A Survey on Recursive Nonlinear Pseudorandom Number · PDF fileA Survey on Recursive Nonlinear...

35
A Survey on Recursive Nonlinear Pseudorandom Number Generators Arne Winterhof Austrian Academy of Sciences Johann Radon Institute for Computational and Applied Mathematics Linz MFO, 2013 A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 0 / 34

Transcript of A Survey on Recursive Nonlinear Pseudorandom Number · PDF fileA Survey on Recursive Nonlinear...

A Survey on Recursive Nonlinear

Pseudorandom Number Generators

Arne Winterhof

Austrian Academy of SciencesJohann Radon Institute for Computational and Applied Mathematics

Linz

MFO, 2013

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 0 / 34

Pseudorandom Numbers

Numbers which are generated by a deterministic algorithm and ’lookrandom’ are called pseudorandom.

Desirable ’randomness properties’ depend on the application!

cryptography:unpredictability → high linear complexity

numerical integration ((quasi-)Monte Carlo):uniform distribution → low discrepancy

wireless communication (radar, CDMA):distinction from delayed/reflected signal → small autocorrelation

gambling: a good lawyer

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 1 / 34

Pseudorandom Number Generators

A pseudorandom number generator is a sequence (sn) over a finitefield Fq (or residue class ring Zm).

We derive pseudorandom numbers in Z or in [0, 1) in the followingway:q = p a prime: Identify Fp with {0, 1, . . . , p − 1}.

xn = sn/p ∈ [0, 1)

q = pr , {β1, . . . , βr} basis of Fq over Fp

sn = sn,1β1 + sn,2β2 + . . . + sn,rβr −→ sn,1 + sn,2p + . . . + sn,rpr−1

xn = sn,rp−1 + . . . + sn,1p

−r ∈ [0, 1)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 2 / 34

Part I: Predictability and Linear Complexity

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 3 / 34

Linear ComplexityThe linear complexity L(sn) of a periodic sequence (sn) over Fq is thesmallest positive integer L such that there are constantsc0, . . . , cL−1 ∈ Fq with

sn+L = cL−1sn+L−1 + . . . + c0sn, n ≥ 0.

For a positive integer N the Nth linear complexity L(sn,N) of asequence (sn) over Fq is the smallest positive integer L such thatthere are constants c0, . . . , cL−1 ∈ Fq satisfying

sn+L = cL−1sn+L−1 + . . . + c0sn, 0 ≤ n ≤ N − L− 1.

A low Nth linear complexity has turned out to be undesirable forcryptographical applications.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 4 / 34

Linear Pseudorandom Number Generators

Fq finite field of q elements, a, b, x0 ∈ Fq, a 6= 0

xn+1 = axn + b, n ≥ 0

– predictable (L(xn) ≤ 2)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 5 / 34

(Recursive) Nonlinear Pseudorandom Number

Generators

f ∈ Fq[X ], 2 ≤ deg(f ) ≤ q − 1, x0 ∈ Fq

xn+1 = f (xn), n ≥ 0

(purely) periodic with period t ≤ q

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 6 / 34

Lower Bound on the Linear Complexity Profile

Gutierrez/Shparlinski/W., 2003:The linear complexity profile of a nonlinear sequence (xn) defined by

xn+1 = f (xn), n = 0, 1, . . . ,

with a polynomial f ∈ Fq[X ] of degree d ≥ 2, purely periodic withperiod t, satisfies

L(xn,N) ≥ min {dlogd(N − blogd Nc)e, dlogd te} .

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 7 / 34

Proof.F0(X ) := X , Fi(X ) := Fi−1(f (X )), i ≥ 1deg(Fi) = d i , xn+j = Fj(xn)xn+L = aL−1xn+L−1 + . . . + a0xn,0 ≤ n ≤ N − L− 1

F (X ) := −FL(X ) + aL−1FL−1(X ) + . . . + a0F0(X )

has degree dL and at least min {N − L, t} zeros, namely, xn with0 ≤ n ≤ min{N − L− 1, t − 1}.

dL ≥ min {N − L, t}

2

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 8 / 34

Inversive Generators

a, b, y0 ∈ Fq, a 6= 0

yn+1 = ayq−2n + b =

{ay−1

n + b, yn 6= 0,b, yn = 0.

Gutierrez/Shparlinski/W., 2003:

L(yn,N) ≥ min

{⌈N − 1

3

⌉,

⌈t − 1

2

⌉}

Reason for better result:f (X ) = bX+a

X, Fj(X ) =

ajX+bjcjX+d

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 9 / 34

Power Generator

f (X ) = X e , e ≥ 2

pn+1 = pen, n ≥ 0

power generatorGriffin/Shparlinski, 2000: (q = p prime)

L(pn,N) ≥ min

{N2

4(p − 1),

t2

p − 1

}, N ≥ 1.

Reason for better result: Fk(X ) ≡ X ek mod p−1

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 10 / 34

Dickson Generator

The Dickson polynomial De(X ) ∈ Fq[X ] is defined by the followingrecurrence relation

De(X ) = XDe−1(X )− De−2(X ), e = 2, 3, . . . ,

with initial values

D0(X ) = 2, D1(X ) = X .

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 11 / 34

x = µ + µ−1 ∈ Fq

De(µ + µ−1) = µe + µ−e , µ ∈ Fq2

un+1 = De(un), n ≥ 0,

with some initial value u0 and e ≥ 2.Dickson generator

Aly/W., 2006:

L(un,N) ≥ min{N2, 4t2}16(p + 1)

− (p + 1)1/2

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 12 / 34

Redei generator

r(X ) = X 2 − αX − β ∈ Fp[X ]

irreducible quadratic polynomial with two different roots ξ andζ = ξp in Fp2

(X + ξ)e = ge(X ) + he(X )ξ

e is the degree of the polynomial ge(X ), and he(X ) has degree atmost e − 1. The Redei function fe(X ) of degree e is then given by

fe(X ) =ge(X )

he(X ).

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 13 / 34

µ = (x + ξ)/(x + ζ) ∈ Fq2 :

Re

(ξ − ζµµ− 1

)=ξ − ζµe

µe − 1

un+1 = fe(un), n ≥ 0,

with a Redei permutation fe(X ) and some initial element u0 ∈ Fp.

Meidl/W., 2007:

L(un,N) ≥ min{N2, 4t2}20(p + 1)3/2

, N ≥ 2.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 14 / 34

p-Weight Degree

n nonnegative integerp-weight of n:

σp

(l∑

i=0

nipi

)=

l∑i=0

ni , 0 ≤ ni < p.

0 ≤ e1 < e2 < · · · < el integers, q = pr , f (X ) =∑l

i=1 γiXei ∈ Fq[X ]

nonzero polynomial over Fq with γi 6= 0, i = 1, . . . , lp-weight degree of f :

wp(f ) = max{σp(ei) : 1 ≤ i ≤ l}.

wp(f ) ≤ deg(f )

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 15 / 34

If g(X ) ∈ Fq[X ] and {β1, . . . , βr} is a fixed ordered Fp-basis of Fq,we define

G (X1, . . . ,Xr ) = Tr(g(X1β1 + . . . + Xrβr )),

where Tr(X ) = X + X p + . . . + X pr−1is the absolute trace function

of Fq. Then the transformed polynomial GR(X1, . . . ,Xr ) of g(X ) isthe unique polynomial with all local degrees smaller than p such that

GR(X1, . . . ,Xr ) ≡ G (X1, . . . ,Xr ) mod (X p1 − X1, . . . ,X

pr − Xr ).

The interest of this construction relies on the fact that, under certainassumptions, the total degree of GR(X1, . . . ,Xr ) coincides with thep-weight degree of g(X ).

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 16 / 34

f (X ) = αX d + f (X ) ∈ Fq[X ] with α 6= 0, wp(f ) < σp(d). (1)

If the sequence (xn) given by xn+1 = f (xn), n ≥ 0, with a polynomialf (X ) ∈ Fq[X ] of the form (1) satisfying

gcd

(d ,

q − 1

p − 1

)≤ σp(d)r/2,

with p-weight degree w = σp(d) > 1, is purely periodic with periodt, then for N ≥ 1,

L(xn,N) ≥ min {log(N/pr−1 − log(N/pr−1)/ logw), log(t/pr−1)}logw

.

(Ibeas/W., 2010)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 17 / 34

Polynomial SystemsLet {F1, . . . ,Fr} be a system of r ≥ 2 polynomialsFi ∈ Fq[Xi , . . . ,Xr ], i = 1, . . . , r , defined in the following way:

F1(X1, . . . ,Xr ) = X1G1(X2, . . . ,Xr ) + H1(X2, . . . ,Xr ),

F2(X1, . . . ,Xr ) = X2G2(X3, . . . ,Xr ) + H2(X3, . . . ,Xr ),

. . .

Fr−1(X1, . . . ,Xr ) = Xr−1Gr−1(Xr ) + Hr−1(Xr ),

Fr (X1, . . . ,Xr ) = grXr + hr .

Using the following vector notation

~F = (F1(X1, . . . ,Xr ), . . . ,Fr (X1, . . . ,Xr )),

we define the following vector sequence

~wn+1 = ~F (~wn), n = 0, 1, . . . .

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 18 / 34

Identifying the r dimensional vectors over Fq with elements of Fqr weget

L (~wn,N)� N1/(r−1)

q, 1 ≤ N ≤ t, r ≥ 2.

(Ostafe/Shparlinski/W., 2010)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 19 / 34

Part II: Uniform Distribution and Discrepancy

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 20 / 34

Discrepancy

Γ ={

(γn,0, . . . , γn,s−1)Nn=1

}sequence of N points in the s-dimensional unit interval [0, 1)s

∆(Γ) = supB⊆[0,1)s

∣∣∣∣TΓ(B)

N− |B |

∣∣∣∣ ,where TΓ(B) is the number of points of Γ inside the box

B = [α0, β0)× · · · × [αs−1, βs−1) ⊆ [0, 1)s

and the supremum is taken over all such boxes.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 21 / 34

Erdos-Turan-Koksma inequality (from discrepancy

to exponential sums)

∆(Γ) ≤(

3

2

)s 2

H + 1+

1

N

∑0<|a|≤H

s−1∏j=0

1

max{|aj |, 1}

∣∣∣Σ(s)N (Γ, a)

∣∣∣ ,

where

Σ(s)N (Γ, a) =

N∑n=1

exp

(2πi

s−1∑j=0

ajγn,j

)and the outer sum is taken over all integer vectorsa = (a0, . . . , as−1) ∈ Zs \ {0} with |a| = max

j=0,...,s−1|aj | ≤ H .

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 22 / 34

Linear Pseudorandom Number Generators

Fp finite field of p elements, a, b, x0 ∈ Fp, a 6= 0

xn+1 = axn + b, n ≥ 0

Corresponding complete exponential sums are Gauss sums.Incomplete sums can be reduced to complete ones using the standardtechnique of Polya and Vinogradov.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 23 / 34

Nonlinear recurrence sequences

u0 ∈ Fp, f ∈ Fp[X ], d = deg(f ) ≥ 2

un+1 = f (un), n ≥ 0

(purely) periodic with period t ≤ qψ(x) = exp(a2πix/p), gcd(a, p) = 1

SN =N−1∑n=0

ψ(un)

Polya-Vinogradov fails!

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 24 / 34

Niederreiter/Shparlinski 1999, (slightly improved, Niederreiter/W.2006):

SN = O(N1/2p1/2 log(d)1/2 log(p)−1/2

)Main idea of proof:Reduction to Weil-bound:∣∣∣∣∣∣

∑x∈Fp

ψ(F (x))

∣∣∣∣∣∣ ≤ (deg(F )− 1)p1/2

Here:F (X ) =

∑aiFki (X )

Exponential degree growth when iterating f (X ) is the reason for theweakness of these bounds. (Cf. linear complexity bounds.)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 25 / 34

Improvements for Special Nonlinear Generators

inversive generators: Niederreiter/Shparlinski, 2001

DN = O(N−1/2p1/4 logs(p))

power generator: Friedlander/Shparlinski, 2001Dickson generator: Gomez/Gutierrez/Shparlinski, 2006Redei generator: Gutierrez/W., 2007p-weight degree: Ibeas/W., 2010linear polynomial systems: Ostafe/Shparlinski, 2009rational polynomial systems: Ostafe/Shparlinski, 2012multivariate power generator: Ostafe/Shparlinski, 2012

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 26 / 34

Open Problems

Find more nonlinear generators with small discrepancy and highlinear complexity.

What about discrepancy of vectors with arbitrary lags?(yn = f (n), Rivat/Niederreiter: modified recursive inversivegenerator)

What about hybrid sequences? (first component low-discrepancysequence, second component pseudorandom number generator)Gomez/Hofer/Niederreiter, 2012: hybrid sequences with Haltonsequence

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 27 / 34

Part III: Related Quality Measures

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 28 / 34

Marsaglia’s Lattice test, 1972

(ηn) T-periodic sequence over Fq

For s ≥ 1 we say that (ηn) passes the s-dimensional lattice test if thevectors {un − u0 : 1 ≤ n < T} span Fs

q, where

un = (ηn, ηn+1, . . . , ηn+s−1), 0 ≤ n < T .

S(ηn) = max{s : 〈un − u0, 1 ≤ n < T 〉 = Fs

q

}

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 29 / 34

s = 2:

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 30 / 34

s = 3:

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 31 / 34

Niederreiter/W., 2002: L(ηn) = S(ηn) or = S(ηn) + 1

Dorfer/W., 2003: Lattice test for parts of the period, S(ηn,N)We have either

S(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))

orS(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))− 1.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 32 / 34

Little is known about lattice tests with arbitrary lags, i.e., vectors(xn+d0 , xn+d1 , . . . , xn+ds−1) ∈ Fs

q with 0 ≤ d0 < d1 < . . . < ds−1.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 33 / 34

Thank you for your attention.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MFO, 2013 34 / 34