SCIENCE IN CHINA (Series A)
Vol. 46 No. 4
July 2003
0, 1 distribution in the highest level sequences of primitive sequences over $\mathbb{Z}_{2^e}$

FAN Shuqin & HAN Wenbao
Department of Information Research, Information Engineering University, Zhengzhou 450002, China
Correspondence should be addressed to Fan Shuqin (email: [email protected])
Received July 19, 2002

Abstract In this paper, we discuss the 0, 1 distribution in the highest level sequence $a_{e-1}$ of a primitive sequence over $\mathbb{Z}_{2^e}$ generated by a primitive polynomial of degree $n$. First we get an estimate of the 0, 1 distribution by using the estimates of exponential sums over Galois rings, which is tight when $e$ is relatively small compared to $n$. We also get an estimate which is suitable when $e$ is relatively large compared to $n$. Combining the two bounds, we obtain an estimate depending only on $n$, which shows that the larger $n$ is, the closer to 1/2 the proportion of 1 will be.

Keywords: primitive sequence, highest level sequence, Galois ring, exponential sum over Galois ring, 0,1 distribution.
1 Introduction

Let $\mathbb{Z}_{2^e}$ be the residue ring of integers modulo $2^e$. Let $f(x) = x^n + c_{n-1}x^{n-1} + \cdots + c_0$ be a monic polynomial with coefficients in $\mathbb{Z}_{2^e}$. If $f(0) \not\equiv 0 \pmod 2$, there exists a positive integer $T$ such that $f(x) \mid x^T - 1$ in $\mathbb{Z}_{2^e}[x]$, and the smallest such $T$ is called the period of $f(x)$ over $\mathbb{Z}_{2^e}$, denoted by $\mathrm{per}(f(x))_e$. By ref. [1], we have $\mathrm{per}(f(x))_e \le 2^{e-1}(2^n-1)$. If $\mathrm{per}(f(x))_e = 2^{e-1}(2^n-1)$, $f(x)$ is called a primitive polynomial over $\mathbb{Z}_{2^e}$ of degree $n$. The sequence $a = (a_i)_{i=0}^{\infty}$ satisfying $a_{i+n} = -(c_{n-1}a_{i+n-1} + \cdots + c_0 a_i)$ is called a linear recurring sequence over $\mathbb{Z}_{2^e}$ generated by $f(x)$. $a$ is called a primitive sequence if $a$ is generated by a primitive polynomial and $a \not\equiv 0 \pmod 2$. If we write every $a_i$ in its binary decomposition $a_i = \sum_{j=0}^{e-1} a_{i,j}2^j$, then $a = \sum_{j=0}^{e-1} a_j 2^j$, where $a_j = (a_{i,j})_{i=0}^{\infty}$. $a_j$ is called the $j$th level sequence of $a$, and $a_{e-1}$ is called the highest level (or most significant) sequence of $a$.

It is natural to view the $j$th level sequences of linear recurring sequences over $\mathbb{Z}_{2^e}$ as nonlinear binary sequences over $\mathbb{F}_2$, the finite field with two elements. So we have a convenient way to derive pseudorandom binary sequences by picking the highest level sequences, or by mixing the highest level sequence with lower level sequences, from primitive sequences over $\mathbb{Z}_{2^e}$ using general-purpose microprocessors if we take $e$ as the processor word length. It is important to research the cryptographic properties of those derived binary sequences, especially the highest level sequence $a_{e-1}$ of primitive sequences over $\mathbb{Z}_{2^e}$. It is shown that $a_{e-1}$ has a large period [2] and a large lower bound on linear complexity [3]. Furthermore, it is proved in ref. [4] that the mapping from the primitive sequences over $\mathbb{Z}_{2^e}$ to their highest level sequences is injective. To explore the random properties of $a_{e-1}$, we also need to discuss its 0,1 distribution.
When $e = 2$, the distribution of 0, 1 in the highest level $a_{e-1}$ of primitive sequences over $\mathbb{Z}_{2^e}$ has been explicitly investigated in refs. [5, 6]. In refs. [7, 8], Qi and Zhou discussed the 0,1 distribution in $a_{e-1}$ for general $e$ and proved that the proportion of 1 is between 40% and 60% for $e \ge 8$. In ref. [9], Zhu obtained that when $e \ge 8$ and $n \ge 30$ the proportion of 1 is between 43.7477% and 56.2523%.

In this paper, we discuss the 0, 1 distribution in $a_{e-1}$ for general $e$. First we use the estimates of exponential sums over Galois rings to get an estimate which shows that the proportion of $i$ ($i = 0, 1$) in one period of $a_{e-1}$ is roughly bounded by $\frac12 \pm \frac{1}{2\sqrt7}\cdot\left(\frac12\right)^{\frac{n-3e}{2}}$, which is nontrivial for $n \ge 3e$. In fact, the bound is good when $e$ is relatively small compared to $n$. For relatively large $e$, especially when $n < 3e$, however, the bound is bad and even trivial. To deal with the case $n < 3e$, we use a result about the bound of the number of 0 in a primitive sequence over $\mathbb{Z}_{2^d}$ [10] and a lemma in ref. [7] to get that the proportion of $i$ ($i = 0, 1$) in one period of $a_{e-1}$ is bounded by $\frac12 \pm \left\{\frac{1}{2^{d+1}} + \frac{1}{6\cdot 2^{n/2-d}}\right\}$ for any $1 \le d \le \min(\frac e2, \frac n2)$. As an application of our two estimates, we have that if $n \ge 30$, the proportion of 1 is between 46.884% and 53.126%, which is not only independent of $e$ but also better than the previous results. At last, by combining the two estimates, we get that the proportion of $i$ ($i = 0, 1$) in one period of $a_{e-1}$ is bounded by $\frac12 \pm 0.542\cdot 2^{-n/8}$ if $n \ge 8$, which shows that the larger $n$ is, the closer to 1/2 the proportion of 1 will be.
2 Preliminaries

2.1 Galois rings of characteristic $2^e$

Let $e \ge 1$ be a fixed integer. A monic polynomial $f(x) \in \mathbb{Z}_{2^e}[x]$ is said to be a basic irreducible polynomial if $f(x) \pmod 2$ is a monic irreducible polynomial over $\mathbb{F}_2$. The Galois ring $R_{e,n} = GR(2^e, n)$ is the unique unramified extension of degree $n$ over $\mathbb{Z}_{2^e}$ and can be written as $\mathbb{Z}_{2^e}[x]/(f(x))$, where $f(x)$ is a basic irreducible polynomial of degree $n$ over $\mathbb{Z}_{2^e}$. $R_{e,n}$ is a local ring with unique maximal ideal $2R_{e,n}$. Let $\Gamma_{e,n} = \{\xi \in R_{e,n} \mid \xi^{2^n} = \xi\}$ be the set of Teichmüller points. There exists a primitive element $\xi \in \Gamma_{e,n}$ such that $\Gamma_{e,n} = \{0, 1, \xi, \ldots, \xi^{2^n-2}\}$. It can be shown that every element $z \in R_{e,n}$ has a unique 2-adic expansion
$$z = z_0 + 2z_1 + \cdots + 2^{e-1}z_{e-1}, \qquad z_i \in \Gamma_{e,n}.$$
Let $\sigma$ be the Frobenius map from $R_{e,n}$ to $R_{e,n}$ given by
$$\sigma(z) = z_0^2 + 2z_1^2 + \cdots + 2^{e-1}z_{e-1}^2.$$
As we know, $\sigma$ is the generator of the Galois group of $R_{e,n}/\mathbb{Z}_{2^e}$, which is a cyclic group of order $n$. The trace mapping $\mathrm{Tr}_{e,n}(\cdot): R_{e,n} \to \mathbb{Z}_{2^e}$ is defined via $\mathrm{Tr}_{e,n}(x) = x + \sigma(x) + \cdots + \sigma^{n-1}(x)$ for $x \in R_{e,n}$.

2.2 Estimates of exponential sums over Galois rings

Let $\psi$ be the canonical additive character over $\mathbb{Z}_{2^e}$ defined by $\psi(a) = e^{2\pi i a/2^e}$ for $a \in \mathbb{Z}_{2^e}$, and $\psi_{e,n}$ the canonical additive character over $R_{e,n}$ defined by $\psi_{e,n}(x) = (\psi \circ \mathrm{Tr}_{e,n})(x) = e^{2\pi i\,\mathrm{Tr}_{e,n}(x)/2^e}$ for $x \in R_{e,n}$.
Lemma 1. Let $\psi$ be the canonical additive character over $\mathbb{Z}_{2^e}$ and $a \in \mathbb{Z}_{2^e}$. We have
$$\sum_{c \in \mathbb{Z}_{2^e}} \psi(ca) = \begin{cases} 2^e, & \text{if } a = 0; \\ 0, & \text{if } a \ne 0. \end{cases}$$
Let $g(x)$ be a polynomial over $R_{e,n}$ with $g(0) = 0$ and $g(x)$ not identically 0, and let $g(x) = g_0(x) + g_1(x)2 + \cdots + g_{e-1}(x)2^{e-1}$ be the 2-adic expansion of $g(x)$, where $g_i(x)$ is a polynomial of degree $d_i$ with coefficients in $\Gamma_{e,n}$ for $i = 0, 1, \cdots, e-1$. Define the weighted degree of $g(x)$ by $D_{e,g} = \max(d_0 2^{e-1}, d_1 2^{e-2}, \cdots, d_{e-1})$.

Definition 1. Let $g(x)$ be a polynomial as above and $g_i(x) = \sum_{j=0}^{d_i} G_{i,j}x^j$, $G_{i,j} \in \Gamma_{e,n}$. $g(x)$ is called nondegenerate if $G_{i,j} = 0$ whenever $j \equiv 0 \pmod 2$, $0 \le j \le d_i$, $0 \le i \le e-1$.

Various kinds of exponential sums over Galois rings have been investigated. Here we give a theorem from ref. [11] which is analogous to the Weil estimates on exponential sums over finite fields.

Theorem 1 [11]. Let $g(x) \in R_{e,n}[x]$ be a nondegenerate polynomial of weighted degree $D_{e,g}$, and $\psi_{e,n}$ the canonical additive character over $R_{e,n}$. Then
$$\left|\sum_{x \in \Gamma_{e,n}} \psi_{e,n}(g(x))\right| \le (D_{e,g} - 1)\cdot\sqrt{2^n}.$$

2.3 The highest level $a_{e-1}$ of a primitive sequence $a$

Let $f(x) \in \mathbb{Z}_{2^e}[x]$ be a primitive polynomial of degree $n$. Denote by $\Omega(f(x))_e$ the set of all sequences generated by $f(x)$ over $\mathbb{Z}_{2^e}$. For any sequence $a = (a_0, a_1, \cdots) \in \Omega(f(x))_e$, the period of $a$ is defined by $\mathrm{per}(a)_e = \min\{T \in \mathbb{N} \mid a_{i+T} = a_i,\ \forall i \in \mathbb{Z}_{\ge 0}\}$. It is obvious that $\mathrm{per}(a)_e \mid \mathrm{per}(f(x))_e$. If $a$ is a primitive sequence generated by $f(x)$, we have $\mathrm{per}(a)_e = 2^{e-1}(2^n-1)$. The set of all primitive sequences generated by $f(x)$ is $\Omega'(f(x))_e = \{a \in \Omega(f(x))_e \mid a \not\equiv 0 \pmod 2\}$. Let $a \in \Omega'(f(x))_e$ be a primitive sequence generated by $f(x)$ and $a_j$ the $j$th level sequence of $a$. By ref. [2], we have $\mathrm{per}(a_j) = 2^j(2^n-1)$, especially $\mathrm{per}(a_{e-1}) = 2^{e-1}(2^n-1)$. For the primitive sequences, we have the following trace description:

Lemma 2 (Trace description). Let $f(x)$ be a primitive polynomial of degree $n$ over $\mathbb{Z}_{2^e}$, and $\gamma \in R_{e,n}$ a root of $f(x)$. Then for any primitive sequence $a \in \Omega'(f(x))_e$, there exists a unique $\alpha \in R^*_{e,n} = R_{e,n} \setminus 2R_{e,n}$ such that $a_i = \mathrm{Tr}_{e,n}(\alpha\gamma^i)$ for $i \in \mathbb{Z}_{\ge 0}$.

In fact, $\gamma$ can be written as $\gamma = \xi(1 + 2\xi_1)$, where $\xi$ is a generator of the multiplicative group $\Gamma^*_{e,n} = \Gamma_{e,n} \setminus \{0\}$ and $\xi_1 \in R_{e,n}$. So all the primitive sequences generated by $f(x)$ can be written as $\Omega'(f(x))_e = \left\{\left(\mathrm{Tr}_{e,n}(\alpha(\xi(1+2\xi_1))^i)\right)_{i=0}^{\infty} \mid \alpha \in R^*_{e,n}\right\}$.

In sections 3 and 4, we will discuss the 0, 1 distribution in one period of the highest level $a_{e-1}$ of the primitive sequence $a = \left(\mathrm{Tr}_{e,n}(\alpha(\xi(1+2\xi_1))^i)\right)_{i=0}^{\infty}$ in two cases, that is, $e$ relatively small compared to $n$ and $e$ relatively large compared to $n$, respectively.
3 0,1 distribution of $a_{e-1}$ for $e$ relatively small compared to $n$

In this section, we study the 0,1 distribution in the highest level sequences of primitive sequences over $\mathbb{Z}_{2^e}$ using the estimates of exponential sums over Galois rings. We need to divide the sequence $a$ into $2^{e-1}$ subsequences according to the index $i \bmod 2^{e-1}$, that is,
$$a^k = \left(\mathrm{Tr}_{e,n}\big(\alpha(\xi(1+2\xi_1))^{2^{e-1}t+k}\big)\right)_{t=0}^{2^n-2}$$
for $0 \le k < 2^{e-1}$. First we estimate the number of 0,1 in the highest level sequence of $a^k$, $0 \le k < 2^{e-1}$, and then we sum up the results to get the 0,1 distribution of $a_{e-1}$.

Lemma 3. Let $N(a^k, l)$ be the number of the integer $l$ ($0 \le l < 2^e$) appearing in $a^k$. Then
$$N(a^k, l) = \begin{cases} \widetilde N(a^k, l) - 1, & \text{if } l = 0; \\ \widetilde N(a^k, l), & \text{if } l \ne 0, \end{cases}$$
where $\widetilde N(a^k, l) = \#\{x \in \Gamma_{e,n} \mid \mathrm{Tr}_{e,n}(C_{k,\alpha}x) = l\}$ and $C_{k,\alpha} = \alpha(\xi(1+2\xi_1))^k$.

Proof.
$$\begin{aligned}
N(a^k, l) &= \#\{t \in \{0, 1, \cdots, 2^n-2\} \mid \mathrm{Tr}_{e,n}(\alpha(\xi(1+2\xi_1))^{2^{e-1}t+k}) = l\} \\
&= \#\{t \in \{0, 1, \cdots, 2^n-2\} \mid \mathrm{Tr}_{e,n}(C_{k,\alpha}(\xi(1+2\xi_1))^{2^{e-1}t}) = l\} \\
&= \#\{t \in \{0, 1, \cdots, 2^n-2\} \mid \mathrm{Tr}_{e,n}(C_{k,\alpha}\xi^{2^{e-1}t}) = l\},
\end{aligned}$$
where $C_{k,\alpha} = \alpha(\xi(1+2\xi_1))^k$. It is obvious that $C_{k,\alpha} \in R^*_{e,n}$. Since $(2^{e-1}, 2^n-1) = 1$, we have
$$\begin{aligned}
N(a^k, l) &= \#\{t \in \{0, 1, \cdots, 2^n-2\} \mid \mathrm{Tr}_{e,n}(C_{k,\alpha}\xi^t) = l\} \\
&= \#\{x \in \Gamma^*_{e,n} \mid \mathrm{Tr}_{e,n}(C_{k,\alpha}x) = l\} \\
&= \begin{cases} \widetilde N(a^k, l) - 1, & \text{if } l = 0, \\ \widetilde N(a^k, l), & \text{if } l \ne 0, \end{cases}
\end{aligned}$$
where $\widetilde N(a^k, l) = \#\{x \in \Gamma_{e,n} \mid \mathrm{Tr}_{e,n}(C_{k,\alpha}x) = l\}$. Q.E.D.
Let $N_{i,k}$ be the number of $i$ ($i = 0, 1$) appearing in the highest level sequence of the subsequence $a^k$. An integer $l$ ($0 \le l \le 2^e - 1$) has the highest level $i$ ($i = 0, 1$) if and only if $i2^{e-1} \le l \le (i+1)2^{e-1} - 1$. So $N_{i,k}$ equals the number of $l$ appearing in the subsequence $a^k$ such that $i2^{e-1} \le l \le (i+1)2^{e-1} - 1$, that is, $N_{i,k} = \sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} N(a^k, l)$. Denote $\widetilde N_{i,k} = \sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} \widetilde N(a^k, l)$. We have
$$N_{i,k} = \sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} N(a^k, l) = \begin{cases} \widetilde N_{i,k} - 1, & \text{if } i = 0; \\ \widetilde N_{i,k}, & \text{if } i = 1. \end{cases}$$
Let $\psi$ be the canonical additive character over $\mathbb{Z}_{2^e}$, and $\psi_{e,n}$ the canonical additive character over $R_{e,n}$. From Lemma 1 and Lemma 3, we have
$$\begin{aligned}
\widetilde N_{i,k} &= \sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} \sum_{x \in \Gamma_{e,n}} \frac{1}{2^e} \sum_{d \in \mathbb{Z}_{2^e}} \psi\big(d(\mathrm{Tr}_{e,n}(C_{k,\alpha}x) - l)\big) \\
&= \frac{1}{2^e} \sum_{d \in \mathbb{Z}_{2^e}} \sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} \psi(-dl) \sum_{x \in \Gamma_{e,n}} \psi_{e,n}(dC_{k,\alpha}x) \\
&= 2^{n-1} - \frac{1}{2^e} \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} \sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} \psi(-dl) \sum_{x \in \Gamma_{e,n}} \psi_{e,n}(dC_{k,\alpha}x) \\
&= 2^{n-1} - \frac{1}{2^e}\cdot N_{res},
\end{aligned}$$
where
$$N_{res} = \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} \sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} \psi(-dl) \sum_{x \in \Gamma_{e,n}} \psi_{e,n}(dC_{k,\alpha}x).$$
Denote
$$N_+ = \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} \left|\sum_{l=i2^{e-1}}^{(i+1)2^{e-1}-1} \psi(-dl)\right|^2 \quad\text{and}\quad N_- = \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} \left|\sum_{x \in \Gamma_{e,n}} \psi_{e,n}(dC_{k,\alpha}x)\right|^2.$$
With the Hölder inequality, we have $N_{res}^2 \le N_+ \cdot N_-$.

Now we compute $N_+$.
$$\begin{aligned}
N_+ &= \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} \sum_{l_1=i2^{e-1}}^{(i+1)2^{e-1}-1} \sum_{l_2=i2^{e-1}}^{(i+1)2^{e-1}-1} \psi(-dl_1)\overline{\psi(-dl_2)} \\
&= \sum_{l_1=i2^{e-1}}^{(i+1)2^{e-1}-1} \sum_{l_2=i2^{e-1}}^{(i+1)2^{e-1}-1} \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} \psi(d(l_2 - l_1)) \\
&= 2^{2e-2}.
\end{aligned}$$
Then we deal with $N_-$. Let $D_{e,g_d}$ be the weighted degree of $g_d(x) = dC_{k,\alpha}x$. For $d \in \mathbb{Z}_{2^e}\setminus\{0\}$, there exist $2^{e-m} - 2^{e-1-m}$ values of $d$ such that $D_{e,g_d} = 2^{e-1-m}$, for $m = 0, 1, \cdots, e-1$. From Theorem 1,
$$\begin{aligned}
N_- &= \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} \left|\sum_{x \in \Gamma_{e,n}} \psi_{e,n}(dC_{k,\alpha}x)\right|^2 \le \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} (D_{e,g_d} - 1)^2 \cdot 2^n \\
&= 2^n \left( \sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} D_{e,g_d}^2 - 2\sum_{d \in \mathbb{Z}_{2^e}\setminus\{0\}} D_{e,g_d} + 2^e - 1 \right) \\
&= 2^n \left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right).
\end{aligned}$$
Thus
$$|N_{res}| \le 2^{e-1}2^{n/2} \left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2}$$
and
$$\left|\widetilde N_{i,k} - 2^{n-1}\right| \le 2^{n/2-1} \left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2}.$$
So we have
$$\left|N_{1,k} - 2^{n-1}\right| \le 2^{n/2-1} \left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2}$$
and
$$\left|N_{0,k} - (2^{n-1}-1)\right| \le 2^{n/2-1} \left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2}.$$
Denote by $N_i$ the number of occurrences of $i$ ($i = 0, 1$) in one period of $a_{e-1}$. It is obvious that $N_i = \sum_{k=0}^{2^{e-1}-1} N_{i,k}$. Thus
$$\left|N_1 - 2^{e-2}2^n\right| \le 2^{e-2}2^{n/2}\left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2}$$
and
$$\left|N_0 - (2^{e-2}2^n - 2^{e-1})\right| \le 2^{e-2}2^{n/2}\left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2}.$$
As a result, we have

Theorem 2. Let $f(x)$ be a primitive polynomial of degree $n$ over $\mathbb{Z}_{2^e}$, $a$ a primitive sequence generated by $f(x)$ and $a_{e-1}$ the highest level sequence of $a$. Denote the proportion of $i$ ($i = 0, 1$) in one period of the sequence $a_{e-1}$ by $\lambda_i(a_{e-1})$. We have
$$\left|\lambda_1(a_{e-1}) - \frac{2^{n-1}}{2^n-1}\right| \le \frac{2^{n/2-1}}{2^n-1}\left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2} \qquad (1)$$
and
$$\left|\lambda_0(a_{e-1}) - \frac{2^{n-1}-1}{2^n-1}\right| \le \frac{2^{n/2-1}}{2^n-1}\left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2}. \qquad (2)$$

Notation 1. We can simplify the right hand side of (1) and (2). In fact, if $n \ge \frac{3e}{2}$,
$$\frac{2^{n/2-1}}{2^n-1}\left( \frac{2^{3e}-1}{2^3-1} - \frac{2(2^{2e}-1)}{2^2-1} + 2^e - 1 \right)^{1/2} \le \frac{2^{n/2-1}}{2^n-1}\cdot\frac{1}{\sqrt7}\left(2^{\frac32 e} - 1\right) \le \frac{1}{2\sqrt7}\cdot 2^{3e/2}\cdot 2^{-n/2}.$$
By Theorem 2, we have Table 1.
Example 1.

Table 1  Bounds on $\lambda_1(a_{e-1})$ from Theorem 2

  e    n    bounds on $\lambda_1(a_{e-1})$
  4    20   48.998% $\le \lambda_1(a_{e-1}) \le$ 51.002%
  4    30   49.969% $\le \lambda_1(a_{e-1}) \le$ 50.031%
  8    30   47.659% $\le \lambda_1(a_{e-1}) \le$ 52.341%
  8    35   49.587% $\le \lambda_1(a_{e-1}) \le$ 50.413%
  8    40   49.927% $\le \lambda_1(a_{e-1}) \le$ 50.073%
From Theorem 2, the mean value of the proportion of 1 (resp. 0) in $a_{e-1}$ is $\frac{2^{n-1}}{2^n-1}$ (resp. $\frac{2^{n-1}-1}{2^n-1}$), and the deviation of the proportion of 1 (resp. 0) from the corresponding mean value is less than $\frac{1}{2\sqrt7}\cdot 2^{3e/2}\cdot 2^{-n/2}$, which is nontrivial for $n \ge 3e$. It shows that for any given $e$, the deviation converges to 0 very quickly as $n$ increases. When $e$ is relatively large, however, the estimate is not good and is even trivial when $n < 3e$. So we need to find ways to handle the case when $e$ is relatively large.
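As an added example, not code from the paper, the following Python script makes the definitions of section 1 and the bound of Theorem 2 concrete: it generates a linear recurring sequence over $\mathbb{Z}_{2^e}$ directly from the recurrence, checks primitivity of $f(x)$ through the period $2^{e-1}(2^n-1)$, extracts the level sequences $a_j$, and compares the 0,1 count in one period of $a_{e-1}$ with the right hand side of (1). The instance $f(x) = x^3 + x + 1$ over $\mathbb{Z}_4$ and the initial state are constructed for the illustration; the function names are my own.

```python
# Added example, not from the paper: build a linear recurring sequence over
# Z_{2^e}, test primitivity through its period, extract level sequences and
# compare the 0,1 count of the highest level a_{e-1} with the bound of Theorem 2.
from math import sqrt

def one_period(coeffs, init, e):
    """One period of a_{i+n} = -(c_{n-1} a_{i+n-1} + ... + c_0 a_i) mod 2^e.
    coeffs = [c_0, ..., c_{n-1}] of the monic f(x); c_0 = f(0) must be odd and
    the initial state must not be 0 (mod 2). The state map is then a bijection,
    so the sequence is purely periodic and we stop at the first repeated state."""
    mod, n = 1 << e, len(coeffs)
    assert len(init) == n and coeffs[0] % 2 == 1 and any(v % 2 for v in init)
    state, seq, seen = [v % mod for v in init], [], set()
    while tuple(state) not in seen:
        seen.add(tuple(state))
        seq.append(state[0])
        state = state[1:] + [-sum(c * s for c, s in zip(coeffs, state)) % mod]
    return seq

def is_primitive(coeffs, e):
    """f is primitive over Z_{2^e} iff a sequence with a != 0 (mod 2) reaches the
    maximal period 2^{e-1}(2^n - 1), since per(a)_e | per(f)_e <= 2^{e-1}(2^n - 1)."""
    n = len(coeffs)
    period = len(one_period(coeffs, [1] + [0] * (n - 1), e))
    return period == (1 << (e - 1)) * ((1 << n) - 1)

def level_sequence(seq, j):
    """The j-th level sequence a_j: bit j of every term."""
    return [(v >> j) & 1 for v in seq]

def highest_level_counts(coeffs, init, e):
    """(period, N_1, N_0) for the highest level sequence a_{e-1}."""
    top = level_sequence(one_period(coeffs, init, e), e - 1)
    return len(top), sum(top), len(top) - sum(top)

def theorem2_radius(e, n):
    """Right-hand side of (1) and (2) in Theorem 2."""
    inner = (2 ** (3 * e) - 1) / 7 - 2 * (2 ** (2 * e) - 1) / 3 + 2 ** e - 1
    return 2 ** (n / 2 - 1) / (2 ** n - 1) * sqrt(inner)

if __name__ == "__main__":
    # Constructed instance: f(x) = x^3 + x + 1 over Z_4 (e = 2, n = 3); its period
    # is 2 * 7 = 14, so it is primitive. Coefficients are given as [c_0, c_1, c_2].
    f, e, n = [1, 1, 0], 2, 3
    print("primitive over Z_4:", is_primitive(f, e))
    T, n1, n0 = highest_level_counts(f, [1, 0, 0], e)
    mean1 = 2 ** (n - 1) / (2 ** n - 1)
    print(f"period {T}, N_1 = {n1}, N_0 = {n0}, lambda_1 = {n1 / T:.4f}")
    print("within Theorem 2 bound:", abs(n1 / T - mean1) <= theorem2_radius(e, n))
```

For larger $e$ and $n$ the same functions reproduce the radii of Table 1 (for example $e = 8$, $n = 30$ gives about 0.0234), while the exhaustive period walk is only practical for small $n$.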
4 0,1 distribution of $a_{e-1}$ for $e$ relatively large compared to $n$

First we give a lemma in ref. [10] about the element distribution in a primitive sequence over $\mathbb{Z}_{2^e}$.
Lemma 4 [10]. Let $f(x)$ be a primitive polynomial in $\mathbb{Z}_{2^e}[x]$ with degree $n$, and $a$ a primitive sequence generated by $f(x)$. For $l = 0, 1, \cdots, 2^e - 1$, denote by $N(a, l)$ the number of $l$ in one period of $a$. We have, if $l \ne 0$,
$$\left|N(a, l) - 2^{n-1}\right| \le \frac12\cdot\left(\frac{2^{2e}-1}{2^2-1} - (2^e-1)\right)\cdot 2^{n/2}$$
and
$$\left|N(a, 0) - (2^{n-1} - 2^{e-1})\right| \le \frac12\cdot\left(\frac{2^{2e}-1}{2^2-1} - (2^e-1)\right)\cdot 2^{n/2}.$$
We still need a result in ref. [7] which relates the 0,1 distribution of $a_{e-1}$ to the number of 0 appearing in some primitive sequence over $\mathbb{Z}_{2^d}$ for any $1 \le d \le \frac e2$. First we give some notation. Let $f(x)$ be a primitive polynomial of degree $n$ over $\mathbb{Z}_{2^e}$. By refs. [1, 2], for $1 \le k \le e-1$,
$$x^{2^{k-1}(2^n-1)} - 1 \equiv 2^k h_k(x) \pmod{f(x)} \qquad (3)$$
holds in $\mathbb{Z}_{2^e}[x]$, where $h_k(x) \in \mathbb{Z}_{2^e}[x]$ is a polynomial with degree less than $n$ and $h_k(x) \not\equiv 0 \pmod 2$. For $1 \le d \le [e/2]$, let $s \equiv h_{e-d}(x)a \pmod{2^d}$ be a sequence over $\mathbb{Z}_{2^d}$. In fact, $s$ is a primitive sequence over $\mathbb{Z}_{2^d}$ generated by $f(x)$.

Lemma 5 [7]. Let $f(x)$ be a primitive polynomial of degree $n$ in $\mathbb{Z}_{2^e}[x]$, and $a$ a primitive sequence generated by $f(x)$. For $1 \le d \le \frac e2$, let $s \equiv h_{e-d}(x)a \pmod{2^d}$, where $h_{e-d}(x)$ is defined by (3). Then
$$\frac12 - \frac{N(s, 0)}{2^d(2^n-1)} \le \lambda_i(a_{e-1}) \le \frac12 + \frac{N(s, 0)}{2^d(2^n-1)}.$$

Theorem 3. Let $f(x)$ be a primitive polynomial of degree $n$ in $\mathbb{Z}_{2^e}[x]$, $a$ a primitive sequence generated by $f(x)$ and $a_{e-1}$ the highest level sequence of $a$. Denote the proportion of $i$ ($i = 0, 1$) in one period of the sequence $a_{e-1}$ by $\lambda_i(a_{e-1})$. We have, for $1 \le d \le \min(\frac e2, \frac n2)$,
$$\left|\lambda_i(a_{e-1}) - \frac12\right| \le \frac{1}{2^{d+1}} + \frac16\cdot\frac{1}{2^{n/2-d}}. \qquad (4)$$
Proof. Let $s \equiv h_{e-d}(x)a \pmod{2^d}$, where $h_{e-d}(x)$ is defined by (3). By Lemma 4, we have
$$\frac{N(s, 0)}{2^d(2^n-1)} \le \frac{2^{n-1} - 2^{d-1}}{2^d(2^n-1)} + \frac{2^{n/2}}{2^{d+1}(2^n-1)}\cdot\left(\frac{2^{2d}-1}{2^2-1} - (2^d-1)\right)$$
4, let $d_0 = n/8$. It is easy to see that $1 \le d_0 \le \frac e2$. By Theorem 3, we have
$$\left|\lambda_i(a_{e-1}) - \frac12\right| \le \min_{1 \le d \le [\frac e2]}\left(\frac{1}{2^{d+1}} + \frac16\cdot\frac{1}{2^{n/2-d}}\right) \le \frac12\cdot\frac{1}{2^{d_0}} + \frac13\cdot\frac{1}{2^{\frac n2 - d_0}} \le \frac12\cdot 2^{-\frac n8} + \frac13\cdot 2^{-\frac{3n}{8}} \le 0.542\cdot 2^{-\frac n8}.$$
Combining the results above, we finish the proof of Corollary 4. Q.E.D.

Corollary 4 shows that the larger $n$ is, the closer to 1/2 the proportion of 1 (resp. 0) will be.
5 Conclusion

We discussed the 0,1 distribution in the highest level sequence $a_{e-1}$ of a primitive sequence $a$ over $\mathbb{Z}_{2^e}$ generated by a primitive polynomial $f(x)$ of degree $n$ and obtained two kinds of estimates
which are suited to different cases. Our results improve on earlier work and show that the 0,1 distribution of the highest level sequences is very balanced if $n$ is large enough, for example, $n \ge 30$ if $e = 4$, or $n \ge 35$ if $e = 8$. This provides the important fact that $a_{e-1}$ has good random properties for suitable $e$ and $n$.

Acknowledgements This work was supported by the National Natural Science Foundation of China (Grant Nos. 19971096, 90104035).
References
1. Ward, M., The arithmetical theory of linear recurring sequences, Trans. Amer. Math. Soc., 1933, 35(6): 600—628.
2. Dai Zongduo, Binary sequences derived from ML-sequences over rings I: Periods and minimal polynomials, Journal of Cryptology, 1992, 5: 193—207.
3. Dai, Z. D., Beth, T., Gollman, D., Lower bounds for the linear complexity of sequences over residue rings, Advances in Cryptology-Eurocrypt '90, Springer-Verlag LNCS, 1991, 473: 189—195.
4. Zeng Kencheng, Dai Zongduo, Huang Minqiang, Injectiveness of mappings from ring sequences to their sequences of the significant bits, Symposium on Theoretical Problems of Cryptology, State Key Laboratory of Information Security, Beijing, China, June 1995, 132—141.
5. Boztas, S., Hammons, A. R., Kumar, P. V., 4-phase sequences with near-optimum correlation properties, IEEE Trans. Inform. Theory, 1992, 38: 1101—1113.
6. Kuzmin, A. S., Nechaev, A. A., A construction of noise stable codes using linear recurrents over Galois rings, Russian Math. Surveys, 1992, 47: 189—190.
7. Qi Wenfeng, Zhou Jinjun, Distribution of 0 and 1 in highest level of primitive sequences over $\mathbb{Z}_{2^e}$, Science in China, Ser. A, 1997, 40(6): 606—611.
8. Qi Wenfeng, Zhou Jinjun, Distribution of 0 and 1 in highest level of primitive sequences over $\mathbb{Z}_{2^e}$, Chinese Science Bulletin, 1998, 43(8): 633—635.
9. Zhu Fengxiang, Qi Wenfeng, Distribution of 0 and 1 in the highest level of primitive sequences over $\mathbb{Z}_{2^e}$, Advances in Cryptology-CHINACRYPT' 2000, Beijing: Science Press, 2000, 1—5.
10. Kamlovski, O. V., Kuzmin, A. S., Distribution of elements on cycles of linear recurrents sequences over Galois rings, Russian Math. Surveys, 1998, 53(2): 392—393.
11. Kumar, P. V., Helleseth, T., Calderbank, A. R., An upper bound for Weil exponential sums over Galois rings and applications, IEEE Trans. Inform. Theory, 1995, 41: 456—468.