/2 and the second assertion follows by Theorem 1.
□
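As an added illustration of the construction used in the proof above (this is not code from the paper): each H_j is a Möbius transformation of X, and composing with αX^{-1} + β = (βX + α)/X multiplies its 2×2 matrix on the right by M = [[β, α], [1, 0]], so H_j corresponds to M^j. The script below, for the constructed parameters p = 7, α = β = 1 (chosen so that (5), (6) with η_0 = 0 has least period t = 7), builds the pole sets E_j, checks ψ^j(ξ) = H_j(ξ) for all ξ outside E_j together with |E_j| ≤ j, and computes the least period T of the H_j, which the proof notes is at least t. Only prime fields are handled; the matrix representation and all parameter values are the example's own choices.

```python
# Added example (not from the paper): the rational functions H_j of the proof of
# Theorem 2 over a prime field F_p, with constructed parameters p = 7, alpha = beta = 1.

def psi(xi, alpha, beta, p):
    """The inversive map (5): alpha * xi^(p-2) + beta, i.e. alpha/xi + beta for xi != 0."""
    return (alpha * pow(xi, p - 2, p) + beta) % p

def mobius_matrices(alpha, beta, p, count):
    """H_0(X) = X and H_i(X) = H_{i-1}(alpha X^{-1} + beta).  Each H_i is a Moebius
    map (aX+b)/(cX+d); composing with (beta X + alpha)/X multiplies the matrix on
    the right by M = [[beta, alpha], [1, 0]], so H_i has matrix M^i."""
    M = ((beta % p, alpha % p), (1, 0))
    mats = [((1, 0), (0, 1))]              # H_0 = X
    for _ in range(count):
        (a, b), (c, d) = mats[-1]
        (e, f), (g, h) = M
        mats.append((((a * e + b * g) % p, (a * f + b * h) % p),
                     ((c * e + d * g) % p, (c * f + d * h) % p)))
    return mats

def pole(mat, p):
    """Pole of (aX+b)/(cX+d) in F_p, or None when the denominator is a constant."""
    (_, _), (c, d) = mat
    return None if c % p == 0 else (-d * pow(c, -1, p)) % p

def pole_sets(mats, p):
    """E_j = set of poles of H_0, ..., H_j, as defined in the proof of Theorem 2."""
    E, out = set(), []
    for m in mats:
        z = pole(m, p)
        if z is not None:
            E.add(z)
        out.append(frozenset(E))
    return out

def evaluate(mat, xi, p):
    """H(xi) for an xi that is not a pole of H."""
    (a, b), (c, d) = mat
    return (a * xi + b) * pow((c * xi + d) % p, -1, p) % p

def check_iterates(alpha, beta, p, count):
    """True iff, for 0 <= j <= count, |E_j| <= j and psi^j(xi) = H_j(xi)
    for every xi in F_p outside E_j (the induction claim of the proof)."""
    mats = mobius_matrices(alpha, beta, p, count)
    Es = pole_sets(mats, p)
    for j, mat in enumerate(mats):
        if len(Es[j]) > j:
            return False
        for xi in range(p):
            if xi in Es[j]:
                continue
            x = xi
            for _ in range(j):             # psi^j(xi) by iterating the recurrence
                x = psi(x, alpha, beta, p)
            if x != evaluate(mat, xi, p):
                return False
    return True

def sequence_period(eta0, alpha, beta, p):
    """Least period t of eta_{n+1} = psi(eta_n); psi permutes F_p, so the
    sequence is purely periodic and the orbit of eta0 closes up."""
    x, t = psi(eta0, alpha, beta, p), 1
    while x != eta0:
        x, t = psi(x, alpha, beta, p), t + 1
    return t

def period_of_H(alpha, beta, p, bound):
    """Least T >= 1 with H_T = H_0 as rational functions, i.e. M^T is a nonzero
    scalar matrix; None if no such T <= bound exists."""
    mats = mobius_matrices(alpha, beta, p, bound)
    for T in range(1, bound + 1):
        (a, b), (c, d) = mats[T]
        if b == 0 and c == 0 and a == d and a != 0:
            return T
    return None

if __name__ == "__main__":
    P, A, B = 7, 1, 1                      # constructed parameters
    print("t =", sequence_period(0, A, B, P), " T =", period_of_H(A, B, P, 50),
          " psi^j = H_j off E_j:", check_iterates(A, B, P, P))
```

For these parameters M is the Fibonacci matrix, so the H_j repeat with the period of M in PGL(2, F_7), which is 8 > t = 7; E_2 = {0, 6} shows why the pole set must be the union over H_0, ..., H_j rather than the poles of H_j alone, since H_2(0) is defined but differs from ψ²(0).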
Remark. In the case of prime fields Fp with p ≥ 5 the sequence defined
by (5) and (6) passes the s-dimensional lattice test for all
$$s \le \begin{cases} (p+3)/2 & \text{if } p \equiv 3 \bmod 4 \text{ by [8]}, \\ (p+1)/2 & \text{otherwise by [17, Theorem 8.5].} \end{cases}$$
In some special cases, e.g. when p is a Mersenne prime and the parameters
α and β are chosen suitably, it can be shown that the sequence passes the
s-dimensional lattice test for all s ≤ p − 2 (see [3]).
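The following script is an added example, not part of the paper, that makes Theorem 1 (Section 2), the q = p case of Corollary 1 (Section 3) and Theorem 2 with the Remark above checkable for a prime field: it computes the linear complexity with the Berlekamp-Massey algorithm over F_p and runs the s-dimensional lattice test as a rank computation, on three constructed generators over F_7: the explicit generator η_n = g(n) with g(X) = X^3 + 2X + 1, the explicit inversive generator with g(X) = X^{p-2} (i.e. η_n = n^{-1}), and the inversive recurrence (5), (6) with α = β = 1, η_0 = 0, which has least period 7. All parameter choices are the example's own.

```python
# Added example (not from the paper): Berlekamp-Massey linear complexity and the
# s-dimensional lattice test over a prime field F_p, checked on constructed
# generators over F_7 against Theorem 1, Corollary 1 (q = p) and Theorem 2.

def linear_complexity(seq, p):
    """Berlekamp-Massey over F_p: least L such that seq satisfies a linear
    recurrence of order L.  Pass at least 2L terms (two periods suffice)."""
    n = len(seq)
    c = [1] + [0] * n              # connection polynomial C(x) = 1 + c_1 x + ...
    b = [1] + [0] * n              # C(x) from the last length change
    L, m, bd = 0, 1, 1             # m: shift since that change, bd: its discrepancy
    for i in range(n):
        d = seq[i] % p
        for j in range(1, L + 1):
            d = (d + c[j] * seq[i - j]) % p
        if d == 0:
            m += 1
            continue
        coef = d * pow(bd, -1, p) % p
        t = c[:]
        for j in range(n + 1 - m):     # C(x) <- C(x) - (d/bd) x^m B(x)
            c[j + m] = (c[j + m] - coef * b[j]) % p
        if 2 * L <= i:                 # length change: L <- i + 1 - L
            L, b, bd, m = i + 1 - L, t, d, 1
        else:
            m += 1
    return L

def rank_mod_p(rows, p):
    """Rank of a list of vectors over F_p by Gaussian elimination."""
    rows = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, p)
        rows[rank] = [x * inv % p for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def passes_lattice_test(period, p, s):
    """The paper's s-dimensional lattice test: do the vectors
    (eta_n, ..., eta_{n+s-1}) - (eta_0, ..., eta_{s-1}), n >= 0, span F_p^s?
    For a periodic sequence, n = 1, ..., N-1 already gives every nonzero vector."""
    N = len(period)
    vec = lambda n: [period[(n + i) % N] for i in range(s)]
    diffs = [[x - y for x, y in zip(vec(n), vec(0))] for n in range(1, N)]
    return rank_mod_p(diffs, p) == s

def explicit_generator(coeffs, p):
    """eta_n = g(n) for 0 <= n < p, with g(X) = coeffs[0] + coeffs[1] X + ... (Section 1)."""
    return [sum(a * pow(n, k, p) for k, a in enumerate(coeffs)) % p for n in range(p)]

def inversive_generator(alpha, beta, eta0, p):
    """First p terms of eta_{n+1} = alpha * eta_n^(p-2) + beta, the recurrence (5), (6);
    this is one full period exactly when the least period is t = p."""
    seq, x = [], eta0
    for _ in range(p):
        seq.append(x)
        x = (alpha * pow(x, p - 2, p) + beta) % p
    return seq

def theorem1_check(period, p):
    """Return (L, ok): L = linear complexity of the periodic sequence, ok = True
    iff the lattice test passes exactly for the dimensions s < L (Theorem 1)."""
    L = linear_complexity(period * 2, p)
    ok = all(passes_lattice_test(period, p, s) == (s < L) for s in range(1, p + 2))
    return L, ok

if __name__ == "__main__":
    P = 7                                            # constructed prime field
    cubic = explicit_generator([1, 2, 0, 1], P)      # g(X) = X^3 + 2X + 1
    inverse = explicit_generator([0] * 5 + [1], P)   # g(X) = X^(p-2): explicit inversive generator
    icg = inversive_generator(1, 1, 0, P)            # alpha = beta = 1, eta_0 = 0: least period 7
    for name, seq in (("cubic", cubic), ("explicit inversive", inverse), ("inversive (5),(6)", icg)):
        print(name, seq, "(L, Theorem 1 holds) =", theorem1_check(seq, P))
```

For the cubic the script returns L = 4 = deg(g) + 1, the prime-field bound of Blackburn, Etzion and Paterson quoted in the Introduction, so the lattice test passes for s ≤ 3 and fails from s = 4 on; the explicit inversive generator (degree p − 2 = 5) has L = 6, matching the bound s < q − q/p = 6 of Corollary 1; and the recursive inversive sequence 0, 1, 2, 5, 4, 3, 6 has L = 6, above the ⌈q/2⌉ = 4 of Theorem 2 and exactly at the (p + 3)/2 = 5 dimension bound of the Remark for p = 7 ≡ 3 mod 4.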
Acknowledgment
This paper was written during a visit of the second author to the National
University of Singapore. He wishes to thank the Institute for Mathematical
Sciences for hospitality and financial support.
References
[1] Blackburn, S. R., Etzion, T., Paterson, K. G.: Permutation polynomials,
de Bruijn sequences, and linear complexity. J. Comb. Th. A 76 (1), 55–
82 (1996)
[2] Chou, W.-S.: The period lengths of inversive pseudorandom vector generations. Finite Fields Appl. 1 (1), 126–132 (1995)
[3] Chou, W.-S., Niederreiter, H.: On the lattice test for inversive congruential pseudorandom numbers. In: Niederreiter, H., Shiue, P.J.-S. (eds.):
Monte Carlo and Quasi-Monte Carlo Methods in Scientific Computing.
Lecture Notes in Statistics 106, pp 186–197. New York: Springer 1995
[4] Cusick, T. W., Ding, C., Renvall, A.: Stream Ciphers and Number Theory. Amsterdam: Elsevier 1998
[5] Eichenauer, J., Grothe, H., Lehn, J.: Marsaglia’s lattice test and nonlinear congruential pseudo random number generators. Metrika 35 (3/4),
241–250 (1988)
[6] Eichenauer-Herrmann, J., Herrmann, E., Wegenkittl, S.: A survey
of quadratic and inversive congruential pseudorandom numbers. In:
Niederreiter, H., et al. (eds.): Monte Carlo and Quasi-Monte Carlo
Methods 1996. Lecture Notes in Statistics 127, pp 66–97. New York:
Springer 1998
[7] Eichenauer-Herrmann, J., Niederreiter, H.: Digital inversive pseudorandom numbers. ACM Trans. Modeling and Computer Simulation 4 (4),
339–349 (1994)
[8] Flahive, M., Niederreiter, H.: On inversive congruential generators for
pseudorandom numbers. In: Finite Fields, Coding Theory, and Advances in Communications and Computing (Las Vegas, NV, 1991), Lecture Notes in Pure and Appl. Math. 141, pp 75–80. New York: Dekker
1993
[9] Gutierrez, J., Niederreiter, H., Shparlinski, I. E.: On the multidimensional distribution of inversive congruential pseudorandom numbers in
parts of the period. Monatsh. Math. 129 (1), 31–36 (2000)
[10] Levin, M. B.: Explicit digital inversive pseudorandom numbers. Math.
Slovaca 50 (5), 581–598 (2000)
[11] Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications, rev. ed. Cambridge: Cambridge University Press 1994
[12] Marsaglia, G.: The structure of linear congruential sequences. In:
Zaremba, S.K. (ed.): Applications of Number Theory to Numerical
Analysis, pp 249–285. New York: Academic Press 1972
[13] Meidl, W., Winterhof, A.: Lower bounds on the linear complexity of the
discrete logarithm in finite fields. IEEE Trans. Inform. Th. 47, 2807–
2811 (2001)
[14] Meidl, W., Winterhof, A.: A polynomial representation of the Diffie-Hellman mapping. Appl. Alg. Engrg. Comm. Comp., to appear
[15] Meidl, W., Winterhof, A.: Linear complexity and polynomial degree
of a function over a finite field. In: Proc. 6th Conf. Finite Fields and
Applications, to appear
[16] Mullen, G. L., White, D.: A polynomial representation for logarithms in
GF (q). Acta Arith. 47 (3), 255–261 (1986)
[17] Niederreiter, H.: Random Number Generation and Quasi-Monte Carlo
Methods. Philadelphia: SIAM 1992
[18] Niederreiter, H.: Pseudorandom vector generation by the inversive
method. ACM Trans. Modeling and Computer Simulation 4 (2), 191–
212 (1994)
[19] Niederreiter, H.: New developments in uniform pseudorandom number
and vector generation. In: Niederreiter, H., Shiue, P.J.-S. (eds.): Monte
Carlo and Quasi-Monte Carlo Methods in Scientific Computing. Lecture
Notes in Statistics 106, pp 87–120. New York: Springer 1995
[20] Niederreiter, H., Shparlinski, I. E.: On the distribution and lattice structure of nonlinear congruential pseudorandom numbers. Finite Fields
Appl. 5 (3), 246–253 (1999)
[21] Niederreiter, H., Shparlinski, I. E.: Recent advances in the theory of
nonlinear pseudorandom number generators. In: Fang, K.-T., Hickernell, F.J., Niederreiter, H. (eds.): Monte Carlo and Quasi-Monte Carlo
Methods 2000, pp 86–102. Berlin: Springer 2002
[22] Niederreiter, H., Winterhof, A.: Incomplete exponential sums over finite
fields and their applications to new inversive pseudorandom number
generators. Acta Arith. 93 (4), 387–399 (2000)
[23] Niederreiter, H., Winterhof, A.: On the lattice structure of pseudorandom numbers generated over arbitrary finite fields. Appl. Alg. Engrg.
Comm. Comp. 12 (3), 265–272 (2001)
[24] Shparlinski, I. E.: Number Theoretic Methods in Cryptography. Basel:
Birkhäuser 1999